New submission from geeknik: Python 3.7 git commit 3ca9f50 compiled with afl-clang-fast on Ubuntu 16 x64. The following script triggers undefined-behavior followed by a null pointer dereference and a segfault.

    import gc
    t0ing0 = object()

    class A(object):
        def f(): 0
        x = t0ing0

    # r[0]: a dict that references t0ing0
    r = gc.get_referrers(t0ing0)
    if [0]: dct = r[0]
    a = A
    for i in range(1): a.f
    # write into that dict directly, then look the attribute up again
    dct["f"] = lambda: 0
    (a.f)

Sanitizer output:

    Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:547:12 in
    Objects/dictobject.c:1105:18: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1105:18 in
    Objects/dictobject.c:2739:15: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2739:15 in
    Objects/dictobject.c:789:27: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:789:27 in
    Objects/dictobject.c:1104:18: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1104:18 in
    Objects/dictobject.c:994:15: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:994:15 in
    Objects/dictobject.c:683:11: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:683:11 in
    Objects/dictobject.c:1024:9: runtime error: index 64 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1024:9 in
    Objects/dictobject.c:2882:31: runtime error: index 64 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2882:31 in
    Objects/dictobject.c:2346:15: runtime error: index 128 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2346:15 in
    Objects/dictobject.c:1449:11: runtime error: index 32 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1449:11 in
    Objects/dictobject.c:744:27: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:744:27 in
    Objects/dictobject.c:1631:22: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1631:22 in
    Objects/dictobject.c:554:31: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:554:31 in
    Objects/dictobject.c:1183:15: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1183:15 in
    Objects/dictobject.c:835:27: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:835:27 in
    Objects/dictobject.c:2036:10: runtime error: index 128 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:2036:10 in
    Objects/dictobject.c:3504:38: runtime error: index 16 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:3504:38 in
    Objects/dictobject.c:3422:38: runtime error: index 64 out of bounds for type 'int8_t [8]'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:3422:38 in
    Objects/obmalloc.c:1258:36: runtime error: load of misaligned address 0xffffffffffffffff for type 'block *' (aka 'unsigned char *'), which requires 8 byte alignment
    0xffffffffffffffff: note: pointer points here
    <memory cannot be printed>
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/obmalloc.c:1258:36 in
    ASAN:DEADLYSIGNAL
    =================================================================
    ==768==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000506f9f bp 0x7fff0666cbc0 sp 0x7fff0666cb20 T0)
    ==768==The signal is caused by a READ memory access.
    ==768==Hint: address points to the zero page.
        #0 0x506f9e in _PyObject_Alloc /root/cpython/Objects/obmalloc.c:1258:36
        #1 0x9a669b in PyUnicode_New /root/cpython/Objects/unicodeobject.c:1296:24
        #2 0x9fea51 in _PyUnicodeWriter_PrepareInternal /root/cpython/Objects/unicodeobject.c:13561:26
        #3 0x9b9db4 in PyUnicode_DecodeUTF8Stateful /root/cpython/Objects/unicodeobject.c:4995:9
        #4 0x9c0e65 in _PyUnicode_FromId /root/cpython/Objects/unicodeobject.c:2115:22
        #5 0x89561e in _PyObject_GetAttrId /root/cpython/Objects/object.c:850:23
        #6 0x6b3f4a in _PyObject_CallMethodId /root/cpython/Objects/call.c:1086:16
        #7 0x518569 in flush_std_files /root/cpython/Python/pylifecycle.c:889:15
        #8 0x517942 in Py_FinalizeEx /root/cpython/Python/pylifecycle.c:959:9
        #9 0x5a882b in Py_Main /root/cpython/Modules/main.c:921:9
        #10 0x500382 in main /root/cpython/./Programs/python.c:102:11
        #11 0x7f94db0bb3f0 in __libc_start_main /build/glibc-mXZSwJ/glibc-2.24/csu/../csu/libc-start.c:291
        #12 0x433e49 in _start (/root/cpython/python+0x433e49)

    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/cpython/Objects/obmalloc.c:1258:36 in _PyObject_Alloc
    ==768==ABORTING

----------
components: Interpreter Core
messages: 300034
nosy: geeknik
priority: normal
severity: normal
status: open
title: null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)
type: crash
versions: Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue31166>
_______________________________________
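Sanitizer output like the above is noisy to triage by hand: the same UBSan site fires on every dict access, while the single ASan SEGV with its stack is the finding that actually needs a fix. The following is an added example, not code from geeknik's report or from CPython, that parses a few constructed lines in the same UBSan/ASan format (taken from the report, with one dictobject.c site repeated on purpose) and reduces them to unique UBSan sites with hit counts plus one ASan fault record (kind, address, whether the address lies on the zero page, symbolized frames). The regexes, the category names and the PAGE_SIZE threshold are this example's own assumptions about the output format.

```python
import re
from collections import Counter

# Constructed sample in the shape of the UBSan/ASan output quoted in the report
# above; the first dictobject.c site is repeated on purpose so grouping is visible.
SAMPLE_LOG = """\
Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:547:12 in
Objects/dictobject.c:1105:18: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:1105:18 in
Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:547:12 in
Objects/obmalloc.c:1258:36: runtime error: load of misaligned address 0xffffffffffffffff for type 'block *' (aka 'unsigned char *'), which requires 8 byte alignment
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/obmalloc.c:1258:36 in
ASAN:DEADLYSIGNAL
==768==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000506f9f bp 0x7fff0666cbc0 sp 0x7fff0666cb20 T0)
==768==The signal is caused by a READ memory access.
==768==Hint: address points to the zero page.
    #0 0x506f9e in _PyObject_Alloc /root/cpython/Objects/obmalloc.c:1258:36
    #1 0x9a669b in PyUnicode_New /root/cpython/Objects/unicodeobject.c:1296:24
    #2 0x9fea51 in _PyUnicodeWriter_PrepareInternal /root/cpython/Objects/unicodeobject.c:13561:26
SUMMARY: AddressSanitizer: SEGV /root/cpython/Objects/obmalloc.c:1258:36 in _PyObject_Alloc
==768==ABORTING
"""

# One UBSan report line: "<file>:<line>:<col>: runtime error: <message>"
UBSAN_RE = re.compile(r"^(?P<loc>\S+:\d+:\d+): runtime error: (?P<msg>.*)$")
# ASan error header: "==<pid>==ERROR: AddressSanitizer: <kind> on unknown address <addr> ..."
ASAN_ERR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address (?P<addr>0x[0-9a-fA-F]+)"
)
# ASan symbolized stack frame: "#<n> 0x<pc> in <function> <file:line:col>"
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)$")

# Assumed threshold: fault addresses below the first page are null-derived dereferences.
PAGE_SIZE = 4096


def classify_ubsan(msg):
    """Map a UBSan message to a coarse category used for grouping (assumed names)."""
    if msg.startswith("index ") and "out of bounds" in msg:
        return "out-of-bounds-index"
    if msg.startswith("load of misaligned address"):
        return "misaligned-load"
    return "other"


def triage(log_text):
    """Reduce raw sanitizer output to unique UBSan sites and a single ASan fault record."""
    ubsan = Counter()
    asan = None
    for line in log_text.splitlines():
        m = UBSAN_RE.match(line)
        if m:
            ubsan[(m.group("loc"), classify_ubsan(m.group("msg")))] += 1
            continue
        m = ASAN_ERR_RE.match(line)
        if m:
            addr = int(m.group("addr"), 16)
            asan = {
                "kind": m.group("kind"),
                "addr": m.group("addr"),
                "null_deref": addr < PAGE_SIZE,
                "frames": [],
            }
            continue
        m = FRAME_RE.match(line)
        if m and asan is not None:
            asan["frames"].append((m.group("func"), m.group("loc")))
    # Most frequent site first, then by location, so repeated hits collapse to one row.
    sites = sorted(
        ((loc, cat, n) for (loc, cat), n in ubsan.items()),
        key=lambda t: (-t[2], t[0]),
    )
    return {"ubsan_sites": sites, "asan": asan}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for loc, cat, n in report["ubsan_sites"]:
        print(f"UBSan {cat:20} x{n}  {loc}")
    fault = report["asan"]
    if fault:
        print(f"ASan {fault['kind']} at {fault['addr']} null_deref={fault['null_deref']}")
        for func, loc in fault["frames"]:
            print(f"  {func}  {loc}")
```

Run on the sample it yields three UBSan rows (the repeated 547:12 site counted twice) and one SEGV record whose top frame is _PyObject_Alloc; the null_deref flag reproduces the "address points to the zero page" hint from the address alone, which is useful when a fuzzing harness truncates ASan's hint lines.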