audioop.adpcm2lin Buffer Over-read #68644

Closed
JohnLeitch mannequin opened this issue Jun 15, 2015 · 4 comments
Labels
type-security A security issue

JohnLeitch mannequin commented Jun 15, 2015

BPO 24456
Nosy @serhiy-storchaka
Files
  • audioop.adpcm2lin_buffer_over-read.py
  • audioop_adpcm_range_check.patch
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/serhiy-storchaka'
    closed_at = <Date 2015-06-28.16:31:26.334>
    created_at = <Date 2015-06-15.20:57:26.480>
    labels = ['type-security']
    title = 'audioop.adpcm2lin Buffer Over-read'
    updated_at = <Date 2015-07-05.21:07:40.360>
    user = 'https://bugs.python.org/JohnLeitch'

    bugs.python.org fields:

    activity = <Date 2015-07-05.21:07:40.360>
    actor = 'Arfrever'
    assignee = 'serhiy.storchaka'
    closed = True
    closed_date = <Date 2015-06-28.16:31:26.334>
    closer = 'serhiy.storchaka'
    components = []
    creation = <Date 2015-06-15.20:57:26.480>
    creator = 'JohnLeitch'
    dependencies = []
    files = ['39712', '39816']
    hgrepos = []
    issue_num = 24456
    keywords = ['patch']
    message_count = 4.0
    messages = ['245407', '245850', '245906', '245907']
    nosy_count = 4.0
    nosy_names = ['Arfrever', 'python-dev', 'serhiy.storchaka', 'JohnLeitch']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue24456'
    versions = ['Python 2.7', 'Python 3.4', 'Python 3.5', 'Python 3.6']


    JohnLeitch mannequin commented Jun 15, 2015

    The audioop.adpcm2lin function suffers from a buffer over-read caused by unchecked access to stepsizeTable at line 1545 of Modules\audioop.c:

    } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
        return 0;

    step = stepsizeTable[index];
        
    Because the index variable can be controlled via the third parameter of audioop.adpcm2lin, this behavior could potentially be exploited to disclose arbitrary memory, should an application expose the parameter to the attack surface.

    0:000> r
    eax=01f13474 ebx=00000000 ecx=00000002 edx=01f13460 esi=01f13460 edi=00000001
    eip=1e01c4f0 esp=0027fcdc ebp=7e86ecdd iopl=0 nv up ei pl nz na po nc
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
    python27!audioop_adpcm2lin+0xe0:
    1e01c4f0 8b04adb0dd1f1e mov eax,dword ptr python27!stepsizeTable (1e1fddb0)[ebp*4] ss:002b:183b9124=????????
    0:000> k
    ChildEBP RetAddr
    0027fd18 1e0aafd7 python27!audioop_adpcm2lin+0xe0
    0027fd30 1e0edd10 python27!PyCFunction_Call+0x47
    0027fd5c 1e0f017a python27!call_function+0x2b0
    0027fdcc 1e0f1150 python27!PyEval_EvalFrameEx+0x239a
    0027fe00 1e0f11b2 python27!PyEval_EvalCodeEx+0x690
    0027fe2c 1e11707a python27!PyEval_EvalCode+0x22
    0027fe44 1e1181c5 python27!run_mod+0x2a
    0027fe64 1e118760 python27!PyRun_FileExFlags+0x75
    0027fea4 1e1190d9 python27!PyRun_SimpleFileExFlags+0x190
    0027fec0 1e038d35 python27!PyRun_AnyFileExFlags+0x59
    0027ff3c 1d00116d python27!Py_Main+0x965
    0027ff80 76477c04 python!__tmainCRTStartup+0x10f
    0027ff94 7799ad1f KERNEL32!BaseThreadInitThunk+0x24
    0027ffdc 7799acea ntdll!__RtlUserThreadStart+0x2f
    0027ffec 0000000 ntdll!_RtlUserThreadStart+0x1b
    0:000>

    To fix this issue, it is recommended that bounds checking be performed prior to accessing stepsizeTable.

    @JohnLeitch JohnLeitch mannequin added the type-security A security issue label Jun 15, 2015
    @serhiy-storchaka serhiy-storchaka self-assigned this Jun 16, 2015
    @serhiy-storchaka
    Member

    Here is a patch that checks the state and raises ValueError if integer values are out of range.
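The range check discussed in the report and in the comment above, as an added example (not the CPython patch and not code from this thread): a simplified IMA ADPCM nibble decoder that validates the caller-supplied (valpred, index) state before it indexes the step-size table. The names `check_state`, `decode_nibble` and `step_table` are hypothetical, and the accepted ranges (16-bit valpred, index inside the table) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, hypothetical names. Standard IMA ADPCM step sizes and index deltas. */
static const int step_table[] = {
    7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31, 34, 37, 41, 45,
    50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130, 143, 157, 173, 190, 209,
    230, 253, 279, 307, 337, 371, 408, 449, 494, 544, 598, 658, 724, 796,
    876, 963, 1060, 1166, 1282, 1411, 1552, 1707, 1878, 2066, 2272, 2499,
    2749, 3024, 3327, 3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132, 7845,
    8630, 9493, 10442, 11487, 12635, 13899, 15289, 16818, 18500, 20350,
    22385, 24623, 27086, 29794, 32767
};
static const int index_table[16] = {-1,-1,-1,-1,2,4,6,8,-1,-1,-1,-1,2,4,6,8};
#define STEP_COUNT ((int)(sizeof step_table / sizeof step_table[0]))

/* Reject caller-supplied state before it is ever used as a table index. */
int check_state(int valpred, int index) {
    if (valpred < -0x8000 || valpred >= 0x8000) return -1;  /* assumed 16-bit range */
    if (index < 0 || index >= STEP_COUNT) return -1;        /* must lie in the table */
    return 0;
}

/* Decode one 4-bit code and update the state; returns -1 on a rejected state. */
int decode_nibble(int code, int *valpred, int *index) {
    if (check_state(*valpred, *index) != 0) return -1;
    int step = step_table[*index];          /* in bounds: checked above */
    int diff = step >> 3;
    if (code & 4) diff += step;
    if (code & 2) diff += step >> 1;
    if (code & 1) diff += step >> 2;
    int v = (code & 8) ? *valpred - diff : *valpred + diff;
    if (v > 32767) v = 32767; else if (v < -32768) v = -32768;
    int i = *index + index_table[code & 15];
    if (i < 0) i = 0; else if (i >= STEP_COUNT) i = STEP_COUNT - 1;
    *valpred = v; *index = i;
    return 0;
}

int main(void) {
    int states[][2] = {{0, 0}, {0, 89}, {0, -1}, {40000, 0}};  /* constructed inputs */
    for (int k = 0; k < 4; k++) {
        int v = states[k][0], i = states[k][1];
        int rc = decode_nibble(7, &v, &i);
        printf("(%d, %d): %s\n", states[k][0], states[k][1], rc ? "rejected" : "decoded");
    }
}
```

Without the `check_state` call, the `step_table[*index]` read is the same unchecked lookup the report points at in `stepsizeTable[index]`.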


    python-dev mannequin commented Jun 28, 2015

    New changeset 1f6c096ee772 by Serhiy Storchaka in branch '2.7':
    Issue bpo-24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
    https://hg.python.org/cpython/rev/1f6c096ee772

    New changeset fd17e168b59f by Serhiy Storchaka in branch '3.4':
    Issue bpo-24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
    https://hg.python.org/cpython/rev/fd17e168b59f

    New changeset 3039cb5b673c by Serhiy Storchaka in branch '3.5':
    Issue bpo-24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
    https://hg.python.org/cpython/rev/3039cb5b673c

    New changeset 0e1d9018e74b by Serhiy Storchaka in branch 'default':
    Issue bpo-24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
    https://hg.python.org/cpython/rev/0e1d9018e74b

    @serhiy-storchaka
    Member

    The patch for 2.7 also fixed SystemError and possible memory leak.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022