[v2,4/4] stdio-common: Suppress Clang warnings on scanf13.c with fortify enable
Checks
Context | Check | Description
redhat-pt-bot/TryBot-apply_patch | success | Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm | success | Build passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 | success | Build passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm | success | Test passed
redhat-pt-bot/TryBot-32bit | success | Build for i686
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 | success | Test passed
Commit Message
clang-19 shows:
scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
28 | "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
| ^
scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
94 | if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
| ^
scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
| ^
scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
---
stdio-common/scanf13.c | 5 +++++
1 file changed, 5 insertions(+)
Comments
> On 10 Jan 2025, at 18:15, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
>
> clang-19 shows:
>
> scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
> 28 | "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
> | ^
> scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
> 94 | if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
> | ^
> scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
> 110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
> | ^
> scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
> 110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
> ---
> stdio-common/scanf13.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/stdio-common/scanf13.c b/stdio-common/scanf13.c
> index 65b1429720..131abb33de 100644
> --- a/stdio-common/scanf13.c
> +++ b/stdio-common/scanf13.c
> @@ -24,6 +24,7 @@ main (void)
> DIAG_PUSH_NEEDS_COMMENT_CLANG;
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
> if (sscanf ("A \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
> "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
> FAIL ();
> @@ -91,6 +92,8 @@ main (void)
> FAIL ();
> free (sp2);
> }
> + DIAG_PUSH_NEEDS_COMMENT_CLANG;
> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
> if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
> FAIL ();
> else
> @@ -131,6 +134,7 @@ main (void)
> FAIL ();
> free (sp4);
> }
> + DIAG_POP_NEEDS_COMMENT_CLANG;
> if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
> FAIL ();
> else
> @@ -150,6 +154,7 @@ main (void)
> DIAG_PUSH_NEEDS_COMMENT_CLANG;
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
> if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
> FAIL ();
> else
> --
ok
> 2.43.0
>
Am Freitag, 10. Januar 2025, 19:12:14 Mitteleuropäische Normalzeit schrieb Adhemerval Zanella:
> clang-19 shows:
>
> scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
> 28 | "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
> | ^
> scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
> 94 | if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
> | ^
> scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
> 110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
> | ^
> scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
> 110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
> ---
Please add a brief remark on what the actual problem is (and why these warnings are bogus).
[my understanding - clang does not understand the 'nm' prefix telling sscanf to allocate
n+1 memory for the passed pointer to a string, and uses the pointer size instead to calculate
validity. however, since the actual call goes back to the c library, it works as intended?]
[[the sscanf manpage is a bit horrible w/r to %m]]
> stdio-common/scanf13.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/stdio-common/scanf13.c b/stdio-common/scanf13.c
> index 65b1429720..131abb33de 100644
> --- a/stdio-common/scanf13.c
> +++ b/stdio-common/scanf13.c
> @@ -24,6 +24,7 @@ main (void)
> DIAG_PUSH_NEEDS_COMMENT_CLANG;
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
> if (sscanf ("A \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
> "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
> FAIL ();
> @@ -91,6 +92,8 @@ main (void)
> FAIL ();
> free (sp2);
> }
> + DIAG_PUSH_NEEDS_COMMENT_CLANG;
> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
> if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
> FAIL ();
> else
> @@ -131,6 +134,7 @@ main (void)
> FAIL ();
> free (sp4);
> }
> + DIAG_POP_NEEDS_COMMENT_CLANG;
> if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
> FAIL ();
> else
> @@ -150,6 +154,7 @@ main (void)
> DIAG_PUSH_NEEDS_COMMENT_CLANG;
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
> if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
> FAIL ();
> else
>
On 11/01/25 10:51, Andreas K. Huettel wrote:
> Am Freitag, 10. Januar 2025, 19:12:14 Mitteleuropäische Normalzeit schrieb Adhemerval Zanella:
>> clang-19 shows:
>>
>> scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
>> 28 | "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>> | ^
>> scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
>> 94 | if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>> | ^
>> scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
>> 110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
>> | ^
>> scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
>> 110 | if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
>> ---
>
> Please add a brief remark on what the actual problem is (and why these warnings are bogus).
>
> [my understanding - clang does not understand the 'nm' prefix telling sscanf to allocate
> n+1 memory for the passed pointer to a string, and uses the pointer size instead to calculate
> validity. however, since the actual call goes back to the c library, it works as intended?]
>
> [[the sscanf manpage is a bit horrible w/r to %m]]
I am trying to pinpoint exactly what clang is missing here, and it seems
it does have some support for handling the 'm' prefix for -Wformat; but it lacks
support for -Wfortify to understand that it is up to libc to allocate
memory.
>
>> stdio-common/scanf13.c | 5 +++++
>> 1 file changed, 5 insertions(+)
>>
>> diff --git a/stdio-common/scanf13.c b/stdio-common/scanf13.c
>> index 65b1429720..131abb33de 100644
>> --- a/stdio-common/scanf13.c
>> +++ b/stdio-common/scanf13.c
>> @@ -24,6 +24,7 @@ main (void)
>> DIAG_PUSH_NEEDS_COMMENT_CLANG;
>> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
>> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>> if (sscanf ("A \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
>> "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>> FAIL ();
>> @@ -91,6 +92,8 @@ main (void)
>> FAIL ();
>> free (sp2);
>> }
>> + DIAG_PUSH_NEEDS_COMMENT_CLANG;
>> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>> if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>> FAIL ();
>> else
>> @@ -131,6 +134,7 @@ main (void)
>> FAIL ();
>> free (sp4);
>> }
>> + DIAG_POP_NEEDS_COMMENT_CLANG;
>> if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
>> FAIL ();
>> else
>> @@ -150,6 +154,7 @@ main (void)
>> DIAG_PUSH_NEEDS_COMMENT_CLANG;
>> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>> DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
>> + DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>> if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
>> FAIL ();
>> else
>>
>
>
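The `m` allocation modifier discussed in the replies above, as an added example (not glibc code and not part of the patch): the destination argument is a pointer-sized `char **`, and sscanf allocates the storage itself, bounded by the field width. The helper names `scan_m_token` and `scan_m_chars` and the inputs are constructed for illustration, and standard clang pragmas are used in place of glibc's `DIAG_*` macros.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: standard clang pragmas stand in for glibc's DIAG_* macros. */
#ifdef __clang__
# pragma clang diagnostic push
# pragma clang diagnostic ignored "-Wfortify-source"
#endif

/* "%10ms": sscanf mallocs the storage (at most 10 bytes plus the NUL) and
   writes only a pointer through &tok.  Copies the token into out and
   returns its length, or -1 if nothing matched.  Hypothetical helper.  */
static int scan_m_token(const char *input, char *out, size_t cap)
{
    char *tok = NULL;            /* the argument is a char **, pointer-sized */
    if (sscanf(input, "%10ms", &tok) != 1)
        return -1;
    int len = (int) strlen(tok);
    snprintf(out, cap, "%s", tok);
    free(tok);                   /* the caller owns the allocation */
    return len;
}

/* "%4mc": four bytes are allocated and filled, with no NUL terminator.
   The input must hold at least four bytes.  Hypothetical helper.  */
static int scan_m_chars(const char *input, char out[5])
{
    char *chars = NULL;
    if (sscanf(input, "%4mc", &chars) != 1)
        return -1;
    memcpy(out, chars, 4);
    out[4] = '\0';
    free(chars);
    return 4;
}

#ifdef __clang__
# pragma clang diagnostic pop
#endif

int main(void)
{
    char tok[16], four[5];
    /* Constructed inputs: the first is longer than the field width. */
    int n = scan_m_token("abcdefghijKLMNOP", tok, sizeof tok);
    printf("%d %s\n", n, tok);
    if (scan_m_chars("wxyz12", four) == 4)
        printf("%s\n", four);
    return 0;
}
```

The field width caps how much sscanf allocates and stores, so over-long input is truncated at the width rather than written past a caller buffer.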
@@ -24,6 +24,7 @@ main (void)
DIAG_PUSH_NEEDS_COMMENT_CLANG;
DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
+ DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
if (sscanf ("A \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
"A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
FAIL ();
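Review bot: the new `DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");` line ahead of the `"A%ms%10ms%4m[bcd]%4mcB"` call has no comment saying why the warning is a false positive, even though the macro name asks for one. A short comment above it would cover what the thread had to work out: the arguments are `char **` targets for the `m` allocation modifier, so the "size 8" clang reports is the pointer size, not a buffer that sscanf writes the string into.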
@@ -91,6 +92,8 @@ main (void)
FAIL ();
free (sp2);
}
+ DIAG_PUSH_NEEDS_COMMENT_CLANG;
+ DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
FAIL ();
else
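Review bot: the `DIAG_PUSH_NEEDS_COMMENT_CLANG` added before `sscanf (buf, "%2048ms%mc", &sp3, &sp4)` is not closed in this hunk; its `DIAG_POP_NEEDS_COMMENT_CLANG` only arrives in the @@ -131 hunk, so `-Wfortify-source` stays disabled for everything in between. That does cover both reported sites (lines 94 and 110), but it would also hide a genuine finding in the intervening code. Either bracket each sscanf call with its own push/pop, or add a comment at the push that names the matching pop and states the reason for the suppression.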
@@ -131,6 +134,7 @@ main (void)
FAIL ();
free (sp4);
}
+ DIAG_POP_NEEDS_COMMENT_CLANG;
if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
FAIL ();
else
@@ -150,6 +154,7 @@ main (void)
DIAG_PUSH_NEEDS_COMMENT_CLANG;
DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
+ DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
FAIL ();
else
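Review bot: the ignore added before `sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4)` has no matching diagnostic in the commit message, which quotes clang-19 output only for lines 28, 94 and 110. Either add the warning clang emits for this wide-character call to the commit message, or drop the suppression here if clang does not flag it. As in the first hunk, a comment giving the reason is also missing.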