From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id BC85039484A4; Tue, 22 Mar 2022 14:29:09 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org BC85039484A4
From: "siddhesh at sourceware dot org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/28989] New: __snprintf_chk bounds check is too strict
Date: Tue, 22 Mar 2022 14:29:09 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: stdio
X-Bugzilla-Version: 2.35
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: siddhesh at sourceware dot org
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter target_milestone
Message-ID: <bug-28989-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list <glibc-bugs.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-bugs/>
List-Help: <mailto:glibc-bugs-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 14:29:09 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D28989

            Bug ID: 28989
           Summary: __snprintf_chk bounds check is too strict
           Product: glibc
           Version: 2.35
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: siddhesh at sourceware dot org
  Target Milestone: ---

__snprintf_chk aborts if the object size is less than the provide length
argument in snprintf.  While this enforces the POSIX requirement of the len=
gth
argument being the object size, there's a counter-argument that it's overri=
dden
by the C standard's lack of such a requirement.

We could resolve this by having __vsnprintf_internal accept slen too and ca=
ll
__chk_fail only if an actual overflow happens but it makes __vsnprintf_inte=
rnal
more expensive in the general case too.

from the gcc bug:

$ cat sratom.c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

int size =3D 3;
unsigned char data =3D 0xff;

int main()
{
    unsigned len =3D size * 2 + 1;
    char * str =3D __builtin_calloc(len, 1);

    for (uint32_t i =3D 0; i < size; ++i) {
      fprintf (stderr, "i=3D%i\n", i);
      snprintf((char*)str + (2 * i), len, "%02X", data);
    }

    fprintf (stderr, "R=3D%s\n", str);
}

$ gcc sratom.c -O2 -D_FORTIFY_SOURCE=3D3 && ./a.out
i=3D0
i=3D1
*** buffer overflow detected ***: terminated
Aborted (core dumped)

$ clang sratom.c -O2 -D_FORTIFY_SOURCE=3D3 && ./a.out
i=3D0
i=3D1
*** buffer overflow detected ***: terminated
Aborted (core dumped)

$ gcc-11 sratom.c -g -O2 -fsanitize=3Daddress,undefined && ./a.out=20
i=3D0
i=3D1
i=3D2
R=3DFFFFFF

--=20
You are receiving this mail because:
You are on the CC list for the bug.=