Hi Linted,

The buffer overflow occurs when positional arguments are used.

In the attached example (hello_world.c), the use of positional arguments is deliberate to trigger the buffer overflow; I don't have a real-world example where positional arguments are really necessary and used without taking the format string from an untrusted source. In the attached example, it would be much more natural to use "%s" instead of "%1$s", and this would have avoided entering the problematic code path. The effect of the buffer overflow is not observable externally; it can however be confirmed by applying patch 'uclibc-_vfprintf.c.patch'.


Best regards,
Diego Dias

On 24/10/2023 17:06, linted wrote:
Very nice work Diego! 

Is there a POC showing the overflow, as that would make writing unit tests easier?

Also is this vulnerability in the same class as other printf vulnerabilities, where it requires a developer to pass untrusted input as the format string to print?

Thank you!
Linted

On Tue, Oct 24, 2023, 7:16 AM Diego Dias <diego.dias@kernkonzept.com> wrote:
Dear uclibc-ng developers,

We have run a static analysis tool (Klocwork) in uclibc and one of its
checkers (ABV.GENERAL) indicates a potential buffer overflow in
uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045

The problem occurs as an out-of-bounds access to array 'argtype', which
is a member of 'ppfs_t'. This array has length 'MAX_ARGS'. According to
the static analysis tool, the array can be accessed using index 'n' of
value '-1' and '9..254' in the conditional shown below:

// File: uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045
   if (_is_equal_or_bigger_arg(ppfs->argtype[n], argtype[i])) {
     ppfs->argtype[n] = argtype[i];
   }

Triggering an out-of-bounds access for 'n=-1' is relatively simple when
using printf or similar functions (e.g. vfprintf). Such an out-of-bounds
access occurs when positional arguments are specified, as in the
following statement:

   printf("%1$s", "Hello world!");

Although Klocwork claims that the array might be accessed using indexes
'9..254', we were not able to trigger an out-of-bounds access for
indexes in this range.

Kind regards,
Diego Dias

--
Diego M. Dias, Systems Verification Engineer at Kernkonzept, diego.dias@kernkonzept.com
Phone: +49 351 41883231

Kernkonzept GmbH at Dresden, Germany, HRB 31129, CEO Dr.-Ing. Michael Hohmuth

_______________________________________________
devel mailing list -- devel@uclibc-ng.org
To unsubscribe send an email to devel-leave@uclibc-ng.org

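As an added illustration of the point raised in the thread (this is not uclibc-ng code, nor a patch for it, and it is not part of the original messages): POSIX "%N$" positions are 1-based, so a parser that converts them to a 0-based slot index n = N - 1 must range-check n against the size of its per-argument type table before indexing it. The example below is a small format scanner that performs exactly that check and rejects "%0$s" (n == -1), "%10$s" (n past the end of a 9-slot table) and the other cases a conforming parser must refuse; the slot count EX_MAX_ARGS = 9 and all ex_* names are assumptions chosen for this example, not values taken from uclibc's MAX_ARGS or its argtype handling.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed table size for this example (not uclibc's MAX_ARGS). */
#define EX_MAX_ARGS 9

enum ex_argtype { EX_NONE = 0, EX_INT, EX_STRING, EX_DOUBLE };

/* Per-argument type table filled in by ex_scan_format(). */
struct ex_spec {
    enum ex_argtype argtype[EX_MAX_ARGS];
    int nargs;       /* number of slots used (highest position) */
    int positional;  /* 1 once a "%N$" spec has been seen */
};

/* Map a conversion character to the argument type it consumes. */
static enum ex_argtype ex_conv_type(char c)
{
    switch (c) {
    case 'd': case 'i': case 'u': case 'x': case 'X': case 'o': case 'c':
        return EX_INT;
    case 's':
        return EX_STRING;
    case 'f': case 'e': case 'g':
        return EX_DOUBLE;
    default:
        return EX_NONE;
    }
}

/* Scan fmt and record the type of every argument slot it references.
 * Returns 0 on success, -1 on a malformed spec, a mix of positional and
 * sequential specs, a conflicting reuse of a slot, a gap in the positional
 * numbering, or a position whose 0-based index n is outside [0, EX_MAX_ARGS).
 * '*' widths are not supported by this example and are rejected. */
int ex_scan_format(const char *fmt, struct ex_spec *spec)
{
    int next = 0;  /* next slot for sequential (non-positional) specs */

    memset(spec, 0, sizeof *spec);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;  /* literal "%%" */

        /* Try the "%N$" form: one or more digits followed by '$'. */
        const char *q = p;
        long pos = 0;
        int n;
        while (isdigit((unsigned char)*q)) {
            if (pos < 100000)  /* saturate; anything this large is rejected below */
                pos = pos * 10 + (*q - '0');
            q++;
        }
        if (q != p && *q == '$') {
            if (spec->nargs && !spec->positional)
                return -1;             /* sequential spec already seen */
            spec->positional = 1;
            n = (int)pos - 1;          /* "%0$" yields n == -1 here */
            p = q + 1;
        } else {
            if (spec->positional)
                return -1;             /* positional spec already seen */
            n = next++;
        }
        /* The range check that makes the later argtype[n] access safe. */
        if (n < 0 || n >= EX_MAX_ARGS)
            return -1;

        while (*p && strchr("-+ #0123456789.", *p))
            p++;                       /* flags, width, precision */
        while (*p && strchr("hlqjzt", *p))
            p++;                       /* length modifiers */

        enum ex_argtype t = ex_conv_type(*p);
        if (t == EX_NONE)
            return -1;
        if (spec->argtype[n] != EX_NONE && spec->argtype[n] != t)
            return -1;                 /* same slot used with two types */
        spec->argtype[n] = t;
        if (n + 1 > spec->nargs)
            spec->nargs = n + 1;
    }
    if (spec->positional) {            /* positional form must be gap-free */
        for (int i = 0; i < spec->nargs; i++)
            if (spec->argtype[i] == EX_NONE)
                return -1;
    }
    return 0;
}

/* printf that validates its format first; returns -1 without printing if
 * the format fails ex_scan_format(). */
int ex_checked_printf(const char *fmt, ...)
{
    struct ex_spec spec;
    if (ex_scan_format(fmt, &spec) != 0)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int r = vprintf(fmt, ap);
    va_end(ap);
    return r;
}

int main(void)
{
    /* The statement from the report passes the check and prints normally. */
    ex_checked_printf("%1$s\n", "Hello world!");
    /* "%0$s" would compute n == -1 and is refused before any table access. */
    if (ex_checked_printf("%0$s\n", "never printed") == -1)
        puts("rejected \"%0$s\"");
    return 0;
}
```

The useful property to take from this is the order of operations: the index derived from the format string is validated before it is used to read or write the type table, whichever direction (below 0 or beyond the table) the bad index comes from. A wrapper like ex_checked_printf is a stop-gap for callers; the real fix belongs in the libc's own scanner.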