[CVE-2020-8315]Avoid unsafe DLL load on Windows 7 and earlier 40/257440/1
authorJinWang An <jinwang.an@samsung.com>
Mon, 26 Apr 2021 05:19:00 +0000 (14:19 +0900)
committerJinWang An <jinwang.an@samsung.com>
Mon, 26 Apr 2021 05:19:00 +0000 (14:19 +0900)
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6,
and 3.8 through 3.8.1, an insecure dependency load upon
launch on Windows 7 may result in an attacker's copy of
api-ms-win-core-path-l1-1-0.dll being loaded and used
instead of the system's copy. Windows 8 and later are unaffected.

Change-Id: I18d6f2a1e6181232bd349041d26fb34b3070fa8f
Signed-off-by: JinWang An <jinwang.an@samsung.com>
PC/getpathp.c
PCbuild/pythoncore.vcxproj

index 1b553d53affa1f57acde27b7861320be158ad231..0a1560c759f63006aeac55ff137d8af9f1519720 100644 (file)
@@ -89,6 +89,7 @@
 #endif
 
 #include <windows.h>
+#include <pathcch.h>
 #include <shlwapi.h>
 
 #ifdef HAVE_SYS_TYPES_H
@@ -235,68 +236,22 @@ ismodule(wchar_t *filename, int update_filename)
    stuff as fits will be appended.
 */
 
-static int _PathCchCombineEx_Initialized = 0;
-typedef HRESULT(__stdcall *PPathCchCombineEx) (PWSTR pszPathOut, size_t cchPathOut,
-                                               PCWSTR pszPathIn, PCWSTR pszMore,
-                                               unsigned long dwFlags);
-static PPathCchCombineEx _PathCchCombineEx;
-
 static void
 join(wchar_t *buffer, const wchar_t *stuff)
 {
-    if (_PathCchCombineEx_Initialized == 0) {
-        HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll");
-        if (pathapi) {
-            _PathCchCombineEx = (PPathCchCombineEx)GetProcAddress(pathapi, "PathCchCombineEx");
-        }
-        else {
-            _PathCchCombineEx = NULL;
-        }
-        _PathCchCombineEx_Initialized = 1;
-    }
-
-    if (_PathCchCombineEx) {
-        if (FAILED(_PathCchCombineEx(buffer, MAXPATHLEN+1, buffer, stuff, 0))) {
-            Py_FatalError("buffer overflow in getpathp.c's join()");
-        }
-    } else {
-        if (!PathCombineW(buffer, buffer, stuff)) {
-            Py_FatalError("buffer overflow in getpathp.c's join()");
-        }
+    if (FAILED(PathCchCombineEx(buffer, MAXPATHLEN+1, buffer, stuff, 0))) {
+        Py_FatalError("buffer overflow in getpathp.c's join()");
     }
 }
 
-static int _PathCchCanonicalizeEx_Initialized = 0;
-typedef HRESULT(__stdcall *PPathCchCanonicalizeEx) (PWSTR pszPathOut, size_t cchPathOut,
-    PCWSTR pszPathIn, unsigned long dwFlags);
-static PPathCchCanonicalizeEx _PathCchCanonicalizeEx;
-
 static _PyInitError canonicalize(wchar_t *buffer, const wchar_t *path)
 {
     if (buffer == NULL) {
         return _Py_INIT_NO_MEMORY();
     }
 
-    if (_PathCchCanonicalizeEx_Initialized == 0) {
-        HMODULE pathapi = LoadLibraryW(L"api-ms-win-core-path-l1-1-0.dll");
-        if (pathapi) {
-            _PathCchCanonicalizeEx = (PPathCchCanonicalizeEx)GetProcAddress(pathapi, "PathCchCanonicalizeEx");
-        }
-        else {
-            _PathCchCanonicalizeEx = NULL;
-        }
-        _PathCchCanonicalizeEx_Initialized = 1;
-    }
-
-    if (_PathCchCanonicalizeEx) {
-        if (FAILED(_PathCchCanonicalizeEx(buffer, MAXPATHLEN + 1, path, 0))) {
-            return _Py_INIT_ERR("buffer overflow in getpathp.c's canonicalize()");
-        }
-    }
-    else {
-        if (!PathCanonicalizeW(buffer, path)) {
-            return _Py_INIT_ERR("buffer overflow in getpathp.c's canonicalize()");
-        }
+    if (FAILED(PathCchCanonicalizeEx(buffer, MAXPATHLEN + 1, path, 0))) {
+        return INIT_ERR_BUFFER_OVERFLOW();
     }
     return _Py_INIT_OK();
 }
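Review bot: `INIT_ERR_BUFFER_OVERFLOW()` in the new error path of `canonicalize()` is not defined anywhere in the visible hunks, so it may not compile on this branch. The line it replaces and the rest of the function use the `_Py_INIT_*` macros (`_Py_INIT_NO_MEMORY()`, `_Py_INIT_OK()`), which suggests the call was carried over from a newer branch. Unless the macro is defined elsewhere in getpathp.c, keep the branch's own form: `return _Py_INIT_ERR("buffer overflow in getpathp.c's canonicalize()");`. That also keeps the message as specific as the one `join()` still passes to `Py_FatalError`.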
index e9947473720ae0d02d5afc58180242195e9f90af..3599526875a4e08638383068147635e782c6cd6b 100644 (file)
@@ -74,7 +74,7 @@
       <PreprocessorDefinitions Condition="$(IncludeExternals)">_Py_HAVE_ZLIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>\r
     </ClCompile>\r
     <Link>\r
-      <AdditionalDependencies>version.lib;shlwapi.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
+      <AdditionalDependencies>version.lib;shlwapi.lib;ws2_32.lib;pathcch.lib;%(AdditionalDependencies)</AdditionalDependencies>\r
     </Link>\r
   </ItemDefinitionGroup>\r
   <ItemGroup>\r
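Review bot: Adding `pathcch.lib` here makes the path API set a load-time import of pythoncore, and the same commit removes the `PathCombineW`/`PathCanonicalizeW` fallback in PC/getpathp.c. A system that does not ship that API set would therefore presumably fail to load the DLL rather than fall back. The commit message names Windows 7 as the affected platform, so if it is still a supported target for this branch, the behaviour needs confirming on such a system. An alternative that keeps the fallback is to retain the runtime probe but restrict the search to the system directory: `LoadLibraryExW(L"api-ms-win-core-path-l1-1-0.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32)`. A short comment stating the minimum supported Windows version would make the choice explicit.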