classification
Title: buffer overflow in socket.recvfrom_into
Type: security Stage: resolved
Components: Extension Modules Versions: Python 3.4, Python 3.3, Python 3.2, Python 3.1, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, cvrebert, ezio.melotti, giampaolo.rodola, koobs, ncoghlan, offby1, pefu, pitrou, python-dev, r.david.murray, rmsr, skrah
Priority: normal Keywords: patch

Created on 2014-01-14 00:43 by rmsr, last changed 2014-03-01 07:16 by koobs. This issue is now closed.

Files
File name | Uploaded | Description
recvfrom_into_buffer_overflow_3.4.patch | rmsr, 2014-01-14 00:44 | patch against v3.4
recvfrom_into_buffer_overflow_2.7.patch | rmsr, 2014-01-14 00:44 | patch against 2.7
recvfrom_into_small_buffer_test.patch | rmsr, 2014-01-20 20:46 |
Messages (24)
msg208062 - (view) Author: Ryan Smith-Roberts (rmsr) * Date: 2014-01-14 00:43
recvfrom_into fails to check that the supplied buffer object is big enough for the requested read and so will happily write off the end.

I will attach patches for 3.4 and 2.7; I'm not familiar with the backporting procedure to go further, but all versions since 2.5 have this bug, and while very highly unlikely, it's technically remotely exploitable.

Quickie trigger script, crash on interpreter exit:

--------- BEGIN SEGFAULT ---------

import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)
msg208066 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-01-14 02:35
Everything before 2.7 is already out of even security maintenance, so you've already checked off everything it will get fixed in.
msg208070 - (view) Author: Roundup Robot (python-dev) Date: 2014-01-14 04:15
New changeset 87673659d8f7 by Benjamin Peterson in branch '2.7':
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
http://hg.python.org/cpython/rev/87673659d8f7

New changeset 715fd3d8ac93 by Benjamin Peterson in branch '3.1':
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
http://hg.python.org/cpython/rev/715fd3d8ac93

New changeset 9c56217e5c79 by Benjamin Peterson in branch '3.2':
complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
http://hg.python.org/cpython/rev/9c56217e5c79

New changeset 7f176a45211f by Benjamin Peterson in branch '3.3':
merge 3.2 (#20246)
http://hg.python.org/cpython/rev/7f176a45211f

New changeset ead74e54d68f by Benjamin Peterson in branch 'default':
merge 3.3 (#20246)
http://hg.python.org/cpython/rev/ead74e54d68f

New changeset 37ed85008f51 by Benjamin Peterson in branch 'default':
merge 3.3 (#20246)
http://hg.python.org/cpython/rev/37ed85008f51
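The missing check rmsr describes in msg208062, and the "complain when nbytes > buflen" guard the changesets above add, modelled in Python as an added example (not code from CPython or from this issue): a wrapper that applies the same bounds check in front of recvfrom_into, so code that must run on an unpatched interpreter never hands the C layer a request larger than its buffer. The helper names and the error wording are assumptions of this example, not CPython's.

```python
import socket


def check_recv_into_args(buflen, nbytes):
    """Bounds check modelled on the fix: the number of bytes requested must
    never exceed the length of the buffer being written into.
    Returns the byte count that may safely be read (nbytes == 0 means
    "fill the whole buffer", matching recvfrom_into's default)."""
    if nbytes < 0:
        raise ValueError("negative buffersize in recvfrom_into")
    if nbytes == 0:
        return buflen
    if nbytes > buflen:
        # This is the case the unpatched C code did not reject.
        raise ValueError("nbytes is greater than the length of the buffer")
    return nbytes


def safe_recvfrom_into(sock, buffer, nbytes=0, flags=0):
    """Validate sizes in Python before delegating to sock.recvfrom_into,
    so a request that would overflow the buffer is rejected up front."""
    view = memoryview(buffer)            # works for bytearray, array, mmap ...
    n = check_recv_into_args(view.nbytes, nbytes)
    return sock.recvfrom_into(buffer, n, flags)


def demo():
    """Replay the trigger from msg208062 through the wrapper (constructed
    input: a connected socketpair carrying 1024 'X' bytes)."""
    r, w = socket.socketpair()
    try:
        w.send(b'X' * 1024)
        # Original trigger: empty buffer, 1024 bytes requested.
        try:
            safe_recvfrom_into(r, bytearray(), 1024)
            rejected = False
        except ValueError:
            rejected = True
        # A request that fits its buffer reads only as much as fits.
        buf = bytearray(16)
        nread, _addr = safe_recvfrom_into(r, buf, 16)
        return rejected, nread, bytes(buf)
    finally:
        r.close()
        w.close()
```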
msg208422 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2014-01-18 23:05
One test fails on FreeBSD 9.0 and 6.4:

======================================================================
ERROR: testRecvFromIntoSmallBuffer (test.test_socket.BufferIOTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 259, in _tearDown
    raise exc
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 271, in clientRun
    test_func()
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 4690, in _testRecvFromIntoSmallBuffer
    self.serv_conn.send(MSG*2048)
BrokenPipeError: [Errno 32] Broken pipe
msg208428 - (view) Author: Ryan Smith-Roberts (rmsr) * Date: 2014-01-19 00:55
Perhaps the test is sending an infeasibly large message. If you remove the '*2048' does it pass? (I set up a FreeBSD 9.2 amd64 VM but all tests are passing here).
msg208501 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2014-01-19 21:33
MSG*1024 passes. I did not look at this issue: Would changing the value to 1024 invalidate the test?
msg208580 - (view) Author: Ryan Smith-Roberts (rmsr) * Date: 2014-01-20 20:46
The send part of the test doesn't matter, since what's being tested happens before any reads. The MSG multiplier should be removed completely, since none of the other tests do that.

Patch attached.
msg208711 - (view) Author: Roundup Robot (python-dev) Date: 2014-01-21 22:07
New changeset 5c4f4db8107c by Stefan Krah in branch '3.3':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/5c4f4db8107c

New changeset 9bbc3cc8ff4c by Stefan Krah in branch 'default':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/9bbc3cc8ff4c

New changeset b6c5a37b221f by Stefan Krah in branch '2.7':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/b6c5a37b221f
msg208712 - (view) Author: Stefan Krah (skrah) * (Python committer) Date: 2014-01-21 22:11
Thanks Ryan. As you say, the original segfault is also triggered with the shortened message.
msg212165 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2014-02-25 07:23
I just came across https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/ . Now I wonder why this bug was neither reported to PSRT nor got a CVE number. It's a buffer overflow...

I'm going to contact MITRE right away.
msg212166 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2014-02-25 07:43
Branch status:

Vulnerable (last release prior to patch):
    2.7.6
    3.1.5
    3.2.5

Fixed (latest release post patch):
    3.3.4+
    3.4

So my reading is that 2.7.7 needs to be brought forward, and source only releases of 3.1.6 and 3.2.6 should be published.

It also sounds like there's a missing trigger that automatically notifies PSRT when someone else classifies a bug as a security bug.
msg212167 - (view) Author: Nick Coghlan (ncoghlan) * (Python committer) Date: 2014-02-25 07:52
Confirming the fix is in the 3.3.4 tag: http://hg.python.org/cpython/file/7ff62415e426/Lib/test/test_socket.py#l4539

And the 3.4rc1 tag: http://hg.python.org/cpython/file/5e088cea8660/Lib/test/test_socket.py#l4708
msg212168 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2014-02-25 08:20
This issue has already been assigned CVE-2014-1912

Reference:

http://www.openwall.com/lists/oss-security/2014/02/12/16
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1912
msg212179 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2014-02-25 14:17
We don't currently have the capability to set an email trigger when the type is set to security.  That should be submitted as a request on the meta tracker.  (It will require a new reactor, which is easy, and a tweak to the database schema, which I don't offhand remember how to deploy, but it shouldn't be hard.)
msg212196 - (view) Author: Chris Rose (offby1) * Date: 2014-02-25 18:48
Is there an ETA for a 2.7.7 release with this fix?
msg212206 - (view) Author: Ryan Smith-Roberts (rmsr) * Date: 2014-02-25 19:52
I notified security@python.org and waited for the go-ahead (from Guido I think) before opening this bug. If today is the first that the PSRT is hearing about this, then the issue is broader than just the bugtracker.
msg212207 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-02-25 19:55
Yes, your message reached PSRT on Jan 12th.
msg212208 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2014-02-25 19:56
Sorry, you are right and I was wrong. :(

Your mail *was* delivered to PSRT. But it failed to reach me because I was having issues with my @python.org account. The server-side spam filter is now deactivated and I receive all mails again.
msg212248 - (view) Author: Peter Funk (pefu) Date: 2014-02-26 11:25
A recently posted proof of concept exploit got a lot of attention:

https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/

I suggest some Python core developer should clarify here whether people running some publicly available Python-based web service (Zope, Plone, Roundup, MoinMoin, or whatever) are vulnerable or not.
msg212249 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-02-26 11:28
recvfrom_into() is hardly ever used, including in the stdlib itself.
People using third-party software should check that the software itself doesn't call this method (chances are it doesn't).
msg212253 - (view) Author: Peter Funk (pefu) Date: 2014-02-26 13:07
Antoine Pitrou:
> recvfrom_into() is hardly ever used, including in the stdlib itself.

Thank you for the quick clarification.  
This will certainly help to calm down nervous people.

Best regards, Peter.
msg212418 - (view) Author: koobs (koobs) Date: 2014-02-28 10:27
Can somebody backport the fixes for the test breakages to 3.1 and 3.2 please? It seems they were forgotten.

The original CVE fix includes changes to test_socket.py, so I can't imagine the security-only-fix policy applies.

Thanks!
msg212489 - (view) Author: Roundup Robot (python-dev) Date: 2014-03-01 07:04
New changeset c25e1442529f by Stefan Krah in branch '3.1':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/c25e1442529f

New changeset e82dcd700e8c by Stefan Krah in branch '3.2':
Issue #20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/e82dcd700e8c
msg212490 - (view) Author: koobs (koobs) Date: 2014-03-01 07:16
Thank you Stefan
History
Date | User | Action | Args
2014-03-01 07:16:38 | koobs | set | messages: + msg212490
2014-03-01 07:04:20 | python-dev | set | messages: + msg212489
2014-02-28 10:27:15 | koobs | set | messages: + msg212418
2014-02-26 13:07:48 | pefu | set | messages: + msg212253
2014-02-26 11:28:43 | pitrou | set | messages: + msg212249
2014-02-26 11:25:44 | pefu | set | nosy: + pefu; messages: + msg212248
2014-02-26 02:23:17 | giampaolo.rodola | set | nosy: + giampaolo.rodola
2014-02-25 19:56:31 | christian.heimes | set | messages: + msg212208
2014-02-25 19:55:25 | pitrou | set | nosy: + pitrou; messages: + msg212207
2014-02-25 19:52:28 | rmsr | set | messages: + msg212206
2014-02-25 18:48:09 | offby1 | set | nosy: + offby1; messages: + msg212196
2014-02-25 14:17:59 | r.david.murray | set | nosy: + ezio.melotti; messages: + msg212179
2014-02-25 11:45:50 | koobs | set | nosy: + koobs
2014-02-25 08:27:45 | cvrebert | set | nosy: + cvrebert
2014-02-25 08:20:27 | christian.heimes | set | messages: + msg212168
2014-02-25 07:52:16 | ncoghlan | set | messages: + msg212167
2014-02-25 07:43:05 | ncoghlan | set | nosy: + ncoghlan; messages: + msg212166
2014-02-25 07:23:39 | christian.heimes | set | nosy: + christian.heimes; messages: + msg212165
2014-01-21 22:11:36 | skrah | set | messages: + msg208712
2014-01-21 22:07:02 | python-dev | set | messages: + msg208711
2014-01-20 20:46:56 | rmsr | set | files: + recvfrom_into_small_buffer_test.patch; messages: + msg208580
2014-01-19 21:33:26 | skrah | set | messages: + msg208501
2014-01-19 00:55:11 | rmsr | set | messages: + msg208428
2014-01-18 23:05:23 | skrah | set | nosy: + skrah; messages: + msg208422
2014-01-14 04:15:07 | python-dev | set | status: open -> closed; nosy: + python-dev; messages: + msg208070; resolution: fixed; stage: resolved
2014-01-14 02:35:35 | r.david.murray | set | type: crash -> security; messages: + msg208066; nosy: + r.david.murray
2014-01-14 00:44:34 | rmsr | set | files: + recvfrom_into_buffer_overflow_2.7.patch
2014-01-14 00:44:23 | rmsr | set | files: + recvfrom_into_buffer_overflow_3.4.patch; keywords: + patch
2014-01-14 00:43:59 | rmsr | create |