reported buffer overflows #287
Comments
|
Thank you very much, I will look into this! I missed these three issues although I am somewhat watching if there are [major] complaints raised by the RPM, Debian, and FreeBSD packages. |
|
You wrote:
I missed these three issues although I am somewhat watching if there
are [major] complaints raised by the RPM, Debian, and FreeBSD
packages.
I'm sorry if you need to do that. I'll pass on anything relevant from
Fedora, anyhow; I know how annoying it is when distributions don't
report things "up-stream"!
|
|
The reported issues had the same root cause, which is fixed in GitHub/master (part of the next release update). The issues arised from fuzzed input data (perhaps generated automatically), which is nevertheless malformed CSC input. LIBXSMM's CSC/CSR readers now bail out with an error (previously: undefined behaviour). TODO: the issue is kept open until Valgrind (and similar tools) confirm no issues. |
|
FTR, CVE-2018-20541 and CVE-2018-20542 have been assigned for those issues, specifically: |
…by generate an eventual error message. Library initialization is needed for verbosity (warnings/errors). Added VC project for NOBLAS (dummy-)library. Adjusted error message (90011). Code cleanup.
|
The reported issues are fixed in LIBXSMM's master revision. There was no real application for the reported cases as invalid input data was supplied to a low-level API function. Beside of checking the input, an error message is generated. |
|
As stated above, the issues appeared to be discovered automatically using an approach fuzzing input data to induce a problem. The related publications can be found https://www.usenix.org/system/files/sec20spring_gan_prepub.pdf. The way of reporting the problem(s) is borderline (opinion) as the authors reported findings upstream as a security hole of the library for the matter of claiming three CVEs (instead of one). The latter got replicated allover the Internet (several other bug trackers). |
The following reports of asan errors in the generator were made in the Fedora tracker, but apparently against development source, not a version in Fedora, and it's not clear exactly how they're obtained. You may want to take a look anyhow. I haven't examined them other than to verify they don't match the v1.9 source which is currently in Fedora.
(I'll update the packaging to 1.10 now I know about it; Fedora release notification is broken, unfortunately.)
https://bugzilla.redhat.com/show_bug.cgi?id=1652632
https://bugzilla.redhat.com/show_bug.cgi?id=1652633
https://bugzilla.redhat.com/show_bug.cgi?id=1652635
The text was updated successfully, but these errors were encountered: