Subject: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: None <tech-userlevel@netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-userlevel
Date: 09/11/2000 10:04:37
As many of you are well aware, there has been a recent spate of
security vulnerabilities discovered as a result of applications
allowing untrusted data to end up as a format string.

All known non-denial-of-service format string exploits involve the use
of the %n specifier, which pulls an argument out of the argument list,
interprets it as an (int *), and stores the character count of the
current output into it.  

Given an untrusted format string, this can often be twisted into
overwriting arbitrary locations in a process's memory.  

The %n format specifier is not used very often -- I've been unable to
find any use of it within the NetBSD source tree.

Because it is used so infrequently, I'd like to *disable* the %n
format in userland by default.  If a %n format is encountered when the
format is disabled, the *printf functions will instead print an error
to stderr (and possibly syslog as well) and call abort().

Applications which need to use %n can call some TBD function along the
lines of:

	printf_enable_n();

to reenable the %n format directive.
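As an added illustration of the policy proposed above (example code written for this page, not code from the proposal or from NetBSD's libc): a scanner that counts %n conversions in a format string, skipping "%%", positional "N$" prefixes, flags, width, precision and length modifiers, plus a guarded snprintf wrapper that refuses to format when %n is present and the directive has not been re-enabled. The names count_n_conversions, guarded_snprintf and printf_disable_n, and the choice to return an error instead of calling abort() as the proposal describes, are assumptions made for this example so the behaviour can be checked in a test.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Process-wide switch mirroring the proposal: %n is off by default. */
static int printf_n_enabled = 0;

void printf_enable_n(void)  { printf_n_enabled = 1; }
void printf_disable_n(void) { printf_n_enabled = 0; }   /* assumed helper */

/* Return the number of %n conversions in fmt.  "%%" is a literal percent
 * and is skipped; a positional prefix ("%2$"), flags, width, precision
 * and length modifiers are stepped over so "%-08.3ln" is still seen as %n. */
int count_n_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            break;                      /* dangling '%' at end of string */
        if (*p == '%')
            continue;                   /* "%%" -> literal percent sign */

        /* optional positional argument prefix: digits followed by '$' */
        const char *q = p;
        while (*q >= '0' && *q <= '9')
            q++;
        if (q > p && *q == '$')
            p = q + 1;

        while (*p && strchr("-+ #0'", *p)) p++;                         /* flags */
        while (*p && (*p == '*' || (*p >= '0' && *p <= '9'))) p++;      /* width */
        if (*p == '.') {                                                /* precision */
            p++;
            while (*p && (*p == '*' || (*p >= '0' && *p <= '9'))) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;                        /* length */

        if (*p == '\0')
            break;
        if (*p == 'n')
            count++;
    }
    return count;
}

/* Like snprintf, but if fmt contains %n while the directive is disabled,
 * write an empty string, report to stderr and return -1 without formatting.
 * (The proposal calls abort() at this point; returning an error keeps the
 * example testable.) */
int guarded_snprintf(char *buf, size_t len, const char *fmt, ...)
{
    if (!printf_n_enabled && count_n_conversions(fmt) > 0) {
        if (len > 0)
            buf[0] = '\0';
        fprintf(stderr, "guarded_snprintf: %%n directive is disabled\n");
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return r;
}

int main(void)
{
    char buf[64];
    int chars = 0;

    printf("plain format: %d\n", guarded_snprintf(buf, sizeof buf, "%s=%d", "x", 5));
    printf("%%n disabled: %d\n", guarded_snprintf(buf, sizeof buf, "abc%n", &chars));
    printf_enable_n();
    printf("%%n enabled: %d (stored %d)\n",
           guarded_snprintf(buf, sizeof buf, "abc%n", &chars), chars);
    return 0;
}
```

The scan runs before any argument is consumed, so a format string that arrived from untrusted input is rejected on inspection alone; only callers that have explicitly opted in through printf_enable_n() ever reach vsnprintf with a %n directive.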

Comments?

						- Bill