Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing checks in calls to variadic functions inside checked scope #1178

Open
mgrang opened this issue Sep 2, 2021 · 0 comments
Open

Missing checks in calls to variadic functions inside checked scope #1178

mgrang opened this issue Sep 2, 2021 · 0 comments
Labels
bug This labels issues that are bugs. future work This labels issues that need further triaging and discussion.

Comments

@mgrang
Copy link

mgrang commented Sep 2, 2021
edited
Loading

#1174 added support to call variadic functions in checked scope. There are several checks which are yet to be implemented. The PR does not do any bounds checking for the arguments to printf/scanf like functions. The following issues were raised by @mattmccutchen-cci on the PR.

I realize I may have waited a little too late to post this, but I tested this PR and found several holes in the new checking. If you save the code below as printf-checking-bugs.c and then run clang -o printf-checking-bugs printf-checking-bugs.c and ./printf-checking-bugs percent_n, etc., you can see the SEGV. If you don't want to address the problems in this PR, I can copy the examples to a new issue.

#pragma CHECKED_SCOPE on

#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

#define TEST(_name) else if (strcmp(test_name, #_name) == 0)

int main(int argc, _Nt_array_ptr<_Nt_array_ptr<char>> argv : count(argc)) {
  _Nt_array_ptr<char> test_name = argv[1];
  if (!test_name) {
    fprintf(stderr, "No test name specified\n");
    return 1;
  }

  if (0) {}
  TEST(percent_n) {
    // Missing check that %n argument is a _Ptr.
    int arr _Checked[1];
    printf("hello\n%n", arr + 123456789);
  }
  TEST(scanf_scalar) {
    // Missing check that _any_ scalar scanf argument is a _Ptr.
    int arr _Checked[1];
    sscanf("42", "%d", arr + 123456789);
  }
  TEST(printf_s_count) {
    // Missing check that printf %s argument has at least count(0).
    char buf _Nt_checked[1];
    printf("%s", buf + 123456789);
  }
  TEST(scanf_p) {
    // scanf reads an arbitrary _Ptr<void> via %p. The right solution here may
    // be to disallow _Ptr<void>
    // (https://github.com/microsoft/checkedc/issues/335). I couldn't find any
    // other way to exploit %p, but that doesn't mean there isn't any.
    _Ptr<void> q = 0;
    sscanf("0x1", "%p", &q);
    _Ptr<char> p = (_Ptr<char>)q;
    (*p)++;
  }
  TEST(scanf_s_overflow) {
    // scanf %s overflows the output buffer. I guess the compiler should require
    // the format string to specify a maximum width and check it against the
    // bounds of the argument?
    char field _Nt_checked[10];
    char input _Nt_checked[1000];
    memset(input, 'x', sizeof input - 1);
    sscanf(input, "%s", field);
  }
  else {
    fprintf(stderr, "Unknown test name\n");
    return 1;
  }

  return 0;
}

Originally posted by @mattmccutchen-cci in #1174 (comment)
@mgrang mgrang mentioned this issue Sep 2, 2021
Closed
@mgrang mgrang added bug This labels issues that are bugs. future work This labels issues that need further triaging and discussion. labels Sep 2, 2021
This was referenced Sep 2, 2021
Merged
Closed
@mattmccutchen-cci mattmccutchen-cci mentioned this issue Sep 9, 2021
Merged
This was referenced Jan 17, 2022
Closed
Closed
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug This labels issues that are bugs. future work This labels issues that need further triaging and discussion.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mgrang