From: Mark Winterrowd
Newsgroups: gmane.linux.lib.musl.general
Subject: Out of bounds memory read in src/stdio/vfprintf.c
Date: Thu, 28 Jun 2018 10:20:28 -0700
To: musl@lists.openwall.com
Reply-To: musl@lists.openwall.com
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/12959
Hi all,

I believe I have found an out of bounds memory read in vfprintf.c

On line 509 in src/stdio/vfprintf.c in the current source tree head, you can observe the following snippet of code:

    /* Format specifier state machine */
    st=0;
    do {
        if (OOB(*s)) goto inval;
        ps=st;
        st=states[st]S(*s++);
    } while (st-1<STOP);
    if (!st) goto inval;

Note that on line 99 the OOB macro expands to the following test whether the argument falls outside of 'A' and 'z', written to use a single compare:

    #define OOB(x) ((unsigned)(x)-'A' > 'z'-'A')

Unfortunately, the cast to unsigned binds tighter than the subtract from 'A', so if x is less than 'A', OOB will return false. This is common in the case of space, which has an ASCII value of 32 compared to 'A''s value of 65.

This causes us to index into states with a negative value for its second dimension, causing us to index to an unpredictable location in states, possibly even off the beginning.

Hope this helps,
Mark Winterrowd
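The following is an added example for checking the claim in the message above; it is not part of the message and not musl's own code beyond the one-line OOB macro, which is reproduced exactly as quoted. It evaluates the macro for the characters the message discusses. Because 'A' is an int constant, the usual arithmetic conversions turn the subtraction into unsigned arithmetic once x has been cast, so a value below 'A' wraps to a value near UINT_MAX rather than going negative, and the comparison against 'z'-'A' (57) reports it out of bounds. The helper names (oob, oob_operand, oob_without_cast, oob_reference, oob_agrees_with_reference), the sample values, and the assumption of a 32-bit unsigned int are all mine; oob_without_cast is a constructed contrast that drops the cast to show the negative-difference behaviour the message describes.

```c
#include <stdio.h>
#include <limits.h>

/* The OOB macro exactly as quoted from src/stdio/vfprintf.c in the
 * message above. 'A' and 'z' are int constants; after the cast, both
 * the subtraction and the comparison are performed in unsigned arithmetic. */
#define OOB(x) ((unsigned)(x)-'A' > 'z'-'A')

/* Function wrapper (added here) so the macro's result can be inspected per value. */
int oob(int x)
{
	return OOB(x) ? 1 : 0;
}

/* The intermediate operand the comparison actually sees: (unsigned)x - 'A'.
 * For x below 'A' this wraps to a value near UINT_MAX (32-bit unsigned assumed). */
unsigned oob_operand(int x)
{
	return (unsigned)x - 'A';
}

/* Constructed contrast, not musl's code: the same test with the cast removed.
 * The difference is then a signed int, so a value below 'A' yields a negative
 * number that compares less than 'z'-'A' and is reported as in bounds. */
int oob_without_cast(int x)
{
	return (x - 'A' > 'z' - 'A') ? 1 : 0;
}

/* Reference check written with two compares, for cross-checking. */
int oob_reference(int x)
{
	return (x < 'A' || x > 'z') ? 1 : 0;
}

/* Cross-check oob() against the reference over every value a signed or
 * unsigned char can hold, including the negative values *s takes when
 * char is signed and the byte is >= 0x80. Returns 1 if they agree everywhere. */
int oob_agrees_with_reference(void)
{
	for (int x = -128; x <= 255; x++)
		if (oob(x) != oob_reference(x))
			return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample values: space and '#' below 'A', the range edges,
	 * a value above 'z', and -1 for a high byte read through a signed char. */
	const int samples[] = { ' ', '#', '0', 'A', 'Z', '[', 'a', 'z', '{', -1 };
	size_t n = sizeof samples / sizeof samples[0];

	printf("%6s %16s %4s %13s %10s\n",
	       "x", "(unsigned)x-'A'", "OOB", "without cast", "reference");
	for (size_t i = 0; i < n; i++) {
		int x = samples[i];
		printf("%6d %16u %4d %13d %10d\n", x, oob_operand(x), oob(x),
		       oob_without_cast(x), oob_reference(x));
	}
	printf("oob() agrees with the two-compare reference over -128..255: %s\n",
	       oob_agrees_with_reference() ? "yes" : "no");
	return 0;
}
```

The table printed by main shows the three checks side by side; the column that differs from the others for space, '#', '0' and -1 is the one without the cast, which is the behaviour a single unsigned compare is designed to avoid.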