Open baltsers opened 2 years ago
[problem]
When we fuzzed libsmbios, a bus error occurred which caused Python to exit abnormally.
crash-stackinfo.txt
```text
Starting program: /root/anaconda3/bin/python poc_op_mem.py crash-seed
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGBUS, Bus error.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:283
283     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) bt
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:283
#1  0x00007ffff6bf01ac in memcpy (__len=1, __src=0x7ffff7e2f2f0, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#2  trycopy (rw=true, length=1, offset=<optimized out>, buffer=0x7ffff7e2f2f0 "a", private_data=0x555555a28640) at src/libsmbios_c/memory/memory_linux.c:141
#3  copy_mmap (this=0x5555559f82a0, buffer=0x7ffff7e2f2f0 "a", offset=0, length=1, rw=true) at src/libsmbios_c/memory/memory_linux.c:195
#4  0x00007ffff7fe29dd in ffi_call_unix64 () from /root/anaconda3/lib/python3.9/lib-dynload/../../libffi.so.7
#5  0x00007ffff7fe2067 in ffi_call_int () from /root/anaconda3/lib/python3.9/lib-dynload/../../libffi.so.7
#6  0x00007ffff7e200f6 in _call_function_pointer (argtypecount=<optimized out>, argcount=4, resmem=0x7fffffffd4d0, restype=<optimized out>, atypes=<optimized out>, avalues=<optimized out>, pProc=0x7ffff6bd17d0 <memory_obj_write>, flags=4353) at /usr/local/src/conda/python-3.9.7/Modules/_ctypes/callproc.c:920
#7  _ctypes_callproc () at /usr/local/src/conda/python-3.9.7/Modules/_ctypes/callproc.c:1263
#8  0x00007ffff7e2041f in PyCFuncPtr_call () at /usr/local/src/conda/python-3.9.7/Modules/_ctypes/_ctypes.c:4201
#9  0x00005555556989ef in _PyObject_MakeTpCall () at /tmp/build/80754af9/python-split_1631797238431/work/Objects/call.c:191
#10 0x0000555555722d89 in _PyObject_VectorcallTstate (kwnames=0x0, nargsf=<optimized out>, args=0x555555a1a6c0, callable=<optimized out>, tstate=<optimized out>) at /tmp/build/80754af9/python-split_1631797238431/work/Include/cpython/abstract.h:116
#11 PyObject_Vectorcall () at /tmp/build/80754af9/python-split_1631797238431/work/Include/cpython/abstract.h:127
#12 call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>, tstate=0x555555914800) at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:5075
#13 _PyEval_EvalFrameDefault () at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:3487
#14 0x00005555556d7753 in _PyEval_EvalFrame () at /tmp/build/80754af9/python-split_1631797238431/work/Include/internal/pycore_ceval.h:40
#15 function_code_fastcall (globals=<optimized out>, nargs=<optimized out>, args=<optimized out>, co=<optimized out>, tstate=0x555555914800) at /tmp/build/80754af9/python-split_1631797238431/work/Objects/call.c:330
#16 _PyFunction_Vectorcall () at /tmp/build/80754af9/python-split_1631797238431/work/Objects/call.c:367
#17 0x000055555568c8f8 in PyVectorcall_Call (kwargs=<optimized out>, tuple=0x7ffff6b2c0c0, callable=0x7ffff6b7eb80) at /tmp/build/80754af9/python-split_1631797238431/work/Objects/call.c:231
#18 _PyObject_Call () at /tmp/build/80754af9/python-split_1631797238431/work/Objects/call.c:266
#19 0x0000555555720740 in PyObject_Call (kwargs=0x7ffff6c040c0, args=0x7ffff6b2c0c0, callable=0x7ffff6b7eb80) at /tmp/build/80754af9/python-split_1631797238431/work/Objects/call.c:293
#20 do_call_core (kwdict=0x7ffff6c040c0, callargs=0x7ffff6b2c0c0, func=0x7ffff6b7eb80, tstate=<optimized out>) at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:5123
#21 _PyEval_EvalFrameDefault () at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:3580
#22 0x00005555556d6b0d in _PyEval_EvalFrame () at /tmp/build/80754af9/python-split_1631797238431/work/Include/internal/pycore_ceval.h:40
#23 _PyEval_EvalCode () at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:4327
#24 0x00005555556d7527 in _PyFunction_Vectorcall () at /tmp/build/80754af9/python-split_1631797238431/work/Objects/call.c:396
#25 0x000055555564d10d in _PyObject_VectorcallTstate (kwnames=0x0, nargsf=<optimized out>, args=0x7ffff7ed5758, callable=0x7ffff6b7ec10, tstate=<optimized out>) at /tmp/build/80754af9/python-split_1631797238431/work/Include/cpython/abstract.h:118
#26 PyObject_Vectorcall () at /tmp/build/80754af9/python-split_1631797238431/work/Include/cpython/abstract.h:127
#27 call_function (kwnames=0x0, oparg=<optimized out>, pp_stack=<synthetic pointer>, tstate=0x555555914800) at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:5075
#28 _PyEval_EvalFrameDefault (tstate=<optimized out>, f=0x7ffff7ed55e0, throwflag=<optimized out>) at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:3504
#29 0x00005555556d68e2 in _PyEval_EvalFrame () at /tmp/build/80754af9/python-split_1631797238431/work/Include/internal/pycore_ceval.h:40
#30 _PyEval_EvalCode () at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:4327
#31 0x0000555555788bac in _PyEval_EvalCodeWithName (qualname=0x0, name=0x0, closure=0x0, kwdefs=0x0, defcount=0, defs=0x0, kwstep=2, kwcount=0, kwargs=<optimized out>, kwnames=<optimized out>, argcount=<optimized out>, args=<optimized out>, locals=<optimized out>, globals=<optimized out>, _co=<optimized out>) at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:4359
#32 PyEval_EvalCodeEx () at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:4375
#33 0x00005555556d79eb in PyEval_EvalCode (co=<optimized out>, globals=<optimized out>, locals=<optimized out>) at /tmp/build/80754af9/python-split_1631797238431/work/Python/ceval.c:826
#34 0x0000555555788c5b in run_eval_code_obj () at /tmp/build/80754af9/python-split_1631797238431/work/Python/pythonrun.c:1219
#35 0x00005555557bc705 in run_mod () at /tmp/build/80754af9/python-split_1631797238431/work/Python/pythonrun.c:1240
#36 0x000055555566160d in pyrun_file (fp=0x555555976ca0, filename=0x7ffff6c00450, start=<optimized out>, globals=0x7ffff7f01fc0, locals=0x7ffff7f01fc0, closeit=1, flags=0x7fffffffdfa8) at /tmp/build/80754af9/python-split_1631797238431/work/Python/pythonrun.c:1138
#37 0x00005555557c149f in pyrun_simple_file (flags=0x7fffffffdfa8, closeit=1, filename=0x7ffff6c00450, fp=0x555555976ca0) at /tmp/build/80754af9/python-split_1631797238431/work/Python/pythonrun.c:449
#38 PyRun_SimpleFileExFlags () at /tmp/build/80754af9/python-split_1631797238431/work/Python/pythonrun.c:482
#39 0x00005555557c1c7f in pymain_run_file (cf=0x7fffffffdfa8, config=0x555555913000) at /tmp/build/80754af9/python-split_1631797238431/work/Modules/main.c:379
#40 pymain_run_python (exitcode=0x7fffffffdfa0) at /tmp/build/80754af9/python-split_1631797238431/work/Modules/main.c:604
#41 Py_RunMain () at /tmp/build/80754af9/python-split_1631797238431/work/Modules/main.c:683
#42 0x00005555557c1d79 in Py_BytesMain () at /tmp/build/80754af9/python-split_1631797238431/work/Modules/main.c:1129
#43 0x00007ffff703fbf7 in __libc_start_main (main=0x555555669d80 <main>, argc=3, argv=0x7fffffffe198, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe188) at ../csu/libc-start.c:310
#44 0x0000555555746bc3 in _start ()
```
[version info]
OS: Ubuntu 18.04
Python: 3.9
libsmbios: latest (the main branch)
[script and input]
python script

```python
import sys
import libsmbios_c.memory as Mem

if __name__ == '__main__':
    try:
        # The fuzzed input file is passed as the backing store for the
        # unit-test-mode memory object.
        Tf = sys.argv[1]
        Tf = Tf.encode('utf-8')
        memObj = Mem.MemoryAccess(Mem.MEMORY_GET_NEW | Mem.MEMORY_UNIT_TEST_MODE, Tf)
        Offset = 1024
        # Write one character at each offset 0..1023; the crash happens on the
        # very first write (offset 0, length 1, "a"), as the backtrace shows.
        for i in range(Offset):
            memObj.write(chr(ord("a") + i).encode('utf-8'), i)
        del memObj
    except Exception as e:
        print(e)
```
input
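As an added illustration (not libsmbios code, and not a confirmed root cause for this report): the backtrace places the SIGBUS inside memcpy under copy_mmap, and a memcpy through a file-backed mmap window faults with SIGBUS when it touches a page the file does not back, which mmap itself does not reject. The hypothetical mmap_write_checked() below shows the fstat bounds check that turns that fault into an error return; make_backing_file() only constructs temporary files to exercise it.

```c
// Added illustration, not libsmbios code: a memcpy through a file-backed mmap
// window raises SIGBUS when it touches a page beyond the file's end, so the
// bounds check must run before the copy. The file-backed window stands in for
// the unit-test-mode memory backend (an assumption drawn from the backtrace).
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

// Write `len` bytes of `buf` at `offset` in the file at `path` via mmap.
// Returns 0 on success, -1 on a system error, -2 if the range is not backed
// by the file (the case that would otherwise be a SIGBUS inside memcpy).
int mmap_write_checked(const char *path, off_t offset, const void *buf, size_t len) {
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    // mmap succeeds even when the mapping is larger than the file; only the
    // access faults, so the check has to be against the real file size.
    if (offset < 0 || (off_t)len > st.st_size || offset > st.st_size - (off_t)len) {
        close(fd);
        return -2;
    }
    if (len == 0) { close(fd); return 0; }      // nothing to copy, nothing to map
    long page = sysconf(_SC_PAGESIZE);
    off_t base = offset - (offset % page);      // mmap offsets must be page-aligned
    size_t maplen = (size_t)(offset - base) + len;
    char *map = mmap(NULL, maplen, PROT_READ | PROT_WRITE, MAP_SHARED, fd, base);
    if (map == MAP_FAILED) { close(fd); return -1; }
    memcpy(map + (offset - base), buf, len);    // the step that faulted in trycopy()
    int rc = msync(map, maplen, MS_SYNC) == 0 ? 0 : -1;
    munmap(map, maplen);
    close(fd);
    return rc;
}

// Construct a temporary backing file of `size` bytes and return its path
// (static buffer, overwritten on each call). Used only to exercise the check.
const char *make_backing_file(off_t size) {
    static char path[64];
    strcpy(path, "/tmp/mmap_demo_XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    if (ftruncate(fd, size) != 0) { close(fd); return NULL; }
    close(fd);
    return path;
}
```

An empty backing file (size 0) is the smallest input that trips the check: every byte of a write lies past EOF, which is exactly the kind of seed a fuzzer produces.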