Potential buffer-overflow from string operations in function array_from_pyobj of fortranobject.c

[awen-li]

Reproducing code example:

Snippet:

    char mess[200];
    if ((intent & F2PY_INTENT_HIDE)
        || ((intent & F2PY_INTENT_CACHE) && (obj==Py_None))
        || ((intent & F2PY_OPTIONAL) && (obj==Py_None))
        ) {
        /* intent(cache), optional, intent(hide) */
        if (count_negative_dimensions(rank,dims) > 0) {
            int i;
            strcpy(mess, "failed to create intent(cache|hide)|optional array"
                   "-- must have defined dimensions but got (");  ----> 91 chars copied into mess
            for(i=0;i<rank;++i)
                sprintf(mess+strlen(mess),"%" NPY_INTP_FMT ",",dims[i]);  ----> max of rank is F2PY_MAX_DIMS (40), and all values of dims could be -1. Given the format "%d," ("-1,"), max length of this part could be 40*3=120 + 91 > 200
            strcat(mess, ")");
            PyErr_SetString(PyExc_ValueError,mess);
            return NULL;
        }
        arr = (PyArrayObject *)
            PyArray_New(&PyArray_Type, rank, dims, type_num,
                        NULL,NULL,1,
                        !(intent&F2PY_INTENT_C),
                        NULL);
        if (arr==NULL) return NULL;
        if (!(intent & F2PY_INTENT_CACHE))
            PyArray_FILLWBYTE(arr, 0);
        return arr;
    }

Error message:

File: numpy/f2py/src/fortranobject.c
Function: array_from_pyobj (line 724 : 733)
Optional call-path: External -> fortran_setattr -> array_from_pyobj
Details in description

When we run our analysis tool on NumPy, a few Inappropriate string operations are reported at call sites of function strcpy, sprintf, and strcat in array_from_pyobj. There are no boundary checks at these points despite "mess" seems large enough to ensure the operations safe except for the point shown above.
As a suggestion, it is better to replace these functions with strncpy, strncat, and snprintf.

NumPy/Python version information:

the main branch of NumPy

[awen-li]

Anyone can help confirm this issue? thanks.

[eric-wieser]

This report is almost certainly valid, but I suspect there are lower-hanging bugs in the f2py code. It's probably easier to assemble the strings on the heap using the Python C API than mess with keeping track of buffer lengths.

[melissawm]

Thanks @Daybreak2019 - string support in f2py is undergoing some changes, I'll include this in the things to check.

[00xc]

Hi, any update on this issue? It was recently assigned CVE-2021-41496.

[seberg]

I don't think the CVE text is quite correct. I do not see the "by carefully constructing an array with negative values" working (I guess "array" refers to the C array of dims), these are negative dimensions though and such an array should never exist, there would be far worse problems.

I would have to check closer, but I think that negative values are always placed there by f2py/the wrapping module itself. Users may be able to trigger the error (not quite sure how), but I do not think they can craft it or the message based on malicious data (the one exception is that there is a test function calling this more directly, but this is also not available by passing malicious data).

To be clear, this should be fixed and should be easy enough (contributions also welcome!). @melissawm, @HaoZeke do you have a bit of time to just check this off? I still doubt there is much of an attack vector at all, unless you are wrapping very high dimensional working arrays and additional expose an API that allows "malicious data" to toggle whether or not the path is taken.

[WarrenWeckesser]

@seberg, I submitted a PR a few minutes ago: #20630

[seberg]

Ah, that was quick, cool :). Not related to this, but we may want to replace all other sprintf's here with PyErr_Format or similar, since the f2py-cleanup drive is continuing.