From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/4894 Path: news.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general Subject: Details on printf issue fixed in musl 1.0.1 and 1.1.0 Date: Wed, 16 Apr 2014 05:06:03 -0400 Message-ID: <20140416090603.GA11954@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1397639181 4807 80.91.229.3 (16 Apr 2014 09:06:21 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Wed, 16 Apr 2014 09:06:21 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-4898-gllmg-musl=m.gmane.org@lists.openwall.com Wed Apr 16 11:06:16 2014 Return-path: Envelope-to: gllmg-musl@plane.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1WaLnL-0007zn-TV for gllmg-musl@plane.gmane.org; Wed, 16 Apr 2014 11:06:15 +0200 Original-Received: (qmail 20099 invoked by uid 550); 16 Apr 2014 09:06:15 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 20091 invoked from network); 16 Apr 2014 09:06:15 -0000 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Xref: news.gmane.org gmane.linux.lib.musl.general:4894 Archived-At: The release announcements for 1.0.1 and 1.1.0 mention the possibility of buffer overflow. I believe it is unlikely that the bug results in a security issue for real-world applications, but in the interest of transparency I'm posting an explanation. The floating point printf code represents a number being printed as an array of 32-bit integers in the range 0 to 999999999 each representing 9 decimal digits. When rounding to a specific precision, a carry can occur into the previous buffer slot. Under some circumstances, this buffer slot may have been uninitialized (retaining whatever value was previously stored at that particular location on the stack). If this value happened to be greater than or equal to 999999999, the carry would cascade into previous slot, and so on, eventually overflowing past the beginning of the buffer. In order to trigger such cascading carry, the caller would need to arrange for a large part of the stack (roughly 8k on x86, 0.5k on most other archs) to be pre-filled with large 32-bit integers. Since the overflow takes place in the downward direction rather than upward, it cannot overwrite return addresses stored in the usual location. It was not determined however whether it might overwrite other sensitive pointers; this of course depends on the compiler's choice of how to arrange the stack frame. Since the cascading overflow writes zeros to all but the last position, and merely increments the last position, it seems unlikely that this bug could be used as a vector for arbitrary code execution. However it may allow malicious input to crash the application, and it certainly results in the printing of incorrect decimal representations for certain values except when the stack is clean with zeros. Users concerned about this issue are advised to upgrade. The 1.0.1 release offers an upgrade path with minimal invasive changes, or the specific patch which fixed the issue can be applied: http://git.musl-libc.org/cgit/musl/commit/?id=109048e031f39fbb370211fde44ababf6c04c8fb The 1.1.0 release also fixes this bug, and provides new features including further hardening (RELRO support). Rich