Simon Horman <horms@xxxxxxxxxx> writes: > Both gcc-14 and clang-18 report that passing a non-string literal as the > format argument of request_module() is potentially insecure. > > E.g. clang-18 says: > > .../nf_bpf_link.c:46:24: warning: format string is not a string literal (potentially insecure) [-Wformat-security] > 46 | err = request_module(mod); > | ^~~ > .../kmod.h:25:55: note: expanded from macro 'request_module' > 25 | #define request_module(mod...) __request_module(true, mod) > | ^~~ > .../nf_bpf_link.c:46:24: note: treat the string as an argument to avoid this > 46 | err = request_module(mod); > | ^ > | "%s", > .../kmod.h:25:55: note: expanded from macro 'request_module' > 25 | #define request_module(mod...) __request_module(true, mod) > | ^ > > It is always the case where the contents of mod is safe to pass as the > format argument. That is, in my understanding, it never contains any > format escape sequences. > > But, it seems better to be safe than sorry. And, as a bonus, compiler > output becomes less verbose by addressing this issue as suggested by > clang-18. > > No functional change intended. > Compile tested only. > > Signed-off-by: Simon Horman <horms@xxxxxxxxxx> Reviewed-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
