Thanks to visit codestin.com
Credit goes to github.com

Skip to content

stack buffer overflow of Record Object in msilib #96577

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
win32virus opened this issue Sep 5, 2022 · 2 comments
Closed

stack buffer overflow of Record Object in msilib #96577

win32virus opened this issue Sep 5, 2022 · 2 comments
Assignees
@vstinner @eryksun @zooba
Labels
type-bug An unexpected behavior, bug, or error

Comments

@win32virus
Copy link

hello.
There is a stack buffer overflow of Record object in msilib

After brief analysis, I was able to find that implementation of Record.GetString methods has a stack overflow vulnerability.
It seem to be implemented in msi.pyd file.

Vulnerable code snippet is below. pccValueBuf is the length of MsiRecordGetStringW() API, szValueBuf is a output buffer also this buffer has 4000 byte space from rsp, which means 2000 size of WCHAR.
I think there is slight mistake to calculate the buffer size.
Despite WCHAR is 2 byte, output size is still 4000, therefore stack buffer overflow could be happen.

v3 = PyLong_AsUnsignedLongMask(a2);
  if ( v3 == -1 && PyErr_Occurred() )
    return 0i64;
  v5 = *(_DWORD *)(a1 + 16);
  pcchValueBuf[0] = 4000;
  v6 = szValueBuf;
  StringW = MsiRecordGetStringW(v5, v3, szValueBuf, pcchValueBuf);

Test environment is Windows 10 as well as python version is 3.10.6
This bug can triggered by below PoC code.

import msilib
import msilib.schema

database = msilib.init_database('test', msilib.schema, 'testProduct',  msilib.gen_uuid(), 'testVersion', 'testManufacturer')
records = [('a',1,'c','d'*2000)]
msilib.add_data(database, 'CustomAction', records)
database.Commit()
database.Close()

database = msilib.OpenDatabase('test', msilib.MSIDBOPEN_READONLY)
view = database.OpenView("select Target from CustomAction where `Action`= 'a'")
view.Execute(None)
record = view.Fetch()
record.GetString(1)

Feel free to any question and If any what I have to know, please let me know.
Best Regards.
Thank you.
@win32virus win32virus added the type-bug An unexpected behavior, bug, or error label Sep 5, 2022
@zooba
Copy link
Member

zooba commented Sep 6, 2022

Yeah, looks like this line should be using an array size calculation, not plain sizeof:

cpython/PC/_msi.c

Line 487 in 95e271b

DWORD size = sizeof(buf);

@kumaraditya303
Copy link
Contributor

IIUC Py_ARRAY_LENGTH can be used there.

zooba added a commit to zooba/cpython that referenced this issue Sep 6, 2022
@zooba
pythongh-96577: Fixes buffer overrun in _msi module
986df40
@bedevere-bot bedevere-bot mentioned this issue Sep 6, 2022
Merged
zooba added a commit that referenced this issue Sep 7, 2022
@zooba
gh-96577: Fixes buffer overrun in _msi module (GH-96633)
4114bcc
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
d4f4fe9 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
@bedevere-bot bedevere-bot mentioned this issue Sep 7, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
6fb0be8 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
@bedevere-bot bedevere-bot mentioned this issue Sep 7, 2022
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
9dfb50b 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
This was referenced Sep 7, 2022
Merged
Merged
Merged
miss-islington pushed a commit to miss-islington/cpython that referenced this issue Sep 7, 2022
@zooba @miss-islington
pythongh-96577: Fixes buffer overrun in _msi module (pythonGH-96633)
48c6e59 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
miss-islington added a commit that referenced this issue Sep 7, 2022
@miss-islington @zooba
gh-96577: Fixes buffer overrun in _msi module (GH-96633)
9fa21d0 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
miss-islington added a commit that referenced this issue Sep 7, 2022
@miss-islington @zooba
gh-96577: Fixes buffer overrun in _msi module (GH-96633)
e561161 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
@zooba zooba closed this as completed Sep 7, 2022
ned-deily pushed a commit that referenced this issue Sep 13, 2022
@miss-islington @zooba
gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96659)
8fc2635 
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
ambv pushed a commit that referenced this issue Oct 4, 2022
@miss-islington @zooba
[3.9] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96657
938223e 
)

gh-96577: Fixes buffer overrun in _msi module (GH-96633)
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
ambv pushed a commit that referenced this issue Oct 4, 2022
@miss-islington @zooba
[3.8] gh-96577: Fixes buffer overrun in _msi module (GH-96633) (GH-96658
12c72d6 
)

gh-96577: Fixes buffer overrun in _msi module (GH-96633)
(cherry picked from commit 4114bcc)

Co-authored-by: Steve Dower <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vstinner vstinner

@eryksun eryksun

@zooba zooba

Labels
type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@vstinner @eryksun @zooba @win32virus @kumaraditya303