This is the mail archive of the
gcc-patches@gcc.gnu.org
mailing list for the GCC project.
Patch for format checking security warnings
- To: <gcc-patches at gcc dot gnu dot org>
- Subject: Patch for format checking security warnings
- From: "Joseph S. Myers" <jsm28 at cam dot ac dot uk>
- Date: Thu, 7 Dec 2000 00:45:49 +0000 (GMT)
This patch adds an option -Wformat-security to warn about security
problems in calls to format functions - currently only "printf (foo)"
and similar, but potentially in future other warnings such as sprintf
into a fixed length buffer which might overrun. It depends on my
previous patch
<URL:http://gcc.gnu.org/ml/gcc-patches/2000-12/msg00074.html>. All
the previous versions,
http://gcc.gnu.org/ml/gcc-patches/2000-09/msg00854.html
http://gcc.gnu.org/ml/gcc-patches/2000-09/msg01163.html
http://gcc.gnu.org/ml/gcc-patches/2000-10/msg00284.html
http://gcc.gnu.org/ml/gcc-patches/2000-10/msg00521.html
which no-one seems to have wanted to review, are now superseded by these
two patches. [NB: the implementation since the original patch of checks
going into conditional expressions and const arrays should have reduced
the false positive rate.]
Bootstrapped with no regressions on i686-pc-linux-gnu. OK to commit?
gcc/ChangeLog:
2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
* c-common.c (warn_format_security): New variable.
(check_format_info): Warn about non-literal formats with no format
arguments if either -Wformat-nonliteral or -Wformat-security is
specified.
(set_Wformat): Set warn_format_security for settings other than 1.
* c-common.h (warn_format_security): Declare.
* c-decl.c (c_decode_option): Decode -Wformat-security and
-Wno-format-security.
* invoke.texi: Document -Wformat-security.
* toplev.c (documented_lang_options): Include -Wformat-security
and -Wno-format-security.
gcc/cp/ChangeLog:
2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
* decl2.c (lang_decode_option): Handle -Wformat-security.
gcc/testsuite/ChangeLog:
2000-12-07 Joseph S. Myers <jsm28@cam.ac.uk>
* format-sec-1.c: New test.
--- c-common.c.orig Wed Dec 6 19:09:42 2000
+++ c-common.c Wed Dec 6 19:24:27 2000
@@ -193,6 +193,10 @@ int warn_format_extra_args;
int warn_format_nonliteral;
+/* Warn about possible security problems with calls to format functions. */
+
+int warn_format_security;
+
/* Nonzero means warn about possible violations of sequence point rules. */
int warn_sequence_point;
@@ -2359,7 +2363,7 @@ check_format_info (status, info, params)
params = TREE_CHAIN (params);
++arg_num;
}
- if (params == 0 && warn_format_nonliteral)
+ if (params == 0 && (warn_format_nonliteral || warn_format_security))
status_warning (status, "format not a string literal and no format arguments");
else if (warn_format_nonliteral)
status_warning (status, "format not a string literal, argument types not checked");
@@ -3378,7 +3382,10 @@ set_Wformat (setting)
warn_format_y2k = setting;
warn_format_extra_args = setting;
if (setting != 1)
- warn_format_nonliteral = setting;
+ {
+ warn_format_nonliteral = setting;
+ warn_format_security = setting;
+ }
}
/* Print a warning if a constant expression had overflow in folding.
--- c-common.h.orig Sat Dec 2 18:44:36 2000
+++ c-common.h Wed Dec 6 19:21:39 2000
@@ -361,6 +361,10 @@ extern int warn_format_extra_args;
extern int warn_format_nonliteral;
+/* Warn about possible security problems with calls to format functions. */
+
+extern int warn_format_security;
+
/* Warn about possible violations of sequence point rules. */
extern int warn_sequence_point;
--- c-decl.c.orig Sat Dec 2 18:44:36 2000
+++ c-decl.c Wed Dec 6 19:21:11 2000
@@ -719,6 +719,10 @@ c_decode_option (argc, argv)
warn_format_nonliteral = 1;
else if (!strcmp (p, "-Wno-format-nonliteral"))
warn_format_nonliteral = 0;
+ else if (!strcmp (p, "-Wformat-security"))
+ warn_format_security = 1;
+ else if (!strcmp (p, "-Wno-format-security"))
+ warn_format_security = 0;
else if (!strcmp (p, "-Wchar-subscripts"))
warn_char_subscripts = 1;
else if (!strcmp (p, "-Wno-char-subscripts"))
--- invoke.texi.orig Wed Dec 6 18:48:46 2000
+++ invoke.texi Wed Dec 6 19:19:47 2000
@@ -190,7 +190,7 @@ in the following sections.
-Wcast-align -Wcast-qual -Wchar-subscripts -Wcomment
-Wconversion -Wdisabled-optimization -Werror
-Wfloat-equal -Wformat -Wformat=2
--Wformat-nonliteral
+-Wformat-nonliteral -Wformat-security
-Wid-clash-@var{len} -Wimplicit -Wimplicit-int
-Wimplicit-function-declaration
-Werror-implicit-function-declaration
@@ -1600,8 +1600,9 @@ specified.
@samp{-Wformat} is included in @samp{-Wall}. For more control over some
aspects of format checking, the options @samp{-Wno-format-y2k},
-@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral} and
-@samp{-Wformat=2} are available, but are not included in @samp{-Wall}.
+@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral},
+@samp{-Wformat-security} and @samp{-Wformat=2} are available, but are
+not included in @samp{-Wall}.
@item -Wno-format-y2k
If @samp{-Wformat} is specified, do not warn about @code{strftime}
@@ -1617,10 +1618,21 @@ If @samp{-Wformat} is specified, also wa
string literal and so cannot be checked, unless the format function
takes its format arguments as a @code{va_list}.
+@item -Wformat-security
+If @samp{-Wformat} is specified, also warn about uses of format
+functions that represent possible security problems. At present, this
+warns about calls to @code{printf} and @code{scanf} functions where the
+format string is not a string literal and there are no format arguments,
+as in @code{printf (foo);}. This may be a security hole if the format
+string came from untrusted input and contains @samp{%n}. (This is
+currently a subset of what @samp{-Wformat-nonliteral} warns about, but
+in future warnings may be added to @samp{-Wformat-security} that are not
+included in @samp{-Wformat-nonliteral}.)
+
@item -Wformat=2
Enable @samp{-Wformat} plus format checks not included in
@samp{-Wformat}. Currently equivalent to @samp{-Wformat
--Wformat-nonliteral}.
+-Wformat-nonliteral -Wformat-security}.
@item -Wimplicit-int
Warn when a declaration does not specify a type.
--- toplev.c.orig Mon Dec 4 18:52:12 2000
+++ toplev.c Wed Dec 6 19:14:13 2000
@@ -1236,6 +1236,9 @@ documented_lang_options[] =
"Don't warn about too many arguments to format functions" },
{ "-Wformat-nonliteral", "Warn about non-string-literal format strings" },
{ "-Wno-format-nonliteral", "" },
+ { "-Wformat-security",
+ "Warn about possible security problems with format functions" },
+ { "-Wno-format-security", "" },
{ "-Wimplicit-function-declaration",
"Warn about implicit function declarations" },
{ "-Wno-implicit-function-declaration", "" },
--- cp/decl2.c.orig Mon Dec 4 18:52:13 2000
+++ cp/decl2.c Wed Dec 6 19:13:15 2000
@@ -726,6 +726,8 @@ lang_decode_option (argc, argv)
warn_format_extra_args = setting;
else if (!strcmp (p, "format-nonliteral"))
warn_format_nonliteral = setting;
+ else if (!strcmp (p, "format-security"))
+ warn_format_security = setting;
else if (!strcmp (p, "missing-format-attribute"))
warn_missing_format_attribute = setting;
else if (!strcmp (p, "conversion"))
--- testsuite/gcc.dg/format-sec-1.c.orig Fri Sep 11 11:31:59 1998
+++ testsuite/gcc.dg/format-sec-1.c Wed Dec 6 19:23:36 2000
@@ -0,0 +1,12 @@
+/* Test for security warning when non-literal format has no arguments. */
+/* Origin: Joseph Myers <jsm28@cam.ac.uk> */
+/* { dg-do compile } */
+/* { dg-options "-std=gnu99 -Wformat -Wformat-security" } */
+
+extern int printf (const char *, ...);
+
+void
+foo (char *s)
+{
+ printf (s); /* { dg-warning "no format arguments" "security warning" } */
+}
--
Joseph S. Myers
jsm28@cam.ac.uk