From: Zhoulai Fu
Subject: Re: Potential security bug: Buffer overflow in gsl_stats_quantile_from_sorted_data (of library Statistics)
Date: Sat, 16 Apr 2022 23:46:26 +0900
I just found out that the buffer overflow issue I reported years ago (see
below) remains in the recent version of GSL (just tested on the newest one
on GitHub). Is this issue something we plan to fix? I am asking since
now computing quantiles with GSL, or anything depending on it, seems not
secure.
BR,
Zhoulai
On Thu, Dec 3, 2020 at 11:12 PM Zhoulai Fu@Gmail <zhoulai.fu@gmail.com>
wrote:
> Running the following code (also attached as a file) triggers a
> segmentation error.
>
> #include <stdio.h>
> #include <gsl/gsl_sort.h>
> #include <gsl/gsl_statistics.h>
>
> int main(void)
> {
>     double upperq;
>     double data[5] = {17.2, 18.1, 16.5, 18.3, 12.6};
>     gsl_sort (data, 1, 5);
>     /* f = 675 lies outside [0,1]; this call crashes */
>     upperq = gsl_stats_quantile_from_sorted_data (data, 1, 5, 675);
>     return 0;
> }
> // gcc statsort_bug.c -lgsl -lgslcblas; ./a.out
>
> The error points to statistics/quantiles_source.c:41:
>
>     result = (1 - delta) * sorted_data[lhs * stride] + delta * sorted_data[(lhs + 1) * stride] ;
>
> The segmentation error is due to a stack buffer overflow (where
> lhs=2700, stride=1 as shown in GDB). The bug could be exploited for
> security attack, knowing that it occurs when the quantile "f" is
> beyond the expected [0,1] range (f=675 in this case).
>
> BR,
> Zhoulai
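The following is an added example, not GSL's code and not part of the thread above: a bounds-checked quantile routine that rejects the out-of-range f before any index is computed, so a caller that cannot rely on the library validating f can still avoid the read past the buffer. It assumes the interpolation formula implied by the quoted line (index = f * (n - 1), lhs = floor(index), delta = index - lhs; with f = 675 and n = 5 that gives lhs = 2700, matching the GDB value in the report) and uses qsort in place of gsl_sort so it builds without GSL. The function names and the return-code convention are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <math.h>

/* Bounds-checked quantile of already-sorted data (example code, not GSL's).
 * Assumed formula: index = f*(n-1), lhs = floor(index), delta = index - lhs.
 * Returns 0 and writes *result on success, -1 on invalid input. */
int safe_quantile_from_sorted_data(const double *sorted_data, size_t stride,
                                   size_t n, double f, double *result)
{
    if (sorted_data == NULL || result == NULL || n == 0 || stride == 0)
        return -1;

    /* The reported overflow: f outside [0,1] pushes lhs past n-1.
     * The negated comparison also rejects NaN, which fails every test. */
    if (!(f >= 0.0 && f <= 1.0))
        return -1;

    double index = f * (double)(n - 1);   /* 0 <= index <= n-1 */
    size_t lhs   = (size_t)index;         /* safe: index is non-negative and bounded */
    double delta = index - (double)lhs;

    if (lhs >= n - 1) {
        /* f == 1.0: there is no right-hand neighbour to interpolate with,
         * so read only the last element instead of sorted_data[n*stride]. */
        *result = sorted_data[(n - 1) * stride];
    } else {
        *result = (1 - delta) * sorted_data[lhs * stride]
                + delta * sorted_data[(lhs + 1) * stride];
    }
    return 0;
}

static int cmp_double(const void *a, const void *b)
{
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* Constructed sample: the five values from the report, sorted here with qsort
 * (gsl_sort would do the same job when GSL is linked). */
int demo(double f, double *out)
{
    double data[5] = {17.2, 18.1, 16.5, 18.3, 12.6};
    qsort(data, 5, sizeof data[0], cmp_double);
    return safe_quantile_from_sorted_data(data, 1, 5, f, out);
}

int main(void)
{
    double q;
    if (demo(0.75, &q) == 0)
        printf("upper quartile = %g\n", q);
    if (demo(675.0, &q) != 0)
        printf("f=675 rejected instead of reading past the buffer\n");
    return 0;
}
```

The check is written as `!(f >= 0.0 && f <= 1.0)` rather than `f < 0.0 || f > 1.0` so that a NaN quantile is also refused; the separate `lhs >= n - 1` branch keeps the f = 1.0 case from touching the element one past the end, which the two-term interpolation would otherwise do even for a valid f.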