From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.1 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,
	RCVD_IN_MSPIKE_WL autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 23801 invoked from network); 6 Aug 2021 13:14:39 -0000
Received: from mother.openwall.net (195.42.179.200)
  by inbox.vuxu.org with ESMTPUTF8; 6 Aug 2021 13:14:39 -0000
Received: (qmail 32169 invoked by uid 550); 6 Aug 2021 13:14:37 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Received: (qmail 32139 invoked from network); 6 Aug 2021 13:14:37 -0000
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jensenkarlsson.se;
	s=MBO0001; t=1628255664;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=9Z5Nrr/50+Orj2XpJ1Lt5xUl4y0PBFIt0Q3loTLtGa8=;
	b=Kw83d1Pj8rPymxDE4jnJoqAivy4ptPDvBf11wYHoIhmMxuKdpdYaT+xHZ/ybRrXdKR6Zin
	oczZBUULh3tNTvjAF3B1m4kMnXh+Ti5Z5MRvHPYFfgNYL0mndjdnB6DfCclk7uRJyTFuwe
	7xAEMFixQpqw6F+KOWKbZVzrUxJa83Z60Q/VtscvWZoZfgI4szLpZyovHpM5y82Ea4rZ+N
	VPLK0K8ZXbC50QM7ofG1iJ2EcKDjA/o1DBbugJtYCpzVeVPz6Fvdfb6S7YnVWylJCVV7tk
	QaExoEilCUqUTcngb4l/rq0ppighvlmIHpyW8iyi4GJ58ge2Cq4yx/UI2FrBEA==
To: musl@lists.openwall.com
From: Pontus Jensen Karlsson <pontus@jensenkarlsson.se>
Message-ID: <23e62796-4efb-3495-d7c8-1e3d85f4ea82@jensenkarlsson.se>
Date: Fri, 6 Aug 2021 15:14:22 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Rspamd-Queue-Id: 22EF318BF
X-Rspamd-UID: 58c464
Subject: [musl] Potential bug in printf_core

Hi,

I've been trying to build audit-userspace tools for an ARMv7 SBC using=20
musl 1.2.2 as libc.
The tool auditd continously segfaults and I've traced it to a printf=20
statement that
I have isolated the issue to this piece of code (simplified for=20
debugging purposes):

#include <sys/time.h>
#include <stdio.h>

int main(int argc, char **argv)
{
 =C2=A0=C2=A0=C2=A0 struct timeval tv =3D {
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 .tv_sec =3D 1000,
 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 .tv_usec =3D 4177777
 =C2=A0=C2=A0=C2=A0 };
 =C2=A0=C2=A0=C2=A0 char *str =3D "Hello World";
 =C2=A0=C2=A0=C2=A0 unsigned num =3D 8062;

 =C2=A0=C2=A0=C2=A0 printf("%lu %03u %u %s", tv.tv_sec, (unsigned)(tv.tv_=
usec), num, str);
}

This code segfaults at memchr (s =3D 0x3fbf71 <error: Cannot access memor=
y=20
at address 0x3fbf71>)
but three frames up we're at src/stdio/vfprintf.c:593.

Here it attempts to read the string length from the arg.p address, the=20
problem is that arg.p points
to the int-value of (unsigned)(tv.tv_usec) and not the memory address of =

str.

So, I'm confused as to why this happens? Is it something weird with the=20
state-machine in printf_core,
or am I misunderstanding something which needs to be patched into=20
audit-userspace?

Best regards,
Pontus Jensen Karlsson