From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/14515 Path: news.gmane.org!.POSTED.blaine.gmane.org!not-for-mail From: Rich Felker Newsgroups: gmane.linux.lib.musl.general,gmane.comp.security.oss.general Subject: Re: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance Date: Tue, 6 Aug 2019 11:36:15 -0400 Message-ID: <20190806153615.GW9017@brightrain.aerifal.cx> References: <20190805232737.GA11260@brightrain.aerifal.cx> <20190806000539.GQ9017@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Injection-Info: blaine.gmane.org; posting-host="blaine.gmane.org:195.159.176.226"; logging-data="108804"; mail-complaints-to="usenet@blaine.gmane.org" User-Agent: Mutt/1.5.21 (2010-09-15) Cc: musl@lists.openwall.com To: oss-security@lists.openwall.com Original-X-From: musl-return-14531-gllmg-musl=m.gmane.org@lists.openwall.com Tue Aug 06 17:36:32 2019 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by blaine.gmane.org with smtp (Exim 4.89) (envelope-from ) id 1hv1Vo-000S9z-7c for gllmg-musl@m.gmane.org; Tue, 06 Aug 2019 17:36:32 +0200 Original-Received: (qmail 32039 invoked by uid 550); 6 Aug 2019 15:36:27 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Original-Received: (qmail 31999 invoked from network); 6 Aug 2019 15:36:27 -0000 Content-Disposition: inline In-Reply-To: <20190806000539.GQ9017@brightrain.aerifal.cx> Original-Sender: Rich Felker Xref: news.gmane.org gmane.linux.lib.musl.general:14515 gmane.comp.security.oss.general:25498 Archived-At: On Mon, Aug 05, 2019 at 08:05:39PM -0400, Rich Felker wrote: > On Mon, Aug 05, 2019 at 07:27:37PM -0400, Rich Felker wrote: > > I've discovered a flaw in musl libc's arch-specific math assembly code > > for i386, whereby at least the log1p function and possibly others > > return with more than one item on the x87 stack. This can lead to x87 > > stack overflow in the execution of subsequent math code, causing it to > > incorrectly produce a NAN in place of the actual result. If floating > > point results are used in flow control, this can lead to runaway wrong > > code execution. For example, in Python (version 3.6.8 tested), at > > least one code path of the dtoa function becomes an infinite loop > > performing what's effectively an unbounded-length memset when entered > > under such a condition. > > > > This bug is potentially exploitable in software which calls affected > > math functions with inputs under user control. Impact depends on how > > the application handles the ABI-violating x87 state; in Python it > > seems to be limited to producing a crash. > > > > The bug is present in all versions after 0.9.12, up through the > > current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's > > "i386" arch) are affected. Users of other archs, including x86_64, can > > safely ignore this issue. > > > > Affected users are advised to apply the following patch: > > > > https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 > > The patch contains an error that was missed for unknown reasons, > probably failure to rebuild a file. I'm attaching an aggregate patch > that works. Alternaatively, these two commits can be applied: > > https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 > https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e CVE-2019-14697 has been assigned for this issue.