This is the mail archive of the mailing list for the GCC project.
Re: Security patch for printf - please no! (Was: Re: Patch to add __builtin_printf)
- To: Kamil Iskra <kamil at wins dot uva dot nl>
- Subject: Re: Security patch for printf - please no! (Was: Re: Patch to add __builtin_printf)
- From: "Joseph S. Myers" <jsm28 at cam dot ac dot uk>
- Date: Thu, 21 Sep 2000 23:59:46 +0100 (BST)
- cc: gcc-patches at gcc dot gnu dot org
On Thu, 21 Sep 2000, Kamil Iskra wrote:
> However, you fail to patch other obvious examples of format string
> problems. What's the difference between the two lines:
> printf(var, "abc");
> The first one is vulnerable to var such as "bla %s bla", the second one to
> only slightly more complicated "bla %s %s bla". You can fix the first one,
> but what about the second one? You are not going to suggest that GCC
> suddenly starts warning whenever the format string is not a constant?
The first one can almost always be changed by the programmer to use fputs
which is faster and safer; it is probably very rare that someone wants to
output a format string which may contain %% and %m conversions but can be
proved not to contain any others. The second doesn't have such a simple
replacement. -Wall already gives some warnings expecting stylistic
changes of the programmer - in particular -Wparentheses - a warning here
would effectively simply be another.
-Wformat=2 already does warn when the format string is not a constant.
This was on by default for a while at -Wall, then turned off because of
levels of false positives. I expect the specific case of printf(var) to
have many fewer false positives. If the patch goes in, hopefully the
people on linux-security-audit will run some Linux distribution compiles
with it and with -Wformat=2 which should lead to some actual statistics on
false positives and real bugs found.
Joseph S. Myers
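The two points of the exchange above, as an added example that is not part of the original message or of GCC: the fputs replacement Joseph proposes for the non-constant printf(var) call, beside a small check for the rare case he describes, a string that can be proved to contain no conversion other than %%. The function names (print_untrusted, format_has_conversions) and the sample strings are this example's own; %m is treated conservatively as a conversion, since it is a glibc extension rather than standard C.

```c
#include <stdio.h>

/* Returns 1 if s contains any conversion specification other than "%%",
 * i.e. anything printf would try to read an argument for (a lone trailing
 * '%' is also flagged). A string for which this returns 0 is the case
 * Joseph calls rare: a non-constant string that is provably safe as a
 * format. Everything else must not be passed as a format at all. */
int format_has_conversions(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" just prints a literal '%' */
            s++;
            continue;
        }
        return 1;               /* any other directive consumes arguments */
    }
    return 0;
}

/* Replacement for printf(var): writes var verbatim, so a "%s" inside it
 * is output as text instead of being interpreted. Returns 0 on success,
 * -1 if fputs reports an error. */
int print_untrusted(const char *var, FILE *out)
{
    return fputs(var, out) == EOF ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs standing in for data read from a user. */
    const char *benign  = "progress: 100%% done";
    const char *hostile = "bla %s %s bla";   /* the case from the thread */

    print_untrusted(benign, stdout);  putc('\n', stdout);
    print_untrusted(hostile, stdout); putc('\n', stdout);  /* printed literally */

    printf("benign needs args: %d, hostile needs args: %d\n",
           format_has_conversions(benign), format_has_conversions(hostile));
    return 0;
}
```

Compiling a printf(var) call with -Wformat=2, the option the message refers to, produces the non-literal-format warning it describes; the fputs form compiles cleanly.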