Fwd: New Defects reported by Coverity Scan for RTEMS
Gedare Bloom
gedare at rtems.org
Thu Jan 28 04:24:56 UTC 2021
FYI
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Wed, Jan 27, 2021, 9:21 PM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <gedare at gwmail.gwu.edu>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS found
with Coverity Scan.
11 new defect(s) introduced to RTEMS found with Coverity Scan.
42 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)
** CID 1472583: (STRING_NULL)
/cpukit/libdl/rtl-archive.c: 796 in rtems_rtl_archives_refresh()
/cpukit/libdl/rtl-archive.c: 798 in rtems_rtl_archives_refresh()
________________________________________________________________________________________________________
*** CID 1472583: (STRING_NULL)
/cpukit/libdl/rtl-archive.c: 796 in rtems_rtl_archives_refresh()
790 {
791 ++config_path;
792 continue;
793 }
794
795 if (rtems_rtl_trace (RTEMS_RTL_TRACE_ARCHIVES))
>>> CID 1472583: (STRING_NULL)
>>> Passing unterminated string "dirname" to "printf".
796 printf ("rtl: archive: refresh: %s\n", dirname);
797
798 config_path += strlen (dirname);
799
800 /*
801 * Relative paths do not work in the config. Must be absolute.
/cpukit/libdl/rtl-archive.c: 798 in rtems_rtl_archives_refresh()
792 continue;
793 }
794
795 if (rtems_rtl_trace (RTEMS_RTL_TRACE_ARCHIVES))
796 printf ("rtl: archive: refresh: %s\n", dirname);
797
>>> CID 1472583: (STRING_NULL)
>>> Passing unterminated string "dirname" to "strlen", which expects a null-terminated string.
798 config_path += strlen (dirname);
799
800 /*
801 * Relative paths do not work in the config. Must be absolute.
802 */
803 if (dirname[0] != '/')
** CID 1472582: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1472582: Insecure data handling (TAINTED_SCALAR)
/cpukit/libdl/rtl-elf.c: 1328 in rtems_rtl_elf_parse_sections()
1322 printf ("rtl: section header: %2d: offset=%d\n", section, (int) off);
1323
1324 if (!rtems_rtl_obj_cache_read_byval (sects, fd, off, &shdr, sizeof (shdr)))
1325 return false;
1326
1327 len = RTEMS_RTL_ELF_STRING_MAX;
>>> CID 1472582: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "sectstroff + shdr.sh_name" to "rtems_rtl_obj_cache_read", which uses it as an offset.
1328 if (!rtems_rtl_obj_cache_read (strings, fd,
1329 sectstroff + shdr.sh_name,
1330 (void**) &name, &len))
1331 return false;
1332
1333 if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))
** CID 1472581: Null pointer dereferences (REVERSE_INULL)
/cpukit/mghttpd/mongoose.c: 656 in cry()
________________________________________________________________________________________________________
*** CID 1472581: Null pointer dereferences (REVERSE_INULL)
/cpukit/mghttpd/mongoose.c: 656 in cry()
650
651 // Do not lock when getting the callback value, here and below.
652 // I suppose this is fine, since function cannot disappear in the
653 // same way string option can.
654 if (conn->ctx->callbacks.log_message == NULL ||
655 conn->ctx->callbacks.log_message(conn, buf) == 0) {
>>> CID 1472581: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "conn->ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
656 fp = conn->ctx == NULL || conn->ctx->config[ERROR_LOG_FILE] == NULL ? NULL :
657 fopen(conn->ctx->config[ERROR_LOG_FILE], "a+");
658
659 if (fp != NULL) {
660 flockfile(fp);
661 timestamp = time(NULL);
** CID 1472580: (TAINTED_SCALAR)
/cpukit/libdl/rtl-rap.c: 921 in rtems_rtl_rap_file_load()
/cpukit/libdl/rtl-rap.c: 915 in rtems_rtl_rap_file_load()
________________________________________________________________________________________________________
*** CID 1472580: (TAINTED_SCALAR)
/cpukit/libdl/rtl-rap.c: 933 in rtems_rtl_rap_file_load()
927 if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.strtable_size))
928 return false;
929
930 if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))
931 printf ("rtl: rap: details: obj_num=%" PRIu32 "\n", obj->obj_num);
932
>>> CID 1472580: (TAINTED_SCALAR)
>>> Passing tainted expression "rap.rpathlen" to "rtems_rtl_rap_load_linkmap", which uses it as a loop boundary.
933 if (!rtems_rtl_rap_load_linkmap (&rap, obj))
934 return false;
935 }
936
937 /*
938 * uint32_t: text_size
/cpukit/libdl/rtl-rap.c: 921 in rtems_rtl_rap_file_load()
915 obj->sec_num = (uint32_t*) malloc (sizeof (uint32_t) * obj->obj_num);
916
917 if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.rpathlen))
918 return false;
919
920 uint32_t i;
>>> CID 1472580: (TAINTED_SCALAR)
>>> Using tainted variable "obj->obj_num" as a loop boundary.
921 for (i = 0; i < obj->obj_num; ++i)
922 {
923 if (!rtems_rtl_rap_read_uint32 (rap.decomp, &(obj->sec_num[i])))
924 return false;
925 }
926
/cpukit/libdl/rtl-rap.c: 915 in rtems_rtl_rap_file_load()
909 */
910 if (!rtems_rtl_rap_read_uint32 (rap.decomp, &obj->obj_num))
911 return false;
912
913 if (obj->obj_num > 0)
914 {
>>> CID 1472580: (TAINTED_SCALAR)
>>> Passing tainted expression "4U * obj->obj_num" to "malloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
915 obj->sec_num = (uint32_t*) malloc (sizeof (uint32_t) * obj->obj_num);
916
917 if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.rpathlen))
918 return false;
919
920 uint32_t i;
/cpukit/libdl/rtl-rap.c: 933 in rtems_rtl_rap_file_load()
927 if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.strtable_size))
928 return false;
929
930 if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))
931 printf ("rtl: rap: details: obj_num=%" PRIu32 "\n", obj->obj_num);
932
>>> CID 1472580: (TAINTED_SCALAR)
>>> Passing tainted expression "rap.strtable_size" to "rtems_rtl_rap_load_linkmap", which uses it as an offset.
933 if (!rtems_rtl_rap_load_linkmap (&rap, obj))
934 return false;
935 }
936
937 /*
938 * uint32_t: text_size
/cpukit/libdl/rtl-rap.c: 933 in rtems_rtl_rap_file_load()
927 if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.strtable_size))
928 return false;
929
930 if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))
931 printf ("rtl: rap: details: obj_num=%" PRIu32 "\n", obj->obj_num);
932
>>> CID 1472580: (TAINTED_SCALAR)
>>> Passing tainted expression "*obj->sec_num" to "rtems_rtl_rap_load_linkmap", which uses it as an offset.
933 if (!rtems_rtl_rap_load_linkmap (&rap, obj))
934 return false;
935 }
936
937 /*
938 * uint32_t: text_size
** CID 1472579: Error handling issues (CHECKED_RETURN)
/cpukit/mghttpd/mongoose.c: 3716 in put_file()
________________________________________________________________________________________________________
*** CID 1472579: Error handling issues (CHECKED_RETURN)
/cpukit/mghttpd/mongoose.c: 3716 in put_file()
3710 } else {
3711 fclose_on_exec(&file);
3712 range = mg_get_header(conn, "Content-Range");
3713 r1 = r2 = 0;
3714 if (range != NULL && parse_range_header(range, &r1, &r2) > 0) {
3715 conn->status_code = 206;
>>> CID 1472579: Error handling issues (CHECKED_RETURN)
>>> Calling "fseeko(file.fp, r1, 0)" without checking return value. This library function may fail and return an error code.
3716 fseeko(file.fp, r1, SEEK_SET);
3717 }
3718 if (!forward_body_data(conn, file.fp, INVALID_SOCKET, NULL)) {
3719 conn->status_code = 500;
3720 }
3721 mg_printf(conn, "HTTP/1.1 %d OK\r\nContent-Length: 0\r\n\r\n",
** CID 1472578: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 1472578: Uninitialized variables (UNINIT)
/cpukit/libfs/src/jffs2/src/scan.c: 759 in jffs2_scan_eraseblock()
753 continue;
754 }
755 /* We seem to have a node of sorts. Check the CRC */
756 crcnode.magic = node->magic;
757 crcnode.nodetype = cpu_to_je16(
je16_to_cpu(node->nodetype) | JFFS2_NODE_ACCURATE);
758 crcnode.totlen = node->totlen;
>>> CID 1472578: Uninitialized variables (UNINIT)
>>> Using uninitialized value "crcnode". Field "crcnode.hdr_crc" is uninitialized when calling "cyg_crc32_accumulate".
759 hdr_crc = crc32(0, &crcnode, sizeof(crcnode)-4);
760
761 if (hdr_crc != je32_to_cpu(node->hdr_crc)) {
762 noisy_printk(&noise, "%s(): Node at 0x%08x {0x%04x, 0x%04x, 0x%08x) has invalid CRC 0x%08x (calculated 0x%08x)\n",
763 __func__,
764 ofs, je16_to_cpu(node->magic),
** CID 1472577: (PATH_MANIPULATION)
/cpukit/mghttpd/mongoose.c: 4432 in mg_upload()
________________________________________________________________________________________________________
*** CID 1472577: (PATH_MANIPULATION)
/cpukit/mghttpd/mongoose.c: 4432 in mg_upload()
4426 (s = strrchr(fname, '\\')) == NULL) {
4427 s = fname;
4428 }
4429
4430 // Open file in binary mode. TODO: set an exclusive lock.
4431 snprintf(path, sizeof(path), "%s/%s", destination_dir, s);
>>> CID 1472577: (PATH_MANIPULATION)
>>> Constructing a path or URI using the tainted value "path" and passing it to "fopen". This may allow an attacker to access, modify, or test the existence of critical or sensitive files.
4432 if ((fp = fopen(path, "wb")) == NULL) {
4433 break;
4434 }
4435
4436 // Read POST data, write into file until boundary is found.
4437 eof = n = 0;
** CID 1472576: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1472576: Null pointer dereferences (FORWARD_NULL)
/cpukit/libblock/src/bdbuf.c: 2632 in rtems_bdbuf_swapout_worker_task()
2626 rtems_bdbuf_swapout_worker* worker = (rtems_bdbuf_swapout_worker*) arg;
2627
2628 while (worker->enabled)
2629 {
2630 rtems_bdbuf_wait_for_event (RTEMS_BDBUF_SWAPOUT_SYNC);
2631
>>> CID 1472576: Null pointer dereferences (FORWARD_NULL)
>>> Passing "&worker->transfer" to "rtems_bdbuf_swapout_write", which dereferences null "worker->transfer.dd".
2632 rtems_bdbuf_swapout_write (&worker->transfer);
2633
2634 rtems_bdbuf_lock_cache ();
2635
2636 rtems_chain_initialize_empty (&worker->transfer.bds);
2637 worker->transfer.dd = BDBUF_INVALID_DEV;
** CID 1472575: Memory - illegal accesses (UNINIT)
/cpukit/libmisc/shell/main_rtrace.c: 229 in rtems_trace_buffering_print_arg()
________________________________________________________________________________________________________
*** CID 1472575: Memory - illegal accesses (UNINIT)
/cpukit/libmisc/shell/main_rtrace.c: 229 in rtems_trace_buffering_print_arg()
223 memcpy (&variable.bytes[0], argv, arg->size);
224
225 printf ("(%s) ", arg->type);
226
227 if (strchr (arg->type, '*') != NULL)
228 {
>>> CID 1472575: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "variable.pointer" when calling "printf".
229 printf ("%p", variable.pointer);
230 }
231 else
232 {
233 size_t b;
234 switch (arg->size)
** CID 1472574: Error handling issues (CHECKED_RETURN)
/cpukit/libfs/src/dosfs/msdos_format.c: 131 in msdos_format_read_sec()
________________________________________________________________________________________________________
*** CID 1472574: Error handling issues (CHECKED_RETURN)
/cpukit/libfs/src/dosfs/msdos_format.c: 131 in msdos_format_read_sec()
125 int ret_val = 0;
126
127 if (0 > lseek(fd,((off_t)start_sector)*sector_size,SEEK_SET)) {
128 ret_val = -1;
129 }
130 if (ret_val == 0) {
>>> CID 1472574: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
131 if (0 > read(fd,buffer,sector_size)) {
132 ret_val = -1;
133 }
134 }
135
136 return ret_val;
** CID 1472573: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1472573: Insecure data handling (TAINTED_SCALAR)
/cpukit/libdl/rtl-elf.c: 1706 in rtems_rtl_elf_file_load()
1700
1701 /*
1702 * Parse the section information first so we have the memory map of the object
1703 * file and the memory allocated. Any further allocations we make to complete
1704 * the load will not fragment the memory.
>>> CID 1472573: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "ehdr.e_shnum" to "rtems_rtl_elf_parse_sections", which uses it as a loop boundary.
1706 if (!rtems_rtl_elf_parse_sections (obj, fd, &ehdr))
1707 return false;
1708
1709 /*
1710 * Set the entry point if there is one.
1711 */
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DHaSx_NXfCUf1CLFYLbjXajJIgHlbL5qYn95oel6MvjPauKOZWRAeoPfG9R5Ut-2B0l1A5CBYN8H1u2OvYHQK1lhr4Zh6SDh2S5PCPFmmyp-2BCuliFxJzj1S7OgK9z2cMZjSTabCeURWJhVg1EI1bNhOt7aXFw3Vp5t2pGj4mbLRlTtRMHZ6hxDQXicJzm8pwnsWJaDgwdb8CD96vfoF8CM8XgA81RPZ7mfvWd3hfqlGbYPYac3I-3D
To manage Coverity Scan email notifications for "gedare at gwmail.gwu.edu",
click
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxkxN7gn3yK5ofbuH1ptBFYw9YgpazuIaA-2BBUVKiHj8oUDwYWUynp42iaapm4KJU8XqWU01jaV7ANE1ZK33b9AxrNSft0QTNSkD2bLN6ho-2BnY-3DE-ws_NXfCUf1CLFYLbjXajJIgHlbL5qYn95oel6MvjPauKOZWRAeoPfG9R5Ut-2B0l1A5CB2NlyTs8n9wN-2FSyicx0tEXvXYGaGlLArYwAKrk-2B9Jr66dphmYP41ATiju2UCnJoYnvc2ZTjo8dyOLJxCeQsHoCOP862aab9fl1B0ammZrfyNIUSx8tg05QJP9bJRsN6zngYUWsWkGMJv3twh07snfhrXqd0NMPJLhSvujwj6My6A-3D
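Added illustration, not RTEMS code and not part of the Coverity report or the forwarded mail: the TAINTED_SCALAR findings in rtl-rap.c (CID 1472580) and rtl-elf.c (CID 1472582, 1472573) share one root cause. A count or offset is read straight out of the object file and then drives malloc(), a loop bound or a cache read before anything bounds it. The sketch below shows the shape of the fix: cap the count, require that the file actually contains that many entries before allocating, and refuse string-table offsets that fall outside the table or have no terminator before its end (the latter is also what stops the STRING_NULL pattern from CID 1472583, since strlen() and printf("%s") are only safe once a terminator is known to exist). The record layout (obj_num, rpathlen, sec_num[obj_num], strtable_size), the caps MAX_OBJ_NUM and MAX_STRTAB, and every function name are assumptions made for the example; they are not the RAP format or the libdl API.

```c
/*
 * Added example, not RTEMS code: validate file-controlled counts and offsets
 * before they become allocation sizes, loop bounds or table reads.  The record
 * layout and the caps below are assumptions made for the illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJ_NUM  4096u   /* assumed sanity cap on the object count */
#define MAX_STRTAB   65536u  /* assumed cap on the string table size */

struct rap_hdr {
    uint32_t  obj_num;
    uint32_t  rpathlen;
    uint32_t *sec_num;        /* obj_num entries, heap allocated, NULL if none */
    uint32_t  strtable_size;
};

/* Little-endian uint32 read that refuses to run past the end of the buffer. */
static bool read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len < 4 || *pos > len - 4)
        return false;
    *out = (uint32_t)buf[*pos] | ((uint32_t)buf[*pos + 1] << 8) |
           ((uint32_t)buf[*pos + 2] << 16) | ((uint32_t)buf[*pos + 3] << 24);
    *pos += 4;
    return true;
}

/* Returns 0 on success, -1 on malformed input; nothing is leaked on failure. */
int rap_parse_header(const uint8_t *buf, size_t len, struct rap_hdr *hdr)
{
    size_t pos = 0;

    memset(hdr, 0, sizeof(*hdr));
    if (!read_u32(buf, len, &pos, &hdr->obj_num))
        return -1;
    /* The count is tainted: cap it before it sizes an allocation or bounds a
     * loop.  The cap also keeps obj_num * sizeof(uint32_t) from overflowing. */
    if (hdr->obj_num > MAX_OBJ_NUM)
        return -1;
    /* rpathlen plus obj_num entries must really be present in the file; checking
     * now avoids allocating first and only then finding a truncated file. */
    if ((len - pos) / sizeof(uint32_t) < (size_t)hdr->obj_num + 1)
        return -1;
    if (!read_u32(buf, len, &pos, &hdr->rpathlen))
        return -1;
    if (hdr->obj_num > 0) {
        hdr->sec_num = calloc(hdr->obj_num, sizeof(uint32_t));
        if (hdr->sec_num == NULL)
            return -1;
        for (uint32_t i = 0; i < hdr->obj_num; ++i)
            if (!read_u32(buf, len, &pos, &hdr->sec_num[i]))
                goto fail;
    }
    if (!read_u32(buf, len, &pos, &hdr->strtable_size))
        goto fail;
    /* A size used as an offset is tainted too: it must fit the remaining bytes. */
    if (hdr->strtable_size > MAX_STRTAB || hdr->strtable_size > len - pos)
        goto fail;
    return 0;
fail:
    free(hdr->sec_num);
    hdr->sec_num = NULL;
    return -1;
}

/* Convenience wrapper: parse and return obj_num, or -1 if the header is rejected. */
long parse_and_count(const uint8_t *buf, size_t len)
{
    struct rap_hdr h;
    long n;

    if (rap_parse_header(buf, len, &h) != 0)
        return -1;
    n = (long)h.obj_num;
    free(h.sec_num);
    return n;
}

/* Section-name lookup with a tainted sh_name offset: the offset must lie inside
 * the table and a NUL must exist before the table ends, so that neither this
 * read nor a later strlen()/printf("%s") over-runs it.  NULL means rejected. */
const char *strtab_name(const char *strtab, size_t strtab_size, uint32_t off)
{
    if (off >= strtab_size)
        return NULL;
    if (memchr(strtab + off, '\0', strtab_size - off) == NULL)
        return NULL;
    return strtab + off;
}

int main(void)
{
    /* Constructed inputs: a valid header (obj_num=2, rpathlen=5, sec_num={7,9},
     * strtable_size=0) and one with obj_num=0xffffffff, the case Coverity flags. */
    static const uint8_t good[] = { 2,0,0,0, 5,0,0,0, 7,0,0,0, 9,0,0,0, 0,0,0,0 };
    static const uint8_t huge[] = { 0xff,0xff,0xff,0xff, 0,0,0,0 };

    printf("good: %ld objects\nhuge: %ld\n", parse_and_count(good, sizeof good),
           parse_and_count(huge, sizeof huge));
    return 0;
}
```

The ordering matters: the count is bounded and checked against the bytes that remain before calloc() runs, so a hostile obj_num never produces a multi-gigabyte allocation or a loop that reads past the buffer, and strtab_name() refuses an offset that points at unterminated bytes rather than handing it to strlen().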
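Added illustration for the PATH_MANIPULATION finding in mg_upload() (CID 1472577); this is not mongoose or RTEMS code and not part of the report. Taking only the text after the last '/' or '\\', as mongoose does, is what keeps the upload inside destination_dir, but basename() alone still lets through an empty name, ".", "..", dot-files such as .htpasswd, control characters, and a silently truncated snprintf() that opens a different file than intended. The helper below puts those checks in front of the fopen(). UPLOAD_NAME_MAX, UPLOAD_PATH_MAX (kept small so truncation is easy to trigger), the dot-file policy and the function names are choices made for the example.

```c
/*
 * Added example, not mongoose or RTEMS code: confine a client-supplied upload
 * name to one entry of the destination directory before fopen().  The limits
 * and the dot-file policy are choices made for the illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UPLOAD_NAME_MAX 64   /* assumed limit on the basename */
#define UPLOAD_PATH_MAX 32   /* deliberately small so truncation is easy to hit */

/*
 * Writes "<dest_dir>/<basename>" into out and returns true, or returns false
 * when the client name must not become a path.  dest_dir is trusted server
 * configuration; only client_name is attacker controlled.
 */
bool build_upload_path(const char *dest_dir, const char *client_name,
                       char *out, size_t outlen)
{
    const char *s = client_name, *p;
    size_t n, i;
    int len;

    /* Keep only the text after the last '/' or '\\', as mg_upload() does.  After
     * this s holds no separator, so it cannot leave dest_dir by itself; the
     * remaining checks cover what basename() alone lets through. */
    if ((p = strrchr(s, '/')) != NULL)
        s = p + 1;
    if ((p = strrchr(s, '\\')) != NULL)
        s = p + 1;

    n = strlen(s);
    if (n == 0 || n > UPLOAD_NAME_MAX)                  /* "dir/" or oversized */
        return false;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0)    /* the dir itself / parent */
        return false;
    if (s[0] == '.')                                    /* policy: no .htpasswd etc. */
        return false;
    for (i = 0; i < n; ++i) {                           /* control bytes: log/terminal injection */
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f)
            return false;
    }

    /* A truncated snprintf() would quietly open a different file: treat as error. */
    len = snprintf(out, outlen, "%s/%s", dest_dir, s);
    if (len < 0 || (size_t)len >= outlen)
        return false;
    return true;
}

/* Demo helper: 1 = accepted and equal to expect, 0 = rejected, -1 = accepted but differs. */
int upload_path_check(const char *dest_dir, const char *client_name, const char *expect)
{
    char path[UPLOAD_PATH_MAX];

    if (!build_upload_path(dest_dir, client_name, path, sizeof path))
        return 0;
    return strcmp(path, expect) == 0 ? 1 : -1;
}

int main(void)
{
    /* Constructed client names of the kind a multipart/form-data filename carries. */
    const char *names[] = { "report.txt", "../../etc/passwd", "C:\\x\\..\\boot.ini",
                            "..", "dir/", ".htpasswd", "a\tb",
                            "abcdefghijklmnopqrstuvwxyz" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; ++i) {
        char path[UPLOAD_PATH_MAX];
        bool ok = build_upload_path("/var/up", names[i], path, sizeof path);
        printf("%-28s -> %s\n", names[i], ok ? path : "(rejected)");
    }
    return 0;
}
```

Note that "../../etc/passwd" is accepted and lands on /var/up/passwd: the traversal is neutralised by the basename step, which is the property the original code already has, while the cases that slip past basename() are the ones the extra checks reject. The "TODO: set an exclusive lock" in the snippet is a separate issue; opening with O_CREAT|O_EXCL rather than fopen("wb") would also stop an upload from clobbering an existing file.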