Bug 13656 (CVE-2012-0864)

Summary: vfprintf nargs integer overflow (CVE-2012-0864)
Product: glibc
Reporter: Kees Cook <kees>
Component: stdio
Assignee: Carlos O'Donell <carlos>
Severity: normal
CC: aj, eggert, fweimer, thoger
Priority: P2
Keywords: glibc_2.14, glibc_2.15
Version: unspecified
Flags: fweimer: security+
Target Milestone: ---
Host:
Target:
Build:
Last reconfirmed:

Description Kees Cook 2012-02-02 20:52:43 UTC
The nargs value can overflow when doing allocations, and argument-based offsets are not bounds-checked, allowing arbitrary memory writes via format strings, bypassing _FORTIFY_SOURCE protections:


Patch in progress:
Comment 1 Andreas Jaeger 2012-03-05 09:38:00 UTC
Fixed in git head, this should be backported to all active branches.
Comment 2 Tomas Hoger 2012-03-05 09:56:50 UTC
FYI, a comment from Laszlo Ersek in Red Hat BZ:


The easiest fix would have been to restrict "nargs" to NL_ARGMAX.

Comment 3 Andreas Jaeger 2012-03-05 10:09:26 UTC
Tomas, could you or Laszlo bring this up on libc-alpha, please?
Comment 4 Tomas Hoger 2012-03-06 14:42:32 UTC
(In reply to comment #3)
> Tomas, could you or Laszlo bring this up on libc-alpha, please?

This was posted in:

Replies indicate it is preferred to limit nargs by available memory rather than using an arbitrary limit, i.e. what Kees' patch was doing already.

Related commit links for posterity:

Comment 5 Paul Eggert 2012-03-09 08:36:47 UTC
Fix committed:


so I am marking this bug as fixed.
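
The class of bug in the description, and the two mitigations discussed in comments 2 and 4, can be shown in a small C program. This is an added example, not part of the original thread and not glibc's code; `struct arg_slot`, `unchecked_table_bytes`, `alloc_arg_table` and `store_arg_type` are hypothetical names. It rejects an `nargs` whose byte count would wrap, leaves the remaining limit to the allocator (available memory rather than a fixed cap), and bounds-checks each positional index.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical per-argument record for positional (%N$) conversions. */
struct arg_slot { int type; int size; long double value; };

/* The unchecked size computation: wraps modulo SIZE_MAX + 1, so a huge
   nargs yields a byte count far smaller than nargs records. */
size_t unchecked_table_bytes(size_t nargs)
{
    return nargs * sizeof(struct arg_slot);
}

/* Checked allocation: reject an nargs whose byte count cannot be
   represented, then let the allocator decide whether memory exists.
   Returns 0 and sets *out on success, -1 otherwise. */
int alloc_arg_table(size_t nargs, struct arg_slot **out)
{
    *out = NULL;
    if (nargs == 0 || nargs > SIZE_MAX / sizeof(struct arg_slot))
        return -1;
    *out = calloc(nargs, sizeof(struct arg_slot));
    return *out ? 0 : -1;
}

/* Bounds-checked store; pos is 1-based, as in "%3$d". */
int store_arg_type(struct arg_slot *table, size_t nargs, size_t pos, int type)
{
    if (table == NULL || pos == 0 || pos > nargs)
        return -1;
    table[pos - 1].type = type;
    return 0;
}

int main(void)
{
    struct arg_slot *t;
    size_t huge = SIZE_MAX / sizeof(struct arg_slot) + 1;
    if (alloc_arg_table(huge, &t) != -1) return 1;  /* must be rejected */
    if (alloc_arg_table(4, &t) != 0) return 1;
    int ok = store_arg_type(t, 4, 4, 1) == 0      /* last valid slot */
          && store_arg_type(t, 4, 5, 1) == -1;    /* one past the end */
    free(t);
    return ok ? 0 : 1;
}
```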