From patchwork Thu Oct 26 09:41:22 2023
X-Patchwork-Submitter: Diego Dias
X-Patchwork-Id: 1855716
Date: Thu, 26 Oct 2023 11:41:22 +0200
To: devel@uclibc-ng.org
From: Diego Dias
Subject: [uclibc-ng-devel] Re: Issue: Possible buffer overflow in _vfprintf.c (out-of-bounds access)
List-Id: uClibc-ng Development

Hi Linted,

The buffer overflow occurs when the positional arguments are used. In the
attached example (hello_world.c), the use of positional arguments is
deliberate to trigger the buffer overflow; I don't have a real-world example
where positional arguments are really necessary and used without taking the
format string from an untrusted source. In the attached example, it would be
much more natural to use "%s" instead of "%1$s", and this would have avoided
entering the problematic code path.

The effect of the buffer overflow is not observable externally; it can
however be confirmed by applying patch 'uclibc-_vfprintf.c.patch'.

Best regards,
Diego Dias

On 24/10/2023 17:06, linted wrote:
> Very nice work Diego!
>
> Is there a POC showing the overflow, as that would make writing unit
> tests easier?
>
> Also is this vulnerability in the same class as other printf
> vulnerabilities, where it requires a developer to pass untrusted input
> as the format string to print?
>
> Thank you!
> Linted
>
> On Tue, Oct 24, 2023, 7:16 AM Diego Dias wrote:
>
> Dear uclibc-ng developers,
>
> We have run a static analysis tool (Klocwork) in uclibc and one of its
> checkers (ABV.GENERAL) indicates a potential buffer overflow in
> uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045
>
> The problem occurs as an out-of-bounds access to array 'argtype', which
> is a member of 'ppfs_t'. This array has length 'MAX_ARGS'. According to
> the static analysis tool, the array can be accessed using index 'n' of
> value '-1' and '9..254' in the conditional shown below:
>
> // File: uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045
>    if (_is_equal_or_bigger_arg(ppfs->argtype[n], argtype[i])) {
>      ppfs->argtype[n] = argtype[i];
>    }
>
> Triggering an out-of-bounds access for 'n=-1' is relatively simple when
> using printf or similar functions (e.g. vfprintf). Such out-of-bounds
> access occurs when positional arguments are specified, as in the
> following statement:
>
>    printf("%1$s", "Hello world!");
>
> Although Klocwork claims that the array might be accessed using indexes
> '9..254', we were not able to trigger an out-of-bounds access for
> indexes in this range.
>
> Kind regards,
> Diego Dias
>
> --
> Diego M. Dias, Systems Verification Engineer at Kernkonzept,
> diego.dias@kernkonzept.com
> Phone: +49 351 41883231
>
> Kernkonzept GmbH at Dresden, Germany, HRB 31129, CEO Dr.-Ing.
> Michael Hohmuth
>
> _______________________________________________
> devel mailing list -- devel@uclibc-ng.org
> To unsubscribe send an email to devel-leave@uclibc-ng.org

diff --git a/libc/stdio/_vfprintf.c b/libc/stdio/_vfprintf.c index fc5d3ff68..2605f6682 100644 --- a/libc/stdio/_vfprintf.c +++ b/libc/stdio/_vfprintf.c @@ -1042,6 +1042,15 @@ int attribute_hidden _ppfs_parsespec(ppfs_t *ppfs) } --n; /* Record argtype with largest size (current, new). */ + if (!(n>=0 && n<9)) + { + if (n==-1) + puts("## Buffer-overflow ## [-1]"); + else if (n==9) + puts("## Buffer-overflow ## [9]"); + else + puts("## Buffer-overflow ## [?]"); + } if (_is_equal_or_bigger_arg(ppfs->argtype[n], argtype[i])) { ppfs->argtype[n] = argtype[i]; }
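Review bot: the added block only reports an out-of-range n and then falls through to the unchanged `if (_is_equal_or_bigger_arg(ppfs->argtype[n], argtype[i]))`, so the out-of-bounds read and write still happen; that is fine for the stated purpose of confirming the finding, but anything meant to be merged should skip the update (or make `_ppfs_parsespec` return an error) when `!(n>=0 && n<9)`. The literal 9 should also be written as `MAX_ARGS`, which the report names as the length of `argtype`, so the check cannot drift from the declaration. Finally, calling `puts()` from inside the format parser writes through the same stdio layer this file implements, which is acceptable for a one-off diagnostic build but not for production code.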
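The report and the diagnostic patch above describe an index n that reaches -1 (and, per the static analyser, 9..254) before it is used to subscript argtype[MAX_ARGS]. The following is an added example, not uclibc's code: it pairs a hardened form of the update at _vfprintf.c:1045, which validates n against the array length before use, with a hypothetical positional-spec parser that shows how a "%N$" conversion maps to a 0-based slot. The struct, the MAX_ARGS value of 9 (chosen to match the patch's `n>=0 && n<9` check), the comparison used for _is_equal_or_bigger_arg() and the parser are all assumptions for this example; uclibc's own parser is not reproduced, and the report shows it reaches n = -1 even for "%1$s".

```c
#include <stdio.h>
#include <string.h>

/* MAX_ARGS is assumed to be 9 here to match the patch's check (n>=0 && n<9).
 * This struct is a constructed stand-in for the argtype member of uclibc's
 * ppfs_t, not the real definition. */
#define MAX_ARGS 9

typedef struct {
    int argtype[MAX_ARGS];
} model_ppfs_t;

/* Stand-in for _is_equal_or_bigger_arg(): the page does not show its body, so a
 * plain comparison of numeric type codes is assumed. */
static int is_equal_or_bigger_arg(int current, int candidate)
{
    return candidate >= current;
}

/* Hardened form of the update at _vfprintf.c:1045: the index is validated
 * against the array length before it is used. Returns 0 when the slot was
 * updated (or left alone because the recorded type is already larger) and -1
 * when n lies outside [0, MAX_ARGS), which covers both out-of-bounds cases the
 * report names (n = -1, and n = 9 and above). */
int record_argtype_checked(model_ppfs_t *ppfs, int n, int newtype)
{
    if (n < 0 || n >= MAX_ARGS)
        return -1;
    if (is_equal_or_bigger_arg(ppfs->argtype[n], newtype))
        ppfs->argtype[n] = newtype;
    return 0;
}

/* Hypothetical positional-spec parser for this example: reads the "N$" part of
 * a conversion such as "%1$s" and returns the 0-based slot N-1. Returns -1 when
 * no position is present, when the digits are not followed by '$', or when N is
 * 0 (positions are 1-based), i.e. exactly the index the unchecked code would
 * have used to read argtype[-1]. */
int positional_index(const char *spec)
{
    if (spec == NULL || *spec != '%')
        return -1;
    const char *p = spec + 1;
    long pos = 0;
    int digits = 0;
    while (*p >= '0' && *p <= '9') {
        pos = pos * 10 + (*p - '0');
        p++;
        digits++;
        if (pos > 255)
            break; /* bound the value; a longer run of digits is rejected below */
    }
    if (digits == 0 || *p != '$' || pos == 0)
        return -1;
    return (int)pos - 1;
}

/* Records the conversion type for the argument slot named by spec, refusing any
 * index the table cannot hold instead of indexing past it. */
int record_spec(model_ppfs_t *ppfs, const char *spec, int newtype)
{
    return record_argtype_checked(ppfs, positional_index(spec), newtype);
}

int main(void)
{
    model_ppfs_t ppfs;
    memset(&ppfs, 0, sizeof ppfs);
    /* constructed inputs: a valid position, position 0, and a position past MAX_ARGS */
    printf("%%1$s  -> %d\n", record_spec(&ppfs, "%1$s", 3));  /* 0: slot 0 updated */
    printf("%%0$s  -> %d\n", record_spec(&ppfs, "%0$s", 3));  /* -1: would have been argtype[-1] */
    printf("%%10$s -> %d\n", record_spec(&ppfs, "%10$s", 3)); /* -1: would have been argtype[9] */
    return 0;
}
```

The point of splitting the guard into record_argtype_checked() is that the bounds check sits next to the declaration it protects and uses MAX_ARGS rather than a literal, so a later change to the table size cannot silently reopen the gap; a unit test of the kind Linted asks for then only needs to assert on the return value for the boundary indices -1, 0, MAX_ARGS-1 and MAX_ARGS.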