Bug 990472 - (CVE-2016-6264) VUL-1: CVE-2016-6264: uClibc: Integer overflow vulnerability leads to code execution on ARM architecture
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: aarch64 openSUSE 42.1
Priority: P4 - Low Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/171212/
Reported: 2016-07-25 13:12 UTC by Andreas Stieger
Modified: 2017-08-03 08:45 UTC (History)

Found By: Security Response Team


Attachments
CVE-2016-6264.patch -- Patch from fedora (3.28 KB, patch)
2017-06-24 21:32 UTC, Bjørn Lie

Description Andreas Stieger 2016-07-25 13:12:28 UTC
http://seclists.org/oss-sec/2016/q3/126

uClibc and uclibc-ng are used in several projects[4, 5].

As described here[3], an attacker that controls the length parameter of
the `memset' can also control the value of the PC register. The issue is
similar to CVE-2011-2702. A patch has been proposed for uclibc-ng[1]. A
denial of service proof of concept is available[2].

        libc/string/arm/memset.S


        bugfix: ARM: memset.S: use unsigned comparisons

        The 'BLT' instruction checks for *signed* values. So if a3, the length
        parameter of memset, is negative, then the value added to the PC will be
        large.

        memset(buf, 0xaa, 0xffff0000) triggers the bug.


The attack is a bit unrealistic, as it requires that the
application that uses uClibc allows a user to control a memory chunk
larger than 2GB.


[1]http://repo.or.cz/uclibc-ng.git/commit/e3848e3dd64a8d6437531488fe341354bc02eaed
[2]http://article.gmane.org/gmane.comp.lib.uclibc-ng/27
[3]http://mailman.uclibc-ng.org/pipermail/devel/2016-May/000890.html
[4]https://www.uclibc.org/products.html
[5]http://www.uclibc-ng.org/


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1352459
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6264
http://seclists.org/oss-sec/2016/q3/126
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6264.html


Ismail, worth a fix for arm port?
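To make the signed-versus-unsigned point concrete, here is an added C model of the memset length dispatch; it is not uClibc's assembly nor code from this bug report, and the threshold of 8 and the tail/loop split are assumptions drawn from the patch description quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model (not the uClibc assembly itself) of the length dispatch at the top
 * of libc/string/arm/memset.S: lengths below a small threshold go to a
 * byte-store tail that is entered by adding an offset to PC; longer lengths
 * go to the word loop. Assumption: a threshold of 8 and a 'cmp a3, #8' /
 * 'blt' sequence, which the fix rewrote to use an unsigned branch. */
enum memset_path { PATH_TAIL, PATH_LOOP };

#define SHORT_THRESHOLD 8u

/* Buggy dispatch: 'blt' reads the flags as a signed comparison, so a
 * length whose top bit is set (0xffff0000 is -65536 as int32_t) compares
 * below 8 and is sent to the tail, which was only written for 0..7. */
enum memset_path dispatch_signed(uint32_t a3) {
    int32_t as_signed = (int32_t)a3;  /* how 'blt' interprets register a3 */
    return as_signed < (int32_t)SHORT_THRESHOLD ? PATH_TAIL : PATH_LOOP;
}

/* Fixed dispatch ("use unsigned comparisons"): an unsigned branch on the
 * same flags treats a3 as unsigned, so 0xffff0000 is just a large length. */
enum memset_path dispatch_unsigned(uint32_t a3) {
    return a3 < SHORT_THRESHOLD ? PATH_TAIL : PATH_LOOP;
}

/* True when the two dispatches disagree, i.e. the signed check would have
 * misrouted this length. Every value >= 0x80000000 (the "larger than 2GB"
 * case from the report) falls into this class. */
bool length_misrouted(uint32_t a3) {
    return dispatch_signed(a3) != dispatch_unsigned(a3);
}

int main(void) {
    /* Constructed sample lengths, including the trigger from the report. */
    const uint32_t lengths[] = { 0u, 7u, 8u, 4096u, 0x7fffffffu,
                                 0x80000000u, 0xffff0000u };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        uint32_t n = lengths[i];
        printf("len=0x%08x signed->%s unsigned->%s%s\n", n,
               dispatch_signed(n) == PATH_TAIL ? "tail" : "loop",
               dispatch_unsigned(n) == PATH_TAIL ? "tail" : "loop",
               length_misrouted(n) ? "  <-- misrouted by signed check" : "");
    }
    return 0;
}
```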
Comment 1 Swamp Workflow Management 2016-07-25 22:00:46 UTC
bugbot adjusting priority
Comment 2 Bjørn Lie 2017-06-24 21:32:50 UTC
Created attachment 730125 [details]
CVE-2016-6264.patch -- Patch from fedora
Comment 3 Andreas Stieger 2017-08-03 08:45:48 UTC
No maintainer, deprecated upstream.
Marked as deprecated in 42.3 lifecycle data.