Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 16 Apr 2014 05:06:03 -0400
From: Rich Felker <>
Subject: Details on printf issue fixed in musl 1.0.1 and 1.1.0

The release announcements for 1.0.1 and 1.1.0 mention the possibility
of buffer overflow. I believe it is unlikely that the bug results in a
security issue for real-world applications, but in the interest of
transparency I'm posting an explanation.

The floating point printf code represents a number being printed as an
array of 32-bit integers in the range 0 to 999999999 each representing
9 decimal digits. When rounding to a specific precision, a carry can
occur into the previous buffer slot. Under some circumstances, this
buffer slot may have been uninitialized (retaining whatever value was
previously stored at that particular location on the stack). If this
value happened to be greater than or equal to 999999999, the carry
would cascade into previous slot, and so on, eventually overflowing
past the beginning of the buffer.

In order to trigger such cascading carry, the caller would need to
arrange for a large part of the stack (roughly 8k on x86, 0.5k on most
other archs) to be pre-filled with large 32-bit integers.

Since the overflow takes place in the downward direction rather than
upward, it cannot overwrite return addresses stored in the usual
location. It was not determined however whether it might overwrite
other sensitive pointers; this of course depends on the compiler's
choice of how to arrange the stack frame.

Since the cascading overflow writes zeros to all but the last
position, and merely increments the last position, it seems unlikely
that this bug could be used as a vector for arbitrary code execution.
However it may allow malicious input to crash the application, and it
certainly results in the printing of incorrect decimal representations
for certain values except when the stack is clean with zeros.

Users concerned about this issue are advised to upgrade. The 1.0.1
release offers an upgrade path with minimal invasive changes, or the
specific patch which fixed the issue can be applied:

The 1.1.0 release also fixes this bug, and provides new features
including further hardening (RELRO support).


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.