Fwd: avoid snprintf using %n to generate coredump when F_S=2 is enabled
Florian Weimer
fweimer@redhat.com
Fri Aug 25 07:01:22 GMT 2023
* zhanghao via Libc-alpha:
> Subject: [PATCH] Avoid snprintf using %n to generate coredump when F_S=2 is enabled
>
> In nscd, F_S=2 added in 233399bce2e79e5af3b344782e9943d5f1a9cdcb just for warn_if_unused
> warnings rather than anything substantial.
F_S is _FORTIFY_SOURCE, maybe spell this out?
> When F_S=2 is set, snprintf() using %n will generate a coredump and give the
> following prompt:
>
> *** %n in writable segment detected ***
>
> It is not recommended to use %n to calculate the length of the string
> in the snprintf function. We strip the calculation logic outside the
> snprintf function for replacement.
So … why is the segment writable? It's a string literal, so it should
end up in .rodata. If nscd is crashing due to this, either the writable
data detection is broken, or nscd is linked incorrectly. For example,
nscd might have a RWX LOAD segment.
Thanks,
Florian
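As an added example (not the patch or nscd's own code), the two ways of learning how long a formatted prefix is: the %n form the patch removes, and the equivalent built on snprintf's return value. The function names and the sample key/value are assumptions; _FORTIFY_SOURCE=2 only aborts the first form when the format string sits in writable memory, which a string literal normally does not.

```c
#include <stdio.h>
#include <string.h>

/* The %n style the patch removes: %n stores the number of bytes produced
 * so far into prefix_len. Under _FORTIFY_SOURCE=2 glibc checks that the
 * format string is in a read-only mapping before honouring %n; a literal
 * lives in .rodata, so this only trips if the binary's LOAD segment
 * carrying .rodata is writable (e.g. RWX) or the check itself is wrong. */
int format_with_n(char *buf, size_t size, const char *key, int value)
{
    int prefix_len = 0;                       /* hypothetical helper */
    snprintf(buf, size, "%s=%n%d", key, &prefix_len, value);
    return prefix_len;
}

/* The replacement: compute the prefix length from snprintf's return value
 * and continue formatting after it. No %n, so no writable-segment check.
 * Caveat: snprintf returns the length the output *would* have had, so
 * compare it against size before using it as an offset. */
int format_without_n(char *buf, size_t size, const char *key, int value)
{
    int prefix_len = snprintf(buf, size, "%s=", key);
    if (prefix_len < 0 || (size_t) prefix_len >= size)
        return -1;                            /* error or truncated prefix */
    snprintf(buf + prefix_len, size - (size_t) prefix_len, "%d", value);
    return prefix_len;
}

int main(void)
{
    char a[64], b[64];                        /* constructed sample input */
    int la = format_with_n(a, sizeof a, "port", 53);
    int lb = format_without_n(b, sizeof b, "port", 53);
    printf("%s (prefix %d) / %s (prefix %d)\n", a, la, b, lb);
    return 0;
}
```

For the linking side of the question above, `readelf -lW <binary>` lists the LOAD segments with their R/W/E flags, which is where a RWX segment would show up.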