This simple module audits your perl and looks for all non-literal sprintf/printf formats. They might be vulnerable to an overflow bug in perls older than 5.8.8.

I haven't had a chance to try this out yet but thought I'd just post it and amend later if and when I find bugs.

See "Searching for sprintf() bug exploit opportunities in core and CPAN modules" for some results after I started auditing my local code using this module.

package SprintfBugChecker;

use B 'OPf_STACKED';
use B::Utils qw( walkallops_filtered opgrep carp );

# Runs after the whole program has been compiled, so every sprintf/printf
# op in main and in named subs has been built by then.
CHECK { check() }

sub check {
    walkallops_filtered(
        \&is_non_literal_sprintf_format,
        \&report_non_literal_sprintf_format
    );
    return;
}

# Matches a sprintf op, or a printf ('prtf') op, whose format operand is
# anything other than a constant.  For printf with a filehandle
# (OPf_STACKED) the format is one sibling further along, after the handle.
sub is_non_literal_sprintf_format {
    no warnings;
    my $op   = shift;
    my $name = eval { $op->oldname };

    if ( $name eq 'sprintf' ) {
        return opgrep( { first => { sibling => { name => [qw[! const]] } } }, $op );
    }
    elsif ( $name eq 'prtf' ) {
        if ( $op->flags & OPf_STACKED ) {
            return opgrep(
                { first => { sibling => { sibling => { name => [qw[! const]] } } } },
                $op
            );
        }
        else {
            return opgrep( { first => { sibling => { name => [qw[! const]] } } }, $op );
        }
    }
    return;
}

sub report_non_literal_sprintf_format {
    warn("Danger! Danger Will Robinson! at $B::Utils::file line $B::Utils::line.\n");
    return;
}

"Ye olde true value."
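An added example, not part of diotalevi's post, showing what the module reports and what it lets through, plus the escaping a practitioner would apply when a format really must be assembled at run time. It assumes SprintfBugChecker.pm from above is in the current directory and that B::Utils is installed; the file name, the sub name bad_formats and the sample input string are constructed for the demonstration.

```perl
#!/usr/bin/perl
# sprintf_audit_demo.pl: constructed sample input for SprintfBugChecker.
# Run as:  perl -I. -MSprintfBugChecker sprintf_audit_demo.pl
# The CHECK block walks the compiled optree, so the calls inside
# bad_formats() are reported even though that sub is never invoked.
use strict;
use warnings;

# Untrusted text standing in for a request parameter (constructed).
# A huge field width like this is what tickles the pre-5.8.8 overflow,
# so the sub that uses it as a format is defined but deliberately not called.
my $user_input = '%999999999d';

sub bad_formats {
    my $fmt = "Hello, $user_input\n";       # attacker text becomes the format
    my $s   = sprintf( $fmt, 42 );          # reported: format operand is not a const op
    printf( $fmt, 42 );                     # reported: same, via printf
    printf STDERR $fmt, 42;                 # reported: filehandle form (OPf_STACKED)
    return $s;
}

# --- not reported: the format is a string literal, data is an argument ---
my $greeting = sprintf( "Hello, %s\n", $user_input );
print $greeting;                            # prints the '%999999999d' text verbatim

# --- when a format really has to be assembled at run time ---
# Escape every '%' in untrusted text first, so the width/precision parser
# never sees attacker-chosen conversions.  The checker still reports this
# call (the format is a concat op, not a const), which is what you want
# from an audit tool: a reviewer has to confirm the escaping by hand.
( my $escaped = $user_input ) =~ s/%/%%/g;
my $assembled = sprintf("Hello, $escaped\n");
print $assembled;                           # "Hello, %999999999d"
```

Running it prints three "Danger! Danger Will Robinson!" warnings for the lines in bad_formats and one for the $assembled line, all at CHECK time before the first print executes; the two literal-format calls produce no warning.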

Re: Experimental sprintf overflow bug detector
by jkva (Chaplain) on Dec 02, 2005 at 10:56 UTC

    As requested by diotalevi I attempted to write a script that utilized this in order to automatically check the perl libraries.

    It did not work out the way I wanted; heck, I can't seem to figure out how his script works. Here is the code; I sincerely hope someone else can make something useful out of it. Yes, I really don't know what I am doing. This is still over my head.

    It searches @INC and generates a nice list of .pl .pm and .cgi files.

    #!/usr/bin/perl
    ######################################################################
    #
    # Harness to automate searching for sprintf() bug exploit
    # opportunities in core and CPAN modules, see PM node 513527
    # Written on 02-12-2005. Yes, it took me way too long.
    #
    # Yes, this code sucks. Yes, I am new here. And yes, I warned you. ;)
    #
    ######################################################################

    use strict;
    use warnings;
    use File::Find;
    use SprintfBugChecker;   # installs the CHECK block; it only inspects code compiled in this process

    my @found = ();

    # File::Find::find() already recurses into subdirectories, so one call
    # per @INC entry is enough; pushing subdirectories onto a separate work
    # list as well would walk each of them a second time.
    find( \&wanted, $_ ) for grep { -d } @INC;

    sub wanted {
        my $hit = $File::Find::name;                               # found file
        return if -d $hit;                                         # skip directories
        push @found, $hit if $hit =~ m/\w+(\.pm|\.pl|\.cgi)$/;     # file with an extension we want
    }

    print "$_\n" for @found;

    exit 0;
    -- Detonite
Re: Experimental sprintf overflow bug detector
by dragonchild (Archbishop) on Dec 02, 2005 at 03:39 UTC
    I haven't done any checking, but what is the bug, exactly?

    My criteria for good software:
    1. Does it work?
    2. Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
      Integer overflow: "%999999999d"