[Bug libc/25423] New: Array overflow in backtrace on powerpc


glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

            Bug ID: 25423
           Summary: Array overflow in backtrace on powerpc
           Product: glibc
           Version: 2.26
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: [hidden email]
                CC: drepper.fsp at gmail dot com
            Blocks: 15867
  Target Milestone: ---
            Target: powerpc*-*-*

Commit d400dcac5e introduced an array overflow in the backtrace functions for
powerpc.  The entry for the signal trampoline stack frame is stored without
checking the array bounds.


Referenced Bugs:

https://sourceware.org/bugzilla/show_bug.cgi?id=15867
[Bug 15867] PowerPC: backtrace() fails to handle signal trampoline stack frames
--
You are receiving this mail because:
You are on the CC list for the bug.
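
A simplified model of the missing check described in this report, added here as an example. It is not glibc's source; the `struct frame` layout, the function names and the addresses are constructed for illustration.

```c
#include <stdio.h>

/* Constructed model of a frame chain; not glibc's PowerPC layout. */
struct frame {
    struct frame *next;       /* caller's frame */
    void *return_address;
    int is_signal_frame;      /* frame set up for a signal handler */
    void *interrupted_pc;     /* PC saved in the signal context */
};

/* Reported pattern: the extra signal-frame entry is stored unchecked. */
int backtrace_unchecked(const struct frame *f, void **array, int size)
{
    int count;
    for (count = 0; f != NULL && count < size; f = f->next, count++) {
        array[count] = f->return_address;
        if (f->is_signal_frame)
            array[++count] = f->interrupted_pc;   /* can be array[size] */
    }
    return count;
}

/* Every store is preceded by a check against size. */
int backtrace_checked(const struct frame *f, void **array, int size)
{
    int count = 0;
    for (; f != NULL && count < size; f = f->next) {
        array[count++] = f->return_address;
        if (f->is_signal_frame && count < size)
            array[count++] = f->interrupted_pc;
    }
    return count;
}

/* Returns 1 if bt wrote slot [size]; buf has spare slots (size <= 7). */
int overruns(int (*bt)(const struct frame *, void **, int), int size)
{
    struct frame f2 = { NULL, (void *)0x3000, 0, NULL };
    struct frame f1 = { &f2, (void *)0x2000, 1, (void *)0x2abc };
    struct frame f0 = { &f1, (void *)0x1000, 0, NULL };
    void *buf[8] = { NULL };
    bt(&f0, buf, size);
    return buf[size] != NULL;
}

int main(void)
{
    printf("%d %d\n", overruns(backtrace_unchecked, 2), overruns(backtrace_checked, 2));
    return 0;
}
```

The overrun only occurs when the signal frame's return address lands in the last slot the caller offered, which is why the unchecked loop also returns a count larger than `size` in that case.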

[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Andreas Schwab <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|powerpc*-*-*                |
               Host|                            |powerpc*-*-*


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Andreas Schwab <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.26                        |2.19


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Adhemerval Zanella <adhemerval.zanella at linaro dot org> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
                 CC|                                 |adhemerval.zanella at linaro dot org
           Assignee|unassigned at sourceware dot org  |adhemerval.zanella at linaro dot org

--- Comment #1 from Adhemerval Zanella <adhemerval.zanella at linaro dot org> ---
I will check this out.


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Andreas Schwab <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d93769405996dfc11d216ddbe415946617b5a494

commit d93769405996dfc11d216ddbe415946617b5a494
Author: Andreas Schwab <[hidden email]>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Andreas Schwab <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.31

--- Comment #3 from Andreas Schwab <[hidden email]> ---
Fixed in 2.31.


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com
              Flags|                            |security+


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #4 from Carlos O'Donell <carlos at redhat dot com> ---
It is a security issue that the function call would write beyond the bounds of
the input array given the size. Marked security+


[Bug libc/25423] Array overflow in backtrace on powerpc

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2020-1751


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

glaubitz at physik dot fu-berlin.de
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Array overflow in backtrace |Array overflow in backtrace
                   |on powerpc                  |on powerpc (CVE-2020-1751)


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Patricia Franklin
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fb266e65ccf6fd674e05352ceb5f12d60889b92d

commit fb266e65ccf6fd674e05352ceb5f12d60889b92d
Author: Andreas Schwab <[hidden email]>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.29/master branch has been updated by Patricia Franklin
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a318448f7aca169f7795d9d300c525d96f914af0

commit a318448f7aca169f7795d9d300c525d96f914af0
Author: Andreas Schwab <[hidden email]>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.28/master branch has been updated by Tulio Magno Quites Machado
Filho <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0478174d1e2c2a894a35b1cdffc573dca310b438

commit 0478174d1e2c2a894a35b1cdffc573dca310b438
Author: Andreas Schwab <[hidden email]>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.26/master branch has been updated by Tulio Magno Quites Machado
Filho <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37db4539dd8b5c098d9235249c5d2aedaa67d7d1

commit 37db4539dd8b5c098d9235249c5d2aedaa67d7d1
Author: Andreas Schwab <[hidden email]>
Date:   Mon Jan 20 17:01:50 2020 +0100

    Fix array overflow in backtrace on PowerPC (bug 25423)

    When unwinding through a signal frame the backtrace function on PowerPC
    didn't check array bounds when storing the frame address.  Fixes commit
    d400dcac5e ("PowerPC: fix backtrace to handle signal trampolines").

    (cherry picked from commit d93769405996dfc11d216ddbe415946617b5a494)


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Aurelien Jarno <[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=07d16a6debc830ebcf9533da5396edd2eff688e0

commit 07d16a6debc830ebcf9533da5396edd2eff688e0
Author: Aurelien Jarno <[hidden email]>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)

    Reviewed-by: Carlos O'Donell <[hidden email]>


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Aurelien Jarno
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d39fb022c26cf6ad832f6ad0e94ff5b5e4b511cf

commit d39fb022c26cf6ad832f6ad0e94ff5b5e4b511cf
Author: Aurelien Jarno <[hidden email]>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)

    Reviewed-by: Carlos O'Donell <[hidden email]>

    (cherry picked from commit 07d16a6debc830ebcf9533da5396edd2eff688e0)


[Bug libc/25423] Array overflow in backtrace on powerpc (CVE-2020-1751)

Sourceware - glibc-bugs mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25423

--- Comment #11 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Aurelien Jarno
<[hidden email]>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6b19792c9c86bb73e5032af7c2ff03272bdac442

commit 6b19792c9c86bb73e5032af7c2ff03272bdac442
Author: Aurelien Jarno <[hidden email]>
Date:   Tue Mar 24 22:49:10 2020 +0100

    Add NEWS entry for CVE-2020-1751 (bug 25423)

    Reviewed-by: Carlos O'Donell <[hidden email]>

    (cherry picked from commit 07d16a6debc830ebcf9533da5396edd2eff688e0)
