From owner-freebsd-security Thu Apr 19 13:42:54 2001
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 19 Apr 2001 16:42:39 -0400 (EDT)
From: Rob Simmons
To: "D. K."
Subject: Re: FreeBSD grow bug
In-Reply-To: <3ADF4DD0.17AB0F64@homepage.ru>
Message-ID: <20010419164112.C72854-100000@mail.wlcg.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

That has been fixed since 4.2-RELEASE.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 20 Apr 2001, D. K. wrote:

> Hello All!
>
> I played with format strings in *printf functions
> and have found a bug in the libc library on my FreeBSD 4.2-RELEASE
> machine.
>
> The bug is in the /usr/src/lib/libc/stdio/vfprintf.c source,
> in function __grow_type_table, which is used by function
> vfprintf. The first parameter of the memset function is
> incorrectly counted up. All *printf functions which use
> vfprintf have this error.
>
> Test example:
> ===beg test.c===
> #include <stdio.h>
>
> int main(int argc, char *argv[]) {
>     /* positional argument 7: prints 7 on the affected system */
>     printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
>     /* positional argument 8: segfaults on the affected system */
>     printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
>     printf("no grow bug\n");
>     return 0;
> }
> ===end test.c===
>
> Results:
> # ./test
> 7
> Segmentation fault (core dumped)
>
> If you see the eight, it means that your system
> does not have this bug.
>
> The error appears when the parameter after % is more than seven.
>
> Quick patch:
> ===beg grow_patch===
> --- vfprintf.c.old Sat Aug 28 04:01:20 1999 > +++ vfprintf.c Thu Apr 19 22:16:19 2001 
> @@ -1191,7 +1191,7 @@ > reallocf (typetable, sizeof (unsigned char) * newsize); > > } > - memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize)); > + memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize)); > > *tablesize = newsize; > }
> ===end grow_patch===
>
>
> Best Regards,
> Dmitry Kopteloff
> ---
> LG Soft Lab.
> Information Security Group, RUSSIA
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6303Ev8Bofna59hYRA9gxAKCYvnJ3ca8N7ZskTfzx6ViknZWwCQCgvpDK
idd2LjNLtUqHqjcsX0IKa0A=
=/OWA
-----END PGP SIGNATURE-----
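
Review bot: the unchanged context line `reallocf (typetable, sizeof (unsigned char) * newsize);` directly above the corrected memset still passes `typetable` without a dereference. The replacement line treats `typetable` as a pointer to the table pointer (`*typetable + *tablesize`), so by the same reading reallocf is being handed the address of the caller's pointer variable rather than the table block; consider changing that argument to `*typetable` in the same patch. The start of that statement is outside the hunk, so also confirm that the reallocf result is checked before the memset writes through it.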
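
The addressing difference behind the quoted report and patch, as an added C example (not code from the original messages or from FreeBSD's libc). It assumes typetable is an unsigned char ** as the patched expression implies; the T_UNUSED value, STATIC_TBL_SIZE, buggy_dest(), fixed_dest() and the return-code error handling are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define T_UNUSED 0        /* assumed marker for an unset slot */
#define STATIC_TBL_SIZE 8 /* assumed size of the caller's initial table */

/* Address meant by the pre-patch &typetable[n]: n pointer-sized steps from
 * the caller's pointer variable. Integer math only, nothing is written. */
uintptr_t buggy_dest(unsigned char **typetable, int n) {
    return (uintptr_t)typetable + (uintptr_t)n * sizeof *typetable;
}

/* Address meant by the patched *typetable + n: byte n of the table itself. */
uintptr_t fixed_dest(unsigned char **typetable, int n) {
    return (uintptr_t)*typetable + (uintptr_t)n;
}

/* Hypothetical grow routine using the patched addressing.
 * Returns 0 on success, -1 on allocation failure (table left unchanged). */
int grow_type_table(int nextarg, unsigned char **typetable, int *tablesize) {
    int oldsize = *tablesize, newsize = oldsize * 2;
    unsigned char *newtable;
    if (newsize < nextarg + 1) newsize = nextarg + 1;
    if (oldsize == STATIC_TBL_SIZE) { /* first growth: old table is not heap */
        if ((newtable = malloc((size_t)newsize)) == NULL)
            return -1;
        memcpy(newtable, *typetable, (size_t)oldsize);
    } else { /* resize the heap block, not the pointer variable */
        if ((newtable = realloc(*typetable, (size_t)newsize)) == NULL)
            return -1;
    }
    memset(newtable + oldsize, T_UNUSED, (size_t)(newsize - oldsize));
    *typetable = newtable;
    *tablesize = newsize;
    return 0;
}

int main(void) {
    unsigned char initial[STATIC_TBL_SIZE] = {1, 1, 1, 1, 1, 1, 1, 1};
    unsigned char *tbl = initial;
    int size = STATIC_TBL_SIZE;
    printf("pre-patch target: &tbl + %d bytes\n",
           (int)(buggy_dest(&tbl, size) - (uintptr_t)&tbl));
    if (grow_type_table(8, &tbl, &size) != 0) return 1;
    printf("new size %d, slot 8 = %d\n", size, tbl[8]);
    free(tbl);
    return 0;
}
```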