null-dereference in int_from_bytes
Description
We found a null-dereference crash in int_from_bytes while passing a framebuf.FrameBuffer1() instance as the argument to int.from_bytes(). We have attached three PoCs below.
Proof of Concept
$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython <poc_file>
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v1.20.0 (commit a3862e726, latest as of 2023-09-26)
v1.20.0 (commit 813d559bc, 2023-06-19)
Discovered in the UNIX port version.
null-dereference in mp_binary_get_val_array
Description
We found a null-dereference crash in mp_binary_get_val_array while computing a set difference against a builtins.memoryview() instance. We have attached the only PoC we have for this crash below.
Proof of Concept
- poc.py
import framebuf
import builtins
import select  # referenced below; imported explicitly so the name resolves

v1 = builtins.set()
v4 = builtins.bytearray()               # empty backing buffer for the framebuffer
v6 = select != builtins                 # True
v7 = +v6                                # width = 1
v8 = 6                                  # height = 6
v9 = framebuf.FrameBuffer1(v4, v7, v8)  # framebuffer over a zero-length buffer
v11 = builtins.memoryview(v9)           # memoryview via the framebuffer's buffer protocol
v1.difference(v11)                      # iterating the view reaches mp_binary_get_val_array and crashes
- Execution
$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython poc.py
- Stack trace
=================================================================
==243167==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55911a64cb8e bp 0x7ffe886de930 sp 0x7ffe886de930 T0)
==243167==The signal is caused by a READ memory access.
==243167==Hint: address points to the zero page.
#0 0x55911a64cb8e in mp_binary_get_val_array ../../py/binary.c:155
#1 0x55911a61dd57 in array_it_iternext ../../py/objarray.c:688
#2 0x55911a61510b in mp_iternext ../../py/runtime.c:1373
#3 0x55911a632d26 in set_diff_int ../../py/objset.c:210
#4 0x55911a632d9b in set_diff ../../py/objset.c:220
#5 0x55911a6289e0 in fun_builtin_var_call ../../py/objfun.c:119
#6 0x55911a6134ec in mp_call_function_n_kw ../../py/runtime.c:712
#7 0x55911a61396b in mp_call_method_n_kw ../../py/runtime.c:728
#8 0x55911a65975d in mp_execute_bytecode ../../py/vm.c:1042
#9 0x55911a628e46 in fun_bc_call ../../py/objfun.c:273
#10 0x55911a6134ec in mp_call_function_n_kw ../../py/runtime.c:712
#11 0x55911a613546 in mp_call_function_0 ../../py/runtime.c:686
#12 0x55911a721cfd in execute_from_lexer /workspaces/Latest/micropython/ports/unix/main.c:160
#13 0x55911a721dc2 in do_file /workspaces/Latest/micropython/ports/unix/main.c:309
#14 0x55911a722ded in main_ /workspaces/Latest/micropython/ports/unix/main.c:721
#15 0x55911a72321a in main /workspaces/Latest/micropython/ports/unix/main.c:476
#16 0x7fc35185ad8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#17 0x7fc35185ae3f in __libc_start_main_impl ../csu/libc-start.c:392
#18 0x55911a5d24c4 in _start (/workspaces/Latest/micropython/ports/unix/build-standard/micropython+0x854c4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../py/binary.c:155 in mp_binary_get_val_array
==243167==ABORTING
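Both reports share one shape: a framebuf.FrameBuffer1 built over an empty bytearray is later read through the buffer protocol, and the reader dereferences a NULL data pointer (the trace's "address points to the zero page"). The following is an added C illustration written for this page, not MicroPython's own code; every type and function name in it is invented, and it assumes a one-byte-per-pixel framebuffer model (the real FrameBuffer1 packs bits) in which the view's claimed length is derived from the dimensions rather than from the storage actually supplied. It shows the two places a defender would add a guard: the constructor that accepts the storage, and the element getter that trusts the claimed length.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model (not MicroPython's code): a buffer
 * descriptor handed out by a buffer-protocol provider. */
typedef struct {
    const uint8_t *buf;   /* backing storage; NULL for an empty bytearray */
    size_t len;           /* length the provider claims the view has */
} buf_info_t;

typedef enum { BUF_OK = 0, BUF_ERR_NULL, BUF_ERR_TOO_SMALL } buf_status_t;

/* Framebuffer-like provider: user-supplied storage plus dimensions.
 * Model assumption: one byte per pixel. */
typedef struct {
    const uint8_t *storage;
    size_t storage_len;
    size_t width;
    size_t height;
} frame_t;

/* Unsafe pattern (assumed from the PoC): the claimed view length comes from
 * the dimensions only, so an empty backing object yields buf == NULL, len > 0. */
buf_info_t frame_describe(const frame_t *f) {
    buf_info_t bi = { f->storage, f->width * f->height };
    return bi;
}

/* Hardened constructor: refuse a frame whose storage cannot hold it. */
bool frame_init_checked(frame_t *f, const uint8_t *storage, size_t storage_len,
                        size_t width, size_t height) {
    size_t need = width * height;
    if (height != 0 && need / height != width) {
        return false;                      /* width * height overflowed */
    }
    if (need > 0 && (storage == NULL || storage_len < need)) {
        return false;                      /* storage absent or too small */
    }
    f->storage = storage;
    f->storage_len = storage_len;
    f->width = width;
    f->height = height;
    return true;
}

/* Validate a descriptor before addressing `required` bytes through it. */
buf_status_t buf_check(const buf_info_t *bi, size_t required) {
    if (required == 0) return BUF_OK;
    if (bi->buf == NULL) return BUF_ERR_NULL;
    if (bi->len < required) return BUF_ERR_TOO_SMALL;
    return BUF_OK;
}

/* Guarded element read: dereferences only after buf_check passes. */
buf_status_t get_val_guarded(const buf_info_t *bi, size_t index, int *out) {
    if (index == SIZE_MAX) return BUF_ERR_TOO_SMALL;   /* index + 1 would wrap */
    buf_status_t st = buf_check(bi, index + 1);
    if (st != BUF_OK) return st;
    *out = bi->buf[index];
    return BUF_OK;
}

/* Model of the consumer in the trace (set_diff -> iterator -> element getter):
 * walk every element of the view. Returns the element count, or -1 as soon
 * as a read is refused; the running sum is written to *sum_out if non-NULL. */
long iterate_all(const buf_info_t *bi, long *sum_out) {
    long sum = 0;
    for (size_t i = 0; i < bi->len; i++) {
        int v;
        if (get_val_guarded(bi, i, &v) != BUF_OK) return -1;
        sum += v;
    }
    if (sum_out) *sum_out = sum;
    return (long)bi->len;
}

/* Scenario 1: the report's shape, an empty backing object under a 1x6 frame,
 * built the way an unchecked constructor would build it. */
buf_status_t scenario_empty_storage(void) {
    frame_t bad = { NULL, 0, 1, 6 };
    buf_info_t bi = frame_describe(&bad);  /* buf == NULL, len == 6 */
    int v = 0;
    return get_val_guarded(&bi, 0, &v);    /* BUF_ERR_NULL instead of a SEGV */
}

/* Scenario 2: the hardened constructor rejects the same input up front. */
bool scenario_checked_constructor_rejects(void) {
    frame_t f;
    return !frame_init_checked(&f, NULL, 0, 1, 6);
}

/* Scenario 3: correctly sized storage (constructed sample) is fully iterable. */
static long run_valid(long *sum_out) {
    static const uint8_t store[6] = { 1, 2, 3, 4, 5, 6 };
    frame_t f;
    if (!frame_init_checked(&f, store, sizeof store, 1, 6)) return -2;
    buf_info_t bi = frame_describe(&f);
    return iterate_all(&bi, sum_out);
}
long scenario_valid_count(void) { return run_valid(NULL); }
long scenario_valid_sum(void) { long s = 0; return run_valid(&s) < 0 ? -1 : s; }

int main(void) {
    printf("empty storage read -> status %d\n", (int)scenario_empty_storage());
    printf("checked ctor rejects empty -> %d\n", scenario_checked_constructor_rejects());
    printf("valid storage -> %ld elements, sum %ld\n", scenario_valid_count(), scenario_valid_sum());
    return 0;
}
```

The point of the two guards is that they are independent: the constructor check stops an undersized or empty backing object from ever being wrapped, and the getter check keeps a view whose length was computed rather than measured from turning into a read at address zero even if a provider elsewhere skips the first check.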
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v1.20.0 (commit a3862e726, latest as of 2023-09-26)
v1.20.0 (commit 813d559bc, 2023-06-19)
Discovered in the UNIX port version.