Fwd: avoid snprintf using %n to generate coredump when F_S=2 is enabled

Sam James sam@gentoo.org
Fri Aug 25 15:26:44 GMT 2023


Florian Weimer via Libc-alpha <libc-alpha@sourceware.org> writes:

> * zhanghao via Libc-alpha:
>
>> Subject: [PATCH] Avoid snprintf using %n to generate coredump when F_S=2 is enabled
>>
>> In nscd, F_S=2 added in 233399bce2e79e5af3b344782e9943d5f1a9cdcb just for warn_if_unused
>> warnings rather than anything substantial.
>
> F_S is _FORTIFY_SOURCE, maybe spell this out?
>
>> When F_S=2 is set, and snprintf() using %n will generate coredump and give the
>> following prompt:
>>
>> *** %n in writable segment detected ***
>>
>> It is not recommended to use %n to calculate the length of the string
>> in the snprintf function. We strip the calculation logic outside the
>> snprintf function for replacement.
>
> So … why is the segment writable?  It's a string literal, so it should
> end up in .rodata.  If nscd is crashing due to this, either the writable
> data detection is broken, or nscd is linked incorrectly.  For example,
> nscd might have a RWX LOAD segment.

Thanks, I was wondering the same thing.

A copy of the binary might be instructive.
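As an added example, not part of the patch or of anyone's message in this thread: the %n-free length tracking the patch description calls for, written in C. The outbuf helper, the record format and the buffer sizes are constructed for illustration; the running length comes from vsnprintf's return value, so the format strings carry no %n for the _FORTIFY_SOURCE=2 check to flag, and truncation is reported instead of silently miscounted.

```c
/* Added example (not glibc/nscd code): build a string incrementally and
 * track its length without "%n", using vsnprintf's return value. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

struct outbuf {
    char *data;
    size_t size;    /* capacity including the terminating NUL */
    size_t len;     /* characters stored so far, excluding the NUL */
    int truncated;  /* set once an append did not fit */
};

static void outbuf_init(struct outbuf *ob, char *storage, size_t size)
{
    ob->data = storage;
    ob->size = size;
    ob->len = 0;
    ob->truncated = 0;
    storage[0] = '\0';            /* caller guarantees size > 0 */
}

/* vsnprintf returns the length the full output would need; a value >= the
 * remaining room means the text was cut off (the buffer stays NUL-terminated). */
static int outbuf_appendf(struct outbuf *ob, const char *fmt, ...)
{
    va_list ap;
    size_t room = ob->size - ob->len;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(ob->data + ob->len, room, fmt, ap);
    va_end(ap);

    if (n < 0) {                  /* encoding error: keep the old contents */
        ob->data[ob->len] = '\0';
        return -1;
    }
    if ((size_t)n >= room) {
        ob->truncated = 1;
        ob->len = ob->size - 1;   /* everything up to the final NUL is used */
        return -1;
    }
    ob->len += (size_t)n;
    return n;
}

/* Constructed "key=value;ttl=N" record; returns its length or -1 on truncation. */
static int build_record(char *buf, size_t size, const char *key, const char *value, int ttl)
{
    struct outbuf ob;
    if (size == 0)
        return -1;
    outbuf_init(&ob, buf, size);
    if (outbuf_appendf(&ob, "%s=%s;", key, value) < 0)
        return -1;
    if (outbuf_appendf(&ob, "ttl=%d", ttl) < 0)
        return -1;
    return (int)ob.len;
}
```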

