oss-sec mailing list archives
Re: Real world vulnerabilities of CWE-1077: Floating Point Comparison with Incorrect Operator?
From: Solar Designer <solar () openwall com>
Date: Sun, 14 May 2023 23:41:21 +0200
On Mon, Apr 24, 2023 at 04:43:29PM +0300, Georgi Guninski wrote:
Are there real world examples of vulnerabilities of this: https://cwe.mitre.org/data/definitions/1077.html CWE-1077: Floating Point Comparison with Incorrect Operator This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability. One simple example in python:A=(0.1+0.2)+0.3;B=0.1+(0.2+0.3);(A==B,A-B,A,B)(False, 1.1102230246251565e-16, 0.6000000000000001, 0.6)
See this thread: https://www.openwall.com/lists/oss-security/2011/01/05/2 "Since this problem stems from a single codebase, strtod.c, so it gets a single CVE identifier (already assigned CVE-2010-4645). The CVE description will "blame" strtod.c and mention PHP, and any other high-profile software that is discovered to use the same vulnerable, shared code." CVE-2010-4645 description currently in NVD is: "strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308." Interestingly, at least PHP's fix at the time wasn't to avoid the direct comparison, but to avoid having the floating-point values stay in x87 FP registers. This should be sufficient to workaround GCC "bug" 323, but it might not be robust across platforms and it does not fix CWE-1077. Alexander
Current thread:
- Real world vulnerabilities of CWE-1077: Floating Point Comparison with Incorrect Operator? Georgi Guninski (Apr 24)
- Re: Real world vulnerabilities of CWE-1077: Floating Point Comparison with Incorrect Operator? Solar Designer (May 14)