This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: About *printf %n fortifications


On Fri, Feb 24, 2006 at 07:04:08PM +0100, Gwenole Beauchesne wrote:
> Hi,
> 
> Why would a printf() with %n in the format string require this string to
> be non-writable? (debug/tst-chk1.c, stdio-common/vfprintf.c)
> 
> See the attached test case (-O2 -D_FORTIFY_SOURCE=2)
>   char fmt[] = "%s%n\n";
>   printf(fmt, "bar", &count);
> looks valid to me, but causes an abort() with
> *** %n in writable segment detected ***
> 
> The check was probably meant to be against the %n argument itself.
> 
> The following patch fixes this but I have not updated tst-chk1.c yet. 
> WDYT?

No, that's not the point.  It doesn't matter whether the target of the
%n is writable; if it's not, we'll just segfault.  The test is supposed
to prevent a malicious attacker inserting %n into the application
somewhere where it will be passed to printf, causing an unexpected
store.

Of course your testcase is valid - but it's a bad idea.

-- 
Daniel Jacobowitz
CodeSourcery
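
The check discussed in this thread keys on where the format string itself lives, not on the %n target. As an added illustration (not glibc's code and not written by either poster), this Linux-only C sketch classifies a format string by looking up its address range in /proc/self/maps; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* 1: [p, p+len) lies only in non-writable mappings; 0: part of it is writable
   or unmapped; -1: /proc/self/maps could not be opened (Linux-only source). */
static int range_is_readonly(const void *p, size_t len)
{
    unsigned long cur = (unsigned long)p, end = cur + len, lo, hi;
    char line[512], perms[5];
    int result = 0;
    FILE *f = fopen("/proc/self/maps", "r");

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        /* Lines are sorted by address: "start-end perms offset dev inode path" */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3 || cur < lo || cur >= hi)
            continue;
        if (perms[1] == 'w')
            break;                      /* writable at run time */
        cur = hi;                       /* range may continue into the next mapping */
        if (cur >= end) {
            result = 1;
            break;
        }
    }
    fclose(f);
    return result;
}

/* 1 if fmt contains a %n conversion; "%%" is a literal percent sign. */
static int has_percent_n(const char *fmt)
{
    for (const char *s = fmt; (s = strchr(s, '%')) != NULL; ) {
        s++;
        s += strspn(s, "-+ #0123456789.*$'hlqjztL");   /* flags, width, length */
        if (*s == 'n')
            return 1;
        if (*s != '\0')
            s++;                        /* step over the conversion character */
    }
    return 0;
}

/* Hypothetical policy helper: 1 = reject, i.e. %n in a format string that is
   not provably read-only. This sketch fails closed if the maps file is unreadable. */
static int percent_n_rejected(const char *fmt)
{
    return has_percent_n(fmt) && range_is_readonly(fmt, strlen(fmt) + 1) != 1;
}
```

With the quoted test case, the `char fmt[]` array is flagged because it sits on the writable stack, while the same text as a string literal is not.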

