enabling gcc's -fanalyzer option
Falko Strenzke
falko.strenzke at mtg.de
Wed Mar 6 11:46:18 CET 2024
Hi,
I enabled -fanalyzer for GnuPG in my project. It reports quite a few
findings. Some of them (or even the majority) might be false positives.
I haven't checked that, though. However, the one I quote below seems
like a true positive (the line numbers in current master slightly
deviate, but the picture is simple anyway: md has to be initialized to
NULL when declared).
Just as a suggestion from me to add a flag to the configure script to
enable this gcc feature. I am still looking for a way to inform the
static analyzer in the source code about certain semantics (i.e.
restrictions on the values returned by functions in external libraries),
this would be very helpful to suppress false positives.
- Falko
sign.c:1760:3: warning: use of uninitialized value ‘md’ [CWE-457]
[-Wanalyzer-use-of-uninitialized-value]
1760 | gcry_md_close (md);
| ^~~~~~~~~~~~~~~~~~
‘sign_symencrypt_file’: events 1-7
|
| 1587 | gcry_md_hd_t md;
| | ^~
| | |
| | (1) region created on stack here
| | (2) capacity: 8 bytes
|......
| 1618 | if (rc)
| | ~
| | |
| | (3) following ‘true’ branch (when ‘rc != 0’)...
| 1619 | goto leave;
| | ~~~~
| | |
| | (4) ...to here
|......
| 1751 | if (rc)
| | ~
| | |
| | (5) following ‘true’ branch (when ‘rc != 0’)...
| 1752 | iobuf_cancel (out);
| | ~~~~~~~~~~~~~~~~~~
| | |
| | (6) ...to here
|......
| 1760 | gcry_md_close (md);
| | ~~~~~~~~~~~~~~~~~~
| | |
| | (7) use of uninitialized value ‘md’ here
|
--
*MTG AG*
Dr. Falko Strenzke
Executive System Architect
Phone: +49 6151 8000 24
E-Mail: falko.strenzke at mtg.de
Web: mtg.de <https://www.mtg.de>
<https://www.linkedin.com/search/results/all/?fetchDeterministicClustersOnly=true&heroEntityKey=urn%3Ali%3Aorganization%3A13983133&keywords=mtg%20ag&origin=RICH_QUERY_SUGGESTION&position=0&searchId=d5bc71c3-97f7-4cae-83e7-e9e16d497dc2&sid=3S5&spellCorrectionEnabled=false>
Follow us
------------------------------------------------------------------------
<https://www.mtg.de/de/aktuelles/MTG-AG-erhaelt-Innovationspreis-des-Bundesverbands-IT-Sicherheit-e.V-00001.-TeleTrust/>
<https://www.itsa365.de/de-de/companies/m/mtg-ag>
MTG AG - Dolivostr. 11 - 64293 Darmstadt, Germany
Commercial register: HRB 8901
Register Court: Amtsgericht Darmstadt
Management Board: Jürgen Ruf (CEO), Tamer Kemeröz
Chairman of the Supervisory Board: Dr. Thomas Milde
This email may contain confidential and/or privileged information. If
you are not the correct recipient or have received this email in error,
please inform the sender immediately and delete this email.Unauthorised
copying or distribution of this email is not permitted.
Data protection information: Privacy policy
<https://www.mtg.de/en/privacy-policy>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240306/508d8933/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 73t6G3nkheDzgnUr.png
Type: image/png
Size: 4018 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240306/508d8933/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: s50ppgeRmyFZOTKY.png
Type: image/png
Size: 14587 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240306/508d8933/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CS0G8v68No0Gz0mf.png
Type: image/png
Size: 13185 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240306/508d8933/attachment-0005.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4813 bytes
Desc: Kryptografische S/MIME-Signatur
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240306/508d8933/attachment-0001.bin>
More information about the Gnupg-devel
mailing list