[Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping

[Bug locale/29727] New: __strtol_internal out-of-bounds read when parsing thousands grouping

[nsz at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29727

            Bug ID: 29727
           Summary: __strtol_internal out-of-bounds read when parsing
                    thousands grouping
           Product: glibc
           Version: 2.35
            Status: NEW
          Severity: normal
          Priority: P2
         Component: locale
          Assignee: unassigned at sourceware dot org
          Reporter: nsz at gcc dot gnu.org
  Target Milestone: ---

__correctly_grouped_prefixmb reads past end if the locale specific thousands
separator is more than 1 byte.

crash can be triggered via __strto{l,ll,ul,ull}_internal and
__strto{f,d,ld}_internal.

plain strtol and strtof don't parse grouping, scanf %'d and %'f do, but scanf
parses from an internal buffer in a way such that OOB read unlikely to cause a
crash.

e.g. using LC_NUMERIC=cs_CZ.UTF-8 the following code crashes

#include <locale.h>
#include <stdio.h>
#include <sys/mman.h>
long __strtol_internal(const char *, char **, int, int, locale_t);

int main()
{
if(setlocale(LC_ALL,"")==0) return -1;
char *p = mmap(0, 4096*2, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
mprotect(p, 4096, PROT_READ|PROT_WRITE);
char *s = p + 4096 - 2;
s[0] = '1';
s[1] = 0;
int x;
sscanf(s, "%'d", &x); // may copy s
printf("%d\n", x);
x = __strtol_internal(s, 0, 0, 1, LC_GLOBAL_LOCALE); // segfaults
printf("%d\n", x);
}

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug locale/29727] __strtol_internal out-of-bounds read when parsing thousands grouping

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29727

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Szabolcs Nagy <nsz@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17bfe5954baee1f18672aea94caa1126ec36fb81

commit 17bfe5954baee1f18672aea94caa1126ec36fb81
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Tue Oct 11 15:24:41 2022 +0100

    Fix OOB read in stdlib thousand grouping parsing [BZ #29727]

    __correctly_grouped_prefixmb only worked with thousands_len == 1,
    otherwise it read past the end of cp or thousands.

    This affects scanf formats like %'d, %'f and the internal but
    exposed __strto{l,ul,f,d,..}_internal with grouping flag set
    and an LC_NUMERIC locale where thousands_len > 1.

    Avoid OOB access by considering thousands_len when initializing cp.
    This fixes bug 29727.

    Found by the morello port with strict bounds checking where

    FAIL: stdlib/tst-strtod4
    FAIL: stdlib/tst-strtod5i

    crashed using a locale with thousands_len==3.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug locale/29727] __strtol_internal out-of-bounds read when parsing thousands grouping

[nsz at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=29727

Szabolcs Nagy <nsz at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
   Target Milestone|---                         |2.37

--- Comment #2 from Szabolcs Nagy <nsz at gcc dot gnu.org> ---
fixed for 2.37

-- 
You are receiving this mail because:
You are on the CC list for the bug.