[New-bugs-announce] [issue33871] Possible integer overflow in iov_setup()
Serhiy Storchaka
report at bugs.python.org
Fri Jun 15 14:14:37 EDT 2018
New submission from Serhiy Storchaka <storchaka+cpython at gmail.com>:
The iov_setup() helper in posixmodule.c returns the total size of all buffers. But there is possible an integer overflow because the sequence of buffers can contain the same buffer repeated multiple times.
On 32-bit platform:
>>> import os
>>> f = open('/tmp/temp', 'wb')
>>> os.writev(f.fileno(), [b'x' * 2**16] * 2**15)
-1
Since the overflowed sum is negative, os_writev_impl() returns -1 as a signal of error, but since the exception is not set, -1 is returned as the result of os.writev(). If the overflowed sum is not negative, the sequence of buffers is passed to OS and an OSError is raised:
>>> os.writev(f.fileno(), [b'x' * 2**16] * 2**16)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument
I have not tested (because have not installed corresponding 32-bit OSes, and it is harder to reproduce on 64-bit), but seems this can even cause a crash in os.sendfile() on FreeBSD, DragonFly BSD and Mac OS.
This sum is used only in os.sendfile() on Mac OS. In all other cases it is enough to return just an error flag. I can't find the documentation for os.sendfile() on Mac OS for checking if this value actually is needed.
----------
components: Library (Lib)
messages: 319636
nosy: ned.deily, ronaldoussoren, serhiy.storchaka
priority: normal
severity: normal
status: open
title: Possible integer overflow in iov_setup()
type: crash
versions: Python 3.6, Python 3.7, Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33871>
_______________________________________
More information about the New-bugs-announce
mailing list