[PATCH] Sanitize printf functions

Thu Jan 9 00:07:10 PST 2014


================
Comment at: sanitizer_common/sanitizer_common_interceptors.inc:698
@@ +697,3 @@
+    int res = REAL(vname)(str, __VA_ARGS__);                                   \
+    if (res > 0 && common_flags()->check_printf) {                             \
+      COMMON_INTERCEPTOR_WRITE_RANGE(ctx, str, res + 1);                       \
----------------
I'd remove check_printf from this condition, otherwise we'd get an MSan regression when check_printf is disabled. Also, these writes don't depend on format string parsing, and are most certainly correct.

The same goes to other v*printf interceptors.


================
Comment at: sanitizer_common/sanitizer_common_interceptors_scanf.inc:11
@@ -11,2 +10,3 @@
+// Scanf/printf implementation for use in *Sanitizer interceptors.
 // Follows http://pubs.opengroup.org/onlinepubs/9699919799/functions/fscanf.html
 // with a few common GNU extensions.
----------------
Yury Gribov wrote:
> Alexander Potapenko wrote:
> > How about this line? Is there a printf specification we're following?
> Oh, this is a good one. I've blindly reused scanf parser but it seems that printf format has richer syntax: it has flags and precision + asterisk semantics is different. I'll fix this in next rev.
Yes, this is kind of scary.
AFAIK, glibc has a comprehensive set of tests for scanf format string parsing. Jakub Jelinek ran this code on them and found several tricky bugs in the parser. Could you look into doing the same for printf?



http://llvm-reviews.chandlerc.com/D2480

