The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, as seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=25487 Upstream commit: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=9333498794cde1d5cca518badf79533a24114b6f
Created glibc tracking bugs for this issue: Affects: fedora-all [bug 1810671]
There's an issue in the __ieee754_rem_pio2l() function, where it doesn't correctly validate pseudo-zero values before calling __kernel_rem_pio2(), which doesn't expect such values. __ieee754_rem_pio2l() is used by the sinl() function, and an attacker may take advantage of this by crafting a malicious input which may trigger stack corruption, compromising data integrity or confidentiality, causing a DoS, or leading to code execution in some scenarios. The glibc version shipped with Red Hat Enterprise Linux 8 is compiled using the stack-protector feature, which mitigates the possibility of code execution.
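Added example (not part of this bug, the upstream fix, or Red Hat's analysis): a C classifier for 80-bit x87 encodings, showing where an input check belongs when attacker-controlled long double bit patterns are handed to libm. Read most-significant first, which is an assumption about the notation in the CVE text, 0x5d414141414141410000 is sign/exponent 0x5d41 with significand 0x4141414141410000: the explicit integer bit (bit 63) is clear and the fraction is nonzero, which Intel's manual calls an unnormal; a pseudo-zero is the same shape with a zero fraction. Both are non-canonical in the sense the CVE text uses, and both are rejected here before anything reaches sinl. The sample inputs are constructed, and the names x87_classify, x87_is_canonical, x87_to_long_double and x87_count_rejected_pseudo_zeros were chosen for this example.

```c
#include <float.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x87 80-bit layout: sign(1) | exponent(15) | integer bit(1) | fraction(63).  The
 * explicit integer bit allows patterns no x87 arithmetic ever produces: the CVE's
 * "non-canonical" inputs.  Class names follow the Intel SDM's list of them. */
enum x87_class {
    X87_ZERO, X87_DENORMAL, X87_NORMAL, X87_INFINITY, X87_NAN, /* canonical */
    X87_PSEUDO_DENORMAL,                /* exponent 0, integer bit set */
    X87_PSEUDO_ZERO, X87_UNNORMAL,      /* integer bit clear, fraction 0 / nonzero */
    X87_PSEUDO_INFINITY, X87_PSEUDO_NAN /* exponent 0x7fff, integer bit clear */
};

/* se: sign and 15-bit exponent; mant: the full 64-bit significand. */
enum x87_class x87_classify(uint16_t se, uint64_t mant)
{
    unsigned expo = se & 0x7fffu;
    int ibit = (int)(mant >> 63);
    uint64_t frac = mant & 0x7fffffffffffffffULL;
    if (expo == 0)
        return ibit ? X87_PSEUDO_DENORMAL : (frac ? X87_DENORMAL : X87_ZERO);
    if (expo == 0x7fffu)
        return ibit ? (frac ? X87_NAN : X87_INFINITY)
                    : (frac ? X87_PSEUDO_NAN : X87_PSEUDO_INFINITY);
    return ibit ? X87_NORMAL : (frac ? X87_UNNORMAL : X87_PSEUDO_ZERO);
}

/* The guard: only the five canonical classes may reach libm. */
int x87_is_canonical(uint16_t se, uint64_t mant)
{
    return x87_classify(se, mant) <= X87_NAN;
}

/* Build the long double a PoC would hand to sinl, but only from a canonical
 * pattern (-1 otherwise).  Only where long double is the little-endian x87
 * type (i386/x86_64 glibc); elsewhere -2, so no other format is misread. */
int x87_to_long_double(uint16_t se, uint64_t mant, long double *out)
{
#if (defined(__i386__) || defined(__x86_64__)) && LDBL_MANT_DIG == 64
    unsigned char raw[sizeof(long double)] = {0};
    if (!x87_is_canonical(se, mant))
        return -1;
    memcpy(raw, &mant, 8);   /* bytes 0..7: significand */
    memcpy(raw + 8, &se, 2); /* bytes 8..9: sign+exponent; rest is padding */
    memcpy(out, raw, sizeof raw);
    return 0;
#else
    (void)se; (void)mant; (void)out;
    return -2;
#endif
}

/* Sweep the whole pseudo-zero space (exponents 1..0x7ffe, zero significand, both
 * signs) as a regression test would; all 2 * 0x7ffe = 65532 must be rejected. */
int x87_count_rejected_pseudo_zeros(void)
{
    int rejected = 0;
    for (unsigned expo = 1; expo <= 0x7ffeu; expo++)
        for (unsigned sign = 0; sign < 2; sign++) {
            uint16_t se = (uint16_t)((sign << 15) | expo);
            if (x87_classify(se, 0) == X87_PSEUDO_ZERO && !x87_is_canonical(se, 0))
                rejected++;
        }
    return rejected;
}

int main(void)
{
    /* Constructed inputs: the CVE's pattern read most-significant first (an
     * assumption about its notation), a pseudo-zero with the same exponent,
     * and the canonical encoding of 1.0L. */
    struct { uint16_t se; uint64_t mant; } samples[] = {
        { 0x5d41, 0x4141414141410000ULL },
        { 0x5d41, 0 },
        { 0x3fff, 0x8000000000000000ULL },
    };
    for (size_t i = 0; i < 3; i++) {
        long double x;
        printf("%04x %016llx: class %d, %s\n", samples[i].se,
               (unsigned long long)samples[i].mant,
               (int)x87_classify(samples[i].se, samples[i].mant),
               x87_to_long_double(samples[i].se, samples[i].mant, &x) == 0
                   ? "built, safe for sinl" : "rejected before libm");
    }
    printf("pseudo-zeros rejected: %d\n", x87_count_rejected_pseudo_zeros());
    return 0;
}
```

Build with cc -o x87check x87check.c; nothing links against libm, because the point is the check in front of the libm call, so sinl itself is never invoked here. Passing a pattern the guard rejects to sinl is exactly the path the gdb session later in this bug stepped through; on a fixed glibc it is harmless, on an unfixed one it is the crash.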
We have outstanding issues CVE-2020-10029 and CVE-2020-1752, but there are no new errata for these. Do you all have an ETA for the glibc fix for RHEL 8?
A note on analysis: After running the code through gdb on rhel-7, I doubt the exploitability of this flaw. Just before it crashes in __ieee754_rem_pio2l(), I can see that the EIP is replaced with 0x0000000000000000

220	  n = __kernel_rem_pio2 (tx, ty, exp, 3, 2, two_over_pi);
(gdb)
218	  tx[2] = (double) ((i1 << 8) & 0xffffff);
(gdb)
220	  n = __kernel_rem_pio2 (tx, ty, exp, 3, 2, two_over_pi);
(gdb)
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb)

So because of the pseudo-zero values used, I think all the attacker can do is overwrite the stack with 0's, which means that a reachable jump address for code execution is difficult to get and may result in only a crash.
Statement: The glibc version shipped with Red Hat Enterprise Linux 8 is compiled using gcc's stack-protector option, which mitigates the possibility of code execution resulting from the stack corruption. The glibc version shipped with Red Hat Enterprise Linux 7 is more difficult to exploit using this flaw, specifically for remote code execution. Because exploitation of the flaw depends on the usage of pseudo-zero values, an attacker can only overwrite the stack with 0s. Due to this, a valid address value for code execution is difficult to obtain, and exploitation is likely to result only in a crash.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4444 https://access.redhat.com/errata/RHSA-2020:4444
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10029
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0348 https://access.redhat.com/errata/RHSA-2021:0348
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:2998 https://access.redhat.com/errata/RHSA-2021:2998
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2021:3315 https://access.redhat.com/errata/RHSA-2021:3315