Bug 990472 (CVE-2016-6264)

Summary: VUL-1: CVE-2016-6264: uClibc: Integer overflow vulnerability leads to code execution on ARM architecture
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: ismail, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: aarch64
OS: openSUSE 42.1
URL: https://smash.suse.de/issue/171212/
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: CVE-2016-6264.patch -- Patch from fedora

Description Andreas Stieger 2016-07-25 13:12:28 UTC

uClibc and uclibc-ng are used in several projects[4, 5].

As described here[3], an attacker that controls the length parameter of
the `memset' can also control the value of the PC register. The issue is
similar to CVE-2011-2702. A patch has been proposed for uclibc-ng[1]. A
denial of service proof of concept is available[2].


        bugfix: ARM: memset.S: use unsigned comparisons

        The 'BLT' instruction checks for *signed* values. So if a3, length
        parameter of memset, is negative, then value added to the PC will be

        memset(buf, 0xaa, 0xffff0000) triggers the bug.

The attack is a bit unrealistic, as it requires that the
application that uses uClibc allows a user to control a memory chunk
larger than 2GB.
Ismail, worth a fix for arm port?
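
A constructed C model of the signed-comparison flaw described above, added as an example and not code from uClibc or the report: `dispatch_signed` mimics a BLT-guarded small-length path that selects a branch target from the length, and `dispatch_unsigned` the corrected check; the threshold `SMALL_LIMIT` and the table layout are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not uClibc's memset.S): a memset-style dispatcher that
 * compares the length against a small-size threshold and, below it, uses the
 * length as an index into a table of unrolled-store entry points. */

#define SMALL_LIMIT 8            /* assumed threshold for the unrolled path */

enum { TARGET_BULK_LOOP = -1, TARGET_OUT_OF_TABLE = -2 };

/* Vulnerable variant: the length is compared as a *signed* value, which is
 * what a BLT-guarded branch does. A length of 0xffff0000 is -65536 when read
 * as signed, so it passes the "small" check and the computed target lands
 * far outside the table (the attacker-influenced PC from the report). */
int dispatch_signed(uint32_t len)
{
    int32_t slen = (int32_t)len;
    if (slen < SMALL_LIMIT) {
        if (slen < 0)
            return TARGET_OUT_OF_TABLE;  /* index before the table base */
        return slen;                     /* valid entry 0..SMALL_LIMIT-1 */
    }
    return TARGET_BULK_LOOP;
}

/* Fixed variant: unsigned comparison, as the quoted upstream fix describes.
 * Every length >= SMALL_LIMIT, including 0xffff0000, takes the bulk path. */
int dispatch_unsigned(uint32_t len)
{
    if (len < (uint32_t)SMALL_LIMIT)
        return (int)len;
    return TARGET_BULK_LOOP;
}

int main(void)
{
    uint32_t lens[] = { 3u, 100u, 0xffff0000u };   /* last value is from the report */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=0x%08x signed->%d unsigned->%d\n",
               lens[i], dispatch_signed(lens[i]), dispatch_unsigned(lens[i]));
    return 0;
}
```
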
Comment 1 Swamp Workflow Management 2016-07-25 22:00:46 UTC

bugbot adjusting priority

Comment 2 Bjørn Lie 2017-06-24 21:32:50 UTC

Created attachment 730125
CVE-2016-6264.patch -- Patch from fedora

Comment 3 Andreas Stieger 2017-08-03 08:45:48 UTC

No maintainer, deprecated upstream.
Marked as deprecated in 42.3 lifecycle data.