CVE-2019-14878
NixOS vulnerability analysis and mitigation

Overview

In the __d2b function of the newlib libc library, all versions prior to 3.3.0 (see newlib/libc/stdlib/mprec.c), Balloc is used to allocate a big integer, but no check is performed to verify whether the allocation succeeded. Accessing _x then triggers a null pointer dereference when the memory allocation fails (CENSUS Labs).

Technical details

The vulnerability occurs in the __d2b function where Balloc is used to allocate memory for a big integer. The function fails to check if the allocation was successful before accessing the _x member of the allocated structure. This leads to a null pointer dereference when memory allocation fails. The vulnerability affects newlib versions prior to 3.3.0, including derivatives like newlib-nano and picolibc (CENSUS Labs).
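The missing check, shown as a constructed C example added here (not newlib's code): a simplified Bigint, a Balloc stand-in that can be forced to fail, and the __d2b pattern in its unchecked and checked forms. The names balloc_sim, d2b_unchecked, d2b_checked, check_d2b and g_fail_alloc are hypothetical.

```c
#include <stdlib.h>
/* Simplified stand-in for newlib's Bigint (hypothetical layout). */
typedef struct Bigint {
    int wds;               /* digit words in use */
    unsigned long x[1];    /* digit words; newlib names this _x */
} Bigint;

/* Test hook: when non-zero, balloc_sim() returns NULL (simulated heap exhaustion). */
int g_fail_alloc = 0;

/* Stand-in for Balloc: allocate room for 2^k digit words. */
Bigint *balloc_sim(int k)
{
    if (g_fail_alloc) return NULL;
    size_t words = (size_t)1 << k;
    Bigint *b = malloc(sizeof(Bigint) + (words - 1) * sizeof(unsigned long));
    if (b) b->wds = 0;
    return b;
}

/* Vulnerable shape (CVE-2019-14878): the Balloc result is used unchecked, so
 * an allocation failure turns into a write at a small offset from address 0. */
Bigint *d2b_unchecked(unsigned long mant)
{
    Bigint *b = balloc_sim(1);
    b->x[0] = mant;        /* b may be NULL here */
    b->wds = 1;
    return b;
}

/* Fixed shape (newlib >= 3.3.0): stop and report the failure to the caller. */
Bigint *d2b_checked(unsigned long mant)
{
    Bigint *b = balloc_sim(1);
    if (b == NULL) return NULL;
    b->x[0] = mant;
    b->wds = 1;
    return b;
}

/* Drive d2b_checked with allocation forced to fail (fail=1) or allowed (fail=0);
 * returns 1 if the outcome is safe: NULL on failure, mant stored on success. */
int check_d2b(unsigned long mant, int fail)
{
    g_fail_alloc = fail;
    Bigint *b = d2b_checked(mant);
    g_fail_alloc = 0;
    int ok = fail ? (b == NULL) : (b != NULL && b->x[0] == mant && b->wds == 1);
    free(b);
    return ok;
}
```

d2b_unchecked is kept only for side-by-side comparison; it is never called, because with the allocation failing it would write through a null pointer.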

Impact

When exploited, this vulnerability can cause the processor to read or write bytes at an offset from the 0x0 memory address. On embedded processors where the Device Vector Table is mapped at address 0x0, this could lead to leaking interrupt handler addresses, overwriting interrupt handlers, or executing arbitrary code through function pointers found in these memory locations (CENSUS Labs).

Mitigation and workarounds

Users are strongly advised to update to newlib version 3.3.0 or later, which includes patches for this vulnerability. When building the library, enable the newlib-reent-check-verify configure option (--enable-newlib-reent-check-verify) for proper protection (CENSUS Labs).

Community reactions

The vulnerability was discovered during a security assessment of a firmware binary by Dimitrios Glynos. The widespread use of newlib in 'bare metal' devices raises concerns as many of these devices may never receive security updates and will remain vulnerable (CENSUS Labs).

This report was generated using AI.

Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-22783  HIGH      8.1    NixOS         iris            No                Yes      Jan 12, 2026
CVE-2026-0821   MEDIUM    6.9    NixOS         quickjs         No                No       Jan 10, 2026
CVE-2025-68949  MEDIUM    5.3    NixOS         n8n             No                Yes      Jan 13, 2026
CVE-2026-22784  LOW       2.3    NixOS         lychee          No                Yes      Jan 12, 2026
CVE-2026-23497  LOW       1.3    NixOS         learning        No                Yes      Jan 14, 2026
