Exposure of memory addresses that may defeat ASLR

ID

c.memory_management.memory_address_exposure

Severity

low

Resource

Memory Management

Language

C / C++

Description

The software generates an error message that includes sensitive information about its environment, users, or associated data. In particular, exposure of memory addresses might defeat ASLR.

Rationale

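ASLR only protects a process while an attacker does not know where its stack, heap and loaded modules are placed in memory. An error or diagnostic message that prints a pointer value discloses one of those locations, and other addresses in the same region can be derived from it, so exposure of memory addresses might defeat ASLR.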

The following code illustrates a vulnerable pattern detected by this rule:

#include <stdio.h>

#define BUFSIZE 256	/* example size; the original snippet does not define it */

void print_address(char *string)
{
	char buf[BUFSIZE];
	char fmt[] = "whatever";

	// VULNERABLE: Exposure of memory addresses that may defeat ASLR
	printf("address: %p\n", buf);

	// VULNERABLE: Exposure of memory addresses that may defeat ASLR
	sprintf(buf, "address: %x\n", string);
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
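
One way to keep log lines correlatable without printing the address, shown as an added example (not code from this rule or its vendor): emit a keyed SipHash-2-4 token of the pointer, the same idea the Linux kernel applies to %p. The names ptr_token, log_key_init and siphash_u64 are hypothetical, and the code assumes a POSIX-like system that provides /dev/urandom.

```c
#include <stdint.h>
#include <stdio.h>

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
	v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
	v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
	v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
	v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

/* SipHash-2-4 of a single 64-bit word under the 128-bit key (k0, k1). */
static uint64_t siphash_u64(uint64_t m, uint64_t k0, uint64_t k1)
{
	uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
	uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
	uint64_t b = (uint64_t)8 << 56;	/* final block: message length (8) in the top byte */

	v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
	v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
	v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

static uint64_t log_key[2];	/* hypothetical per-process secret, never logged */
static int log_key_ready;

/* Load the secret once from /dev/urandom (assumed present). Returns 0 on failure. */
static int log_key_init(void)
{
	FILE *f;

	if (log_key_ready) return 1;
	f = fopen("/dev/urandom", "rb");
	if (!f) return 0;
	log_key_ready = (fread(log_key, sizeof log_key, 1, f) == 1);
	fclose(f);
	return log_key_ready;
}

/* Write a stable, opaque token for p into out; fail closed if no key is available. */
int ptr_token(const void *p, char *out, size_t outlen)
{
	if (!log_key_init())
		return snprintf(out, outlen, "(redacted)");
	return snprintf(out, outlen, "obj-%016llx", (unsigned long long)
		siphash_u64((uint64_t)(uintptr_t)p, log_key[0], log_key[1]));
}
```

The same pointer yields the same token for the life of the process, so log entries can still be matched to each other, while the token reveals nothing about the address unless the key is known.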

Configuration

This detector does not need any configuration.