[issue29500] AddressSanitizer: heap-buffer-overflow on address 0x61600004a982

2017-02-08 Thread Stéphane Wirtel

Changes by Stéphane Wirtel:


--
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue29500] AddressSanitizer: heap-buffer-overflow on address 0x61600004a982

2017-02-08 Thread Stéphane Wirtel

Changes by Stéphane Wirtel:


--
status: closed -> open




[issue29500] AddressSanitizer: heap-buffer-overflow on address 0x61600004a982

2017-02-08 Thread Stéphane Wirtel

Changes by Stéphane Wirtel:


--
stage:  -> resolved
status: open -> closed




[issue29500] AddressSanitizer: heap-buffer-overflow on address 0x61600004a982

2017-02-08 Thread Christian Heimes

Changes by Christian Heimes:


--
components: +Extension Modules -Interpreter Core
priority: normal -> low
type: security -> behavior




[issue29500] AddressSanitizer: heap-buffer-overflow on address 0x61600004a982

2017-02-08 Thread BeginVuln

New submission from BeginVuln:

OS Version : Ubuntu 16.04 LTS
Python download link : 
https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

Python version : 3.6.0

Normal build cmd : 
./configure 
make

Asan build cmd:
export CC="/usr/bin/clang -fsanitize=address"
export CXX="/usr/bin/clang++ -fsanitize=address"
./configure
make

GDB with exploitable:

To enable execution of this file add
add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
line to your configuration file "/home/test/.gdbinit".
To completely disable this security protection add
set auto-load safe-path /
line to your configuration file "/home/test/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
info "(gdb)Auto-loading safe path"
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 1 (process 19456) exited normally]


ASAN:

=
==18010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6164a982 at pc 0x00830a11 bp 0x7fff6131b9b0 sp 0x7fff6131b9a8
READ of size 2 at 0x6164a982 thread T0
#0 0x830a10 in find_op /home/test/check/PythonASAN/Python/peephole.c:101 (discriminator 1)
#1 0x830a10 in PyCode_Optimize /home/test/check/PythonASAN/Python/peephole.c:712 (discriminator 1)
#2 0x830a10 in ?? ??:0
#3 0x7ccf6c in makecode /home/test/check/PythonASAN/Python/compile.c:5249
#4 0x7ccf6c in assemble /home/test/check/PythonASAN/Python/compile.c:5367
#5 0x7ccf6c in ?? ??:0
#6 0x7d0a09 in compiler_function /home/test/check/PythonASAN/Python/compile.c:1886
#7 0x7d0a09 in ?? ??:0
#8 0x7b0923 in compiler_body /home/test/check/PythonASAN/Python/compile.c:1463
#9 0x7b0923 in ?? ??:0
#10 0x7ae107 in compiler_mod /home/test/check/PythonASAN/Python/compile.c:1483
#11 0x7ae107 in PyAST_CompileObject /home/test/check/PythonASAN/Python/compile.c:341
#12 0x7ae107 in ?? ??:0
#13 0x5142d8 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:977
#14 0x5142d8 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
#15 0x5142d8 in ?? ??:0
#16 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
#17 0x512afa in ?? ??:0
#18 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
#19 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
#20 0x53eefd in ?? ??:0
#21 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
#22 0x503d16 in ?? ??:0
#23 0x7f5554ba782f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#24 0x7f5554ba782f in ?? ??:0
#25 0x432548 in _start ??:?
#26 0x432548 in ?? ??:0

0x6164a982 is located 0 bytes to the right of 514-byte region [0x6164a780,0x6164a982)
allocated by thread T0 here:
#0 0x4d2678 in malloc ??:?
#1 0x4d2678 in ?? ??:0
#2 0x508c35 in PyMem_RawMalloc /home/test/check/PythonASAN/Objects/obmalloc.c:386
#3 0x508c35 in _PyObject_Alloc /home/test/check/PythonASAN/Objects/obmalloc.c:1427
#4 0x508c35 in ?? ??:0

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/check/PythonASAN/python+0x830a10)
Shadow bytes around the buggy address:
  0x0c2c800014e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800014f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c80001530:[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80001540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80001550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80001580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Heap right redzone:  fb
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack partial redzone:   f4
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
==18010==ABORTING

--
components: Interpreter Core
files: peephole_101
messages: 287339
nosy: beginvuln
priority: normal
severity: normal
status:
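
A triage sketch for the report above, added here as an example and not part of the original submission or of CPython: it parses an excerpt of the ASan output (mail line-wrapping re-joined, values as they appear on this page) and checks that the access, the region bounds and the bracketed shadow byte agree. The names `triage`, `shadow_address` and the constants are hypothetical; the shadow offset assumes ASan's default mapping on Linux x86_64, and the full address is taken from the subject line.

```python
import re

# Excerpt of the report above, mail line-wrapping re-joined; values as shown on the page.
REPORT = """\
==18010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6164a982 at pc 0x00830a11 bp 0x7fff6131b9b0 sp 0x7fff6131b9a8
READ of size 2 at 0x6164a982 thread T0
#0 0x830a10 in find_op /home/test/check/PythonASAN/Python/peephole.c:101 (discriminator 1)
#1 0x830a10 in PyCode_Optimize /home/test/check/PythonASAN/Python/peephole.c:712 (discriminator 1)
#2 0x830a10 in ?? ??:0
#3 0x7ccf6c in makecode /home/test/check/PythonASAN/Python/compile.c:5249
0x6164a982 is located 0 bytes to the right of 514-byte region [0x6164a780,0x6164a982)
=>0x0c2c80001530:[02]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""
SUBJECT_ADDR = 0x61600004a982      # address from the issue subject line
ASAN_SHADOW_OFFSET = 0x7FFF8000    # assumption: ASan default on Linux x86_64

def triage(report):
    """Extract the facts needed to classify an ASan heap report."""
    err = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    acc = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    reg = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    row = re.search(r"^=>(0x[0-9a-f]+):.*?\[([0-9a-f]{2})\]", report, re.M)
    frames = re.findall(r"^#\d+ 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)", report, re.M)
    addr, start, end = (int(x, 16) for x in (err[2], reg[2], reg[3]))
    size, region = int(acc[2]), int(reg[1])
    return {
        "bug": err[1],
        "access": acc[1],
        "size": size,
        "region_ok": end - start == region,   # bounds agree with the stated size
        "offset": addr - start,               # where the access starts in the region
        "past_end": addr + size - end,        # bytes touched beyond the region
        # Symbolized frames only; the "?? ??:0" rows carry no information.
        "frames": [(f, p.rsplit("/", 1)[-1], int(n)) for f, p, n in frames if f != "??"],
        "shadow_row": int(row[1], 16),
        "shadow_byte": int(row[2], 16),       # value ASan bracketed in the dump
        "tail_bytes": region % 8,             # addressable bytes in the last granule
    }

def shadow_address(addr):
    """Shadow byte address for an application address (8 bytes per shadow byte)."""
    return (addr >> 3) + ASAN_SHADOW_OFFSET

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
    print("shadow of subject address:", hex(shadow_address(SUBJECT_ADDR)))
```

The 2-byte READ starts exactly at the end of the 514-byte allocation (514 = 64 × 8 + 2), which is why the bracketed shadow byte is `02`: only the first two bytes of that final 8-byte granule are addressable.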