In the last episode (Apr 17), Rui Paulo said: > On 16 Apr 2010, at 22:41, Ivan Voras wrote: > > I have a buildworld error here: > > > > clang -isystem /usr/obj/mt/clangbsd/tmp/usr/include/clang/1.5 -isystem /usr/obj/mt/clangbsd/tmp/usr/include -B/usr/obj/mt/clangbsd/tmp/usr/lib/ -L/usr/obj/mt/clangbsd/tmp/usr/lib/ -fpic -DPIC -O2 -pipe -mtune=generic -I/mt/clangbsd/lib/libc/include -I/mt/clangbsd/lib/libc/../../include -I/mt/clangbsd/lib/libc/amd64 -DNLS -D__DBINTERFACE_PRIVATE -I/mt/clangbsd/lib/libc/../../contrib/gdtoa -DINET6 -I/usr/obj/mt/clangbsd/lib/libc -I/mt/clangbsd/lib/libc/resolv -D_ACL_PRIVATE -DPOSIX_MISTAKE -I/mt/clangbsd/lib/libc/../../contrib/tzcode/stdtime -I/mt/clangbsd/lib/libc/stdtime -I/mt/clangbsd/lib/libc/locale -DBROKEN_DES -DPORTMAP -DDES_BUILTIN -I/mt/clangbsd/lib/libc/rpc -DYP -DNS_CACHING -DSYMBOL_VERSIONING -std=gnu99 -fstack-protector -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized -Wno-pointer-sign -c /mt/clangbsd/lib/libc/sys/__error.c -o __error.So > > /mt/clangbsd/lib/libc/sys/stack_protector.c:88:19: error: format string is not a string literal (potentially insecure) [-Wformat-security] > > syslog(LOG_CRIT, msg); > > ^~~ > > 1 diagnostic generated. > > *** Error code 1 > > 2 errors > > *** Error code 2 > > 1 error > > > > The context is... I think a bit overprotective here :) At least this > > particular warning knob should probably be turned off. > > Actually, I would rather fix the code that does this than disabling the > warning. Even if this particular code is not vulnerable to format string > problems, it's 2010 now and it doesn't hurt to add a "%s" there. Agree. Calling sprintf-like functions with unknown format strings is dangerous. Technically, though, the code as is stands is safe, since __fail is static and the only two callers do pass safe string literals. It looks like we found three buglets here :) 1) __fail should use syslog(LOG_CRIT, "%s", msg). 2) We should add -Wformat-nonliteral to the gcc CFLAGS list so it can make the same check across the entire build (though it's no smarter than clang and emits one for this file). 3) Both clang and gcc (when asked to) emit a warning when they have enough information to know it's safe. It's better to err on the side of caution, though, and the compiler would have to analyze the whole source file to know that all the callers use the function safely. -- Dan Nelson dnelson_at_allantgroup.comReceived on Sun Apr 18 2010 - 00:01:32 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:02 UTC