diff --git a/lib/libc/gen/setproctitle.3 b/lib/libc/gen/setproctitle.3 index eed8f810af9b..15538d52f825 100644 --- a/lib/libc/gen/setproctitle.3 +++ b/lib/libc/gen/setproctitle.3 @@ -25,8 +25,7 @@ .Dt SETPROCTITLE 3 .Sh NAME .Nm setproctitle -.Nd set the process title for -.Xr ps 1 +.Nd set process title .Sh SYNOPSIS .Fd #include .Fd #include @@ -99,3 +98,17 @@ stole the idea from the .Sy "Sendmail 8.7.3" source code by .An Eric Allman Aq eric@sendmail.org . +.Sh BUGS +Never pass a string with user-supplied data as a format without using +.Ql %s . +An attacker can put format specifiers in the string to mangle your stack, +leading to a possible security hole. +This holds true even if the string was built using a function like +.Fn snprintf , +as the resulting string may still contain user-supplied conversion specifiers +for later interpolation by +.Fn setproctitle . +.Pp +Always use the proper secure idiom: +.Pp +.Dl setproctitle("%s", string); diff --git a/lib/libc/gen/syslog.3 b/lib/libc/gen/syslog.3 index a2763234f4fb..7513d6018191 100644 --- a/lib/libc/gen/syslog.3 +++ b/lib/libc/gen/syslog.3 @@ -280,3 +280,17 @@ syslog(LOG_INFO|LOG_LOCAL2, "foobar error: %m"); These functions appeared in .Bx 4.2 . +.Sh BUGS +Never pass a string with user-supplied data as a format without using +.Ql %s . +An attacker can put format specifiers in the string to mangle your stack, +leading to a possible security hole. +This holds true even if the string was built using a function like +.Fn snprintf , +as the resulting string may still contain user-supplied conversion specifiers +for later interpolation by +.Fn syslog . +.Pp +Always use the proper secure idiom: +.Pp +.Dl syslog("%s", string); diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3 index 30b02a653300..590c1c0bfddb 100644 --- a/lib/libc/stdio/printf.3 +++ b/lib/libc/stdio/printf.3 @@ -664,3 +664,17 @@ For safety, programmers should use the .Fn snprintf interface instead. Unfortunately, this interface is not portable. +.Pp +Never pass a string with user-supplied data as a format without using +.Ql %s . +An attacker can put format specifiers in the string to mangle your stack, +leading to a possible security hole. +This holds true even if the string was built using a function like +.Fn snprintf , +as the resulting string may still contain user-supplied conversion specifiers +for later interpolation by +.Fn printf . +.Pp +Always use the proper secure idiom: +.Pp +.Dl snprintf(buffer, sizeof(buffer), "%s", string);