kmk3
commented
8 months ago Thanks for the heads up.
I get some of the warnings on Artix with:
$ pacman -Q gcc glibc
gcc 13.2.1-4
glibc 2.38-8What are the versions on the Ubuntu machine?
Open glitsj16 opened 8 months ago
kmk3
commented
8 months ago Thanks for the heads up.
I get some of the warnings on Artix with:
$ pacman -Q gcc glibc
gcc 13.2.1-4
glibc 2.38-8What are the versions on the Ubuntu machine?
glitsj16
commented
8 months ago $ apt-cache policy gcc
gcc:
Installed: 4:11.2.0-1ubuntu1
Candidate: 4:11.2.0-1ubuntu1
Version table:
*** 4:11.2.0-1ubuntu1 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
100 /var/lib/dpkg/status$ $ apt-cache policy libc6
libc6:
Installed: 2.35-0ubuntu3.6
Candidate: 2.35-0ubuntu3.6
Version table:
*** 2.35-0ubuntu3.6 500
500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
100 /var/lib/dpkg/status
2.35-0ubuntu3 500
500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
On my old Ubuntu 16.04 LTS box I never bothered to build Firejail with
--enable-analyzer. But after migrating that machine to Ubuntu 22.04 LTS I gave it a try. The below warnings showed up (which doesn't happen on my Arch Linux box BTW).Here's the build output:
$ ./configure --prefix=/usr --enable-analyzer --enable-apparmor --enable-landlock --enable-private-lib && make
``` checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether the compiler supports GNU C... yes checking whether gcc accepts -g... yes checking for gcc option to enable C11 features... none needed checking whether C compiler accepts -MMD -MP... yes checking whether C compiler accepts -mindirect-branch=thunk... no checking whether C compiler accepts -fstack-clash-protection... yes checking whether C compiler accepts -fstack-protector-strong... yes checking for pkg-config... /usr/bin/pkg-config checking pkg-config is at least version 0.9.0... yes checking for libapparmor... yes checking for stdio.h... yes checking for stdlib.h... yes checking for string.h... yes checking for inttypes.h... yes checking for stdint.h... yes checking for strings.h... yes checking for sys/stat.h... yes checking for sys/types.h... yes checking for unistd.h... yes checking for linux/landlock.h... yes checking for gawk... yes checking for linux/seccomp.h... yes configure: creating ./config.status config.status: creating config.mk config.status: creating config.sh Compile options: CC: gcc CFLAGS: -g -O2 CPPFLAGS: LDFLAGS: EXTRA_CFLAGS: -fstack-clash-protection -fstack-protector-strong -fanalyzer -Wno-analyzer-malloc-leak DEPS_CFLAGS: -MMD -MP EXTRA_LDFLAGS: LIBS: -lapparmor fatal warnings: gcov instrumentation: install as a SUID executable: -DHAVE_SUID install contrib scripts: yes prefix: /usr sysconfdir: /etc Spectre compiler patch: yes Features: allow tmpfs as regular user: -DHAVE_USERTMPFS always enforce filters: apparmor: -DHAVE_APPARMOR busybox workaround: no chroot: -DHAVE_CHROOT DBUS proxy support: -DHAVE_DBUSPROXY disable user profiles: enable --output logging: -DHAVE_OUTPUT file transfer support: -DHAVE_FILE_TRANSFER global config: -DHAVE_GLOBALCFG IDS support: Landlock support: -DHAVE_LANDLOCK manpage support: -DHAVE_MAN network: -DHAVE_NETWORK overlayfs support: private home support: -DHAVE_PRIVATE_HOME private lib support: -DHAVE_PRIVATE_LIB SELinux labeling support: user namespace: -DHAVE_USERNS X11 sandboxing support: -DHAVE_X11 $ make [...] ../../src/fbuilder/filedb.c: In function ‘filedb_add.part.0’: ../../src/fbuilder/filedb.c:69:22: warning: use of possibly-NULL ‘strdup(fname)’ where non-null expected [CWE-690] [-Wanalyzer-possible-null-argument] 69 | entry->len = strlen(entry->fname); | ^~~~~~~~~~~~~~~~~~~~ ‘filedb_load_whitelist’: event 1 | | 88 | FileDB *filedb_load_whitelist(FileDB *head, const char *fname, const char *prefix) { | | ^~~~~~~~~~~~~~~~~~~~~ | | | | | (1) entry to ‘filedb_load_whitelist’ | ‘filedb_load_whitelist’: event 2 | | 89 | assert(fname); | | ^~~~~~ | | | | | (2) following ‘true’ branch (when ‘fname’ is non-NULL)... | ‘filedb_load_whitelist’: event 3 | | 90 | assert(prefix); | | ^~~~~~ | | | | | (3) ...to here | ‘filedb_load_whitelist’: event 4 | | 90 | assert(prefix); | | ^~~~~~ | | | | | (4) following ‘true’ branch (when ‘prefix’ is non-NULL)... | ‘filedb_load_whitelist’: events 5-6 | | 91 | int len = strlen(prefix); | | ^~~ | | | | | (5) ...to here | 92 | char *f; | 93 | if (asprintf(&f, "%s/%s", SYSCONFDIR, fname) == -1) | | ~ | | | | | (6) following ‘false’ branch... | ‘filedb_load_whitelist’: event 7 | |../../src/fbuilder/../include/common.h:42:25: | 42 | #define errExit(msg) do { \ | | ^ | | | | | (7) ...to here ../../src/fbuilder/filedb.c:94:17: note: in expansion of macro ‘errExit’ | 94 | errExit("asprintf"); | | ^~~~~~~ | ‘filedb_load_whitelist’: event 8 | | 96 | if (!fp) { | | ^ | | | | | (8) following ‘false’ branch (when ‘fp’ is non-NULL)... | ‘filedb_load_whitelist’: event 9 | |cc1: | (9): ...to here | ‘filedb_load_whitelist’: events 10-12 | | 103 | while (fgets(buf, MAX_BUF, fp)) { | | ^~~~~ | | | | | (10) following ‘true’ branch... | 104 | if (strncmp(buf, prefix, len) != 0) | | ~~ | | | | | (11) ...to here |...... | 114 | head = filedb_add(head, fn); | | ~~~~~~~~~~~~~~~~~~~~ | | | | | (12) calling ‘filedb_add’ from ‘filedb_load_whitelist’ | +--> ‘filedb_add’: event 13 | | 54 | FileDB *filedb_add(FileDB *head, const char *fname) { | | ^~~~~~~~~~ | | | | | (13) entry to ‘filedb_add’ | ‘filedb_add’: event 14 | | 55 | assert(fname); | | ^~~~~~ | | | | | (14) following ‘true’ branch (when ‘fname’ is non-NULL)... | ‘filedb_add’: events 15-16 | | 58 | if (filedb_find(head, fname)) | | ^~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (16) calling ‘filedb_find’ from ‘filedb_add’ | | (15) ...to here | +--> ‘filedb_find’: event 17 | | 24 | FileDB *filedb_find(FileDB *head, const char *fname) { | | ^~~~~~~~~~~ | | | | | (17) entry to ‘filedb_find’ | ‘filedb_find’: event 18 | | 25 | assert(fname); | | ^~~~~~ | | | | | (18) following ‘true’ branch (when ‘fname’ is non-NULL)... | ‘filedb_find’: event 19 | |cc1: | (19): ...to here | ‘filedb_find’: event 20 | |cc1: | (20): calling ‘filedb_find.part.0’ from ‘filedb_find’ | +--> ‘filedb_find.part.0’: events 21-27 | | 24 | FileDB *filedb_find(FileDB *head, const char *fname) { | | ^~~~~~~~~~~ | | | | | (21) entry to ‘filedb_find.part.0’ |...... | 29 | while (ptr) { | | ~~~ | | | | | (22) following ‘true’ branch (when ‘ptr’ is non-NULL)... | | (24) following ‘true’ branch (when ‘ptr’ is non-NULL)... |...... | 32 | if (fnmatch(ptr->fname, fname, FNM_PATHNAME) == 0) { | | ~~ | | | | | (23) ...to here | | (25) ...to here |...... | 48 | if (found) | | ~ | | | | | (26) following ‘true’ branch (when ‘found != 0’)... | 49 | return ptr; | | ~~~~~~ | | | | | (27) ...to here | <------+ | ‘filedb_find’: event 28 | |cc1: | (28): returning to ‘filedb_find’ from ‘filedb_find.part.0’ | <------+ | ‘filedb_add’: event 29 | | 58 | if (filedb_find(head, fname)) | | ^~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (29) returning to ‘filedb_add’ from ‘filedb_find’ | ‘filedb_add’: event 30 | |cc1: | (30): calling ‘filedb_add.part.0’ from ‘filedb_add’ | +--> ‘filedb_add.part.0’: events 31-32 | | 54 | FileDB *filedb_add(FileDB *head, const char *fname) { | | ^~~~~~~~~~ | | | | | (31) entry to ‘filedb_add.part.0’ |...... | 63 | if (!entry) | | ~ | | | | | (32) following ‘false’ branch (when ‘entry’ is non-NULL)... | ‘filedb_add.part.0’: event 33 | |../../src/fbuilder/../include/common.h:42:25: | 42 | #define errExit(msg) do { \ | | ^ | | | | | (33) ...to here ../../src/fbuilder/filedb.c:64:17: note: in expansion of macro ‘errExit’ | 64 | errExit("malloc"); | | ^~~~~~~ | ‘filedb_add.part.0’: events 34-36 | | 66 | entry->fname = strdup(fname); | | ^~~~~~~~~~~~~ | | | | | (34) this call could return NULL | 67 | if (!entry->fname) | | ~ | | | | | (35) assuming ‘strdup(fname)’ is non-NULL | | (36) following ‘false’ branch... | ‘filedb_add.part.0’: event 37 | |../../src/fbuilder/../include/common.h:42:25: | 42 | #define errExit(msg) do { \ | | ^ | | | | | (37) ...to here ../../src/fbuilder/filedb.c:68:17: note: in expansion of macro ‘errExit’ | 68 | errExit("strdup"); | | ^~~~~~~ | <------+ | ‘filedb_add’: event 38 | |cc1: | (38): returning to ‘filedb_add’ from ‘filedb_add.part.0’ | <------+ | ‘filedb_load_whitelist’: events 39-46 | | 103 | while (fgets(buf, MAX_BUF, fp)) { | | ~~~~~ | | | | | (40) following ‘true’ branch... | 104 | if (strncmp(buf, prefix, len) != 0) | | ~~ ~ | | | | | | | (42) following ‘false’ branch... | | (41) ...to here |...... | 107 | char *fn = buf + len; | | ~~~~ | | | | | (43) ...to here | 108 | char *ptr = strchr(buf, '\n'); | 109 | if (!ptr) | | ~ | | | | | (44) following ‘false’ branch (when ‘ptr’ is non-NULL)... | 110 | continue; | 111 | *ptr = '\0'; | | ~ | | | | | (45) ...to here |...... | 114 | head = filedb_add(head, fn); | | ^~~~~~~~~~~~~~~~~~~~ | | | | | (39) returning to ‘filedb_load_whitelist’ from ‘filedb_add’ | | (46) calling ‘filedb_add’ from ‘filedb_load_whitelist’ | +--> ‘filedb_add’: event 47 | | 54 | FileDB *filedb_add(FileDB *head, const char *fname) { | | ^~~~~~~~~~ | | | | | (47) entry to ‘filedb_add’ | ‘filedb_add’: event 48 | | 55 | assert(fname); | | ^~~~~~ | | | | | (48) following ‘true’ branch (when ‘fname’ is non-NULL)... | ‘filedb_add’: events 49-50 | | 58 | if (filedb_find(head, fname)) | | ^~ ~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | | | (50) calling ‘filedb_find’ from ‘filedb_add’ | | (49) ...to here | +--> ‘filedb_find’: event 51 | | 24 | FileDB *filedb_find(FileDB *head, const char *fname) { | | ^~~~~~~~~~~ | | | | | (51) entry to ‘filedb_find’ | ‘filedb_find’: event 52 | | 25 | assert(fname); | | ^~~~~~ | | | | | (52) following ‘true’ branch (when ‘fname’ is non-NULL)... | ‘filedb_find’: event 53 | |cc1: | (53): ...to here | ‘filedb_find’: event 54 | |cc1: | (54): calling ‘filedb_find.part.0’ from ‘filedb_find’ | +--> ‘filedb_find.part.0’: events 55-60 | | 24 | FileDB *filedb_find(FileDB *head, const char *fname) { | | ^~~~~~~~~~~ | | | | | (55) entry to ‘filedb_find.part.0’ |...... | 29 | while (ptr) { | | ~~~ | | | | | (56) following ‘true’ branch (when ‘ptr’ is non-NULL)... |...... | 32 | if (fnmatch(ptr->fname, fname, FNM_PATHNAME) == 0) { | | ~~ ~ | | | | | | | (58) following ‘false’ branch... | | (57) ...to here |...... | 38 | if (strlen(fname) > ptr->len && | | ~~ | | | | | (59) ...to here |...... | 48 | if (found) | | ~ | | | | | (60) following ‘false’ branch (when ‘found == 0’)... | ‘filedb_find.part.0’: event 61 | |cc1: | (61): ...to here | <------+ | ‘filedb_find’: event 62 | |cc1: | (62): returning to ‘filedb_find’ from ‘filedb_find.part.0’ | <------+ | ‘filedb_add’: events 63-64 | | 58 | if (filedb_find(head, fname)) | | ~^~~~~~~~~~~~~~~~~~~~~~~~ | | || | | |(63) returning to ‘filedb_add’ from ‘filedb_find’ | | (64) following ‘false’ branch... | ‘filedb_add’: event 65 | |cc1: | (65): ...to here | ‘filedb_add’: event 66 | |cc1: | (66): calling ‘filedb_add.part.0’ from ‘filedb_add’ | +--> ‘filedb_add.part.0’: events 67-68 | | 54 | FileDB *filedb_add(FileDB *head, const char *fname) { | | ^~~~~~~~~~ | | | | | (67) entry to ‘filedb_add.part.0’ |...... | 63 | if (!entry) | | ~ | | | | | (68) following ‘false’ branch (when ‘entry’ is non-NULL)... | ‘filedb_add.part.0’: event 69 | |../../src/fbuilder/../include/common.h:42:25: | 42 | #define errExit(msg) do { \ | | ^ | | | | | (69) ...to here ../../src/fbuilder/filedb.c:64:17: note: in expansion of macro ‘errExit’ | 64 | errExit("malloc"); | | ^~~~~~~ | ‘filedb_add.part.0’: events 70-71 | | 66 | entry->fname = strdup(fname); | | ^~~~~~~~~~~~~ | | | | | (70) this call could return NULL | 67 | if (!entry->fname) | | ~ | | | | | (71) following ‘false’ branch... | ‘filedb_add.part.0’: event 72 | |../../src/fbuilder/../include/common.h:42:25: | 42 | #define errExit(msg) do { \ | | ^ | | | | | (72) ...to here ../../src/fbuilder/filedb.c:68:17: note: in expansion of macro ‘errExit’ | 68 | errExit("strdup"); | | ^~~~~~~ | ‘filedb_add.part.0’: event 73 | | 69 | entry->len = strlen(entry->fname); | | ^~~~~~~~~~~~~~~~~~~~ | | | | | (73) argument 1 (‘strdup(fname)’) from (70) could be NULL where non-null expected | In file included from ../../src/fbuilder/../include/common.h:31, from ../../src/fbuilder/fbuilder.h:23, from ../../src/fbuilder/filedb.c:21: /usr/include/string.h:407:15: note: argument 1 of ‘strlen’ must be non-null 407 | extern size_t strlen (const char *__s) | ^~~~~~ static ip map: input 5998, output 2490 [...] ```Full log is available here.