NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Linux Security Auditing Project> 2000-q3

Subject: Re: Catching format bugs
From: Olaf Kirch (okircaldera.de)
Date: Mon Sep 18 2000 - 03:04:26 CDT

Next message: Sandy Harris: "[Fwd: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]]"
Previous message: Tim Robbins: "Re: Catching format bugs"
In reply to: Len Lattanzi: "Re: Catching format bugs"
Next in thread: Tim Robbins: "Re: Catching format bugs"
Reply: Olaf Kirch: "Re: Catching format bugs"
Reply: Tim Robbins: "Re: Catching format bugs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Sep 16, 2000 at 09:18:16AM -0700, Len Lattanzi wrote:
> This might work for static executables but shared libraries
> will have "multiple" _end values.

Oops, yeah, you're right.

Here's a different approach:

void
checkfmt(const char *format)
{
        static char *lastfmt = NULL;
        char line[512], *sp;
        FILE *fp;
        caddr_t addr;

if (format == lastfmt || !strstr(format, "%n"))
return;

/* NB: Avoid %n in fatal() messages below :-) */

if ((fp = fopen("/proc/self/maps")) == NULL)
fatal("/proc/self/maps: %m");

        /* Lines in /proc/self/maps look like this right
         * now:
         *
         * startaddr-endaddr [-r][-w][-x][-p] flags dev:ino ...
         */
        while (fgets(line, sizeof(line), fp)) {
                addr = (caddr_t) strtoul(line, &sp, 16);
                if (addr > (caddr_t) format)
                        continue;
                if (*sp++ != '-')
                        continue; /* garbled line */
                addr = (caddr_t) strtoul(line, &sp, 16);
                if (addr <= (caddr_t) format)
                        continue;
                if (*sp++ != ' ')
                        continue; /* garbled line */

                /* Found it. Check whether segment is writable */
                if (sp[1] == 'w')
                        fatal("non-constant format string `%s'", format);
                lastfmt = format;
                fclose(fp);
                return;
        }
        fatal("failed to parse /proc/self/maps");
}

Olaf

-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirmonad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okircaldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Next message: Sandy Harris: "[Fwd: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]]"
Previous message: Tim Robbins: "Re: Catching format bugs"
In reply to: Len Lattanzi: "Re: Catching format bugs"
Next in thread: Tim Robbins: "Re: Catching format bugs"
Reply: Olaf Kirch: "Re: Catching format bugs"
Reply: Tim Robbins: "Re: Catching format bugs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]