libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines (CVE-2021-43618)

Debian Bug report logs - #994405
libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines (CVE-2021-43618)

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vincent Lefevre <vincent@vinc17.net>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Wed, 15 Sep 2021 17:48:00 +0200

Package: libgmp10
Version: 2:6.2.1+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

mpz_inp_raw segfaults (SEGV_MAPERR) on large sizes. I suspect that
this is due to an integer overflow in mpz/inp_raw.c:

  abs_xsize = BITS_TO_LIMBS (abs_csize*8);

See discussion
  https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html

and my comment
  https://gmplib.org/list-archives/gmp-bugs/2021-September/005086.html

I have not checked, but abs_xsize would be smaller than expected,
thus

      xp = MPZ_NEWALLOC (x, abs_xsize);

would allocate less than expected, thus I suppose that

      cp = (char *) (xp + abs_xsize) - abs_csize;

points to a location that is *before* the buffer.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libgmp10:i386 depends on:
ii  libc6  2.32-2

libgmp10:i386 recommends no packages.

libgmp10:i386 suggests no packages.

-- no debconf information

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>

To: 994405@bugs.debian.org

Cc: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Thu, 16 Sep 2021 21:23:34 +0200

[Message part 1 (text/plain, inline)]

Control: severity -1 important
Control: notfound -1 2:6.2.1+dfsg-2
Control: found -1 2:6.2.1+dfsg-1

Thanks for the bug report. We will fix it when CVE (if any) will be
assigned and upstream patch will be available.

Though, the integer overflows are not making the package unusable in most
cases.
Thus the severity is reduced.

Regards

Anton

[Message part 2 (text/html, inline)]

Message #26 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Vincent Lefevre <vincent@vinc17.net>

To: Anton Gladky <gladk@debian.org>, 994405@bugs.debian.org

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Fri, 17 Sep 2021 01:17:10 +0200

On 2021-09-16 21:23:34 +0200, Anton Gladky wrote:
> Thanks for the bug report. We will fix it when CVE (if any) will be
> assigned and upstream patch will be available.

FYI, an upstream patch is now available here:

  https://gmplib.org/list-archives/gmp-bugs/2021-September/005087.html

> Though, the integer overflows are not making the package unusable in
> most cases.

Yes, but they may introduce security issues, in particular here
because the behavior depends on data from a file, which may be
untrusted. That said, here it is probably wise to check that the
size is not too large in order to prevent the address space from
being exhausted.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Message #31 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>

To: Vincent Lefevre <vincent@vinc17.net>

Cc: 994405@bugs.debian.org

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Fri, 17 Sep 2021 07:02:48 +0200

[Message part 1 (text/plain, inline)]

Thanks, Vincent, for the information. I would still wait for CVE,
so we can apply a patch and track vulnerability for other
Debian versions (stable/oldstable/o-o-stable etc.).

Regards

Anton


Am Fr., 17. Sept. 2021 um 01:17 Uhr schrieb Vincent Lefevre <
vincent@vinc17.net>:

> On 2021-09-16 21:23:34 +0200, Anton Gladky wrote:
> > Thanks for the bug report. We will fix it when CVE (if any) will be
> > assigned and upstream patch will be available.
>
> FYI, an upstream patch is now available here:
>
>   https://gmplib.org/list-archives/gmp-bugs/2021-September/005087.html
>
> > Though, the integer overflows are not making the package unusable in
> > most cases.
>
> Yes, but they may introduce security issues, in particular here
> because the behavior depends on data from a file, which may be
> untrusted. That said, here it is probably wise to check that the
> size is not too large in order to prevent the address space from
> being exhausted.
>

[Message part 2 (text/html, inline)]

Message #36 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Marco Bodrato <bodrato@mail.dm.unipi.it>

To: 994405@bugs.debian.org

Subject: Patch from upstream.

Date: Thu, 21 Oct 2021 19:18:01 +0200

Ciao!

There is a patch from upstream related to this issue.

https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e

Ĝis,
m

Message #41 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@debian.org>

To: Anton Gladky <gladk@debian.org>, 994405@bugs.debian.org

Cc: Vincent Lefevre <vincent@vinc17.net>, debian-lts@lists.debian.org

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Sat, 13 Nov 2021 22:09:04 +0200

On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote:
> Thanks, Vincent, for the information. I would still wait for CVE,
> so we can apply a patch and track vulnerability for other
> Debian versions (stable/oldstable/o-o-stable etc.).

Hi Anton,

did you manage to get a CVE assigned for this issue, or has there been 
any problem with tnat?

> Regards
> 
> Anton

Thanks
Adrian

Message #46 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>

To: Adrian Bunk <bunk@debian.org>

Cc: 994405@bugs.debian.org, Vincent Lefevre <vincent@vinc17.net>, Debian LTS <debian-lts@lists.debian.org>

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Sun, 14 Nov 2021 14:15:25 +0100

Hi Adrian,

well, I was thinking that upstream should request a CVE. Neverheless
I could not reproduce the issue with the modern GCC-versions.
Even on 32bit-systems.

Regards

Anton

Am Sa., 13. Nov. 2021 um 21:09 Uhr schrieb Adrian Bunk <bunk@debian.org>:
>
> On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote:
> > Thanks, Vincent, for the information. I would still wait for CVE,
> > so we can apply a patch and track vulnerability for other
> > Debian versions (stable/oldstable/o-o-stable etc.).
>
> Hi Anton,
>
> did you manage to get a CVE assigned for this issue, or has there been
> any problem with tnat?
>
> > Regards
> >
> > Anton
>
> Thanks
> Adrian

Message #51 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Vincent Lefevre <vincent@vinc17.net>

To: Anton Gladky <gladk@debian.org>

Cc: Adrian Bunk <bunk@debian.org>, 994405@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Sun, 14 Nov 2021 15:43:25 +0100

On 2021-11-14 14:15:25 +0100, Anton Gladky wrote:
> well, I was thinking that upstream should request a CVE. Neverheless
> I could not reproduce the issue with the modern GCC-versions.
> Even on 32bit-systems.

I can still reproduce the segmentation fault under Debian/unstable.
Simplified testcase:

#include <stdio.h>
#include <gmp.h>

int main (void)
{
  mpz_t s;
  mpz_init (s);
  mpz_inp_raw (s, stdin);
  return 0;
}

Compile with gcc -m32 and execute:

  printf 12345 | ./testcase

Note that even if you don't get a segmentation fault, there may be
other erratic behaviors, such as silent memory corruption (which may
be even worse).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Message #56 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>

To: Vincent Lefevre <vincent@vinc17.net>

Cc: Adrian Bunk <bunk@debian.org>, 994405@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Sun, 14 Nov 2021 18:45:45 +0100

Thanks, Vincent,

now I am able to reproduce the issue!

I will request CVE.

Regards

Anton

Am So., 14. Nov. 2021 um 15:44 Uhr schrieb Vincent Lefevre <vincent@vinc17.net>:
>
> On 2021-11-14 14:15:25 +0100, Anton Gladky wrote:
> > well, I was thinking that upstream should request a CVE. Neverheless
> > I could not reproduce the issue with the modern GCC-versions.
> > Even on 32bit-systems.
>
> I can still reproduce the segmentation fault under Debian/unstable.
> Simplified testcase:
>
> #include <stdio.h>
> #include <gmp.h>
>
> int main (void)
> {
>   mpz_t s;
>   mpz_init (s);
>   mpz_inp_raw (s, stdin);
>   return 0;
> }
>
> Compile with gcc -m32 and execute:
>
>   printf 12345 | ./testcase
>
> Note that even if you don't get a segmentation fault, there may be
> other erratic behaviors, such as silent memory corruption (which may
> be even worse).
>
> --
> Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
>

Message #61 received at 994405@bugs.debian.org (full text, mbox, reply):

From: Anton Gladky <gladk@debian.org>

To: Adrian Bunk <bunk@debian.org>

Cc: 994405@bugs.debian.org, Vincent Lefevre <vincent@vinc17.net>, Debian LTS <debian-lts@lists.debian.org>

Subject: Re: Bug#994405: libgmp10:i386: buffer overflow due to integer overflow in mpz/inp_raw.c on 32-bit machines

Date: Mon, 15 Nov 2021 06:27:20 +0100

[Message part 1 (text/plain, inline)]

CVE-2021-43618 is assigned to this issue.

Adrian Bunk <bunk@debian.org> schrieb am Sa., 13. Nov. 2021, 21:09:

> On Fri, Sep 17, 2021 at 07:02:48AM +0200, Anton Gladky wrote:
> > Thanks, Vincent, for the information. I would still wait for CVE,
> > so we can apply a patch and track vulnerability for other
> > Debian versions (stable/oldstable/o-o-stable etc.).
>
> Hi Anton,
>
> did you manage to get a CVE assigned for this issue, or has there been
> any problem with tnat?
>
> > Regards
> >
> > Anton
>
> Thanks
> Adrian
>

[Message part 2 (text/html, inline)]

Message #68 received at 994405-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 994405-close@bugs.debian.org

Subject: Bug#994405: fixed in gmp 2:6.2.1+dfsg-3

Date: Mon, 15 Nov 2021 22:03:44 +0000

Source: gmp
Source-Version: 2:6.2.1+dfsg-3
Done: Anton Gladky <gladk@debian.org>

We believe that the bug you reported is fixed in the latest version of
gmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 994405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anton Gladky <gladk@debian.org> (supplier of updated gmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 15 Nov 2021 22:28:20 +0100
Source: gmp
Architecture: source
Version: 2:6.2.1+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>
Changed-By: Anton Gladky <gladk@debian.org>
Closes: 994405
Changes:
 gmp (2:6.2.1+dfsg-3) unstable; urgency=medium
 .
   * [2da3c94] Avoid bit size overflows. CVE-2021-43618. (Closes: #994405)
   * [0f172aa] Trim trailing whitespace.
   * [116e367] Update watch file format version to 4.
   * [a1c3867] Use secure URI in Homepage field.
   * [7f358d8] Set debhelper-compat version in Build-Depends.
   * [42336e5] Remove Section on libgmp10,
               Section on libgmpxx4ldbl,
               Priority on libgmp-dev,
               Priority on libgmp10-doc,
               Priority on libgmp3-dev that duplicate source.
Checksums-Sha1:
 98569db59bc6a8627784efabe19a1c00373ddea4 2223 gmp_6.2.1+dfsg-3.dsc
 382bfdef312d12b31b4c42a0c015a498d0ae7dab 18356 gmp_6.2.1+dfsg-3.debian.tar.xz
 bb5e7217a6054c99ec08ed727596c42736a7d417 6188 gmp_6.2.1+dfsg-3_source.buildinfo
Checksums-Sha256:
 b91dae1d6298e5ff75dee503c7f8128e822000e343e0a5b5d5146cc1713334bb 2223 gmp_6.2.1+dfsg-3.dsc
 32d75d4e7a383a5cea701aff4a4bf609933c4d15d1f5e3b6168eed51857bc8f0 18356 gmp_6.2.1+dfsg-3.debian.tar.xz
 8de6d725cbe43945d5b432164052a6c7ee8fe691132af1f833cc5d330ea717f2 6188 gmp_6.2.1+dfsg-3_source.buildinfo
Files:
 18245ac2b08fb3bdff39dfcf01f828c2 2223 libs optional gmp_6.2.1+dfsg-3.dsc
 2bcd8fe2eb8c34a2d5b195409313d96b 18356 libs optional gmp_6.2.1+dfsg-3.debian.tar.xz
 959b271adb952a0a863a0b9dabfb44e9 6188 libs optional gmp_6.2.1+dfsg-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEu71F6oGKuG/2fnKF0+Fzg8+n/wYFAmGS1VgACgkQ0+Fzg8+n
/wYgvA//Zi488lOcWGe65e03hqF4yvDRBrUFuFI75OLw8xlvriFEjV21NckJN2dD
/pWp48YnuxEL4HNjKKniQKzZOtkz5LSxkqxQiWmdits/t4/8ZiBe4b3eaSH/xrPd
dEsK3nadzNic7lWSgjGf6czoPOAaSuPFvjI+Pzv5MnIUD6aIvO3JafOoNbrXvDMq
kNXePl3jwDxm3XdbNbTcBAThoa759GroAceCo+kdx5Sv0Ze8Z/c0LQeyV3lcoK12
o0gUwVo4fjtGob/U7skSmQF+GfrvEi6no0TK1Q0VYwpiPvIdKxEpsO75ohHq8DfO
AhKw4oTmGJeF0ZSEm45R3lF39K8d2/oc7E2p9cEeswRXq2K5CRKAvtHWaT5Ojpns
6+z2iziX8EzO7M7JB4jxgG7HedatuAsVsMx4ZVjWb6KIsVvLG++UBesz9n303vbQ
/FNHHtgLy/jUh4Vxnuk16LCd/c2YQVeu7qvItVpDCB91XFYKX8+74udmUT8YBlro
57EWwTP9tmvt5ZoP48hUmX799NdwQuu4RuDip1skrskieSjlivW/DhTx3eggst67
BFGfgXMJchsqdFeZKoZEaN3I4h4KZ8rHW6LPP8Pm1KdVNecvV6sGjpxA6mYkRq77
NAe6ukhvNXzpRQbj7tiazYN9mA1eN23hJex7kl6S84Qt6Qwde9M=
=VQfb
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.