
branch-1_4 allow cross-compiles; expose buffer overrun

From: Eric Blake
Subject: branch-1_4 allow cross-compiles; expose buffer overrun
Date: Thu, 29 Jun 2006 07:36:27 -0600
User-agent: Thunderbird (Windows/20060516)


This patch makes it easier to cross-compile (so I can test that my recent
gnulib changes make compilation on mingw possible), and makes it easier to
configure whether ecvt should be used by caching the test results.  With
the patch below in place:

$ M4_cv_have_efgcvt=no configure
$ make
$ echo 'format(%300d,1)'|src/m4
Segmentation fault (core dumped)

My analysis of format.c is as follows:

When HAVE_EFGCVT is defined, there is no buffer overflow.  However, the
three functions [efg]cvt have been declared obsolete by POSIX, replaced by
sprintf, so we probably should not be relying on them.  Besides, there is
an open bug on savannah complaining that format does not match printf,
probably due to the fact that we are using fcvt and massaging the output
ourselves: https://savannah.gnu.org/support/?func=detailitem&item_id=104303

When HAVE_EFGCVT is not defined, we are using a 256-byte buffer to hold an
unlimited length string from sprintf.  Classic buffer overflow, allowing
arbitrary code execution.  I don't know how likely this is to be exploited
in the wild, since most machines these days have ecvt, but it absolutely
must be fixed before 1.4.5.

I think the best course of action here would be to rewrite format.c to use
a single approach, using xasprintf from gnulib so we don't have buffer
overflows, and avoiding ecvt.  I'm also looking at coreutils' printf.c for
inspiration on how printf(1) parses format strings and arguments in a safe
manner.  For 1.4.5, all we need to fix is the buffer overflow.  But for
2.0, we can probably do other things like adding support for additional
format characters, supporting [u]intmax_t rather than limiting ourselves
to long, etc.

2006-06-29  Eric Blake  <address@hidden>

        * configure.ac (AC_CANONICAL_HOST, AC_CANONICAL_BUILD): Allow
        (AC_CACHE_CHECK): Cache search for ecvt.

-- 
Life is short - so eat dessert first!

Eric Blake             address@hidden

Index: configure.ac
RCS file: /sources/m4/m4/configure.ac,v
retrieving revision
diff -u -p -r1.36.2.17 configure.ac
--- configure.ac        24 Jun 2006 22:53:35 -0000
+++ configure.ac        29 Jun 2006 13:13:02 -0000
@@ -29,6 +29,8 @@ m4_pattern_allow([^M4_cv_])
@@ -50,14 +52,16 @@ AC_CHECK_FUNCS_ONCE([sigaction sigaltsta
-AC_MSG_CHECKING([ecvt declaration])
-AC_EGREP_HEADER([ecvt], [stdlib.h],
-  [AC_MSG_RESULT([yes])
+AC_CACHE_CHECK([ecvt declaration], [M4_cv_have_efgcvt],
+[AC_EGREP_HEADER([ecvt], [stdlib.h],
+  [M4_cv_have_efgcvt=yes], [M4_cv_have_efgcvt=no])])
+if test $M4_cv_have_efgcvt = yes ; then
      [Define to 1 if you have ecvt(3), fcvt(3) and gcvt(3).  Define to 2 if
 they are declared in stdlib.h])
-  ],
-  [AC_MSG_RESULT([no]); AC_CHECK_FUNCS([ecvt])])
+  AC_CHECK_FUNCS([ecvt])
 # Code from Jim Avera <address@hidden>.
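Review bot: `if test $M4_cv_have_efgcvt = yes ; then` leaves the cache variable unquoted, so an empty value (a hand-edited config.cache, or the cache check never assigning it) turns the test into `test = yes` and a shell syntax error instead of taking the no branch; suggest `if test "$M4_cv_have_efgcvt" = yes; then`. The hunk as shown also has no `else`/`fi` closing that `if`, so the path that ends at `AC_CHECK_FUNCS([ecvt])` should be checked against the full file to make sure the no case still runs the function check and nothing else.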
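The two fixes weighed above (bound the write into the existing fixed buffer for 1.4.5, or size the buffer dynamically the way xasprintf does for 2.0), as an added C example that is not m4's format.c: it uses plain C99 snprintf in place of gnulib's xasprintf, and assumes the width from the format spec has already been parsed into an int, so no user-supplied string is ever passed as the format argument.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal fix: keep the fixed buffer but let snprintf bound the write.
   Returns the formatted length, or -1 when the result would not fit,
   so the caller can report an error where sprintf would have overflowed. */
int format_long_fixed(char *buf, size_t bufsize, int width, long value)
{
    int needed = snprintf(buf, bufsize, "%*ld", width, value);
    if (needed < 0 || (size_t) needed >= bufsize)
        return -1;
    return needed;
}

/* Dynamic fix: measure with a dry run, then allocate exactly what is
   needed (what gnulib's xasprintf does internally).  Caller frees. */
char *format_long_alloc(int width, long value)
{
    int needed = snprintf(NULL, 0, "%*ld", width, value);
    if (needed < 0)
        return NULL;
    char *out = malloc((size_t) needed + 1);
    if (out == NULL)
        return NULL;
    snprintf(out, (size_t) needed + 1, "%*ld", width, value);
    return out;
}

/* Length of the dynamically formatted result, or -1 on failure. */
int format_long_alloc_len(int width, long value)
{
    char *s = format_long_alloc(width, value);
    if (s == NULL)
        return -1;
    int len = (int) strlen(s);
    free(s);
    return len;
}

int main(void)
{
    char buf[256];
    /* The case from the report: a width of 300 cannot fit in 256 bytes. */
    printf("fixed buffer: %d\n", format_long_fixed(buf, sizeof buf, 300, 1));
    printf("allocated:    %d chars\n", format_long_alloc_len(300, 1));
    return 0;
}
```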
