public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/17829] New: Incorrect handling of precision specifier in printf family
@ 2015-01-12 4:32 nfxjfg at googlemail dot com
2015-01-12 4:33 ` [Bug libc/17829] " nfxjfg at googlemail dot com
` (10 more replies)
0 siblings, 11 replies; 12+ messages in thread
From: nfxjfg at googlemail dot com @ 2015-01-12 4:32 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
Bug ID: 17829
Summary: Incorrect handling of precision specifier in printf
family
Product: glibc
Version: 2.19
Status: NEW
Severity: critical
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: nfxjfg at googlemail dot com
CC: drepper.fsp at gmail dot com
The following program shows no output:
#include <stdio.h>
#include <limits.h>
int main(int argc, char **argv)
{
printf("%.*s\n", INT_MAX, "hi");
return 0;
}
The precision given is INT_MAX; this should turn the precision specifier into a
no-OP, equivalent to 'printf("%s\n", "hi");'. Making the precision value
somewhat lower seems to make it work.
snprintf() seems to have a similar issue, but the failure seems to start with
even lower precision values.
Other libcs handle this correctly (I tested mingw-w64 and musl).
Using glibc 2.19-13 on Debian 32 bit x86.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug libc/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
@ 2015-01-12 4:33 ` nfxjfg at googlemail dot com
2015-01-12 17:52 ` [Bug stdio/17829] " jsm28 at gcc dot gnu.org
` (9 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: nfxjfg at googlemail dot com @ 2015-01-12 4:33 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
nfxjfg at googlemail dot com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nfxjfg at googlemail dot com
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
2015-01-12 4:33 ` [Bug libc/17829] " nfxjfg at googlemail dot com
@ 2015-01-12 17:52 ` jsm28 at gcc dot gnu.org
2015-01-29 13:00 ` fweimer at redhat dot com
` (8 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: jsm28 at gcc dot gnu.org @ 2015-01-12 17:52 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
Joseph Myers <jsm28 at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|libc |stdio
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
2015-01-12 4:33 ` [Bug libc/17829] " nfxjfg at googlemail dot com
2015-01-12 17:52 ` [Bug stdio/17829] " jsm28 at gcc dot gnu.org
@ 2015-01-29 13:00 ` fweimer at redhat dot com
2015-02-18 14:27 ` fweimer at redhat dot com
` (7 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: fweimer at redhat dot com @ 2015-01-29 13:00 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (2 preceding siblings ...)
2015-01-29 13:00 ` fweimer at redhat dot com
@ 2015-02-18 14:27 ` fweimer at redhat dot com
2015-02-18 14:33 ` carlos at redhat dot com
` (6 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: fweimer at redhat dot com @ 2015-02-18 14:27 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |codonell at redhat dot com
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Carlos, do you remember what the “32” in stdio-common/vfprintf.c guards
against? (You helped to fix some overflow-related issues in this area.)
1574 if (prec > width
1575 && prec > sizeof (work_buffer) / sizeof (work_buffer[0]) -
32)
1576 {
1577 if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) -
32))
1578 {
1579 __set_errno (EOVERFLOW);
1580 done = -1;
1581 goto all_done;
1582 }
1583 size_t needed = ((size_t) prec + 32) * sizeof (CHAR_T);
I'm a bit at a loss here. Certainly, this use is not recommended because
printf will allocate tons of memory as part of the format processing.
--
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-27490-listarch-glibc-bugs=sources.redhat.com@sourceware.org Wed Feb 18 14:27:30 2015
Return-Path: <glibc-bugs-return-27490-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 527 invoked by alias); 18 Feb 2015 14:27:30 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 31876 invoked by uid 48); 18 Feb 2015 14:27:26 -0000
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/17825] Incorrect return value for string functions invoked with size_t parameter having the most significant bit set on Sparc V9
Date: Wed, 18 Feb 2015 14:27:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security?
X-Bugzilla-Changed-Fields: flagtypes.name
Message-ID: <bug-17825-131-FWwCTmivjV@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17825-131@http.sourceware.org/bugzilla/>
References: <bug-17825-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-02/txt/msg00225.txt.bz2
Content-length: 378
https://sourceware.org/bugzilla/show_bug.cgi?id\x17825
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Flags| |security?
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (3 preceding siblings ...)
2015-02-18 14:27 ` fweimer at redhat dot com
@ 2015-02-18 14:33 ` carlos at redhat dot com
2015-02-18 17:26 ` nfxjfg at googlemail dot com
` (5 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: carlos at redhat dot com @ 2015-02-18 14:33 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |carlos at redhat dot com
--- Comment #2 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Florian Weimer from comment #1)
> Carlos, do you remember what the “32” in stdio-common/vfprintf.c guards
> against? (You helped to fix some overflow-related issues in this area.)
>
> 1574 if (prec > width
> 1575 && prec > sizeof (work_buffer) / sizeof (work_buffer[0]) -
> 32)
> 1576 {
> 1577 if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) -
> 32))
> 1578 {
> 1579 __set_errno (EOVERFLOW);
> 1580 done = -1;
> 1581 goto all_done;
> 1582 }
> 1583 size_t needed = ((size_t) prec + 32) * sizeof (CHAR_T);
>
> I'm a bit at a loss here. Certainly, this use is not recommended because
> printf will allocate tons of memory as part of the format processing.
The +32 is an arbitrarily selected value to make the buffer large enough to be
OK for the largest precision we need. It is an artifact of sloppy accounting
for how much would be needed. The correct fix is to be more precise in
computing what we need.
--
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-27499-listarch-glibc-bugs=sources.redhat.com@sourceware.org Wed Feb 18 14:38:03 2015
Return-Path: <glibc-bugs-return-27499-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 8499 invoked by alias); 18 Feb 2015 14:38:03 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 8455 invoked by uid 48); 18 Feb 2015 14:37:59 -0000
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug nptl/17013] pthread_cond_broadcast could call lll_unlock() twice, breaking the shared data
Date: Wed, 18 Feb 2015 14:38:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: nptl
X-Bugzilla-Version: 2.18
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: WAITING
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security?
X-Bugzilla-Changed-Fields: cc flagtypes.name
Message-ID: <bug-17013-131-iBPTPcFpv8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17013-131@http.sourceware.org/bugzilla/>
References: <bug-17013-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-02/txt/msg00234.txt.bz2
Content-length: 665
https://sourceware.org/bugzilla/show_bug.cgi?id\x17013
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Flags| |security?
--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
This may have security implications. I asked on libc-alpha, on the original
thread: https://sourceware.org/ml/libc-alpha/2015-02/msg00510.html
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (4 preceding siblings ...)
2015-02-18 14:33 ` carlos at redhat dot com
@ 2015-02-18 17:26 ` nfxjfg at googlemail dot com
2020-07-07 14:54 ` cvs-commit at gcc dot gnu.org
` (4 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: nfxjfg at googlemail dot com @ 2015-02-18 17:26 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
--- Comment #3 from nfxjfg at googlemail dot com ---
>Certainly, this use is not recommended because printf will allocate tons of memory as part of the format processing.
There's literally no reason why it'd need to allocate memory of the size of the
maximum _possible_ length of the string. In fact, I'd argue printf doesn't need
to do unbounded memory allocations at all.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (5 preceding siblings ...)
2015-02-18 17:26 ` nfxjfg at googlemail dot com
@ 2020-07-07 14:54 ` cvs-commit at gcc dot gnu.org
2022-08-30 8:23 ` cvs-commit at gcc dot gnu.org
` (3 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2020-07-07 14:54 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Joseph Myers <jsm28@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6caddd34bd7ffb5ac4f36c8e036eee100c2cc535
commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Jul 7 14:54:12 2020 +0000
Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).
The vfprintf implementation (used for all printf-family functions)
contains complicated logic to allocate internal buffers of a size
depending on the width and precision used for a format, using either
malloc or alloca depending on that size, and with consequent checks
for size overflow and allocation failure.
As noted in bug 26211, the version of that logic used when '$' plus
argument number formats are in use is missing the overflow checks,
which can result in segfaults (quite possibly exploitable, I didn't
try to work that out) when the width or precision is in the range
0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
wprintf case on 32-bit systems, when the multiplication by sizeof
(CHAR_T) can overflow).
All that complicated logic in fact appears to be useless. As far as I
can tell, there has been no need (outside the floating-point printf
code, which does its own allocations) for allocations depending on
width or precision since commit
3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus,
this patch removes that logic completely, thereby fixing both problems
with excessive allocations for large width and precision for
non-floating-point formats, and the problem with missing overflow
checks with such allocations. Note that this does have the
consequence that width and precision up to INT_MAX are now allowed
where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
been rejected, so could potentially expose any other overflows where
the value would previously have been rejected by those removed checks.
I believe this completely fixes bugs 14231 and 26211.
Excessive allocations are still possible in the floating-point case
(bug 21127), as are other integer or buffer overflows (see bug 26201).
This does not address the cases where a precision larger than INT_MAX
(embedded in the format string) would be meaningful without printf's
return value overflowing (when it's used with a string format, or %g
without the '#' flag, so the actual output will be much smaller), as
mentioned in bug 17829 comment 8; using size_t internally for
precision to handle that case would be complicated by struct
printf_info being a public ABI. Nor does it address the matter of an
INT_MIN width being negated (bug 17829 comment 7; the same logic
appears a second time in the file as well, in the form of multiplying
by -1). There may be other sources of memory allocations with malloc
in printf functions as well (bug 24988, bug 16060). From inspection,
I think there are also integer overflows in two copies of "if ((width
-= len) < 0)" logic (where width is int, len is size_t and a very long
string could result in spurious padding being output on a 32-bit
system before printf overflows the count of output characters).
Tested for x86-64 and x86.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (6 preceding siblings ...)
2020-07-07 14:54 ` cvs-commit at gcc dot gnu.org
@ 2022-08-30 8:23 ` cvs-commit at gcc dot gnu.org
2022-08-30 8:45 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
10 siblings, 0 replies; 12+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-08-30 8:23 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
--- Comment #15 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1dbe841a672f5d6fdaf73c5d50774a2944a7d42b
commit 1dbe841a672f5d6fdaf73c5d50774a2944a7d42b
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Jul 7 14:54:12 2020 +0000
Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).
The vfprintf implementation (used for all printf-family functions)
contains complicated logic to allocate internal buffers of a size
depending on the width and precision used for a format, using either
malloc or alloca depending on that size, and with consequent checks
for size overflow and allocation failure.
As noted in bug 26211, the version of that logic used when '$' plus
argument number formats are in use is missing the overflow checks,
which can result in segfaults (quite possibly exploitable, I didn't
try to work that out) when the width or precision is in the range
0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
wprintf case on 32-bit systems, when the multiplication by sizeof
(CHAR_T) can overflow).
All that complicated logic in fact appears to be useless. As far as I
can tell, there has been no need (outside the floating-point printf
code, which does its own allocations) for allocations depending on
width or precision since commit
3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus,
this patch removes that logic completely, thereby fixing both problems
with excessive allocations for large width and precision for
non-floating-point formats, and the problem with missing overflow
checks with such allocations. Note that this does have the
consequence that width and precision up to INT_MAX are now allowed
where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
been rejected, so could potentially expose any other overflows where
the value would previously have been rejected by those removed checks.
I believe this completely fixes bugs 14231 and 26211.
Excessive allocations are still possible in the floating-point case
(bug 21127), as are other integer or buffer overflows (see bug 26201).
This does not address the cases where a precision larger than INT_MAX
(embedded in the format string) would be meaningful without printf's
return value overflowing (when it's used with a string format, or %g
without the '#' flag, so the actual output will be much smaller), as
mentioned in bug 17829 comment 8; using size_t internally for
precision to handle that case would be complicated by struct
printf_info being a public ABI. Nor does it address the matter of an
INT_MIN width being negated (bug 17829 comment 7; the same logic
appears a second time in the file as well, in the form of multiplying
by -1). There may be other sources of memory allocations with malloc
in printf functions as well (bug 24988, bug 16060). From inspection,
I think there are also integer overflows in two copies of "if ((width
-= len) < 0)" logic (where width is int, len is size_t and a very long
string could result in spurious padding being output on a 32-bit
system before printf overflows the count of output characters).
Tested for x86-64 and x86.
(cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (7 preceding siblings ...)
2022-08-30 8:23 ` cvs-commit at gcc dot gnu.org
@ 2022-08-30 8:45 ` cvs-commit at gcc dot gnu.org
2022-08-30 9:20 ` cvs-commit at gcc dot gnu.org
2022-08-30 11:07 ` cvs-commit at gcc dot gnu.org
10 siblings, 0 replies; 12+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-08-30 8:45 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
--- Comment #16 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2c2357eedebcd93be932031f567c0c66c664131d
commit 2c2357eedebcd93be932031f567c0c66c664131d
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Jul 7 14:54:12 2020 +0000
Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).
The vfprintf implementation (used for all printf-family functions)
contains complicated logic to allocate internal buffers of a size
depending on the width and precision used for a format, using either
malloc or alloca depending on that size, and with consequent checks
for size overflow and allocation failure.
As noted in bug 26211, the version of that logic used when '$' plus
argument number formats are in use is missing the overflow checks,
which can result in segfaults (quite possibly exploitable, I didn't
try to work that out) when the width or precision is in the range
0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
wprintf case on 32-bit systems, when the multiplication by sizeof
(CHAR_T) can overflow).
All that complicated logic in fact appears to be useless. As far as I
can tell, there has been no need (outside the floating-point printf
code, which does its own allocations) for allocations depending on
width or precision since commit
3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus,
this patch removes that logic completely, thereby fixing both problems
with excessive allocations for large width and precision for
non-floating-point formats, and the problem with missing overflow
checks with such allocations. Note that this does have the
consequence that width and precision up to INT_MAX are now allowed
where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
been rejected, so could potentially expose any other overflows where
the value would previously have been rejected by those removed checks.
I believe this completely fixes bugs 14231 and 26211.
Excessive allocations are still possible in the floating-point case
(bug 21127), as are other integer or buffer overflows (see bug 26201).
This does not address the cases where a precision larger than INT_MAX
(embedded in the format string) would be meaningful without printf's
return value overflowing (when it's used with a string format, or %g
without the '#' flag, so the actual output will be much smaller), as
mentioned in bug 17829 comment 8; using size_t internally for
precision to handle that case would be complicated by struct
printf_info being a public ABI. Nor does it address the matter of an
INT_MIN width being negated (bug 17829 comment 7; the same logic
appears a second time in the file as well, in the form of multiplying
by -1). There may be other sources of memory allocations with malloc
in printf functions as well (bug 24988, bug 16060). From inspection,
I think there are also integer overflows in two copies of "if ((width
-= len) < 0)" logic (where width is int, len is size_t and a very long
string could result in spurious padding being output on a 32-bit
system before printf overflows the count of output characters).
Tested for x86-64 and x86.
(cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (8 preceding siblings ...)
2022-08-30 8:45 ` cvs-commit at gcc dot gnu.org
@ 2022-08-30 9:20 ` cvs-commit at gcc dot gnu.org
2022-08-30 11:07 ` cvs-commit at gcc dot gnu.org
10 siblings, 0 replies; 12+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-08-30 9:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
--- Comment #17 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.29/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5b5dd5a43d0e13529a86332a5c10bdd5b5185e38
commit 5b5dd5a43d0e13529a86332a5c10bdd5b5185e38
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Jul 7 14:54:12 2020 +0000
Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).
The vfprintf implementation (used for all printf-family functions)
contains complicated logic to allocate internal buffers of a size
depending on the width and precision used for a format, using either
malloc or alloca depending on that size, and with consequent checks
for size overflow and allocation failure.
As noted in bug 26211, the version of that logic used when '$' plus
argument number formats are in use is missing the overflow checks,
which can result in segfaults (quite possibly exploitable, I didn't
try to work that out) when the width or precision is in the range
0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
wprintf case on 32-bit systems, when the multiplication by sizeof
(CHAR_T) can overflow).
All that complicated logic in fact appears to be useless. As far as I
can tell, there has been no need (outside the floating-point printf
code, which does its own allocations) for allocations depending on
width or precision since commit
3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus,
this patch removes that logic completely, thereby fixing both problems
with excessive allocations for large width and precision for
non-floating-point formats, and the problem with missing overflow
checks with such allocations. Note that this does have the
consequence that width and precision up to INT_MAX are now allowed
where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
been rejected, so could potentially expose any other overflows where
the value would previously have been rejected by those removed checks.
I believe this completely fixes bugs 14231 and 26211.
Excessive allocations are still possible in the floating-point case
(bug 21127), as are other integer or buffer overflows (see bug 26201).
This does not address the cases where a precision larger than INT_MAX
(embedded in the format string) would be meaningful without printf's
return value overflowing (when it's used with a string format, or %g
without the '#' flag, so the actual output will be much smaller), as
mentioned in bug 17829 comment 8; using size_t internally for
precision to handle that case would be complicated by struct
printf_info being a public ABI. Nor does it address the matter of an
INT_MIN width being negated (bug 17829 comment 7; the same logic
appears a second time in the file as well, in the form of multiplying
by -1). There may be other sources of memory allocations with malloc
in printf functions as well (bug 24988, bug 16060). From inspection,
I think there are also integer overflows in two copies of "if ((width
-= len) < 0)" logic (where width is int, len is size_t and a very long
string could result in spurious padding being output on a 32-bit
system before printf overflows the count of output characters).
Tested for x86-64 and x86.
(cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [Bug stdio/17829] Incorrect handling of precision specifier in printf family
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
` (9 preceding siblings ...)
2022-08-30 9:20 ` cvs-commit at gcc dot gnu.org
@ 2022-08-30 11:07 ` cvs-commit at gcc dot gnu.org
10 siblings, 0 replies; 12+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2022-08-30 11:07 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=17829
--- Comment #18 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.28/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e1c0c00cc2bdd147bfcf362ada1443bee90465ec
commit e1c0c00cc2bdd147bfcf362ada1443bee90465ec
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Jul 7 14:54:12 2020 +0000
Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).
The vfprintf implementation (used for all printf-family functions)
contains complicated logic to allocate internal buffers of a size
depending on the width and precision used for a format, using either
malloc or alloca depending on that size, and with consequent checks
for size overflow and allocation failure.
As noted in bug 26211, the version of that logic used when '$' plus
argument number formats are in use is missing the overflow checks,
which can result in segfaults (quite possibly exploitable, I didn't
try to work that out) when the width or precision is in the range
0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
wprintf case on 32-bit systems, when the multiplication by sizeof
(CHAR_T) can overflow).
All that complicated logic in fact appears to be useless. As far as I
can tell, there has been no need (outside the floating-point printf
code, which does its own allocations) for allocations depending on
width or precision since commit
3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus,
this patch removes that logic completely, thereby fixing both problems
with excessive allocations for large width and precision for
non-floating-point formats, and the problem with missing overflow
checks with such allocations. Note that this does have the
consequence that width and precision up to INT_MAX are now allowed
where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
been rejected, so could potentially expose any other overflows where
the value would previously have been rejected by those removed checks.
I believe this completely fixes bugs 14231 and 26211.
Excessive allocations are still possible in the floating-point case
(bug 21127), as are other integer or buffer overflows (see bug 26201).
This does not address the cases where a precision larger than INT_MAX
(embedded in the format string) would be meaningful without printf's
return value overflowing (when it's used with a string format, or %g
without the '#' flag, so the actual output will be much smaller), as
mentioned in bug 17829 comment 8; using size_t internally for
precision to handle that case would be complicated by struct
printf_info being a public ABI. Nor does it address the matter of an
INT_MIN width being negated (bug 17829 comment 7; the same logic
appears a second time in the file as well, in the form of multiplying
by -1). There may be other sources of memory allocations with malloc
in printf functions as well (bug 24988, bug 16060). From inspection,
I think there are also integer overflows in two copies of "if ((width
-= len) < 0)" logic (where width is int, len is size_t and a very long
string could result in spurious padding being output on a 32-bit
system before printf overflows the count of output characters).
Tested for x86-64 and x86.
(cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2022-08-30 11:07 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-12 4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family nfxjfg at googlemail dot com
2015-01-12 4:33 ` [Bug libc/17829] " nfxjfg at googlemail dot com
2015-01-12 17:52 ` [Bug stdio/17829] " jsm28 at gcc dot gnu.org
2015-01-29 13:00 ` fweimer at redhat dot com
2015-02-18 14:27 ` fweimer at redhat dot com
2015-02-18 14:33 ` carlos at redhat dot com
2015-02-18 17:26 ` nfxjfg at googlemail dot com
2020-07-07 14:54 ` cvs-commit at gcc dot gnu.org
2022-08-30 8:23 ` cvs-commit at gcc dot gnu.org
2022-08-30 8:45 ` cvs-commit at gcc dot gnu.org
2022-08-30 9:20 ` cvs-commit at gcc dot gnu.org
2022-08-30 11:07 ` cvs-commit at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).