On Wed, Nov 20, 2013 at 2:15 PM, Andrew Morton
<akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, 12 Nov 2013 18:12:32 -0800 (PST) David Rientjes <rientjes@xxxxxxxxxx> wrote:
>
>> Fengguang Wu reports that compiling mm/mempolicy.c results in a warning:
>>
>> mm/mempolicy.c: In function 'mpol_to_str':
>> mm/mempolicy.c:2878:2: error: format not a string literal and no format arguments
>>
>> Kees says this is because he is using -Wformat-security.
>>
>> Silence the warning.
>>
>> ...
>>
>> --- a/mm/mempolicy.c
>> +++ b/mm/mempolicy.c
>> @@ -2950,7 +2950,7 @@ void mpol_to_str(char *buffer, int maxlen, struct mempolicy *pol)
>> return;
>> }
>>
>> - p += snprintf(p, maxlen, policy_modes[mode]);
>> + p += snprintf(p, maxlen, "%s", policy_modes[mode]);
>>
>> if (flags & MPOL_MODE_FLAGS) {
>> p += snprintf(p, buffer + maxlen - p, "=");
>
> mutter. There are no '%'s in policy_modes[]. Maybe we should only do
> this #ifdef CONFIG_KEES.
Yeah, I had offered to just whitelist this in my checker, since it's
the type of const char array that gcc doesn't realize is harmless as
an arg-less format string. Fengguang's reports are way faster than me,
though. :)
> mpol_to_str() would be simpler (and slower) if it was switched to use
> strncat().
>
> It worries me that the CONFIG_NUMA=n version of mpol_to_str() doesn't
> stick a '\0' into *buffer. Hopefully it never gets called...
-Kees
--
Kees Cook
Chrome OS Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxx. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>