https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72783
Bug ID: 72783
Summary: Fortify scanf %s, %[ conversion specifiers
Product: gcc
Version: 7.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: fw at gcc dot gnu.org
CC: msebor at gcc dot gnu.org
Target Milestone: ---

A somewhat common source of buffer overflows are %s and %[ conversions in scanf parsers, where the input string (and the extracted region) are larger than the supplied target buffer. A typical example for this category of bugs is CVE-2014-0004, which was fixed thusly:

https://cgit.freedesktop.org/udisks/commit/?id=244967

There are various ways to add hardening against this.

If the length of the target buffer is known at compile time, it can be encoded in the format string, but this results in silent truncation.

It is possible to specify the m flag and copy the result string to the actual target buffer with length checking, and then free the temporary buffer.

The format string could be rewritten to include a new flag (say M) which indicates that instead of a single char * argument, there is a char * argument followed by the object size (in size_t). This approach at least needs a new function attribute and needs to be coordinated with glibc. It is probably the cleanest approach, but it is difficult to backport (at least for RPM-based distributions) because it will result in a new symbol version for the *scanf functions.
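To make the first two hardening options concrete, here is an added example (not code from the bug report, udisks, or glibc) that reads one whitespace-delimited token into an 8-byte buffer three ways: the unbounded %s the report warns about, the width-limited form that truncates silently, and the POSIX %ms form copied back with an explicit length check. The function names, BUFSZ and the input strings are constructed for this example; %ms requires a POSIX.1-2008 libc such as glibc.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 8   /* constructed target buffer size for the example */

/* Unbounded %s: if the token is longer than BUFSZ-1 bytes this writes past
 * `out`. This is the CVE-2014-0004 pattern from the report, kept only for
 * comparison; it is never called on oversized input here. */
int read_unbounded(const char *input, char out[BUFSZ])
{
    return sscanf(input, "%s", out);
}

/* Option 1: width encoded in the format ("%7s" for an 8-byte buffer).
 * Memory-safe, but a longer token is silently cut at 7 bytes and the
 * remainder is left unread in the input. */
int read_truncating(const char *input, char out[BUFSZ])
{
    return sscanf(input, "%7s", out);
}

/* Option 2: the m flag makes scanf allocate a buffer big enough for the
 * whole token; copy it into `out` only if it fits, then free it.
 * Returns 1 on success, 0 if no token was read, -1 if the token does not fit
 * (out is set to "" in that case so the caller never sees a partial token). */
int read_checked(const char *input, char out[BUFSZ])
{
    char *tmp = NULL;
    int rc;
    if (sscanf(input, "%ms", &tmp) != 1)
        return 0;                      /* EOF or conversion failure */
    size_t n = strlen(tmp);
    if (n < BUFSZ) {
        memcpy(out, tmp, n + 1);       /* includes the terminating NUL */
        rc = 1;
    } else {
        out[0] = '\0';
        rc = -1;                       /* report overflow instead of truncating */
    }
    free(tmp);
    return rc;
}
```

The length check in read_checked is the piece that a fortified %s would have to perform on the caller's behalf, which is why the report's third option needs the object size passed alongside the pointer.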