Skip to content

bpo-30058: Fixed buffer overflow in select.kqueue.control(). #1095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Oct 12, 2017
Merged

bpo-30058: Fixed buffer overflow in select.kqueue.control(). #1095

merged 9 commits into from
Oct 12, 2017

Conversation

@serhiy-storchaka
Copy link
Member

@serhiy-storchaka serhiy-storchaka commented Apr 12, 2017
edited by bedevere-bot
Loading

@serhiy-storchaka serhiy-storchaka added type-bug An unexpected behavior, bug, or error needs backport to 2.7 labels Apr 12, 2017
@mention-bot
Copy link

mention-bot commented Apr 12, 2017

@serhiy-storchaka, thanks for your PR! By analyzing the history of the files in this pull request, we identified @tiran, @cf-natali and @akuchling to be potential reviewers.
zhangyangyu
zhangyangyu reviewed Apr 13, 2017
View reviewed changes
Modules/selectmodule.c Outdated
if (nchanges < 0) {
goto error;
}
nchanges = PySequence_Fast_GET_SIZE(arg);
Copy link
Member

@zhangyangyu zhangyangyu Apr 13, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PySequence_Fast_GET_SIZE returns a Py_ssize_t. This may trigger a compile warning.
Copy link
Member Author

@serhiy-storchaka serhiy-storchaka Apr 13, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point!
zhangyangyu
zhangyangyu reviewed Apr 13, 2017
View reviewed changes
Modules/selectmodule.c Outdated
}
nchanges = PyObject_Size(ch);
if (nchanges < 0) {
if (PySequence_Fast_GET_SIZE(arg) > INT_MAX / sizeof(struct kevent)) {
Copy link
Member

@zhangyangyu zhangyangyu Apr 13, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

arg should be seq, right?

I don't think we need to / sizeof(struct kevent). > INT_MAX is enough. Then there will be a memory error below. Or use PY_SSIZE_T_MAX here, assuming PY_SSIZE_T_MAX / sizeof(struct kevent) <= INT_MAX.
Copy link
Member Author

@serhiy-storchaka serhiy-storchaka Apr 13, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.
zhangyangyu
zhangyangyu approved these changes Apr 14, 2017
View reviewed changes
Copy link
Member

@zhangyangyu zhangyangyu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM from code. But I can't even compile.
louisom
louisom suggested changes Apr 16, 2017
View reviewed changes
Copy link
Contributor

@louisom louisom left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just a nit typo
Lib/test/test_kqueue.py Outdated
kq.close()

def test_issue30058(self):
# chagelist must be an iterable
Copy link
Contributor

@louisom louisom Apr 16, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: chagelist -> changelist
Copy link
Member Author

@serhiy-storchaka serhiy-storchaka Apr 16, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch @lulouie!
@louisom
Copy link
Contributor

louisom commented Apr 16, 2017

@zhangyangyu why can't you compile? My env compile it well.
@zhangyangyu
Copy link
Member

zhangyangyu commented Apr 16, 2017

@lulouie , the code is specialized for BSD. I only have access to Linux. Compiling it on Linux doesn't make any sense.
@louisom
Copy link
Contributor

louisom commented Apr 16, 2017

@zhangyangyu ah, It has compiled on Linux, but only the GNU part, not BSD part.
@vstinner vstinner self-requested a review April 21, 2017 22:54
@serhiy-storchaka serhiy-storchaka merged commit de07210 into python:master Oct 12, 2017
@miss-islington
Copy link
Contributor

miss-islington commented Oct 12, 2017

Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 2.7, 3.6.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!
@serhiy-storchaka serhiy-storchaka deleted the kqueue-control-buffer-overflow branch October 12, 2017 19:17
@bedevere-bot
Copy link

bedevere-bot commented Oct 12, 2017

GH-3973 is a backport of this pull request to the 3.6 branch.
miss-islington pushed a commit to miss-islington/cpython that referenced this pull request Oct 12, 2017
@serhiy-storchaka @miss-islington
[3.6] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (p…
3619f53 
…ythonGH-1095) (cherry picked from commit de07210)
@miss-islington
Copy link
Contributor

miss-islington commented Oct 12, 2017

Sorry, @serhiy-storchaka, I could not cleanly backport this to 2.7 due to a conflict.
Please backport using cherry_picker on command line.
cherry_picker de072100775cc29e6cd93a75466cecbd1086f258 2.7
serhiy-storchaka added a commit to serhiy-storchaka/cpython that referenced this pull request Oct 12, 2017
@serhiy-storchaka
[2.7] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (p…
680dfc1 
…ythonGH-1095). (cherry picked from commit de07210)
@bedevere-bot
Copy link

bedevere-bot commented Oct 12, 2017

GH-3976 is a backport of this pull request to the 2.7 branch.
serhiy-storchaka pushed a commit that referenced this pull request Oct 12, 2017
@miss-islington @serhiy-storchaka
[3.6] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (G…
c923da1 
…H-1095) (#3973) (cherry picked from commit de07210)
serhiy-storchaka added a commit that referenced this pull request Oct 12, 2017
@serhiy-storchaka
[2.7] bpo-30058: Fixed buffer overflow in select.kqueue.control(). (G…
9aa6024 
…H-1095). (#3976) (cherry picked from commit de07210)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type-bug An unexpected behavior, bug, or error

9 participants

@serhiy-storchaka @mention-bot @louisom @zhangyangyu @miss-islington @bedevere-bot @brettcannon @Mariatta @the-knights-who-say-ni