From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Poul-Henning Kamp
Cc: arch@freebsd.org
Date: Tue, 13 Dec 2005 06:18:30 +1100
Subject: Re: printf behaviour with illegal or malformed format string
Message-ID: <20051212191830.GD74684@cirb503493.alcatel.com.au>
In-Reply-To: <1023.1134389663@critter.freebsd.dk>

On Mon, 2005-Dec-12 13:14:23 +0100, Poul-Henning Kamp wrote:
>The context for the above is that I'm working on adding extensibility
>to our printf, compatible with the GLIBC (see 12.13 in the glibc
>manual).

http://www.gnu.org/software/libc/manual/html_node/Customizing-Printf.html
for anyone else wanting to see what it does.

>Obviously, gcc cannot compile-time check such extensions
>for us, and therefore the question gains a bit more relevance.

There doesn't even appear to be a defined way of determining whether
extensions are supported. Since not all libcs support printf
extensions, an application that wants to use them has to confirm that
they work, and the only way to do this appears to be to try it and see
what happens (either at runtime, or during an autoconf-style
configuration process).

>Another alternative is to spit out the format string unformatted,
>possibly with an attached notice, but this doesn't really seem to
>help anybody either, but at least indicates what the problem is.

xterm does (or did) this if it is running as root and the format string
contains conversion specifications that it thinks are suspicious.

>I'm leaning towards doing what phkmalloc has migrated to over time:
>Make a variable which can select between "normal/paranoia" and force
>it to paranoia for (uid==0 || gid==0 || setuid || setgid).
>
>If the variable is set, a bogus format string will result in abort(2).

set{u,g}id programs won't dump core, so just abort(2)ing leaves no
trace of what went wrong. This makes finding the problem more
difficult. Even for {u,g}id == 0 programs, it would be nice to have
something reported (but see below).

Note that this behaviour has implications for programs that are trying
to determine if extensions are supported or not.

>If it is not set, the format string will be output unformatted in
>the message "WARNING: Illegal printf() format string: \"...\".

Since this check presumably applies to the entire *printf() family,
where do you report the error for {s,f}printf()?

What do you define as an "illegal printf() format string"? I can think
of four possible categories:
1) Using a nonsense value before '$', eg "%12345$d"
2) Having an invalid modifier on a builtin conversion specifier, eg "%hf"
3) Using an undefined conversion specifier, eg '%W'
4) Having an invalid modifier on a user-specified conversion specifier

The last category is particularly problematic because the glibc
interface does not have any way to identify this error. The glibc
documentation just states that the output handler conversion function
(printf_function) should return a negative number if an error occurs,
so it's not possible to distinguish an invalid modifier from an I/O
error or invalid argument.

-- 
Peter Jeremy
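The four categories above can be recognised before a format ever reaches the *printf() family. The checker below is an added example, not code from this thread or from any libc; it walks a format string with a simplified grammar (no positional `*N$` width/precision) and returns the category number from the message, or 0 if the string looks well-formed. `MAX_ARGS` and the rule that registered extension conversions accept no length modifier are assumptions made for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Verdicts match the four categories listed in the message; 0 = looks valid. */
enum { FMT_OK = 0, FMT_BAD_POSITION = 1, FMT_BAD_MODIFIER = 2,
       FMT_UNKNOWN_CONV = 3, FMT_BAD_EXT_MODIFIER = 4 };

#define MAX_ARGS 64  /* assumed ceiling for "%N$" positions (constructed) */

/* fmt: the format to vet; ext_convs: conversion characters the application
 * has registered as extensions (assumed here to accept no length modifier). */
int check_format(const char *fmt, const char *ext_convs)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }            /* "%%" literal */
        const char *q = p;                          /* optional "%N$" */
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') {
            long pos = strtol(p, NULL, 10);
            if (pos < 1 || pos > MAX_ARGS) return FMT_BAD_POSITION;  /* category 1 */
            p = q + 1;
        }
        while (*p && strchr("-+ #0", *p)) p++;      /* flags */
        while (isdigit((unsigned char)*p) || *p == '*') p++;   /* width */
        if (*p == '.') { p++; while (isdigit((unsigned char)*p) || *p == '*') p++; }
        char mod = 0;                               /* length modifier */
        if (*p && strchr("hlLqjzt", *p)) {
            mod = *p++;
            if ((mod == 'h' || mod == 'l') && *p == mod) p++;   /* hh, ll */
        }
        char conv = *p;
        if (conv == '\0') return FMT_UNKNOWN_CONV;  /* dangling '%' */
        /* Builtin conversions: reject modifiers that make no sense for them (category 2). */
        if (strchr("diouxXn", conv)) { if (mod == 'L') return FMT_BAD_MODIFIER; }
        else if (strchr("eEfFgGaA", conv)) { if (mod && mod != 'L') return FMT_BAD_MODIFIER; }
        else if (strchr("cs", conv)) { if (mod && mod != 'l') return FMT_BAD_MODIFIER; }
        else if (conv == 'p') { if (mod) return FMT_BAD_MODIFIER; }
        /* Registered extension: any modifier is category 4. */
        else if (*ext_convs && strchr(ext_convs, conv)) { if (mod) return FMT_BAD_EXT_MODIFIER; }
        else return FMT_UNKNOWN_CONV;               /* category 3 */
        p++;
    }
    return FMT_OK;
}
```

A libc cannot make the category-4 decision for the application, as the message notes, which is why the extension character set is passed in by the caller here.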