X-Recipient: archive-cygwin@delorie.com
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:date:message-id:mime-version
	:content-type:content-transfer-encoding; q=dns; s=default; b=wqc
	EgRUtZIfM+rh2/ngLc4NUDZPtPekKMehvap6RRI9H8MQZ1/Dp/HRTFVy3OseRFoG
	SdXzXGbqFEYvOWfit/hk5DX1CODSJYLAuOJ/667vXarFX3O2YNziGKyjEn34fCWq
	Vhq5RGkCtVQbuAzqMxGM3Qen9hdnEjQILS4b9FYs=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:from:to:subject:date:message-id:mime-version
	:content-type:content-transfer-encoding; s=default; bh=E0cWU0JuW
	k/GEF7+7C+gHvHLujw=; b=CXPneIilp4W8zU4qA8pK/2A7Eyp18xlwtm/nWZKSn
	8FOq9tybcOqtswxwzmCZKF+8425fJcMnWSPV+9u7KiJB4GU3sCf72o12g0xoeZCL
	yvWs3KD3SOZMGsvuYyBLEfsDdUjFKqONjcpIEu3je9aehSTJQAQMo8wHvdwwU3lk
	YE=
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-7.6 required=5.0 tests=BAYES_00,FREEMAIL_FROM,GIT_PATCH_2,RCVD_IN_DNSWL_LOW,SPF_PASS autolearn=ham version=3.3.2 spammy=ukasz, H*x:15.0, H*UA:Outlook, H*x:Outlook
X-HELO: mail-lf0-f54.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;        d=1e100.net; s=20161025;        h=x-gm-message-state:from:to:subject:date:message-id:mime-version         :content-transfer-encoding:thread-index:content-language;        bh=InmlO+EVNAv0pvMQO5ratj7zF2/PL0++VwfVoJ34EvM=;        b=BwJ8bEVDuiBEB090LDjRS3Us/ANwt0QzvfdgurRdONyNWBuK1+gCBnwHfXLVI4jfIt         BVcOSG56fyQLUU0Zcvplh7wFXdDrVfv7MaffzRotvFrniZEQBvjPhCiZHvLmlztDIj/w         ihdXjXrXZMV1wvmHpyNIXxQWhFpp7RUy/jIEIMJIl60YbDxweG8mn9ibVQ5vcbKdbx/2         EC8Qg+zFTkzW+5tqy9Qg1mNcUCPT1Oa8uMdzPTFyZOrXGh5Bus/wPjksgok8ZsPBcXBQ         Az72d+6+OFDaW8l27aB9DPv56R4F97WovEK7bq8h67kJjpl8g6lAr2Hr7GQtdWKQtY9r         K8/A==
X-Gm-Message-State: AMke39l6FQkalcjhASPuTIff9BIuqEmwPbKn1aaoJM5O+dczlQWzGOLTl3odvHtuNWG6Zw==
X-Received: by 10.46.5.209 with SMTP id 200mr4190604ljf.137.1488743280583;        Sun, 05 Mar 2017 11:48:00 -0800 (PST)
From: "Lukas' Home Page" <lukas.home.page@gmail.com>
To: <cygwin@sourceware.org>
Subject: Integer overflow in functions from scanf() family in MinGW, Cygwin, Borland/Embarcadero C environments (Windows)
Date: Sun, 5 Mar 2017 20:48:00 +0100
Message-ID: <001101d295e9$65841800$308c4800$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain;	charset="iso-8859-2"
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by delorie.com id v25Jma6U002489

Good morning,

I find out a strange and bad beaviour in functions from scanf() family when
reading one-byte int variable in MinGW, Cygwin and Borland/Embarcadero C
environments (on Windows, on Linux this doesn't happen). This bug is
corelated with MSVCRT library which isn't written in C99 standard (it's
written in C89 i think).

So, the point is, when you're reading one byte using scanf() function, AND
you are using %hhu format specifier, you have Integer Overflow bug in your
code, because MinGW links to old MSVCRT (C89 version) even if you compile
with -std=c99 parameter.

This works, because scanf() in old MSVCRT library doesn't know "h" format
specifier. BUT! The problem is, that scanf try to interpret format specifier
anyway, omits unsupported "h" specifier and it's loading full integer ("u")
to memory (it should omit not supported part of format - whole "%hhu" format
part, not just only "h"). The C99 specification says on 361 page: "If a
conversion specification is invalid, the behavior is undefined." - but it is
WRONG, because the behaviour SHOULD BE DEFINED AS OMITING THE WHOLE
UNSUPPORTED PART OF FORMAT (not only single specifier, but whole part).
In exploit (below), compiler doesn't even display warnings (event if you
compile program with -std=c99 and -Wextra parameters). I compile on Windows
7 using that command:

gcc main.c -o main.exe -Wextra


Exploit example:
===============================

#include <stdio.h>
#include <stdbool.h>

typedef volatile unsigned char uint8_t;

int main()
{
    bool allowAccess = false; // allowAccess should be always FALSE
    uint8_t userNumber;
    char format[] = "%hhu";
    char buffer[] = "257\n";
    sscanf(buffer, format, &userNumber);
    if (allowAccess)
    {
        printf("Access granted: secret information - Lech Walesa was a Bolek
agent\n");
    }
    printf("Entered number is: %d\n", userNumber);
    return 0;
}

Best regards,

---
Łukasz "Lukas" Wyporek
lukas.home.page@gmail.com 
http://www.lukashp.pl 



--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple