[Bug 733140] New: glibc sprintf crashes if there are too many format strings
https://bugzilla.novell.com/show_bug.cgi?id=733140
https://bugzilla.novell.com/show_bug.cgi?id=733140#c0

           Summary: glibc sprintf crashes if there are too many format strings
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: bartoschek@or.uni-bonn.de
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

Created an attachment (id=464383)
 --> (http://bugzilla.novell.com/attachment.cgi?id=464383)
Program showing the problem

User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2

I have a program that crashes only on openSUSE 12.1 and not on openSUSE 11.2, 11.3 and 11.4. The crash occurs in sprintf.

Rich Coe is our hero, because he was able to isolate the problem and wrote a small program that shows the crash. See the attached file on how to reproduce the problem.

I think the issue also has a high security impact, because programs that rely on a working sprintf might use this hole to overwrite arbitrary memory.

Reproducible: Always

Steps to Reproduce:
1. Compile the attached program
2. Run it.

Actual Results:
It crashes.

Expected Results:
A path is printed and no crash occurs.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c

Lars Müller <lmuelle@suse.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
Attachment #464383 mime type    |text/x-csrc                 |text/plain
https://bugzilla.novell.com/show_bug.cgi?id=733140#c

Cristian Rodríguez <crrodriguez@opensuse.org> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                             CC|                            |crrodriguez@opensuse.org
                     AssignedTo|bnc-team-screening@forge.provo.novell.com |aj@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=733140#c1

Rich Coe <rcoe@wi.rr.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                             CC|                            |rcoe@wi.rr.com

--- Comment #1 from Rich Coe <rcoe@wi.rr.com> 2011-11-28 23:56:03 UTC ---
I have a patch for this issue.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c

Rich Coe <rcoe@wi.rr.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                         Status|NEW                         |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=733140#c

Rich Coe <rcoe@wi.rr.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                     AssignedTo|aj@suse.com                 |rcoe@wi.rr.com
https://bugzilla.novell.com/show_bug.cgi?id=733140#c2

Rich Coe <rcoe@wi.rr.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                         Status|ASSIGNED                    |RESOLVED
                     Resolution|                            |FIXED

--- Comment #2 from Rich Coe <rcoe@wi.rr.com> 2011-11-29 03:21:57 UTC ---
patch submitted - request id 94187

extend_alloca() is incorrectly used in vfprintf().
The second parameter holds the number of items in the alloca array specs, but extend_alloca sets it to the total number of bytes allocated.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c3

Rich Coe <rcoe@wi.rr.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                            URL|                            |http://sourceware.org/bugzilla/show_bug.cgi?id=13446

--- Comment #3 from Rich Coe <rcoe@wi.rr.com> 2011-11-29 03:40:10 UTC ---
Submitted upstream as http://sourceware.org/bugzilla/show_bug.cgi?id=13446
https://bugzilla.novell.com/show_bug.cgi?id=733140#c4

Andreas Jaeger <aj@suse.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                         Status|RESOLVED                    |REOPENED
                     Resolution|FIXED                       |
                     AssignedTo|rcoe@wi.rr.com              |aj@suse.com

--- Comment #4 from Andreas Jaeger <aj@suse.com> 2011-11-29 08:46:43 UTC ---
Rich, do you want to take over glibc? Thanks a lot!

Let me open the bug for releasing an online update!
https://bugzilla.novell.com/show_bug.cgi?id=733140#c5

Andreas Jaeger <aj@suse.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                         Status|REOPENED                    |NEEDINFO
                   InfoProvider|                            |maintenance@opensuse.org

--- Comment #5 from Andreas Jaeger <aj@suse.com> 2011-11-29 08:51:02 UTC ---
Hi, I'd like to do an online update for openSUSE 12.1 and fix bnc#732349 as well.

Btw. is the description of the workflow on http://en.opensuse.org/Portal:Maintenance still correct?
https://bugzilla.novell.com/show_bug.cgi?id=733140#c6

--- Comment #6 from Christoph Bartoschek <bartoschek@or.uni-bonn.de> 2011-11-29 10:10:41 UTC ---
I would suggest the following patch instead. This way nsize is initialized with the correct number of bytes. And nspecs_max uses the whole given buffer.

diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 753a5ac..6e026ae 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1683,8 +1683,9 @@ do_positional:
 	    {
 	      /* Extend the array of format specifiers.  */
 	      struct printf_spec *old = specs;
-	      specs = extend_alloca (specs, nspecs_max,
-				     2 * nspecs_max * sizeof (*specs));
+	      size_t nsize = nspecs_max * sizeof(*specs);
+	      specs = extend_alloca (specs, nsize, 2 * nsize);
+	      nspecs_max = nsize/sizeof(*specs);
 
 	      /* Copy the old array's elements to the new space.  */
 	      memmove (specs, old, nspecs * sizeof (struct printf_spec));

I do not have access to the glibc bugzilla, so I will not post it there.
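Review bot: the third `+` line, `nspecs_max = nsize/sizeof(*specs);`, is only correct if extend_alloca leaves nsize equal to the usable byte size of the buffer it hands back; that assumption should be stated in the comment above the call, because nspecs_max continues to be used as the element capacity of specs after this point. Rounding down in the division is the safe direction (it can understate room, never overstate it). Style nit: `sizeof(*specs)` and `nsize/sizeof(*specs)` drop the spaces that the surrounding GNU-style lines use (`sizeof (*specs)`, `2 * nsize`).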
https://bugzilla.novell.com/show_bug.cgi?id=733140#c7

--- Comment #7 from Andreas Jaeger <aj@suse.com> 2011-11-29 10:38:47 UTC ---
Christoph, everybody can access the glibc bugzilla. Let me just copy your comment to it in this case.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c8

--- Comment #8 from Rich Coe <rcoe@wi.rr.com> 2011-11-29 12:21:41 UTC ---
nsize does not always represent the correct size of the returned object, due to the way that extend_alloca (an internal glibc macro).

I wouldn't recommend this latest proposal.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c9

--- Comment #9 from Christoph Bartoschek <bartoschek@or.uni-bonn.de> 2011-11-29 12:30:24 UTC ---
It represents at least what is usable. There is no possibility that nsize is larger than the usable buffer size after extend_alloca.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c10

--- Comment #10 from Christoph Bartoschek <bartoschek@or.uni-bonn.de> 2011-11-29 12:36:52 UTC ---
If one does not want to use the extending feature of extend_alloca then one should just use alloca.
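Added illustration (my own model, not code from glibc or from anyone in this thread) of the unit mismatch that comment #2 names and of the accounting the patch in comment #6 restores. extend_buffer is a heap stand-in for the extend_alloca contract as the thread describes it (an in/out argument that ends up holding a byte count), struct spec stands in for struct printf_spec, and grow_buggy/grow_fixed/capacity_is_consistent are names I chose. The real macro is stack-based and, as comment #8 points out, need not hand back exactly the requested size; this model assumes it does, which is enough to show why an element counter must never be passed where a byte counter is expected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for glibc's struct printf_spec (assumption: the real structure is
   larger; only its size matters for the accounting shown here). */
struct spec { int field[4]; };          /* 4 ints, 16 bytes where int is 4 bytes */

/* Heap model of the extend_alloca contract described in comment #2: the
   buffer is grown to NEWLEN bytes and the in/out argument LEN is overwritten
   with the BYTE size of the buffer handed back.  Assumption: unlike the real
   stack-based macro, this model always returns exactly NEWLEN bytes. */
static void *extend_buffer(void *buf, size_t *len, size_t newlen)
{
    void *nbuf = realloc(buf, newlen);
    if (nbuf == NULL) {
        free(buf);
        abort();
    }
    *len = newlen;
    return nbuf;
}

/* What the caller believes it may store versus what the buffer really holds. */
struct capacity {
    size_t believed_elems;
    size_t actual_elems;
};

/* Accounting as in the "-" lines of the hunk in comment #6: the element
   counter nspecs_max is handed to the macro as if it were a byte count, so
   afterwards it holds bytes but keeps being used as an element count. */
struct capacity grow_buggy(size_t nspecs_max)
{
    struct spec *specs = malloc(nspecs_max * sizeof *specs);
    if (specs == NULL)
        abort();
    size_t newlen = 2 * nspecs_max * sizeof *specs;
    specs = extend_buffer(specs, &nspecs_max, newlen);   /* nspecs_max := bytes */
    struct capacity c = { nspecs_max, newlen / sizeof *specs };
    free(specs);
    return c;
}

/* Accounting as in the "+" lines of the hunk in comment #6: a separate byte
   counter nsize is passed to the macro and the element count is derived from
   it afterwards.  Integer division rounds down, so it never overstates room. */
struct capacity grow_fixed(size_t nspecs_max)
{
    size_t nsize = nspecs_max * sizeof(struct spec);
    struct spec *specs = malloc(nsize);
    if (specs == NULL)
        abort();
    specs = extend_buffer(specs, &nsize, 2 * nsize);     /* nsize := bytes */
    nspecs_max = nsize / sizeof(struct spec);
    struct capacity c = { nspecs_max, nsize / sizeof(struct spec) };
    free(specs);
    return c;
}

/* The invariant every bounds check against nspecs_max depends on: the caller
   must never believe it has more slots than the buffer actually provides. */
bool capacity_is_consistent(struct capacity c)
{
    return c.believed_elems <= c.actual_elems;
}

int main(void)
{
    struct capacity b = grow_buggy(32), f = grow_fixed(32);
    printf("buggy: believes %zu slots, buffer holds %zu -> %s\n",
           b.believed_elems, b.actual_elems,
           capacity_is_consistent(b) ? "ok" : "OVERSTATED");
    printf("fixed: believes %zu slots, buffer holds %zu -> %s\n",
           f.believed_elems, f.actual_elems,
           capacity_is_consistent(f) ? "ok" : "OVERSTATED");
    return 0;
}
```

Starting from 32 slots, the buggy path ends up believing it has 32 * 2 * sizeof(struct spec) slots in a buffer that holds 64, so any later write guarded only by nspecs_max runs past the allocation; the fixed path believes exactly 64. The same check is worth adding to any grow-by-reference helper whose size argument and capacity variable are expressed in different units.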
https://bugzilla.novell.com/show_bug.cgi?id=733140#c11

Benjamin Brunner <bbrunner@suse.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                         Status|NEEDINFO                    |REOPENED
                   InfoProvider|maintenance@opensuse.org    |

--- Comment #11 from Benjamin Brunner <bbrunner@suse.com> 2011-12-03 18:26:29 CET ---
Rich, could you do a submitrequest to openSUSE:12.1:Update:Test please.

And AJ, we had some changes in our maintenance workflow. ATM there is no SWAMPID needed and we will update the documentation ASAP.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c12

--- Comment #12 from Andreas Jaeger <aj@suse.com> 2011-12-04 12:19:47 UTC ---
I did the submitrequest myself now: 95313
https://bugzilla.novell.com/show_bug.cgi?id=733140#c13

--- Comment #13 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-12-04 14:00:24 CET ---
This is an autogenerated message for OBS integration:
This bug (733140) was mentioned in
https://build.opensuse.org/request/show/95313 12.1 / glibc
https://bugzilla.novell.com/show_bug.cgi?id=733140#c14

Christoph Bartoschek <novell@pontohonk.de> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                             CC|                            |novell@pontohonk.de

--- Comment #14 from Christoph Bartoschek <novell@pontohonk.de> 2011-12-08 21:54:28 UTC ---
When can we expect to get the update? I would like to start deploying 12.1.
https://bugzilla.novell.com/show_bug.cgi?id=733140#c15

Benjamin Brunner <bbrunner@suse.com> changed:

           What                 |Removed                     |Added
----------------------------------------------------------------------------
                         Status|REOPENED                    |RESOLVED
                     Resolution|                            |FIXED

--- Comment #15 from Benjamin Brunner <bbrunner@suse.com> 2011-12-13 14:23:05 CET ---
Update already released. Resolved fixed.