public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
From: "siddhesh at sourceware dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/28989] New: __snprintf_chk bounds check is too strict
Date: Tue, 22 Mar 2022 14:29:09 +0000 [thread overview]
Message-ID: <bug-28989-131@http.sourceware.org/bugzilla/> (raw)
https://sourceware.org/bugzilla/show_bug.cgi?id=28989
Bug ID: 28989
Summary: __snprintf_chk bounds check is too strict
Product: glibc
Version: 2.35
Status: NEW
Severity: normal
Priority: P2
Component: stdio
Assignee: unassigned at sourceware dot org
Reporter: siddhesh at sourceware dot org
Target Milestone: ---
__snprintf_chk aborts if the object size is less than the provide length
argument in snprintf. While this enforces the POSIX requirement of the length
argument being the object size, there's a counter-argument that it's overridden
by the C standard's lack of such a requirement.
We could resolve this by having __vsnprintf_internal accept slen too and call
__chk_fail only if an actual overflow happens but it makes __vsnprintf_internal
more expensive in the general case too.
from the gcc bug:
$ cat sratom.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
int size = 3;
unsigned char data = 0xff;
int main()
{
unsigned len = size * 2 + 1;
char * str = __builtin_calloc(len, 1);
for (uint32_t i = 0; i < size; ++i) {
fprintf (stderr, "i=%i\n", i);
snprintf((char*)str + (2 * i), len, "%02X", data);
}
fprintf (stderr, "R=%s\n", str);
}
$ gcc sratom.c -O2 -D_FORTIFY_SOURCE=3 && ./a.out
i=0
i=1
*** buffer overflow detected ***: terminated
Aborted (core dumped)
$ clang sratom.c -O2 -D_FORTIFY_SOURCE=3 && ./a.out
i=0
i=1
*** buffer overflow detected ***: terminated
Aborted (core dumped)
$ gcc-11 sratom.c -g -O2 -fsanitize=address,undefined && ./a.out
i=0
i=1
i=2
R=FFFFFF
--
You are receiving this mail because:
You are on the CC list for the bug.
next reply other threads:[~2022-03-22 14:29 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-22 14:29 siddhesh at sourceware dot org [this message]
2022-03-22 14:30 ` [Bug stdio/28989] " siddhesh at sourceware dot org
2022-03-22 14:47 ` schwab@linux-m68k.org
2022-03-22 14:50 ` siddhesh at sourceware dot org
2022-03-22 15:16 ` carlos at redhat dot com
2022-03-22 18:21 ` dj at redhat dot com
2022-03-23 8:48 ` mliska at suse dot cz
2022-03-24 7:01 ` siddhesh at sourceware dot org
2024-01-17 19:47 ` i at maskray dot me
2024-01-18 4:58 ` sam at gentoo dot org
2024-01-26 1:50 ` gabravier at gmail dot com
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-28989-131@http.sourceware.org/bugzilla/ \
--to=sourceware-bugzilla@sourceware.org \
--cc=glibc-bugs@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).