c-common.c (warn_format_security): New variable.

* c-common.c (warn_format_security): New variable. (check_format_info): Warn about non-literal formats with no format arguments if either -Wformat-nonliteral or -Wformat-security is specified. (set_Wformat): Set warn_format_security for settings other than 1. * c-common.h (warn_format_security): Declare. * c-decl.c (c_decode_option): Decode -Wformat-security and -Wno-format-security. * invoke.texi: Document -Wformat-security. * toplev.c (documented_lang_options): Include -Wformat-security and -Wno-format-security. cp: * decl2.c (lang_decode_option): Handle -Wformat-security. testsuite: * format-sec-1.c: New test. From-SVN: r38106
2000-12-07 07:56:44 +00:00 · 2000-12-07 07:56:44 +00:00 · c907e68489
commit c907e68489
parent 1c248308f4
10 changed files with 72 additions and 6 deletions
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@ -1,3 +1,17 @@
+2000-12-07  Joseph S. Myers  <jsm28@cam.ac.uk>
+
+	* c-common.c (warn_format_security): New variable.
+	(check_format_info): Warn about non-literal formats with no format
+	arguments if either -Wformat-nonliteral or -Wformat-security is
+	specified.
+	(set_Wformat): Set warn_format_security for settings other than 1.
+	* c-common.h (warn_format_security): Declare.
+	* c-decl.c (c_decode_option): Decode -Wformat-security and
+	-Wno-format-security.
+	* invoke.texi: Document -Wformat-security.
+	* toplev.c (documented_lang_options): Include -Wformat-security
+	and -Wno-format-security.
+
 2000-12-07  Joseph S. Myers  <jsm28@cam.ac.uk>

 	* c-common.c (check_format_info): Warn for non-constant format
--- a/gcc/c-common.c
+++ b/gcc/c-common.c
@ -193,6 +193,10 @@ int warn_format_extra_args;

 int warn_format_nonliteral;

+/* Warn about possible security problems with calls to format functions.  */
+
+int warn_format_security;
+
 /* Nonzero means warn about possible violations of sequence point rules.  */

 int warn_sequence_point;
@ -2363,7 +2367,7 @@ check_format_info (status, info, params)
 	      params = TREE_CHAIN (params);
 	      ++arg_num;
 	    }
-	  if (params == 0 && warn_format_nonliteral)
+	  if (params == 0 && (warn_format_nonliteral || warn_format_security))
 	    status_warning (status, "format not a string literal and no format arguments");
 	  else if (warn_format_nonliteral)
 	    status_warning (status, "format not a string literal, argument types not checked");
@ -3401,7 +3405,10 @@ set_Wformat (setting)
  warn_format_y2k = setting;
  warn_format_extra_args = setting;
  if (setting != 1)
-    warn_format_nonliteral = setting;
+    {
+      warn_format_nonliteral = setting;
+      warn_format_security = setting;
+    }
 }

 /* Print a warning if a constant expression had overflow in folding.
--- a/gcc/c-common.h
+++ b/gcc/c-common.h
@ -361,6 +361,10 @@ extern int warn_format_extra_args;

 extern int warn_format_nonliteral;

+/* Warn about possible security problems with calls to format functions.  */
+
+extern int warn_format_security;
+
 /* Warn about possible violations of sequence point rules.  */

 extern int warn_sequence_point;
--- a/gcc/c-decl.c
+++ b/gcc/c-decl.c
@ -719,6 +719,10 @@ c_decode_option (argc, argv)
    warn_format_nonliteral = 1;
  else if (!strcmp (p, "-Wno-format-nonliteral"))
    warn_format_nonliteral = 0;
+  else if (!strcmp (p, "-Wformat-security"))
+    warn_format_security = 1;
+  else if (!strcmp (p, "-Wno-format-security"))
+    warn_format_security = 0;
  else if (!strcmp (p, "-Wchar-subscripts"))
    warn_char_subscripts = 1;
  else if (!strcmp (p, "-Wno-char-subscripts"))
--- a/gcc/cp/ChangeLog
+++ b/gcc/cp/ChangeLog
@ -1,3 +1,7 @@
+2000-12-07  Joseph S. Myers  <jsm28@cam.ac.uk>
+
+	* decl2.c (lang_decode_option): Handle -Wformat-security.
+
 2000-12-06  Kriang Lerdsuwanakij  <lerdsuwa@users.sourceforge.net>

 	* pt.c (verify_class_unification): New function.
--- a/gcc/cp/decl2.c
+++ b/gcc/cp/decl2.c
@ -726,6 +726,8 @@ lang_decode_option (argc, argv)
 	warn_format_extra_args = setting;
      else if (!strcmp (p, "format-nonliteral"))
 	warn_format_nonliteral = setting;
+      else if (!strcmp (p, "format-security"))
+	warn_format_security = setting;
      else if (!strcmp (p, "missing-format-attribute"))
 	warn_missing_format_attribute = setting;
      else if (!strcmp (p, "conversion"))
--- a/gcc/invoke.texi
+++ b/gcc/invoke.texi
@ -190,7 +190,7 @@ in the following sections.
 -Wcast-align  -Wcast-qual  -Wchar-subscripts  -Wcomment
 -Wconversion  -Wdisabled-optimization -Werror
 -Wfloat-equal  -Wformat  -Wformat=2
-Wformat-nonliteral
+-Wformat-nonliteral -Wformat-security
 -Wid-clash-@var{len}  -Wimplicit -Wimplicit-int 
 -Wimplicit-function-declaration
 -Werror-implicit-function-declaration
@ -1610,8 +1610,9 @@ Controlling C Dialect}.

@samp{-Wformat} is included in @samp{-Wall}.  For more control over some
 aspects of format checking, the options @samp{-Wno-format-y2k},
-@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral} and
-@samp{-Wformat=2} are available, but are not included in @samp{-Wall}.
+@samp{-Wno-format-extra-args}, @samp{-Wformat-nonliteral},
+@samp{-Wformat-security} and @samp{-Wformat=2} are available, but are
+not included in @samp{-Wall}.

@item -Wno-format-y2k
 If @samp{-Wformat} is specified, do not warn about @code{strftime}
@ -1627,10 +1628,21 @@ If @samp{-Wformat} is specified, also warn if the format string is not a
 string literal and so cannot be checked, unless the format function
 takes its format arguments as a @code{va_list}.

+@item -Wformat-security
+If @samp{-Wformat} is specified, also warn about uses of format
+functions that represent possible security problems.  At present, this
+warns about calls to @code{printf} and @code{scanf} functions where the
+format string is not a string literal and there are no format arguments,
+as in @code{printf (foo);}.  This may be a security hole if the format
+string came from untrusted input and contains @samp{%n}.  (This is
+currently a subset of what @samp{-Wformat-nonliteral} warns about, but
+in future warnings may be added to @samp{-Wformat-security} that are not
+included in @samp{-Wformat-nonliteral}.)
+
@item -Wformat=2
 Enable @samp{-Wformat} plus format checks not included in
@samp{-Wformat}.  Currently equivalent to @samp{-Wformat
-Wformat-nonliteral}.
+-Wformat-nonliteral -Wformat-security}.

@item -Wimplicit-int
 Warn when a declaration does not specify a type.
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@ -1,3 +1,7 @@
+2000-12-07  Joseph S. Myers  <jsm28@cam.ac.uk>
+
+	* format-sec-1.c: New test.
+
 2000-12-07  Joseph S. Myers  <jsm28@cam.ac.uk>

 	* gcc.dg/format-nonlit-3.c: New test.
--- a/gcc/testsuite/gcc.dg/format-sec-1.c
+++ b/gcc/testsuite/gcc.dg/format-sec-1.c
@ -0,0 +1,12 @@
+/* Test for security warning when non-literal format has no arguments.  */
+/* Origin: Joseph Myers <jsm28@cam.ac.uk> */
+/* { dg-do compile } */
+/* { dg-options "-std=gnu99 -Wformat -Wformat-security" } */
+
+extern int printf (const char *, ...);
+
+void
+foo (char *s)
+{
+  printf (s); /* { dg-warning "no format arguments" "security warning" } */
+}
--- a/gcc/toplev.c
+++ b/gcc/toplev.c
@ -1236,6 +1236,9 @@ documented_lang_options[] =
    "Don't warn about too many arguments to format functions" },
  { "-Wformat-nonliteral", "Warn about non-string-literal format strings" },
  { "-Wno-format-nonliteral", "" },
+  { "-Wformat-security",
+    "Warn about possible security problems with format functions" },
+  { "-Wno-format-security", "" },
  { "-Wimplicit-function-declaration",
    "Warn about implicit function declarations" },
  { "-Wno-implicit-function-declaration", "" },