lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <2lrekzigagve633hztrttgulu4pjtgjy3chasl35fk53bqybhp@yy27gkgcx6a7>
Date: Thu, 24 Apr 2025 15:48:59 +0200
From: Jan Kara <jack@...e.cz>
To: Arnd Bergmann <arnd@...db.de>
Cc: Jan Kara <jack@...e.cz>, Arnd Bergmann <arnd@...nel.org>, 
	Theodore Ts'o <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>, 
	Zhang Yi <yi.zhang@...wei.com>, Ojaswin Mujoo <ojaswin@...ux.ibm.com>, 
	"Darrick J. Wong" <djwong@...nel.org>, Matthew Wilcox <willy@...radead.org>, 
	"Ritesh Harjani (IBM)" <ritesh.list@...il.com>, Shida Zhang <zhangshida@...inos.cn>, 
	Baokun Li <libaokun1@...wei.com>, Jann Horn <jannh@...gle.com>, Brian Foster <bfoster@...hat.com>, 
	linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ext4: avoid -Wformat-security warning

On Thu 24-04-25 14:31:02, Arnd Bergmann wrote:
> On Thu, Apr 24, 2025, at 13:39, Jan Kara wrote:
> > On Wed 23-04-25 18:43:49, Arnd Bergmann wrote:
> >> From: Arnd Bergmann <arnd@...db.de>
> >> 
> >> check_igot_inode() prints a variable string, which causes a harmless
> >> warning with 'make W=1':
> >> 
> >> fs/ext4/inode.c:4763:45: error: format string is not a string literal (potentially insecure) [-Werror,-Wformat-security]
> >>  4763 |         ext4_error_inode(inode, function, line, 0, err_str);
> >> 
> >> Use a trivial "%s" format string instead.
> >> 
> >> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> >
> > Frankly I don't care much either way but if my memory serves me well year
> > or two ago someone was going through the kernel and was replacing pointless
> > ("%s", str) cases with printing the string directly. So we should make up
> > our minds how we want this... In my opinion this is one of the warnings
> > which may be useful but have false positives too often (like here where
> > err_str is just a selection from several string literals) so I'm not sure
> > it's worth the effort to try to silence it.
> 
> I had a look at the git log now and see no evidence of those
> patches getting merged, but plenty of patches going the same way
> as my patch.

OK, so maybe I'm just confused or the patch indeed got discarded. Thanks
for having a look! With this clarification feel free to add:

Reviewed-by: Jan Kara <jack@...e.cz>

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ