public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug libc/14459] New: strtod integer and buffer overflows
@ 2012-08-12 18:23 jsm28 at gcc dot gnu.org
2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-08-12 18:23 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Bug #: 14459
Summary: strtod integer and buffer overflows
Product: glibc
Version: 2.16
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: unassigned@sourceware.org
ReportedBy: jsm28@gcc.gnu.org
CC: drepper.fsp@gmail.com
Classification: Unclassified
strtod and related functions have integer overflow bugs resulting from the use
of "int" for internal variables and calculations where the actual values
involved may exceed the range of int. These integer overflows can in turn
result in buffer overflow on the stack. The following testcase illustrates
such a buffer overflow. Testing a patch. (I found this issue while working on
the fix for bug 3479.)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define EXPONENT "e-2147483649"
#define SIZE 214748364
int
main (void)
{
char *p = malloc (1 + SIZE + sizeof (EXPONENT));
if (p == NULL)
{
perror ("malloc");
exit (EXIT_FAILURE);
}
p[0] = '1';
memset (p + 1, '0', SIZE);
memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
double d = strtod (p, NULL);
printf ("%a\n", d);
exit (EXIT_SUCCESS);
}
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread* [Bug libc/14459] strtod integer and buffer overflows 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org @ 2012-08-13 17:35 ` vapier at gentoo dot org 2012-08-13 19:12 ` bugdal at aerifal dot cx ` (5 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: vapier at gentoo dot org @ 2012-08-13 17:35 UTC (permalink / raw) To: glibc-bugs http://sourceware.org/bugzilla/show_bug.cgi?id=14459 Mike Frysinger <vapier at gentoo dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |toolchain at gentoo dot org -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org 2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org @ 2012-08-13 19:12 ` bugdal at aerifal dot cx 2012-08-13 19:23 ` ppluzhnikov at google dot com ` (4 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: bugdal at aerifal dot cx @ 2012-08-13 19:12 UTC (permalink / raw) To: glibc-bugs http://sourceware.org/bugzilla/show_bug.cgi?id=14459 Rich Felker <bugdal at aerifal dot cx> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bugdal at aerifal dot cx --- Comment #1 from Rich Felker <bugdal at aerifal dot cx> 2012-08-13 19:11:52 UTC --- In general, test cases for giant-string bugs like this can be written so as not to require a machine with insane amounts of free memory by using mmap cleverly: 1. Make a giant PROT_NONE anonymous mapping of the entire size. 2. Allocate a shared memory object of some reasonable size, e.g. 256k and fill it with the pattern you want (e.g. all '0'). 3. Repeatedly map the object over the original mapping at each offset with MAP_FIXED|MAP_SHARED. 4. Make new anonymous mappings over top of the parts you want to modify (usually the head and tail) using MAP_FIXED and fill them with the necessary data. This kind of design can take a test case that would otherwise bog most systems down swapping for several minutes and make it run in a matter of seconds. -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org 2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org 2012-08-13 19:12 ` bugdal at aerifal dot cx @ 2012-08-13 19:23 ` ppluzhnikov at google dot com 2012-08-15 22:08 ` allan at archlinux dot org ` (3 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: ppluzhnikov at google dot com @ 2012-08-13 19:23 UTC (permalink / raw) To: glibc-bugs http://sourceware.org/bugzilla/show_bug.cgi?id=14459 Paul Pluzhnikov <ppluzhnikov at google dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ppluzhnikov at google dot | |com -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org ` (2 preceding siblings ...) 2012-08-13 19:23 ` ppluzhnikov at google dot com @ 2012-08-15 22:08 ` allan at archlinux dot org 2012-08-27 16:12 ` jsm28 at gcc dot gnu.org ` (2 subsequent siblings) 6 siblings, 0 replies; 8+ messages in thread From: allan at archlinux dot org @ 2012-08-15 22:08 UTC (permalink / raw) To: glibc-bugs http://sourceware.org/bugzilla/show_bug.cgi?id=14459 Allan McRae <allan at archlinux dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |allan at archlinux dot org -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org ` (3 preceding siblings ...) 2012-08-15 22:08 ` allan at archlinux dot org @ 2012-08-27 16:12 ` jsm28 at gcc dot gnu.org 2012-08-27 23:03 ` jsm28 at gcc dot gnu.org 2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com 6 siblings, 0 replies; 8+ messages in thread From: jsm28 at gcc dot gnu.org @ 2012-08-27 16:12 UTC (permalink / raw) To: glibc-bugs http://sourceware.org/bugzilla/show_bug.cgi?id=14459 Joseph Myers <jsm28 at gcc dot gnu.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED --- Comment #2 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-08-27 16:12:05 UTC --- Fixed for 2.17 by: commit d6e70f4368533224e66d10b7f2126b899a3fd5e4 Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Aug 27 15:59:24 2012 +0000 Fix strtod integer/buffer overflow (bug 14459). Testing a 2.16 backport. -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org ` (4 preceding siblings ...) 2012-08-27 16:12 ` jsm28 at gcc dot gnu.org @ 2012-08-27 23:03 ` jsm28 at gcc dot gnu.org 2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com 6 siblings, 0 replies; 8+ messages in thread From: jsm28 at gcc dot gnu.org @ 2012-08-27 23:03 UTC (permalink / raw) To: glibc-bugs http://sourceware.org/bugzilla/show_bug.cgi?id=14459 --- Comment #3 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-08-27 23:03:15 UTC --- Fixed on 2.16 branch by: commit da1f431963218999c49cae928309dfec426c575c Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Aug 27 15:59:24 2012 +0000 Fix strtod integer/buffer overflow (bug 14459). (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4) Fixed on 2.15 branch by: commit 8a780f7f68a1cd4c575bb17973a9e18826b05ef9 Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Aug 27 15:59:24 2012 +0000 Fix strtod integer/buffer overflow (bug 14459). (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4) -- Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org ` (5 preceding siblings ...) 2012-08-27 23:03 ` jsm28 at gcc dot gnu.org @ 2014-06-17 18:45 ` fweimer at redhat dot com 6 siblings, 0 replies; 8+ messages in thread From: fweimer at redhat dot com @ 2014-06-17 18:45 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=14459 Florian Weimer <fweimer at redhat dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fweimer at redhat dot com Summary|strtod integer and buffer |strtod integer and buffer |overflows |overflows (CVE-2012-3480) Alias| |CVE-2012-3480 Flags| |security+ -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2014-06-17 18:45 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org 2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org 2012-08-13 19:12 ` bugdal at aerifal dot cx 2012-08-13 19:23 ` ppluzhnikov at google dot com 2012-08-15 22:08 ` allan at archlinux dot org 2012-08-27 16:12 ` jsm28 at gcc dot gnu.org 2012-08-27 23:03 ` jsm28 at gcc dot gnu.org 2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).