
integer overflow in binascii.b2a_qp #71947

Closed
benjaminp opened this issue Aug 14, 2016 · 3 comments
Labels
stdlib Python modules in the Lib dir type-security A security issue

Comments

@benjaminp
Contributor

BPO 27760
Nosy @benjaminp

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2016-08-14.01:37:35.623>
created_at = <Date 2016-08-14.01:32:26.218>
labels = ['type-security', 'library']
title = 'integer overflow in binascii.b2a_qp'
updated_at = <Date 2016-08-14.10:10:45.704>
user = 'https://github.com/benjaminp'

bugs.python.org fields:

activity = <Date 2016-08-14.10:10:45.704>
actor = 'tehybel'
assignee = 'none'
closed = True
closed_date = <Date 2016-08-14.01:37:35.623>
closer = 'python-dev'
components = ['Library (Lib)']
creation = <Date 2016-08-14.01:32:26.218>
creator = 'benjamin.peterson'
dependencies = []
files = []
hgrepos = []
issue_num = 27760
keywords = []
message_count = 3.0
messages = ['272634', '272635', '272661']
nosy_count = 3.0
nosy_names = ['benjamin.peterson', 'python-dev', 'tehybel']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue27760'
versions = ['Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4', 'Python 3.5', 'Python 3.6']

@benjaminp
Contributor Author

Thomas E Hybel reports:

This vulnerability resides in /Modules/binascii.c in the function
binascii_b2a_qp_impl. The problem is that the integer variable "odatalen" can
overflow to become a small number.

The function binascii_b2a_qp_impl qp-encodes binary data. First it computes the
output string's length in the variable "odatalen":

    /* First, scan to see how many characters need to be encoded */
    in = 0;
    while (in < datalen) {
        if ((databuf[in] > 126) || ... )
        {
            ...
            odatalen += 3;
            in++;
        }
        ...
    }

As we can see, each input character can result in more than three
output characters. Then we allocate the output string:

    odata = (unsigned char *) PyMem_Malloc(odatalen);

And finally we encode the input string and write the result into odata.

If our string is so large that "odatalen" will wrap around and become a small
number, then the odata buffer will be too small to hold the data. Our input is
then copied into this too-small buffer. So the integer overflow results in a
heap buffer overflow.

Here's a proof-of-concept script:

--- begin script ---

import binascii
binascii.b2a_qp(b"\x80"*0x531dec0e) # this number gives odatalen=2

--- end script ---

Note that this script assumes a 32-bit system where the "odatalen" variable will
be 4 bytes wide. When run on Python-3.5.2, 32-bit, we get a segfault:

(gdb) r ../poc3.py
Starting program: /home/ubuntu32/python3/Python-3.5.2/python ../poc3.py

Breakpoint 1, binascii_b2a_qp_impl (module=module@entry=0xb7c370f4,
data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1448
1448 odata = (unsigned char *) PyMem_Malloc(odatalen);
(gdb) p odatalen
$27 = 0x2
(gdb) p datalen
$28 = 0x531dec0e
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
1333 s[1] = "0123456789ABCDEF"[uvalue % 16];
(gdb) bt
#0 0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
#1 0xb7fd22fa in binascii_b2a_qp_impl (module=module@entry=0xb7c370f4,
data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1476
#2 0xb7fd2510 in binascii_b2a_qp (module=module@entry=0xb7c370f4,
args=args@entry=0xb7cbbb5c, kwargs=kwargs@entry=0x0)
at /home/ubuntu32/python3/Python-3.5.2/Modules/clinic/binascii.c.h:510
#3 0x080e0ef4 in PyCFunction_Call (func=func@entry=0xb7c37534,
args=args@entry=0xb7cbbb5c, kwds=kwds@entry=0x0)
at Objects/methodobject.c:98
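The defensive pattern the report calls for, as an added example written for this page (it is not the CPython patch and not the reporter's code): compute odatalen with overflow-checked addition and refuse to allocate as soon as a sum would wrap, instead of trusting the final value. It assumes a simplified "needs encoding" rule (bytes above 126 or '=') and the 76-column soft line break the report's scan loop accounts for; checked_add, qp_output_length and qp_alloc_output are names chosen here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAXLINESIZE 76  /* soft line break limit used by quoted-printable */

/* Add b to *acc, reporting failure instead of silently wrapping around.
 * This is the check that was missing before the PyMem_Malloc call. */
static bool checked_add(size_t *acc, size_t b) {
    if (b > SIZE_MAX - *acc)
        return false;          /* would wrap: caller must not allocate */
    *acc += b;
    return true;
}

/* Length of the quoted-printable encoding of data[0..len).
 * Simplified rule (assumption): bytes > 126 and '=' are hex-encoded as
 * three output bytes, everything else is copied as one byte.  A soft
 * line break ("=\r\n" or "=\n") is inserted before a line would exceed
 * MAXLINESIZE.  Returns false if the total does not fit in size_t. */
bool qp_output_length(const unsigned char *data, size_t len,
                      bool crlf, size_t *out) {
    size_t odatalen = 0, linelen = 0;
    for (size_t in = 0; in < len; in++) {
        size_t need = (data[in] > 126 || data[in] == '=') ? 3 : 1;
        if (linelen + need >= MAXLINESIZE) {
            linelen = 0;
            if (!checked_add(&odatalen, crlf ? 3 : 2))
                return false;
        }
        linelen += need;
        if (!checked_add(&odatalen, need))
            return false;
    }
    *out = odatalen;
    return true;
}

/* Allocate the output buffer only when the length was computed without
 * wrapping; a NULL return here means "refuse", not "out of memory". */
unsigned char *qp_alloc_output(const unsigned char *data, size_t len,
                               bool crlf, size_t *outlen) {
    if (!qp_output_length(data, len, crlf, outlen))
        return NULL;
    return malloc(*outlen ? *outlen : 1);
}
```

With the check in place a wrapped odatalen is impossible: the scan aborts at the first addition that would overflow, so the buffer is never undersized relative to what the encoder later writes.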

@benjaminp benjaminp added stdlib Python modules in the Lib dir type-security A security issue labels Aug 14, 2016
@python-dev
Mannequin

python-dev mannequin commented Aug 14, 2016

New changeset af42635b5ed1 by Benjamin Peterson in branch '2.7':
fix possible integer overflow in binascii.b2a_qp (closes bpo-27760)
https://hg.python.org/cpython/rev/af42635b5ed1

New changeset 54c74212db91 by Benjamin Peterson in branch '3.3':
fix possible integer overflow in binascii.b2a_qp (closes bpo-27760)
https://hg.python.org/cpython/rev/54c74212db91

New changeset 9822bf4bcece by Benjamin Peterson in branch '3.4':
merge 3.3 (closes bpo-27760)
https://hg.python.org/cpython/rev/9822bf4bcece

New changeset a277ab6bf66b by Benjamin Peterson in branch '3.5':
merge 3.4 (closes bpo-27760)
https://hg.python.org/cpython/rev/a277ab6bf66b

New changeset 4a00d4ebf60f by Benjamin Peterson in branch 'default':
merge 3.5 (closes bpo-27760)
https://hg.python.org/cpython/rev/4a00d4ebf60f

@python-dev python-dev mannequin closed this as completed Aug 14, 2016
@tehybel
Mannequin

tehybel mannequin commented Aug 14, 2016

The patch seems correct to me.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022