[issue40958] ASAN/UBSAN: heap-buffer-overflow in pegen.c
Christian Heimes
report at bugs.python.org
Fri Jun 12 06:42:31 EDT 2020
New submission from Christian Heimes <lists at cheimes.de>:
ASAN/UBSAN has detected a heap-buffer-overflow in pegen.c
==1625693==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000026b71 at pc 0x00000073574d bp 0x7fff297284f0 sp 0x7fff297284e0
READ of size 1 at 0x606000026b71 thread T0
#0 0x73574c in ascii_decode Objects/unicodeobject.c:4941
#1 0x82bd0f in unicode_decode_utf8 Objects/unicodeobject.c:4999
#2 0xf35859 in byte_offset_to_character_offset Parser/pegen.c:148
#3 0xf35859 in _PyPegen_raise_error_known_location Parser/pegen.c:412
#4 0xf36482 in _PyPegen_raise_error Parser/pegen.c:373
#5 0xf39e1d in tokenizer_error Parser/pegen.c:321
#6 0xf39e1d in _PyPegen_fill_token Parser/pegen.c:638
#7 0xf3ca0f in _PyPegen_expect_token Parser/pegen.c:753
#8 0xf4cc7a in _tmp_15_rule Parser/parser.c:16184
#9 0xf3c799 in _PyPegen_lookahead (/home/heimes/dev/python/cpython/python+0xf3c799)
#10 0xfafb4a in compound_stmt_rule Parser/parser.c:1860
#11 0xfb7fc2 in statement_rule Parser/parser.c:1224
#12 0xfb7fc2 in _loop1_11_rule Parser/parser.c:15954
#13 0xfb7fc2 in statements_rule Parser/parser.c:1183
#14 0xfbbce7 in file_rule Parser/parser.c:716
#15 0xfbbce7 in _PyPegen_parse Parser/parser.c:24401
#16 0xf3f868 in _PyPegen_run_parser Parser/pegen.c:1077
#17 0xf4044f in _PyPegen_run_parser_from_file_pointer Parser/pegen.c:1137
#18 0xa27f36 in PyRun_FileExFlags Python/pythonrun.c:1057
#19 0xa2826a in PyRun_SimpleFileExFlags Python/pythonrun.c:400
#20 0x479b1b in pymain_run_file Modules/main.c:369
#21 0x479b1b in pymain_run_python Modules/main.c:553
#22 0x47bd59 in Py_RunMain Modules/main.c:632
#23 0x47bd59 in pymain_main Modules/main.c:662
#24 0x47bd59 in Py_BytesMain Modules/main.c:686
#25 0x7f59aa5cd041 in __libc_start_main (/lib64/libc.so.6+0x27041)
#26 0x47643d in _start (/home/heimes/dev/python/cpython/python+0x47643d)
0x606000026b71 is located 0 bytes to the right of 49-byte region [0x606000026b40,0x606000026b71)
allocated by thread T0 here:
#0 0x7f59ab303667 in __interceptor_malloc (/lib64/libasan.so.6+0xb0667)
#1 0x749c7d in PyUnicode_New Objects/unicodeobject.c:1437
#2 0x872f15 in _PyUnicode_Init Objects/unicodeobject.c:15535
#3 0x9fe0ab in pycore_init_types Python/pylifecycle.c:599
#4 0x9fe0ab in pycore_interp_init Python/pylifecycle.c:724
#5 0xa07c69 in pyinit_config Python/pylifecycle.c:765
#6 0xa07c69 in pyinit_core Python/pylifecycle.c:926
#7 0xa09b17 in Py_InitializeFromConfig Python/pylifecycle.c:1136
#8 0x4766c2 in pymain_init Modules/main.c:66
#9 0x47bd12 in pymain_main Modules/main.c:653
#10 0x47bd12 in Py_BytesMain Modules/main.c:686
#11 0x7f59aa5cd041 in __libc_start_main (/lib64/libc.so.6+0x27041)
SUMMARY: AddressSanitizer: heap-buffer-overflow Objects/unicodeobject.c:4941 in ascii_decode
Shadow bytes around the buggy address:
0x0c0c7fffcd10: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fffcd20: 00 00 00 00 00 00 00 07 fa fa fa fa 00 00 00 00
0x0c0c7fffcd30: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 05
0x0c0c7fffcd40: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fffcd50: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0c7fffcd60: 00 00 00 01 fa fa fa fa 00 00 00 00 00 00[01]fa
0x0c0c7fffcd70: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fffcd80: 00 00 00 00 00 00 05 fa fa fa fa fa 00 00 00 00
0x0c0c7fffcd90: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fffcda0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fffcdb0: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1625693==ABORTING
----------
components: Interpreter Core
messages: 371351
nosy: christian.heimes, pablogsal
priority: high
severity: normal
status: open
title: ASAN/UBSAN: heap-buffer-overflow in pegen.c
type: security
versions: Python 3.10, Python 3.9
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue40958>
_______________________________________
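The trace above ends in a one-byte READ located 0 bytes past the end of a 49-byte heap region, reached from byte_offset_to_character_offset in Parser/pegen.c while it decodes a prefix of the source line to translate a byte column into a character column. The report does not say why the requested length exceeded the buffer, and the following is not CPython's code and does not claim to be the root cause; it is an added example, written for this page, of the bug class the trace shows: a byte-offset-to-character-offset helper that trusts its offset reads past the allocation, and a clamped version does not. The function names byte_to_char_offset_unchecked, byte_to_char_offset_clamped and heap_copy_exact, and the sample source line, are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count UTF-8 code points in s[0..nbytes). A continuation byte has the
 * form 10xxxxxx; every other byte starts a new code point. This stands in
 * for the decoder in the trace: it reads exactly nbytes bytes and has no
 * idea how large the underlying allocation is. */
static size_t count_codepoints(const unsigned char *s, size_t nbytes)
{
    size_t n = 0;
    for (size_t i = 0; i < nbytes; i++) {
        if ((s[i] & 0xC0) != 0x80) {
            n++;
        }
    }
    return n;
}

/* Unchecked variant (hypothetical): col_offset is taken at face value.
 * If col_offset > strlen(line) + 1, the loop reads beyond the terminating
 * NUL and past the heap allocation, which ASan reports as a
 * heap-buffer-overflow READ of size 1, as in the report above. */
size_t byte_to_char_offset_unchecked(const char *line, size_t col_offset)
{
    return count_codepoints((const unsigned char *)line, col_offset);
}

/* Clamped variant (hypothetical): never decode more bytes than the line
 * actually holds. A byte column past the end maps to the last character
 * column, which is the only sensible answer for an error location. */
size_t byte_to_char_offset_clamped(const char *line, size_t col_offset)
{
    size_t len = strlen(line);
    if (col_offset > len) {
        col_offset = len;
    }
    return count_codepoints((const unsigned char *)line, col_offset);
}

/* Exact-size heap copy so that a sanitizer sees any read past the NUL. */
char *heap_copy_exact(const char *s)
{
    size_t len = strlen(s);
    char *copy = malloc(len + 1);
    if (copy == NULL) {
        abort();
    }
    memcpy(copy, s, len + 1);
    return copy;
}

int main(void)
{
    /* Constructed sample line: 11 bytes, 10 code points ("é" is 2 bytes). */
    const char *src = "x = 'h\xc3\xa9llo";
    char *line = heap_copy_exact(src);

    /* A column two past the NUL: the first byte outside the allocation,
     * mirroring "0 bytes to the right of" the region in the ASan report. */
    size_t bogus = strlen(line) + 2;

    printf("clamped  : %zu\n", byte_to_char_offset_clamped(line, bogus));
#ifdef DEMO_OVERFLOW
    /* Build with -fsanitize=address -DDEMO_OVERFLOW to see the
     * heap-buffer-overflow READ of size 1 from count_codepoints. */
    printf("unchecked: %zu\n", byte_to_char_offset_unchecked(line, bogus));
#endif

    free(line);
    return 0;
}
```

Compile with `gcc -g -fsanitize=address -DDEMO_OVERFLOW` to reproduce the class of report shown above on this small program; without the define only the clamped path runs. The important design point is where the bound lives: the decoder cannot check it, because it is handed a pointer and a length, so the caller that computes the column from tokenizer state is the place to clamp against the real line length before handing the range to any decoding routine.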