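---
# Semgrep rule: format-string bugs (CWE-134) in C/C++.
#
# Reports calls to the printf, scanf, syslog and err/warn function families
# whose format-string argument is anything other than a string literal.
# The calls are grouped by the position of the format argument (1st, 2nd or
# 3rd), and each group's `pattern-not` drops the calls where the argument at
# that position is a literal ("...").
#
# Remediation for a finding: keep the format constant and pass the data as an
# argument, e.g. printf("%s", s) rather than printf(s).
#
# Known limits: a format held in a variable may still be reported even when
# the variable only ever holds a constant (this depends on Semgrep's constant
# propagation), so review such findings manually; custom va_list wrappers are
# not matched (see the NOTE under metadata).
rules:
  - id: raptor-format-string-bugs
    metadata:
      author: Marco Ivaldi <raptor@0xdeadbeef.info>
      references:
        - https://cwe.mitre.org/data/definitions/134
        - https://julianor.tripod.com/bc/formatstring-1.2.pdf
        - http://phrack.org/issues/70/13.html#article
        - https://g.co/kgs/PCHQjJ
        - https://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-2016-v01.pdf
      # Weakness class the rule targets (same CWE as the first reference).
      cwe:
        - "CWE-134: Use of Externally-Controlled Format String"
      category: security
      # MEDIUM: the rule only excludes literal formats, so non-literal but
      # trusted formats (e.g. a constant passed through a variable) can be
      # reported.
      confidence: MEDIUM
      # NOTE: generic va_list matching for custom functions is not covered.
      # NOTE: see also cpp.format-string.*.
    message: >-
      The software uses a function that accepts a format string as an argument,
      but the format string originates from an external source. This can lead
      to buffer overflows, denial of service, or data representation problems.
    severity: ERROR
    languages:
      - c
      - cpp
    pattern-either:
      # format string in 1st arg
      - patterns:
          - pattern-either:
              # printf family
              - pattern: printf(...)
              - pattern: vprintf(...)
              - pattern: wprintf(...)
              - pattern: vwprintf(...)
              - pattern: vcprintf(...)
              - pattern: vcwprintf(...)
              - pattern: vscprintf(...)
              - pattern: vscwprintf(...)
              - pattern: printk(...)
              # scanf family
              - pattern: scanf(...)
              - pattern: vscanf(...)
              - pattern: wscanf(...)
              - pattern: vwscanf(...)
              # err/warn family
              - pattern: warn(...)
              - pattern: vwarn(...)
              - pattern: warnx(...)
              - pattern: vwarnx(...)
          # a literal in the 1st argument cannot be attacker-controlled
          - pattern-not: $FUN("...", ...)
      # format string in 2nd arg
      - patterns:
          - pattern-either:
              # printf family
              - pattern: fprintf(...)
              - pattern: vfprintf(...)
              - pattern: fwprintf(...)
              - pattern: vfwprintf(...)
              - pattern: sprintf(...)
              - pattern: vsprintf(...)
              - pattern: asprintf(...)
              - pattern: vasprintf(...)
              - pattern: dprintf(...)
              - pattern: vdprintf(...)
              - pattern: wsprintf(...)
              # scanf family
              - pattern: fscanf(...)
              - pattern: vfscanf(...)
              - pattern: fwscanf(...)
              - pattern: vfwscanf(...)
              - pattern: sscanf(...)
              - pattern: vsscanf(...)
              - pattern: swscanf(...)
              - pattern: vswscanf(...)
              # syslog family
              - pattern: syslog(...)
              - pattern: vsyslog(...)
              # err/warn family
              - pattern: err(...)
              - pattern: verr(...)
              - pattern: errx(...)
              - pattern: verrx(...)
              - pattern: warnc(...)
              - pattern: vwarnc(...)
          # a literal in the 2nd argument cannot be attacker-controlled
          - pattern-not: $FUN($ARG1, "...", ...)
      # format string in 3rd arg
      - patterns:
          - pattern-either:
              # printf family
              - pattern: snprintf(...)
              - pattern: vsnprintf(...)
              - pattern: swprintf(...)
              - pattern: vswprintf(...)
              # err/warn family
              - pattern: errc(...)
              - pattern: verrc(...)
          # a literal in the 3rd argument cannot be attacker-controlled
          - pattern-not: $FUN($ARG1, $ARG2, "...", ...)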