Re: [linux-devel:devel-lkp-ib03-powerpc-201501140043 30/31] drivers/scsi/scsi_logging.c:254:3: error: format not a string literal and no format arguments

James Bottomley <jbottomley@xxxxxxxxxxxxx> · Tue, 13 Jan 2015 17:30:20 +0000

On Wed, 2015-01-14 at 01:21 +0800, kbuild test robot wrote:
> Hi Wu,
> 
> FYI, this happens on a merge commit, which indicates conflicting
> changes with one of the below merged branches.
> 
> d48f782 Merge 'scsi/for-next' into devel-lkp-ib03-powerpc-201501140043
> c03f620 Merge 'sound/for-next' into devel-lkp-ib03-powerpc-201501140043
> f9d968f Merge 'at91/at91-3.20-dt' into devel-lkp-ib03-powerpc-201501140043
> 9adbf93 Merge 'at91/at91-3.20-cleanup' into devel-lkp-ib03-powerpc-201501140043
> dd4d940 Merge 'kgene-samsung/for-next' into devel-lkp-ib03-powerpc-201501140043
> e61b26d Merge 'kees/yama/extras' into devel-lkp-ib03-powerpc-201501140043
> b852bd4 Merge 'kees/seccomp/tip' into devel-lkp-ib03-powerpc-201501140043
> 4ba9b87 Merge 'kees/nak/tcp-simult' into devel-lkp-ib03-powerpc-201501140043
> b55d682 Merge 'kees/nak/recv-leak' into devel-lkp-ib03-powerpc-201501140043
> 817fdb5 Merge 'kees/nak/proc-r' into devel-lkp-ib03-powerpc-201501140043
> 19df2de Merge 'kees/nak/fw-relative' into devel-lkp-ib03-powerpc-201501140043
> ce34254 Merge 'kees/nak/devtmpfs-safe' into devel-lkp-ib03-powerpc-201501140043
> 679bbc0 Merge 'kees/nak/dcache-oob-read' into devel-lkp-ib03-powerpc-201501140043
> 9ec475e Merge 'kees/lsm/stacking' into devel-lkp-ib03-powerpc-201501140043
> 1f17f0c Merge 'kees/lsm/mnt-restrict' into devel-lkp-ib03-powerpc-201501140043
> 7c1ed3b Merge 'kees/kaslr/4G' into devel-lkp-ib03-powerpc-201501140043
> 9730611 Merge 'kees/gcc-bug' into devel-lkp-ib03-powerpc-201501140043
> 9d54827 Merge 'kees/fw-restrict/fd' into devel-lkp-ib03-powerpc-201501140043
> 1bd8bc9 Merge 'kees/format-security' into devel-lkp-ib03-powerpc-201501140043
> d034622 Merge 'tixy/kprobes-opt' into devel-lkp-ib03-powerpc-201501140043
> 9eae903 Merge 'm68k/m68k-queue' into devel-lkp-ib03-powerpc-201501140043
> 4f2315d Merge 'renesas/dt-for-v3.20' into devel-lkp-ib03-powerpc-201501140043
> c6d07d9 Merge 'renesas/devel' into devel-lkp-ib03-powerpc-201501140043
> dc94109 Merge 'mediatek/v3.20-next/for-next' into devel-lkp-ib03-powerpc-201501140043
> 92f43df Merge 'mediatek/v3.20-next/dts' into devel-lkp-ib03-powerpc-201501140043
> 02c9f79 Merge 'tj-libata/for-next' into devel-lkp-ib03-powerpc-201501140043
> 886b78a Merge 'tj-libata/for-3.20' into devel-lkp-ib03-powerpc-201501140043
> 86df050 Merge 'tj-libata/for-3.19-fixes' into devel-lkp-ib03-powerpc-201501140043
> 603deae Merge 'slave-dma/next' into devel-lkp-ib03-powerpc-201501140043
> 447977c 0day base guard for 'devel-lkp-ib03-powerpc-201501140043'
> eaa27f3 linux 3.19-rc4
> 
> 
> tree:   git://internal_merge_and_test_tree devel-lkp-ib03-powerpc-201501140043
> head:   504d72416a8c64ecd470fbc4b7ba479d643e0e11
> commit: d48f782cad84c2c3b2686731110e53745f92f9ad [30/31] Merge 'scsi/for-next' into devel-lkp-ib03-powerpc-201501140043
> config: powerpc-defconfig (attached as .config)
> reproduce:
>   wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
>   chmod +x ~/bin/make.cross
>   git checkout d48f782cad84c2c3b2686731110e53745f92f9ad
>   # save the attached .config to linux build tree
>   make.cross ARCH=powerpc 
> 
> All error/warnings:
> 
>    drivers/scsi/scsi_logging.c: In function 'scsi_print_command':
> >> drivers/scsi/scsi_logging.c:254:3: error: format not a string literal and no format arguments [-Werror=format-security]
>       dev_printk(KERN_INFO, &cmd->device->sdev_gendev, logbuf);
>       ^
> >> drivers/scsi/scsi_logging.c:273:8: error: format not a string literal and no format arguments [-Werror=format-security]
>            logbuf);
>            ^
> >> drivers/scsi/scsi_logging.c:285:2: error: format not a string literal and no format arguments [-Werror=format-security]
>      dev_printk(KERN_INFO, &cmd->device->sdev_gendev, logbuf);
>      ^
>    drivers/scsi/scsi_logging.c: In function 'scsi_log_dump_sense':
> >> drivers/scsi/scsi_logging.c:363:3: error: format not a string literal and no format arguments [-Werror=format-security]
>       dev_printk(KERN_INFO, &sdev->sdev_gendev, logbuf);
>       ^
>    drivers/scsi/scsi_logging.c: In function 'scsi_log_print_sense_hdr':
> >> drivers/scsi/scsi_logging.c:380:2: error: format not a string literal and no format arguments [-Werror=format-security]
>      dev_printk(KERN_INFO, &sdev->sdev_gendev, logbuf);
>      ^
> >> drivers/scsi/scsi_logging.c:389:2: error: format not a string literal and no format arguments [-Werror=format-security]
>      dev_printk(KERN_INFO, &sdev->sdev_gendev, logbuf);
>      ^
>    drivers/scsi/scsi_logging.c: In function 'scsi_print_result':
> >> drivers/scsi/scsi_logging.c:486:2: error: format not a string literal and no format arguments [-Werror=format-security]
>      dev_printk(KERN_INFO, &cmd->device->sdev_gendev, logbuf);
>      ^
>    cc1: some warnings being treated as errors
> 
> vim +254 drivers/scsi/scsi_logging.c
> 
> 9e5ed2a5 Hannes Reinecke 2015-01-08  248  		goto out_printk;
> 9e5ed2a5 Hannes Reinecke 2015-01-08  249  
> 9e5ed2a5 Hannes Reinecke 2015-01-08  250  	/* print out all bytes in cdb */
> 9e5ed2a5 Hannes Reinecke 2015-01-08  251  	if (cmd->cmd_len > 16) {
> 9e5ed2a5 Hannes Reinecke 2015-01-08  252  		/* Print opcode in one line and use separate lines for CDB */
> 9e5ed2a5 Hannes Reinecke 2015-01-08  253  		off += scnprintf(logbuf + off, logbuf_len - off, "\n");
> 9e5ed2a5 Hannes Reinecke 2015-01-08 @254  		dev_printk(KERN_INFO, &cmd->device->sdev_gendev, logbuf);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  255  		scsi_log_release_buffer(logbuf);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  256  		for (k = 0; k < cmd->cmd_len; k += 16) {
> 9e5ed2a5 Hannes Reinecke 2015-01-08  257  			size_t linelen = min(cmd->cmd_len - k, 16);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  258  
> 9e5ed2a5 Hannes Reinecke 2015-01-08  259  			logbuf = scsi_log_reserve_buffer(&logbuf_len);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  260  			if (!logbuf)
> 9e5ed2a5 Hannes Reinecke 2015-01-08  261  				break;
> 21045519 Hannes Reinecke 2015-01-08  262  			off = sdev_format_header(logbuf, logbuf_len,
> 21045519 Hannes Reinecke 2015-01-08  263  						 scmd_name(cmd),
> 9e5ed2a5 Hannes Reinecke 2015-01-08  264  						 cmd->request->tag);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  265  			if (!WARN_ON(off > logbuf_len - 58)) {
> 9e5ed2a5 Hannes Reinecke 2015-01-08  266  				off += scnprintf(logbuf + off, logbuf_len - off,
> 9e5ed2a5 Hannes Reinecke 2015-01-08  267  						 "CDB[%02x]: ", k);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  268  				hex_dump_to_buffer(&cmd->cmnd[k], linelen,
> 9e5ed2a5 Hannes Reinecke 2015-01-08  269  						   16, 1, logbuf + off,
> 9e5ed2a5 Hannes Reinecke 2015-01-08  270  						   logbuf_len - off, false);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  271  			}
> 9e5ed2a5 Hannes Reinecke 2015-01-08  272  			dev_printk(KERN_INFO, &cmd->device->sdev_gendev,
> 9e5ed2a5 Hannes Reinecke 2015-01-08 @273  				   logbuf);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  274  			scsi_log_release_buffer(logbuf);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  275  		}
> 9e5ed2a5 Hannes Reinecke 2015-01-08  276  		return;
> 9e5ed2a5 Hannes Reinecke 2015-01-08  277  	}
> 9e5ed2a5 Hannes Reinecke 2015-01-08  278  	if (!WARN_ON(off > logbuf_len - 49)) {
> 9e5ed2a5 Hannes Reinecke 2015-01-08  279  		off += scnprintf(logbuf + off, logbuf_len - off, " ");
> 9e5ed2a5 Hannes Reinecke 2015-01-08  280  		hex_dump_to_buffer(cmd->cmnd, cmd->cmd_len, 16, 1,
> 9e5ed2a5 Hannes Reinecke 2015-01-08  281  				   logbuf + off, logbuf_len - off,
> 9e5ed2a5 Hannes Reinecke 2015-01-08  282  				   false);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  283  	}
> 9e5ed2a5 Hannes Reinecke 2015-01-08  284  out_printk:
> 9e5ed2a5 Hannes Reinecke 2015-01-08 @285  	dev_printk(KERN_INFO, &cmd->device->sdev_gendev, logbuf);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  286  	scsi_log_release_buffer(logbuf);
> 9e5ed2a5 Hannes Reinecke 2015-01-08  287  }
> 9e5ed2a5 Hannes Reinecke 2015-01-08  288  EXPORT_SYMBOL(scsi_print_command);
> 21045519 Hannes Reinecke 2015-01-08  289  
> 21045519 Hannes Reinecke 2015-01-08  290  static size_t
> 21045519 Hannes Reinecke 2015-01-08  291  scsi_format_extd_sense(char *buffer, size_t buf_len,
> 21045519 Hannes Reinecke 2015-01-08  292  		       unsigned char asc, unsigned char ascq)
> 21045519 Hannes Reinecke 2015-01-08  293  {
> 21045519 Hannes Reinecke 2015-01-08  294  	size_t off = 0;
> 21045519 Hannes Reinecke 2015-01-08  295  	const char *extd_sense_fmt = NULL;
> 21045519 Hannes Reinecke 2015-01-08  296  	const char *extd_sense_str = scsi_extd_sense_format(asc, ascq,
> 21045519 Hannes Reinecke 2015-01-08  297  							    &extd_sense_fmt);
> 21045519 Hannes Reinecke 2015-01-08  298  
> 21045519 Hannes Reinecke 2015-01-08  299  	if (extd_sense_str) {
> 21045519 Hannes Reinecke 2015-01-08  300  		off = scnprintf(buffer, buf_len, "Add. Sense: %s",
> 21045519 Hannes Reinecke 2015-01-08  301  				extd_sense_str);
> 21045519 Hannes Reinecke 2015-01-08  302  		if (extd_sense_fmt)
> 21045519 Hannes Reinecke 2015-01-08  303  			off += scnprintf(buffer + off, buf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  304  					 "(%s%x)", extd_sense_fmt, ascq);
> 21045519 Hannes Reinecke 2015-01-08  305  	} else {
> 21045519 Hannes Reinecke 2015-01-08  306  		if (asc >= 0x80)
> 21045519 Hannes Reinecke 2015-01-08  307  			off = scnprintf(buffer, buf_len, "<<vendor>>");
> 21045519 Hannes Reinecke 2015-01-08  308  		off += scnprintf(buffer + off, buf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  309  				 "ASC=0x%x ", asc);
> 21045519 Hannes Reinecke 2015-01-08  310  		if (ascq >= 0x80)
> 21045519 Hannes Reinecke 2015-01-08  311  			off += scnprintf(buffer + off, buf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  312  					 "<<vendor>>");
> 21045519 Hannes Reinecke 2015-01-08  313  		off += scnprintf(buffer + off, buf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  314  				 "ASCQ=0x%x ", ascq);
> 21045519 Hannes Reinecke 2015-01-08  315  	}
> 21045519 Hannes Reinecke 2015-01-08  316  	return off;
> 21045519 Hannes Reinecke 2015-01-08  317  }
> 21045519 Hannes Reinecke 2015-01-08  318  
> 21045519 Hannes Reinecke 2015-01-08  319  static size_t
> 21045519 Hannes Reinecke 2015-01-08  320  scsi_format_sense_hdr(char *buffer, size_t buf_len,
> 21045519 Hannes Reinecke 2015-01-08  321  		      const struct scsi_sense_hdr *sshdr)
> 21045519 Hannes Reinecke 2015-01-08  322  {
> 21045519 Hannes Reinecke 2015-01-08  323  	const char *sense_txt;
> 21045519 Hannes Reinecke 2015-01-08  324  	size_t off;
> 21045519 Hannes Reinecke 2015-01-08  325  
> 21045519 Hannes Reinecke 2015-01-08  326  	off = scnprintf(buffer, buf_len, "Sense Key : ");
> 21045519 Hannes Reinecke 2015-01-08  327  	sense_txt = scsi_sense_key_string(sshdr->sense_key);
> 21045519 Hannes Reinecke 2015-01-08  328  	if (sense_txt)
> 21045519 Hannes Reinecke 2015-01-08  329  		off += scnprintf(buffer + off, buf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  330  				 "%s ", sense_txt);
> 21045519 Hannes Reinecke 2015-01-08  331  	else
> 21045519 Hannes Reinecke 2015-01-08  332  		off += scnprintf(buffer + off, buf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  333  				 "0x%x ", sshdr->sense_key);
> 21045519 Hannes Reinecke 2015-01-08  334  	off += scnprintf(buffer + off, buf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  335  		scsi_sense_is_deferred(sshdr) ? "[deferred] " : "[current] ");
> 21045519 Hannes Reinecke 2015-01-08  336  
> 21045519 Hannes Reinecke 2015-01-08  337  	if (sshdr->response_code >= 0x72)
> 21045519 Hannes Reinecke 2015-01-08  338  		off += scnprintf(buffer + off, buf_len - off, "[descriptor] ");
> 21045519 Hannes Reinecke 2015-01-08  339  	return off;
> 21045519 Hannes Reinecke 2015-01-08  340  }
> 21045519 Hannes Reinecke 2015-01-08  341  
> 21045519 Hannes Reinecke 2015-01-08  342  static void
> 21045519 Hannes Reinecke 2015-01-08  343  scsi_log_dump_sense(const struct scsi_device *sdev, const char *name, int tag,
> 21045519 Hannes Reinecke 2015-01-08  344  		    const unsigned char *sense_buffer, int sense_len)
> 21045519 Hannes Reinecke 2015-01-08  345  {
> 21045519 Hannes Reinecke 2015-01-08  346  	char *logbuf;
> 21045519 Hannes Reinecke 2015-01-08  347  	size_t logbuf_len;
> 21045519 Hannes Reinecke 2015-01-08  348  	int i;
> 21045519 Hannes Reinecke 2015-01-08  349  
> 21045519 Hannes Reinecke 2015-01-08  350  	logbuf = scsi_log_reserve_buffer(&logbuf_len);
> 21045519 Hannes Reinecke 2015-01-08  351  	if (!logbuf)
> 21045519 Hannes Reinecke 2015-01-08  352  		return;
> 21045519 Hannes Reinecke 2015-01-08  353  
> 21045519 Hannes Reinecke 2015-01-08  354  	for (i = 0; i < sense_len; i += 16) {
> 21045519 Hannes Reinecke 2015-01-08  355  		int len = min(sense_len - i, 16);
> 21045519 Hannes Reinecke 2015-01-08  356  		size_t off;
> 21045519 Hannes Reinecke 2015-01-08  357  
> 21045519 Hannes Reinecke 2015-01-08  358  		off = sdev_format_header(logbuf, logbuf_len,
> 21045519 Hannes Reinecke 2015-01-08  359  					 name, tag);
> 21045519 Hannes Reinecke 2015-01-08  360  		hex_dump_to_buffer(&sense_buffer[i], len, 16, 1,
> 21045519 Hannes Reinecke 2015-01-08  361  				   logbuf + off, logbuf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  362  				   false);
> 21045519 Hannes Reinecke 2015-01-08 @363  		dev_printk(KERN_INFO, &sdev->sdev_gendev, logbuf);
> 21045519 Hannes Reinecke 2015-01-08  364  	}
> 21045519 Hannes Reinecke 2015-01-08  365  	scsi_log_release_buffer(logbuf);
> 21045519 Hannes Reinecke 2015-01-08  366  }
> 21045519 Hannes Reinecke 2015-01-08  367  
> 21045519 Hannes Reinecke 2015-01-08  368  static void
> 21045519 Hannes Reinecke 2015-01-08  369  scsi_log_print_sense_hdr(const struct scsi_device *sdev, const char *name,
> 21045519 Hannes Reinecke 2015-01-08  370  			 int tag, const struct scsi_sense_hdr *sshdr)
> 21045519 Hannes Reinecke 2015-01-08  371  {
> 21045519 Hannes Reinecke 2015-01-08  372  	char *logbuf;
> 21045519 Hannes Reinecke 2015-01-08  373  	size_t off, logbuf_len;
> 21045519 Hannes Reinecke 2015-01-08  374  
> 21045519 Hannes Reinecke 2015-01-08  375  	logbuf = scsi_log_reserve_buffer(&logbuf_len);
> 21045519 Hannes Reinecke 2015-01-08  376  	if (!logbuf)
> 21045519 Hannes Reinecke 2015-01-08  377  		return;
> 21045519 Hannes Reinecke 2015-01-08  378  	off = sdev_format_header(logbuf, logbuf_len, name, tag);
> 21045519 Hannes Reinecke 2015-01-08  379  	off += scsi_format_sense_hdr(logbuf + off, logbuf_len - off, sshdr);
> 21045519 Hannes Reinecke 2015-01-08 @380  	dev_printk(KERN_INFO, &sdev->sdev_gendev, logbuf);
> 21045519 Hannes Reinecke 2015-01-08  381  	scsi_log_release_buffer(logbuf);
> 21045519 Hannes Reinecke 2015-01-08  382  
> 21045519 Hannes Reinecke 2015-01-08  383  	logbuf = scsi_log_reserve_buffer(&logbuf_len);
> 21045519 Hannes Reinecke 2015-01-08  384  	if (!logbuf)
> 21045519 Hannes Reinecke 2015-01-08  385  		return;
> 21045519 Hannes Reinecke 2015-01-08  386  	off = sdev_format_header(logbuf, logbuf_len, name, tag);
> 21045519 Hannes Reinecke 2015-01-08  387  	off += scsi_format_extd_sense(logbuf + off, logbuf_len - off,
> 21045519 Hannes Reinecke 2015-01-08  388  				      sshdr->asc, sshdr->ascq);
> 21045519 Hannes Reinecke 2015-01-08 @389  	dev_printk(KERN_INFO, &sdev->sdev_gendev, logbuf);
> 21045519 Hannes Reinecke 2015-01-08  390  	scsi_log_release_buffer(logbuf);
> 21045519 Hannes Reinecke 2015-01-08  391  }
> 21045519 Hannes Reinecke 2015-01-08  392  
> 
> :::::: The code at line 254 was first introduced by commit
> :::::: 9e5ed2a5b3662c6f398023042c02aaa527099a3d scsi: use external buffer for command logging
> 
> :::::: TO: Hannes Reinecke <hare@xxxxxxx>
> :::::: CC: Christoph Hellwig <hch@xxxxxx>

It looks like we're going to need a couple of commits redone; at least 

commit 9e5ed2a5b3662c6f398023042c02aaa527099a3d
Author: Hannes Reinecke <hare@xxxxxxx>
Date:   Thu Jan 8 07:43:44 2015 +0100

    scsi: use external buffer for command logging

and

commit 2104551969e8011e72788dc5674609d437448cf6
Author: Hannes Reinecke <hare@xxxxxxx>
Date:   Thu Jan 8 07:43:46 2015 +0100

    scsi: use per-cpu buffer for formatting sense

Just for everyone's sake the problem is printk format strings (and all
the things that indirect there, like pr_xxx and dev_printk).  We must
never pass a mutable string directly to printk because of the mayhem
that would result if its contents were altered by the user (because some
of the things we do in string format parsing are very dangerous), making
this a potential security issue.  Only ever pass static strings (in the
ro section) to printk formats.

So this is wrong:

dev_printk(KERN_INFO, dev, logbuf);

This is correct:

dev_printk(KERN_INFO, dev, "%s", logbuf);

Thanks,

James

��.n��������+%������w��{.n�����{������ܨ}���Ơz�j:+v�����w����ޙ��&�)ߡ�a����z�ޗ���ݢj��w�f