Is there an exploit for this bug for python's sort implementation?
- Is there a security vulnerability? Just because it is a bug does not mean that there is a vulnerability. – schroeder Feb 26 '15 at 18:09
- @schroeder it could lead at least to crash due to unhandled exception or segfault. – Smit Johnth Feb 26 '15 at 19:14
- "could" being the operative term. The real question is: "Is there a vulnerability with this bug?" – schroeder Feb 26 '15 at 19:52
- @schroeder That's what I'm asking. Now open the question. – Smit Johnth Feb 27 '15 at 06:18
- Then this is a programming question, not an InfoSec question, yet. As there does not seem to be a CVE registered for this, it appears as though there isn't a vulnerability, but the investigation of the code for possible vulnerabilities is outside the scope of this site. – schroeder Feb 27 '15 at 07:15
- If you want to try for getting this re-opened, you could attempt to edit the question to ask about known vulnerabilities for timsort, but that might still not get voted to open because that question is answered by Google or doing a CVE lookup. – schroeder Feb 27 '15 at 07:18
- @schroeder Why is "can this bug be exploited" not a security question? – Smit Johnth Feb 27 '15 at 16:14
1 Answer
That version also contains the bug and was intended to work for arrays with up to 2^64 elements. However, on current machines it is not possible to trigger an out-of-bounds error in the Python version: it allocates 85 elements for runLen, which suffices (following our analysis in the full paper) for arrays with less than 2^49 elements. For comparison, the current most powerful supercomputer http://en.wikipedia.org/wiki/Tianhe-2 has about 2^50 bytes of memory in total.
It is not currently possible to trigger the bug in CPython, since it requires a data set that does not fit in today's machines. Since the bug cannot be triggered, it cannot be exploited.
As the article mentions, some Java implementations of this algorithm use smaller arrays which can overflow with smaller datasets (a few hundred MB in the sample code, if I read it correctly). Since this is a buffer overflow, there is a fair chance that it is exploitable.
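To make the bug the answer refers to concrete, here is an added example (not code from the question, the answer, or CPython itself) that models only TimSort's run-stack bookkeeping: it tracks run lengths and merges them the way `merge_collapse` in listsort.c does, without sorting any data. `merge_collapse_buggy` follows the original check on the top three runs; `merge_collapse_fixed` follows the four-run check CPython adopted after the bug was reported. The function names and the sample run lengths are constructed for this illustration.

```python
# Added example: simulate TimSort's run stack on run lengths only (no real sorting).

def invariant_holds(stack):
    """The property merge_collapse is meant to maintain on the whole stack:
    each run is longer than the next two combined, and runs shrink towards the top.
    The bug is that the original code only re-checks this near the top after a merge."""
    return (all(stack[i] > stack[i + 1] + stack[i + 2] for i in range(len(stack) - 2))
            and all(stack[i] > stack[i + 1] for i in range(len(stack) - 1)))

def _merge_at(stack, i):
    # Merge runs i and i+1; for this model only the combined length matters.
    stack[i:i + 2] = [stack[i] + stack[i + 1]]

def merge_collapse_buggy(stack):
    """Original logic: looks only at the top three runs (hypothetical name)."""
    while len(stack) > 1:
        n = len(stack) - 2
        if n > 0 and stack[n - 1] <= stack[n] + stack[n + 1]:
            if stack[n - 1] < stack[n + 1]:
                n -= 1
            _merge_at(stack, n)
        elif stack[n] <= stack[n + 1]:
            _merge_at(stack, n)
        else:
            break
    return stack

def merge_collapse_fixed(stack):
    """Repaired logic: also checks the run one position deeper (hypothetical name)."""
    while len(stack) > 1:
        n = len(stack) - 2
        if ((n > 0 and stack[n - 1] <= stack[n] + stack[n + 1])
                or (n > 1 and stack[n - 2] <= stack[n - 1] + stack[n])):
            if stack[n - 1] < stack[n + 1]:
                n -= 1
            _merge_at(stack, n)
        elif stack[n] <= stack[n + 1]:
            _merge_at(stack, n)
        else:
            break
    return stack

def push_runs(run_lengths, collapse):
    """Push runs one at a time, collapsing after every push as listsort.c does."""
    stack = []
    for length in run_lengths:
        stack.append(length)
        collapse(stack)
    return stack

if __name__ == "__main__":
    runs = [120, 80, 25, 20, 30]  # constructed sample run lengths
    print(push_runs(runs, merge_collapse_buggy), push_runs(runs, merge_collapse_fixed))
```

With the constructed run lengths the buggy collapse leaves the stack as [120, 80, 45, 30], where 120 is not greater than 80 + 45, so the bound the stack size was derived from no longer holds; the fixed collapse never leaves such a state. That broken bound is why the stack can, given enough runs, grow past the space allocated for it, and why the answer's size estimate for CPython matters.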
- I think the java implementation simply crashes since java validates array indices. So it certainly doesn't lead to RCE by default. It might overwrite some unrelated data in the same array, but does limited damage with typical usage. – CodesInChaos Feb 26 '15 at 19:45