public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/14459] New: strtod integer and buffer overflows
@ 2012-08-12 18:23 jsm28 at gcc dot gnu.org
2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-08-12 18:23 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Bug #: 14459
Summary: strtod integer and buffer overflows
Product: glibc
Version: 2.16
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: unassigned@sourceware.org
ReportedBy: jsm28@gcc.gnu.org
CC: drepper.fsp@gmail.com
Classification: Unclassified
strtod and related functions have integer overflow bugs resulting from the use
of "int" for internal variables and calculations where the actual values
involved may exceed the range of int. These integer overflows can in turn
result in buffer overflow on the stack. The following testcase illustrates
such a buffer overflow. Testing a patch. (I found this issue while working on
the fix for bug 3479.)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define EXPONENT "e-2147483649"
#define SIZE 214748364
int
main (void)
{
char *p = malloc (1 + SIZE + sizeof (EXPONENT));
if (p == NULL)
{
perror ("malloc");
exit (EXIT_FAILURE);
}
p[0] = '1';
memset (p + 1, '0', SIZE);
memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
double d = strtod (p, NULL);
printf ("%a\n", d);
exit (EXIT_SUCCESS);
}
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
@ 2012-08-13 17:35 ` vapier at gentoo dot org
2012-08-13 19:12 ` bugdal at aerifal dot cx
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: vapier at gentoo dot org @ 2012-08-13 17:35 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Mike Frysinger <vapier at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |toolchain at gentoo dot org
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
@ 2012-08-13 19:12 ` bugdal at aerifal dot cx
2012-08-13 19:23 ` ppluzhnikov at google dot com
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: bugdal at aerifal dot cx @ 2012-08-13 19:12 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Rich Felker <bugdal at aerifal dot cx> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |bugdal at aerifal dot cx
--- Comment #1 from Rich Felker <bugdal at aerifal dot cx> 2012-08-13 19:11:52 UTC ---
In general, test cases for giant-string bugs like this can be written so as not
to require a machine with insane amounts of free memory by using mmap cleverly:
1. Make a giant PROT_NONE anonymous mapping of the entire size.
2. Allocate a shared memory object of some reasonable size, e.g. 256k and fill
it with the pattern you want (e.g. all '0').
3. Repeatedly map the object over the original mapping at each offset with
MAP_FIXED|MAP_SHARED.
4. Make new anonymous mappings over top of the parts you want to modify
(usually the head and tail) using MAP_FIXED and fill them with the necessary
data.
This kind of design can take a test case that would otherwise bog most systems
down swapping for several minutes and make it run in a matter of seconds.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
2012-08-13 19:12 ` bugdal at aerifal dot cx
@ 2012-08-13 19:23 ` ppluzhnikov at google dot com
2012-08-15 22:08 ` allan at archlinux dot org
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: ppluzhnikov at google dot com @ 2012-08-13 19:23 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Paul Pluzhnikov <ppluzhnikov at google dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ppluzhnikov at google dot
| |com
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
` (2 preceding siblings ...)
2012-08-13 19:23 ` ppluzhnikov at google dot com
@ 2012-08-15 22:08 ` allan at archlinux dot org
2012-08-27 16:12 ` jsm28 at gcc dot gnu.org
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: allan at archlinux dot org @ 2012-08-15 22:08 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Allan McRae <allan at archlinux dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |allan at archlinux dot org
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
` (3 preceding siblings ...)
2012-08-15 22:08 ` allan at archlinux dot org
@ 2012-08-27 16:12 ` jsm28 at gcc dot gnu.org
2012-08-27 23:03 ` jsm28 at gcc dot gnu.org
2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com
6 siblings, 0 replies; 8+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-08-27 16:12 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-08-27 16:12:05 UTC ---
Fixed for 2.17 by:
commit d6e70f4368533224e66d10b7f2126b899a3fd5e4
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Aug 27 15:59:24 2012 +0000
Fix strtod integer/buffer overflow (bug 14459).
Testing a 2.16 backport.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
` (4 preceding siblings ...)
2012-08-27 16:12 ` jsm28 at gcc dot gnu.org
@ 2012-08-27 23:03 ` jsm28 at gcc dot gnu.org
2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com
6 siblings, 0 replies; 8+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2012-08-27 23:03 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14459
--- Comment #3 from Joseph Myers <jsm28 at gcc dot gnu.org> 2012-08-27 23:03:15 UTC ---
Fixed on 2.16 branch by:
commit da1f431963218999c49cae928309dfec426c575c
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Aug 27 15:59:24 2012 +0000
Fix strtod integer/buffer overflow (bug 14459).
(cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)
Fixed on 2.15 branch by:
commit 8a780f7f68a1cd4c575bb17973a9e18826b05ef9
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Aug 27 15:59:24 2012 +0000
Fix strtod integer/buffer overflow (bug 14459).
(cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480)
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
` (5 preceding siblings ...)
2012-08-27 23:03 ` jsm28 at gcc dot gnu.org
@ 2014-06-17 18:45 ` fweimer at redhat dot com
6 siblings, 0 replies; 8+ messages in thread
From: fweimer at redhat dot com @ 2014-06-17 18:45 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=14459
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Summary|strtod integer and buffer |strtod integer and buffer
|overflows |overflows (CVE-2012-3480)
Alias| |CVE-2012-3480
Flags| |security+
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2014-06-17 18:45 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-08-12 18:23 [Bug libc/14459] New: strtod integer and buffer overflows jsm28 at gcc dot gnu.org
2012-08-13 17:35 ` [Bug libc/14459] " vapier at gentoo dot org
2012-08-13 19:12 ` bugdal at aerifal dot cx
2012-08-13 19:23 ` ppluzhnikov at google dot com
2012-08-15 22:08 ` allan at archlinux dot org
2012-08-27 16:12 ` jsm28 at gcc dot gnu.org
2012-08-27 23:03 ` jsm28 at gcc dot gnu.org
2014-06-17 18:45 ` [Bug libc/14459] strtod integer and buffer overflows (CVE-2012-3480) fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).