
Created on 2015-04-23 21:03 by benjamin.peterson, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Messages (2) | |||
|---|---|---|---|
| msg241889 | Author: Benjamin Peterson (benjamin.peterson) | Date: 2015-04-23 21:03 | |
Found by Christian Heimes:

Coverity has found a flaw in Objects/listobject.c:listsort() that eventually leads to a NULL pointer dereference. Because NULL pointer dereferences can lead to exploits or DoS vulnerabilities I'm reporting the error on PSRT first. The error is on a code path that can be triggered by a remote attacker, although not that easily. All Python 3 versions are affected, Python 2.7 looks safe.

The problematic code line is https://hg.python.org/cpython/file/bc1a178b3bc8/Objects/listobject.c#l1965. The code fails to restore self->ob_item to saved_ob_item when PyMem_MALLOC() fails. Subsequent access to the same list object will dereference self->ob_item (which is still NULL) and cause a segfault.

A remote attack might be able to trigger the segfault with a large data set. All it takes is an application that sorts this large dataset with list.sort() and a custom key function. When Python runs out of memory just in the right spot ... CRASH.

Additionally there is another bug, too. list.sort() doesn't set an exception when PyMem_MALLOC() fails. A fix for both issues is simple and straight forward:

diff -rbc1a178b3bc8Objects/listobject.c- --- a/Objects/listobject.c Sat Apr 18 05:54:02 2015 +0200+++ b/Objects/listobject.c Sat Apr 18 06:29:02 2015 +0200@@ -1961,8 +1961,10 @@ keys = &ms.temparray[saved_ob_size+1]; else { keys = PyMem_MALLOC(sizeof(PyObject *) * saved_ob_size);- - if (keys == NULL)- - return NULL;+ if (keys == NULL) {+ PyErr_NoMemory();+ goto keyfunc_fail;+ } } for (i = 0; i < saved_ob_size ; i++) { | |||
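Review bot: at `goto keyfunc_fail;` the body of the label lies outside the visible context, so the hunk alone does not show that the cleanup is safe to enter with keys == NULL. Please confirm, or widen the context to show, that keyfunc_fail neither frees nor walks `keys` when the allocation never succeeded, that it still distinguishes the `ms.temparray` branch from the PyMem_MALLOC branch, and that it is the path that restores self->ob_item to saved_ob_item, since that restore is the fix the report describes. A regression test that forces this allocation to fail and then accesses the same list again would keep the early `return NULL` from creeping back in.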
| msg241890 | Author: Roundup Robot (python-dev) | Date: 2015-04-23 21:08 | |
New changeset 91096d27c802 by Benjamin Peterson in branch '3.2':
properly handle malloc failure (closes #24044)
https://hg.python.org/cpython/rev/91096d27c802

New changeset 0d8f15053f42 by Benjamin Peterson in branch '3.3':
merge 3.2 (#24044)
https://hg.python.org/cpython/rev/0d8f15053f42

New changeset 80485b8e43cd by Benjamin Peterson in branch '3.4':
merge 3.3 (#24044)
https://hg.python.org/cpython/rev/80485b8e43cd

New changeset bd656916586f by Benjamin Peterson in branch 'default':
merge 3.4 (#24044)
https://hg.python.org/cpython/rev/bd656916586f | |||
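The failure mode reported in msg241889, reduced to a self-contained C model with fault injection. This is an added example, not CPython code or part of the original issue: `toy_list`, `demo_malloc`, `toy_sort` and `intact_after_failed_sort` are hypothetical names, and the toy also zeroes the size while detached, which is an assumption of the model.

```c
#include <stdlib.h>
/* Toy stand-in for a list object (hypothetical, not CPython's PyListObject). */
typedef struct { long *items; size_t size; } toy_list;
static int fail_next_alloc;            /* fault-injection switch for the demo */
static void *demo_malloc(size_t n) {
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    return malloc(n);
}

/* Sort by key(x) = |x|. The list is detached from its buffer while sorting.
 * restore_on_failure = 0 models the early return on allocation failure,
 * restore_on_failure = 1 models jumping to a shared cleanup label. */
static int toy_sort(toy_list *l, int restore_on_failure) {
    long *saved_items = l->items;
    size_t saved_size = l->size, i, j;
    int rc = -1;
    l->items = NULL; l->size = 0;      /* detach */
    long *keys = demo_malloc(sizeof(long) * saved_size);
    if (keys == NULL) {
        if (!restore_on_failure)
            return -1;                 /* bug: list stays detached */
        goto fail;
    }
    for (i = 0; i < saved_size; i++)
        keys[i] = labs(saved_items[i]);
    for (i = 1; i < saved_size; i++)   /* insertion sort; items follow keys */
        for (j = i; j > 0 && keys[j - 1] > keys[j]; j--) {
            long k = keys[j]; keys[j] = keys[j - 1]; keys[j - 1] = k;
            long v = saved_items[j];
            saved_items[j] = saved_items[j - 1]; saved_items[j - 1] = v;
        }
    free(keys);
    rc = 0;
fail:
    l->items = saved_items;            /* reattach on every exit path */
    l->size = saved_size;
    return rc;
}

/* Returns 1 if the list still owns its buffer after a sort whose key
 * allocation was forced to fail, 0 if it was left detached. */
static int intact_after_failed_sort(int restore_on_failure) {
    long data[] = {3, -1, 2};          /* constructed sample input */
    toy_list l = { data, 3 };
    fail_next_alloc = 1;
    int rc = toy_sort(&l, restore_on_failure);
    return rc == -1 && l.items == data && l.size == 3;
}

int main(void) { return !(intact_after_failed_sort(1) && !intact_after_failed_sort(0)); }
```

Forcing the allocation to fail, as `fail_next_alloc` does here, is the kind of fault-injection check that exercises error paths a normal test run never reaches.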
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:16 | admin | set | github: 68232 |
| 2015-04-23 23:19:37 | Arfrever | set | nosy: +Arfrever |
| 2015-04-23 21:08:39 | benjamin.peterson | link | issue24038 superseder |
| 2015-04-23 21:08:18 | benjamin.peterson | set | versions: - Python 2.7 |
| 2015-04-23 21:08:08 | python-dev | set | status: open -> closed nosy: +python-dev messages: +msg241890 resolution: fixed stage: resolved |
| 2015-04-23 21:03:08 | benjamin.peterson | create | |