Fix several messages mistreated as format strings #114970
Conversation
556f4dd started treating several messages as format strings. For example, we saw failing JIT asserts like ``` assert(m_size % TARGET_POINTER_SIZE == 0); ``` printed as ``` Assert failure(PID 38272 [0x00009580], Thread: 16904 [0x4208]): Assertion failed 'm_size 0X0.0027A801C8C01P-1022RGET_POINTER_SIZE == 0' ``` This fixes that case and others introduced in that PR found by audit.
|
Tagging subscribers to this area: @mangod9 |
There was a problem hiding this comment.
Pull Request Overview
This PR fixes issues where log messages were mistakenly treated as format strings, which led to formatting errors in debugging output.
- Updated minipal_log_print_info calls in frames.cpp and classcompat.cpp to include an explicit format string.
- Changed minipal_log_print_error calls in debug.cpp to use a format string, ensuring correct message display.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| src/coreclr/vm/frames.cpp | Updated minipal_log_print_info to explicitly pass a format string ("%s"). |
| src/coreclr/vm/classcompat.cpp | Updated minipal_log_print_info to explicitly pass a format string ("%s"). |
| src/coreclr/utilcode/debug.cpp | Updated minipal_log_print_error to explicitly pass a format string ("%s"). |
| @@ -2264,7 +2264,7 @@ static void DumpGCRefMap(const char *name, BYTE *address) | |||
| } | |||
| buf.AppendUTF8("\n"); | |||
|
|
|||
| minipal_log_print_info(buf.GetUTF8()); | |||
| minipal_log_print_info("%s", buf.GetUTF8()); | |||
There was a problem hiding this comment.
Using an explicit format string (%s) ensures that the logged message is formatted correctly instead of being misinterpreted as a format string.
Copilot uses AI. Check for mistakes.
| @@ -520,7 +520,7 @@ InteropMethodTableData *MethodTableBuilder::BuildInteropVTable(AllocMemTracker * | |||
| message.AppendUTF8((LPCUTF8) qb.Ptr()); | |||
| message.AppendUTF8("\n"); | |||
|
|
|||
| minipal_log_print_info(message.GetUTF8()); | |||
| minipal_log_print_info("%s", message.GetUTF8()); | |||
There was a problem hiding this comment.
The change to include a format string prevents the message from being incorrectly parsed as a format specifier.
| minipal_log_print_info("%s", message.GetUTF8()); | |
| minipal_log_print_info(message.GetUTF8()); |
Copilot uses AI. Check for mistakes.
| @@ -257,7 +257,7 @@ bool _DbgBreakCheck( | |||
| if (formattedMessages) | |||
| { | |||
| OutputDebugStringUtf8(formatBuffer); | |||
| minipal_log_print_error(formatBuffer); | |||
| minipal_log_print_error("%s", formatBuffer); | |||
There was a problem hiding this comment.
Passing a format string explicitly ensures that the error message from formatBuffer is displayed correctly without format string errors.
Copilot uses AI. Check for mistakes.
| @@ -489,7 +489,7 @@ void DECLSPEC_NORETURN __FreeBuildAssertFail(const char *szFile, int iLine, cons | |||
| OutputDebugStringUtf8(buffer.GetUTF8()); | |||
|
|
|||
| // Write out the error to the console | |||
| minipal_log_print_error(buffer.GetUTF8()); | |||
| minipal_log_print_error("%s", buffer.GetUTF8()); | |||
There was a problem hiding this comment.
The update ensures that the error message is printed correctly by using an explicit format string.
Copilot uses AI. Check for mistakes.
|
they minipal_log_print_* follows printf style formatting rules, so if we had a printf("%s", str) before we should have the same when using minpal_log_print_* API's. In case we have the buffer ready and there is no formatting needs, then using minipal_log_write is probably a better alternative since it doesn't handle format strings, just the raw buffer. |
|
The use of print instead of printf in the name originally came from Android naming of their logging API's, __android_log_print, that we use as our underlying implementation on Android, but if we think it will be safer to use printf, like minipal_log_printf_info then I can do that change to make things clearer that the API accepts a formatting string as its first argument. |
|
@lateralusX, |
#113916 changed several instances of
Hmm, I can change it, but I notice that
I think a name like that would be better, to make it harder to introduce these format string vulnerabilities. |
The minipal_log_write should use as low level API as possible since it is used in cases where we hit crashes or stack overflow scenarios or other sensitive places of the runtime, so idea is that it should be as async signal safe as possible, using the low level write API. This was mainly moved from low level runtime logging in utilcode primarily used by PrintToStdErrA. Since we originally used printf for all changed logging in this PR we can continue to go through minipal_log_print_* API. I also did an audit of the changes in #113916 and didn't find any additional places where it used "%s" in the past than already fixed in this PR. |
#113916 started incorrectly treating several messages as format strings. For example, we saw failing JIT asserts like
printed as
This fixes that case and others introduced in that PR found by audit.
These minipal APIs seem dangerous given that there is no indication in their names that they are taking a format string.