[BusyBox 0004184]: printf buffer overflow
bugs at busybox.net
Wed Aug 20 00:56:58 UTC 2008
The following issue has been CLOSED
======================================================================
http://busybox.net/bugs/view.php?id=4184
======================================================================
Reported By: cristic
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 4184
Category: Other
Reproducibility: always
Severity: minor
Priority: normal
Status: closed
Resolution: open
Fixed in Version:
======================================================================
Date Submitted: 07-16-2008 17:32 PDT
Last Modified: 08-19-2008 17:56 PDT
======================================================================
Summary: printf buffer overflow
Description:
Hi, "printf %" leads to a buffer overflow, and prints random values from the stack.
This should be rejected as in Coreutils:
$ printf %
./printf: %: invalid conversion specification
The problem is that printf does not validate the format specifier. One possible fix would be to add a check along these lines after line 201 in printf.c:
    direc_start = f++;
+   if (*f == '\0')
+       fprintf(stderr, "invalid conversion specification");
    direc_length = 1;
    field_width = precision = -1;
    if (*f == '%') {
        bb_putchar('%');
        break;
    }
Thanks,
Cristian
======================================================================
----------------------------------------------------------------------
bernhardf - 07-17-08 01:02
----------------------------------------------------------------------
bb_error_msg_and_die("invalid conversion specification"), yes.
What tool of yours is that? Is it available somewhere? Just curious since
it sounds quite useful.. :)
----------------------------------------------------------------------
vda - 07-17-08 02:16
----------------------------------------------------------------------
Try attached patch
----------------------------------------------------------------------
vda - 07-17-08 02:16
----------------------------------------------------------------------
Careful with _and_die, ash uses printf_main directly
----------------------------------------------------------------------
cristic - 07-17-08 16:03
----------------------------------------------------------------------
> What tool of yours is that? Is it available somewhere? Just curious since it
> sounds quite useful.. :)
Hi, it's a tool that works by exploring various execution paths through the program (using symbolic execution), and generating concrete test cases for each path that it explores. The tool is still under development, but we might open source it at some point; we'll definitely let you guys know when this happens.
----------------------------------------------------------------------
cristic - 07-17-08 16:05
----------------------------------------------------------------------
> Try attached patch
This does solve this overflow, thanks. I found a different one in printf, but I'll report it in a different thread.
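The defect discussed in this thread is a format scanner that steps past a trailing '%' and then hands an incomplete directive to the C library. The following is an added example, not BusyBox's printf.c or the attached printf.diff: a self-contained validator that rejects a truncated or unknown conversion specification and, following vda's caution about ash calling printf_main directly, reports the error by return value instead of exiting. The accepted flag and conversion sets are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Return 0 if every '%' in f begins a complete directive (or is "%%"),
 * -1 otherwise. Never exits, so a caller embedded in a shell (as BusyBox's
 * printf_main is in ash) can print its own diagnostic and continue.
 * Grammar assumed here: %[flags][width][.precision]conv, with the flag and
 * conversion sets below; this is an example, not the real BusyBox parser. */
static int validate_format(const char *f)
{
    static const char flags[] = "-+ #0";
    static const char convs[] = "diouxXeEfgGcsb";   /* %b as in BusyBox printf */

    while (*f) {
        if (*f != '%') { f++; continue; }
        f++;                                   /* step over '%' */
        if (*f == '%') { f++; continue; }      /* literal "%%" */

        while (*f && strchr(flags, *f)) f++;   /* flags (strchr would match '\0') */
        if (*f == '*') f++;                    /* width */
        else while (*f >= '0' && *f <= '9') f++;
        if (*f == '.') {                       /* precision */
            f++;
            if (*f == '*') f++;
            else while (*f >= '0' && *f <= '9') f++;
        }
        /* The reported case: '%' was the last byte, so *f is '\0' here.
         * Returning instead of reading on avoids passing "%" to the libc. */
        if (*f == '\0' || !strchr(convs, *f))
            return -1;
        f++;
    }
    return 0;
}

/* Wrapper in the shape of a builtin: diagnose, but do not die. */
static int checked_printf(const char *fmt)
{
    if (validate_format(fmt) != 0) {
        fprintf(stderr, "printf: %s: invalid conversion specification\n", fmt);
        return 1;
    }
    return 0;
}

int main(void)
{
    return checked_printf("%");   /* exits 1 with the diagnostic, no overflow */
}
```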
Issue History
Date Modified Username Field Change
======================================================================
07-16-08 17:32 cristic New Issue
07-16-08 17:32 cristic Status new => assigned
07-16-08 17:32 cristic Assigned To => BusyBox
07-16-08 17:32 cristic Issue Monitored: cristic
07-17-08 01:02 bernhardf Note Added: 0009544
07-17-08 02:15 vda File Added: printf.diff
07-17-08 02:16 vda Note Added: 0009574
07-17-08 02:16 vda Note Added: 0009584
07-17-08 16:03 cristic Note Added: 0009704
07-17-08 16:05 cristic Note Added: 0009714
08-19-08 17:56 vda Status assigned => closed
======================================================================