
NULL pointer dereference in listsort() with key function #68232

Closed
benjaminp opened this issue Apr 23, 2015 · 2 comments
Labels
interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@benjaminp

BPO 24044
Nosy @tiran, @benjaminp

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2015-04-23.21:08:08.884>
created_at = <Date 2015-04-23.21:03:08.664>
labels = ['interpreter-core', 'type-crash']
title = 'NULL pointer dereference in listsort() with key function'
updated_at = <Date 2015-04-23.23:19:37.308>
user = 'https://github.com/benjaminp'

bugs.python.org fields:

activity = <Date 2015-04-23.23:19:37.308>
actor = 'Arfrever'
assignee = 'none'
closed = True
closed_date = <Date 2015-04-23.21:08:08.884>
closer = 'python-dev'
components = ['Interpreter Core']
creation = <Date 2015-04-23.21:03:08.664>
creator = 'benjamin.peterson'
dependencies = []
files = []
hgrepos = []
issue_num = 24044
keywords = []
message_count = 2.0
messages = ['241889', '241890']
nosy_count = 4.0
nosy_names = ['christian.heimes', 'benjamin.peterson', 'Arfrever', 'python-dev']
pr_nums = []
priority = 'high'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue24044'
versions = ['Python 3.2', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6']

@benjaminp

Found by Christian Heimes:

Coverity has found a flaw in Objects/listobject.c:listsort() that
eventually leads to a NULL pointer dereference. Because NULL pointer
dereferences can lead to exploits or DoS vulnerabilities I'm reporting
the error on PSRT first. The error is on a code path that can be
triggered by a remote attacker, although not that easily. All Python 3
versions are affected, Python 2.7 looks safe.

The problematic code line is
https://hg.python.org/cpython/file/bc1a178b3bc8/Objects/listobject.c#l1965
. The code fails to restore self->ob_item to saved_ob_item when
PyMem_MALLOC() fails. Subsequent access to the same list object will
dereference self->ob_item (which is still NULL) and cause a segfault.

A remote attack might be able to trigger the segfault with a large
data set. All it takes is an application that sorts this large data
set with list.sort() and a custom key function. When Python runs out
of memory just in the right spot ... CRASH.

Additionally there is another bug, too. list.sort() doesn't set an
exception when PyMem_MALLOC() fails. A fix for both issues is simple
and straightforward:

diff -r bc1a178b3bc8 Objects/listobject.c
- --- a/Objects/listobject.c      Sat Apr 18 05:54:02 2015 +0200
+++ b/Objects/listobject.c      Sat Apr 18 06:29:02 2015 +0200
@@ -1961,8 +1961,10 @@
             keys = &ms.temparray[saved_ob_size+1];
         else {
             keys = PyMem_MALLOC(sizeof(PyObject *) * saved_ob_size);
- -            if (keys == NULL)
- -                return NULL;
+            if (keys == NULL) {
+                PyErr_NoMemory();
+                goto keyfunc_fail;
+            }
         }
         for (i = 0; i < saved_ob_size ; i++) {
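Review bot: the `goto keyfunc_fail` introduced in this hunk jumps to a label outside the shown context, so the hunk alone does not demonstrate that the reported bug is fixed; confirm that the cleanup at `keyfunc_fail` restores `self->ob_item` to `saved_ob_item` (and the saved size), since the report above identifies that missing restore, not only the missing exception, as the cause of the NULL dereference on the next access to the list. Also, the `- ---` and `- -` prefixes on the `---` header and the removed lines are mail dash-escaping, so the patch as quoted will not apply until the leading `- ` is stripped from those lines.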

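The failure mode described in the report, modelled as an added, self-contained example (not CPython's code): a container detaches its item array while sorting, a scratch buffer for key values is allocated, and the buggy variant returns early on allocation failure without putting the array back, so the next access dereferences NULL. The fixed variant funnels every exit through one cleanup label, the same shape as the `goto keyfunc_fail` in the patch. `IntList`, `checked_malloc`, `fail_next_alloc`, `sort_buggy`, `sort_fixed` and the helpers are all hypothetical names invented for this example; the allocator hook exists only so the out-of-memory path can be exercised deterministically.

```c
/* Added example, not CPython's code. Models listsort()'s pattern of handing
 * the item array to the sort routine and restoring it on every exit path. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    long *items;   /* hypothetical stand-in for PyListObject.ob_item */
    size_t size;
} IntList;

typedef struct { long key; long value; } KeyedItem;

/* Hypothetical allocator hook: set fail_next_alloc to force one NULL return,
 * simulating PyMem_MALLOC() failing "just in the right spot". */
static int fail_next_alloc = 0;
static void *checked_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* The "key function": sort by absolute value. */
static long key_abs(long v) { return v < 0 ? -v : v; }

static int cmp_keyed(const void *a, const void *b) {
    long ka = ((const KeyedItem *)a)->key, kb = ((const KeyedItem *)b)->key;
    return (ka > kb) - (ka < kb);
}

/* Core of the sort once the scratch buffer of keys exists. */
static void sort_items_by_key(long *items, size_t n, KeyedItem *scratch) {
    for (size_t i = 0; i < n; i++) {
        scratch[i].key = key_abs(items[i]);
        scratch[i].value = items[i];
    }
    qsort(scratch, n, sizeof *scratch, cmp_keyed);
    for (size_t i = 0; i < n; i++) items[i] = scratch[i].value;
}

/* Buggy variant, mirroring the reported code: -1 on allocation failure, but
 * the early return skips the restore and leaves list->items == NULL. */
int sort_buggy(IntList *list) {
    long *saved_items = list->items;
    size_t saved_size = list->size;
    list->items = NULL;   /* detached while sorting, as listsort() does */
    list->size = 0;
    KeyedItem *scratch = checked_malloc(saved_size * sizeof *scratch);
    if (scratch == NULL)
        return -1;        /* BUG: saved_items is never put back */
    sort_items_by_key(saved_items, saved_size, scratch);
    free(scratch);
    list->items = saved_items;
    list->size = saved_size;
    return 0;
}

/* Fixed variant: one cleanup label restores the container on every path,
 * so a failed sort leaves the list unsorted but still usable. */
int sort_fixed(IntList *list) {
    int rc = -1;
    long *saved_items = list->items;
    size_t saved_size = list->size;
    list->items = NULL;
    list->size = 0;
    KeyedItem *scratch = checked_malloc(saved_size * sizeof *scratch);
    if (scratch == NULL)
        goto fail;        /* the caller still sees the error via rc */
    sort_items_by_key(saved_items, saved_size, scratch);
    free(scratch);
    rc = 0;
fail:
    list->items = saved_items;
    list->size = saved_size;
    return rc;
}

/* Returns 1 when a normal run sorts the constructed input by |x|. */
int sorts_by_abs(int (*sorter)(IntList *)) {
    long data[4] = {3, -1, 2, -4};   /* constructed sample input */
    IntList list = { data, 4 };
    if (sorter(&list) != 0) return 0;
    return data[0] == -1 && data[1] == 2 && data[2] == 3 && data[3] == -4
        && list.items == data && list.size == 4;
}

/* Returns 1 when, after a forced allocation failure, the sorter reported the
 * error AND left the list intact (items pointer and size restored). */
int survives_alloc_failure(int (*sorter)(IntList *)) {
    long data[3] = {3, -1, 2};       /* constructed sample input */
    IntList list = { data, 3 };
    fail_next_alloc = 1;
    int rc = sorter(&list);
    return rc == -1 && list.items == data && list.size == 3;
}

int main(void) {
    printf("buggy: sorted ok=%d, intact after OOM=%d\n",
           sorts_by_abs(sort_buggy), survives_alloc_failure(sort_buggy));
    printf("fixed: sorted ok=%d, intact after OOM=%d\n",
           sorts_by_abs(sort_fixed), survives_alloc_failure(sort_fixed));
    return 0;
}
```

The check that matters for a reviewer is `survives_alloc_failure`: both variants report the error, but only the fixed one leaves `items` non-NULL, which is exactly the property the original patch's `goto keyfunc_fail` must guarantee for the label it jumps to.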
@benjaminp benjaminp added interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump labels Apr 23, 2015
@python-dev

python-dev mannequin commented Apr 23, 2015

New changeset 91096d27c802 by Benjamin Peterson in branch '3.2':
properly handle malloc failure (closes bpo-24044)
https://hg.python.org/cpython/rev/91096d27c802

New changeset 0d8f15053f42 by Benjamin Peterson in branch '3.3':
merge 3.2 (bpo-24044)
https://hg.python.org/cpython/rev/0d8f15053f42

New changeset 80485b8e43cd by Benjamin Peterson in branch '3.4':
merge 3.3 (bpo-24044)
https://hg.python.org/cpython/rev/80485b8e43cd

New changeset bd656916586f by Benjamin Peterson in branch 'default':
merge 3.4 (bpo-24044)
https://hg.python.org/cpython/rev/bd656916586f

@python-dev python-dev mannequin closed this as completed Apr 23, 2015
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022