This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: test_socket: buffer overflow in sock_recvmsg_guts
Type:
Stage: resolved
Components: Tests
Versions: Python 3.3, Python 3.4

process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: Jeffrey.Walton, giampaolo.rodola, iritkatriel, neologix, pitrou
Priority: normal
Keywords:

Created on 2014-03-15 17:07 by Jeffrey.Walton, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Repositories containing patches
http://hg.python.org/cpython
Messages (5)
msg213667 - (view) Author: Jeffrey Walton (Jeffrey.Walton) * Date: 2014-03-15 17:07
From Python head in mercurial:

    $ hg id
    7ce22d0899e4+ tip

Exporting "set allocator_may_return_null=1" for Clang might tickle this issue. Without the export, this test did not fail.

=================================================================
==21071==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000b99f4 at pc 0x4aafea bp 0x7fffd2318c70 sp 0x7fffd2318c20
WRITE of size 24 at 0x6030000b99f4 thread T0
    #0 0x4aafe9 in write_msghdr /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1395
    #1 0x4aafe9 in __interceptor_recvmsg /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1405
    #2 0x2ad35b764146 in sock_recvmsg_guts cpython/./Modules/socketmodule.c:2968
    #3 0x2ad35b75f83c in sock_recvmsg cpython/./Modules/socketmodule.c:3098
    #4 0x6642ba in ext_do_call cpython/./Python/ceval.c:4548
    #5 0x6642ba in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #6 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #7 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #8 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #9 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #10 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #11 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #12 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #13 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #14 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #15 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #16 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #17 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #18 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #19 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #20 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #21 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #22 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #23 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #24 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #25 0x830dcc in method_call cpython/./Objects/classobject.c:347
    #26 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #27 0x5ae10f in slot_tp_call cpython/./Objects/typeobject.c:5809
    #28 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #29 0x6653a0 in do_call cpython/./Python/ceval.c:4456
    #30 0x6653a0 in call_function cpython/./Python/ceval.c:4254
    #31 0x6653a0 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #32 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #33 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #34 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #35 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #36 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #37 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #38 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #39 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #40 0x830dcc in method_call cpython/./Objects/classobject.c:347
    #41 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #42 0x5ae10f in slot_tp_call cpython/./Objects/typeobject.c:5809
    #43 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #44 0x6653a0 in do_call cpython/./Python/ceval.c:4456
    #45 0x6653a0 in call_function cpython/./Python/ceval.c:4254
    #46 0x6653a0 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #47 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #48 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #49 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #50 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #51 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #52 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #53 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #54 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #55 0x830dcc in method_call cpython/./Objects/classobject.c:347
    #56 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #57 0x5ae10f in slot_tp_call cpython/./Objects/typeobject.c:5809
    #58 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #59 0x6653a0 in do_call cpython/./Python/ceval.c:4456
    #60 0x6653a0 in call_function cpython/./Python/ceval.c:4254
    #61 0x6653a0 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #62 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #63 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #64 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #65 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #66 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #67 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #68 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #69 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #70 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #71 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #72 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #73 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #74 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #75 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #76 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #77 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #78 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #79 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #80 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #81 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #82 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #83 0x6642d6 in ext_do_call cpython/./Python/ceval.c:4551
    #84 0x6642d6 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #85 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #86 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #87 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #88 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #89 0x670b7a in fast_function cpython/./Python/ceval.c:4324
    #90 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #91 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #92 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #93 0x6545ca in PyEval_EvalCode cpython/./Python/ceval.c:773
    #94 0x64d74c in builtin_exec cpython/./Python/bltinmodule.c:876
    #95 0x664ceb in call_function cpython/./Python/ceval.c:4227
    #96 0x664ceb in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #97 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #98 0x670cb5 in fast_function cpython/./Python/ceval.c:4334
    #99 0x65fbc8 in call_function cpython/./Python/ceval.c:4252
    #100 0x65fbc8 in PyEval_EvalFrameEx cpython/./Python/ceval.c:2829
    #101 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578
    #102 0x84c177 in function_call cpython/./Objects/funcobject.c:632
    #103 0x4fd729 in PyObject_Call cpython/./Objects/abstract.c:2067
    #104 0x4ee527 in RunModule cpython/./Modules/main.c:209
    #105 0x4ed771 in Py_Main cpython/./Modules/main.c:693
    #106 0x4e7d54 in main cpython/././Modules/python.c:69
    #107 0x2ad3549e5eac in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:244
    #108 0x4e7b0c in _start (cpython/./python+0x4e7b0c)

0x6030000b99f4 is located 0 bytes to the right of 20-byte region [0x6030000b99e0,0x6030000b99f4)
allocated by thread T0 here:
    #0 0x4d1a39 in malloc /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x2ad35b763c55 in sock_recvmsg_guts cpython/./Modules/socketmodule.c:2949
    #2 0x2ad35b75f83c in sock_recvmsg cpython/./Modules/socketmodule.c:3098
    #3 0x6642ba in ext_do_call cpython/./Python/ceval.c:4548
    #4 0x6642ba in PyEval_EvalFrameEx cpython/./Python/ceval.c:2869
    #5 0x655a7b in PyEval_EvalCodeEx cpython/./Python/ceval.c:3578

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jwalton/Desktop/clang-3.4/llvm-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1395 write_msghdr
Shadow bytes around the buggy address:
  0x0c068000f2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c068000f320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c068000f330: fa fa fa fa fa fa fa fa fa fa fa fa 00 00[04]fa
  0x0c068000f340: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
  0x0c068000f350: fd fd fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c068000f360: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c068000f370: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c068000f380: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe

==21071==ABORTING[ 58/389] test_socket
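
Added example, not part of the original report: a small triage helper that cross-checks the three key lines of the AddressSanitizer output above against each other (access, region, and the marked shadow row). The function names are hypothetical, and the shadow offset 0x7fff8000 is an assumption (ASan's default mapping on x86_64 Linux) that the report's own addresses confirm.

```python
import re

# Constructed input: the three lines of the report above that triage needs.
REPORT = """\
WRITE of size 24 at 0x6030000b99f4 thread T0
0x6030000b99f4 is located 0 bytes to the right of 20-byte region [0x6030000b99e0,0x6030000b99f4)
=>0x0c068000f330: fa fa fa fa fa fa fa fa fa fa fa fa 00 00[04]fa
"""

SHADOW_SCALE = 3             # one shadow byte covers 8 application bytes (per the legend)
SHADOW_OFFSET = 0x7FFF8000   # assumption: ASan's default offset on x86_64 Linux


def shadow_addr(addr):
    """Map an application address to the address of its shadow byte."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def expected_shadow(size):
    """Shadow bytes ASan keeps for a live heap block of `size` bytes."""
    full, tail = divmod(size, 8)
    return [0] * full + ([tail] if tail else [])


def triage(report):
    access = re.search(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report)
    region = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    row = re.search(r"^=>(0x[0-9a-f]+):(.*)$", report, re.M)
    bad = int(access.group(3), 16)
    size, start, end = int(region.group(1)), int(region.group(2), 16), int(region.group(3), 16)
    row_base = int(row.group(1), 16)
    # Brackets mark the shadow byte of the faulting address; split them off.
    cells = row.group(2).replace("[", " [").replace("]", " ").split()
    marked = next(i for i, c in enumerate(cells) if c.startswith("["))
    shadow = [int(c.lstrip("["), 16) for c in cells]
    first = shadow_addr(start) - row_base      # index of the block's first shadow byte
    n = len(expected_shadow(size))
    return {
        "kind": access.group(1),
        "access_size": int(access.group(2)),
        "region_size": size,
        "region_consistent": end - start == size,
        "bad_is_region_end": bad == end,
        "marked_matches_bad": row_base + marked == shadow_addr(bad),
        "block_shadow": shadow[first:first + n],
        "after_block": shadow[first + n],
    }
```

For this report the block's shadow bytes are `00 00 04` (two full 8-byte granules plus 4 addressable bytes, i.e. 20 bytes) followed by a heap redzone `fa`, and the bracketed byte is the shadow of the first address past the 20-byte allocation.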
msg213675 - (view) Author: Jeffrey Walton (Jeffrey.Walton) * Date: 2014-03-15 19:19
This does not look quite right from Modules/socketmodule.c.

    /* Fill in an iovec for each item, and save the Py_buffer
       structs to release afterwards. */
    if (nitems > 0 && ((iovs = PyMem_New(struct iovec, nitems)) == NULL ||
                       (bufs = PyMem_New(Py_buffer, nitems)) == NULL)) {
        PyErr_NoMemory();
        goto finally;
    }

    for (; nbufs < nitems; nbufs++) {
        if (!PyArg_Parse(PySequence_Fast_GET_ITEM(fast, nbufs),
                         "w*;recvmsg_into() argument 1 must be an iterable "
                         "of single-segment read-write buffers",
                         &bufs[nbufs]))
            goto finally;
        iovs[nbufs].iov_base = bufs[nbufs].buf;
        iovs[nbufs].iov_len = bufs[nbufs].len;
    }
msg213787 - (view) Author: Jeffrey Walton (Jeffrey.Walton) * Date: 2014-03-17 02:41
This might be relevant. It showed up while building Python 3.3.5 from sources.

/usr/local/bin/clang -fsanitize=undefined -fPIC -Wno-unused-result -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -I./Include -I. -IInclude -I/usr/local/include -IPython-3.3.5/./Include -IPython-3.3.5/. -c Python-3.3.5/./Modules/socketmodule.c -o build/temp.linux-x86_64-3.3Python-3.3.5/./Modules/socketmodule.o
Python-3.3.5/./Modules/socketmodule.c:1951:74: warning: 
      comparison of unsigned expression < 0 is always false
      [-Wtautological-compare]
    if (cmsgh == NULL || msg->msg_control == NULL || msg->msg_controllen < 0)
msg214514 - (view) Author: Charles-François Natali (neologix) * (Python committer) Date: 2014-03-22 20:33
I don't see anything wrong with the code.

Could you try running the test under valgrind?
You must build Python with --with-valgrind, and then:
valgrind --tool=memcheck --suppressions=Misc/valgrind-python.supp <test>
msg404791 - (view) Author: Irit Katriel (iritkatriel) * (Python committer) Date: 2021-10-22 16:33
Please create a new issue if you're still seeing this on 3.9+.
History
Date                 User            Action  Args
2022-04-11 14:58:00  admin           set     github: 65136
2021-10-22 16:33:50  iritkatriel     set     nosy: + iritkatriel; messages: + msg404791
2021-10-22 16:33:10  iritkatriel     set     status: open -> closed; resolution: out of date; stage: resolved
2014-03-22 20:33:21  neologix        set     messages: + msg214514
2014-03-17 02:41:58  Jeffrey.Walton  set     messages: + msg213787
2014-03-16 14:37:07  neologix        link    issue20940 superseder
2014-03-15 22:06:27  pitrou          set     nosy: + pitrou, giampaolo.rodola, neologix; versions: + Python 3.3, Python 3.4, - Python 3.5
2014-03-15 19:19:21  Jeffrey.Walton  set     messages: + msg213675
2014-03-15 17:07:06  Jeffrey.Walton  create