1. Patchew
  2. linux
  3. View series

[PATCH] scripts/clang-tools: Remove DeprecatedOrUnsafeBufferHandling check

Guru Das Srinagesh posted 1 patch 3 years, 8 months ago 
scripts/clang-tools/run-clang-tools.py | 1 +
1 file changed, 1 insertion(+)
[PATCH] scripts/clang-tools: Remove DeprecatedOrUnsafeBufferHandling check
Posted by Guru Das Srinagesh 3 years, 8 months ago 
This `clang-analyzer` check flags the use of memset(), suggesting a more
secure version of the API, such as memset_s(), which does not exist in
the kernel:

  warning: Call to function 'memset' is insecure as it does not provide
  security checks introduced in the C11 standard. Replace with analogous
  functions that support length arguments or provides boundary checks such
  as 'memset_s' in case of C11
  [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]

Signed-off-by: Guru Das Srinagesh <quic_gurus@quicinc.com>
---
 scripts/clang-tools/run-clang-tools.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/clang-tools/run-clang-tools.py b/scripts/clang-tools/run-clang-tools.py
index f754415a..1337ced 100755
--- a/scripts/clang-tools/run-clang-tools.py
+++ b/scripts/clang-tools/run-clang-tools.py
@@ -51,6 +51,7 @@ def run_analysis(entry):
         checks += "linuxkernel-*"
     else:
         checks += "clang-analyzer-*"
+        checks += ",-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling"
     p = subprocess.run(["clang-tidy", "-p", args.path, checks, entry["file"]],
                        stdout=subprocess.PIPE,
                        stderr=subprocess.STDOUT,
-- 
2.7.4
Re: [PATCH] scripts/clang-tools: Remove DeprecatedOrUnsafeBufferHandling check
Posted by Nick Desaulniers 3 years, 7 months ago 
On Thu, Aug 4, 2022 at 10:46 AM Guru Das Srinagesh
<quic_gurus@quicinc.com> wrote:
>
> This `clang-analyzer` check flags the use of memset(), suggesting a more
> secure version of the API, such as memset_s(), which does not exist in
> the kernel:
>
>   warning: Call to function 'memset' is insecure as it does not provide
>   security checks introduced in the C11 standard. Replace with analogous
>   functions that support length arguments or provides boundary checks such
>   as 'memset_s' in case of C11
>   [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]
>
> Signed-off-by: Guru Das Srinagesh <quic_gurus@quicinc.com>
> ---
>  scripts/clang-tools/run-clang-tools.py | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/scripts/clang-tools/run-clang-tools.py b/scripts/clang-tools/run-clang-tools.py
> index f754415a..1337ced 100755
> --- a/scripts/clang-tools/run-clang-tools.py
> +++ b/scripts/clang-tools/run-clang-tools.py
> @@ -51,6 +51,7 @@ def run_analysis(entry):
>          checks += "linuxkernel-*"
>      else:
>          checks += "clang-analyzer-*"
> +        checks += ",-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling"

Thanks for the patch! I think it makes sense to add this.  I suspect
the list of checks we might want to disable may grow. Maybe when it
does, we could put these in an array and join them at the end.

Anyways, LGTM
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>

Masahiro, would you mind picking this up for us, please?

>      p = subprocess.run(["clang-tidy", "-p", args.path, checks, entry["file"]],
>                         stdout=subprocess.PIPE,
>                         stderr=subprocess.STDOUT,
> --
> 2.7.4
>


-- 
Thanks,
~Nick Desaulniers
Re: [PATCH] scripts/clang-tools: Remove DeprecatedOrUnsafeBufferHandling check
Posted by Masahiro Yamada 3 years, 7 months ago 
On Thu, Aug 18, 2022 at 8:40 AM Nick Desaulniers
<ndesaulniers@google.com> wrote:
>
> On Thu, Aug 4, 2022 at 10:46 AM Guru Das Srinagesh
> <quic_gurus@quicinc.com> wrote:
> >
> > This `clang-analyzer` check flags the use of memset(), suggesting a more
> > secure version of the API, such as memset_s(), which does not exist in
> > the kernel:
> >
> >   warning: Call to function 'memset' is insecure as it does not provide
> >   security checks introduced in the C11 standard. Replace with analogous
> >   functions that support length arguments or provides boundary checks such
> >   as 'memset_s' in case of C11
> >   [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling]
> >
> > Signed-off-by: Guru Das Srinagesh <quic_gurus@quicinc.com>
> > ---
> >  scripts/clang-tools/run-clang-tools.py | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/scripts/clang-tools/run-clang-tools.py b/scripts/clang-tools/run-clang-tools.py
> > index f754415a..1337ced 100755
> > --- a/scripts/clang-tools/run-clang-tools.py
> > +++ b/scripts/clang-tools/run-clang-tools.py
> > @@ -51,6 +51,7 @@ def run_analysis(entry):
> >          checks += "linuxkernel-*"
> >      else:
> >          checks += "clang-analyzer-*"
> > +        checks += ",-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling"
>
> Thanks for the patch! I think it makes sense to add this.  I suspect
> the list of checks we might want to disable may grow. Maybe when it
> does, we could put these in an array and join them at the end.
>
> Anyways, LGTM
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
>
> Masahiro, would you mind picking this up for us, please?




Sure.
Applied to linux-kbuild/fixes.
Thanks.





> >      p = subprocess.run(["clang-tidy", "-p", args.path, checks, entry["file"]],
> >                         stdout=subprocess.PIPE,
> >                         stderr=subprocess.STDOUT,
> > --
> > 2.7.4
> >
>
>
> --
> Thanks,
> ~Nick Desaulniers



-- 
Best Regards
Masahiro Yamada

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.