linux-kernel.vger.kernel.org archive mirror
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
To: Kees Cook <keescook@chromium.org>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Subject: [RFC PATCH 1/7] compiler_attributes.h: add __attribute__((format_arg)) shorthand
Date: Sat, 27 Oct 2018 01:24:03 +0200
Message-ID: <20181026232409.16100-2-linux@rasmusvillemoes.dk>
In-Reply-To: <20181026232409.16100-1-linux@rasmusvillemoes.dk>

The __format_arg attribute tells gcc that it can use a specific
argument to the annotated function as the format string for the
purpose of type-checking a surrounding __printf function call. For
example, assuming one has a fmtcheck function declared as

  const char *fmtcheck(const char *, const char *, unsigned) __format_arg(2);

and this is used in

  sprintf(buf, fmtcheck(what->ever, "%d %lx", 0), i, m)

gcc checks that the varargs (i and m) match the second argument to the
fmtcheck function, i.e. that they are (int, long). With

  sprintf(buf, what->ever, i, m)

the compiler cannot do any type checking.

Even a static inline fmtcheck() that just returns its first argument
would provide documentation for which specifiers what->ever is supposed
to contain, but we'll implement an actual run-time check later.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
---
 include/linux/compiler_attributes.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/include/linux/compiler_attributes.h b/include/linux/compiler_attributes.h
index 6b28c1b7310c..08264df52322 100644
--- a/include/linux/compiler_attributes.h
+++ b/include/linux/compiler_attributes.h
@@ -32,6 +32,7 @@
 # define __GCC4_has_attribute___assume_aligned__      (__GNUC_MINOR__ >= 9)
 # define __GCC4_has_attribute___designated_init__     0
 # define __GCC4_has_attribute___externally_visible__  1
+# define __GCC4_has_attribute___format_arg__          1
 # define __GCC4_has_attribute___noclone__             1
 # define __GCC4_has_attribute___optimize__            1
 # define __GCC4_has_attribute___nonstring__           0
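Review bot: The new `__GCC4_has_attribute___format_arg__` entry is set to 1 unconditionally, while a neighbouring entry such as `__GCC4_has_attribute___assume_aligned__` is gated on `__GNUC_MINOR__ >= 9`, and the changelog does not say which gcc release first accepted format_arg. Please state in the commit message that every gcc 4.x this table covers supports the attribute, or gate the define on the minor version the way the neighbouring entry does.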
@@ -140,6 +141,18 @@
 #define __printf(a, b)                  __attribute__((__format__(printf, a, b)))
 #define __scanf(a, b)                   __attribute__((__format__(scanf, a, b)))
 
+/*
+ * Optional
+ *
+ *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-format_005farg-function-attribute
+ * clang: apparently supported, but undocumented
+ */
+#if __has_attribute(__format_arg__)
+# define __format_arg(n) __attribute__((__format_arg__(n)))
+#else
+# define __format_arg(n)
+#endif
+
 /*
  *   gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-gnu_005finline-function-attribute
  * clang: https://clang.llvm.org/docs/AttributeReference.html#gnu-inline
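Review bot: The comment line "clang: apparently supported, but undocumented" in the new block is too vague next to entries that link to compiler documentation; name the clang version the attribute was tested with, or drop "apparently" and rely on the `__has_attribute(__format_arg__)` guard that already covers compilers without it. It would also help to add one line saying that `n` is the position of the format-string parameter of the annotated function, as in the changelog's `__format_arg(2)` example, since the empty fallback means a wrong index goes unnoticed on compilers that lack the attribute.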
-- 
2.19.1.6.gbde171bbf5
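
The combination the commit message describes (compile-time checking through format_arg plus a run-time check of the untrusted string) can be sketched in user space as below. This is an added example, not code from this patch series: `fmtcheck_demo`, its two-argument signature, `fmt_signature`, `render` and the rule "specifiers must be identical, otherwise use the template" are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Reduce a format to what it consumes, e.g. "%5d %lx" -> "d;lx;". */
static int fmt_signature(const char *fmt, char *sig, size_t len)
{
	size_t n = 0;
	for (; (fmt = strchr(fmt, '%')) != NULL; fmt++) {
		if (*++fmt == '%')
			continue;	/* "%%" consumes no argument */
		for (;; fmt++) {
			if (!*fmt || n + 3 > len)
				return -1;	/* truncated spec or signature too long */
			if (strchr("-+ #0123456789.", *fmt))
				continue;	/* flags, width, precision */
			sig[n++] = *fmt;	/* '*', length modifier or conversion */
			if (!strchr("*hlLjzt", *fmt))
				break;	/* conversion character ends the spec */
		}
		sig[n++] = ';';
	}
	sig[n] = '\0';
	return 0;
}

/* Hypothetical stand-in for fmtcheck(); argument 2 is the checked format. */
__attribute__((format_arg(2)))
static const char *fmtcheck_demo(const char *fmt, const char *tmpl)
{
	char a[64], b[64];
	if (fmt && !fmt_signature(fmt, a, sizeof(a)) &&
	    !fmt_signature(tmpl, b, sizeof(b)) && !strcmp(a, b))
		return fmt;
	return tmpl;	/* mismatch: fall back to the trusted literal */
}

/* -Wformat type-checks i and m against the literal "%d %lx" here. */
static int render(char *buf, size_t len, const char *fmt, int i, unsigned long m)
{
	return snprintf(buf, len, fmtcheck_demo(fmt, "%d %lx"), i, m);
}

int main(void)
{
	char buf[64];
	render(buf, sizeof(buf), "%s%s", 7, 0xffUL);	/* constructed bad input */
	return puts(buf) < 0;	/* prints "7 ff": the template was used */
}
```

Changing `m` to a pointer type in `render` makes gcc and clang warn at compile time, even though the string actually passed to snprintf is not a literal.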


Thread overview: 31+ messages
2017-11-08 22:30 [RFC 0/6] some compile- and run-time format checking Rasmus Villemoes
2017-11-08 22:30 ` [RFC 1/6] plugins: implement format_template attribute Rasmus Villemoes
2017-11-08 22:30 ` [RFC 2/6] compiler.h: add __format_template Rasmus Villemoes
2017-11-08 22:30 ` [RFC 3/6] compiler.h: add __attribute__((format_arg)) shorthand Rasmus Villemoes
2017-11-08 22:30 ` [RFC 4/6] lib/vsprintf.c: add fmtcheck utility Rasmus Villemoes
2017-11-09  1:08   ` Kees Cook
2017-11-08 22:30 ` [RFC 5/6] kernel.h: implement fmtmatch() wrapper around fmtcheck() Rasmus Villemoes
2017-11-08 22:30 ` [RFC 6/6] lib/test_printf.c: add a few fmtcheck() test cases Rasmus Villemoes
2017-11-09  1:11 ` [RFC 0/6] some compile- and run-time format checking Kees Cook
2017-11-09 14:08   ` Rasmus Villemoes
2018-10-26 23:24 ` [RFC PATCH 0/7] runtime format string checking Rasmus Villemoes
2018-10-26 23:24   ` Rasmus Villemoes [this message]
2018-10-27 12:06     ` [RFC PATCH 1/7] compiler_attributes.h: add __attribute__((format_arg)) shorthand Miguel Ojeda
2018-10-29 10:20       ` Rasmus Villemoes
2018-10-29 19:17         ` Miguel Ojeda
2018-11-02 10:36       ` Miguel Ojeda
2018-11-02 10:43         ` Rasmus Villemoes
2019-01-09 10:57           ` Miguel Ojeda
2018-10-26 23:24   ` [RFC PATCH 2/7] lib/vsprintf.c: add fmtcheck utility Rasmus Villemoes
2018-10-26 23:24   ` [RFC PATCH 3/7] kernel.h: implement fmtmatch() wrapper around fmtcheck() Rasmus Villemoes
2018-10-26 23:24   ` [RFC PATCH 4/7] lib/test_printf.c: add a few fmtcheck() test cases Rasmus Villemoes
2018-10-26 23:24   ` [RFC PATCH 5/7] kernel/kthread.c: do runtime check of format string in kthread_create_on_cpu() Rasmus Villemoes
2018-10-26 23:24   ` [RFC PATCH 6/7] nfs: use fmtcheck() in root_nfs_data Rasmus Villemoes
2018-10-26 23:24   ` [RFC PATCH 7/7] drivers: hwmon: add runtime format string checking Rasmus Villemoes
2018-10-27 17:44     ` Guenter Roeck
2018-10-30 20:58   ` [RFC PATCH 0/7] " Kees Cook
2018-11-01 22:06     ` Rasmus Villemoes
2018-11-01 22:57       ` Kees Cook
2018-11-02 20:09         ` Rasmus Villemoes
2018-11-02 20:46           ` Kees Cook
2018-11-05  9:33         ` Rasmus Villemoes
