
Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE ==


From: Bruno Haible
Subject: Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE == 2
Date: Fri, 19 Oct 2007 12:40:35 +0200
User-agent: KMail/1.5.4

Jim Meyering wrote:
> It is the key that gives format-abusers so much latitude
> in choosing what value to write where.  Without that
> feature, coming up with a real exploit is much harder.

Without %n, one can still use format strings like
  %.10000000f%.10000000f%.10000000f%.10000000f%.10000000f%.10000000f
to conduct denial-of-service attacks.

> >     2. a user-provided string that is used as a format string,
> >   So why don't people think more about how to fix #2?
> 
> Because removing such vulnerabilities at the source is much more
> labor-intensive.

It doesn't need to be at the source level. If, for example,
gcc was changed to emit a certain signature (4 bytes) in front of every
read-only format string, and vfprintf would verify this signature by
looking at fmt[-4..-1], then only the few applications which willfully
construct format strings at runtime would have to change their source code.

Bruno
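The signature check Bruno sketches, emulated in C as an added example that is not code from gnulib, gcc or glibc. Since no compiler emits such a signature today, the `SIGNED_FMT` macro stands in for the compiler and places an assumed 4-byte signature (`0x7f 'F' 'M' 'T'`, this example's own choice) directly in front of a string literal; `checked_snprintf` plays the role of the modified `vfprintf` and refuses any format whose `fmt[-4..-1]` does not carry it. `log_user_message` is the "user-provided string used as a format string" pattern (#2 in the thread) and shows that both a harmless message and the `%n` / `%.10000000f` abuses are rejected the same way; `sign_runtime_format` is the one-line source change the proposal asks of programs that deliberately build format strings at runtime. All function names and the zeroed 4-byte prefix on the user buffer (kept so the check never reads outside an object this program owns) are assumptions of the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed signature value; nothing real emits or checks it. */
#define FMT_SIG_LEN 4
#define FMT_SIG_INIT { 0x7f, 'F', 'M', 'T' }
static const char FMT_SIG[FMT_SIG_LEN] = FMT_SIG_INIT;

/*
 * Stand-in for what a modified compiler would do for every read-only
 * format string: put the signature immediately before the literal, so
 * the pointer handed to printf satisfies fmt[-4..-1] == FMT_SIG.
 */
#define SIGNED_FMT(lit) \
    (((const struct { char sig[FMT_SIG_LEN]; char s[sizeof(lit)]; }) \
        { FMT_SIG_INIT, lit }).s)

/* The check a modified vfprintf would run before parsing fmt at all. */
static int fmt_is_signed(const char *fmt)
{
    return memcmp(fmt - FMT_SIG_LEN, FMT_SIG, FMT_SIG_LEN) == 0;
}

/* vsnprintf that refuses unsigned format strings; -1 means "rejected". */
static int checked_vsnprintf(char *dst, size_t n, const char *fmt, va_list ap)
{
    if (!fmt_is_signed(fmt))
        return -1;
    return vsnprintf(dst, n, fmt, ap);
}

static int checked_snprintf(char *dst, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = checked_vsnprintf(dst, n, fmt, ap);
    va_end(ap);
    return r;
}

/*
 * Pattern #2 from the thread: untrusted input used directly as the
 * format string.  The 4 zeroed bytes in front of the copy keep the
 * fmt[-4..-1] read inside this buffer; they never equal the signature,
 * so every call through this path is rejected, whether the input is
 * "hello" or "%x%x%n".  The fix in the caller is to use "%s" instead.
 */
static int log_user_message(char *out, size_t outlen, const char *user)
{
    char storage[FMT_SIG_LEN + 128] = { 0 };
    char *fmt = storage + FMT_SIG_LEN;
    size_t len = strlen(user);
    if (len >= sizeof storage - FMT_SIG_LEN)
        return -1;
    memcpy(fmt, user, len + 1);
    return checked_snprintf(out, outlen, fmt);
}

/*
 * The source change asked of the few programs that willfully build
 * format strings at runtime: sign the buffer at the one place where the
 * contents are known to be trusted.  Returns the usable fmt pointer.
 */
static const char *sign_runtime_format(char *storage, size_t storagelen,
                                       const char *trusted)
{
    size_t len = strlen(trusted);
    if (storagelen < FMT_SIG_LEN + len + 1)
        return NULL;
    memcpy(storage, FMT_SIG, FMT_SIG_LEN);
    memcpy(storage + FMT_SIG_LEN, trusted, len + 1);
    return storage + FMT_SIG_LEN;
}

int main(void)
{
    char out[64], st[64];
    const char *f;

    printf("literal:  %d\n", checked_snprintf(out, sizeof out,
                                              SIGNED_FMT("%d-%s"), 42, "ok"));
    printf("user %%n:  %d\n", log_user_message(out, sizeof out, "%x%x%n"));
    printf("user DoS: %d\n", log_user_message(out, sizeof out, "%.10000000f"));
    f = sign_runtime_format(st, sizeof st, "%s!");
    printf("runtime:  %d\n", f ? checked_snprintf(out, sizeof out, f, "hi") : -1);
    return 0;
}
```

The check costs one 4-byte compare per call and needs no knowledge of which segment `fmt` lives in, which is what makes it survive `_FORTIFY_SOURCE`-style rebuilds of the "writable segment" heuristic; the price is that every remaining legitimate runtime-constructed format must go through something like `sign_runtime_format`.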