devbox
凡人多烦事01
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

.pyc文件_漏洞公告 | Python 3.8.5 处理异常.pyc文件造成拒绝服务

作者:凡人多烦事01 | 2024-03-06 13:34:42

==2906198==the signal is caused by a read memory access. ==2906198==hint: ad

v2-527566bfb1e0cc7ab2298015aee7c7d8_1440w.jpg?source=172ae18b

漏洞简介:

极光无限维阵专家团队在对 Python最新版Python 3.8.5的分析中发现了一个 空指针引用漏洞,漏洞发生在Python对.pyc文件进行处理时。

下面是崩溃信息:

  1. $ Python-3.8.5/python 00-SEGV-on-unknown-address-Python-3.8.5.pyc
  2.  
  3.     Could not find platform dependent libraries <exec_prefix>
  4.     Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
  5.     AddressSanitizer:DEADLYSIGNAL
  6.     =================================================================
  7.     ==8079==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000008aa86b bp 0x000000000000 sp 0x7ffe2a3f5bf0 T0)
  8.     ==8079==The signal is caused by a READ memory access.
  9.     ==8079==Hint: address points to the zero page.
  10.         #0 0x8aa86a in _PyEval_EvalCodeWithName /home/test/Python-3.8.5/Python/ceval.c:4266:23
  11.         #1 0x866d0f in PyEval_EvalCodeEx /home/test/Python-3.8.5/Python/ceval.c:4327:12
  12.         #2 0x866d0f in PyEval_EvalCode /home/test/Python-3.8.5/Python/ceval.c:718:12
  13.         #3 0x9f7355 in run_eval_code_obj /home/test/Python-3.8.5/Python/pythonrun.c:1125:9
  14.         #4 0x9e682d in run_pyc_file /home/test/Python-3.8.5/Python/pythonrun.c:1184:9
  15.         #5 0x9e682d in PyRun_SimpleFileExFlags /home/test/Python-3.8.5/Python/pythonrun.c:419:13
  16.         #6 0x9e4ca5 in PyRun_AnyFileExFlags /home/test/Python-3.8.5/Python/pythonrun.c:86:16
  17.         #7 0x5108db in pymain_run_file /home/test/Python-3.8.5/Modules/main.c:381:15
  18.         #8 0x5108db in pymain_run_python /home/test/Python-3.8.5/Modules/main.c:606:21
  19.         #9 0x5108db in Py_RunMain /home/test/Python-3.8.5/Modules/main.c:685:5
  20.         #10 0x5129d6 in pymain_main /home/test/Python-3.8.5/Modules/main.c:715:12
  21.         #11 0x512dd7 in Py_BytesMain /home/test/Python-3.8.5/Modules/main.c:739:12
  22.         #12 0x7f8316d4b82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
  23.         #13 0x438888 in _start (/home/test/Python-3.8.5-Fuzz/python+0x438888)
  24.  
  25.     AddressSanitizer can not provide additional info.
  26.     SUMMARY: AddressSanitizer: SEGV /home/test/Python-3.8.5/Python/ceval.c:4266:23 in _PyEval_EvalCodeWithName
  27.     ==8079==ABORTING

漏洞分析:

在函数PyEval_EvalCode(Python-3.8.5/Python/ceval.c)中调用PyEval_EvalCodeEx函数。 
  1. PyObject *
  2.     PyEval_EvalCode(PyObject *co, PyObject *globals, PyObject *locals)
  3. {
  4.         return PyEval_EvalCodeEx(co,
  5.                         globals, locals,
  6.                         (PyObject **)NULL, 0,
  7.                         (PyObject **)NULL, 0,
  8.                         (PyObject **)NULL, 0,
  9.                         NULL, NULL);
  10.     }
传递给PyEval_EvalCodeEx函数的参数中closure设置为NULL。 
  1.     PyObject *
  2.     PyEval_EvalCodeEx(PyObject *_co, PyObject *globals, PyObject *locals,
  3.                     PyObject *const *args, int argcount,
  4.                     PyObject *const *kws, int kwcount,
  5.                     PyObject *const *defs, int defcount,
  6.                     PyObject *kwdefs, PyObject *closure)
  7. {
  8.         return _PyEval_EvalCodeWithName(_co, globals, locals,
  9.                                         args, argcount,
  10.                                         kws, kws != NULL ? kws + 1 : NULL,
  11.                                         kwcount, 2,
  12.                                         defs, defcount,
  13.                                         kwdefs, closure,
  14.                                         NULL, NULL);
  15.     }

PyEval_EvalCodeEx函数继续调用_PyEval_EvalCodeWithName函数,closure值不变依旧为NULL。

  1.   PyObject *
  2.     _PyEval_EvalCodeWithName(PyObject *_co, PyObject *globals, PyObject *locals,
  3.             PyObject *const *args, Py_ssize_t argcount,
  4.             PyObject *const *kwnames, PyObject *const *kwargs,
  5.             Py_ssize_t kwcount, int kwstep,
  6.             PyObject *const *defs, Py_ssize_t defcount,
  7.             PyObject *kwdefs, PyObject *closure,
  8.             PyObject *name, PyObject *qualname)
  9.     {
  10.         ******
  11.         /* Copy closure variables to free variables */
  12.         for (i = 0; i < PyTuple_GET_SIZE(co->co_freevars); ++i) {
  13.             PyObject *o = PyTuple_GET_ITEM(closure, i);   <----------------------------- crash
  14.             Py_INCREF(o);
  15.             freevars[PyTuple_GET_SIZE(co->co_cellvars) + i] = o;
  16.         }
  17.         ******
  18.     }

在_PyEval_EvalCodeWithName函数中对closure进行解引用,此时closure值为NULL,触发空指针引用漏洞。

修复建议:

在 _PyEval_EvalCodeWithName函数中引用closure前,对closure的值进行判断。

维阵

维阵(AI图神经网络漏洞挖掘)是一款基于图神经网络技术对设备和应用的二进制文件进行安全脆弱性检测的SaaS平台化服务产品,提供对二进制文件分析发现0day的在线服务。
“维阵”,历时十多个月,投入了过亿研发费用,动用了十多位数学教授、博士带领五十余名研发人员,AI算法模型经历了超过160次的版本迭代,最终打磨成型。
“维阵”,采用SaaS的服务模式,用户只需要将需要进行检测的二进制文件拖入,剩下的检测工作将完全交给系统来完成。这意味着,这款AI漏洞挖掘系统不仅仅适用于安全研究人员,对于并不擅长漏洞挖掘的开发人员而言,同样适用。这样做的好处显而易见——在产品上线之前,就能发现存在的安全问题,进一步提高产品的安全性,避免未来因安全漏洞造成更大的损失。
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/凡人多烦事01/article/detail/199154
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号