Bug Summary

File:build-scan/../src/shared/specifier.c
Warning:line 271, column 20
Use of zero-allocated memory

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name specifier.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=all -relaxed-aliasing -menable-no-infs -menable-no-nans -menable-unsafe-fp-math -fno-signed-zeros -mreassociate -freciprocal-math -fdenormal-fp-math=preserve-sign,preserve-sign -ffp-contract=fast -fno-rounding-math -ffast-math -ffinite-math-only -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -fno-split-dwarf-inlining -debugger-tuning=gdb -resource-dir /usr/lib64/clang/12.0.0 -include config.h -I src/shared/libsystemd-shared-239.a.p -I src/shared -I ../src/shared -I src/basic -I ../src/basic -I src/systemd -I ../src/systemd -I src/journal -I ../src/journal -I src/journal-remote -I ../src/journal-remote -I src/nspawn -I ../src/nspawn -I src/resolve -I ../src/resolve -I src/timesync -I ../src/timesync -I ../src/time-wait-sync -I src/login -I ../src/login -I src/udev -I ../src/udev -I src/libudev -I ../src/libudev -I src/core -I ../src/core -I ../src/libsystemd/sd-bus -I ../src/libsystemd/sd-device -I ../src/libsystemd/sd-hwdb -I ../src/libsystemd/sd-id128 -I ../src/libsystemd/sd-netlink -I ../src/libsystemd/sd-network -I src/libsystemd-network -I ../src/libsystemd-network -I . -I .. -I /usr/include/blkid -D _FILE_OFFSET_BITS=64 -internal-isystem /usr/local/include -internal-isystem /usr/lib64/clang/12.0.0/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wwrite-strings -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Wno-format-signedness -Wno-error=nonnull -std=gnu99 -fconst-strings -fdebug-compilation-dir /home/mrc0mmand/repos/@redhat-plumbers/systemd-rhel8/build-scan -ferror-limit 19 -fvisibility default -stack-protector 2 -fgnuc-version=4.2.1 -fcolor-diagnostics -analyzer-output=html -faddrsig -o /tmp/scan-build-2021-07-16-221226-1465241-1 -x c ../src/shared/specifier.c

../src/shared/specifier.c

1/* SPDX-License-Identifier: LGPL-2.1+ */
2
3#include <errno(*__errno_location ()).h>
4#include <stdbool.h>
5#include <stddef.h>
6#include <stdlib.h>
7#include <string.h>
8#include <sys/utsname.h>
9
10#include "sd-id128.h"
11
12#include "alloc-util.h"
13#include "fs-util.h"
14#include "hostname-util.h"
15#include "macro.h"
16#include "specifier.h"
17#include "string-util.h"
18#include "strv.h"
19#include "user-util.h"
20
21/*
22 * Generic infrastructure for replacing %x style specifiers in
23 * strings. Will call a callback for each replacement.
24 *
25 */
26
27/* Any ASCII character or digit: our pool of potential specifiers,
28 * and "%" used for escaping. */
29#define POSSIBLE_SPECIFIERS"abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789"
"%" ALPHANUMERICAL"abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789" "%"
30
31int specifier_printf(const char *text, const Specifier table[], void *userdata, char **_ret) {
32 size_t l, allocated = 0;
33 _cleanup_free___attribute__((cleanup(freep))) char *ret = NULL((void*)0);
34 char *t;
35 const char *f;
36 bool_Bool percent = false0;
37 int r;
38
39 assert(text)do { if ((__builtin_expect(!!(!(text)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("text"), "../src/shared/specifier.c", 39
, __PRETTY_FUNCTION__); } while (0);
40 assert(table)do { if ((__builtin_expect(!!(!(table)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("table"), "../src/shared/specifier.c", 40
, __PRETTY_FUNCTION__); } while (0);
41
42 l = strlen(text);
43 if (!GREEDY_REALLOC(ret, allocated, l + 1)greedy_realloc((void**) &(ret), &(allocated), (l + 1)
, sizeof((ret)[0])))
44 return -ENOMEM12;
45 t = ret;
46
47 for (f = text; *f; f++, l--)
48 if (percent) {
49 if (*f == '%')
50 *(t++) = '%';
51 else {
52 const Specifier *i;
53
54 for (i = table; i->specifier; i++)
55 if (i->specifier == *f)
56 break;
57
58 if (i->lookup) {
59 _cleanup_free___attribute__((cleanup(freep))) char *w = NULL((void*)0);
60 size_t k, j;
61
62 r = i->lookup(i->specifier, i->data, userdata, &w);
63 if (r < 0)
64 return r;
65
66 j = t - ret;
67 k = strlen(w);
68
69 if (!GREEDY_REALLOC(ret, allocated, j + k + l + 1)greedy_realloc((void**) &(ret), &(allocated), (j + k +
l + 1), sizeof((ret)[0])))
70 return -ENOMEM12;
71 memcpy(ret + j, w, k);
72 t = ret + j + k;
73 } else if (strchr(POSSIBLE_SPECIFIERS"abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789"
"%", *f))
74 /* Oops, an unknown specifier. */
75 return -EBADSLT57;
76 else {
77 *(t++) = '%';
78 *(t++) = *f;
79 }
80 }
81
82 percent = false0;
83 } else if (*f == '%')
84 percent = true1;
85 else
86 *(t++) = *f;
87
88 /* If string ended with a stray %, also end with % */
89 if (percent)
90 *(t++) = '%';
91 *(t++) = 0;
92
93 /* Try to deallocate unused bytes, but don't sweat it too much */
94 if ((size_t)(t - ret) < allocated) {
95 t = realloc(ret, t - ret);
96 if (t)
97 ret = t;
98 }
99
100 *_ret = TAKE_PTR(ret)({ typeof(ret) _ptr_ = (ret); (ret) = ((void*)0); _ptr_; });
101 return 0;
102}
103
104/* Generic handler for simple string replacements */
105
106int specifier_string(char specifier, void *data, void *userdata, char **ret) {
107 char *n;
108
109 n = strdup(strempty(data));
110 if (!n)
111 return -ENOMEM12;
112
113 *ret = n;
114 return 0;
115}
116
117int specifier_machine_id(char specifier, void *data, void *userdata, char **ret) {
118 sd_id128_t id;
119 char *n;
120 int r;
121
122 r = sd_id128_get_machine(&id);
123 if (r < 0)
124 return r;
125
126 n = new(char, 33)((char*) malloc_multiply(sizeof(char), (33)));
127 if (!n)
128 return -ENOMEM12;
129
130 *ret = sd_id128_to_string(id, n);
131 return 0;
132}
133
134int specifier_boot_id(char specifier, void *data, void *userdata, char **ret) {
135 sd_id128_t id;
136 char *n;
137 int r;
138
139 r = sd_id128_get_boot(&id);
140 if (r < 0)
141 return r;
142
143 n = new(char, 33)((char*) malloc_multiply(sizeof(char), (33)));
144 if (!n)
145 return -ENOMEM12;
146
147 *ret = sd_id128_to_string(id, n);
148 return 0;
149}
150
151int specifier_host_name(char specifier, void *data, void *userdata, char **ret) {
152 char *n;
153
154 n = gethostname_malloc();
155 if (!n)
156 return -ENOMEM12;
157
158 *ret = n;
159 return 0;
160}
161
162int specifier_kernel_release(char specifier, void *data, void *userdata, char **ret) {
163 struct utsname uts;
164 char *n;
165 int r;
166
167 r = uname(&uts);
168 if (r < 0)
169 return -errno(*__errno_location ());
170
171 n = strdup(uts.release);
172 if (!n)
173 return -ENOMEM12;
174
175 *ret = n;
176 return 0;
177}
178
179int specifier_user_name(char specifier, void *data, void *userdata, char **ret) {
180 char *t;
181
182 /* If we are UID 0 (root), this will not result in NSS, otherwise it might. This is good, as we want to be able
183 * to run this in PID 1, where our user ID is 0, but where NSS lookups are not allowed.
184
185 * We don't use getusername_malloc() here, because we don't want to look at $USER, to remain consistent with
186 * specifer_user_id() below.
187 */
188
189 t = uid_to_name(getuid());
190 if (!t)
191 return -ENOMEM12;
192
193 *ret = t;
194 return 0;
195}
196
197int specifier_user_id(char specifier, void *data, void *userdata, char **ret) {
198
199 if (asprintf(ret, UID_FMT"%" "u", getuid()) < 0)
200 return -ENOMEM12;
201
202 return 0;
203}
204
205int specifier_user_home(char specifier, void *data, void *userdata, char **ret) {
206
207 /* On PID 1 (which runs as root) this will not result in NSS,
208 * which is good. See above */
209
210 return get_home_dir(ret);
211}
212
213int specifier_user_shell(char specifier, void *data, void *userdata, char **ret) {
214
215 /* On PID 1 (which runs as root) this will not result in NSS,
216 * which is good. See above */
217
218 return get_shell(ret);
219}
220
221int specifier_tmp_dir(char specifier, void *data, void *userdata, char **ret) {
222 const char *p;
223 char *copy;
224 int r;
225
226 r = tmp_dir(&p);
227 if (r < 0)
228 return r;
229
230 copy = strdup(p);
231 if (!copy)
232 return -ENOMEM12;
233
234 *ret = copy;
235 return 0;
236}
237
238int specifier_var_tmp_dir(char specifier, void *data, void *userdata, char **ret) {
239 const char *p;
240 char *copy;
241 int r;
242
243 r = var_tmp_dir(&p);
244 if (r < 0)
245 return r;
246
247 copy = strdup(p);
248 if (!copy)
249 return -ENOMEM12;
250
251 *ret = copy;
252 return 0;
253}
254
255int specifier_escape_strv(char **l, char ***ret) {
256 char **z, **p, **q;
257
258 assert(ret)do { if ((__builtin_expect(!!(!(ret)),0))) log_assert_failed_realm
(LOG_REALM_SYSTEMD, ("ret"), "../src/shared/specifier.c", 258
, __PRETTY_FUNCTION__); } while (0);
1
Assuming 'ret' is non-null
2
Taking false branch
3
Loop condition is false. Exiting loop
259
260 if (strv_isempty(l)) {
4
Taking false branch
261 *ret = NULL((void*)0);
262 return 0;
263 }
264
265 z = new(char*, strv_length(l)+1)((char**) malloc_multiply(sizeof(char*), (strv_length(l)+1)));
5
Calling 'malloc_multiply'
8
Returned allocated memory
266 if (!z)
9
Assuming 'z' is non-null
10
Taking false branch
267 return -ENOMEM12;
268
269 for (p = l, q = z; *p; p++, q++) {
11
Loop condition is true. Entering loop body
270
271 *q = specifier_escape(*p);
12
Use of zero-allocated memory
272 if (!*q) {
273 strv_free(z);
274 return -ENOMEM12;
275 }
276 }
277
278 *q = NULL((void*)0);
279 *ret = z;
280
281 return 0;
282}

../src/basic/alloc-util.h

1/* SPDX-License-Identifier: LGPL-2.1+ */
2#pragma once
3
4#include <alloca.h>
5#include <stddef.h>
6#include <stdlib.h>
7#include <string.h>
8
9#include "macro.h"
10
11#define new(t, n)((t*) malloc_multiply(sizeof(t), (n))) ((t*) malloc_multiply(sizeof(t), (n)))
12
13#define new0(t, n)((t*) calloc((n), sizeof(t))) ((t*) calloc((n), sizeof(t)))
14
15#define newa(t, n)({ do { if ((__builtin_expect(!!(!(!size_multiply_overflow(sizeof
(t), n))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!size_multiply_overflow(sizeof(t), n)"
), "../src/basic/alloc-util.h", 15, __PRETTY_FUNCTION__); } while
(0); (t*) __builtin_alloca (sizeof(t)*(n)); }) \
16 ({ \
17 assert(!size_multiply_overflow(sizeof(t), n))do { if ((__builtin_expect(!!(!(!size_multiply_overflow(sizeof
(t), n))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!size_multiply_overflow(sizeof(t), n)"
), "../src/basic/alloc-util.h", 17, __PRETTY_FUNCTION__); } while
(0); \
18 (t*) alloca(sizeof(t)*(n))__builtin_alloca (sizeof(t)*(n)); \
19 })
20
21#define newa0(t, n)({ do { if ((__builtin_expect(!!(!(!size_multiply_overflow(sizeof
(t), n))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!size_multiply_overflow(sizeof(t), n)"
), "../src/basic/alloc-util.h", 21, __PRETTY_FUNCTION__); } while
(0); (t*) ({ char *_new_; size_t _len_ = sizeof(t)*(n); _new_
= __builtin_alloca (_len_); (void *) memset(_new_, 0, _len_)
; }); }) \
22 ({ \
23 assert(!size_multiply_overflow(sizeof(t), n))do { if ((__builtin_expect(!!(!(!size_multiply_overflow(sizeof
(t), n))),0))) log_assert_failed_realm(LOG_REALM_SYSTEMD, ("!size_multiply_overflow(sizeof(t), n)"
), "../src/basic/alloc-util.h", 23, __PRETTY_FUNCTION__); } while
(0); \
24 (t*) alloca0(sizeof(t)*(n))({ char *_new_; size_t _len_ = sizeof(t)*(n); _new_ = __builtin_alloca
(_len_); (void *) memset(_new_, 0, _len_); }); \
25 })
26
27#define newdup(t, p, n)((t*) memdup_multiply(p, sizeof(t), (n))) ((t*) memdup_multiply(p, sizeof(t), (n)))
28
29#define newdup_suffix0(t, p, n)((t*) memdup_suffix0_multiply(p, sizeof(t), (n))) ((t*) memdup_suffix0_multiply(p, sizeof(t), (n)))
30
31#define malloc0(n)(calloc(1, (n))) (calloc(1, (n)))
32
33static inline void *mfree(void *memory) {
34 free(memory);
35 return NULL((void*)0);
36}
37
38#define free_and_replace(a, b)({ free(a); (a) = (b); (b) = ((void*)0); 0; }) \
39 ({ \
40 free(a); \
41 (a) = (b); \
42 (b) = NULL((void*)0); \
43 0; \
44 })
45
46void* memdup(const void *p, size_t l) _alloc_(2);
47void* memdup_suffix0(const void *p, size_t l) _alloc_(2);
48
49static inline void freep(void *p) {
50 free(*(void**) p);
51}
52
53#define _cleanup_free___attribute__((cleanup(freep))) _cleanup_(freep)__attribute__((cleanup(freep)))
54
55static inline bool_Bool size_multiply_overflow(size_t size, size_t need) {
56 return _unlikely_(need != 0 && size > (SIZE_MAX / need))(__builtin_expect(!!(need != 0 && size > ((18446744073709551615UL
) / need)),0));
57}
58
59_malloc___attribute__ ((malloc)) _alloc_(1, 2) static inline void *malloc_multiply(size_t size, size_t need) {
60 if (size_multiply_overflow(size, need))
6
Taking false branch
61 return NULL((void*)0);
62
63 return malloc(size * need);
7
Memory is allocated
64}
65
66#if !HAVE_REALLOCARRAY1
67_alloc_(2, 3) static inline void *reallocarray(void *p, size_t need, size_t size) {
68 if (size_multiply_overflow(size, need))
69 return NULL((void*)0);
70
71 return realloc(p, size * need);
72}
73#endif
74
75_alloc_(2, 3) static inline void *memdup_multiply(const void *p, size_t size, size_t need) {
76 if (size_multiply_overflow(size, need))
77 return NULL((void*)0);
78
79 return memdup(p, size * need);
80}
81
82_alloc_(2, 3) static inline void *memdup_suffix0_multiply(const void *p, size_t size, size_t need) {
83 if (size_multiply_overflow(size, need))
84 return NULL((void*)0);
85
86 return memdup_suffix0(p, size * need);
87}
88
89void* greedy_realloc(void **p, size_t *allocated, size_t need, size_t size);
90void* greedy_realloc0(void **p, size_t *allocated, size_t need, size_t size);
91
92#define GREEDY_REALLOC(array, allocated, need)greedy_realloc((void**) &(array), &(allocated), (need
), sizeof((array)[0])) \
93 greedy_realloc((void**) &(array), &(allocated), (need), sizeof((array)[0]))
94
95#define GREEDY_REALLOC0(array, allocated, need)greedy_realloc0((void**) &(array), &(allocated), (need
), sizeof((array)[0])) \
96 greedy_realloc0((void**) &(array), &(allocated), (need), sizeof((array)[0]))
97
98#define alloca0(n)({ char *_new_; size_t _len_ = n; _new_ = __builtin_alloca (_len_
); (void *) memset(_new_, 0, _len_); }) \
99 ({ \
100 char *_new_; \
101 size_t _len_ = n; \
102 _new_ = alloca(_len_)__builtin_alloca (_len_); \
103 (void *) memset(_new_, 0, _len_); \
104 })
105
106/* It's not clear what alignment glibc/gcc alloca() guarantee, hence provide a guaranteed safe version */
107#define alloca_align(size, align)({ void *_ptr_; size_t _mask_ = (align) - 1; _ptr_ = __builtin_alloca
((size) + _mask_); (void*)(((uintptr_t)_ptr_ + _mask_) &
~_mask_); }) \
108 ({ \
109 void *_ptr_; \
110 size_t _mask_ = (align) - 1; \
111 _ptr_ = alloca((size) + _mask_)__builtin_alloca ((size) + _mask_); \
112 (void*)(((uintptr_t)_ptr_ + _mask_) & ~_mask_); \
113 })
114
115#define alloca0_align(size, align)({ void *_new_; size_t _size_ = (size); _new_ = ({ void *_ptr_
; size_t _mask_ = ((align)) - 1; _ptr_ = __builtin_alloca ((_size_
) + _mask_); (void*)(((uintptr_t)_ptr_ + _mask_) & ~_mask_
); }); (void*)memset(_new_, 0, _size_); }) \
116 ({ \
117 void *_new_; \
118 size_t _size_ = (size); \
119 _new_ = alloca_align(_size_, (align))({ void *_ptr_; size_t _mask_ = ((align)) - 1; _ptr_ = __builtin_alloca
((_size_) + _mask_); (void*)(((uintptr_t)_ptr_ + _mask_) &
~_mask_); }); \
120 (void*)memset(_new_, 0, _size_); \
121 })
122
123/* Takes inspiration from Rusts's Option::take() method: reads and returns a pointer, but at the same time resets it to
124 * NULL. See: https://doc.rust-lang.org/std/option/enum.Option.html#method.take */
125#define TAKE_PTR(ptr)({ typeof(ptr) _ptr_ = (ptr); (ptr) = ((void*)0); _ptr_; }) \
126 ({ \
127 typeof(ptr) _ptr_ = (ptr); \
128 (ptr) = NULL((void*)0); \
129 _ptr_; \
130 })