classification
Title: Segfault on error in code object checking
Type: Stage: resolved
Components: Versions: Python 3.6, Python 3.5, Python 3.4, Python 2.7
process
Status: closed Resolution: wont fix
Dependencies: Superseder:
Assigned To: Nosy List: Decorater, ammar2, ned.deily, pabstersac, r.david.murray, serhiy.storchaka
Priority: normal Keywords:

Created on 2016-07-17 06:16 by pabstersac, last changed 2016-07-17 17:48 by pabstersac. This issue is now closed.

Messages (10)
msg270612 - (view) Author: pablo sacristan (pabstersac) Date: 2016-07-17 06:16
The code is also simple on this one:
from types import CodeType as code
exec code(0, 2, 3, 0, "lol lolol", (), (), (), "", "", 0, "") 

The interpreter isn't checking if the code object is correct, therefore it is possible to segfault by putting wrong opcodes and more.
msg270613 - (view) Author: Decorater (Decorater) * Date: 2016-07-17 06:24
Why are you even using v2.7 anyway when you can use asyncio with the coroutines in 3.4 or newer (which is pretty fast on things and is thread safe).
msg270615 - (view) Author: Ammar Askar (ammar2) * (Python triager) Date: 2016-07-17 07:23
Can recreate on both py2.7 and py3.6

Constructor for CodeType in py3.6 is slightly different:

exec(code(0, 0, 2, 3, 0, b"lol lolol", (), (), (), "", "", 0, b""))
msg270618 - (view) Author: pablo sacristan (pabstersac) Date: 2016-07-17 08:11
I can also reproduce on 3.5 and on 3.4.
Thank you.
msg270645 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2016-07-17 15:21
I don't think this is a bug.  You can construct whatever code object you like; it is your responsibility at that point to make sure it is correct.  This is an example of why we call Python a "consenting adults" language.
msg270649 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2016-07-17 16:10
I agree with RDM. CPython makes no guarantee that you can't crash the interpreter if you really try to.  "Consenting adult" means we don't impose performance penalties on everyone just to protect some users from their own attempts to exploit edge cases.
msg270651 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2016-07-17 17:01
Let me add that, in principle, no one is opposed to making Python more fault-tolerant, certainly if there are demonstrable cases where the behavior can be exploited to deny services to others.  Cases like this, where it would seem that exploiters could only deny service to themselves, are much less interesting.  If someone were to submit a patch with tests and with benchmarking to show that the fix has minimal performance implications, a core developer might be inclined to review it.  But that seems like a lot of work for little gain when there are far more important problems that need attention.  Hence "consenting adults".
msg270654 - (view) Author: pablo sacristan (pabstersac) Date: 2016-07-17 17:28
I do agree it is not a very big problem, but it is still a problem. If a python program took user input (maybe HTTP server) took user input (POST values) and construct a code object with that input. It would be possible to crash it and that can be bad for the web application. Even though it is not the most important Python problem, it is still a problem which can cause moderate problems, and it can be exploited remotely if the HTTP server did what I said before. One vulnerable HTTP server is one too many ;)
Hope it helps :)
msg270655 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2016-07-17 17:38
If you construct a code object with user input without a checking, the segfault is the least of your problems. The user can inject a code that formats your hard disk or steals your passwords. It is impossible to write general checker that accepts all legitimate bytecode, but rejects malicious bytecode.
msg270656 - (view) Author: pablo sacristan (pabstersac) Date: 2016-07-17 17:48
Yes, but it is possible to blacklist some bytecode (it may be possible to blacklist all or almost all malicious bytecode) and even more if the attacker just wants to crash the target then the segfault would be an easy crash. It is still an attack scenario that is possible.
Hope it helps :)
History
Date User Action Args
2016-07-17 17:48:44pabstersacsetmessages: + msg270656
2016-07-17 17:43:41ned.deilysetstatus: open -> closed
resolution: remind -> wont fix
2016-07-17 17:38:12serhiy.storchakasetnosy: + serhiy.storchaka
messages: + msg270655
2016-07-17 17:28:08pabstersacsetstatus: closed -> open
resolution: wont fix -> remind
messages: + msg270654
2016-07-17 17:01:07ned.deilysetresolution: not a bug -> wont fix
messages: + msg270651
2016-07-17 16:10:56ned.deilysetstatus: open -> closed

nosy: + ned.deily
messages: + msg270649

resolution: not a bug
stage: resolved
2016-07-17 15:21:22r.david.murraysetnosy: + r.david.murray
messages: + msg270645
2016-07-17 08:11:15pabstersacsetmessages: + msg270618
versions: + Python 3.4, Python 3.5
2016-07-17 07:23:43ammar2setnosy: + ammar2

messages: + msg270615
versions: + Python 3.6
2016-07-17 06:24:42Decoratersetnosy: + Decorater
messages: + msg270613
2016-07-17 06:16:53pabstersaccreate