[RTEMS Project] #2926: Coverity Reports Multiple Out of Bounds Accesses in rtd-mdreloc-sparc.c
RTEMS trac
trac at rtems.org
Tue Mar 14 23:15:59 UTC 2017
#2926: Coverity Reports Multiple Out of Bounds Accesses in rtd-mdreloc-sparc.c
---------------------------+-----------------------
Reporter: Joel Sherrill | Owner: chrisj@…
Type: defect | Status: assigned
Priority: normal | Milestone: 4.12
Component: libdl | Version: 4.12
Severity: normal | Resolution:
Keywords: |
---------------------------+-----------------------
Comment (by Chris Johns):
Replying to [ticket:2926 Joel Sherrill]:
> Coverity spots an out of bounds read in rtl-mdreloc-sparc.c. Given the
> comment at the top that it was "Taken from NetBSD and stripped of the
> relocations not needed on RTEMS", I am unsure how to correlate the code
> back to the original to see if the issue exists upstream. Also I do not
> know where in the NetBSD source this came from.
The code was taken into RTEMS and working with the upstream is only as a
reference. The code in NetBSD is under:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/?only_with_tag=MAIN
and the SPARC code is:
http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/arch/sparc/?only_with_tag=MAIN
>
> The first issue is:
> https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967451&mergedDefectId=1255330
This link redirects me to a login page and my login for Coverity did
not work. I had no idea it did not work and I never received anything from
them saying it was being disabled.
Should we have links to login pages in open tickets like this?
>
> The long analysis ends with:
>
> 226
>
> CID 1255330 (#1 of 1): Out-of-bounds read (OVERRUN)
> 14. overrun-local: Overrunning array reloc_target_bitmask of 24 4-byte
> elements at element index 45 (byte offset 180) using index type (which
> evaluates to 45).
Where does the 45 come from?
> 227 mask = RELOC_VALUE_BITMASK (type);
> 228 value >>= RELOC_VALUE_RIGHTSHIFT (type);
> 229 value &= mask;
>
> The others are:
>
> https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967452&mergedDefectId=1255332
>
> https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967450&mergedDefectId=1255342
Sorry I cannot see these.
--
Ticket URL: <http://devel.rtems.org/ticket/2926#comment:2>
RTEMS Project <http://www.rtems.org/>
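
The finding quoted above is a 24-entry table indexed by a relocation type of 45. The following is an added example, not code from the ticket, RTEMS or NetBSD, showing a range check on the type before the mask and shift tables are read. The table contents, `RELOC_TYPES`, `reloc_type()` and `reloc_mask_value()` are constructed for illustration.

```c
#include <stdint.h>

#define RELOC_TYPES 24  /* table size taken from the Coverity message */

/* Constructed stand-ins for the tables behind RELOC_VALUE_BITMASK and
 * RELOC_VALUE_RIGHTSHIFT; the values are illustrative only. */
static const uint32_t reloc_target_bitmask[RELOC_TYPES] = {
  0x00000000, 0x000000ff, 0x0000ffff, 0xffffffff, 0x000000ff, 0x0000ffff,
  0xffffffff, 0x3fffffff, 0x003fffff, 0x003fffff, 0x003fffff, 0x00001fff,
  0x000003ff, 0x000003ff, 0x00001fff, 0x003fffff, 0x000003ff, 0x00001fff,
  0x3fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff
};
static const uint8_t reloc_target_rightshift[RELOC_TYPES] = {
  0, 0, 0, 0, 0, 0, 0, 2, 2, 10, 0, 0, 0, 0, 0, 10, 0, 0, 2, 0, 0, 0, 0, 0
};

/* Hypothetical helper: ELF32 stores the relocation type in the low 8 bits
 * of r_info, so a type read from an object file can be any value 0..255. */
static unsigned reloc_type(uint32_t r_info)
{
  return r_info & 0xffu;
}

/* Returns 0 and stores the shifted, masked value in *out, or returns -1
 * and leaves *out untouched when the type has no table entry. */
int reloc_mask_value(uint32_t r_info, uint32_t value, uint32_t *out)
{
  unsigned type = reloc_type(r_info);

  if (type >= RELOC_TYPES)
    return -1;  /* reject before either table is indexed */

  value >>= reloc_target_rightshift[type];
  value &= reloc_target_bitmask[type];
  *out = value;
  return 0;
}
```

A loader using a check like this would treat the `-1` return as an unsupported relocation and fail the load of that object.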