Type confusion in partial.setstate, partial_repr, partial_call leads to memory corruption, reliable control flow hijack

Disclosed: 2016-09-20 04:01:06 By nedw To ibb
Unknown
Vulnerability Details
See my official writeups here:
http://bugs.python.org/issue25944
http://bugs.python.org/issue25945

The maintainers merged these bug reports. In one case, the type confusion leads to reliable control of the instruction pointer, as calling `repr` on a corrupted partial calls a function pointer that is reliably controlled by the user. I've uploaded that case here as well.
Report Stats
  • Report ID: 116286
  • State: Closed
  • Substate: resolved
  • Upvotes: 13
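
A check that can be run to confirm the interpreter in use rejects malformed `partial` state instead of storing it. This is an added example, not code from the report or from CPython. It assumes the `(func, args, keywords, __dict__)` state layout and the `TypeError` on rejection that current CPython uses; `_target` and the sample states are constructed for illustration.

```python
import functools


def _target(*args, **kwargs):
    """Harmless callable used as the partial's function (hypothetical helper)."""
    return args, kwargs


# Constructed malformed states: each one breaks a single slot of the
# (func, args, keywords, __dict__) tuple that partial.__setstate__ expects.
MALFORMED_STATES = {
    "state is not a tuple": [_target, (), {}, None],
    "wrong tuple length": (_target, (), {}),
    "func is not callable": (None, (), {}, None),
    "args is not a tuple": (_target, [], {}, None),
    "keywords is not a dict": (_target, (), [], None),
}


def check_setstate_validation():
    """Return {label: True if __setstate__ rejected the malformed state}."""
    results = {}
    for label, state in MALFORMED_STATES.items():
        probe = functools.partial(_target)
        try:
            probe.__setstate__(state)
        except TypeError:
            results[label] = True   # type check present, state refused
        else:
            # State was stored unchecked. The probe is only discarded here;
            # it is deliberately never called or passed to repr().
            results[label] = False
        del probe
    return results


def valid_state_round_trips():
    """A well-formed state must still be accepted and behave normally."""
    p = functools.partial(_target)
    p.__setstate__((_target, (1,), {"k": 2}, None))
    return p(3) == ((1, 3), {"k": 2})


if __name__ == "__main__":
    for label, rejected in check_setstate_validation().items():
        print(f"{'OK  ' if rejected else 'FAIL'} {label}")
    print("valid state accepted:", valid_state_round_trips())
```

Any `FAIL` line means the interpreter accepted a state with the wrong types and should be upgraded before it unpickles `partial` objects from untrusted sources.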