| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:subject:references:to:reply-to:from:message-id | |
| :date:mime-version:in-reply-to:content-type | |
| :content-transfer-encoding; q=dns; s=default; b=SxAIaTHHBpwxrhlO | |
| 9mR3kHHaDVlU/yAYdSoLke+LF1PvlNHm+WahHzGUMGmEFldq3nJYJIufFI19z0oO | |
| rIwloswhh2P8EyIPAM3R3VUsrgBcXFivMGNLKjciFzcNrmx+ZxpSC63wG3BbrUxS | |
| 1KRKVXJxH4mULGAn9o0+koFLATQ= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:subject:references:to:reply-to:from:message-id | |
| :date:mime-version:in-reply-to:content-type | |
| :content-transfer-encoding; s=default; bh=3xd6l76+vgevViJLh5mneZ | |
| hmVKQ=; b=bUyPWFpIHHj4lzOgsVKRrG/JiWZWR2BZmEhAasJXEHe8eebkoCJNvm | |
| XWIdcxcnRpPvxTCOvxHlXTOJKvA+LkpYO0aDwi8/H6BgGxj72//VKFVwdM00qv0g | |
| nX3zEdxR635zQFY4sH1NGgP7y/ADyeLOC97Lok/zu/LBXhMEJVGyA= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=-1.3 required=5.0 tests=AWL,BAYES_00,KAM_LAZY_DOMAIN_SECURITY,RCVD_IN_DNSWL_LOW autolearn=no version=3.3.2 spammy=H*R:D*ca, H*r:ip*192.168.1.100, Hx-spam-relays-external:sk:smtp-ou, H*RU:sk:smtp-ou |
| X-HELO: | smtp-out-so.shaw.ca |
| X-Authority-Analysis: | v=2.2 cv=XbT59Mx5 c=1 sm=1 tr=0 a=WqCeCkldcEjBO3QZneQsCg==:117 a=WqCeCkldcEjBO3QZneQsCg==:17 a=IkcTkHD0fZMA:10 a=XUuwx5PK5hd1ywNdz38A:9 a=AbyRu-eBReapVuJ_:21 a=mWRn-uUUxjXkdqkF:21 a=QEXdDO2ut3YA:10 |
| Subject: | Re: Integer overflow in functions from scanf() family in MinGW, Cygwin, Borland/Embarcadero C environments (Windows) |
| References: | <001101d295e9$65841800$308c4800$@gmail.com> |
| To: | cygwin AT cygwin DOT com |
| Reply-To: | Brian DOT Inglis AT SystematicSw DOT ab DOT ca |
| From: | Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca> |
| Message-ID: | <fbb14e7b-12e0-5ee3-5066-69c69f8c2643@SystematicSw.ab.ca> |
| Date: | Sun, 5 Mar 2017 15:50:59 -0700 |
| User-Agent: | Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1 |
| MIME-Version: | 1.0 |
| In-Reply-To: | <001101d295e9$65841800$308c4800$@gmail.com> |
| X-CMAE-Envelope: | MS4wfHfr97kPnNEZnXi1QT0fDTAPDC+Ng6PENjY1YEbsIjMM/xqmko3+6YaptUU7qWaOfcHP4hQo8ef5Q9jUD9zYK0Z0se/QGDhwB38OriBcDFNlI/WHafcP yVBq46dvJ/31Lw847DhNzYkrKi7ONNSR7+hzGlUHgMIIVAdZ2c7jZqS+0sgu0AJdf/wCUCPXeqAzgw== |
| X-IsSubscribed: | yes |
On 2017-03-05 12:48, Lukas' Home Page wrote:
> I find out a strange and bad beaviour in functions from scanf() family when
> reading one-byte int variable in MinGW, Cygwin and Borland/Embarcadero C
> environments (on Windows, on Linux this doesn't happen). This bug is
> corelated with MSVCRT library which isn't written in C99 standard (it's
> written in C89 i think).
> So, the point is, when you're reading one byte using scanf() function, AND
> you are using %hhu format specifier, you have Integer Overflow bug in your
> code, because MinGW links to old MSVCRT (C89 version) even if you compile
> with -std=c99 parameter.
> This works, because scanf() in old MSVCRT library doesn't know "h" format
> specifier. BUT! The problem is, that scanf try to interpret format specifier
> anyway, omits unsupported "h" specifier and it's loading full integer ("u")
> to memory (it should omit not supported part of format - whole "%hhu" format
> part, not just only "h"). The C99 specification says on 361 page: "If a
> conversion specification is invalid, the behavior is undefined." - but it is
> WRONG, because the behaviour SHOULD BE DEFINED AS OMITING THE WHOLE
> UNSUPPORTED PART OF FORMAT (not only single specifier, but whole part).
Dealing safely with anything other than int, double, and width limited strings
using scanf requires a lot of care, by the implementation and the developer.
Undefined behaviour puts the onus on you as a developer to avoid invoking
whatever behaviour the implementation defaults to.
I can suggest looking into the inttypes.h SCNu* macros and stdint.h.
Options -Wall and -Wextra should produce format warnings.
Cygwin uses newlib and Mingw may use its own scanf library.
Cygwin provides a Mingw port, so any problems should be reported upstream.
> In exploit (below), compiler doesn't even display warnings (event if you
> compile program with -std=c99 and -Wextra parameters). I compile on Windows
> 7 using that command:
> gcc main.c -o main.exe -Wextra
> #include <stdio.h>
> #include <stdbool.h>
> typedef volatile unsigned char uint8_t;
> int main()
> {
> bool allowAccess = false; // allowAccess should be always FALSE
> uint8_t userNumber;
> char format[] = "%hhu";
> char buffer[] = "257\n";
> sscanf(buffer, format, &userNumber);
> if (allowAccess)
> {
> printf("Access granted: secret information - Lech Walesa was a Bolek
> agent\n");
> }
> printf("Entered number is: %d\n", userNumber);
> return 0;
> }
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |