Chapter 4. Introduction to Format String Bugs
This chapter focuses on format string bugs in Linux, although this class of bug is not operating system–specific. In their most common form, format string bugs are a result of facilities for handling functions with variable arguments in the C programming language. Because it's really C that makes format string bugs possible, they affect every OS that has a C compiler, which is to say, almost every OS in existence.
For a discussion of precisely why format string bugs exist at all, see the "Why Did This Happen?" section at the end of this chapter.
Prerequisites
To understand this chapter, you will need a basic knowledge of the C family of programming languages, as well as a basic knowledge of IA32 assembly. A working knowledge of Linux would be useful, but is not essential.
What Is a Format String?
To understand what a format string is, you need to understand the problem that format strings solve. Most programs output textual data in some form, often including numerical data. Say, for example, that a program wanted to output a string containing an amount of money. The actual amount might be held within the program in the form of a double-precision floating-point number, like this:
double AmountInSterling;
Say the amount in pounds sterling is £30432.36. We would like to output the amount exactly as written—preceded by a pound sign (£), with a decimal point and two places after it. In the absence of format strings, we would have to write a fairly ...
Get The Shellcoder's Handbook: Discovering and Exploiting Security Holes, Second Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
