New submission from Krishna Ram Prakash R <k...@gtux.in>:

By passing a malformed string as input to marshal.loads(), an attacker can
trigger a null pointer dereference, resulting in DoS.

This happens because when a Python object is unmarshalled by reference, it is
assumed that the target object is fully constructed. We can construct a marshal
string such that it references partially constructed Python objects.

Example
-------

tuple(FrozenSet(REF(0)))

Tuple -> FrozenSet -> REF(0)

When unmarshalling of the tuple object starts, a new PyTuple_New() object is
created and its address is added to the p->refs array before starting to parse
and load all its child elements in a loop. A FrozenSet can be added as the 0th
element of this tuple, and then the 0th element of this FrozenSet is added as
p->refs[0]. After an element is added to the FrozenSet, it tries to hash it,
believing that it is a completely constructed Python object.

While it tries to hash the original tuple, it does not have any valid addresses
in its ob_item array. This results in a null pointer dereference throwing a
SIGSEGV and crashing the interpreter.

Running the below script results in a segmentation fault.

```python
#!/usr/bin/env python3

import marshal
# Constructed stream: SMALL_TUPLE(1) -> FROZENSET(1) -> REF(0), i.e. tuple(FrozenSet(REF(0)))
marshal.loads(b"\xa9\x01\xbe\x01\x00\x00\x00r\x00\x00\x00\x00")
```
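As an added, defender-side example (not the reporter's code and not part of CPython), the following validator walks a marshal byte stream using the same ref-slot order the loader uses, numbering slots in encounter order and, for containers, registering the slot before the children are read, exactly the tuple behaviour the report describes. Any TYPE_REF that points back into a container that is still being built is rejected before `marshal.loads()` ever sees the data. The type codes are the public marshal format codes; the walker is a minimal re-implementation that handles the common types only and rejects anything else (code objects included). `REPORTED_INPUT` is the byte string from the report; `SAMPLE_OK` is a constructed, well-formed stream used to show the validator accepting ordinary data.

```python
import marshal
import struct

FLAG_REF = 0x80                 # set on a type code when the object gets a ref slot
_NO_PAYLOAD = b"NTF.S"          # None, True, False, Ellipsis, StopIteration
_LEN32_DATA = b"stuaA"          # bytes / str variants: 4-byte length, then data
_LEN8_DATA = b"zZ"              # short ASCII: 1-byte length, then data
_SEQ32 = b"([<>"                # tuple, list, set, frozenset: 4-byte count, then items
_NAMES = {b")": "tuple", b"(": "tuple", b"[": "list", b"<": "set",
          b">": "frozenset", b"{": "dict", b"r": "ref"}

# The crashing input quoted in the report: tuple(frozenset(REF(0)))
REPORTED_INPUT = b"\xa9\x01\xbe\x01\x00\x00\x00r\x00\x00\x00\x00"
# Constructed, version-2 style stream (no ref flags) for {"k": [1, None, 2**70]}
SAMPLE_OK = (b"{u\x01\x00\x00\x00k[\x03\x00\x00\x00i\x01\x00\x00\x00N"
             b"l\x05\x00\x00\x00" + b"\x00" * 8 + b"\x00\x040")


class UnsafeMarshal(ValueError):
    """Stream is truncated, unsupported, or references an unfinished object."""


def _u8(buf, pos):
    if pos >= len(buf):
        raise UnsafeMarshal("truncated stream")
    return buf[pos], pos + 1


def _i32(buf, pos):
    if pos + 4 > len(buf):
        raise UnsafeMarshal("truncated stream")
    return struct.unpack_from("<i", buf, pos)[0], pos + 4


def _walk(buf, pos, refs, open_slots, path):
    """Consume one marshalled object at buf[pos]; return the position after it."""
    code, pos = _u8(buf, pos)
    t = bytes([code & ~FLAG_REF])
    name = _NAMES.get(t, t.decode("latin-1"))
    path = path + [name]
    slot = None
    if code & FLAG_REF and t != b"r":
        # Slots are numbered in encounter order; containers get theirs before
        # their children are read, so a child may name a slot that is unfinished.
        slot = len(refs)
        refs.append(name)
        open_slots.add(slot)

    if t in _NO_PAYLOAD:
        pass
    elif t == b"i":                       # 32-bit int
        pos += 4
    elif t == b"l":                       # long: signed digit count, 15-bit digits
        n, pos = _i32(buf, pos)
        pos += abs(n) * 2
    elif t == b"g":                       # binary float
        pos += 8
    elif t == b"y":                       # binary complex
        pos += 16
    elif t in _LEN32_DATA:
        n, pos = _i32(buf, pos)
        if n < 0:
            raise UnsafeMarshal("negative length")
        pos += n
    elif t in _LEN8_DATA:
        n, pos = _u8(buf, pos)
        pos += n
    elif t == b")":                       # small tuple: 1-byte count
        n, pos = _u8(buf, pos)
        for _ in range(n):
            pos = _walk(buf, pos, refs, open_slots, path)
    elif t in _SEQ32:
        n, pos = _i32(buf, pos)
        if n < 0:
            raise UnsafeMarshal("negative size")
        for _ in range(n):
            pos = _walk(buf, pos, refs, open_slots, path)
    elif t == b"{":                       # key/value pairs until TYPE_NULL ('0')
        while True:
            nxt, _ = _u8(buf, pos)
            if nxt == ord("0"):
                pos += 1
                break
            pos = _walk(buf, pos, refs, open_slots, path)   # key
            pos = _walk(buf, pos, refs, open_slots, path)   # value
    elif t == b"r":
        n, pos = _i32(buf, pos)
        if not 0 <= n < len(refs):
            raise UnsafeMarshal(f"ref {n} names a slot that does not exist yet")
        if n in open_slots:
            raise UnsafeMarshal(f"ref {n} points at a {refs[n]} that is still "
                                f"under construction (path: {' > '.join(path)})")
    else:                                 # code objects and anything unknown
        raise UnsafeMarshal(f"unsupported type code {t!r}")

    if slot is not None:
        open_slots.discard(slot)          # fully built from here on
    if pos > len(buf):
        raise UnsafeMarshal("truncated stream")
    return pos


def check_marshal(data):
    """Return the number of bytes consumed, or raise UnsafeMarshal."""
    return _walk(data, 0, [], set(), [])


def checked_loads(data):
    """marshal.loads() gated by the structural check above."""
    check_marshal(data)
    return marshal.loads(data)
```

Run against `REPORTED_INPUT`, `check_marshal()` raises with the path `tuple > frozenset > ref`, which is the chain the report describes, without the loader ever running. The check is deliberately stricter than CPython: it rejects every back-reference into an unfinished container, including legitimately self-referential lists or dicts, which is an acceptable trade-off when the input is untrusted. It also rejects trailing bytes only implicitly (the consumed length is returned so a caller can compare it against `len(data)`), and it does not parse code objects at all, so it cannot be used to vet `.pyc` payloads.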

----------
components: Interpreter Core, Library (Lib)
messages: 321050
nosy: benjamin.peterson, rkrp
priority: normal
severity: normal
status: open
title: DoS due to null pointer dereference in marshal.dumps()
type: security
versions: Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue34045>
_______________________________________