bug-gnulib

Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE ==


From: Bruno Haible
Subject: Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE == 2
Date: Fri, 19 Oct 2007 02:19:44 +0200
User-agent: KMail/1.5.4

Jim Meyering wrote:
> But disallowing %n in a writable format string does
> protect applications from an entire class of exploits.
> That is worth more than enough to compensate for the minor limitation.

Two remarks:

1) The %n has to serve as a scapegoat here. The exploit in [1] is a
   combination of
     1. a runtime system that allows modifications of arbitrary memory
        locations without the concept of compartments inside the memory
        of a process (C combined with the Unix memory model),
     2. a user-provided string that is used as a format string,
     3. a format directive that causes a write into memory.

   #1 is the real root of so many security issues, but its solution is
   out of scope here.

   #2 is the cause of this particular issue. #3 is not an issue by itself.

   So why don't people think more about how to fix #2?

2) Does it have to be done through abort()? Can't it be silent like on
   Windows Vista? IMO, library functions should not crash a program when
   the input is standards-compliant.

> BTW, this problem was also encountered last year by CVS developers.

I must have missed that, sorry.

Bruno

[1] http://seclists.org/bugtraq/1999/Sep/0328.html
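The check that Bruno's second remark argues about, written out as an added example (not code from this thread or from gnulib): a scanner that detects any `%n` conversion in a format string, and a hypothetical `snprintf_no_n` wrapper that reports an error instead of calling abort() when one is present. The directive set it skips (flags, width, precision, `N$` positional prefixes, length modifiers) is an assumption about the formats worth covering, not a complete printf grammar.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true if fmt contains a %n conversion, i.e. a directive that
   writes into memory. "%%" is a literal percent, not a directive.
   Hypothetical helper, not part of gnulib's vasnprintf. */
bool fmt_has_n_directive(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')              /* "%%": literal '%' */
            continue;
        /* Skip positional "N$", flags, width and precision (incl. '*'). */
        while (*p != '\0' && strchr("0123456789$#-+ '.*", *p) != NULL)
            p++;
        /* Skip length modifiers such as hh, l, ll, z, j, t, q, L. */
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0')             /* truncated directive at end of fmt */
            return false;
        if (*p == 'n')
            return true;
        /* Any other conversion character: the loop's p++ steps past it. */
    }
    return false;
}

/* Same policy as the fortify check, but "silent": refuse (-1) instead of
   aborting when fmt carries %n; otherwise behave like snprintf.
   Hypothetical wrapper. The real fix is still not to let untrusted
   input become fmt in the first place. */
int snprintf_no_n(char *buf, size_t size, const char *fmt, ...)
{
    if (fmt_has_n_directive(fmt))
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return r;
}
```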
