3.3 format string vulnerabilities

[normster]

I think this paragraph could be explained a bit more clearly:

When the printf() function executes, it looks for a format string modifier denoted by a “%” in its first argument located 4 bytes above the RIP of printf(). If it finds the modifier, it then looks 8 bytes above the RIP for the “actual” argument (i.e. what the format modifier will be acting upon).

1. The address of the first argument, not the first argument itself, is located 4 bytes above the RIP
2. "actual" is a little vague, would it be more accurate to say second argument or first modifier argument?
3. In this case 8 bytes above RIP coincidentally points to the (middle of the) first argument to printf but this isn't generally true.

[ashmchiu]

Could you clarify what you mean by 3? At least in the way that we teach this course, each argument passed onto the stack is 4 bytes, so 8 bytes above the RIP of printf would give the first argument to be consumed (skipping the address of the format string).

[normster]

Ah I just meant that it's a coincidence here that printf tries to read the second argument from the middle of the first argument. I wonder if it might be more straightforward to start the section walking through a "normal" example of what happens when printf is called correctly with the appropriate arguments passed in.

[ashmchiu]

Ah, as in the fact that the format string specifiers (that start with %) will be in the middle of the first argument? Pretty sure that's by design though because only the format string specifiers in the format string (which is dereferenced via the first argument) will be utilized. So there's either only just one argument to printf (and no % in the string that's dereferenced from that argument), or there's many, and the subsequent arguments to printf are consumed via the format string specifiers within the format string.
I think I might still be misunderstanding, feel free to clarify though -- we should definitely clarify the wording here, I agree with that!