Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-user
Hi,
Please find below the latest report on new defect(s) introduced to NetBSD-i386-user, as found by Coverity Scan.
41 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 41 defect(s)
** CID 1405169: Security best practices violations (TOCTOU)
/usr.bin/make/main.c: 437 in MainParseArgs()
________________________________________________________________________________________________________
*** CID 1405169: Security best practices violations (TOCTOU)
/usr.bin/make/main.c: 437 in MainParseArgs()
431 case 'B':
432 compatMake = TRUE;
433 Var_Append(MAKEFLAGS, "-B", VAR_GLOBAL);
434 Var_Set(MAKE_MODE, "compat", VAR_GLOBAL, 0);
435 break;
436 case 'C':
>>> CID 1405169: Security best practices violations (TOCTOU)
>>> Calling function "chdir" that uses "argvalue" after a check function. This can cause a time-of-check, time-of-use race condition.
437 if (chdir(argvalue) == -1) {
438 (void)fprintf(stderr,
439 "%s: chdir %s: %s\n",
440 progname, argvalue,
441 strerror(errno));
442 exit(1);
** CID 1405168: Memory - corruptions (STRING_SIZE)
/usr.bin/make/main.c: 873 in main()
________________________________________________________________________________________________________
*** CID 1405168: Memory - corruptions (STRING_SIZE)
/usr.bin/make/main.c: 873 in main()
867 gettimeofday(&rightnow, NULL);
868 srandom(rightnow.tv_sec + rightnow.tv_usec);
869
870 if ((progname = strrchr(argv[0], '/')) != NULL)
871 progname++;
872 else
>>> CID 1405168: Memory - corruptions (STRING_SIZE)
>>> Assigning: "progname" = "argv[0]". Both are now tainted.
873 progname = argv[0];
874 #if defined(MAKE_NATIVE) || (defined(HAVE_SETRLIMIT) && defined(RLIMIT_NOFILE))
875 /*
876 * get rid of resource limit on file descriptors
877 */
878 {
** CID 1405167: (FORWARD_NULL)
/usr.bin/make/main.c: 1914 in cached_realpath()
/usr.bin/make/main.c: 1916 in cached_realpath()
________________________________________________________________________________________________________
*** CID 1405167: (FORWARD_NULL)
/usr.bin/make/main.c: 1914 in cached_realpath()
1908 he = nhe;
1909 }
1910 return NULL;
1911 }
1912 if ((rp = Var_Value(pathname, cache, &cp)) != NULL) {
1913 /* a hit */
>>> CID 1405167: (FORWARD_NULL)
>>> Passing null pointer "resolved" to "strncpy", which dereferences it.
1914 strncpy(resolved, rp, MAXPATHLEN);
1915 resolved[MAXPATHLEN - 1] = '\0';
1916 } else if ((rp = realpath(pathname, resolved)) != NULL) {
1917 Var_Set(pathname, rp, cache, 0);
1918 } /* else should we negative-cache? */
1919
/usr.bin/make/main.c: 1916 in cached_realpath()
1910 return NULL;
1911 }
1912 if ((rp = Var_Value(pathname, cache, &cp)) != NULL) {
1913 /* a hit */
1914 strncpy(resolved, rp, MAXPATHLEN);
1915 resolved[MAXPATHLEN - 1] = '\0';
>>> CID 1405167: (FORWARD_NULL)
>>> Passing null pointer "resolved" to "realpath", which dereferences it.
1916 } else if ((rp = realpath(pathname, resolved)) != NULL) {
1917 Var_Set(pathname, rp, cache, 0);
1918 } /* else should we negative-cache? */
1919
1920 free(cp);
1921 return rp ? resolved : NULL;
** CID 1405166: Control flow issues (DEADCODE)
/usr.bin/make/compat.c: 351 in CompatRunCommand()
________________________________________________________________________________________________________
*** CID 1405166: Control flow issues (DEADCODE)
/usr.bin/make/compat.c: 351 in CompatRunCommand()
345 mav = NULL;
346 } else {
347 /*
348 * No meta-characters, so no need to exec a shell. Break the command
349 * into words to form an argument vector we can execute.
350 */
>>> CID 1405166: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "mav = brk_string(cmd, &argc...".
351 mav = brk_string(cmd, &argc, TRUE, &bp);
352 if (mav == NULL) {
353 useShell = 1;
354 goto again;
355 }
356 av = (void *)mav;
** CID 1347091: Null pointer dereferences (FORWARD_NULL)
/usr.bin/make/arch.c: 616 in ArchStatMember()
________________________________________________________________________________________________________
*** CID 1347091: Null pointer dereferences (FORWARD_NULL)
/usr.bin/make/arch.c: 616 in ArchStatMember()
610 fclose(arch);
611 return NULL;
612 }
613
614 ar = bmake_malloc(sizeof(Arch));
615 ar->name = bmake_strdup(archive);
>>> CID 1347091: Null pointer dereferences (FORWARD_NULL)
>>> Assigning: "ar->fnametab" = "NULL".
616 ar->fnametab = NULL;
617 ar->fnamesize = 0;
618 Hash_InitTable(&ar->members, -1);
619 memName[AR_MAX_NAME_LEN] = '\0';
620
621 while (fread((char *)&arh, sizeof(struct ar_hdr), 1, arch) == 1) {
** CID 1300284: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/var.c: 1289 in VarSuffix()
________________________________________________________________________________________________________
*** CID 1300284: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/var.c: 1289 in VarSuffix()
1283 }
1284 *dot++ = '\0';
1285 Buf_AddBytes(buf, strlen(dot), dot);
1286 dot[-1] = '.';
1287 addSpace = TRUE;
1288 }
>>> CID 1300284: Incorrect expression (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "dummy" has identical then and else expressions: "addSpace". Should one of the expressions be modified, or the entire ternary expression replaced?
1289 return (dummy ? addSpace : addSpace);
1290 }
1291
1292 /*-
1293 *-----------------------------------------------------------------------
1294 * VarRoot --
** CID 1300267: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/parse.c: 1137 in ParseClearPath()
________________________________________________________________________________________________________
*** CID 1300267: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/parse.c: 1137 in ParseClearPath()
1131 *-----------------------------------------------------------------------
1132 */
1133 static int
1134 ParseClearPath(void *path, void *dummy)
1135 {
1136 Dir_ClearPath((Lst) path);
>>> CID 1300267: Incorrect expression (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "dummy" has identical then and else expressions: "0". Should one of the expressions be modified, or the entire ternary expression replaced?
1137 return(dummy ? 0 : 0);
1138 }
1139
1140 /*-
1141 *---------------------------------------------------------------------
1142 * ParseDoDependency --
** CID 1300255: (IDENTICAL_BRANCHES)
/usr.bin/make/parse.c: 1094 in ParseFindMain()
/usr.bin/make/parse.c: 1096 in ParseFindMain()
________________________________________________________________________________________________________
*** CID 1300255: (IDENTICAL_BRANCHES)
/usr.bin/make/parse.c: 1094 in ParseFindMain()
1088 ParseFindMain(void *gnp, void *dummy)
1089 {
1090 GNode *gn = (GNode *)gnp;
1091 if ((gn->type & OP_NOTARGET) == 0) {
1092 mainNode = gn;
1093 Targ_SetMain(gn);
>>> CID 1300255: (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "dummy" has identical then and else expressions: "1". Should one of the expressions be modified, or the entire ternary expression replaced?
1094 return (dummy ? 1 : 1);
1095 } else {
1096 return (dummy ? 0 : 0);
1097 }
1098 }
1099
/usr.bin/make/parse.c: 1096 in ParseFindMain()
1090 GNode *gn = (GNode *)gnp;
1091 if ((gn->type & OP_NOTARGET) == 0) {
1092 mainNode = gn;
1093 Targ_SetMain(gn);
1094 return (dummy ? 1 : 1);
1095 } else {
>>> CID 1300255: (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "dummy" has identical then and else expressions: "0". Should one of the expressions be modified, or the entire ternary expression replaced?
1096 return (dummy ? 0 : 0);
1097 }
1098 }
1099
1100 /*-
1101 *-----------------------------------------------------------------------
** CID 1300245: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/targ.c: 527 in Targ_PrintCmd()
________________________________________________________________________________________________________
*** CID 1300245: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/targ.c: 527 in Targ_PrintCmd()
521
522
523 int
524 Targ_PrintCmd(void *cmd, void *dummy)
525 {
526 fprintf(debug_file, "\t%s\n", (char *)cmd);
>>> CID 1300245: Incorrect expression (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "dummy" has identical then and else expressions: "0". Should one of the expressions be modified, or the entire ternary expression replaced?
527 return (dummy ? 0 : 0);
528 }
529
530 /*-
531 *-----------------------------------------------------------------------
532 * Targ_FmtTime --
** CID 1300238: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/dir.c: 1857 in DirPrintDir()
________________________________________________________________________________________________________
*** CID 1300238: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/dir.c: 1857 in DirPrintDir()
1851 }
1852
1853 static int
1854 DirPrintDir(void *p, void *dummy)
1855 {
1856 fprintf(debug_file, "%s ", ((Path *)p)->name);
>>> CID 1300238: Incorrect expression (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "dummy" has identical then and else expressions: "0". Should one of the expressions be modified, or the entire ternary expression replaced?
1857 return (dummy ? 0 : 0);
1858 }
1859
1860 void
1861 Dir_PrintPath(Lst path)
1862 {
1863 Lst_ForEach(path, DirPrintDir, NULL);
** CID 1300237: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/dir.c: 810 in DirPrintWord()
________________________________________________________________________________________________________
*** CID 1300237: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/dir.c: 810 in DirPrintWord()
804 */
805 static int
806 DirPrintWord(void *word, void *dummy)
807 {
808 fprintf(debug_file, "%s ", (char *)word);
809
>>> CID 1300237: Incorrect expression (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "dummy" has identical then and else expressions: "0". Should one of the expressions be modified, or the entire ternary expression replaced?
810 return(dummy ? 0 : 0);
811 }
812
813 /*-
814 *-----------------------------------------------------------------------
815 * Dir_Expand --
** CID 1300234: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/main.c: 1928 in PrintAddr()
________________________________________________________________________________________________________
*** CID 1300234: Incorrect expression (IDENTICAL_BRANCHES)
/usr.bin/make/main.c: 1928 in PrintAddr()
1922 }
1923
1924 int
1925 PrintAddr(void *a, void *b)
1926 {
1927 printf("%lx ", (unsigned long) a);
>>> CID 1300234: Incorrect expression (IDENTICAL_BRANCHES)
>>> Ternary expression on condition "b" has identical then and else expressions: "0". Should one of the expressions be modified, or the entire ternary expression replaced?
1928 return b ? 0 : 0;
1929 }
1930
1931
1932 static int
1933 addErrorCMD(void *cmdp, void *gnp)
** CID 1299912: Security best practices violations (DC.WEAK_CRYPTO)
/usr.bin/make/var.c: 2074 in VarOrder()
________________________________________________________________________________________________________
*** CID 1299912: Security best practices violations (DC.WEAK_CRYPTO)
/usr.bin/make/var.c: 2074 in VarOrder()
2068 * We will use [ac..2] range for mod factors. This will produce
2069 * random numbers in [(ac-1)..0] interval, and minimal
2070 * reasonable value for mod factor is 2 (the mod 1 will produce
2071 * 0 with probability 1).
2072 */
2073 for (i = ac-1; i > 0; i--) {
>>> CID 1299912: Security best practices violations (DC.WEAK_CRYPTO)
>>> "random" should not be used for security related applications, as linear congruential algorithms are too easy to break.
2074 rndidx = random() % (i + 1);
2075 if (i != rndidx) {
2076 t = av[i];
2077 av[i] = av[rndidx];
2078 av[rndidx] = t;
2079 }
** CID 1030810: Null pointer dereferences (NULL_RETURNS)
/usr.bin/make/main.c: 327 in parse_debug_options()
________________________________________________________________________________________________________
*** CID 1030810: Null pointer dereferences (NULL_RETURNS)
/usr.bin/make/main.c: 327 in parse_debug_options()
321 if (strcmp(modules, "stderr") == 0) {
322 debug_file = stderr;
323 goto debug_setbuf;
324 }
325 len = strlen(modules);
326 fname = malloc(len + 20);
>>> CID 1030810: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be null "fname" when calling "memcpy".
327 memcpy(fname, modules, len + 1);
328 /* Let the filename be modified by the pid */
329 if (strcmp(fname + len - 3, ".%d") == 0)
330 snprintf(fname + len - 2, 20, "%d", getpid());
331 debug_file = fopen(fname, mode);
332 if (!debug_file) {
** CID 1030809: Null pointer dereferences (NULL_RETURNS)
/usr.bin/make/parse.c: 531 in loadfile()
________________________________________________________________________________________________________
*** CID 1030809: Null pointer dereferences (NULL_RETURNS)
/usr.bin/make/parse.c: 531 in loadfile()
525 lf->buf = mmap(NULL, lf->maplen, PROT_READ|PROT_WRITE,
526 MAP_FILE|MAP_COPY, fd, 0);
527 if (lf->buf != MAP_FAILED) {
528 /* succeeded */
529 if (lf->len == lf->maplen && lf->buf[lf->len - 1] != '\n') {
530 char *b = malloc(lf->len + 1);
>>> CID 1030809: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "b".
531 b[lf->len] = '\n';
532 memcpy(b, lf->buf, lf->len++);
533 munmap(lf->buf, lf->maplen);
534 lf->maplen = 0;
535 lf->buf = b;
536 }
** CID 979363: Security best practices violations (TOCTOU)
/usr.bin/make/main.c: 1821 in eunlink()
________________________________________________________________________________________________________
*** CID 979363: Security best practices violations (TOCTOU)
/usr.bin/make/main.c: 1821 in eunlink()
1815 return -1;
1816
1817 if (S_ISDIR(st.st_mode)) {
1818 errno = EISDIR;
1819 return -1;
1820 }
>>> CID 979363: Security best practices violations (TOCTOU)
>>> Calling function "unlink" that uses "file" after a check function. This can cause a time-of-check, time-of-use race condition.
1821 return unlink(file);
1822 }
1823
1824 /*
1825 * execError --
1826 * Print why exec failed, avoiding stdio.
** CID 979362: Security best practices violations (TOCTOU)
/usr.bin/make/main.c: 710 in Main_SetObjdir()
________________________________________________________________________________________________________
*** CID 979362: Security best practices violations (TOCTOU)
/usr.bin/make/main.c: 710 in Main_SetObjdir()
704 snprintf(buf, MAXPATHLEN, "%s/%s", curdir, path);
705 path = buf;
706 }
707
708 /* look for the directory and try to chdir there */
709 if (stat(path, &sb) == 0 && S_ISDIR(sb.st_mode)) {
>>> CID 979362: Security best practices violations (TOCTOU)
>>> Calling function "chdir" that uses "path" after a check function. This can cause a time-of-check, time-of-use race condition.
710 if (chdir(path)) {
711 (void)fprintf(stderr, "make warning: %s: %s.\n",
712 path, strerror(errno));
713 } else {
714 strncpy(objdir, path, MAXPATHLEN);
715 Var_Set(".OBJDIR", objdir, VAR_GLOBAL, 0);
** CID 979214: Insecure data handling (TAINTED_STRING)
/usr.bin/make/var.c: 839 in Var_UnExport()
________________________________________________________________________________________________________
*** CID 979214: Insecure data handling (TAINTED_STRING)
/usr.bin/make/var.c: 839 in Var_UnExport()
833 if (!newenv)
834 return;
835 /* Note: we cannot safely free() the original environ. */
836 environ = savedEnv = newenv;
837 newenv[0] = NULL;
838 newenv[1] = NULL;
>>> CID 979214: Insecure data handling (TAINTED_STRING)
>>> Passing tainted string "cp" to "setenv", which cannot accept tainted data.
839 setenv(MAKE_LEVEL_ENV, cp, 1);
840 } else {
841 for (; *str != '\n' && isspace((unsigned char) *str); str++)
842 continue;
843 if (str[0] && str[0] != '\n') {
844 vlist = str;
** CID 979213: (TAINTED_STRING)
/usr.bin/make/main.c: 1007 in main()
/usr.bin/make/main.c: 1007 in main()
/usr.bin/make/main.c: 1114 in main()
________________________________________________________________________________________________________
*** CID 979213: (TAINTED_STRING)
/usr.bin/make/main.c: 1007 in main()
1001 if (argv[0][0] == '/' || strchr(argv[0], '/') == NULL) {
1002 /*
1003 * Leave alone if it is an absolute path, or if it does
1004 * not contain a '/' in which case we need to find it in
1005 * the path, like execvp(3) and the shells do.
1006 */
>>> CID 979213: (TAINTED_STRING)
>>> Assigning: "p1" = "argv[0]". Both are now tainted.
1007 p1 = argv[0];
1008 } else {
1009 /*
1010 * A relative path, canonicalize it.
1011 */
1012 p1 = cached_realpath(argv[0], mdpath);
/usr.bin/make/main.c: 1007 in main()
1001 if (argv[0][0] == '/' || strchr(argv[0], '/') == NULL) {
1002 /*
1003 * Leave alone if it is an absolute path, or if it does
1004 * not contain a '/' in which case we need to find it in
1005 * the path, like execvp(3) and the shells do.
1006 */
>>> CID 979213: (TAINTED_STRING)
>>> Assigning: "p1" = "argv[0]". Both are now tainted.
1007 p1 = argv[0];
1008 } else {
1009 /*
1010 * A relative path, canonicalize it.
1011 */
1012 p1 = cached_realpath(argv[0], mdpath);
/usr.bin/make/main.c: 1076 in main()
1070 if (getcwd(curdir, MAXPATHLEN) == NULL) {
1071 (void)fprintf(stderr, "%s: getcwd: %s.\n",
1072 progname, strerror(errno));
1073 exit(2);
1074 }
1075
>>> CID 979213: (TAINTED_STRING)
>>> Passing tainted string "argv" to "MainParseArgs", which cannot accept tainted data.
1076 MainParseArgs(argc, argv);
1077
1078 if (enterFlag)
1079 printf("%s: Entering directory `%s'\n", progname, curdir);
1080
1081 /*
/usr.bin/make/main.c: 1114 in main()
1108 VAR_CMD, &ptmp2);
1109
1110 if (makeobjdir == NULL || !strchr(makeobjdir, '$')) {
1111 if (stat(pwd, &sb) == 0 &&
1112 sa.st_ino == sb.st_ino &&
1113 sa.st_dev == sb.st_dev)
>>> CID 979213: (TAINTED_STRING)
>>> Call to function "strncpy" with tainted argument "pwd" transitively taints "curdir".
1114 (void)strncpy(curdir, pwd, MAXPATHLEN);
1115 }
1116 }
1117 free(ptmp1);
1118 free(ptmp2);
1119 }
** CID 978654: Security best practices violations (SECURE_TEMP)
/usr.bin/make/main.c: 2049 in mkTempFile()
________________________________________________________________________________________________________
*** CID 978654: Security best practices violations (SECURE_TEMP)
/usr.bin/make/main.c: 2049 in mkTempFile()
2043 tmpdir = getTmpdir();
2044 if (pattern[0] == '/') {
2045 snprintf(tfile, sizeof(tfile), "%s", pattern);
2046 } else {
2047 snprintf(tfile, sizeof(tfile), "%s%s", tmpdir, pattern);
2048 }
>>> CID 978654: Security best practices violations (SECURE_TEMP)
>>> Calling "mkstemp" without securely setting umask first.
2049 if ((fd = mkstemp(tfile)) < 0)
2050 Punt("Could not create temporary file %s: %s", tfile, strerror(errno));
2051 if (fnamep) {
2052 *fnamep = bmake_strdup(tfile);
2053 } else {
2054 unlink(tfile); /* we just want the descriptor */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRb2JZfDAOAZcqzsy8LMBKBjZiXDg7WCnKqBB1q-2FtZ4dvE2p1AmNMmYII14NbCr9wIc-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05WHsDXTio9SUanBqEmkSRttJ2DubSFcYPBAQD7CDfD83BbEPLAqMMOhhV8eJApEI6Y9vETR1r35LC8bRMo7tyHXI3kemtCvCgLKkeog8mFO7-2B-2B0mw9nOcn9mhm7YMz9svGxFVzQEIwW57liUeSddbbpQ0xo2ursUFVBYYtRGC4NOA5zloNcJfVyWZVx75MXFYw-3D