About *printf %n fortifications
Daniel Jacobowitz
drow@false.org
Fri Feb 24 18:30:00 GMT 2006

On Fri, Feb 24, 2006 at 07:04:08PM +0100, Gwenole Beauchesne wrote:
> Hi,
>
> Why would a printf() with %n in the format string require this string to
> be non-writable? (debug/tst-chk1.c, stdio-common/vfprintf.c)
>
> See the attached test case (-O2 -D_FORTIFY_SOURCE=2)
> char fmt[] = "%s%n\n";
> printf(fmt, "bar", &count);
> looks valid to me, but causes an abort() with
> *** %n in writable segment detected ***
>
> The check was probably meant to be against the %n argument itself.
>
> The following patch fixes this but I have not updated tst-chk1.c yet.
> WDYT?

No, that's not the point. It doesn't matter whether the target of the
%n is writable; if it's not, we'll just segfault. The test is supposed
to prevent a malicious attacker inserting %n into the application
somewhere where it will be passed to printf, causing an unexpected
store.

Of course your testcase is valid - but it's a bad idea.

--
Daniel Jacobowitz
CodeSourcery
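
The policy described in the reply, as an added example that is not part of the original message and is not glibc's code: a format containing %n is accepted only if the format string itself sits in non-writable memory. It assumes Linux with /proc/self/maps readable; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char ro_fmt[] = "%s%n\n";   /* constructed sample, lives in .rodata */

/* 1 if [p, p+len) lies wholly in non-writable mappings, 0 if any part is
   writable or unmapped, -1 if /proc/self/maps cannot be opened. */
int range_is_readonly(const void *p, size_t len)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL) return -1;
    uintptr_t cur = (uintptr_t)p, end = cur + len;
    char line[512], perms[5];
    unsigned long lo, hi;
    /* Entries are sorted by address: follow the range across mappings. */
    while (cur < end && fgets(line, sizeof line, f) != NULL) {
        int ok = sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) == 3;
        if (strchr(line, '\n') == NULL)          /* discard rest of a long line */
            for (int c; (c = fgetc(f)) != EOF && c != '\n'; ) ;
        if (!ok || hi <= cur) continue;          /* mapping ends before range */
        if (lo > cur || perms[1] == 'w') break;  /* hole, or writable mapping */
        cur = hi;
    }
    fclose(f);
    return cur >= end;
}

/* Finds %n even with flags, width or length modifiers (%hhn, %1$n); skips %%. */
static int has_percent_n(const char *s)
{
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        s += strspn(s, "0123456789$-+ #'.*hlLqjztI");
        if (*s == 'n') return 1;
        if (*s) s++;
    }
    return 0;
}

/* Fails closed: an unreadable maps file rejects any format that uses %n. */
int format_allowed(const char *fmt)
{
    return !has_percent_n(fmt) || range_is_readonly(fmt, strlen(fmt) + 1) == 1;
}

int check_literal(void) { return format_allowed(ro_fmt); }
int check_writable_copy(void) { char fmt[] = "%s%n\n"; return format_allowed(fmt); }

int main(void) { printf("%d %d\n", check_literal(), check_writable_copy()); return 0; }
```

The stack copy is rejected for the same reason the test case in the question aborts: the bytes of the format could have been altered at run time, whatever the %n argument points to.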