classification
Title: null poiter dereference in set_conversion_mode due uncheck _ctypes_conversion_errors
Type: crash Stage: resolved
Components: ctypes Versions: Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: serhiy.storchaka Nosy List: minhrau, python-dev, serhiy.storchaka, xiang.zhang
Priority: normal Keywords: patch

Created on 2016-09-06 02:10 by minhrau, last changed 2016-09-27 12:25 by serhiy.storchaka. This issue is now closed.

Files
File name Uploaded Description Edit
issue27963.patch xiang.zhang, 2016-09-06 05:50 review
Messages (6)
msg274494 - (view) Author: Minh Râu (minhrau) Date: 2016-09-06 02:10
Description:
------------
Null dereference in function set_conversion_mode due uncheck _ctypes_conversion_errors:

static PyObject *
set_conversion_mode(PyObject *self, PyObject *args)
{
    char *coding, *mode;
    PyObject *result;
...
    PyMem_Free(_ctypes_conversion_errors);
    _ctypes_conversion_errors = PyMem_Malloc(strlen(mode) + 1); //if memory is not enough, _ctypes_conversion_errors will be null
    strcpy(_ctypes_conversion_errors, mode); // crash here
    return result;
}



Test script:
---------------

import ctypes

s = 'a'*(0xffffffff/2-0xffff)
sss = 'a'*(0xffffffff/4)
ctypes.set_conversion_mode('a', s)


Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/cpython-2.7/python ~/pythontestcase/test.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
(gdb) bt
#0  0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
#1  0xf7fba5f2 in set_conversion_mode (self=0x0, args=0xf7cd602c) at /home/minhrau/cpython-2.7/Modules/_ctypes/callproc.c:1706
#2  0x080f6dfc in call_function (oparg=<optimized out>, pp_stack=0xffffd45c) at Python/ceval.c:4350
#3  PyEval_EvalFrameEx (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:2987
#4  0x080f964e in PyEval_EvalCodeEx (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714, args=0x0, argcount=0, kws=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at Python/ceval.c:3582
#5  0x080f9942 in PyEval_EvalCode (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714) at Python/ceval.c:669
#6  0x0811e928 in run_mod (arena=0x8264f18, flags=0xffffd64c, locals=0xf7d5b714, globals=0xf7d5b714, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", mod=0x826daa0) at Python/pythonrun.c:1376
#7  PyRun_FileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", start=257, globals=0xf7d5b714, locals=0xf7d5b714, closeit=1, flags=0xffffd64c) at Python/pythonrun.c:1362
#8  0x081202f4 in PyRun_SimpleFileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", closeit=1, flags=0xffffd64c) at Python/pythonrun.c:948
#9  0x0805a37d in Py_Main (argc=2, argv=0xffffd794) at Modules/main.c:640
#10 0x080594cb in main (argc=2, argv=0xffffd794) at ./Modules/python.c:20
(gdb) 


Patch:
--------------
file: cpython-2.7/Modules/_ctypes/callproc.c
1706,1707d1705
<     if (_ctypes_conversion_errors == NULL)
<         return PyErr_NoMemory();
msg274513 - (view) Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2016-09-06 04:26
Hmm, I tested the example snippet but it works. And PyMem_Free shouldn't fail when encounter NULL. The doc explicitly says "If p is NULL, no operation is performed".
msg274521 - (view) Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2016-09-06 04:58
Ooh, I treat dereference as decref, sorry. Then I think it may happen when there is not enough memory. But your patch is not complete, at least you should Py_DECREF(result). But this function may need more care since the malloc failure in it will alter states.
msg274526 - (view) Author: Xiang Zhang (xiang.zhang) * (Python committer) Date: 2016-09-06 05:50
issue27963.patch tries to fix the crash caused by not enough memory and avoid inconsistent state when failure.
msg274527 - (view) Author: Minh Râu (minhrau) Date: 2016-09-06 05:53
the patch look good. Thank Xiang
msg277514 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-09-27 12:24
New changeset 637ce96423ef by Serhiy Storchaka in branch '2.7':
Issue #27963: Fixed possible null pointer dereference in ctypes.set_conversion_mode().
https://hg.python.org/cpython/rev/637ce96423ef
History
Date User Action Args
2016-09-27 12:25:35serhiy.storchakasettype: security -> crash
2016-09-27 12:25:18serhiy.storchakasetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved
2016-09-27 12:24:38python-devsetnosy: + python-dev
messages: + msg277514
2016-09-27 11:54:11serhiy.storchakasetstage: patch review
2016-09-07 08:08:11serhiy.storchakasetassignee: serhiy.storchaka
2016-09-07 03:43:33xiang.zhangsetnosy: + serhiy.storchaka
2016-09-06 14:14:19eryksunlinkissue27962 superseder
2016-09-06 05:53:42minhrausetmessages: + msg274527
2016-09-06 05:50:07xiang.zhangsetfiles: + issue27963.patch
keywords: + patch
messages: + msg274526
2016-09-06 04:58:07xiang.zhangsetmessages: + msg274521
2016-09-06 04:26:06xiang.zhangsetnosy: + xiang.zhang
messages: + msg274513
2016-09-06 02:12:03minhrausettitle: null poiter dereference in set_conversion_mode dua uncheck _ctypes_conversion_errors -> null poiter dereference in set_conversion_mode due uncheck _ctypes_conversion_errors
2016-09-06 02:11:22minhrausettype: security
2016-09-06 02:10:46minhraucreate