This chapter focuses on format string bugs in Linux, although this class of bug is not operating system–specific. In their most common form, format string bugs are a result of the C language's facilities for functions that take a variable number of arguments (variadic functions). Because it is really C that makes format string bugs possible, they affect every OS that has a C compiler, which is to say, almost every OS in existence.
For a discussion of precisely why format string bugs exist at all, see the "Why Did This Happen?" section at the end of this chapter.
To understand this chapter, you will need a basic knowledge of the C family of programming languages, as well as a basic knowledge of IA32 assembly. A working knowledge of Linux would be useful, but is not essential.
To understand what a format string is, you need to understand the problem that format strings solve. Most programs output textual data in some form, often including numerical data. Say, for example, that a program wanted to output a string containing an amount of money. The actual amount might be held within the program in the form of a double-precision floating-point number (a C double).
Say the amount in pounds sterling is £30432.36. We would like to output the amount exactly as written—preceded by a pound sign (£), with a decimal point and two places after it. In the absence of format strings, we would have to write a fairly ...
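The money-formatting task above, worked through in C as an added example that is not part of the chapter's own code. It shows the one-line solution a format string gives, the hand-rolled digit conversion you would otherwise have to write, and the property that the rest of the chapter depends on: the format is a literal chosen by the programmer, and untrusted text only ever travels as an argument. The function names (format_pounds, format_pounds_by_hand, print_user_text) are hypothetical; the amount 30432.36 is the chapter's.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the chapter. Function names are hypothetical. */

/* With a format string: one literal format, and the %.2f conversion pulls
 * the double off the variadic argument list. Returns what snprintf reports. */
int format_pounds(double amount, char *out, size_t outlen) {
    return snprintf(out, outlen, "£%.2f", amount);
}

/* Without format strings the digit conversion is ours to write.
 * Writes the decimal digits of v into out (no terminator), returns count. */
static size_t put_digits(unsigned long long v, char *out) {
    char tmp[24];
    size_t n = 0;
    do {
        tmp[n++] = (char)('0' + v % 10);   /* least significant digit first */
        v /= 10;
    } while (v > 0);
    for (size_t i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i];           /* reverse into reading order */
    return n;
}

/* Round to the nearest penny, split pounds from pence, emit by hand.
 * Returns the length written, or -1 if the caller's buffer is too small. */
int format_pounds_by_hand(double amount, char *out, size_t outlen) {
    char tmp[40];                          /* sign + "£" + 20 digits + ".pp" + NUL fits */
    size_t n = 0;
    int negative = amount < 0.0;
    if (negative) amount = -amount;
    unsigned long long pence = (unsigned long long)(amount * 100.0 + 0.5); /* round half up */
    if (negative) tmp[n++] = '-';
    memcpy(tmp + n, "£", 2);               /* "£" is two bytes in UTF-8 */
    n += 2;
    n += put_digits(pence / 100, tmp + n);
    tmp[n++] = '.';
    tmp[n++] = (char)('0' + (pence % 100) / 10);
    tmp[n++] = (char)('0' + pence % 10);
    tmp[n] = '\0';
    if (n + 1 > outlen) return -1;
    memcpy(out, tmp, n + 1);
    return (int)n;
}

/* The format is a literal; the untrusted text is only an argument.
 * printf(text) would hand the caller of this program control of the format,
 * which is the bug class this chapter is about. */
void print_user_text(const char *text) {
    printf("%s\n", text);
}

int main(void) {
    char buf[32];
    format_pounds(30432.36, buf, sizeof buf);
    puts(buf);                             /* £30432.36 */
    format_pounds_by_hand(30432.36, buf, sizeof buf);
    puts(buf);                             /* £30432.36 */
    print_user_text("%x %x %x");           /* printed literally, not interpreted */
    return 0;
}
```

Both routines agree on the chapter's amount; the hand-rolled one is already several times longer than the snprintf call and still handles only one currency and one fixed precision, which is exactly the convenience that makes format strings so pervasive. Note that the cost of that convenience is a variadic call in which only the format string says how many arguments to read and of what type, so that string must never come from the user.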