reported buffer overflows #287
Comments
Thank you very much, I will look into this! I missed these three issues although I am somewhat watching if there are [major] complaints raised by the RPM, Debian, and FreeBSD packages.
You wrote:

> I missed these three issues although I am somewhat watching if there are [major] complaints raised by the RPM, Debian, and FreeBSD packages.

I'm sorry if you need to do that. I'll pass on anything relevant from Fedora, anyhow; I know how annoying it is when distributions don't report things "up-stream"!
The reported issues had the same root cause, which is fixed in GitHub/master (part of the next release update). The issues arose from fuzzed input data (perhaps generated automatically), which is nevertheless malformed CSC input. LIBXSMM's CSC/CSR readers now bail out with an error (previously: undefined behaviour). TODO: the issue is kept open until Valgrind (and similar tools) confirm no issues.
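The fix described above is input validation before indexing: a CSC description whose column pointers or row indices are inconsistent must be rejected before any loop dereferences them. The following is an added illustration, not LIBXSMM's own reader code; the function names and the constructed sample matrices are hypothetical.

```c
/* Added example, not LIBXSMM code: validate a CSC description for
 * consistency before any index is used to address memory. Malformed CSC
 * data (the kind the fuzzed reports exercised) is rejected with an error
 * code instead of being read out of bounds. Names and samples constructed. */
#include <stddef.h>
#include <stdio.h>

/* CSC layout: colptr[0..ncols] with colptr[0]==0 and colptr[ncols]==nnz;
 * column j holds entries colptr[j]..colptr[j+1]-1, and every rowidx < nrows. */
int csc_validate(size_t nrows, size_t ncols, size_t nnz,
                 const size_t *colptr, const size_t *rowidx)
{
  size_t j, k;
  if (NULL == colptr || (NULL == rowidx && 0 != nnz)) return -1;
  if (0 != colptr[0] || nnz != colptr[ncols]) return -2;
  for (j = 0; j < ncols; ++j) {
    if (colptr[j] > colptr[j + 1]) return -3; /* pointers must not decrease */
  }
  for (k = 0; k < nnz; ++k) {
    if (nrows <= rowidx[k]) return -4; /* would index past a dense column */
  }
  return 0;
}

/* Constructed 3x2 matrix: column 0 holds rows {0,2}, column 1 holds row {1}. */
static const size_t good_colptr[] = { 0, 2, 3 };
static const size_t good_rowidx[] = { 0, 2, 1 };
/* Same shape, but one row index (7) exceeds nrows=3: must be rejected. */
static const size_t bad_rowidx[] = { 0, 7, 1 };
/* Column pointers that run backwards while still ending at nnz: a loop like
 * for (k = colptr[j]; k < colptr[j+1]; ++k) would read rowidx[3] out of bounds. */
static const size_t bad_colptr[] = { 0, 4, 3 };

int example_valid(void)      { return csc_validate(3, 2, 3, good_colptr, good_rowidx); }
int example_bad_rowidx(void) { return csc_validate(3, 2, 3, good_colptr, bad_rowidx); }
int example_bad_colptr(void) { return csc_validate(3, 2, 3, bad_colptr, good_rowidx); }
int example_bad_nnz(void)    { return csc_validate(3, 2, 4, good_colptr, good_rowidx); }

int main(void)
{
  printf("valid=%d bad_rowidx=%d bad_colptr=%d bad_nnz=%d\n",
         example_valid(), example_bad_rowidx(),
         example_bad_colptr(), example_bad_nnz());
  return 0;
}
```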
FTR, CVE-2018-20541 and CVE-2018-20542 have been assigned for those issues, specifically:
…by generating an eventual error message. Library initialization is needed for verbosity (warnings/errors). Added VC project for NOBLAS (dummy-)library. Adjusted error message (90011). Code cleanup.
The reported issues are fixed in LIBXSMM's master revision. There was no real application for the reported cases as invalid input data was supplied to a low-level API function. Besides checking the input, an error message is generated.
As stated above, the issues appeared to be discovered automatically using an approach that fuzzes input data to induce a problem. The related publication can be found at https://www.usenix.org/system/files/sec20spring_gan_prepub.pdf. The way of reporting the problem(s) is borderline (opinion), as the authors reported findings upstream as a security hole of the library for the matter of claiming three CVEs (instead of one). The latter got replicated all over the Internet (several other bug trackers).
The following reports of asan errors in the generator were made in the Fedora tracker, but apparently against development source, not a version in Fedora, and it's not clear exactly how they're obtained. You may want to take a look anyhow. I haven't examined them other than to verify they don't match the v1.9 source which is currently in Fedora.
(I'll update the packaging to 1.10 now I know about it; Fedora release notification is broken, unfortunately.)
https://bugzilla.redhat.com/show_bug.cgi?id=1652632
https://bugzilla.redhat.com/show_bug.cgi?id=1652633
https://bugzilla.redhat.com/show_bug.cgi?id=1652635