This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: use of %n in genmodes.c causes trouble on Vista


* Ian Lance Taylor:

> What is the security issue here?

The issue arises in programs that pass attacker-controlled data as
the format string.  They use

  printf(some_string);
  syslog(LOG_INFO, some_string);

instead of

  printf("%s", some_string);
  syslog(LOG_INFO, "%s", some_string);

The main point of this attack is to embed target addresses in the
format string and add conversion specifications so that "%n" picks up
these addresses.  On a machine that supports unaligned memory
accesses, you can use a sequence of overlapping writes to put
arbitrary contents into arbitrary memory locations.
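As an added example (not code from this thread): a small logging wrapper that applies the "%s" fix above and carries GCC's format attribute, so that building with -Wformat -Wformat-security flags a non-literal format string at compile time; the names log_line, log_untrusted and render_untrusted are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Wrapper carrying GCC's format attribute (argument 3 is the format,
   variadic arguments start at 4).  Compiled with -Wformat -Wformat-security,
   GCC warns on log_line(buf, n, some_string) when some_string is not a
   literal and no further arguments are given. */
__attribute__((format(printf, 3, 4)))
int log_line(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* The fix from the message above: a constant format, with the untrusted
   string passed as the "%s" argument so any '%' in it is inert data. */
int log_untrusted(char *out, size_t out_len, const char *untrusted)
{
    return log_line(out, out_len, "%s", untrusted);
}

/* Renders an untrusted string through log_untrusted() into a static buffer
   and returns it, so a caller can confirm that "%n", "%x" and similar
   sequences survive verbatim and are never interpreted as conversions. */
const char *render_untrusted(const char *untrusted)
{
    static char buf[256];
    log_untrusted(buf, sizeof buf, untrusted);
    return buf;
}

int main(void)
{
    /* Constructed sample input made of conversion specifiers. */
    const char *hostile = "%x%x%x%n";
    printf("rendered verbatim: %s\n", render_untrusted(hostile));
    return 0;
}
```

Passing the same string as the format argument of log_line() instead of through log_untrusted() is exactly the pattern -Wformat-security reports; -Werror=format-security turns that report into a build failure.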

