[security][CVE-2021-3177] ctypes double representation BoF

[JordyZomer]

BPO	42938
Nosy	@vstinner, @tiran, @benjaminp, @ariccio, @miss-islington, @JordyZomer
PRs	closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24239 [3.9] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24247 [3.8] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24248 [3.7] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24249 [3.6] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. #24250

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2021-01-18.20:47:22.417>
created_at = <Date 2021-01-16.08:03:26.992>
labels = ['type-security', '3.8', '3.9', '3.10', 'ctypes', '3.7']
title = '[security][CVE-2021-3177] ctypes double representation BoF'
updated_at = <Date 2021-03-29.12:32:06.005>
user = 'https://github.com/JordyZomer'

bugs.python.org fields:

activity = <Date 2021-03-29.12:32:06.005>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2021-01-18.20:47:22.417>
closer = 'benjamin.peterson'
components = ['ctypes']
creation = <Date 2021-01-16.08:03:26.992>
creator = 'JordyZomer'
dependencies = []
files = []
hgrepos = []
issue_num = 42938
keywords = ['patch', 'security_issue']
message_count = 11.0
messages = ['385136', '385226', '385229', '385231', '385233', '385234', '385236', '387194', '387535', '387536', '387537']
nosy_count = 7.0
nosy_names = ['vstinner', 'christian.heimes', 'benjamin.peterson', 'Alexander Riccio', 'miss-islington', 'JordyZomer', 'milanjugessur1404']
pr_nums = ['24239', '24247', '24248', '24249', '24250']
priority = 'high'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue42938'
versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

[JordyZomer]

Hi,

There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.

The buffer overflow happens due to not checking the length of th sprintf() function on line:

case 'd':
    sprintf(buffer, "<cparam '%c' (%f)>",
        self->tag, self->value.d);
    break;

Because we control self->value.d we could make it copy _extreme_ values. For example we could make it copy 1e300 which would be a 1 with 300 zero's to overflow the buffer.

This could potentially cause RCE when a user allows untrusted input in these functions.

A minimal PoC:

>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: terminated
Aborted

I recommend __always__ controlling how much you copy so I'd use snprintf with a size argument instead.

Best Regards,

Jordy Zomer

[benjaminp]

New changeset 916610e by Benjamin Peterson in branch 'master':
closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (24239)
916610e

[benjaminp]

New changeset 34df10a by Benjamin Peterson in branch '3.6':
[3.6] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24250)
34df10a

[benjaminp]

New changeset d9b8f13 by Benjamin Peterson in branch '3.7':
[3.7] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24249)
d9b8f13

[benjaminp]

New changeset ece5dfd by Miss Islington (bot) in branch '3.8':
closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24248)
ece5dfd

[benjaminp]

New changeset c347cbe by Miss Islington (bot) in branch '3.9':
closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24247)
c347cbe

[vstinner]

FYI I created https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html to track fixes of this issue.

[vstinner]

CVE-2021-3177 has been assigned to this issue:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
• https://access.redhat.com/security/cve/cve-2021-3177

[ariccio]

Petition to remove all uses of the unchecked string handling functions from CPython?

Sidenote: if C4996 was on, this would be a warning.

[tiran]

Alexander, this bug report is closed. Could you please open a new request and explain your proposal?

[ariccio]

Yes, I definitely should. I work on https://bugs.python.org/issue25878 sometimes, which encompasses this.