From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/14502 Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.comp.security.oss.general,gmane.linux.lib.musl.general Subject: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance Date: Mon, 5 Aug 2019 19:27:37 -0400 Message-ID: <20190805232737.GA11260@brightrain.aerifal.cx> Reply-To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="169126"; mail-complaints-to="usenet@blaine.gmane.org" User-Agent: Mutt/1.5.21 (2010-09-15) Cc: musl-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org Original-X-From: oss-security-return-25385-gcsos-oss-security=m.gmane.org-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org Tue Aug 06 01:29:25 2019 Return-path: Envelope-to: gcsos-oss-security@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by blaine.gmane.org with smtp (Exim 4.89) (envelope-from ) id 1humPs-000hsf-Ku for gcsos-oss-security@m.gmane.org; Tue, 06 Aug 2019 01:29:24 +0200 Original-Received: (qmail 25730 invoked by uid 550); 5 Aug 2019 23:27:51 -0000 Mailing-List: contact oss-security-help-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 25699 invoked from network); 5 Aug 2019 23:27:50 -0000 Content-Disposition: inline Original-Sender: Rich Felker Xref: news.gmane.org gmane.comp.security.oss.general:25494 gmane.linux.lib.musl.general:14502 Archived-At: I've discovered a flaw in musl libc's arch-specific math assembly code for i386, whereby at least the log1p function and possibly others return with more than one item on the x87 stack. This can lead to x87 stack overflow in the execution of subsequent math code, causing it to incorrectly produce a NAN in place of the actual result. If floating point results are used in flow control, this can lead to runaway wrong code execution. For example, in Python (version 3.6.8 tested), at least one code path of the dtoa function becomes an infinite loop performing what's effectively an unbounded-length memset when entered under such a condition. This bug is potentially exploitable in software which calls affected math functions with inputs under user control. Impact depends on how the application handles the ABI-violating x87 state; in Python it seems to be limited to producing a crash. The bug is present in all versions after 0.9.12, up through the current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's "i386" arch) are affected. Users of other archs, including x86_64, can safely ignore this issue. Affected users are advised to apply the following patch: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441