[security][CVE-2021-3177] ctypes double representation BoF #87104

Closed
JordyZomer mannequin opened this issue Jan 16, 2021 · 11 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes 3.10 only security fixes topic-ctypes type-security A security issue

Comments

@JordyZomer
Mannequin

JordyZomer mannequin commented Jan 16, 2021

BPO 42938
Nosy @vstinner, @tiran, @benjaminp, @ariccio, @miss-islington, @JordyZomer
PRs
  • closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24239
  • [3.9] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24247
  • [3.8] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24248
  • [3.7] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24249
  • [3.6] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24250
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = None
    closed_at = <Date 2021-01-18.20:47:22.417>
    created_at = <Date 2021-01-16.08:03:26.992>
    labels = ['type-security', '3.8', '3.9', '3.10', 'ctypes', '3.7']
    title = '[security][CVE-2021-3177] ctypes double representation BoF'
    updated_at = <Date 2021-03-29.12:32:06.005>
    user = 'https://github.com/JordyZomer'

    bugs.python.org fields:

    activity = <Date 2021-03-29.12:32:06.005>
    actor = 'vstinner'
    assignee = 'none'
    closed = True
    closed_date = <Date 2021-01-18.20:47:22.417>
    closer = 'benjamin.peterson'
    components = ['ctypes']
    creation = <Date 2021-01-16.08:03:26.992>
    creator = 'JordyZomer'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 42938
    keywords = ['patch', 'security_issue']
    message_count = 11.0
    messages = ['385136', '385226', '385229', '385231', '385233', '385234', '385236', '387194', '387535', '387536', '387537']
    nosy_count = 7.0
    nosy_names = ['vstinner', 'christian.heimes', 'benjamin.peterson', 'Alexander Riccio', 'miss-islington', 'JordyZomer', 'milanjugessur1404']
    pr_nums = ['24239', '24247', '24248', '24249', '24250']
    priority = 'high'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue42938'
    versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']


    Hi,

    There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.

    The buffer overflow happens due to not checking the length of the sprintf() function on line:

    case 'd':
        sprintf(buffer, "<cparam '%c' (%f)>",
            self->tag, self->value.d);
        break;
    

    Because we control self->value.d we could make it copy _extreme_ values. For example we could make it copy 1e300, which would be a 1 with 300 zeros, to overflow the buffer.

    This could potentially cause RCE when a user allows untrusted input in these functions.

    A minimal PoC:

    >>> from ctypes import *
    >>> c_double.from_param(1e300)
    *** buffer overflow detected ***: terminated
    Aborted

    I recommend __always__ controlling how much you copy so I'd use snprintf with a size argument instead.

    Best Regards,

    Jordy Zomer
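    The following is an added example, not CPython's code and not part of the report above. It reproduces the mechanism the reporter describes in plain C: `%f` prints the full decimal expansion of a double, so a value such as 1e300 expands to more than 300 digits, and an unchecked sprintf() into a fixed buffer writes past its end. The buffer size REPR_BUF_SIZE is an assumption for illustration (the page does not give the real size), and the two mitigation functions are generic C-side options, one with a bounded snprintf() whose truncation is checked as the reporter recommends, and one that measures with snprintf(NULL, 0, ...) and allocates exactly what is needed. The fix actually merged for bpo-42938, per the PR titles on this page, took a different route and moved the formatting to Python unicode formatting instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative fixed buffer size (an assumption; the page does not state
 * the size of the buffer PyCArg_repr() actually used). */
#define REPR_BUF_SIZE 256

/* Number of bytes the repr from the report needs, excluding the NUL
 * terminator. snprintf(NULL, 0, ...) measures without writing anything. */
size_t repr_double_len(char tag, double d)
{
    int n = snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, d);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the unchecked sprintf() from the report would write past a
 * REPR_BUF_SIZE-byte buffer for this value, else 0. */
int repr_double_overflows(char tag, double d)
{
    return repr_double_len(tag, d) + 1 > REPR_BUF_SIZE;
}

/* Mitigation 1: bounded write into a caller-supplied buffer.
 * snprintf() never writes more than size bytes, but it silently truncates,
 * so the return value must be checked. Returns 0 on success, -1 on
 * truncation; buf is NUL-terminated in both cases. */
int repr_double_bounded(char *buf, size_t size, char tag, double d)
{
    int n = snprintf(buf, size, "<cparam '%c' (%f)>", tag, d);
    if (n < 0 || (size_t)n >= size)
        return -1;
    return 0;
}

/* Mitigation 2: measure first, then allocate exactly what is needed, so no
 * value of d can overflow and nothing is truncated. Caller frees.
 * Returns NULL on allocation failure. */
char *repr_double_alloc(char tag, double d)
{
    size_t len = repr_double_len(tag, d);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    snprintf(out, len + 1, "<cparam '%c' (%f)>", tag, d);
    return out;
}

int main(void)
{
    char buf[REPR_BUF_SIZE];
    /* Constructed sample values: one benign, two that the report's
     * sprintf() would not fit in a small fixed buffer. */
    double samples[] = { 1.5, 1e300, -1e308 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double d = samples[i];
        printf("%%f of %g needs %zu bytes; unchecked sprintf overflows: %s; "
               "bounded snprintf truncates: %s\n",
               d, repr_double_len('d', d) + 1,
               repr_double_overflows('d', d) ? "yes" : "no",
               repr_double_bounded(buf, sizeof buf, 'd', d) == -1 ? "yes" : "no");
        char *s = repr_double_alloc('d', d);
        if (s != NULL) {
            printf("  heap repr: %zu chars, begins %.20s...\n", strlen(s), s);
            free(s);
        }
    }
    return 0;
}
```

    For 1e300 the repr is 323 bytes long before the terminator (15 bytes of fixed text, 301 integer digits and the ".000000" fraction), which is why a fixed buffer sized for ordinary numbers is not enough. The bounded variant stops the write but loses information, so callers must treat -1 as an error rather than print the truncated buffer; the allocating variant keeps the full text at the cost of a heap allocation per call.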

    @JordyZomer JordyZomer mannequin added 3.10 only security fixes topic-ctypes type-security A security issue labels Jan 16, 2021
    @vstinner vstinner changed the title ctypes double representation BoF [security] ctypes double representation BoF Jan 18, 2021
    @benjaminp
    Contributor

    New changeset 916610e by Benjamin Peterson in branch 'master':
    closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (24239)
    916610e

    @benjaminp
    Contributor

    New changeset 34df10a by Benjamin Peterson in branch '3.6':
    [3.6] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24250)
    34df10a

    @benjaminp
    Contributor

    New changeset d9b8f13 by Benjamin Peterson in branch '3.7':
    [3.7] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24249)
    d9b8f13

    @benjaminp
    Contributor

    New changeset ece5dfd by Miss Islington (bot) in branch '3.8':
    closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24248)
    ece5dfd

    @benjaminp
    Contributor

    New changeset c347cbe by Miss Islington (bot) in branch '3.9':
    closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24247)
    c347cbe

    @ned-deily ned-deily added 3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes labels Jan 18, 2021
    @vstinner
    Member

    FYI I created https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html to track fixes of this issue.

    @vstinner
    Member

    @vstinner vstinner changed the title [security] ctypes double representation BoF [security][CVE-2021-3177] ctypes double representation BoF Feb 17, 2021
    @ariccio
    Mannequin

    ariccio mannequin commented Feb 22, 2021

    Petition to remove all uses of the unchecked string handling functions from CPython?

    Sidenote: if C4996 was on, this would be a warning.

    @tiran
    Member

    tiran commented Feb 22, 2021

    Alexander, this bug report is closed. Could you please open a new request and explain your proposal?

    @ariccio
    Mannequin

    ariccio mannequin commented Feb 22, 2021

    Yes, I definitely should. I work on https://bugs.python.org/issue25878 sometimes, which encompasses this.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022