Stack buffer overflow in parsing J1939 network address #89391

serhiy-storchaka · 2021-09-17T06:56:43Z

BPO	45228
Nosy	@serhiy-storchaka, @miss-islington
PRs	bpo-45228: Fix stack buffer overflow in parsing J1939 address #28404 [3.10] bpo-45228: Fix stack buffer overflow in parsing J1939 address (GH-28404) #28406 [3.9] bpo-45228: Fix stack buffer overflow in parsing J1939 address (GH-28404) #28407
Files	J1939Test.log

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2021-09-17.11:51:16.309>
created_at = <Date 2021-09-17.06:56:42.577>
labels = ['extension-modules', '3.10', '3.9', 'type-crash', '3.11']
title = 'Stack buffer overflow in parsing J1939 network address'
updated_at = <Date 2021-09-17.11:51:16.308>
user = 'https://github.com/serhiy-storchaka'

bugs.python.org fields:

activity = <Date 2021-09-17.11:51:16.308>
actor = 'serhiy.storchaka'
assignee = 'none'
closed = True
closed_date = <Date 2021-09-17.11:51:16.309>
closer = 'serhiy.storchaka'
components = ['Extension Modules']
creation = <Date 2021-09-17.06:56:42.577>
creator = 'serhiy.storchaka'
dependencies = []
files = ['50283']
hgrepos = []
issue_num = 45228
keywords = ['patch']
message_count = 4.0
messages = ['402003', '402011', '402013', '402015']
nosy_count = 2.0
nosy_names = ['serhiy.storchaka', 'miss-islington']
pr_nums = ['28404', '28406', '28407']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'crash'
url = 'https://bugs.python.org/issue45228'
versions = ['Python 3.9', 'Python 3.10', 'Python 3.11']

serhiy-storchaka · 2021-09-17T06:56:42Z

It can be reproduced when run test.test_socket.J1939Test (omitted in regrtests now, see bpo-45187) with Address Sanitizer. See for example https://github.com/python/cpython/pull/28317/checks?check_run_id=3625390397.

It can be reproduced when run test.test_socket.J1939Test with unittest:

$ ./python -m unittest -v test.test_socket -k J1939Test

See J1939Test.log for output.

The cause is using PyArg_ParseTuple() with format unit "k" (unsigned long) and variable of type uint32_t. PyArg_ParseTuple() should only be used with native integer types (short, int, long, long long), it does not support support types of fixed size (uint16_t, uint32_t, uint64_t).

serhiy-storchaka · 2021-09-17T08:46:26Z

New changeset 7733195 by Serhiy Storchaka in branch 'main':
bpo-45228: Fix stack buffer overflow in parsing J1939 address (GH-28404)
7733195

miss-islington · 2021-09-17T09:09:34Z

New changeset 62c74f3 by Miss Islington (bot) in branch '3.10':
bpo-45228: Fix stack buffer overflow in parsing J1939 address (GH-28404)
62c74f3

miss-islington · 2021-09-17T09:10:59Z

New changeset 98fef20 by Miss Islington (bot) in branch '3.9':
bpo-45228: Fix stack buffer overflow in parsing J1939 address (GH-28404)
98fef20

serhiy-storchaka added 3.11 only security fixes extension-modules C modules in the Modules dir type-crash A hard crash of the interpreter, possibly with a core dump 3.9 only security fixes 3.10 only security fixes labels Sep 17, 2021

serhiy-storchaka closed this as completed Sep 17, 2021

ezio-melotti transferred this issue from another repository Apr 10, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stack buffer overflow in parsing J1939 network address #89391

Stack buffer overflow in parsing J1939 network address #89391

serhiy-storchaka commented Sep 17, 2021

serhiy-storchaka commented Sep 17, 2021

serhiy-storchaka commented Sep 17, 2021

miss-islington commented Sep 17, 2021

miss-islington commented Sep 17, 2021

Stack buffer overflow in parsing J1939 network address #89391

Stack buffer overflow in parsing J1939 network address #89391

Comments

serhiy-storchaka commented Sep 17, 2021

serhiy-storchaka commented Sep 17, 2021

serhiy-storchaka commented Sep 17, 2021

miss-islington commented Sep 17, 2021

miss-islington commented Sep 17, 2021