Null pointer dereference in PycParser::ReadObject
Opened this issue · 0 comments
hac425xxx commented
crash context in gdb
```
pwndbg> r
Starting program: /home/xxx/workplace/fuzz_share-master/pycparser-git/pyc_parser ./pyc_null_ptr.pyc
[Info] : MAGIC NUMBER 0xa0df303
[Info] : Valid Pyc File!
[Info] : Last Modified Time : Mon Oct 21 22:13:29 2019
==================== Begin Code ====================
***** Code *****
[String]
string length: 44
***** Consts *****
Can't reach this point
***** Names *****
Can't reach this point
***** varNames *****
Can't reach this point
***** freeVars *****
Can't reach this point
***** cellVars *****
Can't reach this point
***** fileName *****
Can't reach this point
***** name *****
Can't reach this point
***** firstLineNo *****
value:1912603243
***** lnotab *****
Can't reach this point

Program received signal SIGSEGV, Segmentation fault.
0x0000000000404429 in PycParser::ParseOpCode (this=0x7fffffffd990, code=0x60b860, lnotab=0x0, firstLine=1912603243) at ./include/PycParser.h:331
331	    if(lnotab->type != &PyString_Type)
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x7ffff78bbda0 (result) ◂— 'Mon Oct 21 22:13:29 2019\n'
 RCX  0x7200026b
 RDX  0x0
 RDI  0x7fffffffd990 ◂— 0x160000031d
 RSI  0x60b860 ◂— 0x7fff00000001
 R8   0x7ffff7fbc780 ◂— 0x7ffff7fbc780
 R9   0x7ffff7fbc780 ◂— 0x7ffff7fbc780
 R10  0xcccccccccccccccd
 R11  0x246
 R12  0x4018e0 (_start) ◂— xor    ebp, ebp
 R13  0x7fffffffe0f0 ◂— 0x2
 R14  0x0
 R15  0x0
 RBP  0x7fffffffd3f0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffe010 ◂— 0x0
 RSP  0x7fffffffd390 ◂— 0x7200026bffffe0f0
 RIP  0x404429 ◂— mov    rax, qword ptr [rax + 8]
─────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────
 ► 0x404429    mov    rax, qword ptr [rax + 8]
   0x40442d    cmp    rax, PyString_Type <0x60a340>
   0x404433    je     0x40445b
    ↓
   0x40445b    mov    rax, qword ptr [rbp - 0x50]
   0x40445f    mov    rdi, rax
   0x404462    call   PyString_GetRawString(tagPyObject*) <0x40626a>
   0x404467    mov    qword ptr [rbp - 0x10], rax
   0x40446b    mov    rax, qword ptr [rbp - 0x10]
   0x40446f    mov    qword ptr [rbp - 0x20], rax
   0x404473    mov    rax, qword ptr [rbp - 0x50]
   0x404477    mov    rdi, rax
─────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────
In file: /home/xxx/workplace/fuzz_share-master/pycparser-git/include/PycParser.h
   326     {
   327         cout << "[Error]ParseOpCode : code is not a PyStringObject" << endl;
   328         exit(1);
   329     }
   330
 ► 331     if(lnotab->type != &PyString_Type)
   332     {
   333         cout << "[Error]ParseOpCode : lnotab is not a PyStringObject" << endl;
   334         exit(1);
   335     }
   336
─────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffffffd390 ◂— 0x7200026bffffe0f0
01:0008│      0x7fffffffd398 ◂— 0x0
02:0010│      0x7fffffffd3a0 —▸ 0x60b860 ◂— 0x7fff00000001
03:0018│      0x7fffffffd3a8 —▸ 0x7fffffffd990 ◂— 0x160000031d
04:0020│      0x7fffffffd3b0 —▸ 0x60a301 (PyNone_Type+1) ◂— 0xc000000000000000
05:0028│      0x7fffffffd3b8 —▸ 0x7ffff78bbda0 (result) ◂— 'Mon Oct 21 22:13:29 2019\n'
06:0030│      0x7fffffffd3c0 —▸ 0x7fffffffd3f0 —▸ 0x7fffffffd920 —▸ 0x7fffffffd960 —▸ 0x7fffffffe010 ◂— ...
07:0038│      0x7fffffffd3c8 —▸ 0x404933 ◂— leave
───────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────
 ► f 0           404429
   f 1           404288 PycParser::ReadObject()+3686
   f 2           403363
   f 3           402bff main+131
   f 4     7ffff7518f45 __libc_start_main+245
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Program received signal SIGSEGV (fault address 0x8)
pwndbg> p lnotab
$1 = (PyObject *) 0x0
pwndbg>
```
poc
https://github.com/hac425xxx/fuzzdata/blob/master/pyc_null_ptr.pyc
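The crash above is the classic shape of a missing null check: `lnotab` arrives as a null pointer, and the type test at `PycParser.h:331` loads `lnotab->type` (the `mov rax, [rax + 8]` at RIP, hence the fault address `0x8`) before anything has confirmed the object exists. As an added example that is not part of this report or of the pycparser project, the following C++ shows the check in its crashing form next to a null-tolerant form. The `PyObject`/`PyTypeObject` layout, `expect_string()` and `parse_opcode_guarded()` are stand-ins assumed for illustration; they mirror only the field offset visible in the disassembly, not the project's real structures.

```cpp
// Added example (not the project's code): a type check that tolerates a
// null object, modelled on the check at PycParser.h:331 in the crash above.
// All types and helpers below are assumed stand-ins for illustration.
#include <cstdio>
#include <cstddef>

struct PyTypeObject { const char *name; };

// Assumed layout: a reference count first, then the type pointer at
// offset 8, which is where the crashing `mov rax, [rax + 8]` reads.
struct PyObject { size_t refcnt; PyTypeObject *type; };

static PyTypeObject PyString_Type = { "str" };
static PyTypeObject PyNone_Type   = { "NoneType" };

// Constructed sample objects: a valid string object and a None object.
static PyObject g_string_obj = { 1, &PyString_Type };
static PyObject g_none_obj   = { 1, &PyNone_Type };

enum class CheckResult { Ok, NullObject, WrongType };

// Crashing form: dereferences obj with no null check, so a missing
// lnotab (obj == nullptr) faults at address 0x8 exactly as in the report.
static bool is_string_unchecked(const PyObject *obj) {
    return obj->type == &PyString_Type;
}

// Hardened form: reject a null object before touching obj->type, and
// report which condition failed so the caller can bail out cleanly.
static CheckResult expect_string(const PyObject *obj, const char *what) {
    if (obj == nullptr) {
        std::fprintf(stderr, "[Error]ParseOpCode : %s is missing (null object)\n", what);
        return CheckResult::NullObject;
    }
    if (obj->type != &PyString_Type) {
        std::fprintf(stderr, "[Error]ParseOpCode : %s is not a PyStringObject\n", what);
        return CheckResult::WrongType;
    }
    return CheckResult::Ok;
}

// Gate modelled on ParseOpCode(code, lnotab, firstLine): both operands must
// be verified string objects before any byte of them is read.
static bool parse_opcode_guarded(const PyObject *code, const PyObject *lnotab) {
    if (expect_string(code, "code") != CheckResult::Ok) return false;
    if (expect_string(lnotab, "lnotab") != CheckResult::Ok) return false;
    return true;
}

int main() {
    // The unchecked form is fine on a real object...
    std::printf("unchecked, valid object: %d\n", is_string_unchecked(&g_string_obj));
    // ...but is_string_unchecked(nullptr) would reproduce the SIGSEGV, so it
    // is deliberately not called here.
    std::printf("guarded, valid lnotab : %d\n", parse_opcode_guarded(&g_string_obj, &g_string_obj));
    std::printf("guarded, null lnotab  : %d\n", parse_opcode_guarded(&g_string_obj, nullptr));
    std::printf("guarded, None lnotab  : %d\n", parse_opcode_guarded(&g_string_obj, &g_none_obj));
    return 0;
}
```

The null case and the wrong-type case are reported separately because they point at different causes in a marshal parser: a wrong type means the file carried an unexpected object, while a null pointer means an earlier read already failed (the repeated "Can't reach this point" lines above) and the caller continued with an uninitialised result. Returning a status instead of calling `exit(1)` inside the check also lets a fuzzing harness keep running after a rejected input.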