[New-bugs-announce] [issue39193] Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault

Thu Jan 2 09:55:57 EST 2020

New submission from ggbang <dg_lsn at hotmail.com>:

python version:
Python 3.9.0a2 (default, Dec 25 2019, 20:42:47) 
[GCC 7.5.0] on linux

crash log:
``` bash
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
   0x5555555afb88 <_PyEval_EvalFrameDefault+4056> mov    rdx, QWORD PTR [rsi+rdx*8+0x18]
   0x5555555afb8d <_PyEval_EvalFrameDefault+4061> add    QWORD PTR [rdx], 0x1
   0x5555555afb91 <_PyEval_EvalFrameDefault+4065> test   eax, eax
 → 0x5555555afb93 <_PyEval_EvalFrameDefault+4067> mov    QWORD PTR [rcx], rdx
   0x5555555afb96 <_PyEval_EvalFrameDefault+4070> jne    0x5555555af226 <_PyEval_EvalFrameDefault+1654>
   0x5555555afb9c <_PyEval_EvalFrameDefault+4076> mov    rdx, r12
   0x5555555afb9f <_PyEval_EvalFrameDefault+4079> sub    rdx, QWORD PTR [rsp+0x8]
   0x5555555afba4 <_PyEval_EvalFrameDefault+4084> add    r12, 0x2
   0x5555555afba8 <_PyEval_EvalFrameDefault+4088> mov    DWORD PTR [rbx+0x68], edx
───────────────────────────────────────────────────────────────────────────────────────────────────────────── source:Python/ceval.c+1352 ────
   1347	 
   1348	         case TARGET(LOAD_CONST): {
   1349	             PREDICTED(LOAD_CONST);
   1350	             PyObject *value = GETITEM(consts, oparg);
   1351	             Py_INCREF(value);
 → 1352	             PUSH(value);
   1353	             FAST_DISPATCH();
   1354	         }
   1355	 
   1356	         case TARGET(STORE_FAST): {
   1357	             PREDICTED(STORE_FAST);
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "python", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x5555555afb93 → _PyEval_EvalFrameDefault(f=<optimized out>, throwflag=<optimized out>)
[#1] 0x55555568ad59 → _PyEval_EvalFrame(tstate=0x555555b237b0, throwflag=0x0, f=0x7ffff7eee440)
[#2] 0x55555568ad59 → _PyEval_EvalCode(tstate=0x555555b237b0, _co=0x7ffff7ebdd40, globals=0x7ffff7f12480, locals=0x7ffff7f12480, args=0x0, argcount=0x0, kwnames=0x0, kwargs=0x0, kwcount=0x0, kwstep=0x2, defs=0x0, defcount=0x0, kwdefs=0x0, closure=0x0, name=0x0, qualname=0x0)
[#3] 0x55555568b0c6 → _PyEval_EvalCodeWithName(qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwstep=0x2, kwcount=0x0, kwargs=0x0, kwnames=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480, globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#4] 0x55555568b0c6 → PyEval_EvalCodeEx(closure=0x0, kwdefs=0x0, defcount=0x0, defs=0x0, kwcount=0x0, kws=0x0, argcount=0x0, args=0x0, locals=0x7ffff7f12480, globals=0x7ffff7f12480, _co=0x7ffff7ebdd40)
[#5] 0x55555568b0c6 → PyEval_EvalCode(co=0x7ffff7ebdd40, globals=0x7ffff7f12480, locals=0x7ffff7f12480)
[#6] 0x5555556d6f1e → run_eval_code_obj(locals=0x7ffff7f12480, globals=0x7ffff7f12480, co=0x7ffff7ebdd40)
[#7] 0x5555556d6f1e → run_pyc_file(filename=<optimized out>, flags=0x7fffffffdc68, locals=0x7ffff7f12480, globals=0x7ffff7f12480, fp=0x555555b85360)
[#8] 0x5555556d6f1e → PyRun_SimpleFileExFlags(flags=<optimized out>, closeit=<optimized out>, filename=<optimized out>, fp=<optimized out>)
[#9] 0x5555556d6f1e → PyRun_SimpleFileEx(f=<optimized out>, p=<optimized out>, c=<optimized out>)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
_PyEval_EvalFrameDefault (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:1352
1352	            PUSH(value);
gef➤  exploitable
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: f01ce56ffe2792b45d9959e69a1ae15d.6dcf66201de3c2adc2e25e04dbdb55e8
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)
```

----------
components: Interpreter Core
files: c1
messages: 359199
nosy: ggbang
priority: normal
severity: normal
status: open
title: Out-of-bound write in ceval.c:_PyEval_EvalFrameDefault
type: security
versions: Python 3.9
Added file: https://bugs.python.org/file48822/c1

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue39193>
_______________________________________