public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug stdio/16617] New: printf stack overflow with many format specs (CVE-2012-3406) Date: Thu, 20 Feb 2014 23:43:00 -0000 [thread overview] Message-ID: <bug-16617-131@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=16617 Bug ID: 16617 Summary: printf stack overflow with many format specs (CVE-2012-3406) Product: glibc Version: 2.19 Status: NEW Severity: normal Priority: P2 Component: stdio Assignee: unassigned at sourceware dot org Reporter: jsm28 at gcc dot gnu.org printf has an alloca that can overflow the stack when there are many format specifiers in a format string, as illustrated by the following testcase: #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/resource.h> #define LIMIT 1000000 int main (void) { struct rlimit lim; getrlimit (RLIMIT_STACK, &lim); lim.rlim_cur = 1048576; setrlimit (RLIMIT_STACK, &lim); char *fmtstr = malloc (4 * LIMIT + 1); if (fmtstr == NULL) abort (); char *output = malloc (LIMIT + 1); if (output == NULL) abort (); for (size_t i = 0; i < LIMIT; i++) memcpy (fmtstr + 4 * i, "%1$d", 4); fmtstr[4 * LIMIT] = '\0'; int ret = snprintf (output, LIMIT + 1, fmtstr, 0); if (ret != LIMIT) abort (); for (size_t i = 0; i < LIMIT; i++) if (output[i] != '0') abort (); return 0; } Notes: * This is apparently CVE-2012-3406. I'm not asserting here whether it is or is not a security issue, but on general principles all glibc functions should bound their stack usage to avoid stack overflows with large but valid arguments, since stack overflows don't result in useful error reporting. * https://bugzilla.redhat.com/show_bug.cgi?id=826943 has a patch (which I have not tested), although it includes an excessively large testcase when something like the above generating the format string at runtime would seem better. * https://sourceware.org/ml/libc-alpha/2012-02/msg00092.html has an assertion that the alloca is OK (which I disagree with on the first principle above regarding avoiding stack overflow, whether or not it is exploitable). The followup https://sourceware.org/ml/libc-alpha/2012-02/msg00102.html discusses other possible overflows there, though the stack would overflow first so they don't need considering until the use of the stack for large allocations is resolved. -- You are receiving this mail because: You are on the CC list for the bug.
next reply other threads:[~2014-02-20 23:43 UTC|newest] Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top 2014-02-20 23:43 jsm28 at gcc dot gnu.org [this message] 2014-02-21 3:03 ` [Bug stdio/16617] " carlos at redhat dot com 2014-02-22 2:46 ` bugdal at aerifal dot cx 2014-02-22 2:57 ` joseph at codesourcery dot com 2014-06-13 8:12 ` fweimer at redhat dot com 2014-12-04 22:20 ` jsm28 at gcc dot gnu.org 2014-12-05 6:24 ` fweimer at redhat dot com 2014-12-05 14:05 ` fweimer at redhat dot com 2014-12-15 9:38 ` cvs-commit at gcc dot gnu.org 2014-12-15 9:41 ` fweimer at redhat dot com 2014-12-16 4:35 ` cvs-commit at gcc dot gnu.org 2015-01-14 12:19 ` cvs-commit at gcc dot gnu.org 2015-01-14 13:13 ` cvs-commit at gcc dot gnu.org 2015-01-16 16:59 ` cvs-commit at gcc dot gnu.org 2015-01-16 17:02 ` cvs-commit at gcc dot gnu.org 2015-01-16 17:03 ` cvs-commit at gcc dot gnu.org 2015-01-21 13:56 ` cvs-commit at gcc dot gnu.org 2015-01-29 18:50 ` cvs-commit at gcc dot gnu.org 2015-02-12 13:05 ` cvs-commit at gcc dot gnu.org 2015-02-23 14:06 ` cvs-commit at gcc dot gnu.org 2015-02-23 14:23 ` cvs-commit at gcc dot gnu.org 2015-02-23 15:02 ` cvs-commit at gcc dot gnu.org
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-16617-131@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).