[issue27254] heap overflow in Tkinter module

Wed, 08 Jun 2016 07:46:29 -0700 

Emin Ghuliev added the comment:

psuedocode

<+16>:  movsxd rdx,DWORD PTR [rbx+0x8]
<+20>:  lea    eax,[rdx+rbp*1]

newSize = length ($rdx) + dsPtr->length ($rbp)
gdb > print /x $rbp
$5 = 0xfffff
gdb > print /x $rdx
$6 = 0x100000

newsize = 0xfffff+0x100000 = 0x1fffff

<Tcl_DStringAppend+23>  cmp    eax,DWORD PTR [rbx+0xc]           ← $pc
<Tcl_DStringAppend+26>  jl     0x7ffff6194e38 <Tcl_DStringAppend+104>

newSize ($eax) >= dsPtr->spaceAvl

gdb > print /x $eax
$7 = 0x1fffff

gdb > x/x $rbx+0xc
0x7fffffffd0cc: 0x001ffffe

condition: 0x1fffff >= 0x001ffffe = True

        if (newSize >= dsPtr->spaceAvl) {
                <Tcl_DStringAppend+31>  lea    esi,[rax+rax*1] ; magic compiler 
optimization :) (newSize(0x1fffff)*2)
                /*                                                      */
                dsPtr->spaceAvl = newSize * 2;
                gdb > print /x $rax
                $4 = 0x1fffff
                $esi = 0x1fffff+0x1fffff (newSize(0x1fffff)*2) = 0x3ffffe
                /*                                                      */
                
                => <+34>:       lea    rax,[rbx+0x10]
                   <+38>:       mov    DWORD PTR [rbx+0xc],esi
                   <+41>:       cmp    rdi,rax ; $rax = dsPtr->staticSpace and 
$rdi = dsPtr->string
                   <+44>:       je     0x7ffff6194e50 <Tcl_DStringAppend+128>
                
                condition : dsPtr->string == dsPtr->staticSpace = False then 
jump to '<Tcl_DStringAppend+46>  call   0x7ffff60c2040 <Tcl_Realloc>'

                if (dsPtr->string == dsPtr->staticSpace) {                
                        char *newString = ckalloc(dsPtr->spaceAvl);
                        memcpy(newString, dsPtr->string, (size_t) 
dsPtr->length);
                        dsPtr->string = newString;
                } 
                else {
                        <Tcl_DStringAppend+46>  call   0x7ffff60c2040 
<Tcl_Realloc>
                        $rsi = 0x3ffffe
                        $rdi = 0x7ffff333e020
                        dsPtr->string = ckrealloc(dsPtr->string = 
0x7ffff333e020, dsPtr->spaceAvl = 0x3ffffe);
                }
        }


disassemble: 
                 <Tcl_DStringAppend+58>  lea    rdi,[rax+rdx*1]         ; 
dsPtr->string + dsPtr->length
                 <Tcl_DStringAppend+62>  mov    rsi,r12                 ; bytes
                 <Tcl_DStringAppend+65>  movsxd rdx,ebp                 ; length
                 <Tcl_DStringAppend+68>  call   0x7ffff60a25c0 <memcpy@plt>
                 memcpy(dsPtr->string + dsPtr->length, bytes, length);

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27254>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to