classification
Title: Integer signedness bugs in zlib modules
Type: security
Stage:
Components: Extension Modules
Versions: Python 2.5
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: belopolsky, chmod007, jnferguson, rhettinger
Priority: critical
Keywords:

Created on 2008-04-08 15:41 by jnferguson, last changed 2008-04-10 17:34 by belopolsky. This issue is now closed.

Files
File name | Uploaded | Description
python-2.5.2-zlib-unflush-misallocation.py | jnferguson, 2008-04-08 15:41 |
python-2.5.2-zlib-unflush-signedness.py | jnferguson, 2008-04-08 15:42 |
Messages (7)
msg65171 - Author: Justin Ferguson (jnferguson) Date: 2008-04-08 15:41
The zlib module in multiple places fails to adequately check the sanity
of its arguments, resulting in memory corruption; please see the two attached
PoCs.
msg65176 - Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2008-04-08 16:04
Verified that the script crashes Python.
msg65191 - Author: Justin Ferguson (jnferguson) Date: 2008-04-08 16:49
Just so you know, the scripts actually do two different things; the
bugs are both related to negative values though. One causes
PyString_FromStringAndSize() to try to allocate zero bytes (the -24
one), the other causes like 22 bytes to get allocated and then takes
advantage of the sign-conversion when the value is assigned to the zlib
structure member (the member is unsigned, the value is signed).

Honestly, you guys should consider enforcing the safe downcast usage
because signedness issues are all over your code base (as I'm sure you know)
msg65229 - Author: Alexander Belopolsky (belopolsky) * (Python committer) Date: 2008-04-09 01:57
This has just been fixed in the trunk: r62235.
msg65230 - Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2008-04-09 02:20
Thx
msg65302 - Author: David Remahl (chmod007) Date: 2008-04-10 17:17
I submit that a check for negative values (non-assert-based) should be 
added to PyString_FromStringAndSize(). This API is called from many, many 
places, and in several cases the operand could probably be negative. It 
should raise an overflow exception for a negative value.
msg65303 - Author: Alexander Belopolsky (belopolsky) * (Python committer) Date: 2008-04-10 17:34
On Thu, Apr 10, 2008 at 1:17 PM, David Remahl <report@bugs.python.org> wrote:

>  I submit that a check for negative values (non-assert-based) should be
>  added to PyString_FromStringAndSize().

See issue2587 and r62262.
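The sign conversion described in msg65191 and the non-assert negative-length check proposed in msg65302, as an added C example that is not part of this issue, the attached PoCs, CPython or zlib. fake_stream, unchecked_avail_out, checked_avail_out and alloc_output are stand-in names, ptrdiff_t stands in for Py_ssize_t, and the only thing mirrored from zlib is that the avail_out member of z_stream is unsigned (uInt).

```c
/* Added example, not from the bug tracker, CPython or zlib: it reproduces
 * the signed-to-unsigned wrap discussed in msg65191 and shows the kind of
 * non-assert negative-length check msg65302 asks for.  fake_stream,
 * unchecked_avail_out, checked_avail_out and alloc_output are stand-in
 * names; only the unsigned type of avail_out mirrors zlib's z_stream. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the relevant corner of zlib's z_stream: avail_out is
 * unsigned (zlib's uInt), so assigning a negative signed value to it
 * silently wraps to a value near UINT_MAX. */
struct fake_stream {
    unsigned char *next_out;
    unsigned int   avail_out;
};

/* The hazard: a signed, caller-supplied length is stored without a check.
 * Returns the value the stream member actually ends up holding. */
unsigned int unchecked_avail_out(int length) {
    struct fake_stream zst = {0};
    zst.avail_out = length;          /* implicit int -> unsigned int */
    return zst.avail_out;
}

/* Sign-checked downcast from a Py_ssize_t-like length (ptrdiff_t is the
 * stand-in) to the unsigned member.  Rejects negatives and values that
 * would not fit; returns -1 where CPython would raise, 0 on success. */
int checked_avail_out(ptrdiff_t length, unsigned int *out) {
    if (length < 0)
        return -1;                   /* e.g. the -24 mentioned in the report */
    if ((unsigned long long)length > UINT_MAX)
        return -1;                   /* would truncate on assignment */
    *out = (unsigned int)length;
    return 0;
}

/* The allocate-then-assign sequence done safely: the buffer and the
 * avail_out handed to the stream are derived from the same checked value,
 * so they cannot disagree.  Returns NULL if the length is rejected. */
unsigned char *alloc_output(ptrdiff_t length, unsigned int *avail) {
    unsigned int n;
    unsigned char *buf;
    if (checked_avail_out(length, &n) != 0)
        return NULL;
    buf = malloc(n ? n : 1);         /* sidestep malloc(0) being implementation-defined */
    if (buf == NULL)
        return NULL;
    *avail = n;
    return buf;
}

int main(void) {
    unsigned int avail = 0;
    unsigned char *buf;
    printf("unchecked: -24 becomes %u bytes of output space\n",
           unchecked_avail_out(-24));
    printf("checked(-24): %d\n", checked_avail_out(-24, &avail));
    buf = alloc_output(22, &avail);
    printf("alloc_output(22): %s, avail_out=%u\n",
           buf ? "ok" : "rejected", avail);
    free(buf);
    return 0;
}
```

The unchecked path is what a negative length turns into once it reaches an unsigned zlib field: the stream believes it has close to 4 GiB of output space behind a buffer that was allocated from the original, much smaller, signed value. The checked path rejects the value before either the allocation or the assignment happens, which is the order the check has to come in.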
History
Date | User | Action | Args
2008-04-10 17:34:48 | belopolsky | set | messages: + msg65303
2008-04-10 17:17:29 | chmod007 | set | nosy: + chmod007; messages: + msg65302
2008-04-09 02:20:17 | rhettinger | set | status: open -> closed; resolution: fixed; messages: + msg65230
2008-04-09 01:57:09 | belopolsky | set | nosy: + belopolsky; messages: + msg65229
2008-04-08 16:49:18 | jnferguson | set | messages: + msg65191
2008-04-08 16:04:15 | rhettinger | set | priority: critical; nosy: + rhettinger; messages: + msg65176
2008-04-08 15:42:05 | jnferguson | set | files: + python-2.5.2-zlib-unflush-signedness.py
2008-04-08 15:41:40 | jnferguson | create |