Heap-use-after-free READ 8 · dictkeys_decref in fuzz_ast_literal_eval  #125010

Closed
@alex

Description

Crash report

What happened?

From: https://oss-fuzz.com/testcase-detail/5876542813569024

Introduced in: 29a1a6e...43cd7aa

reproducer.txt

>>> import ast
>>> s = open("reproducer.txt").read()
>>> ast.literal_eval(s)
=================================================================
==11615==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f000046410 at pc 0x000100fa9760 bp 0x00016f290780 sp 0x00016f290778
READ of size 8 at 0x62f000046410 thread T0
    #0 0x100fa975c in Py_DECREF refcount.h:342
    #1 0x100fc9c88 in dictkeys_decref dictobject.c:458
    #2 0x100fb8db8 in dict_dealloc dictobject.c:3199
    #3 0x1010235bc in _Py_Dealloc object.c:2893
    #4 0x1012659e4 in ast_dealloc Python-ast.c:5052
    #5 0x1010b4ffc in subtype_dealloc typeobject.c:2572
    #6 0x1010235bc in _Py_Dealloc object.c:2893
    #7 0x101267c00 in ast_repr_max_depth Python-ast.c
    #8 0x101017744 in PyObject_Repr object.c:694
    #9 0x101317d70 in _PyEval_EvalFrameDefault generated_cases.c.h:3248
    #10 0x1012f2bf0 in _PyObject_VectorcallTstate pycore_call.h:167
    #11 0x1012eeef8 in map_next bltinmodule.c:1442
    #12 0x100e5f368 in iternext abstract.c:2874
    #13 0x100e5aef8 in PyIter_Next abstract.c:2924
    #14 0x10108c200 in set_update_iterable_lock_held setobject.c:971
    #15 0x1010804ac in make_new_set setobject.c:1095
    #16 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
    #17 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
    #18 0x1013029d8 in PyEval_EvalCode ceval.c:647
    #19 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
    #20 0x10131ccd8 in _PyEval_EvalFrameDefault generated_cases.c.h:1451
    #21 0x1013029d8 in PyEval_EvalCode ceval.c:647
    #22 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
    #23 0x101004360 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
    #24 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
    #25 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
    #26 0x100eabb64 in _PyVectorcall_Call call.c:273
    #27 0x1015e1fe0 in pymain_run_module main.c:349
    #28 0x1015e3048 in pymain_run_stdin main.c:574
    #29 0x1015e07fc in Py_RunMain main.c:775
    #30 0x1015e1894 in pymain_main main.c:805
    #31 0x1015e1c30 in Py_BytesMain main.c:829
    #32 0x19bf60270  (<unknown module>)

0x62f000046410 is located 16 bytes inside of 49104-byte region [0x62f000046400,0x62f0000523d0)
freed by thread T0 here:
    #0 0x102b84d40 in free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54d40)
    #1 0x1010235bc in _Py_Dealloc object.c:2893
    #2 0x101267c00 in ast_repr_max_depth Python-ast.c
    #3 0x1012675e0 in ast_repr_max_depth Python-ast.c:5799
    #4 0x101017744 in PyObject_Repr object.c:694
    #5 0x101317d70 in _PyEval_EvalFrameDefault generated_cases.c.h:3248
    #6 0x1012f2bf0 in _PyObject_VectorcallTstate pycore_call.h:167
    #7 0x1012eeef8 in map_next bltinmodule.c:1442
    #8 0x100e5f368 in iternext abstract.c:2874
    #9 0x100e5aef8 in PyIter_Next abstract.c:2924
    #10 0x10108c200 in set_update_iterable_lock_held setobject.c:971
    #11 0x1010804ac in make_new_set setobject.c:1095
    #12 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
    #13 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
    #14 0x1013029d8 in PyEval_EvalCode ceval.c:647
    #15 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
    #16 0x10131ccd8 in _PyEval_EvalFrameDefault generated_cases.c.h:1451
    #17 0x1013029d8 in PyEval_EvalCode ceval.c:647
    #18 0x1012f7b68 in builtin_exec bltinmodule.c.h:556
    #19 0x101004360 in cfunction_vectorcall_FASTCALL_KEYWORDS methodobject.c:441
    #20 0x100ea92cc in _PyObject_VectorcallTstate pycore_call.h:167
    #21 0x10132e20c in _PyEval_EvalFrameDefault generated_cases.c.h:921
    #22 0x100eabb64 in _PyVectorcall_Call call.c:273
    #23 0x1015e1fe0 in pymain_run_module main.c:349
    #24 0x1015e3048 in pymain_run_stdin main.c:574
    #25 0x1015e07fc in Py_RunMain main.c:775
    #26 0x1015e1894 in pymain_main main.c:805
    #27 0x1015e1c30 in Py_BytesMain main.c:829
    #28 0x19bf60270  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x102b84c04 in malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54c04)
    #1 0x10105eb7c in _PyMem_DebugRawAlloc obmalloc.c:2699
    #2 0x100f75aa8 in _PyLong_New longobject.c:157
    #3 0x100f95138 in long_from_binary_base longobject.c:2586
    #4 0x100f84a30 in PyLong_FromString longobject.c:3052
    #5 0x100b78d78 in parsenumber_raw pegen.c
    #6 0x100b75984 in _PyPegen_number_token pegen.c:704
    #7 0x100c037a4 in atom_rule parser.c:14845
    #8 0x100bfa8c4 in primary_rule parser.c:14262
    #9 0x100bf8068 in await_primary_rule parser.c:14216
    #10 0x100bf625c in power_rule parser.c:14092
    #11 0x100bf1a14 in factor_rule parser.c:14042
    #12 0x100bedfe8 in term_raw parser.c:13883
    #13 0x100bec1f8 in term_rule parser.c:13626
    #14 0x100be69e8 in sum_rule parser.c:13458
    #15 0x100be3e04 in shift_expr_rule parser.c:13278
    #16 0x100be19c4 in bitwise_and_rule parser.c:13156
    #17 0x100bdfb48 in bitwise_xor_rule parser.c:13034
    #18 0x100bd9084 in bitwise_or_rule parser.c:12912
    #19 0x100c30b5c in comparison_rule parser.c:12152
    #20 0x100c2f660 in inversion_rule parser.c:12103
    #21 0x100c2bc80 in conjunction_rule parser.c:11980
    #22 0x100c10584 in disjunction_rule parser.c:11892
    #23 0x100bd34ac in expression_rule parser.c:11180
    #24 0x100cb0914 in kvpair_rule parser.c:16890
    #25 0x100caed4c in double_starred_kvpair_rule parser.c:16850
    #26 0x100ca9890 in double_starred_kvpairs_rule parser.c:16778
    #27 0x100c82d0c in _tmp_96_rule parser.c:31587
    #28 0x100c04c18 in atom_rule parser.c:14908
    #29 0x100bfa8c4 in primary_rule parser.c:14262

SUMMARY: AddressSanitizer: heap-use-after-free refcount.h:342 in Py_DECREF
Shadow bytes around the buggy address:
  0x62f000046180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62f000046200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62f000046280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62f000046300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x62f000046380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x62f000046400: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x62f000046480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x62f000046500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x62f000046580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x62f000046600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x62f000046680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11615==ABORTING
fish: Job 1, './python.exe' terminated by signal SIGABRT (Abort)

CPython versions tested on:

CPython main branch

Operating systems tested on:

No response

Output from running 'python -VV' on the command line:

No response
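An added triage helper, not part of this issue, of CPython or of the OSS-Fuzz tooling, that pulls the faulting, freeing and allocating stacks out of an ASan report like the one above and names the first frame in each that is not allocator or refcount plumbing. Read that way, the trace says: the block is a PyLong the parser built from a numeric literal (long_from_binary_base), ast_repr_max_depth released it while building the node's repr, and the later 8-byte READ is Py_DECREF reaching the same object again through the dict that ast_dealloc frees. The `refcount_field` check assumes a 64-bit debug build, where _PyMem_DebugRawAlloc prefixes each block with 2*sizeof(size_t) bytes, so offset 16 is ob_refcnt; SAMPLE_REPORT is a constructed, shortened copy of the report's own trace.

```python
"""Triage helper for ASan heap-use-after-free reports like the one above.

Added example: not part of this issue, CPython or the OSS-Fuzz tooling.
SAMPLE_REPORT is a constructed, shortened copy of the trace in the report."""
import re
from dataclasses import dataclass, field

_HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
_ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")
_REGION = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
_FRAME = re.compile(
    r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>[^\s(+]+)(?:\+0x[0-9a-f]+)?(?: (?P<loc>.*))?$")

# Allocator entry points, refcount helpers and generic dispatch appear in almost
# every CPython report, so they say nothing about which code is at fault.
PLUMBING = {"free", "malloc", "realloc", "Py_DECREF", "_Py_Dealloc",
            "_PyMem_DebugRawAlloc", "_PyObject_Malloc", "PyObject_Repr",
            "_PyEval_EvalFrameDefault"}
# _PyMem_DebugRawAlloc prepends 2*sizeof(size_t) bytes to every block; the
# value assumes a 64-bit build, so an 8-byte read at this offset is ob_refcnt.
DEBUG_ALLOC_PREFIX = 16


@dataclass
class Frame:
    func: str
    loc: str


@dataclass
class Report:
    kind: str = ""
    access_op: str = ""
    access_size: int = 0
    offset: int = -1
    region_size: int = 0
    access: list = field(default_factory=list)     # stack of the bad access
    freed: list = field(default_factory=list)      # stack that freed the block
    allocated: list = field(default_factory=list)  # stack that allocated it


def parse_report(text):
    """Split an ASan report into its header facts and its three stacks."""
    rep, current = Report(), None
    for line in text.splitlines():
        stripped = line.strip()
        if m := _HEADER.search(line):
            rep.kind = m["kind"]
        elif m := _ACCESS.match(stripped):
            rep.access_op, rep.access_size = m["op"], int(m["size"])
            current = rep.access
        elif m := _REGION.search(line):
            rep.offset, rep.region_size = int(m["off"]), int(m["size"])
        elif stripped.startswith("freed by thread"):
            current = rep.freed
        elif stripped.startswith("previously allocated by thread"):
            current = rep.allocated
        elif (m := _FRAME.match(line)) and current is not None:
            current.append(Frame(m["func"], (m["loc"] or "").strip()))
        elif not stripped:
            current = None  # a blank line closes the stack being read
    return rep


def first_interesting(stack, skip=PLUMBING):
    """First frame that is not allocator, refcount or dispatch plumbing."""
    return next((f for f in stack if f.func not in skip), None)


def shared_functions(rep, skip=PLUMBING):
    """Functions on both the faulting and the freeing stack. Code that freed
    the block and later reached it again is where a refcount slip usually is."""
    on_both = {f.func for f in rep.access} & {f.func for f in rep.freed}
    return sorted(on_both - skip)


def hits_refcount_field(rep):
    """True when the bad access lands exactly on ob_refcnt of a debug-allocated
    object, i.e. a Py_DECREF of an already freed object (64-bit assumption)."""
    debug = any(f.func == "_PyMem_DebugRawAlloc" for f in rep.allocated)
    return debug and rep.offset == DEBUG_ALLOC_PREFIX and rep.access_size == 8


def _fmt(fr):
    return f"{fr.func} {fr.loc}".strip() if fr else "?"


def triage(text):
    """One-screen summary of a report: what, where, who freed, who allocated."""
    rep = parse_report(text)
    return {
        "kind": rep.kind,
        "access": f"{rep.access_op} {rep.access_size} bytes at offset "
                  f"{rep.offset} of {rep.region_size}",
        "faulting_frame": _fmt(first_interesting(rep.access)),
        "freed_in": _fmt(first_interesting(rep.freed)),
        "allocated_in": _fmt(first_interesting(rep.allocated)),
        "suspects": shared_functions(rep),
        "refcount_field": hits_refcount_field(rep),
    }


# Constructed sample: a shortened copy of the trace in this issue.
SAMPLE_REPORT = """\
==11615==ERROR: AddressSanitizer: heap-use-after-free on address 0x62f000046410 at pc 0x000100fa9760 bp 0x00016f290780 sp 0x00016f290778
READ of size 8 at 0x62f000046410 thread T0
    #0 0x100fa975c in Py_DECREF refcount.h:342
    #1 0x100fc9c88 in dictkeys_decref dictobject.c:458
    #2 0x100fb8db8 in dict_dealloc dictobject.c:3199
    #3 0x1010235bc in _Py_Dealloc object.c:2893
    #4 0x1012659e4 in ast_dealloc Python-ast.c:5052
    #5 0x1010b4ffc in subtype_dealloc typeobject.c:2572
    #6 0x1010235bc in _Py_Dealloc object.c:2893
    #7 0x101267c00 in ast_repr_max_depth Python-ast.c
    #8 0x101017744 in PyObject_Repr object.c:694

0x62f000046410 is located 16 bytes inside of 49104-byte region [0x62f000046400,0x62f0000523d0)
freed by thread T0 here:
    #0 0x102b84d40 in free+0x98 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54d40)
    #1 0x1010235bc in _Py_Dealloc object.c:2893
    #2 0x101267c00 in ast_repr_max_depth Python-ast.c
    #3 0x1012675e0 in ast_repr_max_depth Python-ast.c:5799
    #4 0x101017744 in PyObject_Repr object.c:694

previously allocated by thread T0 here:
    #0 0x102b84c04 in malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x54c04)
    #1 0x10105eb7c in _PyMem_DebugRawAlloc obmalloc.c:2699
    #2 0x100f75aa8 in _PyLong_New longobject.c:157
    #3 0x100f95138 in long_from_binary_base longobject.c:2586
    #4 0x100f84a30 in PyLong_FromString longobject.c:3052

SUMMARY: AddressSanitizer: heap-use-after-free refcount.h:342 in Py_DECREF
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:15} {value}")
```

Run against the full report pasted above, the summary is the same as for the sample: faulting frame dictkeys_decref, freed in ast_repr_max_depth, allocated in _PyLong_New, and ast_repr_max_depth as the only function on both the faulting and the freeing stack, which is the function to read first for a Py_DECREF of a reference it did not own.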

Linked PRs

Metadata

Assignees: No one assigned

Labels: 3.14 (bugs and security fixes), type-crash (A hard crash of the interpreter, possibly with a core dump), type-security (A security issue)

Project status: Done

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests