Bug 25423 (CVE-2020-1751) - Array overflow in backtrace on powerpc (CVE-2020-1751)
Summary: Array overflow in backtrace on powerpc (CVE-2020-1751)
Status: RESOLVED FIXED
Alias: CVE-2020-1751
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.19
Importance: P2 normal
Target Milestone: 2.31
Assignee: Adhemerval Zanella
URL:
Keywords:
Depends on:
Blocks: 15867
Reported: 2020-01-20 15:25 UTC by Andreas Schwab
Modified: 2020-03-24 22:20 UTC

See Also:
Host: powerpc*-*-*
Target:
Build:
Last reconfirmed:
carlos: security+

Description Andreas Schwab 2020-01-20 15:25:36 UTC
Commit d400dcac5e introduced an array overflow in the backtrace functions for powerpc.  The entry for the signal trampoline stack frame is stored without checking the array bounds.
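An added illustration, not glibc's sysdeps code and not part of this bug report: a constructed model of the unwind loop the description refers to, where the `is_sigtramp` flag and `interrupted_pc` field stand in for the real trampoline detection and saved register. A canary slot just past the array shows that a signal frame landing in the last slot no longer writes a second entry one past the end.

```c
#include <stddef.h>
/* Constructed model of a PowerPC back-chain walk: each frame records its
   saved return address, and a signal frame additionally exposes the PC the
   signal interrupted.  Illustration only, not glibc's sysdeps code.  */
struct frame {
    struct frame *next;
    void *return_address;
    int is_sigtramp;      /* constructed stand-in for the trampoline check */
    void *interrupted_pc; /* constructed stand-in for the saved NIP */
};

/* Store at most SIZE entries into ARRAY.  A signal frame contributes two
   entries (trampoline return address, then interrupted PC), so the second
   store needs its own bounds check; that check is what the fix added.  */
int backtrace_model(const struct frame *current, void **array, int size)
{
    int count = 0;
    while (current != NULL && count < size) {
        array[count++] = current->return_address;
        if (current->is_sigtramp) {
            /* Without this check a signal frame in the last slot writes
               the interrupted PC to ARRAY[SIZE], one past the end.  */
            if (count == size)
                break;
            array[count++] = current->interrupted_pc;
        }
        current = current->next;
    }
    return count;   /* entries written */
}

/* Walk a constructed three-frame chain (middle frame is a signal frame)
   into a buffer whose slot SIZE holds a canary.  Returns the entry count,
   -1 if the canary was overwritten, -2 if the entries are out of order.  */
int run_model(int size)
{
    static int code[4];                       /* dummy address targets */
    struct frame f2 = { NULL, &code[3], 0, NULL };
    struct frame f1 = { &f2, &code[1], 1, &code[2] };
    struct frame f0 = { &f1, &code[0], 0, NULL };
    void *expected[4] = { &code[0], &code[1], &code[2], &code[3] };
    void *array[8], *canary = (void *) &canary;
    if (size < 1 || size > 7) return -1;
    array[size] = canary;
    int n = backtrace_model(&f0, array, size);
    if (array[size] != canary) return -1;
    for (int i = 0; i < n; i++)
        if (array[i] != expected[i]) return -2;
    return n;
}
```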
Comment 1 Adhemerval Zanella 2020-01-20 16:43:41 UTC
I will check this out.
Comment 2 Sourceware Commits 2020-01-21 14:29:40 UTC
The master branch has been updated by Andreas Schwab <schwab@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494

commit d93769405996dfc11d216ddbe415946617b5a494
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)
    
    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
Comment 3 Andreas Schwab 2020-01-21 14:40:57 UTC
Fixed in 2.31.
Comment 4 Carlos O'Donell 2020-03-04 20:10:35 UTC
It is a security issue that the function call would write beyond the bounds of the input array given the size. Marked security+
Comment 5 Sourceware Commits 2020-03-18 16:07:28 UTC
The release/2.30/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fb266e65ccf6fd674e05352ceb5f12d60889b92d

commit fb266e65ccf6fd674e05352ceb5f12d60889b92d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)
    
    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
    
    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
Comment 6 Sourceware Commits 2020-03-18 20:46:29 UTC
The release/2.29/master branch has been updated by Patricia Franklin <patsy@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a318448f7aca169f7795d9d300c525d96f914af0

commit a318448f7aca169f7795d9d300c525d96f914af0
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)
    
    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
    
    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
Comment 7 Sourceware Commits 2020-03-20 21:02:22 UTC
The release/2.28/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0478174d1e2c2a894a35b1cdffc573dca310b438

commit 0478174d1e2c2a894a35b1cdffc573dca310b438
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)
    
    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
    
    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
Comment 8 Sourceware Commits 2020-03-20 21:23:09 UTC
The release/2.26/master branch has been updated by Tulio Magno Quites Machado Filho <tuliom@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37db4539dd8b5c098d9235249c5d2aedaa67d7d1

commit 37db4539dd8b5c098d9235249c5d2aedaa67d7d1
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)
    
    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").
    
    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)
Comment 9 Sourceware Commits 2020-03-24 21:52:47 UTC
The master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=07d16a6debc830ebcf9533da5396edd2eff688e0

commit 07d16a6debc830ebcf9533da5396edd2eff688e0
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)
    
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Comment 10 Sourceware Commits 2020-03-24 22:13:45 UTC
The release/2.31/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d39fb022c26cf6ad832f6ad0e94ff5b5e4b511cf

commit d39fb022c26cf6ad832f6ad0e94ff5b5e4b511cf
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)
    
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    
    (cherry picked from commit 07d16a6debc830ebcf9533da5396edd2eff688e0)
Comment 11 Sourceware Commits 2020-03-24 22:20:28 UTC
The release/2.30/master branch has been updated by Aurelien Jarno <aurel32@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6b19792c9c86bb73e5032af7c2ff03272bdac442

commit 6b19792c9c86bb73e5032af7c2ff03272bdac442
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)
    
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    
    (cherry picked from commit 07d16a6debc830ebcf9533da5396edd2eff688e0)