➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2016-09-06 02:10 by minhrau, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| issue27963.patch | xiang.zhang, 2016-09-06 05:50 | review | ||
| Messages (6) | |||
|---|---|---|---|
| msg274494 - (view) | Author: Minh Râu (minhrau) | Date: 2016-09-06 02:10 | |
Description:
------------
Null dereference in function set_conversion_mode due uncheck _ctypes_conversion_errors:
static PyObject *
set_conversion_mode(PyObject *self, PyObject *args)
{
char *coding, *mode;
PyObject *result;
...
PyMem_Free(_ctypes_conversion_errors);
_ctypes_conversion_errors = PyMem_Malloc(strlen(mode) + 1); //if memory is not enough, _ctypes_conversion_errors will be null
strcpy(_ctypes_conversion_errors, mode); // crash here
return result;
}
Test script:
---------------
import ctypes
s = 'a'*(0xffffffff/2-0xffff)
sss = 'a'*(0xffffffff/4)
ctypes.set_conversion_mode('a', s)
Expected result:
----------------
No Crash
Actual result:
--------------
Starting program: /home/minhrau/cpython-2.7/python ~/pythontestcase/test.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
(gdb) bt
#0 0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
#1 0xf7fba5f2 in set_conversion_mode (self=0x0, args=0xf7cd602c) at /home/minhrau/cpython-2.7/Modules/_ctypes/callproc.c:1706
#2 0x080f6dfc in call_function (oparg=<optimized out>, pp_stack=0xffffd45c) at Python/ceval.c:4350
#3 PyEval_EvalFrameEx (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:2987
#4 0x080f964e in PyEval_EvalCodeEx (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714, args=0x0, argcount=0, kws=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at Python/ceval.c:3582
#5 0x080f9942 in PyEval_EvalCode (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714) at Python/ceval.c:669
#6 0x0811e928 in run_mod (arena=0x8264f18, flags=0xffffd64c, locals=0xf7d5b714, globals=0xf7d5b714, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", mod=0x826daa0) at Python/pythonrun.c:1376
#7 PyRun_FileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", start=257, globals=0xf7d5b714, locals=0xf7d5b714, closeit=1, flags=0xffffd64c) at Python/pythonrun.c:1362
#8 0x081202f4 in PyRun_SimpleFileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", closeit=1, flags=0xffffd64c) at Python/pythonrun.c:948
#9 0x0805a37d in Py_Main (argc=2, argv=0xffffd794) at Modules/main.c:640
#10 0x080594cb in main (argc=2, argv=0xffffd794) at ./Modules/python.c:20
(gdb)
Patch:
--------------
file: cpython-2.7/Modules/_ctypes/callproc.c
1706,1707d1705
< if (_ctypes_conversion_errors == NULL)
< return PyErr_NoMemory();
|
|||
| msg274513 - (view) | Author: Xiang Zhang (xiang.zhang) *  |
Date: 2016-09-06 04:26 | |
Hmm, I tested the example snippet but it works. And PyMem_Free shouldn't fail when encounter NULL. The doc explicitly says "If p is NULL, no operation is performed". |
|||
| msg274521 - (view) | Author: Xiang Zhang (xiang.zhang) * |
Date: 2016-09-06 04:58 | |
Ooh, I treat dereference as decref, sorry. Then I think it may happen when there is not enough memory. But your patch is not complete, at least you should Py_DECREF(result). But this function may need more care since the malloc failure in it will alter states. |
|||
| msg274526 - (view) | Author: Xiang Zhang (xiang.zhang) * |
Date: 2016-09-06 05:50 | |
issue27963.patch tries to fix the crash caused by not enough memory and avoid inconsistent state when failure. |
|||
| msg274527 - (view) | Author: Minh Râu (minhrau) | Date: 2016-09-06 05:53 | |
the patch look good. Thank Xiang |
|||
| msg277514 - (view) | Author: Roundup Robot (python-dev)  |
Date: 2016-09-27 12:24 | |
New changeset 637ce96423ef by Serhiy Storchaka in branch '2.7': Issue #27963: Fixed possible null pointer dereference in ctypes.set_conversion_mode(). https://hg.python.org/cpython/rev/637ce96423ef |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:35 | admin | set | github: 72150 |
| 2016-09-27 12:25:35 | serhiy.storchaka | set | type: security -> crash |
| 2016-09-27 12:25:18 | serhiy.storchaka | set | status: open -> closed resolution: fixed stage: patch review -> resolved |
| 2016-09-27 12:24:38 | python-dev | set | nosy:
+ python-dev messages: + msg277514 |
| 2016-09-27 11:54:11 | serhiy.storchaka | set | stage: patch review |
| 2016-09-07 08:08:11 | serhiy.storchaka | set | assignee: serhiy.storchaka |
| 2016-09-07 03:43:33 | xiang.zhang | set | nosy:
+ serhiy.storchaka |
| 2016-09-06 14:14:19 | eryksun | link | issue27962 superseder |
| 2016-09-06 05:53:42 | minhrau | set | messages: + msg274527 |
| 2016-09-06 05:50:07 | xiang.zhang | set | files:
+ issue27963.patch keywords: + patch messages: + msg274526 |
| 2016-09-06 04:58:07 | xiang.zhang | set | messages: + msg274521 |
| 2016-09-06 04:26:06 | xiang.zhang | set | nosy:
+ xiang.zhang messages: + msg274513 |
| 2016-09-06 02:12:03 | minhrau | set | title: null poiter dereference in set_conversion_mode dua uncheck _ctypes_conversion_errors -> null poiter dereference in set_conversion_mode due uncheck _ctypes_conversion_errors |
| 2016-09-06 02:11:22 | minhrau | set | type: security |
| 2016-09-06 02:10:46 | minhrau | create | |