classification
Title: "stack smashing detected" in PyCursesWindow_Box
Type: crash Stage: resolved
Components: Extension Modules Versions: Python 3.7, Python 3.6, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: serhiy.storchaka Nosy List: Steve Fink, serhiy.storchaka, twouters, vstinner
Priority: normal Keywords: patch

Created on 2016-08-01 23:52 by Steve Fink, last changed 2017-11-07 07:56 by serhiy.storchaka. This issue is now closed.

Files
File name Uploaded Description Edit
python-2.7.12-curses-argparse.patch Steve Fink, 2016-08-20 22:26 Fix arg parsing stack smash
Pull Requests
URL Status Linked Edit
PR 4220 merged serhiy.storchaka, 2017-11-01 16:54
PR 4221 merged python-dev, 2017-11-01 18:49
PR 4222 merged python-dev, 2017-11-01 19:24
PR 4305 merged serhiy.storchaka, 2017-11-07 07:09
Messages (8)
msg271796 - (view) Author: Steve Fink (Steve Fink) Date: 2016-08-01 23:52
When attempting to run |hg chistedit|, which uses the python curses module, I am getting *** stack smashing detected ***: /usr/bin/python terminated

The problem is in PyCursesWindow_Box in _cursesmodule.c:

        if (!PyArg_ParseTuple(args,"ll;vertint,horint", &ch1, &ch2))
            return NULL;

ch1 and ch2 are of type 'chtype', which is a 4-byte integer on my platform. (I am on a fresh install of Fedora 24 x86_64.) The format string 'l' is writing 8 bytes. It is hard to fit 8 bytes into a 4 byte variable.

I scanned through the rest of the file. Most places are very careful about this; if needed, they'll parse into a 'long' temporary and then assign. But here's another one in PyCurses_UngetMouse:

    MEVENT event;
    PyCursesInitialised;
    if (!PyArg_ParseTuple(args, "hiiil",
                          &event.id,
                          &event.x, &event.y, &event.z,
                          (int *) &event.bstate))
        return NULL;

event.bstate is of type mmask_t, which is also 4 bytes.

I did not find any more in that file.

% rpm -q python-libs
python-libs-2.7.12-1.fc24.x86_64
msg273248 - (view) Author: Steve Fink (Steve Fink) Date: 2016-08-20 22:26
I'm running now (successfully) with a simpler patch, just changing it to parse format 'i', but this patch is probably a bit safer.
msg305386 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-11-01 17:01
Thank you for your patch Steve.

It is better to use PyCurses_ConvertToChtype() which is used for parsing all chtype arguments.
msg305394 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-11-01 19:23
New changeset aad7ac10af6ed40fc21b842e04be0b04b2915d4a by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6':
bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (#4221)
https://github.com/python/cpython/commit/aad7ac10af6ed40fc21b842e04be0b04b2915d4a
msg305395 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-11-01 19:24
New changeset b694770a2b23cd485c98bf673a8b2dc1a865d9df by Serhiy Storchaka (Miss Islington (bot)) in branch '2.7':
bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (#4222)
https://github.com/python/cpython/commit/b694770a2b23cd485c98bf673a8b2dc1a865d9df
msg305704 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2017-11-07 01:03
The Python 2.7 backport (commit b694770a2b23cd485c98bf673a8b2dc1a865d9df) is wrong. The _curses module cannot be compiled anymore:

Example of compilation errors:

/home/haypo/prog/python/2.7/Modules/_cursesmodule.c: In function 'PyCursesWindow_Box':
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:39: warning: passing argument 1 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                       ^~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'PyObject * {aka struct _object *}' but argument is of type 'PyCursesWindowObject * {aka struct <anonymous> *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:45: warning: passing argument 2 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                             ^~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'chtype * {aka unsigned int *}' but argument is of type 'PyObject * {aka struct _object *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:14: error: too many arguments to function 'PyCurses_ConvertToChtype'
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
              ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: declared here
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
msg305717 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-11-07 07:55
New changeset 69ea4b4deb123c9a3c986b7afb85183732784f4f by Serhiy Storchaka in branch '2.7':
Fix bpo-27666 backporting error in _cursesmodule.c (#4305)
https://github.com/python/cpython/commit/69ea4b4deb123c9a3c986b7afb85183732784f4f
msg305718 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-11-07 07:56
Thank you for catching this Victor.
History
Date User Action Args
2017-11-07 07:56:22serhiy.storchakasetmessages: + msg305718
2017-11-07 07:55:40serhiy.storchakasetstatus: open -> closed
resolution: fixed
messages: + msg305717

stage: patch review -> resolved
2017-11-07 07:09:06serhiy.storchakasetstage: resolved -> patch review
pull_requests: + pull_request4268
2017-11-07 01:03:45vstinnersetstatus: closed -> open

nosy: + vstinner
messages: + msg305704

resolution: fixed -> (no value)
2017-11-01 19:26:21serhiy.storchakasetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2017-11-01 19:24:02serhiy.storchakasetmessages: + msg305395
2017-11-01 19:24:02python-devsetpull_requests: + pull_request4190
2017-11-01 19:23:52serhiy.storchakasetmessages: + msg305394
2017-11-01 18:49:58python-devsetpull_requests: + pull_request4189
2017-11-01 17:02:05serhiy.storchakasetassignee: serhiy.storchaka
versions: + Python 3.6, Python 3.7
2017-11-01 17:01:54serhiy.storchakasetmessages: + msg305386
2017-11-01 16:54:43serhiy.storchakasetstage: needs patch -> patch review
pull_requests: + pull_request4188
2016-08-20 22:26:22Steve Finksetfiles: + python-2.7.12-curses-argparse.patch
keywords: + patch
messages: + msg273248
2016-08-02 13:27:45serhiy.storchakasetnosy: + serhiy.storchaka

stage: needs patch
2016-08-02 08:41:24SilentGhostsetnosy: + twouters
components: + Extension Modules, - Library (Lib)
2016-08-01 23:52:30Steve Finkcreate