Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"stack smashing detected" in PyCursesWindow_Box #71853

Closed
SteveFink mannequin opened this issue Aug 1, 2016 · 8 comments
Closed

"stack smashing detected" in PyCursesWindow_Box #71853

SteveFink mannequin opened this issue Aug 1, 2016 · 8 comments
Assignees
@serhiy-storchaka
Labels
3.7 (EOL) end of life extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@SteveFink
Copy link
Mannequin

SteveFink mannequin commented Aug 1, 2016

BPO 27666
Nosy @Yhg1s, @vstinner, @serhiy-storchaka
PRs
  • bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). #4220
  • [3.6] bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) #4221
  • [2.7] bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) #4222
  • [2.7] Fix bpo-27666 backporting error in _cursesmodule.c  #4305
    		•
    Files
  • python-2.7.12-curses-argparse.patch: Fix arg parsing stack smash
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/serhiy-storchaka'
closed_at = <Date 2017-11-07.07:55:40.864>
created_at = <Date 2016-08-01.23:52:30.909>
labels = ['extension-modules', '3.7', 'type-crash']
title = '"stack smashing detected" in PyCursesWindow_Box'
updated_at = <Date 2017-11-07.07:56:22.623>
user = 'https://bugs.python.org/SteveFink'

    bugs.python.org fields:

    activity = <Date 2017-11-07.07:56:22.623>
actor = 'serhiy.storchaka'
assignee = 'serhiy.storchaka'
closed = True
closed_date = <Date 2017-11-07.07:55:40.864>
closer = 'serhiy.storchaka'
components = ['Extension Modules']
creation = <Date 2016-08-01.23:52:30.909>
creator = 'Steve Fink'
dependencies = []
files = ['44174']
hgrepos = []
issue_num = 27666
keywords = ['patch']
message_count = 8.0
messages = ['271796', '273248', '305386', '305394', '305395', '305704', '305717', '305718']
nosy_count = 4.0
nosy_names = ['twouters', 'vstinner', 'serhiy.storchaka', 'Steve Fink']
pr_nums = ['4220', '4221', '4222', '4305']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue27666'
versions = ['Python 2.7', 'Python 3.6', 'Python 3.7']
    @SteveFink
    Copy link
    Mannequin Author

    SteveFink mannequin commented Aug 1, 2016

    When attempting to run |hg chistedit|, which uses the python curses module, I am getting *** stack smashing detected ***: /usr/bin/python terminated

    The problem is in PyCursesWindow_Box in _cursesmodule.c:

        if (!PyArg_ParseTuple(args,"ll;vertint,horint", &ch1, &ch2))
        return NULL;

    ch1 and ch2 are of type 'chtype', which is a 4-byte integer on my platform. (I am on a fresh install of Fedora 24 x86_64.) The format string 'l' is writing 8 bytes. It is hard to fit 8 bytes into a 4 byte variable.

    I scanned through the rest of the file. Most places are very careful about this; if needed, they'll parse into a 'long' temporary and then assign. But here's another one in PyCurses_UngetMouse:

    MEVENT event;
PyCursesInitialised;
if (!PyArg_ParseTuple(args, "hiiil",
                      &event.id,
                      &event.x, &event.y, &event.z,
                      (int *) &event.bstate))
    return NULL;

    event.bstate is of type mmask_t, which is also 4 bytes.

    I did not find any more in that file.

    % rpm -q python-libs
    python-libs-2.7.12-1.fc24.x86_64

    @SteveFink SteveFink mannequin added stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump labels Aug 1, 2016
    @SilentGhost SilentGhost mannequin added extension-modules C modules in the Modules dir and removed stdlib Python modules in the Lib dir labels Aug 2, 2016
    @SteveFink
    Copy link
    Mannequin Author

    SteveFink mannequin commented Aug 20, 2016

    I'm running now (successfully) with a simpler patch, just changing it to parse format 'i', but this patch is probably a bit safer.

    @serhiy-storchaka
    Copy link
    Member

    Thank you for your patch Steve.

    It is better to use PyCurses_ConvertToChtype() which is used for parsing all chtype arguments.

    @serhiy-storchaka serhiy-storchaka added the 3.7 (EOL) end of life label Nov 1, 2017
    @serhiy-storchaka serhiy-storchaka self-assigned this Nov 1, 2017
    @serhiy-storchaka
    Copy link
    Member

    New changeset aad7ac1 by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6':
    bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (bpo-4221)
    aad7ac1

    @serhiy-storchaka
    Copy link
    Member

    New changeset b694770 by Serhiy Storchaka (Miss Islington (bot)) in branch '2.7':
    bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (bpo-4222)
    b694770

    @vstinner
    Copy link
    Member

    vstinner commented Nov 7, 2017

    The Python 2.7 backport (commit b694770) is wrong. The _curses module cannot be compiled anymore:

    Example of compilation errors:

    /home/haypo/prog/python/2.7/Modules/_cursesmodule.c: In function 'PyCursesWindow_Box':
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:39: warning: passing argument 1 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                       ^~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'PyObject * {aka struct _object *}' but argument is of type 'PyCursesWindowObject * {aka struct <anonymous> *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:45: warning: passing argument 2 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                             ^~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'chtype * {aka unsigned int *}' but argument is of type 'PyObject * {aka struct _object *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:14: error: too many arguments to function 'PyCurses_ConvertToChtype'
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
              ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: declared here
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~

    @vstinner vstinner reopened this Nov 7, 2017
    @serhiy-storchaka
    Copy link
    Member

    New changeset 69ea4b4 by Serhiy Storchaka in branch '2.7':
    Fix bpo-27666 backporting error in _cursesmodule.c (bpo-4305)
    69ea4b4

    @serhiy-storchaka
    Copy link
    Member

    Thank you for catching this Victor.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @serhiy-storchaka serhiy-storchaka

    Labels
    3.7 (EOL) end of life extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    2 participants
    @vstinner @serhiy-storchaka