John Leitch added the comment: The "exception analysis" is output from the WinDbg !analyze command run on a crash where access to the uninitialized memory ultimately corrupted the instruction pointer, leading to a data execution prevention crash. That's why the disassembly is junk--the IP is not pointing to valid instructions. This crash was provided as an example because it demonstrates that the issue is likely exploitable, and can probably be used to achieve code execution.
Here is an example of a crash where execution halts immediately upon attempting to dereference a corrupted pointer. Note that the pointer is 0xC0C0C0C0--a fill pattern indicative of uninitialized memory.

0:000> r
eax=000002a2 ebx=551160a8 ecx=c0c0c0c0 edx=07e538e0 esi=07e538e0 edi=c0c0c0c0
eip=54f25a55 esp=004cf6e4 ebp=004cf6f4 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
python35!do_richcompare+0x15:
54f25a55 8b4704          mov     eax,dword ptr [edi+4] ds:002b:c0c0c0c4=????????

0:000> k
ChildEBP RetAddr
004cf6f4 54f25be3 python35!do_richcompare+0x15 [c:\build\cpython\objects\object.c @ 659]
004cf700 54e453fc python35!PyObject_RichCompare+0x53 [c:\build\cpython\objects\object.c @ 718]
(Inline) -------- python35!PyObject_RichCompareBool+0x14 [c:\build\cpython\objects\object.c @ 739]
004cf738 54f232d3 python35!deque_index+0xac [c:\build\cpython\modules\_collectionsmodule.c @ 933]
004cf754 54f8442f python35!PyCFunction_Call+0x113 [c:\build\cpython\objects\methodobject.c @ 109]
004cf788 54f818ec python35!call_function+0x2ff [c:\build\cpython\python\ceval.c @ 4651]
004cf800 54f8339f python35!PyEval_EvalFrameEx+0x232c [c:\build\cpython\python\ceval.c @ 3184]
004cf84c 54fba0b2 python35!_PyEval_EvalCodeWithName+0x82f [c:\build\cpython\python\ceval.c @ 3962]
(Inline) -------- python35!PyEval_EvalCodeEx+0x21 [c:\build\cpython\python\ceval.c @ 3983]
(Inline) -------- python35!PyEval_EvalCode+0x21 [c:\build\cpython\python\ceval.c @ 777]
004cf888 54fb9f45 python35!run_mod+0x42 [c:\build\cpython\python\pythonrun.c @ 970]
004cf8b4 54fb8fba python35!PyRun_FileExFlags+0x85 [c:\build\cpython\python\pythonrun.c @ 923]
004cf8f8 54e8f1f7 python35!PyRun_SimpleFileExFlags+0x20a [c:\build\cpython\python\pythonrun.c @ 396]
(Inline) -------- python35!PyRun_AnyFileExFlags+0x4e [c:\build\cpython\python\pythonrun.c @ 80]
004cf924 54e8fb33 python35!run_file+0xe7 [c:\build\cpython\modules\main.c @ 318]
004cf9c8 1cd4143f python35!Py_Main+0x913 [c:\build\cpython\modules\main.c @ 768]
(Inline) -------- python!invoke_main+0x1d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 89]
004cfa14 75463744 python!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 264]
004cfa28 76f0a064 KERNEL32!BaseThreadInitThunk+0x24
004cfa70 76f0a02f ntdll!__RtlUserThreadStart+0x2f
004cfa80 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> !analyze -v -nodb
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP:
python35!do_richcompare+15 [c:\build\cpython\objects\object.c @ 659]
54f25a55 8b4704          mov     eax,dword ptr [edi+4]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 54f25a55 (python35!do_richcompare+0x00000015)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: c0c0c0c4
Attempt to read from address c0c0c0c4

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=000002a2 ebx=551160a8 ecx=c0c0c0c0 edx=07e538e0 esi=07e538e0 edi=c0c0c0c0
eip=54f25a55 esp=004cf6e4 ebp=004cf6f4 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
python35!do_richcompare+0x15:
54f25a55 8b4704          mov     eax,dword ptr [edi+4] ds:002b:c0c0c0c4=????????

FAULTING_THREAD:  00004a48

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  python.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  c0c0c0c4

READ_ADDRESS:  c0c0c0c4

FOLLOWUP_IP:
python35!do_richcompare+15 [c:\build\cpython\objects\object.c @ 659]
54f25a55 8b4704          mov     eax,dword ptr [edi+4]

NTGLOBALFLAG:  2000000

APPLICATION_VERIFIER_FLAGS:  0

APP:  python.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 54f25be3 to 54f25a55

STACK_TEXT:
004cf6f4 54f25be3 00000002 004cf738 54e453fc python35!do_richcompare+0x15
004cf700 54e453fc c0c0c0c0 07e538e0 00000002 python35!PyObject_RichCompare+0x53
004cf738 54f232d3 07e31d18 07e50e40 08e78b48 python35!deque_index+0xac
004cf754 54f8442f 08e78b48 07e50e40 00000000 python35!PyCFunction_Call+0x113
004cf788 54f818ec 0586eab0 00000000 00000040 python35!call_function+0x2ff
004cf800 54f8339f 0586eab0 00000000 08910ff0 python35!PyEval_EvalFrameEx+0x232c
004cf84c 54fba0b2 0588ff80 00000000 00000000 python35!_PyEval_EvalCodeWithName+0x82f
004cf888 54fb9f45 0588ff80 0588ff80 004cf954 python35!run_mod+0x42
004cf8b4 54fb8fba 06a90fc8 0581bc70 00000101 python35!PyRun_FileExFlags+0x85
004cf8f8 54e8f1f7 06a90fc8 0581bc70 00000001 python35!PyRun_SimpleFileExFlags+0x20a
004cf924 54e8fb33 004cf954 71902100 71902108 python35!run_file+0xe7
004cf9c8 1cd4143f 00000002 05b46f08 05b4cf48 python35!Py_Main+0x913
004cfa14 75463744 7ecee000 75463720 fbb4cf67 python!__scrt_common_main_seh+0xff
004cfa28 76f0a064 7ecee000 949593e0 00000000 KERNEL32!BaseThreadInitThunk+0x24
004cfa70 76f0a02f ffffffff 76f2d7ec 00000000 ntdll!__RtlUserThreadStart+0x2f
004cfa80 00000000 1cd414f7 7ecee000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  c:\build\cpython\objects\object.c

FAULTING_SOURCE_FILE:  c:\build\cpython\objects\object.c

FAULTING_SOURCE_LINE_NUMBER:  659

FAULTING_SOURCE_CODE:
   655:     PyObject *res;
   656:     int checked_reverse_op = 0;
   657:
   658:     if (v->ob_type != w->ob_type &&
>  659:         PyType_IsSubtype(w->ob_type, v->ob_type) &&
   660:         (f = w->ob_type->tp_richcompare) != NULL) {
   661:         checked_reverse_op = 1;
   662:         res = (*f)(w, v, _Py_SwappedOp[op]);
   663:         if (res != Py_NotImplemented)
   664:             return res;

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  python35!do_richcompare+15

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: python35

IMAGE_NAME:  python35.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  55c83105

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_python35.dll!do_richcompare

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_python35!do_richcompare+15

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_python35.dll!do_richcompare

FAILURE_ID_HASH:  {9d923c37-6c51-89af-91c6-b0039172374e}

Followup: MachineOwner
---------

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24913>
_______________________________________
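Added here as an example, not part of the original report or of CPython: a small triage helper that parses the register dump and faulting instruction from WinDbg output like the one above, recomputes the effective address of the faulting dereference from the base register, and flags registers holding known debug-allocator fill patterns. The fill-pattern table beyond 0xC0C0C0C0 is assumed knowledge of the MSVC debug CRT and Windows heap, not taken from the report.

```python
import re

# Fill patterns written by debug allocators. 0xC0C0C0C0 is the value the report
# calls "a fill pattern indicative of uninitialized memory" (the report's
# NTGLOBALFLAG 2000000 is FLG_HEAP_PAGE_ALLOCS, i.e. page heap). The remaining
# entries are MSVC debug CRT / Windows heap patterns, assumed and not from the report.
FILL_PATTERNS = {
    0xC0C0C0C0: "page heap: freshly allocated, uninitialized memory",
    0xCDCDCDCD: "MSVC debug CRT: uninitialized heap memory",
    0xDDDDDDDD: "MSVC debug CRT: freed heap memory",
    0xFEEEFEEE: "Windows heap: freed memory",
    0xBAADF00D: "Windows heap: uninitialized HeapAlloc memory",
}

# Constructed excerpt of the `r` output shown in the report above.
SAMPLE = """\
eax=000002a2 ebx=551160a8 ecx=c0c0c0c0 edx=07e538e0 esi=07e538e0 edi=c0c0c0c0
eip=54f25a55 esp=004cf6e4 ebp=004cf6f4 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010287
python35!do_richcompare+0x15:
54f25a55 8b4704          mov     eax,dword ptr [edi+4] ds:002b:c0c0c0c4=????????
"""

REG_RE = re.compile(r"\b([a-z]{3})=([0-9a-f]{8})\b")
# Memory operand of the faulting instruction plus the address WinDbg resolved it to
# (WinDbg prints hex displacements with an 'h' suffix, e.g. [ebp-0Ch]).
DEREF_RE = re.compile(
    r"ptr \[([a-z]{3})(?:([+-])([0-9A-Fa-f]+)h?)?\]\s+ds:[0-9a-f]+:([0-9a-f]{8})")

def parse_registers(text):
    """Return {name: value} for the 32-bit registers in an `r` dump."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}

def classify_fault(text):
    """Recompute the faulting address from the base register and say whether the
    dereferenced pointer is a debug-allocator fill pattern."""
    regs = parse_registers(text)
    m = DEREF_RE.search(text)
    if m is None:
        raise ValueError("no memory operand with a resolved address found")
    base, sign, disp, resolved = m.group(1), m.group(2), m.group(3), int(m.group(4), 16)
    offset = int(disp, 16) if disp else 0
    effective = (regs[base] + (-offset if sign == "-" else offset)) & 0xFFFFFFFF
    tainted = {r: FILL_PATTERNS[v] for r, v in regs.items() if v in FILL_PATTERNS}
    if regs[base] in FILL_PATTERNS:
        verdict = "read through fill-pattern pointer in %s: %s" % (base, FILL_PATTERNS[regs[base]])
    else:
        verdict = "invalid pointer read; no known fill pattern in %s" % base
    return {"base_register": base, "effective_address": effective,
            "matches_resolved_address": effective == resolved,
            "fill_pattern_registers": tainted, "verdict": verdict}

if __name__ == "__main__":
    print(classify_fault(SAMPLE))
```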