Fwd: avoid snprintf using %n to generate coredump when F_S=2 is enabled
Sam James
sam@gentoo.org
Fri Aug 25 15:26:44 GMT 2023
Florian Weimer via Libc-alpha <libc-alpha@sourceware.org> writes:
> * zhanghao via Libc-alpha:
>
>> Subject: [PATCH] Avoid snprintf using %n to generate coredump when F_S=2 is enabled
>>
>> In nscd, F_S=2 added in 233399bce2e79e5af3b344782e9943d5f1a9cdcb just for warn_if_unused
>> warnings rather than anything substantial.
>
> F_S is _FORTIFY_SOURCE, maybe spell this out?
>
>> When F_S=2 is set, snprintf() using %n will generate a coredump and give the
>> following prompt:
>>
>> *** %n in writable segment detected ***
>>
>> It is not recommended to use %n to calculate the length of the string
>> in the snprintf function. We strip the calculation logic outside the
>> snprintf function for replacement.
>
> So … why is the segment writable? It's a string literal, so it should
> end up in .rodata. If nscd is crashing due to this, either the writable
> data detection is broken, or nscd is linked incorrectly. For example,
> nscd might have a RWX LOAD segment.
Thanks, I was wondering the same thing.
A copy of the binary might be instructive.
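Florian's question above, whether the format-string literal really sits in a writable (or even RWX) LOAD segment, can be answered from the binary's program headers. The following is an added example, not code from this thread or from glibc: it walks an ELF64 image in memory using the <elf.h> types and counts writable PT_LOAD segments, reporting how many are also executable; it is run here on a constructed sample image rather than a real nscd.

```c
#include <elf.h>
#include <stddef.h>
#include <string.h>

/* Count PT_LOAD segments that are writable in an in-memory ELF64 image.
   If rwx_out is non-NULL it receives how many of those are also executable
   (RWX). Returns -1 when the buffer is not a sane ELF64 image. */
int count_writable_loads(const unsigned char *img, size_t len, int *rwx_out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    /* Bounds-check the program header table before walking it. */
    if (eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff) return -1;
    int writable = 0, rwx = 0;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD || !(ph.p_flags & PF_W)) continue;
        writable++;
        if (ph.p_flags & PF_X) rwx++;
    }
    if (rwx_out) *rwx_out = rwx;
    return writable;
}

/* Constructed sample image (not a real nscd): an ELF64 header followed by
   three PT_LOAD entries, R-X text, R-- rodata and one deliberately RWX. */
size_t build_sample(unsigned char *buf, size_t cap)
{
    Elf64_Ehdr eh = { .e_phoff = sizeof(Elf64_Ehdr),
                      .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 3 };
    Elf64_Phdr ph[3] = { { .p_type = PT_LOAD, .p_flags = PF_R | PF_X },
                         { .p_type = PT_LOAD, .p_flags = PF_R },
                         { .p_type = PT_LOAD, .p_flags = PF_R | PF_W | PF_X } };
    size_t need = sizeof eh + sizeof ph;
    if (cap < need) return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return need;
}
```

On a real binary, read the file into a buffer and pass it to count_writable_loads; a non-zero RWX count is the mislinking Florian suspects, while a literal that lands in a writable (non-executable) data segment still trips the %n check.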