musl libc
cpe:2.3:a:musl-libc:musl:*:*:*:*:*:*:*
- >= 0.7.10, <= 1.2.6
A stack-based buffer overflow has been identified in musl libc versions 0.7.10 through 1.2.6. The issue arises in the qsort function when sorting very large arrays, specifically those exceeding approximately seven million elements on 32-bit platforms. It is caused by a logic error in the implementation of double-word primitives, which allows writes past the end of a stack-based buffer and so corrupts memory. On 64-bit platforms the vulnerability is not practical, as the element threshold for exploitation is excessively high.
Exploitation of this vulnerability can lead to stack-based memory corruption, with the potential for a crash and possibly arbitrary code execution on affected 32-bit systems.
The vulnerability can be reproduced by using the qsort function to sort an array of more than seven million elements on a 32-bit system. The issue is triggered by the way the smoothsort algorithm, which is used by qsort, handles the input when it exceeds the Leonardo number corresponding to the system's word size.
Users are advised to upgrade to musl libc version 1.2.7 or apply the available patch.
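The element threshold described above can be derived from the Leonardo sequence and used as a guard on hosts that cannot be upgraded yet. The following C is an added example, not code from musl or from this advisory. It assumes that "the Leonardo number corresponding to the system's word size" means L(k) for a k-bit size_t; `leonardo`, `qsort_count_at_risk` and `guarded_qsort` are hypothetical names.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Leonardo numbers (smoothsort tree sizes): L(0)=L(1)=1, L(n)=L(n-1)+L(n-2)+1. */
static uint64_t leonardo(unsigned n)
{
    uint64_t a = 1, b = 1;              /* a = L(i), b = L(i+1) */
    for (unsigned i = 0; i < n; i++) {
        uint64_t next = a + b + 1;
        a = b;
        b = next;
    }
    return a;
}

/* Assumption: the risky element count for a k-bit size_t is L(k).
 * Conservative: reaching the threshold already counts as at risk. */
static int qsort_count_at_risk(uint64_t nmemb, unsigned word_bits)
{
    return nmemb >= leonardo(word_bits);
}

/* Hypothetical wrapper: refuses oversized sorts instead of calling qsort.
 * Returns 0 after sorting, -1 if the caller must use another strategy. */
static int guarded_qsort(void *base, size_t nmemb, size_t width,
                         int (*cmp)(const void *, const void *))
{
    if (qsort_count_at_risk(nmemb, (unsigned)(sizeof(size_t) * CHAR_BIT)))
        return -1;
    qsort(base, nmemb, width, cmp);
    return 0;
}

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

int main(void)
{
    int v[] = {42, 7, 19, 3};           /* constructed sample input */
    int rc = guarded_qsort(v, 4, sizeof v[0], cmp_int);
    printf("L(32)=%llu L(64)=%llu\n", (unsigned long long)leonardo(32),
           (unsigned long long)leonardo(64));
    printf("guarded sort rc=%d, smallest=%d\n", rc, v[0]);
    return 0;
}
```

L(32) is 7,049,155, which matches the advisory's figure of roughly seven million elements, while L(64) is about 3.4 × 10^13 elements.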