New Defects reported by Coverity Scan for NetBSD-amd64-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
127 new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
41 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 127 defect(s)
** CID 1428660: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/agp_sis.c: 90 in agp_sis_attach()
________________________________________________________________________________________________________
*** CID 1428660: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/agp_sis.c: 90 in agp_sis_attach()
84 if (ssc == NULL) {
85 aprint_error(": can't allocate chipset-specific softc\n");
86 return ENOMEM;
87 }
88 sc->as_methods = &agp_sis_methods;
89 sc->as_chipc = ssc;
>>> CID 1428660: Error handling issues (CHECKED_RETURN)
>>> Calling "pci_get_capability" without checking return value (as is done elsewhere 45 out of 53 times).
90 pci_get_capability(pa->pa_pc, pa->pa_tag, PCI_CAP_AGP, &sc->as_capoff,
91 NULL);
92
93 if (agp_map_aperture(pa, sc, AGP_APBASE) != 0) {
94 aprint_error(": can't map aperture\n");
95 free(ssc, M_AGP);
** CID 1428659: Null pointer dereferences (FORWARD_NULL)
/sys/netipsec/ipsec.c: 498 in ipsec_getpolicybysock()
________________________________________________________________________________________________________
*** CID 1428659: Null pointer dereferences (FORWARD_NULL)
/sys/netipsec/ipsec.c: 498 in ipsec_getpolicybysock()
492 currsp = pcbsp->sp_out;
493 break;
494 }
495 KASSERT(currsp != NULL);
496
497 if (pcbsp->priv) { /* when privilieged socket */
>>> CID 1428659: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "currsp".
498 switch (currsp->policy) {
499 case IPSEC_POLICY_BYPASS:
500 case IPSEC_POLICY_IPSEC:
501 KEY_SP_REF(currsp);
502 sp = currsp;
503 break;
** CID 1428658: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1428658: Insecure data handling (TAINTED_SCALAR)
/sys/kern/core_elf32.c: 419 in coredump_note_auxv()
413 if ((error = proc_getauxv(l->l_proc, &kauxv, &len)) != 0)
414 return error;
415
416 ELFNAMEEND(coredump_savenote)(ns, ELF_NOTE_NETBSD_CORE_AUXV,
417 ELF_NOTE_NETBSD_CORE_NAME, kauxv, len);
418
>>> CID 1428658: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "kauxv" to a tainted sink.
419 kmem_free(kauxv, len);
420 return 0;
421 }
422
423 static int
424 ELFNAMEEND(coredump_notes)(struct lwp *l, struct note_state *ns)
** CID 1428657: Uninitialized variables (UNINIT)
/sys/dev/pad/pad.c: 390 in pad_open()
________________________________________________________________________________________________________
*** CID 1428657: Uninitialized variables (UNINIT)
/sys/dev/pad/pad.c: 390 in pad_open()
384 error = fd_clone(fp, fd, flags, &pad_fileops, sc);
385 KASSERT(error == EMOVEFD);
386 }
387 sc->sc_open = 1;
388 mutex_exit(&padconfig);
389
>>> CID 1428657: Uninitialized variables (UNINIT)
>>> Using uninitialized value "error".
390 return error;
391 bad:
392 mutex_exit(&padconfig);
393 return ENXIO;
394 }
395
** CID 1428656: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/ohci.c: 1792 in ohci_rem_ed()
________________________________________________________________________________________________________
*** CID 1428656: Null pointer dereferences (FORWARD_NULL)
/sys/dev/usb/ohci.c: 1792 in ohci_rem_ed()
1786 ;
1787 KASSERT(p != NULL);
1788
1789 usb_syncmem(&sed->dma, sed->offs + offsetof(ohci_ed_t, ed_nexted),
1790 sizeof(sed->ed.ed_nexted),
1791 BUS_DMASYNC_POSTWRITE | BUS_DMASYNC_POSTREAD);
>>> CID 1428656: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "p".
1792 p->next = sed->next;
1793 p->ed.ed_nexted = sed->ed.ed_nexted;
1794 usb_syncmem(&p->dma, p->offs + offsetof(ohci_ed_t, ed_nexted),
1795 sizeof(p->ed.ed_nexted),
1796 BUS_DMASYNC_PREWRITE | BUS_DMASYNC_PREREAD);
1797 }
** CID 1428655: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/agp_intel.c: 131 in agp_intel_attach()
________________________________________________________________________________________________________
*** CID 1428655: Error handling issues (CHECKED_RETURN)
/sys/dev/pci/agp_intel.c: 131 in agp_intel_attach()
125 if (pci_find_device(&isc->vga_pa, agp_intel_vgamatch) == 0) {
126 aprint_normal(": using generic initialization for Intel AGP\n");
127 aprint_normal_dev(sc->as_dev, "");
128 isc->chiptype = CHIP_INTEL;
129 }
130
>>> CID 1428655: Error handling issues (CHECKED_RETURN)
>>> Calling "pci_get_capability" without checking return value (as is done elsewhere 45 out of 53 times).
131 pci_get_capability(pa->pa_pc, pa->pa_tag, PCI_CAP_AGP, &sc->as_capoff,
132 NULL);
133
134 if (agp_map_aperture(pa, sc, AGP_APBASE) != 0) {
135 aprint_error(": can't map aperture\n");
136 free(isc, M_AGP);
** CID 1428654: Null pointer dereferences (FORWARD_NULL)
/sys/netinet6/ip6_forward.c: 271 in ip6_forward()
________________________________________________________________________________________________________
*** CID 1428654: Null pointer dereferences (FORWARD_NULL)
/sys/netinet6/ip6_forward.c: 271 in ip6_forward()
265 * ipsec6_proces_packet will send the packet using ip6_output
266 */
267 if (needipsec) {
268 int s = splsoftnet();
269 error = ipsec6_process_packet(m, sp->req);
270 splx(s);
>>> CID 1428654: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "mcopy" to null implies that "mcopy" might be null.
271 if (mcopy)
272 goto freecopy;
273 }
274 #endif
275
276 /*
** CID 1428653: Insecure data handling (TAINTED_SCALAR)
/sys/netsmb/smb_subr.c: 393 in dup_sockaddr_copyin()
________________________________________________________________________________________________________
*** CID 1428653: Insecure data handling (TAINTED_SCALAR)
/sys/netsmb/smb_subr.c: 393 in dup_sockaddr_copyin()
387 return EINVAL;
388
389 /* Don't let the user overfeed us. */
390 usalen = MIN(usalen, sizeof(struct sockaddr_storage));
391
392 /* Copy the buffer in from userland. */
>>> CID 1428653: Insecure data handling (TAINTED_SCALAR)
>>> Assigning: "ksa" = "smb_memdupin", which taints "ksa".
393 ksa = smb_memdupin(usa, usalen);
394 if (ksa == NULL)
395 return ENOMEM;
396
397 /* Make sure the user's idea of sa_len is reasonable. */
398 if (ksa->sa_len > usalen) {
** CID 1428652: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1428652: Insecure data handling (TAINTED_SCALAR)
/sys/miscfs/procfs/procfs_auxv.c: 61 in procfs_doauxv()
55 if (uio->uio_offset < bufsize)
56 error = uiomove((char *)buffer + uio->uio_offset,
57 bufsize - uio->uio_offset, uio);
58 else
59 error = 0;
60
>>> CID 1428652: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "buffer" to a tainted sink.
61 kmem_free(buffer, bufsize);
62 return error;
63 }
64
65 int
66 procfs_validauxv(struct lwp *l, struct mount *mp)
67 {
68 return l != NULL && l->l_proc != NULL && l->l_proc->p_execsw != NULL;
** CID 1428651: Integer handling issues (BAD_SHIFT)
/sys/kern/subr_vmem.c: 409 in bt_freehead_toalloc()
________________________________________________________________________________________________________
*** CID 1428651: Integer handling issues (BAD_SHIFT)
/sys/kern/subr_vmem.c: 409 in bt_freehead_toalloc()
403 const vmem_size_t qsize = size >> vm->vm_quantum_shift;
404 int idx = SIZE2ORDER(qsize);
405
406 KASSERT(size != 0 && qsize != 0);
407 KASSERT((size & vm->vm_quantum_mask) == 0);
408
>>> CID 1428651: Integer handling issues (BAD_SHIFT)
>>> In expression "1UL << idx", shifting by a negative amount has undefined behavior. The shift amount, "idx", is -1.
409 if (strat == VM_INSTANTFIT && ORDER2SIZE(idx) != qsize) {
410 idx++;
411 /* check too large request? */
412 }
413 KASSERT(idx >= 0);
414 KASSERT(idx < VMEM_MAXORDER);
** CID 1428650: Memory - illegal accesses (OVERRUN)
/sys/kern/kern_sysctl.c: 2480 in sysctl_log_add()
________________________________________________________________________________________________________
*** CID 1428650: Memory - illegal accesses (OVERRUN)
/sys/kern/kern_sysctl.c: 2480 in sysctl_log_add()
2474
2475 /*
2476 * stuff name in, then namelen, then node type, and finally,
2477 * the version for non-node nodes.
2478 */
2479 for (i = 0; i < namelen; i++)
>>> CID 1428650: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "name" of 12 4-byte elements at element index 12 (byte offset 48) using index "i" (which evaluates to 12).
2480 log->log_num[--log->log_left] = name[i];
2481 log->log_num[--log->log_left] = namelen;
2482 log->log_num[--log->log_left] = SYSCTL_TYPE(node->sysctl_flags);
2483 if (log->log_num[log->log_left] != CTLTYPE_NODE)
2484 log->log_num[--log->log_left] = node->sysctl_ver;
2485 else
** CID 1428649: Null pointer dereferences (FORWARD_NULL)
/sys/kern/subr_autoconf.c: 1402 in config_devalloc()
________________________________________________________________________________________________________
*** CID 1428649: Null pointer dereferences (FORWARD_NULL)
/sys/kern/subr_autoconf.c: 1402 in config_devalloc()
1396 } else {
1397 dev = dev_private;
1398 #ifdef DIAGNOSTIC
1399 printf("%s has not been converted to device_t\n", cd->cd_name);
1400 #endif
1401 }
>>> CID 1428649: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dev".
1402 dev->dv_class = cd->cd_class;
1403 dev->dv_cfdata = cf;
1404 dev->dv_cfdriver = cd;
1405 dev->dv_cfattach = ca;
1406 dev->dv_activity_count = 0;
1407 dev->dv_activity_handlers = NULL;
** CID 1428648: Null pointer dereferences (FORWARD_NULL)
/sys/kern/exec_elf.c: 245 in elf64_copyargs()
________________________________________________________________________________________________________
*** CID 1428648: Null pointer dereferences (FORWARD_NULL)
/sys/kern/exec_elf.c: 245 in elf64_copyargs()
239
240 vlen = (a - ai) * sizeof(ai[0]);
241
242 KASSERT(vlen <= sizeof(ai));
243
244 char *path = l->l_proc->p_path;
>>> CID 1428648: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "execname".
245 execname->a_v = (uintptr_t)(*stackp + vlen);
246 len = strlen(path) + 1;
247 if ((error = copyout(path, (*stackp + vlen), len)) != 0)
248 return error;
249 len = ALIGN(len);
250
** CID 1428647: (TAINTED_SCALAR)
/sys/dev/i2c/ihidev.c: 421 in ihidev_hid_command()
/sys/dev/i2c/ihidev.c: 421 in ihidev_hid_command()
/sys/dev/i2c/ihidev.c: 428 in ihidev_hid_command()
/sys/dev/i2c/ihidev.c: 428 in ihidev_hid_command()
________________________________________________________________________________________________________
*** CID 1428647: (TAINTED_SCALAR)
/sys/dev/i2c/ihidev.c: 421 in ihidev_hid_command()
415 tmprep = kmem_zalloc(report_len, KM_NOSLEEP);
416
417 /* type 3 id 8: 22 00 38 02 23 00 */
418 res = iic_exec(sc->sc_tag, I2C_OP_READ_WITH_STOP, sc->sc_addr,
419 &cmd, cmdlen, tmprep, report_len, flags);
420
>>> CID 1428647: (TAINTED_SCALAR)
>>> Performing a byte swapping operation on "tmprep" implies that it came from an external source, and is therefore tainted.
421 d = tmprep[0] | tmprep[1] << 8;
422 if (d != report_len) {
423 DPRINTF(("%s: response size %d != expected length %d\n",
424 sc->sc_dev.dv_xname, d, report_len));
425 }
426
/sys/dev/i2c/ihidev.c: 421 in ihidev_hid_command()
415 tmprep = kmem_zalloc(report_len, KM_NOSLEEP);
416
417 /* type 3 id 8: 22 00 38 02 23 00 */
418 res = iic_exec(sc->sc_tag, I2C_OP_READ_WITH_STOP, sc->sc_addr,
419 &cmd, cmdlen, tmprep, report_len, flags);
420
>>> CID 1428647: (TAINTED_SCALAR)
>>> Performing a byte swapping operation on "tmprep" implies that it came from an external source, and is therefore tainted.
421 d = tmprep[0] | tmprep[1] << 8;
422 if (d != report_len) {
423 DPRINTF(("%s: response size %d != expected length %d\n",
424 sc->sc_dev.dv_xname, d, report_len));
425 }
426
/sys/dev/i2c/ihidev.c: 428 in ihidev_hid_command()
422 if (d != report_len) {
423 DPRINTF(("%s: response size %d != expected length %d\n",
424 sc->sc_dev.dv_xname, d, report_len));
425 }
426
427 if (report_id_len == 2)
>>> CID 1428647: (TAINTED_SCALAR)
>>> Performing a byte swapping operation on "tmprep" implies that it came from an external source, and is therefore tainted.
428 d = tmprep[2] | tmprep[3] << 8;
429 else
430 d = tmprep[2];
431
432 if (d != rreq->id) {
433 DPRINTF(("%s: response report id %d != %d\n",
/sys/dev/i2c/ihidev.c: 428 in ihidev_hid_command()
422 if (d != report_len) {
423 DPRINTF(("%s: response size %d != expected length %d\n",
424 sc->sc_dev.dv_xname, d, report_len));
425 }
426
427 if (report_id_len == 2)
>>> CID 1428647: (TAINTED_SCALAR)
>>> Performing a byte swapping operation on "tmprep" implies that it came from an external source, and is therefore tainted.
428 d = tmprep[2] | tmprep[3] << 8;
429 else
430 d = tmprep[2];
431
432 if (d != rreq->id) {
433 DPRINTF(("%s: response report id %d != %d\n",
** CID 1428646: Null pointer dereferences (FORWARD_NULL)
/sys/kern/kern_exec.c: 883 in execve_dovmcmds()
________________________________________________________________________________________________________
*** CID 1428646: Null pointer dereferences (FORWARD_NULL)
/sys/kern/kern_exec.c: 883 in execve_dovmcmds()
877 vcp = &epp->ep_vmcmds.evs_cmds[i];
878 if (vcp->ev_flags & VMCMD_RELATIVE) {
879 KASSERTMSG(base_vcp != NULL,
880 "%s: relative vmcmd with no base", __func__);
881 KASSERTMSG((vcp->ev_flags & VMCMD_BASE) == 0,
882 "%s: illegal base & relative vmcmd", __func__);
>>> CID 1428646: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "base_vcp".
883 vcp->ev_addr += base_vcp->ev_addr;
884 }
885 error = (*vcp->ev_proc)(l, vcp);
886 if (error)
887 DUMPVMCMDS(epp, i, error);
888 if (vcp->ev_flags & VMCMD_BASE)
** CID 1428645: Memory - corruptions (NEGATIVE_RETURNS)
/sys/dev/pci/if_wm.c: 7365 in wm_send_common_locked()
________________________________________________________________________________________________________
*** CID 1428645: Memory - corruptions (NEGATIVE_RETURNS)
/sys/dev/pci/if_wm.c: 7365 in wm_send_common_locked()
7359
7360 /*
7361 * Set up the command byte on the last descriptor of
7362 * the packet. If we're in the interrupt delay window,
7363 * delay the interrupt.
7364 */
>>> CID 1428645: Memory - corruptions (NEGATIVE_RETURNS)
>>> Using variable "lasttx" as an index to array "txq->txq_descs_u->sctxu_txdescs".
7365 txq->txq_descs[lasttx].wtx_cmdlen |=
7366 htole32(WTX_CMD_EOP | WTX_CMD_RS);
7367
7368 /*
7369 * If VLANs are enabled and the packet has a VLAN tag, set
7370 * up the descriptor to encapsulate the packet for us.
** CID 1428644: Null pointer dereferences (REVERSE_INULL)
/sys/arch/x86/pci/amdzentemp.c: 170 in amdzentemp_attach()
________________________________________________________________________________________________________
*** CID 1428644: Null pointer dereferences (REVERSE_INULL)
/sys/arch/x86/pci/amdzentemp.c: 170 in amdzentemp_attach()
164 bad:
165 if (sc->sc_sme != NULL) {
166 sysmon_envsys_destroy(sc->sc_sme);
167 sc->sc_sme = NULL;
168 }
169
>>> CID 1428644: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "sc->sc_sensor" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
170 if (sc->sc_sensor != NULL) {
171 kmem_free(sc->sc_sensor, sc->sc_sensor_len);
172 sc->sc_sensor = NULL;
173 }
174 }
175
** CID 1428643: Error handling issues (CHECKED_RETURN)
/sys/dev/pckbport/pms.c: 240 in pmsattach()
________________________________________________________________________________________________________
*** CID 1428643: Error handling issues (CHECKED_RETURN)
/sys/dev/pckbport/pms.c: 240 in pmsattach()
234 cmd[0] = PMS_DEV_DISABLE;
235 res = pckbport_poll_cmd(pa->pa_tag, pa->pa_slot, cmd, 1, 0, NULL, 0);
236 if (res)
237 aprint_error("pmsattach: disable error\n");
238 pckbport_slot_enable(sc->sc_kbctag, sc->sc_kbcslot, 0);
239
>>> CID 1428643: Error handling issues (CHECKED_RETURN)
>>> Calling "kthread_create" without checking return value (as is done elsewhere 57 out of 66 times).
240 kthread_create(PRI_NONE, 0, NULL, pms_reset_thread, sc,
241 &sc->sc_event_thread, "%s", device_xname(sc->sc_dev));
242
243 if (!pmf_device_register(self, pms_suspend, pms_resume))
244 aprint_error_dev(self, "couldn't establish power handler\n");
245 }
** CID 1428642: Integer handling issues (BAD_SHIFT)
/sys/kern/subr_vmem.c: 934 in vmem_init()
________________________________________________________________________________________________________
*** CID 1428642: Integer handling issues (BAD_SHIFT)
/sys/kern/subr_vmem.c: 934 in vmem_init()
928 vm->vm_flags = flags;
929 vm->vm_nfreetags = 0;
930 LIST_INIT(&vm->vm_freetags);
931 strlcpy(vm->vm_name, name, sizeof(vm->vm_name));
932 vm->vm_quantum_mask = quantum - 1;
933 vm->vm_quantum_shift = SIZE2ORDER(quantum);
>>> CID 1428642: Integer handling issues (BAD_SHIFT)
>>> In expression "1UL << vm->vm_quantum_shift", shifting by a negative amount has undefined behavior. The shift amount, "vm->vm_quantum_shift", is -1.
934 KASSERT(ORDER2SIZE(vm->vm_quantum_shift) == quantum);
935 vm->vm_importfn = importfn;
936 vm->vm_releasefn = releasefn;
937 vm->vm_arg = arg;
938 vm->vm_nbusytag = 0;
939 vm->vm_size = 0;
** CID 1428641: Memory - illegal accesses (NEGATIVE_RETURNS)
/sys/uvm/uvm_physseg.c: 1167 in uvm_physseg_seg_alloc_from_slab()
________________________________________________________________________________________________________
*** CID 1428641: Memory - illegal accesses (NEGATIVE_RETURNS)
/sys/uvm/uvm_physseg.c: 1167 in uvm_physseg_seg_alloc_from_slab()
1161 */
1162 KASSERT(uvm.page_init_done != true);
1163
1164 uvm_physseg_t upmp = uvm_physseg_get_prev(upm);
1165 KASSERT(upmp != UVM_PHYSSEG_TYPE_INVALID);
1166
>>> CID 1428641: Memory - illegal accesses (NEGATIVE_RETURNS)
>>> Using variable "upmp" as an index to array "vm_physmem".
1167 seg->ext = HANDLE_TO_PHYSSEG_NODE(upmp)->ext;
1168
1169 KASSERT(seg->ext != NULL);
1170 }
1171
1172 /* We allocate enough for this segment */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRb2JZfDAOAZcqzsy8LMBKBj0qtSICo2DZNjmmsVjYof54PahgUQ7xLRwU5wjlAON3Q-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05Ud8CmvNgYmlqRwvlj8Q-2BaL9gKYL-2B-2BrFAZE2-2BtpxO9BN-2FhtsrfUXkeFblqeyC6frF6ugAD7AplhFat4Lx0uFOFelDLO3rvmIfZbj1eT-2FUgZQz6-2Fvt9ZmNwYKqBiwc8dmTEO5oQB9kspRgtRON91ez-2F2ab7zf1VarJGT-2BEm05EftXt50bbpr4y304XpAhhnLjzE-3D
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4m7U7Yoel-2F6MYPxol7ToiLwYIjoNbVQOCAwEeTNJofEDwTlN0JRhKMyijhpnAObR-2FlLVG-2Fr3EBKWgiICNdX1HPA6Ws0-2F1wHBf2tG9AnMDB8g-3D_XWm3CUIFU8ffmjzuNhQ8cIHoQgXzXkm61Fmjr59D05Ud8CmvNgYmlqRwvlj8Q-2BaL9gKYL-2B-2BrFAZE2-2BtpxO9BNxlnMnUM7kZiNDi4sLHw9L-2FafuPS9STy9y8-2B5ndkWCCqfhin4SaiG32Nlj6ltZODmf-2FUcbDT6JSuN9Y1YajqwErUkk0SuiubYg6fM6Hi9xoSIOUmw2L0tEmmDU7UImJ8y-2BfCa1PTzyv6BhAo6tTwhsM-3D