Re: [RFC PATCH 0/7] runtime format string checking

From: Kees Cook
Date: Tue Oct 30 2018 - 16:59:03 EST

Next message: Andy Lutomirski: "Re: [PATCH 10/17] prmem: documentation"
Previous message: Schaufler, Casey: "RE: [Patch v4 13/18] security: Update security level of a process when modifying its dumpability"
In reply to: Rasmus Villemoes: "[RFC PATCH 3/7] kernel.h: implement fmtmatch() wrapper around fmtcheck()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Oct 27, 2018 at 12:24 AM, Rasmus Villemoes
<linux@xxxxxxxxxxxxxxxxxx> wrote:
> This is a resurrection of something I sent out about a year ago. In
> the relatively few places where we use a non-literal as format string,
> we can annotate the source with a fmtcheck() call that will (a) at
> build time, allow the compiler to check the variadic arguments against
> the template, and (b) at runtime, check that the format specifiers
> present in the actual format string match those in the template (and
> if not, WARN and use the template to ensure runtime type safety).
>
> Finding places to annotate is just
>
> make -j8 KCFLAGS='-Wformat-nonliteral'
>
> So far, in about half the places I looked, one might as well get
> completely rid of the non-literal format string.

Agreed. When I was still updating format string sites regularly, I had
a couple "just make the build quiet" patches to do this:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=kspp/format-security&id=ce9b938574042d09920650cb3c63ec29658edc87
The above seemed to "noisy" to send, but perhaps we should just land
it anyway. They really _should_ be const.

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=kspp/format-security&id=b7dcfc8f48caaafcc423e5793f7ef61b9bb5c458
This one covers cases where the pointer is pointing to a const string,
so really there's no sense in injecting the "%s", but I was collecting
them to make real ones stand out.

> Patches 5,6,7 are
> some examples of where one might add fmtcheck() calls. I don't think
> we can get to a state where we can unconditionally add
> -Wformat-nonliteral to the build, but I think there's a lot of
> low-hanging fruit.

How much work do you think it'd take to get to a
format-nonliteral-clean build? I think it's worth doing the work if
it's not totally intractable.

-Kees

>
> This is on top of Miguel's compiler attributes series [1], which I
> hope will land in mainline soon.
>
> [1] https://github.com/ojeda/linux.git tags/compiler-attributes-for-linus-4.20-rc1
>
> Rasmus Villemoes (7):
> compiler_attributes.h: add __attribute__((format_arg)) shorthand
> lib/vsprintf.c: add fmtcheck utility
> kernel.h: implement fmtmatch() wrapper around fmtcheck()
> lib/test_printf.c: add a few fmtcheck() test cases
> kernel/kthread.c: do runtime check of format string in
> kthread_create_on_cpu()
> nfs: use fmtcheck() in root_nfs_data
> drivers: hwmon: add runtime format string checking
>
> drivers/hwmon/hwmon.c | 3 +-
> fs/nfs/nfsroot.c | 2 +-
> include/linux/compiler_attributes.h | 13 ++++++
> include/linux/kernel.h | 25 +++++++++++
> kernel/kthread.c | 4 +-
> lib/Kconfig.debug | 9 ++++
> lib/test_printf.c | 43 +++++++++++++++++++
> lib/vsprintf.c | 65 +++++++++++++++++++++++++++++
> 8 files changed, 160 insertions(+), 4 deletions(-)
>
> --
> 2.19.1.6.gbde171bbf5
>

--
Kees Cook

Next message: Andy Lutomirski: "Re: [PATCH 10/17] prmem: documentation"
Previous message: Schaufler, Casey: "RE: [Patch v4 13/18] security: Update security level of a process when modifying its dumpability"
In reply to: Rasmus Villemoes: "[RFC PATCH 3/7] kernel.h: implement fmtmatch() wrapper around fmtcheck()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]