From: "Volker Weißmann" <volker.weissmann@gmx.de>
To: Siddhesh Poyarekar <siddhesh@gotplt.org>, libc-alpha@sourceware.org
Cc: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Subject: Re: [PATCH v3] Fix FORTIFY_SOURCE false positive
Date: Wed, 4 Oct 2023 16:43:39 +0200 [thread overview]
Message-ID: <74fc573f-e83e-4383-af94-95f49d9ea1b2@gmx.de> (raw)
In-Reply-To: <a83b52e1-951c-d22b-9156-bbc20963ac7c@gotplt.org>
I thought about my patch again...
If an attacker can make the victim-program leak file descriptors, this
can be used to defeat string fortification.
Since leaking file-descriptors is normally not that bad (normally, it
cannot lead to anything worse than a DOS), programmers/security auditors
might be less careful in ensuring that no fd leaks.
It doesn't even have to be a true leak, image if e.g. the attacker
controls python code that runs inside an interpreter that does some
sandboxing. Then the attacker could do something like:
with open("/dev/zero") as file1:
with open("/dev/zero") as file2:
...
with open("/dev/zero") as file1023:
trigger_formatstring_bug_in_the_python_interpreter()
to break out of the sandbox.
I know I'm being a bit paranoid, but glibc is used *everywhere*.
I think instead of "return 1;" we should do
__libc_fatal ("*** too many open file descriptors ***\n");
instead.
On 03.10.23 19:25, Siddhesh Poyarekar wrote:
> On 2023-10-03 13:18, Volker Weißmann wrote:
>> When -D_FORTIFY_SOURCE=2 was given during compilation,
>> sprintf and similar functions will check if their
>> first argument is in read-only memory and exit with
>> *** %n in writable segment detected ***
>> otherwise. To check if the memory is read-only, glibc
>> reads frpm the file "/proc/self/maps". If opening this
>> file fails due to too many open files (EMFILE), glibc
>> will now ignore this error.
>>
>> Fixes [BZ #30932]
>>
>> Signed-off-by: Volker Weißmann <volker.weissmann@gmx.de>
>> ---
>
> Thanks! LGTM.
>
> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
>
> Adhemerval, could you please add this with your test case patch and
> send it as a series? I can then review that too.
>
> Thanks,
> Sid
>
>> sysdeps/unix/sysv/linux/readonly-area.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/sysdeps/unix/sysv/linux/readonly-area.c
>> b/sysdeps/unix/sysv/linux/readonly-area.c
>> index edc68873f6..ba32372ebb 100644
>> --- a/sysdeps/unix/sysv/linux/readonly-area.c
>> +++ b/sysdeps/unix/sysv/linux/readonly-area.c
>> @@ -42,7 +42,9 @@ __readonly_area (const char *ptr, size_t size)
>> to the /proc filesystem if it is set[ug]id. There has
>> been no willingness to change this in the kernel so
>> far. */
>> - || errno == EACCES)
>> + || errno == EACCES
>> + /* Process has reached the maximum number of open files. */
>> + || errno == EMFILE)
>> return 1;
>> return -1;
>> }
>> --
>> 2.42.0
>>
next prev parent reply other threads:[~2023-10-04 14:43 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 17:18 Volker Weißmann
2023-10-03 17:25 ` Siddhesh Poyarekar
2023-10-03 18:13 ` [PATCH] debug: Add regression tests for BZ 30932 Adhemerval Zanella
2023-10-03 18:48 ` Siddhesh Poyarekar
2023-10-04 14:43 ` Volker Weißmann [this message]
2023-10-04 16:57 ` [PATCH v3] Fix FORTIFY_SOURCE false positive Adhemerval Zanella Netto
2023-10-04 17:08 ` Siddhesh Poyarekar
2023-10-04 14:51 ` Andreas Schwab
2023-10-04 15:44 ` Volker Weißmann
2023-10-04 17:36 ` Florian Weimer
2023-10-04 17:45 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74fc573f-e83e-4383-af94-95f49d9ea1b2@gmx.de \
--to=volker.weissmann@gmx.de \
--cc=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).