Building with --enable-analyzer throws warnings on Ubuntu 22.04 LTS
glitsj16 opened this issue · comments
glitsj16 commented
On my old Ubuntu 16.04 LTS box I never bothered to build Firejail with --enable-analyzer
. But after migrating that machine to Ubuntu 22.04 LTS I gave it a try. The below warnings showed up (which doesn't happen on my Arch Linux box BTW).
Here's the build output:
$ ./configure --prefix=/usr --enable-analyzer --enable-apparmor --enable-landlock --enable-private-lib && make
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether C compiler accepts -MMD -MP... yes
checking whether C compiler accepts -mindirect-branch=thunk... no
checking whether C compiler accepts -fstack-clash-protection... yes
checking whether C compiler accepts -fstack-protector-strong... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for libapparmor... yes
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for linux/landlock.h... yes
checking for gawk... yes
checking for linux/seccomp.h... yes
configure: creating ./config.status
config.status: creating config.mk
config.status: creating config.sh
Compile options:
CC: gcc
CFLAGS: -g -O2
CPPFLAGS:
LDFLAGS:
EXTRA_CFLAGS: -fstack-clash-protection -fstack-protector-strong -fanalyzer -Wno-analyzer-malloc-leak
DEPS_CFLAGS: -MMD -MP
EXTRA_LDFLAGS:
LIBS: -lapparmor
fatal warnings:
gcov instrumentation:
install as a SUID executable: -DHAVE_SUID
install contrib scripts: yes
prefix: /usr
sysconfdir: /etc
Spectre compiler patch: yes
Features:
allow tmpfs as regular user: -DHAVE_USERTMPFS
always enforce filters:
apparmor: -DHAVE_APPARMOR
busybox workaround: no
chroot: -DHAVE_CHROOT
DBUS proxy support: -DHAVE_DBUSPROXY
disable user profiles:
enable --output logging: -DHAVE_OUTPUT
file transfer support: -DHAVE_FILE_TRANSFER
global config: -DHAVE_GLOBALCFG
IDS support:
Landlock support: -DHAVE_LANDLOCK
manpage support: -DHAVE_MAN
network: -DHAVE_NETWORK
overlayfs support:
private home support: -DHAVE_PRIVATE_HOME
private lib support: -DHAVE_PRIVATE_LIB
SELinux labeling support:
user namespace: -DHAVE_USERNS
X11 sandboxing support: -DHAVE_X11
$ make
[...]
../../src/fbuilder/filedb.c: In function ‘filedb_add.part.0’:
../../src/fbuilder/filedb.c:69:22: warning: use of possibly-NULL ‘strdup(fname)’ where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument]
69 | entry->len = strlen(entry->fname);
| ^~~~~~~~~~~~~~~~~~~~
‘filedb_load_whitelist’: event 1
|
| 88 | FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) {
| | ^~~~~~~~~~~~~~~~~~~~~
| | |
| | (1) entry to ‘filedb_load_whitelist’
|
‘filedb_load_whitelist’: event 2
|
| 89 | assert(fname);
| | ^~~~~~
| | |
| | (2) following ‘true’ branch (when ‘fname’ is non-NULL)...
|
‘filedb_load_whitelist’: event 3
|
| 90 | assert(prefix);
| | ^~~~~~
| | |
| | (3) ...to here
|
‘filedb_load_whitelist’: event 4
|
| 90 | assert(prefix);
| | ^~~~~~
| | |
| | (4) following ‘true’ branch (when ‘prefix’ is non-NULL)...
|
‘filedb_load_whitelist’: events 5-6
|
| 91 | int len = strlen(prefix);
| | ^~~
| | |
| | (5) ...to here
| 92 | char *f;
| 93 | if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1)
| | ~
| | |
| | (6) following ‘false’ branch...
|
‘filedb_load_whitelist’: event 7
|
|../../src/fbuilder/../include/common.h:42:25:
| 42 | #define errExit(msg) do { \
| | ^
| | |
| | (7) ...to here
../../src/fbuilder/filedb.c:94:17: note: in expansion of macro ‘errExit’
| 94 | errExit("asprintf");
| | ^~~~~~~
|
‘filedb_load_whitelist’: event 8
|
| 96 | if (!fp) {
| | ^
| | |
| | (8) following ‘false’ branch (when ‘fp’ is non-NULL)...
|
‘filedb_load_whitelist’: event 9
|
|cc1:
| (9): ...to here
|
‘filedb_load_whitelist’: events 10-12
|
| 103 | while (fgets(buf, MAX_BUF, fp)) {
| | ^~~~~
| | |
| | (10) following ‘true’ branch...
| 104 | if (strncmp(buf, prefix, len) != 0)
| | ~~
| | |
| | (11) ...to here
|......
| 114 | head = filedb_add(head, fn);
| | ~~~~~~~~~~~~~~~~~~~~
| | |
| | (12) calling ‘filedb_add’ from ‘filedb_load_whitelist’
|
+--> ‘filedb_add’: event 13
|
| 54 | FileDB *filedb_add(FileDB *head, const char *fname) {
| | ^~~~~~~~~~
| | |
| | (13) entry to ‘filedb_add’
|
‘filedb_add’: event 14
|
| 55 | assert(fname);
| | ^~~~~~
| | |
| | (14) following ‘true’ branch (when ‘fname’ is non-NULL)...
|
‘filedb_add’: events 15-16
|
| 58 | if (filedb_find(head, fname))
| | ^~ ~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (16) calling ‘filedb_find’ from ‘filedb_add’
| | (15) ...to here
|
+--> ‘filedb_find’: event 17
|
| 24 | FileDB *filedb_find(FileDB *head, const char *fname) {
| | ^~~~~~~~~~~
| | |
| | (17) entry to ‘filedb_find’
|
‘filedb_find’: event 18
|
| 25 | assert(fname);
| | ^~~~~~
| | |
| | (18) following ‘true’ branch (when ‘fname’ is non-NULL)...
|
‘filedb_find’: event 19
|
|cc1:
| (19): ...to here
|
‘filedb_find’: event 20
|
|cc1:
| (20): calling ‘filedb_find.part.0’ from ‘filedb_find’
|
+--> ‘filedb_find.part.0’: events 21-27
|
| 24 | FileDB *filedb_find(FileDB *head, const char *fname) {
| | ^~~~~~~~~~~
| | |
| | (21) entry to ‘filedb_find.part.0’
|......
| 29 | while (ptr) {
| | ~~~
| | |
| | (22) following ‘true’ branch (when ‘ptr’ is non-NULL)...
| | (24) following ‘true’ branch (when ‘ptr’ is non-NULL)...
|......
| 32 | if (fnmatch(ptr->fname, fname, FNM_PATHNAME) == 0) {
| | ~~
| | |
| | (23) ...to here
| | (25) ...to here
|......
| 48 | if (found)
| | ~
| | |
| | (26) following ‘true’ branch (when ‘found != 0’)...
| 49 | return ptr;
| | ~~~~~~
| | |
| | (27) ...to here
|
<------+
|
‘filedb_find’: event 28
|
|cc1:
| (28): returning to ‘filedb_find’ from ‘filedb_find.part.0’
|
<------+
|
‘filedb_add’: event 29
|
| 58 | if (filedb_find(head, fname))
| | ^~~~~~~~~~~~~~~~~~~~~~~~
| | |
| | (29) returning to ‘filedb_add’ from ‘filedb_find’
|
‘filedb_add’: event 30
|
|cc1:
| (30): calling ‘filedb_add.part.0’ from ‘filedb_add’
|
+--> ‘filedb_add.part.0’: events 31-32
|
| 54 | FileDB *filedb_add(FileDB *head, const char *fname) {
| | ^~~~~~~~~~
| | |
| | (31) entry to ‘filedb_add.part.0’
|......
| 63 | if (!entry)
| | ~
| | |
| | (32) following ‘false’ branch (when ‘entry’ is non-NULL)...
|
‘filedb_add.part.0’: event 33
|
|../../src/fbuilder/../include/common.h:42:25:
| 42 | #define errExit(msg) do { \
| | ^
| | |
| | (33) ...to here
../../src/fbuilder/filedb.c:64:17: note: in expansion of macro ‘errExit’
| 64 | errExit("malloc");
| | ^~~~~~~
|
‘filedb_add.part.0’: events 34-36
|
| 66 | entry->fname = strdup(fname);
| | ^~~~~~~~~~~~~
| | |
| | (34) this call could return NULL
| 67 | if (!entry->fname)
| | ~
| | |
| | (35) assuming ‘strdup(fname)’ is non-NULL
| | (36) following ‘false’ branch...
|
‘filedb_add.part.0’: event 37
|
|../../src/fbuilder/../include/common.h:42:25:
| 42 | #define errExit(msg) do { \
| | ^
| | |
| | (37) ...to here
../../src/fbuilder/filedb.c:68:17: note: in expansion of macro ‘errExit’
| 68 | errExit("strdup");
| | ^~~~~~~
|
<------+
|
‘filedb_add’: event 38
|
|cc1:
| (38): returning to ‘filedb_add’ from ‘filedb_add.part.0’
|
<------+
|
‘filedb_load_whitelist’: events 39-46
|
| 103 | while (fgets(buf, MAX_BUF, fp)) {
| | ~~~~~
| | |
| | (40) following ‘true’ branch...
| 104 | if (strncmp(buf, prefix, len) != 0)
| | ~~ ~
| | | |
| | | (42) following ‘false’ branch...
| | (41) ...to here
|......
| 107 | char *fn = buf + len;
| | ~~~~
| | |
| | (43) ...to here
| 108 | char *ptr = strchr(buf, '\n');
| 109 | if (!ptr)
| | ~
| | |
| | (44) following ‘false’ branch (when ‘ptr’ is non-NULL)...
| 110 | continue;
| 111 | *ptr = '\0';
| | ~
| | |
| | (45) ...to here
|......
| 114 | head = filedb_add(head, fn);
| | ^~~~~~~~~~~~~~~~~~~~
| | |
| | (39) returning to ‘filedb_load_whitelist’ from ‘filedb_add’
| | (46) calling ‘filedb_add’ from ‘filedb_load_whitelist’
|
+--> ‘filedb_add’: event 47
|
| 54 | FileDB *filedb_add(FileDB *head, const char *fname) {
| | ^~~~~~~~~~
| | |
| | (47) entry to ‘filedb_add’
|
‘filedb_add’: event 48
|
| 55 | assert(fname);
| | ^~~~~~
| | |
| | (48) following ‘true’ branch (when ‘fname’ is non-NULL)...
|
‘filedb_add’: events 49-50
|
| 58 | if (filedb_find(head, fname))
| | ^~ ~~~~~~~~~~~~~~~~~~~~~~~~
| | | |
| | | (50) calling ‘filedb_find’ from ‘filedb_add’
| | (49) ...to here
|
+--> ‘filedb_find’: event 51
|
| 24 | FileDB *filedb_find(FileDB *head, const char *fname) {
| | ^~~~~~~~~~~
| | |
| | (51) entry to ‘filedb_find’
|
‘filedb_find’: event 52
|
| 25 | assert(fname);
| | ^~~~~~
| | |
| | (52) following ‘true’ branch (when ‘fname’ is non-NULL)...
|
‘filedb_find’: event 53
|
|cc1:
| (53): ...to here
|
‘filedb_find’: event 54
|
|cc1:
| (54): calling ‘filedb_find.part.0’ from ‘filedb_find’
|
+--> ‘filedb_find.part.0’: events 55-60
|
| 24 | FileDB *filedb_find(FileDB *head, const char *fname) {
| | ^~~~~~~~~~~
| | |
| | (55) entry to ‘filedb_find.part.0’
|......
| 29 | while (ptr) {
| | ~~~
| | |
| | (56) following ‘true’ branch (when ‘ptr’ is non-NULL)...
|......
| 32 | if (fnmatch(ptr->fname, fname, FNM_PATHNAME) == 0) {
| | ~~ ~
| | | |
| | | (58) following ‘false’ branch...
| | (57) ...to here
|......
| 38 | if (strlen(fname) > ptr->len &&
| | ~~
| | |
| | (59) ...to here
|......
| 48 | if (found)
| | ~
| | |
| | (60) following ‘false’ branch (when ‘found == 0’)...
|
‘filedb_find.part.0’: event 61
|
|cc1:
| (61): ...to here
|
<------+
|
‘filedb_find’: event 62
|
|cc1:
| (62): returning to ‘filedb_find’ from ‘filedb_find.part.0’
|
<------+
|
‘filedb_add’: events 63-64
|
| 58 | if (filedb_find(head, fname))
| | ~^~~~~~~~~~~~~~~~~~~~~~~~
| | ||
| | |(63) returning to ‘filedb_add’ from ‘filedb_find’
| | (64) following ‘false’ branch...
|
‘filedb_add’: event 65
|
|cc1:
| (65): ...to here
|
‘filedb_add’: event 66
|
|cc1:
| (66): calling ‘filedb_add.part.0’ from ‘filedb_add’
|
+--> ‘filedb_add.part.0’: events 67-68
|
| 54 | FileDB *filedb_add(FileDB *head, const char *fname) {
| | ^~~~~~~~~~
| | |
| | (67) entry to ‘filedb_add.part.0’
|......
| 63 | if (!entry)
| | ~
| | |
| | (68) following ‘false’ branch (when ‘entry’ is non-NULL)...
|
‘filedb_add.part.0’: event 69
|
|../../src/fbuilder/../include/common.h:42:25:
| 42 | #define errExit(msg) do { \
| | ^
| | |
| | (69) ...to here
../../src/fbuilder/filedb.c:64:17: note: in expansion of macro ‘errExit’
| 64 | errExit("malloc");
| | ^~~~~~~
|
‘filedb_add.part.0’: events 70-71
|
| 66 | entry->fname = strdup(fname);
| | ^~~~~~~~~~~~~
| | |
| | (70) this call could return NULL
| 67 | if (!entry->fname)
| | ~
| | |
| | (71) following ‘false’ branch...
|
‘filedb_add.part.0’: event 72
|
|../../src/fbuilder/../include/common.h:42:25:
| 42 | #define errExit(msg) do { \
| | ^
| | |
| | (72) ...to here
../../src/fbuilder/filedb.c:68:17: note: in expansion of macro ‘errExit’
| 68 | errExit("strdup");
| | ^~~~~~~
|
‘filedb_add.part.0’: event 73
|
| 69 | entry->len = strlen(entry->fname);
| | ^~~~~~~~~~~~~~~~~~~~
| | |
| | (73) argument 1 (‘strdup(fname)’) from (70) could be NULL where non-null expected
|
In file included from ../../src/fbuilder/../include/common.h:31,
from ../../src/fbuilder/fbuilder.h:23,
from ../../src/fbuilder/filedb.c:21:
/usr/include/string.h:407:15: note: argument 1 of ‘strlen’ must be non-null
407 | extern size_t strlen (const char *__s)
| ^~~~~~
static ip map: input 5998, output 2490
[...]
Full log is available here.
Kelvin M. Klann commented
Thanks for the heads up.
I get some of the warnings on Artix with:
$ pacman -Q gcc glibc
gcc 13.2.1-4
glibc 2.38-8
What are the versions on the Ubuntu machine?
glitsj16 commented
$ apt-cache policy gcc
gcc:
Installed: 4:11.2.0-1ubuntu1
Candidate: 4:11.2.0-1ubuntu1
Version table:
*** 4:11.2.0-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
100 /var/lib/dpkg/status
$ $ apt-cache policy libc6
libc6:
Installed: 2.35-0ubuntu3.6
Candidate: 2.35-0ubuntu3.6
Version table:
*** 2.35-0ubuntu3.6 500
500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
2.35-0ubuntu3 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages