Bug 2370944 - anaconda raises SystemError: buffer overflow on Python 3.14
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: anaconda-maint
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: PYTHON3.14
Reported: 2025-06-07 11:11 UTC by Miro Hrončok
Modified: 2025-06-09 09:48 UTC (History)

Fixed In Version: anaconda-43.22-4.fc43
Clone Of:
Environment:
Last Closed: 2025-06-09 09:48:12 UTC
Type: Bug
Embargoed:


Attachments
screen from OpenQA (23.61 KB, image/png)
2025-06-07 11:12 UTC, Miro Hrončok


Links
System ID Private Priority Status Summary Last Updated
Fedora Package Sources anaconda pull-request 241 0 None None None 2025-06-07 12:03:09 UTC
Github rhinstaller anaconda pull 6447 0 None open Avoid buffer overflow with TIOCGWINSZ 2025-06-07 12:03:09 UTC

Description Miro Hrončok 2025-06-07 11:11:29 UTC
There is an OpenQA anaconda test failure with Python 3.14 that manifests like this:

 install_default_update_netinst _boot_to_anaconda

https://openqa.stg.fedoraproject.org/tests/5055781#step/_boot_to_anaconda/5

>>> from pyanaconda.argument_parsing import get_help_width
...
>>> get_help_width()
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    get_help_width()
    ~~~~~~~~~~~~~~^^
  File "/usr/lib64/python3.14/site-packages/pyanaconda/argument_parsing.py", line 68, in get_help_width
    data = fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, '1234')
SystemError: buffer overflow


$ python3.13
Python 3.13.3 (main, Apr 22 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys, termios
>>> import sys, termios, fcntl
>>> fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "1234")
b'=\x00\xe1\x00'

$ python3.14
Python 3.14.0b2 (main, May 26 2025, 00:00:00) [GCC 14.3.1 20250523 (Red Hat 14.3.1-1)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys, termios, fcntl
>>> fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "1234")
Traceback (most recent call last):
  File "<python-input-1>", line 1, in <module>
    fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "1234")
    ~~~~~~~~~~~^^^^^^^^^^^^^^^^^

This might be a bug in Python.

Comment 1 Miro Hrončok 2025-06-07 11:12:38 UTC
Created attachment 2093342
screen from OpenQA

Comment 2 Miro Hrončok 2025-06-07 11:21:51 UTC
>>> termios.TIOCGWINSZ
21523

This is the same on both.

Comment 3 Miro Hrončok 2025-06-07 11:29:53 UTC
https://github.com/python/cpython/commit/c2eaeee3dc3306ca486b0377b07b1a957584b691

Try to detect a buffer overflow in fcntl() and ioctl()

Comment 4 Miro Hrončok 2025-06-07 11:40:31 UTC
This works.

>>> import sys, termios, fcntl, struct
>>> data = fcntl.ioctl(sys.stdout, termios.TIOCGWINSZ, "12345678")
>>> int(struct.unpack('hhhh', data)[1])
225

We need to read 4 shorts, not 2:

struct winsize {
        unsigned short  ws_row;
        unsigned short  ws_col; 
        unsigned short  ws_xpixel;
        unsigned short  ws_ypixel; 
};
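
An added example, not part of the bug report and not anaconda's code: one way to issue TIOCGWINSZ with a buffer sized from the struct winsize layout quoted in Comment 4, so the kernel's whole reply fits in what the caller handed over. The function names and the 80-column fallback are assumptions made for illustration.

```python
import fcntl
import struct
import termios

# struct winsize: ws_row, ws_col, ws_xpixel, ws_ypixel (four unsigned shorts).
WINSIZE_FMT = "HHHH"
WINSIZE_LEN = struct.calcsize(WINSIZE_FMT)  # 8 bytes on Linux

DEFAULT_WIDTH = 80  # assumed fallback value, not taken from anaconda


def parse_winsize(data):
    """Decode a complete struct winsize; refuse short or oversized replies."""
    if len(data) != WINSIZE_LEN:
        raise ValueError(f"expected {WINSIZE_LEN} bytes, got {len(data)}")
    rows, cols, xpixel, ypixel = struct.unpack(WINSIZE_FMT, data)
    return rows, cols, xpixel, ypixel


def query_winsize(fd):
    """Ask the kernel for fd's window size using a buffer of the right size."""
    # Derive the buffer length from the struct format instead of hard-coding
    # a literal such as '1234', which covers only half of struct winsize.
    buf = bytes(WINSIZE_LEN)
    return parse_winsize(fcntl.ioctl(fd, termios.TIOCGWINSZ, buf))


def terminal_width(fd, default=DEFAULT_WIDTH):
    """Return the column count, or default if fd is not a terminal."""
    try:
        _rows, cols, _xpixel, _ypixel = query_winsize(fd)
    except OSError:
        # ENOTTY (pipe, file, socket) or EBADF: no window size to report.
        return default
    # A terminal that has never been sized reports 0 columns.
    return cols or default
```

`terminal_width(sys.stdout)` works as a call because `fcntl.ioctl` accepts any object with a `fileno()` method as well as a raw descriptor.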

