Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20190805232737.GA11260@brightrain.aerifal.cx>
Date: Mon, 5 Aug 2019 19:27:37 -0400
From: Rich Felker <dalias@...c.org>
To: oss-security@...ts.openwall.com
Cc: musl@...ts.openwall.com
Subject: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance

I've discovered a flaw in musl libc's arch-specific math assembly code
for i386, whereby at least the log1p function and possibly others
return with more than one item on the x87 stack. This can lead to x87
stack overflow in the execution of subsequent math code, causing it to
incorrectly produce a NAN in place of the actual result. If floating
point results are used in flow control, this can lead to runaway wrong
code execution. For example, in Python (version 3.6.8 tested), at
least one code path of the dtoa function becomes an infinite loop
performing what's effectively an unbounded-length memset when entered
under such a condition.

This bug is potentially exploitable in software which calls affected
math functions with inputs under user control. Impact depends on how
the application handles the ABI-violating x87 state; in Python it
seems to be limited to producing a crash.

The bug is present in all versions after 0.9.12, up through the
current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl's
"i386" arch) are affected. Users of other archs, including x86_64, can
safely ignore this issue.

Affected users are advised to apply the following patch:

https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.