classification
Title: pickle fails with SystemError
Type: crash Stage: resolved
Components: Extension Modules Versions: Python 3.6, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: serhiy.storchaka Nosy List: alex, python-dev, r.david.murray, serhiy.storchaka, zach.ware
Priority: low Keywords: patch

Created on 2015-04-11 12:52 by alex, last changed 2015-11-27 07:57 by serhiy.storchaka. This issue is now closed.

Files
File name Uploaded Description Edit
unpickle_bad_stack.patch serhiy.storchaka, 2015-11-14 22:58 review
Messages (9)
msg240475 Author: Alex Gaynor (alex) * (Python committer) Date: 2015-04-11 12:52
>>> pickle.loads(b'(o.\x7f.')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: Objects/tupleobject.c:71: bad argument to internal function

(Or the equivalent using cPickle on Python 2)

Found using http://lcamtuf.coredump.cx/afl/
msg240476 Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-04-11 13:21
Warning: The pickle module is not intended to be secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.

pickle.loads(b'cos\nsystem\n(Vrm -rf /\ntR.')
msg240477 Author: Alex Gaynor (alex) * (Python committer) Date: 2015-04-11 13:22
Yes, it can execute arbitrary code, but I think we should prefer raising "specific" error messages, instead of failing inside tuple details.
msg240482 Author: R. David Murray (r.david.murray) * (Python committer) Date: 2015-04-11 16:24
I don't see a strong motivation to do that.  What's the use case?
msg254672 Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-11-14 22:58
Here is a patch that makes a broken OBJ opcode raise UnpicklingError instead of SystemError, improves some UnpicklingError messages, and adds tests for unpickling broken data.
msg255154 Author: Roundup Robot (python-dev) (Python triager) Date: 2015-11-23 13:21
New changeset bac3f63ea747 by Serhiy Storchaka in branch '3.4':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/bac3f63ea747

New changeset 531e2674f003 by Serhiy Storchaka in branch '3.5':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/531e2674f003

New changeset b08c3a733fda by Serhiy Storchaka in branch 'default':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/b08c3a733fda

New changeset 686fa9439d38 by Serhiy Storchaka in branch '2.7':
Issue #23914: Fixed SystemError raised by unpickler on broken pickle data.
https://hg.python.org/cpython/rev/686fa9439d38
msg255452 Author: Roundup Robot (python-dev) (Python triager) Date: 2015-11-27 07:22
New changeset 322060740b64 by Zachary Ware in branch '2.7':
Issue #23914: Fix test_xpickle with python 2.4 and 2.5
https://hg.python.org/cpython/rev/322060740b64
msg255453 Author: Zachary Ware (zach.ware) * (Python committer) Date: 2015-11-27 07:27
This broke test_xpickle with python 2.4 and 2.5 due to 'b' prefixes and an import that's not actually used in the 2.7 patch; now fixed.  The ware-gentoo-x86 buildslave now has pythons 2.4, 2.5, and 2.6 installed for test_xpickle to use.
msg255454 Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2015-11-27 07:57
Great! I'm afraid there were no buildbots with 2.4 and 2.5 for testing test_xpickle. Thank you Zachary!
History
Date User Action Args
2015-11-27 07:57:42 serhiy.storchaka set messages: + msg255454
2015-11-27 07:27:39 zach.ware set nosy: + zach.ware
messages: + msg255453
2015-11-27 07:22:07 python-dev set messages: + msg255452
2015-11-23 15:54:09 serhiy.storchaka set status: open -> closed
resolution: fixed
stage: patch review -> resolved
2015-11-23 13:21:12 python-dev set nosy: + python-dev
messages: + msg255154
2015-11-14 22:58:32 serhiy.storchaka set files: + unpickle_bad_stack.patch
messages: + msg254672
assignee: serhiy.storchaka
keywords: + patch
stage: patch review
2015-05-27 08:56:04 serhiy.storchaka set priority: normal -> low
2015-04-11 16:24:34 r.david.murray set nosy: + r.david.murray
messages: + msg240482
2015-04-11 13:22:21 alex set messages: + msg240477
2015-04-11 13:21:17 serhiy.storchaka set nosy: + serhiy.storchaka
messages: + msg240476
2015-04-11 12:52:42 alex create
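
Added example (not part of the original issue or of the CPython patch): a static look at the input from msg240475 using pickletools.genops, which decodes the opcode stream without importing or calling anything. The function name inspect_pickle, the risky-opcode set and the MARK-then-OBJ check are assumptions made for this illustration; the second sample is a constructed, harmless pickle with the same GLOBAL + REDUCE shape as the one in msg240476.

```python
import pickle
import pickletools

# Opcodes that import a name or call/instantiate an object while loading.
CODE_EXEC_OPS = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
                 "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4"}


def inspect_pickle(data):
    """Walk the opcode stream with pickletools.genops; nothing is imported or called."""
    report = {"ops": [], "risky": [], "malformed": [], "trailing": 0}
    prev = None
    try:
        for op, arg, pos in pickletools.genops(data):
            report["ops"].append(op.name)
            if op.name in CODE_EXEC_OPS:
                report["risky"].append((pos, op.name, arg))
            # OBJ takes the class from the first item above the topmost mark,
            # so MARK directly followed by OBJ leaves it with no class at all.
            if op.name == "OBJ" and prev == "MARK":
                report["malformed"].append("offset %d: OBJ with nothing above the mark" % pos)
            if op.name == "STOP":
                # genops stops at STOP; count the bytes it never looked at.
                report["trailing"] = len(data) - (pos + 1)
            prev = op.name
    except Exception as exc:  # genops raises ValueError on unknown/truncated opcodes
        report["malformed"].append("opcode stream unreadable: %s" % exc)
    return report


# Inputs: the malformed pickle from the report, a constructed harmless pickle
# that calls builtins.len via GLOBAL + REDUCE, and an ordinary data-only pickle.
SAMPLES = {
    "issue input": b"(o.\x7f.",
    "constructed call": b"cbuiltins\nlen\n(Vabc\ntR.",
    "plain data": pickle.dumps([1, 2, {"a": 3}]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = inspect_pickle(blob)
        print(name, r["ops"])
        print("  risky:", r["risky"], "malformed:", r["malformed"],
              "trailing bytes:", r["trailing"])
```

A clean report is not a safety guarantee; the warning quoted in msg240476 still applies to any pickle from an untrusted source.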