From: Rich Felker <dalias@aerifal.cx>
To: musl@lists.openwall.com
Subject: Details on printf issue fixed in musl 1.0.1 and 1.1.0
Date: Wed, 16 Apr 2014 05:06:03 -0400 [thread overview]
Message-ID: <20140416090603.GA11954@brightrain.aerifal.cx> (raw)
The release announcements for 1.0.1 and 1.1.0 mention the possibility
of buffer overflow. I believe it is unlikely that the bug results in a
security issue for real-world applications, but in the interest of
transparency I'm posting an explanation.
The floating point printf code represents a number being printed as an
array of 32-bit integers in the range 0 to 999999999 each representing
9 decimal digits. When rounding to a specific precision, a carry can
occur into the previous buffer slot. Under some circumstances, this
buffer slot may have been uninitialized (retaining whatever value was
previously stored at that particular location on the stack). If this
value happened to be greater than or equal to 999999999, the carry
would cascade into previous slot, and so on, eventually overflowing
past the beginning of the buffer.
In order to trigger such cascading carry, the caller would need to
arrange for a large part of the stack (roughly 8k on x86, 0.5k on most
other archs) to be pre-filled with large 32-bit integers.
Since the overflow takes place in the downward direction rather than
upward, it cannot overwrite return addresses stored in the usual
location. It was not determined however whether it might overwrite
other sensitive pointers; this of course depends on the compiler's
choice of how to arrange the stack frame.
Since the cascading overflow writes zeros to all but the last
position, and merely increments the last position, it seems unlikely
that this bug could be used as a vector for arbitrary code execution.
However it may allow malicious input to crash the application, and it
certainly results in the printing of incorrect decimal representations
for certain values except when the stack is clean with zeros.
Users concerned about this issue are advised to upgrade. The 1.0.1
release offers an upgrade path with minimal invasive changes, or the
specific patch which fixed the issue can be applied:
http://git.musl-libc.org/cgit/musl/commit/?id=109048e031f39fbb370211fde44ababf6c04c8fb
The 1.1.0 release also fixes this bug, and provides new features
including further hardening (RELRO support).
Rich
reply other threads:[~2014-04-16 9:06 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140416090603.GA11954@brightrain.aerifal.cx \
--to=dalias@aerifal.cx \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).