Re: [PATCH] Kbuild: Disable the -Wformat-security gcc flag

From: Floris Kraak
Date: Thu Feb 05 2009 - 03:27:20 EST


On Thu, Feb 5, 2009 at 7:37 AM, Roland Dreier <rdreier@xxxxxxxxx> wrote:
> > Just how many of these warnings are showing up? In the cases you
> > posted it's presumably no problem, but if the string could either a)
> > be potentially set by a malicious user or b) accidentally contain
> > printk format characters then this code has a risk that things could
> > blow up..
>
> I get ~150 of them on an x86 allyesconfig build here (see below). Many
> but not all are trivial; some at least appear to be passing in strings
> that come from random hardware/firmware or DNS names etc. (i.e. there's at
> least a chance of a '%'); and I didn't exhaustively audit to make sure
> none of them could print something from an unprivileged user.
>

There are probably some real bugs in there. On the other hand there is
some overhead to fixing the warnings: kernel text size increase,
possibly some CPU overhead from parsing the format string. Hopefully
none of these calls are in really hot code paths ;-)
As I noted, applying a patch that does the reverse and enables the
check instead is perfectly acceptable to me. Long term somebody
probably needs to go through all of them and fix (most of) them
anyway.

What remains an open question to me though is what to do with cases
where the warning not only can be ignored but literally should be, e.g.
when there is zero chance of something unexpected getting passed in
and 'fixing' it would just bloat the kernel.
Can sparse be used to check this kind of thing for correctness?

Regards,
Floris
---
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."
-- Ben Franklin

"The course of history shows that as a government grows, liberty
decreases."
-- Thomas Jefferson
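The pattern -Wformat-security complains about, shown as an added user-space example that is not part of this thread or of the kernel tree. snprintf stands in for printk, since the format-string handling is the same; a firmware-supplied name is used as the format directly (the flagged form) and as a "%s" argument (the fixed form), together with the check a reviewer would apply to decide whether a given call can really be left alone: count the conversion specifiers the string could carry. The strings and function names are constructed for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count the conversion specifiers in s: every '%' that is not the
 * "%%" escape. A non-zero result means the string must not be used
 * as a format, because printk/printf would interpret it instead of
 * printing it (reading bogus varargs for %s/%x, writing memory for %n). */
int count_format_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* The form gcc flags with -Wformat -Wformat-security
 * ("format not a string literal and no format arguments").
 * Harmless while msg has no '%', undefined behaviour as soon as it does. */
int log_unsafe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, msg);
}

/* The fix: the external string is always an argument, never the format.
 * This is the one-line change the ~150 warnings in the thread call for. */
int log_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "%s", msg);
}

/* Returns 1 if the safe logger reproduces msg byte for byte, whatever
 * characters it contains. */
int safe_roundtrip(const char *msg)
{
    char out[128];

    log_safe(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

/* Returns 1 if the unsafe logger reproduces msg; only call this with a
 * string that count_format_directives() reports as clean. */
int unsafe_roundtrip_clean(const char *msg)
{
    char out[128];

    if (count_format_directives(msg) != 0)
        return 0;               /* refuse: would be undefined behaviour */
    log_unsafe(out, sizeof out, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    /* Constructed stand-ins for names read from hardware, firmware or DNS. */
    const char *inputs[] = { "eth0", "100%% done", "rogue%s%n", "host.example%" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s directives=%d safe_roundtrip=%d\n", inputs[i],
               count_format_directives(inputs[i]), safe_roundtrip(inputs[i]));
    return 0;
}
```

Building the block with `gcc -Wformat -Wformat-security` reports the snprintf in log_unsafe and nothing else, which is exactly the signal the patch under discussion would switch off; the count_format_directives() walk is the manual audit that has to replace it for each call site left as-is.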