[PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module()
@ 2024-10-18  9:42 Simon Horman
  2024-10-18  9:44 ` Florian Westphal
  2024-10-18 10:35 ` Toke Høiland-Jørgensen
  0 siblings, 2 replies; 5+ messages in thread
From: Simon Horman @ 2024-10-18  9:42 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt,
	netfilter-devel, coreteam, netdev, bpf, llvm

Both gcc-14 and clang-18 report that passing a non-string literal as the
format argument of request_module() is potentially insecure.

E.g. clang-18 says:

.../nf_bpf_link.c:46:24: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
   46 |                 err = request_module(mod);
      |                                      ^~~
.../kmod.h:25:55: note: expanded from macro 'request_module'
   25 | #define request_module(mod...) __request_module(true, mod)
      |                                                       ^~~
.../nf_bpf_link.c:46:24: note: treat the string as an argument to avoid this
   46 |                 err = request_module(mod);
      |                                      ^
      |                                      "%s",
.../kmod.h:25:55: note: expanded from macro 'request_module'
   25 | #define request_module(mod...) __request_module(true, mod)
      |                                                       ^

It is always the case where the contents of mod is safe to pass as the
format argument. That is, in my understanding, it never contains any
format escape sequences.

But, it seems better to be safe than sorry. And, as a bonus, compiler
output becomes less verbose by addressing this issue as suggested by
clang-18.

No functional change intended.
Compile tested only.

Signed-off-by: Simon Horman <horms@kernel.org>
---
 net/netfilter/nf_bpf_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index 5257d5e7eb09..6b9c9d71906d 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -42,7 +42,7 @@ get_proto_defrag_hook(struct bpf_nf_link *link,
 	hook = rcu_dereference(*ptr_global_hook);
 	if (!hook) {
 		rcu_read_unlock();
-		err = request_module(mod);
+		err = request_module("%s", mod);
 		if (err)
 			return ERR_PTR(err < 0 ? err : -EINVAL);
 


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module()
  2024-10-18  9:42 [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module() Simon Horman
@ 2024-10-18  9:44 ` Florian Westphal
  2024-10-18 10:35 ` Toke Høiland-Jørgensen
  1 sibling, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2024-10-18  9:44 UTC (permalink / raw)
  To: Simon Horman
  Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Nathan Chancellor,
	Nick Desaulniers, Bill Wendling, Justin Stitt, netfilter-devel,
	coreteam, netdev, bpf, llvm

Simon Horman <horms@kernel.org> wrote:
> Both gcc-14 and clang-18 report that passing a non-string literal as the
> format argument of request_module() is potentially insecure.

Reviewed-by: Florian Westphal <fw@strlen.de>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module()
  2024-10-18  9:42 [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module() Simon Horman
  2024-10-18  9:44 ` Florian Westphal
@ 2024-10-18 10:35 ` Toke Høiland-Jørgensen
  1 sibling, 0 replies; 5+ messages in thread
From: Toke Høiland-Jørgensen @ 2024-10-18 10:35 UTC (permalink / raw)
  To: Simon Horman, Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt,
	netfilter-devel, coreteam, netdev, bpf, llvm

Simon Horman <horms@kernel.org> writes:

> Both gcc-14 and clang-18 report that passing a non-string literal as the
> format argument of request_module() is potentially insecure.
>
> E.g. clang-18 says:
>
> .../nf_bpf_link.c:46:24: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
>    46 |                 err = request_module(mod);
>       |                                      ^~~
> .../kmod.h:25:55: note: expanded from macro 'request_module'
>    25 | #define request_module(mod...) __request_module(true, mod)
>       |                                                       ^~~
> .../nf_bpf_link.c:46:24: note: treat the string as an argument to avoid this
>    46 |                 err = request_module(mod);
>       |                                      ^
>       |                                      "%s",
> .../kmod.h:25:55: note: expanded from macro 'request_module'
>    25 | #define request_module(mod...) __request_module(true, mod)
>       |                                                       ^
>
> It is always the case where the contents of mod is safe to pass as the
> format argument. That is, in my understanding, it never contains any
> format escape sequences.
>
> But, it seems better to be safe than sorry. And, as a bonus, compiler
> output becomes less verbose by addressing this issue as suggested by
> clang-18.
>
> No functional change intended.
> Compile tested only.
>
> Signed-off-by: Simon Horman <horms@kernel.org>

Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module()
@ 2024-11-11 14:47 Simon Horman
  2024-11-12 11:36 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 5+ messages in thread
From: Simon Horman @ 2024-11-11 14:47 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt,
	netfilter-devel, coreteam, netdev, linux-kernel, bpf, llvm

Both gcc-14 and clang-18 report that passing a non-string literal as the
format argument of request_module() is potentially insecure.

E.g. clang-18 says:

.../nf_bpf_link.c:46:24: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
   46 |                 err = request_module(mod);
      |                                      ^~~
.../kmod.h:25:55: note: expanded from macro 'request_module'
   25 | #define request_module(mod...) __request_module(true, mod)
      |                                                       ^~~
.../nf_bpf_link.c:46:24: note: treat the string as an argument to avoid this
   46 |                 err = request_module(mod);
      |                                      ^
      |                                      "%s",
.../kmod.h:25:55: note: expanded from macro 'request_module'
   25 | #define request_module(mod...) __request_module(true, mod)
      |                                                       ^

It is always the case where the contents of mod is safe to pass as the
format argument. That is, in my understanding, it never contains any
format escape sequences.

But, it seems better to be safe than sorry. And, as a bonus, compiler
output becomes less verbose by addressing this issue as suggested by
clang-18.

Compile tested only.

Signed-off-by: Simon Horman <horms@kernel.org>
---
 net/netfilter/nf_bpf_link.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
index 3d64a4511fcf..06b084844700 100644
--- a/net/netfilter/nf_bpf_link.c
+++ b/net/netfilter/nf_bpf_link.c
@@ -43,7 +43,7 @@ get_proto_defrag_hook(struct bpf_nf_link *link,
 	hook = rcu_dereference(*ptr_global_hook);
 	if (!hook) {
 		rcu_read_unlock();
-		err = request_module(mod);
+		err = request_module("%s", mod);
 		if (err)
 			return ERR_PTR(err < 0 ? err : -EINVAL);
 


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module()
  2024-11-11 14:47 Simon Horman
@ 2024-11-12 11:36 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2024-11-12 11:36 UTC (permalink / raw)
  To: Simon Horman
  Cc: Jozsef Kadlecsik, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Nathan Chancellor, Nick Desaulniers, Bill Wendling,
	Justin Stitt, netfilter-devel, coreteam, netdev, linux-kernel,
	bpf, llvm

On Mon, Nov 11, 2024 at 02:47:51PM +0000, Simon Horman wrote:
> Both gcc-14 and clang-18 report that passing a non-string literal as the
> format argument of request_module() is potentially insecure.

Applied to nf-next

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2024-11-12 11:36 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-18  9:42 [PATCH nf-next] netfilter: bpf: Pass string literal as format argument of request_module() Simon Horman
2024-10-18  9:44 ` Florian Westphal
2024-10-18 10:35 ` Toke Høiland-Jørgensen
  -- strict thread matches above, loose matches on Subject: below --
2024-11-11 14:47 Simon Horman
2024-11-12 11:36 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).