* [Bug libc/7075] sprintf(buf, "%sfoo", buf) has different results with -O2 -D_FORTIFY_SOURCE=2 (__sprintf_chk bug?)
From: kees at outflux dot net @ 2008-12-07 17:44 UTC
To: glibc-bugs
------- Additional Comments From kees at outflux dot net 2008-12-07 17:42 -------
Created an attachment (id=3095)
--> (http://sourceware.org/bugzilla/attachment.cgi?id=3095&action=view)
test case
--
http://sourceware.org/bugzilla/show_bug.cgi?id=7075
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
From: schwab at suse dot de @ 2008-12-07 17:52 UTC
To: glibc-bugs
------- Additional Comments From schwab at suse dot de 2008-12-07 17:49 -------
sprintf(buf, "%sfoo", buf) is UNDEFINED.
What            |Removed        |Added
----------------------------------------------------------------------------
Status          |NEW            |RESOLVED
Resolution      |               |INVALID
From: kees at outflux dot net @ 2008-12-07 18:36 UTC
To: glibc-bugs
------- Additional Comments From kees at outflux dot net 2008-12-07 18:33 -------
Thanks for the clarification. However, I think it is still a bug that the
limitation is not mentioned in the manpage.
What            |Removed        |Added
----------------------------------------------------------------------------
Status          |RESOLVED       |REOPENED
Resolution      |INVALID        |
From: schwab at suse dot de @ 2008-12-07 19:08 UTC
To: glibc-bugs
------- Additional Comments From schwab at suse dot de 2008-12-07 19:05 -------
Then contact whoever wrote it.
What            |Removed        |Added
----------------------------------------------------------------------------
Status          |REOPENED       |RESOLVED
Resolution      |               |INVALID
From: jakub at redhat dot com @ 2008-12-07 22:57 UTC
To: glibc-bugs
------- Additional Comments From jakub at redhat dot com 2008-12-07 22:56 -------
man 3p sprintf certainly documents it:
"If copying takes place between objects that overlap as a result of a call
to sprintf() or snprintf(), the results are undefined."
From: pasky at suse dot cz @ 2008-12-07 23:39 UTC
To: glibc-bugs
------- Additional Comments From pasky at suse dot cz 2008-12-07 23:38 -------
I have submitted a patch for linux-manpages:
http://thread.gmane.org/gmane.linux.man/639
From: mtk dot manpages at gmail dot com @ 2008-12-19 16:58 UTC
To: glibc-bugs
------- Additional Comments From mtk dot manpages at gmail dot com 2008-12-19 16:57 -------
(In reply to comment #6)
> I have submitted a patch for linux-manpages:
> http://thread.gmane.org/gmane.linux.man/639
I've applied the following patch for man-pages-3.16.
--- a/man3/printf.3
+++ b/man3/printf.3
@@ -133,6 +133,17 @@ string that specifies how subsequent arguments (or
arguments accessed via
the variable-length argument facilities of
.BR stdarg (3))
are converted for output.
+
+C99 and POSIX.1-2001 specify that the results are undefined if a call to
+.BR sprintf (),
+.BR snprintf (),
+.BR vsprintf (),
+or
+.BR vsnprintf ()
+would cause to copying to take place between objects that overlap
+(e.g., if the target string array and one of the supplied input arguments
+refer to the same buffer).
+See NOTES.
.SS "Return value"
Upon successful return, these functions return the number of characters
printed (not including the
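Review bot: the added sentence in this hunk has a stray "to" ("would cause to copying to take place between objects that overlap"); it should read "would cause copying to take place between objects that overlap (e.g., ...)". The rest of the wording follows the POSIX text quoted earlier in the thread, so only that word needs fixing before this goes in.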
@@ -851,6 +862,26 @@ and conversion characters \fBa\fP and \fBA\fP.
glibc 2.2 adds the conversion character \fBF\fP with C99 semantics,
and the flag character \fBI\fP.
.SH NOTES
+Some programs imprudently rely on code such as the following
+
+ sprintf(buf, "%s some further text", buf);
+
+to append text to
+.IR buf .
+However, the standards explicitly note that the results are undefined
+if source and destination buffers overlap when calling
+.BR sprintf (),
+.BR snprintf (),
+.BR vsprintf (),
+and
+.BR vsnprintf ().
+.\" http://sourceware.org/bugzilla/show_bug.cgi?id=7075
+Depending on the version of
+.BR gcc (1)
+used, and the compiler options employed, calls such as the above will
+.B not
+produce the expected results.
+
The glibc implementation of the functions
.BR snprintf ()
and
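Review bot: the NOTES paragraph blames "the version of gcc(1) used, and the compiler options employed" but never names the option, and the case this bug is about is visible in its title: `-O2 -D_FORTIFY_SOURCE=2`, which routes the call through `__sprintf_chk`. Naming `_FORTIFY_SOURCE` in the paragraph would let readers who hit the behaviour grep for the cause. The paragraph also says what not to do without showing the defined alternative; one line such as `snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " some further text");` (or formatting into a separate buffer) would round it off.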
From: kees at outflux dot net @ 2008-12-24 17:41 UTC
To: glibc-bugs
------- Additional Comments From kees at outflux dot net 2008-12-24 17:40 -------
Created an attachment (id=3625)
--> (http://sourceware.org/bugzilla/attachment.cgi?id=3625&action=view)
work-around pre-trunc behavior
This patch restores the prior sprintf behavior. Looking through
_IO_str_init_static_internal seems to indicate that nothing actually requires
"s" to lead with a NULL. Is there anything wrong with this work-around, which
could be used until the number of affected upstream sources is not quite so
large?
From: lidaobing at gmail dot com @ 2009-02-05 8:55 UTC
To: glibc-bugs
What            |Removed        |Added
----------------------------------------------------------------------------
CC              |               |lidaobing at gmail dot com
From: jackie.rosen at hushmail dot com @ 2014-02-16 17:44 UTC
To: glibc-bugs
Jackie Rosen <jackie.rosen at hushmail dot com> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
CC              |               |jackie.rosen at hushmail dot com
--- Comment #9 from Jackie Rosen <jackie.rosen at hushmail dot com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.
From: schwab at sourceware dot org @ 2014-05-28 19:42 UTC
To: glibc-bugs
Andreas Schwab <schwab at sourceware dot org> changed:
What            |Removed                          |Added
----------------------------------------------------------------------------
CC              |jackie.rosen at hushmail dot com |
From: kees at outflux dot net @ 2014-06-13 19:49 UTC
To: glibc-bugs
Kees Cook <kees at outflux dot net> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
Status          |RESOLVED       |REOPENED
Resolution      |INVALID        |---
--- Comment #10 from Kees Cook <kees at outflux dot net> ---
I'd still like to have this patch applied -- while we can claim the behavior is
"undefined", it is not, in fact, undefined. It behaves one way without
-D_FORTIFY_SOURCE=2, and differently with it. And that difference doesn't need
to exist. Ubuntu carried this patch for quite a while.
From: schwab@linux-m68k.org @ 2014-06-13 20:25 UTC
To: glibc-bugs
Andreas Schwab <schwab@linux-m68k.org> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
Status          |REOPENED       |RESOLVED
Resolution      |---            |INVALID
--- Comment #11 from Andreas Schwab <schwab@linux-m68k.org> ---
The point of _FORTIFY_SOURCE is to expose undefined behaviour.
From: kees at outflux dot net @ 2014-06-13 20:36 UTC
To: glibc-bugs
--- Comment #12 from Kees Cook <kees at outflux dot net> ---
It's not defined in POSIX, but it has worked a certain way in glibc for
decades. There's no _reason_ to break it for _FORTIFY_SOURCE. Pre-truncating
just silently breaks programs and does weird stuff. If you want to expose it
with _FORTIFY_SOURCE then have vsprintf notice that the target and first format
argument are the same variable, and refuse to build.
Either pretruncation should be eliminated, or the undefined behavior should be
explicitly detected and dealt with. Just having programs lose data while
running with no indication of the cause seems like a terrible user experience.
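Added example (editor's illustration; not glibc code, not the bug's attachments, and not written by any participant). It shows the two program-side answers to the situation comment 12 describes: appending at the tracked end of the buffer so the destination is never passed back in as a "%s" argument, which is defined regardless of _FORTIFY_SOURCE, and a wrapper that detects a "%s" argument aliasing the destination and refuses the call instead of silently losing data. The function names, the subset of conversions the walker understands, and the sample strings are my own assumptions; only standard C is used.

```c
/* Added example; not glibc code and not from the bug's attachments. Function
   names, the handled format subset and the sample strings are assumptions. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Defined way to append: format at buf's current end so buf is never re-read through
   a "%s" argument. Returns the new length, or -1 on error/truncation (buf stays NUL-terminated). */
int append_fmt(char *buf, size_t size, const char *fmt, ...)
{
    const char *end = memchr(buf, '\0', size);
    if (!end) return -1;                   /* not NUL-terminated within size */
    size_t len = (size_t)(end - buf);
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + len, size - len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= size - len) return -1;   /* output did not fit */
    return (int)(len + (size_t)n);
}

/* True if [a, a+alen) and [b, b+blen) intersect (compared as integers). */
static int ranges_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t a0 = (uintptr_t)a, b0 = (uintptr_t)b;
    return a0 < b0 + blen && b0 < a0 + alen;
}

/* Detect the undefined case: a "%s" argument overlapping dst. Returns 1 on overlap, 0 if
   none, -1 for conversions not handled here ('*' widths, h/z/j, floats, %n, wide %ls/%lc). */
int format_args_alias_dst(const char *dst, size_t dst_size,
                          const char *fmt, va_list ap)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                                  /* "%%" takes no argument */
        while (*p && strchr("-+ #0", *p)) p++;                      /* flags */
        while (*p >= '0' && *p <= '9') p++;                         /* width */
        if (*p == '.') for (p++; *p >= '0' && *p <= '9'; p++) ;     /* precision */
        int longs = 0;
        for (; *p == 'l'; p++) longs++;
        switch (*p) {
        case 's': {
            if (longs) return -1;
            const char *s = va_arg(ap, const char *);
            if (s && ranges_overlap(dst, dst_size, s, strlen(s) + 1)) return 1;
            break;
        }
        case 'c': if (longs) return -1; (void)va_arg(ap, int); break;
        case 'd': case 'i': case 'u': case 'x': case 'X': case 'o':
            if (longs >= 2) (void)va_arg(ap, long long);
            else if (longs) (void)va_arg(ap, long);
            else (void)va_arg(ap, int);
            break;
        default:
            return -1;
        }
    }
    return 0;
}

/* sprintf replacement: refuses an aliasing call (returns -1, dst untouched) instead of
   silently losing data; otherwise returns vsnprintf's result. */
int checked_sprintf(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap, probe;
    va_start(ap, fmt);
    va_copy(probe, ap);
    int alias = format_args_alias_dst(dst, dst_size, fmt, probe);
    va_end(probe);
    int n = alias == 0 ? vsnprintf(dst, dst_size, fmt, ap) : -1;
    va_end(ap);
    return n;
}

/* The thread's scenario end to end: returns the final length (8 for "startfoo"),
   or -1 if any step misbehaves. */
int demo(void)
{
    char buf[32] = "start";
    if (checked_sprintf(buf, sizeof buf, "%sfoo", buf) != -1 || strcmp(buf, "start"))
        return -1;                         /* aliasing call refused, buf untouched */
    int len = append_fmt(buf, sizeof buf, "%s", "foo");
    if (len != 8 || strcmp(buf, "startfoo"))
        return -1;
    char small[4] = "ab";                  /* "cd" does not fit: truncated but terminated */
    if (append_fmt(small, sizeof small, "%s", "cd") != -1 || strcmp(small, "abc"))
        return -1;
    return len;
}

int main(void)
{
    printf("demo() = %d\n", demo());
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`; demo() returns 8 and leaves buf as "startfoo". The guard is deliberately conservative: any conversion the walker does not parse makes checked_sprintf refuse rather than guess at the argument list, which is the right failure direction for something meant to catch the overlapping call.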
From: siddhesh at redhat dot com @ 2014-06-13 20:48 UTC
To: glibc-bugs
Siddhesh Poyarekar <siddhesh at redhat dot com> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
CC              |               |siddhesh at redhat dot com
--- Comment #13 from Siddhesh Poyarekar <siddhesh at redhat dot com> ---
It might be a good idea to take this discussion to the libc-alpha mailing list.
From: fweimer at redhat dot com @ 2014-06-16 10:57 UTC
To: glibc-bugs
Florian Weimer <fweimer at redhat dot com> changed:
What            |Removed        |Added
----------------------------------------------------------------------------
CC              |               |fweimer at redhat dot com
Flags           |               |security-