Date: Thu, 29 Mar 2001 17:09:04 +0100
From: Mike Bristow <mike@urgle.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: security@freebsd.org, doc@freebsd.org
Subject: Re: man pages for format string functions
Message-ID: <20010329170904.B70560@lindt.urgle.com>
In-Reply-To: <20010327111709.A16916@xor.obsecurity.org>; from kris@obsecurity.org on Tue, Mar 27, 2001 at 11:17:09AM -0800
References: <Pine.NEB.3.96L.1010327140727.94638A-100000@fledge.watson.org> <20010327111709.A16916@xor.obsecurity.org>
[ doc@ added; hackers@ dropped (xpost limit:(). I'm not on either doc@ or
security@, so please cc me on any replies ]

On Tue, Mar 27, 2001 at 11:17:09AM -0800, Kris Kennaway wrote:
> On Tue, Mar 27, 2001 at 02:13:03PM -0500, Andrew R. Reiter wrote:

[ on adding warnings to man pages about potential format-string type bugs ]

> > I am fairly poor with wording man pages, as you can see, but I think it
> > might be worth while just to point this out.
>
> I've wanted to do this, but so far haven't had time. Do you think you
> could submit a patch? Don't worry about wording, that can easily be
> tweaked.

Here's a first-draft of such a patch that covers printf(3), stdarg(3), err(3), setproctitle(3), and syslog(3), together with their on-the-same-manpage friends. I haven't touched NgSendAsciiMsg(3), and libstand(3) [ for panic(const char *msg, ...) ], but possibly I should.

Any comments? Anything obvious I've missed?

I'll look at these again with fresh eyes tomorrow, deal with any comments, and then file a PR, I guess.

--
Mike Bristow, seebitwopie

[ attachment: format-string-vulns-man.patch ]

Index: share/man/man3/stdarg.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/share/man/man3/stdarg.3,v retrieving revision 1.4.2.2 diff -u -r1.4.2.2 stdarg.3 --- share/man/man3/stdarg.3 2001/03/06 19:08:09 1.4.2.2 +++ share/man/man3/stdarg.3 2001/03/29 15:48:07
@@ -120,7 +120,7 @@ .Fa type is not compatible with the type of the actual next argument (as promoted according to the default argument promotions), -random errors will occur. +random errors will occur, which might lead to a security risk. .Pp The first use of the .Fn va_arg Index: lib/libc/gen/err.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/err.3,v retrieving revision 1.11.2.4 diff -u -r1.11.2.4 err.3 --- lib/libc/gen/err.3 2001/03/05 08:42:22 1.11.2.4 +++ lib/libc/gen/err.3 2001/03/29 15:48:07 @@ -97,9 +97,16 @@ and a space are output. If the .Fa fmt -argument is not NULL, the -.Xr printf 3 --like formatted error message is output. +argument is not NULL, then further output is controlled by treating +it as a format string that specifies how subsequent arguments (or +arguments accessed via the variable-length argument facilities of +.Xr stdarg 3 ) +are converted for output, in the same way as +.Xr printf 3 . +If the format string specifies an argument that does not exist, or +a type different from that actually given, random errors, that +could cause a security risk, may occur. +.Pp The output is terminated by a newline character. .Pp The Index: lib/libc/gen/setproctitle.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/setproctitle.3,v retrieving revision 1.16.2.2 diff -u -r1.16.2.2 setproctitle.3 --- lib/libc/gen/setproctitle.3 2000/12/08 13:49:24 1.16.2.2 +++ lib/libc/gen/setproctitle.3 2001/03/29 15:48:07 
@@ -39,13 +39,17 @@ .Xr ps 1 command. .Pp -The title is set from the executable's name, followed by the -result of a -.Xr printf 3 -style expansion of the arguments as specified by the +If +.Va fmt +is not NULL, then the title is set from the executable's name, +followed by the result of treating .Va fmt -argument. -If the +as a format string that specifies how subsequent arguments are +converted, in the same was as +.Xr printf 3 . +If the format string specifies arguments that do not exist, or it +specifies a type different from that actually given, random errors, +that could cause a security risk, may occur. If the .Va fmt argument begins with a .Dq - Index: lib/libc/gen/syslog.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/syslog.3,v retrieving revision 1.9.2.4 diff -u -r1.9.2.4 syslog.3 --- lib/libc/gen/syslog.3 2001/03/06 16:45:55 1.9.2.4 +++ lib/libc/gen/syslog.3 2001/03/29 15:48:07 @@ -48,9 +48,9 @@ .Fd #include <syslog.h> .Fd #include <varargs.h> .Ft void -.Fn syslog "int priority" "const char *message" "..." +.Fn syslog "int priority" "const char *fmt" "..." .Ft void -.Fn vsyslog "int priority" "const char *message" "va_list args" +.Fn vsyslog "int priority" "const char *fmt" "va_list args" .Ft void .Fn openlog "const char *ident" "int logopt" "int facility" .Ft void 
@@ -60,33 +60,34 @@ .Sh DESCRIPTION The .Fn syslog -function -writes -.Fa message -to the system message logger. +function writes a message to the system message logger. The message is then written to the system console, log files, logged-in users, or forwarded to other machines as appropriate. (See .Xr syslogd 8 . ) .Pp -The message is identical to a -.Xr printf 3 -format string, except that +The message is created by treating +.Va fmt +as a format string that specifies how subsequent arguments are +converted, in the same was as +.Xr printf 3 , +with an additional convertion specifier of .Ql %m -is replaced by the current error -message. -(As denoted by the global variable +which is replaced by the current error message. (As denoted by +the global variable .Va errno ; see .Xr strerror 3 . ) -A trailing newline is added if none is present. +If the format string specifies arguments that do not exist, or it +specifies a type different from that actually given, random errors, +that could cause a security risk, may occur. A trailing newline +is added if none is present. .Pp The .Fn vsyslog -function -is an alternate form in which the arguments have already been captured -using the variable-length argument facilities of -.Xr varargs 3 . +function is an alternate form in which the arguments have already +been captured using the variable-length argument facilities of +.Xr stdarg 3 . .Pp The message is tagged with .Fa priority . Index: lib/libc/stdio/printf.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/stdio/printf.3,v retrieving revision 1.17.2.5 diff -u -r1.17.2.5 printf.3 --- lib/libc/stdio/printf.3 2001/03/06 16:46:01 1.17.2.5 +++ lib/libc/stdio/printf.3 2001/03/29 15:48:07 
@@ -170,7 +170,11 @@ the character .Cm % . The arguments must correspond properly (after type promotion) -with the conversion specifier. +with the conversion specifier. If they do not random errors, +which could cause a security risk, may occur. In particular, +user-supplied data should never be included in the format string +without checking that it is safe (eg, does not contain %s +and other character sequences with special meaning). After the .Cm % , the following appear in sequence:
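Review bot: in the stdarg.3 hunk (@@ -120,7), "random errors will occur, which might lead to a security risk" is too vague to help a reader decide what to do; the condition it describes (va_arg invoked with a type that does not match the actual next argument) is undefined behaviour in C, so say that plainly, e.g. "the behavior is undefined, and the resulting misreads of the argument list can be a security risk", and use the same security wording here as in the err.3, setproctitle.3 and syslog.3 hunks so the five pages stay consistent.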
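Review bot: in the err.3 hunk (@@ -97,9), the new sentence "random errors, that could cause a security risk, may occur" punctuates a restrictive clause as non-restrictive; drop the commas ("random errors that could cause a security risk may occur"). Since the same sentence is repeated almost verbatim in the setproctitle.3 and syslog.3 hunks, consider one short sentence plus a ".Xr printf 3" cross-reference so the three pages do not drift apart later. The parenthetical "(or arguments accessed via the variable-length argument facilities of .Xr stdarg 3 )" also reads as if it applied to every function on the page, whereas only the va_list-taking variants use it; either name those variants or move the clause to where they are described.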
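Review bot: in the setproctitle.3 hunk (@@ -39,13), "in the same was as" should read "in the same way as", and "may occur. If the" starts a new sentence mid-line, which breaks the mdoc convention of beginning every sentence on its own line (the removed context had "If the" on a line by itself); keep it on a separate line so the following ".Va fmt argument begins with a .Dq -" clause renders as intended.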
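Review bot: in the first syslog.3 hunk (@@ -48,9), renaming the parameter from "message" to "fmt" in the SYNOPSIS is the right call now that the DESCRIPTION talks about a format string, but the unchanged context line ".Fd #include <varargs.h>" is left as is while the second hunk switches the cross-reference from varargs(3) to stdarg(3); change the include to <stdarg.h> in the same patch so the SYNOPSIS and DESCRIPTION agree on which interface the va_list comes from.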
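Review bot: in the second syslog.3 hunk (@@ -60,33), "convertion" should be "conversion" and "in the same was as" should be "in the same way as". The argument is referenced as ".Va fmt" while the surrounding lines use ".Fa message" and ".Fa priority" for function arguments; use ".Fa fmt" (".Va" is for variables, which this hunk already uses correctly for ".Va errno"). The same new-sentence-on-a-new-line point applies to "may occur. A trailing newline".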
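Review bot: in the printf.3 hunk (@@ -170,7), "If they do not random errors," needs a comma after "do not", and "eg" should be "e.g.,". More importantly, the guidance "user-supplied data should never be included in the format string without checking that it is safe (eg, does not contain %s and other character sequences with special meaning)" points readers towards filtering, which is the fragile option; say instead that user-supplied data should never be used as the format string at all and should be passed as an argument to a fixed format (printf("%s", s) rather than printf(s)), which is the position the other hunks are trying to express.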