
Author benjamin.peterson
Recipients benjamin.peterson, christian.heimes
Date 2015-04-23.21:03:08
Message-id <1429822988.7.0.684416288083.issue24044@psf.upfronthosting.co.za>
Content
Found by Christian Heimes:

Coverity has found a flaw in Objects/listobject.c:listsort() that
eventually leads to a NULL pointer dereference. Because NULL pointer
dereferences can lead to exploits or DoS vulnerabilities I'm reporting
the error on PSRT first. The error is on a code path that can be
triggered by a remote attacker, although not that easily. All Python 3
versions are affected, Python 2.7 looks safe.

The problematic code line is
https://hg.python.org/cpython/file/bc1a178b3bc8/Objects/listobject.c#l1965
The code fails to restore self->ob_item to saved_ob_item when
PyMem_MALLOC() fails. Subsequent access to the same list object will
dereference self->ob_item (which is still NULL) and cause a segfault.

A remote attack might be able to trigger the segfault with a large
data set. All it takes is an application that sorts this large data
set with list.sort() and a custom key function. When Python runs out
of memory just in the right spot ... CRASH.

Additionally there is another bug, too. list.sort() doesn't set an
exception when PyMem_MALLOC() fails. A fix for both issues is simple
and straightforward:

diff -r bc1a178b3bc8 Objects/listobject.c
- --- a/Objects/listobject.c      Sat Apr 18 05:54:02 2015 +0200
+++ b/Objects/listobject.c      Sat Apr 18 06:29:02 2015 +0200
@@ -1961,8 +1961,10 @@
             keys = &ms.temparray[saved_ob_size+1];
         else {
             keys = PyMem_MALLOC(sizeof(PyObject *) * saved_ob_size);
- -            if (keys == NULL)
- -                return NULL;
+            if (keys == NULL) {
+                PyErr_NoMemory();
+                goto keyfunc_fail;
+            }
         }

         for (i = 0; i < saved_ob_size ; i++) {
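Review bot: the hunk's correctness rests on the keyfunc_fail label, which lies outside the shown context; confirm that the cleanup it reaches restores self->ob_item = saved_ob_item (the state the report says the old `return NULL` skipped) and that it tolerates keys == NULL, since on this path there are no key entries to release. Separately, the `- ---` and `- -` prefixes on the removed lines are dash-escaped (clear-signed mail style), so the leading `- ` has to be stripped before the patch applies.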
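As an added illustration, not code from CPython or from the report above: a mock of the listsort() error path as the report describes it, with the buggy early return beside the goto-to-cleanup fix. mock_list, mock_malloc, fail_next_malloc and the function names are hypothetical stand-ins for PyListObject, PyMem_MALLOC and listsort().

```c
/* Added example, not CPython's own code: a model of the listsort() OOM path. */
#include <stdlib.h>
typedef struct {          /* hypothetical stand-in for PyListObject */
    void **ob_item;       /* listsort() parks this at NULL while it sorts */
    size_t ob_size;
} mock_list;
int fail_next_malloc = 0; /* set to 1 to make the next allocation fail (OOM) */
static void *mock_malloc(size_t n) {   /* stands in for PyMem_MALLOC */
    if (fail_next_malloc) { fail_next_malloc = 0; return NULL; }
    return malloc(n);
}

/* The bug: ob_item is detached, the keys allocation fails, and the function
 * returns without re-attaching it, so the next access dereferences NULL. */
int sort_with_keys_buggy(mock_list *self) {
    void **saved_ob_item = self->ob_item;
    self->ob_item = NULL;
    void **keys = mock_malloc(sizeof(void *) * self->ob_size);
    if (keys == NULL)
        return -1;                   /* BUG: ob_item still NULL, no error set */
    free(keys);                      /* (sort work would go here) */
    self->ob_item = saved_ob_item;   /* restored only on the success path */
    return 0;
}

/* The fix: the failure path jumps to the cleanup label, so ob_item is
 * re-attached on every exit (PyErr_NoMemory() would be set before the goto). */
int sort_with_keys_fixed(mock_list *self) {
    void **saved_ob_item = self->ob_item;
    void **keys = NULL;
    int status = -1;
    self->ob_item = NULL;
    keys = mock_malloc(sizeof(void *) * self->ob_size);
    if (keys == NULL)
        goto keyfunc_fail;
    status = 0;                      /* (sort work would go here) */
keyfunc_fail:
    free(keys);                      /* free(NULL) is a no-op */
    self->ob_item = saved_ob_item;
    return status;
}

/* Drives one variant under simulated OOM; returns 1 if ob_item is intact. */
int ob_item_intact_after_oom(int (*sort_fn)(mock_list *)) {
    void *items[2] = { "a", "b" };   /* constructed sample list */
    mock_list l = { items, 2 };
    fail_next_malloc = 1;
    sort_fn(&l);
    return l.ob_item != NULL;
}
```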