This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] vfprintf: validate nargs and maybe allocate from heap
- From: "Ryan S. Arnold" <ryan dot arnold at gmail dot com>
- To: Andreas Jaeger <aj at suse dot com>
- Cc: Kees Cook <kees at outflux dot net>, libc-alpha at sourceware dot org, Paul Eggert <eggert at cs dot ucla dot edu>, Roland McGrath <roland at hack dot frob dot com>, Andreas Schwab <schwab at linux-m68k dot org>
- Date: Fri, 2 Mar 2012 12:45:35 -0600
- Subject: Re: [PATCH] vfprintf: validate nargs and maybe allocate from heap
- Authentication-results: mr.google.com; spf=pass (google.com: domain of ryan.arnold@gmail.com designates 10.205.133.10 as permitted sender) smtp.mail=ryan.arnold@gmail.com; dkim=pass header.i=ryan.arnold@gmail.com
- References: <20120206062537.GM4979@outflux.net><20120207000509.GP4989@outflux.net><20120210192457.GF20420@outflux.net><CAAKybw8AgkGsKAx=kvX4Tsi74f+HtuVnatTCB0VfsHi7vVFi1Q@mail.gmail.com><20120214223048.GM20420@outflux.net><CAAKybw_HS+cav+YcDw3ns7UXu6_xA7EHPrkiB87P+OGwEB0PVQ@mail.gmail.com><20120214224543.GN20420@outflux.net><20120216161613.GZ20420@outflux.net><4F50EE1A.90902@suse.com><20120302164858.GB3990@outflux.net><4F510F3D.6040908@suse.com>
On Fri, Mar 2, 2012 at 12:19 PM, Andreas Jaeger <aj@suse.com> wrote:
> On 03/02/2012 05:48 PM, Kees Cook wrote:
>>
>> Hi Andreas,
>>
>> On Fri, Mar 02, 2012 at 04:58:18PM +0100, Andreas Jaeger wrote:
>>>
>>> On 02/16/2012 05:16 PM, Kees Cook wrote:
>>>>
>>>> The nargs value can overflow when doing allocations, allowing arbitrary
>>>> memory writes via format strings, bypassing _FORTIFY_SOURCE:
>>>> http://www.phrack.org/issues.html?issue=67&id=9
>>>
>>>
>>> So a security issue - can we get this fixed quickly, please? I'd
>>> like to ping for a review and commit!
>>
>>
>> Ryan has been trying to make some time for a final testing round, so
>> I'm confident a commit will be coming soon.
>
>
> Ryan, do you see any problems or want specific tests? I just tested on x86
> and x86-64 and think the patch is fine to commit. I can do the commit, just
> tell me what's holding you up...
I don't see any problems. I verified that an earlier rev of the patch
doesn't regress the printf hooks functionality and wanted to do the
same with the latest revision but that's probably not necessary. You
may check it in if you'd like.
Ryan
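The overflow Kees describes above (nargs wrapping while the argument tables are sized, so a format string can turn a tiny allocation into out-of-bounds writes), shown as an added example in C. This is not the glibc patch under discussion and not code from anyone in the thread; it only illustrates the arithmetic and the check. vfprintf sizes its per-argument tables from nargs, which a format string can drive up through positional directives such as "%N$s"; the constructed arg_value union, BYTES_PER_ARG, the assumed STACK_CUTOFF of 65536 bytes and the simplified max_positional_arg scanner are all assumptions of this example, standing in for glibc's own types, its three per-argument arrays and its alloca cutoff. The naive product wraps modulo 2^N, so a huge nargs yields a small allocation; the checked version rejects any nargs whose product is not representable before it reaches an allocator, and sends large but valid tables to the heap instead of the stack.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the per-argument record vfprintf keeps
   (a value union plus an int for size and an int for type).  The real
   glibc layout is not reproduced here; only the arithmetic matters.  */
typedef union {
    int pa_int;
    long pa_long;
    double pa_double;
    void *pa_pointer;
} arg_value;

#define BYTES_PER_ARG (sizeof (arg_value) + sizeof (int) + sizeof (int))

/* Assumed stack budget.  glibc decides via __libc_use_alloca; this
   constant merely illustrates the stack-versus-heap split.  */
#define STACK_CUTOFF ((size_t) 65536)

enum alloc_where { ALLOC_REJECTED, ALLOC_STACK, ALLOC_HEAP };

/* Simplified scan for the largest positional index N in "%N$" directives.
   This is what lets the format string, rather than the caller, pick nargs.
   Saturates to SIZE_MAX instead of wrapping while accumulating digits.  */
static size_t max_positional_arg(const char *fmt)
{
    size_t max = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {        /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        size_t n = 0;
        const char *q = p;
        while (*q >= '0' && *q <= '9') {
            if (n > (SIZE_MAX - 9) / 10)
                return SIZE_MAX;
            n = n * 10 + (size_t) (*q - '0');
            q++;
        }
        if (q != p && *q == '$' && n > max)
            max = n;
    }
    return max;
}

/* The unchecked computation: size_t multiplication wraps, so a large
   enough nargs produces a small (possibly zero) allocation size.  */
static size_t naive_alloc_size(size_t nargs)
{
    return nargs * BYTES_PER_ARG;
}

/* The hardened computation: refuse any nargs whose product is not
   representable, before it can reach alloca or malloc.  */
static bool checked_alloc_size(size_t nargs, size_t *bytes)
{
    if (nargs > SIZE_MAX / BYTES_PER_ARG) {
        errno = EOVERFLOW;
        return false;
    }
    *bytes = nargs * BYTES_PER_ARG;
    return true;
}

/* Validate first, then keep small tables on the stack and send large
   but representable ones to the heap rather than exhausting the stack.  */
static enum alloc_where choose_allocation(size_t nargs, size_t *bytes)
{
    if (!checked_alloc_size(nargs, bytes))
        return ALLOC_REJECTED;
    return *bytes <= STACK_CUTOFF ? ALLOC_STACK : ALLOC_HEAP;
}

int main(void)
{
    /* Constructed format strings; the last two name absurd argument counts. */
    const char *formats[] = { "%1$s: %3$d items", "%4000000$s",
                              "%18446744073709551615$s" };
    for (size_t i = 0; i < 3; i++) {
        size_t nargs = max_positional_arg(formats[i]);
        size_t bytes = 0;
        enum alloc_where where = choose_allocation(nargs, &bytes);
        printf("nargs=%zu naive=%zu where=%d checked_bytes=%zu\n",
               nargs, naive_alloc_size(nargs), (int) where, bytes);
    }
    return 0;
}
```

The check must come before any arithmetic that feeds an allocator: comparing nargs against SIZE_MAX / BYTES_PER_ARG is the only form that cannot itself overflow, whereas testing the product after the fact is already too late.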