Subject: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: None <tech-userlevel@netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-userlevel
Date: 09/11/2000 10:04:37
As many of you are well aware, there have been a recent spate of
security vulnerabilities discovered as a result of applications
allowing untrusted data to end up as a format string.
All known non-denial-of-service format string exploits involve the use
of the %n specifier, which pulls an argument out of the argument list,
interprets it as an (int *), and stores the character count of the
current output into it.
Given an untrusted format string, this can often be twisted into
overwriting arbitrary locations in a process's memory.
The %n format specifier is not used very often -- I've been unable to
find any use of it within the NetBSD source tree.
Because it is used so infrequently, I'd like to *disable* the %n
format in userland by default. If a %n format is encountered when the
format is disabled, the *printf functions will instead print an error
to stderr (and possibly syslog as well) and call abort().
Applications which need to use %n can call some TBD function along the
lines of:
printf_enable_n();
to reenable the %n format directive.
Comments?
- Bill