classification
Title: Buffer overflow in kqueue.control()
Type: crash
Stage: resolved
Components: Extension Modules, FreeBSD
Versions: Python 3.7, Python 3.6, Python 2.7

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: serhiy.storchaka
Nosy List: koobs, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2017-04-12 17:13 by serhiy.storchaka, last changed 2017-10-12 21:13 by serhiy.storchaka. This issue is now closed.

Pull Requests
URL Status Linked
PR 1095 merged serhiy.storchaka, 2017-04-12 17:20
PR 3973 merged python-dev, 2017-10-12 19:19
PR 3976 merged serhiy.storchaka, 2017-10-12 20:20
Messages (6)
msg291563 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-04-12 17:13
The first parameter of kqueue.control() is documented as an iterable. But actually it should have a length. kqueue.control() uses PyObject_Size() for allocating an array and PyObject_GetIter()+PyIter_Next() for iterating kevent objects and filling the array. If the length and the iterator are not consistent this can lead to writing past the end of the array.
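
The failure mode described in the message above, as an added C example that is not CPython's code or the merged patch. It is a plain-C model in which `struct source`, `source_next` and `fill_checked` are hypothetical stand-ins for the object, its iterator and the array-filling loop; it sizes the array from the reported length, bounds-checks every write and rejects input whose iterator disagrees with that length.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for an object whose size query and iterator can
 * disagree (e.g. a Python class with unrelated __len__ and __iter__). */
struct source {
    size_t reported_len;   /* what the size query claims */
    size_t actual_len;     /* how many items iteration really yields */
    size_t pos;            /* iterator state */
};

int source_next(struct source *s, int *item) {
    if (s->pos >= s->actual_len)
        return 0;                      /* exhausted */
    *item = (int)s->pos++;
    return 1;
}

enum { FILL_OK = 0, FILL_MISMATCH = -1, FILL_NOMEM = -2 };

/* Size the array from the reported length, but check the bound on every
 * write and reject the input if the iterator yields more or fewer items. */
int fill_checked(struct source *s, int **out, size_t *count) {
    size_t cap = s->reported_len, n = 0;
    int item, *buf;

    *out = NULL;
    *count = 0;
    if (cap > (size_t)-1 / sizeof *buf)
        return FILL_NOMEM;             /* cap * sizeof would wrap around */
    buf = malloc(cap ? cap * sizeof *buf : 1);
    if (buf == NULL)
        return FILL_NOMEM;
    while (source_next(s, &item)) {
        if (n == cap) {                /* an unchecked loop writes buf[cap] here */
            free(buf);
            return FILL_MISMATCH;
        }
        buf[n++] = item;
    }
    if (n != cap) {                    /* short iterator: tail is uninitialised */
        free(buf);
        return FILL_MISMATCH;
    }
    *out = buf;
    *count = n;
    return FILL_OK;
}
```

On success the caller owns the returned array and frees it; on any error the outputs are left as NULL and 0.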
msg291565 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-04-12 17:21
Proposed patch presumably fixes the issue. But since this is *BSD specific I can't even check that it is compiled.
msg304281 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-10-12 18:56
I have tested it on FreeBSD, found and fixed one bug.
msg304282 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-10-12 19:17
New changeset de072100775cc29e6cd93a75466cecbd1086f258 by Serhiy Storchaka in branch 'master':
bpo-30058: Fixed buffer overflow in select.kqueue.control(). (#1095)
https://github.com/python/cpython/commit/de072100775cc29e6cd93a75466cecbd1086f258
msg304286 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-10-12 20:20
New changeset c923da188bc055e4f3001a6daf1caf54f2b10e40 by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6':
[3.6] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (GH-1095) (#3973)
https://github.com/python/cpython/commit/c923da188bc055e4f3001a6daf1caf54f2b10e40
msg304289 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2017-10-12 21:13
New changeset 9aa60245a0ff929e528b4521da7af20dacd4145b by Serhiy Storchaka in branch '2.7':
[2.7] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (GH-1095). (#3976)
https://github.com/python/cpython/commit/9aa60245a0ff929e528b4521da7af20dacd4145b
History
Date User Action Args
2017-10-12 21:13:33 serhiy.storchaka set status: open -> closed; resolution: fixed; stage: patch review -> resolved
2017-10-12 21:13:13 serhiy.storchaka set messages: + msg304289
2017-10-12 20:20:46 serhiy.storchaka set messages: + msg304286
2017-10-12 20:20:04 serhiy.storchaka set pull_requests: + pull_request3952
2017-10-12 19:19:00 python-dev set keywords: + patch; pull_requests: + pull_request3951
2017-10-12 19:17:48 serhiy.storchaka set messages: + msg304282
2017-10-12 18:56:00 serhiy.storchaka set assignee: serhiy.storchaka; messages: + msg304281; versions: - Python 3.5
2017-04-12 17:21:44 serhiy.storchaka set messages: + msg291565; stage: patch review
2017-04-12 17:20:05 serhiy.storchaka set pull_requests: + pull_request1237
2017-04-12 17:13:38 serhiy.storchaka create