Bug 1810670 (CVE-2020-10029)

Summary: CVE-2020-10029 glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aoliva, apmukher, arjun.is, ashankar, awestbro, bdettelb, cmoore, codonell, dj, fcanogab, fweimer, glibc-bugzilla, gmccullo, huzaifas, kaycoth, law, lmorse, mbenatto, mfabian, mmezynsk, mmilgram, mnewsome, pfrankli, rth, sdunning, siddhesh, tcrider
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glibc in versions prior to 2.32. Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 02:24:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1810671, 1811796, 1812119, 1890405, 1890406, 1890407, 1890408, 1890409, 1890410, 1890871, 1980890, 1980891
Bug Blocks: 1810673

Description Guilherme de Almeida Suckevicz 2020-03-05 17:29:22 UTC
The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=25487

Upstream commit:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f

Comment 1 Guilherme de Almeida Suckevicz 2020-03-05 17:29:43 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1810671]

Comment 5 Marco Benatto 2020-03-10 18:58:35 UTC
There's an issue in the __ieee754_rem_pio2l() function, where it doesn't correctly validate pseudo-zero values before calling __kernel_rem_pio2(), which doesn't expect such values. __ieee754_rem_pio2l() is used by the sinl() function, and an attacker may take advantage by crafting a malicious input which may trigger stack corruption, compromising data integrity or confidentiality, DoS or code execution in some scenarios.
The glibc version shipped with Red Hat Enterprise Linux 8 is compiled using the stack-protector feature which mitigates code execution possibility.
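Comment 5 locates the problem in __ieee754_rem_pio2l() handing non-canonical 80-bit patterns to __kernel_rem_pio2(). The following C program is an added example, not code from glibc, from the upstream fix, or from this bug's comments: it classifies an x87 80-bit extended-precision bit pattern by its sign/exponent word and 64-bit significand according to the x87 encoding rules (explicit integer bit at bit 63) and flags the encodings the FPU documents as unsupported (pseudo-zero, unnormal, pseudo-infinity and pseudo-NaN). The sample patterns, including the 0x5d414141414141410000 value quoted in the description, are embedded as constructed inputs; that value has a nonzero exponent with the integer bit clear and nonzero fraction bits, so the classifier reports it as an unnormal. All function and enum names are this example's own. A check like this lets a program that deserializes raw long double bit patterns from untrusted data reject them before calling sinl() and friends on a library that predates the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classes of an x87 80-bit extended-precision encoding. Only the first two
   are encodings the FPU treats as ordinary operands. */
enum ldbl96_class {
    LDBL96_CANONICAL,         /* zero, denormal, normal, infinity or NaN */
    LDBL96_PSEUDO_DENORMAL,   /* exponent 0 but integer bit set; accepted by the FPU */
    LDBL96_PSEUDO_ZERO,       /* exponent 1..0x7ffe, integer bit clear, fraction 0 */
    LDBL96_UNNORMAL,          /* exponent 1..0x7ffe, integer bit clear, fraction nonzero */
    LDBL96_PSEUDO_INF_OR_NAN  /* exponent 0x7fff, integer bit clear */
};

/* se: sign in bit 15 and 15-bit biased exponent; mant: full 64-bit significand
   with the explicit integer bit at bit 63 and the fraction in bits 0..62. */
enum ldbl96_class ldbl96_classify(uint16_t se, uint64_t mant)
{
    unsigned exponent = se & 0x7fffu;
    int integer_bit = (int)(mant >> 63);
    uint64_t fraction = mant & 0x7fffffffffffffffULL;

    if (exponent == 0)
        return integer_bit ? LDBL96_PSEUDO_DENORMAL : LDBL96_CANONICAL;
    if (integer_bit)
        return LDBL96_CANONICAL;            /* normal, infinity or NaN */
    if (exponent == 0x7fff)
        return LDBL96_PSEUDO_INF_OR_NAN;
    return fraction == 0 ? LDBL96_PSEUDO_ZERO : LDBL96_UNNORMAL;
}

/* Classify a 10-byte pattern written most-significant byte first, which is
   how 0x5d414141414141410000 reads in the bug description. */
enum ldbl96_class ldbl96_classify_be(const uint8_t bytes[10])
{
    uint16_t se = (uint16_t)((bytes[0] << 8) | bytes[1]);
    uint64_t mant = 0;
    for (int i = 2; i < 10; i++)
        mant = (mant << 8) | bytes[i];
    return ldbl96_classify(se, mant);
}

/* 1 if the pattern is an encoding the FPU supports, 0 if a caller should reject it. */
int ldbl96_is_supported_be(const uint8_t bytes[10])
{
    enum ldbl96_class c = ldbl96_classify_be(bytes);
    return c == LDBL96_CANONICAL || c == LDBL96_PSEUDO_DENORMAL;
}

/* Classify a live long double. On x86 the value is stored little-endian:
   significand in bytes 0..7, sign/exponent in bytes 8..9. */
enum ldbl96_class ldbl96_classify_value(long double x)
{
#if defined(__x86_64__) || defined(__i386__)
    uint8_t raw[sizeof(long double)];
    uint8_t be[10];
    memcpy(raw, &x, sizeof raw);
    for (int i = 0; i < 10; i++)
        be[i] = raw[9 - i];
    return ldbl96_classify_be(be);
#else
    (void)x;                                /* no 80-bit format on this target */
    return LDBL96_CANONICAL;
#endif
}

static const char *ldbl96_class_name(enum ldbl96_class c)
{
    static const char *const names[] = {
        "canonical", "pseudo-denormal", "pseudo-zero", "unnormal", "pseudo-inf/NaN"
    };
    return names[c];
}

/* Constructed sample: the crafted pattern quoted in the bug description. */
const uint8_t CRAFTED_INPUT[10] = {0x5d,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00};

int main(void)
{
    /* Constructed sample inputs, most-significant byte first. */
    static const uint8_t samples[][10] = {
        {0x5d,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00}, /* crafted input from the report */
        {0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, /* pseudo-zero */
        {0x3f,0xff,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, /* 1.0L */
        {0x00,0x00,0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, /* pseudo-denormal */
        {0x7f,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}, /* pseudo-infinity */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("sample %zu: %-15s %s\n", i, ldbl96_class_name(ldbl96_classify_be(samples[i])),
               ldbl96_is_supported_be(samples[i]) ? "accept" : "reject");
    }
    printf("1.0L from memory: %s\n", ldbl96_class_name(ldbl96_classify_value(1.0L)));
    return 0;
}
```

The accept/reject decision is deliberately conservative: pseudo-denormals are kept because the FPU handles them as ordinary denormals, while every encoding with a nonzero exponent and a clear integer bit is refused, which is the family the report's crafted value belongs to.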

Comment 8 Laurie Morse 2020-06-28 17:59:42 UTC
We have outstanding issues CVE-2020-10029 and CVE-2020-1752, but there is no new errata for these. Do you all have an ETA for the glibc fix for RHEL 8?

Comment 12 Huzaifa S. Sidhpurwala 2020-08-12 04:48:14 UTC
A note on analysis:

After running the code through gdb on rhel-7, I doubt the exploitability of this flaw. Just before it crashes in __ieee754_rem_pio2l(), I can see that the EIP is replaced with 0x0000000000000000

220	  n = __kernel_rem_pio2 (tx, ty, exp, 3, 2, two_over_pi);
(gdb) 
218	  tx[2] = (double) ((i1 << 8) & 0xffffff);
(gdb) 
220	  n = __kernel_rem_pio2 (tx, ty, exp, 3, 2, two_over_pi);
(gdb) 

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) 

So because of the pseudo zero values used, I think all the attacker can do is overwrite the stack with 0's, which means that a reachable jump address for code execution is difficult to get and may result in only a crash.

Comment 22 Eric Christensen 2020-09-03 12:51:00 UTC
Statement:

The glibc version shipped with Red Hat Enterprise Linux 8 is compiled using gcc's stack-protector option which mitigates the possibility of code execution led by the stack corruption.

The glibc version shipped with Red Hat Enterprise Linux 7 is more difficult to exploit using this flaw, specifically for remote code execution. Because exploitation of the flaw depends on the usage of pseudo-zero values, an attacker can only overwrite the stack with 0s. Due to this, a valid address value for code execution is difficult to get and is likely to only result in a crash.

Comment 27 errata-xmlrpc 2020-11-04 01:00:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4444 https://access.redhat.com/errata/RHSA-2020:4444

Comment 28 Product Security DevOps Team 2020-11-04 02:24:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10029

Comment 29 errata-xmlrpc 2021-02-02 12:07:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0348 https://access.redhat.com/errata/RHSA-2021:0348

Comment 31 errata-xmlrpc 2021-08-03 13:47:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2998 https://access.redhat.com/errata/RHSA-2021:2998

Comment 32 errata-xmlrpc 2021-08-31 08:23:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:3315 https://access.redhat.com/errata/RHSA-2021:3315