This is the mail archive of the newlib@sourceware.org mailing list for the newlib project.



[PATCH/ob] Fix security vulnerability CVE-2009-0689


Hi,

CVE-2009-0689 describes a security vulnerability which affects the gdtoa
implementation in various BSD derivatives.  After comparing the CVE
content and the NetBSD fix for this problem with the newlib code, it
turned out that newlib is affected by this vulnerability as well.
Testcase:

  char *s;
  asprintf (&s, "%0.262159f", (double) 1.5);	/* asprintf takes a char ** */

This will result in a buffer overrun of the _REENT->_freelist array.
The _freelist array will be allocated with a size based on the value of
_Kmax, which is defined as the fixed value 15.  However, given a
sufficiently big precision value, the incoming value k, which is used as
index into this array, can become bigger than that.  The above example
will result in k being 16, for instance.

I applied the below patch as obvious.


Corinna


	Use NetBSD fix for CVE-2009-0689 security vulnerability.
	* libc/include/sys/reent.h (_Kmax): Define here based on the sizeof
	size_t, as in latest NetBSD.
	* libc/reent/reent.c (_reclaim_reent): Use _Kmax rather than constant
	value 15.
	* libc/stdlib/mprec.c (_Kmax): Don't define here.  Explain why.


Index: libc/include/sys/reent.h
===================================================================
RCS file: /cvs/src/src/newlib/libc/include/sys/reent.h,v
retrieving revision 1.46
diff -u -p -r1.46 reent.h
--- libc/include/sys/reent.h	24 Mar 2009 10:13:27 -0000	1.46
+++ libc/include/sys/reent.h	23 Nov 2009 17:00:17 -0000
@@ -800,6 +800,11 @@ struct _reent
 
 #endif /* !_REENT_SMALL */
 
+/* This value is used in stdlib/misc.c.  reent/reent.c has to know it
+   as well to make sure the freelist is correctly free'd.  Therefore
+   we define it here, rather than in stdlib/misc.c, as before. */
+#define _Kmax (sizeof (size_t) << 3)
+
 /*
  * All references to struct _reent are via this pointer.
  * Internally, newlib routines that need to reference it should use _REENT.
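Review bot: the new comment in reent.h points at stdlib/misc.c twice, but the ChangeLog entry and the third hunk of this same patch show the consumer of _Kmax is libc/stdlib/mprec.c; correct both mentions so the cross-reference leads to the right file before this goes in.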
Index: libc/reent/reent.c
===================================================================
RCS file: /cvs/src/src/newlib/libc/reent/reent.c,v
retrieving revision 1.10
diff -u -p -r1.10 reent.c
--- libc/reent/reent.c	6 Mar 2009 17:11:20 -0000	1.10
+++ libc/reent/reent.c	23 Nov 2009 17:00:17 -0000
@@ -55,7 +55,7 @@ _DEFUN (_reclaim_reent, (ptr),
       if (_REENT_MP_FREELIST(ptr))
 	{
 	  int i;
-	  for (i = 0; i < 15 /* _Kmax */; i++) 
+	  for (i = 0; i < _Kmax; i++) 
 	    {
 	      struct _Bigint *thisone, *nextone;
 	
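Review bot: the new bound `i < _Kmax` needs to be checked against the number of freelist heads mprec.c actually allocates; the cover mail only says the array is sized "based on" _Kmax, and if the allocation is _Kmax + 1 entries this loop never walks the last list (a leak on reclaim), while if it is exactly _Kmax the bound is right. Separately, the replacement line keeps the trailing whitespace of the old one (`for (i = 0; i < _Kmax; i++) `); drop it while touching the line.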
Index: libc/stdlib/mprec.c
===================================================================
RCS file: /cvs/src/src/newlib/libc/stdlib/mprec.c,v
retrieving revision 1.5
diff -u -p -r1.5 mprec.c
--- libc/stdlib/mprec.c	22 Jun 2006 17:59:52 -0000	1.5
+++ libc/stdlib/mprec.c	23 Nov 2009 17:00:17 -0000
@@ -86,8 +86,12 @@
 #include <reent.h>
 #include "mprec.h"
 
-/* reent.c knows this value */
+/* This is defined in sys/reent.h as (sizeof (size_t) << 3) now, as in NetBSD.
+   The old value of 15 was wrong and made newlib vulnerable against buffer
+   overrun attacks (CVE-2009-0689), same as other implementations of gdtoa
+   based on BSD code.
 #define _Kmax 15
+*/
 
 _Bigint *
 _DEFUN (Balloc, (ptr, k), struct _reent *ptr _AND int k)
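Review bot: the old `#define _Kmax 15` is left inside the new comment rather than deleted, so anyone grepping mprec.c for _Kmax definitions still finds a live-looking define and has to read the surrounding lines to see it is commented out; delete the define line and close the comment on the line before it. Minor wording: "vulnerable against" should read "vulnerable to".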


-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
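A toy model of the freelist the mail describes, added here as an example (it is not newlib's or NetBSD's code, and the names balloc, bfree, reclaim and scenario are invented for it): the table is indexed by k and holds kmax + 1 heads, the reclaim walk takes its bound from the same kmax that sized the table, and a k past the table is refused rather than used as an index, which is the check the unpatched code did not have.

```c
#include <stdint.h>
#include <stdlib.h>
#define KMAX_OLD 15                       /* newlib's cap before the patch */
#define KMAX_NEW (sizeof (size_t) << 3)   /* NetBSD's cap, adopted by the patch */
struct bigint { struct bigint *next; int k; uint32_t words[]; };  /* 1 << k words */
struct freelist { size_t kmax; struct bigint **heads; };          /* kmax + 1 heads */

static int freelist_init(struct freelist *fl, size_t kmax) {
    fl->kmax = kmax;
    fl->heads = calloc(kmax + 1, sizeof *fl->heads);
    return fl->heads != NULL;
}

/* Checked Balloc: a k that would index past heads[] is refused, which is
   the check the unpatched code lacked (it used k as the index blindly). */
static struct bigint *balloc(struct freelist *fl, int k) {
    if (k < 0 || (size_t)k > fl->kmax)
        return NULL;
    struct bigint *b = fl->heads[k];
    if (b) { fl->heads[k] = b->next; return b; }      /* reuse a cached block */
    if ((unsigned)k >= sizeof(size_t) * 8 - 3)
        return NULL;                                  /* (1 << k) * 4 would overflow */
    b = malloc(sizeof *b + ((size_t)1 << k) * sizeof(uint32_t));
    if (b) { b->next = NULL; b->k = k; }
    return b;
}
static void bfree(struct freelist *fl, struct bigint *b) {
    b->next = fl->heads[b->k];     /* push onto the list for its size class */
    fl->heads[b->k] = b;
}
/* Counterpart of _reclaim_reent: the walk must cover every head the table
   holds, so its bound comes from the same kmax that sized the table. */
static size_t reclaim(struct freelist *fl) {
    size_t freed = 0;
    for (size_t i = 0; i <= fl->kmax; i++)
        for (struct bigint *b = fl->heads[i], *n; b; b = n) { n = b->next; free(b); freed++; }
    free(fl->heads); fl->heads = NULL;
    return freed;
}

/* The mail's scenario under a given cap: allocate k, free it, reclaim.
   Returns 1 only if k was accepted and reclaim freed exactly that block. */
static int scenario(size_t kmax, int k) {
    struct freelist fl;
    if (!freelist_init(&fl, kmax)) return 0;
    struct bigint *b = balloc(&fl, k);
    if (b) bfree(&fl, b);
    return b != NULL && reclaim(&fl) == 1;
}
```

Under the old cap the k of 16 from the mail's testcase is refused by the model's check, while under the NetBSD cap it is a valid index; the real code only gained the larger cap, not the check.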

