Message-ID: <72221361-b345-49d5-9d4f-2ec3d226879b@kernkonzept.com>
Date: Fri, 19 Sep 2025 15:10:34 +0200
From: Georg Kotheimer <georg.kotheimer@...nkonzept.com>
To: musl@...ts.openwall.com
Subject: Bug: Stack buffer overflow in printf on aarch64

Hi,

while running some printf tests with musl on aarch64 I encountered a mysterious segmentation fault. Turns out the cause of this crash is a stack buffer overflow inside fmt_fp, which occurs when formatting `long double` numbers with a lot of digits. The buffer that overflows is the stack-allocated `big` buffer in fmt_fp (for the exact location where the overflow happens, see the attached patch that checks and reports the overflow).

I also tested it on x86_64, there everything works fine.

My initial tests were done with the current master branch of musl (commit 0b86d60badad6a69b37fc06d18b5763fbbf47b58). Then while writing this mail I tested it with the most recent stable release musl-1.2.5, and fortunately there NO overflow occurs. So I assume some of the recent optimizations done on fmt_fp must be the culprit.

---

The bug can be reproduced by the following steps:

1. Download the attached patch and reproducer program.

2. Patch and build musl

    cd /path/to/musl/source
    git apply /path/to/musl-overflow-check.patch
    mkdir build && cd build
    ../configure --prefix=/tmp/musl-aarch64 --target=aarch64-linux-gnu
    make -j8 install

3. Build and execute reproducer

    /tmp/musl-aarch64/bin/musl-gcc -static /path/to/musl-printf-overflow.c
    qemu-aarch64 ./a.out

---

Georg

Attachment: "musl-overflow-check.patch" (text/x-patch, 549 bytes)
Attachment: "musl-printf-overflow.c" (text/x-csrc, 157 bytes)
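A regression harness for the class of input the report describes (wide-precision `long double` formatting), added here as an example; it is not the attached reproducer, whose contents are not shown on this page. It sizes the output with a probing snprintf, formats into an exactly sized heap buffer, and checks that the sizing call, the written length and the content agree, so that running it against a libc build either completes with zero failures or exposes a problem in the float formatting path (a crash or a mismatch). The helper names are assumptions.

```c
#include <float.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format value with "%.<prec>Lf" into a heap buffer sized by a probing
 * snprintf call. Returns the formatted length, or -1 on any inconsistency.
 * Hypothetical helper, not code from the musl project. */
int fmt_long_double_len(long double value, int prec)
{
    int need = snprintf(NULL, 0, "%.*Lf", prec, value);
    if (need < 0)
        return -1;
    char *buf = malloc((size_t)need + 1);
    if (!buf)
        return -1;
    int got = snprintf(buf, (size_t)need + 1, "%.*Lf", prec, value);
    int ok = got == need && (int)strlen(buf) == need;
    /* every byte must be a digit, a minus sign, or the decimal point */
    for (int i = 0; ok && i < got; i++)
        if (!((buf[i] >= '0' && buf[i] <= '9') || buf[i] == '.' || buf[i] == '-'))
            ok = 0;
    free(buf);
    return ok ? got : -1;
}

/* Sweep values with many integer digits and large precisions (constructed
 * inputs). Returns the number of failures; 0 means every case was consistent. */
int sweep_wide_long_doubles(void)
{
    const long double vals[] = { LDBL_MAX, -LDBL_MAX, LDBL_MIN, 1.0L / 3.0L };
    const int precs[] = { 0, 17, 100, 1000, 5000 };
    int failures = 0;
    for (size_t i = 0; i < sizeof vals / sizeof vals[0]; i++)
        for (size_t j = 0; j < sizeof precs / sizeof precs[0]; j++)
            if (fmt_long_double_len(vals[i], precs[j]) < 0)
                failures++;
    return failures;
}

int main(void)
{
    int f = sweep_wide_long_doubles();
    printf("long double formatting sweep: %d failure(s)\n", f);
    return f ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Build it against the libc under test (for the setup above, with musl-gcc and run under qemu-aarch64); a segmentation fault during the sweep is itself the finding, since no case should leave the process.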