Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

S_unpack_from() Read Access Violation #46842

Closed
jnferguson mannequin opened this issue Apr 8, 2008 · 5 comments
Closed

S_unpack_from() Read Access Violation #46842

jnferguson mannequin opened this issue Apr 8, 2008 · 5 comments
Labels
extension-modules C modules in the Modules dir type-security A security issue

Comments

@jnferguson
Copy link
Mannequin

jnferguson mannequin commented Apr 8, 2008

BPO 2590
Nosy @gvanrossum, @amauryfa

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2009-06-03.21:42:45.516>
created_at = <Date 2008-04-08.16:09:34.343>
labels = ['type-security', 'extension-modules']
title = 'S_unpack_from() Read Access Violation'
updated_at = <Date 2009-06-03.21:42:45.514>
user = 'https://bugs.python.org/jnferguson'

bugs.python.org fields:

activity = <Date 2009-06-03.21:42:45.514>
actor = 'amaury.forgeotdarc'
assignee = 'none'
closed = True
closed_date = <Date 2009-06-03.21:42:45.516>
closer = 'amaury.forgeotdarc'
components = ['Extension Modules']
creation = <Date 2008-04-08.16:09:34.343>
creator = 'jnferguson'
dependencies = []
files = []
hgrepos = []
issue_num = 2590
keywords = []
message_count = 5.0
messages = ['65178', '65373', '65380', '70757', '88832']
nosy_count = 3.0
nosy_names = ['gvanrossum', 'amaury.forgeotdarc', 'jnferguson']
pr_nums = []
priority = 'normal'
resolution = 'works for me'
stage = None
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue2590'
versions = ['Python 2.5']

@jnferguson
Copy link
Mannequin Author

jnferguson mannequin commented Apr 8, 2008

The S_unpack_from() function in Modules/_struct.c does not adequately
validate its arguments, potentially causing an out-of-bounds read
access. It should be noted that the check at line 1561 is inadequate for
obscene values of offset. Finally, because they're not really important
and I really don't want to type them all up-- you guys might want to go
through your code-- especially the modules and look for constructs where
an empty string will cause memory to be uninitialized-- look at the
audioop module for examples of what I mean-- the only thing that
actually saved you guys from overflows there was that the loops you
write with use the same variable.

1533 static PyObject *
1534 s_unpack_from(PyObject *self, PyObject *args, PyObject *kwds)
1535 {
1536 static char *kwlist[] = {"buffer", "offset", 0};
1537 #if (PY_VERSION_HEX < 0x02050000)
1538 static char *fmt = "z#|i:unpack_from";
1539 #else
1540 static char *fmt = "z#|n:unpack_from";
1541 #endif
1542 Py_ssize_t buffer_len = 0, offset = 0;
[...]
1547
1548 if (!PyArg_ParseTupleAndKeywords(args, kwds, fmt, kwlist,
1549 &buffer, &buffer_len,
&offset))
1550 return NULL;
[...]
1558 if (offset < 0)
1559 offset += buffer_len;
1560
1561 if (offset < 0 || (buffer_len - offset) < soself->s_size) {
[...]
1566 }
1567 return s_unpack_internal(soself, buffer + offset);
1568 }

@jnferguson jnferguson mannequin added extension-modules C modules in the Modules dir type-security A security issue labels Apr 8, 2008
@amauryfa
Copy link
Member

What do you mean by "obscene" values? Do you have an example of actual
values where the check at line 1561 does not do the right thing?

-- just trying to understand where the problem is.

@jnferguson
Copy link
Mannequin Author

jnferguson mannequin commented Apr 11, 2008

What I was originally thinking was if offset was larger than buf_len,
that would cause the check at 1561 to fail due to the subtraction. That
said, I'm not sure what type its being compared against so I need to
check this further, let me get back to you, I may have made a mistake
and this may be !bug.

@gvanrossum
Copy link
Member

Ping? Patch?

@amauryfa
Copy link
Member

amauryfa commented Jun 3, 2009

All expressions are of type Py_ssize_t, which is signed.
buffer_len is positive; the subtraction (buffer_len - offset) can
overflow only if offset is a (large) negative number, but then the first
part of the test is already fulfilled.

Closing unless more evidence is given.

@amauryfa amauryfa closed this as completed Jun 3, 2009
@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
extension-modules C modules in the Modules dir type-security A security issue
Projects
None yet
Development

No branches or pull requests

2 participants