buffer overflow in socket.recvfrom_into

[rmsr]

BPO	20246
Nosy	@pefu, @ncoghlan, @pitrou, @giampaolo, @tiran, @ezio-melotti, @bitdancer, @skrah, @koobs
Files	recvfrom_into_buffer_overflow_3.4.patch: patch against v3.4 recvfrom_into_buffer_overflow_2.7.patch: patch against 2.7 recvfrom_into_small_buffer_test.patch

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2014-01-14.04:15:07.334>
created_at = <Date 2014-01-14.00:43:59.168>
labels = ['type-security', 'extension-modules']
title = 'buffer overflow in socket.recvfrom_into'
updated_at = <Date 2014-03-01.07:16:38.971>
user = 'https://bugs.python.org/rmsr'

bugs.python.org fields:

activity = <Date 2014-03-01.07:16:38.971>
actor = 'koobs'
assignee = 'none'
closed = True
closed_date = <Date 2014-01-14.04:15:07.334>
closer = 'python-dev'
components = ['Extension Modules']
creation = <Date 2014-01-14.00:43:59.168>
creator = 'rmsr'
dependencies = []
files = ['33452', '33453', '33573']
hgrepos = []
issue_num = 20246
keywords = ['patch']
message_count = 24.0
messages = ['208062', '208066', '208070', '208422', '208428', '208501', '208580', '208711', '208712', '212165', '212166', '212167', '212168', '212179', '212196', '212206', '212207', '212208', '212248', '212249', '212253', '212418', '212489', '212490']
nosy_count = 13.0
nosy_names = ['pefu', 'ncoghlan', 'pitrou', 'giampaolo.rodola', 'christian.heimes', 'rmsr', 'ezio.melotti', 'r.david.murray', 'cvrebert', 'skrah', 'offby1', 'python-dev', 'koobs']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue20246'
versions = ['Python 3.1', 'Python 2.7', 'Python 3.2', 'Python 3.3', 'Python 3.4']

[rmsr]

recvfrom_into fails to check that the supplied buffer object is big enough for the requested read and so will happily write off the end.

I will attach patches for 3.4 and 2.7, I'm not familiar with the backporting procedure to go further but all versions since 2.5 have this bug and while very highly unlikely it's technically remotely exploitable.

Quickie trigger script, crash on interpreter exit:

--------- BEGIN SEGFAULT ---------

import socket
r, w = socket.socketpair()
w.send(b'X' * 1024)
r.recvfrom_into(bytearray(), 1024)

[bitdancer]

Everything before 2.7 is already out of even security maintenance, so you've already checked off everything it will get fixed in.

[python-dev]

New changeset 87673659d8f7 by Benjamin Peterson in branch '2.7':
complain when nbytes > buflen to fix possible buffer overflow (closes bpo-20246)
http://hg.python.org/cpython/rev/87673659d8f7

New changeset 715fd3d8ac93 by Benjamin Peterson in branch '3.1':
complain when nbytes > buflen to fix possible buffer overflow (closes bpo-20246)
http://hg.python.org/cpython/rev/715fd3d8ac93

New changeset 9c56217e5c79 by Benjamin Peterson in branch '3.2':
complain when nbytes > buflen to fix possible buffer overflow (closes bpo-20246)
http://hg.python.org/cpython/rev/9c56217e5c79

New changeset 7f176a45211f by Benjamin Peterson in branch '3.3':
merge 3.2 (bpo-20246)
http://hg.python.org/cpython/rev/7f176a45211f

New changeset ead74e54d68f by Benjamin Peterson in branch 'default':
merge 3.3 (bpo-20246)
http://hg.python.org/cpython/rev/ead74e54d68f

New changeset 37ed85008f51 by Benjamin Peterson in branch 'default':
merge 3.3 (bpo-20246)
http://hg.python.org/cpython/rev/37ed85008f51

[skrah]

One test fails on FreeBSD 9.0 and 6.4:

======================================================================
ERROR: testRecvFromIntoSmallBuffer (test.test_socket.BufferIOTest)
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 259, in _tearDown
    raise exc
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 271, in clientRun
    test_func()
  File "/usr/home/db3l/buildarea/3.x.bolen-freebsd/build/Lib/test/test_socket.py", line 4690, in _testRecvFromIntoSmallBuffer
    self.serv_conn.send(MSG*2048)
BrokenPipeError: [Errno 32] Broken pipe

[rmsr]

Perhaps the test is sending an infeasibly large message. If you remove the '*2048' does it pass? (I set up a FreeBSD 9.2 amd64 VM but all tests are passing here).

[skrah]

MSG*1024 passes. I did not look at this issue: Would changing the value to 1024
invalidate the test?

[rmsr]

The send part of the test doesn't matter, since what's being tested happens before any reads. The MSG multiplier should be removed completely, since none of the other tests do that.

Patch attached.

[python-dev]

New changeset 5c4f4db8107c by Stefan Krah in branch '3.3':
Issue bpo-20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/5c4f4db8107c

New changeset 9bbc3cc8ff4c by Stefan Krah in branch 'default':
Issue bpo-20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/9bbc3cc8ff4c

New changeset b6c5a37b221f by Stefan Krah in branch '2.7':
Issue bpo-20246: Fix test failures on FreeBSD. Patch by Ryan Smith-Roberts.
http://hg.python.org/cpython/rev/b6c5a37b221f

[skrah]

Thanks Ryan. As you say, the original segfault is also triggered with the
shortened message.

[tiran]

I just came across https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/ . Now I wonder why this bug was neither reported to PSRT nor get a CVE number. It's a buffer overflow...

I'm going to contact MITRE right away.