On Fri, Feb 1, 2019 at 9:24 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote: > On Fri, Feb 1, 2019 at 8:36 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote: > > gcc-9.0.0-0.3.fc30.x86_64 from Fedora Rawhide: > > > > gcc version 9.0.0 20190119 (Red Hat 9.0.0-0.3) (GCC) > > > > $ make DESTDIR=~/obj install install-pywrap > > ... > > > > make[2]: Entering directory > > '/home/build/SELinuxProject-selinux/libsepol/src' > > cc -O2 -Werror -Wall -Wextra -Wmissing-format-attribute > > -Wmissing-noreturn -Wpointer-arith -Wshadow -Wstrict-prototypes > > -Wundef -Wunused -Wwrite-strings -I. -I../include -D_GNU_SOURCE > > -I../cil/include -fPIC -c -o genbools.o genbools.c > > In function ‘strtrim’, > > inlined from ‘process_boolean.constprop’ at genbools.c:52:2: > > genbools.c:24:2: error: ‘strncpy’ output may be truncated copying > > 8191 bytes from a string of length 8191 > > [-Werror=stringop-truncation] > > 24 | strncpy(dest, ptr, size); > > | ^~~~~~~~~~~~~~~~~~~~~~~~ > > > > This is a typical strncpy() abuse. See 'man strncpy' -> /NOTES for how > to handle the corner case correctly (same for similar issues below). Actually, upon closer look it looks like there is no abuse and the warning simply warns that only a part of the string might be copied into the destination. I suppose we don't care about that possibility here, so the best way to resolve the warning might be to just disable the warning for this part of the code. > > > ... > > > > make[2]: Entering directory > > '/home/build/SELinuxProject-selinux/libsepol/src' > > cc -O2 -Werror -Wall -Wextra -Wmissing-format-attribute > > -Wmissing-noreturn -Wpointer-arith -Wshadow -Wstrict-prototypes > > -Wundef -Wunused -Wwrite-strings -I. -I../include -D_GNU_SOURCE > > -I../cil/include -fPIC -DSHARED -c -o genbools.lo genbools.c > > In function ‘strtrim’, > > inlined from ‘process_boolean.constprop’ at genbools.c:52:2: > > genbools.c:24:2: error: ‘strncpy’ output may be truncated copying > > 8191 bytes from a string of length 8191 > > [-Werror=stringop-truncation] > > 24 | strncpy(dest, ptr, size); > > | ^~~~~~~~~~~~~~~~~~~~~~~~ > > > > ... > > > > make[2]: Entering directory > > '/home/build/SELinuxProject-selinux/libselinux/src' > > cc -O2 -Werror -Wall -Wextra -Wmissing-format-attribute > > -Wmissing-noreturn -Wpointer-arith -Wshadow -Wstrict-prototypes > > -Wundef -Wunused -Wwrite-strings -I../include -D_GNU_SOURCE > > -DNO_ANDROID_BACKEND -c -o booleans.o booleans.c > > In function ‘strtrim’, > > inlined from ‘process_boolean’ at booleans.c:362:2: > > booleans.c:335:2: error: ‘strncpy’ output may be truncated copying > > between 8188 and 8191 bytes from a string of length 8191 > > [-Werror=stringop-truncation] > > 335 | strncpy(dest, ptr, size); > > | ^~~~~~~~~~~~~~~~~~~~~~~~ > > > > ... > > > > > > > > When libselinux is built separately, other CFLAGS is used: > > > > $ cd libselinux > > > > $ make DESTDIR=~/obj install install-pywrap > > ... > > > > make[1]: Entering directory > > '/home/build/SELinuxProject-selinux/libselinux/src' > > > > cc -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self > > -Wmissing-include-dirs -Wunused -Wunknown-pragmas > > -Wstrict-aliasing -Wshadow -Wpointer-arith -Wbad-function-cast > > -Wcast-align -Wwrite-strings -Waggregate-return > > -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes > > -Wmissing-declarations -Wmissing-noreturn > > -Wmissing-format-attribute -Wredundant-decls -Wnested-externs > > -Winline -Winvalid-pch -Wvolatile-register-var > > -Wdisabled-optimization -Wbuiltin-macro-redefined -Wattributes > > -Wmultichar -Wdeprecated-declarations -Wdiv-by-zero > > -Wdouble-promotion -Wendif-labels -Wextra -Wformat-extra-args > > -Wformat-zero-length -Wformat=2 -Wmultichar -Woverflow > > -Wpointer-to-int-cast -Wpragmas -Wno-missing-field-initializers > > -Wno-sign-compare -Wno-format-nonliteral -Wframe-larger-than=32768 > > -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions > > -fasynchronous-unwind-tables -fdiagnostics-show-option > > -funit-at-a-time -Werror -Wno-aggregate-return > > -Wno-redundant-decls -fipa-pure-const -Wlogical-op > > -Wpacked-bitfield-compat -Wsync-nand -Wcoverage-mismatch -Wcpp > > -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const > > -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure > > -Wtrampolines -Wjump-misses-init -Wno-suggest-attribute=pure > > -Wno-suggest-attribute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 > > -Wstrict-overflow=5 -I../include -D_GNU_SOURCE > > -DNO_ANDROID_BACKEND -c -o booleans.o booleans.c > > booleans.c: In function ‘security_get_boolean_names’: > > booleans.c:39:5: error: assuming signed overflow does not occur > > when changing X +- C1 cmp C2 to X cmp C2 -+ C1 > > [-Werror=strict-overflow] > > 39 | int security_get_boolean_names(char ***names, int *len) > > | ^~~~~~~~~~~~~~~~~~~~~~~~~~ > > cc1: all warnings being treated as errors > > This one is really weird... Perhaps a bug in GCC? At the very least > the warning message and source code location are super confusing, > which is a bug on its own... > > -- > Ondrej Mosnacek <omosnace at redhat dot com> > Associate Software Engineer, Security Technologies > Red Hat, Inc. -- Ondrej Mosnacek <omosnace at redhat dot com> Associate Software Engineer, Security Technologies Red Hat, Inc.
