[issue25944] Type confusion in partial_setstate and partial_repr leads to control flow hijack

2016-01-02 Thread Martin Panter

Martin Panter added the comment:

I presume you meant Issue 25945, also about partial_setstate(). Issue 25943 is about the bsddb module.

--
nosy: +martin.panter
superseder: Integer overflow in _bsddb leads to heap corruption -> Type confusion in partial_setstate and partial_call leads to memory corruption

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue25944] Type confusion in partial_setstate and partial_repr leads to control flow hijack

2016-01-02 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Yes, thank you Martin.

--




[issue25944] Type confusion in partial_setstate and partial_repr leads to control flow hijack

2015-12-25 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Merged with issue25943. This is the same bug.

--
components: +Extension Modules -Library (Lib)
nosy: +serhiy.storchaka
resolution:  -> duplicate
stage:  -> resolved
status: open -> closed
superseder:  -> Integer overflow in _bsddb leads to heap corruption




[issue25944] Type confusion in partial_setstate and partial_repr leads to control flow hijack

2015-12-24 Thread Ned Williamson

New submission from Ned Williamson:

static PyObject *
partial_setstate(partialobject *pto, PyObject *state)
{
    PyObject *fn, *fnargs, *kw, *dict;
    if (!PyArg_ParseTuple(state, "OOOO",
                          &fn, &fnargs, &kw, &dict))
        return NULL;
    Py_XDECREF(pto->fn);
    Py_XDECREF(pto->args);
    Py_XDECREF(pto->kw);
    Py_XDECREF(pto->dict);
    pto->fn = fn;
    pto->args = fnargs; //we control pto->args here

`partial_setstate` performs no checks on the objects
it is passed as an argument.

static PyObject *
partial_repr(partialobject *pto)
{
    PyObject *result;
    PyObject *arglist;
    PyObject *tmp;
    Py_ssize_t i, n;
    arglist = PyUnicode_FromString("");
    if (arglist == NULL) {
        return NULL;
    }
    /* Pack positional arguments */
    assert (PyTuple_Check(pto->args)); //not compiled in release build
    n = PyTuple_GET_SIZE(pto->args);
    for (i = 0; i < n; i++) {
        tmp = PyUnicode_FromFormat("%U, %R", arglist,
                                   PyTuple_GET_ITEM(pto->args, i));

In partial_repr, `pto->args` is assumed to be a tuple and
unsafe functions `PyTuple_GET_SIZE` and `PyTuple_GET_ITEM`
are called on `pto->args`. This bug is particularly bad
because `PyUnicode_FromFormat` will call the object's repr
function. In this case, the attacker gains complete control
over the program counter.

vagrant@vagrant-ubuntu-wily-64:/vagrant/Python-3.5.1$ gdb -q ./python.exe
...
(gdb) r partialpoc.py
Starting program: /vagrant/Python-3.5.1/python.exe partialpoc.py
...
Program received signal SIGSEGV, Segmentation fault.
0x004851f6 in PyObject_Repr (v=0x972c90) at Objects/object.c:482
482         res = (*v->ob_type->tp_repr)(v);
(gdb) i r
rax            0x4141414141414141   4702111234474983745
rbx            0x972c90             9907344
rcx            0x52                 82
rdx            0x7ffff7026718       140737337517848
rsi            0x0                  0
rdi            0x972c90             9907344
rbp            0x6667               0x6667
rsp            0x7fffffffdb60       0x7fffffffdb60
r8             0x0                  0
r9             0x6049a8             6310312
r10            0xffffffffffffffff   -1
r11            0xffffffffffffffff   -1
r12            0x7fffffffffffffff   9223372036854775807
r13            0x7fffffffdbe0       140737488346080
r14            0x6049a7             6310311
r15            0x0                  0
rip            0x4851f6             0x4851f6
eflags         0x10206              [ PF IF RF ]
cs             0x33                 51
ss             0x2b                 43
ds             0x0                  0
es             0x0                  0
fs             0x0                  0
gs             0x0                  0
(gdb) x/3i $pc
=> 0x4851f6 : callq  *%rax
   0x4851f8 : test   %rax,%rax
   0x4851fb : mov    %rax,%rbx

Please see the attached POC.
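An added pure-Python model of the two routines described above (example code written for this page, not CPython's own source and not the attached partialpoc.py): UnsafePartial stores the restored state with no checks, as the quoted partial_setstate() does, and its __repr__ then treats .args as a tuple the way partial_repr() does; SafePartial adds the type checks that the fix for this issue introduced; restore() reports, for each class, where a state carrying a non-tuple in the args slot is caught. The comparison against the real functools.partial assumes a CPython build that includes the fix.

```python
"""Pure-Python model of the partial_setstate()/partial_repr() type confusion
and of the validation that fixed it (added illustration, not CPython code).

In C the unchecked path reads a non-tuple through PyTuple_GET_SIZE and
PyTuple_GET_ITEM; in this model the same mistake surfaces as a TypeError
raised from __repr__ instead, which is enough to show where the check belongs.
"""
import copy
import functools


class UnsafePartial:
    """Mirrors the reported code: __setstate__ stores the state unchecked."""

    def __init__(self, func, *args, **keywords):
        self.func, self.args, self.keywords = func, args, keywords

    def __reduce__(self):
        # Same 4-item state shape as functools.partial; pickle.loads() and
        # copy.copy() both hand this tuple straight to __setstate__.
        return type(self), (self.func,), (self.func, self.args, self.keywords, None)

    def __setstate__(self, state):
        # Like the pre-fix partial_setstate(): unpack four items, no type checks.
        self.func, self.args, self.keywords, namespace = state
        if namespace:
            self.__dict__.update(namespace)

    def __repr__(self):
        # Like partial_repr(): assume .args is a tuple, take its length,
        # index it and call repr() on every element.
        parts = [repr(self.func)]
        for i in range(len(self.args)):      # len() of a non-sequence raises here
            parts.append(repr(self.args[i]))
        for key, value in (self.keywords or {}).items():
            parts.append(f"{key}={value!r}")
        return f"{type(self).__name__}({', '.join(parts)})"


class SafePartial(UnsafePartial):
    """Adds the checks the fixed partial_setstate() makes before storing state."""

    def __setstate__(self, state):
        if not isinstance(state, tuple) or len(state) != 4:
            raise TypeError("invalid partial state")
        func, args, keywords, namespace = state
        if (not callable(func)
                or not isinstance(args, tuple)
                or (keywords is not None and not isinstance(keywords, dict))
                or (namespace is not None and not isinstance(namespace, dict))):
            raise TypeError("invalid partial state")
        super().__setstate__(state)


# Constructed states: a valid one, and one with an int where the args tuple belongs.
GOOD_STATE = (len, (1, 2), {"x": 3}, None)
BAD_STATE = (len, 42, None, None)


def restore(cls, state):
    """Apply `state` to a fresh instance of `cls` and report where, if at all,
    it fails: ("ok", repr), ("rejected in __setstate__", exc) or
    ("failed in __repr__", exc)."""
    obj = cls(len)
    try:
        obj.__setstate__(state)
    except TypeError as exc:
        return "rejected in __setstate__", type(exc).__name__
    try:
        return "ok", repr(obj)
    except TypeError as exc:
        return "failed in __repr__", type(exc).__name__


def copy_repr(cls):
    """Round-trip an instance through copy.copy(), which calls __setstate__."""
    return repr(copy.copy(cls(len, 1, 2, x=3)))


if __name__ == "__main__":
    for cls in (UnsafePartial, SafePartial, functools.partial):
        print(cls.__name__, restore(cls, GOOD_STATE), restore(cls, BAD_STATE))
    print(copy_repr(SafePartial))
```

Run directly, the unsafe model accepts the bad state and only fails later inside __repr__ (the C counterpart of that late failure is the unchecked PyTuple_GET_ITEM read), while the safe model and a fixed functools.partial reject it in __setstate__ with TypeError before anything is stored; the copy.copy() round trip shows that the validated path still restores a well-formed state correctly.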

--
components: Library (Lib)
files: partialpoc.py
messages: 256975
nosy: Ned Williamson
priority: normal
severity: normal
status: open
title: Type confusion in partial_setstate and partial_repr leads to control flow hijack
type: crash
versions: Python 3.5, Python 3.6
Added file: http://bugs.python.org/file41409/partialpoc.py
