Park Alex added the comment:

All of the .pyc files had been altered by the fuzzer.

The original .py code is the following:

$ cat helloworld.py
# Python 2 source (print statement, str.encode('hex') / encode('base64'))
def hello(s=0x4142434445464748):
    print s
    if type(s) == str:
        print s.encode('hex')
        print repr(s)
    else:
        s = str(s)
        print len(s) << 8, len(s) ^ 8, len(s) | 8, len(s) & 8, len(s) == 8, len(s) <= 8, len(s) >= 8
    x = __import__("sys")
    # for k, v in x.__dict__.items():
    #     if hasattr(v, '__subclasses__') == True:
    #         cmd = "Subclasses:", (v.__class__.__base__.__subclasses__()[11].__init__.__str__())
    return 0x5152535455565758 == max(s, abs(len(s)) % 0x1234)

H = 'A'*128
hello(H.encode('base64'))
hello()

Also, Python compiled with ASAN generated the .pyc code. After that, the fuzzer found a few crashes. Here is some diff information between the original .pyc and the fuzzed .pyc.

file: poc_heap-buffer-overflow.pyc

cmp -bl helloworld.pyc poc_heap-buffer-overflow.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
00000010 00 03
00000012 03 00
00000026 01 00
00000027 00 F7
0000006A 06 EE
0000006B 00 FF
0000006C 00 FF
0000006D 00 FF
00000129 01 FE
0000012A 00 FF
0000012B 64 00
0000012C 04 00
000001F0 6C DB
000001FD 6C 49

file: poc_heap-use-after-free.pyc

cmp -bl helloworld.pyc poc_heap-use-after-free.pyc | gawk '{printf "%08X %02X %02X\n", $1, strtonum(0$2), strtonum(0$4)}'
0000006A 06 D0
0000006B 00 FF
0000006C 00 FF
0000006D 00 FF
00000129 01 EB
0000012A 00 FF
0000012B 64 00
0000012C 04 00
000001F0 6C DB
000001FD 6C 49
0000026F 6C 7D

Thanks,
-- Alex

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27291>
_______________________________________
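The listings above are the only description of the crashing files, so a reader who wants to reproduce needs to turn them back into bytes. The following script is an added example, not the commenter's code and not part of CPython; it parses the `cmp -bl | gawk` output format shown in the comment ("%08X %02X %02X": byte number, original byte, fuzzed byte), applies it to a copy of the original file while checking that every "original" byte really matches, and can regenerate the same listing from two files without gawk. It assumes, as GNU cmp documents, that the byte numbers cmp prints are counted from 1, so each must be decremented before indexing. The sample input bytes and sample listing at the bottom are constructed for the demo and are not the real helloworld.pyc or PoC data.

```python
"""Rebuild a fuzzed .pyc from a `cmp -bl | gawk '%08X %02X %02X'` listing.

Added example; not from the tracker comment or from CPython.
Assumption: the first column is the byte number as GNU cmp reports it,
i.e. counted from 1, so offset-1 is the index into the file.
"""
import re
import sys

# One listing line: 8 hex digits (byte number), 2 hex digits (old), 2 hex digits (new)
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def parse_cmp_listing(text):
    """Return [(zero_based_offset, original_byte, fuzzed_byte), ...] from the listing."""
    edits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised cmp listing line: %r" % line)
        pos, old, new = (int(g, 16) for g in m.groups())
        if pos < 1:
            raise ValueError("cmp byte numbers start at 1, got %d" % pos)
        edits.append((pos - 1, old, new))          # convert to a 0-based index
    return edits


def apply_cmp_listing(original, text):
    """Apply the listing to `original` and return the mutated bytes.

    Every 'old' byte is checked against the input first, so a listing taken
    against a different original (or an off-by-one in the offsets) is
    rejected instead of silently producing a file that reproduces nothing.
    """
    data = bytearray(original)
    for off, old, new in parse_cmp_listing(text):
        if off >= len(data):
            raise ValueError("offset 0x%X is past the end of a %d-byte file" % (off, len(data)))
        if data[off] != old:
            raise ValueError("byte 0x%X is %02X, listing expects %02X" % (off, data[off], old))
        data[off] = new
    return bytes(data)


def cmp_listing(a, b):
    """Produce the same listing format for two equal-length byte strings.

    Equivalent to the gawk pipeline in the comment (1-based byte numbers),
    but restricted to equal lengths because cmp -l reports a length
    mismatch as an EOF message rather than as a byte line.
    """
    if len(a) != len(b):
        raise ValueError("inputs differ in length (%d vs %d)" % (len(a), len(b)))
    return "\n".join("%08X %02X %02X" % (i + 1, x, y)
                     for i, (x, y) in enumerate(zip(a, b)) if x != y)


# --- constructed demo data (stand-in for helloworld.pyc, not the real file) ---
SAMPLE_ORIGINAL = bytes(range(0x30))  # 48 bytes where data[i] == i

# Constructed listing in the gawk output format; byte numbers are 1-based
SAMPLE_LISTING = """\
00000010 0F 03
00000012 11 00
00000027 26 F7
"""


def demo():
    """Round trip: apply the listing, then regenerate it from the two buffers."""
    fuzzed = apply_cmp_listing(SAMPLE_ORIGINAL, SAMPLE_LISTING)
    regenerated = cmp_listing(SAMPLE_ORIGINAL, fuzzed)
    return fuzzed, regenerated


if __name__ == "__main__":
    # Real usage: python rebuild_poc.py helloworld.pyc listing.txt > poc.pyc
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2]) as listing:
            sys.stdout.buffer.write(apply_cmp_listing(f.read(), listing.read()))
    else:
        fuzzed, regenerated = demo()
        print(regenerated)
```

Run with the original .pyc and a saved listing to write the PoC file to stdout; without arguments it runs the constructed round trip. The "old byte" check is the part worth keeping: the two listings in the comment share most offsets, so applying one listing to the wrong base file would otherwise go unnoticed.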