This is the mail archive of the
gcc-patches@gcc.gnu.org
mailing list for the GCC project.
Re: Security patch for printf - please no! (Was: Re: Patch to add __builtin_printf)
- To: Kamil Iskra <kamil at wins dot uva dot nl>
- Subject: Re: Security patch for printf - please no! (Was: Re: Patch to add __builtin_printf)
- From: Horst von Brand <vonbrand at sleipnir dot valparaiso dot cl>
- Date: Thu, 21 Sep 2000 23:04:46 -0400
- cc: gcc-patches at gcc dot gnu dot org
Kamil Iskra <kamil@wins.uva.nl> said:
> On Tue, 19 Sep 2000, Zack Weinberg wrote:
> > In light of recent security advisories, I'd like to see us do a
> > transformation like this:
> >
> > char *foo; printf (foo); -> printf ("%s", foo); [->fputs (foo, stdout)]
> >
> > and issue a loud warning about the potential hole. Note that the
> > transformation only applies when there are no arguments after the variable.
This is illegal, as it will write something different if foo happens to be
"An %% example".
> I am sorry, but I think that this idea, and the whole thread following it,
> patches included, is nonsensical.
>
> Implementing this idea will result in:
>
> 1. HUGE amounts of false positives for most code.
What "false positives"? printf(3) with a variable format is fishy.
> 2. false sense of security, because in fact only one category of format
> string problems will be patched.
Better catching one than none, IMVHO...
[...]
> However, you fail to patch other obvious examples of format string
> problems. What's the difference between the two lines:
>
> printf(var);
> printf(var, "abc");
>
> The first one is vulnerable to var such as "bla %s bla", the second one to
> only slightly more complicated "bla %s %s bla". You can fix the first one,
> but what about the second one? You are not going to suggest that GCC
> suddenly starts warning whenever the format string is not a constant?
Not a bad idea, come to think of it...
> Basically, you can't fix such format string problems this way. Given the
> large noise raitio which must result from such a patch, and the minimal
> improvements it results in, I strongly suggest that the GCC maintainers
> reject it. It just isn't worth the trouble it causes.
Code wich uses the above is broken in my book.
--
Horst von Brand vonbrand@sleipnir.valparaiso.cl
Casilla 9G, Vin~a del Mar, Chile +56 32 672616