← index #12776Issue #12830
Off-topic · high · value 3.662
QUERY · ISSUE

Crashes while pushing to a TaskQueue instance

openby gwangmuopened 2023-10-23updated 2024-09-05
bug

Description

The UNIX port of MicroPython crashes while attempting to push an object to asyncio.TaskQueue() (or the waiting member of asyncio.Event(). It generally exhibited null-dereference when the passed object was a value and global-buffer-overflow when it was a module. We have attached three PoCs of each bug type.

poc.zip

Proof of Concept

$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython <poc_file>

Environment

Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB

Affected Version

v1.20.0 (commit a3862e726, latest as of 2023-09-26)
v1.20.0 (commit 813d559bc, 2023-06-19)
Discovered in the UNIX port version.

CANDIDATE · ISSUE

Crashes while using builtins.super

closedby gwangmuopened 2023-10-30updated 2024-07-25
bug

Description

The UNIX port of MicroPython crashes while using builtins.super() in one way or another. The crash was exhibited as global-buffer-overflow and null-dereference (SEGV near the null address). Most of the crashes happened in mp_obj_class_lookup, but one crash happened in mp_obj_get_type (the stack trace and PoC look similar to other crashes). We've attached one PoC for global-buffer-overflow, three PoCs for null-dereference, and one PoC for the crash in mp_obj_get_type.

poc.zip

Proof of Concept

$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython <poc_file>

Environment

Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB

Affected Version

v1.20.0 (commit a3862e726, latest as of 2023-09-26)
v1.20.0 (commit 813d559bc, 2023-06-19)
Discovered in the UNIX port version.

Keyboard

j / / n
next pair
k / / p
previous pair
1 / / h
show query pane
2 / / l
show candidate pane
c
copy suggested comment
r
toggle reasoning
g i
go to index
?
show this help
esc
close overlays

press ? or esc to close

copied