Title: Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)
Type: security Stage: resolved
Components: Extension Modules Versions: Python 2.7
Status: closed Resolution: not a bug
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, larry, madness, osvdb, xiang.zhang
Priority: normal Keywords:

Created on 2016-06-05 18:01 by madness, last changed 2017-03-07 18:46 by serhiy.storchaka. This issue is now closed.

Messages (4)
msg267447 - Author: Rustemzade Mehemmed (madness) Date: 2016-06-05 18:01
I have tested this vulnerability on Python 2.7 and it is absolutely affected :). An integer overflow is produced in the posix_fdopen function. If an attacker sends fdopen a mode value larger than the max integer value (2*32), an integer overflow occurs.

    int fd;
    char *orgmode = "r";
    int bufsize = -1;
    FILE *fp;
    PyObject *f;
    char *mode;
    if (!PyArg_ParseTuple(args, "i|si", &fd, &orgmode, &bufsize))
        return NULL;

    /* Sanitize mode.  See fileobject.c */
    mode = PyMem_MALLOC(strlen(orgmode)+3);
    strcpy(mode, orgmode);

 os.fdopen(fd[, mode[, bufsize]])

fo = os.fdopen(fd, "r"*0xffffffff)

   0x5e2595 <+86>:	mov    edi,eax
=> 0x5e2598 <+89>:	call   0x416e50 <strlen@plt>     
(gdb) print /x $eax
$1 = 0xffffffff
After that, the "add" instruction does the addition, therefore overflow occurred:
=> 0x5e259d <+94>:	add    eax,0x3
(gdb) print /x $eax
$5 = 0x2
and memory is allocated, then the buffer is copied ==>
   0x5e25a1 <+98>:	mov    edi,eax
   0x5e25a4 <+101>:	call   0x48f793 <_PyMem_DebugMalloc>
   0x5e25cb <+140>:	mov    esi,edx
   0x5e25ce <+143>:	mov    edi,eax
   0x5e25d1 <+146>:	call   0x416b80 <strcpy@plt>

copy buffer
strcpy(mode, orgmode); <=== overflow


import os, sys

# Open (or create) a file to get a descriptor, then hand fdopen an oversized mode string.
fd = os.open("foo.txt", os.O_RDWR|os.O_CREAT)
fo = os.fdopen(fd, "r"*0xffffff)
print "Closed the file successfully!!"
msg267522 - Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2016-06-06 09:58
I am confused why this could happen. On x86 platform, you can not even create a string of size 0xffffffff. On x64 platform, I don't think strlen(s) + 3 can lead to overflow where s is of size Py_ssize_t.
msg267615 - Author: Larry Hastings (larry) * (Python committer) Date: 2016-06-07 10:13
I agree with the previous comment author.  Can you post a sample program that crashes Python?  Please specify what platform you're running on.

On 32-bit platforms, you'd be unable to construct even the first "r" * ((2**32)-1) string.  That string would use 4GB of memory, and 32-bit platforms always reserve some virtual memory space for the OS.

Even if you could construct the first one, you couldn't create the second one.  mode would be NULL and the next line (which you didn't paste below) would notice the NULL and throw an exception.

On 64-bit platforms, strlen() returns a 64-bit signed integer, and a string of length (2**32)-1 is no problem as long as you have enough memory.
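The width argument made in the two replies above, as an added example that is not part of the tracker thread or of CPython: strlen() returns size_t, so on an x86-64 build the sum strlen(orgmode)+3 is 64 bits wide and only its low 32 bits show up in $eax, while a 32-bit sum would wrap exactly as the report shows. The helper names (mode_buf_len, low32, wraps_in_32_bits, wraps_in_size_t, alloc_mode_copy, mode_copy_matches) are assumptions, and the checked allocation is a hypothetical hardening of the excerpt's idiom, not Python's code; the non-wrapping result assumes a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Width of size_t on this build: 32 on an x86 build, 64 on x86-64. */
unsigned size_t_bits(void) { return (unsigned)(sizeof(size_t) * 8); }

/* The length posix_fdopen allocates: strlen(orgmode) + 3, computed in size_t
   (strlen returns size_t and PyMem_MALLOC takes size_t). Hypothetical helper. */
size_t mode_buf_len(size_t orgmode_len) { return orgmode_len + 3; }

/* The low 32 bits of a value: what "print /x $eax" shows in gdb on x86-64,
   where the full 64-bit sum lives in rax. */
uint32_t low32(size_t v) { return (uint32_t)v; }

/* Would strlen(orgmode) + 3 wrap if the sum were carried out in 32 bits? */
int wraps_in_32_bits(size_t orgmode_len) { return orgmode_len > UINT32_MAX - 3u; }

/* Does the sum wrap in size_t on this build? With a 64-bit size_t this needs
   a string longer than any that fits in memory. */
int wraps_in_size_t(size_t orgmode_len) { return orgmode_len > SIZE_MAX - 3; }

/* Overflow-checked form of the mode-copy idiom from the excerpt (hypothetical
   helper): reject a length that cannot take +3, and check the allocation
   result before copying, the NULL check the reply refers to. Caller frees. */
char *alloc_mode_copy(const char *orgmode) {
    size_t len = strlen(orgmode);
    if (wraps_in_size_t(len)) return NULL;   /* +3 would wrap: refuse */
    char *mode = malloc(len + 3);
    if (mode == NULL) return NULL;           /* allocation failed: never copy into NULL */
    memcpy(mode, orgmode, len + 1);          /* bounded copy including the terminator */
    return mode;
}

/* 1 if alloc_mode_copy() returns an exact copy of s, 0 otherwise. */
int mode_copy_matches(const char *s) {
    char *m = alloc_mode_copy(s);
    int ok = (m != NULL && strcmp(m, s) == 0);
    free(m);
    return ok;
}

int main(void) {
    size_t len = (size_t)UINT32_MAX;         /* the "r" * 0xffffffff length from the report */
    size_t total = mode_buf_len(len);
    printf("size_t is %u bits\n", size_t_bits());
    printf("strlen+3 = 0x%zx, low 32 bits = 0x%x, wraps in 32 bits: %d, wraps in size_t: %d\n",
           total, low32(total), wraps_in_32_bits(len), wraps_in_size_t(len));
    printf("copy of \"r+\" matches: %d\n", mode_copy_matches("r+"));
    return 0;
}
```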
msg277331 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-24 20:00
I agree with Xiang and Larry. I don't see how you can successfully create an overflow.
Date                 User              Action  Args
2017-03-07 18:46:33  serhiy.storchaka  set     status: pending -> closed; stage: test needed -> resolved
2016-09-24 20:00:43  christian.heimes  set     status: open -> pending; nosy: + christian.heimes; messages: + msg277331; resolution: not a bug
2016-07-11 18:28:04  osvdb             set     status: pending -> open; nosy: + osvdb
2016-07-10 09:43:25  serhiy.storchaka  set     status: open -> pending; stage: test needed
2016-06-07 10:13:25  larry             set     messages: + msg267615
2016-06-06 09:58:08  xiang.zhang       set     messages: + msg267522
2016-06-06 09:32:02  xiang.zhang       set     nosy: + xiang.zhang
2016-06-06 05:57:38  SilentGhost       set     nosy: + larry; components: + Extension Modules, - Interpreter Core
2016-06-06 03:05:59  madness           set     components: + Interpreter Core; versions: + Python 2.7
2016-06-05 18:09:32  madness           set     type: security
2016-06-05 18:02:55  madness           set     title: Heap overflow occurred due to the int overflow -> Heap overflow occurred due to the int overflow (Python-2.7.11/Modules/posixmodule.c)
2016-06-05 18:01:37  madness           create