AddressSanitizer: SEGV on unknown address 0x000cffff800d #73679

Closed
beginvuln mannequin opened this issue Feb 8, 2017 · 1 comment
Labels
extension-modules C modules in the Modules dir type-bug An unexpected behavior, bug, or error

beginvuln mannequin commented Feb 8, 2017

BPO 29493
Files
  • gcmodule_1699: PoC
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2017-02-08.15:00:01.191>
    created_at = <Date 2017-02-08.14:50:45.506>
    labels = ['extension-modules', 'type-bug']
    title = 'AddressSanitizer: SEGV on unknown address 0x000cffff800d'
    updated_at = <Date 2017-02-08.15:00:01.190>
    user = 'https://bugs.python.org/beginvuln'

    bugs.python.org fields:

    activity = <Date 2017-02-08.15:00:01.190>
    actor = 'matrixise'
    assignee = 'none'
    closed = True
    closed_date = <Date 2017-02-08.15:00:01.191>
    closer = 'matrixise'
    components = ['Extension Modules']
    creation = <Date 2017-02-08.14:50:45.506>
    creator = 'beginvuln'
    dependencies = []
    files = ['46588']
    hgrepos = []
    issue_num = 29493
    keywords = []
    message_count = 1.0
    messages = ['287330']
    nosy_count = 1.0
    nosy_names = ['beginvuln']
    pr_nums = []
    priority = 'low'
    resolution = None
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue29493'
    versions = ['Python 3.6']

    beginvuln mannequin commented Feb 8, 2017

    OS Version : Ubuntu 16.04 LTS
    Python download link : https://www.python.org/ftp/python/3.6.0/Python-3.6.0.tar.xz

    Python version : 3.6.0

    Normal build cmd :
    ./configure
    make

    Asan build cmd:
    export CC="/usr/bin/clang -fsanitize=address"
    export CXX="/usr/bin/clang++ -fsanitize=address"
    ./configure
    make

    GDB with exploitable:

    To enable execution of this file add
    add-auto-load-safe-path /home/test/check/PythonGDB/python-gdb.py
    line to your configuration file "/home/test/.gdbinit".
    To completely disable this security protection add
    set auto-load safe-path /
    line to your configuration file "/home/test/.gdbinit".
    For more information about this security protection see the
    "Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
    info "(gdb)Auto-loading safe path"
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000043d563 in PyObject_GC_UnTrack (op=0x7ffff3810400) at Modules/gcmodule.c:1699
    1699 _PyObject_GC_UNTRACK(op);
    Description: Access violation on destination operand
    Short description: DestAv (8/22)
    Hash: a30125899c34aa234161214a7afc7066.d78488ccad0508b81b411140385e7113
    Exploitability Classification: EXPLOITABLE
    Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
    Other tags: AccessViolation (21/22)

    ASAN:

    EsFASAN:DEADLYSIGNAL
    =================================================================
    ==18094==ERROR: AddressSanitizer: SEGV on unknown address 0x000cffff800d (pc 0x000000543039 bp 0x0fec572c0c81 sp 0x7ffc421b9cf0 T0)
    #0 0x543038 in PyObject_GC_UnTrack /home/test/check/PythonASAN/Modules/gcmodule.c:1699 (discriminator 4)
    #1 0x543038 in ?? ??:0
    #2 0x65ca2f in subtype_dealloc /home/test/check/PythonASAN/Objects/typeobject.c:1133
    #3 0x65ca2f in ?? ??:0
    #4 0x5d10da in frame_dealloc /home/test/check/PythonASAN/Objects/frameobject.c:423 (discriminator 5)
    #5 0x5d10da in ?? ??:0
    #6 0x5304c4 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:55 (discriminator 5)
    #7 0x5304c4 in ?? ??:0
    #8 0x530456 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:54 (discriminator 5)
    #9 0x530456 in ?? ??:0
    #10 0x530456 in tb_dealloc /home/test/check/PythonASAN/Python/traceback.c:54 (discriminator 5)
    #11 0x530456 in ?? ??:0
    #12 0x5b3b49 in BaseException_clear /home/test/check/PythonASAN/Objects/exceptions.c:76 (discriminator 5)
    #13 0x5b3b49 in ?? ??:0
    #14 0x5b3742 in BaseException_dealloc /home/test/check/PythonASAN/Objects/exceptions.c:86
    #15 0x5b3742 in ?? ??:0
    #16 0x656df9 in tupledealloc /home/test/check/PythonASAN/Objects/tupleobject.c:243 (discriminator 5)
    #17 0x656df9 in ?? ??:0
    #18 0x656df9 in tupledealloc /home/test/check/PythonASAN/Objects/tupleobject.c:243 (discriminator 5)
    #19 0x656df9 in ?? ??:0
    #20 0x5e5c19 in list_clear /home/test/check/PythonASAN/Objects/listobject.c:562 (discriminator 5)
    #21 0x5e5c19 in listclear /home/test/check/PythonASAN/Objects/listobject.c:763 (discriminator 5)
    #22 0x5e5c19 in ?? ??:0
    #23 0x632208 in _PyCFunction_FastCallDict /home/test/check/PythonASAN/Objects/methodobject.c:192
    #24 0x632208 in ?? ??:0
    #25 0x7a7751 in call_function /home/test/check/PythonASAN/Python/ceval.c:4788 (discriminator 17)
    #26 0x7a7751 in ?? ??:0
    #27 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #28 0x7995cc in ?? ??:0
    #29 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #30 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #31 0x7a9847 in ?? ??:0
    #32 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #33 0x7ac2ea in ?? ??:0
    #34 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #35 0x574668 in ?? ??:0
    #36 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #37 0x5749fa in ?? ??:0
    #38 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #39 0x573e9b in ?? ??:0
    #40 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #41 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #42 0x793369 in ?? ??:0
    #43 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #44 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #45 0x7a9847 in ?? ??:0
    #46 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #47 0x7ac2ea in ?? ??:0
    #48 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #49 0x574668 in ?? ??:0
    #50 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #51 0x5749fa in ?? ??:0
    #52 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #53 0x573e9b in ?? ??:0
    #54 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #55 0x66efe4 in ?? ??:0
    #56 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #57 0x5745f0 in ?? ??:0
    #58 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #59 0x7a7429 in ?? ??:0
    #60 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #61 0x7995cc in ?? ??:0
    #62 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #63 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #64 0x7a9847 in ?? ??:0
    #65 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #66 0x7ac2ea in ?? ??:0
    #67 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #68 0x574668 in ?? ??:0
    #69 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #70 0x5749fa in ?? ??:0
    #71 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #72 0x573e9b in ?? ??:0
    #73 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #74 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #75 0x793369 in ?? ??:0
    #76 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #77 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #78 0x7a9847 in ?? ??:0
    #79 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #80 0x7ac2ea in ?? ??:0
    #81 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #82 0x574668 in ?? ??:0
    #83 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #84 0x5749fa in ?? ??:0
    #85 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #86 0x573e9b in ?? ??:0
    #87 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #88 0x66efe4 in ?? ??:0
    #89 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #90 0x5745f0 in ?? ??:0
    #91 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #92 0x7a7429 in ?? ??:0
    #93 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #94 0x7995cc in ?? ??:0
    #95 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #96 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #97 0x7a9847 in ?? ??:0
    #98 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #99 0x7ac2ea in ?? ??:0
    #100 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #101 0x574668 in ?? ??:0
    #102 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #103 0x5749fa in ?? ??:0
    #104 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #105 0x573e9b in ?? ??:0
    #106 0x793369 in do_call_core /home/test/check/PythonASAN/Python/ceval.c:5057
    #107 0x793369 in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3357
    #108 0x793369 in ?? ??:0
    #109 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #110 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #111 0x7a9847 in ?? ??:0
    #112 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #113 0x7ac2ea in ?? ??:0
    #114 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #115 0x574668 in ?? ??:0
    #116 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #117 0x5749fa in ?? ??:0
    #118 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #119 0x573e9b in ?? ??:0
    #120 0x66efe4 in slot_tp_call /home/test/check/PythonASAN/Objects/typeobject.c:6167
    #121 0x66efe4 in ?? ??:0
    #122 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #123 0x5745f0 in ?? ??:0
    #124 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #125 0x7a7429 in ?? ??:0
    #126 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #127 0x7995cc in ?? ??:0
    #128 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #129 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #130 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #131 0x7ab4cb in ?? ??:0
    #132 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #133 0x7a76f2 in ?? ??:0
    #134 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #135 0x7995cc in ?? ??:0
    #136 0x7ab4cb in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #137 0x7ab4cb in _PyFunction_FastCall /home/test/check/PythonASAN/Python/ceval.c:4870
    #138 0x7ab4cb in fast_function /home/test/check/PythonASAN/Python/ceval.c:4905
    #139 0x7ab4cb in ?? ??:0
    #140 0x7a76f2 in call_function /home/test/check/PythonASAN/Python/ceval.c:4809
    #141 0x7a76f2 in ?? ??:0
    #142 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #143 0x7995cc in ?? ??:0
    #144 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #145 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #146 0x7a9847 in ?? ??:0
    #147 0x7ac2ea in _PyFunction_FastCallDict /home/test/check/PythonASAN/Python/ceval.c:5021
    #148 0x7ac2ea in ?? ??:0
    #149 0x574668 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2295
    #150 0x574668 in ?? ??:0
    #151 0x5749fa in _PyObject_Call_Prepend /home/test/check/PythonASAN/Objects/abstract.c:2358
    #152 0x5749fa in ?? ??:0
    #153 0x573e9b in PyObject_Call /home/test/check/PythonASAN/Objects/abstract.c:2246
    #154 0x573e9b in ?? ??:0
    #155 0x6713f8 in slot_tp_init /home/test/check/PythonASAN/Objects/typeobject.c:6380
    #156 0x6713f8 in ?? ??:0
    #157 0x666d8d in type_call /home/test/check/PythonASAN/Objects/typeobject.c:915 (discriminator 1)
    #158 0x666d8d in ?? ??:0
    #159 0x5745f0 in _PyObject_FastCallDict /home/test/check/PythonASAN/Objects/abstract.c:2316
    #160 0x5745f0 in ?? ??:0
    #161 0x7a7429 in call_function /home/test/check/PythonASAN/Python/ceval.c:4812
    #162 0x7a7429 in ?? ??:0
    #163 0x7995cc in _PyEval_EvalFrameDefault /home/test/check/PythonASAN/Python/ceval.c:3275
    #164 0x7995cc in ?? ??:0
    #165 0x7a9847 in PyEval_EvalFrameEx /home/test/check/PythonASAN/Python/ceval.c:718
    #166 0x7a9847 in _PyEval_EvalCodeWithName /home/test/check/PythonASAN/Python/ceval.c:4119
    #167 0x7a9847 in ?? ??:0
    #168 0x78e0df in PyEval_EvalCodeEx /home/test/check/PythonASAN/Python/ceval.c:4140
    #169 0x78e0df in PyEval_EvalCode /home/test/check/PythonASAN/Python/ceval.c:695
    #170 0x78e0df in ?? ??:0
    #171 0x5142f5 in run_mod /home/test/check/PythonASAN/Python/pythonrun.c:980
    #172 0x5142f5 in PyRun_FileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:933
    #173 0x5142f5 in ?? ??:0
    #174 0x512afa in PyRun_SimpleFileExFlags /home/test/check/PythonASAN/Python/pythonrun.c:396
    #175 0x512afa in ?? ??:0
    #176 0x53eefd in run_file /home/test/check/PythonASAN/Modules/main.c:320
    #177 0x53eefd in Py_Main /home/test/check/PythonASAN/Modules/main.c:780
    #178 0x53eefd in ?? ??:0
    #179 0x503d16 in main /home/test/check/PythonASAN/./Programs/python.c:69
    #180 0x503d16 in ?? ??:0
    #181 0x7f62bf5d482f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #182 0x7f62bf5d482f in ?? ??:0
    #183 0x432548 in _start ??:?
    #184 0x432548 in ?? ??:0

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/home/test/check/PythonASAN/python+0x543038)
    ==18094==ABORTING

    @beginvuln beginvuln mannequin added type-security A security issue interpreter-core (Objects, Python, Grammar, and Parser dirs) labels Feb 8, 2017
    @tiran tiran added extension-modules C modules in the Modules dir type-bug An unexpected behavior, bug, or error and removed interpreter-core (Objects, Python, Grammar, and Parser dirs) type-security A security issue labels Feb 8, 2017
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022