[Python-Dev] Deprecate invalid ctypes call protection on Windows

Paul Moore p.f.moore at gmail.com
Mon May 22 15:56:11 EDT 2017


On 22 May 2017 at 19:17, Steve Dower <steve.dower at python.org> wrote:
> One of the main reasons we are stuck with an old libffi fork in CPython is
> because the newer versions do not support protection from calling functions
> with too few/many arguments:
>
> https://docs.python.org/3/library/ctypes.html?highlight=ctypes#calling-functions
>
> There are a number of caveats here, including "this only works on Windows",
> but since it is documented we cannot just remove the behaviour without a
> deprecation period.
>
> I'd like to propose a highly-accelerated deprecation period for this
> specific feature, starting in CPython 3.6.2 and being "completed" in 3.7.0,
> when we will hopefully move onto a newer libffi.
>
> In general, the "feature" is a misfeature anyway, since calling a native
> function with incorrect arguments is unsupported and a very easy way to
> cause information leakage or code execution vulnerabilities. There may be an
> argument for removing the functionality immediately, but honestly I think
> changing libffi in a point release is higher risk.
>
> Once the special protection is removed, most of these cases will become
> OSError due to the general protection against segmentation faults. Some will
> undoubtedly fall through the cracks and crash the entire interpreter, but
> these are unavoidable (and really ought to crash to avoid potential
> exploits).
>
> Does anyone have any reasons to oppose this? It already has votes from
> another Windows expert and the 3.6/3.7 Release Manager, but we wanted to see
> if anyone has a concern we haven't thought of.

+1 from me.

Paul
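
Added example, not part of the original thread: the quoted message notes that calling a native function with incorrect arguments is unsupported, and this sketch shows one way to reject such calls in Python before they reach native code, by declaring the prototype and enforcing exact arity. The helper names `bind` and `outcome` are hypothetical; `PyUnicode_FromStringAndSize` is used only because it is reachable through `ctypes.pythonapi` on every platform.

```python
import ctypes


def bind(dll, name, restype, argtypes):
    """Return a checked wrapper for dll[name] (hypothetical helper, not a ctypes API)."""
    fn = dll[name]                  # item access yields a fresh, uncached function object
    fn.argtypes = list(argtypes)    # ctypes converts and type-checks every argument
    fn.restype = restype            # without this the result is assumed to be a C int
    expected = len(fn.argtypes)

    def checked(*args):
        # With argtypes set, ctypes rejects too few arguments but still lets
        # surplus ones through on cdecl functions, so require an exact match.
        if len(args) != expected:
            raise TypeError(
                f"{name} takes exactly {expected} arguments ({len(args)} given)")
        return fn(*args)

    return checked


def outcome(func, *args):
    """Run func(*args) and report whether the call reached native code."""
    try:
        return ("called", func(*args))
    except ctypes.ArgumentError as exc:   # an argument failed type conversion
        return ("rejected", type(exc).__name__)
    except TypeError as exc:              # wrong number of arguments
        return ("rejected", type(exc).__name__)


# PyObject *PyUnicode_FromStringAndSize(const char *str, Py_ssize_t size)
from_bytes = bind(ctypes.pythonapi, "PyUnicode_FromStringAndSize",
                  ctypes.py_object, [ctypes.c_char_p, ctypes.c_ssize_t])

if __name__ == "__main__":
    # Constructed sample calls: one valid, then too few, too many, wrong type.
    for args in [(b"ctypes", 6), (b"ctypes",), (b"ctypes", 6, 0), ("ctypes", 6)]:
        print(args, "->", outcome(from_bytes, *args))
```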

