NotificationsYou must be signed in to change notification settings
Fork33.3k
Star69.8k

[3.11] gh-95778: Correctly pre-check for int-to-str conversion (GH-96537)#96562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

miss-islington merged 1 commit intopython:3.11frommiss-islington:backport-b126196-3.11

Sep 4, 2022

Merged

[3.11] gh-95778: Correctly pre-check for int-to-str conversion (GH-96537)#96562

miss-islington merged 1 commit intopython:3.11frommiss-islington:backport-b126196-3.11

Sep 4, 2022

Conversation

Copy link

Contributor

miss-islington commentedSep 4, 2022•
edited
Loading

Converting a large enoughint to a decimal string raisesValueError as expected. However, the raise comesafter the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)

The quick fix: essentially we catchmost values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.

The justification for the current check. The C code check is:

max_str_digits / (3*PyLong_SHIFT) <= (size_a-11) /10

In GitHub markdown math-speak, writing$M$ formax_str_digits,$L$ forPyLong_SHIFT and$s$ forsize_a, that check is:
$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$

From this it follows that
$$\frac{M}{3L} < \frac{s-1}{10}$$
hence that
$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$
So
$$2^{L(s-1)} > 10^M.$$
But our input integer$a$ satisfies$|a| \ge 2^{L(s-1)}$, so$|a|$ is larger than$10^M$. This shows that we don't accidentally capture anythingbelow the intended limit in the check.

Issue:CVE-2020-10735: Prevent DoS by large int<->str conversions #95778

Co-authored-by: Gregory P. Smith [Google LLC]greg@krypto.org
(cherry picked from commitb126196)

Co-authored-by: Mark Dickinsondickinsm@gmail.com

Automerge-Triggered-By: GH:gpshead

pythongh-95778: Correctly pre-check for int-to-str conversion (python…

51ba378

…GH-96537)Converting a large enough `int` to a decimal string raises `ValueError` as expected. However, the raise comes _after_ the quadratic-time base-conversion algorithm has run to completion. For effective DOS prevention, we need some kind of check before entering the quadratic-time loop. Oops! =)The quick fix: essentially we catch _most_ values that exceed the threshold up front. Those that slip through will still be on the small side (read: sufficiently fast), and will get caught by the existing check so that the limit remains exact.The justification for the current check. The C code check is:```cmax_str_digits / (3 * PyLong_SHIFT) <= (size_a - 11) / 10```In GitHub markdown math-speak, writing $M$ for `max_str_digits`, $L$ for `PyLong_SHIFT` and $s$ for `size_a`, that check is:$$\left\lfloor\frac{M}{3L}\right\rfloor \le \left\lfloor\frac{s - 11}{10}\right\rfloor$$From this it follows that$$\frac{M}{3L} < \frac{s-1}{10}$$hence that$$\frac{L(s-1)}{M} > \frac{10}{3} > \log_2(10).$$So$$2^{L(s-1)} > 10^M.$$But our input integer $a$ satisfies $|a| \ge 2^{L(s-1)}$, so $|a|$ is larger than $10^M$. This shows that we don't accidentally capture anything _below_ the intended limit in the check.<!-- gh-issue-number:pythongh-95778 -->* Issue:pythongh-95778<!-- /gh-issue-number -->Co-authored-by: Gregory P. Smith [Google LLC] <greg@krypto.org>(cherry picked from commitb126196)Co-authored-by: Mark Dickinson <dickinsm@gmail.com>