[security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format

[wessen]

BPO	42103
Nosy	@ronaldoussoren, @ned-deily, @ambv, @serhiy-storchaka, @miss-islington
PRs	bpo-42103: Improve validation of Plist files. #22882 [3.9] bpo-42103: Improve validation of Plist files. (GH-22882) #23115 [3.8] bpo-42103: Improve validation of Plist files. (GH-22882) #23116 [3.7] bpo-42103: Improve validation of Plist files. (GH-22882) #23117 [3.6] bpo-42103: Improve validation of Plist files. (GH-22882) #23118

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2020-11-10.20:17:26.610>
created_at = <Date 2020-10-21.00:25:11.057>
labels = ['3.8', '3.9', '3.10', 'performance', '3.7', 'library', 'release-blocker']
title = '[security] DoS (MemError via CPU and RAM exhaustion) when processing malformed Apple Property List files in binary format'
updated_at = <Date 2020-11-10.20:17:26.609>
user = 'https://bugs.python.org/wessen'

bugs.python.org fields:

activity = <Date 2020-11-10.20:17:26.609>
actor = 'serhiy.storchaka'
assignee = 'none'
closed = True
closed_date = <Date 2020-11-10.20:17:26.610>
closer = 'serhiy.storchaka'
components = ['Library (Lib)']
creation = <Date 2020-10-21.00:25:11.057>
creator = 'wessen'
dependencies = []
files = []
hgrepos = []
issue_num = 42103
keywords = ['patch', 'security_issue']
message_count = 12.0
messages = ['379175', '379238', '379243', '379255', '379283', '379285', '379286', '380250', '380252', '380265', '380703', '380704']
nosy_count = 6.0
nosy_names = ['ronaldoussoren', 'ned.deily', 'lukasz.langa', 'serhiy.storchaka', 'miss-islington', 'wessen']
pr_nums = ['22882', '23115', '23116', '23117', '23118']
priority = 'release blocker'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'resource usage'
url = 'https://bugs.python.org/issue42103'
versions = ['Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10']

[wessen]

In versions of Python from 3.4-3.10, the Python core plistlib library supports Apple's binary plist format. When given malformed input, the implementation can be forced to create an argument to struct.unpack() which consumes all available CPU and memory until a MemError is thrown as it builds the 'format' argument to unpack().

This can be seen with the following malformed example binary plist input:

$ xxd binary_plist_dos.bplist
00000000: 6270 6c69 7374 3030 d101 0255 614c 6973  bplist00...UaLis
00000010: 74a5 0304 0506 0000 00df 4251 4351 44a3  t.........BQCQD.
00000020: 0809 0a10 0110 0210 0308 0b11 1719 1b1d  ................
00000030: 0000 0101 0000 0000 0000 000b 0000 0000  ................
00000040: 0000 0000 0000 0000 0000 0029            ...........)

The error is reached in the following lines of plistlib.py:
(

cpython/Lib/plistlib.py

Line 485 in e9959c7

return struct.unpack('>' + _BINARY_FORMAT[size] * n, data)

)

    def _read_ints(self, n, size):
        data = self._fp.read(size * n)
        if size in _BINARY_FORMAT:
            return struct.unpack('>' + _BINARY_FORMAT[size] * n, data)

When the malicious example above is opened by plistlib, it results in 'n' being controlled by the input and it can be forced to be very large. Plistlib attempts to build a string which is as long as 'n', consuming excessive resources.

Apple's built in utilities for handling plist files detects this same file as malformed and will not process it.