Why scanf?

yes, please

This interceptor will cause many new bugs to be discovered
and the deployment in many cases will take time.
Please add a flag "check_printf" to sanitizer_common/sanitizer_flags.h (true by default)
and if this flag is false, don't do any checking.

I felt cynical and simply grabbed SANITIZER_INTERCEPT_SCANF from sanitizer_common/sanitizer_platform_interceptors.h in hope that printf and scanf always go together. What about renaming SANITIZER_INTERCEPT_SCANF to SANITIZER_INTERCEPT_FORMAT?

I tried this initially but realized that Msan already intercepts printf stuff. What's the general policy about what goes into sanitizer_common (e.g. strcmp) and what gets re-implemented in each sanitizer (e.g. memset)?

Makes sense, will do.

I would have a separate SANITIZER_INTERCEPT_PRINTF

msan interceptors are rudimentary and will have to be replaced with these *eventually*.
Here is a suggestion: move the code to sanitizer_common_interceptors.inc
but define SANITIZER_INTERCEPT_PRINTF to 1 only in asan.
tsan and msan will follow later.

We can enable it in MSan from the start (killing the old msan interceptors), just make sure that the new interceptors emulate a WRITE to the target buffer (for sprintf and friends).

Is current emulation fine or do you want to check each specifier separately?

I mean, when this is moved to common interceptors, you'll need to do COMMON_INTERCEPTOR_WRITE_RANGE() for the sprintf target buffer, like the current msan interceptors do.
That is in addition to reads and writes that you do already.

we can do it as a separate commit (I'd even prefer that)

can you avoid this?

good idea. feel free to implement or to leave the TODO.
Actually this code base uses FIXME (w/o name) more often.

Sure.

Well, I need size_t for snprintf.

Actually this code base uses FIXME (w/o name) more often.

Got it. Anyway, this was more a question for reviewers than real TODO. I'll add format check in next rev.

please use SIZE_T and don't include any additional system headers

Agreed, my bad.

Please update this comment.
Also, how about renaming the file to something like "sanitizer_common_interceptors_printf_scanf.inc" or "sanitizer_common_interceptors_format.inc"?

We sure need to check |format|. Since you've already touched scanf_common in this CL, why not just add

COMMON_INTERCEPTOR_READ_RANGE(ctx, format, internal_strlen(format) + 1);

?

Two spaces before the comment, please.

I wonder why the lines above have this strange indentation, but let us fix that in a separate commit.

Please update this comment.

Will do.

Also, how about renaming the file to something like "sanitizer_common_interceptors_printf_scanf.inc"

But won't this make diff unreadable? Perhaps this should be a separate patch?

Yup, already added this in new version of the patch. I didn't resubmit it because I wanted to gather reviews from all team members.

The bigger question is whether we want to check size of input buffer in sscanf and friends.

BTW what's the general rule: should I resubmit patch as often as possible or wait till everyone comments?

Do you think we need a warning here? If yes, I'll add it, if not - I'll remove the comment alltogether.

Looks like something lint should be able to handle.

But won't this make diff unreadable? Perhaps this should be a separate patch?

SGTM

BTW what's the general rule: should I resubmit patch as often as possible or wait till everyone comments?

I think it's better to resubmit once you've addressed a round of comments.
Most of the team is on holidays now, so you'll never know whether everyone is going to comment.

The bigger question is whether we want to check size of input buffer in sscanf and friends.

Yes, that's nice to have, too.

We can't get an invalid size from format_get_value_size(), so it's ok to have a CHECK here.

I've removed these. There's no clear policy about these spaces anyway.

Any idea how to achieve this? Scanfs won't tell us number of bytes read and I can't make use of %n in interceptor...

Will do.

Please sort the includes alphabetically (here and in other tests)

How about this line? Is there a printf specification we're following?

Please swap this line with the above declaration and remove the empty line below.

How does this comment relate to the above one?

Good point, probably worth doing.

Will do.

Oh, this is a good one. I've blindly reused scanf parser but it seems that printf format has richer syntax: it has flags and precision + asterisk semantics is different. I'll fix this in next rev.

+1

Sorry, not quite clear. I believe we don't want to bother with positional args neither in scanf, nor in printf.

Ok, I can do this. Note that there are actually many more checks of this sort: intersection of format with target string, intersection of format with %n destination, intersection of format with scanf argument, etc., etc. I guess errors like this should already be handled by things like FORTIFY_SOURCE pretty well.

I'd remove check_printf from this condition, otherwise we'd get an MSan regression when check_printf is disabled. Also, these writes don't depend on format string parsing, and are most certainly correct.

The same goes to other v*printf interceptors.

Yes, this is kind of scary.
AFAIK, glibc has a comprehensive set of tests for scanf format string parsing. Jakub Jelinek ran this code on them and found several tricky bugs in the parser. Could you look into doing the same for printf?

Note that check_printf is true by default and MSan will still use it's own interceptors for now.

AFAIK, glibc has a comprehensive set of tests for scanf format string parsing.

Are we talking about these:

$ find glibc-master -name tst\* -o -name test\* | grep printf
glibc-master/stdio-common/tst-swprintf.c
glibc-master/stdio-common/test-vfprintf.c
glibc-master/stdio-common/tst-printf-round.c
glibc-master/stdio-common/tst-printf.c
glibc-master/stdio-common/tst-sprintf3.c
glibc-master/stdio-common/tst-printf.sh
glibc-master/stdio-common/tst-sprintf2.c
glibc-master/stdio-common/tst-sprintf.c
glibc-master/stdio-common/tst-obprintf.c
glibc-master/stdio-common/tst-wc-printf.c
glibc-master/stdio-common/tst-printfsz.c

Could you look into doing the same for printf?

I probably should...

please make these tests run in 3 modes:

ASAN_OPTIONS=check_printf=0
ASAN_OPTIONS=check_printf=1
ASAN_OPTIONS=""

we need to test that the flag affects the behavior and that it's default value is what we expect it to be.

(use FileCheck --check-prefix=CHECK-ON and --check-prefix=CHECK-OFF)

I actually changed my mind.
Please make if false by default for now.
After this patch is committed we'll test it a bit more before enabling by default.

Ok.

BTW how do you suggest the check_printf=0 case? In my understanding we'll have UB with absolutely unpredictable behavior...

That's not that bad.
If you allocate a heap block using asan's allocator,
the behavior of an uncheck-ed out-of-bounds read is quite predictable

I tend to agree but e.g. GCC team tends to reject tests that trigger UB. Also things like this tend to be rather unstable with respect to glibc/kernel versions.

I'll do this if you're adamant though.

According to the manual, field width can be "*", too. The number-or-star parsing logic could be factored out in a separate function.

This does not look right. %m in printf is a complete conversion specifier, it should end parsing of the current directive. And it seems like "m" could go into convSpecifier, and printErrno could be removed.

At this point allowGnuMalloc is true. It does not make sense for output to be true. Please remove this and instead check this invariant at the beginning of the functions (!(allowGnuMalloc && output)).

Are these guys ([...]) even allowed in printf?

Does it really need to be a macro?

According to the manual, field width can be "*", too

Yup, this is handled by dir->suppressed above)

The number-or-star parsing logic could be factored out in a separate function.

Agreed.

%m in printf is a complete conversion specifier, it should end parsing of the current directive

I agree that we are currently parsing a wider format language than really necessary. But same is true for %n in original scanf implementation and we didn't bother handling it.

I was under impression that pointers to va_list are not portable C but http://gcc.gnu.org/ml/gcc-help/1999-q3n/msg00283.html suggests that they're sane. I'll give it a try tomorrow.

Agreed.

No, they aren't. But why do you ask the question here?

And it seems like "m" could go into convSpecifier, and printErrno could be removed.

Agreed to this one, will fix.

Ok, even though standard kind of allows this, GCC has a long and famous history of pointers to va_list not working (see e.g. http://gcc.gnu.org/bugzilla/show_bug.cgi?id=14557). Looks like passing va_list by reference is unportable.

Oh, right. This is a bit confusing, could you add a separate field to FormatDirective instead of reusing "suppressed" here?

What's wrong with %n? We parse it as convSpecifier which can not have anything going after it.
It seems like simply changing the code here to

if (*p == 'm' && !output) {

dir->allocate=true;
++p;

}

would do the trick.

Then it would make sense to handle this case earlier, in format_parse_next. Probably not a big deal.

Already done. I've also decided to split format_parse_next to {printf,scanf}_parse_next because they are different enough.

Ok, should be fixed by splitting format_parse_next mentioned above.

It never returns null pointer.

maybe_parse_signed ?

Code duplication between scanf and printf parsers. Please factor this out.

True, just trying to be safe here.

My bad.

Will do.

Unless I'm missing something, you could use REAL(strlen)(str) here instead of calling *printf twice.

Should it be lengthModifier[0]?
Looks like a bug in the original code.

Hm but str isn't necessarily a string - it's just plain array of chars. I don't think we can call strlen on it.

1. Bug or some weird GNU scanf (mis)feature. Who is the author of this piece?
2. How do you guys normally treat situations when both change code and move it to a different place for clarity? Do you make two separate commits to make reviewers life easier?

I think *printf always end the output with a null character, and never print null in the middle, but I don't see a clear indication of that in the spec.

Me :)
I think it's a bug, it's meant to check that %p has no length modifier.
Two commits are good, but people often don't bother.
In this case it's ok to make the change in the same commit, or whatever is more convenient for you.

Sorry, I must be missing something... My intent with REAL(vname2) (which is actually REAL(vsnprintf)) is to estimate number of chars that will be written. 0 tells vsnprintf that it should not _write_ anything, only estimate number of chars. We could simply pass NULL instead of str and it wouldn't change anything. So why do you bother about str?

I'll update the code and see if tests seize to work then.

I'm just worried that it makes *printf quite a bit heavier - we now parse the format string 3 times (2 in libc *printf and 1 in our code). Alternatively, we could do 1 + 1, and then figure out the length of the resulting string with strlen() after the REAL *printf.

Agreed but then we may get stack overflow before Asan is able to react. Looks like a trade-off between speed and security. Does libsanitizer have general preference for any of those?

IMHO sprintf is already so slow that we may not need to bother so much.

Now I must be missing something. What would be the cause of stack overflow?

That would slow down sprintf (and snprintf, etc) by a factor of 1.5 (roughly speaking). That may be a big hit exactly because sprintf is so slow. I'm assuming that calculation the length of the output by passing 0 as size takes about the same time as actually formatting the output.

Now I must be missing something. What would be the cause of stack overflow?

A call to REAL(sprintf) with unchecked target buffer size.

That would slow down sprintf (and snprintf, etc) by a factor of 1.5 (roughly speaking).

Yup, as I said I agree that this adds a penalty. Let's see if we can now come to conclusion on buffer overflow part and see which one is more important.

I see. But that's the same call that the application does, i.e. the overflow would have happened without sanitizer, too. And we will most likely catch it, but after sprintf corrupts some memory.

I think its common to use the strlen way. Interceptors like strcat, strcpy call the real function without checking that the string is actually null-terminated, and examine the result afterwards.

we will most likely catch it, but after sprintf corrupts some memory.

After some internal fighting I have to agree with that. The claim would be wrong on platforms with ascending stacks but I'm unaware of any living instance (last I heard Aarch64 failed at that).

I think its common to use the strlen way.
Interceptors like strcat, strcpy call the real function
without checking

I see, so we favor perf indeed. I'll remove the first sprintf call then.

BTW do we mention somewhere on our wiki that our interceptors are not 100% secure?

vname2 can be removed

I don't think we claim anywhere that ASan is 100% reliable, or that it catches all the bugs ;)

Just use "%t 2>&1" to test it with default ASAN_OPTIONS.

I'd suggest to merge all these test cases into one, as we're really testing one thing here. That would save some lines of code and would make modifying and extending the test case easier, and the tests will run faster (you will compile/link a single binary instead of 5 binaries). You can control the printf(...) call you're testing with an argv. See TestCases/stack-buffer-overflow-with-position.cc

Could you match a file/line in the stack trace in error report? E.g. see TestCases/null_deref.cc

Just "#include", we don't seem to use "# " indentation in another places in this file.

Quick check: is it OK you will consume the first "-" in "--" string?

Please clarify in function name or comment why "0" or "-0" are unexpected.

remove empty line

Is it ok the code originally parsed only unsigned integers as the field width, but now it will treat "-9" as a field width "9"?

I don't like this diagnostics: we don't even print what this unknown specifier is. We should either do this, or silently exit.

same here.

This one is also const.

Ok.

I don't quite agree. Different tests trigger different types of memory errors so CHECKs will be different. Also printed messages in some tests differ.

Well, ok although I'd consider this an overkill.

+1

+1

%-- is invalid syntax anyway so I think it's ok.

This is Evegeny's code so I have no idea.

Ok.

Well, the spec does not mention that width in scanf must be positive but GNU scanf rejects negatives. I'll replace with parse_number.

This warning is mainly to inform us that we failed to parse some format spec and I think it's rather important for debugging purposes. What if I replace it with VReport(1, ...) ?

+1

Could it be different for printf vs scanf?

The warning is good, but to be useful it should print a bit more info. Otherwise in a big program it is not at all clear what to do about it.

Well, ok, leaving this to you. If you think that merging the cases would complicate things too much, leave it as is.

We generally don't want many internal frames from ASan runtime to appear in the error report. So it's nice to verify that error report looks somewhat like this:
#0 __interceptor_printf ....
#1 main printf-2.c:16

Alright, I agree that %-- is just invalid scanf/printf syntax and we may not necessarily parse it correctly, but now we move this to function "maybe_parse_signed", and its name doesn't tell much about this hidden assumptions ("-" consumed from "--", "0" results in NULL returned), so one could use it in a wrong way somewhere else. IMO It's better to specify this assumptions explicitly here.

See above

Closer study of scanf/printf spec reveals that width/precision are unsigned both for printf and scanf. But printf may have '-' or '+' flag in front of width.

Anyway I don't know why you check for <= 0 here.

The best solution would be to remember pointers to begin and end of specifier in format string. We can then use them to print specifier here.

Got it.

I agree that whole parse_number/parse_signed thing is a bit messy. Let me see if I can prettify it with next commit.

Ok, I got it: scanf is only allowed to have a non-zero width so this check needs to be moved to scanf_parse_next. All this syntax peculiarities are going to drive me crazy.

Can you please add a comment above describing why NOLINT is necessary here?

At least two spaces between the code and the comment, please (you'll need to reformat the rest of declarations)

Once again, what's the point of testing the default configuration? In this way you'll have to update the tests on a flag flip, is this really what we want? Can we remove it, or at least have a single test for default configuration?

q is always non-NULL

Please either make it a function (I see, va_list might be a problem), or name it as SKIP_SCALAR_ARG

I've submitted this part in r199724 (it's not directly related to printf interceptors).

This was my suggestion, I think this *is* what we want.

Yeah, I guess Kostya wants to explicitly test that printf checks are disabled by default for now.

+1

Will do.

I copy-pasted this from TEST(SanitizerCommonInterceptors, Scanf). Seems to work with NOLINT removed so I'll update the patch.

Likewise.