Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-user
- To: undisclosed-recipients:;
- Subject: New Defects reported by Coverity Scan for NetBSD-amd64-user
- From: scan-admin%coverity.com@localhost
- Date: Thu, 17 Apr 2014 19:19:53 -0700
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-user
found with Coverity Scan.
Defect(s) Reported-by: Coverity Scan
Showing 20 of 168 defect(s)
** CID 980726: Unchecked return value (CHECKED_RETURN)
/usr.sbin/isibootd/isibootd.c: 187 in main()
** CID 1008691: Out-of-bounds read (OVERRUN)
/external/cddl/osnet/dist/cmd/ztest/ztest.c: 390 in fatal()
** CID 1056912: Out-of-bounds read (OVERRUN)
/external/bsd/dhcpcd/dist/script.c: 344 in make_env()
** CID 1102041: Dereference after null check (FORWARD_NULL)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/cache/ftcmanag.c: 460 in
FTC_Manager_Reset()
** CID 1102043: Explicit null dereferenced (FORWARD_NULL)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/base/ftobjs.c: 2078 in
FT_Open_Face()
/home/phil/cov/xsrc/external/mit/freetype/dist/src/base/ftobjs.c: 2112 in
FT_Open_Face()
** CID 1132651: Use of untrusted string value (TAINTED_STRING)
/home/phil/cov/xsrc/external/mit/xterm/dist/misc.c: 767 in
cleanup_colored_cursor()
** CID 1132652: Time of check time of use (TOCTOU)
/home/phil/cov/xsrc/external/mit/xterm/dist/misc.c: 767 in
cleanup_colored_cursor()
** CID 1188575: Resource leak (RESOURCE_LEAK)
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4619 in spawnXTerm()
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4633 in spawnXTerm()
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4633 in spawnXTerm()
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4633 in spawnXTerm()
** CID 1188577: Time of check time of use (TOCTOU)
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 3202 in validShell()
** CID 1199512: Unchecked return value (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/ssl/s2_enc.c: 178 in ssl2_mac()
** CID 1199515: Uninitialized scalar variable (UNINIT)
/crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c: 267 in b64_read()
** CID 1203190: Dereference after null check (FORWARD_NULL)
/sys/ufs/lfs/lfs_syscalls.c: 757 in lfs_bmapv()
** CID 1203191: Out-of-bounds read (OVERRUN)
/sys/arch/x86/acpi/acpi_cpu_md.c: 1153 in acpicpu_md_pstate_sysctl_all()
** CID 1203196: Out-of-bounds access (OVERRUN)
/sys/kern/uipc_domain.c: 432 in sysctl_dounpcb()
** CID 1203205: Out-of-bounds access (ARRAY_VS_SINGLETON)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/fb/fbclip.c: 72
in fbClipBoxes()
** CID 1203206: Side effect in assertion (ASSERT_SIDE_EFFECT)
/usr.sbin/acpitools/acpidump/acpi.c: 1952 in acpi_print_rsdt()
** CID 1203207: Free of address-of expression (BAD_FREE)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_damage.c:
1803 in _sna_damage_debug_get_region()
** CID 1203209: Unchecked return value from library (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/intel_device.c: 117
in fd_set_cloexec()
** CID 1203210: Unchecked return value (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/kgem.c: 3030 in
kgem_clean_scanout_cache()
** CID 1203211: Unchecked return value (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/kgem.c: 4005 in
kgem_create_2d()
________________________________________________________________________________________________________
*** CID 980726: Unchecked return value (CHECKED_RETURN)
/usr.sbin/isibootd/isibootd.c: 187 in main()
181 err(EXIT_FAILURE, "can not chdir to %s", bootwd);
182
183 pollfd.fd = station.fd;
184 pollfd.events = POLLIN;
185 for (;;) {
186 poll(&pollfd, 1, INFTIM);
>>> CID 980726: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "read(pollfd.fd, iobuf, iolen)". A failed (-1) or short read leaves iobuf holding stale or partial data, which line 188 then parses as a fresh frame; the poll() return on line 186 is likewise unchecked, so an error there is also silently ignored.
187 read(pollfd.fd, iobuf, iolen); /* returns 1468 */
188 fp = (struct frame *)ISIBOOT_FRAME(iobuf);
189
190 /* ignore own TX packets */
191 if (memcmp(fp->src, station.addr, ETHER_ADDR_LEN) == 0)
192 continue;
________________________________________________________________________________________________________
*** CID 1008691: Out-of-bounds read (OVERRUN)
/external/cddl/osnet/dist/cmd/ztest/ztest.c: 390 in fatal()
384
385 va_start(args, message);
386 len = snprintf(buf, blklen, "ztest: ");
387 if (len > blklen)
388 len = blklen;
389 /* LINTED */
>>> CID 1008691: Out-of-bounds read (OVERRUN)
>>> Overrunning array of 1024 bytes at byte offset 1024 by dereferencing
>>> pointer "&buf[len]". snprintf()/vsnprintf() return the length that would have been written, not the length actually stored, so after the clamp on lines 387-388 len can equal blklen; buf + blklen is then one past the end of the array with a remaining size of zero. Clamping to blklen - 1 keeps the pointer and the size inside the buffer.
390 len += vsnprintf(buf + len, blklen - len, message, args);
391 va_end(args);
392 if (len > blklen)
393 len = blklen;
394 if (do_perror) {
395 snprintf(buf + len, blklen - len, ": %s",
strerror(save_errno));
________________________________________________________________________________________________________
*** CID 1056912: Out-of-bounds read (OVERRUN)
/external/bsd/dhcpcd/dist/script.c: 344 in make_env()
338 }
339 if (env[9] == NULL || env[10] == NULL)
340 goto eexit;
341 if (*ifp->profile) {
342 e = strlen("profile=") + strlen(ifp->profile) + 2;
343 EMALLOC(elen, e);
>>> CID 1056912: Out-of-bounds read (OVERRUN)
>>> Overrunning array of 12 8-byte elements at element index 12 (byte
>>> offset 96) by dereferencing pointer "env + elen++".
344 snprintf(env[elen++], e, "profile=%s", ifp->profile);
345 }
346 if (ifp->wireless) {
347 e = strlen("new_ssid=") + strlen(ifp->ssid) + 2;
348 if (strcmp(reason, "CARRIER") == 0) {
349 nenv = realloc(env, sizeof(char *) * (elen +
2));
________________________________________________________________________________________________________
*** CID 1102041: Dereference after null check (FORWARD_NULL)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/cache/ftcmanag.c: 460 in
FTC_Manager_Reset()
454 if ( manager )
455 {
456 FTC_MruList_Reset( &manager->sizes );
457 FTC_MruList_Reset( &manager->faces );
458 }
459
>>> CID 1102041: Dereference after null check (FORWARD_NULL)
>>> Dereferencing null pointer "manager". The guard on line 454 implies manager may be NULL, yet line 460 reads manager->num_nodes unconditionally; either the FlushN call belongs inside the guard or the guard is redundant and should be dropped.
460 FTC_Manager_FlushN( manager, manager->num_nodes );
461 }
462
463
464 #ifdef FT_DEBUG_ERROR
465
________________________________________________________________________________________________________
*** CID 1102043: Explicit null dereferenced (FORWARD_NULL)
/home/phil/cov/xsrc/external/mit/freetype/dist/src/base/ftobjs.c: 2078 in
FT_Open_Face()
2072 driver = FT_DRIVER( args->driver );
2073
2074 /* not all modules are drivers, so check... */
2075 if ( FT_MODULE_IS_DRIVER( driver ) )
2076 {
2077 FT_Int num_params = 0;
>>> CID 1102043: Explicit null dereferenced (FORWARD_NULL)
>>> Assigning: "params" = "NULL".
2078 FT_Parameter* params = 0;
2079
2080
2081 if ( args->flags & FT_OPEN_PARAMS )
2082 {
2083 num_params = args->num_params;
/home/phil/cov/xsrc/external/mit/freetype/dist/src/base/ftobjs.c: 2112 in
FT_Open_Face()
2106 for ( ; cur < limit; cur++ )
2107 {
2108 /* not all modules are font drivers, so check... */
2109 if ( FT_MODULE_IS_DRIVER( cur[0] ) )
2110 {
2111 FT_Int num_params = 0;
>>> CID 1102043: Explicit null dereferenced (FORWARD_NULL)
>>> Assigning: "params" = "NULL".
2112 FT_Parameter* params = 0;
2113
2114
2115 driver = FT_DRIVER( cur[0] );
2116
2117 if ( args->flags & FT_OPEN_PARAMS )
________________________________________________________________________________________________________
*** CID 1132651: Use of untrusted string value (TAINTED_STRING)
/home/phil/cov/xsrc/external/mit/xterm/dist/misc.c: 767 in
cleanup_colored_cursor()
761 char *my_path = getenv("XCURSOR_PATH");
762 struct stat sb;
763 if (!IsEmpty(my_path)
764 && stat(my_path, &sb) == 0
765 && (sb.st_mode & S_IFMT) == S_IFDIR) {
766 unlink(xterm_cursor_theme);
>>> CID 1132651: Use of untrusted string value (TAINTED_STRING)
>>> Passing tainted string "my_path" to "rmdir(char const *)", which cannot
>>> accept tainted data. The path comes straight from the XCURSOR_PATH environment variable read on line 761, so the process removes whatever directory that variable names; this matters most where xterm runs with elevated privileges (it is commonly installed setgid or setuid for utmp/pty access, which cannot be confirmed from this listing).
767 rmdir(my_path);
768 free(xterm_cursor_theme);
769 xterm_cursor_theme = 0;
770 }
771 }
772 #endif /* HAVE_LIB_XCURSOR */
________________________________________________________________________________________________________
*** CID 1132652: Time of check time of use (TOCTOU)
/home/phil/cov/xsrc/external/mit/xterm/dist/misc.c: 767 in
cleanup_colored_cursor()
761 char *my_path = getenv("XCURSOR_PATH");
762 struct stat sb;
763 if (!IsEmpty(my_path)
764 && stat(my_path, &sb) == 0
765 && (sb.st_mode & S_IFMT) == S_IFDIR) {
766 unlink(xterm_cursor_theme);
>>> CID 1132652: Time of check time of use (TOCTOU)
>>> Calling function "rmdir(char const *)" that uses "my_path" after a
>>> check function. This can cause a time-of-check, time-of-use race condition. The directory validated by the stat() on line 764 can be replaced before the rmdir(); since rmdir(2) does not follow a trailing symlink and the caller already controls the path through the environment, the race adds little beyond the tainted-path issue reported as CID 1132651.
767 rmdir(my_path);
768 free(xterm_cursor_theme);
769 xterm_cursor_theme = 0;
770 }
771 }
772 #endif /* HAVE_LIB_XCURSOR */
________________________________________________________________________________________________________
*** CID 1188575: Resource leak (RESOURCE_LEAK)
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4619 in spawnXTerm()
4613 if (validShell(explicit_shname)) {
4614 xtermSetenv("SHELL", explicit_shname);
4615 } else if (validProgram(shell_path = x_getenv("SHELL"))) {
4616 if (!validShell(shell_path)) {
4617 xtermUnsetenv("SHELL");
4618 }
>>> CID 1188575: Resource leak (RESOURCE_LEAK)
>>> Overwriting "shell_path" in "shell_path = x_strdup(pw.pw_shell)" leaks
>>> the storage that "shell_path" points to.
4619 } else if ((!OkPasswd(&pw) && !x_getpwuid(screen->uid, &pw))
4620 || *(shell_path = x_strdup(pw.pw_shell)) == 0) {
4621 shell_path = resetShell(shell_path);
4622 } else if (validShell(shell_path)) {
4623 xtermSetenv("SHELL", shell_path);
4624 } else {
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4633 in spawnXTerm()
4627
4628 /*
4629 * Set $XTERM_SHELL, which is not necessarily a valid
shell, but
4630 * is executable.
4631 */
4632 if (validProgram(explicit_shname)) {
>>> CID 1188575: Resource leak (RESOURCE_LEAK)
>>> Overwriting "shell_path" in "shell_path = explicit_shname" leaks the
>>> storage that "shell_path" points to.
4633 shell_path = explicit_shname;
4634 } else if (shell_path == 0) {
4635 /* this could happen if the explicit shname lost a race
*/
4636 shell_path = resetShell(shell_path);
4637 }
4638 xtermSetenv("XTERM_SHELL", shell_path);
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4633 in spawnXTerm()
4627
4628 /*
4629 * Set $XTERM_SHELL, which is not necessarily a valid
shell, but
4630 * is executable.
4631 */
4632 if (validProgram(explicit_shname)) {
>>> CID 1188575: Resource leak (RESOURCE_LEAK)
>>> Overwriting "shell_path" in "shell_path = explicit_shname" leaks the
>>> storage that "shell_path" points to.
4633 shell_path = explicit_shname;
4634 } else if (shell_path == 0) {
4635 /* this could happen if the explicit shname lost a race
*/
4636 shell_path = resetShell(shell_path);
4637 }
4638 xtermSetenv("XTERM_SHELL", shell_path);
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 4633 in spawnXTerm()
4627
4628 /*
4629 * Set $XTERM_SHELL, which is not necessarily a valid
shell, but
4630 * is executable.
4631 */
4632 if (validProgram(explicit_shname)) {
>>> CID 1188575: Resource leak (RESOURCE_LEAK)
>>> Overwriting "shell_path" in "shell_path = explicit_shname" leaks the
>>> storage that "shell_path" points to.
4633 shell_path = explicit_shname;
4634 } else if (shell_path == 0) {
4635 /* this could happen if the explicit shname lost a race
*/
4636 shell_path = resetShell(shell_path);
4637 }
4638 xtermSetenv("XTERM_SHELL", shell_path);
________________________________________________________________________________________________________
*** CID 1188577: Time of check time of use (TOCTOU)
/home/phil/cov/xsrc/external/mit/xterm/dist/main.c: 3202 in validShell()
3196
3197 if (validProgram(pathname)
3198 && stat(ok_shells, &sb) == 0
3199 && (sb.st_mode & S_IFMT) == S_IFREG
3200 && (sb.st_size != 0)
3201 && (blob = calloc((size_t) sb.st_size + 2, sizeof(char))) != 0)
{
>>> CID 1188577: Time of check time of use (TOCTOU)
>>> Calling function "fopen(char const *, char const *)" that uses
>>> "ok_shells" after a check function. This can cause a time-of-check,
>>> time-of-use race condition. Because the buffer is sized from the stat()'d st_size on line 3201 and the fread on line 3203 is bounded by that same value, a file that changes size between the stat and the fopen only makes the check on line 3204 fail; the race cannot overflow "blob" here, it can at most make validShell() return a stale or negative answer.
3202 if ((fp = fopen(ok_shells, "r")) != 0) {
3203 rc = fread(blob, sizeof(char), (size_t) sb.st_size, fp);
3204 if (rc == (size_t) sb.st_size) {
3205 char *p = blob;
3206 char *q, *r;
3207 blob[rc] = '\0';
________________________________________________________________________________________________________
*** CID 1199512: Unchecked return value (CHECKED_RETURN)
/crypto/external/bsd/openssl/dist/ssl/s2_enc.c: 178 in ssl2_mac()
172
173 p= &(sequence[0]);
174 l2n(seq,p);
175
176 /* There has to be a MAC algorithm. */
177 EVP_MD_CTX_init(&c);
>>> CID 1199512: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "EVP_MD_CTX_copy(&c, s->read_hash)". If the copy fails, "c" is left as the empty context from EVP_MD_CTX_init on line 177 and the DigestUpdate calls below compute a MAC from the wrong state; the failure should be propagated to the caller rather than producing a MAC silently.
178 EVP_MD_CTX_copy(&c, s->read_hash);
179 EVP_DigestUpdate(&c,sec,
180 EVP_CIPHER_CTX_key_length(s->enc_read_ctx));
181 EVP_DigestUpdate(&c,act,len);
182 /* the above line also does the pad data */
183 EVP_DigestUpdate(&c,sequence,4);
________________________________________________________________________________________________________
*** CID 1199515: Uninitialized scalar variable (UNINIT)
/crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c: 267 in b64_read()
261 break;
262 }
263 p=q;
264 }
265
266 /* we fell off the end without starting */
>>> CID 1199515: Uninitialized scalar variable (UNINIT)
>>> Using uninitialized value "num". If no earlier path assigned "num" before the loop fell through to line 267, the comparison reads indeterminate stack contents, which is undefined behavior and may change which branch is taken; initialising "num" at its declaration removes the dependency on the loop having run.
267 if ((j == i) && (num == 0))
268 {
269 /* Is this is one long chunk?, if so,
keep on
270 * reading until a new line. */
271 if (p == (unsigned char
*)&(ctx->tmp[0]))
272 {
________________________________________________________________________________________________________
*** CID 1203190: Dereference after null check (FORWARD_NULL)
/sys/ufs/lfs/lfs_syscalls.c: 757 in lfs_bmapv()
751 if (lfs_vref(vp)) {
752 v_daddr = LFS_UNUSED_DADDR;
753 continue;
754 }
755 numrefed++;
756 } else {
>>> CID 1203190: Dereference after null check (FORWARD_NULL)
>>> Dereferencing null pointer "vp".
757 mutex_exit(vp->v_interlock);
758 mutex_exit(&ulfs_ihash_lock);
759 /*
760 * Don't VFS_VGET if we're being
unmounted,
761 * since we hold vfs_busy().
762 */
________________________________________________________________________________________________________
*** CID 1203191: Out-of-bounds read (OVERRUN)
/sys/arch/x86/acpi/acpi_cpu_md.c: 1153 in acpicpu_md_pstate_sysctl_all()
1147
1148 for (len = 0, i = sc->sc_pstate_max; i < sc->sc_pstate_count;
i++) {
1149
1150 if (sc->sc_pstate[i].ps_freq == 0)
1151 continue;
1152
>>> CID 1203191: Out-of-bounds read (OVERRUN)
>>> Overrunning array of 1024 bytes at byte offset 1024 by dereferencing
>>> pointer "&buf[len]". snprintf() returns the would-be length, so len can reach sizeof(buf) without the check on line 1156 firing; the next iteration then forms buf + sizeof(buf) with a size argument of zero. Testing "len >= sizeof(buf)" on line 1156 stops the loop as soon as the buffer is full.
1153 len += snprintf(buf + len, sizeof(buf) - len, "%u%s",
1154 sc->sc_pstate[i].ps_freq,
1155 i < (sc->sc_pstate_count - 1) ? " " : "");
1156 if (len > sizeof(buf))
1157 break;
1158 }
________________________________________________________________________________________________________
*** CID 1203196: Out-of-bounds access (OVERRUN)
/sys/kern/uipc_domain.c: 432 in sysctl_dounpcb()
426 if (unp->unp_addr != NULL) {
427 /*
428 * We've added one to sun_len when allocating to
429 * hold terminating NUL which we want here. See
430 * makeun().
431 */
>>> CID 1203196: Out-of-bounds access (OVERRUN)
>>> Overrunning struct type sockaddr of 16 bytes by passing it to a
>>> function which accesses it at byte offset 263 using argument "min(264U,
>>> unp->unp_addr->sun_len + 1)" (which evaluates to 264). The 264-byte bound comes from sizeof(pcb->ki_s); if "un" is a pointer into that same member (its declaration is not shown here) this is a false positive, otherwise the copy can overrun the 16-byte destination and the bound must be tied to the real size of the object "un" points at.
432 memcpy(un, unp->unp_addr,
433 min(sizeof(pcb->ki_s), unp->unp_addr->sun_len + 1));
434 }
435 else {
436 un->sun_len = offsetof(struct sockaddr_un, sun_path);
437 un->sun_family = pcb->ki_family;
________________________________________________________________________________________________________
*** CID 1203205: Out-of-bounds access (ARRAY_VS_SINGLETON)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/fb/fbclip.c: 72
in fbClipBoxes()
66 box->y1 >= region->extents.y2 || box->y2 <= region->extents.y1) {
67 DBG(("%s: no intersection\n", __FUNCTION__));
68 return *end = box;
69 }
70
71 if (region->data == NULL) {
>>> CID 1203205: Out-of-bounds access (ARRAY_VS_SINGLETON)
>>> Using "&region->extents" as an array. This might corrupt or
>>> misinterpret adjacent memory locations. Forming a one-past-the-end pointer to a single object, as line 72 does for "*end", is valid C; this is only a defect if a caller dereferences "*end" instead of treating it as the exclusive end of a one-element range.
72 *end = ®ion->extents + 1;
73 return ®ion->extents;
74 }
75
76 c0 = (const BoxRec *)(region->data + 1);
77 c1 = c0 + region->data->numRects;
________________________________________________________________________________________________________
*** CID 1203206: Side effect in assertion (ASSERT_SIDE_EFFECT)
/usr.sbin/acpitools/acpidump/acpi.c: 1952 in acpi_print_rsdt()
1946 addr = le32toh(rsdt->TableOffsetEntry[i]);
1947 break;
1948 case 8:
1949 addr = le64toh(xsdt->TableOffsetEntry[i]);
1950 break;
1951 default:
>>> CID 1203206: Side effect in assertion (ASSERT_SIDE_EFFECT)
>>> Assignment "addr = 0UL" has a side effect. This code will work
>>> differently in a non-debug build. You might have intended to use a
>>> comparison instead. As written the expression evaluates to 0, so a debug build aborts whenever the default case is reached, while an NDEBUG build compiles the statement away and line 1954 prints a stale or uninitialized "addr". Assign "addr = 0;" as a plain statement and keep any assert separate.
1952 assert((addr = 0));
1953 }
1954 printf("0x%08lx", addr);
1955 }
1956 printf(" }\n");
1957 printf(END_COMMENT);
________________________________________________________________________________________________________
*** CID 1203207: Free of address-of expression (BAD_FREE)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/sna_damage.c:
1803 in _sna_damage_debug_get_region()
1797 assert(damage->extents.x1 <= r->extents.x1 &&
1798 damage->extents.y1 <= r->extents.y1 &&
1799 damage->extents.x2 >= r->extents.x2 &&
1800 damage->extents.y2 >= r->extents.y2);
1801 }
1802
>>> CID 1203207: Free of address-of expression (BAD_FREE)
>>> "free(void *)" frees incorrect pointer "boxes".
1803 free(boxes);
________________________________________________________________________________________________________
*** CID 1203209: Unchecked return value from library (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/intel_device.c: 117
in fd_set_cloexec()
111 return fd;
112
113 #ifdef FD_CLOEXEC
114 flags = fcntl(fd, F_GETFD);
115 if (flags != -1) {
116 flags |= FD_CLOEXEC;
>>> CID 1203209: Unchecked return value from library (CHECKED_RETURN)
>>> No check of the return value of "fcntl(fd, 2, flags)". If F_SETFD fails the descriptor stays inheritable across exec(), yet the function still returns "fd" on line 121 as though close-on-exec had been set, so the DRM descriptor can leak into child processes without the caller knowing.
117 fcntl(fd, F_SETFD, flags);
118 }
119 #endif
120
121 return fd;
122 }
________________________________________________________________________________________________________
*** CID 1203210: Unchecked return value (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/kgem.c: 3030 in
kgem_clean_scanout_cache()
3024
3025 DBG(("%s: handle=%d, fb=%d (reusable=%d)\n",
3026 __FUNCTION__, bo->handle, bo->delta,
bo->reusable));
3027 list_del(&bo->list);
3028
3029 /* XXX will leak if we are not DRM_MASTER. *shrug* */
>>> CID 1203210: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "drmIoctl(kgem->fd, 3221513391UL,
>>> &bo->delta)".
3030 drmIoctl(kgem->fd, DRM_IOCTL_MODE_RMFB, &bo->delta);
3031 bo->delta = 0;
3032 bo->scanout = false;
3033
3034 if (!bo->purged) {
3035 bo->reusable = true;
________________________________________________________________________________________________________
*** CID 1203211: Unchecked return value (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xf86-video-intel/dist/src/sna/kgem.c: 4005 in
kgem_create_2d()
3999 bo->refcnt = 1;
4000 bo->flush = true;
4001 return bo;
4002 }
4003
4004 large_inactive:
>>> CID 1203211: Unchecked return value (CHECKED_RETURN)
>>> No check of the return value of "__kgem_throttle_retire(kgem, flags)".
4005 __kgem_throttle_retire(kgem, flags);
4006 list_for_each_entry(bo, &kgem->large_inactive, list) {
4007 assert(bo->refcnt == 0);
4008 assert(bo->reusable);
4009 assert(!bo->scanout);
4010 assert_tiling(kgem, bo);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
http://scan.coverity.com/projects/1449?tab=Overview
To unsubscribe from the email notification for new defects,
http://scan5.coverity.com/cgi-bin/unsubscribe.py