[security][CVE-2021-3177] ctypes double representation BoF #87104
Comments
Hi, there's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c. The buffer overflow happens due to not checking the length of the sprintf() function on line:

Because we control self->value.d we could make it copy _extreme_ values. For example we could make it copy 1e300, which would be a 1 with 300 zeros, to overflow the buffer. This could potentially cause RCE when a user allows untrusted input in these functions.

A minimal PoC:

>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: terminated
Aborted

I recommend __always__ controlling how much you copy, so I'd use snprintf with a size argument instead.

Best Regards,
Jordy Zomer
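The unchecked-length pattern the report describes, beside the bounded snprintf replacement it recommends, as an added example that is not CPython's code. The 256-byte buffer size and the "<cparam 'd' (%f)>" format string are assumptions for this example; the point is that "%f" output of a double is not bounded by any small constant, so the write must be.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer that the repr is formatted into. */
#define REPR_BUF 256

/* Assumed format string; "%f" prints every digit of the integer part. */
#define REPR_FMT "<cparam 'd' (%f)>"

/* Length the formatted repr needs for a given double. snprintf with a
 * zero-length destination writes nothing and reports the full length. */
int formatted_double_len(double d) {
    return snprintf(NULL, 0, REPR_FMT, d);
}

/* Would an unbounded sprintf of this value overrun a REPR_BUF-sized
 * buffer (the defect the report describes)? */
int would_overflow(double d) {
    return formatted_double_len(d) >= REPR_BUF;
}

/* Hardened version: bounded write, NUL-terminated result, and the caller
 * learns whether the repr was truncated instead of silently overrunning.
 * Returns 1 if the repr fit, 0 if it was truncated. */
int safe_repr(double d, char *buf, size_t bufsize) {
    int needed = snprintf(buf, bufsize, REPR_FMT, d);
    return needed >= 0 && (size_t)needed < bufsize;
}

/* Convenience wrapper using an internal REPR_BUF-sized buffer. Returns 1 if
 * the value fit, 0 if truncated; in both cases the buffer stays terminated. */
int safe_repr_fits(double d) {
    char buf[REPR_BUF];
    int fit = safe_repr(d, buf, sizeof buf);
    return fit && strlen(buf) < sizeof buf;
}

int main(void) {
    double samples[] = { 1.5, 1e300 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%g: needs %d bytes, sprintf into %d bytes overflows: %s, "
               "snprintf fits: %s\n",
               samples[i], formatted_double_len(samples[i]), REPR_BUF,
               would_overflow(samples[i]) ? "yes" : "no",
               safe_repr_fits(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```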
FYI I created https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html to track fixes of this issue.

CVE-2021-3177 has been assigned to this issue:

Petition to remove all uses of the unchecked string handling functions from CPython? Sidenote: if C4996 was on, this would be a warning.

Alexander, this bug report is closed. Could you please open a new request and explain your proposal?

Yes, I definitely should. I work on https://bugs.python.org/issue25878 sometimes, which encompasses this.