Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

flawfinder mischaracterizes printf -> vprintf style #28

Open
zyga opened this issue Jan 8, 2021 · 3 comments
Open

flawfinder mischaracterizes printf -> vprintf style #28

zyga opened this issue Jan 8, 2021 · 3 comments

Comments

@zyga
Copy link

zyga commented Jan 8, 2021

I've tried flawfinder on my zt library:

zt.c:47:  [4] (format) vfprintf:
  If format strings can be influenced by an attacker, they can be exploited
  (CWE-134). Use a constant for the format specification.

This refers to https://github.com/zyga/libzt/blob/main/zt.c#L47 - reproduced below for simplicity:

static void zt_logv(FILE* stream, zt_location loc, const char* fmt, va_list ap)
{
    if (stream != NULL) {
        if (loc.fname != NULL && loc.lineno != 0) {
            fprintf(stream, "%s:%d: ", loc.fname, loc.lineno);
        }
        vfprintf(stream, fmt, ap); /* This is line 47 */
        fprintf(stream, "\n");
    }
}

This function is used inside zt_logf reproduced below:

static void zt_logf(FILE* stream, zt_location loc, const char* fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    zt_logv(stream, loc, fmt, ap);
    va_end(ap);
}

This is a common pattern in C, where a printf like function calls into vprintf like function.

It is technically true that vfprintf(stream, fmt, ap) requires agreement between fmt and ap but this is unavoidable in this specific case.
@david-a-wheeler
Copy link
Owner

Flawfinder is a lexing-only tool, so I don't see how we can handle this case.

To do more requires actually reading the code into some sort of data structure, which is obviously possible but not how flawfinder works.

@zyga
Copy link
Author

zyga commented Jan 11, 2021

Perhaps such suggestion should not be emitted? If the diagnostic message is associated with vfprintf will it ever be correct to pass ap but take literal string as fmt? I think the suggestion is over-applied from printf or fprintf but no longer applies in vfprintf.

@david-a-wheeler
Copy link
Owner

Oh, it definitely applies. If the fmt is from an attacker, the attacker could use %n to write to arbitrary memory, or reveal data that's not supposed to be revealed. If that's less likely we could reduce its risk level to say 3 instead of 4. Unfortunately, a lexically-based tool like flawfinder has no way to determine if the fmt is controlled by an attacker or not; that would require interprocedural flow control, and even then it's often impossible to tell (you also need to know which inputs are trusted, which is typically not information you can derive just from the source code).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zyga @david-a-wheeler