null-dereference in int_from_bytes
Description
We found a null-dereference crash in int_from_bytes while using a framebuf.FrameBuffer1() instance for from_bytes(). We have attached three PoCs below.
Proof of Concept
$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython <poc_file>
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v1.20.0 (commit a3862e726, latest as of 2023-09-26)
v1.20.0 (commit 813d559bc, 2023-06-19)
Discovered in the UNIX port version.
Null pointer dereference in mp_reader_new_file
Description
We found a null-dereference in the UNIX port version. All PoCs involve builtins.execfile() and crash in mp_reader_new_file eventually. We've attached three PoCs and their stack traces from ASAN.
Proof of Concept
$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython <poc_file>
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v1.20.0 (commit a3862e726, latest as of 2023-09-26)
v1.20.0 (commit 813d559bc, 2023-06-19)
Question
We actually found many more crashes with ASAN other than this (including buffer-overflows), but we'd need some advice from micropython maintainers before posting issues for all of them.
- Do you also consider ASAN crashes through the UNIX port version relevant?
- How do you prefer accepting buffer-overflow cases? (via e-mail or here) We haven't verified their exploitability.
Please let me report the rest of the crashes following your advice. Thank you very much for maintaining micropython.
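The build-and-run procedure above yields one AddressSanitizer report (on stderr) per PoC, and the closing question is about separating plain crashes from buffer-overflow findings before deciding where to report them. As an added example, not the reporter's code and not part of MicroPython, here is a small Python triage script that parses such reports, flags zero-page SEGVs as null dereferences, labels the memory-safety classes (buffer overflows, use-after-free) for closer review, and buckets duplicate crashes by their innermost frames. The embedded sample reports are constructed: only the function names int_from_bytes and mp_reader_new_file come from the issue; every path, line number, address and other function name is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ASAN header: "ERROR: AddressSanitizer: <kind> on [unknown] address 0x..."
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                      r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
# "The signal is caused by a READ memory access." / "WRITE of size 4 at ..."
ACCESS_RE = re.compile(r"(?:caused by a |^)(?P<access>READ|WRITE)(?: memory access| of size \d+)", re.M)
# Symbolized frame line: "    #0 0x55d5 in func path.c:12:3"
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>\S+)")

MEMORY_SAFETY_KINDS = {"heap-buffer-overflow", "stack-buffer-overflow", "global-buffer-overflow",
                       "heap-use-after-free", "stack-use-after-return", "double-free"}

@dataclass
class CrashReport:
    kind: str               # "SEGV", "heap-buffer-overflow", ...
    address: Optional[int]  # faulting address, when ASAN printed one
    access: Optional[str]   # "READ" / "WRITE", when ASAN printed one
    frames: list            # [(function, location), ...] of the faulting stack only

    def is_null_deref(self, page_size: int = 0x1000) -> bool:
        # SEGV inside the zero page: a null (or null-plus-small-offset) dereference, i.e. a crash.
        return self.kind == "SEGV" and self.address is not None and self.address < page_size

    def bucket(self, depth: int = 3) -> str:
        # Dedup key: error kind plus the innermost `depth` function names.
        return self.kind + "|" + ">".join(func for func, _ in self.frames[:depth])

def _first_stack(text: str) -> list:
    # Keep only the first run of frames (the faulting stack); overflow/UAF reports append more stacks.
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            if frames and m["n"] == "0":
                break
            frames.append((m["func"], m["loc"]))
        elif frames:
            break
    return frames

def parse_asan_report(text: str) -> CrashReport:
    m = ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer report")
    addr = int(m["addr"], 16) if m["addr"] else None
    a = ACCESS_RE.search(text)
    return CrashReport(m["kind"], addr, a["access"] if a else None, _first_stack(text))

def classify(report: CrashReport) -> str:
    # Coarse triage label: plain crash vs. finding that needs memory-safety review before public filing.
    if report.is_null_deref():
        return "null-deref (crash/DoS)"
    if report.kind in MEMORY_SAFETY_KINDS:
        return "memory-safety (review before public disclosure)"
    return "other"

def triage(reports: dict) -> dict:
    # Group {poc_name: asan_text} into {bucket: [(poc_name, label), ...]}.
    buckets = {}
    for name, text in reports.items():
        r = parse_asan_report(text)
        buckets.setdefault(r.bucket(), []).append((name, classify(r)))
    return buckets

# Constructed sample reports standing in for the attached traces. int_from_bytes and
# mp_reader_new_file are named in the issue; every path, line number, address and
# other function name below is a placeholder.
SAMPLE_REPORTS = {
    "poc1.py": """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5a1b2c bp 0x7ffd0 sp 0x7ffc8 T0)
==4242==The signal is caused by a READ memory access.
    #0 0x5a1b2c in int_from_bytes PLACEHOLDER/objint.c:100:5
    #1 0x5a0a0a in caller_fn PLACEHOLDER/caller.c:200:12
SUMMARY: AddressSanitizer: SEGV PLACEHOLDER/objint.c:100:5 in int_from_bytes
""",
    "poc2.py": """\
==4243==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5a2b2c bp 0x7ffd0 sp 0x7ffc8 T0)
    #0 0x5a2b2c in mp_reader_new_file PLACEHOLDER/reader.c:50:9
    #1 0x5a1c1c in execfile_fn PLACEHOLDER/builtin.c:80:5
""",
    "poc3.py": """\
==4244==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x5b0000 bp 0x7ffd0 sp 0x7ffc8
READ of size 4 at 0x602000000018 thread T0
    #0 0x5b0000 in some_fn PLACEHOLDER/some.c:10:3
    #1 0x5a0a0a in caller_fn PLACEHOLDER/caller.c:200:12
0x602000000018 is located 0 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4c0000 in malloc (PLACEHOLDER/asan_rt.so+0x1000)
""",
}
# A second crash with the same innermost frames as poc1.py lands in poc1's bucket.
SAMPLE_REPORTS["poc4.py"] = SAMPLE_REPORTS["poc1.py"].replace("4242", "4245")

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORTS).items():
        print(bucket, "->", hits)
```

To use it on real output, run each PoC as in the procedure above with stderr redirected to a file (`./ports/unix/build-standard/micropython poc.py 2> poc.asan`) and pass the file contents to `triage`; keeping `ASAN_OPTIONS="detect_leaks=0"` as the report does avoids leak summaries being mixed into the crash reports. The bucket key deliberately uses only function names, not addresses or line numbers, so the same crash reached from different inputs collapses into one entry.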