Bugzilla – Bug 990472
VUL-1: CVE-2016-6264: uClibc: Integer overflow vulnerability leads to code execution on ARM architecture
Last modified: 2017-08-03 08:45:48 UTC
u-clibc and uclibc-ng are used in several projects[4, 5].
As described here, an attacker that controls the length parameter of
the `memset' can also control the value of the PC register. The issue is
similar to CVE-2011-2702. A patch has been proposed for uclibc-ng. A
denial of service proof of concept is available.
bugfix: ARM: memset.S: use unsigned comparisons
The 'BLT' instruction checks for *signed* values. So if a3, length
parameter of memset, is negative, then value added to the PC will be
memset(buf, 0xaa, 0xffff0000) triggers the bug.
The attack is a bit unrealistic, as it requires that the
application that uses uClibc allows a user to control a memory chunk
larger than 2GB.
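The signed-versus-unsigned comparison described in the commit message above, as an added example in C (not code from uClibc, the patch, or this bug report). It is a simplified model: SHORT_THRESHOLD and the offset formula in tail_jump_offset() are assumptions chosen for illustration, not values taken from memset.S.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for illustration: lengths below this take the short-tail path. */
#define SHORT_THRESHOLD 8

enum path { PATH_BULK, PATH_SHORT_TAIL };

/* Models a signed compare-and-branch (ARM BLT): the length register is
 * interpreted as a two's-complement int32_t. */
enum path dispatch_signed(uint32_t len)
{
    return ((int32_t)len < SHORT_THRESHOLD) ? PATH_SHORT_TAIL : PATH_BULK;
}

/* Models the fix named in the commit subject: an unsigned comparison, so
 * the same register is interpreted as uint32_t. */
enum path dispatch_unsigned(uint32_t len)
{
    return (len < SHORT_THRESHOLD) ? PATH_SHORT_TAIL : PATH_BULK;
}

/* Assumed model of a length-derived jump into a run of 4-byte store
 * instructions: skip (SHORT_THRESHOLD - 1 - len) of them. Arithmetic wraps
 * at 32 bits, as it would in a register. */
uint32_t tail_jump_offset(uint32_t len)
{
    return ((uint32_t)(SHORT_THRESHOLD - 1) - len) << 2;
}

int main(void)
{
    /* 0xffff0000 is the length from the report; the others are constructed. */
    const uint32_t samples[] = { 5u, 4096u, 0xffff0000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t len = samples[i];
        printf("len=0x%08x signed=%s unsigned=%s offset_if_short=0x%x\n",
               (unsigned)len,
               dispatch_signed(len) == PATH_SHORT_TAIL ? "short" : "bulk",
               dispatch_unsigned(len) == PATH_SHORT_TAIL ? "short" : "bulk",
               (unsigned)tail_jump_offset(len));
    }
    return 0;
}
```

With the signed comparison, the length 0xffff0000 is treated as negative and sent down the short path, where the length-derived offset falls far outside the short store sequence; with the unsigned comparison the same length takes the bulk path.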
Ismail, worth a fix for arm port?
bugbot adjusting priority
Created attachment 730125
CVE-2016-6264.patch -- Patch from fedora
No maintainer, deprecated upstream.
Marked as deprecated in 42.3 lifecycle data.