public inbox for glibc-bugs@sourceware.org
* [Bug stdio/30039] New: __vsprintf_internal does not handle unespecified buffer length in fortify mode

From: fweimer at redhat dot com
Date: 2023-01-24 9:44 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30039

            Bug ID: 30039
           Summary: __vsprintf_internal does not handle unespecified
                    buffer length in fortify mode
           Product: glibc
           Version: 2.37
            Status: NEW
          Severity: normal
          Priority: P1
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---

From libio/iovsprintf.c:

  /* When called from fortified sprintf/vsprintf, erase the destination
     buffer and try to detect overflows.  When called from regular
     sprintf/vsprintf, do not erase the destination buffer, because known
     user code relies on this behavior (even though it's undefined by
     ISO C), nor try to detect overflows.  */
  if ((mode_flags & PRINTF_CHK) != 0)
    {
      string[0] = '\0';
      __printf_buffer_init (&buf, string, maxlen,
                            __printf_buffer_mode_sprintf_chk);
    }
  else
    {
      __printf_buffer_init (&buf, string, 0, __printf_buffer_mode_sprintf);
      buf.write_end = (char *) ~(uintptr_t) 0; /* End of address space.  */
    }

However, in some cases, this code is called for an inline expansion of sprintf where the buffer size is not known and maxlen == -1. This makes buf->write_end == buf->write_ptr - 1 (so the end is before the active write position). This causes an assertion failure in __printf_buffer_as_file_commit:

  Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end

I believe the assertion is not unreasonable, so I think we need to fix the buffer setup.

--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug stdio/30039] __vsprintf_internal does not handle unespecified buffer length in fortify mode

From: fweimer at redhat dot com
Date: 2023-01-24 9:45 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30039

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                          |Added
  ----------------------------------------------------------------------------
           Status  |NEW                              |ASSIGNED
         Assignee  |unassigned at sourceware dot org |fweimer at redhat dot com
               CC  |                                 |fweimer at redhat dot com
* [Bug stdio/30039] __vsprintf_internal does not handle unspecified buffer length in fortify mode

From: fweimer at redhat dot com
Date: 2023-01-24 9:46 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30039

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                          |Added
  ----------------------------------------------------------------------------
          Summary  |__vsprintf_internal does         |__vsprintf_internal does
                   |not handle unespecified          |not handle unspecified
                   |buffer length in fortify         |buffer length in fortify
                   |mode                             |mode
* [Bug stdio/30039] __vsprintf_internal does not handle unspecified buffer length in fortify mode

From: fweimer at redhat dot com
Date: 2023-01-24 11:33 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30039

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---

Patch posted:

  [PATCH] stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)
  <https://sourceware.org/pipermail/libc-alpha/2023-January/144931.html>
* [Bug stdio/30039] __vsprintf_internal does not handle unspecified buffer length in fortify mode

From: fweimer at redhat dot com
Date: 2023-01-25 10:19 UTC
To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30039

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                          |Added
  ----------------------------------------------------------------------------
           Status  |ASSIGNED                         |RESOLVED
       Resolution  |---                              |FIXED
            Flags  |                                 |security-
 Target Milestone  |---                              |2.37

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---

Fixed for 2.37 via:

  commit 0d50f477f47ba637b54fb03ac48d769ec4543e8d
  Author: Florian Weimer <fweimer@redhat.com>
  Date:   Wed Jan 25 08:01:00 2023 +0100

      stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)

      This shows up as an assertion failure when sprintf is called with
      a specifier like "%.8g" and libquadmath is linked in:

      Fatal glibc error: printf_buffer_as_file.c:31
      (__printf_buffer_as_file_commit): assertion failed:
      file->stream._IO_write_ptr <= file->next->write_end

      Fix this by detecting pointer wraparound in __vsprintf_internal
      and saturate the addition to the end of the address space instead.

      Reviewed-by: Carlos O'Donell <carlos@redhat.com>
      Tested-by: Carlos O'Donell <carlos@redhat.com>

Introduced in the vfprintf refactoring, so no need for backporting.
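The wraparound described in the bug report (write_end landing one byte before write_ptr when maxlen == -1) and the saturating setup described in the fix commit, as an added C example that is not glibc's code; the struct, the function names and the 32-byte buffer are constructed for the demonstration:

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the glibc printf buffer (not glibc's code): just the
   two fields the failing assertion compares. */
struct demo_buffer {
  char *write_ptr;  /* next byte to be written */
  char *write_end;  /* one past the last writable byte */
};

/* Shape of the buggy setup: write_end = string + maxlen, summed in uintptr_t so
   the wraparound is well defined here.  With maxlen == (size_t) -1, the "size
   unknown" value, the sum wraps and write_end lands one byte before write_ptr. */
static void init_unsaturated (struct demo_buffer *b, char *string, size_t maxlen)
{
  b->write_ptr = string;
  b->write_end = (char *) ((uintptr_t) string + maxlen);
}

/* The fix the commit describes: detect wraparound of the addition and saturate
   write_end to the end of the address space instead. */
static void init_saturated (struct demo_buffer *b, char *string, size_t maxlen)
{
  uintptr_t start = (uintptr_t) string;
  uintptr_t end = start + maxlen;
  if (end < start)               /* wrapped past the end of the address space */
    end = ~(uintptr_t) 0;
  b->write_ptr = string;
  b->write_end = (char *) end;
}

/* The invariant __printf_buffer_as_file_commit asserts: write_ptr <= write_end. */
static int invariant_holds (const struct demo_buffer *b)
{
  return (uintptr_t) b->write_ptr <= (uintptr_t) b->write_end;
}

/* Runs both setups on a constructed buffer with the given maxlen.  Bit 0 is set
   if the unsaturated setup keeps the invariant, bit 1 if the saturated one does.
   For maxlen == (size_t) -1 the result is 2: only the fixed setup survives. */
static int check_invariants (size_t maxlen)
{
  char string[32];
  struct demo_buffer b;
  int result = 0;
  init_unsaturated (&b, string, maxlen);
  result |= invariant_holds (&b) << 0;
  init_saturated (&b, string, maxlen);
  result |= invariant_holds (&b) << 1;
  return result;
}
```

With a real buffer size both setups agree, so the saturation changes nothing for callers that pass a known length.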