Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Date: Thu, 3 Nov 2022 20:42:16 +0100
From: Markus Wichmann
To: musl@lists.openwall.com
Message-ID: <20221103194216.GA7714@voyager>
Subject: [musl] Invalid read of nl_arg in printf_core()

Hi all,

reading some code today, I noticed undefined behavior in printf_core(). vfprintf() creates an array called nl_arg automatically and does not initialize it. That is fine, but it means that reads from each array member are undefined behavior until that member gets assigned a value.
printf_core() gets the array passed in as an argument, and will read it in both passes. Unfortunately, it only assigns values to the array at the end of the first pass. Therefore the reads from nl_arg in the first pass are undefined.

I also noticed that the assignments to nl_type in the second pass, while not undefined behavior, are just futile, since nl_type is only read during the initialization of nl_arg, at the end of the first pass. Therefore we can simply alternate the assignments depending on what pass we are in.

Please have a look at the attached patch.

Ciao,
Markus

Attachment: 0001-Prevent-invalid-reads-of-nl_arg-in-printf_core.patch

From da0554ae8d415e5c6f9fbd9c256b8ad60f8e19d4 Mon Sep 17 00:00:00 2001
From: Markus Wichmann
Date: Thu, 3 Nov 2022 20:29:12 +0100
Subject: [PATCH] Prevent invalid reads of nl_arg in printf_core().

printf_core() runs twice, and during its first run, nl_arg is uninitialized and must not be read. It gets initialized at the end of the first run. Conversely, nl_type does not need to be set during the second run, as its useful life has ended at that point, since the only time it is read is during that exact same initialization. Therefore we can simply alternate the assignments.

p and w do still need to get values assigned to them, since at least one line in the same if-statement depends on that, but they can be dummy values. arg does not need to be assigned, since in the first run, we encounter a continue statement before using the argument.
---
 src/stdio/vfprintf.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index 9b961e7f..45557951 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -478,8 +478,8 @@ static int printf_core(FILE *f, const char *fmt, va_li= st *ap, union arg *nl_arg, if (*s=3D=3D'*') { if (isdigit(s[1]) && s[2]=3D=3D'$') { l10n=3D1; - nl_type[s[1]-'0'] =3D INT; - w =3D nl_arg[s[1]-'0'].i; + if (!f) nl_type[s[1]-'0'] =3D INT, w =3D 0; + else w =3D nl_arg[s[1]-'0'].i; s+=3D3; } else if (!l10n) { w =3D f ? va_arg(*ap, int) : 0; @@ -491,8 +491,8 @@ static int printf_core(FILE *f, const char *fmt, va_li= st *ap, union arg *nl_arg, /* Read precision */ if (*s=3D=3D'.' && s[1]=3D=3D'*') { if (isdigit(s[2]) && s[3]=3D=3D'$') { - nl_type[s[2]-'0'] =3D INT; - p =3D nl_arg[s[2]-'0'].i; + if (!f) nl_type[s[2]-'0'] =3D INT, p =3D 0; + else p =3D nl_arg[s[2]-'0'].i; s+=3D4; } else if (!l10n) { p =3D f ? va_arg(*ap, int) : 0; @@ -521,8 +521,10 @@ static int printf_core(FILE *f, const char *fmt, va_l= ist *ap, union arg *nl_arg, if (st=3D=3DNOARG) { if (argpos>=3D0) goto inval; } else { - if (argpos>=3D0) nl_type[argpos]=3Dst, arg=3Dnl_arg[argpos]; - else if (f) pop_arg(&arg, st, ap); + if (argpos>=3D0) { + if (!f) nl_type[argpos]=3Dst; + else arg=3Dnl_arg[argpos]; + } else if (f) pop_arg(&arg, st, ap); else return 0; } =2D- 2.17.1 --d6Gm4EdcadzBjdND--
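Review bot: in the first hunk (the field-width branch at line 478), the comma expression `if (!f) nl_type[s[1]-'0'] = INT, w = 0;` is harder to read than the idiom the same block already uses two lines below, `w = f ? va_arg(*ap, int) : 0;`. Since the commit message itself says that writing nl_type in the second pass is merely futile rather than wrong, the unsafe read could be fixed on its own by keeping `nl_type[s[1]-'0'] = INT;` unconditional and changing only the read to `w = f ? nl_arg[s[1]-'0'].i : 0;`, which mirrors the existing style and leaves a one-line diff that shows exactly what was undefined.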
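Review bot: the precision hunk at line 491 gives `p` a placeholder of 0 in the first pass, but nothing in the hunk says why 0 is safe, and a later reader may take it for a meaningful precision. The non-positional branch visible in the same hunk, `p = f ? va_arg(*ap, int) : 0;`, already relies on the same placeholder, so the two branches now agree; a short comment on the `if (!f)` line (for example "first pass: placeholder, real value read in second pass") would record that the value is deliberately meaningless.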
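Review bot: in the hunk at line 521, `arg` is now left unassigned in the first pass when `argpos>=0`, whereas the old comma form `nl_type[argpos]=st, arg=nl_arg[argpos];` at least kept it initialized (by an undefined read, which is the point of the patch). The commit message justifies this with a `continue` that follows before `arg` is used, but that `continue` lies outside the hunk's context lines, so the invariant is invisible at the site. Suggest a one-line comment at `if (!f) nl_type[argpos]=st;` stating that the first pass must never read nl_arg and does not use `arg`, so that code added later between this block and the `continue` does not silently reintroduce the uninitialized read.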
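The two-pass scheme the mail describes (pass one records argument types into nl_type and must not touch nl_arg, the caller then fills nl_arg from the va_list, pass two reads nl_arg and has no use for nl_type) is easier to see in a small model. The following is an added example written for this page, not musl's vfprintf() and not the patch author's code; it handles only the subset "%N$d", "%N$*M$d" and "%%", and the names pos_core, fmt_positional and put are invented for the illustration. It makes the invariant from the patch checkable by passing NULL for whichever array the current pass is not allowed to use, so any mis-gated access faults instead of quietly reading uninitialized memory.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NL_ARGMAX 9
enum { NOARG = 0, INT = 1 };
union arg { int i; };

/* Append n bytes to out when out is non-NULL; always advance *len. */
static void put(char *out, size_t cap, size_t *len, const char *src, size_t n)
{
	for (size_t k = 0; k < n; k++, (*len)++)
		if (out && *len + 1 < cap) out[*len] = src[k];
}

/* Toy printf_core for the subset "%N$d", "%N$*M$d" and "%%" (hypothetical).
 * Pass 1 (out == NULL): records argument types in nl_type and never
 *   dereferences nl_arg (the driver passes NULL, so a stray read faults).
 * Pass 2 (out != NULL): reads nl_arg and never touches nl_type.
 * Returns -1 on a malformed format, else 0 (pass 1) or the output length. */
static int pos_core(char *out, size_t cap, const char *fmt,
                    const union arg *nl_arg, int *nl_type)
{
	size_t len = 0;
	for (const char *s = fmt; *s; ) {
		if (*s != '%') { put(out, cap, &len, s, 1); s++; continue; }
		s++;
		if (*s == '%') { put(out, cap, &len, "%", 1); s++; continue; }

		/* Argument number "N$" comes first, as in "%2$*1$d". */
		if (!isdigit((unsigned char)s[0]) || s[0] == '0' || s[1] != '$') return -1;
		int argpos = s[0] - '0';
		s += 2;

		/* Optional field width taken from numbered argument "*M$". */
		int w = 0;
		if (*s == '*') {
			if (!isdigit((unsigned char)s[1]) || s[1] == '0' || s[2] != '$') return -1;
			int widx = s[1] - '0';
			/* Same shape as the patched musl line: record the type in pass 1
			 * with a placeholder width, read the real value only in pass 2. */
			if (!out) nl_type[widx] = INT, w = 0;
			else w = nl_arg[widx].i;
			s += 3;
		}

		if (*s != 'd') return -1;
		s++;
		/* Pass 1 stops here: the type is known, the value is not needed. */
		if (!out) { nl_type[argpos] = INT; continue; }

		char tmp[32];
		int n = snprintf(tmp, sizeof tmp, "%*d", w, nl_arg[argpos].i);
		if (n < 0) return -1;
		if ((size_t)n >= sizeof tmp) n = (int)sizeof tmp - 1;  /* clamp huge widths */
		put(out, cap, &len, tmp, (size_t)n);
	}
	if (!out) return 0;
	if (cap) out[len < cap ? len : cap - 1] = '\0';
	return (int)len;
}

/* vfprintf-style driver: learn the types, consume the va_list in numbered
 * order to fill nl_arg, then format. A gap in the numbering is an error,
 * mirroring the check musl's vfprintf() performs between the passes. */
int fmt_positional(char *out, size_t cap, const char *fmt, ...)
{
	int nl_type[NL_ARGMAX + 1] = {0};
	union arg nl_arg[NL_ARGMAX + 1];
	if (pos_core(NULL, 0, fmt, NULL, nl_type) < 0) return -1;

	va_list ap;
	va_start(ap, fmt);
	int i;
	for (i = 1; i <= NL_ARGMAX && nl_type[i]; i++) nl_arg[i].i = va_arg(ap, int);
	va_end(ap);
	for (; i <= NL_ARGMAX && !nl_type[i]; i++) ;
	if (i <= NL_ARGMAX) return -1;

	return pos_core(out, cap, fmt, nl_arg, NULL);
}

int main(void)
{
	char buf[64];
	int n = fmt_positional(buf, sizeof buf, "%2$*1$d|%1$d", 6, 42);
	printf("%d bytes: \"%s\"\n", n, buf);
	return 0;
}
```

The point of passing NULL for nl_arg in the first call and NULL for nl_type in the second is that it turns the ordering rule from the commit message into something the program enforces: with the pre-patch shape of the code, where both assignments sit on one line, the first pass would dereference NULL immediately rather than read garbage that happens to be ignored.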