Various crashes while executing uctypes.sizeof() #12702
Closed
Description
We found a crash case involving uctypes.sizeof() that manifests sometimes as a global-buffer-overflow and other times as a null-dereference. We couldn't identify the apparent difference between the PoCs exhibiting global-buffer-overflow and those exhibiting null-dereference. We have attached three PoCs for each crash type.
Proof of Concept
$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython <poc_file>
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v1.20.0 (commit a3862e7, latest as of 2023-09-26)
v1.20.0 (commit 813d559, 2023-06-19)
Discovered in the UNIX port version.