[ python-Bugs-1468727 ] Possible Integer overflow

SourceForge.net noreply at sourceforge.net
Wed Apr 12 10:08:19 CEST 2006


Bugs item #1468727, was opened at 2006-04-11 19:00
Message generated for change (Comment added) made by mwh
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1468727&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: Python 2.5
>Status: Closed
>Resolution: Invalid
Priority: 7
Submitted By: ekellinis (ekellinis)
>Assigned to: Michael Hudson (mwh)
Summary: Possible Integer overflow

Initial Comment:
There is a possible integer overflow in fcntlmodule.c 


=================================
fcntl_fcntl(PyObject *self, PyObject *args)
{
	int fd;
	int code;
	int arg;
	int ret;
	char *str;
	Py_ssize_t len;
	char buf[1024];

	if (PyArg_ParseTuple(args, "O&is#:fcntl",
	                     conv_descriptor, &fd,
	                     &code, &str, &len)) {
		if (len > sizeof buf) {
			PyErr_SetString(PyExc_ValueError,
					"fcntl string arg too long");
			return NULL;
		}
		memcpy(buf, str, len);
=================================
Explanation: 
If "len" receives a very large value (>integer), there is
a possibility that it will become negative and the value
will bypass the if statement and go directly to
memcpy(buf, str, len);

The latest revision of the module (42787) has int
replaced with Py_ssize_t which, as it mentions at
http://www.python.org/dev/peps/pep-0353/
"...Py_ssize_t is introduced, which has the same size
as the compiler's size_t type, but is signed..", so the
problem seems to still be there.

-The int type is used from revision 42093 and back

Someone needs to be able to execute arbitrary Python to
exploit it; possible effect: break out of the Python
sandbox



----------------------------------------------------------------------

>Comment By: Michael Hudson (mwh)
Date: 2006-04-12 09:08

Message:
Logged In: YES 
user_id=6656

From a little source staring, I am pretty sure that len can in fact never be 
negative.  If you have exploit code, please share it.  On the optimistic premise 
that I'm not blind, closing this bug.

Also, you're letting code execute ioctl and are worried about what else it might 
be doing ... ?

----------------------------------------------------------------------
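The disagreement above turns on how C evaluates `len > sizeof buf` when `len` is a signed Py_ssize_t and `sizeof buf` is an unsigned size_t. The following stand-alone program is an added illustration, not code from fcntlmodule.c or the tracker: it mirrors the bound check with a hypothetical `check_rejects` helper (using ptrdiff_t as a stand-in for Py_ssize_t, which PEP 353 says has the same width as size_t) and contrasts it with a hypothetical all-signed variant in which a negative length really would reach memcpy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Py_ssize_t (assumption): signed, same width as size_t. */
typedef ptrdiff_t my_ssize_t;

#define BUFSIZE 1024

/* Mirror of the check in fcntl_fcntl. Returns 1 if the length is
 * rejected, 0 if the copy would proceed. Hypothetical helper. */
int check_rejects(my_ssize_t len)
{
    char buf[BUFSIZE];
    /* Usual arithmetic conversions: `sizeof buf` is size_t, so `len` is
     * converted to size_t before comparing. A negative len becomes a huge
     * unsigned value and is rejected rather than slipping past the bound.
     * Compilers flag this mixed comparison with -Wsign-compare, which is
     * the signal a reviewer should chase when auditing such checks. */
    if (len > sizeof buf)
        return 1;
    memset(buf, 0, (size_t)len);   /* copy would happen here */
    return 0;
}

/* Same bound written as a signed comparison, for contrast: this is the
 * shape in which a negative length does bypass the check. Hypothetical. */
int signed_check_rejects(my_ssize_t len)
{
    if (len > (my_ssize_t)BUFSIZE)
        return 1;
    return 0;
}

int main(void)
{
    my_ssize_t samples[] = { 10, BUFSIZE, 2000, -1 };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("len=%td  mixed-check rejects=%d  signed-check rejects=%d\n",
               samples[i], check_rejects(samples[i]),
               signed_check_rejects(samples[i]));
    }
    return 0;
}
```
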
