Bugzilla – Bug 958097
VUL-0: CVE-2009-0689: mono-core: string-to-double parser implementations bugs
Last modified: 2016-12-27 17:54:18 UTC
embargoed, via distros

CRD: 2015-12-14

Dear distributors,

Security researchers at NCC Group have discovered that CVE-2009-0689, a definite DOS (and possible arbitrary code execution) in various applications' string-to-double parser implementations, also applies to Mono versions prior to 4.2.

A fix is available at https://gist.github.com/directhex/01e853567fd2cc74ed39 and should apply cleanly to all versions of Mono you might care about.

This fix should be applied to all Mono packages prior to 4.2 (everything except Debian Experimental, and Arch, from a quick look).

We would appreciate holding this under embargo until 9am GMT on Monday December 14th (slightly longer than the preferred 7 days, but Sunday isn't good for anyone).

Attached is the disclosure as-received by us, which includes a minimal test case to demonstrate the vulnerability.

Thanks to Peter McLarnan <Peter.McLarnan@nccgroup.trust> and Andy Schmitz <andy.schmitz@nccgroup.trust>
Mono `strtod` Bounds Checking Vulnerability
====

Severity
----

High

Impact
----

An attacker who can cause a carefully-chosen string to be converted to a floating-point number can cause a crash and potentially induce arbitrary code execution.

Details
----

The float-parsing code used in Mono (before 4.2) is derived from classic code written by David M. Gay, and lives in `mono/utils/strtod.c`. This code has a vulnerability which has been noted before, and fixed in the upstream version, but this fix was apparently not propagated into the Mono codebase. See [1].

The issue concerns the `freelist` array, which is a global array of 16 pointers to `Bigint`. This array is part of a memory allocation and reuse system which attempts to reduce the number of `malloc` and `free` calls. The system allocates blocks in power-of-two sizes, from 2^0 through 2^15, and stores freed blocks of each size in a linked list rooted at the corresponding cell of `freelist`.

The `Balloc` and `Bfree` functions which operate this system fail to check if the size parameter `k` is within the allocated 0..15 range. As a result, a sufficiently large allocation will have k=16 and treat the word immediately after `freelist` as a pointer to a previously-allocated chunk.

The specific results may vary significantly based on the version, platform, and compiler, since they depend on the layout of variables in memory. However, the worst-case scenario of arbitrary code execution should be assumed until it can be ruled out.

For an example, in a version distributed with Ubuntu 12.04, `freelist[16]` coincides with the variable `p5s`, which stores the number 625 in `Bigint` form. Importantly, this allocation is small. When the code reuses this supposedly-free space and attempts to write a large number, the numeric data overflows the allocation and can affect other parts of the program.

By overwriting `malloc` heap metadata, it is likely possible to cause arbitrary code execution, although we do not yet have a full demonstration of this.

The vulnerable code does not appear in version 4.2, which seems to use a different library.

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689

Reproduction
----

The following C# code suffices to demonstrate the issue on Mac OS X with packaged Mono versions 3.12.1 and 4.0.4:

~~~
using System;

class Test
{
    static void Main()
    {
        string input = "1." + new string('1', 294912);
        Double.Parse(input);
    }
}
~~~

Running the input causes an immediate crash.

Recommendation
----

Implement the checks found in the current version of the upstream software (http://www.netlib.org/fp/dtoa.c):

Balloc

~~~
if (k <= Kmax && (rv = freelist[k]))
    freelist[k] = rv->next;
else {
    ...
~~~

Bfree

~~~
if (v) {
    if (v->k > Kmax)
#ifdef FREE
        FREE((void*)v);
#else
        free((void*)v);
#endif
    else {
        ACQUIRE_DTOA_LOCK(0);
        v->next = freelist[v->k];
        freelist[v->k] = v;
        FREE_DTOA_LOCK(0);
    }
}
}
~~~

Consider a full upgrade, as there may be other relevant bugs in the original version. (See http://www.netlib.org/fp/changes for a rough changelog)
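The following is an added example, not Mono's `strtod.c` nor netlib's `dtoa.c`: a minimal, self-contained model of the power-of-two block pool the advisory describes, written with the `Kmax` bounds checks from the recommended upstream fix in place. The names `Bigint`, `Balloc`, `Bfree`, `freelist` and `Kmax` follow the advisory; the struct layout, the allocation arithmetic and the two `demo_*` helpers are simplifications assumed for this illustration. It shows the property the fix establishes: a request with `k > Kmax` never reads or writes `freelist[k]`, so the 16-entry array is the only storage the pool ever touches.

```c
/* Added example modelling the dtoa.c block pool with the CVE-2009-0689 fix
 * applied. Not Mono's or netlib's code; struct layout and sizes are
 * assumptions made for this illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define Kmax 15            /* freelist caches size classes 2^0 .. 2^15 words */

typedef struct Bigint {
    struct Bigint *next;   /* link within freelist[k] */
    int k;                 /* size class: the block holds 1 << k words */
    int maxwds;            /* capacity in words, i.e. 1 << k */
    int sign, wds;         /* sign and number of words in use */
    unsigned int x[1];     /* first word of the digit array (flexible tail) */
} Bigint;

static Bigint *freelist[Kmax + 1];   /* exactly 16 heads, indices 0..15 */

/* Bounds-checked Balloc: only classes 0..Kmax are recycled through the
 * freelist. A larger class falls through to malloc without indexing
 * freelist[k], which is the read the unpatched code performed. */
Bigint *Balloc(int k)
{
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;          /* pop a cached block */
    } else {
        int words = 1 << k;
        size_t len = sizeof(Bigint) + (size_t)(words - 1) * sizeof(unsigned int);
        rv = malloc(len);
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = words;
    }
    rv->sign = 0;
    rv->wds = 0;
    return rv;
}

/* Bounds-checked Bfree: a block above Kmax goes back to the system instead
 * of being pushed onto freelist[v->k], which would write past the array. */
void Bfree(Bigint *v)
{
    if (v == NULL)
        return;
    if (v->k > Kmax) {
        free(v);
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* Is a block of class k currently cached? Out-of-range k is simply "no". */
int freelist_has(int k)
{
    return k >= 0 && k <= Kmax && freelist[k] != NULL;
}

/* Demonstration: a small block is cached on free and handed back on the
 * next request for the same class. Returns 1 on the expected behaviour. */
int demo_small_block_recycled(void)
{
    Bigint *a = Balloc(3);
    if (a == NULL || a->maxwds != 8)
        return 0;
    Bfree(a);
    if (!freelist_has(3))              /* cached, not released */
        return 0;
    Bigint *b = Balloc(3);
    int same = (b == a) && !freelist_has(3);
    Bfree(b);
    return same;
}

/* Demonstration: a class Kmax+1 block (the "k=16" case from the advisory)
 * is served by malloc and released by free, leaving freelist untouched. */
int demo_large_block_bypasses_freelist(void)
{
    Bigint *before[Kmax + 1];
    memcpy(before, freelist, sizeof before);
    Bigint *big = Balloc(Kmax + 1);
    if (big == NULL || big->k != Kmax + 1 || big->maxwds != (1 << (Kmax + 1)))
        return 0;
    big->x[big->maxwds - 1] = 1u;      /* last word is inside the allocation */
    Bfree(big);
    return memcmp(before, freelist, sizeof before) == 0;
}

int main(void)
{
    printf("small block recycled: %d\n", demo_small_block_recycled());
    printf("large block bypasses freelist: %d\n", demo_large_block_bypasses_freelist());
    return 0;
}
```

The second helper exercises exactly the path that the unpatched `Balloc` mishandled: with the check removed, `freelist[16]` would be read as a `Bigint *` from whatever global happens to follow the array, and `Bfree` would later store into it. With the check, both functions stay within the 16 entries regardless of `k`, so the size of the parsed number can no longer steer the pool outside its own array.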
Created attachment 658515 [details]
Test.cs

QA REPRODUCER:

mcs Test.cs
mono Test.exe

BEFORE:

$ mono Test.exe

Unhandled Exception: System.OverflowException: Number overflow.
  at System.Double.Parse (System.String s, NumberStyles style, IFormatProvider provider) [0x00000] in <filename unknown>:0
  at System.Double.Parse (System.String s) [0x00000] in <filename unknown>:0
  at Test.Main () [0x00000] in <filename unknown>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.OverflowException: Number overflow.
  at System.Double.Parse (System.String s, NumberStyles style, IFormatProvider provider) [0x00000] in <filename unknown>:0
  at System.Double.Parse (System.String s) [0x00000] in <filename unknown>:0
  at Test.Main () [0x00000] in <filename unknown>:0
$

AFTER:

$ mono Test.exe
<no output>
$
bugbot adjusting priority
public on http://www.mono-project.com/docs/about-mono/vulnerabilities/

string-to-double parser bug

CVE: CVE-2009-0689

Mono's string-to-double parser may crash on specially crafted input. This could theoretically lead to arbitrary code execution.

The following sample program may crash the runtime on affected versions:

~~~
using System;

class Test
{
    static void Main()
    {
        string input = "1." + new string('1', 294912);
        Double.Parse(input);
    }
}
~~~

Versions affected: All versions prior to 4.2.0.179

Versions fixed: 3.10.0-0xamarin4, 3.12.1-0xamarin2, 3.8.0-0xamarin3, 4.0.5.1-0xamarin2 packages in our Debian security repositories.

Individual patch for affected versions: https://gist.github.com/directhex/01e853567fd2cc74ed39

Credits:
Peter McLarnan Peter.McLarnan@nccgroup.trust
Andy Schmitz andy.schmitz@nccgroup.trust
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Dec. 31, 2015". When done, reassign the bug to "security-team@suse.de". /update/121185/.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-01-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62382
SUSE-SU-2016:0257-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 739119,958097
CVE References: CVE-2009-0689,CVE-2012-3543

Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Server 11-SP4 (src): mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Server 11-SP3 (src): mono-core-2.6.7-0.16.1
SUSE Linux Enterprise Desktop 11-SP4 (src): mono-core-2.6.7-0.16.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-12-07. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63215
SUSE-SU-2016:2958-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 739119,958097
CVE References: CVE-2009-0689,CVE-2012-3543

Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): mono-core-2.6.7-0.18.1
SUSE Linux Enterprise Server 11-SP4 (src): mono-core-2.6.7-0.18.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): mono-core-2.6.7-0.18.1
*** Bug 1010590 has been marked as a duplicate of this bug. ***