CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance

mailing list of musl libc
 help / color / mirror / code / Atom feed

From: Rich Felker <dalias-8zAoT0mYgF4@public.gmane.org>
To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org
Cc: musl-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org
Subject: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance
Date: Mon, 5 Aug 2019 19:27:37 -0400	[thread overview]
Message-ID: <20190805232737.GA11260@brightrain.aerifal.cx> (raw)

I've discovered a flaw in musl libc's arch-specific math assembly code
for i386, whereby at least the log1p function and possibly others
return with more than one item on the x87 stack. This can lead to x87
stack overflow in the execution of subsequent math code, causing it to
incorrectly produce a NAN in place of the actual result. If floating
point results are used in flow control, this can lead to runaway wrong
code execution. For example, in Python (version 3.6.8 tested), at
least one code path of the dtoa function becomes an infinite loop
performing what's effectively an unbounded-length memset when entered
under such a condition.

This bug is potentially exploitable in software which calls affected
math functions with inputs under user control. Impact depends on how
the application handles the ABI-violating x87 state; in Python it
seems to be limited to producing a crash.

The bug is present in all versions after 0.9.12, up through the
current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's
"i386" arch) are affected. Users of other archs, including x86_64, can
safely ignore this issue.

Affected users are advised to apply the following patch:

https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441

next             reply	other threads:[~2019-08-05 23:27 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-05 23:27 Rich Felker [this message]
2019-08-06  0:05 ` Rich Felker
2019-08-06 15:36   ` Rich Felker
     [not found] ` <20190805232737.GA11260-C3MtFaGISjmo6RMmaWD+6Sb1p8zYI1N1@public.gmane.org>
2019-08-06  7:16   ` Moritz Muehlenhoff

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190805232737.GA11260@brightrain.aerifal.cx \
    --to=dalias-8zaot0mygf4@public.gmane.org \
    --cc=musl-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org \
    --cc=oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).