New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible integer overflow in iov_setup() #78052
Comments
The iov_setup() helper in posixmodule.c returns the total size of all buffers. But there is possible an integer overflow because the sequence of buffers can contain the same buffer repeated multiple times. On 32-bit platform: >>> import os
>>> f = open('/tmp/temp', 'wb')
>>> os.writev(f.fileno(), [b'x' * 2**16] * 2**15)
-1 Since the overflowed sum is negative, os_writev_impl() returns -1 as a signal of error, but since the exception is not set, -1 is returned as the result of os.writev(). If the overflowed sum is not negative, the sequence of buffers is passed to OS and an OSError is raised: >>> os.writev(f.fileno(), [b'x' * 2**16] * 2**16)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument I have not tested (because have not installed corresponding 32-bit OSes, and it is harder to reproduce on 64-bit), but seems this can even cause a crash in os.sendfile() on FreeBSD, DragonFly BSD and Mac OS. This sum is used only in os.sendfile() on Mac OS. In all other cases it is enough to return just an error flag. I can't find the documentation for os.sendfile() on Mac OS for checking if this value actually is needed. |
I can reproduce the issue on a i686 GNU/Linux Debian system: >>> import os
>>> f = open('/tmp/temp', 'wb')
>>> l = os.writev(f.fileno(), [b'x' * 2**16] * 2**15)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
SystemError: error return without exception set |
Docs for sendfile in macOS: |
Test case: import os
fo = open('/tmp/temp', 'wb')
fi = open('/tmp/temp', 'rb')
os.sendfile(fo.fileno(), fi.fileno(), 0, 0, headers=[b'x' * 2**16] * 2**15) -- 64-bit Python $ ./bin/python3.8 ~/Desktop/test_s.py
Traceback (most recent call last):
File "/Users/nad/Desktop/test_s.py", line 4, in <module>
os.sendfile(fo.fileno(), fi.fileno(), 0, 0, headers=[b'x' * 2**16] * 2**15)
OSError: [Errno 38] Socket operation on non-socket
sys:1: ResourceWarning: unclosed file <_io.BufferedWriter name='/tmp/temp'>
sys:1: ResourceWarning: unclosed file <_io.BufferedReader name='/tmp/temp'> 32-bit Python $ ./bin/python3.8-32 ~/Desktop/test_s.py
Fatal Python error: a function returned NULL without setting an error
SystemError: <built-in function sendfile> returned NULL without setting an error Current thread 0xa983a1c0 (most recent call first): |
Thank you Pablo and Ned! Seems there is other bug on Mac OS, not related to integer overflow. I am working on it. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: