classification
Title: PyOS_vsnprintf() potential integer overflow leads to memory corruption
Type: security Stage:
Components: Interpreter Core Versions: Python 2.5
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: gregory.p.smith Nosy List: gregory.p.smith, jnferguson
Priority: normal Keywords:

Created on 2008-04-08 15:59 by jnferguson, last changed 2008-06-02 00:08 by gregory.p.smith. This issue is now closed.

Messages (3)
msg65175 - (view) Author: Justin Ferguson (jnferguson) Date: 2008-04-08 15:59
On architectures that do not have a vsnprintf() in their standard
library Python attempts to emulate it. When doing so, the implementation
ambitiously allocates more memory than requested without verifying the
sanity of the summed value. As a result it becomes possible (although
unlikely) for an integer overflow to occur misallocating memory and
causing a buffer overflow.

 53 int
 54 PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 55 {
 56         int len;  /* # bytes written, excluding \0 */
[...]
 60         assert(str != NULL);
 61         assert(size > 0);
 62         assert(format != NULL);
 63 
[...]
 67         /* Emulate it. */
 68         buffer = PyMem_MALLOC(size + 512);
 69         if (buffer == NULL) {
 70                 len = -666;
 71                 goto Done;
 72         }
 73 
 74         len = vsprintf(buffer, format, va);
 75         if (len < 0)
 76                 /* ignore the error */;
 77 
 78         else if ((size_t)len >= size + 512)
 79                 Py_FatalError("Buffer overflow in
PyOS_snprintf/PyOS_vsnprintf");
 80 
 81         else {
 82                 const size_t to_copy = (size_t)len < size ?
 83                                         (size_t)len : size - 1;
 84                 assert(to_copy < size);
 85                 memcpy(str, buffer, to_copy);
 86                 str[to_copy] = '\0';
 87         }
 88         PyMem_FREE(buffer);
 89 Done:
[...]
 91         str[size-1] = '\0';
 92         return len;
 93 }
msg67396 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2008-05-26 21:17
Fixed in trunk r63728.


There was a problem with the code on normal architectures as well.

The input was a size_t while the output was an int.  So an integer
overflow could have happened going from the vsnprintf return value to
the integer since size_t is unsigned and int isn't (also when size_t is
a larger type than an int).

I don't think that would lead to memory corruption when using the
system's vsnprintf but it could have bad results if the caller expected
str to be null terminated properly.


I will backport this to release25-maint.
msg67621 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2008-06-02 00:08
Fixed in release25-maint r63883.
History
Date User Action Args
2008-06-02 00:08:51gregory.p.smithsetstatus: open -> closed
resolution: fixed
messages: + msg67621
2008-05-26 21:17:30gregory.p.smithsetpriority: low -> normal
messages: + msg67396
title: PyOS_vsnprintf() potential integer overflow leads to memory corruption on esoteric architectures -> PyOS_vsnprintf() potential integer overflow leads to memory corruption
2008-05-25 09:13:07gregory.p.smithsetpriority: low
assignee: gregory.p.smith
nosy: + gregory.p.smith
2008-04-08 15:59:48jnfergusoncreate