public inbox for glibc-bugs@sourceware.org
* [Bug nscd/30795] New: avoid snprintf using %n to generate coredump when F_S=2 is enabled
@ 2023-08-24 13:52 zhanghao383 at huawei dot com
  2023-08-24 15:01 ` [Bug nscd/30795] " sam at gentoo dot org
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: zhanghao383 at huawei dot com @ 2023-08-24 13:52 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30795

            Bug ID: 30795
           Summary: avoid snprintf using %n to generate coredump when
                    F_S=2 is enabled
           Product: glibc
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: nscd
          Assignee: unassigned at sourceware dot org
          Reporter: zhanghao383 at huawei dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 15084
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15084&action=edit
coredump details

Recently, we found that two coredumps occurred when nscd called the snprintf
function using %n with F_S=2 set; the two call stacks give the following prompt:
*** %n in writable segment detected ***
The input parameters of the two call stacks look normal.
Involved version: glibc 2.34

We use a simple test case to verify it:
#include <stdio.h>
#include <string.h>

int main (void)
{
  char fmtstring[10];   /* the format string lives in a writable stack buffer */
  char buf[100];
  int count = -1;

  /* %n stores the number of bytes written so far into &count; with
     _FORTIFY_SOURCE=2 glibc aborts because the format is not read-only.  */
  strcpy (fmtstring, "%d%n");
  snprintf (buf, 100, fmtstring, 123, &count);
  return 0;
}
when compiling with
gcc snprintf_test.c -fstack-protector -Wall -Wformat -Wformat-security
-D_FORTIFY_SOURCE=2 -O2 -o snprintf_test -g
./snprintf_test
*** %n in writable segment detected ***
Aborted (core dumped)

when compiling with
gcc snprintf_test.c -fstack-protector -Wall -Wformat -Wformat-security -O2
-o snprintf_test -g
./snprintf_test
no core dump

We move the offset calculation out of the snprintf call as a replacement:
From 4816192ca348e55b7b1d33feac9298d5b0ffb04c Mon Sep 17 00:00:00 2001
From: zhanghao<zhanghao383@huawei.com>
Date: Mon, 21 Aug 2023 15:39:56 +0800
Subject: [PATCH] Avoid snprintf using %n to generate coredump when F_S=2 is
enabled

In nscd, F_S=2 was added in 233399bce2e79e5af3b344782e9943d5f1a9cdcb just for
warn_if_unused warnings rather than anything substantial.

When F_S=2 is set, snprintf() using %n generates a coredump and gives the
following prompt:

*** %n in writable segment detected ***

It is not recommended to use %n to calculate the length of the string in the
snprintf function. We move the calculation logic out of the snprintf call as a
replacement.

---
nscd/grpcache.c | 5 +++--
nscd/pwdcache.c | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/nscd/grpcache.c b/nscd/grpcache.c
index 457ca4d8..d7200f4e 100644
--- a/nscd/grpcache.c
+++ b/nscd/grpcache.c
@@ -176,8 +176,9 @@ cache_addgr (struct database_dyn *db, int fd,
request_header *req,

       /* We need this to insert the `bygid' entry.  */
       int key_offset;
-      n = snprintf (buf, buf_len, "%d%c%n%s", grp->gr_gid, '\0',
-                   &key_offset, (char *) key) + 1;
+      n = snprintf (buf, buf_len, "%d%c%s", grp->gr_gid, '\0',
+                   (char *) key) + 1;
+      key_offset = n - strlen((char *) key)- 1;

       /* Determine the length of all members.  */
       while (grp->gr_mem[gr_mem_cnt])
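
Review bot: the new line `key_offset = n - strlen((char *) key)- 1;` is only correct because `n` already carries the `+ 1` added on the line above (so the result is the length of the gid digits plus the '\0' written by %c); a one-line comment stating that would spare the next reader the arithmetic. The spacing also departs from the GNU style used by the surrounding `snprintf (buf, ...)` calls: write `strlen ((char *) key) - 1`. Since the function receives `request_header *req` (visible in the hunk header), check whether the request already carries the key length and reuse it instead of rescanning the key with strlen.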
diff --git a/nscd/pwdcache.c b/nscd/pwdcache.c
index dfafb526..37dd402f 100644
--- a/nscd/pwdcache.c
+++ b/nscd/pwdcache.c
@@ -180,8 +180,9 @@ cache_addpw (struct database_dyn *db, int fd,
request_header *req,

       /* We need this to insert the `byuid' entry.  */
       int key_offset;
-      n = snprintf (buf, buf_len, "%d%c%n%s", pwd->pw_uid, '\0',
-                   &key_offset, (char *) key) + 1;
+      n = snprintf (buf, buf_len, "%d%c%s", pwd->pw_uid, '\0',
+                   (char *) key) + 1;
+      key_offset = n - strlen((char *) key) - 1;

       total = (offsetof (struct dataset, strdata)
               + pw_name_len + pw_passwd_len
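
Review bot: this arithmetic depends on snprintf's return value, which is the length that would have been written even when `buf_len` truncates the output, so under truncation both `n` and the derived `key_offset` describe bytes that are not in `buf`. The old form had the same dependence on `n` for the total, so this is not a regression, but a comment (or an assert) recording the assumption that `buf_len` always suffices would document it, and the same comment should go into grpcache.c for symmetry. Separately, the commit message attributes the abort to %n itself, while the diagnostic quoted in the report ("%n in writable segment detected") is raised for a format string that sits in writable memory; the format here is a string literal, so the message should explain how that check is reached in nscd (the repro in the report copies its format into a stack buffer, which is a different case).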
--
2.33.0

-- 
You are receiving this mail because:
You are on the CC list for the bug.

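
The record layout that both hunks above build is "<id>\0<key>\0", with the key's byte offset recorded so it can be used as a second lookup key. The following program is an added example, not code from the bug report or from glibc's nscd: it packs such a record two ways, with %n in a string-literal format (read-only memory, so the _FORTIFY_SOURCE check is satisfied) and with the %n-free arithmetic of the proposed patch, checks that both agree, and rejects the record when it does not fit, which the patch's arithmetic does not do on its own. The function names, the sample ids and keys, and the truncation handling are this example's own assumptions; `fortify_level ()` reads glibc's `__USE_FORTIFY_LEVEL` so a reader can confirm what their own build of the example enabled.

```c
/* Added example (not part of the bug report or of glibc's nscd): pack
   "<id>\0<key>\0" into a buffer and recover the offset of <key> with and
   without %n.  Names, sample data and the truncation policy are assumptions
   of this example.  */
#include <stdio.h>
#include <string.h>

#ifdef __USE_FORTIFY_LEVEL
# define FORTIFY_LEVEL __USE_FORTIFY_LEVEL   /* glibc: 0, 1, 2 or 3 */
#else
# define FORTIFY_LEVEL 0                     /* non-glibc: unknown, report 0 */
#endif

/* Fortification level this translation unit was compiled with.  */
int fortify_level (void)
{
  return FORTIFY_LEVEL;
}

/* %n form: the format is a string literal, so it lives in read-only memory
   and the fortify "%n in writable segment" check passes.  Returns the record
   size including the trailing NUL, or -1 when it did not fit in buf_len.  */
int pack_with_n (char *buf, size_t buf_len, int id, const char *key,
                 int *key_offset)
{
  int n = snprintf (buf, buf_len, "%d%c%n%s", id, '\0', key_offset, key) + 1;
  if (n < 1 || (size_t) n > buf_len)
    return -1;
  return n;
}

/* %n-free form (the patch's approach): derive the key offset from the
   return value.  snprintf reports the length that *would* have been written,
   so the arithmetic is only meaningful when the record fit, hence the check
   before it is used.  */
int pack_without_n (char *buf, size_t buf_len, int id, const char *key,
                    int *key_offset)
{
  int n = snprintf (buf, buf_len, "%d%c%s", id, '\0', key) + 1;
  if (n < 1 || (size_t) n > buf_len)
    return -1;
  /* n = strlen (id digits) + 1 (the '\0' from %c) + strlen (key) + 1 (NUL).  */
  *key_offset = n - (int) strlen (key) - 1;
  return n;
}

/* Key offset of a record packed into buf_len bytes (capped at 64 here),
   or -1 when the record does not fit.  */
int key_offset_for (int id, const char *key, size_t buf_len)
{
  char buf[64];
  int off = -1;
  if (buf_len > sizeof buf)
    buf_len = sizeof buf;
  return pack_without_n (buf, buf_len, id, key, &off) < 0 ? -1 : off;
}

/* Cross-check: both packers yield the same bytes and the same offset, and
   the key is readable as a C string at that offset.  */
int offsets_agree (int id, const char *key)
{
  char a[64], b[64];
  int off_a = -1, off_b = -1;
  int n_a = pack_with_n (a, sizeof a, id, key, &off_a);
  int n_b = pack_without_n (b, sizeof b, id, key, &off_b);
  if (n_a < 0 || n_b < 0 || n_a != n_b || off_a != off_b)
    return 0;
  return memcmp (a, b, (size_t) n_a) == 0 && strcmp (a + off_a, key) == 0;
}

int main (void)
{
  char buf[64];
  int off = -1;
  int n = pack_without_n (buf, sizeof buf, 123, "users", &off);
  /* Constructed sample: id 123, key "users" -> 10-byte record, key at 4.  */
  printf ("fortify level %d, record %d bytes, key at offset %d: \"%s\"\n",
          fortify_level (), n, off, buf + off);
  return offsets_agree (123, "users") ? 0 : 1;
}
```

Build it once with -D_FORTIFY_SOURCE=2 -O2 and once without: the literal format keeps the %n variant alive under fortify, which is exactly the case nscd's literal "%d%c%n%s" was in, while the report's repro only aborts because its format was copied into a writable buffer. The truncation check is the part the patch's arithmetic does not carry: once `n` exceeds `buf_len`, the computed offset points past what was actually stored.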

* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled
From: sam at gentoo dot org @ 2023-08-24 15:01 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30795

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org

--- Comment #1 from Sam James <sam at gentoo dot org> ---
Could you send the patch to the mailing list (libc-alpha) please? Thanks.



* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled
From: zhanghao383 at huawei dot com @ 2023-08-25  2:29 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30795

zhanghao (ES) <zhanghao383 at huawei dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zhanghao383 at huawei dot com

--- Comment #2 from zhanghao (ES) <zhanghao383 at huawei dot com> ---
Created attachment 15086
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15086&action=edit
Avoid_snprintf_using_%n_to_generate_coredump_when_F_S=2_is_enabled

Avoid snprintf using %n to generate coredump when F_S=2 is enabled



* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled
From: zhanghao383 at huawei dot com @ 2023-08-25  2:36 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30795

--- Comment #3 from zhanghao (ES) <zhanghao383 at huawei dot com> ---
And we find that with patch 5b61880ba3a0367f8969e028cb2cfe80d6eda8ab applied,
the compilation log shows (in part):
[  114s] gcc pwdcache.c -c -std=gnu11 -fgnu89-inline  -O2 -g -DNDEBUG
-Wp,-D_GLIBCXX_ASSERTIONS -m64 -mtune=generic -fasynchronous-unwind-tables
-fstack-clash-protection -Wall -Wwrite-strings -Wundef -fmerge-all-constants
-frounding-math -fstack-protector-strong -fno-common -Wstrict-prototypes
-Wold-style-definition -fmath-errno -DHAVE_EPOLL -DHAVE_INOTIFY -DHAVE_NETLINK 
-fpie -fcf-protection    -fpie  -U_FORTIFY_SOURCE   -I../include
-I/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd 
-I/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux 
-I../sysdeps/unix/sysv/linux/x86_64/64  -I../sysdeps/unix/sysv/linux/x86_64 
-I../sysdeps/unix/sysv/linux/x86/include -I../sysdeps/unix/sysv/linux/x86 
-I../sysdeps/x86/nptl  -I../sysdeps/unix/sysv/linux/wordsize-64 
-I../sysdeps/x86_64/nptl  -I../sysdeps/unix/sysv/linux/include
-I../sysdeps/unix/sysv/linux  -I../sysdeps/nptl  -I../sysdeps/pthread 
-I../sysdeps/gnu  -I../sysdeps/unix/inet  -I../sysdeps/unix/sysv 
-I../sysdeps/unix/x86_64  -I../sysdeps/unix  -I../sysdeps/posix 
-I../sysdeps/x86_64/64  -I../sysdeps/x86_64/fpu/multiarch 
-I../sysdeps/x86_64/fpu  -I../sysdeps/x86/fpu  -I../sysdeps/x86_64/multiarch 
-I../sysdeps/x86_64  -I../sysdeps/x86/include -I../sysdeps/x86 
-I../sysdeps/ieee754/float128  -I../sysdeps/ieee754/ldbl-96/include
-I../sysdeps/ieee754/ldbl-96  -I../sysdeps/ieee754/dbl-64 
-I../sysdeps/ieee754/flt-32  -I../sysdeps/wordsize-64  -I../sysdeps/ieee754 
-I../sysdeps/generic  -I.. -I../libio -I. -nostdinc -isystem
/usr/lib/gcc/x86_64-linux-gnu/10.3.1/include -isystem /usr/include
-D_LIBC_REENTRANT -include
/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/libc-modules.h
-DMODULE_NAME=nscd -include ../include/libc-symbols.h  -DPIC    
-DTOP_NAMESPACE=glibc -o
/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd/pwdcache.o
-MD -MP -MF
/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd/pwdcache.o.dt
-MT
/home/abuild/rpmbuild/BUILD/glibc-2.34/build-x86_64-openEuler-linux/nscd/pwdcache.o

We found that -D_FORTIFY_SOURCE=2 is missing; won't removing
-D_FORTIFY_SOURCE=2 for the nscd module introduce security issues?



* [Bug nscd/30795] avoid snprintf using %n to generate coredump when F_S=2 is enabled
From: zhanghao383 at huawei dot com @ 2023-08-25  2:51 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30795

--- Comment #4 from zhanghao (ES) <zhanghao383 at huawei dot com> ---
(In reply to Sam James from comment #1)
> Could you send the patch to the mailing list (libc-alpha) please? Thanks.

The patch has been sent to the libc-alpha@sourceware.org mailing list.


