| Summary: | vfprintf() segfault with multibyte string and long precision | ||
|---|---|---|---|
| Product: | glibc | Reporter: | Victor Stinner <victor.stinner> |
| Component: | libc | Assignee: | Ulrich Drepper <drepper.fsp> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | glibc-bugs, madcoder |
| Priority: | P2 | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Host: | Target: | ||
| Build: | Last reconfirmed: | ||
| Attachments: | fix for that bug | ||
Created attachment 1742 [details]
fix for that bug
FWIW here is a patch that should fix it. As you can guess, 'ignore' is an
ignored variable, hence __mbsnrtowcs is only used for mbs validation. So
passing NULL will work.
(yes I know that if passing NULL __mbsnrtowcs does not respect 'len' but it's
not relevant here, as we want to check 'spec' bytes from the mb sequence, and
the wchar_t buffer is made on purpose of 'spec' wchar_t's, so the 'len'
stopping condition will never be triggered, hence passing NULL as a dst will
work).
(In reply to comment #1) > Created an attachment (id=1742) > fix for that bug except that it does not work, presumably because when passing NULL as dst, the mbstate is not updated. The current code forcing the conversion into a wchar string seems quite sloppy, but I see no obvious way to deal with it. So a better patch will need to be worked out :| I've checked in a patch. And next time, don't mess with priorities and severity. This is not something to be guessed by the submitter. Thank you for your quick reaction ;-) Sorry for severity/priority, I will leave them with default value next time. Subject: Bug 4438 CVSROOT: /cvs/glibc Module name: libc Branch: glibc-2_5-branch Changes by: jakub@sourceware.org 2007-07-12 15:15:03 Modified files: . : ChangeLog stdio-common : test-vfprintf.c vfprintf.c Log message: 2007-05-04 Ulrich Drepper <drepper@redhat.com> * stdio-common/vfprintf.c (process_string_arg): Adjust call to __mbsnrtowcs after last change. 2007-05-02 Jakub Jelinek <jakub@redhat.com> * stdio-common/vfprintf.c (process_string_arg): Use a VLA rather than fixed length array for ignore. 2007-04-30 Ulrich Drepper <drepper@redhat.com> [BZ #4438] * stdio-common/vfprintf.c (process_string_arg): Don't overflow the stack for large precisions. * stdio-common/test-vfprintf.c (main): Add test for large precision. Patches: http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.10362.2.79&r2=1.10362.2.80 http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/test-vfprintf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.4&r2=1.4.8.1 http://sourceware.org/cgi-bin/cvsweb.cgi/libc/stdio-common/vfprintf.c.diff?cvsroot=glibc&only_with_tag=glibc-2_5-branch&r1=1.134&r2=1.134.2.1 |
(Since the bug has been reported on Debian and Fedora Core, I create a bug report on libc bugtracker) Hi, I use your personnal emails because the bug might be a security vulnerability (I don't know Linux kernel enough to guess). If it is not, I can open a bug report on Bugzilla if you would like to. I found a bug in dpkg program (from apt-get of Debian project): COLUMNS=10000000 dpkg -l => Crash with segfault (SIGSEGV) After long investigation (around one week :-)), I'm certain that the bug comes from GNU libc. The crash is not specific to this program, any program allowing to change format string of printf() may crash. Smallest C testcase: ------------------------------------------------------------- #include <stdlib.h> #include <stdio.h> #include <locale.h> int main() { setlocale (LC_CTYPE, ""); printf("%-1.30500200s\n", "Hello"); return 0; } ------------------------------------------------------------- If your locale is not UTF-8, specify another multibyte locale to setlocale(). The value "30500200" just have to be bigger than current stack size limit. You can also try with bash/core-utils printf: ------------------------------------------------------------- printf '%-1.25000000s' 'Hello' ------------------------------------------------------------- The bug is located in stdio-common/vfprintf.c, macro "process_string_arg", in this block: ------------------------------------------------------------- if (prec != -1) { /* Search for the end of the string, but don't search past the length (in bytes) specified by the precision. Also don't use incomplete characters. */ if (_NL_CURRENT_WORD (LC_CTYPE, _NL_CTYPE_MB_CUR_MAX) == 1) len = __strnlen (string, prec); else { /* In case we have a multibyte character set the situation is more compilcated. We must not copy bytes at the end which form an incomplete character. */ wchar_t ignore[prec]; const char *str2 = string; mbstate_t ps; memset (&ps, '\0', sizeof (ps)); if (__mbsnrtowcs (ignore, &str2, prec, prec, &ps) == (size_t) -1) { done = -1; goto all_done; } if (str2 == NULL) len = strlen (string); else len = str2 - string - (ps.__count & 7); } } else len = strlen (string); ------------------------------------------------------------- If 1 < prec and 1 < LC_CTYPE[_NL_CTYPE_MB_CUR_MAX], we go in "complicated" block :-) Now imagine that prec is equal to 30500200: 30 MB will be "allocated" on the stack (by "wchar_t ignore[prec]") whereas Linux use 8 MB (in default config) for stack limit. Stack *should* grow up/down, but on my compute (i386) gcc just use "sub $eax, $esp" instruction to allocated memory and Linux just raises the signal SIGSEGV. I don't know enough locale API (mbsnrtowcs() function) to fix the bug. Victor Stinner http://www.inl.fr/ --- Other bug report of the same bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238406 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=421555