public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
From: "siddhesh at sourceware dot org" <sourceware-bugzilla@sourceware.org> To: glibc-bugs@sourceware.org Subject: [Bug stdio/28989] New: __snprintf_chk bounds check is too strict Date: Tue, 22 Mar 2022 14:29:09 +0000 [thread overview] Message-ID: <bug-28989-131@http.sourceware.org/bugzilla/> (raw) https://sourceware.org/bugzilla/show_bug.cgi?id=28989 Bug ID: 28989 Summary: __snprintf_chk bounds check is too strict Product: glibc Version: 2.35 Status: NEW Severity: normal Priority: P2 Component: stdio Assignee: unassigned at sourceware dot org Reporter: siddhesh at sourceware dot org Target Milestone: --- __snprintf_chk aborts if the object size is less than the provide length argument in snprintf. While this enforces the POSIX requirement of the length argument being the object size, there's a counter-argument that it's overridden by the C standard's lack of such a requirement. We could resolve this by having __vsnprintf_internal accept slen too and call __chk_fail only if an actual overflow happens but it makes __vsnprintf_internal more expensive in the general case too. from the gcc bug: $ cat sratom.c #include <stdint.h> #include <stdio.h> #include <stdlib.h> int size = 3; unsigned char data = 0xff; int main() { unsigned len = size * 2 + 1; char * str = __builtin_calloc(len, 1); for (uint32_t i = 0; i < size; ++i) { fprintf (stderr, "i=%i\n", i); snprintf((char*)str + (2 * i), len, "%02X", data); } fprintf (stderr, "R=%s\n", str); } $ gcc sratom.c -O2 -D_FORTIFY_SOURCE=3 && ./a.out i=0 i=1 *** buffer overflow detected ***: terminated Aborted (core dumped) $ clang sratom.c -O2 -D_FORTIFY_SOURCE=3 && ./a.out i=0 i=1 *** buffer overflow detected ***: terminated Aborted (core dumped) $ gcc-11 sratom.c -g -O2 -fsanitize=address,undefined && ./a.out i=0 i=1 i=2 R=FFFFFF -- You are receiving this mail because: You are on the CC list for the bug.
next reply other threads:[~2022-03-22 14:29 UTC|newest] Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-03-22 14:29 siddhesh at sourceware dot org [this message] 2022-03-22 14:30 ` [Bug stdio/28989] " siddhesh at sourceware dot org 2022-03-22 14:47 ` schwab@linux-m68k.org 2022-03-22 14:50 ` siddhesh at sourceware dot org 2022-03-22 15:16 ` carlos at redhat dot com 2022-03-22 18:21 ` dj at redhat dot com 2022-03-23 8:48 ` mliska at suse dot cz 2022-03-24 7:01 ` siddhesh at sourceware dot org 2024-01-17 19:47 ` i at maskray dot me 2024-01-18 4:58 ` sam at gentoo dot org 2024-01-26 1:50 ` gabravier at gmail dot com
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=bug-28989-131@http.sourceware.org/bugzilla/ \ --to=sourceware-bugzilla@sourceware.org \ --cc=glibc-bugs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).