Bug 20231 - vdprintf_chk() does not return EOF when writing to closed file
Product: glibc
Classification: Unclassified
Component: stdio
Version: 2.23
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2016-06-09 14:50 UTC by Isidor Kouvelas
Modified: 2018-11-08 17:10 UTC
fweimer: security-
Description Isidor Kouvelas 2016-06-09 14:50:16 UTC
The vdprintf_chk() in debug/vdprintf_chk.c does not return EOF when writing to a closed file. It instead returns the number of characters that would have been written.

Comparing the code in vdprintf_chk() with that in _IO_vdprintf() (libio/iovdprintf.c), there are two lines in _IO_vdprintf() checking for an EOF and adjusting the return value that are missing from vdprintf_chk() resulting in this issue. The rest of the code in the two functions is almost identical.

Adding the missing lines to vdprintf_chk() fixes the issue.
The two lines that are missing are:

*** vdprintf_chk.c.orig 2016-06-09 07:40:16.038497365 -0700
--- vdprintf_chk.c      2016-06-09 07:40:46.697971100 -0700
*** 60,65 ****
--- 60,68 ----

    done = _IO_vfprintf (&tmpfil.file, format, arg);

+   if (done != EOF && _IO_do_flush (&tmpfil.file) == EOF)
+     done = EOF;
    _IO_FINISH (&tmpfil.file);

    return done;
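Review bot: No regression test accompanies the two added lines ahead of `_IO_FINISH`; a test that drives this function into a flush failure and asserts that the return value is EOF would keep the behaviour from regressing. Since the description says the same two lines already exist in _IO_vdprintf() in libio/iovdprintf.c, a short comment above `if (done != EOF && _IO_do_flush (&tmpfil.file) == EOF)` noting that the two functions must stay in sync, or a shared helper, would stop them drifting apart again. The diff headers also name vdprintf_chk.c without its debug/ directory, so the patch does not apply from the tree root as posted.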
Comment 1 Adhemerval Zanella 2018-11-08 17:09:27 UTC
The vdprintf_chk does indeed return EOF when trying to write on a closed file. It will currently call:

  \_ _IO_new_file_attach
     \_ __GI___vdprintf_chk
        \_ _IO_file_seek
           \_ __lseek64

And the __lseek64 will return -1/EBADF and thus _IO_new_file_attach will fail.

The code difference with default vdprintf is, in fact, BZ#11319, where vdprintf_chk does not return an error when an output error is encountered (the same example reported on BZ#11319 fails with -D_FORTIFY_SOURCE=2 -O2).
Comment 2 Adhemerval Zanella 2018-11-08 17:10:09 UTC
I will close this as invalid and re-open BZ#11319.
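The two cases the thread distinguishes, as an added probe that is not code from the report, from BZ#11319, or from glibc: `dprintf()` on a closed descriptor, and `dprintf()` on an open descriptor whose write fails. Building it once plainly and once with the `-D_FORTIFY_SOURCE=2 -O2` flags named in comment 1 lets the return values of the two builds be compared. The function names and the pipe-with-no-reader setup are assumptions made for this example.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Case from the report: dprintf() on a descriptor that is already closed. */
static int probe_closed_fd(int *err)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 1;                 /* setup failed: report "no error seen" */
    close(fds[0]);
    close(fds[1]);                /* fds[1] is now an invalid descriptor */
    errno = 0;
    int ret = dprintf(fds[1], "%s\n", "hello");
    *err = errno;
    return ret;
}

/* Case from comment 1: the descriptor is open but the output itself fails.
   A pipe with no reader is a constructed way to force that (EPIPE). */
static int probe_failed_write(int *err)
{
    int fds[2];
    if (pipe(fds) != 0)
        return 1;
    signal(SIGPIPE, SIG_IGN);     /* turn the signal into a write() error */
    close(fds[0]);
    errno = 0;
    int ret = dprintf(fds[1], "%s\n", "hello");
    *err = errno;
    close(fds[1]);
    return ret;
}

int main(void)
{
    int err = 0;
    int ret = probe_closed_fd(&err);
    printf("closed fd:    ret=%d (%s)\n", ret, strerror(err));
    ret = probe_failed_write(&err);
    printf("failed write: ret=%d (%s)\n", ret, strerror(err));
    return 0;
}
```

A non-negative `ret` in either line means the caller was told the output succeeded when it did not, which is the silent data-loss condition the bug is about.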