Closed
Description
The UNIX port of MicroPython crashes while using builtins.super() in one way or another. The crash was exhibited as global-buffer-overflow and null-dereference (SEGV near the null address). Most of the crashes happened in mp_obj_class_lookup, but one crash happened in mp_obj_get_type (the stack trace and PoC look similar to other crashes). We've attached one PoC for global-buffer-overflow, three PoCs for null-dereference, and one PoC for the crash in mp_obj_get_type.
Proof of Concept
$ # build unix port with ASAN, at the root source code directory.
$ export CC=clang
$ export CXX=clang++
$ export CFLAGS="-fsanitize=address -fno-omit-frame-pointer"
$ export CXXFLAGS=$CFLAGS
$ export LDFLAGS=$CFLAGS
$ export DEBUG=1
$ make -C mpy-cross -j
$ make -C ports/unix -j all lib
$
$ # run a poc.
$ export ASAN_OPTIONS="detect_leaks=0"
$ ./ports/unix/build-standard/micropython <poc_file>
Environment
Ubuntu 20.04
Intel(R) Xeon(R) Gold 5218 CPU @ 2.30GHz
Memory: 64 GB
Affected Version
v1.20.0 (commit a3862e7, latest as of 2023-09-26)
v1.20.0 (commit 813d559, 2023-06-19)
Discovered in the UNIX port version.
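For triage, the ASAN reports produced by the steps above can be bucketed by error class and top stack frame, so that several PoCs hitting the same function collapse into one signature. The script below is an added example, not part of the original report or the MicroPython project; the function names are hypothetical and the sample reports are constructed (addresses, PIDs and source paths are placeholders).

```shell
#!/usr/bin/env bash
# Added example (not from the MicroPython project): bucket ASAN reports by
# error class and top stack frame so duplicate crashes collapse into one line.

# classify_asan REPORT -> "<error-class> <function in frame #0>"
classify_asan() {
    awk '
        /ERROR: AddressSanitizer:/ && kind == "" {
            for (i = 1; i < NF; i++)
                if ($i == "AddressSanitizer:") { kind = $(i + 1); break }
        }
        /Hint: address points to the zero page/ { zero = 1 }
        # Frame lines look like: "#0 0x<pc> in <function> <file>:<line>"
        $1 == "#0" && $3 == "in" && top == "" { top = $4 }
        END {
            if (kind == "") { print "no-asan-report -"; exit }
            if (kind == "SEGV" && zero) kind = "null-dereference"
            print kind, (top == "" ? "?" : top)
        }
    ' "$1"
}

# run_poc BINARY POC REPORT: run one PoC under the ASAN build, keep stderr.
run_poc() {
    ASAN_OPTIONS="detect_leaks=0" "$1" "$2" >/dev/null 2>"$3" || true
}

# bucket_reports REPORT...: count reports per (class, frame) signature.
bucket_reports() {
    for r in "$@"; do classify_asan "$r"; done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample reports (addresses, pids and source paths are made up).
write_constructed_samples() {
    cat >"$1/gbo.log" <<'EOF'
==1==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000000000 at pc 0x000000000000 bp 0x000000000000 sp 0x000000000000
READ of size 8 at 0x000000000000 thread T0
    #0 0x000000000000 in mp_obj_class_lookup /constructed/path.c:1:1
    #1 0x000000000000 in constructed_caller /constructed/path.c:2:2
EOF
    cat >"$1/null.log" <<'EOF'
==2==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000000000 bp 0x000000000000 sp 0x000000000000 T0)
==2==The signal is caused by a READ memory access.
==2==Hint: address points to the zero page.
    #0 0x000000000000 in mp_obj_get_type /constructed/path.c:3:3
EOF
}

d=$(mktemp -d); write_constructed_samples "$d"; bucket_reports "$d"/*.log; rm -rf "$d"
```

Against a real build, call `run_poc ./ports/unix/build-standard/micropython <poc_file> <report_file>` once per PoC and pass the resulting report files to `bucket_reports`.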