public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "carlos at redhat dot com" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug stdio/28989] __snprintf_chk bounds check is too strict Date: Tue, 22 Mar 2022 15:16:06 +0000 [thread overview] Message-ID: <bug-28989-131-Tcy2GMehC7@http.sourceware.org/bugzilla/> (raw) In-Reply-To: <bug-28989-131@http.sourceware.org/bugzilla/> https://sourceware.org/bugzilla/show_bug.cgi?id=28989 Carlos O'Donell <carlos at redhat dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |carlos at redhat dot com --- Comment #3 from Carlos O'Donell <carlos at redhat dot com> --- I just reviewed the language in the upcoming C2x standard (N2454) and it remains the same in that the exact language for snprintf is ambiguous about what happens for the bytes between the actual size of 's' and the point at which characters start being discarded i.e. 'n-1'. It is in my opinion a weak argument to say that because C2x is ambiguous that we should relax the check in __snprintf_chk. POSIX is clearer in that it states that 'n' is the size of the buffer in 's', rather than just the point at which discarding starts to happen. _FORTIFY_SOURCE should allow a strict bounds to catch defects where writes occur beyond 's' but before 'n-1' which may or may not be out-of-bounds. Yes, there may be a *practical* false-positive here if the format specifier would not write more than the actual size of 's', and the caller did not want to adjust 'n' because it had a runtime cost. In this case I see two scenarios: (a) Caller doesn't adjust 'n' to match size of 's' because of runtime cost, and relies on specifier to control how much was written to 's'. - This is risky since in the future the specifier may change. (b) __snprintf_chk becomes more expensive to avoid the case where another restriction (format specifier) would prevent the overflow from happening. Again, this seems like a weak argument. Relying on the format specifier, which is in no way directly coupled with 'n' is a recipe for a potential future bug. The caller may not know the size of 's', in which case it should not use snprintf since there is no inherent benefit. I agree with Andreas here, we can be stricter in __snprintf_chk, it is both cheaper, and safer. -- You are receiving this mail because: You are on the CC list for the bug.
next prev parent reply other threads:[~2022-03-22 15:16 UTC|newest] Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-03-22 14:29 [Bug stdio/28989] New: " siddhesh at sourceware dot org 2022-03-22 14:30 ` [Bug stdio/28989] " siddhesh at sourceware dot org 2022-03-22 14:47 ` schwab@linux-m68k.org 2022-03-22 14:50 ` siddhesh at sourceware dot org 2022-03-22 15:16 ` carlos at redhat dot com [this message] 2022-03-22 18:21 ` dj at redhat dot com 2022-03-23 8:48 ` mliska at suse dot cz 2022-03-24 7:01 ` siddhesh at sourceware dot org 2024-01-17 19:47 ` i at maskray dot me 2024-01-18 4:58 ` sam at gentoo dot org 2024-01-26 1:50 ` gabravier at gmail dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-28989-131-Tcy2GMehC7@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).