public inbox for glibc-bugs@sourceware.org
* [Bug libc/14459] New: strtod integer and buffer overflows
@ 2012-08-12 18:23 jsm28 at gcc dot gnu.org
  2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-08-12 18:23 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14459

             Bug #: 14459
           Summary: strtod integer and buffer overflows
           Product: glibc
           Version: 2.16
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: unassigned@sourceware.org
        ReportedBy: jsm28@gcc.gnu.org
                CC: drepper.fsp@gmail.com
    Classification: Unclassified


strtod and related functions have integer overflow bugs resulting from the use
of "int" for internal variables and calculations where the actual values
involved may exceed the range of int.  These integer overflows can in turn
result in buffer overflow on the stack.  The following testcase illustrates
such a buffer overflow.  Testing a patch.  (I found this issue while working on
the fix for bug 3479.)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXPONENT "e-2147483649"
#define SIZE 214748364

int
main (void)
{
  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
  if (p == NULL)
    {
      perror ("malloc");
      exit (EXIT_FAILURE);
    }
  p[0] = '1';
  memset (p + 1, '0', SIZE);
  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
  double d = strtod (p, NULL);
  printf ("%a\n", d);
  exit (EXIT_SUCCESS);
}

-- 
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.



* [Bug libc/14459] strtod integer and buffer overflows
  2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
@ 2012-08-13 17:35 ` vapier at gentoo dot org
  2012-08-13 19:12 ` bugdal at aerifal dot cx
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: vapier at gentoo dot org @ 2012-08-13 17:35 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14459

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |toolchain at gentoo dot org


* [Bug libc/14459] strtod integer and buffer overflows
  2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
  2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
@ 2012-08-13 19:12 ` bugdal at aerifal dot cx
  2012-08-13 19:23 ` ppluzhnikov at google dot com
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-13 19:12 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14459

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #1 from Rich Felker <bugdal at aerifal dot cx> 2012-08-13 19:11:52 UTC ---
In general, test cases for giant-string bugs like this can be written so as not
to require a machine with insane amounts of free memory by using mmap cleverly:

1. Make a giant PROT_NONE anonymous mapping of the entire size.
2. Allocate a shared memory object of some reasonable size, e.g. 256k and fill
it with the pattern you want (e.g. all '0').
3. Repeatedly map the object over the original mapping at each offset with
MAP_FIXED|MAP_SHARED.
4. Make new anonymous mappings over top of the parts you want to modify
(usually the head and tail) using MAP_FIXED and fill them with the necessary
data.

This kind of design can take a test case that would otherwise bog most systems
down swapping for several minutes and make it run in a matter of seconds.

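The four steps above, as an added C example that is not code from the thread: it builds the reporter's input ("1", the run of zeros, then the exponent) while committing only one 256 KiB shared object plus the head and tail pages. It assumes Linux and uses memfd_create as the shared memory object in place of shm_open; the names build_giant_string, private_fill and CHUNK are my own.

```c
#define _GNU_SOURCE                   /* exposes memfd_create in <sys/mman.h> */
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#ifndef MFD_CLOEXEC                   /* header was read without GNU extensions */
int memfd_create(const char *, unsigned int);
#endif
#define CHUNK (256 * 1024)            /* size of the shared pattern object */

/* Replace [start, end) of the tiled range by private pages holding FILL. */
static int private_fill(char *base, size_t start, size_t end, char fill)
{
    if (start >= end) return 0;
    if (mmap(base + start, end - start, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0) == MAP_FAILED)
        return -1;
    memset(base + start, fill, end - start);
    return 0;
}

/* Build "<head><nfill x fill><tail>" plus NUL from one CHUNK of real memory
   plus the head and tail pages; returns NULL on failure. */
char *build_giant_string(const char *head, char fill, size_t nfill, const char *tail)
{
    size_t page = (size_t) sysconf(_SC_PAGESIZE);
    size_t hl = strlen(head), total = hl + nfill + strlen(tail) + 1;
    size_t reserve = (total + CHUNK - 1) / CHUNK * CHUNK;
    /* 1. reserve the whole range; PROT_NONE commits no memory */
    char *base = mmap(NULL, reserve, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    /* 2+3. one CHUNK-sized shared object, mapped over every CHUNK of the range */
    int fd = memfd_create("pattern", 0);
    int ok = fd >= 0 && ftruncate(fd, CHUNK) == 0;
    for (size_t off = 0; ok && off < reserve; off += CHUNK)
        ok = mmap(base + off, CHUNK, PROT_READ | PROT_WRITE,
                  MAP_SHARED | MAP_FIXED, fd, 0) != MAP_FAILED;
    if (fd >= 0) close(fd);           /* the tiles keep the object alive */
    if (ok) memset(base, fill, CHUNK); /* written once, seen through every tile */
    /* 4. private pages over the head and the tail, then write them */
    size_t hend = (hl + page - 1) / page * page, tstart = (hl + nfill) / page * page;
    if (!ok || private_fill(base, 0, hend, fill)
        || private_fill(base, tstart > hend ? tstart : hend,
                        (total + page - 1) / page * page, fill)) {
        munmap(base, reserve);
        return NULL;
    }
    memcpy(base, head, hl);
    memcpy(base + hl + nfill, tail, total - hl - nfill);   /* includes the NUL */
    return base;
}
```

Passing head "1", fill '0', nfill 214748364 and tail "e-2147483649" yields the same string the report's testcase mallocs, ready to hand to strtod.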

* [Bug libc/14459] strtod integer and buffer overflows
  2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
  2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
  2012-08-13 19:12 ` bugdal at aerifal dot cx
@ 2012-08-13 19:23 ` ppluzhnikov at google dot com
  2012-08-15 22:08 ` allan at archlinux dot org
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: ppluzhnikov at google dot com @ 2012-08-13 19:23 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14459

Paul Pluzhnikov <ppluzhnikov at google dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ppluzhnikov at google dot
                   |                            |com


* [Bug libc/14459] strtod integer and buffer overflows
  2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
                   ` (2 preceding siblings ...)
  2012-08-13 19:23 ` ppluzhnikov at google dot com
@ 2012-08-15 22:08 ` allan at archlinux dot org
  2012-08-27 16:12 ` jsm28 at gcc dot gnu.org
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: allan at archlinux dot org @ 2012-08-15 22:08 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14459

Allan McRae <allan at archlinux dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |allan at archlinux dot org


* [Bug libc/14459] strtod integer and buffer overflows
  2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
                   ` (3 preceding siblings ...)
  2012-08-15 22:08 ` allan at archlinux dot org
@ 2012-08-27 16:12 ` jsm28 at gcc dot gnu.org
  2012-08-27 23:03 ` jsm28 at gcc dot gnu.org
  2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com
  6 siblings, 0 replies; 8+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-08-27 16:12 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14459

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-08-27 16:12:05 UTC ---
Fixed for 2.17 by:

commit d6e70f4368533224e66d10b7f2126b899a3fd5e4
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Aug 27 15:59:24 2012 +0000

    Fix strtod integer/buffer overflow (bug 14459).

Testing a 2.16 backport.


* [Bug libc/14459] strtod integer and buffer overflows
  2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
                   ` (4 preceding siblings ...)
  2012-08-27 16:12 ` jsm28 at gcc dot gnu.org
@ 2012-08-27 23:03 ` jsm28 at gcc dot gnu.org
  2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com
  6 siblings, 0 replies; 8+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-08-27 23:03 UTC (permalink / raw)
  To: glibc-bugs

http://sourceware.org/bugzilla/show_bug.cgi?id=14459

--- Comment #3 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-08-27 23:03:15 UTC ---
Fixed on 2.16 branch by:

commit da1f431963218999c49cae928309dfec426c575c
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Aug 27 15:59:24 2012 +0000

    Fix strtod integer/buffer overflow (bug 14459).
    (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)

Fixed on 2.15 branch by:

commit 8a780f7f68a1cd4c575bb17973a9e18826b05ef9
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Aug 27 15:59:24 2012 +0000

    Fix strtod integer/buffer overflow (bug 14459).
    (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)


* [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480)
  2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
                   ` (5 preceding siblings ...)
  2012-08-27 23:03 ` jsm28 at gcc dot gnu.org
@ 2014-06-17 18:45 ` fweimer at redhat dot com
  6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2014-06-17 18:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=14459

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
            Summary|strtod integer and buffer   |strtod integer and buffer
                   |overflows                   |overflows (CVE-2012-3480)
              Alias|                            |CVE-2012-3480
              Flags|                            |security+

