From: Christian Brauner Date: Tue, 5 Feb 2019 19:51:50 +0000 (+0100) Subject: compiler: -Wformat=2 hardening X-Git-Tag: lxc-3.2.0~166^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d07545c7da57156eb9ee8f04999f9dfb9bc53380;p=thirdparty%2Flxc.git compiler: -Wformat=2 hardening Enable -Wformat plus additional format checks. Currently equivalent to -Wformat -Wformat-nonliteral -Wformat-security -Wformat-y2k. Signed-off-by: Christian Brauner --- diff --git a/configure.ac b/configure.ac index 4729bddca..052be683c 100644 --- a/configure.ac +++ b/configure.ac @@ -709,6 +709,8 @@ AX_CHECK_COMPILE_FLAG([-Wfloat-equal], [CFLAGS="$CFLAGS -Wfloat-equal"],,[-Werro AX_CHECK_COMPILE_FLAG([-Wsuggest-attribute=noreturn], [CFLAGS="$CFLAGS -Wsuggest-attribute=noreturn"],,[-Werror]) AX_CHECK_COMPILE_FLAG([-Werror=return-type], [CFLAGS="$CFLAGS -Werror=return-type"],,[-Werror]) AX_CHECK_COMPILE_FLAG([-Werror=incompatible-pointer-types], [CFLAGS="$CFLAGS -Werror=incompatible-pointer-types"],,[-Werror]) +AX_CHECK_COMPILE_FLAG([-Wformat=2], [CFLAGS="$CFLAGS -Wformat=2"],,[-Werror]) +AX_CHECK_COMPILE_FLAG([-Wshadow], [CFLAGS="$CFLAGS -Wshadow"],,[-Werror]) AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[]) AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[]) diff --git a/src/lxc/criu.c b/src/lxc/criu.c index 3d857b541..d1807c939 100644 --- a/src/lxc/criu.c +++ b/src/lxc/criu.c @@ -388,7 +388,7 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, goto err; while (getmntent_r(mnts, &mntent, buf, sizeof(buf))) { - char *fmt, *key, *val, *mntdata; + char *mntdata; char arg[2 * PATH_MAX + 2]; unsigned long flags; 
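Review bot: The second added line enables `-Wshadow`, which neither the subject nor the description mentions; it would be worth a line in the commit message or a separate commit, since shadowing warnings are unrelated to format checking. Both new flags only warn: the `[-Werror]` argument is passed to the probe compile, so a non-literal format string still builds unless the project promotes it, for example with `-Werror=format-security`. Separately, the two context lines below the addition append `-z relro` and `-z now` to `LDLAGS` as printed here; if that spelling is not deliberate, the linker hardening never reaches `LDFLAGS` and deserves its own fix.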
@@ -401,17 +401,12 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, if (!(flags & MS_BIND)) continue; - if (strcmp(opts->action, "dump") == 0) { - fmt = "/%s:%s"; - key = mntent.mnt_dir; - val = mntent.mnt_dir; - } else { - fmt = "%s:%s"; - key = mntent.mnt_dir; - val = mntent.mnt_fsname; - } - - ret = snprintf(arg, sizeof(arg), fmt, key, val); + if (strcmp(opts->action, "dump") == 0) + ret = snprintf(arg, sizeof(arg), "/%s:%s", + mntent.mnt_dir, mntent.mnt_dir); + else + ret = snprintf(arg, sizeof(arg), "%s:%s", + mntent.mnt_dir, mntent.mnt_fsname); if (ret < 0 || ret >= sizeof(arg)) { fclose(mnts); ERROR("snprintf failed"); @@ -547,7 +542,6 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, lxc_list_for_each(it, &opts->c->lxc_conf->network) { size_t retlen; char eth[128], *veth; - char *fmt; struct lxc_netdev *n = it->elem; bool external_not_veth; @@ -579,18 +573,23 @@ static void exec_criu(struct cgroup_ops *cgroup_ops, struct lxc_conf *conf, if (n->link[0] != '\0') { if (external_not_veth) - fmt = "veth[%s]:%s@%s"; + ret = snprintf(buf, sizeof(buf), + "veth[%s]:%s@%s", + eth, veth, + n->link); else - fmt = "%s=%s@%s"; - - ret = snprintf(buf, sizeof(buf), fmt, eth, veth, n->link); + ret = snprintf(buf, sizeof(buf), + "%s=%s@%s", eth, + veth, n->link); } else { if (external_not_veth) - fmt = "veth[%s]:%s"; + ret = snprintf(buf, sizeof(buf), + "veth[%s]:%s", + eth, veth); else - fmt = "%s=%s"; - - ret = snprintf(buf, sizeof(buf), fmt, eth, veth); + ret = snprintf(buf, sizeof(buf), + "%s=%s", eth, + veth); } if (ret < 0 || ret >= sizeof(buf)) goto err; diff --git a/src/lxc/log.c b/src/lxc/log.c index 1e0cc6a67..d5822c32b 100644 --- a/src/lxc/log.c +++ b/src/lxc/log.c 
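Review bot: The truncation checks after the rewritten calls still compare a signed `ret` against `sizeof`, at `ret >= sizeof(arg)` in this hunk and at `ret >= sizeof(buf)` in the @@ -579 hunk, while lvm.c and string_utils.c in this same commit write `(size_t)ret >= len`. The `ret < 0` test runs first, so the result is correct, but the mixed comparison is what `-Wsign-compare` reports, and the cast form would keep the files consistent: `if (ret < 0 || (size_t)ret >= sizeof(arg)) {`. With literal formats in place the compiler can now check the argument types of all six calls. exec_criu begins and ends outside both hunks.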
@@ -122,14 +122,20 @@ static char *lxc_log_get_va_msg(struct lxc_log_event *event) return NULL; va_copy(args, *event->vap); +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wformat-nonliteral" len = vsnprintf(NULL, 0, event->fmt, args) + 1; +#pragma GCC diagnostic pop va_end(args); msg = malloc(len * sizeof(char)); if (!msg) return NULL; +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wformat-nonliteral" rc = vsnprintf(msg, len, event->fmt, *event->vap); +#pragma GCC diagnostic pop if (rc == -1 || rc >= len) { free(msg); return NULL; @@ -183,7 +189,10 @@ static int log_append_stderr(const struct lxc_log_appender *appender, log_container_name ? ": " : ""); fprintf(stderr, "%s: %s: %d ", event->locinfo->file, event->locinfo->func, event->locinfo->line); +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wformat-nonliteral" vfprintf(stderr, event->fmt, *event->vap); +#pragma GCC diagnostic pop fprintf(stderr, "\n"); return 0; @@ -349,7 +358,10 @@ static int log_append_logfile(const struct lxc_log_appender *appender, return n; if ((size_t)n < STRARRAYLEN(buffer)) { +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wformat-nonliteral" ret = vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt, *event->vap); +#pragma GCC diagnostic pop if (ret < 0) return 0; diff --git a/src/lxc/pam/pam_cgfs.c b/src/lxc/pam/pam_cgfs.c index 4a45600ea..7bf57077b 100644 --- a/src/lxc/pam/pam_cgfs.c +++ b/src/lxc/pam/pam_cgfs.c @@ -297,8 +297,11 @@ static void mysyslog(int err, const char *format, ...) va_list args; va_start(args, format); +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wformat-nonliteral" openlog("PAM-CGFS", LOG_CONS | LOG_PID, LOG_AUTH); vsyslog(err, format, args); +#pragma GCC diagnostic pop va_end(args); closelog(); } diff --git a/src/lxc/storage/lvm.c b/src/lxc/storage/lvm.c index c06e1a325..c581eefd4 100644 --- a/src/lxc/storage/lvm.c +++ b/src/lxc/storage/lvm.c 
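Review bot: Each suppression sits exactly where `event->fmt` is consumed, and nothing in these hunks records why a non-literal format is acceptable there; the same applies to the @@ -183 and @@ -349 hunks. A short comment above the first pragma would help, e.g. `/* event->fmt comes from the logging macros; format checking has to happen at their call sites */`, assuming that is how events are built (not shown here). Four identical push/ignored/pop triples are also easy to leave unbalanced; a pair of small macros built on `_Pragma` would keep each ignored region to the single call. The enclosing functions continue outside the hunks.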
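Review bot: In the pam_cgfs.c hunk the `push` is placed above `openlog(...)`, so the ignored region covers a call that needs no exemption; moving the two pragma lines down to bracket only `vsyslog(err, format, args);` keeps the suppression minimal. Since `mysyslog` forwards its own `format` parameter, declaring it with `__attribute__((format(printf, 2, 3)))` would let the compiler check every caller's arguments, and may make the pragma unnecessary on compilers that exempt such forwarding wrappers. Whether a prototype elsewhere already carries that attribute is not visible here.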
@@ -264,6 +264,7 @@ int lvm_umount(struct lxc_storage *bdev) return umount(bdev->dest); } +#define __LVSCMD "lvs --unbuffered --noheadings -o lv_attr %s 2>/dev/null" int lvm_compare_lv_attr(const char *path, int pos, const char expected) { struct lxc_popen_FILE *f; @@ -272,12 +273,11 @@ int lvm_compare_lv_attr(const char *path, int pos, const char expected) char *cmd; char output[12]; int start = 0; - const char *lvscmd = "lvs --unbuffered --noheadings -o lv_attr %s 2>/dev/null"; - len = strlen(lvscmd) + strlen(path) + 1; + len = strlen(__LVSCMD) + strlen(path) + 1; cmd = alloca(len); - ret = snprintf(cmd, len, lvscmd, path); + ret = snprintf(cmd, len, __LVSCMD, path); if (ret < 0 || (size_t)ret >= len) return -1; diff --git a/src/lxc/string_utils.c b/src/lxc/string_utils.c index 0d7538c1f..607c9d8ec 100644 --- a/src/lxc/string_utils.c +++ b/src/lxc/string_utils.c @@ -295,19 +295,22 @@ char *lxc_append_paths(const char *first, const char *second) int ret; size_t len; char *result = NULL; - const char *pattern = "%s%s"; + int pattern_type = 0; len = strlen(first) + strlen(second) + 1; if (second[0] != '/') { len += 1; - pattern = "%s/%s"; + pattern_type = 1; } result = calloc(1, len); if (!result) return NULL; - ret = snprintf(result, len, pattern, first, second); + if (pattern_type == 0) + ret = snprintf(result, len, "%s%s", first, second); + else + ret = snprintf(result, len, "%s/%s", first, second); if (ret < 0 || (size_t)ret >= len) { free(result); return NULL;
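Review bot: `__LVSCMD` uses a double-underscore prefix, which C reserves for the implementation, and the macro stays defined for the rest of the file although only `lvm_compare_lv_attr` uses it in the lines shown. A plain name such as `LVS_ATTR_CMD_FMT`, optionally followed by an `#undef` after the function, avoids both. A one-line comment like `/* printf format; %s is the LV path */` would also say why this is a macro rather than a `const char *`.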
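Review bot: In the @@ -272 hunk, turning the format into a literal satisfies -Wformat-nonliteral, but `path` is still pasted unquoted into a command line that contains a shell redirection, so it is presumably run through a shell by the popen helper declared just above (the call is outside the hunk). If `path` can ever carry whitespace or shell metacharacters the command changes meaning; validating the path or running `lvs` with an explicit argument vector would remove that dependency. `cmd = alloca(len)` also sizes a stack allocation from `strlen(path)` with no upper bound, so a comment stating the expected maximum, or a heap buffer, would make that limit explicit.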
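Review bot: In string_utils.c, `pattern_type` is an `int` holding 0 or 1 whose meaning has to be read off the two branches; the flag can go entirely by testing the condition where it is used. For example, keep `if (second[0] != '/') len += 1;` and choose the call with `if (second[0] == '/')` for `"%s%s"` and `else` for `"%s/%s"`. If the flag stays, a name such as `need_sep` and a one-line comment would make the branch self-explanatory. lxc_append_paths begins above the hunk and continues below it.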