Summary: | printf should handle non-normal x86 long double numbers gracefully (CVE-2020-29573) | ||
---|---|---|---|
Product: | glibc | Reporter: | Florian Weimer <fweimer> |
Component: | stdio | Assignee: | Florian Weimer <fweimer> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bruno, carnil, fweimer, siddhesh |
Priority: | P2 | Flags: | siddhesh: security+ |
Version: | unspecified | ||
Target Milestone: | 2.33 | ||
See Also: | https://sourceware.org/bugzilla/show_bug.cgi?id=4586 https://bugzilla.redhat.com/show_bug.cgi?id=1869380 | ||
Host: | Target: | ||
Build: | Last reconfirmed: |
Description
Florian Weimer
2020-09-22 14:24:34 UTC
Fixed for glibc 2.33 via:

commit 681900d29683722b1cb0a8e565a0585846ec5a61
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Sep 22 19:07:48 2020 +0200

    x86: Harden printf against non-normal long double values (bug 26649)

    The behavior of isnan/__builtin_isnan on bit patterns that do not
    correspond to something that the CPU would produce from valid inputs
    is currently under-defined in the toolchain. (The GCC built-in and
    glibc disagree.)

    The isnan check in PRINTF_FP_FETCH in stdio-common/printf_fp.c
    assumes the GCC behavior that returns true for non-normal numbers
    which are not specified as NaN. (The glibc implementation returns
    false for such numbers.)

    At present, passing non-normal numbers to __mpn_extract_long_double
    causes this function to produce irregularly shaped multi-precision
    integers, triggering undefined behavior in __printf_fp_l.

    With GCC 10 and glibc 2.32, this behavior is not visible because
    __builtin_isnan is used, which avoids calling
    __mpn_extract_long_double in this case. This commit updates the
    implementation of __mpn_extract_long_double so that regularly shaped
    multi-precision integers are produced in this case, avoiding
    undefined behavior in __printf_fp_l.
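An added example, not part of the bug report or the glibc commit: a classifier for raw x87 80-bit extended encodings that separates the encodings the FPU itself generates from the non-normal bit patterns the commit message refers to, usable to validate long double data read from untrusted bytes before it is formatted. All function, enum and sample names are hypothetical, and the sample byte strings are constructed.

```c
#include <stdint.h>

/* Classes of the x87 80-bit extended format; names are hypothetical. */
enum x87_class {
    X87_ZERO, X87_DENORMAL, X87_NORMAL, X87_INFINITY, X87_NAN,
    X87_PSEUDO_DENORMAL,  /* exponent 0, integer bit set */
    X87_UNNORMAL,         /* 0 < exponent < 0x7fff, integer bit clear */
    X87_PSEUDO_INFINITY,  /* exponent 0x7fff, integer bit clear, fraction 0 */
    X87_PSEUDO_NAN        /* exponent 0x7fff, integer bit clear, fraction != 0 */
};

/* se: sign bit plus 15-bit exponent; mant: 64-bit significand whose top
   bit is the explicit integer bit. */
enum x87_class x87_classify(uint16_t se, uint64_t mant)
{
    unsigned exp = se & 0x7fffu;
    int integer_bit = (int)(mant >> 63);
    uint64_t frac = mant & UINT64_C(0x7fffffffffffffff);

    if (exp == 0) {
        if (mant == 0) return X87_ZERO;
        return integer_bit ? X87_PSEUDO_DENORMAL : X87_DENORMAL;
    }
    if (exp == 0x7fffu) {
        if (integer_bit) return frac ? X87_NAN : X87_INFINITY;
        return frac ? X87_PSEUDO_NAN : X87_PSEUDO_INFINITY;
    }
    return integer_bit ? X87_NORMAL : X87_UNNORMAL;
}

/* Classify the 10 value bytes in x86 little-endian storage order. */
enum x87_class x87_classify_bytes(const unsigned char raw[10])
{
    uint64_t mant = 0;
    for (int i = 7; i >= 0; i--) mant = (mant << 8) | raw[i];
    uint16_t se = (uint16_t)(raw[8] | (raw[9] << 8));
    return x87_classify(se, mant);
}

/* 1 for encodings the FPU generates, 0 for the four non-normal classes. */
int x87_is_canonical(const unsigned char raw[10])
{
    return x87_classify_bytes(raw) <= X87_NAN;
}

/* Constructed sample encodings (little-endian), not taken from the bug report. */
static const unsigned char SAMPLE_ONE[10] = {0,0,0,0,0,0,0,0x80,0xff,0x3f};
static const unsigned char SAMPLE_UNNORMAL[10] = {0,0,0,0,0,0,0,0x40,0xff,0x3f};
static const unsigned char SAMPLE_PSEUDO_NAN[10] = {1,0,0,0,0,0,0,0,0xff,0x7f};
```

Working on the raw bytes rather than on a `long double` value keeps the check independent of which `isnan` implementation the toolchain selects.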