[issue33661] urllib may leak sensitive HTTP headers to a third-party web site1111

2018-12-24 Thread shuoz


Change by shuoz :


--
title: urllib may leak sensitive HTTP headers to a third-party web site -> 
urllib may leak sensitive HTTP headers to a third-party web site

___
Python tracker 
<https://bugs.python.org/issue33661>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue35542] stack exhaustion in 3.6.7

2018-12-19 Thread shuoz


shuoz added the comment:

Thank you for your reply.

--
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed
type: security -> crash

___
Python tracker 
<https://bugs.python.org/issue35542>
___



[issue35542] stack exhaustion in 3.6.7

2018-12-19 Thread shuoz


New submission from shuoz :

stack exhaustion in 3.6.7.

In Python 3.6.7, setting the recursion depth to 2 will exhaust the stack and get a
Segmentation fault. But this doesn't happen in Python 2.7.


```
import sys
sys.setrecursionlimit(2)   # lower the recursion limit to 2, then recurse without bound

def f():
    f()

f()   # reported: segfaults on 3.6.7, does not on 2.7
```

--
components: 2to3 (2.x to 3.x conversion tool)
messages: 332183
nosy: shuoz
priority: normal
severity: normal
status: open
title: stack exhaustion in 3.6.7
type: security
versions: Python 3.6

___
Python tracker 
<https://bugs.python.org/issue35542>
___



[issue34922] hashlib segmentation fault

2018-10-12 Thread shuoz


shuoz added the comment:

Oh brother, maybe this is worth opening a CVE.

--

___
Python tracker 
<https://bugs.python.org/issue34922>
___



[issue34922] hashlib segmentation fault

2018-10-07 Thread shuoz


shuoz added the comment:

I sent this to secur...@python.org.
Victor Stinner responded to me:
"import hashlib; hashlib.shake_128().hexdigest((-1)&2**64-1)" can crash
Python 3.7 and master


```
fan@fan:~/github/new$ ./py3.7/bin/python3
Python 3.7.1rc1+ (heads/3.7:c59e75c, Oct  8 2018, 08:53:13) 
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib; hashlib.shake_128().hexdigest((-1)&2**64-1)
ASAN:SIGSEGV
=
==29245==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3a50713000 (pc 
0x7f3a537994c1 bp 0x7ffd978e27f0 sp 0x7ffd978e1f78 T0)
#0 0x7f3a537994c0  (/lib/x86_64-linux-gnu/libc.so.6+0x1564c0)
#1 0x7f3a543df5d0 in __asan_memcpy 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c5d0)
#2 0x7f3a4f5a8603 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#3 0x7f3a4f5a8603 in _PySHA3_KeccakP1600_ExtractLanes 
/home/fan/github/new/cpython3.7/Modules/_sha3/kcp/KeccakP-1600-opt64.c:342
#4 0x7f3a4f5a877b in _PySHA3_KeccakP1600_ExtractBytes 
/home/fan/github/new/cpython3.7/Modules/_sha3/kcp/KeccakP-1600-opt64.c:375
#5 0x7f3a4f5a8965 in _PySHA3_KeccakWidth1600_SpongeSqueeze 
/home/fan/github/new/cpython3.7/Modules/_sha3/kcp/KeccakSponge.inc:287
#6 0x7f3a4f5a92a2 in _SHAKE_digest 
/home/fan/github/new/cpython3.7/Modules/_sha3/sha3module.c:615
#7 0x465348 in _PyMethodDef_RawFastCallKeywords Objects/call.c:644
#8 0x74c83c in _PyMethodDescr_FastCallKeywords Objects/descrobject.c:288
#9 0x441c3b in call_function Python/ceval.c:4579
#10 0x441c3b in _PyEval_EvalFrameDefault Python/ceval.c:3110
#11 0x5a3b1f in _PyEval_EvalCodeWithName Python/ceval.c:3930
#12 0x5a40c2 in PyEval_EvalCodeEx Python/ceval.c:3959
#13 0x5a40c2 in PyEval_EvalCode Python/ceval.c:524
#14 0x605047 in run_mod Python/pythonrun.c:1035
#15 0x6097c4 in PyRun_InteractiveOneObjectEx Python/pythonrun.c:256
#16 0x609d65 in PyRun_InteractiveLoopFlags Python/pythonrun.c:120
#17 0x60ad2b in PyRun_AnyFileExFlags Python/pythonrun.c:78
#18 0x44d7c5 in pymain_run_file Modules/main.c:427
#19 0x44d7c5 in pymain_run_filename Modules/main.c:1537
#20 0x44d7c5 in pymain_run_python Modules/main.c:2626
#21 0x44d7c5 in pymain_main Modules/main.c:2787
#22 0x44e33b in _Py_UnixMain Modules/main.c:2822
#23 0x7f3a5366382f in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#24 0x442db8 in _start (/home/fan/github/new/py3.7/bin/python3.7+0x442db8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==29245==ABORTING
```


```
(venv) fan@fan:~/github/new$ python
Python 3.8.0a0 (heads/master:f6c8007, Sep 25 2018, 12:42:29) 
[GCC 5.4.0 20160609] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib; hashlib.shake_128().hexdigest((-1)&2**64-1)
ASAN:SIGSEGV
=
==29347==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6df36db000 (pc 
0x7f6df1a0a210 bp 0x7ffdc8f57a80 sp 0x7ffdc8f57208 T0)
#0 0x7f6df1a0a20f  (/lib/x86_64-linux-gnu/libc.so.6+0x15720f)
#1 0x7f6df264f5d0 in __asan_memcpy 
(/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c5d0)
#2 0x7f6ded528643 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
#3 0x7f6ded528643 in _PySHA3_KeccakP1600_ExtractLanes 
/home/fan/github/new/cpython_a/Modules/_sha3/kcp/KeccakP-1600-opt64.c:342
#4 0x7f6ded5287bb in _PySHA3_KeccakP1600_ExtractBytes 
/home/fan/github/new/cpython_a/Modules/_sha3/kcp/KeccakP-1600-opt64.c:375
#5 0x7f6ded5289a5 in _PySHA3_KeccakWidth1600_SpongeSqueeze 
/home/fan/github/new/cpython_a/Modules/_sha3/kcp/KeccakSponge.inc:287
#6 0x7f6ded529312 in _SHAKE_digest 
/home/fan/github/new/cpython_a/Modules/_sha3/sha3module.c:609
#7 0x7f6ded529312 in _sha3_shake_128_hexdigest_impl 
/home/fan/github/new/cpython_a/Modules/_sha3/sha3module.c:658
#8 0x7f6ded529312 in _sha3_shake_128_hexdigest 
/home/fan/github/new/cpython_a/Modules/_sha3/clinic/sha3module.c.h:116
#9 0x46b389 in _PyMethodDef_RawFastCallKeywords Objects/call.c:644
#10 0x81403c in _PyMethodDescr_FastCallKeywords Objects/descrobject.c:288
#11 0x4416b1 in call_function Python/ceval.c:4600
#12 0x4416b1 in _PyEval_EvalFrameDefault Python/ceval.c:3186
#13 0x5ecfbb in PyEval_EvalFrameEx Python/ceval.c:536
#14 0x5ecfbb in _PyEval_EvalCodeWithName Python/ceval.c:3951
#15 0x5ed4d2 in PyEval_EvalCodeEx Python/ceval.c:3980
#16 0x5ed4d2 in PyEval_EvalCode Python/ceval.c:513
#17 0x68addd in run_mod Python/pythonrun.c:1031
#18 0x68addd in PyRun_InteractiveOneObjectEx Python/pythonrun.c:256
#19 0x68b3f5 in PyRun_InteractiveLoopFlags Python/pythonrun.c:120
#20 0x68b71b in PyRun_AnyFileExFlags Pyth
```

[issue34922] hashlib segmentation fault

2018-10-07 Thread shuoz

New submission from shuoz:

Python hashlib: a signed overflow may cause a memory over-read.

Python version:
Python 3.6.7rc1+ (heads/3.6:cb0bec3, Oct  1 2018, 02:19:39)
[GCC 7.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.

```
[--registers---]
RAX: 0x0
RBX: 0x7fffd5f0 --> 0x41b58ab3
RCX: 0x0
RDX: 0x1ff6
RSI: 0x735ae880 --> 0x0
RDI: 0x7fffd650 --> 0x7d828fe8a42b9c7f
RBP: 0xabe --> 0x0
RSP: 0x7fffd5c8 --> 0x72a5f793 (<_sha3_shake_128_hexdigest+627>:
test   eax,eax)
RIP: 0x72a5ec60 (<_PySHA3_KeccakWidth1600_SpongeSqueeze>:   push   r15)
R8 : 0x65fc7ba985946aff
R9 : 0xefbdaa140b587a16
R10: 0x50573373c9b2b8dc
R11: 0xfba4d93abbdabffc
R12: 0x7fffd770 --> 0x7fffd7d0 --> 0xb00 --> 0x0
R13: 0x7fffd650 --> 0x7d828fe8a42b9c7f
R14: 0x735ae880 --> 0x0
R15: 0xfff6
EFLAGS: 0xa06 (carry PARITY adjust zero sign trap INTERRUPT direction OVERFLOW)
[-code-]
   0x72a5ec50 <_PySHA3_KeccakP1600_ExtractBytes+160>:   jmp
0x72a54d10 <_PySHA3_KeccakP1600_ExtractBytesInLane@plt>
   0x72a5ec55:  nop
   0x72a5ec56:  nopWORD PTR cs:[rax+rax*1+0x0]
=> 0x72a5ec60 <_PySHA3_KeccakWidth1600_SpongeSqueeze>:  push   r15
   0x72a5ec62 <_PySHA3_KeccakWidth1600_SpongeSqueeze+2>:push   r14
   0x72a5ec64 <_PySHA3_KeccakWidth1600_SpongeSqueeze+4>:push   r13
   0x72a5ec66 <_PySHA3_KeccakWidth1600_SpongeSqueeze+6>:push   r12
   0x72a5ec68 <_PySHA3_KeccakWidth1600_SpongeSqueeze+8>:movr13,rdx
[stack-]
| 0x7fffd5c8 --> 0x72a5f793 (<_sha3_shake_128_hexdigest+627>:   
test   eax,eax)
0008| 0x7fffd5d0 --> 0x7fffd5f0 --> 0x41b58ab3
0016| 0x7fffd5d8 --> 0xefdb33b --> 0x0
0024| 0x7fffd5e0 --> 0x77ed99d8 --> 0x0
0032| 0x7fffd5e8 --> 0x73606910 --> 0x619096e5 --> 
0x90982800
0040| 0x7fffd5f0 --> 0x41b58ab3
0048| 0x7fffd5f8 --> 0x72a68c08 ("2 32 8 6 length 96 224 4 temp ")
0056| 0x7fffd600 --> 0x72a5f520 (<_sha3_shake_128_hexdigest>:   push   
r15)
[--]
Legend: code, data, rodata, value

Breakpoint 2, _PySHA3_KeccakWidth1600_SpongeSqueeze (instance=0x7fffd650, 
data=0x735ae880 "", dataByteLen=0x1ff6) at 
/home/test/cpython/Modules/_sha3/kcp/KeccakSponge.inc:272
```
dataByteLen=0x1ff6

```
RAX: 0x73615f90 --> 0xfffa
RBX: 0xa8
RCX: 0x73616028 --> 0xf93801a4
RDX: 0x18
RSI: 0x7fffd6e0 --> 0x6ab2a5fe4fe8efd
RDI: 0x73615fe0 --> 0x44b6a41dfdc1a3df
RBP: 0x7fffd510 --> 0xa8
RSP: 0x7fffcc78 --> 0x76e936cf (movrcx,QWORD PTR [rbp-0x38])
RIP: 0x76120786 (<__memmove_sse2_unaligned_erms+614>:   movntdq XMMWORD 
PTR [rdi+0x20],xmm2)
R8 : 0xfff0
R9 : 0x10007e6bac07 --> 0x0
R10: 0x73616038 --> 0x0
R11: 0x73615f90 --> 0xfffa
R12: 0x73615f90 --> 0xfffa
R13: 0x7fffd650 --> 0xa35bf3e9cd13e78e
R14: 0x73615f90 --> 0xfffa
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction 
overflow)
[-code-]
   0x76120779 <__memmove_sse2_unaligned_erms+601>:  subrdx,0x40
   0x7612077d <__memmove_sse2_unaligned_erms+605>:  movntdq XMMWORD PTR 
[rdi],xmm0
   0x76120781 <__memmove_sse2_unaligned_erms+609>:  movntdq XMMWORD PTR 
[rdi+0x10],xmm1
=> 0x76120786 <__memmove_sse2_unaligned_erms+614>:  movntdq XMMWORD PTR 
[rdi+0x20],xmm2
   0x7612078b <__memmove_sse2_unaligned_erms+619>:  movntdq XMMWORD PTR 
[rdi+0x30],xmm3
   0x76120790 <__memmove_sse2_unaligned_erms+624>:  addrdi,0x40
   0x76120794 <__memmove_sse2_unaligned_erms+628>:  cmprdx,0x40
   0x76120798 <__memmove_sse2_unaligned_erms+632>:  ja 0x76120758 
<__memmove_sse2_unaligned_erms+568>
[stack-]
| 0x7fffcc78 --> 0x76e936cf (movrcx,QWORD PTR [rbp-0x38])
0008| 0x7fffcc80 --> 0x7fffccf0 --> 0x41b58ab3
0016| 0x7fffcc88 --> 0x7fffcd90 --> 0x6
0024| 0x7fffcc90 --> 0x99e --> 0x0
0032| 0x7fffcc98 --> 0x7fffcd50 --> 0x0
0040| 0x7fffcca0 --> 0x0
0048| 0x7fffcca8 --> 0x73616038 --> 0x0
0056| 0x7fffccb0 --> 0x7358a068 -->
```

[issue34840] dlopen() error with no error message from dlerror()

2018-09-28 Thread shuoz


New submission from shuoz:

Python's _ctypes.dlclose(arg) never checks the arg, so we get a Segmentation fault (core dumped).

poc.py
```
import _ctypes
_ctypes.dlclose(3)  # 3-4294967296
```
python poc.py


gdb info

```
[--registers---]
RAX: 0x77ffcca0 --> 0x40d0d 
RBX: 0x0 
RCX: 0x76a49fd0 (:movrax,QWORD PTR [rip+0x201fe1] 
   # 0x76c4bfb8)
RDX: 0x2e10a0bf96213a9d 
RSI: 0x0 
RDI: 0x3 
RBP: 0x76a49fd0 (:movrax,QWORD PTR [rip+0x201fe1] 
   # 0x76c4bfb8)
RSP: 0x7fffd280 --> 0x0 
RIP: 0x77dee161 (<_dl_close+1>: test   BYTE PTR [rdi+0x3d4],0x8)
R8 : 0x3 
R9 : 0x76a49fd0 (:movrax,QWORD PTR [rip+0x201fe1] 
   # 0x76c4bfb8)
R10: 0xc55dc0 --> 0x31 ('1')
R11: 0x77eec3d8 --> 0x9 ('\t')
R12: 0x3 
R13: 0x77e952b0 --> 0x1 
R14: 0x72d12140 (: push   r14)
R15: 0x77e17228 --> 0x16
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction 
overflow)
[-code-]
   0x77dee152:  nopDWORD PTR [rax+0x0]
   0x77dee156:  nopWORD PTR cs:[rax+rax*1+0x0]
   0x77dee160 <_dl_close>:  push   rbx
=> 0x77dee161 <_dl_close+1>:test   BYTE PTR [rdi+0x3d4],0x8
   0x77dee168 <_dl_close+8>:movrbx,rdi
   0x77dee16b <_dl_close+11>:   jne0x77dee210 <_dl_close+176>
   0x77dee171 <_dl_close+17>:   movedx,DWORD PTR [rdi+0x310]
   0x77dee177 <_dl_close+23>:   test   edx,edx
[stack-]
| 0x7fffd280 --> 0x0 
0008| 0x7fffd288 --> 0x77de7564 (<_dl_catch_error+116>: mov
rax,QWORD PTR [rsp+0x8])
0016| 0x7fffd290 --> 0x0 
0024| 0x7fffd298 --> 0x77fd8720 --> 0x7fffd2e0 --> 0x7737f690 
--> 0x0 
0032| 0x7fffd2a0 --> 0x0 
0040| 0x7fffd2a8 --> 0x7737f690 --> 0x0 
0048| 0x7fffd2b0 --> 0x7737f698 --> 0x0 
0056| 0x7fffd2b8 --> 0x7737f688 --> 0x0 
[--]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
_dl_close (_map=0x3) at dl-close.c:809
809 dl-close.c: No such file or directory.
gdb-peda$ bt
```

--
components: ctypes
messages: 326668
nosy: shuoz
priority: normal
severity: normal
status: open
title: dlopen() error with no error message from dlerror()
type: crash
versions: Python 3.5

___
Python tracker 
<https://bugs.python.org/issue34840>
___
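The missing check the report describes, seen from the defending side as an added example (not CPython's or the reporter's code): a hypothetical GuardedLoader that passes back to dlclose() only handles it obtained from dlopen() itself, so a bare integer such as the PoC's 3, a stale handle or a non-integer is refused with an exception instead of being dereferenced by libc. It drives the private _ctypes module directly, as the report does, and assumes a POSIX build where _ctypes.dlopen/dlclose exist.

```python
import _ctypes   # private CPython helper behind ctypes.CDLL; POSIX builds only


class GuardedLoader:
    """Hypothetical wrapper: every dlclose() goes through its own bookkeeping."""

    def __init__(self):
        self._handles = {}   # handle (int returned by dlopen) -> library name

    def open(self, name=None):
        """dlopen() a shared object and remember the handle it returned.
        name=None is dlopen(NULL), a handle to the main program; the dynamic
        loader only refcounts it, so it is always safe to open and close here."""
        handle = _ctypes.dlopen(name)   # raises OSError if the library is missing
        self._handles[handle] = name
        return handle

    def close(self, handle):
        """dlclose() only a handle that came out of open() and is still open.
        Anything else (the report's 3, an already-closed handle, a non-int)
        is rejected before it reaches libc, where it would be read as a
        link_map pointer."""
        if not isinstance(handle, int) or handle not in self._handles:
            raise ValueError(f"refusing dlclose() of unknown handle {handle!r}")
        _ctypes.dlclose(handle)
        del self._handles[handle]

    def is_open(self, handle):
        return handle in self._handles

    def try_close(self, handle):
        """Boolean variant for callers that prefer a result to an exception."""
        try:
            self.close(handle)
        except ValueError:
            return False
        return True
```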



[issue34656] memory exhaustion in Modules/_pickle.c:1393

2018-09-12 Thread shuoz


shuoz added the comment:

```
[--registers---]
RAX: 0x7ff9d401e010 --> 0x0 
RBX: 0x77f48d00 --> 0x1 
RCX: 0x7ff8ab58c800 --> 0x77ea5d80 --> 0x2 
RDX: 0x73ac47d8 --> 0x1 
RSI: 0x25152303 
RDI: 0xfff3a803c00 --> 0x0 
RBP: 0x7473078c 
RSP: 0x7fffcf20 --> 0x73ac47d8 --> 0x1 
RIP: 0x728a8a64 (<_Unpickler_MemoPut+1668>: addr11,0x20)
R8 : 0xfff3a803bff --> 0x0 
R9 : 0xfff3a803c01 --> 0x0 
R10: 0xefe91a3 --> 0x0 
R11: 0x128a917f8 --> 0x0 
R12: 0xfff156b1922 --> 0x0 
R13: 0xe8e60f18 --> 0x0 
R14: 0x77f48d18 --> 0x7ff8ab58c800 --> 0x77ea5d80 --> 0x2 
R15: 0xfff3a803c02 --> 0x0
EFLAGS: 0x216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
[-code-]
   0x728a8a52 <_Unpickler_MemoPut+1650>:cmpBYTE PTR 
[r15+0x7fff8000],0x0
   0x728a8a5a <_Unpickler_MemoPut+1658>:jne0x728a8ae1 
<_Unpickler_MemoPut+1793>
   0x728a8a60 <_Unpickler_MemoPut+1664>:addrsi,0x4
=> 0x728a8a64 <_Unpickler_MemoPut+1668>:addr11,0x20
   0x728a8a68 <_Unpickler_MemoPut+1672>:cmpBYTE PTR 
[r10+0x7fff8000],0x0
   0x728a8a70 <_Unpickler_MemoPut+1680>:movQWORD PTR [rax],0x0
   0x728a8a77 <_Unpickler_MemoPut+1687>:je 0x728a896d 
<_Unpickler_MemoPut+1421>
   0x728a8a7d <_Unpickler_MemoPut+1693>:nopDWORD PTR [rax]
[stack-]
| 0x7fffcf20 --> 0x73ac47d8 --> 0x1 
0008| 0x7fffcf28 --> 0xefe91a3 --> 0x0 
0016| 0x7fffcf30 --> 0x77f48da8 --> 0x20 (' ')
0024| 0x7fffcf38 --> 0x77f48d00 --> 0x1 
0032| 0x7fffcf40 --> 0xa00 --> 0x0 
0040| 0x7fffcf48 --> 0x0 
0048| 0x7fffcf50 --> 0x77f48da0 --> 0x28 ('(')
0056| 0x7fffcf58 --> 0x77f48da8 --> 0x20 (' ')
[--]
Legend: code, data, rodata, value
0x728a8a64  1392    for (i = self->memo_size; i < new_size; i++)
gdb-peda$ p new_size
$5 = 0xe8e60f18
gdb-peda$ p self->memo_size
$6 = 0x20
gdb-peda$ p i
```

```
...
for (i = self->memo_size; i < new_size; i++)
    self->memo[i] = NULL;
...
```

--

___
Python tracker 
<https://bugs.python.org/issue34656>
___



[issue34656] memory exhaustion in Modules/_pickle.c:1393

2018-09-12 Thread shuoz


Change by shuoz :


Added file: https://bugs.python.org/file47802/pk.py

___
Python tracker 
<https://bugs.python.org/issue34656>
___



[issue34656] memory exhaustion in Modules/_pickle.c:1393

2018-09-12 Thread shuoz


New submission from shuoz:

Python version:
   Python 3.8.0a0 (heads/master:4ae8ece, Sep 13 2018, 09:48:16) 
   [GCC 5.4.0 20160609] on linux


I found a bug in the Python pickle.load function. It can cause memory exhaustion (DDOS).

./python pk.py poc


cat ./pk.py

```
import pickle
import sys

filename = sys.argv[1]
with open(filename, 'rb') as f:
    aa = pickle.load(f)
print(aa)
```

--
components: FreeBSD
files: poc
messages: 325230
nosy: koobs, shuoz
priority: normal
severity: normal
status: open
title: memory exhaustion in Modules/_pickle.c:1393
type: security
versions: Python 3.8
Added file: https://bugs.python.org/file47801/poc

___
Python tracker 
<https://bugs.python.org/issue34656>
___
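The pk.py loader in this submission and the gdb session in the earlier comment (new_size = 0xe8e60f18 inside _Unpickler_MemoPut) show the same thing: pickle.load grows its memo table to whatever index a PUT-family opcode names, so a few bytes of input drive a multi-gigabyte allocation. As an added example, not the reporter's or CPython's code, the pre-scanner below walks the opcode stream with pickletools.genops before any unpickling happens and refuses a memo index above a cap; MAX_MEMO_INDEX, the function names and both sample pickles are constructed here, and the scan only addresses this exhaustion, not the general unsafety of unpickling untrusted data.

```python
import pickle
import pickletools
import struct

# Cap on the memo index a PUT-family opcode may write. Picklers number memo
# slots consecutively from 0, so an index far beyond the number of opcodes
# seen so far is an anomaly; the value of the cap itself is an assumption.
MAX_MEMO_INDEX = 1_000_000

PUT_OPCODES = {"PUT", "BINPUT", "LONG_BINPUT"}


def scan_memo_indices(data: bytes) -> list:
    """Decode the opcode stream with pickletools.genops (nothing is executed
    or allocated) and return the memo indices written by PUT/BINPUT/LONG_BINPUT.
    Raises ValueError on the first index above MAX_MEMO_INDEX or on a
    malformed stream."""
    indices = []
    for opcode, arg, pos in pickletools.genops(data):
        if opcode.name in PUT_OPCODES:
            if arg > MAX_MEMO_INDEX:
                raise ValueError(
                    f"{opcode.name} index {arg:#x} at offset {pos} exceeds cap"
                )
            indices.append(arg)
    return indices


def is_memo_safe(data: bytes) -> bool:
    """True when the stream parses and every memo index is within the cap."""
    try:
        scan_memo_indices(data)
    except ValueError:
        return False
    return True


def safe_load(data: bytes):
    """Pre-scan, then unpickle. Blocks only the memo-table exhaustion; it does
    not make unpickling of untrusted data safe in general."""
    scan_memo_indices(data)
    return pickle.loads(data)


# Constructed sample: PROTO 3, NONE, LONG_BINPUT with the index the report's
# gdb session shows as new_size (0xe8e60f18), STOP. Nine bytes of input, but
# an unguarded unpickler would try to grow its memo to about 3.9e9 entries.
MALICIOUS_PICKLE = b"\x80\x03N" + b"r" + struct.pack("<I", 0xE8E60F18) + b"."

# Constructed benign sample with a shared reference, so BINPUT is exercised.
_shared = [1, 2]
GOOD_PICKLE = pickle.dumps({"a": _shared, "b": _shared}, protocol=3)
```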