Bug 1293638 - mono: Converting specially crafted string to float causes crash and possible code execution
mono: Converting specially crafted string to float causes crash and possible ...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20151219,repo...
: Security
Depends On: 1293639 1293640
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-22 09:16 EST by Adam Mariš
Modified: 2015-12-22 09:16 EST (History)
6 users (show)

See Also:
Fixed In Version: mono 4.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-12-22 09:16:09 EST
It was found that float-parsing code used in Mono before 4.2 is derived from code vulnerable to CVE-2009-0689. The issue concerns the `freelist` array, which is a global array of 16 pointers to `Bigint`. This array is part of a memory allocation and reuse system which attempts to reduce the number of `malloc` and `free` calls. The system allocates blocks in power-of-two sizes, from 2^0 through 2^15, and stores freed blocks of each size in a linked list rooted at the corresponding cell of `freelist`. The `Balloc` and `Bfree` functions which operate this system fail to check if the size parameter `k` is within the allocated 0..15 range. As a result, a sufficiently large allocation will have k=16 and treat the word immediately after `freelist` as a pointer to a previously-allocated chunk. The specific results may vary significantly based on the version, platform, and compiler, since they depend on the layout of variables in memory. An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution.

Patch:

https://gist.github.com/directhex/01e853567fd2cc74ed39

CVE request (contains reproducer):

http://www.openwall.com/lists/oss-security/2015/12/19/3
Comment 1 Adam Mariš 2015-12-22 09:16:53 EST
Created mono tracking bugs for this issue:

Affects: fedora-all [bug 1293639]
Affects: epel-all [bug 1293640]

Note You need to log in before you can comment on or make changes to this bug.