public inbox for glibc-bugs@sourceware.org help / color / mirror / Atom feed
* [Bug nscd/30795] New: avoid snprintf using %n to generate coredump when F_S=2 is enabled @ 2023-08-24 13:52 zhanghao383 at huawei dot com 2023-08-24 15:01 ` [Bug nscd/30795] " sam at gentoo dot org ` (3 more replies) 0 siblings, 4 replies; 5+ messages in thread From: zhanghao383 at huawei dot com @ 2023-08-24 13:52 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30795 Bug ID: 30795 Summary: avoid snprintf using %n to generate coredump when F_S=2 is enabled Product: glibc Version: 2.34 Status: UNCONFIRMED Severity: normal Priority: P2 Component: nscd Assignee: unassigned at sourceware dot org Reporter: zhanghao383 at huawei dot com CC: drepper.fsp at gmail dot com Target Milestone: --- Created attachment 15084 --> https://sourceware.org/bugzilla/attachment.cgi?id=15084&action=edit coredump details Recently, we found that two coredump occurred when nscd involved calling the snprintf function and using %n and F_S=2 is set, the following two call stacks: and give the following prompt: *** %n in writable segment detected *** And the input parameters of the two call stacks look normal. Involved version: glibc 2.34 We use a simple test case to verify it: #include <stdio.h> #include <string.h> int main () { char fmtstring[10]; char buf[100]; int count = -1; strcpy (fmtstring, "%d%n"); snprintf (buf, 100, fmtstring, 123, &count); return 0; } when compiling with gcc snprintf_test.c -fstack-protector -Wall -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -O2 -o snprintf_test -g ./ snprintf_test *** %n in writable segment detected *** Aborted (core dumped) when compiling with gcc snprintf_test.c -fstack-protector -Wall -Wformat -Wformat-security -O2 -o snprintf_test -g ./ snprintf_test no core dumped We strip the calculation logic outside the snprintf function for replacement: From 4816192ca348e55b7b1d33feac9298d5b0ffb04c Mon Sep 17 00:00:00 2001 From: zhanghao<zhanghao383@huawei.com> Date: Mon, 21 Aug 2023 15:39:56 +0800 Subject: [PATCH] Avoid snprintf using %n to generate coredump when F_S=2 is enabled In nscd, F_S=2 added in 233399bce2e79e5af3b344782e9943d5f1a9cdcb just for warn_if_unused warnings rather than anything substantial. When F_S=2 is set, and snprintf() using %n will generate coredump and give the following prompt: *** %n in writable segment detected *** It is not recommended to use %n to calculate the length of the string in the snprintf function. We strip the calculation logic outside the snprintf function for replacement. --- nscd/grpcache.c | 5 +++-- nscd/pwdcache.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/nscd/grpcache.c b/nscd/grpcache.c index 457ca4d8..d7200f4e 100644 --- a/nscd/grpcache.c +++ b/nscd/grpcache.c @@ -176,8 +176,9 @@ cache_addgr (struct database_dyn *db, int fd, request_header *req, /* We need this to insert the `bygid' entry. */ int key_offset; - n = snprintf (buf, buf_len, "%d%c%n%s", grp->gr_gid, '\0', - &key_offset, (char *) key) + 1; + n = snprintf (buf, buf_len, "%d%c%s", grp->gr_gid, '\0', + (char *) key) + 1; + key_offset = n - strlen((char *) key)- 1; /* Determine the length of all members. */ while (grp->gr_mem[gr_mem_cnt]) diff --git a/nscd/pwdcache.c b/nscd/pwdcache.c index dfafb526..37dd402f 100644 --- a/nscd/pwdcache.c +++ b/nscd/pwdcache.c @@ -180,8 +180,9 @@ cache_addpw (struct database_dyn *db, int fd, request_header *req, /* We need this to insert the `byuid' entry. */ int key_offset; - n = snprintf (buf, buf_len, "%d%c%n%s", pwd->pw_uid, '\0', - &key_offset, (char *) key) + 1; + n = snprintf (buf, buf_len, "%d%c%s", pwd->pw_uid, '\0', + (char *) key) + 1; + key_offset = n - strlen((char *) key) - 1; total = (offsetof (struct dataset, strdata) + pw_name_len + pw_passwd_len -- 2.33.0 -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled 2023-08-24 13:52 [Bug nscd/30795] New: avoid snprintf using %n to generate coredump when F_S=2 is enabled zhanghao383 at huawei dot com @ 2023-08-24 15:01 ` sam at gentoo dot org 2023-08-25 2:29 ` zhanghao383 at huawei dot com ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: sam at gentoo dot org @ 2023-08-24 15:01 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30795 Sam James <sam at gentoo dot org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sam at gentoo dot org --- Comment #1 from Sam James <sam at gentoo dot org> --- Could you send the patch to the mailing list (libc-alpha) please? Thanks. -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled 2023-08-24 13:52 [Bug nscd/30795] New: avoid snprintf using %n to generate coredump when F_S=2 is enabled zhanghao383 at huawei dot com 2023-08-24 15:01 ` [Bug nscd/30795] " sam at gentoo dot org @ 2023-08-25 2:29 ` zhanghao383 at huawei dot com 2023-08-25 2:36 ` zhanghao383 at huawei dot com 2023-08-25 2:51 ` zhanghao383 at huawei dot com 3 siblings, 0 replies; 5+ messages in thread From: zhanghao383 at huawei dot com @ 2023-08-25 2:29 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30795 zhanghao (ES) <zhanghao383 at huawei dot com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |zhanghao383 at huawei dot com --- Comment #2 from zhanghao (ES) <zhanghao383 at huawei dot com> --- Created attachment 15086 --> https://sourceware.org/bugzilla/attachment.cgi?id=15086&action=edit Avoid_snprintf_using_%n_to_generate_coredump_when_F_S=2_is_enabled Avoid snprintf using %n to generate coredump when F_S=2 is enabled -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled 2023-08-24 13:52 [Bug nscd/30795] New: avoid snprintf using %n to generate coredump when F_S=2 is enabled zhanghao383 at huawei dot com 2023-08-24 15:01 ` [Bug nscd/30795] " sam at gentoo dot org 2023-08-25 2:29 ` zhanghao383 at huawei dot com @ 2023-08-25 2:36 ` zhanghao383 at huawei dot com 2023-08-25 2:51 ` zhanghao383 at huawei dot com 3 siblings, 0 replies; 5+ messages in thread From: zhanghao383 at huawei dot com @ 2023-08-25 2:36 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30795 --- Comment #3 from zhanghao (ES) <zhanghao383 at huawei dot com> --- and we find if patch 5b61880ba3a0367f8969e028cb2cfe80d6eda8ab, then check the compilation log: part: [ 114s] gcc pwdcache.c -c -std=gnu11 -fgnu89-inline -O2 -g -DNDEBUG -Wp,-D_GLIBCXX_ASSERTIONS -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -Wall -Wwrite-strings -Wundef -fmerge-all-constants -frounding-math -fstack-protector-strong -fno-common -Wstrict-prototypes -Wold-style-definition -fmath-errno -DHAVE_EPOLL -DHAVE_INOTIFY -DHAVE_NETLINK -fpie -fcf-protection -fpie -U_FORTIFY_SOURCE -I../include -I/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd -I/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux -I../sysdeps/unix/sysv/linux/x86_64/64 -I../sysdeps/unix/sysv/linux/x86_64 -I../sysdeps/unix/sysv/linux/x86/include -I../sysdeps/unix/sysv/linux/x86 -I../sysdeps/x86/nptl -I../sysdeps/unix/sysv/linux/wordsize-64 -I../sysdeps/x86_64/nptl -I../sysdeps/unix/sysv/linux/include -I../sysdeps/unix/sysv/linux -I../sysdeps/nptl -I../sysdeps/pthread -I../sysdeps/gnu -I../sysdeps/unix/inet -I../sysdeps/unix/sysv -I../sysdeps/unix/x86_64 -I../sysdeps/unix -I../sysdeps/posix -I../sysdeps/x86_64/64 -I../sysdeps/x86_64/fpu/multiarch -I../sysdeps/x86_64/fpu -I../sysdeps/x86/fpu -I../sysdeps/x86_64/multiarch -I../sysdeps/x86_64 -I../sysdeps/x86/include -I../sysdeps/x86 -I../sysdeps/ieee754/float128 -I../sysdeps/ieee754/ldbl-96/include -I../sysdeps/ieee754/ldbl-96 -I../sysdeps/ieee754/dbl-64 -I../sysdeps/ieee754/flt-32 -I../sysdeps/wordsize-64 -I../sysdeps/ieee754 -I../sysdeps/generic -I.. -I../libio -I. -nostdinc -isystem /usr/lib/gcc/x86_64-linux-gnu/10.3.1/include -isystem /usr/include -D_LIBC_REENTRANT -include /home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/libc-modules.h -DMODULE_NAME=nscd -include ../include/libc-symbols.h -DPIC -DTOP_NAMESPACE=glibc -o /home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd/pwdcache.o -MD -MP -MF /home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd/pwdcache.o.dt -MT /home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd/pwdcache.o We found that -D_FORTIFY_SOURCE=2 is missing, won't removing -D_FORTIFY_SOURCE=2 for nscd module introduce security issues? -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled 2023-08-24 13:52 [Bug nscd/30795] New: avoid snprintf using %n to generate coredump when F_S=2 is enabled zhanghao383 at huawei dot com ` (2 preceding siblings ...) 2023-08-25 2:36 ` zhanghao383 at huawei dot com @ 2023-08-25 2:51 ` zhanghao383 at huawei dot com 3 siblings, 0 replies; 5+ messages in thread From: zhanghao383 at huawei dot com @ 2023-08-25 2:51 UTC (permalink / raw) To: glibc-bugs https://sourceware.org/bugzilla/show_bug.cgi?id=30795 --- Comment #4 from zhanghao (ES) <zhanghao383 at huawei dot com> --- (In reply to Sam James from comment #1) > Could you send the patch to the mailing list (libc-alpha) please? Thanks. Patch has been sent to mailbox libc-alpha@sourceware.org -- You are receiving this mail because: You are on the CC list for the bug. ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-08-25 2:51 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2023-08-24 13:52 [Bug nscd/30795] New: avoid snprintf using %n to generate coredump when F_S=2 is enabled zhanghao383 at huawei dot com 2023-08-24 15:01 ` [Bug nscd/30795] " sam at gentoo dot org 2023-08-25 2:29 ` zhanghao383 at huawei dot com 2023-08-25 2:36 ` zhanghao383 at huawei dot com 2023-08-25 2:51 ` zhanghao383 at huawei dot com
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).