lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20181026232409.16100-2-linux@rasmusvillemoes.dk>
Date:   Sat, 27 Oct 2018 01:24:03 +0200
From:   Rasmus Villemoes <linux@...musvillemoes.dk>
To:     Kees Cook <keescook@...omium.org>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org,
        Rasmus Villemoes <linux@...musvillemoes.dk>,
        Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
Subject: [RFC PATCH 1/7] compiler_attributes.h: add __attribute__((format_arg)) shorthand

The __format_arg attribute tells gcc that it can use a specific
argument to the annotated function as the format string for the
purpose of type-checking a surrounding __printf function call. For
example, assuming one has a fmtcheck function declared as

  const char *fmtcheck(const char *, const char *, unsigned) __format_arg(2);

and this is used in

  sprintf(buf, fmtcheck(what->ever, "%d %lx", 0), i, m)

gcc checks that the varargs (i and m) matches the second argument to the
fmtcheck function, i.e. that they are (int, long). With

  sprintf(buf, what->ever, i, m)

the compiler cannot do any type checking.

Even a static inline fmtcheck() that just returns its first argument
would provide documentation for which specifiers what->ever is supposed
to contain, but we'll implement an actual run-time check later.

Signed-off-by: Rasmus Villemoes <linux@...musvillemoes.dk>
---
 include/linux/compiler_attributes.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
index 6b28c1b7310c..08264df52322 100644
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -32,6 +32,7 @@
 # define __GCC4_has_attribute___assume_aligned__      (__GNUC_MINOR__ >= 9)
 # define __GCC4_has_attribute___designated_init__     0
 # define __GCC4_has_attribute___externally_visible__  1
+# define __GCC4_has_attribute___format_arg__          1
 # define __GCC4_has_attribute___noclone__             1
 # define __GCC4_has_attribute___optimize__            1
 # define __GCC4_has_attribute___nonstring__           0
@@ -140,6 +141,18 @@
 #define __printf(a, b)                  __attribute__((__format__(printf, a, b)))
 #define __scanf(a, b)                   __attribute__((__format__(scanf, a, b)))
 
+/*
+ * Optional
+ *
+ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-format_005farg-function-attribute
+ * clang: apparently supported, but undocumented
+ */
+#if __has_attribute(__format_arg__)
+# define __format_arg(n) __attribute__((__format_arg__(n)))
+#else
+# define __format_arg(n)
+#endif
+
 /*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-gnu_005finline-function-attribute
  * clang: https://clang.llvm.org/docs/AttributeReference.html#gnu-inline
-- 
2.19.1.6.gbde171bbf5

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ