From: Florian Weimer <fweimer@redhat.com>
To: "Volker Weißmann" <volker.weissmann@gmx.de>
Cc: libc-alpha@sourceware.org, Siddhesh Poyarekar <siddhesh@redhat.com>
Subject: Re: [PATCH v3] Fix FORTIFY_SOURCE false positive
Date: Wed, 04 Oct 2023 19:36:04 +0200 [thread overview]
Message-ID: <87bkdeb88r.fsf@oldenburg.str.redhat.com> (raw)
In-Reply-To: <20231003171844.9586-1-volker.weissmann@gmx.de> ("Volker =?utf-8?Q?Wei=C3=9Fmann=22's?= message of "Tue, 3 Oct 2023 19:18:44 +0200")
* Volker Weißmann:
> When -D_FORTIFY_SOURCE=2 was given during compilation,
> sprintf and similar functions will check if their
> first argument is in read-only memory and exit with
> *** %n in writable segment detected ***
> otherwise. To check if the memory is read-only, glibc
> reads frpm the file "/proc/self/maps". If opening this
> file fails due to too many open files (EMFILE), glibc
> will now ignore this error.
>
> Fixes [BZ #30932]
>
> Signed-off-by: Volker Weißmann <volker.weissmann@gmx.de>
> ---
> sysdeps/unix/sysv/linux/readonly-area.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/sysdeps/unix/sysv/linux/readonly-area.c b/sysdeps/unix/sysv/linux/readonly-area.c
> index edc68873f6..ba32372ebb 100644
> --- a/sysdeps/unix/sysv/linux/readonly-area.c
> +++ b/sysdeps/unix/sysv/linux/readonly-area.c
> @@ -42,7 +42,9 @@ __readonly_area (const char *ptr, size_t size)
> to the /proc filesystem if it is set[ug]id. There has
> been no willingness to change this in the kernel so
> far. */
> - || errno == EACCES)
> + || errno == EACCES
> + /* Process has reached the maximum number of open files. */
> + || errno == EMFILE)
> return 1;
> return -1;
> }
This whole thing is rather questionable.
First of all, the compiler should detect the fact that a format argument
to printf is a string literal and record that in the flags argument
(which already exists for __printf_chk). Then we wouldn't have to do
any %n security checks for most uses of %n. (The flags argument cannot
be spoofed just by altering the string.)
Siddhesh, is that something you could be working on?
Even without that, if we are willing to trust the ld.so data structures,
we can do the permission check in userspace for strings that come from
.rodata. We an find the ELF object that contains them and check if the
loadable segment has the right permissions (or we are in the RELRO
area).
After these changes, I think we can fail hard on /proc-related errors
because they are very unlikely to happen.
Thanks,
Florian
next prev parent reply other threads:[~2023-10-04 17:36 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 17:18 Volker Weißmann
2023-10-03 17:25 ` Siddhesh Poyarekar
2023-10-03 18:13 ` [PATCH] debug: Add regression tests for BZ 30932 Adhemerval Zanella
2023-10-03 18:48 ` Siddhesh Poyarekar
2023-10-04 14:43 ` [PATCH v3] Fix FORTIFY_SOURCE false positive Volker Weißmann
2023-10-04 16:57 ` Adhemerval Zanella Netto
2023-10-04 17:08 ` Siddhesh Poyarekar
2023-10-04 14:51 ` Andreas Schwab
2023-10-04 15:44 ` Volker Weißmann
2023-10-04 17:36 ` Florian Weimer [this message]
2023-10-04 17:45 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bkdeb88r.fsf@oldenburg.str.redhat.com \
--to=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=siddhesh@redhat.com \
--cc=volker.weissmann@gmx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).