
Mailing List Archive: Full Disclosure: Full-Disclosure

Firefox 2.0.0.7 has a very serious calculation bug

 

 



hardwick.carl at gmail

Sep 28, 2007, 9:16 AM

Post #1 of 29 (8976 views)
Firefox 2.0.0.7 has a very serious calculation bug

There's a flaw in Firefox 2.0.0.7 that allows JavaScript to execute wrong
subtractions.

PoC concept here:
javascript:5.2-0.1
(copy this code into address bar)

Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
Internet Explorer 7 result: 5.1 (OK)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Larry at larryseltzer

Sep 28, 2007, 9:25 AM

Post #2 of 29 (8872 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

>> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
>> Internet Explorer 7 result: 5.1 (OK)

Maybe they're using Excel 2007 for their math.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
larry.seltzer [at] ziffdavisenterprise



Larry at larryseltzer

Sep 28, 2007, 9:31 AM

Post #3 of 29 (8854 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Actually, I see 5.1000000000000005 in both browsers.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
larry.seltzer [at] ziffdavisenterprise



jimbysharp at gmail

Sep 28, 2007, 9:34 AM

Post #4 of 29 (8855 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

How is this serious and is it related to security in any manner? If
not, please do not spam. :-(

And go and learn some floating point maths.

On 9/28/07, carl hardwick <hardwick.carl [at] gmail> wrote:
> There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
> subtractions.
>
> PoC concept here:
> javascript:5.2-0.1
> (copy this code into address bar)
>
> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> Internet Explorer 7 result: 5.1 (OK)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



jimbysharp at gmail

Sep 28, 2007, 9:35 AM

Post #5 of 29 (8863 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

How is this serious and is it related to security in any manner? If
not, please do not spam. :-(

And go and learn some floating point maths.

On 9/28/07, carl hardwick <hardwick.carl [at] gmail> wrote:
> There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
> subtractions.
>
> PoC concept here:
> javascript:5.2-0.1
> (copy this code into address bar)
>
> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> Internet Explorer 7 result: 5.1 (OK)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



bob at bclary

Sep 28, 2007, 10:16 AM

Post #6 of 29 (8870 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

carl hardwick wrote:
> There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
> subtractions.
>
> PoC concept here:
> javascript:5.2-0.1
> (copy this code into address bar)
>
> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> Internet Explorer 7 result: 5.1 (OK)
>

Please read <https://bugzilla.mozilla.org/show_bug.cgi?id=5856>.



steven at securityzone

Sep 28, 2007, 10:20 AM

Post #7 of 29 (8850 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

So are we dealing with an RDCB (Recently Disclosed Calculation Bug) or was
this just a mistake?

Steven

> Actually, I see 5.1000000000000005 in both browsers.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.eweek.com/cheap_hack/
> Contributing Editor, PC Magazine
> larry.seltzer [at] ziffdavisenterprise
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>




lcamtuf at dione

Sep 28, 2007, 10:22 AM

Post #8 of 29 (8876 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

On Fri, 28 Sep 2007, carl hardwick wrote:

> javascript:5.2-0.1
> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)

This is the proper behavior of an IEEE 754 64-bit double float, which, IIRC, is
precisely what the ECMA standard mandates.

You will get the same from any C-style 'double' arithmetic.

> Internet Explorer 7 result: 5.1 (OK)

They use a marginally higher precision. Now try 5.002-.001 - chances are,
you will get 5.00999...

Neither is a "very serious calculation bug". JavaScript does not guarantee
- and nowhere actually delivers - arbitrary GMP-style precision.

/mz



dveditz at cruzio

Sep 28, 2007, 10:43 AM

Post #9 of 29 (8864 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

carl hardwick wrote:
> PoC concept here:
> javascript:5.2-0.1
> (copy this code into address bar)
>
> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> Internet Explorer 7 result: 5.1 (OK)

In IE7 and Opera I get the same thing you do for Firefox. This is not
surprising, because the ECMAScript specification says that floating point
operations must comply with ANSI/IEEE Std 754-1985, IEEE Standard for
Binary Floating-Point Arithmetic.

The ECMAScript version 4 proposal introduces a decimal type intended to fix
up some of the weirdness caused by mapping base-2 floating point rounding back
into base-10 notation.

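An added example, not part of any post in this thread: a short JavaScript decoder that pulls the raw IEEE 754 binary64 fields out of a Number (through DataView and BigInt) and prints the exact binary fraction the engine actually stores. It shows why the PoC gives 5.1000000000000005: neither 5.2 nor 0.1 is representable, and the correctly rounded difference lands exactly one ulp above the double nearest to 5.1, in every engine that follows the ECMAScript spec. The helper names (doubleBits, decodeDouble, exactDecimal, ulpDistance) are this example's own, and it assumes an engine with BigInt support.

```javascript
// Added example (not from the thread): inspect the IEEE 754 binary64 value
// behind a JavaScript Number. The helper names below are this example's own,
// not browser or ECMAScript APIs.

// Raw 64-bit pattern of a double, as a BigInt (big-endian in both calls).
function doubleBits(x) {
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);
  return view.getBigUint64(0);
}

// Split a finite, normal double into sign, integer mantissa and binary
// exponent so that value = (-1)^sign * mantissa * 2^exponent.
function decodeDouble(x) {
  const bits = doubleBits(x);
  const sign = Number(bits >> 63n);
  const expField = Number((bits >> 52n) & 0x7ffn);
  if (expField === 0 || expField === 0x7ff) {
    throw new RangeError("zero, subnormal, Infinity and NaN are not handled here");
  }
  const mantissa = (1n << 52n) | (bits & ((1n << 52n) - 1n)); // restore hidden 1
  const exponent = expField - 1023 - 52;
  return { sign, mantissa, exponent };
}

// Exact decimal expansion of the stored value. A binary fraction always
// terminates in decimal, so the digit loop ends on its own.
function exactDecimal(x) {
  const { sign, mantissa, exponent } = decodeDouble(x);
  let intPart;
  let digits = "";
  if (exponent >= 0) {
    intPart = mantissa << BigInt(exponent);
  } else {
    const shift = BigInt(-exponent);
    const mask = (1n << shift) - 1n;
    intPart = mantissa >> shift;
    let rem = mantissa & mask; // numerator of the fractional part over 2^shift
    while (rem !== 0n) {
      rem *= 10n;
      digits += (rem >> shift).toString();
      rem &= mask;
    }
  }
  return (sign ? "-" : "") + intPart.toString() + (digits ? "." + digits : "");
}

// Distance in ulps between two positive doubles. For positive finite doubles
// the bit patterns are ordered like the values, so the integer difference
// counts the representable numbers between them.
function ulpDistance(a, b) {
  if (a < 0 || b < 0) throw new RangeError("positive inputs only");
  const d = doubleBits(a) - doubleBits(b);
  return d < 0n ? -d : d;
}

// What the thread's PoC actually computes.
const difference = 5.2 - 0.1;
console.log("5.2 is stored as       ", exactDecimal(5.2));
console.log("0.1 is stored as       ", exactDecimal(0.1));
console.log("5.1 is stored as       ", exactDecimal(5.1));
console.log("5.2 - 0.1 is stored as ", exactDecimal(difference));
console.log("ulps between 5.2-0.1 and 5.1:", ulpDistance(difference, 5.1).toString()); // 1
```

The printed expansions match the `%.16lf` values quoted later in the thread once you round them to 16 places; the point is that nothing in the subtraction went wrong, the inputs were already off before the first operation ran.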


full-disclosure at hushmail

Sep 28, 2007, 10:48 AM

Post #10 of 29 (8843 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Dear Jimby,

Please read the list charter.

What if this issue has security implications that we are unaware
of? It is important to saturate this list with any and all reports
of software misbehavior (or perceived misbehavior) so that Vladis
and the other aged mailing list participants can show off that they
have nothing to offer aside from stale sarcastic responses.

"yo dude i was first poster on teh bugtraq in 1992ad and haven't
shut up since and am moar stupid that teh blue baor but i will not
shut up"
-vladis clitus

Shut up Vladis.

On Fri, 28 Sep 2007 12:35:11 -0400 Jimby Sharp
<jimbysharp [at] gmail> wrote:
>How is this serious and is it related to security in any manner?
>If
>not, please do not spam. :-(
>
>And go and learn some floating point maths.
>
>On 9/28/07, carl hardwick <hardwick.carl [at] gmail> wrote:
>> There's a flaw in Firefox 2.0.0.7 allows javascript to execute
>wrong
>> subtractions.
>>
>> PoC concept here:
>> javascript:5.2-0.1
>> (copy this code into address bar)
>>
>> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
>> Internet Explorer 7 result: 5.1 (OK)
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/




susam at susam

Sep 28, 2007, 11:09 AM

Post #11 of 29 (8855 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Let's take this C code.

#include <stdio.h>

int main(int argc, char **argv) {
    float a = 0.7;                 /* 0.7 stored with single precision */
    if (a == 0.7) {                /* a is promoted to double before the compare */
        printf("%f is equal to %f\n", a, 0.7);
    } else {
        printf("%f is not equal to %f\n", a, 0.7);
    }
    return 0;
}

On many implementations (not necessarily all implementations) we will
get the output as:

0.700000 is not equal to 0.700000

For example, on my Debian Etch with gcc 4.1.2, the output is as shown
above. This doesn't mean it is a bug in GCC. We can't call this a bug in
GCC because it's just a limitation of floating point math. The
programmer should be careful of these floating point issues while
programming.

Similarly, if someone doesn't take care of the floating point behavior
while writing code in JavaScript, we should say that the JavaScript code
has the bug instead of saying that the bug is in Firefox.

Regards,
Susam Pal
http://susam.in/

carl hardwick wrote, On Friday 28 September 2007 09:46 PM:
> There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
> subtractions.
>
> PoC concept here:
> javascript:5.2-0.1
> (copy this code into address bar)
>
> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> Internet Explorer 7 result: 5.1 (OK)



bmhkim at gmail

Sep 28, 2007, 11:38 AM

Post #12 of 29 (8850 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

On 9/28/07, Susam Pal <susam [at] susam> wrote:
> Let's take this C code.
>
> #include <stdio.h>
>
> int main(int argc, char **argv) {
> float a = 0.7;
> if(a == 0.7) {
> printf("%f is equal to %f\n", a, 0.7);
> } else {
> printf("%f is not equal to %f\n", a, 0.7);
> }
> }
>
> On many implementations (not necessarily all implementations) we will
> get the output as:-
>
> 0.700000 is not equal to 0.700000
>
> For example, on my Debian Etch with gcc 4.1.2, the output is as shown
> above. This doesn't mean it is a bug in GCC. We can't call this a bug in
> GCC because it's just a limitation of floating point math. The
> programmer should be careful of these floating point issues while
> programming.
>
> Similarly, if someone doesn't take care of the floating point behavior
> while writing code in JavaScript, we should say that the JavaScript code
> has the bug instead of saying that the bug is in Firefox.
>
> Regards,
> Susam Pal
> http://susam.in/
>
> carl hardwick wrote, On Friday 28 September 2007 09:46 PM:
> > There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
> > subtractions.
> >
> > PoC concept here:
> > javascript:5.2-0.1
> > (copy this code into address bar)
> >
> > Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> > Internet Explorer 7 result: 5.1 (OK)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Wouldn't that be because (float)0.7 != (double)0.7?

Also, relevant to the whole discussion:
http://www.cygnus-software.com/papers/comparingfloats/comparingfloats.htm

Cheers!
Brian



susam at susam

Sep 28, 2007, 11:52 AM

Post #13 of 29 (8875 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Yes. If one operand of a binary operator is of double type and the other
is of float type, then it is converted to double before the operator
operates. In this case when float type 0.7 is converted to double type,
the converted value is not exactly equal to double type 0.7. It can
never be on many implementations because some precision is lost in float
type 0.7.

So, I wanted to highlight that these issues are to be taken care of by
the programmer. Hence, we should not say that the flaw is in Firefox.

Regards,
Susam Pal
http://susam.in/

Brian Kim wrote, On Saturday 29 September 2007 12:08 AM:
>
> Wouldn't that be because (float)0.7 != (double)0.7?
>
> Also, relevant to the whole discussion:
> http://www.cygnus-software.com/papers/comparingfloats/comparingfloats.htm
>
> Cheers!
> Brian
>
>
> On 9/28/07, Susam Pal <susam [at] susam> wrote:
>> Let's take this C code.
>>
>> #include <stdio.h>
>>
>> int main(int argc, char **argv) {
>> float a = 0.7;
>> if(a == 0.7) {
>> printf("%f is equal to %f\n", a, 0.7);
>> } else {
>> printf("%f is not equal to %f\n", a, 0.7);
>> }
>> }
>>
>> On many implementations (not necessarily all implementations) we will
>> get the output as:-
>>
>> 0.700000 is not equal to 0.700000
>>
>> For example, on my Debian Etch with gcc 4.1.2, the output is as shown
>> above. This doesn't mean it is a bug in GCC. We can't call this a bug in
>> GCC because it's just a limitation of floating point math. The
>> programmer should be careful of these floating point issues while
>> programming.
>>
>> Similarly, if someone doesn't take care of the floating point behavior
>> while writing code in JavaScript, we should say that the JavaScript code
>> has the bug instead of saying that the bug is in Firefox.
>>
>> Regards,
>> Susam Pal
>> http://susam.in/
>>
>> carl hardwick wrote, On Friday 28 September 2007 09:46 PM:
>>> There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
>>> subtractions.
>>>
>>> PoC concept here:
>>> javascript:5.2-0.1
>>> (copy this code into address bar)
>>>
>>> Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
>>> Internet Explorer 7 result: 5.1 (OK)

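An added example, not part of Susam Pal's or Brian Kim's posts: the same promotion effect reproduced in JavaScript. Math.fround() rounds a Number to the nearest single-precision (C float) value and hands it back as a double, which is exactly what the C comparison `a == 0.7` does implicitly when the float operand is widened. It also shows that the loss from the float step is about 1e-8, eight orders of magnitude bigger than the double rounding behind the original 5.2-0.1 report, so the two effects are easy to tell apart. The helper names (floatVsDouble, report) are this example's own.

```javascript
// Added example (not from the thread): (float)0.7 != (double)0.7 shown in
// JavaScript. Math.fround rounds to binary32 and returns a binary64, which
// is what C does when a float operand meets a double one. The helper names
// floatVsDouble and report are this example's own.

// Compare the single-precision rounding of x with its double-precision value.
function floatVsDouble(x) {
  const asFloat = Math.fround(x);   // value after a round trip through float
  return {
    literal: x,
    asFloat,
    equal: asFloat === x,           // the C test `a == 0.7`, after promotion
    error: Math.abs(asFloat - x),   // precision thrown away by the float step
  };
}

// One line per literal, printed with the same 16 decimals as the thread's printf.
function report(values) {
  return values.map((v) => {
    const r = floatVsDouble(v);
    return `${v}: as float=${r.asFloat.toFixed(16)} equal=${r.equal} ` +
           `error=${r.error.toExponential(3)}`;
  });
}

for (const line of report([0.7, 5.1, 0.5])) console.log(line);
// 0.7 and 5.1 are not representable in float and lose about 1e-8;
// 0.5 is a power of two, so it survives the round trip unchanged.
```

The `as float` value for 5.1 is the 5.0999999046325684 that appears later in the thread from the `(float) 5.1` cast; it is a float-to-double artefact and has nothing to do with the 5.2-0.1 result, which stays one ulp off in pure double arithmetic.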


jimbysharp at gmail

Sep 28, 2007, 12:02 PM

Post #14 of 29 (8847 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Michal

I don't get the same from C-style double arithmetic. Could you
provide sample code that you believe should show the same behavior?

On 9/28/07, Michal Zalewski <lcamtuf [at] dione> wrote:
> On Fri, 28 Sep 2007, carl hardwick wrote:
>
> > javascript:5.2-0.1
> > Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
>
> This is a proper behavior of IEEE 754 64-bit double float, which, IIRC, is
> precisely what ECMA standard mandates.
>
> You will get the same from any C-style 'double' arithmetics.
>
> > Internet Explorer 7 result: 5.1 (OK)
>
> They use a marginally higher precision. Now try 5.002-.001 - chances are,
> you will get 5.00999...
>
> Neither is a "very serious calculation bug". Javascript does not guarantee
> - and nowhere actually delivers - arbitrary GMP-style precision.
>
> /mz
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



lcamtuf at dione

Sep 28, 2007, 12:09 PM

Post #15 of 29 (8854 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

On Sat, 29 Sep 2007, Jimby Sharp wrote:

> I don't get the same from C-style double arithmetics. Could you provide
> a sample code that you believe should show the same behavior?

If you don't, it's presumably because the subtraction is optimized out by
the compiler, or because you printf() with an insufficient precision in
format spec. The following should do the trick:

#include <stdio.h>

volatile double a = 5.2;   /* volatile keeps the compiler from folding a-b at compile time */
volatile double b = 0.1;

int main(void) {
    printf("%.16lf\n", a - b);   /* 16 decimals: enough to see the last bit of a double */
    return 0;
}

/mz



rodrigob at darkover

Sep 28, 2007, 12:29 PM

Post #16 of 29 (8851 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Sep 28, 2007 at 09:09:02PM +0200, Michal Zalewski wrote:
> On Sat, 29 Sep 2007, Jimby Sharp wrote:
>
> > I don't get the same from C-style double arithmetics. Could you provide
> > a sample code that you believe should show the same behavior?
>
> If you don't, it's presumably because the subtraction is optimized out by
> the compiler, or because you printf() with an insufficient precision in
> format spec. The following should do the trick:
>
> volatile double a = 5.2;
> volatile double b = 0.1;
> main() { printf("%.16lf\n",a-b); }

Confirmed here with:

gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)

Actually quite interesting.

- --
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFG/VYOpdyWzQ5b5ckRAn1tAJ9x3djXPKEjWRvziawa14/PVQE1YACeKjZw
U3PlG4Gey2JfDO+vckjkyNY=
=whDu
-----END PGP SIGNATURE-----



rodrigob at darkover

Sep 28, 2007, 12:44 PM

Post #17 of 29 (8846 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Sep 28, 2007 at 09:09:02PM +0200, Michal Zalewski wrote:
> On Sat, 29 Sep 2007, Jimby Sharp wrote:
>
> > I don't get the same from C-style double arithmetics. Could you provide
> > a sample code that you believe should show the same behavior?
>
> If you don't, it's presumably because the subtraction is optimized out by
> the compiler, or because you printf() with an insufficient precision in
> format spec. The following should do the trick:
>
> volatile double a = 5.2;
> volatile double b = 0.1;
> main() { printf("%.16lf\n",a-b); }

Isn't this the same issue pointed out by Brian Kim (double to float
conversion)?

Look at the results I get for the following code:

#include <stdio.h>

volatile double a = 5.2;
volatile double b = 0.1;

int main(void) {
    printf("%.16lf\n", a);
    printf("%.16lf\n", b);
    printf("%.16lf\n", (volatile double) 5.1);
    printf("%.16lf\n", (volatile double)((float) 5.1));   /* 5.1 rounded to float first */
    printf("%.16lf\n", a - b);
    return 0;
}


Results:
5.2000000000000002
0.1000000000000000
5.0999999999999996
5.0999999046325684 <------------
5.1000000000000005


- --
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFG/VmCpdyWzQ5b5ckRArw8AJ9snBYsgIK7pvwHbILw43gTtuz6rwCgqxGO
snsqqiu9zDaqhITIe/Ycf7o=
=MJfE
-----END PGP SIGNATURE-----



jimbysharp at gmail

Sep 28, 2007, 12:48 PM

Post #18 of 29 (8851 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Thanks.

On 9/29/07, Michal Zalewski <lcamtuf [at] dione> wrote:
> On Sat, 29 Sep 2007, Jimby Sharp wrote:
>
> > I don't get the same from C-style double arithmetics. Could you provide
> > a sample code that you believe should show the same behavior?
>
> If you don't, it's presumably because the subtraction is optimized out by
> the compiler, or because you printf() with an insufficient precision in
> format spec. The following should do the trick:
>
> volatile double a = 5.2;
> volatile double b = 0.1;
> main() { printf("%.16lf\n",a-b); }
>
> /mz
>



lcamtuf at dione

Sep 28, 2007, 1:08 PM

Post #19 of 29 (8839 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

On Fri, 28 Sep 2007, Rodrigo Barbosa wrote:

>> volatile double a = 5.2;
>> volatile double b = 0.1;
>> main() { printf("%.16lf\n",a-b); }
> Isn't this the same issue pointed out by Brian Kim (double to float
> conversion) ?

There is no double to float conversion in the above code.

> Look the results I get for the following code:

> volatile double a = 5.2;
> volatile double b = 0.1;
> printf("%.16lf\n",a);
> printf("%.16lf\n",b);
> printf("%.16lf\n",(volatile double) 5.1);
> printf("%.16lf\n",(volatile double)((float) 5.1));
> printf("%.16lf\n",a-b);

There is no double to float conversion in your code, either. There is a
float to double conversion, to which you point, but it has pretty much
nothing to do with the discussed behavior of Firefox (or my code snippet),
and produces a distinctive result (5.0999999046325684).

I'm also puzzled as to why you typecast printf parameters to volatile.

Floating point integers are inherently inaccurate; many numbers cannot be
accurately represented in this format (5.2 being no exception) - and small
errors are introduced and propagated through calculations. This is a
well-documented and well-understood property, and really the only way such
calculations could realistically be performed using small, constrained
datatypes and sane FPU designs.

It's not a security problem, either, unless a misguided application
programmer expects the calculations to have some magical unconstrained
precision (yet fails to use specialized scientific libraries to get close
to this goal), and makes critical decisions based on these made up
expectations. That's not a problem with Firefox, though.

Really...
http://en.wikipedia.org/wiki/IEEE_754

/mz

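An added example, not part of Michal Zalewski's post or of the comparingfloats article Brian linked earlier: the defensive side of the same point, in JavaScript. It shows the three things application code should do so that 5.2-0.1 !== 5.1 never turns into a wrong decision: compare doubles within a tolerance scaled to the operands instead of with ===, keep money as integers in the smallest unit and only convert for display, and round at presentation time rather than inside the arithmetic. The function names (nearlyEqual, toCents, formatCents, display) and the two-decimal currency format are this example's assumptions.

```javascript
// Added example (not from the thread): how application code should treat
// binary floating point so that a one-ulp result never drives a decision.
// Function names and the two-decimal currency format are assumptions of
// this example, not anything from the thread or from a library.

// 1. Never test doubles with ===; compare within a tolerance scaled to the
//    operands. Number.EPSILON is the gap between 1 and the next double.
function nearlyEqual(a, b, ulps = 4) {
  const scale = Math.max(Math.abs(a), Math.abs(b), 1);
  return Math.abs(a - b) <= ulps * Number.EPSILON * scale;
}

// 2. Money: keep amounts as integers in the smallest unit (cents) and never
//    route them through a double. Parsing the decimal text directly avoids
//    the rounding that parseFloat("5.20") * 100 would already introduce.
function toCents(amountText) {
  const m = /^(-?)(\d+)(?:\.(\d{1,2}))?$/.exec(amountText.trim());
  if (!m) throw new TypeError(`not a money amount: ${amountText}`);
  const [, sign, whole, frac = ""] = m;
  const cents = BigInt(whole) * 100n + BigInt(frac.padEnd(2, "0"));
  return sign ? -cents : cents;
}

function formatCents(cents) {
  const neg = cents < 0n;
  const abs = neg ? -cents : cents;
  return `${neg ? "-" : ""}${abs / 100n}.${(abs % 100n).toString().padStart(2, "0")}`;
}

// 3. If a float must be shown, round once, at presentation time only.
function display(x, places = 2) {
  return x.toFixed(places);
}

// The thread's PoC, handled the wrong way and the three right ways.
const naive = 5.2 - 0.1;                            // 5.1000000000000005
const looksRight = naive === 5.1;                   // false: the trap
const tolerant = nearlyEqual(naive, 5.1);           // true
const exact = toCents("5.20") - toCents("0.10");    // 510n, no rounding at all

console.log(naive, looksRight, tolerant, formatCents(exact), display(naive));
```

The tolerance in nearlyEqual is deliberately relative: a fixed 1e-9 would be far too loose for values near zero and far too tight for values in the billions, which is the usual way an "epsilon compare" goes wrong in practice.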


waldoalvarez00 at gmail

Sep 28, 2007, 7:25 PM

Post #20 of 29 (8830 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Hello:

On 9/28/07, Jimby Sharp <jimbysharp [at] gmail> wrote:
>
> How is this serious and is it related to security in any manner? If
> not, please do not spam. :-(


Many bugs are security related (I would say all). How is it security
related? Think. What happens if your bank calculates something wrong and
puts the lower in your account and the higher in another account? Yes, it
might be little, but what about a little many
times? That could be done with JavaScript too. Then... you are not safe
anymore. Especially today with the invasion of AJAX. One of the browsers is
broken for sure (several?). They should do the same even in such small
things. It should at least be very carefully documented. However, just
documenting it is only going to bring trouble since many programmers won't
be aware of that. They would not even be making mistakes in the code but
triggering somebody else's errors. This kind of stuff happens many times.
For instance, a couple of days ago I hit a problem in which both Opera and
Firefox behaved differently to IE (some parameters in the form were not
sent to the server). It was with a <table><form></form></table> instead of
<form><table></table></form> (or the other way around, can't remember which
was the workaround).

Yes, every bug is security related. A database that is out of sync. An
improperly rounded number. Remember why Ariane blew up in the air because
of this? Remember the Mars rover that locked up because of a priority inversion
bug? Would you call it a security bug? I really doubt many of you would.
However, millions were lost. Wasn't it security related? Think. What if
someday the computers that handle the nuclear plant nearby make a wrong
rounding and one of the parameters goes out of range? Computers handle that,
handle your car, all of your communications, your heartbeat and even your
footsteps (heard about those smart Adidas with a chip?).

What if an airplane computer misses one of the parameters? It *is* a security
bug even if it is not a stack/heap overflow, an integer overflow or all of
the rest you all know about. I consider, if not all of the bugs, at least the
vast majority as security bugs. For your very own good, start thinking that
way too. Because someday you could even die just because somebody else
made a mistake in one of those control systems. Worse yet... because someone
thought that it wasn't a security bug and was not important to fix it.

Regards
Waldo Alvarez

PS: Now you have another way to verify (fingerprint) which browser is used to
browse a website even with spoofed User-Agent headers if JavaScript is
turned on.

> And go and learn some floating point maths.
>
> On 9/28/07, carl hardwick <hardwick.carl [at] gmail> wrote:
> > There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
> > subtractions.
> >
> > PoC concept here:
> > javascript:5.2-0.1
> > (copy this code into address bar)
> >
> > Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> > Internet Explorer 7 result: 5.1 (OK)
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


full-disclosure at hushmail

Sep 29, 2007, 5:35 AM

Post #21 of 29 (8827 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Not so much that it required such a long thread.

On Fri, 28 Sep 2007 15:29:18 -0400 Rodrigo Barbosa
<rodrigob [at] darkover> wrote:
>On Fri, Sep 28, 2007 at 09:09:02PM +0200, Michal Zalewski wrote:
>> On Sat, 29 Sep 2007, Jimby Sharp wrote:
>>
>> > I don't get the same from C-style double arithmetics. Could
>you provide
>> > a sample code that you believe should show the same behavior?
>>
>> If you don't, it's presumably because the subtraction is
>optimized out by
>> the compiler, or because you printf() with an insufficient
>precision in
>> format spec. The following should do the trick:
>>
>> volatile double a = 5.2;
>> volatile double b = 0.1;
>> main() { printf("%.16lf\n",a-b); }
>
>Confirmed here with:
>
>gcc (GCC) 4.1.1 20070105 (Red Hat 4.1.1-52)
>
>Actually quite interesting.
>
>--
>Rodrigo Barbosa
>"Quid quid Latine dictum sit, altum viditur"
>"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkb+RoIACgkQ+dWaEhErNvTOsgP/ZcU7BhwhtlxVR3DGfKQU7mn5uLVR
cN9rMB+G+yvM8CtdwrN3d0aJDCd2LFIal0XhnzvlPIV86wAhWic2gS89TRGHt9J82mKp
PyqHJWN0OAfMY0EjbURREjaz4dxmfV0d+T8la5b/vLRDhcI7HlH7YvLBrLcuDSAcySZX
5BtQnKE=
=uIWZ
-----END PGP SIGNATURE-----





jimbysharp at gmail

Sep 29, 2007, 6:41 AM

Post #22 of 29 (8862 views)
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Go and read floating point math.

On 9/29/07, wac <waldoalvarez00 [at] gmail> wrote:
>
> Many bugs are security related (I would say all). How it is security
> related? Think. What happens if your bank calculates something wrong and
> puts the lower in your account and the higher in another account? Yes, it
> might be little, but what about a little many times? That could be done
> with javascript too. Then... you are not safe anymore.
> Especially today with the invasion of AJAX. One of the
> browsers is broken for sure (several?). They should do the same even in such
> small things. It should at least be very carefully documented. However, just
> documenting it is only going to bring trouble, since many programmers won't
> be aware of that. They would not even be making mistakes in their code but
> triggering somebody else's errors. This kind of stuff happens many times.
> For instance, a couple of days ago I hit a problem in which both Opera and
> Firefox behaved differently from IE (some parameters in the form were not
> sent to the server). It was with a <table><form></form></table> instead of
> <form><table></table></form> (or the other way around; I can't remember which
> was the workaround).
>
> Yes, every bug is security related. A database that is out of sync. An
> improperly rounded number. Remember why Ariane blew up in the air because
> of this? Remember the Mars lander that locked up because of a priority inversion
> bug? Would you call it a security bug? I really doubt many of you would.
> However, millions were lost. Wasn't it security related? Think. What if
> someday the computers that handle the nuclear plant nearby make a wrong
> rounding and one of the parameters goes out of range? Computers handle that,
> handle your car, all of your communications, your heartbeat and even your
> footsteps (heard about those smart Adidas with a chip?).
>
> What if an airplane computer misses one of the parameters? It *is* a security
> bug even if it is not a stack/heap overflow, an integer overflow or all of
> the rest you all know about. I consider if not all of the bugs, at least the
> vast majority, to be security bugs. For your very own good, start thinking that
> way too. Because someday you could even die just because somebody else
> made a mistake in one of those control systems. Worse yet... because someone
> thought that it wasn't a security bug and was not important to fix.
>
> Regards
> Waldo Alvarez
>
> PS: Now you have another way to verify (fingerprint) which browser is used to
> browse a website, even with spoofed User-Agent headers, if javascript is
> turned on.
>
> > And go and learn some floating point maths.
> >
> > On 9/28/07, carl hardwick <hardwick.carl [at] gmail > wrote:
> > > There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong
> > > subtractions.
> > >
> > > PoC concept here:
> > > javascript:5.2-0.1
> > > (copy this code into address bar)
> > >
> > > Firefox 2.0.0.7 result: 5.1000000000000005 (WRONG!)
> > > Internet Explorer 7 result: 5.1 (OK)
> > >



andfarm at gmail

Sep 29, 2007, 4:32 PM

Post #23 of 29 (8808 views)
Permalink
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

On 28 Sep 07, at 19:25, wac wrote:
> On 9/28/07, Jimby Sharp <jimbysharp [at] gmail> wrote:
>> How is this serious and is it related to security in any manner? If
>> not, please do not spam. :-(
>
> Many bugs are security related (I would say all). How is it security
> related? Think. What happens if your bank calculates something wrong and
> puts the lower in your account and the higher in another account? Yes, it
> might be little, but what about a little many times? That could be done
> with javascript too. Then... you are not safe anymore.

If your bank is doing financial calculations using Javascript in a
standard web browser, you have bigger things to worry about than
roundoff errors.

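The two points made in this thread, that 5.2 - 0.1 printing 5.1000000000000005 is correct IEEE 754 double arithmetic rather than a Firefox bug, and that anything handling money should not be doing it in binary floating point, can both be shown in a few lines of JavaScript. The block below is an added example and is not code from the original posts; the function names (exactDecimal, toCents, fromCents, subtractMoney, sumFloat, sumMoney) are my own. exactDecimal prints the exact binary fraction a double stores, so the "wrong" digits become visible as the rounding they are; the money helpers do the same subtraction in integer cents, where every intermediate value is exact.

```javascript
// Added example (not from the thread): why 5.2 - 0.1 is 5.1000000000000005 in
// every IEEE 754 engine, and how to do money arithmetic without that drift.
// Helper names below are illustrative, not any library's API.

// Exact decimal expansion of a finite double. A double is m * 2^e with integer
// m, so its value is a terminating decimal; BigInt keeps every digit of it.
function exactDecimal(x) {
  if (!Number.isFinite(x)) throw new RangeError("finite doubles only");
  const view = new DataView(new ArrayBuffer(8));
  view.setFloat64(0, x);
  const bits = view.getBigUint64(0);
  const sign = bits >> 63n ? "-" : "";
  const expBits = Number((bits >> 52n) & 0x7ffn);
  let mant = bits & ((1n << 52n) - 1n);
  let exp;
  if (expBits === 0) {
    exp = -1074;                // subnormal or zero: no hidden bit
  } else {
    mant |= 1n << 52n;          // normal: restore the implicit leading 1
    exp = expBits - 1075;       // remove bias (1023) and the 52 fraction bits
  }
  if (mant === 0n) return "0";  // +0 and -0 both print as "0"
  if (exp >= 0) return sign + (mant << BigInt(exp)).toString();
  // mant / 2^k == mant * 5^k / 10^k: the digits of mant*5^k with the decimal
  // point k places from the right are the exact expansion.
  const k = -exp;
  const digits = (mant * 5n ** BigInt(k)).toString().padStart(k + 1, "0");
  const intPart = digits.slice(0, digits.length - k);
  const frac = digits.slice(digits.length - k).replace(/0+$/, "");
  return sign + intPart + (frac ? "." + frac : "");
}

// Money: parse a decimal string into integer cents and compute there.
// Integers below 2^53 are exact in a double, so + and - on cents never round.
function toCents(amount) {
  const m = /^(-)?(\d+)(?:\.(\d{1,2}))?$/.exec(String(amount).trim());
  if (m === null) throw new Error("not a money amount: " + amount);
  const cents = Number(m[2]) * 100 + Number((m[3] || "").padEnd(2, "0"));
  if (!Number.isSafeInteger(cents)) throw new RangeError("amount too large");
  return m[1] ? -cents : cents;
}

function fromCents(cents) {
  const sign = cents < 0 ? "-" : "";
  const abs = Math.abs(cents);
  return sign + Math.floor(abs / 100) + "." + String(abs % 100).padStart(2, "0");
}

function subtractMoney(a, b) {
  return fromCents(toCents(a) - toCents(b));
}

// Repeated addition in doubles drifts; the same sum in cents does not.
function sumFloat(step, n) {
  let s = 0;
  for (let i = 0; i < n; i++) s += step;
  return s;
}

function sumMoney(step, n) {
  return fromCents(toCents(step) * n);
}

// Stand-alone demo: the thread's example, shown exactly and in cents.
console.log("5.2 - 0.1 prints as  ", (5.2 - 0.1).toString());
console.log("5.2 is stored as     ", exactDecimal(5.2));
console.log("0.1 is stored as     ", exactDecimal(0.1));
console.log("5.2 - 0.1 stored as  ", exactDecimal(5.2 - 0.1));
console.log("5.1 is stored as     ", exactDecimal(5.1));
console.log("in cents:            ", subtractMoney("5.20", "0.10"));
console.log("0.1 added 10 times:  ", sumFloat(0.1, 10), "vs", sumMoney("0.10", 10));
```

Neither 5.2 nor 0.1 is representable in binary, so each is stored as the nearest double (exactDecimal shows the stored values); their difference is then rounded again, and it lands one unit in the last place above the double nearest to 5.1. JavaScript prints a Number with the shortest digit string that round-trips to that exact double, which is why 5.1000000000000005 appears while 5.1 itself prints as 5.1. Any engine that follows IEEE 754 gives the same digits, so this is not a per-browser difference. The cents helpers accept only what they can represent (at most two decimals, within the safe-integer range) and reject everything else, which is the check a practitioner wants before an amount string reaches arithmetic.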


jimbysharp at gmail

Sep 29, 2007, 11:25 PM

Post #24 of 29 (8790 views)
Permalink
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Exactly! And the so-called security experts who are giving long
lectures on the list about how any bug can result in a potential
security flaw are forgetting that if a security flaw arises, it
arises because of the programmer and not Firefox.

If I use strcpy() to read user input into a buffer, I am at fault,
not the C compiler.




nytrokiss at gmail

Sep 29, 2007, 11:58 PM

Post #25 of 29 (8787 views)
Permalink
Re: Firefox 2.0.0.7 has a very serious calculation bug [In reply to]

Correct! The line is always "there is no patch for human stupidity"




--
http://www.goldwatches.com/mens/cufflinks.html
http://www.jewelerslounge.com
