Fwd: New Defects reported by Coverity Scan for RTEMS
Joel Sherrill
joel at rtems.org
Thu Jul 15 13:24:20 UTC 2021
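I am not sure why these popped up now, but some of them indicate logic errors
in the code cited. For example, the DEADCODE report in create_ramdisk() shows
"size == 0" being tested right after "block_size" is assigned, which looks
related to the DIVIDE_BY_ZERO report on "size / block_size" in the same function.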
--joel
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Thu, Jul 15, 2021 at 12:26 AM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <build at rtems.org>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS
found with Coverity Scan.
9 new defect(s) introduced to RTEMS found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)
** CID 1468693: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1468693: Insecure data handling (TAINTED_SCALAR)
/testsuites/samples/fileio/init.c: 992 in fileio_read_file()
986 */
987 if (!failed) {
988 printf("use suffix K for Kbytes, M for Mbytes or no suffix
for bytes:\n"
989 "Enter block size to use for read calls ==>");
990 fflush(stdout);
991 fgets(tmp_str,sizeof(tmp_str)-1,stdin);
>>> CID 1468693: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
992 failed = fileio_str2size(tmp_str,&buf_size);
993 if (failed) {
994 printf("*** illegal block size, aborted\n");
995 }
996 }
997
** CID 1468692: Integer handling issues (DIVIDE_BY_ZERO)
/testsuites/samples/fileio/init.c: 401 in create_ramdisk()
________________________________________________________________________________________________________
*** CID 1468692: Integer handling issues (DIVIDE_BY_ZERO)
/testsuites/samples/fileio/init.c: 401 in create_ramdisk()
395 printf ("error: invalid option: %s\n", argv[arg]);
396 return 1;
397 }
398 }
399 }
400
>>> CID 1468692: Integer handling issues (DIVIDE_BY_ZERO)
>>> In expression "size / block_size", division by expression "block_size" which may be zero has undefined behavior.
401 block_count = size / block_size;
402
403 /*
404 * Register the RAM Disk driver.
405 */
406 printf ("Register RAM Disk Driver [blocks=%" PRIu32 \
** CID 1468691: Resource leaks (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 209 in shell_nvdisk_erase()
________________________________________________________________________________________________________
*** CID 1468691: Resource leaks (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 209 in shell_nvdisk_erase()
203 return 1;
204 }
205
206 if (ioctl (fd, RTEMS_NVDISK_IOCTL_ERASE_DISK) < 0)
207 {
208 printf ("error: nvdisk driver erase failed: %s\n",
strerror (errno));
>>> CID 1468691: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "fd" going out of scope leaks the handle.
209 return 1;
210 }
211
212 close (fd);
213
214 printf ("nvdisk erased successful\n");
** CID 1468689: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1468689: (TAINTED_SCALAR)
/testsuites/samples/fileio/init.c: 846 in fileio_write_file()
840 */
841 if (!failed) {
842 printf("use suffix K for Kbytes, M for Mbytes or no suffix
for bytes:\n"
843 "Enter block size to use for write calls ==>");
844 fflush(stdout);
845 fgets(tmp_str,sizeof(tmp_str)-1,stdin);
>>> CID 1468689: (TAINTED_SCALAR)
>>> Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
846 failed = fileio_str2size(tmp_str,&buf_size);
847 if (failed) {
848 printf("*** illegal block size, aborted\n");
849 }
850 }
851
/testsuites/samples/fileio/init.c: 833 in fileio_write_file()
827 */
828 if (!failed) {
829 printf("use suffix K for Kbytes, M for Mbytes or no suffix
for bytes:\n"
830 "Enter filesize to write ==>");
831 fflush(stdout);
832 fgets(tmp_str,sizeof(tmp_str)-1,stdin);
>>> CID 1468689: (TAINTED_SCALAR)
>>> Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
833 failed = fileio_str2size(tmp_str,&file_size);
834 if (failed) {
835 printf("*** illegal file size, aborted\n");
836 }
837 }
838 /*
** CID 1468687: Incorrect expression (COPY_PASTE_ERROR)
/testsuites/samples/paranoia/paranoia.c: 584 in paranoia()
________________________________________________________________________________________________________
*** CID 1468687: Incorrect expression (COPY_PASTE_ERROR)
/testsuites/samples/paranoia/paranoia.c: 584 in paranoia()
578 Precision = Y;
579 }
580 if ((Precision != FLOOR (Precision)) || (Radix == One)) {
581 printf ("Precision cannot be characterized by an
Integer number\n");
582 printf ("of significant digits but, by itself, this is
a minor flaw.\n");
583 }
>>> CID 1468687: Incorrect expression (COPY_PASTE_ERROR)
>>> "Radix" in "Radix == One" looks like a copy-paste error.
584 if (Radix == One)
585 printf ("logarithmic encoding has precision
characterized solely by U1.\n");
586 else
587 printf ("The number of significant digits of the Radix
is %f .\n",
588 Precision);
589 TstCond (Serious, U2 * Nine * Nine * TwoForty < One,
** CID 1468686: Control flow issues (DEADCODE)
/testsuites/samples/fileio/init.c: 392 in create_ramdisk()
________________________________________________________________________________________________________
*** CID 1468686: Control flow issues (DEADCODE)
/testsuites/samples/fileio/init.c: 392 in create_ramdisk()
386 {
387 printf ("error: -b needs a size\n");
388 return 1;
389 }
390 block_size = parse_size_arg (argv[arg]);
391 if (size == 0)
>>> CID 1468686: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 1;".
392 return 1;
393 break;
394 default:
395 printf ("error: invalid option: %s\n", argv[arg]);
396 return 1;
397 }
** CID 1468685: Resource leaks (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 163 in shell_nvdisk_trace()
________________________________________________________________________________________________________
*** CID 1468685: Resource leaks (RESOURCE_LEAK)
/testsuites/samples/fileio/init.c: 163 in shell_nvdisk_trace()
157 return 1;
158 }
159
160 if (ioctl (fd, RTEMS_NVDISK_IOCTL_INFO_LEVEL, level) < 0)
161 {
162 printf ("error: driver set level failed: %s\n", strerror (errno));
>>> CID 1468685: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "fd" going out of scope leaks the handle.
163 return 1;
164 }
165
166 close (fd);
167
168 return 0;
** CID 1468679: Incorrect expression (NO_EFFECT)
/testsuites/samples/paranoia/paranoia.c: 1492 in paranoia()
________________________________________________________________________________________________________
*** CID 1468679: Incorrect expression (NO_EFFECT)
/testsuites/samples/paranoia/paranoia.c: 1492 in paranoia()
1486 printf ("print out as Q = %.17e, Y = %.17e .\n", Q, Y2);
1487 printf ("|Q - Y| = %.17e .\n", FABS (Q - Y2));
1488 UfThold = Q;
1489 break;
1490
1491 case 3:
>>> CID 1468679: Incorrect expression (NO_EFFECT)
>>> Assigning "X" to itself has no effect.
1492 X = X;
1493 break;
1494
1495 case 4:
1496 if ((Q == UfThold) && (E1 == E0)
1497 && (FABS (UfThold - E1 / E9) <= E1)) {
** CID 1468677: Uninitialized variables (UNINIT)
/testsuites/samples/capture/test1.c: 78 in capture_CT1b()
________________________________________________________________________________________________________
*** CID 1468677: Uninitialized variables (UNINIT)
/testsuites/samples/capture/test1.c: 78 in capture_CT1b()
72 static void
73 capture_CT1b (rtems_task_argument arg)
74 {
75 volatile int i;
76
77 while (!capture_CT1c_deleted)
>>> CID 1468677: Uninitialized variables (UNINIT)
>>> Using uninitialized value "i".
78 i++;
79
80 capture_CT1b_deleted = 1;
81
82 rtems_task_exit();
83 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DhaSM_EU3W9teASMK00lBXX9WT4lsogDrkCcNZLvg-2FVxwAXMoyD0JEs4cQVPs7yModO9iS3KZmOTMtFerKpWJTESZ9XSy9bw2fNvjKFGKtVfArZIqrPcBx6KD5m2cYyPfuBRUlwl84oo0u5GaEKs-2FEiV5-2BOPirAYHmPdhb88irmeK9V0lU3GUWr0Z8zNQlCYoFZw1Rqng5dhEax-2FWHTiswmaiSJQ-3D-3D