[LLVMbugs] [Bug 18412] New: Static analysis should've caught CVE-2013-6462

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Tue Jan 7 09:05:36 PST 2014 

http://llvm.org/bugs/show_bug.cgi?id=18412

            Bug ID: 18412
           Summary: Static analysis should've caught CVE-2013-6462
           Product: clang
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: kremenek at apple.com
          Reporter: jeremyhu at apple.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

http://lists.x.org/archives/xorg-announce/2014-January/002389.html

CVE-2013-6462 is a vulnerability in libXfont (part of X.org) due to not
properly specifying a buffer size when reading in a string via sscanf.

I have provided a reduced version of the issue, and neither static analysis nor
-Wformat=2 produces any indication of the issue with recent trunk:

~ $ clang-mp-3.5 --version
clang version 3.5 (trunk 198565)
Target: x86_64-apple-darwin13.1.0
Thread model: posix

~ $ scan-build-mp-3.5 clang-mp-3.5 -Wall -Wextra -Wformat=2 -c notcaught.c 
scan-build: Using '/opt/local/libexec/llvm-3.5/bin/clang' for static analysis
scan-build: Removing directory
'/var/folders/1b/f1bzh5152y9bvygzl07fn87m0000gn/T/scan-build-2014-01-07-090611-97009-1'
because it contains no reports.
scan-build: No bugs found.

~ $ cat notcaught.c 
#include <stdio.h>
#include <string.h>

int readforme(const char * line, char ** ret) {
    char charName[100];

    if (sscanf(line, "STARTCHAR %s", charName) != 1) {
        *ret = NULL;
        return -1;
    }

    *ret = strdup(charName);

    return 0;
}

---

Note that %s needs to be %99s in order to be safe.

---

cppcheck caught the issue:
  [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
      scanf without field width limits can crash with huge input data.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20140107/58586b17/attachment.html>

More information about the llvm-bugs mailing list