[issue33871] Possible integer overflow in iov_setup()

2018-09-22 Thread Serhiy Storchaka


Change by Serhiy Storchaka:


--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue33871] Possible integer overflow in iov_setup()

2018-07-31 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:


New changeset ada5d99306dc8af21c32cefb3d86891e8553dbc6 by Serhiy Storchaka in 
branch '3.6':
[3.6] bpo-33871: Fix os.sendfile(), os.writev(), os.readv(), etc. (GH-7931) 
(GH-8584)
https://github.com/python/cpython/commit/ada5d99306dc8af21c32cefb3d86891e8553dbc6


--




[issue33871] Possible integer overflow in iov_setup()

2018-07-31 Thread miss-islington


miss-islington added the comment:


New changeset 3e4b68875917a4605b45918f9e3232730fed9399 by Miss Islington (bot) 
in branch '3.7':
bpo-33871: Fix os.sendfile(), os.writev(), os.readv(), etc. (GH-7931)
https://github.com/python/cpython/commit/3e4b68875917a4605b45918f9e3232730fed9399


--
nosy: +miss-islington




[issue33871] Possible integer overflow in iov_setup()

2018-07-31 Thread Serhiy Storchaka


Change by Serhiy Storchaka:


--
pull_requests: +8093




[issue33871] Possible integer overflow in iov_setup()

2018-07-31 Thread miss-islington


Change by miss-islington:


--
pull_requests: +8092




[issue33871] Possible integer overflow in iov_setup()

2018-07-31 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:


New changeset 9d5727326af53ddd91016d98e16ae7cf829caa95 by Serhiy Storchaka in 
branch 'master':
bpo-33871: Fix os.sendfile(), os.writev(), os.readv(), etc. (GH-7931)
https://github.com/python/cpython/commit/9d5727326af53ddd91016d98e16ae7cf829caa95


--




[issue33871] Possible integer overflow in iov_setup()

2018-06-26 Thread Serhiy Storchaka


Change by Serhiy Storchaka:


--
keywords: +patch
pull_requests: +7538
stage:  -> patch review




[issue33871] Possible integer overflow in iov_setup()

2018-06-18 Thread Serhiy Storchaka


Serhiy Storchaka added the comment:

Thank you Pablo and Ned!

It seems there is another bug on Mac OS, not related to integer overflow. I am 
working on it.

--
priority: normal -> high




[issue33871] Possible integer overflow in iov_setup()

2018-06-16 Thread Ned Deily


Ned Deily added the comment:

Test case:

import os
fo = open('/tmp/temp', 'wb')
fi = open('/tmp/temp', 'rb')
os.sendfile(fo.fileno(), fi.fileno(), 0, 0, headers=[b'x' * 2**16] * 2**15)

--
run against current master HEAD (2f9cbaa8b2190b6dfd3157ede9b6973523a3b939, as 
of 2018-06-15)
--with-pydebug
current macOS 10.13.5


64-bit Python

$ ./bin/python3.8 ~/Desktop/test_s.py
Traceback (most recent call last):
 File "/Users/nad/Desktop/test_s.py", line 4, in <module>
   os.sendfile(fo.fileno(), fi.fileno(), 0, 0, headers=[b'x' * 2**16] * 2**15)
OSError: [Errno 38] Socket operation on non-socket
sys:1: ResourceWarning: unclosed file <_io.BufferedWriter name='/tmp/temp'>
sys:1: ResourceWarning: unclosed file <_io.BufferedReader name='/tmp/temp'>


32-bit Python

$ ./bin/python3.8-32 ~/Desktop/test_s.py
Fatal Python error: a function returned NULL without setting an error
SystemError:  returned NULL without setting an error

Current thread 0xa983a1c0 (most recent call first):
 File "/Users/nad/Desktop/test_s.py", line 4 in <module>
Abort trap: 6

--




[issue33871] Possible integer overflow in iov_setup()

2018-06-15 Thread Pablo Galindo Salgado


Pablo Galindo Salgado added the comment:

Docs for sendfile in macOS:

https://www.unix.com/man-page/osx/2/sendfile/

--




[issue33871] Possible integer overflow in iov_setup()

2018-06-15 Thread Pablo Galindo Salgado


Pablo Galindo Salgado added the comment:

I can reproduce the issue on an i686 GNU/Linux Debian system:

>>> import os
>>> f = open('/tmp/temp', 'wb')
>>> l = os.writev(f.fileno(), [b'x' * 2**16] * 2**15)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
SystemError: error return without exception set

--
nosy: +pablogsal




[issue33871] Possible integer overflow in iov_setup()

2018-06-15 Thread Serhiy Storchaka


New submission from Serhiy Storchaka:

The iov_setup() helper in posixmodule.c returns the total size of all buffers. 
But an integer overflow is possible because the sequence of buffers can 
contain the same buffer repeated multiple times.

On a 32-bit platform:

>>> import os
>>> f = open('/tmp/temp', 'wb')
>>> os.writev(f.fileno(), [b'x' * 2**16] * 2**15)
-1

Since the overflowed sum is negative, os_writev_impl() returns -1 as a signal 
of error, but since the exception is not set, -1 is returned as the result of 
os.writev(). If the overflowed sum is not negative, the sequence of buffers is 
passed to the OS and an OSError is raised:

>>> os.writev(f.fileno(), [b'x' * 2**16] * 2**16)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument

I have not tested this (because I have not installed the corresponding 32-bit 
OSes, and it is harder to reproduce on 64-bit), but it seems this can even 
cause a crash in os.sendfile() on FreeBSD, DragonFly BSD and Mac OS.

This sum is used only in os.sendfile() on Mac OS. In all other cases it is 
enough to return just an error flag. I can't find the documentation for 
os.sendfile() on Mac OS for checking if this value actually is needed.

--
components: Library (Lib)
messages: 319636
nosy: ned.deily, ronaldoussoren, serhiy.storchaka
priority: normal
severity: normal
status: open
title: Possible integer overflow in iov_setup()
type: crash
versions: Python 3.6, Python 3.7, Python 3.8
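
The two cases in the report above, reproduced in C as an added example (not code from this thread or from CPython's posixmodule.c). ssize32_t stands in for a 32-bit Py_ssize_t, and total_wrapping() and total_checked() are hypothetical names; the checked variant is one way to reject the sum before it wraps, not the patch merged in GH-7931.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: a 32-bit signed size type. */
typedef int32_t ssize32_t;

/* Sum `count` copies of a `len`-byte buffer the way a 32-bit build ends up
 * doing it in practice: the total wraps modulo 2**32 and is then read as a
 * signed value. Unsigned arithmetic keeps the wraparound well defined. */
static ssize32_t total_wrapping(uint32_t len, uint32_t count)
{
    uint32_t sum = 0;
    for (uint32_t i = 0; i < count; i++)
        sum += len;
    int64_t v = (int64_t)sum;
    if (v > INT32_MAX)
        v -= 4294967296LL;          /* reinterpret as two's complement */
    return (ssize32_t)v;
}

/* Same sum with a guard before every addition. Returns the total, or -1
 * when it would not fit; a caller must set an exception on -1 rather than
 * hand the value back as a byte count. */
static ssize32_t total_checked(uint32_t len, uint32_t count)
{
    ssize32_t sum = 0;
    if (len > (uint32_t)INT32_MAX)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if ((ssize32_t)len > INT32_MAX - sum)
            return -1;              /* next addition would overflow */
        sum += (ssize32_t)len;
    }
    return sum;
}

int main(void)
{
    /* Constructed inputs mirroring the report: 2**16-byte buffer repeated. */
    printf("2**15 buffers, wrapping: %ld\n",
           (long)total_wrapping(1u << 16, 1u << 15));   /* negative */
    printf("2**16 buffers, wrapping: %ld\n",
           (long)total_wrapping(1u << 16, 1u << 16));   /* non-negative */
    printf("2**15 buffers, checked:  %ld\n",
           (long)total_checked(1u << 16, 1u << 15));
    printf("2**15-1 buffers, checked: %ld\n",
           (long)total_checked(1u << 16, (1u << 15) - 1));
    return 0;
}
```

The first case wraps to a negative total, which is the path that surfaced as a bare -1 from os.writev(); the second wraps to a non-negative total, so the oversized sequence reaches the OS and comes back as EINVAL.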
