public inbox for glibc-bugs@sourceware.org
* [Bug libc/4438] New: vfprintf() segfault with multibyte string and long precision
From: victor dot stinner at inl dot fr @ 2007-04-30 12:46 UTC (permalink / raw)
To: glibc-bugs
(Since the bug has been reported on Debian and Fedora Core, I create a bug
report on libc bugtracker)
Hi,
I use your personal emails because the bug might be a security vulnerability
(I don't know the Linux kernel well enough to guess). If it is not, I can open a bug
report on Bugzilla if you would like to.
I found a bug in the dpkg program (from apt-get of the Debian project):
COLUMNS=10000000 dpkg -l
=> Crash with segfault (SIGSEGV)
After a long investigation (around one week :-)), I'm certain that the bug comes
from GNU libc. The crash is not specific to this program: any program that allows
changing the format string of printf() may crash. Smallest C testcase:
-------------------------------------------------------------
#include <stdlib.h>
#include <stdio.h>
#include <locale.h>

int main(void)
{
  /* Select the environment's locale; the bug needs a multibyte one (e.g. UTF-8).  */
  setlocale (LC_CTYPE, "");
  /* A precision larger than the stack limit: vfprintf() sizes a wchar_t
     array on the stack from this value.  */
  printf("%-1.30500200s\n", "Hello");
  return 0;
}
-------------------------------------------------------------
If your locale is not UTF-8, specify another multibyte locale to setlocale().
The value "30500200" just has to be bigger than the current stack size limit.
You can also try with bash/core-utils printf:
-------------------------------------------------------------
printf '%-1.25000000s' 'Hello'
-------------------------------------------------------------
The bug is located in stdio-common/vfprintf.c, macro "process_string_arg", in
this block:
-------------------------------------------------------------
if (prec != -1)
  {
    /* Search for the end of the string, but don't search past
       the length (in bytes) specified by the precision.  Also
       don't use incomplete characters.  */
    if (_NL_CURRENT_WORD (LC_CTYPE, _NL_CTYPE_MB_CUR_MAX) == 1)
      len = __strnlen (string, prec);
    else
      {
        /* In case we have a multibyte character set the
           situation is more complicated.  We must not copy
           bytes at the end which form an incomplete character.  */
        wchar_t ignore[prec];   /* VLA sized directly from the caller-supplied precision */
        const char *str2 = string;
        mbstate_t ps;

        memset (&ps, '\0', sizeof (ps));
        if (__mbsnrtowcs (ignore, &str2, prec, prec, &ps)
            == (size_t) -1)
          {
            done = -1;
            goto all_done;
          }

        if (str2 == NULL)
          len = strlen (string);
        else
          len = str2 - string - (ps.__count & 7);
      }
  }
else
  len = strlen (string);
-------------------------------------------------------------
If 1 < prec and 1 < LC_CTYPE[_NL_CTYPE_MB_CUR_MAX], we go into the "complicated"
block :-)
Now imagine that prec is equal to 30500200: 30 MB will be "allocated" on the
stack (by "wchar_t ignore[prec]") whereas Linux uses 8 MB (in the default config)
for the stack limit. The stack *should* grow up/down, but on my computer (i386) gcc
just uses a "sub $eax, $esp" instruction to allocate the memory and Linux just
raises the signal SIGSEGV.
I don't know the locale API (the mbsnrtowcs() function) well enough to fix the bug.
Victor Stinner
http://www.inl.fr/
---
Other bug reports of the same bug:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238406
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421555
--
Summary: vfprintf() segfault with multibyte string and long precision
Product: glibc
Version: unspecified
Status: NEW
Severity: critical
Priority: P1
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: victor dot stinner at inl dot fr
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=4438
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
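As an added example (not glibc's code and not the patch committed for this bug), here is one bounded-stack way to compute the same `len` the vfprintf.c excerpt derives: walk the string with `mbrtowc` one character at a time, so stack use is a single `mbstate_t` whatever the precision is. The function name `mb_prefix_len` is my own; it assumes a locale has been selected with `setlocale`.

```c
#include <locale.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Byte length of the longest prefix of S that fits in PREC bytes without
   splitting a multibyte character.  Returns (size_t)-1 on an invalid
   sequence, mirroring the excerpt's error path.  No array is sized from
   PREC, so a huge precision costs time, not stack.  */
size_t mb_prefix_len(const char *s, size_t prec)
{
    mbstate_t ps;
    size_t len = 0;

    memset(&ps, 0, sizeof ps);
    while (len < prec) {
        /* Examine at most prec - len bytes: never look past the precision.  */
        size_t r = mbrtowc(NULL, s + len, prec - len, &ps);
        if (r == 0)                 /* reached the terminating NUL */
            break;
        if (r == (size_t)-1)        /* invalid multibyte sequence */
            return (size_t)-1;
        if (r == (size_t)-2)        /* character cut by the precision: drop it */
            break;
        len += r;
    }
    return len;
}

int main(void)
{
    setlocale(LC_CTYPE, "");
    /* The precision that crashed the original testcase; no VLA involved here.  */
    size_t n = mb_prefix_len("Hello", 30500200);
    printf("%.*s (%zu bytes)\n", (int)n, "Hello", n);
    return 0;
}
```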
* [Bug libc/4438] vfprintf() segfault with multibyte string and long precision
From: madcoder at debian dot org @ 2007-04-30 12:56 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From madcoder at debian dot org 2007-04-30 13:56 -------
Created an attachment (id=1742)
--> (http://sourceware.org/bugzilla/attachment.cgi?id=1742&action=view)
fix for that bug
FWIW here is a patch that should fix it. As you can guess, 'ignore' is an
ignored variable, hence __mbsnrtowcs is only used for mbs validation. So
passing NULL will work.
(Yes, I know that when passing NULL, __mbsnrtowcs does not respect 'len', but it's
not relevant here, as we want to check 'spec' bytes from the mb sequence, and
the wchar_t buffer is made on purpose of 'spec' wchar_t's, so the 'len'
stopping condition will never be triggered, hence passing NULL as a dst will
work.)
* [Bug libc/4438] vfprintf() segfault with multibyte string and long precision
From: madcoder at debian dot org @ 2007-04-30 17:40 UTC (permalink / raw)
To: glibc-bugs
--
What |Removed |Added
----------------------------------------------------------------------------
CC| |madcoder at debian dot org
* [Bug libc/4438] vfprintf() segfault with multibyte string and long precision
From: madcoder at debian dot org @ 2007-04-30 17:40 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From madcoder at debian dot org 2007-04-30 18:40 -------
(In reply to comment #1)
> Created an attachment (id=1742)
> --> (http://sourceware.org/bugzilla/attachment.cgi?id=1742&action=view)
> fix for that bug
except that it does not work, presumably because when passing NULL as dst, the
mbstate is not updated.
The current code forcing the conversion into a wchar string seems quite sloppy,
but I see no obvious way to deal with it. So a better patch will need to be
worked out :|
* [Bug libc/4438] vfprintf() segfault with multibyte string and long precision
From: drepper at redhat dot com @ 2007-05-01 4:12 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From drepper at redhat dot com 2007-05-01 05:12 -------
I've checked in a patch.
And next time, don't mess with priorities and severity. This is not something
to be guessed by the submitter.
--
What |Removed |Added
----------------------------------------------------------------------------
Severity|critical |normal
Status|NEW |RESOLVED
Priority|P1 |P2
Resolution| |FIXED
* [Bug libc/4438] vfprintf() segfault with multibyte string and long precision
From: victor dot stinner at inl dot fr @ 2007-05-01 13:09 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From victor dot stinner at inl dot fr 2007-05-01 14:09 -------
Thank you for your quick reaction ;-) Sorry for the severity/priority, I will
leave them at their default values next time.
* [Bug libc/4438] vfprintf() segfault with multibyte string and long precision
From: cvs-commit at gcc dot gnu dot org @ 2007-07-12 15:15 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From cvs-commit at gcc dot gnu dot org 2007-07-12 15:15 -------
Subject: Bug 4438
CVSROOT: /cvs/glibc
Module name: libc
Branch: glibc-2_5-branch
Changes by: jakub@sourceware.org 2007-07-12 15:15:03
Modified files:
. : ChangeLog
stdio-common : test-vfprintf.c vfprintf.c
Log message:
2007-05-04 Ulrich Drepper <drepper@redhat.com>
* stdio-common/vfprintf.c (process_string_arg): Adjust call to
__mbsnrtowcs after last change.
2007-05-02 Jakub Jelinek <jakub@redhat.com>
* stdio-common/vfprintf.c (process_string_arg): Use a VLA rather than
fixed length array for ignore.
2007-04-30 Ulrich Drepper <drepper@redhat.com>
[BZ #4438]
* stdio-common/vfprintf.c (process_string_arg): Don't overflow the
stack for large precisions.
* stdio-common/test-vfprintf.c (main): Add test for large
precision.
Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.10362.2.79&r2=1.10362.2.80
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/test-vfprintf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.4&r2=1.4.8.1
http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/vfprintf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.134&r2=1.134.2.1