forked from mpaland/printf
Status: Closed
Labels: resolved-on-develop (a changeset fixing this issue has been committed to the development branch)
Description
This code snippet illustrates the issue (the issue does not manifest when using libc's printf):
(it can likely be abused by a hacker for malicious purposes)
It originated here: mpaland#139
/* the library's printf_(); the issue does not manifest with libc's printf */
#include <printf/printf.h>
#include <unistd.h>

/* output hook required by the library: emit one byte to stdout */
void putchar_(char character) {
    int dummy = write(1, &character, 1);
    (void)dummy; /* silence the unused-result warning */
}

int main(int argc, char *argv[]) {
    (void)argc;
    (void)argv;
    // case 1: "%." followed by an embedded NUL; the parser keeps reading past it
    printf_("Reads past this string%.\x00\nShould not see this: it's beyond the NUL terminator!%.");
    // case 2 (mentioned by https://github.com/ledvinap): bare '%' as the last byte
    printf_("Reads past this string%");
    return 0;
}
Compile like this:
gcc -fsanitize=address -o tst -I src main.c src/printf/printf.c
The output:
./tst
Reads past this string
Should not see this: it's beyond the NUL terminator!=================================================================
==73260==ERROR: AddressSanitizer: global-buffer-overflow on address 0x563bc4f2a091 at pc 0x563bc4f28e70 bp 0x7fff7ffeabb0 sp 0x7fff7ffeaba0
READ of size 1 at 0x563bc4f2a091 thread T0
#0 0x563bc4f28e6f in _vsnprintf (/home/francis/dev/git/printf.maintained/tst+0x7e6f)
#1 0x563bc4f29051 in vprintf_ (/home/francis/dev/git/printf.maintained/tst+0x8051)
#2 0x563bc4f29596 in printf_ (/home/francis/dev/git/printf.maintained/tst+0x8596)
#3 0x563bc4f22478 in main (/home/francis/dev/git/printf.maintained/tst+0x1478)
#4 0x7f13fcf08d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#5 0x7f13fcf08e3f in __libc_start_main_impl ../csu/libc-start.c:392
#6 0x563bc4f22284 in _start (/home/francis/dev/git/printf.maintained/tst+0x1284)
0x563bc4f2a091 is located 47 bytes to the left of global variable '*.LC2' defined in 'main.c' (0x563bc4f2a0c0) of size 24
'*.LC2' is ascii string 'Reads past this string%'
0x563bc4f2a091 is located 0 bytes to the right of global variable '*.LC1' defined in 'main.c' (0x563bc4f2a040) of size 81
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/francis/dev/git/printf.maintained/tst+0x7e6f) in _vsnprintf
Shadow bytes around the buggy address:
==73260==ABORTING
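The root cause shown by the sanitizer trace is a format parser that steps past '%' (and then past '.') without re-checking for the string terminator. As an added example, not code from printf.maintained, here is a hypothetical stand-alone checker (function names fmt_spec_len and fmt_check are my own) that walks a conversion specification the safe way, treating NUL at any position as a truncated spec; it generalizes the two strings in the report to flags, width, precision and length modifiers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Consume one conversion spec starting at fmt[0] == '%'.
 * Returns the byte length of the spec, or 0 when the string ends
 * (NUL) before the spec is complete or the conversion is unknown.
 * Every advance re-tests *p so a trailing "%" or "%." stops here. */
size_t fmt_spec_len(const char *fmt)
{
    const char *p = fmt;
    if (*p != '%') return 0;
    p++;
    if (*p == '%') return 2;                      /* literal percent */
    while (*p && strchr("-+ #0", *p)) p++;        /* flags */
    while (*p >= '0' && *p <= '9') p++;           /* width */
    if (*p == '*') p++;
    if (*p == '.') {                              /* precision */
        p++;
        while (*p >= '0' && *p <= '9') p++;
        if (*p == '*') p++;
    }
    while (*p && strchr("hljztL", *p)) p++;       /* length modifier */
    if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p))
        return 0;                                 /* truncated or unknown */
    return (size_t)(p - fmt) + 1;
}

/* Returns -1 when every '%' in fmt starts a complete spec, otherwise
 * the offset of the first truncated or unknown one. */
long fmt_check(const char *fmt)
{
    for (size_t i = 0; fmt[i]; i++) {
        if (fmt[i] != '%') continue;
        size_t n = fmt_spec_len(fmt + i);
        if (n == 0) return (long)i;
        i += n - 1;                               /* skip the rest of the spec */
    }
    return -1;
}

int main(void)
{
    /* the two strings from the report, both rejected at offset 22 */
    printf("%ld\n", fmt_check("Reads past this string%."));
    printf("%ld\n", fmt_check("Reads past this string%"));
    return 0;
}
```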