Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines
Vincent Lefevre
vincent at vinc17.net
Wed Sep 15 16:48:00 BST 2021
Package: libgmp10
Version: 2:6.2.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>
mpz_inp_raw segfaults (SEGV_MAPERR) on large sizes. I suspect that
this is due to an integer overflow in mpz/inp_raw.c:
abs_xsize = BITS_TO_LIMBS (abs_csize*8);
See discussion
https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
and my comment
https://gmplib.org/list-archives/gmp-bugs/2021-September/005086.html
I have not checked, but abs_xsize would be smaller than expected,
thus
xp = MPZ_NEWALLOC (x, abs_xsize);
would allocate less than expected, thus I suppose that
cp = (char *) (xp + abs_xsize) - abs_csize;
points to a location that is *before* the buffer.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libgmp10:i386 depends on:
ii libc6 2.32-2
libgmp10:i386 recommends no packages.
libgmp10:i386 suggests no packages.
-- no debconf information
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
More information about the debian-science-maintainers
mailing list