From owner-freebsd-audit Sun Nov 26 2:40:57 2000 Delivered-To: freebsd-audit@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 7AF1937B479 for ; Sun, 26 Nov 2000 02:40:55 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAQAfrY08705 for audit@FreeBSD.org; Sun, 26 Nov 2000 02:41:53 -0800 (PST) (envelope-from kris) Date: Sun, 26 Nov 2000 02:41:51 -0800 From: Kris Kennaway To: audit@FreeBSD.org Subject: Non-constant format string list Message-ID: <20001126024151.A2846@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="uAKRQypu60I7Lcqm" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --uAKRQypu60I7Lcqm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline I have uploaded the list of warnings from make world with -Wnetbsd-format-audit enabled, to http://www.freebsd.org/~kris/gcc-format-audit Most of these warnings are not actual problems (e.g. all uses of the function are safe), and some can be silenced by appropriate use of const, but the rest must be checked that all uses of the function which takes a format string argument are in fact safe. I will be updating the above list as the warnings are checked for safety. In fact I have already corrected some in -current. What would be very useful is a list of library functions which take format string arguments in the format of a pscan data file (/usr/ports/security/pscan). pscan by default only comes with common libc function definitions - if we can expand it to cover all FreeBSD library functions which take format strings it will assist in auditing of FreeBSD code. Any takers? If anyone is interested in helping the format string audit, please mail me with the directories from the above list you want to cover, and I'll update the list so there isn't unnecessary duplication of work. Kris --uAKRQypu60I7Lcqm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjog6O8ACgkQWry0BWjoQKWw6QCfUlPYPaQ3JhnViuWlk68eApFm 4AwAoKV+V+jRI0t1WTJ6oqlhqdbOjx2e =q2v6 -----END PGP SIGNATURE----- --uAKRQypu60I7Lcqm-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message