thr3ads.net - Secure testing team - [Secure-testing-team] Bug#581058: Running pylint on a file with just "import numpy" corrupts memory [May 2010]

If this information is useful, please help other people find it:
Share via:
Joseph Barillari
2010-May-10 21:51 UTC
[Secure-testing-team] Bug#581058: Running pylint on a file with just "import numpy" corrupts memory

Package: pylint
Version: 0.20.0-1
Severity: grave
Tags: upstream security
Justification: user security hole


For the record, I''m not certain that this is a bug in pylint and not a
bug in numpy. However, since I couldn''t reproduce it
with pylint''s stable version (pylint 0.14.0-2.2, python-logilab-astng
0.17.2-2.1, and python-logilab-common 0.30.0-2), but
_could_ reproduce it with python-numpy''s stable version
(1:1.1.0-3+lenny1), I believe pylint or python-logilab-common
or python-logilab-astng is the proximate cause of the bug.

Steps to reproduce:
Create a file "t.py" with the single line:
import numpy

Run pylint on this file and glibc will throw a memory corruption warning and
hang:

$ /usr/bin/pylint -e t.py
No config file found, using default configuration
/usr/lib/pymodules/python2.5/logilab/common/configuration.py:716:
DeprecationWarning: "_config_parser" attribute has been renamed to
"cfgfile_parser"
  warn(msg, DeprecationWarning)
*** glibc detected *** /usr/bin/python: corrupted double-linked list: 0x0955c120
***


You can also run it under gdb for a bit more detail:

jdb at slim:~/gtp$ gdb python
GNU gdb (GDB) 7.1-debian
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show
copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/python...Reading symbols from
/usr/lib/debug/usr/bin/python2.5...done.
done.
(gdb) run /usr/bin/pylint -e t.py
Starting program: /usr/bin/python /usr/bin/pylint -e t.py
[Thread debugging using libthread_db enabled]
No config file found, using default configuration
/usr/lib/pymodules/python2.5/logilab/common/configuration.py:716:
DeprecationWarning: "_config_parser" attribute has been renamed to
"cfgfile_parser"
  warn(msg, DeprecationWarning)
*** glibc detected *** /usr/bin/python: corrupted double-linked list: 0x087f7410
***
^C
Program received signal SIGINT, Interrupt.
0xb7fe1424 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fe1424 in __kernel_vsyscall ()
#1  0xb7f15b63 in __lll_lock_wait_private () at
../nptl/sysdeps/unix/sysv/linux/i386/i686/../i486/lowlevellock.S:95
#2  0xb7eaa91d in _L_lock_9675 () from /lib/i686/cmov/libc.so.6
#3  0xb7ea90d6 in *__GI___libc_free (mem=0x8800dc0) at malloc.c:3736
#4  0xb7ff418c in _dl_scope_free (old=0x8800dc0) at dl-open.c:175
#5  0xb7feed8f in _dl_map_object_deps (map=0x88251c0, preloads=0x0,
npreloads=<value optimized out>, trace_mode=0,
    open_mode=-2147483648) at dl-deps.c:668
#6  0xb7ff43e0 in dl_open_worker (a=0xbfffe7a0) at dl-open.c:326
#7  0xb7ff0186 in _dl_catch_error (objname=0xbfffe7c8, errstring=0xbfffe7c4,
mallocedp=0xbfffe7cf,
    operate=0xb7ff4230 <dl_open_worker>, args=0xbfffe7a0) at
dl-error.c:178
#8  0xb7ff3d3e in _dl_open (file=0xb7f5c35d "libgcc_s.so.1",
mode=-2147483647, caller_dlopen=0x0, nsid=-1208495168, argc=4,
    argv=0xbffff4c4, env=0xbffff4d8) at dl-open.c:616
#9  0xb7f3f082 in do_dlopen (ptr=0xbfffe920) at dl-libc.c:86
#10 0xb7ff0186 in _dl_catch_error (objname=0xbfffe8fc, errstring=0xbfffe8f8,
mallocedp=0xbfffe903, operate=0xb7f3f020 <do_dlopen>,
    args=0xbfffe920) at dl-error.c:178
#11 0xb7f3f181 in dlerror_run (operate=<value optimized out>,
args=<value optimized out>) at dl-libc.c:47
#12 0xb7f3f2ab in *__GI___libc_dlopen_mode (name=0xb7f5c35d
"libgcc_s.so.1", mode=-2147483647) at dl-libc.c:160
#13 0xb7f1d238 in init () at ../sysdeps/i386/backtrace.c:44
#14 0xb7fba460 in pthread_once () at
../nptl/sysdeps/unix/sysv/linux/i386/pthread_once.S:122
#15 0xb7f1d42d in *__GI___backtrace (array=0xbfffef00, size=64) at
../sysdeps/i386/backtrace.c:121
#16 0xb7e9a6db in __libc_message (do_abort=2, fmt=0xb7f610e8 "*** glibc
detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:152
#17 0xb7ea4824 in malloc_printerr (action=2, str=0xb7f5db6c "corrupted
double-linked list", ptr=0x87f7410) at malloc.c:6239
#18 0xb7ea62df in _int_free (av=0xb7f7d3c0, p=0x7f741008) at malloc.c:4925
#19 0xb7ea90dd in *__GI___libc_free (mem=0x87f7538) at malloc.c:3738
#20 0xb7926819 in ?? () from
/usr/lib/python2.5/site-packages/numpy/core/umath.so
#21 0x08086659 in insertdict (mp=0xb794fe6c, key=0x87f7538, hash=-128066157,
value=0x8146b78) at ../Objects/dictobject.c:420
#22 0x080883a2 in PyDict_SetItem (op=0x87a79bc, key=0x87be360, value=0x8146b78)
at ../Objects/dictobject.c:645
#23 0x0808a3f4 in _PyModule_Clear (m=0x82acb0c) at ../Objects/moduleobject.c:136
#24 0x080df7a1 in PyImport_Cleanup () at ../Python/import.c:492
#25 0x080ea5f1 in Py_Finalize () at ../Python/pythonrun.c:399
#26 0x080e9cb7 in Py_Exit () at ../Python/pythonrun.c:1618
#27 handle_system_exit () at ../Python/pythonrun.c:1054
#28 0x080ea27d in PyErr_PrintEx (set_sys_last_vars=<value optimized out>)
at ../Python/pythonrun.c:1064
#29 0x080eb2f3 in PyRun_SimpleFileExFlags (fp=0xbffff654, filename=0xbffff654
"/usr/bin/pylint", closeit=1, flags=0xbffff3fc)
    at ../Python/pythonrun.c:883
#30 0x08059401 in Py_Main (argc=4, argv=0xbffff4c4) at ../Modules/main.c:532
#31 0x0805877b in main (argc=4, argv=0xbffff4c4) at ../Modules/python.c:23
(gdb) 



By contrast, if you download to the old version of pylint and the logilab
libraries described above, pylint runs without a problem:

$ /usr/bin/pylint -e t.py
No config file found, using default configuration
$

Since this bug causes memory corruption and could presumably be exploited for
nefarious purposes, I marked it "grave".

-- System Information:
Debian Release: squeeze/sid
  APT prefers oldstable
  APT policy: (500, ''oldstable''), (500,
''unstable''), (500, ''testing''), (500,
''stable'')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pylint depends on:
ii  python                        2.5.4-9    An interactive high-level object-o
ii  python-logilab-astng          0.20.0-1   rebuild a new abstract syntax tree
ii  python-logilab-common         0.50.1-1   useful miscellaneous modules used 
ii  python-support                1.0.8      automated rebuilding support for P

Versions of packages pylint recommends:
ii  python-tk                     2.6.5-1    Tkinter - Writing Tk applications 

pylint suggests no packages.

-- no debconf information
Secure testing team - May 2010 - Bug#581058: Running pylint on a file with just "import numpy" corrupts memory

[Secure-testing-team] Bug#581058: Running pylint on a file with just "import numpy" corrupts memory
