Received: by 2002:a5d:925a:0:0:0:0:0 with SMTP id e26csp939456iol; Thu, 9 Jun 2022 18:13:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxbqxvvQcnPy3jb1PNkxudxVFoGr3m2fOV6O/DRrRHSD+L7s97QXmGZzFMLna4+VqI46Ljh X-Received: by 2002:a63:8841:0:b0:3fc:704c:24ff with SMTP id l62-20020a638841000000b003fc704c24ffmr37259483pgd.116.1654823588640; Thu, 09 Jun 2022 18:13:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654823588; cv=none; d=google.com; s=arc-20160816; b=S3Ex5ln82JiWE0iF7I5o/d/kr6b4DKm0Zm/3le4lw62l3V2Esqi7wW4dGQSy1St1KT ZlghM205dijdKKuq56nRjITRqTnXiP5qNtwz59NfylalY54VaxzPawEatBez1Df2fBBj PPEImh7fKM0FYbFHpktiafG50mEpksQScFOuxXCjRL9yelwetLCNT07thTJoc7lx8Ii8 6cxer+8oIh+NQ3r4OsM6Ov+e80eFQ8gGM/DwsSIg/K8Ahdozb5G8lxZhju0XyUNYM7TM cnMQ8VmK2RfinGXu8sxNbqFE8FZUbJX02M2k3FRBPm8aaaCbjGBsRO4YcX9mgES2Xbh3 YfBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=M1G6Hf9v6f6xyLP2a6Gh7yfuFJ+6ipgBJHHWwU80v1c=; b=veUwQNTqGuB7+FG2LltQZy8panWrqoGwSnk0c4TM9lDlFwZfB7BZnLDw9WnUkUp6Mz AIYIchyEITM3ykonqui7vXFD28FyoxaI24rAUiAI0H+mFVWMMJz2ofKLtBcDKzM/DndP 292QduHswGLEMVrZ6MndhGY1mE7stkWX4668h3aaX9Ewc4FOOmedh+4Yijgi08Ej+AhY KLHCIcW9PzAMG0HFf8sDuod1hnwohEVIGnvC+xEr9zE69oVqMbzEtQ6HHJ9sir+tTm3i mYPblj8mgq8fe/jwJ6Vgg2mKa+qsFn2kSXzHk7NzstIYavpIs+nNLciBY5k9yJ15cHOi +TYA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=GzLaviOq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j7-20020a170903024700b00156b24c4bb6si39036054plh.120.2022.06.09.18.12.48; Thu, 09 Jun 2022 18:13:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=GzLaviOq; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238900AbiFJAdE (ORCPT + 99 others); Thu, 9 Jun 2022 20:33:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52816 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230371AbiFJAdD (ORCPT ); Thu, 9 Jun 2022 20:33:03 -0400 Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A6D5366A7 for ; Thu, 9 Jun 2022 17:33:00 -0700 (PDT) Received: by mail-lf1-x12a.google.com with SMTP id c2so21030641lfk.0 for ; Thu, 09 Jun 2022 17:33:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=M1G6Hf9v6f6xyLP2a6Gh7yfuFJ+6ipgBJHHWwU80v1c=; b=GzLaviOqRCp4B7LqsBfA2qFyX6V1uMUAbIpS5ZG+ymr/9aN/hsQn1QW3PtN+GmgInQ He0Q1Uquu8aHzwNdzglLiDyax/ofVj35MhNvH0zBU7U/FgsC8lV4WZcV1MRSavA6givw MwwoH6cUS805gA1B/kna/OiRrljxuadDNbWQe2uk3jqSGIPZTj1Nggn2aFmaJOxpn0ee keyXmIa2x54GZzES+MYP7V0JK7Y0RzKUk9jyYpIawwn1bBhBPn8bT+rMBalAXRhKRGqN ws66+mukc8/rRLkWY5c5tACdnnEguXj7+LFVYthISMqK0wDGsAxLLnOu3EGgFefxrZxd +Qcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=M1G6Hf9v6f6xyLP2a6Gh7yfuFJ+6ipgBJHHWwU80v1c=; b=f6p1VdBLr2qFvZ6ImT+X+jTcnYVwvSRhH0JJwL47DAL0bJchYMUkABVdj0CagvKsi2 MbkJ6auQS39OQf31AnMEoUAlnRMAZDvMDRaOOeG0cvjxkE+L+qpHNt7h42Rfviwmj5zk 2GqO5AO5BBgyduNLb+fTtx6OIsxfgkx80ru6borvt0g9o3Zt04HgoKrqd3dOwW8wxKpM JQyA3YXZKdVDTYu2Z26lXNGH0amQMS/ofeKCoIi/jCgYGf3eph1/rYl/XtC0GeEXPnAl D8rfqsIKdERFUb+JvuLgxDAUW6uH7lRy2YSvFUnskdRj3HIM1hCLX1YF7AJc/veFJZy7 hiDQ== X-Gm-Message-State: AOAM531SVWtHY9lRx4IHoF2kCDOtnx37M70tFx97qarXFA8auxiLTMdq LEKGCVHPkkVCkEw09D7E786l9ry7WNjNq94JFnTDZA== X-Received: by 2002:a05:6512:ad6:b0:479:5599:d834 with SMTP id n22-20020a0565120ad600b004795599d834mr11951775lfu.103.1654821178297; Thu, 09 Jun 2022 17:32:58 -0700 (PDT) MIME-Version: 1.0 References: <20220609221702.347522-1-morbo@google.com> <20220609152527.4ad7862d4126e276e6f76315@linux-foundation.org> In-Reply-To: <20220609152527.4ad7862d4126e276e6f76315@linux-foundation.org> From: Nick Desaulniers Date: Thu, 9 Jun 2022 17:32:46 -0700 Message-ID: Subject: Re: [PATCH 00/12] Clang -Wformat warning fixes To: Andrew Morton , Bill Wendling , Randy Dunlap Cc: Bill Wendling , Tony Luck , Borislav Petkov , Thomas Gleixner , Ingo Molnar , Dave Hansen , "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" , "H. Peter Anvin" , Phillip Potter , Arnd Bergmann , Greg Kroah-Hartman , "Rafael J. Wysocki" , Jan Kara , Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Jaroslav Kysela , Takashi Iwai , Nathan Chancellor , Tom Rix , Ross Philipson , Daniel Kiper , linux-edac@vger.kernel.org, LKML , ACPI Devel Maling List , Linux Memory Management List , netfilter-devel@vger.kernel.org, coreteam@netfilter.org, Network Development , alsa-devel@alsa-project.org, clang-built-linux , Justin Stitt , Justin Stitt Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,T_TVD_FUZZY_SECURITIES,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 9, 2022 at 3:25 PM Andrew Morton wrote: > > On Thu, 9 Jun 2022 22:16:19 +0000 Bill Wendling wrote: > > > This patch set fixes some clang warnings when -Wformat is enabled. It looks like this series fixes -Wformat-security, which while being a member of the -Wformat group, is intentionally disabled in the kernel and somewhat orthogonal to enabling -Wformat with Clang. -Wformat is a group flag (like -Wall) that enables multiple other flags implicitly. Reading through clang/include/clang/Basic/DiagnosticGroups.td in clang's sources, it looks like: 1. -Wformat is a group flag. 2. -Wformat-security is a member of the -Wformat group; enabling -Wformat will enable -Wformat-security. 3. -Wformat itself is a member of -Wmost (never heard of -Wmost, but w/e). So -Wmost will enable -Wformat will enable -Wformat-security. 4. -Wmost is itself a member of -Wall. -Wall enables -Wmost enables -Wformat enables -Wformat security. Looking now at Kbuild: 1. Makefile:523 adds -Wall to KBUILD_CFLAGS. 2. The same assignment expression but on line 526 immediately disables -Wformat-security via -Wno-format-security. 3. scripts/Makefile.extrawarn disables -Wformat via -Wno-format only for clang (via guard of CONFIG_CC_IS_CLANG). We _want_ -Wformat enabled for clang so that developers aren't sending patches that trigger -Wformat with GCC (if they didn't happen to test their code with both). It's disabled for clang until we can build the kernel cleanly with it enabled, which we'd like to do. I don't think that we need to enable -Wformat-security to build with -Wformat for clang. I suspect based on Randy's comment on patch 1/12 that perhaps -Wformat was _added_ to KBUILD_CFLAGS in scripts/Makefile.extrawarn rather than -Wno-format being _removed_. The former would re-enable -Wformat-security due to the grouping logic described above. The latter is probably closer to our ultimate goal of enabling -Wformat coverage for clang (or rather not disabling the coverage via -Wno-format; a double negative). I'm pretty sure the kernel doesn't support %n in format strings...see the comment above vsnprintf in lib/vsprintf.c. Are there other attacks other than %n that -Wformat-security guards against? Maybe there's some context on the commit that added -Wno-format-security to the kernel? Regardless, I don't think enabling -Wformat-security is a blocker for enabling -Wformat (or...disabling -Wno-format...two sides of the same coin) for clang. > > > > tldr: > > - printk(msg); > + printk("%s", msg); > > the only reason to make this change is where `msg' could contain a `%'. > Generally, it came from userspace. Otherwise these changes are a > useless consumer of runtime resources. > > I think it would be better to quieten clang in some fashion. -- Thanks, ~Nick Desaulniers