New submission from Minh Râu:

Description:
------------
Null dereference in function set_conversion_mode due to unchecked _ctypes_conversion_encoding:

static PyObject *
set_conversion_mode(PyObject *self, PyObject *args)
{
    ...
    if (coding) {
        PyMem_Free(_ctypes_conversion_encoding);
        _ctypes_conversion_encoding = PyMem_Malloc(strlen(coding) + 1); // if memory is not enough, _ctypes_conversion_encoding will be null
        strcpy(_ctypes_conversion_encoding, coding); // crash here
    } else {
    ...

Test script:
---------------
import ctypes
s = 'a'*(0xffffffff/2-0xffff)
sss = 'a'*(0xffffffff/4)
ctypes.set_conversion_mode(s, s)

Expected result:
----------------
No Crash

Actual result:
--------------
Starting program: /home/minhrau/cpython-2.7/python ~/pythontestcase/test.py
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
(gdb) bt
#0 0xf7def209 in __strcpy_sse2 () from /usr/lib32/libc.so.6
#1 0xf7fba5c2 in set_conversion_mode (self=0x0, args=0xf7cd602c) at /home/minhrau/cpython-2.7/Modules/_ctypes/callproc.c:1700
#2 0x080f6dfc in call_function (oparg=<optimized out>, pp_stack=0xffffd45c) at Python/ceval.c:4350
#3 PyEval_EvalFrameEx (f=<optimized out>, throwflag=<optimized out>) at Python/ceval.c:2987
#4 0x080f964e in PyEval_EvalCodeEx (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714, args=0x0, argcount=0, kws=0x0, kwcount=0, defs=0x0, defcount=0, closure=0x0) at Python/ceval.c:3582
#5 0x080f9942 in PyEval_EvalCode (co=0xf7cc94e8, globals=0xf7d5b714, locals=0xf7d5b714) at Python/ceval.c:669
#6 0x0811e928 in run_mod (arena=0x8264f18, flags=0xffffd64c, locals=0xf7d5b714, globals=0xf7d5b714, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", mod=0x826daa0) at Python/pythonrun.c:1376
#7 PyRun_FileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", start=257, globals=0xf7d5b714, locals=0xf7d5b714, closeit=1, flags=0xffffd64c) at Python/pythonrun.c:1362
#8 0x081202f4 in PyRun_SimpleFileExFlags (fp=0x826c788, filename=0xffffd96e "/home/minhrau/pythontestcase/test.py", closeit=1, flags=0xffffd64c) at Python/pythonrun.c:948
#9 0x0805a37d in Py_Main (argc=2, argv=0xffffd794) at Modules/main.c:640
#10 0x080594cb in main (argc=2, argv=0xffffd794) at ./Modules/python.c:20

Patch:
--------------
file: cpython-2.7/Modules/_ctypes/callproc.c
1700,1701d1699
< if (_ctypes_conversion_encoding == NULL)
< return PyErr_NoMemory();

----------
components: ctypes
messages: 274493
nosy: minhrau
priority: normal
severity: normal
status: open
title: null pointer dereference in set_conversion_mode due to unchecked _ctypes_conversion_encoding
type: security
versions: Python 2.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27962>
_______________________________________