| Lists: | pgsql-hackers |
|---|
| From: | Alan Li <alanwli(at)gmail(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Fixes for compiler warnings |
| Date: | 2009-01-17 09:44:07 |
| Message-ID: | bc34668d0901170144p35d0ee5es9ced4fc7378f9ab@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Attached are patches to fix the following compiler warnings that I see when
using gcc 4.3.2.
MASTER warning:
tablecmds.c: In function 'DropErrorMsgWrongType':
tablecmds.c:601: warning: format not a string literal and no format
arguments
REL8_3_STABLE warnings:
utility.c: In function 'DropErrorMsgWrongType':
utility.c:129: warning: format not a string literal and no format arguments
trigger.c: In function 'ConvertTriggerToFK':
trigger.c:600: warning: format not a string literal and no format arguments
trigger.c:616: warning: format not a string literal and no format arguments
trigger.c:628: warning: format not a string literal and no format arguments
guc.c: In function 'set_config_option':
guc.c:4424: warning: format not a string literal and no format arguments
describe.c: In function 'describeOneTableDetails':
describe.c:1294: warning: format not a string literal and no format
arguments
Alan
| Attachment | Content-Type | Size |
|---|---|---|
| trunk.diff | text/x-patch | 852 bytes |
| 8_3.diff | text/x-patch | 5.0 KB |
| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | Alan Li <alanwli(at)gmail(dot)com> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-17 23:34:09 |
| Message-ID: | 200901180134.10251.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
On Saturday 17 January 2009 11:44:07 Alan Li wrote:
> Attached are patches to fix the following compiler warnings that I see when
> using gcc 4.3.2.
>
> MASTER warning:
> tablecmds.c: In function 'DropErrorMsgWrongType':
> tablecmds.c:601: warning: format not a string literal and no format
> arguments
>
> REL8_3_STABLE warnings:
> utility.c: In function 'DropErrorMsgWrongType':
> utility.c:129: warning: format not a string literal and no format arguments
> trigger.c: In function 'ConvertTriggerToFK':
> trigger.c:600: warning: format not a string literal and no format arguments
> trigger.c:616: warning: format not a string literal and no format arguments
> trigger.c:628: warning: format not a string literal and no format arguments
> guc.c: In function 'set_config_option':
> guc.c:4424: warning: format not a string literal and no format arguments
> describe.c: In function 'describeOneTableDetails':
> describe.c:1294: warning: format not a string literal and no format
> arguments
You apparently have your compiler configured with -Wformat-security. Our code
doesn't do that. I think the cases the warning complains about are fine and
the way the warning is designed is a bit bogus.
| From: | Gregory Stark <stark(at)enterprisedb(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org, Alan Li <alanwli(at)gmail(dot)com> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-18 01:12:36 |
| Message-ID: | 87k58tct8b.fsf@oxford.xeocode.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> You apparently have your compiler configured with -Wformat-security. Our code
> doesn't do that. I think the cases the warning complains about are fine and
> the way the warning is designed is a bit bogus.
Hm, only a bit. You know, we've had precisely this bug at least once not that
long ago. And the way the warning is designed it won't fire any false
positives except in cases that are easily avoided.
There's an argument to be made that the code is easier to audit if you put the
"%s" format string in explicitly too. Even if the current code is correct you
have to trace the variable back up to its source to be sure. If you add the
escape then you can see that the code is safe just from that line of code
alone.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Ask me about EnterpriseDB's Slony Replication support!
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Gregory Stark <stark(at)enterprisedb(dot)com> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, Alan Li <alanwli(at)gmail(dot)com> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-18 06:28:51 |
| Message-ID: | 23977.1232260131@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Gregory Stark <stark(at)enterprisedb(dot)com> writes:
> There's an argument to be made that the code is easier to audit if you put the
> "%s" format string in explicitly too.
Yeah, the risk this is trying to guard against is variables containing
"%" unexpectedly. Even if that's not possible, it requires some work
to verify and it's a bit fragile. I didn't look at the specific cases
yet but in general I think this is a good policy.
One thing to watch out for is that the intention may have been to allow
the strings to be translated.
regards, tom lane
| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Gregory Stark <stark(at)enterprisedb(dot)com>, Alan Li <alanwli(at)gmail(dot)com> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-18 09:56:51 |
| Message-ID: | 200901181156.52475.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
On Sunday 18 January 2009 08:28:51 Tom Lane wrote:
> Yeah, the risk this is trying to guard against is variables containing
> "%" unexpectedly. Even if that's not possible, it requires some work
> to verify and it's a bit fragile. I didn't look at the specific cases
> yet but in general I think this is a good policy.
-Wformat-security warns about
printf(var);
but not about
printf(var, a);
I don't understand that; the crash or exploit potential is pretty much the
same in both cases.
-Wformat-nonliteral warns about both cases. We have legitimate code that
requires this, however.
What would be helpful is a way to individually override the warning for the
rare code where you know what you are doing.
| From: | Grzegorz Jaskiewicz <gj(at)pointblue(dot)com(dot)pl> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | pgsql-hackers Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-18 10:43:46 |
| Message-ID: | C51B6AFA-9588-4823-80CD-53C5BD7AD88A@pointblue.com.pl |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
On 2009-01-18, at 09:56, Peter Eisentraut wrote:
> On Sunday 18 January 2009 08:28:51 Tom Lane wrote:
>> Yeah, the risk this is trying to guard against is variables
>> containing
>> "%" unexpectedly. Even if that's not possible, it requires some work
>> to verify and it's a bit fragile. I didn't look at the specific
>> cases
>> yet but in general I think this is a good policy.
>
> -Wformat-security warns about
>
> printf(var);
>
> but not about
>
> printf(var, a);
>
> I don't understand that; the crash or exploit potential is pretty
> much the
> same in both cases.
not at all. First case allows you to pass in var from outside, with
your, well crafted format strings. Please read more about subject,
before you say something that silly.
| From: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> |
|---|---|
| To: | Grzegorz Jaskiewicz <gj(at)pointblue(dot)com(dot)pl> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-18 15:00:56 |
| Message-ID: | 49734428.7090308@enterprisedb.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Grzegorz Jaskiewicz wrote:
> On 2009-01-18, at 09:56, Peter Eisentraut wrote:
>> -Wformat-security warns about
>>
>> printf(var);
>>
>> but not about
>>
>> printf(var, a);
>>
>> I don't understand that; the crash or exploit potential is pretty much
>> the
>> same in both cases.
> not at all. First case allows you to pass in var from outside, with
> your, well crafted format strings. Please read more about subject,
> before you say something that silly.
The point is that if "var" comes from an untrusted source, both forms
are just as dangerous.
I guess that in practice, the first form is more likely to be an oversight.
--
Heikki Linnakangas
EnterpriseDB http://www.enterprisedb.com
| From: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Cc: | Grzegorz Jaskiewicz <gj(at)pointblue(dot)com(dot)pl> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-18 20:16:23 |
| Message-ID: | 200901182216.24364.peter_e@gmx.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
On Sunday 18 January 2009 12:43:46 Grzegorz Jaskiewicz wrote:
> > -Wformat-security warns about
> >
> > printf(var);
> >
> > but not about
> >
> > printf(var, a);
> >
> > I don't understand that; the crash or exploit potential is pretty
> > much the
> > same in both cases.
>
> not at all. First case allows you to pass in var from outside, with
> your, well crafted format strings. Please read more about subject,
> before you say something that silly.
If your premise is that var is passed in from the outside, then the real issue
is the %n placeholder. And then it doesn't matter how many variadic args you
pass.
| From: | Jeroen Vermeulen <jtv(at)xs4all(dot)nl> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Gregory Stark <stark(at)enterprisedb(dot)com>, Alan Li <alanwli(at)gmail(dot)com> |
| Subject: | Re: Fixes for compiler warnings |
| Date: | 2009-01-20 16:01:19 |
| Message-ID: | 4975F54F.4000703@xs4all.nl |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Lists: | pgsql-hackers |
Peter Eisentraut wrote:
> -Wformat-security warns about
>
> printf(var);
>
> but not about
>
> printf(var, a);
>
> I don't understand that; the crash or exploit potential is pretty much the
> same in both cases.
Not sure this is the reason, but in the first case any risk is trivially
avoided by using puts() or printf("%s", var) instead. So printf(var) is
almost certainly not what you mean.
I think that's a reasonable warning to have enabled, whereas the other
one is more of a "try it sometime, you might find something" kind of
warning.
Jeroen