* CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance @ 2019-08-05 23:27 Rich Felker 2019-08-06 0:05 ` Rich Felker [not found] ` <20190805232737.GA11260-C3MtFaGISjmo6RMmaWD+6Sb1p8zYI1N1@public.gmane.org> 0 siblings, 2 replies; 4+ messages in thread From: Rich Felker @ 2019-08-05 23:27 UTC (permalink / raw) To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8 Cc: musl-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8 I've discovered a flaw in musl libc's arch-specific math assembly code for i386, whereby at least the log1p function and possibly others return with more than one item on the x87 stack. This can lead to x87 stack overflow in the execution of subsequent math code, causing it to incorrectly produce a NAN in place of the actual result. If floating point results are used in flow control, this can lead to runaway wrong code execution. For example, in Python (version 3.6.8 tested), at least one code path of the dtoa function becomes an infinite loop performing what's effectively an unbounded-length memset when entered under such a condition. This bug is potentially exploitable in software which calls affected math functions with inputs under user control. Impact depends on how the application handles the ABI-violating x87 state; in Python it seems to be limited to producing a crash. The bug is present in all versions after 0.9.12, up through the current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's "i386" arch) are affected. Users of other archs, including x86_64, can safely ignore this issue. Affected users are advised to apply the following patch: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance 2019-08-05 23:27 CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance Rich Felker @ 2019-08-06 0:05 ` Rich Felker 2019-08-06 15:36 ` Rich Felker [not found] ` <20190805232737.GA11260-C3MtFaGISjmo6RMmaWD+6Sb1p8zYI1N1@public.gmane.org> 1 sibling, 1 reply; 4+ messages in thread From: Rich Felker @ 2019-08-06 0:05 UTC (permalink / raw) To: oss-security; +Cc: musl [-- Attachment #1: Type: text/plain, Size: 1748 bytes --] On Mon, Aug 05, 2019 at 07:27:37PM -0400, Rich Felker wrote: > I've discovered a flaw in musl libc's arch-specific math assembly code > for i386, whereby at least the log1p function and possibly others > return with more than one item on the x87 stack. This can lead to x87 > stack overflow in the execution of subsequent math code, causing it to > incorrectly produce a NAN in place of the actual result. If floating > point results are used in flow control, this can lead to runaway wrong > code execution. For example, in Python (version 3.6.8 tested), at > least one code path of the dtoa function becomes an infinite loop > performing what's effectively an unbounded-length memset when entered > under such a condition. > > This bug is potentially exploitable in software which calls affected > math functions with inputs under user control. Impact depends on how > the application handles the ABI-violating x87 state; in Python it > seems to be limited to producing a crash. > > The bug is present in all versions after 0.9.12, up through the > current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's > "i386" arch) are affected. Users of other archs, including x86_64, can > safely ignore this issue. > > Affected users are advised to apply the following patch: > > https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 The patch contains an error that was missed for unknown reasons, probably failure to rebuild a file. I'm attaching an aggregate patch that works. Alternaatively, these two commits can be applied: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e [-- Attachment #2: x87_stack_bug.diff --] [-- Type: text/plain, Size: 3104 bytes --] diff --git a/src/math/i386/asin.s b/src/math/i386/asin.s index a9f691bf..920d967a 100644 --- a/src/math/i386/asin.s +++ b/src/math/i386/asin.s @@ -7,13 +7,10 @@ asinf: cmp $0x01000000,%eax jae 1f # subnormal x, return x with underflow - fnstsw %ax - and $16,%ax - jnz 2f fld %st(0) fmul %st(1) fstps 4(%esp) -2: ret + ret .global asinl .type asinl,@function @@ -30,11 +27,8 @@ asin: cmp $0x00200000,%eax jae 1f # subnormal x, return x with underflow - fnstsw %ax - and $16,%ax - jnz 2f fsts 4(%esp) -2: ret + ret 1: fld %st(0) fld1 fsub %st(0),%st(1) diff --git a/src/math/i386/atan.s b/src/math/i386/atan.s index d73137b2..a26feae1 100644 --- a/src/math/i386/atan.s +++ b/src/math/i386/atan.s @@ -10,8 +10,5 @@ atan: fpatan ret # subnormal x, return x with underflow -1: fnstsw %ax - and $16,%ax - jnz 2f - fsts 4(%esp) -2: ret +1: fsts 4(%esp) + ret diff --git a/src/math/i386/atan2.s b/src/math/i386/atan2.s index a7d2979b..76b95f31 100644 --- a/src/math/i386/atan2.s +++ b/src/math/i386/atan2.s @@ -10,8 +10,5 @@ atan2: cmp $0x00200000,%eax jae 1f # subnormal x, return x with underflow - fnstsw %ax - and $16,%ax - jnz 1f fsts 4(%esp) 1: ret diff --git a/src/math/i386/atan2f.s b/src/math/i386/atan2f.s index 14b88ce5..c9408a90 100644 --- a/src/math/i386/atan2f.s +++ b/src/math/i386/atan2f.s @@ -10,9 +10,6 @@ atan2f: cmp $0x01000000,%eax jae 1f # subnormal x, return x with underflow - fnstsw %ax - and $16,%ax - jnz 1f fld %st(0) fmul %st(1) fstps 4(%esp) diff --git a/src/math/i386/atanf.s b/src/math/i386/atanf.s index 8caddefa..893beac5 100644 --- a/src/math/i386/atanf.s +++ b/src/math/i386/atanf.s @@ -10,10 +10,7 @@ atanf: fpatan ret # subnormal x, return x with underflow -1: fnstsw %ax - and $16,%ax - jnz 2f - fld %st(0) +1: fld %st(0) fmul %st(1) fstps 4(%esp) -2: ret + ret diff --git a/src/math/i386/exp.s b/src/math/i386/exp.s index c7aa5b6e..df87c497 100644 --- a/src/math/i386/exp.s +++ b/src/math/i386/exp.s @@ -7,13 +7,10 @@ expm1f: cmp $0x01000000,%eax jae 1f # subnormal x, return x with underflow - fnstsw %ax - and $16,%ax - jnz 2f fld %st(0) fmul %st(1) fstps 4(%esp) -2: ret + ret .global expm1l .type expm1l,@function @@ -30,11 +27,8 @@ expm1: cmp $0x00200000,%eax jae 1f # subnormal x, return x with underflow - fnstsw %ax - and $16,%ax - jnz 2f fsts 4(%esp) -2: ret + ret 1: fldl2e fmulp mov $0xc2820000,%eax diff --git a/src/math/i386/log1p.s b/src/math/i386/log1p.s index 6b6929c7..354f391a 100644 --- a/src/math/i386/log1p.s +++ b/src/math/i386/log1p.s @@ -16,9 +16,6 @@ log1p: fyl2x ret # subnormal x, return x with underflow -2: fnstsw %ax - and $16,%ax - jnz 1f - fsts 4(%esp) +2: fsts 4(%esp) fstp %st(1) -1: ret + ret diff --git a/src/math/i386/log1pf.s b/src/math/i386/log1pf.s index c0bcd30f..4d3484cd 100644 --- a/src/math/i386/log1pf.s +++ b/src/math/i386/log1pf.s @@ -16,10 +16,7 @@ log1pf: fyl2x ret # subnormal x, return x with underflow -2: fnstsw %ax - and $16,%ax - jnz 1f - fxch +2: fxch fmul %st(1) fstps 4(%esp) -1: ret + ret ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance 2019-08-06 0:05 ` Rich Felker @ 2019-08-06 15:36 ` Rich Felker 0 siblings, 0 replies; 4+ messages in thread From: Rich Felker @ 2019-08-06 15:36 UTC (permalink / raw) To: oss-security; +Cc: musl On Mon, Aug 05, 2019 at 08:05:39PM -0400, Rich Felker wrote: > On Mon, Aug 05, 2019 at 07:27:37PM -0400, Rich Felker wrote: > > I've discovered a flaw in musl libc's arch-specific math assembly code > > for i386, whereby at least the log1p function and possibly others > > return with more than one item on the x87 stack. This can lead to x87 > > stack overflow in the execution of subsequent math code, causing it to > > incorrectly produce a NAN in place of the actual result. If floating > > point results are used in flow control, this can lead to runaway wrong > > code execution. For example, in Python (version 3.6.8 tested), at > > least one code path of the dtoa function becomes an infinite loop > > performing what's effectively an unbounded-length memset when entered > > under such a condition. > > > > This bug is potentially exploitable in software which calls affected > > math functions with inputs under user control. Impact depends on how > > the application handles the ABI-violating x87 state; in Python it > > seems to be limited to producing a crash. > > > > The bug is present in all versions after 0.9.12, up through the > > current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's > > "i386" arch) are affected. Users of other archs, including x86_64, can > > safely ignore this issue. > > > > Affected users are advised to apply the following patch: > > > > https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 > > The patch contains an error that was missed for unknown reasons, > probably failure to rebuild a file. I'm attaching an aggregate patch > that works. Alternaatively, these two commits can be applied: > > https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 > https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e CVE-2019-14697 has been assigned for this issue. ^ permalink raw reply [flat|nested] 4+ messages in thread
[parent not found: <20190805232737.GA11260-C3MtFaGISjmo6RMmaWD+6Sb1p8zYI1N1@public.gmane.org>]
* Re: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance [not found] ` <20190805232737.GA11260-C3MtFaGISjmo6RMmaWD+6Sb1p8zYI1N1@public.gmane.org> @ 2019-08-06 7:16 ` Moritz Muehlenhoff 0 siblings, 0 replies; 4+ messages in thread From: Moritz Muehlenhoff @ 2019-08-06 7:16 UTC (permalink / raw) To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8 Cc: musl-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8 On Mon, Aug 05, 2019 at 07:27:37PM -0400, Rich Felker wrote: > I've discovered a flaw in musl libc's arch-specific math assembly code > for i386, whereby at least the log1p function and possibly others > return with more than one item on the x87 stack. Given that the Subject: mentions a CVE request; these are no longer handled via the oss-security mailing list. Please use https://cveform.mitre.org/ instead. Cheers, Moritz ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-08-06 15:36 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2019-08-05 23:27 CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance Rich Felker 2019-08-06 0:05 ` Rich Felker 2019-08-06 15:36 ` Rich Felker [not found] ` <20190805232737.GA11260-C3MtFaGISjmo6RMmaWD+6Sb1p8zYI1N1@public.gmane.org> 2019-08-06 7:16 ` Moritz Muehlenhoff
Code repositories for project(s) associated with this public inbox https://git.vuxu.org/mirror/musl/ This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).