From mboxrd@z Thu Jan 1 00:00:00 1970
From: Volker Weißmann
To: Siddhesh Poyarekar, libc-alpha@sourceware.org
Cc: Adhemerval Zanella
Subject: Re: [PATCH v3] Fix FORTIFY_SOURCE false positive
Date: Wed, 4 Oct 2023 16:43:39 +0200
Message-ID: <74fc573f-e83e-4383-af94-95f49d9ea1b2@gmx.de>
References: <20231003171844.9586-1-volker.weissmann@gmx.de>

I thought about my patch again... If an attacker can make the victim program leak file descriptors, this can be used to defeat string fortification.
Since leaking file descriptors is normally not that bad (normally, it cannot lead to anything worse than a DoS), programmers/security auditors might be less careful in ensuring that no fd leaks. It doesn't even have to be a true leak; imagine, e.g., that the attacker controls Python code that runs inside an interpreter that does some sandboxing. Then the attacker could do something like:

with open("/dev/zero") as file1:
    with open("/dev/zero") as file2:
    ...
        with open("/dev/zero") as file1023:
            trigger_formatstring_bug_in_the_python_interpreter()

to break out of the sandbox. I know I'm being a bit paranoid, but glibc is used *everywhere*. I think instead of "return 1;" we should do __libc_fatal ("*** too many open file descriptors ***\n");

On 03.10.23 19:25, Siddhesh Poyarekar wrote:
> On 2023-10-03 13:18, Volker Weißmann wrote:
>> When -D_FORTIFY_SOURCE=2 was given during compilation,
>> sprintf and similar functions will check if their
>> first argument is in read-only memory and exit with
>> *** %n in writable segment detected ***
>> otherwise. To check if the memory is read-only, glibc
>> reads from the file "/proc/self/maps". If opening this
>> file fails due to too many open files (EMFILE), glibc
>> will now ignore this error.
>>
>> Fixes [BZ #30932]
>>
>> Signed-off-by: Volker Weißmann
>> ---
>
> Thanks!  LGTM.
>
> Reviewed-by: Siddhesh Poyarekar
>
> Adhemerval, could you please add this with your test case patch and
> send it as a series?  I can then review that too.
>
> Thanks,
> Sid
>
>>  sysdeps/unix/sysv/linux/readonly-area.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/sysdeps/unix/sysv/linux/readonly-area.c
>> b/sysdeps/unix/sysv/linux/readonly-area.c
>> index edc68873f6..ba32372ebb 100644
>> --- a/sysdeps/unix/sysv/linux/readonly-area.c
>> +++ b/sysdeps/unix/sysv/linux/readonly-area.c
>> @@ -42,7 +42,9 @@ __readonly_area (const char *ptr, size_t size)
>>            to the /proc filesystem if it is set[ug]id.  There has
>>            been no willingness to change this in the kernel so
>>            far.  */
>> -      || errno == EACCES)
>> +      || errno == EACCES
>> +      /* Process has reached the maximum number of open files. */
>> +      || errno == EMFILE)
>>       return 1;
>>         return -1;
>>       }
>> -- 
>> 2.42.0
>>
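Review bot: adding `|| errno == EMFILE` to the list that ends in `return 1;` does more than "ignore" the error: it makes __readonly_area report the buffer as read-only, so the caller's %n check is skipped for the whole fopen failure. Unlike the ENOENT and EACCES cases documented in the surrounding comment (no /proc, set[ug]id), a full descriptor table is a condition the program's input can drive, as the message above points out. The one-line comment "Process has reached the maximum number of open files." should state that consequence, and the alternative raised in this thread, calling __libc_fatal for EMFILE instead of returning 1, should be recorded there as a considered trade-off (spurious abort under fd pressure versus a check that can be switched off by exhausting descriptors), so the policy is visible in the source and not only in the list archive.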
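To make the failure mode discussed in this thread concrete, here is an added stand-alone C program. It is example code written for this page, not glibc's readonly-area.c and not posted by anyone in the thread. It lowers the soft RLIMIT_NOFILE, fills the descriptor table the way the nested open() calls in the message above would, and shows that the same fopen("/proc/self/maps") glibc performs then fails with EMFILE before any path lookup. The function classify_open_failure is a hypothetical model of the errno policy in the patched __readonly_area: 1 means the caller treats the format string as read-only and skips the %n check, -1 means undetermined (the fail-closed path that produced the false positive); the emfile_is_ignored flag selects the patched behaviour versus the __libc_fatal alternative proposed above, which is modelled here as -1 rather than an actual abort.

```c
/* Added example, not glibc code: model the errno policy of the patched
   __readonly_area and show that EMFILE is reachable before any path lookup. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical model of the decision in __readonly_area when
   fopen("/proc/self/maps") fails.  1: treat the buffer as read-only and
   skip the %n check.  -1: undetermined, the caller fails closed.  With
   emfile_is_ignored == 1 this mirrors the patch; with 0 it mirrors the
   __libc_fatal alternative (an abort, represented here as -1). */
int classify_open_failure(int err, int emfile_is_ignored)
{
  if (err == ENOENT || err == EACCES)
    return 1;
  if (err == EMFILE)
    return emfile_is_ignored ? 1 : -1;
  return -1;
}

/* Open /dev/zero until the fd table is full, like the nested with-blocks
   in the message above.  Returns how many descriptors were opened. */
static int exhaust_fds(int *fds, int cap)
{
  int n = 0;
  while (n < cap)
    {
      int fd = open("/dev/zero", O_RDONLY | O_CLOEXEC);
      if (fd < 0)
        break;
      fds[n++] = fd;
    }
  return n;
}

/* Lower the soft RLIMIT_NOFILE so exhaustion is quick, fill the table, then
   attempt the same fopen glibc performs.  Returns the errno of that fopen
   (EMFILE is expected: the kernel allocates the descriptor number before it
   looks up the path, so /proc need not even be mounted), 0 if the open
   succeeded, or a negative errno if the limit could not be adjusted.  The
   limit and the descriptors are restored before returning. */
int maps_open_errno_when_exhausted(void)
{
  struct rlimit old, low;
  if (getrlimit(RLIMIT_NOFILE, &old) != 0)
    return -errno;
  low = old;
  low.rlim_cur = 32;
  if (low.rlim_cur > old.rlim_max)
    low.rlim_cur = old.rlim_max;
  if (setrlimit(RLIMIT_NOFILE, &low) != 0)
    return -errno;

  int fds[64];
  int n = exhaust_fds(fds, 64);

  errno = 0;
  FILE *fp = fopen("/proc/self/maps", "r");
  int result = fp ? 0 : errno;
  if (fp)
    fclose(fp);

  for (int i = 0; i < n; i++)
    close(fds[i]);
  setrlimit(RLIMIT_NOFILE, &old);
  return result;
}

int main(void)
{
  int err = maps_open_errno_when_exhausted();
  printf("fopen(\"/proc/self/maps\") after exhausting fds: errno=%d (%s)\n",
         err, err > 0 ? strerror(err) : "no error");
  printf("patched __readonly_area model returns %d (1 = %%n check skipped)\n",
         classify_open_failure(err, 1));
  printf("__libc_fatal variant model returns %d (-1 = fail closed)\n",
         classify_open_failure(err, 0));
  return 0;
}
```

Run it as an ordinary user; no privileges are needed to lower the soft limit. The point of the program is the last two lines of output: the same EMFILE that caused the false positive in BZ #30932 is, under the patch, the value for which the check is skipped, and a script that can hold descriptors open can produce it at will.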