jvoisin/fortify-headers

stdio.h wrapper produces format-nonliteral warnings on gcc

Closed this issue · 3 comments

For example, when compiling the fgets.c example or any of the tests that include stdio.h:

```
$ "$CC" -Wformat -Wformat-nonliteral -Iinclude -D_FORTIFY_SOURCE=1 -O1 fgets.c
In file included from fgets.c:1:
include/stdio.h: In function 'snprintf':
include/stdio.h:253:9: warning: format not a string literal, argument types not checked [-Wformat-nonliteral]
  253 |         return __orig_snprintf(__s, __n, __f, __builtin_va_arg_pack());
      |         ^~~~~~
include/stdio.h: In function 'sprintf':
include/stdio.h:269:17: warning: format not a string literal, argument types not checked [-Wformat-nonliteral]
  269 |                 __r = __orig_snprintf(__s, __b, __f, __builtin_va_arg_pack());
      |                 ^~~
include/stdio.h:273:17: warning: format not a string literal, argument types not checked [-Wformat-nonliteral]
  273 |                 __r = __orig_sprintf(__s, __f, __builtin_va_arg_pack());
      |                 ^~~
include/stdio.h: In function 'printf':
include/stdio.h:286:9: warning: format not a string literal, argument types not checked [-Wformat-nonliteral]
  286 |         return __orig_printf(__f, __builtin_va_arg_pack());
      |         ^~~~~~
include/stdio.h: In function 'fprintf':
include/stdio.h:300:9: warning: format not a string literal, argument types not checked [-Wformat-nonliteral]
  300 |         return __orig_fprintf(__s, __f, __builtin_va_arg_pack());
      |         ^~~~~~
```

```
$ "$CC" --version
mipsel-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r20028-43d71ad93e) 11.2.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```

This is probably a gcc bug (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110834), however the practical effect of this is that it’s not possible to use FORTIFY and format-nonliteral enforcement in a project at the same time, both of which are very useful from a security perspective.

A concrete example of this is in the context of OpenWrt (openwrt/openwrt#13016), which is currently using the “1.1” version of this project from 2f30.org.

Since, from the point of view of an application, stdio.h is a system header, it’s messy to work around this in an application project directly. Until the gcc bug is fixed (which will probably take a long time), a viable workaround could be to simply suppress this warning within the affected wrapper functions in the fortify-headers stdio.h.
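The workaround proposed in the report above, sketched as an added example (not code from this thread or from fortify-headers, and not necessarily what the fix commit does): the suppression is scoped to the wrapper with `#pragma GCC diagnostic push`/`pop`, while a `format` attribute on the wrapper keeps `-Wformat` checking at call sites. `demo_snprintf` and `format_id` are hypothetical names, `__builtin_snprintf` stands in for the `__orig_snprintf` alias, and the `va_list` branch is an assumption for compilers without `__builtin_va_arg_pack()`.

```c
/* Added illustration; demo_snprintf and format_id are hypothetical names. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && !defined(__clang__)
/* Silence -Wformat-nonliteral for the forwarding wrapper only. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static inline __attribute__((always_inline, format(printf, 3, 4)))
int demo_snprintf(char *s, size_t n, const char *f, ...)
{
    /* Fortify-style check: refuse a size larger than the known buffer. */
    if (n > __builtin_object_size(s, 0))
        __builtin_trap();
    /* __builtin_snprintf stands in for the __orig_snprintf alias. */
    return __builtin_snprintf(s, n, f, __builtin_va_arg_pack());
}
#pragma GCC diagnostic pop
#else
/* Assumption: compilers without __builtin_va_arg_pack() forward a va_list. */
static inline __attribute__((format(printf, 3, 4)))
int demo_snprintf(char *s, size_t n, const char *f, ...)
{
    va_list ap;
    va_start(ap, f);
    int r = vsnprintf(s, n, f, ap);
    va_end(ap);
    return r;
}
#endif

/* Caller outside the pragma region: -Wformat still checks "%d" against id. */
int format_id(char *out, size_t outlen, int id)
{
    return demo_snprintf(out, outlen, "id=%d", id);
}

int main(void)
{
    char buf[16];
    int n = format_id(buf, sizeof buf, 42);
    printf("%d %s\n", n, buf);
    return 0;
}
```

Built with `-Wformat -Wformat-nonliteral`, the warning settings in effect after the `pop` apply again, so application code that passes a non-literal format to the wrapper is still reported.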

Thanks for the nice bug report and analysis!

This should be fixed by 5494a3f

Thanks for the quick fix!

A related question: I see that you're now listed as the repository owner of fortify-headers on https://git.2f30.org, and Gentoo has switched their fortify-headers package to point to this repo, so I take it this is intended to be the "official" continuation of the same project rather than a fork?

I'm keen to see this fix (and any other improvements of course) in OpenWrt, so I can put up a PR over there to point the package to your repo, but would be good to know what you're intending to tag numbered releases on this repo? And of course let me know if you'd rather put up a downstream PR yourself.

Sorry, only saw your post on openwrt/openwrt#13016 just now, I'll wait for the next release :-)