[issue6873] posix_lchown: possible overflow of uid, gid
Boya Sun boya@case.edu added the comment:

Gregory,

I discovered this bug by static analysis, so I do not have a system on which this bug is actually triggered. But I am happy to see the fix applied, since this makes the code safer. It would be great if anyone could write a test case that causes uid and gid to overflow, then use the test case as a regression test on the fix.

Boya

--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6873
___
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue6873] posix_lchown: possible overflow of uid, gid
Boya Sun boya@case.edu added the comment: Martin, Corrected the patch accordingly. Can you verify whether the fix is correct or not now? Boya -- Added file: http://bugs.python.org/file14900/patch_6873.diff
[issue6873] posix_lchown: possible overflow of uid, gid
Boya Sun boya@case.edu added the comment:

Martin,

I am sorry that I do not have a system where this code actually triggered a problem, since this bug was discovered by a *static* analysis tool that was recently developed by our research group, which finds code segments that are similar to previously fixed bugs as potential bugs.

You are saying that if I pass a long to the i argument parser it will cause a problem. But if I passed an int, it will be the same as before and overflow will not be detected at all.

---

Victor,

Do you also agree that it will cause a problem if I pass a long to the i argument parser? If so, I think maybe the overflow problem cannot be solved by the patch I submitted.

Boya
[issue6873] posix_lchown: possible overflow of uid, gid
Boya Sun boya@case.edu added the comment:

Martin,

The reason why I think there is a possible overflow is that according to issue 5705, uid/gid overflows are fixed in the following functions: posix_setegid(), posix_setreuid(), posix_setregid(), posix_setgid(). So I think a similar fix should also be applied to the function posix_lchown. Or did I misunderstand anything?

And you're right. The previous patch is incorrect. I have now submitted another patch that deals with the *actual* overflow of gid and uid.

---

Victor,

I agree that all posix_*chown() functions should also be fixed for the same overflow problem, and it's a good idea to create callback functions as you described. But if nobody does that, I can at least create more patches to fix other posix_*chown() functions.

Added file: http://bugs.python.org/file14873/patch_6873.diff
[issue6873] posix_lchown: possible overflow of uid, gid
Changes by Boya Sun boya@case.edu: Removed file: http://bugs.python.org/file14869/patch.diff
[issue6817] char buffer in function posix_getcwdu should not be fix length
Boya Sun boya@case.edu added the comment:

Victor,

I corrected both issues of the patch according to your first comment.

This patch did not fix the Windows implementation. It seems that there will not be a buffer overflow in the Windows implementation, since if the buffer is too small for GetCurrentDirectoryW(), the code allocates a new buffer for it with enough length by the following code:

    len = GetCurrentDirectoryW(sizeof wbuf/ sizeof wbuf[0], wbuf);
    if (len >= sizeof wbuf/ sizeof wbuf[0]) {
        wbuf2 = malloc(len * sizeof(wchar_t));
        if (wbuf2)
            len = GetCurrentDirectoryW(len, wbuf2);
    }

Added file: http://bugs.python.org/file14874/patch_6817.diff
[issue6873] posix_lchown: possible overflow of uid, gid
New submission from Boya Sun boya@case.edu:

    posix_lchown(PyObject *self, PyObject *args)
    {
        ...
        int uid, gid;
        ...
        if (!PyArg_ParseTuple(args, "etii:lchown",
                              Py_FileSystemDefaultEncoding, &path,
                              &uid, &gid))
        ...
    }

uid and gid could cause overflow. A similar bug is issue 5705. Patch attached.

Any comment is appreciated!

Boya

files: patch.diff
keywords: patch
messages: 92465
nosy: boya
severity: normal
status: open
title: posix_lchown: possible overflow of uid, gid

Added file: http://bugs.python.org/file14869/patch.diff
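An added example, not part of the original message or the attached patch: a stand-alone C helper showing one way to range-check an id before it reaches lchown(), by taking the value in a wider integer and verifying that it survives conversion to uid_t. The name checked_uid and its return convention are assumptions, and the sample values are constructed.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical helper (not CPython code): convert a wide integer, as an
 * argument parser would hand it over, into a uid_t.
 * Returns 0 and stores the id on success, -1 if the value does not fit. */
int checked_uid(long long value, uid_t *out)
{
    uid_t id;

    /* chown()/lchown() treat (uid_t)-1 as "leave this id unchanged". */
    if (value == -1) {
        *out = (uid_t)-1;
        return 0;
    }
    /* Where uid_t is unsigned, no other negative number is a valid id. */
    if (value < 0 && (uid_t)-1 > (uid_t)0)
        return -1;
    id = (uid_t)value;
    /* Round-trip test: if converting back gives a different number,
     * the value was truncated by the narrower type. */
    if ((long long)id != value)
        return -1;
    *out = id;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    long long samples[] = { 0, 1000, 3000000000LL, -1, -2, 1LL << 40 };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t id = 0;
        int rc = checked_uid(samples[i], &id);
        printf("%lld -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The same check applies to gid_t; on a platform with a 32-bit unsigned uid_t, ids above INT_MAX are accepted while values that would be truncated are rejected.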
[issue5705] os.getpwent returns unsigned 32bit value, os.setuid refuses it
Boya Sun boya@case.edu added the comment: Created issue 6879 following Victor's suggestion.
[issue5705] os.getpwent returns unsigned 32bit value, os.setuid refuses it
Boya Sun boya@case.edu added the comment: Sorry, typo. Created issue 6873 following Victor's suggestion.
[issue3139] bytearrays are not thread safe
Boya Sun boya@case.edu added the comment: I am still a little bit confused. Can you explain a little more in detail? What is the difference between the suspicious code and the ones that are fixed?
[issue3139] bytearrays are not thread safe
Boya Sun boya@case.edu added the comment:

Although the bug is fixed, the following three code segments seem suspicious in _codecsmodule.c in the latest revision 74624, and they are similar to the bug described here:

(1)

    escape_decode(PyObject *self, PyObject *args)
    {
        ...
        const char *data;
        ...
        if (!PyArg_ParseTuple(args, "s#|z:escape_decode",
                              &data, &size, &errors))
    }

(2)

    readbuffer_encode(PyObject *self, PyObject *args)
    {
        const char *data;
        ...
        if (!PyArg_ParseTuple(args, "s#|z:readbuffer_encode",
                              &data, &size, &errors))
        ...
    }

(3)

    charbuffer_encode(PyObject *self, PyObject *args)
    {
        const char *data;
        ...
        if (!PyArg_ParseTuple(args, "t#|z:charbuffer_encode",
                              &data, &size, &errors))
        ...
    }

Firstly, char *data; has been replaced by Py_buffer pbuf; in many procedures in this file in the bug fix, but not in this code. Secondly, they use s# or t#, which should probably be changed to s*.

I could be wrong about it. Does anyone have any opinions on the above code? Are they really buggy or am I misunderstanding anything?

nosy: +boya
[issue5705] os.getpwent returns unsigned 32bit value, os.setuid refuses it
Boya Sun boya@case.edu added the comment:

Another potential bug discovered in posixmodule.c in the function posix_lchown:

    posix_lchown(PyObject *self, PyObject *args)
    {
        ...
        int uid, gid;
        ...
        if (!PyArg_ParseTuple(args, "etii:lchown",
                              Py_FileSystemDefaultEncoding, &path,
                              &uid, &gid))
        ...
    }

uid and gid could also cause overflow.

Patch attached. Hope someone can comment on the patch, thanks a lot!

keywords: +patch
nosy: +boya

Added file: http://bugs.python.org/file14816/patch_5705.diff
[issue2722] os.getcwd fails for long path names on linux
Boya Sun boya@case.edu added the comment:

This bug occurred in posix_getcwd() and is being fixed. Should the following code in posix_getcwdu() also be fixed the same way?

    posix_getcwdu(PyObject *self, PyObject *noargs)
    {
        char buf[1026];
        ...
    #if defined(PYOS_OS2) && defined(PYCC_GCC)
        res = _getcwd2(buf, sizeof buf);
    #else
        res = getcwd(buf, sizeof buf);
    #endif
        ...
    }

In my opinion, the fixed-length buf should be discarded and memory should instead be allocated to buf as needed (as in the fix code in posix_getcwd()), since getcwd() does not have a maximum anymore.

nosy: +boya
[issue2620] Multiple buffer overflows in unicode processing
Boya Sun boya@case.edu added the comment:

In Python/pyarena.c:

    block_new(size_t size)
    {
        /* Allocate header and block as one unit.
           ab_mem points just past header. */
        block *b = (block *)malloc(sizeof(block) + size);
        ...
    }

Should a check for overflow of size also be performed before calling malloc?

nosy: +boya
[issue6817] char buffer in function posix_getcwdu should not be fix length
New submission from Boya Sun boya@case.edu:

This issue is similar to issue 2722 (http://bugs.python.org/issue2722#), where the char buffer supports a path string that does not have a fixed length in the function posix_getcwd().

In the function posix_getcwdu(), the char buffer is still fixed length. But I think the same change should also apply to this function.

A patch is attached to allow the char buffer in posix_getcwdu() to not be fixed length.

files: patch_get_cwdu.diff
keywords: patch
messages: 92151
nosy: boya
severity: normal
status: open
title: char buffer in function posix_getcwdu should not be fix length

Added file: http://bugs.python.org/file14818/patch_get_cwdu.diff
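An added example, not taken from the attached patch or from posixmodule.c: one way to write the grow-as-needed buffer that this report and the issue 2722 comment ask for, retrying getcwd() with a larger allocation while it fails with ERANGE. The name getcwd_grow and its parameters are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not CPython code): return the current directory in a
 * malloc()ed buffer that grows until the path fits. The caller frees it.
 * *final_size, if not NULL, receives the buffer size that succeeded.
 * Returns NULL with errno set on failure. */
char *getcwd_grow(size_t start_size, size_t *final_size)
{
    size_t size = start_size ? start_size : 1;
    char *buf = NULL;

    for (;;) {
        char *tmp = realloc(buf, size);
        if (tmp == NULL) {
            free(buf);
            errno = ENOMEM;
            return NULL;
        }
        buf = tmp;
        if (getcwd(buf, size) != NULL) {
            if (final_size != NULL)
                *final_size = size;
            return buf;
        }
        /* ERANGE means "buffer too small"; anything else is a real error. */
        if (errno != ERANGE || size > SIZE_MAX / 2) {
            int saved = errno;
            free(buf);
            errno = saved;
            return NULL;
        }
        size *= 2;  /* cannot wrap: size <= SIZE_MAX / 2 was just checked */
    }
}

int main(void)
{
    size_t used = 0;
    char *cwd = getcwd_grow(1, &used);  /* start tiny to force regrowth */
    if (cwd == NULL) {
        perror("getcwd");
        return 1;
    }
    printf("%s (buffer grew to %zu bytes)\n", cwd, used);
    free(cwd);
    return 0;
}
```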
[issue2722] os.getcwd fails for long path names on linux
Boya Sun boya@case.edu added the comment: Amaury, Created issue 6817 with a patch.