Message-ID: <72221361-b345-49d5-9d4f-2ec3d226879b@kernkonzept.com>
Date: Fri, 19 Sep 2025 15:10:34 +0200
From: Georg Kotheimer <georg.kotheimer@...nkonzept.com>
To: musl@...ts.openwall.com
Subject: Bug: Stack buffer overflow in printf on aarch64

Hi,

while running some printf tests with musl on aarch64 I encountered a
mysterious segmentation fault. Turns out the cause of this crash is a
stack buffer overflow inside fmt_fp, which occurs when formatting `long
double` numbers with a lot of digits.

The buffer that overflows is the stack-allocated `big` buffer in fmt_fp
(for the exact location where the overflow happens, see the attached
patch that checks and reports the overflow).

I also tested it on x86_64, there everything works fine.

My initial tests were done with the current master branch of musl
(commit 0b86d60badad6a69b37fc06d18b5763fbbf47b58). Then while writing
this mail I tested it with the most recent stable release musl-1.2.5,
and fortunately there NO overflow occurs. So I assume some of the recent
optimizations done on fmt_fp must be the culprit.

---

The bug can be reproduced by the following steps:

1. Download the attached patch and reproducer program.

2. Patch and build musl:

   cd /path/to/musl/source
   git apply /path/to/musl-overflow-check.patch
   mkdir build && cd build
   ../configure --prefix=/tmp/musl-aarch64 --target=aarch64-linux-gnu
   make -j8 install

3. Build and execute the reproducer:

   /tmp/musl-aarch64/bin/musl-gcc -static /path/to/musl-printf-overflow.c
   qemu-aarch64 ./a.out

---

Georg
View attachment "musl-overflow-check.patch" of type "text/x-patch" (549 bytes)

View attachment "musl-printf-overflow.c" of type "text/x-csrc" (157 bytes)
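As an added regression-style check for the code path the report describes (my own constructed harness, not the reporter's attached reproducer or patch, whose contents are not shown above): it drives the long double formatting path through several digit-heavy cases and verifies that each result is self-consistent, so a libc with a broken fmt_fp shows up as a crash or a failed case. It assumes a target whose long double is x87 80-bit or IEEE binary128 (LDBL_MAX_10_EXP == 4932); the formats and values are constructed for this example.

```c
#include <float.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format v with fmt and verify the result: sizing pass and real pass must
 * agree, strtold must consume the whole string, and the parsed value must
 * equal v (each case keeps far more significant digits than LDBL_DECIMAL_DIG,
 * so exact equality is the right test). Returns the length, or -1 on failure. */
long check_format(const char *fmt, long double v)
{
    int need = snprintf(NULL, 0, fmt, v);
    if (need < 0) return -1;
    char *buf = malloc((size_t)need + 1);
    if (!buf) return -1;
    long ret = -1;
    int got = snprintf(buf, (size_t)need + 1, fmt, v);
    if (got == need && strlen(buf) == (size_t)need) {
        char *end;
        long double back = strtold(buf, &end);
        if (*end == '\0' && back == v) ret = need;
    }
    free(buf);
    return ret;
}

/* Digit-heavy long double cases (constructed for this harness).
 * LDBL_MAX_10_EXP is 4932 for both x87 80-bit and IEEE binary128 long double,
 * so "%.0Lf" of LDBL_MAX yields 4933 digits. Returns the number of failures. */
int run_all(void)
{
    struct { const char *fmt; long double v; long want; } cases[] = {
        { "%.0Lf",    LDBL_MAX,  LDBL_MAX_10_EXP + 1 }, /* integer digits only */
        { "%.0Lf",   -LDBL_MAX,  LDBL_MAX_10_EXP + 2 }, /* plus the sign */
        { "%.5000Lf", LDBL_MIN,  5002 },                /* "0." + 5000 digits */
        { "%.100Lf",  1.0L / 3,  102 },                 /* "0." + 100 digits */
    };
    int fails = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long got = check_format(cases[i].fmt, cases[i].v);
        if (got != cases[i].want) {
            fprintf(stderr, "FAIL %s: got %ld, want %ld\n",
                    cases[i].fmt, got, cases[i].want);
            fails++;
        }
    }
    return fails;
}

int main(void) { return run_all() != 0; }
```

Building it against the patched musl from the steps above and running it under qemu-aarch64 exercises the same `big` buffer path; on a sound libc it exits 0.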
