hashlib segmentation fault #79103
Comments
Python hashlib: a signed overflow may cause a memory over-read. Python version:
x.py
See also bpo-33729. We need this addressed for 3.6.7.
Thanks for the report. Interesting, this is not reproducible on master and the latest 3.7 branch (though both give different errors), but it is reproducible on the latest 3.6 and v3.7.0. As Ned noted, this seems to have been fixed with bpo-33729, but there is still no decision on reverting/keeping the commits made with the linked issue.

# master
./python.exe
Python 3.8.0a0 (heads/master:7dfbd49671, Oct 7 2018, 16:00:31)
[Clang 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.shake_128().hexdigest(-10)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ValueError: value must be positive

# upstream/3.7
./python.exe
Python 3.7.1rc1+ (remotes/upstream/3.7:3b699932e5, Oct 7 2018, 21:44:03)
[Clang 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.shake_128().hexdigest(-10)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OverflowError: can't convert negative value to unsigned int

# 3.7.0 segfaults
./python.exe
Python 3.7.0 (tags/v3.7.0:1bf9cc5093, Oct 7 2018, 21:51:43)
[Clang 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.shake_128().hexdigest(-10)
[1] 67585 bus error ./python.exe

# upstream/3.6 segfaults
./python.exe
Python 3.6.7rc1+ (remotes/upstream/3.6:177254c96f, Oct 7 2018, 21:42:19)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import hashlib
>>> hashlib.shake_128().hexdigest(-10)
[1] 49096 bus error ./python.exe

Thanks
Sorry Ned, my comment seems to have changed the priority while submitting the comment. I would also propose adding the attached report as a unit test.
No problem; that's something to watch out for when you get an update conflict message from the bug tracker! Regarding this issue, I believe Serhiy is going to do a PR, but perhaps you can work with him on providing the test case.
The original crash is not reproducible in 3.7 and master, but Victor found another example that causes a crash in 3.7 and master:

import hashlib; hashlib.shake_128().hexdigest(2**64-10)

Use 2**32-10 on 32-bit platforms. I suppose that passing 2**29 on 32-bit platforms will cause problems too. And this is just 512 MiB. So this issue affects 3.6, 3.7 and master.
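The two failure modes reported in this thread (a negative length that becomes a huge unsigned value, and a huge length whose doubling for hex output wraps) are the same bug class. The following is an added C model of that class and of the checks that close it; it is not CPython's _sha3.c and not code posted by anyone in the thread. The function names, the 2*length hex-size arithmetic, the 1<<29 ceiling and the filler byte stream are assumptions made for the demonstration.

```c
/* Added illustrative model of the digest-length bug class discussed in this
 * issue. NOT CPython's _sha3.c: the names, the 2*len hex-size arithmetic,
 * the MAX_DIGEST_LEN ceiling and the filler bytes are assumptions. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest digest length the checked variant accepts (assumed policy). */
#define MAX_DIGEST_LEN ((size_t)1 << 29)

/* Unchecked: the shape of the bug. The caller's signed length is converted
 * to size_t (so -10 becomes SIZE_MAX - 9) and doubled for hex output, which
 * wraps silently. The returned value is what a naive implementation would
 * hand to malloc() before writing 2*length bytes into the result. */
size_t hex_size_unchecked(long length)
{
    size_t digestlen = (size_t)length;   /* implicit signed -> unsigned */
    return digestlen * 2;                /* unsigned wrap, no diagnostic */
}

/* Checked: reject negatives before any conversion, cap the length, and
 * verify that the doubling cannot overflow. Returns false on rejection and
 * leaves *out untouched. */
bool hex_size_checked(long length, size_t *out)
{
    if (length < 0) {
        return false;                    /* cf. "value must be positive" */
    }
    size_t digestlen = (size_t)length;
    if (digestlen >= MAX_DIGEST_LEN) {
        return false;                    /* cf. "length is too large" */
    }
    if (digestlen > SIZE_MAX / 2) {      /* unreachable under the cap; kept
                                            as defence in depth */
        return false;
    }
    *out = digestlen * 2;
    return true;
}

/* Toy "hexdigest": emits 2*length hex characters from a constructed,
 * deterministic byte stream (NOT a real XOF), allocating only a size that
 * passed hex_size_checked(). Returns NULL when the length is rejected, so a
 * wrapped size is never allocated or written through. Caller frees. */
char *toy_hexdigest(long length)
{
    size_t hexlen;
    if (!hex_size_checked(length, &hexlen)) {
        return NULL;
    }
    char *buf = malloc(hexlen + 1);
    if (buf == NULL) {
        return NULL;
    }
    static const char hexchars[] = "0123456789abcdef";
    for (size_t i = 0; i < (size_t)length; i++) {
        unsigned char b = (unsigned char)(i * 31u + 7u); /* constructed filler */
        buf[2 * i]     = hexchars[b >> 4];
        buf[2 * i + 1] = hexchars[b & 0x0f];
    }
    buf[hexlen] = '\0';
    return buf;
}

int main(void)
{
    long probes[] = { -10, 16, LONG_MAX - 9 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t n = 0;
        bool ok = hex_size_checked(probes[i], &n);
        printf("length=%ld unchecked=%zu checked=%s\n", probes[i],
               hex_size_unchecked(probes[i]), ok ? "ok" : "rejected");
    }
    char *h = toy_hexdigest(4);
    printf("toy_hexdigest(4) = %s\n", h ? h : "(rejected)");
    free(h);
    return 0;
}
```

Note the ordering in the checked variant: the sign test runs on the signed value before any cast, because once -10 has become SIZE_MAX - 9 no later "is it too large" comparison can distinguish it from a genuine huge request, and 2*(SIZE_MAX - 9) wraps to SIZE_MAX - 19 regardless.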
I sent this to security@python.org.
We've reached the cutoff point for 3.7.1rc2 and 3.6.7rc2 and I don't see a PR or a resolution of this for either branch yet. If there's a chance for merged PRs in the next couple of hours, I'll wait a bit longer, but otherwise these fixes will have to wait.
Should this be closed as fixed?
Since it is tagged as a release blocker, I think that only Ned can close it. Personally I don't think that this issue is a security issue. The digest() and hexdigest() argument is usually a constant. It is unlikely that the crash can be triggered by user data.
Oh brother, maybe this is worth opening a CVE.
Serhiy's fixes (thanks!) are now released in 3.7.0rc2 and 3.6.7rc2 so I'm removing the "release blocker" status. If there is nothing more to be done for this issue, can we close it?
shuoz: Note that Serhiy believes that this is not a security issue since it is unlikely that the crash can be triggered by user data. Anyone can cause segfaults or do damage if they have unrestricted access to a Python interpreter; that's a threat model for any language that allows something like Python's os.system or subprocess. A better question is: can a user of an application written in Python likely cause a DoS or create a privilege escalation? Is that the case here?
Since there has been no further discussion on this since the fixes were pushed over a year ago, I am declaring this issue resolved. Thanks for everyone's help!