This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Re: About *printf %n fortifications
- From: Daniel Jacobowitz <drow at false dot org>
- To: Gwenole Beauchesne <gbeauchesne at mandriva dot com>
- Cc: libc-alpha at sources dot redhat dot com
- Date: Fri, 24 Feb 2006 13:30:36 -0500
- Subject: Re: About *printf %n fortifications
- References: <Pine.LNX.4.58.0602241826191.3145@gauss.mandriva.com>

On Fri, Feb 24, 2006 at 07:04:08PM +0100, Gwenole Beauchesne wrote:
> Hi,
>
> Why would a printf() with %n in the format string require this string to
> be non-writable? (debug/tst-chk1.c, stdio-common/vfprintf.c)
>
> See the attached test case (-O2 -D_FORTIFY_SOURCE=2)
> char fmt[] = "%s%n\n";
> printf(fmt, "bar", &count);
> looks valid to me, but causes an abort() with
> *** %n in writable segment detected ***
>
> The check was probably meant to be against the %n argument itself.
>
> The following patch fixes this but I have not updated tst-chk1.c yet.
> WDYT?

No, that's not the point. It doesn't matter whether the target of the
%n is writable; if it's not, we'll just segfault. The test is supposed
to prevent a malicious attacker inserting %n into the application
somewhere where it will be passed to printf, causing an unexpected
store.

Of course your testcase is valid - but it's a bad idea.

--
Daniel Jacobowitz
CodeSourcery
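
The policy described in the reply, as an added example that is not part of the original message and is not glibc's code: a format string containing %n is accepted only when the string itself sits in non-writable memory. The helper names are hypothetical, and using /proc/self/maps to decide writability is an assumption that holds on Linux with /proc mounted.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* 1 if fmt contains a %n conversion (any flags, width, precision or length
   modifier), else 0. "%%" is a literal percent sign, not a conversion. */
static int has_percent_n(const char *fmt)
{
    for (const char *s = fmt; (s = strchr(s, '%')) != NULL; ) {
        s++;
        s += strspn(s, "0123456789$*.-+ #'hlLqjzt");
        if (*s == 'n') return 1;
        if (*s) s++;            /* step over the conversion character */
    }
    return 0;
}

/* 1 if [p, p+len) lies within a single non-writable mapping, 0 if it is
   writable or spans mappings (treated as unsafe), -1 if maps is unreadable.
   Assumption: Linux, with /proc mounted. */
static int in_readonly_mapping(const void *p, size_t len)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    unsigned long a = (unsigned long)(uintptr_t)p, lo, hi;
    char line[1024], perms[5];
    int result = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (a >= lo && a + len <= hi) { result = (perms[1] != 'w'); break; }
    }
    fclose(f);
    return result;
}

/* Policy from the reply: %n is honoured only when the format string itself
   could not have been altered at run time. */
static int format_allowed(const char *fmt)
{
    if (!has_percent_n(fmt)) return 1;
    return in_readonly_mapping(fmt, strlen(fmt) + 1) == 1;
}

int main(void)
{
    char writable[] = "%s%n\n";   /* constructed: the thread's test case */
    printf("literal:  %d\n", format_allowed("%s%n\n"));
    printf("writable: %d\n", format_allowed(writable));
    return 0;
}
```

The check never looks at the `%n` argument (`&count` in the quoted test case); only the location of the format string decides the outcome.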