Segfault with ctypes deep call stack calls - ebranca/owasp-pysec GitHub Wiki
Classification
- Affected Components : builtin, ctypes
- Operating System : Linux
- Python Versions : 2.6.x, 2.7.x, 3.1.x, 3.2.x
- Reproducible : Yes
Source code
from ctypes import *

NARGS = 2 ** 20
# Prototype for a callback taking NARGS c_int parameters and returning nothing.
proto = CFUNCTYPE(None, *(c_int,) * NARGS)

def func(*args):
    return (1, "abc", None)

# Wrap the Python function as a C callback and invoke it with NARGS arguments;
# marshalling that many arguments exhausts the stack and the interpreter segfaults.
cb = proto(func)
cb(*(1,) * NARGS)
Steps to Produce/Reproduce
To reproduce the problem, copy the source code into a file and execute the script using the following command syntax:
$ python -OOBRtt test.py
Alternatively you can open python in interactive mode:
$ python -OOBRtt <press enter>
Then copy the lines of code into the interpreter.
Description
Executing the script generates a Segmentation fault error.
python -OOBRtt 'test.py'
Segmentation fault
The problem arises from an unbounded 'alloca' call: the interpreter has no protective measures for very deep call stack situations, so the stack space consumed grows with the number of arguments. For this reason the Segmentation fault can also occur with fewer arguments in environments with little available stack space.
Workaround
We are not aware of any easy solution that can fix a deep call stack situation.
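As an added example (not part of the original page, and not a fix for the interpreter itself), one application-level guard that keeps this code path out of reach: refuse to build a CFUNCTYPE prototype whose argument count exceeds a cap, so an oversized callback can never be constructed or invoked. The cap value and the helper names are assumptions chosen for this example; they do not come from the page or from CPython.

```python
from ctypes import CFUNCTYPE, c_int

# Assumed cap for this example. The page reports a crash at 2**20 arguments
# and notes that the real ceiling depends on available stack space, so a
# conservative limit far below any realistic C signature is used here.
MAX_CALLBACK_ARGS = 64


def bounded_cfunctype(restype, *argtypes, max_args=MAX_CALLBACK_ARGS):
    """Build a CFUNCTYPE prototype only when the argument count is bounded.

    CFUNCTYPE itself accepts any number of argtypes; the crash described on
    the page happens when a callback with ~1M parameters is invoked, because
    argument marshalling allocates stack space proportional to the count.
    Rejecting oversized prototypes at construction time keeps that fault
    unreachable from the calling code.
    """
    if len(argtypes) > max_args:
        raise ValueError(
            "refusing CFUNCTYPE with %d arguments (limit %d)"
            % (len(argtypes), max_args)
        )
    return CFUNCTYPE(restype, *argtypes)


def make_sum_callback():
    """A small, legitimate callback: adds two C ints and returns the sum."""
    proto = bounded_cfunctype(c_int, c_int, c_int)

    def add(a, b):
        return a + b

    return proto(add)


def call_sum(a, b):
    """Invoke the wrapped callback through ctypes, as the page's script does."""
    cb = make_sum_callback()
    return cb(a, b)


def try_oversized(nargs):
    """Return True when the guard rejects an nargs-parameter prototype."""
    try:
        bounded_cfunctype(None, *(c_int,) * nargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(call_sum(2, 3))
    print(try_oversized(2 ** 20))
```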
Secure Implementation
WORK IN PROGRESS
References
- Python ctypes: https://docs.python.org/2/library/ctypes.html
- Python data structures: https://docs.python.org/2/tutorial/datastructures.html
- Python recursion limit: https://docs.python.org/2/library/sys.html#sys.setrecursionlimit
- Python bug 12881: http://bugs.python.org/issue12881
- Python bug 13097: http://bugs.python.org/issue13097
- What is a Segmentation Fault: http://en.wikipedia.org/wiki/Segmentation_fault