Date: Wed, 7 Dec 2016 16:54:14 +0100
From: Nicolas Iooss <nicolas.iooss_linux@....org>
To: kernel-hardening@...ts.openwall.com
Subject: Re: Picking "Write a plugin to do format string warnings correctly"

On Wed, Dec 7, 2016 at 12:21 AM, Ruslan Kuprieiev <kupruser@...il.com> wrote:
> Hi!
>
> After watching a bunch of talks from Kees about security, I've finally
> decided to try to participate in KSPP.
>
> If it's not taken, I would like to start with this task:
>
> Write a plugin to do format string warnings correctly (gcc's
> -Wformat-security is bad about const strings)
>
> Unfortunately, I wasn't able to find any details about this task. Could
> someone provide some info about it, please?

Hello,

I do not know either what this task is about. Nevertheless, I started
writing a plugin to check the %p... format strings in the kernel by
implementing a white-list of types associated with a format (e.g. %pd used
with "struct dentry*", %pIS with a sockaddr pointer, etc.). This
work-in-progress plugin is available on
https://github.com/fishilico/linux-patches/blob/master/patches/plugin/Add-printk-format-checker-plugin.patch
and I have used it to find bugs like the one fixed in
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7703773ef1d85b40433902a8da20167331597e4a .

The main reason why my plugin is still "work-in-progress / not ready for
proper submission" is that it does not support casts well. For example, if
p is a void* variable, my plugin sees printk("%s", (char *)p) as using %s
on a void*. I have not yet found how I need to modify the plugin to get the
type-casting information (I may need to specify a suitable gcc pass in the
plugin).

Anyway, as this seems to be something different from "gcc's
-Wformat-security is bad about const strings", the task may be about
something else.

On a related subject, I have also written some patches in order to
automatically silence -Wformat-security warnings when using a variable as a
format string. For example, some code in the kernel likes to call
request_module(module_name) where module_name is a non-const variable.
Instead of "fixing" such a call with request_module("%s", module_name), I
am working on two patches which define macros to make
request_module(module_name) call a function which does not use a format
string parameter (
https://github.com/fishilico/linux-patches/blob/master/patches/maybe_upstreamable/Allow-overiding-functions-depending-on-the.patch
and
https://github.com/fishilico/linux-patches/blob/master/patches/maybe_upstreamable/Make-request_module-callable-without-a-format.patch
). Would such patches be appreciated in the kernel?

Thanks,
Nicolas
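The macro-dispatch idea in the request_module paragraph above, worked through as an added example. This is not code from the kernel or from the linked patches, whose actual mechanism is not shown on this page; it is one way to get the same effect. The names demo_request_module, demo_request_module_fmt, demo_request_module_name and DEMO_SELECT, the stand-in "loader" that merely records the name, and the sample inputs are all made up for illustration. The trick is to count the arguments at preprocessing time: a single argument is treated as a name and routed to a function with no format parameter, while two or more arguments go to the printf-style function, which keeps the format attribute so gcc still checks literal formats.

```c
/* Added example (not kernel code, not the linked patches): make a
 * printf-style function safe to call with a non-constant first argument
 * by dispatching, at preprocessing time, on the number of arguments.
 * demo_request_module() is a hypothetical stand-in for request_module();
 * the "loader" only records the resolved module name. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64

/* Stand-in for the real loader: remembers the last requested name. */
static char last_requested[NAME_MAX_LEN];

static const char *loader_record(const char *name)
{
    snprintf(last_requested, sizeof(last_requested), "%s", name);
    return last_requested;
}

/* Format-string variant, the classic request_module(fmt, ...) shape.
 * The format attribute lets -Wformat / -Wformat-security check calls whose
 * format is a literal.  A non-literal format reaches vsnprintf unchecked,
 * and every '%' in it would be interpreted as a conversion. */
__attribute__((format(printf, 1, 2)))
static const char *demo_request_module_fmt(const char *fmt, ...)
{
    char name[NAME_MAX_LEN];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(name, sizeof(name), fmt, ap);
    va_end(ap);
    return loader_record(name);
}

/* Name variant: the argument is data, never a format. */
static const char *demo_request_module_name(const char *name)
{
    return loader_record(name);
}

/* Select the callee by argument count.  Exactly one argument means "this
 * is a name, not a format", so the format-free function is chosen and the
 * caller does not have to rewrite request_module(name) as
 * request_module("%s", name).  Two to eight arguments pick the checked,
 * formatting variant. */
#define DEMO_SELECT(_1, _2, _3, _4, _5, _6, _7, _8, NAME, ...) NAME
#define demo_request_module(...)                                     \
    DEMO_SELECT(__VA_ARGS__,                                         \
                demo_request_module_fmt, demo_request_module_fmt,    \
                demo_request_module_fmt, demo_request_module_fmt,    \
                demo_request_module_fmt, demo_request_module_fmt,    \
                demo_request_module_fmt, demo_request_module_name)(__VA_ARGS__)

/* Constructed input: a module name that came from an untrusted source and
 * happens to contain '%'.  One argument -> name variant, '%' stays literal.
 * Calling demo_request_module_fmt(from_userspace) directly instead would
 * both trigger -Wformat-security and consume nonexistent varargs. */
static const char *resolve_untrusted_name(void)
{
    const char *from_userspace = "net-pf-%d-%s";   /* constructed sample */
    return demo_request_module(from_userspace);
}

/* Literal format plus an argument -> formatting variant, still checked by
 * gcc because the format is a literal. */
static const char *resolve_pattern(int family)
{
    return demo_request_module("net-pf-%d", family);
}

int main(void)
{
    printf("untrusted: %s\n", resolve_untrusted_name());
    printf("pattern:   %s\n", resolve_pattern(10));
    return 0;
}
```

Build it with `gcc -Wall -Wformat -Wformat-security` and the file compiles cleanly; change `resolve_untrusted_name` to call `demo_request_module_fmt(from_userspace)` directly and the warning the thread is about appears. One caveat a reviewer would raise before applying this pattern to a real call site: a one-argument call whose literal contains `%%` now receives the two characters verbatim instead of a single `%`, so existing single-argument callers with escaped percent signs have to be audited when the macro is introduced.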