qemu-devel

Re: [Qemu-devel] [PATCH] tests/Makefile: Suppress format-security warnin


From: Paolo Bonzini
Subject: Re: [Qemu-devel] [PATCH] tests/Makefile: Suppress format-security warnings on JSON tests
Date: Wed, 26 Feb 2014 23:58:17 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

On 26/02/2014 23:47, Peter Maydell wrote:
Some of our test binaries programmatically generate JSON format
strings to feed to qobject_from_json(). Since that function is
marked with GCC_FMT_ATTR(), clang complains about this:
 tests/test-qmp-input-visitor.c:76:35: warning: format string is not a
 string literal (potentially insecure) [-Wformat-security]
    data->obj = qobject_from_json(json_string);
                                  ^~~~~~~~~~~

qobject_from_json shouldn't have a GCC_FMT_ATTR marker, only qobject_from_jsonf and qobject_from_jsonv.

qobject_from_json passes a NULL va_list*, and then parse_escape in qobject/json-parser.c returns NULL before calling va_arg. Ultimately this produces a parse error.

Paolo

Since these are only test cases and not potential attack vectors,
the simplest approach is simply to suppress this particular
compiler warning when compiling the relevant test cases.

Signed-off-by: Peter Maydell <address@hidden>
---
I couldn't think of a better way to do this...

 tests/Makefile | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/tests/Makefile b/tests/Makefile
index b17d41e..496c02f 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -146,6 +146,17 @@ check-qapi-schema-y := $(addprefix tests/qapi-schema/, \

 GENERATED_HEADERS += tests/test-qapi-types.h tests/test-qapi-visit.h 
tests/test-qmp-commands.h

+# These tests use the qobject_from_json() function with programmatically
+# generated format strings; since this would otherwise trip clang's
+# format-security warnings and these are only test binaries, disable
+# the warnings when building them.
+JSON_USERS=check-qjson \
+           check-input-visitor \
+           test-qmp-input-visitor \
+           test-visitor-serialization
+
+$(JSON_USERS:%=tests/%.o): CFLAGS += -Wno-format-security
+
 test-obj-y = tests/check-qint.o tests/check-qstring.o tests/check-qdict.o \
        tests/check-qlist.o tests/check-qfloat.o tests/check-qjson.o \
        tests/test-coroutine.o tests/test-string-output-visitor.o \
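
Review bot: The `$(JSON_USERS:%=tests/%.o): CFLAGS += -Wno-format-security` line turns the warning off for every call in those four objects, not only the qobject_from_json() calls the comment describes, so a non-literal format passed to any printf-style function in these tests would also go unreported. Consider fixing the cause instead, by dropping the format attribute from qobject_from_json() as raised in the reply, which needs no per-object flag; if the suppression stays, the comment should say it is file-wide. Also confirm that `check-input-visitor` in JSON_USERS names an object that is actually built, since a target-specific variable on a target make never builds has no effect and reports no error.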
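
The design Paolo describes in his reply, as an added sketch (not QEMU code and not from the thread): one parser core takes a `va_list *`, the literal-only entry point passes NULL so a `%` escape becomes a parse error before `va_arg` is reached, and only the interpolating entry point carries the format attribute. The names `parse_core`, `from_json` and `from_jsonf` are hypothetical stand-ins, and the toy core only copies bytes and expands `%d` and `%s`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Toy parser core (illustrative, not QEMU code): copies `in` to `out` and
 * expands %d / %s from *ap. Returns 0 on success, -1 on parse error. */
static int parse_core(char *out, size_t cap, const char *in, va_list *ap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        int w;
        if (*in != '%') {
            if (n + 1 >= cap) return -1;
            out[n++] = *in;
            continue;
        }
        if (ap == NULL) return -1;   /* literal-only caller: fail before va_arg */
        in++;
        if (*in == 'd')
            w = snprintf(out + n, cap - n, "%d", va_arg(*ap, int));
        else if (*in == 's')
            w = snprintf(out + n, cap - n, "\"%s\"", va_arg(*ap, const char *));
        else
            return -1;
        if (w < 0 || (size_t)w >= cap - n) return -1;
        n += (size_t)w;
    }
    out[n] = '\0';
    return 0;
}

/* Literal-only entry point: NULL va_list*, so it needs no format attribute
 * and callers may pass strings built at run time without a warning. */
int from_json(char *out, size_t cap, const char *json)
{
    return parse_core(out, cap, json, NULL);
}

/* Interpolating entry point: the one that warrants printf-style checking. */
__attribute__((format(printf, 3, 4)))
int from_jsonf(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int rc = parse_core(out, cap, fmt, &ap);
    va_end(ap);
    return rc;
}
```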




