[New-bugs-announce] [issue42938] ctypes double representation BoF
Jordy Zomer
report at bugs.python.org
Sat Jan 16 03:03:27 EST 2021
New submission from Jordy Zomer <jordy at simplyhacker.com>:
Hi,
There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.
The buffer overflow happens due to not checking the length of th sprintf() function on line:
case 'd':
sprintf(buffer, "<cparam '%c' (%f)>",
self->tag, self->value.d);
break;
Because we control self->value.d we could make it copy _extreme_ values. For example we could make it copy 1e300 which would be a 1 with 300 zero's to overflow the buffer.
This could potentially cause RCE when a user allows untrusted input in these functions.
A minimal PoC:
>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: terminated
Aborted
I recommend __always__ controlling how much you copy so I'd use snprintf with a size argument instead.
Best Regards,
Jordy Zomer
----------
components: ctypes
messages: 385136
nosy: JordyZomer
priority: normal
severity: normal
status: open
title: ctypes double representation BoF
type: security
versions: Python 3.10
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue42938>
_______________________________________
More information about the New-bugs-announce
mailing list