This is a custom patch for RHEL 7 to fix CVE-2020-29573 and includes
parts of 41290b6e842a2adfbda77a49abfacb0db2d63bfb, and
681900d29683722b1cb0a8e565a0585846ec5a61.
We had a discussion[1] upstream about the treatment of unnormal long
double numbers in glibc and gcc and there is general consensus that
unnormal numbers (pseudos in general) ought to be treated like NaNs
without the guarantee that they will always be treated correctly in
glibc. That is, there is agreement that we should fix bugs and
security issues arising from such inputs but not guarantee glibc
behaviour with such inputs since the latter would involve extensive
coverage.
Now on to #1869380, this crash in printf manifests itself only in
RHEL-7 and not in any other Red Hat distribution because later
versions of glibc use __builtin_nan from gcc, which always recognizes
pseudos as NaN. Based on that and the recent consensus, the correct
way to fix #1869380 appears to be to treat unnormals as NaN instead of
fixing the unnormal representation as in this patch[2].
[1] https://sourceware.org/pipermail/libc-alpha/2020-November/119949.html
[2] https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html
Co-authored-by: Siddhesh Poyarekar <siddhesh@redhat.com>
diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c
index d0e082494af6b0a3..60b143571065a082 100644
--- a/stdio-common/printf_fp.c
+++ b/stdio-common/printf_fp.c
@@ -151,6 +151,28 @@ static wchar_t *group_number (wchar_t *buf, wchar_t *bufend,
wchar_t thousands_sep, int ngroups)
internal_function;
+static __always_inline int
+isnanl_or_pseudo (long double in)
+{
+#if defined __x86_64__ || defined __i386__
+ union
+ {
+ long double f;
+ struct
+ {
+ uint64_t low;
+ uint64_t high;
+ } u;
+ } ldouble;
+
+ ldouble.f = in;
+
+ return __isnanl (in) || (ldouble.u.low & 0x8000000000000000) == 0;
+#else
+ return __isnanl (in);
+#endif
+}
+
int
__printf_fp_l (FILE *fp, locale_t loc,
@@ -335,7 +357,7 @@ __printf_fp_l (FILE *fp, locale_t loc,
/* Check for special values: not a number or infinity. */
int res;
- if (__isnanl (fpnum.ldbl))
+ if (isnanl_or_pseudo (fpnum.ldbl))
{
is_neg = signbit (fpnum.ldbl);
if (isupper (info->spec))
diff --git a/sysdeps/x86/Makefile b/sysdeps/x86/Makefile
index c26533245e8a8103..f1da941dbbadadb3 100644
--- a/sysdeps/x86/Makefile
+++ b/sysdeps/x86/Makefile
@@ -18,3 +18,7 @@ sysdep-dl-routines += dl-get-cpu-features
tests += tst-get-cpu-features
tests-static += tst-get-cpu-features-static
endif
+
+ifeq ($(subdir),math)
+tests += tst-ldbl-nonnormal-printf
+endif # $(subdir) == math
diff --git a/sysdeps/x86/tst-ldbl-nonnormal-printf.c b/sysdeps/x86/tst-ldbl-nonnormal-printf.c
new file mode 100644
index 0000000000000000..e4e3e428747488b9
--- /dev/null
+++ b/sysdeps/x86/tst-ldbl-nonnormal-printf.c
@@ -0,0 +1,49 @@
+/* Test printf with x86-specific non-normal long double value.
+ Copyright (C) 2020-2021 Free Software Foundation, Inc.
+
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <string.h>
+#include <support/check.h>
+
+/* Fill the stack with non-zero values. This makes a crash in
+ snprintf more likely. */
+static void __attribute__ ((noinline, noclone))
+fill_stack (void)
+{
+ char buffer[65536];
+ memset (buffer, 0xc0, sizeof (buffer));
+ asm ("" ::: "memory");
+}
+
+static int
+do_test (void)
+{
+ fill_stack ();
+
+ long double value;
+ memcpy (&value, "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04", 10);
+
+ char buf[30];
+ int ret = snprintf (buf, sizeof (buf), "%Lg", value);
+ TEST_COMPARE (ret, strlen (buf));
+ TEST_COMPARE_STRING (buf, "nan");
+ return 0;
+}
+
+#include <support/test-driver.c>