Very nice work Diego! Is there a PoC showing the overflow, as that would make writing unit tests easier?

Also, is this vulnerability in the same class as other printf vulnerabilities, where it requires a developer to pass untrusted input as the format string to print? Thank you!

Linted

On Tue, Oct 24, 2023, 7:16 AM Diego Dias <diego.d...@kernkonzept.com> wrote:
> Dear uclibc-ng developers,
>
> We have run a static analysis tool (Klocwork) on uclibc and one of its
> checkers (ABV.GENERAL) indicates a potential buffer overflow in
> uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045
>
> The problem occurs as an out-of-bounds access to array 'argtype', which
> is a member of 'ppfs_t'. This array has length 'MAX_ARGS'. According to
> the static analysis tool, the array can be accessed using index 'n' of
> value '-1' and '9..254' in the conditional shown below:
>
> // File: uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045
> if (_is_equal_or_bigger_arg(ppfs->argtype[n], argtype[i])) {
>     ppfs->argtype[n] = argtype[i];
> }
>
> Triggering an out-of-bounds access for 'n=-1' is relatively simple when
> using printf or similar functions (e.g. vfprintf). Such an out-of-bounds
> access occurs when positional arguments are specified, as in the
> following statement:
>
> printf("%1$s", "Hello world!");
>
> Although Klocwork claims that the array might be accessed using indexes
> '9..254', we were not able to trigger an out-of-bounds access for
> indexes in this range.
>
> Kind regards,
> Diego Dias
>
> --
> Diego M. Dias, Systems Verification Engineer at Kernkonzept,
> diego.d...@kernkonzept.com
> Phone: +49 351 41883231
>
> Kernkonzept GmbH at Dresden, Germany, HRB 31129, CEO Dr.-Ing. Michael
> Hohmuth
>
> _______________________________________________
> devel mailing list -- devel@uclibc-ng.org
> To unsubscribe send an email to devel-le...@uclibc-ng.org
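The following is an added example, not code from the uclibc-ng project or from either poster. It wraps the one-line statement from the report into a callable PoC (so it can be run as a unit test under ASan or Valgrind against a uclibc-ng build; on glibc it simply succeeds), and shows the two checks a test would assert on: a bounds check for an index into an array of length MAX_ARGS that rejects both ranges the analyser flagged (-1 and anything >= MAX_ARGS), and a toy parser for positional "%<pos>$" specs that converts the 1-based position to a 0-based index without ever producing -1. The value 16 for MAX_ARGS and the parser itself are assumptions for illustration; they are not uclibc's internals, and the example does not claim to explain why "%1$s" reaches n = -1 in _vfprintf.c.

```c
/* Added example, not uclibc-ng code. MAX_ARGS value is assumed (16). */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TOY_MAX_ARGS 16   /* assumed length of argtype[], for illustration */

/* The statement from the report, wrapped so a unit test can call it and so
 * it can be run under ASan/Valgrind on a uclibc-ng build. Returns the number
 * of characters produced, 12 for "Hello world!". */
int poc_positional(char *out, size_t outlen)
{
    return snprintf(out, outlen, "%1$s", "Hello world!");
}

/* Bounds check for an index into an array of length max_args. Rejects the
 * two ranges the static analyser reported: n == -1 and n >= max_args. */
int argtype_index_ok(int n, int max_args)
{
    return n >= 0 && n < max_args;
}

/* Toy parser for a positional conversion of the form "%<pos>$<conv>".
 * Positions are 1-based per C99/POSIX, so "%0$s" is malformed and must be
 * rejected rather than mapped to index -1. Returns the 0-based argument
 * index, or -1 for a malformed or out-of-range spec. */
int parse_positional_index(const char *spec, int max_args)
{
    if (*spec != '%')
        return -1;
    spec++;
    if (!isdigit((unsigned char)*spec))
        return -1;
    long pos = 0;
    while (isdigit((unsigned char)*spec)) {
        pos = pos * 10 + (*spec - '0');
        if (pos > max_args)          /* stop early: also prevents overflow */
            return -1;
        spec++;
    }
    if (*spec != '$')
        return -1;
    if (pos < 1)                     /* "%0$..." would otherwise give n = -1 */
        return -1;
    int n = (int)pos - 1;
    return argtype_index_ok(n, max_args) ? n : -1;
}

int main(void)
{
    char buf[64];
    int len = poc_positional(buf, sizeof buf);
    printf("poc: %d bytes, \"%s\"\n", len, buf);
    printf("%%1$s   -> index %d\n", parse_positional_index("%1$s", TOY_MAX_ARGS));
    printf("%%0$s   -> index %d\n", parse_positional_index("%0$s", TOY_MAX_ARGS));
    printf("%%255$s -> index %d\n", parse_positional_index("%255$s", TOY_MAX_ARGS));
    return 0;
}
```

Build the PoC against the uclibc-ng toolchain under test (for example with the sanitizer or Valgrind the project already uses) rather than against the host libc; on the host the call succeeds and only the index checks are exercised.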