Summary: | strtod integer and buffer overflows (CVE-2012-3480) | ||
---|---|---|---|
Product: | glibc | Reporter: | Joseph Myers <jsm28> |
Component: | libc | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | allan, bugdal, drepper.fsp, fweimer, ppluzhnikov, toolchain |
Priority: | P2 | Flags: | fweimer:
security+
|
Version: | 2.16 | ||
Target Milestone: | --- | ||
Host: | Target: | ||
Build: | Last reconfirmed: |
Description
Joseph Myers
2012-08-12 18:23:06 UTC
In general, test cases for giant-string bugs like this can be written so as not to require a machine with insane amounts of free memory by using mmap cleverly: 1. Make a giant PROT_NONE anonymous mapping of the entire size. 2. Allocate a shared memory object of some reasonable size, e.g. 256k and fill it with the pattern you want (e.g. all '0'). 3. Repeatedly map the object over the original mapping at each offset with MAP_FIXED|MAP_SHARED. 4. Make new anonymous mappings over top of the parts you want to modify (usually the head and tail) using MAP_FIXED and fill them with the necessary data. This kind of design can take a test case that would otherwise bog most systems down swapping for several minutes and make it run in a matter of seconds. Fixed for 2.17 by: commit d6e70f4368533224e66d10b7f2126b899a3fd5e4 Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Aug 27 15:59:24 2012 +0000 Fix strtod integer/buffer overflow (bug 14459). Testing a 2.16 backport. Fixed on 2.16 branch by: commit da1f431963218999c49cae928309dfec426c575c Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Aug 27 15:59:24 2012 +0000 Fix strtod integer/buffer overflow (bug 14459). (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4) Fixed on 2.15 branch by: commit 8a780f7f68a1cd4c575bb17973a9e18826b05ef9 Author: Joseph Myers <joseph@codesourcery.com> Date: Mon Aug 27 15:59:24 2012 +0000 Fix strtod integer/buffer overflow (bug 14459). (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4) |