[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-03 Thread Pablo Galindo Salgado


Pablo Galindo Salgado  added the comment:

I concur with Antoine, the interpreter does not have any contract around 
crafting incorrect bytecode and evaluating it (and it will not since by 
definition the bytecode created by the interpreter is (should) be correct and 
any extra check in this code path will impact performance notably). 

I also have to say that I struggle to understand how to reproduce this or what 
is exactly the problem from your text and the files you attach.

Closing this as "not a bug". Feel free to re-open if you think we are missing 
something else.

--
nosy: +pablogsal
resolution:  -> not a bug
stage:  -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-03 Thread Antoine Pitrou


Antoine Pitrou  added the comment:

I don't think so. I'll let others confirm.

--
nosy: +christian.heimes, vstinner




[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-03 Thread ggbang


ggbang  added the comment:

Hello, if crafting deliberately incorrect bytecode could control the EIP of the 
Python interpreter, is it in scope to fix? Thanks.

--




[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-03 Thread Antoine Pitrou


Change by Antoine Pitrou :


--
nosy: +benjamin.peterson




[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-03 Thread Antoine Pitrou


Antoine Pitrou  added the comment:

It seems what you're saying is that one can crash Python by crafting 
deliberately incorrect bytecode.  If so, then I'm afraid it's something we 
won't consider fixing.

--
nosy: +pitrou




[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-02 Thread ggbang


Change by ggbang :


Added file: https://bugs.python.org/file48823/crashc1.md




[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-02 Thread ggbang

New submission from ggbang :

python version:
Python 3.9.0a2 (default, Dec 25 2019, 20:42:47) 
[GCC 7.5.0] on linux

crash log:
``` bash

 code:x86:64 
   0x555afb88 <_PyEval_EvalFrameDefault+4056> mov    rdx, QWORD PTR [rsi+rdx*8+0x18]
   0x555afb8d <_PyEval_EvalFrameDefault+4061> add    QWORD PTR [rdx], 0x1
   0x555afb91 <_PyEval_EvalFrameDefault+4065> test   eax, eax
 → 0x555afb93 <_PyEval_EvalFrameDefault+4067> mov    QWORD PTR [rcx], rdx
   0x555afb96 <_PyEval_EvalFrameDefault+4070> jne    0x555af226 <_PyEval_EvalFrameDefault+1654>
   0x555afb9c <_PyEval_EvalFrameDefault+4076> mov    rdx, r12
   0x555afb9f <_PyEval_EvalFrameDefault+4079> sub    rdx, QWORD PTR [rsp+0x8]
   0x555afba4 <_PyEval_EvalFrameDefault+4084> add    r12, 0x2
   0x555afba8 <_PyEval_EvalFrameDefault+4088> mov    DWORD PTR [rbx+0x68], edx
─
 source:Python/ceval.c+1352 
   1347  
   1348  case TARGET(LOAD_CONST): {
   1349  PREDICTED(LOAD_CONST);
   1350  PyObject *value = GETITEM(consts, oparg);
   1351  Py_INCREF(value);
 → 1352  PUSH(value);
   1353  FAST_DISPATCH();
   1354  }
   1355  
   1356  case TARGET(STORE_FAST): {
   1357  PREDICTED(STORE_FAST);

 threads 
[#0] Id 1, Name: "python", stopped, reason: SIGSEGV
──
 trace 
[#0] 0x555afb93 → _PyEval_EvalFrameDefault(f=, 
throwflag=)
[#1] 0x5568ad59 → _PyEval_EvalFrame(tstate=0x55b237b0, throwflag=0x0, 
f=0x77eee440)
[#2] 0x5568ad59 → _PyEval_EvalCode(tstate=0x55b237b0, 
_co=0x77ebdd40, globals=0x77f12480, locals=0x77f12480, args=0x0, 
argcount=0x0, kwnames=0x0, kwargs=0x0, kwcount=0x0, kwstep=0x2, defs=0x0, 
defcount=0x0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
[#3] 0x5568b0c6 → _PyEval_EvalCodeWithName(qualname=0x0, name=0x0, 
closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwstep=0x2, kwcount=0x0, 
kwargs=0x0, kwnames=0x0, argcount=0x0, args=0x0, locals=0x77f12480, 
globals=0x77f12480, _co=0x77ebdd40)
[#4] 0x5568b0c6 → PyEval_EvalCodeEx(closure=0x0, kwdefs=0x0, defcount=0x0, 
defs=0x0, kwcount=0x0, kws=0x0, argcount=0x0, args=0x0, locals=0x77f12480, 
globals=0x77f12480, _co=0x77ebdd40)
[#5] 0x5568b0c6 → PyEval_EvalCode(co=0x77ebdd40, 
globals=0x77f12480, locals=0x77f12480)
[#6] 0x556d6f1e → run_eval_code_obj(locals=0x77f12480, 
globals=0x77f12480, co=0x77ebdd40)
[#7] 0x556d6f1e → run_pyc_file(filename=, 
flags=0x7fffdc68, locals=0x77f12480, globals=0x77f12480, 
fp=0x55b85360)
[#8] 0x556d6f1e → PyRun_SimpleFileExFlags(flags=, 
closeit=, filename=, fp=)
[#9] 0x556d6f1e → PyRun_SimpleFileEx(f=, p=, 
c=)
─
_PyEval_EvalFrameDefault (f=, throwflag=) at 
Python/ceval.c:1352
1352    PUSH(value);
gef➤  exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: f01ce56ffe2792b45d9959e69a1ae15d.6dcf66201de3c2adc2e25e04dbdb55e8
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching 
the destination operand of the instruction. This likely indicates a write 
access violation, which means the attacker may control the write address and/or 
value.
Other tags: AccessViolation (21/22)
```

--
components: Interpreter Core
files: c1
messages: 359199
nosy: ggbang
priority: normal
severity: normal
status: open
title: Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault
type: security
versions: Python 3.9
Added file: https://bugs.python.org/file48822/c1
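
Since the eval loop trusts operands such as the `oparg` in `GETITEM(consts, oparg)` and the thread rules out adding checks on that path, a caller that has to handle code objects from an untrusted source can check them before execution instead. The following is an added example, not CPython code and not part of the original thread; `const_violations` and `check_code` are hypothetical names, the sample bytes are constructed, and it assumes the CPython 3.6+ two-byte instruction format. It only checks constant-table indexes (not stack depth, jump targets or other operands), so a clean result does not make bytecode safe to run.

```python
import dis
from types import CodeType

EXTENDED_ARG = dis.opmap["EXTENDED_ARG"]
HAS_CONST = frozenset(dis.hasconst)  # opcodes whose operand indexes co_consts


def const_violations(raw, n_consts):
    """Return [(offset, opname, index)] for const operands >= n_consts.

    Assumes CPython 3.6+ "wordcode": one opcode byte plus one operand byte,
    with EXTENDED_ARG prefixes supplying the higher operand bytes.
    """
    bad, ext = [], 0
    for off in range(0, len(raw) - 1, 2):
        op, arg = raw[off], raw[off + 1] | ext
        if op == EXTENDED_ARG:
            ext = arg << 8  # carried into the next instruction's operand
            continue
        ext = 0
        if op in HAS_CONST and arg >= n_consts:
            bad.append((off, dis.opname[op], arg))
    return bad


def check_code(code):
    """Check a code object and every code object nested in its constants."""
    found = [(code.co_name, *v)
             for v in const_violations(code.co_code, len(code.co_consts))]
    for const in code.co_consts:
        if isinstance(const, CodeType):
            found.extend(check_code(const))
    return found


# Constructed samples: raw instruction bytes only, nothing is executed.
LOAD_CONST = dis.opmap["LOAD_CONST"]
SAMPLE_BAD = bytes([LOAD_CONST, 5])                   # index 5
SAMPLE_EXT = bytes([EXTENDED_ARG, 1, LOAD_CONST, 0])  # index 256 via prefix

if __name__ == "__main__":
    print(const_violations(SAMPLE_BAD, 2))
    print(const_violations(SAMPLE_EXT, 2))
    good = compile("def f():\n    return 'ok'\n", "<sample>", "exec")
    print(check_code(good))
```
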
