* [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module()
@ 2024-11-11 14:47 Simon Horman
2024-11-12 11:36 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Simon Horman @ 2024-11-11 14:47 UTC (permalink / raw)
To: Pablo Neira Ayuso, Jozsef Kadlecsik
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt,
netfilter-devel, coreteam, netdev, linux-kernel, bpf, llvm
Both gcc-14 and clang-18 report that passing a non-string literal as the
format argument of request_module() is potentially insecure.
E.g. clang-18 says:
.../nf_bpf_link.c:46:24: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
46 | err = request_module(mod);
| ^~~
.../kmod.h:25:55: note: expanded from macro 'request_module'
25 | #define request_module(mod...) __request_module(true, mod)
| ^~~
.../nf_bpf_link.c:46:24: note: treat the string as an argument to avoid this
46 | err = request_module(mod);
| ^
| "%s",
.../kmod.h:25:55: note: expanded from macro 'request_module'
25 | #define request_module(mod...) __request_module(true, mod)
| ^
It is always the case where the contents of mod is safe to pass as the
format argument. That is, in my understanding, it never contains any
format escape sequences.
But, it seems better to be safe than sorry. And, as a bonus, compiler
output becomes less verbose by addressing this issue as suggested by
clang-18.
Compile tested only.
Signed-off-by: Simon Horman <horms@kernel.org>
---
net/netfilter/nf_bpf_link.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index 3d64a4511fcf..06b084844700 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -43,7 +43,7 @@ get_proto_defrag_hook(struct bpf_nf_link *link,
hook = rcu_dereference(*ptr_global_hook);
if (!hook) {
rcu_read_unlock();
- err = request_module(mod);
+ err = request_module("%s", mod);
if (err)
return ERR_PTR(err < 0 ? err : -EINVAL);
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module()
2024-11-11 14:47 [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module() Simon Horman
@ 2024-11-12 11:36 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2024-11-12 11:36 UTC (permalink / raw)
To: Simon Horman
Cc: Jozsef Kadlecsik, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Nathan Chancellor, Nick Desaulniers, Bill Wendling,
Justin Stitt, netfilter-devel, coreteam, netdev, linux-kernel,
bpf, llvm
On Mon, Nov 11, 2024 at 02:47:51PM +0000, Simon Horman wrote:
> Both gcc-14 and clang-18 report that passing a non-string literal as the
> format argument of request_module() is potentially insecure.
Applied to nf-next
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2024-11-12 11:36 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-11 14:47 [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module() Simon Horman
2024-11-12 11:36 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox