Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20140416090603.GA11954@brightrain.aerifal.cx>
Date: Wed, 16 Apr 2014 05:06:03 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Details on printf issue fixed in musl 1.0.1 and 1.1.0

The release announcements for 1.0.1 and 1.1.0 mention the possibility
of buffer overflow. I believe it is unlikely that the bug results in a
security issue for real-world applications, but in the interest of
transparency I'm posting an explanation.

The floating point printf code represents a number being printed as an
array of 32-bit integers in the range 0 to 999999999 each representing
9 decimal digits. When rounding to a specific precision, a carry can
occur into the previous buffer slot. Under some circumstances, this
buffer slot may have been uninitialized (retaining whatever value was
previously stored at that particular location on the stack). If this
value happened to be greater than or equal to 999999999, the carry
would cascade into previous slot, and so on, eventually overflowing
past the beginning of the buffer.

In order to trigger such cascading carry, the caller would need to
arrange for a large part of the stack (roughly 8k on x86, 0.5k on most
other archs) to be pre-filled with large 32-bit integers.

Since the overflow takes place in the downward direction rather than
upward, it cannot overwrite return addresses stored in the usual
location. It was not determined however whether it might overwrite
other sensitive pointers; this of course depends on the compiler's
choice of how to arrange the stack frame.

Since the cascading overflow writes zeros to all but the last
position, and merely increments the last position, it seems unlikely
that this bug could be used as a vector for arbitrary code execution.
However it may allow malicious input to crash the application, and it
certainly results in the printing of incorrect decimal representations
for certain values except when the stack is clean with zeros.

Users concerned about this issue are advised to upgrade. The 1.0.1
release offers an upgrade path with minimal invasive changes, or the
specific patch which fixed the issue can be applied:

http://git.musl-libc.org/cgit/musl/commit/?id=109048e031f39fbb370211fde44ababf6c04c8fb

The 1.1.0 release also fixes this bug, and provides new features
including further hardening (RELRO support).

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.