Reproducer for GNU glibc CVE-2020-10029. The vulnerability is in libm, the math component of the GNU C Library: the 80-bit long double trigonometric functions (sinl and friends) overflow an on-stack buffer during range reduction when they are called with a crafted x87 long double bit pattern that ordinary arithmetic never produces. A more detailed write-up is available on the ForAllSecure blog.
All the files in the corpus/ directory were generated from scratch by Mayhem.
- March 16 2012: Bug introduced in commit 8848d99dce1e57168a492d146f5e72195c7665a5.
- January 28 2020: Reported to security@debian.org.
- January 31 2020: Bug report https://sourceware.org/bugzilla/show_bug.cgi?id=25487 created per instructions from the GNU security team.
- February 12 2020: Bug fixed in commit 9333498794cde1d5cca518badf79533a24114b6f.
- August 1 2020: glibc 2.32 released, the first version that includes the fix (GNU libc releases a new version roughly once every six months).
Assuming you just want to build the docker image, run:
docker build -t forallsecure/libm-cve-2020-10029 .
If you don't want to build locally, you can pull a pre-built image directly from Docker Hub:
docker pull forallsecure/libm-cve-2020-10029
Change to the libm-cve-2020-10029 folder and run:
mayhem run mayhem/libm-tester
and watch Mayhem replicate the bugs! These bugs take very little time (several seconds) to find.
Change to the libm-cve-2020-10029 folder and run:
gcc src/libm-tester.c -lm -o libm-tester
Now run:
./libm-tester mayhem/libm-tester/poc/b443907b34ee3a07378d82778406743cd686d25f
If your system is vulnerable to CVE-2020-10029, it will print the following (the message comes from GCC's stack protector, so if your distribution's gcc does not enable -fstack-protector by default, add -fstack-protector-all to the compile command above or the corruption may go unreported; the bug is specific to the 80-bit long double format, so it reproduces only on x86 and x86-64 builds of glibc):
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
We have included a proof of concept output under the poc directory.
The code included with this project can easily be modified to test other libm implementations, such as those shipped with musl libc and the BSD libcs. Modify libm-cve-2020-10029/src/generate_function_calls.py to match the functions supported by the library you want to test, then regenerate function_calls.h:
python3 generate_function_calls.py >function_calls.h
You should now be able to compile libm-cve-2020-10029/src/libm-tester.c against your library.