Commit 9196436a authored by Kees Cook's avatar Kees Cook Committed by Linus Torvalds

vsprintf: ignore %n again

This ignores %n in printf again, as was originally documented.
Implementing %n poses a greater security risk than utility, so it should
stay ignored.  To help anyone attempting to use %n, a warning will be
emitted if it is encountered.

Based on an earlier patch by Joe Perches.

Because %n was designed to write to pointers on the stack, it has been
frequently used as an attack vector when bugs are found that leak
user-controlled strings into functions that ultimately process format
strings.  While this class of bug can still be turned into an
information leak, removing %n eliminates the common method of elevating
such a bug into an arbitrary kernel memory writing primitive,
significantly reducing the danger of this class of bug.

For seq_file users that need to know the length of a written string for
padding, please see seq_setwidth() and seq_pad() instead.
Signed-off-by: default avatarKees Cook <>
Cc: Joe Perches <>
Cc: Tetsuo Handa <>
Cc: David Miller <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent 652586df
......@@ -1712,18 +1712,16 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
u8 qualifier = spec.qualifier;
* Since %n poses a greater security risk than
* utility, ignore %n and skip its argument.
void *skip_arg;
if (qualifier == 'l') {
long *ip = va_arg(args, long *);
*ip = (str - buf);
} else if (_tolower(qualifier) == 'z') {
size_t *ip = va_arg(args, size_t *);
*ip = (str - buf);
} else {
int *ip = va_arg(args, int *);
*ip = (str - buf);
WARN_ONCE(1, "Please remove ignored %%n in '%s'\n",
skip_arg = va_arg(args, void *);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment