Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-kernel
- To: undisclosed-recipients:;
- Subject: New Defects reported by Coverity Scan for NetBSD-amd64-kernel
- From: scan-admin%coverity.com@localhost
- Date: Wed, 19 Mar 2014 21:20:39 -0700
Hi,
Please find the latest report on new defect(s) introduced to
NetBSD-amd64-kernel found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 20 of 76 defect(s)
** CID 977076: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/ufs/ufs/ufs_quota1.c: 863 in dq1sync()
** CID 977389: Out-of-bounds access (OVERRUN)
/sys/netinet6/icmp6.c: 739 in icmp6_input()
** CID 977394: Out-of-bounds write (OVERRUN)
/sys/nfs/nfs_bootdhcp.c: 825 in bootp_extract()
** CID 981752: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/linux32_syscall.c: 70 in ()
** CID 981753: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1487 in ()
** CID 981754: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1487 in ()
** CID 981755: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/ddb/db_lwp.c: 77 in ()
** CID 981756: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/cgd.c: 685 in ()
** CID 981757: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dkwedge/dk.c: 1410 in ()
** CID 981758: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_buffer.c: 68 in ()
** CID 981759: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 160 in ()
** CID 981760: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 160 in ()
** CID 981761: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/i2c/nxt2k.c: 281 in ()
** CID 981762: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/aac.c: 848 in ()
** CID 981763: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
** CID 981764: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
** CID 981765: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 2175 in ()
** CID 981766: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 338 in ()
** CID 981767: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 338 in ()
** CID 981768: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/if_iwn.c: 5429 in ()
________________________________________________________________________________________________________
*** CID 977076: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/ufs/ufs/ufs_quota1.c: 863 in dq1sync()
857 vn_lock(dqvp, LK_EXCLUSIVE | LK_RETRY);
858 auio.uio_iov = &aiov;
859 auio.uio_iovcnt = 1;
860 aiov.iov_base = (void *)&dq->dq_un.dq1_dqb;
861 aiov.iov_len = sizeof (struct dqblk);
862 auio.uio_resid = sizeof (struct dqblk);
>>> CID 977076: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "dq->dq_id * 32U" with type
>>> "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic
>>> before being used in a context which expects an expression of type
>>> "__off_t" (64 bits, signed). To avoid overflow, cast either operand to
>>> "__off_t" before performing the multiplication.
863 auio.uio_offset = (off_t)(dq->dq_id * sizeof (struct dqblk));
864 auio.uio_rw = UIO_WRITE;
865 UIO_SETUP_SYSSPACE(&auio);
866 error = VOP_WRITE(dqvp, &auio, 0,
dq->dq_ump->um_cred[dq->dq_type]);
867 if (auio.uio_resid && error == 0)
868 error = EIO;
869 dq->dq_flags &= ~DQ_MOD;
870 VOP_UNLOCK(dqvp);
871 return (error);
________________________________________________________________________________________________________
*** CID 977389: Out-of-bounds access (OVERRUN)
/sys/netinet6/icmp6.c: 739 in icmp6_input()
733 nip6 = mtod(n, struct ip6_hdr *);
734 bcopy(ip6, nip6, sizeof(struct ip6_hdr));
735 nicmp6 = (struct icmp6_hdr *)(nip6 + 1);
736 bcopy(icmp6, nicmp6, sizeof(struct icmp6_hdr));
737 p = (u_char *)(nicmp6 + 1);
738 memset(p, 0, 4);
>>> CID 977389: Out-of-bounds access (OVERRUN)
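>>> Overrunning array "hostname" of 256 bytes by passing it to a function
>>> which accesses it at byte offset 4294967243 using argument "maxhlen" (which
>>> evaluates to 4294967244).
[Note: 4294967244 is 2^32 - 52, the 32-bit unsigned representation of -52, which suggests the analyzer found a path on which "maxhlen" is negative when it reaches bcopy(); a negative length converted to an unsigned size becomes a very large copy.]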
739 bcopy(hostname, p + 4, maxhlen); /* meaningless
TTL */
740 noff = sizeof(struct ip6_hdr);
741 M_COPY_PKTHDR(n, m); /* just for rcvif */
742 n->m_pkthdr.len = n->m_len = sizeof(struct
ip6_hdr) +
743 sizeof(struct icmp6_hdr) + 4 + maxhlen;
744 nicmp6->icmp6_type = ICMP6_WRUREPLY;
________________________________________________________________________________________________________
*** CID 977394: Out-of-bounds write (OVERRUN)
/sys/nfs/nfs_bootdhcp.c: 825 in bootp_extract()
819 }
820
821 /*
822 * Store and print network config info.
823 */
824 if (myname) {
>>> CID 977394: Out-of-bounds write (OVERRUN)
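>>> Overrunning array of 64 bytes at byte offset 261 by dereferencing
>>> pointer "myname + mynamelen".
[Note: an offset of 261 means "mynamelen" is not bounded by the size of the buffer "myname" points into on this path. The excerpt below also assigns hostnamelen = mynamelen without a bound, and strncpy() leaves "hostname" unterminated when the source is at least sizeof(hostname) bytes long.]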
825 myname[mynamelen] = '\0';
826 strncpy(hostname, myname, sizeof(hostname));
827 hostnamelen = mynamelen;
828 printf("nfs_boot: my_name=%s\n", hostname);
829 }
830 if (mydomain) {
________________________________________________________________________________________________________
*** CID 981752: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/linux32_syscall.c: 70 in ()
64 args[5] = frame->tf_rbp & 0xffffffff;
65
66 if (__predict_false(p->p_trace_enabled)) {
67 narg = callp->sy_narg;
68 if (__predict_false(narg > __arraycount(args)))
69 panic("impossible syscall narg, code %d, narg %zd",
>>> CID 981752: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
70 code, narg);
71 for (i = 0; i < narg; i++)
72 args64[i] = args[i] & 0xffffffff;
73 if ((error = trace_enter(code, args64, narg)) != 0)
74 goto out;
75 }
________________________________________________________________________________________________________
*** CID 981753: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1487 in ()
1481 return;
1482
1483 reqsz -= sz;
1484 if (msgbuf_p_cnt == VM_PHYSSEG_MAX) {
1485 /* No more segments available, bail out. */
1486 printf("WARNING: MSGBUFSIZE (%zu) too large, using
%zu.\n",
>>> CID 981753: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1487 (size_t)MSGBUFSIZE, (size_t)(MSGBUFSIZE - reqsz));
1488 return;
1489 }
1490
1491 sz = reqsz;
1492 goto search_again;
________________________________________________________________________________________________________
*** CID 981754: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1487 in ()
1481 return;
1482
1483 reqsz -= sz;
1484 if (msgbuf_p_cnt == VM_PHYSSEG_MAX) {
1485 /* No more segments available, bail out. */
1486 printf("WARNING: MSGBUFSIZE (%zu) too large, using
%zu.\n",
>>> CID 981754: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1487 (size_t)MSGBUFSIZE, (size_t)(MSGBUFSIZE - reqsz));
1488 return;
1489 }
1490
1491 sz = reqsz;
1492 goto search_again;
________________________________________________________________________________________________________
*** CID 981755: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/ddb/db_lwp.c: 77 in ()
71 stack = (uintptr_t)KSTACK_LOWEST_ADDR((&l));
72 if (addr < stack || stack + KSTACK_SIZE <= addr) {
73 continue;
74 }
75 (*pr)("%p is %p+%zu, LWP %p's stack\n",
76 (void *)addr, (void *)stack,
>>> CID 981755: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
77 (size_t)(addr - stack), lp);
78 }
________________________________________________________________________________________________________
*** CID 981756: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/cgd.c: 685 in ()
679 cs->sc_cdata.cf_mode = encblkno[i].v;
680 cs->sc_cdata.cf_keylen = ci->ci_keylen;
681 cs->sc_cdata.cf_priv = cs->sc_cfuncs->cf_init(ci->ci_keylen,
inbuf,
682 &cs->sc_cdata.cf_blocksize);
683 if (cs->sc_cdata.cf_blocksize > CGD_MAXBLOCKSIZE) {
684 log(LOG_WARNING, "cgd: Disallowed cipher with blocksize %zu
> %u\n",
>>> CID 981756: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
685 cs->sc_cdata.cf_blocksize, CGD_MAXBLOCKSIZE);
686 cs->sc_cdata.cf_priv = NULL;
687 }
688
689 /*
690 * The blocksize is supposed to be in bytes. Unfortunately
originally
________________________________________________________________________________________________________
*** CID 981757: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dkwedge/dk.c: 1410 in ()
1404 rv = EINVAL;
1405 goto out;
1406 }
1407 if (blkno + size / DEV_BSIZE > sc->sc_size) {
1408 printf("%s: blkno (%" PRIu64 ") + size / DEV_BSIZE
(%zu) > "
1409 "sc->sc_size (%" PRIu64 ")\n", __func__, blkno,
>>> CID 981757: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1410 size / DEV_BSIZE, sc->sc_size);
1411 rv = EINVAL;
1412 goto out;
1413 }
1414
1415 bdev = bdevsw_lookup(sc->sc_pdev);
________________________________________________________________________________________________________
*** CID 981758: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_buffer.c: 68 in ()
62
63 while (resid > 0) {
64 mutex_enter(&ds->ds_ingress_lock);
65
66 if (SIMPLEQ_EMPTY(&ds->ds_ingress)) {
67 aprint_debug_dev(sc->sc_dev,
>>> CID 981758: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
68 "dropping sample (%zu)\n", resid);
69 mutex_exit(&ds->ds_ingress_lock);
70 return;
71 }
72
73 db = SIMPLEQ_FIRST(&ds->ds_ingress);
________________________________________________________________________________________________________
*** CID 981759: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 160 in ()
154 off_t off, size_t len,
155 struct dtv_scatter_io *sio)
156 {
157 if ((off + len) > sb->sb_size) {
158 printf("dtv: %s failed: off=%" PRId64
159 " len=%zu sb->sb_size=%zu\n",
>>> CID 981759: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
160 __func__, off, len, sb->sb_size);
161 return false;
162 }
163
164 sio->sio_buf = sb;
165 sio->sio_offset = off;
________________________________________________________________________________________________________
*** CID 981760: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 160 in ()
154 off_t off, size_t len,
155 struct dtv_scatter_io *sio)
156 {
157 if ((off + len) > sb->sb_size) {
158 printf("dtv: %s failed: off=%" PRId64
159 " len=%zu sb->sb_size=%zu\n",
>>> CID 981760: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
160 __func__, off, len, sb->sb_size);
161 return false;
162 }
163
164 sio->sio_buf = sb;
165 sio->sio_offset = off;
________________________________________________________________________________________________________
*** CID 981761: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/i2c/nxt2k.c: 281 in ()
275 if (error != 0) {
276 printf("nxt2k firmware_open fail %d\n", error);
277 return 0;
278 }
279
280 fwsize = firmware_get_size(fh);
>>> CID 981761: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
281 printf("fwsize %zd\n", fwsize);
282 blob = firmware_malloc(fwsize);
283 if ( blob == NULL ) {
284 printf("nxt2k firmware_malloc fail\n");
285 firmware_close(fh);
286 return -1;
________________________________________________________________________________________________________
*** CID 981762: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/aac.c: 848 in ()
842 &rsize)) {
843 aprint_error_dev(sc->sc_dv, "error probing
container %d\n", i);
844 continue;
845 }
846 if (rsize != ersize) {
847 aprint_error_dev(sc->sc_dv, "container info
response wrong size "
>>> CID 981762: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
848 "(%d should be %zu)\n", rsize, ersize);
849 continue;
850 }
851
852 /*
853 * Check container volume type for validity. Note that
many
________________________________________________________________________________________________________
*** CID 981763: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
1908 * Don't verify IV's size, it has different meaning
1909 */
1910 size_t fw_size = (size_t)be32toh(hdr->fw_size);
1911 if (fw_size != fwi->fwi_size - sizeof(*hdr)) {
1912 aprint_error_dev(sc->sc_dev, "firmware image %s"
1913 " size mismatch, fw %zx, real %zx\n",
fw_name,
>>> CID 981763: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1914 fw_size, fwi->fwi_size - sizeof(*hdr));
1915 goto invalid;
1916 }
1917 }
1918
1919 if (hdr->fw_type != fw_type) {
________________________________________________________________________________________________________
*** CID 981764: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
1908 * Don't verify IV's size, it has different meaning
1909 */
1910 size_t fw_size = (size_t)be32toh(hdr->fw_size);
1911 if (fw_size != fwi->fwi_size - sizeof(*hdr)) {
1912 aprint_error_dev(sc->sc_dev, "firmware image %s"
1913 " size mismatch, fw %zx, real %zx\n",
fw_name,
>>> CID 981764: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1914 fw_size, fwi->fwi_size - sizeof(*hdr));
1915 goto invalid;
1916 }
1917 }
1918
1919 if (hdr->fw_type != fw_type) {
________________________________________________________________________________________________________
*** CID 981765: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 2175 in ()
2169
2170 iv = (const struct bwi_fw_iv *)((const uint8_t *)iv +
sz);
2171 }
2172
2173 if (iv_img_size != 0) {
2174 aprint_error_dev(sc->sc_dev,
>>> CID 981765: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
2175 "invalid IV image, size left %zx\n", iv_img_size);
2176 return (EINVAL);
2177 }
2178
2179 return (0);
2180 }
________________________________________________________________________________________________________
*** CID 981766: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 338 in ()
332 * Transfer timeout. Kill the transaction and clear status bits.
333 */
334 snprintb(fbuf, sizeof(fbuf), LPCIB_SMB_HS_BITS, st);
335 aprint_error_dev(sc->sc_dev,
336 "exec: op %d, addr 0x%02x, cmdlen %zd, len %zd, "
337 "flags 0x%02x: timeout, status 0x%s\n",
>>> CID 981766: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
338 op, addr, cmdlen, len, flags, fbuf);
339 bus_space_write_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HC,
340 LPCIB_SMB_HC_KILL);
341 DELAY(ICHIIC_DELAY);
342 st = bus_space_read_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HS);
343 if ((st & LPCIB_SMB_HS_FAILED) == 0) {
________________________________________________________________________________________________________
*** CID 981767: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 338 in ()
332 * Transfer timeout. Kill the transaction and clear status bits.
333 */
334 snprintb(fbuf, sizeof(fbuf), LPCIB_SMB_HS_BITS, st);
335 aprint_error_dev(sc->sc_dev,
336 "exec: op %d, addr 0x%02x, cmdlen %zd, len %zd, "
337 "flags 0x%02x: timeout, status 0x%s\n",
>>> CID 981767: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
338 op, addr, cmdlen, len, flags, fbuf);
339 bus_space_write_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HC,
340 LPCIB_SMB_HC_KILL);
341 DELAY(ICHIIC_DELAY);
342 st = bus_space_read_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HS);
343 if ((st & LPCIB_SMB_HS_FAILED) == 0) {
________________________________________________________________________________________________________
*** CID 981768: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/if_iwn.c: 5429 in ()
5423 tlv = (const struct iwn_fw_tlv *)ptr;
5424 len = le32toh(tlv->len);
5425
5426 ptr += sizeof (*tlv);
5427 if (ptr + len > end) {
5428 aprint_error_dev(sc->sc_dev,
>>> CID 981768: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
5429 "firmware too short: %zd bytes\n",
fw->size);
5430 return EINVAL;
5431 }
5432 /* Skip other alternatives. */
5433 if (tlv->alt != 0 && tlv->alt != htole16(alt))
5434 goto next;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1447?tab=Overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py