public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "carlos at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/28989] __snprintf_chk bounds check is too strict
Date: Tue, 22 Mar 2022 15:16:06 +0000 [thread overview]
Message-ID: <bug-28989-131-Tcy2GMehC7@http.sourceware.org/bugzilla/> (raw)
In-Reply-To: <bug-28989-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=28989
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |carlos at redhat dot com
--- Comment #3 from Carlos O'Donell <carlos at redhat dot com> ---
I just reviewed the language in the upcoming C2x standard (N2454) and it
remains the same in that the exact language for snprintf is ambiguous about
what happens for the bytes between the actual size of 's' and the point at
which characters start being discarded i.e. 'n-1'.
It is in my opinion a weak argument to say that because C2x is ambiguous that
we should relax the check in __snprintf_chk.
POSIX is clearer in that it states that 'n' is the size of the buffer in 's',
rather than just the point at which discarding starts to happen.
_FORTIFY_SOURCE should allow a strict bounds to catch defects where writes
occur beyond 's' but before 'n-1' which may or may not be out-of-bounds. Yes,
there may be a *practical* false-positive here if the format specifier would
not write more than the actual size of 's', and the caller did not want to
adjust 'n' because it had a runtime cost. In this case I see two scenarios:
(a) Caller doesn't adjust 'n' to match size of 's' because of runtime cost, and
relies on specifier to control how much was written to 's'.
- This is risky since in the future the specifier may change.
(b) __snprintf_chk becomes more expensive to avoid the case where another
restriction (format specifier) would prevent the overflow from happening.
Again, this seems like a weak argument. Relying on the format specifier, which
is in no way directly coupled with 'n' is a recipe for a potential future bug.
The caller may not know the size of 's', in which case it should not use
snprintf since there is no inherent benefit.
I agree with Andreas here, we can be stricter in __snprintf_chk, it is both
cheaper, and safer.
--
You are receiving this mail because:
You are on the CC list for the bug.
next prev parent reply other threads:[~2022-03-22 15:16 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-22 14:29 [Bug stdio/28989] New: " siddhesh at sourceware dot org
2022-03-22 14:30 ` [Bug stdio/28989] " siddhesh at sourceware dot org
2022-03-22 14:47 ` schwab@linux-m68k.org
2022-03-22 14:50 ` siddhesh at sourceware dot org
2022-03-22 15:16 ` carlos at redhat dot com [this message]
2022-03-22 18:21 ` dj at redhat dot com
2022-03-23 8:48 ` mliska at suse dot cz
2022-03-24 7:01 ` siddhesh at sourceware dot org
2024-01-17 19:47 ` i at maskray dot me
2024-01-18 4:58 ` sam at gentoo dot org
2024-01-26 1:50 ` gabravier at gmail dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-28989-131-Tcy2GMehC7@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).