public inbox for bzip2-devel@sourceware.org
From: Mark Wielaard <mark@klomp.org>
To: noloader@gmail.com, bzip2-devel@sourceware.org
Subject: Re: call to ‘fprintf’ from within signal handler [CWE-479]
Date: Thu, 16 Jul 2020 15:55:40 +0200
Message-ID: <31c7983432368f62b6d8a7c5e0f395770de3ac2e.camel@klomp.org>
In-Reply-To: <CAH8yC8m=SGOa=tHMh4giELb7nQJA+NtOtCNzXrM1L7wnePb5PQ@mail.gmail.com>

Hi Jeffrey,

On Thu, 2020-07-16 at 04:49 -0400, Jeffrey Walton via Bzip2-devel
wrote:
> I'm testing a build with the GCC 10 analyzer. Add -fanalyzer to
> CFLAGS. If you need GCC 10, then you can find it on Fedora 32.

The GCC -fanalyzer is indeed awesome!

> The Analyzer is producing a finding:
> 
> bzip2.c:677:4: warning: call to ‘fprintf’ from within signal handler
> [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
>   677 |    fprintf (
>       |    ^~~~~~~~~
>   678 |       stderr,
>       |       ~~~~~~~
>   679 |       "\tInput file = %s, output file = %s\n",
>       |       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   680 |       inName, outName
>       |       ~~~~~~~~~~~~~~~
>   681 |    );
> 
> There are two additional findings that are similar.

That should already have been fixed in git:

commit 8ca1faa31f396d94ab927b257f3a05236c84e330
Author: Mark Wielaard <mark@klomp.org>
Date:   Sun May 17 20:02:31 2020 +0200

    Don't call unsafe functions from SIGSEGV/SIGBUS signal handler.
    
    GCC10 -fanalyzer notices that we try to call functions that are not
    signal safe from our fatal signal handler:
    
    bzip2.c: In function ‘mySIGSEGVorSIGBUScatcher’:
    bzip2.c:819:7: warning: call to ‘fprintf’ from within signal handler
                   [CWE-479] [-Wanalyzer-unsafe-call-within-signal-handler]
    
    It also notices we then call showFileNames and cleanupAndFail which
    also call possibly not signal safe functions.
    
    Just write out the error message directly to STDERR and exit without
    trying to clean up any files.
