[PATCH] - improve sprintf buffer overflow detection (middle-end/49905)
Martin Sebor
msebor@gmail.com
Fri Jul 1 18:15:00 GMT 2016
The attached patch enhances compile-time checking for buffer overflow
and output truncation in non-trivial calls to the sprintf family of
functions under a new option -Wformat-length=[12]. This initial
patch handles printf directives with string, integer, and simple
floating arguments but eventually I'd like to extend it all other
functions and directives for which it makes sense.
I made some choices in the implementation that resulted in trade-offs
in the quality of the diagnostics. I would be grateful for comments
and suggestions how to improve them. Besides the list I include
Jakub who already gave me some feedback (thanks), Joseph who as
I understand has deep knowledge of the c-format.c code, and Richard
for his input on the LTO concern below.
1) Making use of -Wformat machinery in c-family/c-format.c. This
seemed preferable to duplicating some of the same code elsewhere
(I initially started implementing it in expand_builtin in
builtins.c). It makes the implementation readily extensible
to all the same formats as those already handled for -Wformat.
One drawback is that unlike in expand_builtin, calls to these
functions cannot readily be folded. Another drawback pointed
out by Jakub is that since the code is only available in the
C and C++ compilers, it apparently may not be available with
an LTO compiler (I don't completely understand this problem
but I mention it in the interest of full disclosure). In light
of the dependency in (2) below, I don't see a way to avoid it
(moving c-format.c to the middle end was suggested but seemed
like too much of a change to me).
2) Optimization.
In keeping with the other -Wformat options, the checking is
enabled without optimization. Especially at level 2, the
warnings can be useful even without it. But to make buffer
sizes and non-constant argument values available in calls to
functions like sprintf (via __builtin_object_size) better
results are obtained with optimization.
3) Truncation warnings.
Although calls to bounded functions like snprintf aren't subject
to buffer overflow, they can be subject to accidental truncation
when the destination buffer isn't sized appropriately. With the
patch, such calls are diagnosed under the same option, but I
wonder if have a separate warning option for them might be
preferable (e.g., -Wformat-trunc=[01] or something like that).
Independently, it might be useful to differentiate between
truncating calls that check the return value and those that
don't.
Besides the usual testing I compiled several packages with the
warning. If found a few bugs in boundary cases in Binutils that
are being fixed.
Thanks
Martin
PS There are a few FIXME notes in the patch that I will either
fix or remove, depending on feedback, before committing the
patch.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gcc-49905.diff
Type: text/x-patch
Size: 127966 bytes
Desc: not available
URL: <http://gcc.gnu.org/pipermail/gcc-patches/attachments/20160701/209a6220/attachment.bin>
More information about the Gcc-patches
mailing list