[PATCH 1/6] scripts/run-scan-build: update

[PATCH 1/6] scripts/run-scan-build: update

[Christian Göttsche]

- use multiple jobs
- define _FORTIFY_SOURCE=2 to enable checks on standard string handling
  functions due to macro/intrinsic overloads or function attributes
- allow to override clang and scan-build binaries, i.e. for using
  versioned ones
- set PYTHON_SETUP_ARGS accordingly on Debian
- enable common warning -Wextra
- print build result

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 scripts/run-scan-build | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/scripts/run-scan-build b/scripts/run-scan-build
index ae5aa48b..ef07fefc 100755
--- a/scripts/run-scan-build
+++ b/scripts/run-scan-build
@@ -1,6 +1,10 @@
 #!/bin/sh
 # Run clang's static analyzer (scan-build) and record its output in output-scan-build/
 
+# Allow overriding binariy names, like clang-12
+export CC=${CC:-clang}
+SCAN_BUILD=${SCAN_BUILD:-scan-build}
+
 # Ensure the current directory is where this script is
 cd "$(dirname -- "$0")" || exit $?
 
@@ -20,14 +24,24 @@ export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH
 export PYTHONPATH="$DESTDIR$(${PYTHON:-python3} -c "from distutils.sysconfig import *;print(get_python_lib(prefix='/usr'))")"
 export RUBYLIB="$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorarchdir"]')"
 
+if [ -f /etc/debian_version ]; then
+    export PYTHON_SETUP_ARGS='--install-layout=deb'
+fi
+
 # Build and analyze
-make -C .. CC=clang clean distclean -j"$(nproc)"
-scan-build -analyze-headers -o "$OUTPUTDIR" make -C .. \
-    CC=clang \
+make -C .. clean distclean -j"$(nproc)"
+$SCAN_BUILD -analyze-headers -o "$OUTPUTDIR" make -C .. \
     DESTDIR="$DESTDIR" \
-    CFLAGS="-O2 -Wall -D__CHECKER__ -I$DESTDIR/usr/include" \
+    CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -D__CHECKER__ -I$DESTDIR/usr/include" \
+    -j"$(nproc)" \
     install install-pywrap install-rubywrap all test
 
+if [ $? -eq 0 ]; then
+    echo "++ Build succeeded"
+else
+    echo "++ Build failed"
+fi
+
 # Reduce the verbosity in order to keep the message from scan-build saying
 # "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.
 set +x
-- 
2.32.0

[PATCH 2/6] secilc: fix memory leaks in secilc

[Christian Göttsche]

When specifying -o or -f more than once, the previous allocations leak.

Found by scan-build.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 secilc/secilc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/secilc/secilc.c b/secilc/secilc.c
index 1c4f1ca0..80d3583d 100644
--- a/secilc/secilc.c
+++ b/secilc/secilc.c
@@ -199,9 +199,11 @@ int main(int argc, char *argv[])
 				qualified_names = 1;
 				break;
 			case 'o':
+				free(output);
 				output = strdup(optarg);
 				break;
 			case 'f':
+				free(filecontexts);
 				filecontexts = strdup(optarg);
 				break;
 			case 'G':
-- 
2.32.0

[PATCH 3/6] secilc: fix memory leaks in secilc2conf

[Christian Göttsche]

When specifying -o more than once, the previous allocation leaks.

Found by scan-build.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 secilc/secil2conf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/secilc/secil2conf.c b/secilc/secil2conf.c
index d4103777..c49522e5 100644
--- a/secilc/secil2conf.c
+++ b/secilc/secil2conf.c
@@ -111,6 +111,7 @@ int main(int argc, char *argv[])
 				qualified_names = 1;
 				break;
 			case 'o':
+				free(output);
 				output = strdup(optarg);
 				break;
 			case 'h':
-- 
2.32.0

[PATCH 4/6] policycoreutils: free memory on lstat failure in sestatus

[Christian Göttsche]

In case lstat(3) fails the memory is not free'd at the end of the for
loop, due to the control flow change by continue.

Found by scan-build.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 policycoreutils/sestatus/sestatus.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policycoreutils/sestatus/sestatus.c b/policycoreutils/sestatus/sestatus.c
index b37f0353..ceee0d52 100644
--- a/policycoreutils/sestatus/sestatus.c
+++ b/policycoreutils/sestatus/sestatus.c
@@ -461,6 +461,7 @@ int main(int argc, char **argv)
 				    ("%s (could not check link status (%s)!)\n",
 				     context, strerror(errno));
 				freecon(context);
+				free(fc[i]);
 				continue;
 			}
 			if (S_ISLNK(m.st_mode)) {
-- 
2.32.0

[PATCH 5/6] policycoreutils: free memory of allocated context in run_init

[Christian Göttsche]

Found by scan-build.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 policycoreutils/run_init/run_init.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
index 1c5eb68e..545490a2 100644
--- a/policycoreutils/run_init/run_init.c
+++ b/policycoreutils/run_init/run_init.c
@@ -406,14 +406,19 @@ int main(int argc, char *argv[])
 
 	if (chdir("/")) {
 		perror("chdir");
+		free(new_context);
 		exit(-1);
 	}
 
 	if (setexeccon(new_context) < 0) {
 		fprintf(stderr, _("Could not set exec context to %s.\n"),
 			new_context);
+		free(new_context);
 		exit(-1);
 	}
+
+	free(new_context);
+
 	if (access("/usr/sbin/open_init_pty", X_OK) != 0) {
 		if (execvp(argv[1], argv + 1)) {
 			perror("execvp");
-- 
2.32.0

[PATCH 6/6] policycoreutils: free memory of allocated context in newrole

[Christian Göttsche]

Found by scan-build.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 policycoreutils/newrole/newrole.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index 0264531a..7c1f062f 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -1239,6 +1239,7 @@ int main(int argc, char *argv[])
 		free(pw.pw_dir);
 		free(pw.pw_shell);
 		free(shell_argv0);
+		free(new_context);
 		return exit_code;
 	}
 
-- 
2.32.0

Re: [PATCH 1/6] scripts/run-scan-build: update

[James Carter]

On Wed, Jul 14, 2021 at 2:16 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> - use multiple jobs
> - define _FORTIFY_SOURCE=2 to enable checks on standard string handling
>   functions due to macro/intrinsic overloads or function attributes
> - allow to override clang and scan-build binaries, i.e. for using
>   versioned ones
> - set PYTHON_SETUP_ARGS accordingly on Debian
> - enable common warning -Wextra
> - print build result
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

For all six patches:
Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  scripts/run-scan-build | 22 ++++++++++++++++++----
>  1 file changed, 18 insertions(+), 4 deletions(-)
>
> diff --git a/scripts/run-scan-build b/scripts/run-scan-build
> index ae5aa48b..ef07fefc 100755
> --- a/scripts/run-scan-build
> +++ b/scripts/run-scan-build
> @@ -1,6 +1,10 @@
>  #!/bin/sh
>  # Run clang's static analyzer (scan-build) and record its output in output-scan-build/
>
> +# Allow overriding binariy names, like clang-12
> +export CC=${CC:-clang}
> +SCAN_BUILD=${SCAN_BUILD:-scan-build}
> +
>  # Ensure the current directory is where this script is
>  cd "$(dirname -- "$0")" || exit $?
>
> @@ -20,14 +24,24 @@ export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH
>  export PYTHONPATH="$DESTDIR$(${PYTHON:-python3} -c "from distutils.sysconfig import *;print(get_python_lib(prefix='/usr'))")"
>  export RUBYLIB="$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorarchdir"]')"
>
> +if [ -f /etc/debian_version ]; then
> +    export PYTHON_SETUP_ARGS='--install-layout=deb'
> +fi
> +
>  # Build and analyze
> -make -C .. CC=clang clean distclean -j"$(nproc)"
> -scan-build -analyze-headers -o "$OUTPUTDIR" make -C .. \
> -    CC=clang \
> +make -C .. clean distclean -j"$(nproc)"
> +$SCAN_BUILD -analyze-headers -o "$OUTPUTDIR" make -C .. \
>      DESTDIR="$DESTDIR" \
> -    CFLAGS="-O2 -Wall -D__CHECKER__ -I$DESTDIR/usr/include" \
> +    CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -D__CHECKER__ -I$DESTDIR/usr/include" \
> +    -j"$(nproc)" \
>      install install-pywrap install-rubywrap all test
>
> +if [ $? -eq 0 ]; then
> +    echo "++ Build succeeded"
> +else
> +    echo "++ Build failed"
> +fi
> +
>  # Reduce the verbosity in order to keep the message from scan-build saying
>  # "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.
>  set +x
> --
> 2.32.0
>

Re: [PATCH 1/6] scripts/run-scan-build: update

[James Carter]

On Mon, Jul 19, 2021 at 12:58 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Jul 14, 2021 at 2:16 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > - use multiple jobs
> > - define _FORTIFY_SOURCE=2 to enable checks on standard string handling
> >   functions due to macro/intrinsic overloads or function attributes
> > - allow to override clang and scan-build binaries, i.e. for using
> >   versioned ones
> > - set PYTHON_SETUP_ARGS accordingly on Debian
> > - enable common warning -Wextra
> > - print build result
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> For all six patches:
> Acked-by: James Carter <jwcart2@gmail.com>
>

This series has been merged.

Thanks,
Jim

> > ---
> >  scripts/run-scan-build | 22 ++++++++++++++++++----
> >  1 file changed, 18 insertions(+), 4 deletions(-)
> >
> > diff --git a/scripts/run-scan-build b/scripts/run-scan-build
> > index ae5aa48b..ef07fefc 100755
> > --- a/scripts/run-scan-build
> > +++ b/scripts/run-scan-build
> > @@ -1,6 +1,10 @@
> >  #!/bin/sh
> >  # Run clang's static analyzer (scan-build) and record its output in output-scan-build/
> >
> > +# Allow overriding binariy names, like clang-12
> > +export CC=${CC:-clang}
> > +SCAN_BUILD=${SCAN_BUILD:-scan-build}
> > +
> >  # Ensure the current directory is where this script is
> >  cd "$(dirname -- "$0")" || exit $?
> >
> > @@ -20,14 +24,24 @@ export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH
> >  export PYTHONPATH="$DESTDIR$(${PYTHON:-python3} -c "from distutils.sysconfig import *;print(get_python_lib(prefix='/usr'))")"
> >  export RUBYLIB="$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorarchdir"]')"
> >
> > +if [ -f /etc/debian_version ]; then
> > +    export PYTHON_SETUP_ARGS='--install-layout=deb'
> > +fi
> > +
> >  # Build and analyze
> > -make -C .. CC=clang clean distclean -j"$(nproc)"
> > -scan-build -analyze-headers -o "$OUTPUTDIR" make -C .. \
> > -    CC=clang \
> > +make -C .. clean distclean -j"$(nproc)"
> > +$SCAN_BUILD -analyze-headers -o "$OUTPUTDIR" make -C .. \
> >      DESTDIR="$DESTDIR" \
> > -    CFLAGS="-O2 -Wall -D__CHECKER__ -I$DESTDIR/usr/include" \
> > +    CFLAGS="-O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -D__CHECKER__ -I$DESTDIR/usr/include" \
> > +    -j"$(nproc)" \
> >      install install-pywrap install-rubywrap all test
> >
> > +if [ $? -eq 0 ]; then
> > +    echo "++ Build succeeded"
> > +else
> > +    echo "++ Build failed"
> > +fi
> > +
> >  # Reduce the verbosity in order to keep the message from scan-build saying
> >  # "scan-build: Run 'scan-view /.../output-scan-build/2018-...' to examine bug reports.
> >  set +x
> > --
> > 2.32.0
> >