[GH-ISSUE #4503] Code scanning alerts (CodeQL CWE-367/TOCTOU warnings) #2685

New issue

Open

opened 2026-05-05 09:20:39 -06:00 by gitea-mirror · 9 comments

gitea-mirror commented 2026-05-05 09:20:39 -06:00

Owner

Copy link

Originally created by @rusty-snake on GitHub (Sep 3, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4503

GitHub seems to have updated CodeQL.

https://github.com/netblue30/firejail/security/code-scanning

Can someone have a look whether this are false-positives or unproblematic alerts.
@netblue30 @smitsohu @reinerh

Originally created by @rusty-snake on GitHub (Sep 3, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4503 GitHub seems to have updated CodeQL. https://github.com/netblue30/firejail/security/code-scanning Can someone have a look whether this are false-positives or unproblematic alerts. @netblue30 @smitsohu @reinerh

gitea-mirror added the

security

label 2026-05-05 09:20:39 -06:00

gitea-mirror commented 2026-05-05 09:20:41 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Sep 22, 2021):

Is anyone already working on this? I think I managed to fix some of them;
might submit a PR eventually.

<!-- gh-comment-id:924842040 --> @kmk3 commented on GitHub (Sep 22, 2021): Is anyone already working on this? I think I managed to fix some of them; might submit a PR eventually.

gitea-mirror commented 2026-05-05 09:20:42 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Sep 22, 2021):

I wanted to have a look at it, but didn't find the time so far. Please go ahead. :)

<!-- gh-comment-id:924844613 --> @reinerh commented on GitHub (Sep 22, 2021): I wanted to have a look at it, but didn't find the time so far. Please go ahead. :)

gitea-mirror commented 2026-05-05 09:20:43 -06:00

Author

Owner

Copy link

@reinerh commented on GitHub (Oct 18, 2021):

@kmk3 Feel free to open PRs for the ones you already worked on. No need to fix all of them at once.
Then others could already have a look at the remaining ones.

<!-- gh-comment-id:946037743 --> @reinerh commented on GitHub (Oct 18, 2021): @kmk3 Feel free to open PRs for the ones you already worked on. No need to fix all of them at once. Then others could already have a look at the remaining ones.

gitea-mirror commented 2026-05-05 09:20:45 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Oct 19, 2021):

@reinerh commented on Oct 18:

@kmk3 Feel free to open PRs for the ones you already worked on. No need to
fix all of them at once. Then others could already have a look at the
remaining ones.

Alright, I'll try to wrap up the branch and open a PR. I have indeed not fully
fixed all of them; I'll just send the ones I'm more sure about in the PR.

<!-- gh-comment-id:947045158 --> @kmk3 commented on GitHub (Oct 19, 2021): @reinerh commented [on Oct 18](https://github.com/netblue30/firejail/issues/4503#issuecomment-946037743): > @kmk3 Feel free to open PRs for the ones you already worked on. No need to > fix all of them at once. Then others could already have a look at the > remaining ones. Alright, I'll try to wrap up the branch and open a PR. I have indeed not fully fixed all of them; I'll just send the ones I'm more sure about in the PR.

gitea-mirror commented 2026-05-05 09:20:46 -06:00

Author

Owner

Copy link

@kmk3 commented on GitHub (Oct 29, 2021):

Sorry for the delay; I've opened #4652 with just the more trivial fixes to get
some basic feedback. I have a few more fixes mostly ready.

<!-- gh-comment-id:954445939 --> @kmk3 commented on GitHub (Oct 29, 2021): Sorry for the delay; I've opened #4652 with just the more trivial fixes to get some basic feedback. I have a few more fixes mostly ready.

gitea-mirror commented 2026-05-05 09:20:47 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 29, 2021):

Insteresting, ./configure --enable-analyzer && en_US-locale make finds only https://github.com/netblue30/firejail/issues/4592#issuecomment-937507639 while CFLAGS=-fanalyzer ./configure && en_US-locale CFLAGS=-fanalyzer make finds a few [CWE-401] [-Wanalyzer-malloc-leak] in addition. Any my experimental meson setup finds even [CWE-415] [-Wanalyzer-double-free].

edit: this explains it

d04f63cba2/configure.ac (L45)

gcc --version: gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1)

<!-- gh-comment-id:954922075 --> @rusty-snake commented on GitHub (Oct 29, 2021): Insteresting, `./configure --enable-analyzer && en_US-locale make` finds only https://github.com/netblue30/firejail/issues/4592#issuecomment-937507639 while `CFLAGS=-fanalyzer ./configure && en_US-locale CFLAGS=-fanalyzer make` finds a few `[CWE-401] [-Wanalyzer-malloc-leak]` in addition. Any my *experimental* meson setup finds even `[CWE-415] [-Wanalyzer-double-free]`. edit: this explains it https://github.com/netblue30/firejail/blob/d04f63cba2ebfcfc4c3b99ac24e39c2b0ce37e1f/configure.ac#L45 `gcc --version`: `gcc (GCC) 11.2.1 20210728 (Red Hat 11.2.1-1)`

gitea-mirror commented 2026-05-05 09:20:48 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Oct 29, 2021):

@rusty-snake Could you please share [CWE-415] [-Wanalyzer-double-free] ?

<!-- gh-comment-id:955019284 --> @smitsohu commented on GitHub (Oct 29, 2021): @rusty-snake Could you please share `[CWE-415] [-Wanalyzer-double-free]` ?

gitea-mirror commented 2026-05-05 09:20:49 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Oct 29, 2021):

[CWE-415] [-Wanalyzer-double-free]

../src/fcopy/main.c: In Funktion »duplicate_dir«:
../src/fcopy/main.c:370:9: Warnung: double-»free« of »rdest« [CWE-415] [-Wanalyzer-double-free]
  370 |         free(rdest);
      |         ^~~~~~~~~~~
  »duplicate_dir«: events 1-2
    |
    |  356 | static void duplicate_dir(const char *src, const char *dest, struct stat *s) {
    |      |             ^~~~~~~~~~~~~
    |      |             |
    |      |             (1) entry to »duplicate_dir«
    |  357 |         (void) s;
    |  358 |         char *rsrc = check(src);
    |      |                      ~~~~~~~~~~
    |      |                      |
    |      |                      (2) calling »check« from »duplicate_dir«
    |
    +--> »check«: events 3-6
           |
           |  322 | static char *check(const char *src) {
           |      |              ^~~~~
           |      |              |
           |      |              (3) entry to »check«
           |......
           |  325 |         if (!rsrc || stat(rsrc, &s) == -1)
           |      |            ~  
           |      |            |
           |      |            (4) following »false« branch...
           |......
           |  331 |         uid_t user = getuid();
           |      |                      ~~~~~~~~
           |      |                      |
           |      |                      (5) ...to here
           |......
           |  341 |                 if (s.st_uid != user)
           |      |                    ~
           |      |                    |
           |      |                    (6) following »false« branch...
           |
         »check«: event 7
           |
           |  346 |         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
           |      |                      ^
           |      |                      |
           |      |                      (7) ...to here
           |
    <------+
    |
  »duplicate_dir«: events 8-9
    |
    |  358 |         char *rsrc = check(src);
    |      |                      ^~~~~~~~~~
    |      |                      |
    |      |                      (8) returning to »duplicate_dir« from »check«
    |  359 |         char *rdest = check(dest);
    |      |                       ~~~~~~~~~~~
    |      |                       |
    |      |                       (9) calling »check« from »duplicate_dir«
    |
    +--> »check«: events 10-13
           |
           |  322 | static char *check(const char *src) {
           |      |              ^~~~~
           |      |              |
           |      |              (10) entry to »check«
           |......
           |  325 |         if (!rsrc || stat(rsrc, &s) == -1)
           |      |            ~  
           |      |            |
           |      |            (11) following »false« branch...
           |......
           |  331 |         uid_t user = getuid();
           |      |                      ~~~~~~~~
           |      |                      |
           |      |                      (12) ...to here
           |......
           |  341 |                 if (s.st_uid != user)
           |      |                    ~
           |      |                    |
           |      |                    (13) following »false« branch...
           |
         »check«: event 14
           |
           |  346 |         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
           |      |                      ^
           |      |                      |
           |      |                      (14) ...to here
           |
    <------+
    |
  »duplicate_dir«: events 15-19
    |
    |  359 |         char *rdest = check(dest);
    |      |                       ^~~~~~~~~~~
    |      |                       |
    |      |                       (15) returning to »duplicate_dir« from »check«
    |......
    |  364 |         if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) {
    |      |           ~            
    |      |           |
    |      |           (16) following »false« branch...
    |......
    |  369 |         free(rsrc);
    |      |         ~~~~~~~~~~     
    |      |         |
    |      |         (17) ...to here
    |      |         (18) first »free« here
    |  370 |         free(rdest);
    |      |         ~~~~~~~~~~~    
    |      |         |
    |      |         (19) second »free« here; first »free« was at (18)
    |
../src/fcopy/main.c: In Funktion »duplicate_file«:
../src/fcopy/main.c:393:9: Warnung: double-»free« of »rdest« [CWE-415] [-Wanalyzer-double-free]
  393 |         free(rdest);
      |         ^~~~~~~~~~~
  »duplicate_file«: events 1-2
    |
    |  374 | static void duplicate_file(const char *src, const char *dest, struct stat *s) {
    |      |             ^~~~~~~~~~~~~~
    |      |             |
    |      |             (1) entry to »duplicate_file«
    |  375 |         char *rsrc = check(src);
    |      |                      ~~~~~~~~~~
    |      |                      |
    |      |                      (2) calling »check« from »duplicate_file«
    |
    +--> »check«: events 3-6
           |
           |  322 | static char *check(const char *src) {
           |      |              ^~~~~
           |      |              |
           |      |              (3) entry to »check«
           |......
           |  325 |         if (!rsrc || stat(rsrc, &s) == -1)
           |      |            ~  
           |      |            |
           |      |            (4) following »false« branch...
           |......
           |  331 |         uid_t user = getuid();
           |      |                      ~~~~~~~~
           |      |                      |
           |      |                      (5) ...to here
           |......
           |  341 |                 if (s.st_uid != user)
           |      |                    ~
           |      |                    |
           |      |                    (6) following »false« branch...
           |
         »check«: event 7
           |
           |  346 |         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
           |      |                      ^
           |      |                      |
           |      |                      (7) ...to here
           |
    <------+
    |
  »duplicate_file«: events 8-9
    |
    |  375 |         char *rsrc = check(src);
    |      |                      ^~~~~~~~~~
    |      |                      |
    |      |                      (8) returning to »duplicate_file« from »check«
    |  376 |         char *rdest = check(dest);
    |      |                       ~~~~~~~~~~~
    |      |                       |
    |      |                       (9) calling »check« from »duplicate_file«
    |
    +--> »check«: events 10-13
           |
           |  322 | static char *check(const char *src) {
           |      |              ^~~~~
           |      |              |
           |      |              (10) entry to »check«
           |......
           |  325 |         if (!rsrc || stat(rsrc, &s) == -1)
           |      |            ~  
           |      |            |
           |      |            (11) following »false« branch...
           |......
           |  331 |         uid_t user = getuid();
           |      |                      ~~~~~~~~
           |      |                      |
           |      |                      (12) ...to here
           |......
           |  341 |                 if (s.st_uid != user)
           |      |                    ~
           |      |                    |
           |      |                    (13) following »false« branch...
           |
         »check«: event 14
           |
           |  346 |         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
           |      |                      ^
           |      |                      |
           |      |                      (14) ...to here
           |
    <------+
    |
  »duplicate_file«: events 15-18
    |
    |  376 |         char *rdest = check(dest);
    |      |                       ^~~~~~~~~~~
    |      |                       |
    |      |                       (15) returning to »duplicate_file« from »check«
    |......
    |  385 |         if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
    |      |            ~           
    |      |            |
    |      |            (16) following »false« branch...
    |......
    |  389 |         copy_file(rsrc, name, mode, uid, gid);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (17) ...to here
    |      |         (18) calling »copy_file« from »duplicate_file«
    |
    +--> »copy_file«: event 19
           |
           |  104 | static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) {
           |      |             ^~~~~~~~~
           |      |             |
           |      |             (19) entry to »copy_file«
           |
         »copy_file«: event 20
           |
           |  105 |         assert(srcname);
           |      |         ^~~~~~
           |      |         |
           |      |         (20) following »true« branch (when »srcname« is non-NULL)...
           |
         »copy_file«: event 21
           |
           |  106 |         assert(destname);
           |      |         ^~~~~~
           |      |         |
           |      |         (21) ...to here
           |
         »copy_file«: event 22
           |
           |  106 |         assert(destname);
           |      |         ^~~~~~
           |      |         |
           |      |         (22) following »true« branch (when »destname« is non-NULL)...
           |
         »copy_file«: event 23
           |
           |  107 |         mode &= 07777;
           |      |         ~~~~~^~~~~~~~
           |      |              |
           |      |              (23) ...to here
           |
    <------+
    |
  »duplicate_file«: events 24-26
    |
    |  389 |         copy_file(rsrc, name, mode, uid, gid);
    |      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (24) returning to »duplicate_file« from »copy_file«
    |......
    |  392 |         free(rsrc);
    |      |         ~~~~~~~~~~
    |      |         |
    |      |         (25) first »free« here
    |  393 |         free(rdest);
    |      |         ~~~~~~~~~~~
    |      |         |
    |      |         (26) second »free« here; first »free« was at (25)
    |
../src/fcopy/main.c: In Funktion »duplicate_link«:
../src/fcopy/main.c:417:9: Warnung: double-»free« of »rdest« [CWE-415] [-Wanalyzer-double-free]
  417 |         free(rdest);
      |         ^~~~~~~~~~~
  »duplicate_link«: events 1-2
    |
    |  397 | static void duplicate_link(const char *src, const char *dest, struct stat *s) {
    |      |             ^~~~~~~~~~~~~~
    |      |             |
    |      |             (1) entry to »duplicate_link«
    |  398 |         char *rsrc = check(src);                  // we drop the result and use the original name
    |      |                      ~~~~~~~~~~
    |      |                      |
    |      |                      (2) calling »check« from »duplicate_link«
    |
    +--> »check«: events 3-6
           |
           |  322 | static char *check(const char *src) {
           |      |              ^~~~~
           |      |              |
           |      |              (3) entry to »check«
           |......
           |  325 |         if (!rsrc || stat(rsrc, &s) == -1)
           |      |            ~  
           |      |            |
           |      |            (4) following »false« branch...
           |......
           |  331 |         uid_t user = getuid();
           |      |                      ~~~~~~~~
           |      |                      |
           |      |                      (5) ...to here
           |......
           |  341 |                 if (s.st_uid != user)
           |      |                    ~
           |      |                    |
           |      |                    (6) following »false« branch...
           |
         »check«: event 7
           |
           |  346 |         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
           |      |                      ^
           |      |                      |
           |      |                      (7) ...to here
           |
    <------+
    |
  »duplicate_link«: events 8-9
    |
    |  398 |         char *rsrc = check(src);                  // we drop the result and use the original name
    |      |                      ^~~~~~~~~~
    |      |                      |
    |      |                      (8) returning to »duplicate_link« from »check«
    |  399 |         char *rdest = check(dest);
    |      |                       ~~~~~~~~~~~
    |      |                       |
    |      |                       (9) calling »check« from »duplicate_link«
    |
    +--> »check«: events 10-13
           |
           |  322 | static char *check(const char *src) {
           |      |              ^~~~~
           |      |              |
           |      |              (10) entry to »check«
           |......
           |  325 |         if (!rsrc || stat(rsrc, &s) == -1)
           |      |            ~  
           |      |            |
           |      |            (11) following »false« branch...
           |......
           |  331 |         uid_t user = getuid();
           |      |                      ~~~~~~~~
           |      |                      |
           |      |                      (12) ...to here
           |......
           |  341 |                 if (s.st_uid != user)
           |      |                    ~
           |      |                    |
           |      |                    (13) following »false« branch...
           |
         »check«: event 14
           |
           |  346 |         if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode))
           |      |                      ^
           |      |                      |
           |      |                      (14) ...to here
           |
    <------+
    |
  »duplicate_link«: events 15-19
    |
    |  399 |         char *rdest = check(dest);
    |      |                       ^~~~~~~~~~~
    |      |                       |
    |      |                       (15) returning to »duplicate_link« from »check«
    |......
    |  409 |         if (asprintf(&name, "%s/%s", rdest, ptr) == -1)
    |      |            ~           
    |      |            |
    |      |            (16) following »false« branch...
    |......
    |  413 |         copy_link(rsrc, name, mode, uid, gid);
    |      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    |      |         |
    |      |         (17) ...to here
    |......
    |  416 |         free(rsrc);
    |      |         ~~~~~~~~~~     
    |      |         |
    |      |         (18) first »free« here
    |  417 |         free(rdest);
    |      |         ~~~~~~~~~~~    
    |      |         |
    |      |         (19) second »free« here; first »free« was at (18)
    |

<!-- gh-comment-id:955022022 --> @rusty-snake commented on GitHub (Oct 29, 2021): <details><summary><code>[CWE-415] [-Wanalyzer-double-free]</code></summary> ``` ../src/fcopy/main.c: In Funktion »duplicate_dir«: ../src/fcopy/main.c:370:9: Warnung: double-»free« of »rdest« [CWE-415] [-Wanalyzer-double-free] 370 | free(rdest); | ^~~~~~~~~~~ »duplicate_dir«: events 1-2 | | 356 | static void duplicate_dir(const char *src, const char *dest, struct stat *s) { | | ^~~~~~~~~~~~~ | | | | | (1) entry to »duplicate_dir« | 357 | (void) s; | 358 | char *rsrc = check(src); | | ~~~~~~~~~~ | | | | | (2) calling »check« from »duplicate_dir« | +--> »check«: events 3-6 | | 322 | static char *check(const char *src) { | | ^~~~~ | | | | | (3) entry to »check« |...... | 325 | if (!rsrc || stat(rsrc, &s) == -1) | | ~ | | | | | (4) following »false« branch... |...... | 331 | uid_t user = getuid(); | | ~~~~~~~~ | | | | | (5) ...to here |...... | 341 | if (s.st_uid != user) | | ~ | | | | | (6) following »false« branch... | »check«: event 7 | | 346 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | | ^ | | | | | (7) ...to here | <------+ | »duplicate_dir«: events 8-9 | | 358 | char *rsrc = check(src); | | ^~~~~~~~~~ | | | | | (8) returning to »duplicate_dir« from »check« | 359 | char *rdest = check(dest); | | ~~~~~~~~~~~ | | | | | (9) calling »check« from »duplicate_dir« | +--> »check«: events 10-13 | | 322 | static char *check(const char *src) { | | ^~~~~ | | | | | (10) entry to »check« |...... | 325 | if (!rsrc || stat(rsrc, &s) == -1) | | ~ | | | | | (11) following »false« branch... |...... | 331 | uid_t user = getuid(); | | ~~~~~~~~ | | | | | (12) ...to here |...... | 341 | if (s.st_uid != user) | | ~ | | | | | (13) following »false« branch... | »check«: event 14 | | 346 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | | ^ | | | | | (14) ...to here | <------+ | »duplicate_dir«: events 15-19 | | 359 | char *rdest = check(dest); | | ^~~~~~~~~~~ | | | | | (15) returning to »duplicate_dir« from »check« |...... | 364 | if(nftw(rsrc, fs_copydir, 1, FTW_PHYS) != 0) { | | ~ | | | | | (16) following »false« branch... |...... | 369 | free(rsrc); | | ~~~~~~~~~~ | | | | | (17) ...to here | | (18) first »free« here | 370 | free(rdest); | | ~~~~~~~~~~~ | | | | | (19) second »free« here; first »free« was at (18) | ../src/fcopy/main.c: In Funktion »duplicate_file«: ../src/fcopy/main.c:393:9: Warnung: double-»free« of »rdest« [CWE-415] [-Wanalyzer-double-free] 393 | free(rdest); | ^~~~~~~~~~~ »duplicate_file«: events 1-2 | | 374 | static void duplicate_file(const char *src, const char *dest, struct stat *s) { | | ^~~~~~~~~~~~~~ | | | | | (1) entry to »duplicate_file« | 375 | char *rsrc = check(src); | | ~~~~~~~~~~ | | | | | (2) calling »check« from »duplicate_file« | +--> »check«: events 3-6 | | 322 | static char *check(const char *src) { | | ^~~~~ | | | | | (3) entry to »check« |...... | 325 | if (!rsrc || stat(rsrc, &s) == -1) | | ~ | | | | | (4) following »false« branch... |...... | 331 | uid_t user = getuid(); | | ~~~~~~~~ | | | | | (5) ...to here |...... | 341 | if (s.st_uid != user) | | ~ | | | | | (6) following »false« branch... | »check«: event 7 | | 346 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | | ^ | | | | | (7) ...to here | <------+ | »duplicate_file«: events 8-9 | | 375 | char *rsrc = check(src); | | ^~~~~~~~~~ | | | | | (8) returning to »duplicate_file« from »check« | 376 | char *rdest = check(dest); | | ~~~~~~~~~~~ | | | | | (9) calling »check« from »duplicate_file« | +--> »check«: events 10-13 | | 322 | static char *check(const char *src) { | | ^~~~~ | | | | | (10) entry to »check« |...... | 325 | if (!rsrc || stat(rsrc, &s) == -1) | | ~ | | | | | (11) following »false« branch... |...... | 331 | uid_t user = getuid(); | | ~~~~~~~~ | | | | | (12) ...to here |...... | 341 | if (s.st_uid != user) | | ~ | | | | | (13) following »false« branch... | »check«: event 14 | | 346 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | | ^ | | | | | (14) ...to here | <------+ | »duplicate_file«: events 15-18 | | 376 | char *rdest = check(dest); | | ^~~~~~~~~~~ | | | | | (15) returning to »duplicate_file« from »check« |...... | 385 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | | ~ | | | | | (16) following »false« branch... |...... | 389 | copy_file(rsrc, name, mode, uid, gid); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) ...to here | | (18) calling »copy_file« from »duplicate_file« | +--> »copy_file«: event 19 | | 104 | static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) { | | ^~~~~~~~~ | | | | | (19) entry to »copy_file« | »copy_file«: event 20 | | 105 | assert(srcname); | | ^~~~~~ | | | | | (20) following »true« branch (when »srcname« is non-NULL)... | »copy_file«: event 21 | | 106 | assert(destname); | | ^~~~~~ | | | | | (21) ...to here | »copy_file«: event 22 | | 106 | assert(destname); | | ^~~~~~ | | | | | (22) following »true« branch (when »destname« is non-NULL)... | »copy_file«: event 23 | | 107 | mode &= 07777; | | ~~~~~^~~~~~~~ | | | | | (23) ...to here | <------+ | »duplicate_file«: events 24-26 | | 389 | copy_file(rsrc, name, mode, uid, gid); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (24) returning to »duplicate_file« from »copy_file« |...... | 392 | free(rsrc); | | ~~~~~~~~~~ | | | | | (25) first »free« here | 393 | free(rdest); | | ~~~~~~~~~~~ | | | | | (26) second »free« here; first »free« was at (25) | ../src/fcopy/main.c: In Funktion »duplicate_link«: ../src/fcopy/main.c:417:9: Warnung: double-»free« of »rdest« [CWE-415] [-Wanalyzer-double-free] 417 | free(rdest); | ^~~~~~~~~~~ »duplicate_link«: events 1-2 | | 397 | static void duplicate_link(const char *src, const char *dest, struct stat *s) { | | ^~~~~~~~~~~~~~ | | | | | (1) entry to »duplicate_link« | 398 | char *rsrc = check(src); // we drop the result and use the original name | | ~~~~~~~~~~ | | | | | (2) calling »check« from »duplicate_link« | +--> »check«: events 3-6 | | 322 | static char *check(const char *src) { | | ^~~~~ | | | | | (3) entry to »check« |...... | 325 | if (!rsrc || stat(rsrc, &s) == -1) | | ~ | | | | | (4) following »false« branch... |...... | 331 | uid_t user = getuid(); | | ~~~~~~~~ | | | | | (5) ...to here |...... | 341 | if (s.st_uid != user) | | ~ | | | | | (6) following »false« branch... | »check«: event 7 | | 346 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | | ^ | | | | | (7) ...to here | <------+ | »duplicate_link«: events 8-9 | | 398 | char *rsrc = check(src); // we drop the result and use the original name | | ^~~~~~~~~~ | | | | | (8) returning to »duplicate_link« from »check« | 399 | char *rdest = check(dest); | | ~~~~~~~~~~~ | | | | | (9) calling »check« from »duplicate_link« | +--> »check«: events 10-13 | | 322 | static char *check(const char *src) { | | ^~~~~ | | | | | (10) entry to »check« |...... | 325 | if (!rsrc || stat(rsrc, &s) == -1) | | ~ | | | | | (11) following »false« branch... |...... | 331 | uid_t user = getuid(); | | ~~~~~~~~ | | | | | (12) ...to here |...... | 341 | if (s.st_uid != user) | | ~ | | | | | (13) following »false« branch... | »check«: event 14 | | 346 | if (S_ISDIR(s.st_mode) || S_ISREG(s.st_mode) || S_ISLNK(s.st_mode)) | | ^ | | | | | (14) ...to here | <------+ | »duplicate_link«: events 15-19 | | 399 | char *rdest = check(dest); | | ^~~~~~~~~~~ | | | | | (15) returning to »duplicate_link« from »check« |...... | 409 | if (asprintf(&name, "%s/%s", rdest, ptr) == -1) | | ~ | | | | | (16) following »false« branch... |...... | 413 | copy_link(rsrc, name, mode, uid, gid); | | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | | | | | (17) ...to here |...... | 416 | free(rsrc); | | ~~~~~~~~~~ | | | | | (18) first »free« here | 417 | free(rdest); | | ~~~~~~~~~~~ | | | | | (19) second »free« here; first »free« was at (18) | ``` </details>

gitea-mirror commented 2026-05-05 09:20:50 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (Oct 29, 2021):

@rusty-snake Thank you.
I think it is a false positive, too, but maybe someone else wants to confirm.

<!-- gh-comment-id:955047191 --> @smitsohu commented on GitHub (Oct 29, 2021): @rusty-snake Thank you. I think it is a false positive, too, but maybe someone else wants to confirm.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2685

No description provided.