Date: Wed, 16 Apr 2014 05:06:03 -0400 From: Rich Felker <dalias@...ifal.cx> To: musl@...ts.openwall.com Subject: Details on printf issue fixed in musl 1.0.1 and 1.1.0 The release announcements for 1.0.1 and 1.1.0 mention the possibility of buffer overflow. I believe it is unlikely that the bug results in a security issue for real-world applications, but in the interest of transparency I'm posting an explanation. The floating point printf code represents a number being printed as an array of 32-bit integers in the range 0 to 999999999 each representing 9 decimal digits. When rounding to a specific precision, a carry can occur into the previous buffer slot. Under some circumstances, this buffer slot may have been uninitialized (retaining whatever value was previously stored at that particular location on the stack). If this value happened to be greater than or equal to 999999999, the carry would cascade into previous slot, and so on, eventually overflowing past the beginning of the buffer. In order to trigger such cascading carry, the caller would need to arrange for a large part of the stack (roughly 8k on x86, 0.5k on most other archs) to be pre-filled with large 32-bit integers. Since the overflow takes place in the downward direction rather than upward, it cannot overwrite return addresses stored in the usual location. It was not determined however whether it might overwrite other sensitive pointers; this of course depends on the compiler's choice of how to arrange the stack frame. Since the cascading overflow writes zeros to all but the last position, and merely increments the last position, it seems unlikely that this bug could be used as a vector for arbitrary code execution. However it may allow malicious input to crash the application, and it certainly results in the printing of incorrect decimal representations for certain values except when the stack is clean with zeros. Users concerned about this issue are advised to upgrade. The 1.0.1 release offers an upgrade path with minimal invasive changes, or the specific patch which fixed the issue can be applied: http://git.musl-libc.org/cgit/musl/commit/?id=109048e031f39fbb370211fde44ababf6c04c8fb The 1.1.0 release also fixes this bug, and provides new features including further hardening (RELRO support). Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.