On Wed, Sep 11, 2013 at 12:22 PM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > On Wed, Sep 11, 2013 at 11:19:11AM -0700, Kees Cook wrote: >> On Wed, Sep 11, 2013 at 2:31 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: >> > On Tue, Sep 10, 2013 at 10:19:17PM -0700, Kees Cook wrote: >> >> In the former case, format characters will get processed by the >> >> sprintf logic. In the latter, they are printed as-is. In this specific >> >> case, if there was a way to inject strings like "ohai %n" into the >> >> msgbuf string, the former would actually attempt to resolve the %n. In >> >> the simple case, this could lead to Oopses, and in the unlucky case, >> >> it could allow arbitrary memory writing and execution control. >> >> >> >> http://en.wikipedia.org/wiki/Uncontrolled_format_string >> > >> > The kernel ignores %n so hopefully it can't actually write to memory. >> >> I wish! This is not the case, though. See FORMAT_TYPE_NRCHARS in >> lib/vsprintf.c's vsnprintf(). >> >> $ git grep '%n' | wc -l >> 111 >> > > Hm... That's unfortunate. The comments were shifted around so it says > it's ignored but it's not. Outside of scanf, there are very few uses, though: $ git grep %n | grep print ... net/phonet/socket.c: seq_printf(seq, "%s%n", "pt loc rem rs st tx_queue rx_queue " net/phonet/socket.c: seq_printf(seq, "%s%n", "rs uid inode", &len); net/phonet/socket.c: seq_printf(seq, "%02X %5u %lu%n", net/sctp/objcnt.c: seq_printf(seq, "%s: %d%n", sctp_dbg_objcnt[i].label, -Kees -- Kees Cook Chrome OS Security _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
