www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Simon Horman <horms@kernel.org>
	Mon, 11 Nov 2024 14:47:51 +0000 (14:47 +0000)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 14 Nov 2024 11:39:50 +0000 (12:39 +0100)
commit	8340b0056ac723d04918573761b5d8f979d15a75
tree	3f6f1c16933daf624a642e65c9dd28c3c30d175e	tree
parent	3f5495962824fbef3b9a577ccd9b02f967452c11	commit \| diff

netfilter: bpf: Pass string literal as format argument of request_module()

Both gcc-14 and clang-18 report that passing a non-string literal as the
format argument of request_module() is potentially insecure.

E.g. clang-18 says:

.../nf_bpf_link.c:46:24: warning: format string is not a string literal (potentially insecure) [-Wformat-security]
   46 |                 err = request_module(mod);
      |                                      ^~~
.../kmod.h:25:55: note: expanded from macro 'request_module'
   25 | #define request_module(mod...) __request_module(true, mod)
      |                                                       ^~~
.../nf_bpf_link.c:46:24: note: treat the string as an argument to avoid this
   46 |                 err = request_module(mod);
      |                                      ^
      |                                      "%s",
.../kmod.h:25:55: note: expanded from macro 'request_module'
   25 | #define request_module(mod...) __request_module(true, mod)
      |                                                       ^

It is always the case where the contents of mod is safe to pass as the
format argument. That is, in my understanding, it never contains any
format escape sequences.

But, it seems better to be safe than sorry. And, as a bonus, compiler
output becomes less verbose by addressing this issue as suggested by
clang-18.

Compile tested only.

Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>