Bug Classes/Format string injection

From Linux Kernel Security Subsystem
Revision as of 22:29, 12 April 2016 by KeesCook (Examples)


When an attacker-supplied string is accidentally passed as the format argument of a printf-style function, the attacker controls how that function parses its arguments and therefore what it outputs. The only write primitive is the %n specifier, which stores the number of characters written so far through a pointer taken from the argument list. Every other specifier only reads, so all the other formats lead to information leaks (arguments that were never passed are simply read from the stack or registers).

Mitigations:

  • Eliminate the use of %n (the Linux kernel's own vsnprintf() ignores it, and userspace code almost never needs it)
  • Detect non-constant format strings at compile time (e.g. gcc's -Wformat-security, which warns when the format argument is not a string literal and no further arguments are passed; it only takes effect together with -Wformat, and -Werror=format-security turns the warning into a build failure)
  • Detect non-constant format strings at run time (e.g. glibc's -D_FORTIFY_SOURCE=2, under which the checked printf functions abort when a format string containing %n lives in writable memory)
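The following C program is an added illustration of the bug class and the mitigations listed above; it is not code from this wiki or from the kernel. log_vuln() is the defective pattern, log_fixed() the usual repair, and fmt_check()/log_vetted() are a hypothetical policy check for the rare case where a non-constant format cannot be avoided: the string is walked the way a printf() implementation would walk it, %n is refused outright, and the caller compares the conversions found against the arguments it actually intends to pass. The "100%% done" input is a constructed stand-in for attacker-controlled text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Walk a candidate format string the way printf() would: count the arguments
 * it would consume and record each conversion character in convs[] ('*' for a
 * width or precision taken from an argument).  convs may be NULL to count
 * only.  Returns the count, or -1 for %n (the only specifier that writes
 * memory), for a '%' truncated at the end of the string, or when convs[] is
 * too small.  This is a hypothetical vetting helper, not a libc facility.
 */
int fmt_check(const char *fmt, char *convs, size_t convs_len)
{
    size_t n = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%": literal percent, no argument */
            continue;
        /* flags, field width, precision and h/l/ll/L/q/j/z/t length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*') {                /* width/precision comes from an argument */
                if (convs && n >= convs_len)
                    return -1;
                if (convs)
                    convs[n] = '*';
                n++;
            }
            p++;
        }
        if (*p == '\0' || *p == 'n')        /* truncated '%', or the write primitive */
            return -1;
        if (convs && n >= convs_len)
            return -1;
        if (convs)
            convs[n] = *p;
        n++;
    }
    return (int)n;
}

/* Vulnerable: untrusted text becomes the format.  A "%x %x ..." payload reads
 * argument slots that were never passed (information leak) and "%n" writes
 * through a pointer found there.  gcc -Wformat-security flags this call. */
int log_vuln(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, untrusted);
}

/* Fixed: the format is a constant and the untrusted text is an argument. */
int log_fixed(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "%s", untrusted);
}

/* Non-constant format that cannot be avoided (e.g. an operator-supplied
 * template): accept it only if it consumes exactly one %s, matching the
 * single string argument this function supplies. */
int log_vetted(char *out, size_t outlen, const char *fmt, const char *arg)
{
    char convs[2];

    if (fmt_check(fmt, convs, sizeof convs) != 1 || convs[0] != 's')
        return -1;                          /* %n, arity or type mismatch */
    return snprintf(out, outlen, fmt, arg);
}

int main(void)
{
    char out[64];
    const char *untrusted = "100%% done";   /* constructed attacker input */

    log_vuln(out, sizeof out, untrusted);
    printf("vulnerable: \"%s\"\n", out);   /* the %% was parsed: "100% done" */
    log_fixed(out, sizeof out, untrusted);
    printf("fixed:      \"%s\"\n", out);   /* data stays data: "100%% done" */
    printf("vetted \"%%n\" template: %d\n", log_vetted(out, sizeof out, "%n", "x"));
    return 0;
}
```

Build it with `gcc -Wall -Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2` to see both listed mitigations in action: the compiler warns on the snprintf() inside log_vuln(), and at run time glibc's fortified printf functions abort if a %n reaches them from a writable buffer. The well-defined "%%" input is used for the demonstration because feeding "%x" or "%n" to log_vuln() is undefined behaviour whose effect depends on the calling convention and stack layout, which is exactly why the bug is exploitable.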