[issue27773] Excessive Py_XDECREF in the ssl module:

2021-11-04 Thread Eryk Sun


Change by Eryk Sun:


--
Removed message: https://bugs.python.org/msg405691

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue27773] Excessive Py_XDECREF in the ssl module:

2021-11-04 Thread Eryk Sun


Change by Eryk Sun:


--
nosy:  -ahmedsayeed1982, lys.nikolaou, pablogsal
versions: +Python 3.6 -Python 3.11




[issue27773] Excessive Py_XDECREF in the ssl module:

2021-11-04 Thread Ahmed Sayeed


Ahmed Sayeed added the comment:

--
components: +Parser
nosy: +ahmedsayeed1982, lys.nikolaou, pablogsal -benjamin.peterson, python-dev
versions: +Python 3.11 -Python 3.5, Python 3.6




[issue27773] Excessive Py_XDECREF in the ssl module:

2016-08-15 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 98c86d5a6655 by Benjamin Peterson in branch '3.5':
fix corner cases in the management of server_hostname (closes #27773)
https://hg.python.org/cpython/rev/98c86d5a6655

New changeset a8cd67e80ed3 by Benjamin Peterson in branch 'default':
merge 3.5 (#27773)
https://hg.python.org/cpython/rev/a8cd67e80ed3

--
nosy: +python-dev
resolution:  -> fixed
stage:  -> resolved
status: open -> closed




[issue27773] Excessive Py_XDECREF in the ssl module:

2016-08-15 Thread Benjamin Peterson

New submission from Benjamin Peterson:

Thomas E. Hybel reports:

This vulnerability exists in the function newPySSLSocket in /Modules/_ssl.c. The
problem is that Py_XDECREF is called on an object, self->server_hostname, which
isn't owned anymore.

The code looks like this:

static PySSLSocket *
newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
               enum py_ssl_server_or_client socket_type,
               char *server_hostname,
               PySSLMemoryBIO *inbio, PySSLMemoryBIO *outbio)
{
    PySSLSocket *self;
    ...
    if (server_hostname != NULL) {
        hostname = PyUnicode_Decode(server_hostname,
                                    strlen(server_hostname),
                                    "idna", "strict");
        ...
        self->server_hostname = hostname;   /* self now owns the only reference */
    }
    ...
    if (sock != NULL) {
        self->Socket = PyWeakref_NewRef((PyObject *) sock, NULL);
        if (self->Socket == NULL) {
            Py_DECREF(self);                    /* frees self, and hostname via PySSL_dealloc */
            Py_XDECREF(self->server_hostname);  /* reads freed self, decrefs freed hostname */
            return NULL;
        }
    }
}

We're initializing the "self" variable. If a hostname was given as an argument,
we call PyUnicode_Decode to initialize self->server_hostname = hostname. At this
point both "self" and "self->server_hostname" have a reference count of 1.

Later on we set self->Socket to be a new weakref. However if the call to
PyWeakref_NewRef fails (the object cannot be weakly referenced) then we run
Py_DECREF(self). Since the reference count of "self" drops to 0, PySSL_dealloc
is called, which runs this line:

Py_XDECREF(self->server_hostname);

Now self->server_hostname's refcount drops to 0 and it is freed.

Then, back in newPySSLSocket, we run Py_XDECREF(self->server_hostname); which is
inappropriate both because "self" is now freed, and because
self->server_hostname's refcount was already dropped in PySSL_dealloc.

So this can be seen either as a use-after-free or as a double free
vulnerability.


Here's a reproducer:

--- begin script ---

import ssl, socket, _socket

s = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
s.context._wrap_socket(_socket.socket(), server_side=1)

--- end script ---

On my machine (Python-3.5.2, 64-bit, --with-pydebug) it crashes:

(gdb) r ./poc8.py
Starting program: /home/xx/Python-3.5.2/python ./poc8.py

Program received signal SIGSEGV, Segmentation fault.
0x767f7d9c in newPySSLSocket (sslctx=sslctx@entry=0x75ed15f8, 
sock=sock@entry=0x77e31dc0,
socket_type=socket_type@entry=PY_SSL_SERVER, server_hostname=, inbio=inbio@entry=0x0, outbio=outbio@entry=0x0)
at /home/xx/Python-3.5.2/Modules/_ssl.c:562
562         Py_XDECREF(self->server_hostname);
(gdb) p self->server_hostname
$14 = (PyObject *) 0xdbdbdbdbdbdbdbdb


I believe this should be fixed by simply removing the line
"Py_XDECREF(self->server_hostname);"



While fixing this, you might want to fix another issue in newPySSLSocket which
I'll describe next.

The separate problem lies here:

    if (server_hostname != NULL) {
        hostname = PyUnicode_Decode(server_hostname, strlen(server_hostname),
                                    "idna", "strict");
        if (hostname == NULL) {
            Py_DECREF(self);    /* PySSL_dealloc will Py_XDECREF an unassigned field */
            return NULL;
        }
        self->server_hostname = hostname;
    }

As we can see, PyUnicode_Decode is called. If PyUnicode_Decode fails, we call
Py_DECREF(self). However the field self->server_hostname is an uninitialized
variable at this point! So the code in PySSL_dealloc which calls
Py_XDECREF(self->server_hostname) could actually be working with an arbitrary,
uninitialized pointer.

Technically this is a separate vulnerability from the first, but I couldn't find
a way to trigger it other than low-memory situations which aren't very
reliable.

This could be fixed by initializing self->server_hostname to NULL before calling
Py_DECREF(self).

--
messages: 272829
nosy: benjamin.peterson
priority: normal
severity: normal
status: open
title: Excessive Py_XDECREF in the ssl module:
type: crash
versions: Python 3.5, Python 3.6

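An added example (not code from CPython or from the reporter) that models both error paths the report describes with a tiny instrumented refcount: `new_obj`, `new_str`, `xdecref`, `dealloc`, `error_path_buggy` and `error_path_fixed` are constructed for this illustration and stand in for PyObject_New, Py_XDECREF, PySSL_dealloc and the two variants of newPySSLSocket's error exits. Instead of corrupting memory, `xdecref` counts a decref through a wild pointer or of an already released object, so the buggy and fixed paths can be compared directly.

```c
#include <stdint.h>
#include <string.h>

typedef struct Obj { int refcnt; int freed; struct Obj *server_hostname; } Obj;

#define ARENA_SIZE 8
static Obj arena[ARENA_SIZE];   /* constructed stand-in for the allocator */
static int next_obj;
static int bad_decrefs;         /* decrefs of freed objects or of garbage pointers */

/* Like PyObject_New: fields hold garbage until the constructor assigns them. */
static Obj *new_obj(void) {
    Obj *o = &arena[next_obj++];
    memset(o, 0xdb, sizeof *o);        /* constructed garbage pattern */
    o->refcnt = 1; o->freed = 0;
    return o;
}
/* The decoded hostname is a str: it owns no other object. */
static Obj *new_str(void) { Obj *s = new_obj(); s->server_hostname = NULL; return s; }

static int in_arena(const Obj *o) {
    uintptr_t p = (uintptr_t)o;
    return p >= (uintptr_t)arena && p < (uintptr_t)(arena + ARENA_SIZE);
}
static void dealloc(Obj *self);
/* Py_XDECREF, instrumented: a garbage pointer (second bug) or a decref of a
 * freed object (first bug) is recorded instead of touching memory. */
static void xdecref(Obj *o) {
    if (o == NULL) return;
    if (!in_arena(o) || o->freed) { bad_decrefs++; return; }
    if (--o->refcnt == 0) dealloc(o);
}
/* PySSL_dealloc: releasing self drops the reference it owns on the hostname. */
static void dealloc(Obj *self) { self->freed = 1; xdecref(self->server_hostname); }
static void reset(void) { next_obj = 0; bad_decrefs = 0; }

/* Error paths as quoted in the report; returns the number of bad decrefs. */
static int error_path_buggy(int decode_fails) {
    reset();
    Obj *self = new_obj();                      /* server_hostname still garbage */
    if (decode_fails) { xdecref(self); return bad_decrefs; }   /* dealloc hits garbage */
    self->server_hostname = new_str();          /* hostname refcnt 1, owned by self */
    xdecref(self);                              /* Py_DECREF(self): frees self and hostname */
    xdecref(self->server_hostname);             /* reads freed self, decrefs freed hostname */
    return bad_decrefs;
}
/* The same paths with the two fixes the report proposes. */
static int error_path_fixed(int decode_fails) {
    reset();
    Obj *self = new_obj();
    self->server_hostname = NULL;               /* initialize before any error exit */
    if (decode_fails) { xdecref(self); return bad_decrefs; }
    self->server_hostname = new_str();
    xdecref(self);                              /* dealloc alone releases the hostname */
    return bad_decrefs;
}
```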