[New-bugs-announce] [issue34045] DoS due to null pointer dereference in marshal.dumps()
Krishna Ram Prakash R
report at bugs.python.org
Wed Jul 4 11:02:58 EDT 2018
New submission from Krishna Ram Prakash R <krp at gtux.in>:
By passing a malformed string as input to marshal.loads() an attacker can trigger a null pointer dereference resulting in DoS.
This happens because when a Python object is unmarshalled by reference, it is assumed that the target object is fully constructed. We can construct a marshal string such that it can reference partially constructed Python objects.
Example
-------
tuple(FrozenSet(REF(0)))
Tuple -> FrozenSet -> REF(0)
When unmarshalling of the tuple object starts, a new PyTuple_New() object is created and its address is added to p->refs array before starting to parse and load all its children elements in a loop. A FrozenSet can be added as 0th element of this tuple. And then add the 0th element of this FrozenSet as p->refs[0]. After an element is added to FrozenSet, it tries to hash it believing that it is a completely constructed Python object.
While it tries to hash the original tuple, it does not have any valid addresses in ob_item array. This results in a null pointer dereference throwing a SIGSEGV and crashing of interpreter.
Running the below script results in a segmentation fault.
```
#!/usr/bin/env python3
import marshal
marshal.loads(b"\xa9\x01\xbe\x01\x00\x00\x00r\x00\x00\x00\x00")
```
----------
components: Interpreter Core, Library (Lib)
messages: 321050
nosy: benjamin.peterson, rkrp
priority: normal
severity: normal
status: open
title: DoS due to null pointer dereference in marshal.dumps()
type: security
versions: Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue34045>
_______________________________________
More information about the New-bugs-announce
mailing list