From: Tobias Stoeckmann <tobias@stoeckmann.org>
To: mtk.manpages@gmail.com
Cc: linux-man@vger.kernel.org
Subject: [patch] printf.3: Prevent signed integer overflow in example
Date: Thu, 21 May 2020 14:15:06 +0200 [thread overview]
Message-ID: <20200521121505.dfh473amjvb37rwr@localhost> (raw)
The function make_message illustrates how to use vsnprintf to determine
the required amount of memory for a specific format and its arguments.
If make_message is called with a format which will use exactly INT_MAX
characters (excluding '\0'), then the size++ calculation will overflow
the signed integer "size", which is an undefined behaviour in C.
Since malloc and vsnprintf rightfully take a size_t argument, I decided
to use a size_t variable for size calculation. Therefore, this patched
code uses variables of the same data types as expected by function
arguments.
Proof of concept (tested on Linux/glibc amd64):
int main() { make_message("%647s%2147483000s", "", ""); }
If the code is compiled with address sanitizer (gcc -fsanitize=address)
you can see the following line, assuming that a signed integer overflow
simply leads to INT_MIN:
==3094==WARNING: AddressSanitizer failed to allocate 0xffffffff80000000 bytes
---
man3/printf.3 | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/man3/printf.3 b/man3/printf.3
index 50e136ba6..827d9cbae 100644
--- a/man3/printf.3
+++ b/man3/printf.3
@@ -1132,29 +1132,32 @@ To allocate a sufficiently large string and print into it
char *
make_message(const char *fmt, ...)
{
- int size = 0;
+ int n = 0;
+ size_t size = 0;
char *p = NULL;
va_list ap;
/* Determine required size */
va_start(ap, fmt);
- size = vsnprintf(p, size, fmt, ap);
+ n = vsnprintf(p, size, fmt, ap);
va_end(ap);
- if (size < 0)
+ if (n < 0)
return NULL;
- size++; /* For '\e0' */
+ /* One extra byte for '\e0' */
+
+ size = (size_t) n + 1;
p = malloc(size);
if (p == NULL)
return NULL;
va_start(ap, fmt);
- size = vsnprintf(p, size, fmt, ap);
+ n = vsnprintf(p, size, fmt, ap);
va_end(ap);
- if (size < 0) {
+ if (n < 0) {
free(p);
return NULL;
}
--
2.26.2
next reply other threads:[~2020-05-21 12:15 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-21 12:15 Tobias Stoeckmann [this message]
2020-05-25 14:00 ` [patch] printf.3: Prevent signed integer overflow in example Michael Kerrisk (man-pages)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200521121505.dfh473amjvb37rwr@localhost \
--to=tobias@stoeckmann.org \
--cc=linux-man@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).