[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-02 Thread ggbang

New submission from ggbang :

python version:
Python 3.9.0a2 (default, Dec 25 2019, 20:42:47) 
[GCC 7.5.0] on linux

crash log:
```text

 code:x86:64 
   0x555afb88 <_PyEval_EvalFrameDefault+4056> mov    rdx, QWORD PTR [rsi+rdx*8+0x18]
   0x555afb8d <_PyEval_EvalFrameDefault+4061> add    QWORD PTR [rdx], 0x1
   0x555afb91 <_PyEval_EvalFrameDefault+4065> test   eax, eax
 → 0x555afb93 <_PyEval_EvalFrameDefault+4067> mov    QWORD PTR [rcx], rdx
   0x555afb96 <_PyEval_EvalFrameDefault+4070> jne    0x555af226 <_PyEval_EvalFrameDefault+1654>
   0x555afb9c <_PyEval_EvalFrameDefault+4076> mov    rdx, r12
   0x555afb9f <_PyEval_EvalFrameDefault+4079> sub    rdx, QWORD PTR [rsp+0x8]
   0x555afba4 <_PyEval_EvalFrameDefault+4084> add    r12, 0x2
   0x555afba8 <_PyEval_EvalFrameDefault+4088> mov    DWORD PTR [rbx+0x68], edx
─
 source:Python/ceval.c+1352 
   1347  
   1348  case TARGET(LOAD_CONST): {
   1349  PREDICTED(LOAD_CONST);
   1350  PyObject *value = GETITEM(consts, oparg);
   1351  Py_INCREF(value);
 → 1352  PUSH(value);
   1353  FAST_DISPATCH();
   1354  }
   1355  
   1356  case TARGET(STORE_FAST): {
   1357  PREDICTED(STORE_FAST);

 threads 
[#0] Id 1, Name: "python", stopped, reason: SIGSEGV
──
 trace 
[#0] 0x555afb93 → _PyEval_EvalFrameDefault(f=, throwflag=)
[#1] 0x5568ad59 → _PyEval_EvalFrame(tstate=0x55b237b0, throwflag=0x0, f=0x77eee440)
[#2] 0x5568ad59 → _PyEval_EvalCode(tstate=0x55b237b0, _co=0x77ebdd40, globals=0x77f12480, locals=0x77f12480, args=0x0, argcount=0x0, kwnames=0x0, kwargs=0x0, kwcount=0x0, kwstep=0x2, defs=0x0, defcount=0x0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
[#3] 0x5568b0c6 → _PyEval_EvalCodeWithName(qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwstep=0x2, kwcount=0x0, kwargs=0x0, kwnames=0x0, argcount=0x0, args=0x0, locals=0x77f12480, globals=0x77f12480, _co=0x77ebdd40)
[#4] 0x5568b0c6 → PyEval_EvalCodeEx(closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwcount=0x0, kws=0x0, argcount=0x0, args=0x0, locals=0x77f12480, globals=0x77f12480, _co=0x77ebdd40)
[#5] 0x5568b0c6 → PyEval_EvalCode(co=0x77ebdd40, globals=0x77f12480, locals=0x77f12480)
[#6] 0x556d6f1e → run_eval_code_obj(locals=0x77f12480, globals=0x77f12480, co=0x77ebdd40)
[#7] 0x556d6f1e → run_pyc_file(filename=, flags=0x7fffdc68, locals=0x77f12480, globals=0x77f12480, fp=0x55b85360)
[#8] 0x556d6f1e → PyRun_SimpleFileExFlags(flags=, closeit=, filename=, fp=)
[#9] 0x556d6f1e → PyRun_SimpleFileEx(f=, p=, c=)
─
_PyEval_EvalFrameDefault (f=, throwflag=) at Python/ceval.c:1352
1352        PUSH(value);
gef➤  exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: f01ce56ffe2792b45d9959e69a1ae15d.6dcf66201de3c2adc2e25e04dbdb55e8
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)
```

------
components: Interpreter Core
files: c1
messages: 359199
nosy: ggbang
priority: normal
severity: normal
status: open
title: Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault
type: security
versions: Python 3.9
Added file: https://bugs.python.org/file48822/c1

___
Python tracker 
<https://bugs.python.org/issue39193>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-02 Thread ggbang


Change by ggbang :


Added file: https://bugs.python.org/file48823/crashc1.md




[issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

2020-01-03 Thread ggbang


ggbang  added the comment:

hello, if crafting deliberately incorrect bytecode could control the EIP of the Python interpreter, is that in scope to fix? thx.

--

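The crash above is `PUSH(value)` in `LOAD_CONST` writing past a value stack that is smaller than the bytecode actually needs, which is what a code object with an understated `co_stacksize` produces. As an added example (not from the tracker thread or from CPython's own sources), the check below walks a code object's straight-line bytecode with `dis.stack_effect` and reports whether `co_stacksize` can hold every pushed value; `required_stack_depth` and `stack_size_is_consistent` are names chosen here, and the walk assumes branch-free code, refusing rather than guessing when it meets a jump.

```python
"""Added example: static consistency check between a code object's real
stack usage and its declared co_stacksize (a detection aid for code objects
loaded from untrusted .pyc/marshal data, not a fix for ceval.c).
Assumed scope: straight-line bytecode only; any jump opcode aborts the walk."""
import dis
import types

# Opcodes that transfer control; a linear walk cannot follow them.
_JUMP_OPCODES = (set(dis.hasjrel) | set(getattr(dis, "hasjabs", []))
                 | set(getattr(dis, "hasjump", [])))


def required_stack_depth(code: types.CodeType) -> int:
    """Maximum value-stack depth reached by executing `code` in order,
    computed from CPython's own stack_effect table."""
    depth = 0
    max_depth = 0
    for ins in dis.get_instructions(code):
        if ins.opcode in _JUMP_OPCODES:
            raise ValueError(f"branching bytecode at offset {ins.offset}: "
                             f"{ins.opname} (linear walk only)")
        depth += dis.stack_effect(ins.opcode, ins.arg)
        if depth < 0:
            # Popping below an empty stack is the mirror image of the overflow.
            raise ValueError(f"stack underflow at offset {ins.offset}")
        max_depth = max(max_depth, depth)
    return max_depth


def stack_size_is_consistent(code: types.CodeType) -> bool:
    """True if co_stacksize can hold every value the bytecode pushes;
    False means the interpreter would write past the frame's value stack."""
    return required_stack_depth(code) <= code.co_stacksize


# Constructed sample: a well-formed module body, then the same bytecode with
# co_stacksize forged down to 0 (CodeType.replace() exists on CPython >= 3.8).
GOOD = compile("x = 1\ny = 2\n", "<constructed>", "exec")
FORGED = GOOD.replace(co_stacksize=0)

if __name__ == "__main__":
    for label, obj in (("good", GOOD), ("forged", FORGED)):
        print(label, "needs", required_stack_depth(obj),
              "declared", obj.co_stacksize,
              "consistent" if stack_size_is_consistent(obj) else "INCONSISTENT")
```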