[issue31165] null pointer deref and segfault in list_slice (listobject.c:455)

2017-08-09 Thread geeknik

New submission from geeknik:

Python 3.7 git commit 3ca9f50 compiled with afl-clang-fast on Ubuntu 16 x64. 
The following script triggers undefined-behavior followed by a null pointer 
dereference and a segfault.


import weakref
class A(object):pass
def callback(x):del lst[0]    # weakref callback removes an item from the list being sliced
keepali0e=[]
for i in range(1):
    lst=[str()]
    a=A()
    a.c=a                     # self-cycle: only the cyclic GC can free this object
    keepali0e.append(weakref.ref(a,callback))
    del a
    while lst:keepali0e.append(lst[:])   # allocating the slice copy can run the GC, and with it the callback


Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:547:12 in
Objects/dictobject.c:1105:18: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1105:18 in
Objects/dictobject.c:2739:15: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2739:15 in
Objects/dictobject.c:789:27: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:789:27 in
Objects/dictobject.c:1104:18: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1104:18 in
Objects/dictobject.c:994:15: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:994:15 in
Objects/dictobject.c:683:11: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:683:11 in
Objects/dictobject.c:1024:9: runtime error: index 64 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1024:9 in
Objects/dictobject.c:2882:31: runtime error: index 64 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2882:31 in
Objects/dictobject.c:2346:15: runtime error: index 128 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2346:15 in
Objects/dictobject.c:1449:11: runtime error: index 32 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1449:11 in
Objects/dictobject.c:744:27: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:744:27 in
Objects/dictobject.c:1631:22: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1631:22 in
Objects/dictobject.c:554:31: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:554:31 in
Objects/dictobject.c:1183:15: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1183:15 in
Objects/dictobject.c:835:27: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:835:27 in
Objects/dictobject.c:2036:10: runtime error: index 128 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2036:10 in
Objects/dictobject.c:3504:38: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:3504:38 in
Objects/dictobject.c:3422:38: runtime error: index 64 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:3422:38 in
Objects/listobject.c:455:23: runtime error: load of null pointer of type 
'PyObject *' (aka 'struct _object *')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/listobject.c:455:23 in
ASAN:DEADLYSIGNAL
=
==29900==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x007772df bp 0x7fffdd00ce30 sp 0x7fffdd00cde0 T0)
==29900==The signal is caused by a READ memory access.
==29900==Hint: address points to the zero page.
#0 0x7772de in list_slice /root/cpython/Objects/listobject.c:455:23
#1 0x79257b in list_subscript /root/cpython/Objects/listobject.c:2499:20
#2 0xca195c in _PyEval_EvalFrameDefault /root/cpython/Python/ceval.c:1442:29
#3 0xcc723c in _PyEval_EvalCodeWithName /root/cpython/Python/ceval.c:4173:14
#4 0xc679f3 in PyEval_EvalCodeEx /root/cpython/Python/ceval.c:4200:12
#5 0xc679f3 in 
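The reports in this thread paste raw UBSan, ASan and LeakSanitizer output in which the same dictobject.c sites recur many times before the site that actually faults. As an added triage helper (not code from the tracker, from geeknik or from CPython), the Python script below parses such output into structured findings, separates sites you mark as known from fresh ones, checks whether the last UBSan site is also ASan's frame #0, and totals LeakSanitizer records; the two sample logs are constructed, condensed excerpts of the text quoted in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

UBSAN_RE = re.compile(r"^(?P<loc>\S+:\d+:\d+): runtime error: (?P<msg>.+)$")
ASAN_RE = re.compile(r"^==\d+==ERROR: (?P<tool>\w+): (?P<kind>.*?)(?: on (?:unknown )?address.*)?$")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+)(?: (?P<where>\S+))?")
LEAK_RE = re.compile(r"^(?P<kind>Direct|Indirect) leak of (?P<nbytes>\d+) byte\(s\)")
LEAK_SUM_RE = re.compile(r"^SUMMARY: AddressSanitizer: (?P<nbytes>\d+) byte\(s\) leaked")

# Constructed samples, condensed from the sanitizer text quoted in the reports above
# (wrapping undone, most lines dropped); they are not the full logs.
CRASH_LOG = """\
Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior Objects/dictobject.c:547:12 in
Objects/dictobject.c:1105:18: runtime error: index 16 out of bounds for type 'int8_t [8]'
Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 'int8_t [8]'
Objects/listobject.c:455:23: runtime error: load of null pointer of type 'PyObject *' (aka 'struct _object *')
ASAN:DEADLYSIGNAL
==29900==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x007772df bp 0x7fffdd00ce30 sp 0x7fffdd00cde0 T0)
    #0 0x7772de in list_slice /root/cpython/Objects/listobject.c:455:23
    #1 0x79257b in list_subscript /root/cpython/Objects/listobject.c:2499:20
"""
LEAK_LOG = """\
==29392==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 12416 byte(s) in 8 object(s) allocated from:
    #0 0x4a1f2e in realloc (/root/cpython/Parser/pgen+0x4a1f2e)
Indirect leak of 2080 byte(s) in 3 object(s) allocated from:
    #0 0x4a1c3b in __interceptor_malloc (/root/cpython/Parser/pgen+0x4a1c3b)
SUMMARY: AddressSanitizer: 14496 byte(s) leaked in 11 allocation(s).
"""

@dataclass
class Finding:
    tool: str                 # sanitizer that produced the record
    kind: str                 # "index 16 out of bounds", "SEGV", "Direct leak", ...
    where: str                # UBSan site, or ASan frame #0 once it has been seen
    nbytes: int = 0           # leaked bytes (LSan records only)
    frames: list = field(default_factory=list)   # (function, location) pairs

def parse_sanitizer_log(text):
    """Parse raw sanitizer output into Findings; returns (findings, lsan_total_bytes)."""
    findings, total, current = [], None, None
    for line in text.splitlines():
        if m := UBSAN_RE.match(line):
            kind = re.split(r" (?:of|for) type ", m["msg"])[0]   # drop the C type suffix
            findings.append(Finding("UndefinedBehaviorSanitizer", kind, m["loc"]))
            current = None                      # UBSan lines carry no stack in these logs
        elif m := ASAN_RE.match(line):
            current = Finding(m["tool"], m["kind"], "")
            findings.append(current)
        elif m := LEAK_RE.match(line):
            current = Finding("LeakSanitizer", f"{m['kind']} leak", "", int(m["nbytes"]))
            findings.append(current)
        elif m := LEAK_SUM_RE.match(line):
            total = int(m["nbytes"])
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.frames.append((m["func"], m["where"] or ""))
            current.where = current.where or m["where"] or m["func"]  # frame #0 wins
    return findings, total

def triage(text, known_sites=()):
    """Summarise one log: known/fresh UBSan sites, fatal ASan error, leak totals."""
    findings, total = parse_sanitizer_log(text)
    ubsan = [f for f in findings if f.tool == "UndefinedBehaviorSanitizer"]
    sites = Counter(f.where for f in ubsan)
    known = {s: n for s, n in sites.items() if s.startswith(tuple(known_sites))}
    fresh = {s: n for s, n in sites.items() if s not in known}
    fatal = next((f for f in findings if f.tool == "AddressSanitizer" and f.frames), None)
    leaks = [f for f in findings if f.kind.endswith(" leak")]
    return {
        "known_sites": known,
        "fresh_sites": fresh,
        "fatal": (fatal.kind, fatal.frames[0][0], fatal.where) if fatal else None,
        # a UBSan site that is also ASan's frame #0 is the strongest lead in the log
        "ubsan_matches_crash": bool(fatal and ubsan and fatal.where.endswith(ubsan[-1].where)),
        "leak_records": len(leaks),
        "direct_leak_bytes": sum(f.nbytes for f in leaks if f.kind == "Direct leak"),
        "leaked_bytes": total,
    }

if __name__ == "__main__":
    for name, log in (("crash", CRASH_LOG), ("leak", LEAK_LOG)):
        print(name, triage(log, known_sites=("Objects/dictobject.c",)))
```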

[issue31165] null pointer deref and segfault in list_slice (listobject.c:455)

2017-08-09 Thread geeknik

Changes by geeknik :


--
type:  -> crash

___
Python tracker 
<http://bugs.python.org/issue31165>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-09 Thread geeknik

New submission from geeknik:

Python 3.7 git commit 3ca9f50 compiled with afl-clang-fast on Ubuntu 16 x64. 
The following script triggers undefined-behavior followed by a null pointer 
dereference and a segfault.


import gc
t0ing0=object()
class A(object):
    def f():0
    x=t0ing0                  # the class namespace now refers to t0ing0
r=gc.get_referrers(t0ing0)
if[0]:dct=r[0]                # one of the dicts referring to t0ing0
a=A
for i in range(1):a.f         # looks f up on the type
dct["f"]=lambda:0             # writes to the dict directly, bypassing setattr
(a.f)                         # looks f up again


Objects/dictobject.c:547:12: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:547:12 in
Objects/dictobject.c:1105:18: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1105:18 in
Objects/dictobject.c:2739:15: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2739:15 in
Objects/dictobject.c:789:27: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:789:27 in
Objects/dictobject.c:1104:18: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1104:18 in
Objects/dictobject.c:994:15: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:994:15 in
Objects/dictobject.c:683:11: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:683:11 in
Objects/dictobject.c:1024:9: runtime error: index 64 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1024:9 in
Objects/dictobject.c:2882:31: runtime error: index 64 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2882:31 in
Objects/dictobject.c:2346:15: runtime error: index 128 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2346:15 in
Objects/dictobject.c:1449:11: runtime error: index 32 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1449:11 in
Objects/dictobject.c:744:27: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:744:27 in
Objects/dictobject.c:1631:22: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1631:22 in
Objects/dictobject.c:554:31: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:554:31 in
Objects/dictobject.c:1183:15: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:1183:15 in
Objects/dictobject.c:835:27: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:835:27 in
Objects/dictobject.c:2036:10: runtime error: index 128 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:2036:10 in
Objects/dictobject.c:3504:38: runtime error: index 16 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:3504:38 in
Objects/dictobject.c:3422:38: runtime error: index 64 out of bounds for type 
'int8_t [8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/dictobject.c:3422:38 in
Objects/obmalloc.c:1258:36: runtime error: load of misaligned address 
0x for type 'block *' (aka 'unsigned char *'), which requires 8 
byte alignment
0x: note: pointer points here

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior 
Objects/obmalloc.c:1258:36 in
ASAN:DEADLYSIGNAL
=
==768==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x00506f9f bp 0x7fff0666cbc0 sp 0x7fff0666cb20 T0)
==768==The signal is caused by a READ memory access.
==768==Hint: address points to the zero page.
#0 0x506f9e in _PyObject_Alloc /root/cpython/Objects/obmalloc.c:1258:36
#1 0x9a669b in PyUnicode_New /root/cpython/Objects/unicodeobject.c:1296:24
#2 0x9fea51 in _PyUnicodeWriter_PrepareInternal 
/root/cpython/Objects/unicodeobject.c:13561:26
#3 0x9b9db4 in PyUnicode_DecodeUTF8Stateful 
/root/cpython/Objects/unicodeobject.c:4995:9
#4 0x9c0e65 in _PyUnic

[issue31166] null pointer deref and segfault in _PyObject_Alloc (obmalloc.c:1258)

2017-08-10 Thread geeknik

geeknik added the comment:

So if I leave UBSan and ASan out of the equation and compile with gcc and run 
this script:

Program received signal SIGSEGV, Segmentation fault.
update_refs (containers=) at Modules/gcmodule.c:353
353 _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
(gdb) bt
#0  update_refs (containers=) at Modules/gcmodule.c:353
#1  collect (generation=generation@entry=2,
n_collected=n_collected@entry=0x7fffe2f8,
n_uncollectable=n_uncollectable@entry=0x7fffe300,
nofail=nofail@entry=0) at Modules/gcmodule.c:962
#2  0x555d5365 in collect_with_callback (generation=2)
at Modules/gcmodule.c:1135
#3  PyGC_Collect () at Modules/gcmodule.c:1622
#4  _PyGC_CollectIfEnabled () at Modules/gcmodule.c:1635
#5  0x555b8e28 in Py_FinalizeEx () at Python/pylifecycle.c:978
#6  0x555b9225 in Py_FinalizeEx () at Python/pylifecycle.c:1119
#7  0x555d2ed2 in Py_Main (argc=, argv=)
at Modules/main.c:921
#8  0x555aa1cb in main (argc=2, argv=)
at ./Programs/python.c:102
(gdb) list
348 update_refs(PyGC_Head *containers)
349 {
350 PyGC_Head *gc = containers->gc.gc_next;
351 for (; gc != containers; gc = gc->gc.gc_next) {
352 assert(_PyGCHead_REFS(gc) == GC_REACHABLE);
353 _PyGCHead_SET_REFS(gc, Py_REFCNT(FROM_GC(gc)));
354 /* Python's cyclic gc should never see an incoming refcount
355  * of 0:  if something decref'ed to 0, it should have been
356  * deallocated immediately at that time.
357  * Possible cause (if the assert triggers):  a tp_dealloc

Valgrind shows a null deref as well after some invalid reads and conditional 
jumps. I've attached the log, it's a bit verbose.

--
Added file: http://bugs.python.org/file47071/31166.txt

___
Python tracker 
<http://bugs.python.org/issue31166>



[issue27780] Memory leak during Python build (from git c3ff7e7) on Debian 8.5 x64

2016-08-16 Thread geeknik

New submission from geeknik:

CC=afl-clang-fast CXX=afl-clang-fast++ AFL_USE_ASAN=1 ./configure --disable-ipv6

Passes fine.

AFL_USE_ASAN=1 make

Ends with the following:

Parser/pgen ./Grammar/Grammar Include/graminit.h Python/graminit.c

=
==29392==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 12416 byte(s) in 8 object(s) allocated from:
#0 0x4a1f2e in realloc (/root/cpython/Parser/pgen+0x4a1f2e)
#1 0x4cfcca in PyMem_RawRealloc /root/cpython/Objects/obmalloc.c:414:12

Indirect leak of 2080 byte(s) in 3 object(s) allocated from:
#0 0x4a1f2e in realloc (/root/cpython/Parser/pgen+0x4a1f2e)
#1 0x4cfcca in PyMem_RawRealloc /root/cpython/Objects/obmalloc.c:414:12

Indirect leak of 898 byte(s) in 86 object(s) allocated from:
#0 0x4a1c3b in __interceptor_malloc (/root/cpython/Parser/pgen+0x4a1c3b)
#1 0x7fbd7abe3989 in __strdup 
/build/glibc-uPj9cH/glibc-2.19/string/strdup.c:42

Indirect leak of 520 byte(s) in 1 object(s) allocated from:
#0 0x4a1c3b in __interceptor_malloc (/root/cpython/Parser/pgen+0x4a1c3b)
#1 0x4d3fa0 in PyMem_RawMalloc /root/cpython/Objects/obmalloc.c:396:12
#2 0x4d3fa0 in _PyObject_Alloc /root/cpython/Objects/obmalloc.c:1467

Indirect leak of 178 byte(s) in 33 object(s) allocated from:
#0 0x4a1c3b in __interceptor_malloc (/root/cpython/Parser/pgen+0x4a1c3b)
#1 0x4c6756 in translabel /root/cpython/Parser/grammar.c:197:28
#2 0x4c6756 in _Py_translatelabels /root/cpython/Parser/grammar.c:141

SUMMARY: AddressSanitizer: 16092 byte(s) leaked in 131 allocation(s).
Makefile:804: recipe for target 'Include/graminit.h' failed
make: *** [Include/graminit.h] Error 23

--
components: Build
messages: 272889
nosy: geeknik
priority: normal
severity: normal
status: open
title: Memory leak during Python build (from git c3ff7e7) on Debian 8.5 x64

___
Python tracker 
<http://bugs.python.org/issue27780>



[issue27780] Memory leak during Python build (from git c3ff7e7) on Debian 8.5 x64

2016-08-17 Thread geeknik

geeknik added the comment:

FYI, I was only able to build Python with ASAN by passing 
ASAN_OPTIONS=detect_leaks=0 along with the make command, otherwise ASAN wanted 
to stop the build process as soon as it detected this leak.

--

___
Python tracker 
<http://bugs.python.org/issue27780>



[issue27831] Python 3.4.5 leaks memory when attempting to load non-existent file

2016-08-22 Thread geeknik

New submission from geeknik:

While fuzzing Python 3.4.5 with AFL, ASAN and libdislocator, I fat-fingered the 
keyboard and ASAN popped up a LeakSanitizer error. Apparently trying to open a 
non-existent file causes Python 3.4.5 to leak >880KB of memory.

./python: can't open file 'id:000109': [Errno 2] No such file or directory

=
==16921==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 620904 byte(s) in 469 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12

Direct leak of 41800 byte(s) in 29 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x769b2f in PyEval_EvalCodeEx /root/python-3.4.5/Python/ceval.c:3588:14

Direct leak of 28160 byte(s) in 7 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x60459c in set_add_key /root/python-3.4.5/Objects/setobject.c:373:12

Direct leak of 26095 byte(s) in 33 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4dc54d in PyMem_RawMalloc /root/python-3.4.5/Objects/obmalloc.c:276:12
#2 0x4dc54d in _PyObject_Malloc /root/python-3.4.5/Objects/obmalloc.c:1314

Direct leak of 18176 byte(s) in 31 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4dc54d in PyMem_RawMalloc /root/python-3.4.5/Objects/obmalloc.c:276:12
#2 0x4dc54d in _PyObject_Malloc /root/python-3.4.5/Objects/obmalloc.c:1314
#3 0x8a80e9 in _PyObject_GC_NewVar 
/root/python-3.4.5/Modules/gcmodule.c:1765:26

Direct leak of 3584 byte(s) in 16 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x636d59 in type_call /root/python-3.4.5/Objects/typeobject.c:883:11

Direct leak of 1472 byte(s) in 15 object(s) allocated from:
#0 0x4bc5ce in realloc (/root/python-3.4.5/python+0x4bc5ce)
#1 0x4da38a in PyMem_Realloc /root/python-3.4.5/Objects/obmalloc.c:308:12

Direct leak of 448 byte(s) in 2 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x836b0e in _Py_InitializeEx_Private 
/root/python-3.4.5/Python/pythonrun.c:418:14
#3 0x4e2e82 in Py_Main /root/python-3.4.5/Modules/main.c:654:5
#4 0x4d9c8e in main /root/python-3.4.5/./Modules/python.c:69:11

Direct leak of 264 byte(s) in 2 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x4e2e82 in Py_Main /root/python-3.4.5/Modules/main.c:654:5
#3 0x4d9c8e in main /root/python-3.4.5/./Modules/python.c:69:11

Direct leak of 224 byte(s) in 1 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x546820 in _PyExc_Init /root/python-3.4.5/Objects/exceptions.c:2509:5
#3 0x836b09 in _Py_InitializeEx_Private 
/root/python-3.4.5/Python/pythonrun.c:416:5
#4 0x4e2e82 in Py_Main /root/python-3.4.5/Modules/main.c:654:5
#5 0x4d9c8e in main /root/python-3.4.5/./Modules/python.c:69:11

Direct leak of 224 byte(s) in 1 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x5468ad in _PyExc_Init /root/python-3.4.5/Objects/exceptions.c:2510:5
#3 0x836b09 in _Py_InitializeEx_Private 
/root/python-3.4.5/Python/pythonrun.c:416:5
#4 0x4e2e82 in Py_Main /root/python-3.4.5/Modules/main.c:654:5
#5 0x4d9c8e in main /root/python-3.4.5/./Modules/python.c:69:11

Direct leak of 224 byte(s) in 1 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x5e7712 in PyModule_Create2 
/root/python-3.4.5/Objects/moduleobject.c:105:9
#3 0x4e2e82 in Py_Main /root/python-3.4.5/Modules/main.c:654:5
#4 0x4d9c8e in main /root/python-3.4.5/./Modules/python.c:69:11

Direct leak of 224 byte(s) in 1 object(s) allocated from:
#0 0x4bc2db in malloc (/root/python-3.4.5/python+0x4bc2db)
#1 0x4da307 in PyMem_Malloc /root/python-3.4.5/Objects/obmalloc.c:299:12
#2 0x545fdf in _PyExc_Init /root/python-3.4.5/Objects/exceptions.c:2494:5
#3 0x836b09 in _Py_InitializeEx_Private 
/root/python-3.4.5/Python/pythonrun.c:416:5
#4 0x4e2e82 in Py_Main /root/python-3.4.5/Modules/main.c:654:5
#5 0x4d9c8e in main 

[issue27831] Python 3.4.5 leaks memory when attempting to load non-existent file

2016-08-23 Thread geeknik

geeknik added the comment:

Interesting that only Python exhibits this "leaky" behavior that generates a 
LeakSanitizer error. I don't see similar behavior in Perl, Ruby or PHP. Running 
a non-ASAN build under Valgrind reports that a leak is still occurring: 

LEAK SUMMARY:
==15496==definitely lost: 0 bytes in 0 blocks
==15496==indirectly lost: 0 bytes in 0 blocks
==15496==  possibly lost: 19,784 bytes in 34 blocks
==15496==still reachable: 879,399 bytes in 862 blocks
==15496== suppressed: 0 bytes in 0 blocks
==15496==
==15496== ERROR SUMMARY: 98 errors from 40 contexts (suppressed: 0 from 0)

From the Valgrind manual:
"possibly lost" means your program is leaking memory, unless you're doing 
unusual things with pointers that could cause them to point into the middle of 
an allocated block;

--

___
Python tracker 
<http://bugs.python.org/issue27831>



[issue27831] Python 3.4.5 leaks memory when attempting to load non-existent file

2016-08-23 Thread geeknik

geeknik added the comment:

Sure, 3.5 and/or 3.6 has memory leaks during compilation:
https://bugs.python.org/issue27780

And I just compiled 3.5.2 and running that version of python against a 
non-existent file returns this from LeakSanitizer:

ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.5/bin/llvm-symbolizer 
ASAN_OPTIONS=symbolizer=1 ./python garbage
./python: can't open file 'garbage': [Errno 2] No such file or directory

=
==5338==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 657546 byte(s) in 584 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12

Direct leak of 43896 byte(s) in 63 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4de339 in PyMem_RawMalloc /root/python-3.5.2/Objects/obmalloc.c:293:12
#2 0x4de339 in _PyObject_Alloc /root/python-3.5.2/Objects/obmalloc.c:1376

Direct leak of 42520 byte(s) in 31 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x7e39df in _PyEval_EvalCodeWithName 
/root/python-3.5.2/Python/ceval.c:4018:14

Direct leak of 28160 byte(s) in 7 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x6535ab in set_add_entry /root/python-3.5.2/Objects/setobject.c:313:12

Direct leak of 3584 byte(s) in 15 object(s) allocated from:
#0 0x4bd79e in realloc (/root/python-3.5.2/python+0x4bd79e)
#1 0x4db6aa in PyMem_Realloc /root/python-3.5.2/Objects/obmalloc.c:343:12

Direct leak of 3584 byte(s) in 16 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x682a09 in type_call /root/python-3.5.2/Objects/typeobject.c:890:11

Direct leak of 448 byte(s) in 2 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x88e289 in _Py_InitializeEx_Private 
/root/python-3.5.2/Python/pylifecycle.c:377:14
#3 0x4e553f in Py_Main /root/python-3.5.2/Modules/main.c:669:5
#4 0x4dae5e in main /root/python-3.5.2/./Programs/python.c:65:11

Direct leak of 264 byte(s) in 2 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x4e553f in Py_Main /root/python-3.5.2/Modules/main.c:669:5
#3 0x4dae5e in main /root/python-3.5.2/./Programs/python.c:65:11

Direct leak of 96 byte(s) in 3 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db387 in PyMem_RawMalloc /root/python-3.5.2/Objects/obmalloc.c:293:12

Direct leak of 8 byte(s) in 1 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x4e5942 in Py_Main /root/python-3.5.2/Modules/main.c:693:5
#3 0x4dae5e in main /root/python-3.5.2/./Programs/python.c:65:11

Indirect leak of 124748 byte(s) in 133 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4de339 in PyMem_RawMalloc /root/python-3.5.2/Objects/obmalloc.c:293:12
#2 0x4de339 in _PyObject_Alloc /root/python-3.5.2/Objects/obmalloc.c:1376

Indirect leak of 6016 byte(s) in 47 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x682a09 in type_call /root/python-3.5.2/Objects/typeobject.c:890:11

Indirect leak of 2912 byte(s) in 7 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12

Indirect leak of 640 byte(s) in 5 object(s) allocated from:
#0 0x4bd4ab in malloc (/root/python-3.5.2/python+0x4bd4ab)
#1 0x4db577 in PyMem_Malloc /root/python-3.5.2/Objects/obmalloc.c:325:12
#2 0x68dea1 in tp_new_wrapper 
/root/python-3.5.2/Objects/typeobject.c:5595:11

SUMMARY: AddressSanitizer: 914422 byte(s) leaked in 916 allocation(s).

--

___
Python tracker 
<http://bugs.python.org/issue27831>



[issue28198] heap-buffer-overflow in tok_nextc (Parser/tokenizer.c:954)

2016-09-18 Thread geeknik

New submission from geeknik:

As per the security team, I'm submitting this here as it doesn't appear 
exploitable.

Fuzzing Python 2.7.12 with AFL, ASAN and libdislocator.so on Debian 8.5 x64. 
(This might also affect Python 3.5) The attached 1-byte testcase triggers a 
heap-buffer-overflow: ~/python/Parser/tokenizer.c:954:28 in tok_nextc:

==9855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625028ff 
at pc 0x0050fd06 bp 0x7ffdbb810a30 sp 0x7ffdbb810a28
READ of size 1 at 0x625028ff thread T0
#0 0x50fd05 in tok_nextc /root/python/Parser/tokenizer.c:954:28
#1 0x505c49 in tok_get /root/python/Parser/tokenizer.c:1232:17
#2 0x505c49 in PyTokenizer_Get /root/python/Parser/tokenizer.c:1681
#3 0x5012b4 in parsetok /root/python/Parser/parsetok.c:159:16
#4 0x502e7f in PyParser_ParseFileFlagsEx 
/root/python/Parser/parsetok.c:106:12
#5 0x7fe4a9 in PyParser_ASTFromFile /root/python/Python/pythonrun.c:1499:15
#6 0x7fe887 in PyRun_FileExFlags /root/python/Python/pythonrun.c:1354:11
#7 0x7fd3fc in PyRun_SimpleFileExFlags 
/root/python/Python/pythonrun.c:948:13
#8 0x7fc36b in PyRun_AnyFileExFlags /root/python/Python/pythonrun.c:752:16
#9 0x4fe9c4 in Py_Main /root/python/Modules/main.c:640:23
#10 0x7fb6e24b282f in __libc_start_main 
/build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#11 0x42a898 in _start (/root/python/python+0x42a898)

0x625028ff is located 1 bytes to the left of 8192-byte region 
[0x62502900,0x62504900)
allocated by thread T0 here:
#0 0x4ca9c8 in malloc (/root/python/python+0x4ca9c8)
#1 0x504ed5 in PyTokenizer_FromFile /root/python/Parser/tokenizer.c:759:29

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/root/python/Parser/tokenizer.c:954:28 in tok_nextc
==9855==ABORTING

--
components: Interpreter Core
files: test00.gz
messages: 276917
nosy: geeknik
priority: normal
severity: normal
status: open
title: heap-buffer-overflow in tok_nextc (Parser/tokenizer.c:954)
type: crash
versions: Python 2.7, Python 3.5
Added file: http://bugs.python.org/file44743/test00.gz

___
Python tracker 
<http://bugs.python.org/issue28198>