Closed gwangmu closed 1 year ago
Thanks for the detailed report @gwangmu.
This particular issue should be fixed by https://github.com/micropython/micropython/pull/12526
> Do you also consider ASAN crashes through the UNIX port version relevant?
Definitely. Please continue to report them.
> How do you prefer accepting buffer-overflow cases? (via e-mail or via here) We haven't verified their exploitability.
I understand why you're asking, but given the fixes are going to be public anyway we don't really have the resources to do a bigger process (and I'm not sure what that would achieve). I'm happy to just repeat exactly what you've done here. @dpgeorge WDYT?
> I'm happy to just repeat exactly what you've done here
Yes that's fine, to just open an issue with each of them. But if there are many, I suggest starting with just a few and we'll see how they go.
Thank you very much @jimmo @dpgeorge. We'll make sure to control the posting pace depending on how it develops.
Description
We found a null-dereference in the UNIX port version. All PoCs involve builtins.execfile() and crash in mp_reader_new_file eventually. We've attached three PoCs and their stack trace from ASAN.
poc.zip
Proof of Concept
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v1.20.0 (commit a3862e726, latest as of 2023-09-26)
v1.20.0 (commit 813d559bc, 2023-06-19)
Question
We actually found many more crashes with ASAN other than this (including buffer-overflow), but we'd need some advice from micropython maintainers before posting issues for all of them.
1) Do you also consider ASAN crashes through the UNIX port version relevant?
2) How do you prefer accepting buffer-overflow cases? (via e-mail or via here) We haven't verified their exploitability.
Please let me report the rest of the crashes following your advice. Thank you very much for maintaining micropython.