On Mon, Aug 05, 2019 at 07:27:37PM -0400, Rich Felker wrote: > I've discovered a flaw in musl libc's arch-specific math assembly code > for i386, whereby at least the log1p function and possibly others > return with more than one item on the x87 stack. This can lead to x87 > stack overflow in the execution of subsequent math code, causing it to > incorrectly produce a NAN in place of the actual result. If floating > point results are used in flow control, this can lead to runaway wrong > code execution. For example, in Python (version 3.6.8 tested), at > least one code path of the dtoa function becomes an infinite loop > performing what's effectively an unbounded-length memset when entered > under such a condition. > > This bug is potentially exploitable in software which calls affected > math functions with inputs under user control. Impact depends on how > the application handles the ABI-violating x87 state; in Python it > seems to be limited to producing a crash. > > The bug is present in all versions after 0.9.12, up through the > current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's > "i386" arch) are affected. Users of other archs, including x86_64, can > safely ignore this issue. > > Affected users are advised to apply the following patch: > > https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 The patch contains an error that was missed for unknown reasons, probably failure to rebuild a file. I'm attaching an aggregate patch that works. Alternaatively, these two commits can be applied: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e