Previous Entry Share Next Entry
May the (FORTIFY_)SOURCE be with you!!!
A few days back while investigating a particular security flaw, i discovered something about glibc's FORTIFY_SOURCE format string protection which i did not know earlier.

Most developers (at least some of them), seem to think that if a program is compiled with fortify_source enabled, it was protected against, any format string flaw, This however is not completely true, a lot of glibc functions in fact are not protected. One example is the warn() function.

As per the man page:

The  err() and warn() family of functions display a formatted error message on the standard error output.  In all cases, the last component of the program name, a colon character, and a space are output.  If the fmt argument is not  NULL,  the  printf(3)-like formatted error message is output.  The output is terminated by a newline character.

Both err() and warn() and other functions described in that man page, take printf() like "formatted" data as its input. And since its not protected by FORTIFY_SOURCE, something like warn(message) could be exploited.

There may be other glibc functions which take formatted user-arguement, and are not protected as well. I leave finding this as an excercise for the reader :)

In the mean time the following bugs were filed:

1. glibc upstream
2. Red Hat Bugzilla


Log in