Bug 2370944

Summary: anaconda raises SystemError: buffer overflow on Python 3.14
Product: [Fedora] Fedora
Reporter: Miro Hrončok <mhroncok>
Component: anaconda
Assignee: anaconda-maint
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: rawhide
CC: anaconda-maint, awilliam, kkoukiou, ksurma, lbalhar, mhroncok, python-maint, python-packagers-sig, w
Fixed In Version: anaconda-43.22-4.fc43
Last Closed: 2025-06-09 09:48:12 UTC
Type: Bug
Bug Blocks: 2322407
Attachments: screen from OpenQA (flags: none)

Description Miro Hrončok 2025-06-07 11:11:29 UTC
There is an OpenQA anaconda test failure with Python 3.14 that manifests like this:

 install_default_update_netinst _boot_to_anaconda

https://openqa.stg.fedoraproject.org/tests/5055781#step/_boot_to_anaconda/5

>>> from pyanaconda.argument_parsing import get_help_width
...
>>> get_help_width()
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    get_help_width()
    ~~~~~~~~~~~~~~^^
  File "/usr/lib64/python3.14/site-packages/pyanaconda/argument_parsing.py", line 68, in get_help_width
    data = fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, '1234')
SystemError: buffer overflow


$ python3.13
Python 3.13.3 (main, Apr 22 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys, termios
>>> import sys, termios, fcntl
>>> fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "1234")
b'=\x00\xe1\x00'

$ python3.14
Python 3.14.0b2 (main, May 26 2025, 00:00:00) [GCC 14.3.1 20250523 (Red Hat 14.3.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys, termios, fcntl
>>> fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "1234")
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "1234")
    ~~~~~~~~~~~^^^^^^^^^^^^^^^^^

This might be a bug in Python.

Comment 1 Miro Hrončok 2025-06-07 11:12:38 UTC
Created attachment 2093342
screen from OpenQA

Comment 2 Miro Hrončok 2025-06-07 11:21:51 UTC
>>> termios.TIOCGWINSZ
21523

This is the same on both.

Comment 3 Miro Hrončok 2025-06-07 11:29:53 UTC
https://github.com/python/cpython/commit/c2eaeee3dc3306ca486b0377b07b1a957584b691

Try to detect a buffer overflow in fcntl() and ioctl()

Comment 4 Miro Hrončok 2025-06-07 11:40:31 UTC
This works.

>>> import sys, termios, fcntl, struct
>>> data = fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "12345678")
>>> int(struct.unpack('hhhh', data)[1])
225

We need to read 4 shorts, not 2:

struct winsize {
        unsigned short  ws_row;
        unsigned short  ws_col; 
        unsigned short  ws_xpixel;
        unsigned short  ws_ypixel; 
};
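
The buffer-size point from comment 4, as an added example that is not code from this bug report or from anaconda: the ioctl buffer is sized from the full four-field struct winsize, and the 4-byte call from the description is repeated next to it for comparison. The helper names (get_winsize, undersized_read, demo) and the 40x132 size set on a pseudo-terminal are constructed for the example.

```python
import fcntl
import os
import pty
import struct
import termios

# struct winsize: four unsigned shorts (ws_row, ws_col, ws_xpixel, ws_ypixel).
WINSIZE = struct.Struct("HHHH")


def get_winsize(fd):
    """Return (rows, cols) for the terminal on fd, or None if fd is not a tty."""
    buf = bytes(WINSIZE.size)  # 8 bytes: as large as what the kernel writes
    try:
        data = fcntl.ioctl(fd, termios.TIOCGWINSZ, buf)
    except OSError:  # ENOTTY for pipes, regular files, sockets
        return None
    rows, cols, _xpixel, _ypixel = WINSIZE.unpack(data)
    return rows, cols


def undersized_read(fd):
    """Repeat the report's 4-byte call; return the bytes or the error text."""
    try:
        return fcntl.ioctl(fd, termios.TIOCGWINSZ, b"1234")
    except SystemError as exc:  # Python 3.14 behaviour shown in the report
        return f"SystemError: {exc}"


def demo(rows=40, cols=132):
    """Open a pseudo-terminal, set a constructed size, read it back both ways."""
    master, slave = pty.openpty()
    try:
        fcntl.ioctl(slave, termios.TIOCSWINSZ, WINSIZE.pack(rows, cols, 0, 0))
        return get_winsize(slave), undersized_read(slave)
    finally:
        os.close(master)
        os.close(slave)


if __name__ == "__main__":
    good, short = demo()
    print("8-byte buffer:", good)
    print("4-byte buffer:", short)
```

Sizing the buffer with struct.calcsize (here via WINSIZE.size) keeps the call correct on both interpreters; the 4-byte call returns truncated data on Python 3.13 and raises on 3.14.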