CVE-2020-10029: GNU libc trigonometry buffer overflow?!?


Bear in mind trigonometry, the place you got the size of two sides of a triangle and needed to compute the third facet? We remembered vaguely SOH CAH TOA, however not far more. One factor we might have wager $50 on: That there wouldn’t be a buffer overflow in primary trigonometric capabilities. We’d have misplaced that wager.

Earlier this yr we uncovered bugs within the glibc capabilities cosl, sinl, sincosl, and tanl attributable to assumptions in an underlying widespread operate, resulting in CVE-2020-10029. These bugs, after being  dormant for eight years (launched in 2012, on this commit) at the moment are mounted in glibc 2.32.

Bugs in floating level operations could be of super consequence. To call just a few:

Floating-point arithmetic is taken into account an esoteric topic by many individuals. That is fairly stunning as a result of floating-point is ubiquitous in laptop techniques.

On this publish, I’ll cowl:

  • The fundamentals of how floating level works.
  • The vulnerability in glibc.
  • How we fuzzed it with Mayhem.

A C library is a set of general-purpose utility capabilities that just about each program written in C makes use of. The programmer makes use of it to work with reminiscence buffers, information, community sockets, system time and extra. It additionally gives over 200 capabilities to carry out calculations with floating level numbers, which this weblog publish is about.

The GNU C Library (glibc) is the most typical open supply C library and is used on most Linux techniques. As a result of so many purposes depend upon it, and since it’s put in throughout hundreds of thousands of units, it’s a essential part within the open supply ecosystem.

“Twenty years in the past anarchy threatened floating-point arithmetic.”  –Prof Kahan, 1997.

Computer systems symbolize rational numbers, like 3.14, as floating level numbers. Whereas most builders perceive how integers, like 31 or 57, are represented, comparatively few perceive how floating level numbers are represented by the pc.

In 1985, the IEEE launched IEEE 754, the usual by which most computer systems now implement floating level numbers. The usual fastidiously weighed issues, comparable to the right way to deal with rounding and the right way to symbolize the biggest vary of numbers compactly.

At a excessive stage, each floating level quantity consists of three fields:

  • An indication bit, indicating whether or not the quantity is constructive or unfavorable
  • An exponent area, to be able to symbolize the exponent -12 in 1.01111 x 2-12
  • A signicand area, which represents the non-exponent part. For instance, “1.01111” in 1.01111 x 2-12  above.

The different sorts for floating level, comparable to float, double, and lengthy double, are represented utilizing different-size fields.

glibc image 2

Nonetheless, not all legitimate bit patterns are legitimate floating level numbers. This was stunning to us, and we solely realized it after fuzzing and discovering the bug with Mayhem.

The IEEE-754 format states the quantity 0.Zero is represented by the exponent and fractional bits all being zero. The issue arises: What if the exponent is non-zero, and the fractional bits f are zero? Whereas mathematically one might imagine that is zero (in any case 0.0 * 10 = Zero mathematically), it’s not on a pc. The IEEE-754 considers this an invalid quantity.

In different phrases, not all bit-patterns are legitimate floating level numbers.

As we have been assessing the safety of OpenWRT, which makes use of musl as its C library, we found {that a} reminiscence bug had been present in musl libc’s floating level code final yr.

Impressed by this, we got down to uncover extra bugs in floating level code. To this finish, we constructed a fuzzer that calls all floating level capabilities with random (fuzzer-generated) enter for glibc. By way of this holistic method, any reminiscence bug ought to come to gentle.

Sadly, we discovered no bugs in musl libc. However as a result of our fuzzer is common and can be utilized on any POSIX-compliant math library, adopting its use for GNU libc was straightforward.

Once we began fuzzing trig capabilities in glibc, we didn’t keep in mind any of the above. So, we wrote a small library that routinely calls any glibc capabilities. Then a vulnerability fell out, which prompted us to return to grasp the problem.

The proof of vulnerability created by Mayhem is fairly easy: go  0x5d4141414141414100000000 to sinl and watch the stack protector scream.

Right here is the total proof of vulnerability:

#embrace $ cat sinl-pov.c#embrace #embrace int predominant(void){ const unsigned char _v[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x5d}; lengthy double v; memcpy(&v, _v, sizeof(v)); /* Return the end result in order that gcc does not optimize every little thing away */ return sinl(v);}

Glibc crashes with SIGSEGV. What? Why would purely arithmetic code have a buffer or anything that will trigger a SIGSEGV?

With somewhat searching, we discovered that sinl, and all trig capabilities working on an extended double sort,  known as __kernel_rem_pio2. That’s the place the bug is at. The operate performs pi/2 and retains monitor of any the rest.

At first we have been thrown off from an uninitialized use error. It seems that you just at all times have an uninitialized use error when utilizing glibc due to the way it represents the double lengthy bit sample. It breaks it up into three 32-bit phrases, with the highest 16 bits unused “junk” bits merely there for reminiscence alignment. Consider a double lengthy worth as like being an enum with 4 elements (and certainly that is from glibc code):

#embrace typedef union{ lengthy double worth; struct { uint32_t lsw; /* bits 0-31 */ uint32_t msw; /* bits 32-63 */ int sign_exponent:16; /* bits 64-79 */ unsigned int junk:16; /* bits 80-128 */ } elements;} ieee_long_double_shape_type;

Though the vulnerability isn’t the “uninitialized reminiscence errors”, it did begin pointing us in the suitable path. The weak operate  __kernel_rem_pio2 is named with:

  • x, an array of three doubles for probably the most important phrase and least important phrase for the double lengthy significand
  • The exponent and signal bits e0
  • A lot of different choices which are effectively documented, however not crucial to explain right here
  • The POC found by Mayhem set the array x to be all zero and e0 to be non-zero. Nonetheless, the code as written expects a minimum of one bit in x[] to be set to 1. Consequently, there may be an out-of-bounds reminiscence learn, adopted by an out-of-bounds reminiscence write.

The weak code is dense (obtainable right here).

Here’s a walk-through with the salient elements commented with “observe”:

#embrace int__kernel_rem_pio2 (double *x, double *y, int e0, int nx, int prec, const int32_t *ipio2){ int32_t jz, jx, jv, jp, jk, carry, n, iq[20], i, j, okay, m, q0, ih; double z, fw, f[20], fq[20], q[20]; … /* compute q[0],q[1],…q[jk] */ /* observe: since x[j] is the enter and at all times zero within the POV, q[i] will at all times be zero */ for (i = 0; i <= jk; i++) { for (j = 0, fw = 0.0; j <= jx; j++) fw += x[j] * f[jx + i – j]; q[i] = fw; } jz = jk;recompute: /* observe: goto-loop. Our POV iterates by means of it till it will get to an OOB learn and OOB write. */ /* distill q[] into iq[] reversingly */ /* observe: iq[i] ought to be zero since q[i] is zero */ for (i = 0, j = jz, z = q[jz]; j > 0; i++, j–) { fw = (double) ((int32_t) (twon24 * z)); iq[i] = (int32_t) (z – two24 * fw); z = q[j – 1] + fw; } … /* test if recomputation is required */ if (z == zero) { j = 0; for (i = jz – 1; i >= jk; i–) j |= iq[i]; /* observe: observe that iq is zero, so that is true */ if (j == 0) /* want recomputation */ { /* observe: OOB learn. iq[0] for all enter parameters. Returns true on the first uninitialized slot of iq[], At the very least on the primary iteration or recompute/goto loop */ for (okay = 1; iq[jk – k] == 0; okay++) ; /* okay = no. of phrases wanted */ /* observe: okay is now some index such that iq[jk-k] is uninitialized reminiscence. We get an out-of-bound write As a result of i is derived from okay in f[jx+i] */ for (i = jz + 1; i <= jz + okay; i++) /* add q[jz+1] to q[jz+k] */ jz += okay; goto recompute; } } …}

We reported this bug to the glibc non-public safety tackle, then reported it to their public tracker per their request. You possibly can comply with the general public thread from January 31, 2020 on the glibc builders mailing record. The builders have put in a bug repair, and the CVE (CVE-2020-10029) is now public. The bug impacts the glibc capabilities cosl, sinl, sincosl, and tanl attributable to assumptions in an underlying widespread operate. The bugs can be mounted in glibc 2.32. The CVSS rating is 5.5.

Floating level arithmetic is prime to many techniques, from graphics to cyber-physical techniques. Floating level code can be laborious to test manually; even reviewing the vulnerability after we knew the place it was took appreciable time. One of many advantages of utilizing superior fuzz testing is it offers you an instance, proving that the vulnerability exists, and providing you with an precise enter to repair the issue. This ensures builders solely deal with verified points, expediting the remediation course of and permitting them to confirm their fixes.

You May Also Like