classification
Title: null poiter dereference in set_conversion_mode due uncheck _ctypes_conversion_encoding
Type: security Stage: resolved
Components: ctypes Versions: Python 2.7
process
Status: closed Resolution: duplicate
Dependencies: Superseder: null poiter dereference in set_conversion_mode due uncheck _ctypes_conversion_errors
View: 27963
Assigned To: Nosy List: minhrau, xiang.zhang
Priority: normal Keywords:

Created on 2016-09-06 02:09 by minhrau, last changed 2016-09-06 14:14 by eryksun. This issue is now closed.

Messages (3)
msg274493 - (view) Author: Minh Râu (minhrau) Date: 2016-09-06 02:09
Description:
------------
Null dereference in function set_conversion_mode due uncheck _ctypes_conversion_encoding:

static PyObject *
set_conversion_mode(PyObject *self, PyObject *args)
{
...
    if (coding) {
        PyMem_Free(_ctypes_conversion_encoding);
        _ctypes_conversion_encoding = PyMem_Malloc(strlen(coding) + 1); //if memory is not enough, _ctypes_conversion_encoding will be null
        strcpy(_ctypes_conversion_encoding, coding); // crash here
    } else {
...


Test script:
---------------

import ctypes

s = 'a'*(0xffffffff/2-0xffff)
sss = 'a'*(0xffffffff/4)
ctypes.set_conversion_mode(s, s)


Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/cpython-2.7/python ~/pythontestcase/test.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
(gdb) bt
#0  0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
#1  0xf7fba5c2 in set_conversion_mode (self=0x0, args=0xf7cd602c) at /home/minhrau/cpython-2.7/Modules/_ctypes/callproc.c:1700
#2  0x080f6dfc in call_function (oparg=<optimized out>, pp_stack=0xffffd45c) at Python/ceval.c:4350
#3  PyEval_EvalFrameEx (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:2987
#4  0x080f964e in PyEval_EvalCodeEx (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714, args=0x0, argcount=0, kws=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at Python/ceval.c:3582
#5  0x080f9942 in PyEval_EvalCode (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714) at Python/ceval.c:669
#6  0x0811e928 in run_mod (arena=0x8264f18, flags=0xffffd64c, locals=0xf7d5b714, globals=0xf7d5b714, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", mod=0x826daa0) at Python/pythonrun.c:1376
#7  PyRun_FileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", start=257, globals=0xf7d5b714, locals=0xf7d5b714, closeit=1, flags=0xffffd64c) at Python/pythonrun.c:1362
#8  0x081202f4 in PyRun_SimpleFileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", closeit=1, flags=0xffffd64c) at Python/pythonrun.c:948
#9  0x0805a37d in Py_Main (argc=2, argv=0xffffd794) at Modules/main.c:640
#10 0x080594cb in main (argc=2, argv=0xffffd794) at ./Modules/python.c:20

Patch:
--------------
file: cpython-2.7/Modules/_ctypes/callproc.c
1700,1701d1699
<         if (_ctypes_conversion_encoding == NULL)
<             return PyErr_NoMemory();
msg274514 - (view) Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2016-09-06 04:31
Same as my comment in issue27963.

Python 2.7.12+ (2.7:de9e410e78d8, Sep  6 2016, 12:28:48) 
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ctypes
>>> 
>>> s = 'a'*(0xffffffff/2-0xffff)
>>> sss = 'a'*(0xffffffff/4)
>>> ctypes.set_conversion_mode(s, s)
('ascii', 'strict')
msg274523 - (view) Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2016-09-06 05:01
I suggest close this as duplicate of issue27963 and fix these all in that issue.
History
Date User Action Args
2016-09-06 14:14:19eryksunsetstatus: open -> closed
superseder: null poiter dereference in set_conversion_mode due uncheck _ctypes_conversion_errors
resolution: duplicate
stage: resolved
2016-09-06 05:01:38xiang.zhangsetmessages: + msg274523
2016-09-06 04:31:00xiang.zhangsetnosy: + xiang.zhang
messages: + msg274514
2016-09-06 02:12:08minhrausettitle: null poiter dereference in set_conversion_mode dua uncheck _ctypes_conversion_encoding -> null poiter dereference in set_conversion_mode due uncheck _ctypes_conversion_encoding
2016-09-06 02:09:52minhraucreate