Bug Classes/Format string injection

From Linux Kernel Security Subsystem
Revision as of 22:17, 4 November 2015 by KeesCook

Details

When an attacker-supplied string is accidentally passed to format string parsing, the attacker can manipulate the resulting output. The write primitive available is the %n specifier, which writes to memory. All the other formats lead to information leaks.

Examples

Mitigations

  • Eliminate the use of %n
  • Detect non-const format strings at compile time (e.g. gcc's -Wformat-security)
  • Detect non-const format strings at run time (e.g. memory location checking done with glibc's -D_FORTIFY_SOURCE=2)
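
The bug pattern next to its fix, plus a small format-string audit for %n, as an added example that is not from the original page or from kernel code. It assumes userspace C with libc's snprintf standing in for a printf-style formatter; render_unsafe, render_safe and fmt_audit are hypothetical names, and the input string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bug class: caller-controlled text is parsed as the format string.
 * The pragmas only let this demo build where warnings are errors;
 * -Wformat-security is the warning that flags this call. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_unsafe(char *out, size_t len, const char *user)
{
    return snprintf(out, len, user);
}
#pragma GCC diagnostic pop

/* Fix: constant format; untrusted text is only ever an argument. */
static int render_safe(char *out, size_t len, const char *user)
{
    return snprintf(out, len, "%s", user);
}

/* Audit helper (hypothetical name): number of conversions in fmt,
 * or -1 if any of them is %n, including positional forms like %1$n. */
static int fmt_audit(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;                 /* ordinary text */
        if (*++p == '%')
            continue;                 /* literal "%%" */
        /* skip flags, positional index, width, precision, length */
        p += strspn(p, "-+ #'0123456789*$.hlqjztL");
        if (*p == '\0')
            return count;             /* truncated specification */
        if (*p == 'n')
            return -1;                /* the write primitive */
        count++;
    }
    return count;
}

int main(void)
{
    char a[64], b[64];
    const char *input = "100%% done";     /* constructed sample input */
    render_unsafe(a, sizeof a, input);    /* "%%" is parsed: "100% done" */
    render_safe(b, sizeof b, input);      /* copied verbatim: "100%% done" */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return fmt_audit("%08lx %hhn") == -1 ? 0 : 1;
}
```

The sample input uses only "%%", so the unsafe call consumes no arguments and stays well defined while still showing that the string was interpreted rather than copied.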