Date: Fri, 20 Apr 2001 00:42:56 +0400
From: "D. K." <dk@homepage.ru>
To: security@FreeBSD.ORG
Subject: FreeBSD grow bug
Message-ID: <3ADF4DD0.17AB0F64@homepage.ru>
Hello All!

I played with format strings in the *printf functions and have found a bug in the libc library on my FreeBSD 4.2-RELEASE machine. The bug is in the /usr/src/lib/libc/stdio/vfprintf.c source, in the function __grow_type_table, which is used by the function vfprintf. The first parameter of the memset function is incorrectly calculated. All *printf functions which use vfprintf have this error.

Test example:

===beg test.c===
#include <stdio.h>

int main(int argc, char *argv[])
{
	/* %7$x reaches the seventh argument, still inside the static type table */
	printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
	/* %8$x makes vfprintf call __grow_type_table, which triggers the bug */
	printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
	printf("no grow bug\n");
	return 0;
}
===end test.c===

Results:

# ./test
7
Segmentation fault (core dumped)

If you have seen the eight, it means that your system does not have this bug. The error appears when the parameter after % is greater than seven.

Quick patch:

===beg grow_patch===
--- vfprintf.c.old	Sat Aug 28 04:01:20 1999
+++ vfprintf.c	Thu Apr 19 22:16:19 2001
@@ -1191,7 +1191,7 @@
 			reallocf (typetable, sizeof (unsigned char) * newsize);
 	}
-	memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize));
+	memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize));
 	*tablesize = newsize;
 }
===end grow_patch===

Best Regards,
Dmitry Kopteloff
---
LG Soft Lab. Information Security Group, RUSSIA

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
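Review bot: The new memset target is the correct one: typetable is a pointer to the table pointer, so `&typetable [*tablesize]` indexed the array of pointers that typetable points into rather than the bytes of the table itself, and the old line cleared unrelated memory past that pointer. What the visible context still lacks is a NULL check between `reallocf (typetable, sizeof (unsigned char) * newsize);` and the memset; reallocf frees the original block when it fails, so an allocation failure there leaves the table pointer NULL and the memset writes through it. Suggest bailing out of the grow routine (and failing the conversion) when the reallocation returns NULL, before the memset. Also, the hunk header announces 7 lines on each side but only 6 appear here, so one context line seems to have been lost in transit; re-sending the patch as an attachment would help whoever applies it.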
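The type-table growth the report describes, as an added stand-alone model in C that is not the FreeBSD code: it uses the corrected memset target from the patch, adds a NULL check after the reallocation, and records %n$ positions the way vfprintf's table does so the seven/eight threshold from the test can be checked. The initial table size of 8, the names reallocf_local, add_type and model_positional_args, and the T_INT value are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#define T_UNUSED 0
#define T_INT    1
#define STATIC_TBL_SIZE 8  /* assumed initial size, matching the ">7" threshold in the report */

/* Stand-in for BSD reallocf(): frees the old block when realloc() fails. */
static void *reallocf_local(void *p, size_t n) {
    void *q = realloc(p, n);
    if (q == NULL) free(p);
    return q;
}

/* Double the type table until it can hold index nextarg; 0 on success, -1 on failure. */
static int grow_type_table(int nextarg, unsigned char **typetable, int *tablesize) {
    int newsize = *tablesize * 2;
    while (newsize < nextarg + 1)
        newsize *= 2;
    *typetable = reallocf_local(*typetable, sizeof(unsigned char) * newsize);
    if (*typetable == NULL) { *tablesize = 0; return -1; }  /* old table already freed */
    /* The reported bug used &typetable[*tablesize] here. typetable is an unsigned char **,
     * so that indexes past the pointer variable and memset clears unrelated memory instead
     * of the new entries; the fixed target is the byte table plus the old size. */
    memset(*typetable + *tablesize, T_UNUSED, (size_t)(newsize - *tablesize));
    *tablesize = newsize;
    return 0;
}

/* Record the type of positional argument pos (1-based, as in %pos$), growing when needed. */
static int add_type(unsigned char **typetable, int *tablesize, int pos, unsigned char type) {
    if (pos >= *tablesize && grow_type_table(pos, typetable, tablesize) != 0)
        return -1;
    (*typetable)[pos] = type;
    return 0;
}

/* Model "%1$x" .. "%n$x": record n argument types, then check that old entries survived
 * and every added slot is T_UNUSED. Returns the final table size, or -1 on failure. */
int model_positional_args(int n) {
    int tablesize = STATIC_TBL_SIZE, ok = 1;
    unsigned char *typetable = malloc(STATIC_TBL_SIZE);
    if (typetable == NULL) return -1;
    memset(typetable, T_UNUSED, STATIC_TBL_SIZE);
    for (int i = 1; i <= n; i++)
        if (add_type(&typetable, &tablesize, i, T_INT) != 0) return -1;
    for (int i = 0; i < tablesize; i++)
        if (typetable[i] != ((i >= 1 && i <= n) ? T_INT : T_UNUSED)) ok = 0;
    free(typetable);
    return ok ? tablesize : -1;
}
```

With seven arguments the table stays at its initial size; the eighth is the first one that forces a grow, which is exactly where the original memset went wrong.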
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ADF4DD0.17AB0F64>