Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-amd64-kernel



Hi,

Please find the latest report on new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.

374 new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
635 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 374 defect(s)


** CID 1597793:  High impact quality  (Y2K38_SAFETY)
/sys/kern/kern_heartbeat.c: 648 in heartbeat()


________________________________________________________________________________________________________
*** CID 1597793:  High impact quality  (Y2K38_SAFETY)
/sys/kern/kern_heartbeat.c: 648 in heartbeat()
642     	/*
643     	 * If the uptime hasn't changed, make sure that we haven't
644     	 * counted too many of our own heartbeats since the uptime last
645     	 * changed, and stop here -- we only do the cross-CPU work once
646     	 * per second.
647     	 */
>>>     CID 1597793:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "getuptime()" is cast to "unsigned int".
648     	uptime = time_uptime;
649     	cache = atomic_load_relaxed(&curcpu()->ci_heartbeat_uptime_cache);
650     	if (__predict_true(cache == uptime)) {
651     		/*
652     		 * Timecounter hasn't advanced by more than a second.
653     		 * Make sure the timecounter isn't stuck according to

** CID 1597792:    (USER_POINTER)


________________________________________________________________________________________________________
*** CID 1597792:    (USER_POINTER)
/sys/kern/kern_proc.c: 2532 in copy_procargs()
2526     		size_t xlen;
2527     		int j;
2528     
2529     		if (loaded == 0) {
2530     			size_t rem = entry_len * argvlen;
2531     			loaded = MIN(rem, PAGE_SIZE);
>>>     CID 1597792:    (USER_POINTER)
>>>     Passing tainted pointer "(void const *)user_argv" to "copyin_vmspace" which dereferences it.
2532     			error = copyin_vmspace(vmspace,
2533     			    (const void *)user_argv, argv, loaded);
2534     			if (error)
2535     				break;
2536     			user_argv += loaded;
2537     			i = 0;
/sys/kern/kern_proc.c: 2532 in copy_procargs()
2526     		size_t xlen;
2527     		int j;
2528     
2529     		if (loaded == 0) {
2530     			size_t rem = entry_len * argvlen;
2531     			loaded = MIN(rem, PAGE_SIZE);
>>>     CID 1597792:    (USER_POINTER)
>>>     Passing tainted pointer "(void const *)user_argv" to "copyin_vmspace" which dereferences it.
2532     			error = copyin_vmspace(vmspace,
2533     			    (const void *)user_argv, argv, loaded);
2534     			if (error)
2535     				break;
2536     			user_argv += loaded;
2537     			i = 0;

** CID 1597791:  High impact quality  (Y2K38_SAFETY)
/sys/nfs/nfs_socket.c: 633 in nfs_rephead()


________________________________________________________________________________________________________
*** CID 1597791:  High impact quality  (Y2K38_SAFETY)
/sys/nfs/nfs_socket.c: 633 in nfs_rephead()
627     #else
628     				(void)ktvin.tv_sec;
629     #endif
630     
631     				*tl++ = rpc_auth_kerb;
632     				*tl++ = txdr_unsigned(3 * NFSX_UNSIGNED);
>>>     CID 1597791:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "ktvout.tv_sec" is cast to "u_int32_t".
633     				*tl = ktvout.tv_sec;
634     				nfsm_build(tl, u_int32_t *, 3 * NFSX_UNSIGNED);
635     				*tl++ = ktvout.tv_usec;
636     				*tl++ = txdr_unsigned(
637     				    kauth_cred_geteuid(nuidp->nu_cr));
638     			} else {

** CID 1597790:  Memory - illegal accesses  (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/i915_vma.h: 111 in i915_vma_unset_userfault()


________________________________________________________________________________________________________
*** CID 1597790:  Memory - illegal accesses  (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/i915_vma.h: 111 in i915_vma_unset_userfault()
105     	GEM_BUG_ON(!i915_vma_is_map_and_fenceable(vma));
106     	return test_and_set_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags(vma));
107     }
108     
109     static inline void i915_vma_unset_userfault(struct i915_vma *vma)
110     {
>>>     CID 1597790:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(unsigned long *)&vma->flags". [Note: The source code implementation of the function has been overridden by a builtin model.]
111     	return clear_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags(vma));
112     }
113     
114     static inline bool i915_vma_has_userfault(const struct i915_vma *vma)
115     {
116     	return test_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags_const(vma));

** CID 1597789:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1597789:    (TAINTED_SCALAR)
/sys/external/bsd/drm2/dist/drm/drm_dp_mst_topology.c: 4103 in drm_dp_mst_get_edid()
4097     
4098     	if (port->cached_edid)
4099     		edid = drm_edid_duplicate(port->cached_edid);
4100     	else {
4101     		edid = drm_get_edid(connector, &port->aux.ddc);
4102     	}
>>>     CID 1597789:    (TAINTED_SCALAR)
>>>     Passing tainted expression "edid->extensions" to "drm_detect_monitor_audio", which uses it as a loop boundary.
4103     	port->has_audio = drm_detect_monitor_audio(edid);
4104     	drm_dp_mst_topology_put_port(port);
4105     	return edid;
4106     }
4107     EXPORT_SYMBOL(drm_dp_mst_get_edid);
4108     
/sys/external/bsd/drm2/dist/drm/drm_dp_mst_topology.c: 4103 in drm_dp_mst_get_edid()
4097     
4098     	if (port->cached_edid)
4099     		edid = drm_edid_duplicate(port->cached_edid);
4100     	else {
4101     		edid = drm_get_edid(connector, &port->aux.ddc);
4102     	}
>>>     CID 1597789:    (TAINTED_SCALAR)
>>>     Passing tainted expression "edid->extensions" to "drm_detect_monitor_audio", which uses it as a loop boundary.
4103     	port->has_audio = drm_detect_monitor_audio(edid);
4104     	drm_dp_mst_topology_put_port(port);
4105     	return edid;
4106     }
4107     EXPORT_SYMBOL(drm_dp_mst_get_edid);
4108     

** CID 1597788:  Error handling issues  (CHECKED_RETURN)
/sys/dev/usb/if_smsc.c: 302 in smsc_uno_miibus_readreg()


________________________________________________________________________________________________________
*** CID 1597788:  Error handling issues  (CHECKED_RETURN)
/sys/dev/usb/if_smsc.c: 302 in smsc_uno_miibus_readreg()
296     	if (smsc_wait_for_bits(un, SMSC_MII_ADDR, SMSC_MII_BUSY) != 0) {
297     		smsc_warn_printf(un, "MII read timeout\n");
298     		*val = 0;
299     		return ETIMEDOUT;
300     	}
301     
>>>     CID 1597788:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "smsc_readreg" without checking return value (as is done elsewhere 9 out of 10 times).
302     	smsc_readreg(un, SMSC_MII_DATA, &data);
303     
304     	*val = data & 0xffff;
305     	return 0;
306     }
307     

** CID 1597787:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 1597787:    (OVERRUN)
/sys/dev/pci/bktr/bktr_core.c: 2904 in rgb_vbi_prog()
2898     				split(bktr, (volatile u_int **) &dma_prog,
2899     				      bktr->y2 - bktr->y, OP_WRITE,
2900     				      Bpp, (volatile u_char **)(uintptr_t)&target,
2901     				      cols);
2902     			    }
2903     			    if (bktr->yclip != bktr->yclip2) {
>>>     CID 1597787:    (OVERRUN)
>>>     Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2904     				split(bktr, (volatile u_int **) &dma_prog,
2905     				      bktr->yclip2 - bktr->yclip, OP_SKIP,
2906     				      Bpp, (volatile u_char **)(uintptr_t)&target,  cols);
2907     			    }
2908     
2909     			}
/sys/dev/pci/bktr/bktr_core.c: 2834 in rgb_vbi_prog()
2828     		*dma_prog++ = htole32(OP_SYNC  | BKTR_FM1);
2829     		*dma_prog++ = htole32(0);  /* NULL WORD */
2830     		width = cols;
2831     		for (i = 0; i < (rows/interlace); i++) {
2832     		    target = target_buffer;
2833     		    if (notclipped(bktr, i, width)) {
>>>     CID 1597787:    (OVERRUN)
>>>     Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2834     			split(bktr, (volatile u_int **) &dma_prog,
2835     			      bktr->y2 - bktr->y, OP_WRITE,
2836     			      Bpp, (volatile u_char **)(uintptr_t)&target,  cols);
2837     
2838     		    } else {
2839     			while(getline(bktr, i)) {
/sys/dev/pci/bktr/bktr_core.c: 2846 in rgb_vbi_prog()
2840     			    if (bktr->y != bktr->y2) {
2841     				split(bktr, (volatile u_int **) &dma_prog,
2842     				      bktr->y2 - bktr->y, OP_WRITE,
2843     				      Bpp, (volatile u_char **) (uintptr_t)&target, cols);
2844     			    }
2845     			    if (bktr->yclip != bktr->yclip2) {
>>>     CID 1597787:    (OVERRUN)
>>>     Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2846     				split(bktr,(volatile u_int **) &dma_prog,
2847     				      bktr->yclip2 - bktr->yclip,
2848     				      OP_SKIP,
2849     				      Bpp, (volatile u_char **)(uintptr_t)&target,  cols);
2850     			    }
2851     			}
/sys/dev/pci/bktr/bktr_core.c: 2892 in rgb_vbi_prog()
2886     		*dma_prog++ = htole32(OP_SYNC | BKTR_FM1);
2887     		*dma_prog++ = htole32(0);  /* NULL WORD */
2888     		width = cols;
2889     		for (i = 0; i < (rows/interlace); i++) {
2890     		    target = target_buffer;
2891     		    if (notclipped(bktr, i, width)) {
>>>     CID 1597787:    (OVERRUN)
>>>     Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2892     			split(bktr, (volatile u_int **) &dma_prog,
2893     			      bktr->y2 - bktr->y, OP_WRITE,
2894     			      Bpp, (volatile u_char **)(uintptr_t)&target,  cols);
2895     		    } else {
2896     			while(getline(bktr, i)) {
2897     			    if (bktr->y != bktr->y2) {
/sys/dev/pci/bktr/bktr_core.c: 2841 in rgb_vbi_prog()
2835     			      bktr->y2 - bktr->y, OP_WRITE,
2836     			      Bpp, (volatile u_char **)(uintptr_t)&target,  cols);
2837     
2838     		    } else {
2839     			while(getline(bktr, i)) {
2840     			    if (bktr->y != bktr->y2) {
>>>     CID 1597787:    (OVERRUN)
>>>     Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2841     				split(bktr, (volatile u_int **) &dma_prog,
2842     				      bktr->y2 - bktr->y, OP_WRITE,
2843     				      Bpp, (volatile u_char **) (uintptr_t)&target, cols);
2844     			    }
2845     			    if (bktr->yclip != bktr->yclip2) {
2846     				split(bktr,(volatile u_int **) &dma_prog,
/sys/dev/pci/bktr/bktr_core.c: 2898 in rgb_vbi_prog()
2892     			split(bktr, (volatile u_int **) &dma_prog,
2893     			      bktr->y2 - bktr->y, OP_WRITE,
2894     			      Bpp, (volatile u_char **)(uintptr_t)&target,  cols);
2895     		    } else {
2896     			while(getline(bktr, i)) {
2897     			    if (bktr->y != bktr->y2) {
>>>     CID 1597787:    (OVERRUN)
>>>     Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2898     				split(bktr, (volatile u_int **) &dma_prog,
2899     				      bktr->y2 - bktr->y, OP_WRITE,
2900     				      Bpp, (volatile u_char **)(uintptr_t)&target,
2901     				      cols);
2902     			    }
2903     			    if (bktr->yclip != bktr->yclip2) {

** CID 1597786:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 1597786:  Uninitialized variables  (UNINIT)
/sys/dev/pci/if_iwi.c: 2395 in iwi_config()
2389     		nchan++;
2390     	}
2391     	power.nchan = nchan;
2392     
2393     	power.mode = IWI_MODE_11G;
2394     	DPRINTF(("Setting .11g channels tx power\n"));
>>>     CID 1597786:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "power". Field "power.chan" is uninitialized when calling "iwi_cmd".
2395     	error = iwi_cmd(sc, IWI_CMD_SET_TX_POWER, &power, sizeof power, 0);
2396     	if (error != 0)
2397     		return error;
2398     
2399     	power.mode = IWI_MODE_11B;
2400     	DPRINTF(("Setting .11b channels tx power\n"));

** CID 1597785:  Memory - illegal accesses  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1597785:  Memory - illegal accesses  (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/gt/intel_lrc.c: 2076 in execlists_dequeue()
2070     
2071     	while ((rb = rb_first_cached(&execlists->queue))) {
2072     		struct i915_priolist *p = to_priolist(rb);
2073     		struct i915_request *rq, *rn;
2074     		int i;
2075     
>>>     CID 1597785:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 64 bytes at byte offset 1008 by dereferencing pointer "&p->requests[i]".
2076     		priolist_for_each_request_consume(rq, rn, p, i) {
2077     			bool merge = true;
2078     
2079     			/*
2080     			 * Can we combine this request with the current port?
2081     			 * It has to be the same context/ringbuffer and not

** CID 1597784:  Null pointer dereferences  (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_ttm.c: 857 in radeon_ttm_tt_unpopulate()


________________________________________________________________________________________________________
*** CID 1597784:  Null pointer dereferences  (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_ttm.c: 857 in radeon_ttm_tt_unpopulate()
851     #endif
852     	struct radeon_ttm_tt *gtt = radeon_ttm_tt_to_gtt(ttm);
853     	bool slave = !!(ttm->page_flags & TTM_PAGE_FLAG_SG);
854     
855     #ifdef __NetBSD__
856     	if (slave && ttm->sg) {
>>>     CID 1597784:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing "gtt", which is known to be "NULL".
857     		bus_dmamap_unload(ttm->bdev->dmat, gtt->ttm.dma_address);
858     	}
859     #endif
860     	if (gtt && gtt->userptr) {
861     		kfree(ttm->sg);
862     		ttm->page_flags &= ~TTM_PAGE_FLAG_SG;

** CID 1597783:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 1597783:    (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 3267 in intel_plane_compute_gtt()
3261     		 * big plane sizes and suitably misaligned
3262     		 * offsets.
3263     		 */
3264     		return intel_plane_check_stride(plane_state);
3265     	}
3266     
>>>     CID 1597783:    (OVERRUN)
>>>     Overrunning struct type drm_framebuffer of 200 bytes by passing it to a function which accesses it at byte offset 295.
3267     	intel_fill_fb_ggtt_view(&plane_state->view, &fb->base, rotation);
3268     
3269     	for (i = 0; i < num_planes; i++) {
3270     		plane_state->color_plane[i].stride = intel_fb_pitch(&fb->base, i, rotation);
3271     		plane_state->color_plane[i].offset = 0;
3272     
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 3270 in intel_plane_compute_gtt()
3264     		return intel_plane_check_stride(plane_state);
3265     	}
3266     
3267     	intel_fill_fb_ggtt_view(&plane_state->view, &fb->base, rotation);
3268     
3269     	for (i = 0; i < num_planes; i++) {
>>>     CID 1597783:    (OVERRUN)
>>>     Overrunning struct type drm_framebuffer of 200 bytes by passing it to a function which accesses it at byte offset 295.
3270     		plane_state->color_plane[i].stride = intel_fb_pitch(&fb->base, i, rotation);
3271     		plane_state->color_plane[i].offset = 0;
3272     
3273     		if (drm_rotation_90_or_270(rotation)) {
3274     			plane_state->color_plane[i].x = fb->rotated[i].x;
3275     			plane_state->color_plane[i].y = fb->rotated[i].y;

** CID 1597782:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 7558 in intel_crtc_disable_noatomic()


________________________________________________________________________________________________________
*** CID 1597782:  Memory - corruptions  (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 7558 in intel_crtc_disable_noatomic()
7552     	for_each_power_domain(domain, domains)
7553     		intel_display_power_put_unchecked(dev_priv, domain);
7554     	crtc->enabled_power_domains = 0;
7555     
7556     	dev_priv->active_pipes &= ~BIT(pipe);
7557     	dev_priv->min_cdclk[pipe] = 0;
>>>     CID 1597782:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "dev_priv->min_voltage_level" of 4 bytes at byte offset 64 using index "pipe_drmhack" (which evaluates to 64).
7558     	dev_priv->min_voltage_level[pipe] = 0;
7559     
7560     	bw_state->data_rate[pipe] = 0;
7561     	bw_state->num_active_planes[pipe] = 0;
7562     }
7563     

** CID 1597781:  Null pointer dereferences  (FORWARD_NULL)
/sys/kern/vfs_syscalls.c: 609 in do_sys_mount()


________________________________________________________________________________________________________
*** CID 1597781:  Null pointer dereferences  (FORWARD_NULL)
/sys/kern/vfs_syscalls.c: 609 in do_sys_mount()
603     			goto done;
604     		}
605     		error = mount_getargs(l, vp, path, flags, data_buf, &data_len);
606     		if (error != 0)
607     			goto done;
608     		if (data_seg == UIO_USERSPACE)
>>>     CID 1597781:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "data" to "copyout", which dereferences it.
609     			error = copyout(data_buf, data, data_len);
610     		*retval = data_len;
611     	} else if (flags & MNT_UPDATE) {
612     		error = mount_update(l, vp, path, flags, data_buf, &data_len);
613     	} else {
614     		/* Locking is handled internally in mount_domount(). */

** CID 1597780:    (BUFFER_SIZE)
/sys/nfs/nfs_bootdhcp.c: 829 in bootp_extract()
/sys/nfs/nfs_bootdhcp.c: 823 in bootp_extract()


________________________________________________________________________________________________________
*** CID 1597780:    (BUFFER_SIZE)
/sys/nfs/nfs_bootdhcp.c: 829 in bootp_extract()
823     		strncpy(hostname, myname, sizeof(hostname));
824     		hostnamelen = mynamelen;
825     		printf("nfs_boot: my_name=%s\n", hostname);
826     	}
827     	if (mydomain) {
828     		mydomain[mydomainlen] = '\0';
>>>     CID 1597780:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 256 bytes on destination array "domainname" of size 256 bytes might leave the destination string unterminated.
829     		strncpy(domainname, mydomain, sizeof(domainname));
830     		domainnamelen = mydomainlen;
831     		printf("nfs_boot: my_domain=%s\n", domainname);
832     	}
833     	if (!(*flags & NFS_BOOT_HAS_MYIP)) {
834     		nd->nd_myip = bootp->bp_yiaddr;
/sys/nfs/nfs_bootdhcp.c: 823 in bootp_extract()
817     
818     	/*
819     	 * Store and print network config info.
820     	 */
821     	if (myname) {
822     		myname[mynamelen] = '\0';
>>>     CID 1597780:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 256 bytes on destination array "hostname" of size 256 bytes might leave the destination string unterminated.
823     		strncpy(hostname, myname, sizeof(hostname));
824     		hostnamelen = mynamelen;
825     		printf("nfs_boot: my_name=%s\n", hostname);
826     	}
827     	if (mydomain) {
828     		mydomain[mydomainlen] = '\0';

** CID 1597779:  High impact quality  (Y2K38_SAFETY)
/sys/net/npf/npf_conn.c: 280 in conn_update_atime()


________________________________________________________________________________________________________
*** CID 1597779:  High impact quality  (Y2K38_SAFETY)
/sys/net/npf/npf_conn.c: 280 in conn_update_atime()
274     static inline void
275     conn_update_atime(npf_conn_t *con)
276     {
277     	struct timespec tsnow;
278     
279     	getnanouptime(&tsnow);
>>>     CID 1597779:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "tsnow.tv_sec" is cast to "uint32_t".
280     	atomic_store_relaxed(&con->c_atime, tsnow.tv_sec);
281     }
282     
283     /*
284      * npf_conn_check: check that:
285      *

** CID 1597778:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1597778:  Memory - corruptions  (OVERRUN)
/sys/kern/vfs_vnode.c: 1614 in vcache_get()
1608     			mutex_exit(&vcache_lock);
1609     			goto again;
1610     		}
1611     		vp = VIMPL_TO_VNODE(vip);
1612     		mutex_enter(vp->v_interlock);
1613     		mutex_exit(&vcache_lock);
>>>     CID 1597778:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type vnode of 256 bytes by passing it to a function which accesses it at byte offset 575.
1614     		error = vcache_vget(vp);
1615     		if (error == ENOENT)
1616     			goto again;
1617     		if (error == 0)
1618     			*vpp = vp;
1619     		KASSERT((error != 0) == (*vpp == NULL));

** CID 1597777:  Memory - corruptions  (OVERRUN)
/sys/dev/pci/if_iavf.c: 4858 in iavf_config_rss_lut()


________________________________________________________________________________________________________
*** CID 1597777:  Memory - corruptions  (OVERRUN)
/sys/dev/pci/if_iavf.c: 4858 in iavf_config_rss_lut()
4852     	rss_lut->lut_entries = htole16(IXL_RSS_VSI_LUT_SIZE);
4853     
4854     	lut = rss_lut->lut;
4855     	for (i = 0; i < IXL_RSS_VSI_LUT_SIZE; i++)  {
4856     		v = i % sc->sc_nqueue_pairs;
4857     		v &= IAVF_RSS_VSI_LUT_ENTRY_MASK;
>>>     CID 1597777:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array of 1 bytes at byte offset 63 by dereferencing pointer "lut + i".
4858     		lut[i] = v;
4859     	}
4860     
4861     	memset(&iaq, 0, sizeof(iaq));
4862     	iaq.iaq_flags = htole16(IXL_AQ_BUF | IXL_AQ_RD);
4863     	iaq.iaq_opcode = htole16(IAVF_AQ_OP_SEND_TO_PF);

** CID 1597776:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1597776:  Insecure data handling  (TAINTED_SCALAR)
/sys/dev/pci/viomb.c: 472 in deflate_done()
466     	r = virtio_dequeue(vsc, vq, &slot, NULL);
467     	if (r != 0) {
468     		printf("%s: deflate dequeue failed, errno %d\n",
469     		       device_xname(sc->sc_dev), r);
470     		return 1;
471     	}
>>>     CID 1597776:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "slot" to "virtio_dequeue_commit", which uses it as an offset.
472     	virtio_dequeue_commit(vsc, vq, slot);
473     
474     	b = &sc->sc_req;
475     	nvpages = b->bl_nentries;
476     	bus_dmamap_sync(virtio_dmat(vsc), b->bl_dmamap,
477     			0,

** CID 1597775:  High impact quality  (Y2K38_SAFETY)
/sys/kern/init_sysctl.c: 1585 in fill_lwp()


________________________________________________________________________________________________________
*** CID 1597775:  High impact quality  (Y2K38_SAFETY)
/sys/kern/init_sysctl.c: 1585 in fill_lwp()
1579     	kl->l_usrpri = l->l_priority;
1580     	if (l->l_wchan)
1581     		strncpy(kl->l_wmesg, l->l_wmesg, sizeof(kl->l_wmesg));
1582     	COND_SET_VALUE(kl->l_wchan, PTRTOUINT64(l->l_wchan), allowaddr);
1583     	kl->l_cpuid = cpu_index(l->l_cpu);
1584     	bintime2timeval(&l->l_rtime, &tv);
>>>     CID 1597775:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it.  The expression "tv.tv_sec" is cast to "uint32_t".
1585     	kl->l_rtime_sec = tv.tv_sec;
1586     	kl->l_rtime_usec = tv.tv_usec;
1587     	kl->l_cpticks = l->l_cpticks;
1588     	kl->l_pctcpu = l->l_pctcpu;
1589     	kl->l_pid = p->p_pid;
1590     	if (l->l_name == NULL)
1591     		kl->l_name[0] = '\0';
1592     	else
1593     		strlcpy(kl->l_name, l->l_name, sizeof(kl->l_name));

** CID 1597774:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1597774:  Insecure data handling  (TAINTED_SCALAR)
/sys/dev/usb/usb.c: 1016 in usbioctl()
1010     			if (uio.uio_rw == UIO_WRITE) {
1011     				error = uiomove(ptr, len, &uio);
1012     				if (error)
1013     					goto ret;
1014     			}
1015     		}
>>>     CID 1597774:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "ur->ucr_request.wLength" to "usbd_do_request_flags", which uses it as an offset.
1016     		err = usbd_do_request_flags(sc->sc_bus->ub_devices[dindex],
1017     			  &ur->ucr_request, ptr, ur->ucr_flags, &ur->ucr_actlen,
1018     			  USBD_DEFAULT_TIMEOUT);
1019     		if (err) {
1020     			error = EIO;
1021     			goto ret;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4Nbbca-2Bj5xy89KZAbuSS8zMLC60P5V6fdfclLrUYTWooJPiyx0UnOPSgi6MZBtBUA-3Dx0ZR_-2BwJ6JLtSrHuOVjqcF3J-2Fw6dcxx-2BEOKIuJ3YCALi-2FTyo1Iew7xgdlsaa2ABe1UuN8E3zoypTbh2jhv6-2FUZzF1Y5MRM-2FebUtHt107THvS66csNdIjr4m-2BDXFQ95GnbaeIhlmOs95VKqPktmSR0aefze69OuDJdtF1PpodsyJYjWlGCBZiN-2BSnoltQQ6FnTxZvNcFAMcmkTj13WWD8tKl1qUQ-3D-3D


