[PATCH net-next 0/3] net: String format safety updates

[PATCH net-next 0/3] net: String format safety updates

[Simon Horman]

Hi,

This series addresses string format safety issues that are
flagged by tooling in files touched by recent patches.

I do not believe that any of these issues are bugs.
Rather, I am providing these updates as I think there is a value
in addressing such warnings so real problems stand out.

---
Simon Horman (3):
      net: dsa: microchip: copy string using strscpy
      net: txgbe: Pass string literal as format argument of alloc_workqueue()
      accel/qaic: Pass string literal as format argument of alloc_workqueue()

 drivers/accel/qaic/qaic_drv.c                  | 4 ++--
 drivers/net/dsa/microchip/ksz_ptp.c            | 2 +-
 drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

base-commit: 59ae83dcf102710f097aa14de88ea5cb1396b866

[PATCH net-next 1/3] net: dsa: microchip: copy string using strscpy

[Simon Horman]

Prior to this patch ksz_ptp_msg_irq_setup() uses snprintf() to copy
strings. It does so by passing strings as the format argument of
snprintf(). This appears to be safe, due to the absence of format
specifiers in the strings, which are declared within the same function.
But nonetheless GCC 14 warns about it:

.../ksz_ptp.c:1109:55: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
 1109 |         snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
      |                                                              ^~~~~~~
.../ksz_ptp.c:1109:55: note: treat the string as an argument to avoid this
 1109 |         snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
      |                                                              ^
      |                                                              "%s",

As what we are really dealing with here is a string copy, it seems make
sense to use a function designed for this purpose. In this case null
padding is not required, so strscpy is appropriate. And as the
destination is an array, the 2-argument variant may be used.

Signed-off-by: Simon Horman <horms@kernel.org>
---
 drivers/net/dsa/microchip/ksz_ptp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/dsa/microchip/ksz_ptp.c b/drivers/net/dsa/microchip/ksz_ptp.c
index 050f17c43ef6..22fb9ef4645c 100644
--- a/drivers/net/dsa/microchip/ksz_ptp.c
+++ b/drivers/net/dsa/microchip/ksz_ptp.c
@@ -1106,7 +1106,7 @@ static int ksz_ptp_msg_irq_setup(struct ksz_port *port, u8 n)
 	ptpmsg_irq->port = port;
 	ptpmsg_irq->ts_reg = ops->get_port_addr(port->num, ts_reg[n]);
 
-	snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
+	strscpy(ptpmsg_irq->name, name[n]);
 
 	ptpmsg_irq->num = irq_find_mapping(port->ptpirq.domain, n);
 	if (ptpmsg_irq->num < 0)

-- 
2.45.2

[PATCH net-next 2/3] net: txgbe: Pass string literal as format argument of alloc_workqueue()

[Simon Horman]

Recently I noticed that both gcc-14 and clang-18 report that passing
a non-string literal as the format argument of clkdev_create()
is potentially insecure.

E.g. clang-18 says:

.../txgbe_phy.c:582:35: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
  581 |         clock = clkdev_create(clk, NULL, clk_name);
      |                                          ^~~~~~~~
.../txgbe_phy.c:582:35: note: treat the string as an argument to avoid this
  581 |         clock = clkdev_create(clk, NULL, clk_name);
      |                                          ^
      |                                          "%s",

It is always the case where the contents of clk_name is safe to pass as the
format argument. That is, in my understanding, it never contains any
format escape sequences.

However, it seems better to be safe than sorry. And, as a bonus, compiler
output becomes less verbose by addressing this issue as suggested by
clang-18.

Compile tested only.

Signed-off-by: Simon Horman <horms@kernel.org>
---
 drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c b/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
index 3dd89dafe7c7..a0e4920b4761 100644
--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
+++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_phy.c
@@ -578,7 +578,7 @@ static int txgbe_clock_register(struct txgbe *txgbe)
 	if (IS_ERR(clk))
 		return PTR_ERR(clk);
 
-	clock = clkdev_create(clk, NULL, clk_name);
+	clock = clkdev_create(clk, NULL, "%s", clk_name);
 	if (!clock) {
 		clk_unregister(clk);
 		return -ENOMEM;

-- 
2.45.2

[PATCH net-next 3/3] accel/qaic: Pass string literal as format argument of alloc_workqueue()

[Simon Horman]

Recently I noticed that both gcc-14 and clang-18 report that passing
a non-string literal as the format argument of alloc_workqueue()
is potentially insecure.

E.g. clang-18 says:

.../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
   61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
      |                              ^~~
.../qaic_drv.c:61:23: note: treat the string as an argument to avoid this
   61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
      |                              ^
      |                              "%s",

It is always the case where the contents of fmt is safe to pass as the
format argument. That is, in my understanding, it never contains any
format escape sequences.

But, it seems better to be safe than sorry. And, as a bonus, compiler
output becomes less verbose by addressing this issue as suggested by
clang-18.

Also, change the name of the parameter of qaicm_wq_init from
fmt to name to better reflect it's purpose.

Compile tested only.

Signed-off-by: Simon Horman <horms@kernel.org>
---
 drivers/accel/qaic/qaic_drv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/accel/qaic/qaic_drv.c b/drivers/accel/qaic/qaic_drv.c
index bf10156c334e..30e6bf7897bd 100644
--- a/drivers/accel/qaic/qaic_drv.c
+++ b/drivers/accel/qaic/qaic_drv.c
@@ -53,12 +53,12 @@ static void qaicm_wq_release(struct drm_device *dev, void *res)
 	destroy_workqueue(wq);
 }
 
-static struct workqueue_struct *qaicm_wq_init(struct drm_device *dev, const char *fmt)
+static struct workqueue_struct *qaicm_wq_init(struct drm_device *dev, const char *name)
 {
 	struct workqueue_struct *wq;
 	int ret;
 
-	wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
+	wq = alloc_workqueue("%s", WQ_UNBOUND, 0, name);
 	if (!wq)
 		return ERR_PTR(-ENOMEM);
 	ret = drmm_add_action_or_reset(dev, qaicm_wq_release, wq);

-- 
2.45.2

Re: [PATCH net-next 3/3] accel/qaic: Pass string literal as format argument of alloc_workqueue()

[Jeffrey Hugo]

On 10/11/2024 3:57 AM, Simon Horman wrote:
> Recently I noticed that both gcc-14 and clang-18 report that passing
> a non-string literal as the format argument of alloc_workqueue()
> is potentially insecure.
> 
> E.g. clang-18 says:
> 
> .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
>        |                              ^~~
> .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this
>     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
>        |                              ^
>        |                              "%s",
> 
> It is always the case where the contents of fmt is safe to pass as the
> format argument. That is, in my understanding, it never contains any
> format escape sequences.
> 
> But, it seems better to be safe than sorry. And, as a bonus, compiler
> output becomes less verbose by addressing this issue as suggested by
> clang-18.
> 
> Also, change the name of the parameter of qaicm_wq_init from
> fmt to name to better reflect it's purpose.
> 
> Compile tested only.

I'm not sure why this looks like it is targeted for net-next.  I'm not 
seeing any dependencies on net code, nor is this a net driver.  My 
confusion makes me think I might be missing something.

I'll plan on independently taking this through DRM, unless something is 
brought to my attention.

Regarding the patch itself, looks sane to me.  I'll give it run through 
on hardware soon.

-Jeff

Re: [PATCH net-next 3/3] accel/qaic: Pass string literal as format argument of alloc_workqueue()

[Simon Horman]

On Fri, Oct 11, 2024 at 08:27:43AM -0600, Jeffrey Hugo wrote:
> On 10/11/2024 3:57 AM, Simon Horman wrote:
> > Recently I noticed that both gcc-14 and clang-18 report that passing
> > a non-string literal as the format argument of alloc_workqueue()
> > is potentially insecure.
> > 
> > E.g. clang-18 says:
> > 
> > .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
> >     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
> >        |                              ^~~
> > .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this
> >     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
> >        |                              ^
> >        |                              "%s",
> > 
> > It is always the case where the contents of fmt is safe to pass as the
> > format argument. That is, in my understanding, it never contains any
> > format escape sequences.
> > 
> > But, it seems better to be safe than sorry. And, as a bonus, compiler
> > output becomes less verbose by addressing this issue as suggested by
> > clang-18.
> > 
> > Also, change the name of the parameter of qaicm_wq_init from
> > fmt to name to better reflect it's purpose.
> > 
> > Compile tested only.
> 
> I'm not sure why this looks like it is targeted for net-next.  I'm not
> seeing any dependencies on net code, nor is this a net driver.  My confusion
> makes me think I might be missing something.
> 
> I'll plan on independently taking this through DRM, unless something is
> brought to my attention.
>
> Regarding the patch itself, looks sane to me.  I'll give it run through on
> hardware soon.

Sorry, the error is on my side.
I should not targeted this patch at net-next.
Let me know if I should repost it.

As the series isn't entirely for net-next, I'll mark
it as changes requested in netdev patchwork. And plan
on reposting the other two patches for net-next some time soon.

-- 
pw-bot: cr

Re: [PATCH net-next 1/3] net: dsa: microchip: copy string using strscpy

[Daniel Machon]

> Prior to this patch ksz_ptp_msg_irq_setup() uses snprintf() to copy
> strings. It does so by passing strings as the format argument of
> snprintf(). This appears to be safe, due to the absence of format
> specifiers in the strings, which are declared within the same function.
> But nonetheless GCC 14 warns about it:
> 
> .../ksz_ptp.c:1109:55: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>  1109 |         snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
>       |                                                              ^~~~~~~
> .../ksz_ptp.c:1109:55: note: treat the string as an argument to avoid this
>  1109 |         snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
>       |                                                              ^
>       |                                                              "%s",
> 
> As what we are really dealing with here is a string copy, it seems make
> sense to use a function designed for this purpose. In this case null
> padding is not required, so strscpy is appropriate. And as the
> destination is an array, the 2-argument variant may be used.

.. is an array - and of fixed size.

> 
> Signed-off-by: Simon Horman <horms@kernel.org>
> ---
>  drivers/net/dsa/microchip/ksz_ptp.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/dsa/microchip/ksz_ptp.c b/drivers/net/dsa/microchip/ksz_ptp.c
> index 050f17c43ef6..22fb9ef4645c 100644
> --- a/drivers/net/dsa/microchip/ksz_ptp.c
> +++ b/drivers/net/dsa/microchip/ksz_ptp.c
> @@ -1106,7 +1106,7 @@ static int ksz_ptp_msg_irq_setup(struct ksz_port *port, u8 n)
>         ptpmsg_irq->port = port;
>         ptpmsg_irq->ts_reg = ops->get_port_addr(port->num, ts_reg[n]);
> 
> -       snprintf(ptpmsg_irq->name, sizeof(ptpmsg_irq->name), name[n]);
> +       strscpy(ptpmsg_irq->name, name[n]);
> 
>         ptpmsg_irq->num = irq_find_mapping(port->ptpirq.domain, n);
>         if (ptpmsg_irq->num < 0)
> 
> --
> 2.45.2
>

This looks good to me.

Reviewed-by: Daniel Machon <daniel.machon@microchip.com>

Re: [PATCH net-next 3/3] accel/qaic: Pass string literal as format argument of alloc_workqueue()

[Jeffrey Hugo]

On 10/11/2024 3:57 AM, Simon Horman wrote:
> Recently I noticed that both gcc-14 and clang-18 report that passing
> a non-string literal as the format argument of alloc_workqueue()
> is potentially insecure.
> 
> E.g. clang-18 says:
> 
> .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
>        |                              ^~~
> .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this
>     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
>        |                              ^
>        |                              "%s",
> 
> It is always the case where the contents of fmt is safe to pass as the
> format argument. That is, in my understanding, it never contains any
> format escape sequences.
> 
> But, it seems better to be safe than sorry. And, as a bonus, compiler
> output becomes less verbose by addressing this issue as suggested by
> clang-18.
> 
> Also, change the name of the parameter of qaicm_wq_init from
> fmt to name to better reflect it's purpose.
> 
> Compile tested only.
> 
> Signed-off-by: Simon Horman <horms@kernel.org>

Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Tested-by: Jeffrey Hugo <quic_jhugo@quicinc.com>

Re: [PATCH net-next 3/3] accel/qaic: Pass string literal as format argument of alloc_workqueue()

[Jeffrey Hugo]

On 10/11/2024 3:57 AM, Simon Horman wrote:
> Recently I noticed that both gcc-14 and clang-18 report that passing
> a non-string literal as the format argument of alloc_workqueue()
> is potentially insecure.
> 
> E.g. clang-18 says:
> 
> .../qaic_drv.c:61:23: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
>        |                              ^~~
> .../qaic_drv.c:61:23: note: treat the string as an argument to avoid this
>     61 |         wq = alloc_workqueue(fmt, WQ_UNBOUND, 0);
>        |                              ^
>        |                              "%s",
> 
> It is always the case where the contents of fmt is safe to pass as the
> format argument. That is, in my understanding, it never contains any
> format escape sequences.
> 
> But, it seems better to be safe than sorry. And, as a bonus, compiler
> output becomes less verbose by addressing this issue as suggested by
> clang-18.
> 
> Also, change the name of the parameter of qaicm_wq_init from
> fmt to name to better reflect it's purpose.
> 
> Compile tested only.
> 
> Signed-off-by: Simon Horman <horms@kernel.org>

Applied to drm-misc-next