
heap-buffer-overflow in _io__RawIOBase_read #140607

@YuanchengJiang

Description


Crash report

What happened?

# Reproducer for the heap-buffer-overflow reported in this issue.  The
# original paste was collapsed onto a single line; the layout below is
# reconstructed from statement order only (MockRaw is placed at module
# level because test_initialization refers to it unqualified).
import io
import unittest


class CTestCase(unittest.TestCase):
    """Marker base so the concrete test below is a unittest.TestCase."""
    pass


class BufferedReaderTest:
    # Not read anywhere in this reproducer.
    read_mode = 'rb'


class MockRaw(io.RawIOBase):
    """Raw stream whose readinto() misreports the byte count once drained.

    The relevant part is the final ``return`` in readinto(): after the
    data is exhausted it reports 2147483647 bytes instead of 0 (EOF).
    The sanitizer report further down shows RawIOBase.read() trusting
    that count and copying 2147483647 bytes out of the 131073-byte
    bytearray it allocated (PyBytes_FromStringAndSize called from
    _io__RawIOBase_read_impl).  The defect under report is therefore the
    missing bounds check on the value a user-defined readinto() returns;
    this mock only exercises it.
    """

    def __init__(self, data=r'\n\r\t'):
        # NOTE: the default is a str, and memoryview() needs a bytes-like
        # object; the reproducer always passes bytes, so the default is
        # never exercised here.
        self._buf = memoryview(data)
        self._pos = 0

    def readable(self) -> bool:
        return True

    def readinto(self, b) -> int:
        # Deliberately bogus: a count far larger than len(b) once the
        # buffer is drained.  A conforming implementation returns 0.
        if self._pos >= len(self._buf):
            return 2147483647
        # Only the count is returned; nothing is copied into ``b``, so
        # presumably the assertEqual below would not hold even on a fixed
        # interpreter — the crash happens before that matters.
        n = min(len(b), len(self._buf) - self._pos)
        self._pos += n
        return n


class CBufferedReaderTest(BufferedReaderTest, CTestCase):
    tp = io.BufferedReader

    def test_initialization(self):
        # BufferedReader.read() with no size goes through readall(), which
        # is the path that reaches RawIOBase.read() in the trace below.
        rawio = MockRaw(b'abc')
        bufio = self.tp(rawio)
        self.assertEqual(bufio.read(), b'abc')


if __name__ == "__main__":
    unittest.main()
================================================================= ==2664130==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x73a39fb97801 at pc 0x73a3a346142e bp 0x7fff799565e0 sp 0x7fff79955d88 READ of size 2147483647 at 0x73a39fb97801 thread T0 #0 0x73a3a346142d in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 #1 0x5b58cf248051 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29 #2 0x5b58cf248051 in PyBytes_FromStringAndSize ../Objects/bytesobject.c:162 #3 0x5b58cf8d7adb in _io__RawIOBase_read_impl ../Modules/_io/iobase.c:949 #4 0x5b58cf8d7adb in _io__RawIOBase_read ../Modules/_io/clinic/iobase.c.h:423 #5 0x5b58cf265928 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #6 0x5b58cf265928 in _PyObject_CallFunctionVa ../Objects/call.c:552 #7 0x5b58cf2675f0 in callmethod ../Objects/call.c:626 #8 0x5b58cf2675f0 in _PyObject_CallMethod ../Objects/call.c:694 #9 0x5b58cf8d7648 in _io__RawIOBase_readall_impl ../Modules/_io/iobase.c:971 #10 0x5b58cf8d7648 in _io__RawIOBase_readall ../Modules/_io/clinic/iobase.c.h:444 #11 0x5b58cf8eaee4 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #12 0x5b58cf8eaee4 in _PyObject_CallNoArgs ../Include/internal/pycore_call.h:185 #13 0x5b58cf8eaee4 in _bufferedreader_read_all ../Modules/_io/bufferedio.c:1706 #14 0x5b58cf8eaee4 in _io__Buffered_read_impl ../Modules/_io/bufferedio.c:1002 #15 0x5b58cf8eaee4 in _io__Buffered_read ../Modules/_io/clinic/bufferedio.c.h:677 #16 0x5b58cf265ee7 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #17 0x5b58cf265ee7 in PyObject_Vectorcall ../Objects/call.c:327 #18 0x5b58cf107ad2 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:1620 #19 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #20 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #21 0x5b58cf26fd90 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #22 
0x5b58cf26fd90 in method_vectorcall ../Objects/classobject.c:95 #23 0x5b58cf26affe in _PyVectorcall_Call ../Objects/call.c:273 #24 0x5b58cf26affe in _PyObject_Call ../Objects/call.c:348 #25 0x5b58cf26affe in PyObject_Call ../Objects/call.c:373 #26 0x5b58cf10aeb7 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2616 #27 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #28 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #29 0x5b58cf269623 in _PyObject_VectorcallDictTstate ../Objects/call.c:135 #30 0x5b58cf269cdc in _PyObject_Call_Prepend ../Objects/call.c:504 #31 0x5b58cf42a444 in call_method ../Objects/typeobject.c:3077 #32 0x5b58cf42a444 in slot_tp_call ../Objects/typeobject.c:10606 #33 0x5b58cf2644cd in _PyObject_MakeTpCall ../Objects/call.c:242 #34 0x5b58cf1087ac in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:4021 #35 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #36 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #37 0x5b58cf26fd90 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #38 0x5b58cf26fd90 in method_vectorcall ../Objects/classobject.c:95 #39 0x5b58cf26affe in _PyVectorcall_Call ../Objects/call.c:273 #40 0x5b58cf26affe in _PyObject_Call ../Objects/call.c:348 #41 0x5b58cf26affe in PyObject_Call ../Objects/call.c:373 #42 0x5b58cf10aeb7 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2616 #43 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #44 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #45 0x5b58cf269623 in _PyObject_VectorcallDictTstate ../Objects/call.c:135 #46 0x5b58cf269cdc in _PyObject_Call_Prepend ../Objects/call.c:504 #47 0x5b58cf42a444 in call_method ../Objects/typeobject.c:3077 #48 0x5b58cf42a444 in slot_tp_call ../Objects/typeobject.c:10606 #49 0x5b58cf2644cd in _PyObject_MakeTpCall ../Objects/call.c:242 #50 0x5b58cf107ad2 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:1620 #51 
0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #52 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #53 0x5b58cf26fd90 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #54 0x5b58cf26fd90 in method_vectorcall ../Objects/classobject.c:95 #55 0x5b58cf26affe in _PyVectorcall_Call ../Objects/call.c:273 #56 0x5b58cf26affe in _PyObject_Call ../Objects/call.c:348 #57 0x5b58cf26affe in PyObject_Call ../Objects/call.c:373 #58 0x5b58cf10aeb7 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2616 #59 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #60 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #61 0x5b58cf269623 in _PyObject_VectorcallDictTstate ../Objects/call.c:135 #62 0x5b58cf269cdc in _PyObject_Call_Prepend ../Objects/call.c:504 #63 0x5b58cf42a444 in call_method ../Objects/typeobject.c:3077 #64 0x5b58cf42a444 in slot_tp_call ../Objects/typeobject.c:10606 #65 0x5b58cf2644cd in _PyObject_MakeTpCall ../Objects/call.c:242 #66 0x5b58cf107ad2 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:1620 #67 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #68 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #69 0x5b58cf269623 in _PyObject_VectorcallDictTstate ../Objects/call.c:135 #70 0x5b58cf269cdc in _PyObject_Call_Prepend ../Objects/call.c:504 #71 0x5b58cf416c50 in call_method ../Objects/typeobject.c:3077 #72 0x5b58cf416c50 in slot_tp_init ../Objects/typeobject.c:10835 #73 0x5b58cf4089d7 in type_call ../Objects/typeobject.c:2461 #74 0x5b58cf2644cd in _PyObject_MakeTpCall ../Objects/call.c:242 #75 0x5b58cf123a18 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:1620 #76 0x5b58cf5ea386 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #77 0x5b58cf5ea386 in _PyEval_Vector ../Python/ceval.c:2001 #78 0x5b58cf5ea386 in PyEval_EvalCode ../Python/ceval.c:884 #79 0x5b58cf7a8f0e in run_eval_code_obj ../Python/pythonrun.c:1365 #80 
0x5b58cf7a8f0e in run_mod ../Python/pythonrun.c:1459 #81 0x5b58cf7adbb7 in pyrun_file ../Python/pythonrun.c:1293 #82 0x5b58cf7adbb7 in _PyRun_SimpleFileObject ../Python/pythonrun.c:521 #83 0x5b58cf7ae6dc in _PyRun_AnyFileObject ../Python/pythonrun.c:81 #84 0x5b58cf821afc in pymain_run_file_obj ../Modules/main.c:410 #85 0x5b58cf821afc in pymain_run_file ../Modules/main.c:429 #86 0x5b58cf821afc in pymain_run_python ../Modules/main.c:691 #87 0x5b58cf8233de in Py_RunMain ../Modules/main.c:772 #88 0x5b58cf8233de in pymain_main ../Modules/main.c:802 #89 0x5b58cf8233de in Py_BytesMain ../Modules/main.c:826 #90 0x73a3a30951c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f) #91 0x73a3a309528a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 282c2c16e7b6600b0b22ea0c99010d2795752b5f) #92 0x5b58cf13dfa4 in _start (/home/fuzz/WorkSpace/flowfusion-cpython/cpython/build/python+0x21afa4) (BuildId: f28384d3eff6aa8d5f0c5730194edf28c0f6b3bd) 0x73a39fb97801 is located 0 bytes after 131073-byte region [0x73a39fb77800,0x73a39fb97801) allocated by thread T0 here: #0 0x73a3a34639c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69 #1 0x5b58cf23550c in PyByteArray_FromStringAndSize ../Objects/bytearrayobject.c:153 #2 0x5b58cf8d7a18 in _io__RawIOBase_read_impl ../Modules/_io/iobase.c:932 #3 0x5b58cf8d7a18 in _io__RawIOBase_read ../Modules/_io/clinic/iobase.c.h:423 #4 0x5b58cf265928 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #5 0x5b58cf265928 in _PyObject_CallFunctionVa ../Objects/call.c:552 #6 0x5b58cf2675f0 in callmethod ../Objects/call.c:626 #7 0x5b58cf2675f0 in _PyObject_CallMethod ../Objects/call.c:694 #8 0x5b58cf8d7648 in _io__RawIOBase_readall_impl ../Modules/_io/iobase.c:971 #9 0x5b58cf8d7648 in _io__RawIOBase_readall ../Modules/_io/clinic/iobase.c.h:444 #10 0x5b58cf8eaee4 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #11 0x5b58cf8eaee4 in 
_PyObject_CallNoArgs ../Include/internal/pycore_call.h:185 #12 0x5b58cf8eaee4 in _bufferedreader_read_all ../Modules/_io/bufferedio.c:1706 #13 0x5b58cf8eaee4 in _io__Buffered_read_impl ../Modules/_io/bufferedio.c:1002 #14 0x5b58cf8eaee4 in _io__Buffered_read ../Modules/_io/clinic/bufferedio.c.h:677 #15 0x5b58cf265ee7 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #16 0x5b58cf265ee7 in PyObject_Vectorcall ../Objects/call.c:327 #17 0x5b58cf107ad2 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:1620 #18 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #19 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #20 0x5b58cf26fd90 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #21 0x5b58cf26fd90 in method_vectorcall ../Objects/classobject.c:95 #22 0x5b58cf26affe in _PyVectorcall_Call ../Objects/call.c:273 #23 0x5b58cf26affe in _PyObject_Call ../Objects/call.c:348 #24 0x5b58cf26affe in PyObject_Call ../Objects/call.c:373 #25 0x5b58cf10aeb7 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2616 #26 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #27 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #28 0x5b58cf269623 in _PyObject_VectorcallDictTstate ../Objects/call.c:135 #29 0x5b58cf269cdc in _PyObject_Call_Prepend ../Objects/call.c:504 #30 0x5b58cf42a444 in call_method ../Objects/typeobject.c:3077 #31 0x5b58cf42a444 in slot_tp_call ../Objects/typeobject.c:10606 #32 0x5b58cf2644cd in _PyObject_MakeTpCall ../Objects/call.c:242 #33 0x5b58cf1087ac in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:4021 #34 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #35 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #36 0x5b58cf26fd90 in _PyObject_VectorcallTstate ../Include/internal/pycore_call.h:169 #37 0x5b58cf26fd90 in method_vectorcall ../Objects/classobject.c:95 #38 0x5b58cf26affe in _PyVectorcall_Call 
../Objects/call.c:273 #39 0x5b58cf26affe in _PyObject_Call ../Objects/call.c:348 #40 0x5b58cf26affe in PyObject_Call ../Objects/call.c:373 #41 0x5b58cf10aeb7 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:2616 #42 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #43 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 #44 0x5b58cf269623 in _PyObject_VectorcallDictTstate ../Objects/call.c:135 #45 0x5b58cf269cdc in _PyObject_Call_Prepend ../Objects/call.c:504 #46 0x5b58cf42a444 in call_method ../Objects/typeobject.c:3077 #47 0x5b58cf42a444 in slot_tp_call ../Objects/typeobject.c:10606 #48 0x5b58cf2644cd in _PyObject_MakeTpCall ../Objects/call.c:242 #49 0x5b58cf107ad2 in _PyEval_EvalFrameDefault ../Python/generated_cases.c.h:1620 #50 0x5b58cf5eab55 in _PyEval_EvalFrame ../Include/internal/pycore_ceval.h:121 #51 0x5b58cf5eab55 in _PyEval_Vector ../Python/ceval.c:2001 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 in memcpy Shadow bytes around the buggy address: 0x73a39fb97580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x73a39fb97600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x73a39fb97680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x73a39fb97700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x73a39fb97780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x73a39fb97800:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x73a39fb97880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x73a39fb97900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x73a39fb97980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x73a39fb97a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x73a39fb97a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack 
left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==2664130==ABORTING 

CPython versions tested on:

CPython main branch

Operating systems tested on:

Linux

Output from running 'python -VV' on the command line:

No response

    Labels

    3.13bugs and security fixes3.14bugs and security fixes3.15new features, bugs and security fixesinterpreter-core(Objects, Python, Grammar, and Parser dirs)topic-IOtype-crashA hard crash of the interpreter, possibly with a core dump

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions