New submission from Mohammed Dief <mdaif1...@gmail.com>:
When you open the Programs/_freeze_importlib.c code, you will get the main function that gets executed when the C binary is running. That proves the first point, that this is the function that is going to be used when this code is getting built or used by other functions.

At the first variable definition lines you will find that there's a variable called `buf` with a memory limit of 100 bytes: https://github.com/python/cpython/blob/bb3e0c240bc60fe08d332ff5955d54197f79751c/Programs/_freeze_importlib.c#L37

If you continue tracking the `buf` variable usage, you will get that the first function it's used in is `sprintf` at: https://github.com/python/cpython/blob/bb3e0c240bc60fe08d332ff5955d54197f79751c/Programs/_freeze_importlib.c#L102 and, as we all know, sprintf isn't a memory-secure function in C, and when the memory size isn't validated then BOFs can happen, as in this case. The sprintf function is using a variable called `name` to store its value in the buf variable; in this case the name variable is a constant variable that is defined as char with *name. Then on https://github.com/python/cpython/blob/bb3e0c240bc60fe08d332ff5955d54197f79751c/Programs/_freeze_importlib.c#L51 the name variable value is set based on the first argument of the program. That means running the program with 96 'A' characters as the first argument can exceed the 100-byte memory limit, causing possible arbitrary code execution and DoS on the binary.

Once again, it's just a code review process. I don't know where the code is running, but if you think this issue is invalid I would like to know where the code is running so I can dig deeper over there.
Here's some test code that proves my point here too:

main.c:

    #include <stdlib.h>
    #include <stdio.h>

    int main(int argc, char *argv[])
    {
        int i;
        const char *name;
        char buf[100];   /* fixed 100-byte stack buffer, as in _freeze_importlib.c */

        for (i = 1; i < argc; i++) {
            name = argv[i];
            /* unbounded write: sprintf does not know buf is only 100 bytes */
            sprintf(buf, "<frozen %s>", name);
            puts(buf);
        }
        return 0;
    }

shell:

    gcc main.c -o main
    ./main $(python3 -c "print('A'*100)")

This issue was reported to PSRT, and they said the code is an internal tool that's used by developers, not end-users, and asked me to open an issue here.

----------
components: Library (Lib)
messages: 394203
nosy: demonia
priority: normal
severity: normal
status: open
title: Possible Stack Based Buffer Overflow at Programs/_freeze_importlib.c
type: security
versions: Python 3.11

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44218>
_______________________________________
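A hardened variant of the formatting call discussed in this report, added here as an example and not taken from CPython or from the reporter's code: snprintf() is bounded by the destination size, and its return value (the length the full string would have had) reveals when a name would not fit, so an over-long module name is rejected instead of being written past the end of `buf`. The function names `format_frozen_name` and `max_frozen_name_len` are chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Same 100-byte destination as the buffer discussed in the report. */
#define FROZEN_BUF_SIZE 100

/* Bounded replacement for sprintf(buf, "<frozen %s>", name).
 * Returns 0 on success, -1 if the result would not fit in `cap` bytes;
 * on failure buf is left as an empty string rather than partial output. */
int format_frozen_name(char *buf, size_t cap, const char *name)
{
    int n = snprintf(buf, cap, "<frozen %s>", name);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Longest name that fits: cap minus "<frozen ", ">" and the terminating NUL. */
size_t max_frozen_name_len(size_t cap)
{
    const size_t overhead = strlen("<frozen ") + strlen(">") + 1;
    return cap > overhead ? cap - overhead : 0;
}

int main(int argc, char *argv[])
{
    char buf[FROZEN_BUF_SIZE];
    for (int i = 1; i < argc; i++) {
        if (format_frozen_name(buf, sizeof buf, argv[i]) != 0) {
            fprintf(stderr, "name too long (max %zu bytes): rejected\n",
                    max_frozen_name_len(sizeof buf));
            return 1;
        }
        puts(buf);
    }
    return 0;
}
```

Run with the same 100-'A' argument as the reporter's shell line and the program exits with an error message instead of overrunning the buffer.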