[v2,4/4] stdio-common: Suppress Clang warnings on scanf13.c with fortify enable

Message ID 20250110181508.350378-5-adhemerval.zanella@linaro.org (mailing list archive)
State Committed
Commit e59bdf63cbe16b018f8b9b38f1daf9ece2329ab8
Series More fixes for building tests with clang |

Checks

Context Check Description
redhat-pt-bot/TryBot-apply_patch success Patch applied to master at the time it was sent
linaro-tcwg-bot/tcwg_glibc_build--master-arm success Build passed
linaro-tcwg-bot/tcwg_glibc_build--master-aarch64 success Build passed
linaro-tcwg-bot/tcwg_glibc_check--master-arm success Test passed
redhat-pt-bot/TryBot-32bit success Build for i686
linaro-tcwg-bot/tcwg_glibc_check--master-aarch64 success Test passed

Commit Message

Adhemerval Zanella Netto Jan. 10, 2025, 6:12 p.m. UTC
  clang-19 shows:

scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
   28 |               "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
      |                                               ^
scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
   94 |   if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
      |                                  ^
scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
  110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
      |                                                             ^
scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
  110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
---
 stdio-common/scanf13.c | 5 +++++
 1 file changed, 5 insertions(+)
  

Comments

Sam James Jan. 10, 2025, 6:26 p.m. UTC | #1
> On 10 Jan 2025, at 18:15, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
> 
> clang-19 shows:
> 
> scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
>   28 |               "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>      |                                               ^
> scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
>   94 |   if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>      |                                  ^
> scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
>  110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
>      |                                                             ^
> scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
>  110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
> ---
> stdio-common/scanf13.c | 5 +++++
> 1 file changed, 5 insertions(+)
> 
> diff --git a/stdio-common/scanf13.c b/stdio-common/scanf13.c
> index 65b1429720..131abb33de 100644
> --- a/stdio-common/scanf13.c
> +++ b/stdio-common/scanf13.c
> @@ -24,6 +24,7 @@ main (void)
>   DIAG_PUSH_NEEDS_COMMENT_CLANG;
>   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>   if (sscanf ("A  \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
>          "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>     FAIL ();
> @@ -91,6 +92,8 @@ main (void)
>    FAIL ();
>       free (sp2);
>     }
> +  DIAG_PUSH_NEEDS_COMMENT_CLANG;
> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>   if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>     FAIL ();
>   else
> @@ -131,6 +134,7 @@ main (void)
>    FAIL ();
>       free (sp4);
>     }
> +  DIAG_POP_NEEDS_COMMENT_CLANG;
>   if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
>     FAIL ();
>   else
> @@ -150,6 +154,7 @@ main (void)
>   DIAG_PUSH_NEEDS_COMMENT_CLANG;
>   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>   if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
>     FAIL ();
>   else
> --

ok

> 2.43.0
>
  
Andreas K. Huettel Jan. 11, 2025, 1:51 p.m. UTC | #2
Am Freitag, 10. Januar 2025, 19:12:14 Mitteleuropäische Normalzeit schrieb Adhemerval Zanella:
> clang-19 shows:
> 
> scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
>    28 |               "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>       |                                               ^
> scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
>    94 |   if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>       |                                  ^
> scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
>   110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
>       |                                                             ^
> scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
>   110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
> ---

Please add a brief remark on what the actual problem is (and why these warnings are bogus).

[my understanding - clang does not understand the 'nm' prefix telling sscanf to allocate
n+1 memory for the passed pointer to a string, and uses the pointer size instead to calculate
validity. however, since the actual call goes back to the c library, it works as intended?]

[[the sscanf manpage is a bit horrible w/r to %m]]

>  stdio-common/scanf13.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/stdio-common/scanf13.c b/stdio-common/scanf13.c
> index 65b1429720..131abb33de 100644
> --- a/stdio-common/scanf13.c
> +++ b/stdio-common/scanf13.c
> @@ -24,6 +24,7 @@ main (void)
>    DIAG_PUSH_NEEDS_COMMENT_CLANG;
>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>    if (sscanf ("A  \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
>  	      "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>      FAIL ();
> @@ -91,6 +92,8 @@ main (void)
>  	FAIL ();
>        free (sp2);
>      }
> +  DIAG_PUSH_NEEDS_COMMENT_CLANG;
> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>    if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>      FAIL ();
>    else
> @@ -131,6 +134,7 @@ main (void)
>  	FAIL ();
>        free (sp4);
>      }
> +  DIAG_POP_NEEDS_COMMENT_CLANG;
>    if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
>      FAIL ();
>    else
> @@ -150,6 +154,7 @@ main (void)
>    DIAG_PUSH_NEEDS_COMMENT_CLANG;
>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>    if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
>      FAIL ();
>    else
>
  
Adhemerval Zanella Netto Jan. 13, 2025, 1:52 p.m. UTC | #3
On 11/01/25 10:51, Andreas K. Huettel wrote:
> Am Freitag, 10. Januar 2025, 19:12:14 Mitteleuropäische Normalzeit schrieb Adhemerval Zanella:
>> clang-19 shows:
>>
>> scanf13.c:28:40: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 11 [-Werror,-Wfortify-source]
>>    28 |               "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>>       |                                               ^
>> scanf13.c:94:34: error: 'sscanf' may overflow; destination buffer in argument 3 has size 8, but the corresponding specifier may require size 2049 [-Werror,-Wfortify-source]
>>    94 |   if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>>       |                                  ^
>> scanf13.c:110:61: error: 'sscanf' may overflow; destination buffer in argument 4 has size 8, but the corresponding specifier may require size 1501 [-Werror,-Wfortify-source]
>>   110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
>>       |                                                             ^
>> scanf13.c:110:67: error: 'sscanf' may overflow; destination buffer in argument 5 has size 8, but the corresponding specifier may require size 549 [-Werror,-Wfortify-source]
>>   110 |   if (sscanf (buf, "%4mc%1500m[dr/]%548m[abc/d]%3mc", &sp1, &sp2, &sp3, &sp4)
>> ---
> 
> Please add a brief remark on what the actual problem is (and why these warnings are bogus).
> 
> [my understanding - clang does not understand the 'nm' prefix telling sscanf to allocate
> n+1 memory for the passed pointer to a string, and uses the pointer size instead to calculate
> validity. however, since the actual call goes back to the c library, it works as intended?]
> 
> [[the sscanf manpage is a bit horrible w/r to %m]]

I am trying to pinpoint exactly what clang is missing here, and it seems
it does have some support for handling the 'm' prefix in -Wformat, but it
lacks the support in -Wfortify to understand that it is up to libc to
allocate memory.

> 
>>  stdio-common/scanf13.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/stdio-common/scanf13.c b/stdio-common/scanf13.c
>> index 65b1429720..131abb33de 100644
>> --- a/stdio-common/scanf13.c
>> +++ b/stdio-common/scanf13.c
>> @@ -24,6 +24,7 @@ main (void)
>>    DIAG_PUSH_NEEDS_COMMENT_CLANG;
>>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
>> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>>    if (sscanf ("A  \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
>>  	      "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
>>      FAIL ();
>> @@ -91,6 +92,8 @@ main (void)
>>  	FAIL ();
>>        free (sp2);
>>      }
>> +  DIAG_PUSH_NEEDS_COMMENT_CLANG;
>> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>>    if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
>>      FAIL ();
>>    else
>> @@ -131,6 +134,7 @@ main (void)
>>  	FAIL ();
>>        free (sp4);
>>      }
>> +  DIAG_POP_NEEDS_COMMENT_CLANG;
>>    if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
>>      FAIL ();
>>    else
>> @@ -150,6 +154,7 @@ main (void)
>>    DIAG_PUSH_NEEDS_COMMENT_CLANG;
>>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
>>    DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
>> +  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
>>    if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
>>      FAIL ();
>>    else
>>
> 
>
  

Patch

diff --git a/stdio-common/scanf13.c b/stdio-common/scanf13.c
index 65b1429720..131abb33de 100644
--- a/stdio-common/scanf13.c
+++ b/stdio-common/scanf13.c
@@ -24,6 +24,7 @@  main (void)
   DIAG_PUSH_NEEDS_COMMENT_CLANG;
   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
+  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
   if (sscanf ("A  \xc3\x84-\t\t\xc3\x84-abcdefbcd\t\xc3\x84-B",
 	      "A%ms%10ms%4m[bcd]%4mcB", &sp1, &sp2, &sp3, &sp4) != 4)
     FAIL ();
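Review bot: The version argument on the added `DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");` is copied from the two `-Wformat-*` lines above it, but the commit message reports this diagnostic from clang-19. If that argument is meant to record the compiler version the warning was observed with, `19` would be the accurate value here; otherwise someone pruning old suppressions later may misjudge when this one can go. The same applies to the added ignore lines in the hunks at new lines 92 and 154. The pop that closes this push lies outside the hunk.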
@@ -91,6 +92,8 @@  main (void)
 	FAIL ();
       free (sp2);
     }
+  DIAG_PUSH_NEEDS_COMMENT_CLANG;
+  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
   if (sscanf (buf, "%2048ms%mc", &sp3, &sp4) != 2)
     FAIL ();
   else
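Review bot: The `DIAG_PUSH_NEEDS_COMMENT_CLANG` added here is only closed by the `DIAG_POP_NEEDS_COMMENT_CLANG` in the next hunk (new line 137), so `-Wfortify-source` stays off for roughly forty lines of main rather than just for the two calls clang flagged (lines 94 and 110 in the commit message). This is the diagnostic that catches real destination-size mismatches in scanf-family calls, so a push/pop pair around each flagged `sscanf` would keep it active for whatever else sits in between. That code is outside the hunks, so the current span may already be minimal. At the least the pop deserves a comment tying it to its push, e.g. `/* End of the -Wfortify-source suppression opened before the "%2048ms%mc" test.  */`.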
@@ -131,6 +134,7 @@  main (void)
 	FAIL ();
       free (sp4);
     }
+  DIAG_POP_NEEDS_COMMENT_CLANG;
   if (sscanf (buf, "%mS%mC", &lsp1, &lsp2) != 2)
     FAIL ();
   else
@@ -150,6 +154,7 @@  main (void)
   DIAG_PUSH_NEEDS_COMMENT_CLANG;
   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-invalid-specifier");
   DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wformat-extra-args");
+  DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");
   if (sscanf (buf, "%2048mls%mlc", &lsp3, &lsp4) != 2)
     FAIL ();
   else
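Review bot: No `-Wfortify-source` diagnostic for this `"%2048mls%mlc"` call appears in the commit message, whose log covers only lines 28, 94 and 110. If clang does not actually warn here (possibly because it already rejects the `mls` specifier, as the existing `-Wformat-invalid-specifier` ignore suggests), the added `DIAG_IGNORE_NEEDS_COMMENT_CLANG (13, "-Wfortify-source");` suppresses nothing and could be dropped, leaving the check enabled. If clang does warn on this line, quoting that diagnostic in the commit message would justify the suppression. The matching pop is outside the hunk.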