CVE-2019-14697: Re: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance

• Products
  • Openwall GNU/*/Linux server OS
  • Linux Kernel Runtime Guard
  • John the Ripper password cracker
    • Free & Open Source for any platform
    • in the cloud
    • Pro for Linux
    • Pro for macOS
  • Wordlists for password cracking
  • passwdqc policy enforcement
    • Free & Open Source for Unix
    • Pro for Windows (Active Directory)
  • yescrypt KDF & password hashing
  • yespower Proof-of-Work (PoW)
  • crypt_blowfish password hashing
  • phpass ditto in PHP
  • tcb better password shadowing
  • Pluggable Authentication Modules
  • scanlogd port scan detector
  • popa3d tiny POP3 daemon
  • blists web interface to mailing lists
  • msulogin single user mode login
  • php_mt_seed mt_rand() cracker
• Services
• Publications
  • Articles
  • Presentations
• Resources
  • Mailing lists
  • Community wiki
  • Source code repositories (GitHub)
  • Source code repositories (CVSweb)
  • File archive & mirrors
  • How to verify digital signatures
  • OVE IDs
• What’s new

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Mon, 5 Aug 2019 20:05:39 -0400 From: Rich Felker <dalias@…c.org> To: oss-security@…ts.openwall.com Cc: musl@…ts.openwall.com Subject: Re: CVE request: musl libc 1.1.23 and earlier x87 float stack imbalance

On Mon, Aug 05, 2019 at 07:27:37PM -0400, Rich Felker wrote:

I’ve discovered a flaw in musl libc’s arch-specific math assembly code for i386, whereby at least the log1p function and possibly others return with more than one item on the x87 stack. This can lead to x87 stack overflow in the execution of subsequent math code, causing it to incorrectly produce a NAN in place of the actual result. If floating point results are used in flow control, this can lead to runaway wrong code execution. For example, in Python (version 3.6.8 tested), at least one code path of the dtoa function becomes an infinite loop performing what’s effectively an unbounded-length memset when entered under such a condition.

This bug is potentially exploitable in software which calls affected math functions with inputs under user control. Impact depends on how the application handles the ABI-violating x87 state; in Python it seems to be limited to producing a crash.

The bug is present in all versions after 0.9.12, up through the current (1.1.23) release. Only 32-bit x86 systems (aka IA32, musl’s “i386” arch) are affected. Users of other archs, including x86_64, can safely ignore this issue.

Affected users are advised to apply the following patch:

https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441

The patch contains an error that was missed for unknown reasons, probably failure to rebuild a file. I’m attaching an aggregate patch that works. Alternaatively, these two commits can be applied:

https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e

View attachment "x87_stack_bug.diff" of type "text/plain" (3105 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.