Fix too few arguments to formatting function

CodeQL reported that when the VERIFY3U condition is false, we do not
pass enough arguments to `spl_panic()`. This is because the format
string from `snprintf()` was concatenated into the format string for
`spl_panic()`, which causes us to have an unexpected format specifier.

A CodeQL developer suggested fixing the macro to have a `%s` format
string that takes a stringified RIGHT argument, which would fix this.
However, upon inspection, the VERIFY3U check was never necessary in the
first place, so we remove it in favor of just calling `snprintf()`.

Lastly, it is interesting that every other static analyzer run on the
codebase did not catch this, including some that made an effort to catch
such things. Presumably, all of them relied on header annotations, which
we have not yet done on `spl_panic()`. CodeQL apparently is able to
track the flow of arguments on their way to annotated functions, which
llowed it to catch this when others did not. A future patch that I have
in development should annotate `spl_panic()`, so the others will catch
this too.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #14098
This commit is contained in:
Richard Yao 2022-10-27 12:45:26 -04:00 committed by Tony Hutter
parent 52e658edd7
commit e9a8fb17b5
1 changed files with 3 additions and 3 deletions

View File

@ -277,9 +277,9 @@ zcp_table_to_nvlist(lua_State *state, int index, int depth)
} }
break; break;
case LUA_TNUMBER: case LUA_TNUMBER:
VERIFY3U(sizeof (buf), >, (void) snprintf(buf, sizeof (buf), "%lld",
snprintf(buf, sizeof (buf), "%lld", (longlong_t)lua_tonumber(state, -2));
(longlong_t)lua_tonumber(state, -2)));
key = buf; key = buf;
if (saw_str_could_collide) { if (saw_str_could_collide) {
key_could_collide = B_TRUE; key_could_collide = B_TRUE;