[issue44218] Possible Stack Based Buffer Overflow at Programs/_freeze_importlib.c

Mohammed Dief report at bugs.python.org
Sun May 23 11:47:04 EDT 2021 

New submission from Mohammed Dief <mdaif1332 at gmail.com>:

When you open Programs/_freeze_importlib.c code, you will get the main function that gets executed when the C binary is running. That proves the first point that that's the function that is gonna be used when this code is getting built or used on other functions. at the first variables define lines you will find that there's a variable called: `buf` with memory limit of 100 bytes: https://github.com/python/cpython/blob/bb3e0c240bc60fe08d332ff5955d54197f79751c/Programs/_freeze_importlib.c#L37

If you continue tracking the `buf` variable usage, you will get that the first function it's used in is `sprintf` at: https://github.com/python/cpython/blob/bb3e0c240bc60fe08d332ff5955d54197f79751c/Programs/_freeze_importlib.c#L102 and as we all know, sprintf isn't a memory secure function on C. and when the memory size isn't validated then BOFs can happen in this case.

The sprintf function is using a variable called: `name` to store it's value to the buf variable, in this case the name variable is a constant variable that is defined as char with *name. then on https://github.com/python/cpython/blob/bb3e0c240bc60fe08d332ff5955d54197f79751c/Programs/_freeze_importlib.c#L51 the name variable value is set based on the first argument of the program.

That means, running a program with 96 'A' characters on the first argument can exceed the 100 bytes on the memory limit causing possible arbitrary code execution and DOS on the binary.
Once again, it's just a code review process. I dunno where the code is running but if you think this issue is invalid i would like to know where the code is running so I can dig deeper over there.

Here's some code tests that proves my point here too:
main.c:

#include<stdlib.h>
#include<stdio.h>

int main(int argc, char *argv[]){
    int i;
    const char *name;
    char buf[100];

    for(i=1; i < argc; i++) {
        name = argv[i];
        sprintf(buf, "<frozen %s>", name);
        puts(buf);
    }

    return 0;
}

shell:
gcc main.c -o main
./main $(python3 -c "print('A'*100)")

This issue was reported to PSRT, and they said the code is an internal tool that's used by developers not end-users. and asked me to open an issue here.

----------
components: Library (Lib)
messages: 394203
nosy: demonia
priority: normal
severity: normal
status: open
title: Possible Stack Based Buffer Overflow at Programs/_freeze_importlib.c
type: security
versions: Python 3.11

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue44218>
_______________________________________

More information about the Python-bugs-list mailing list