
Py_DECREF on a non-owned object in _sre #71961

Closed
benjaminp opened this issue Aug 16, 2016 · 2 comments
Labels
type-security A security issue

Comments

@benjaminp

BPO 27774
Nosy @benjaminp

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2016-08-16.05:05:31.257>
created_at = <Date 2016-08-16.05:00:44.256>
labels = ['type-security']
title = 'Py_DECREF on a non-owned object in _sre'
updated_at = <Date 2016-08-16.05:05:31.255>
user = 'https://github.com/benjaminp'

bugs.python.org fields:

activity = <Date 2016-08-16.05:05:31.255>
actor = 'python-dev'
assignee = 'none'
closed = True
closed_date = <Date 2016-08-16.05:05:31.257>
closer = 'python-dev'
components = []
creation = <Date 2016-08-16.05:00:44.256>
creator = 'benjamin.peterson'
dependencies = []
files = []
hgrepos = []
issue_num = 27774
keywords = []
message_count = 2.0
messages = ['272831', '272833']
nosy_count = 2.0
nosy_names = ['benjamin.peterson', 'python-dev']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue27774'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6']

@benjaminp

Thomas E Hybel reports:

This vulnerability exists in the function _sre_SRE_Match_groupdict_impl, which resides in the /Modules/_sre.c file.

The problem is that the code calls Py_DECREF(key); without having done a corresponding Py_INCREF on the key.

Here's the relevant code:

    static PyObject *
    _sre_SRE_Match_groupdict_impl(MatchObject *self, PyObject *default_value)
    {
        ...
        for (index = 0; index < PyList_GET_SIZE(keys); index++) {
            ...
            PyObject* key;
            ...
            key = PyList_GET_ITEM(keys, index);
            ...
            value = match_getslice(self, key, default_value);
            if (!value) {
                Py_DECREF(key);
                goto failed;
            }
            ...
        }
        ...
    }

We initialize the "key" variable via PyList_GET_ITEM(keys, index), which simply takes keys->ob_item[index]. There is no increase in reference count.

If match_getslice fails, we then call Py_DECREF(key). This is simply wrong. It will result in the key object getting freed prematurely, leading to use-after-free scenarios.

Here's a script which reproduces this:

--- begin script ---

    import _sre
    import time

    p = _sre.compile(
        "A",                # pattern
        0,                  # flags
        [1],                # code
        1,                  # groups
        {0xdeadbeef: 0},    # groupindex
        0                   # indexgroup
    )

    m = p.match("AAAA")

    for _ in range(5):
        # each call to m.groupdict decreases the refcount of 0xdeadbeef once
        try:
            m.groupdict()
        except IndexError:
            pass

--- end script ---

Running the script crashes python on my machine:

(gdb) r ./poc7.py
Starting program: /home/xx/Python-3.5.2/python ./poc7.py

Program received signal SIGSEGV, Segmentation fault.
0x0000000000567d71 in match_getindex (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0)
at ./Modules/_sre.c:2055
2055 if (PyLong_Check(index))
(gdb) bt
#0 0x0000000000567d71 in match_getindex (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0)
at ./Modules/_sre.c:2055
#1 0x0000000000568946 in match_getslice (self=self@entry=0x7ffff7e2da18, index=index@entry=0x7ffff6d582c0,
def=def@entry=0x8831c0 <_Py_NoneStruct>) at ./Modules/_sre.c:2076
#2 0x0000000000568a99 in _sre_SRE_Match_groupdict_impl (self=self@entry=0x7ffff7e2da18,
default_value=0x8831c0 <_Py_NoneStruct>) at ./Modules/_sre.c:2198
#3 0x0000000000568bc5 in _sre_SRE_Match_groupdict (self=0x7ffff7e2da18, args=<optimized out>,
kwargs=<optimized out>) at ./Modules/clinic/_sre.c.h:518
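The ownership rule the report relies on, shown as an added, self-contained C model rather than code from the report or from CPython: a container that owns one strong reference per item, an accessor with PyList_GET_ITEM semantics (it returns a borrowed reference and leaves the count untouched), and the same error path written once with the stray decref and once without it, which is what the fix "do not decref value borrowed from list" amounts to. `Obj`, `List`, `list_get_item`, `getslice_fails`, `groupdict_buggy`, `groupdict_fixed` and `key_dangles_after` are constructed stand-ins, not CPython API; a zero refcount only marks the object freed here so the result can be inspected.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for a reference-counted object (constructed for this
 * example; not the real PyObject layout). A refcount of zero sets `freed`
 * instead of calling free(), so the outcome can be inspected afterwards. */
typedef struct {
    long refcnt;
    int freed;
} Obj;

/* The creator owns one reference, as with a freshly built Python object. */
static Obj *obj_new(void) { Obj *o = calloc(1, sizeof *o); if (!o) abort(); o->refcnt = 1; return o; }
static void obj_incref(Obj *o) { o->refcnt++; }
static void obj_decref(Obj *o) { if (--o->refcnt == 0) o->freed = 1; /* real code deallocates here */ }

/* A list owns one strong reference per item, like PyListObject. */
typedef struct {
    Obj **items;
    size_t n;
} List;

static List *list_new(void) { List *l = calloc(1, sizeof *l); if (!l) abort(); return l; }

/* PyList_Append semantics: the list takes its own reference to the item. */
static void list_append(List *l, Obj *o)
{
    Obj **grown = realloc(l->items, (l->n + 1) * sizeof *grown);
    if (!grown) abort();
    l->items = grown;
    obj_incref(o);
    l->items[l->n++] = o;
}

/* PyList_GET_ITEM semantics: a BORROWED reference, refcount untouched. */
static Obj *list_get_item(const List *l, size_t i) { return l->items[i]; }

/* Stand-in for match_getslice() failing (for instance on a group index that
 * does not exist). NULL signals the error, which is the path the report hits. */
static Obj *getslice_fails(Obj *key) { (void)key; return NULL; }

/* The flawed pattern: a decref on a reference this function never owned. */
static void groupdict_buggy(List *keys)
{
    for (size_t i = 0; i < keys->n; i++) {
        Obj *key = list_get_item(keys, i);      /* borrowed from the list */
        Obj *value = getslice_fails(key);
        if (!value) {
            obj_decref(key);                    /* WRONG: drops the list's reference */
            return;
        }
        obj_decref(value);                      /* value would be a new reference */
    }
}

/* The corrected pattern: on error just leave; the list keeps the reference
 * it owns and nothing here touches the key's count. */
static void groupdict_fixed(List *keys)
{
    for (size_t i = 0; i < keys->n; i++) {
        Obj *key = list_get_item(keys, i);      /* borrowed, never decref'd here */
        Obj *value = getslice_fails(key);
        if (!value)
            return;
        obj_decref(value);
    }
}

/* Builds a one-key list, runs either version, then releases the caller's own
 * temporary reference. Returns 1 if the key is now marked freed while the
 * list still points at it (a dangling pointer: the use-after-free the report
 * describes), 0 if the list still holds a live object. */
static int key_dangles_after(int use_fixed)
{
    Obj *key = obj_new();                       /* refcnt 1: ours */
    List *keys = list_new();
    list_append(keys, key);                     /* refcnt 2: ours + the list's */

    if (use_fixed) groupdict_fixed(keys); else groupdict_buggy(keys);

    obj_decref(key);                            /* drop our temporary reference */
    int dangling = key->freed && keys->items[0] == key;

    free(keys->items);
    free(keys);
    free(key);
    return dangling;
}

int main(void)
{
    printf("buggy groupdict leaves a dangling key in the list: %d\n", key_dangles_after(0));
    printf("fixed groupdict leaves a dangling key in the list: %d\n", key_dangles_after(1));
    return 0;
}
```

The model makes the accounting visible: with the stray decref the key's count falls to zero while the list still stores its pointer, so the next `list_get_item` (the next groupdict call in the report's script) hands out a freed object; the fixed version leaves the count at one, matching the single owner that remains. The same check applies to any CPython function that takes a borrowed reference from `PyList_GET_ITEM`, `PyTuple_GET_ITEM` or `PyDict_GetItem`: an error path may only `Py_DECREF` what the function itself obtained as a new reference.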

@benjaminp benjaminp added the type-security A security issue label Aug 16, 2016

python-dev mannequin commented Aug 16, 2016

New changeset 4ca84a3e37d7 by Benjamin Peterson in branch '2.7':
do not decref value borrowed from list (closes bpo-27774)
https://hg.python.org/cpython/rev/4ca84a3e37d7

New changeset cbf2a05648b3 by Benjamin Peterson in branch '3.3':
do not decref value borrowed from list (closes bpo-27774)
https://hg.python.org/cpython/rev/cbf2a05648b3

New changeset 2e404ac88e0e by Benjamin Peterson in branch '3.4':
merge 3.3 (bpo-27774)
https://hg.python.org/cpython/rev/2e404ac88e0e

New changeset 424cb9482974 by Benjamin Peterson in branch '3.5':
merge 3.4 (bpo-27774)
https://hg.python.org/cpython/rev/424cb9482974

New changeset 64b0e0a29874 by Benjamin Peterson in branch 'default':
merge 3.5 (bpo-27774)
https://hg.python.org/cpython/rev/64b0e0a29874

@python-dev python-dev mannequin closed this as completed Aug 16, 2016
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022