bug-gnulib
From: Jim Meyering
Subject: Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE == 2
Date: Fri, 19 Oct 2007 13:20:15 +0200

Bruno Haible <address@hidden> wrote:
> Jim Meyering wrote:
>> It is the key that gives format-abusers so much latitude
>> in choosing what value to write where.  Without that
>> feature, coming up with a real exploit is much harder.
>
> Without %n, one can still use format strings like
>   %.10000000f%.10000000f%.10000000f%.10000000f%.10000000f%.10000000f
> to conduct denial-of-service attacks.

Yes, it'd be great if all exploits resulted only in a DoS.
But limiting use of %n makes it much harder to construct more
serious exploits, e.g., ones resulting in arbitrary code execution.
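The two capabilities argued over above, %n as a write primitive and oversized precision as a denial of service, shown concretely. This is an added example, not code from this thread or from gnulib's vasnprintf; the function names (`value_written_by_n`, `bytes_for_precision`, `format_is_safe`) are hypothetical. The %n format is a string literal so the demonstration still runs under _FORTIFY_SOURCE=2, which only rejects %n when the format lives in writable memory.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* %n stores the number of bytes produced so far into the int that the
   matching argument points to.  "%*d" pads a 0 out to `chosen` columns,
   so `chosen` is exactly what lands in `target`: the attacker picks the
   value.  In a real format-string bug the pointer is read off the stack,
   so the attacker picks the destination as well; here it is explicit.
   Hypothetical helper, not gnulib code. */
int value_written_by_n(int chosen)
{
    int target = 0;
    char scratch[8192];               /* large enough for the demo widths */
    if (chosen < 0 || chosen >= (int) sizeof scratch)
        return -1;
    snprintf(scratch, sizeof scratch, "%*d%n", chosen, 0, &target);
    return target;
}

/* Bytes that "%.<precision>f" applied to 1.0 would emit, measured with
   snprintf(NULL, 0, ...) so nothing is stored.  Six copies of
   "%.10000000f", as in the quoted format, come to sixty million bytes of
   "1.000...": that is the DoS case, with no %n involved. */
long bytes_for_precision(int precision)
{
    int n = snprintf(NULL, 0, "%.*f", precision, 1.0);
    return n < 0 ? -1 : n;
}

/* Conservative gate for a format string of untrusted origin, run before
   it reaches vsnprintf: every conversion must be a known one, %n is
   refused, and any literal width or precision above `max_field` is
   refused.  Positional "%1$d" forms are also refused.  Hypothetical
   helper, not a gnulib API. */
bool format_is_safe(const char *fmt, long max_field)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                 /* literal percent sign */
        while (*p && strchr("-+ #0'", *p))
            p++;                      /* flags */
        if (*p == '*') {
            p++;                      /* width supplied by the program */
        } else {
            long width = 0;
            while (*p >= '0' && *p <= '9') {
                width = width * 10 + (*p - '0');
                if (width > max_field)
                    return false;
                p++;
            }
        }
        if (*p == '.') {
            p++;
            if (*p == '*') {
                p++;                  /* precision supplied by the program */
            } else {
                long prec = 0;
                while (*p >= '0' && *p <= '9') {
                    prec = prec * 10 + (*p - '0');
                    if (prec > max_field)
                        return false;
                    p++;
                }
            }
        }
        while (*p && strchr("hlLqjzt", *p))
            p++;                      /* length modifiers */
        if (*p == '\0' || *p == 'n' || !strchr("diouxXeEfFgGaAcsp", *p))
            return false;
    }
    return true;
}
```

The gate is deliberately stricter than what printf accepts: a format that a program constructs at run time and hands to vasnprintf has no business carrying %n, and capping literal field sizes is what turns the quoted "%.10000000f" chain back into an ordinary error instead of a multi-megabyte allocation.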
