This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.



Re: Security patch for printf - please no! (Was: Re: Patch to add __builtin_printf)


Kamil Iskra <kamil@wins.uva.nl> said:
> On Tue, 19 Sep 2000, Zack Weinberg wrote:
> > In light of recent security advisories, I'd like to see us do a
> > transformation like this:
> > 
> >   char *foo;  printf (foo);  -> printf ("%s", foo);  [->fputs (foo, stdout)]
> > 
> > and issue a loud warning about the potential hole.  Note that the
> > transformation only applies when there are no arguments after the variable.

This is illegal, as it will write something different if foo happens to be
"An %% example".

> I am sorry, but I think that this idea, and the whole thread following it,
> patches included, is nonsensical.
> 
> Implementing this idea will result in:
> 
> 1. HUGE amounts of false positives for most code.

What "false positives"? printf(3) with a variable format is fishy.

> 2. false sense of security, because in fact only one category of format
>    string problems will be patched.

Better catching one than none, IMVHO...

[...]

> However, you fail to patch other obvious examples of format string
> problems. What's the difference between the two lines:
> 
> printf(var);
> printf(var, "abc");
> 
> The first one is vulnerable to var such as "bla %s bla", the second one to
> only slightly more complicated "bla %s %s bla". You can fix the first one,
> but what about the second one? You are not going to suggest that GCC
> suddenly starts warning whenever the format string is not a constant?

Not a bad idea, come to think of it...

> Basically, you can't fix such format string problems this way. Given the
> large noise ratio which must result from such a patch, and the minimal
> improvements it results in, I strongly suggest that the GCC maintainers
> reject it. It just isn't worth the trouble it causes.

Code which uses the above is broken in my book.
-- 
Horst von Brand                             vonbrand@sleipnir.valparaiso.cl
Casilla 9G, Vin~a del Mar, Chile                               +56 32 672616
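Added illustration of the objection above (example code written for this archive page, not from the thread or from GCC): rendering a runtime string once as a format and once as data, so the "%%" case where the proposed printf(foo) -> printf("%s", foo) rewrite changes output is visible. The function names and the constructed inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Scratch buffer so callers can inspect the rendered text. */
static char scratch[128];

/* The pattern the thread is about: a non-literal string used as the format.
   GCC's -Wformat-security warns here. Only constructed inputs without any
   conversion are passed in this example, so snprintf never reads a
   non-existent argument; the "%%" sequence is still collapsed to "%". */
static int format_as_format(char *out, size_t n, const char *fmt)
{
    return snprintf(out, n, fmt);
}

/* The proposed rewrite: the string is data, and every '%' is kept verbatim. */
static int format_as_data(char *out, size_t n, const char *s)
{
    return snprintf(out, n, "%s", s);
}

/* Returns 1 when the two renderings differ, i.e. when the automatic rewrite
   would not be semantics-preserving for this input (Horst's "%%" case). */
static int rewrite_changes_output(const char *s)
{
    char a[128], b[128];
    format_as_format(a, sizeof a, s);
    format_as_data(b, sizeof b, s);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed inputs: one with "%%", one without any '%' at all. */
    const char *inputs[] = { "An %% example", "plain text" };
    for (size_t i = 0; i < 2; i++) {
        format_as_format(scratch, sizeof scratch, inputs[i]);
        printf("as format: \"%s\"\n", scratch);
        format_as_data(scratch, sizeof scratch, inputs[i]);
        printf("as data:   \"%s\"  (rewrite changes output: %d)\n",
               scratch, rewrite_changes_output(inputs[i]));
    }
    return 0;
}
```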