New submission from Jeffrey Walton:

From Python head in mercurial:

$ hg id
7ce22d0899e4+ tip

Exporting "set allocator_may_return_null=1" for Clang might tickle this issue. Without the export, this test did not fail.

=================================================================
==21071==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000b99f4 at pc 0x4aafea bp 0x7fffd2318c70 sp 0x7fffd2318c20
WRITE of size 24 at 0x6030000b99f4 thread T0
    #0 0x4aafe9 in write_msghdr /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1395
    #1 0x4aafe9 in __interceptor_recvmsg /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1405
    #2 0x2ad35b764146 in sock_recvmsg_guts cpython/./Modules/socketmodule.c:2968
    #3 0x2ad35b75f83c in sock_recvmsg cpython/./Modules/socketmodule.c:3098
    #4 0x6642ba in ext_do_call cpython/./Python/ceval.c:4548
    #5 0x6642ba in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #6 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #7 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #8 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #9 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #10 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #11 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #12 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #13 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #14 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #15 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #16 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #17 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #18 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #19 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #20 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #21 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #22 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #23 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #24 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #25 0x830dcc in method_call cpython/./Objects/classobject.c:347
    #26 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #27 0x5ae10f in slot_tp_call cpython/./Objects/typeobject.c:5809
    #28 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #29 0x6653a0 in do_call cpython/./Python/ceval.c:4456
    #30 0x6653a0 in call_function cpython/./Python/ceval.c:4254
    #31 0x6653a0 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #32 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #33 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #34 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #35 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #36 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #37 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #38 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #39 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #40 0x830dcc in method_call cpython/./Objects/classobject.c:347
    #41 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #42 0x5ae10f in slot_tp_call cpython/./Objects/typeobject.c:5809
    #43 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #44 0x6653a0 in do_call cpython/./Python/ceval.c:4456
    #45 0x6653a0 in call_function cpython/./Python/ceval.c:4254
    #46 0x6653a0 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #47 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #48 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #49 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #50 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #51 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #52 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #53 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #54 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #55 0x830dcc in method_call cpython/./Objects/classobject.c:347
    #56 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #57 0x5ae10f in slot_tp_call cpython/./Objects/typeobject.c:5809
    #58 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #59 0x6653a0 in do_call cpython/./Python/ceval.c:4456
    #60 0x6653a0 in call_function cpython/./Python/ceval.c:4254
    #61 0x6653a0 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #62 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #63 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #64 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #65 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #66 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #67 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #68 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #69 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #70 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #71 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #72 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #73 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #74 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #75 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #76 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #77 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #78 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #79 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #80 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #81 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #82 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #83 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #84 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #85 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #86 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #87 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #88 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #89 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #90 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #91 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #92 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #93 0x6545ca in PyEval_EvalCode cpython/./Python/ceval.c:773
    #94 0x64d74c in builtin_exec cpython/./Python/bltinmodule.c:876
    #95 0x664ceb in call_function cpython/./Python/ceval.c:4227
    #96 0x664ceb in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #97 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #98 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #99 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #100 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #101 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #102 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #103 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #104 0x4ee527 in RunModule cpython/./Modules/main.c:209
    #105 0x4ed771 in Py_Main cpython/./Modules/main.c:693
    #106 0x4e7d54 in main cpython/././Modules/python.c:69
    #107 0x2ad3549e5eac in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:244
    #108 0x4e7b0c in _start (cpython/./python+0x4e7b0c)

0x6030000b99f4 is located 0 bytes to the right of 20-byte region [0x6030000b99e0,0x6030000b99f4)
allocated by thread T0 here:
    #0 0x4d1a39 in malloc /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x2ad35b763c55 in sock_recvmsg_guts cpython/./Modules/socketmodule.c:2949
    #2 0x2ad35b75f83c in sock_recvmsg cpython/./Modules/socketmodule.c:3098
    #3 0x6642ba in ext_do_call cpython/./Python/ceval.c:4548
    #4 0x6642ba in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #5 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1395 write_msghdr
Shadow bytes around the buggy address:
  0x0c068000f2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c068000f330: fa fa fa fa fa fa fa fa fa fa fa fa 00 00[04]fa
  0x0c068000f340: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
  0x0c068000f350: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c068000f360: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c068000f370: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c068000f380: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==21071==ABORTING
[ 58/389] test_socket

----------
components: Tests
hgrepos: 221
messages: 213667
nosy: Jeffrey.Walton
priority: normal
severity: normal
status: open
title: test_socket: buffer overflow in sock_recvmsg_guts
versions: Python 3.5

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20937>
_______________________________________