CVE-2020-29573 Overview
CVE-2020-29573 is a stack-based buffer overflow vulnerability affecting the GNU C Library (glibc) on x86 targets. The flaw exists in sysdeps/i386/ldbl2mpn.c and can be triggered when input to any of the printf family of functions contains an 80-bit long double with a non-canonical bit pattern. This vulnerability affects glibc versions prior to 2.23, though the issue was effectively mitigated in 2015 through commits that enabled inlining of C99 math functions via GCC built-ins.
Critical Impact
A remote attacker can cause a denial of service condition by supplying specially crafted input to printf family functions, leading to application crashes due to stack-based buffer overflow.
Affected Products
- GNU glibc (versions before 2.23 on x86 targets)
- Red Hat Enterprise Linux 7.0
- NetApp Cloud Backup
- NetApp SolidFire Baseboard Management Controller
Discovery Timeline
- 2020-12-06 - CVE-2020-29573 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-29573
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-bounds Write), specifically a stack-based buffer overflow. The flaw resides in the ldbl2mpn.c file within the i386 system-dependent code of glibc. When processing 80-bit long double floating-point values with non-canonical bit patterns through printf family functions (printf, sprintf, fprintf, etc.), the library fails to properly validate the input boundaries.
The vulnerability can be exploited remotely since network-accessible applications that process user-supplied floating-point data through printf functions are potential targets. The attack requires no authentication or user interaction, making it particularly concerning for server applications that format numerical output based on external input.
Root Cause
The root cause stems from improper bounds checking in the ldbl2mpn.c conversion routines. When an 80-bit extended precision floating-point number contains a non-canonical bit pattern (such as the specific byte sequence \\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04), the conversion code writes beyond the allocated stack buffer boundaries. This occurs because the code assumes well-formed floating-point representations and does not account for malformed or intentionally crafted non-canonical values.
The fix involved inlining C99 math functions through GCC built-ins in 2015, which changed the code path and prevented the vulnerable conversion routine from being triggered under normal circumstances.
Attack Vector
The attack vector is network-based, requiring an attacker to supply specially crafted input that eventually gets processed by one of the printf family functions. The specific attack involves passing a non-canonical 80-bit long double value to functions like sprintf.
When a vulnerable application receives this malformed floating-point data and attempts to format it for output, the stack buffer overflow occurs. This can result in application termination (denial of service) and potentially more severe consequences depending on the specific memory layout and exploitation technique.
The vulnerability is exploitable by crafting input containing specific byte patterns that represent non-canonical long double values. When this input is processed by sprintf or similar functions, the overflow occurs in the stack buffer used for the conversion.
Detection Methods for CVE-2020-29573
Indicators of Compromise
- Application crashes or unexpected terminations in services using glibc printf functions
- Core dumps showing stack corruption in ldbl2mpn.c or related floating-point conversion routines
- Anomalous input patterns containing non-standard floating-point byte sequences in application logs
- Segmentation faults originating from glibc string formatting functions
Detection Strategies
- Monitor for segmentation faults and core dumps in applications that process floating-point data from external sources
- Implement application-level input validation for floating-point values before passing to printf functions
- Deploy runtime memory protection tools (such as AddressSanitizer) in development environments to detect buffer overflows
- Review system logs for abnormal application behavior related to string formatting operations
Monitoring Recommendations
- Enable core dump collection and analysis for applications processing external numerical data
- Configure system monitoring to alert on repeated application crashes in services using glibc
- Implement centralized logging for applications that format floating-point output based on user input
- Monitor for patterns of malformed floating-point inputs in network traffic analysis tools
How to Mitigate CVE-2020-29573
Immediate Actions Required
- Verify glibc version across all x86 systems and prioritize upgrades for systems running versions prior to 2.23
- Review applications that process external floating-point data through printf functions for potential exposure
- Apply vendor-specific patches from Red Hat, Gentoo, or NetApp as applicable to your environment
- Implement input validation to reject malformed floating-point values before they reach printf functions
Patch Information
GNU glibc versions 2.23 and later include mitigations that prevent this vulnerability from being exploited under default configurations. The fix was implemented through commits made in 2015 that enabled inlining of C99 math functions using GCC built-ins.
For specific vendor patches and advisories:
- Sourceware Bug Report #26649 - Official bug tracking for this vulnerability
- Sourceware libc-alpha Mailing List Post - Technical discussion and patch details
- Gentoo GLSA 2021-20 - Gentoo Linux security advisory
- NetApp Security Advisory NTAP-20210122-0004 - NetApp affected products and remediation
Workarounds
- Upgrade glibc to version 2.23 or later, which includes the protective inlining of C99 math functions
- Implement application-level input validation to sanitize floating-point values before formatting operations
- Consider using alternative formatting functions that do not rely on the vulnerable code path
- Isolate applications processing untrusted floating-point input in containerized or sandboxed environments
# Check current glibc version on the system
ldd --version
# Verify the specific glibc package version (RPM-based systems)
rpm -qa | grep glibc
# Verify the specific glibc package version (Debian-based systems)
dpkg -l | grep libc6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
