Fwd: New Defects reported by Coverity Scan for RTEMS

Joel Sherrill joel at rtems.org
Thu Jul 15 13:24:20 UTC 2021


I am not sure why these popped up now but some indicate logic errors
in the code cited.

--joel

---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Thu, Jul 15, 2021 at 12:26 AM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <build at rtems.org>


Hi,

Please find the latest report on new defect(s) introduced to RTEMS
found with Coverity Scan.

9 new defect(s) introduced to RTEMS found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 1468693:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1468693:  Insecure data handling  (TAINTED_SCALAR)
/testsuites/samples/fileio/init.c: 992 in fileio_read_file()
986        */
987       if (!failed) {
988         printf("use suffix K for Kbytes, M for Mbytes or no suffix
for bytes:\n"
989                "Enter block size to use for read calls ==>");
990         fflush(stdout);
991         fgets(tmp_str,sizeof(tmp_str)-1,stdin);
>>>     CID 1468693:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
992         failed = fileio_str2size(tmp_str,&buf_size);
993         if (failed) {
994           printf("*** illegal block size, aborted\n");
995         }
996       }
997

** CID 1468692:  Integer handling issues  (DIVIDE_BY_ZERO)
/testsuites/samples/fileio/init.c: 401 in create_ramdisk()


________________________________________________________________________________________________________
*** CID 1468692:  Integer handling issues  (DIVIDE_BY_ZERO)
/testsuites/samples/fileio/init.c: 401 in create_ramdisk()
395               printf ("error: invalid option: %s\n", argv[arg]);
396               return 1;
397           }
398         }
399       }
400
>>>     CID 1468692:  Integer handling issues  (DIVIDE_BY_ZERO)
>>>     In expression "size / block_size", division by expression "block_size" which may be zero has undefined behavior.
401       block_count = size / block_size;
402
403       /*
404        * Register the RAM Disk driver.
405        */
406       printf ("Register RAM Disk Driver [blocks=%" PRIu32 \

** CID 1468691:  Resource leaks  (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 209 in shell_nvdisk_erase()


________________________________________________________________________________________________________
*** CID 1468691:  Resource leaks  (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 209 in shell_nvdisk_erase()
203         return 1;
204       }
205
206       if (ioctl (fd, RTEMS_NVDISK_IOCTL_ERASE_DISK) < 0)
207       {
208         printf ("error: nvdisk driver erase failed: %s\n",
strerror (errno));
>>>     CID 1468691:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "fd" going out of scope leaks the handle.
209         return 1;
210       }
211
212       close (fd);
213
214       printf ("nvdisk erased successful\n");

** CID 1468689:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1468689:    (TAINTED_SCALAR)
/testsuites/samples/fileio/init.c: 846 in fileio_write_file()
840        */
841       if (!failed) {
842         printf("use suffix K for Kbytes, M for Mbytes or no suffix
for bytes:\n"
843                "Enter block size to use for write calls ==>");
844         fflush(stdout);
845         fgets(tmp_str,sizeof(tmp_str)-1,stdin);
>>>     CID 1468689:    (TAINTED_SCALAR)
>>>     Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
846         failed = fileio_str2size(tmp_str,&buf_size);
847         if (failed) {
848           printf("*** illegal block size, aborted\n");
849         }
850       }
851
/testsuites/samples/fileio/init.c: 833 in fileio_write_file()
827        */
828       if (!failed) {
829         printf("use suffix K for Kbytes, M for Mbytes or no suffix
for bytes:\n"
830                "Enter filesize to write ==>");
831         fflush(stdout);
832         fgets(tmp_str,sizeof(tmp_str)-1,stdin);
>>>     CID 1468689:    (TAINTED_SCALAR)
>>>     Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
833         failed = fileio_str2size(tmp_str,&file_size);
834         if (failed) {
835           printf("*** illegal file size, aborted\n");
836         }
837       }
838       /*

** CID 1468687:  Incorrect expression  (COPY_PASTE_ERROR)
/testsuites/samples/paranoia/paranoia.c: 584 in paranoia()


________________________________________________________________________________________________________
*** CID 1468687:  Incorrect expression  (COPY_PASTE_ERROR)
/testsuites/samples/paranoia/paranoia.c: 584 in paranoia()
578                 Precision = Y;
579         }
580         if ((Precision != FLOOR (Precision)) || (Radix == One)) {
581             printf ("Precision cannot be characterized by an
Integer number\n");
582             printf ("of significant digits but, by itself, this is
a minor flaw.\n");
583         }
>>>     CID 1468687:  Incorrect expression  (COPY_PASTE_ERROR)
>>>     "Radix" in "Radix == One" looks like a copy-paste error.
584         if (Radix == One)
585             printf ("logarithmic encoding has precision
characterized solely by U1.\n");
586         else
587             printf ("The number of significant digits of the Radix
is %f .\n",
588                 Precision);
589         TstCond (Serious, U2 * Nine * Nine * TwoForty < One,

** CID 1468686:  Control flow issues  (DEADCODE)
/testsuites/samples/fileio/init.c: 392 in create_ramdisk()


________________________________________________________________________________________________________
*** CID 1468686:  Control flow issues  (DEADCODE)
/testsuites/samples/fileio/init.c: 392 in create_ramdisk()
386               {
387                 printf ("error: -b needs a size\n");
388                 return 1;
389               }
390               block_size = parse_size_arg (argv[arg]);
391               if (size == 0)
>>>     CID 1468686:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return 1;".
392                 return 1;
393               break;
394             default:
395               printf ("error: invalid option: %s\n", argv[arg]);
396               return 1;
397           }

** CID 1468685:  Resource leaks  (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 163 in shell_nvdisk_trace()


________________________________________________________________________________________________________
*** CID 1468685:  Resource leaks  (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 163 in shell_nvdisk_trace()
157         return 1;
158       }
159
160       if (ioctl (fd, RTEMS_NVDISK_IOCTL_INFO_LEVEL, level) < 0)
161       {
162         printf ("error: driver set level failed: %s\n", strerror (errno));
>>>     CID 1468685:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "fd" going out of scope leaks the handle.
163         return 1;
164       }
165
166       close (fd);
167
168       return 0;

** CID 1468679:  Incorrect expression  (NO_EFFECT)
/testsuites/samples/paranoia/paranoia.c: 1492 in paranoia()


________________________________________________________________________________________________________
*** CID 1468679:  Incorrect expression  (NO_EFFECT)
/testsuites/samples/paranoia/paranoia.c: 1492 in paranoia()
1486             printf ("print out as Q = %.17e, Y = %.17e .\n", Q, Y2);
1487             printf ("|Q - Y| = %.17e .\n", FABS (Q - Y2));
1488             UfThold = Q;
1489             break;
1490
1491         case 3:
>>>     CID 1468679:  Incorrect expression  (NO_EFFECT)
>>>     Assigning "X" to itself has no effect.
1492             X = X;
1493             break;
1494
1495         case 4:
1496             if ((Q == UfThold) && (E1 == E0)
1497                 && (FABS (UfThold - E1 / E9) <= E1)) {

** CID 1468677:  Uninitialized variables  (UNINIT)
/testsuites/samples/capture/test1.c: 78 in capture_CT1b()


________________________________________________________________________________________________________
*** CID 1468677:  Uninitialized variables  (UNINIT)
/testsuites/samples/capture/test1.c: 78 in capture_CT1b()
72     static void
73     capture_CT1b (rtems_task_argument arg)
74     {
75       volatile int i;
76
77       while (!capture_CT1c_deleted)
>>>     CID 1468677:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "i".
78         i++;
79
80       capture_CT1b_deleted = 1;
81
82       rtems_task_exit();
83     }


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DhaSM_EU3W9teASMK00lBXX9WT4lsogDrkCcNZLvg-2FVxwAXMoyD0JEs4cQVPs7yModO9iS3KZmOTMtFerKpWJTESZ9XSy9bw2fNvjKFGKtVfArZIqrPcBx6KD5m2cYyPfuBRUlwl84oo0u5GaEKs-2FEiV5-2BOPirAYHmPdhb88irmeK9V0lU3GUWr0Z8zNQlCYoFZw1Rqng5dhEax-2FWHTiswmaiSJQ-3D-3D

_______________________________________________
build mailing list
build at rtems.org
http://lists.rtems.org/mailman/listinfo/build


More information about the devel mailing list