[PATCH] _json module arbitrary process memory read vulnerability

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [PATCH] _json module arbitrary process memory read vulnerability
@ 2014-07-17 10:27 Daniel BORNAZ
  2014-07-17 16:26 ` Saul Wold
  2014-07-18 18:14 ` [yocto] " Saul Wold
  0 siblings, 2 replies; 3+ messages in thread
From: Daniel BORNAZ @ 2014-07-17 10:27 UTC (permalink / raw)
  To: yocto, openembedded-core; +Cc: Benjamin Peterson

python-native: _json module arbitrary process memory read vulnerability

http://bugs.python.org/issue21529

Python 2 and 3 are susceptible to arbitrary process memory reading by
a user or adversary due to a bug in the _json module caused by
insufficient bounds checking.

The sole prerequisites of this attack are that the attacker is able to
control or influence the two parameters of the default scanstring
function: the string to be decoded and the index.

The bug is caused by allowing the user to supply a negative index
value. The index value is then used directly as an index to an array
in the C code; internally the address of the array and its index are
added to each other in order to yield the address of the value that is
desired. However, by supplying a negative index value and adding this
to the address of the array, the processor's register value wraps
around and the calculated value will point to a position in memory
which isn't within the bounds of the supplied string, causing the
function to access other parts of the process memory.

Signed-off-by: Benjamin Peterson <benjamin@python.org>


Applied to python-native recipe in order to fix the above mentioned vulnerability.

Upstream-Status: Submitted

Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>

---
 meta/recipes-devtools/python/python-native_2.7.3.bb  |  1 +
 .../python/python/python-json-flaw-fix.patch         | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 meta/recipes-devtools/python/python/python-json-flaw-fix.patch

diff --git a/meta/recipes-devtools/python/python-native_2.7.3.bb b/meta/recipes-devtools/python/python-native_2.7.3.bb
index 0571d3a..74f0dfc 100644
--- a/meta/recipes-devtools/python/python-native_2.7.3.bb
+++ b/meta/recipes-devtools/python/python-native_2.7.3.bb
@@ -19,6 +19,7 @@ SRC_URI += "\
            file://parallel-makeinst-create-bindir.patch \
            file://python-fix-build-error-with-Readline-6.3.patch \
            file://gcc-4.8-fix-configure-Wformat.patch \
+           file://python-json-flaw-fix.patch \
            "
 S = "${WORKDIR}/Python-${PV}"
 
diff --git a/meta/recipes-devtools/python/python/python-json-flaw-fix.patch b/meta/recipes-devtools/python/python/python-json-flaw-fix.patch
new file mode 100644
index 0000000..631713d
--- /dev/null
+++ b/meta/recipes-devtools/python/python/python-json-flaw-fix.patch
@@ -0,0 +1,20 @@
+--- a/Modules/_json.c	2014-07-15 15:37:17.151046356 +0200
++++ b/Modules/_json.c	2014-07-15 15:38:37.335605042 +0200
+@@ -1491,7 +1491,7 @@ scan_once_str(PyScannerObject *s, PyObje
+     PyObject *res;
+     char *str = PyString_AS_STRING(pystr);
+     Py_ssize_t length = PyString_GET_SIZE(pystr);
+-    if (idx >= length) {
++    if ( idx < 0 || idx >= length) {
+         PyErr_SetNone(PyExc_StopIteration);
+         return NULL;
+     }
+@@ -1578,7 +1578,7 @@ scan_once_unicode(PyScannerObject *s, Py
+     PyObject *res;
+     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
+     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
+-    if (idx >= length) {
++    if ( idx < 0 || idx >= length) {
+         PyErr_SetNone(PyExc_StopIteration);
+         return NULL;
+     }
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] _json module arbitrary process memory read vulnerability
  2014-07-17 10:27 [PATCH] _json module arbitrary process memory read vulnerability Daniel BORNAZ
@ 2014-07-17 16:26 ` Saul Wold
  2014-07-18 18:14 ` [yocto] " Saul Wold
  1 sibling, 0 replies; 3+ messages in thread
From: Saul Wold @ 2014-07-17 16:26 UTC (permalink / raw)
  To: Daniel BORNAZ, yocto, openembedded-core; +Cc: Benjamin Peterson

On 07/17/2014 03:27 AM, Daniel BORNAZ wrote:
> python-native: _json module arbitrary process memory read vulnerability
>
> http://bugs.python.org/issue21529
>
> Python 2 and 3 are susceptible to arbitrary process memory reading by
> a user or adversary due to a bug in the _json module caused by
> insufficient bounds checking.
>
> The sole prerequisites of this attack are that the attacker is able to
> control or influence the two parameters of the default scanstring
> function: the string to be decoded and the index.
>
> The bug is caused by allowing the user to supply a negative index
> value. The index value is then used directly as an index to an array
> in the C code; internally the address of the array and its index are
> added to each other in order to yield the address of the value that is
> desired. However, by supplying a negative index value and adding this
> to the address of the array, the processor's register value wraps
> around and the calculated value will point to a position in memory
> which isn't within the bounds of the supplied string, causing the
> function to access other parts of the process memory.
>
> Signed-off-by: Benjamin Peterson <benjamin@python.org>
>
>
> Applied to python-native recipe in order to fix the above mentioned vulnerability.
>
> Upstream-Status: Submitted
>
> Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
>
> ---
>   meta/recipes-devtools/python/python-native_2.7.3.bb  |  1 +
>   .../python/python/python-json-flaw-fix.patch         | 20 ++++++++++++++++++++
>   2 files changed, 21 insertions(+)
>   create mode 100644 meta/recipes-devtools/python/python/python-json-flaw-fix.patch
>
> diff --git a/meta/recipes-devtools/python/python-native_2.7.3.bb b/meta/recipes-devtools/python/python-native_2.7.3.bb
> index 0571d3a..74f0dfc 100644
> --- a/meta/recipes-devtools/python/python-native_2.7.3.bb
> +++ b/meta/recipes-devtools/python/python-native_2.7.3.bb
> @@ -19,6 +19,7 @@ SRC_URI += "\
>              file://parallel-makeinst-create-bindir.patch \
>              file://python-fix-build-error-with-Readline-6.3.patch \
>              file://gcc-4.8-fix-configure-Wformat.patch \
> +           file://python-json-flaw-fix.patch \
>              "
>   S = "${WORKDIR}/Python-${PV}"
>
> diff --git a/meta/recipes-devtools/python/python/python-json-flaw-fix.patch b/meta/recipes-devtools/python/python/python-json-flaw-fix.patch
> new file mode 100644
> index 0000000..631713d
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/python-json-flaw-fix.patch
> @@ -0,0 +1,20 @@
> +--- a/Modules/_json.c	2014-07-15 15:37:17.151046356 +0200
> ++++ b/Modules/_json.c	2014-07-15 15:38:37.335605042 +0200

You need to to have the Upstream-Status in the patch file itself, along 
with a Signed-off-by, so that the information in available here.

Thanks
	Sau!

> +@@ -1491,7 +1491,7 @@ scan_once_str(PyScannerObject *s, PyObje
> +     PyObject *res;
> +     char *str = PyString_AS_STRING(pystr);
> +     Py_ssize_t length = PyString_GET_SIZE(pystr);
> +-    if (idx >= length) {
> ++    if ( idx < 0 || idx >= length) {
> +         PyErr_SetNone(PyExc_StopIteration);
> +         return NULL;
> +     }
> +@@ -1578,7 +1578,7 @@ scan_once_unicode(PyScannerObject *s, Py
> +     PyObject *res;
> +     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
> +     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
> +-    if (idx >= length) {
> ++    if ( idx < 0 || idx >= length) {
> +         PyErr_SetNone(PyExc_StopIteration);
> +         return NULL;
> +     }
>


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [yocto] [PATCH] _json module arbitrary process memory read vulnerability
  2014-07-17 10:27 [PATCH] _json module arbitrary process memory read vulnerability Daniel BORNAZ
  2014-07-17 16:26 ` Saul Wold
@ 2014-07-18 18:14 ` Saul Wold
  1 sibling, 0 replies; 3+ messages in thread
From: Saul Wold @ 2014-07-18 18:14 UTC (permalink / raw)
  To: Daniel BORNAZ, yocto, openembedded-core; +Cc: Benjamin Peterson

On 07/17/2014 03:27 AM, Daniel BORNAZ wrote:
> python-native: _json module arbitrary process memory read vulnerability
>
This should be the proper subject of the mail and commit, please update 
and see below.

> http://bugs.python.org/issue21529
>
> Python 2 and 3 are susceptible to arbitrary process memory reading by
> a user or adversary due to a bug in the _json module caused by
> insufficient bounds checking.
>
> The sole prerequisites of this attack are that the attacker is able to
> control or influence the two parameters of the default scanstring
> function: the string to be decoded and the index.
>
> The bug is caused by allowing the user to supply a negative index
> value. The index value is then used directly as an index to an array
> in the C code; internally the address of the array and its index are
> added to each other in order to yield the address of the value that is
> desired. However, by supplying a negative index value and adding this
> to the address of the array, the processor's register value wraps
> around and the calculated value will point to a position in memory
> which isn't within the bounds of the supplied string, causing the
> function to access other parts of the process memory.
>
> Signed-off-by: Benjamin Peterson <benjamin@python.org>
>
>
> Applied to python-native recipe in order to fix the above mentioned vulnerability.
>
> Upstream-Status: Submitted
>
> Signed-off-by: Daniel BORNAZ <daniel.bornaz@enea.com>
>
> ---
>   meta/recipes-devtools/python/python-native_2.7.3.bb  |  1 +
>   .../python/python/python-json-flaw-fix.patch         | 20 ++++++++++++++++++++
>   2 files changed, 21 insertions(+)
>   create mode 100644 meta/recipes-devtools/python/python/python-json-flaw-fix.patch
>
> diff --git a/meta/recipes-devtools/python/python-native_2.7.3.bb b/meta/recipes-devtools/python/python-native_2.7.3.bb
> index 0571d3a..74f0dfc 100644
> --- a/meta/recipes-devtools/python/python-native_2.7.3.bb
> +++ b/meta/recipes-devtools/python/python-native_2.7.3.bb
> @@ -19,6 +19,7 @@ SRC_URI += "\
>              file://parallel-makeinst-create-bindir.patch \
>              file://python-fix-build-error-with-Readline-6.3.patch \
>              file://gcc-4.8-fix-configure-Wformat.patch \
> +           file://python-json-flaw-fix.patch \
>              "
>   S = "${WORKDIR}/Python-${PV}"
>
> diff --git a/meta/recipes-devtools/python/python/python-json-flaw-fix.patch b/meta/recipes-devtools/python/python/python-json-flaw-fix.patch
> new file mode 100644
> index 0000000..631713d

This patch file needs a Signed-off-by and Upstream-Status.

Thanks
> --- /dev/null
> +++ b/meta/recipes-devtools/python/python/python-json-flaw-fix.patch
> @@ -0,0 +1,20 @@
> +--- a/Modules/_json.c	2014-07-15 15:37:17.151046356 +0200
> ++++ b/Modules/_json.c	2014-07-15 15:38:37.335605042 +0200
> +@@ -1491,7 +1491,7 @@ scan_once_str(PyScannerObject *s, PyObje
> +     PyObject *res;
> +     char *str = PyString_AS_STRING(pystr);
> +     Py_ssize_t length = PyString_GET_SIZE(pystr);
> +-    if (idx >= length) {
> ++    if ( idx < 0 || idx >= length) {
> +         PyErr_SetNone(PyExc_StopIteration);
> +         return NULL;
> +     }
> +@@ -1578,7 +1578,7 @@ scan_once_unicode(PyScannerObject *s, Py
> +     PyObject *res;
> +     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
> +     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
> +-    if (idx >= length) {
> ++    if ( idx < 0 || idx >= length) {
> +         PyErr_SetNone(PyExc_StopIteration);
> +         return NULL;
> +     }
>


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2014-07-18 18:14 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-07-17 10:27 [PATCH] _json module arbitrary process memory read vulnerability Daniel BORNAZ
2014-07-17 16:26 ` Saul Wold
2014-07-18 18:14 ` [yocto] " Saul Wold

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox