Bug 14459 (CVE-2012-3480)

Summary: strtod integer and buffer overflows (CVE-2012-3480)
Product: glibc
Reporter: Joseph Myers <jsm28>
Component: libc
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: allan, bugdal, drepper.fsp, fweimer, ppluzhnikov, toolchain
Priority: P2
Flags: fweimer: security+
Version: 2.16
Target Milestone: ---

Description Joseph Myers 2012-08-12 18:23:06 UTC
strtod and related functions have integer overflow bugs resulting from the use of "int" for internal variables and calculations where the actual values involved may exceed the range of int.  These integer overflows can in turn result in buffer overflow on the stack.  The following testcase illustrates such a buffer overflow.  Testing a patch.  (I found this issue while working on the fix for bug 3479.)

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exponent one past the negative limit of a 32-bit int.  */
#define EXPONENT "e-2147483649"
/* Number of '0' digits following the leading '1'.  */
#define SIZE 214748364

int
main (void)
{
  /* Room for '1', SIZE zeros, the exponent and its terminating NUL.  */
  char *p = malloc (1 + SIZE + sizeof (EXPONENT));
  if (p == NULL)
    {
      perror ("malloc");
      exit (EXIT_FAILURE);
    }
  p[0] = '1';
  memset (p + 1, '0', SIZE);
  memcpy (p + 1 + SIZE, EXPONENT, sizeof (EXPONENT));
  double d = strtod (p, NULL);
  printf ("%a\n", d);
  exit (EXIT_SUCCESS);
}
Comment 1 Rich Felker 2012-08-13 19:11:52 UTC
In general, test cases for giant-string bugs like this can be written so as not to require a machine with insane amounts of free memory by using mmap cleverly:

1. Make a giant PROT_NONE anonymous mapping of the entire size.
2. Allocate a shared memory object of some reasonable size, e.g. 256k and fill it with the pattern you want (e.g. all '0').
3. Repeatedly map the object over the original mapping at each offset with MAP_FIXED|MAP_SHARED.
4. Make new anonymous mappings over top of the parts you want to modify (usually the head and tail) using MAP_FIXED and fill them with the necessary data.

This kind of design can take a test case that would otherwise bog most systems down swapping for several minutes and make it run in a matter of seconds.
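The four-step mmap layout described in the comment above, written out as an added example (this is not code from the bug report, from Rich Felker, or from glibc). It builds the same "1" + zeros + "e-2147483649" input as the original testcase, but the 214 MB body is backed by a single 256 KiB shared object tiled over a PROT_NONE reservation, so only a few hundred KiB of real memory is committed. Assumptions: the shared object is an unlinked temporary file under /tmp rather than a POSIX shm object (same MAP_SHARED semantics, no extra link flags); the function names build_giant_number, giant_number_ok and parse_giant_number are invented for this example; and the zero count must be at least one page minus one so the '1' and the first zeros fit in a private head page.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Real memory used for the all-'0' body: one 256 KiB shared object
   (the size suggested in the comment), mapped repeatedly.  */
#define PATTERN_LEN (256 * 1024)

/* Build "1", then `zeros` '0' bytes, then `exponent`, then NUL, at a
   page-aligned address.  Requires zeros >= pagesize - 1.  Stores the
   mapping length in *total; free with munmap (base, *total).  */
static char *
build_giant_number (size_t zeros, const char *exponent, size_t *total)
{
  size_t page = (size_t) sysconf (_SC_PAGESIZE);
  size_t pattern = PATTERN_LEN < page ? page : PATTERN_LEN;
  int fd = -1;
  if (zeros < page - 1)
    return NULL;

  size_t body_zeros = zeros - (page - 1);             /* zeros after the head page */
  size_t body_bytes = body_zeros - body_zeros % page; /* whole pages of '0' */
  size_t tail_zeros = body_zeros - body_bytes;        /* leftover zeros before the exponent */
  size_t tail_bytes = tail_zeros + strlen (exponent) + 1;
  size_t tail_map = (tail_bytes + page - 1) / page * page;
  *total = page + body_bytes + tail_map;

  /* Step 1: one PROT_NONE reservation for the whole string; nothing committed.  */
  char *base = mmap (NULL, *total, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
  if (base == MAP_FAILED)
    return NULL;

  /* Step 2: a small shared object filled with '0'.  An unlinked temp file
     stands in for shm_open/memfd here (assumption of this example).  */
  char tmpl[] = "/tmp/giant-strtod-XXXXXX";
  fd = mkstemp (tmpl);
  if (fd < 0 || unlink (tmpl) < 0 || ftruncate (fd, (off_t) pattern) < 0)
    goto fail;
  char *pat = mmap (NULL, pattern, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
  if (pat == MAP_FAILED)
    goto fail;
  memset (pat, '0', pattern);
  munmap (pat, pattern);

  /* Step 3: tile the object over the body with MAP_FIXED|MAP_SHARED; every
     tile shares the same 256 KiB of page cache.  */
  for (size_t off = 0; off < body_bytes; off += pattern)
    {
      size_t chunk = body_bytes - off < pattern ? body_bytes - off : pattern;
      if (mmap (base + page + off, chunk, PROT_READ,
                MAP_SHARED | MAP_FIXED, fd, 0) == MAP_FAILED)
        goto fail;
    }
  close (fd);
  fd = -1;

  /* Step 4: private anonymous head and tail pages carry the bytes that differ.  */
  char *head = mmap (base, page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
  char *tail = mmap (base + page + body_bytes, tail_map, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
  if (head == MAP_FAILED || tail == MAP_FAILED)
    goto fail;
  head[0] = '1';
  memset (head + 1, '0', page - 1);
  memset (tail, '0', tail_zeros);
  memcpy (tail + tail_zeros, exponent, strlen (exponent) + 1);
  return base;

fail:
  if (fd >= 0)
    close (fd);
  munmap (base, *total);
  return NULL;
}

/* Confirm the assembled string is exactly "1" + zeros * '0' + exponent.  */
static int
giant_number_ok (const char *p, size_t zeros, const char *exponent)
{
  if (p[0] != '1')
    return 0;
  for (size_t i = 1; i <= zeros; i++)
    if (p[i] != '0')
      return 0;
  return strcmp (p + 1 + zeros, exponent) == 0;
}

/* Build the string, feed it to strtod, tear it down.  Returns -1.0 if the
   string could not be built or did not verify.  */
static double
parse_giant_number (size_t zeros, const char *exponent)
{
  size_t total;
  char *p = build_giant_number (zeros, exponent, &total);
  if (p == NULL)
    return -1.0;
  double d = giant_number_ok (p, zeros, exponent) ? strtod (p, NULL) : -1.0;
  munmap (p, total);
  return d;
}

int
main (void)
{
  /* The exact input from the report: '1', 214748364 zeros, "e-2147483649".  */
  double d = parse_giant_number (214748364, "e-2147483649");
  printf ("%a\n", d);
  return d == -1.0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Against an unfixed glibc the call in main still reaches the overflowing strtod path; against a fixed one it underflows to zero. Either way the process never touches more than the head page, the tail page and the 256 KiB pattern, which is what makes the testcase usable on a small machine.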
Comment 2 Joseph Myers 2012-08-27 16:12:05 UTC
Fixed for 2.17 by:

commit d6e70f4368533224e66d10b7f2126b899a3fd5e4
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Aug 27 15:59:24 2012 +0000

    Fix strtod integer/buffer overflow (bug 14459).

Testing a 2.16 backport.
Comment 3 Joseph Myers 2012-08-27 23:03:15 UTC
Fixed on 2.16 branch by:

commit da1f431963218999c49cae928309dfec426c575c
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Aug 27 15:59:24 2012 +0000

    Fix strtod integer/buffer overflow (bug 14459).
    (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)

Fixed on 2.15 branch by:

commit 8a780f7f68a1cd4c575bb17973a9e18826b05ef9
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Mon Aug 27 15:59:24 2012 +0000

    Fix strtod integer/buffer overflow (bug 14459).
    (cherry picked from commit d6e70f4368533224e66d10b7f2126b899a3fd5e4)