Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buffer overflow in kqueue.control() #74244

Closed
serhiy-storchaka opened this issue Apr 12, 2017 · 6 comments
Closed

Buffer overflow in kqueue.control() #74244

serhiy-storchaka opened this issue Apr 12, 2017 · 6 comments
Assignees
@serhiy-storchaka
Labels
3.7 (EOL) end of life extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@serhiy-storchaka
Copy link
Member

BPO 30058
Nosy @serhiy-storchaka, @koobs
PRs
  • bpo-30058: Fixed buffer overflow in select.kqueue.control(). #1095
  • [3.6] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (GH-1095) #3973
  • [2.7] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (GH-1095). #3976
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/serhiy-storchaka'
closed_at = <Date 2017-10-12.21:13:33.168>
created_at = <Date 2017-04-12.17:13:38.494>
labels = ['extension-modules', '3.7', 'type-crash']
title = 'Buffer overflow in kqueue.control()'
updated_at = <Date 2017-10-12.21:13:33.167>
user = 'https://github.com/serhiy-storchaka'

    bugs.python.org fields:

    activity = <Date 2017-10-12.21:13:33.167>
actor = 'serhiy.storchaka'
assignee = 'serhiy.storchaka'
closed = True
closed_date = <Date 2017-10-12.21:13:33.168>
closer = 'serhiy.storchaka'
components = ['Extension Modules', 'FreeBSD']
creation = <Date 2017-04-12.17:13:38.494>
creator = 'serhiy.storchaka'
dependencies = []
files = []
hgrepos = []
issue_num = 30058
keywords = ['patch']
message_count = 6.0
messages = ['291563', '291565', '304281', '304282', '304286', '304289']
nosy_count = 2.0
nosy_names = ['serhiy.storchaka', 'koobs']
pr_nums = ['1095', '3973', '3976']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue30058'
versions = ['Python 2.7', 'Python 3.6', 'Python 3.7']
    @serhiy-storchaka
    Copy link
    Member Author

    The first parameter of kqueue.control() is documented as an iterable. But actually it should have a length. kqueue.control() uses PyObject_Size() for allocating an array and PyObject_GetIter()+PyIter_Next() for iterating kevent objects and filling the array. If the length and the iterator are not consistent this can lead to writing past the end of the array.

    @serhiy-storchaka serhiy-storchaka added 3.7 (EOL) end of life extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump labels Apr 12, 2017
    @serhiy-storchaka
    Copy link
    Member Author

    Proposed patch presumably fixes the issue. But since this is *BSD specific I can't even check that it is compiled.

    @serhiy-storchaka
    Copy link
    Member Author

    I have tested it on FreeBSD, found and fixed one bug.

    @serhiy-storchaka serhiy-storchaka self-assigned this Oct 12, 2017
    @serhiy-storchaka
    Copy link
    Member Author

    New changeset de07210 by Serhiy Storchaka in branch 'master':
    bpo-30058: Fixed buffer overflow in select.kqueue.control(). (bpo-1095)
    de07210

    @serhiy-storchaka
    Copy link
    Member Author

    New changeset c923da1 by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6':
    [3.6] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (GH-1095) (bpo-3973)
    c923da1

    @serhiy-storchaka
    Copy link
    Member Author

    New changeset 9aa6024 by Serhiy Storchaka in branch '2.7':
    [2.7] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (GH-1095). (bpo-3976)
    9aa6024

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @serhiy-storchaka serhiy-storchaka

    Labels
    3.7 (EOL) end of life extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    1 participant
    @serhiy-storchaka