diff options
| author | Kees Cook <keescook@chromium.org> | 2012-03-05 10:17:22 +0100 |
|---|---|---|
| committer | Andreas Jaeger <aj@suse.de> | 2012-03-05 10:17:22 +0100 |
| commit | 7c1f4834d398163d1ac8101e35e9c36fc3176e6e (patch) | |
| tree | 16849fb20179cf05c02216556effaa2cfeb8aae7 /stdio-common/bug-vfprintf-nargs.c | |
| parent | c6922934363f44b88250567f52036d8e9972c255 (diff) | |
| download | glibc-7c1f4834d398163d1ac8101e35e9c36fc3176e6e.tar.gz glibc-7c1f4834d398163d1ac8101e35e9c36fc3176e6e.tar.xz glibc-7c1f4834d398163d1ac8101e35e9c36fc3176e6e.zip | |
2012-03-02 Kees Cook <keescook@chromium.org>
[BZ #13656]
* stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
possibly allocate from heap instead of stack.
* stdio-common/bug-vfprintf-nargs.c: New file.
* stdio-common/Makefile (tests): Add nargs overflow test.
Diffstat (limited to 'stdio-common/bug-vfprintf-nargs.c')
| -rw-r--r-- | stdio-common/bug-vfprintf-nargs.c | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c new file mode 100644 index 0000000000..13c66c0486 --- /dev/null +++ b/stdio-common/bug-vfprintf-nargs.c @@ -0,0 +1,78 @@ +/* Test for vfprintf nargs allocation overflow (BZ #13656). + Copyright (C) 2012 Free Software Foundation, Inc. + This file is part of the GNU C Library. + Contributed by Kees Cook <keescook@chromium.org>, 2012. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, write to the Free + Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA + 02111-1307 USA. */ + +#include <stdio.h> +#include <stdlib.h> +#include <stdint.h> +#include <unistd.h> +#include <inttypes.h> +#include <string.h> +#include <signal.h> + +static int +format_failed (const char *fmt, const char *expected) +{ + char output[80]; + + printf ("%s : ", fmt); + + memset (output, 0, sizeof output); + /* Having sprintf itself detect a failure is good. */ + if (sprintf (output, fmt, 1, 2, 3, "test") > 0 + && strcmp (output, expected) != 0) + { + printf ("FAIL (output '%s' != expected '%s')\n", output, expected); + return 1; + } + puts ("ok"); + return 0; +} + +static int +do_test (void) +{ + int rc = 0; + char buf[64]; + + /* Regular positionals work. */ + if (format_failed ("%1$d", "1") != 0) + rc = 1; + + /* Regular width positionals work. */ + if (format_failed ("%1$*2$d", " 1") != 0) + rc = 1; + + /* Positional arguments are constructed via read_int, so nargs can only + overflow on 32-bit systems. On 64-bit systems, it will attempt to + allocate a giant amount of memory and possibly crash, which is the + expected situation. Since the 64-bit behavior is arch-specific, only + test this on 32-bit systems. */ + if (sizeof (long int) == 4) + { + sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int)); + if (format_failed (buf, "1 %$d") != 0) + rc = 1; + } + + return rc; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |