Module cwe_checker_lib::checkers::cwe_134

Expand description

This module implements a check for CWE-134: Use of Externally-Controlled Format String.

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

See https://cwe.mitre.org/data/definitions/134.html for a detailed description.

How the check works

Using forward dataflow analysis we search for external symbols that take a format string as an input parameter. (e.g. sprintf). Then we check the content of the format string parameter and if it is not part of the global read only memory of the binary, a CWE warning is generated.

Symbols configurable in config.json

symbols that take a format string parameter.

False Positives

The input was externally provided on purpose and originates from a trusted source.
A pointer target could be lost but the format string was not externally provided.

Structs

Config
The configuration struct

Enums

StringLocation
The categorization of the string location based on kinds of different memory.

Statics

CWE_MODULE
The module name and version

Functions

check_cwe
This check searches for external symbols that take a format string as an input parameter. It then checks whether the parameter points to read only memory. If not, a CWE warning is generated.