Bug 1810670 (CVE-2020-10029) - CVE-2020-10029 glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions
Summary: CVE-2020-10029 glibc: stack corruption from crafted input in cosl, sinl, sinc...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10029
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1890408 1890871 1980890 1980891 1810671 1811796 1812119 1890405 1890406 1890407 1890409 1890410
Blocks: 1810673
TreeView+ depends on / blocked
 
Reported: 2020-03-05 17:29 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-07-09 18:07 UTC (History)
27 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in glibc in versions prior to 2.32. Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-11-04 02:24:36 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4444 0 None None None 2020-11-04 01:00:34 UTC
Red Hat Product Errata RHSA-2021:0348 0 None None None 2021-02-02 12:07:12 UTC

Description Guilherme de Almeida Suckevicz 2020-03-05 17:29:22 UTC
The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=25487

Upstream commit:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f

Comment 1 Guilherme de Almeida Suckevicz 2020-03-05 17:29:43 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1810671]

Comment 5 Marco Benatto 2020-03-10 18:58:35 UTC
There's an issue in __ieee754_rem_pio2l() function, where it doesn't validate correctly pseudo-zero values before call __kernel_rem_pio2() which doesn't expect such values. The __ieee754_rem_pio2l() is used by sinl() function and an attacker may take advantage by crafting an malicious input which may trigger stack corruption, compromising data integrity or confidentiality, DoS or code execution in some scenarios.
The glibc version shipped with Red Hat Enterprise Linux 8 is compiled using the stack-protector feature which mitigates code execution possibility.

Comment 8 Laurie Morse 2020-06-28 17:59:42 UTC
We outstanding issues CVE-2020-10029 and CVE-2020-1752, but there is no new errata for these. Do you all have an ETA for the glibc fix for RHEL 8?

Comment 12 Huzaifa S. Sidhpurwala 2020-08-12 04:48:14 UTC
A note on analysis:

After running the code through gdb on rhel-7, i doubt the exploitibilty of this flaw. Just before it crashes in __ieee754_rem_pio2l(), i can see that the EIP is replaced with 0x0000000000000000

220	  n = __kernel_rem_pio2 (tx, ty, exp, 3, 2, two_over_pi);
(gdb) 
218	  tx[2] = (double) ((i1 << 8) & 0xffffff);
(gdb) 
220	  n = __kernel_rem_pio2 (tx, ty, exp, 3, 2, two_over_pi);
(gdb) 

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) 

So because of the pseudo zero values used, i think all the attacker can do is overwrite the stack with 0's, which means that a reachable jump address for code execution is difficult to get and may result in only a crash.

Comment 22 Eric Christensen 2020-09-03 12:51:00 UTC
Statement:

The glibc version shipped with Red Hat Enterprise Linux 8 is compiled using gcc's stack-protector option which mitigates the possibility of code execution led by the stack corruption.

The glibc version shipped with Red Hat Enterprise Linux 7 is more difficult to exploit using this flaw, specifically for remote code execution. Because exploitation of the flaw depends on the usage of pseudo-zero values, an attacker can only overwrite the stack with 0s. Due to this, a valid address value for code execution is difficult to get and is likely to only result in a crash.

Comment 27 errata-xmlrpc 2020-11-04 01:00:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4444 https://access.redhat.com/errata/RHSA-2020:4444

Comment 28 Product Security DevOps Team 2020-11-04 02:24:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10029

Comment 29 errata-xmlrpc 2021-02-02 12:07:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0348 https://access.redhat.com/errata/RHSA-2021:0348


Note You need to log in before you can comment on or make changes to this bug.