This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug c/72783] New: Fortify scanf %s, %[ conversion specifiers


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72783

            Bug ID: 72783
           Summary: Fortify scanf %s, %[ conversion specifiers
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: fw at gcc dot gnu.org
                CC: msebor at gcc dot gnu.org
  Target Milestone: ---

A somewhat common source of buffer overflows is %s and %[ conversions in scanf
parsers, where the input string (and the extracted region) is larger than the
supplied target buffer.

A typical example for this category of bugs is CVE-2014-0004, which was fixed
thusly:

  https://cgit.freedesktop.org/udisks/commit/?id=244967

There are various ways to add hardening against this.

If the length of the target buffer is known at compile time, it can be encoded
in the format string, but this results in silent truncation.

It is possible to specify the m flag and copy the result string to the actual
target buffer with length checking, and then free the temporary buffer.

The format string could be rewritten to include a new flag (say M) which
indicates that instead of a single char * argument, there is a char * argument
followed by the object size (in size_t).  This approach at least needs a new
function attribute and needs to be coordinated with glibc.  It is probably the
cleanest approach, but it is difficult to backport (at least for RPM-based
distributions) because it will result in a new symbol version for the *scanf
functions.
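The following is an added example, not code from the bug report, from udisks or from glibc: it puts the unbounded %s / %[ conversion beside the two existing mitigations the report lists (a width in the format string, and the m assignment-allocation flag followed by a length check). Function names, the 16-byte buffer size and the sample input are assumptions made for illustration; the proposed M flag is not implemented anywhere and is not shown.

```c
/* Added example (not from the bug report): the scanf %s / %[ overflow
 * beside the two mitigations the report describes.  Names, BUFSZ and the
 * sample input are assumptions made for illustration. */
#define _POSIX_C_SOURCE 200809L   /* for the %m assignment-allocation flag */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { BUFSZ = 16 };

/* Constructed input: a 40-byte token, longer than the 16-byte target. */
static const char LONG_INPUT[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA trailing";

/* Vulnerable form: no width, so %s writes strlen(token)+1 bytes into out
 * regardless of its size.  Not called on LONG_INPUT here, since that would
 * be a real stack buffer overflow (undefined behaviour). */
int parse_unbounded(const char *input, char out[BUFSZ]) {
    return sscanf(input, "%s", out) == 1 ? (int)strlen(out) : -1;
}

/* Mitigation 1: width in the format string.  %15s stores at most 15 bytes
 * plus the terminator, so it cannot overflow, but an over-long token is
 * silently cut off and the remainder stays unread in the input. */
int parse_with_width(const char *input, char out[BUFSZ]) {
    return sscanf(input, "%15s", out) == 1 ? (int)strlen(out) : -1;
}

/* The same width limit applies to a %[ scanset, e.g. a key up to '='. */
int parse_key_with_width(const char *input, char out[BUFSZ]) {
    return sscanf(input, "%15[^=]", out) == 1 ? (int)strlen(out) : -1;
}

/* Mitigation 2: the m flag makes the C library allocate the string, so the
 * length can be checked before copying into the fixed buffer, and over-long
 * input is rejected instead of truncated.  Returns 0 on success, -1 on no
 * match, -2 if the token does not fit (out is left untouched). */
int parse_with_m_flag(const char *input, char out[BUFSZ]) {
    char *tmp = NULL;
    if (sscanf(input, "%ms", &tmp) != 1)
        return -1;
    int rc = -2;
    size_t n = strlen(tmp);
    if (n < BUFSZ) {            /* room for n bytes plus the NUL */
        memcpy(out, tmp, n + 1);
        rc = 0;
    }
    free(tmp);
    return rc;
}

/* Wrappers without out-parameters so each outcome is a single value. */
int width_result_len(void)   { char b[BUFSZ]; return parse_with_width(LONG_INPUT, b); }   /* 15 */
int key_result_len(void)     { char b[BUFSZ]; return parse_key_with_width("key=value", b); } /* 3 */
int m_flag_long_result(void) { char b[BUFSZ]; return parse_with_m_flag(LONG_INPUT, b); }  /* -2 */
int m_flag_short_ok(void) {
    char b[BUFSZ] = "";
    return parse_with_m_flag("short trailing", b) == 0 && strcmp(b, "short") == 0;       /* 1 */
}

int main(void) {
    printf("width:  stored %d bytes of a 40-byte token (silently truncated)\n",
           width_result_len());
    printf("m flag: rc=%d on the long token, ok=%d on a short one\n",
           m_flag_long_result(), m_flag_short_ok());
    return 0;
}
```

The width form is the one a compile-time fortification could insert automatically when the object size is known, which is why the report flags truncation as its drawback; the m form needs no new ABI but costs an allocation per conversion and a caller-side check that is easy to forget.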
