Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE ==
From: Bruno Haible
Subject: Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE == 2
Date: Fri, 19 Oct 2007 02:19:44 +0200
User-agent: KMail/1.5.4

Jim Meyering wrote:
> But disallowing %n in a writable format string does
> protect applications from an entire class of exploits.
> That is worth more than enough to compensate for the minor limitation.

Two remarks:

* The %n has to serve as a scapegoat here. The exploit in [1] is a
  combination of
    1. a runtime system that allows modifications of arbitrary memory
       locations without the concept of compartments inside the memory
       of a process (C combined with the Unix memory model),
    2. a user-provided string that is used as a format string,
    3. a format directive that causes a write into memory.
  #1 is the real root of so many security issues, but its solution is
  out of scope here.
  #2 is the cause of this particular issue. #3 is not an issue by itself.
  So why don't people think more about how to fix #2?

2) Does it have to be done through abort()? Can't it be silent like on
   Windows Vista? IMO, library functions should not crash a program when
   the input is standards-compliant.

> BTW, this problem was also encountered last year by CVS developers.
I must have missed that, sorry.
Bruno
[1] http://seclists.org/bugtraq/1999/Sep/0328.html
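
Added example, not part of the original message and not gnulib or glibc code: a C sketch of the two places a defender can intervene in the list above, detecting condition 3 (a %n directive in a format string) and removing condition 2 (user text used as the format). The function names `has_percent_n` and `render_user_text` are hypothetical, and the directive scanner is a simplification written for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Condition 3 detector: return 1 if fmt contains a %n conversion (with any
   flags, width, precision or length modifier), 0 otherwise.  "%%" is a
   literal percent sign.  Simplified scanner, written for this example. */
int has_percent_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                            /* literal "%%" */
        p += strspn(p, "0123456789$");           /* positional arg, e.g. 1$ */
        p += strspn(p, "-+ #0'");                /* flags */
        p += strspn(p, "*0123456789$");          /* field width */
        if (*p == '.')
            p += 1 + strspn(p + 1, "*0123456789$");  /* precision */
        p += strspn(p, "hlLqjzt");               /* length modifiers */
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;                               /* truncated directive */
    }
    return 0;
}

/* Fix for condition 2: the user-provided string is passed as an argument to
   a constant format, so directives inside it are copied, never interpreted.
   Returns a static buffer (not thread-safe; kept simple for the example). */
const char *render_user_text(const char *user)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "user said: %s", user);
    return buf;
}

int main(void)
{
    const char *input = "%x%x%n";   /* constructed sample input */
    printf("contains %%n: %d\n", has_percent_n(input));
    printf("%s\n", render_user_text(input));
    return 0;
}
```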