Improve size validation in _Py_DecodeUTF8Ex #91421
This was referenced Apr 13, 2022
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Apr 13, 2022
The left-hand side expression of the if-check can be converted to a constant by the compiler, but the addition on the right-hand side is performed during runtime. Move the addition from the right-hand side to the left-hand side by turning it into a subtraction there. Since the values are known to be large enough to not turn negative, this is a safe operation. Prevents a very unlikely integer overflow on 32 bit systems. Fixes pythonGH-91421. (cherry picked from commit 0859368) Co-authored-by: Tobias Stoeckmann <[email protected]>
JelleZijlstra pushed a commit that referenced this issue Apr 14, 2022
The left-hand side expression of the if-check can be converted to a constant by the compiler, but the addition on the right-hand side is performed during runtime. Move the addition from the right-hand side to the left-hand side by turning it into a subtraction there. Since the values are known to be large enough to not turn negative, this is a safe operation. Prevents a very unlikely integer overflow on 32 bit systems. Fixes GH-91421. (cherry picked from commit 0859368) Co-authored-by: Tobias Stoeckmann <[email protected]>
hello-adam pushed a commit to hello-adam/cpython that referenced this issue Jun 2, 2022
…) (pythonGH-91493) The left-hand side expression of the if-check can be converted to a constant by the compiler, but the addition on the right-hand side is performed during runtime. Move the addition from the right-hand side to the left-hand side by turning it into a subtraction there. Since the values are known to be large enough to not turn negative, this is a safe operation. Prevents a very unlikely integer overflow on 32 bit systems. Fixes pythonGH-91421. (cherry picked from commit 0859368) Co-authored-by: Tobias Stoeckmann <[email protected]>
Closed
The size check in _Py_DecodeUTF8Ex can be improved to always check against a constant value without further arithmetic involved. This is already done at other places within the file, e.g. here.
I was curious if this could actually be triggered with a proof of concept by overflowing the check and eventually performing an out of boundary heap access. And in fact, with a very artificial setup, it is possible on a 32 bit system which tries to convert a 2 GB long string:
I doubt that this is really reachable with actual code. But at least it is a good showcase that actual arithmetic is left over in the if-check. Let's remove it and save us this possible headache.
PS: Not sure if this is the correct way to create python issues with GitHub now. Let me know if something's missing or wrong!
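Added example, not CPython's code and not the proof of concept the issue refers to: a C model of the two forms of the size check described in the commit message, showing where they diverge. It assumes a 32-bit signed size type (modeled with `int32_t`) and 4-byte output elements; `ssize32_t`, `ELEM_SIZE` and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed model: a 32-bit signed size type and 4-byte output elements. */
typedef int32_t ssize32_t;
#define SSIZE32_MAX INT32_MAX
#define ELEM_SIZE 4

/* size + 1 as a 32-bit build typically computes it. Signed overflow is
 * undefined in C, so the wraparound is emulated through uint32_t here. */
static ssize32_t add1_wrapping(ssize32_t size) {
    return (ssize32_t)((uint32_t)size + 1u);
}

/* Form with runtime arithmetic on the right-hand side. 1 = rejected. */
int rejects_with_addition(ssize32_t size) {
    return SSIZE32_MAX / ELEM_SIZE < add1_wrapping(size);
}

/* Form with the +1 moved to the left as -1: the bound is a constant. */
int rejects_with_constant(ssize32_t size) {
    return SSIZE32_MAX / ELEM_SIZE - 1 < size;
}

/* Bytes a (size + 1) * ELEM_SIZE request yields with a 32-bit size_t. */
uint32_t alloc_bytes32(ssize32_t size) {
    return ((uint32_t)size + 1u) * (uint32_t)ELEM_SIZE;
}

int main(void) {
    /* Constructed inputs: two values around the bound and the maximum. */
    const ssize32_t samples[] = {
        SSIZE32_MAX / ELEM_SIZE - 1, SSIZE32_MAX / ELEM_SIZE, SSIZE32_MAX
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ssize32_t s = samples[i];
        printf("size=%ld addition_form=%s constant_form=%s alloc=%lu bytes\n",
               (long)s,
               rejects_with_addition(s) ? "reject" : "accept",
               rejects_with_constant(s) ? "reject" : "accept",
               (unsigned long)alloc_bytes32(s));
    }
    return 0;
}
```

For the maximum size the addition form accepts the input and the modeled 32-bit allocation request wraps to 0 bytes, while the constant form rejects it. Around the bound itself the two forms agree.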