Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAJfZ7==mdOFbrhuYcKX5gnHk9OHVFNUSj0XGiTZrmWEDRwMMuw@mail.gmail.com>
Date: Wed, 7 Dec 2016 16:54:14 +0100
From: Nicolas Iooss <nicolas.iooss_linux@....org>
To: kernel-hardening@...ts.openwall.com
Subject: Re: Picking "Write a plugin to do format string
 warnings correctly"

On Wed, Dec 7, 2016 at 12:21 AM, Ruslan Kuprieiev <kupruser@...il.com>
wrote:

> Hi!
>
> After watching a bunch of talks from Kees about security, I've finally
> decided to
> try to participate in KSPP.
>
> If it's not taken, I would like to start with this task:
>
>      Write a plugin to do format string warnings correctly (gcc's
> -Wformat-security is bad about const strings)
>
> Unfortunately, I wasn't able to find any details about this task. Could
> someone provide some info about it, please?
>

Hello,
I do not know either what this task is about. Nevertheless I started
writing a plugin to check the %p... format strings in the kernel by
implementing a white-list of types associated to a format (eg. %pd used
with "struct dentry*", %pIS with a sockaddr pointer, etc.). This
work-in-progress plugin is available on
https://github.com/fishilico/linux-patches/blob/master/patches/plugin/Add-printk-format-checker-plugin.patch
and I have used it to find bugs like the one fixed in
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7703773ef1d85b40433902a8da20167331597e4a
.

The main reason why my plugin is still "work-in-progress / not ready for
proper submission" is that it does not support casts well. For example if p
is a void* variable, my plugin sees printk("%s", (char *)p) as using %s on
a void*. I have not yet found how I need to modify the plugin to get the
type-casting information (I may need to specify a suitable gcc pass in the
plugin).

Anyway, as this seems to be something different from "gcc's
-Wformat-security is bad about const strings", the task may be about
something else.

On a related subject, I have also written some patches in order to
automatically silent -Wformat-security warnings when using a variable as a
format string. For example some code in the kernel like to call
request_module(module_name) where module_name is a non-const variable.
Instead of "fixing" such a call with request_module("%s", module_name) I am
working on two patches which define macros to make
request_module(module_name) call a function which does not use a format
string parameter (
https://github.com/fishilico/linux-patches/blob/master/patches/maybe_upstreamable/Allow-overiding-functions-depending-on-the.patch
and
https://github.com/fishilico/linux-patches/blob/master/patches/maybe_upstreamable/Make-request_module-callable-without-a-format.patch).
Would such patches be appreciated in the kernel?

Thanks,
Nicolas

Content of type "text/html" skipped

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.