Enabling "-Werror=format-security" by default

Mark Wielaard mjw at redhat.com
Wed Nov 20 21:03:48 UTC 2013


On Wed, 2013-11-20 at 23:15 +0530, Dhiru Kholia wrote:
> On 11/20/13 at 11:16am, David Smith wrote:
> > > On 11/20/13 at 09:27pm, Dhiru Kholia wrote:
> > > A list of packages which FTBFS is available at,
> > >
> > > http://people.fedoraproject.org/~halfie/rebuild-logs.txt
> >
> > Looking at the list, I see several (~17) packages with errors of the form:
> >
> > error: -Wformat-security ignored without -Wformat [-Werror=format-security]
> >
> > Which is an error, but not exactly what you are trying to catch. Got any
> > ideas on what is going on here?
> 
> Hi David,
> 
> Excellent catch! I took a quick look and it seems that these packages
> are trying to use custom compilation flags.
> 
> E.g. p0f-3.06b-3.fc20.src.rpm has a line which says,
> 
> BASIC_CFLAGS="-Wall -Wno-format -I/usr/local/include/ \
>               -I/opt/local/include/ -DVERSION=\"$VERSION\" $CFLAGS"
> 
> 
> The usage of hard-coded "-Wno-format" flag conflicts with our desired
> "-Werror=format-security" flag.
> [...]
> The very next project I am (and was) planning to work on, is to detect
> packages which try to use custom compilation flags ;)

elfutils seems to be in somewhat of the same situation, although
slightly different. Upstream does actually explicitly enable -Werror
-Wformat=2 for all files, but has 5 exceptions for which it uses
-Wno-format which then clashes with the setting of -Wformat-security.

The reason such files use -Wno-format is either because they have some
helper method such as:

ssize_t
regtype (const char *setname, int type, const char *fmt, int arg)
{
   [...]
   int s = snprintf (name, namelen, fmt, arg);

which is always called with a static fmt string, but gcc is unable to
detect that.

Or it contains code that creates a format string such as by:

/* Location print format string.  */
static const char *locfmt;

[...]

parse_opt()

      switch (arg[0])
        {
        case 'd':
          locfmt = "%7" PRId64 " ";
          break;

        case 'o':
        octfmt:
          locfmt = "%7" PRIo64 " ";
          break;

        case 'x':
          locfmt = "%7" PRIx64 " ";
          break;

        default:
          error (0, 0, gettext ("invalid value '%s' ...

[...]

process()
              if (unlikely (locfmt != NULL))
                printf (locfmt, (int64_t) to - len - (buf - start));

Where gcc again seems unable to detect that the locfmt string is a
constant string.

How to deal with such cases?

Thanks,

Mark
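
One way to handle the locfmt pattern above without -Wno-format, as an added example that is not part of the original message or of elfutils: store which radix was selected instead of a pointer to a format string, so that every printf-family call is given a string literal that gcc can check under -Wformat=2. The names loc_radix, parse_radix and format_loc are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical replacement for "static const char *locfmt": remember
   the selected radix, not a format string.  */
enum loc_radix { LOC_NONE, LOC_DEC, LOC_OCT, LOC_HEX };

/* Option parsing side: map the option character to a radix.
   LOC_NONE means "invalid value", which the caller reports.  */
static enum loc_radix
parse_radix (char c)
{
  switch (c)
    {
    case 'd': return LOC_DEC;
    case 'o': return LOC_OCT;
    case 'x': return LOC_HEX;
    default:  return LOC_NONE;
    }
}

/* Print side: each call has a literal format, so the compiler can
   verify the arguments and no non-literal format string exists.  */
static int
format_loc (char *buf, size_t len, enum loc_radix radix, int64_t off)
{
  switch (radix)
    {
    case LOC_DEC: return snprintf (buf, len, "%7" PRId64 " ", off);
    case LOC_OCT: return snprintf (buf, len, "%7" PRIo64 " ", (uint64_t) off);
    case LOC_HEX: return snprintf (buf, len, "%7" PRIx64 " ", (uint64_t) off);
    case LOC_NONE: break;
    }
  if (len > 0)
    buf[0] = '\0';   /* nothing selected: produce an empty string */
  return 0;
}

int
main (void)
{
  char buf[32];
  if (format_loc (buf, sizeof buf, parse_radix ('x'), 255) > 0)
    puts (buf);      /* constructed sample value */
  return 0;
}
```

The same idea does not directly cover the regtype() helper, whose format arrives as a parameter; that case needs the literal moved to the call sites or a narrowly scoped diagnostic suppression.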


