This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: Security patch for printf - please no! (Was: Re: Patch to add __builtin_printf)


On Thu, 21 Sep 2000, Kamil Iskra wrote:

> However, you fail to patch other obvious examples of format string
> problems. What's the difference between the two lines:
> 
> printf(var);
> printf(var, "abc");
> 
> The first one is vulnerable to var such as "bla %s bla", the second one to
> only slightly more complicated "bla %s %s bla". You can fix the first one,
> but what about the second one? You are not going to suggest that GCC
> suddenly starts warning whenever the format string is not a constant?

The first one can almost always be changed by the programmer to use fputs
which is faster and safer; it is probably very rare that someone wants to
output a format string which may contain %% and %m conversions but can be
proved not to contain any others.  The second doesn't have such a simple
replacement.  -Wall already gives some warnings expecting stylistic
changes of the programmer - in particular -Wparentheses - a warning here
would effectively simply be another.

-Wformat=2 already does warn when the format string is not a constant.  
This was on by default for a while at -Wall, then turned off because of
levels of false positives.  I expect the specific case of printf(var) to
have many fewer false positives.  If the patch goes in, hopefully the
people on linux-security-audit will run some Linux distribution compiles
with it and with -Wformat=2 which should lead to some actual statistics on
false positives and real bugs found.

-- 
Joseph S. Myers
jsm28@cam.ac.uk
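The exchange above turns on when printf(var) can be replaced by fputs(var, stdout): only when var is argument-free, i.e. contains nothing but literal text and "%%" escapes (and, for GNU libc, "%m"). Here is an added example of that check in C; it is not code from this thread or from GCC, and the function names and sample strings are my own. The classifier says whether a string can be used as a format with no arguments at all, and the expander turns such a string into the exact text printf would have printed, so the fputs rewrite does not change output for "%%". Any string with a real conversion, such as Kamil's "bla %s bla", is rejected and printed as data instead.

```c
#include <stdio.h>
#include <string.h>

/* Classify fmt as a printf format that will receive no arguments.
 *   returns  0 if fmt contains no '%' at all,
 *   returns  1 if the only conversions are "%%" (and "%m" when allow_m),
 *   returns -1 if any other conversion appears, including a lone '%' at
 *              the end of the string.
 * In the -1 case printf(fmt) with no data arguments reads arguments that
 * were never passed, which is the "bla %s bla" problem from the thread. */
int classify_format(const char *fmt, int allow_m)
{
    int saw_escape = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%' || (allow_m && p[1] == 'm')) {
            saw_escape = 1;
            p++;                 /* skip the second character of the escape */
            continue;
        }
        return -1;               /* a genuine conversion, or trailing '%' */
    }
    return saw_escape;
}

/* Expand "%%" to "%" so that fputs(out, stdout) prints exactly what
 * printf(fmt) would have printed for an argument-free format. "%m" is not
 * expanded here because its output depends on errno at call time.
 * Returns the number of bytes written (excluding the terminator), or -1 if
 * fmt contains a real conversion or out is too small. */
int expand_literal_format(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (const char *p = fmt; *p; p++) {
        char c = *p;
        if (c == '%') {
            if (p[1] != '%')
                return -1;       /* would need an argument: refuse */
            p++;                 /* "%%" collapses to a single '%' */
        }
        if (n + 1 >= outlen)
            return -1;           /* keep room for the terminator */
        out[n++] = c;
    }
    out[n] = '\0';
    return (int)n;
}

/* The safe way to emit an untrusted string: it is data, never a format.
 * This is the fputs replacement for the first of Kamil's two lines,
 *     printf(var);
 * which would be well defined only when classify_format(var, 1) != -1. */
void print_untrusted(const char *var)
{
    fputs(var, stdout);
}

int main(void)
{
    /* constructed sample strings, not data from the thread */
    const char *samples[] = { "plain text", "100%% done", "bla %s bla",
                              "bla %s %s bla", "trailing %" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int cls = classify_format(samples[i], 0);
        int len = expand_literal_format(samples[i], buf, sizeof buf);
        printf("%-16s class=%2d expanded=%s\n", samples[i], cls,
               len < 0 ? "(refused)" : buf);
        print_untrusted(samples[i]);     /* always safe, prints verbatim */
        putchar('\n');
    }
    return 0;
}
```

Compiling the original printf(var) pattern with -Wformat-security (part of -Wformat=2) is what the thread is discussing; the code above sidesteps the warning entirely by never passing var as a format.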

