Format string vulnerabilities

Posted Feb 2, 2012 17:59 UTC (Thu) by csd (subscriber, #66784)
Parent article: Format string vulnerabilities

puts has been in place for this for a long time. Since printf actually... There is absolutely no need to ever use printf(str) to just print a string without interpreting it. It's faster too.


Format string vulnerabilities

Posted Feb 2, 2012 22:22 UTC (Thu) by khim (subscriber, #9252) [Link]

How can it be faster? It generates identical code:
$ echo 'void foo() { printf("%s\n", "bar"); }' | gcc -S -O2 -xc - -o- 
	.file	""
	.section	.rodata.str1.1,"aMS",@progbits,1
.LC0:
	.string	"bar"
	.text
	.p2align 4,,15
.globl foo
	.type	foo, @function
foo:
.LFB0:
	.cfi_startproc
	movl	$.LC0, %edi
	jmp	puts
	.cfi_endproc
.LFE0:
	.size	foo, .-foo
	.ident	"GCC: (Ubuntu 4.4.3-4ubuntu5) 4.4.3"
	.section	.note.GNU-stack,"",@progbits

Format string vulnerabilities

Posted Feb 2, 2012 23:16 UTC (Thu) by csd (subscriber, #66784) [Link]

I meant that the *implementation* of puts is faster than printf, as puts doesn't have to parse through the first param like printf does. In your example, gcc simply optimized the code into calling puts instead of printf, which it can only do for a very limited number of cases (e.g. with a fixed constant as the 1st param, which is not the case that this article covers). In this very similar example, you can see that the generated code is quite different and will be slower to run:

$ echo 'void foo() { extern char *str; printf(str, "bar"); } ; char * str = "%s\n";' | gcc -S -O2 -xc - -o-
	.file	""
<stdin>: In function ‘foo’:
<stdin>:1: warning: incompatible implicit declaration of built-in function ‘printf’
	.section	.rodata.str1.1,"aMS",@progbits,1
.LC0:
	.string	"bar"
	.text
	.p2align 4,,15
.globl foo
	.type	foo, @function
foo:
.LFB0:
	.cfi_startproc
	movq	str(%rip), %rdi
	movl	$.LC0, %esi
	xorl	%eax, %eax
	jmp	printf
	.cfi_endproc
.LFE0:
	.size	foo, .-foo
.globl str
	.section	.rodata.str1.1
.LC1:
	.string	"%s\n"
	.data
	.align 8
	.type	str, @object
	.size	str, 8
str:
	.quad	.LC1
	.ident	"GCC: (Ubuntu/Linaro 4.4.4-14ubuntu5) 4.4.5"
	.section	.note.GNU-stack,"",@progbits

So I'll restate my original statement to: "... In most cases, it's faster too"

Format string vulnerabilities

Posted Feb 3, 2012 5:30 UTC (Fri) by geofft (subscriber, #59789) [Link]

But they weren't printing a literal string, they were trying to modify a format string to prepend the name of the program, and call printf again. They did correctly pass the program name to a "%s", they just passed the result of that to another printf-family call, which caused the program name to be interpreted at that point.
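The pattern geofft describes, as an added illustration that is not part of this thread or of the article's code: the program name is substituted into a format string once, correctly, but the result is then handed to a second printf-family call as its format, so any '%' in the name is parsed there. The hardened version keeps the name out of the format entirely. The function names, the 256-byte buffer and the sample inputs are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: "%s: %s" consumes progname as data (fine), but the
 * assembled buffer is then used as the format of vfprintf, so a progname
 * such as "tool%s" is re-interpreted as a directive at that point. */
static void warn_unsafe(const char *progname, const char *fmt, ...)
{
    char buf[256];
    va_list ap;

    snprintf(buf, sizeof buf, "%s: %s", progname, fmt);   /* correct so far */
    va_start(ap, fmt);
    vfprintf(stderr, buf, ap);   /* BUG: buf, not fmt, is now the format */
    va_end(ap);
}

/* Hardened: progname is only ever an argument, never part of a format.
 * The prefix is written first, then the caller's literal fmt is applied
 * to the caller's own arguments.  Returns bytes written, or -1 on
 * truncation/error. */
static int warn_safe(char *out, size_t outsz, const char *progname,
                     const char *fmt, ...)
{
    va_list ap;
    int n, m;

    n = snprintf(out, outsz, "%s: ", progname);           /* progname is data */
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    va_start(ap, fmt);
    m = vsnprintf(out + n, outsz - (size_t)n, fmt, ap);   /* only fmt is a format */
    va_end(ap);
    if (m < 0 || (size_t)m >= outsz - (size_t)n)
        return -1;
    return n + m;
}

int main(int argc, char **argv)
{
    char line[256];
    const char *name = argc > 0 ? argv[0] : "prog";

    (void)warn_unsafe;   /* kept for comparison only; not called here */
    if (warn_safe(line, sizeof line, name, "cannot open %s", "x.txt") > 0)
        fputs(line, stderr);   /* the constructed message, printed as data */
    return 0;
}
```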


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds