BusyBox Bug and Patch Tracking
ID: 0004184
Category: [BusyBox] Other
Severity: minor
Reproducibility: always
Date Submitted: 07-16-08 17:32
Last Update: 08-19-08 17:56
Reporter: cristic
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: fixed
Status: closed
Product Version: svn
Summary: 0004184: printf buffer overflow
Description:
Hi, "printf %" leads to a buffer overflow, and prints random values from the stack:

This should be rejected as in Coreutils:
$ printf %
./printf: %: invalid conversion specification

The problem is that printf does not validate the format specifier. One
possible fix would be to add a check along these lines after line 201 in
printf.c:
                        direc_start = f++;
+ if (*f == '\0')
+ fprintf(stderr, "invalid conversion specification");
            direc_length = 1;
            field_width = precision = -1;
            if (*f == '%') {
                bb_putchar('%');
                break;
            }
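Review bot: the check on the two `+` lines only reports the problem and then falls through: execution continues into `direc_length = 1;` and the code after it, which still treats the terminating NUL as a directive and advances past the end of the string, so the overflow is reported but not prevented. The check needs to stop processing the format at that point (return an error status; the note further down warns that bb_error_msg_and_die is risky because ash calls printf_main directly). The message also lacks a trailing newline and, unlike the coreutils output quoted above, does not name the offending directive.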
Thanks,
Cristian
Attached Files: printf.diff (2,511 bytes) 07-17-08 02:15

- Notes
(0009544) bernhardf, 07-17-08 01:02

bb_error_msg_and_die("invalid conversion specification"), yes.
What tool of yours is that? Is it available somewhere? Just curious since it sounds quite useful.. :)
 
(0009574) vda, 07-17-08 02:16

Try attached patch
 
(0009584) vda, 07-17-08 02:16

Careful with _and_die, ash uses printf_main directly
 
(0009704) cristic, 07-17-08 16:03

> What tool of yours is that? Is it available somewhere? Just curious since it
> sounds quite useful.. :)
Hi, it's a tool that works by exploring various execution paths through the
program (using symbolic execution), and generating concrete test cases for
each path that it explores. The tool is still under development, but we
might open source it at some point; we'll definitely let you guys know when
this happens.
 
(0009714) cristic, 07-17-08 16:05

> Try attached patch
This does solve this overflow, thanks. I found a different one in printf, but
I'll report it in a different thread.
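As an added illustration, not BusyBox's code and not the attached printf.diff: a small format validator that performs the check the report asks for (a directive must not end at the terminating NUL) and returns an error instead of exiting, in line with the warning in the notes that ash calls printf_main directly. The function name and the accepted-conversion list are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Conversion characters this hypothetical validator accepts (constructed list). */
static const char ACCEPTED_CONVERSIONS[] = "diouxXeEfgGcsb";

/* Scan a printf(1)-style format and check every directive before anything
 * acts on it. Returns 0 if the format is well formed, -1 after printing a
 * coreutils-style message. It returns rather than exiting so an in-process
 * caller (the ash case from the notes) can decide how to fail. */
int validate_format(const char *f)
{
    while (*f) {
        if (*f != '%') {
            f++;
            continue;
        }
        const char *direc_start = f++;      /* f now points just past '%' */
        if (*f == '%') {                    /* "%%" is a literal percent sign */
            f++;
            continue;
        }
        while (*f && strchr("-+ #0", *f))   /* flags */
            f++;
        if (*f == '*')                      /* field width */
            f++;
        else
            while (*f >= '0' && *f <= '9')
                f++;
        if (*f == '.') {                    /* precision */
            f++;
            if (*f == '*')
                f++;
            else
                while (*f >= '0' && *f <= '9')
                    f++;
        }
        /* The missing check from the report: the directive must not end at the
         * NUL. Without it the parser steps past the end of the string and the
         * conversion consumes garbage, which is the reported overflow. */
        if (*f == '\0' || !strchr(ACCEPTED_CONVERSIONS, *f)) {
            int len = (int)(f - direc_start) + (*f != '\0');
            fprintf(stderr, "printf: %.*s: invalid conversion specification\n",
                    len, direc_start);
            return -1;
        }
        f++;                                /* consume the conversion character */
    }
    return 0;
}
```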
 

- Issue History
Date Modified Username Field Change
07-16-08 17:32 cristic New Issue
07-16-08 17:32 cristic Status new => assigned
07-16-08 17:32 cristic Assigned To  => BusyBox
07-16-08 17:32 cristic Issue Monitored: cristic
07-17-08 01:02 bernhardf Note Added: 0009544
07-17-08 02:15 vda File Added: printf.diff
07-17-08 02:16 vda Note Added: 0009574
07-17-08 02:16 vda Note Added: 0009584
07-17-08 16:03 cristic Note Added: 0009704
07-17-08 16:05 cristic Note Added: 0009714
08-19-08 17:56 vda Status assigned => closed
08-19-08 17:56 vda Resolution open => fixed
08-19-08 17:56 vda Fixed in Version  => svn

