Date: Wed, 31 Jan 2024 15:55:55 +0100
From: Vincent Lefevre
To: Xi Ruoyao
Cc: Turritopsis Dohrnii Teo En Ming, "libc-alpha@sourceware.org", "ceo@teo-en-ming-corp.com"
Subject: Re: New GNU C Library (glibc) security flaw reported on 30 Jan 2024
Message-ID: <20240131145555.GB2102@cventin.lip.ens-lyon.fr>

On 2024-01-31 22:23:32 +0800, Xi Ruoyao wrote:
> On Wed, 2024-01-31 at 14:08 +0000, Turritopsis Dohrnii Teo En Ming
> wrote:
> > Subject: New GNU C Library (glibc) security flaw reported on 30 Jan 2024
> >
> > Good day from Singapore,
> >
> > I recently stumbled upon this insightful article and wanted to share it with you.
> >
> > Article: New Linux glibc flaw lets attackers get root on major distros
> > Link: https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/
>
> I cannot see why https://www.qualys.com/2024/01/30/qsort.txt is a
> **Glibc** security issue. The standard is clear that if you pass a
> non-transitive comparator to qsort, you invoke an undefined behavior.

This is what the ISO C standard says. But the glibc manual explicitly
allows non-transitive comparators.
See the example in 9.1 Defining the Comparison Function:

  Here is an example of a comparison function which works with an
  array of numbers of type ‘double’:

    int
    compare_doubles (const void *a, const void *b)
    {
      const double *da = (const double *) a;
      const double *db = (const double *) b;

      return (*da > *db) - (*da < *db);
    }

The non-transitivity can be demonstrated with the following test program:

#include <stdio.h>
#include <math.h>

int compare_doubles (const void *a, const void *b)
{
  const double *da = (const double *) a;
  const double *db = (const double *) b;

  return (*da > *db) - (*da < *db);
}

int main (void)
{
  double t[3] = { 1.0, NAN, 2.0 };

  /* Compare 1.0 with NaN, NaN with 2.0, then 1.0 with 2.0. */
  printf ("%d\n", compare_doubles(t+0, t+1));
  printf ("%d\n", compare_doubles(t+1, t+2));
  printf ("%d\n", compare_doubles(t+0, t+2));
  return 0;
}

which gives

0
0
-1

while the initial 0 0 implies a third 0 with a transitive comparator.

-- 
Vincent Lefèvre - Web:
100% accessible validated (X)HTML - Blog:
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
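
Added example, not part of the original message and not glibc code: the manual's comparator beside a NaN-aware one, with a check over all triples that flags a non-transitive comparator before it is handed to qsort. The names compare_doubles_total, is_transitive and sort_sample_ok are hypothetical, and placing NaNs last is an assumed policy.

```c
#include <math.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*cmp_fn) (const void *, const void *);

/* Comparator from the glibc manual, as quoted in the message above. */
static int compare_doubles (const void *a, const void *b) {
  const double *da = a, *db = b;
  return (*da > *db) - (*da < *db);
}

/* Hypothetical replacement: NaNs are equal to each other and sort last. */
static int compare_doubles_total (const void *a, const void *b) {
  double x = *(const double *) a, y = *(const double *) b;
  int xn = isnan (x) != 0, yn = isnan (y) != 0;
  if (xn || yn)
    return xn - yn;
  return (x > y) - (x < y);
}

/* Return 1 if cmp is transitive on every triple drawn from t[0..n-1]. */
static int is_transitive (cmp_fn cmp, const double *t, size_t n) {
  for (size_t i = 0; i < n; i++)
    for (size_t j = 0; j < n; j++)
      for (size_t k = 0; k < n; k++) {
        int ab = cmp (t + i, t + j), bc = cmp (t + j, t + k);
        int ac = cmp (t + i, t + k);
        if (ab <= 0 && bc <= 0 && ac > 0) return 0;   /* ordering broken */
        if (ab == 0 && bc == 0 && ac != 0) return 0;  /* equality broken */
      }
  return 1;
}

/* Sort a constructed sample; return 1 if numbers ascend and NaNs are last. */
static int sort_sample_ok (void) {
  double t[5] = { 2.0, NAN, -1.0, NAN, 1.0 };
  qsort (t, 5, sizeof t[0], compare_doubles_total);
  return t[0] == -1.0 && t[1] == 1.0 && t[2] == 2.0 && isnan (t[3]) && isnan (t[4]);
}

int main (void) {
  double t[3] = { 1.0, NAN, 2.0 };  /* same array as the test program above */
  printf ("%d %d %d\n", is_transitive (compare_doubles, t, 3),
          is_transitive (compare_doubles_total, t, 3), sort_sample_ok ());
  return 0;
}
```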