New Defects reported by Coverity Scan for RTEMS
Gedare Bloom
gedare at rtems.org
Thu Jul 15 14:09:01 UTC 2021
I think we have been excluding testsuites. The setting appears to
still be there:
Tests */testsuites/* Ignored=Yes
I think maybe the pattern needs to be updated to put a dot before each
asterisk: .*/testsuites/.*
However, these could probably be fixed mostly without trouble.
On Thu, Jul 15, 2021 at 7:24 AM Joel Sherrill <joel at rtems.org> wrote:
>
> I am not sure why these popped up now but some indicate logic errors
> in the code cited.
>
> --joel
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Thu, Jul 15, 2021 at 12:26 AM
> Subject: New Defects reported by Coverity Scan for RTEMS
> To: <build at rtems.org>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to RTEMS
> found with Coverity Scan.
>
> 9 new defect(s) introduced to RTEMS found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 9 of 9 defect(s)
>
>
> ** CID 1468693: Insecure data handling (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 1468693: Insecure data handling (TAINTED_SCALAR)
> /testsuites/samples/fileio/init.c: 992 in fileio_read_file()
> 986 */
> 987 if (!failed) {
> 988 printf("use suffix K for Kbytes, M for Mbytes or no suffix for bytes:\n"
> 989 "Enter block size to use for read calls ==>");
> 990 fflush(stdout);
> 991 fgets(tmp_str,sizeof(tmp_str)-1,stdin);
> >>> CID 1468693: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
> 992 failed = fileio_str2size(tmp_str,&buf_size);
> 993 if (failed) {
> 994 printf("*** illegal block size, aborted\n");
> 995 }
> 996 }
> 997
>
> ** CID 1468692: Integer handling issues (DIVIDE_BY_ZERO)
> /testsuites/samples/fileio/init.c: 401 in create_ramdisk()
>
>
> ________________________________________________________________________________________________________
> *** CID 1468692: Integer handling issues (DIVIDE_BY_ZERO)
> /testsuites/samples/fileio/init.c: 401 in create_ramdisk()
> 395 printf ("error: invalid option: %s\n", argv[arg]);
> 396 return 1;
> 397 }
> 398 }
> 399 }
> 400
> >>> CID 1468692: Integer handling issues (DIVIDE_BY_ZERO)
> >>> In expression "size / block_size", division by expression "block_size" which may be zero has undefined behavior.
> 401 block_count = size / block_size;
> 402
> 403 /*
> 404 * Register the RAM Disk driver.
> 405 */
> 406 printf ("Register RAM Disk Driver [blocks=%" PRIu32 \
>
> ** CID 1468691: Resource leaks (RESOURCE_LEAK)
> /testsuites/samples/fileio/init.c: 209 in shell_nvdisk_erase()
>
>
> ________________________________________________________________________________________________________
> *** CID 1468691: Resource leaks (RESOURCE_LEAK)
> /testsuites/samples/fileio/init.c: 209 in shell_nvdisk_erase()
> 203 return 1;
> 204 }
> 205
> 206 if (ioctl (fd, RTEMS_NVDISK_IOCTL_ERASE_DISK) < 0)
> 207 {
> 208 printf ("error: nvdisk driver erase failed: %s\n", strerror (errno));
> >>> CID 1468691: Resource leaks (RESOURCE_LEAK)
> >>> Handle variable "fd" going out of scope leaks the handle.
> 209 return 1;
> 210 }
> 211
> 212 close (fd);
> 213
> 214 printf ("nvdisk erased successful\n");
>
> ** CID 1468689: (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 1468689: (TAINTED_SCALAR)
> /testsuites/samples/fileio/init.c: 846 in fileio_write_file()
> 840 */
> 841 if (!failed) {
> 842 printf("use suffix K for Kbytes, M for Mbytes or no suffix for bytes:\n"
> 843 "Enter block size to use for write calls ==>");
> 844 fflush(stdout);
> 845 fgets(tmp_str,sizeof(tmp_str)-1,stdin);
> >>> CID 1468689: (TAINTED_SCALAR)
> >>> Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
> 846 failed = fileio_str2size(tmp_str,&buf_size);
> 847 if (failed) {
> 848 printf("*** illegal block size, aborted\n");
> 849 }
> 850 }
> 851
> /testsuites/samples/fileio/init.c: 833 in fileio_write_file()
> 827 */
> 828 if (!failed) {
> 829 printf("use suffix K for Kbytes, M for Mbytes or no suffix for bytes:\n"
> 830 "Enter filesize to write ==>");
> 831 fflush(stdout);
> 832 fgets(tmp_str,sizeof(tmp_str)-1,stdin);
> >>> CID 1468689: (TAINTED_SCALAR)
> >>> Passing tainted expression "tmp_str" to "fileio_str2size", which uses it as an offset.
> 833 failed = fileio_str2size(tmp_str,&file_size);
> 834 if (failed) {
> 835 printf("*** illegal file size, aborted\n");
> 836 }
> 837 }
> 838 /*
>
> ** CID 1468687: Incorrect expression (COPY_PASTE_ERROR)
> /testsuites/samples/paranoia/paranoia.c: 584 in paranoia()
>
>
> ________________________________________________________________________________________________________
> *** CID 1468687: Incorrect expression (COPY_PASTE_ERROR)
> /testsuites/samples/paranoia/paranoia.c: 584 in paranoia()
> 578 Precision = Y;
> 579 }
> 580 if ((Precision != FLOOR (Precision)) || (Radix == One)) {
> 581 printf ("Precision cannot be characterized by an Integer number\n");
> 582 printf ("of significant digits but, by itself, this is a minor flaw.\n");
> 583 }
> >>> CID 1468687: Incorrect expression (COPY_PASTE_ERROR)
> >>> "Radix" in "Radix == One" looks like a copy-paste error.
> 584 if (Radix == One)
> 585 printf ("logarithmic encoding has precision characterized solely by U1.\n");
> 586 else
> 587 printf ("The number of significant digits of the Radix is %f .\n",
> 588 Precision);
> 589 TstCond (Serious, U2 * Nine * Nine * TwoForty < One,
>
> ** CID 1468686: Control flow issues (DEADCODE)
> /testsuites/samples/fileio/init.c: 392 in create_ramdisk()
>
>
> ________________________________________________________________________________________________________
> *** CID 1468686: Control flow issues (DEADCODE)
> /testsuites/samples/fileio/init.c: 392 in create_ramdisk()
> 386 {
> 387 printf ("error: -b needs a size\n");
> 388 return 1;
> 389 }
> 390 block_size = parse_size_arg (argv[arg]);
> 391 if (size == 0)
> >>> CID 1468686: Control flow issues (DEADCODE)
> >>> Execution cannot reach this statement: "return 1;".
> 392 return 1;
> 393 break;
> 394 default:
> 395 printf ("error: invalid option: %s\n", argv[arg]);
> 396 return 1;
> 397 }
>
> ** CID 1468685: Resource leaks (RESOURCE_LEAK)
> /testsuites/samples/fileio/init.c: 163 in shell_nvdisk_trace()
>
>
> ________________________________________________________________________________________________________
> *** CID 1468685: Resource leaks (RESOURCE_LEAK)
> /testsuites/samples/fileio/init.c: 163 in shell_nvdisk_trace()
> 157 return 1;
> 158 }
> 159
> 160 if (ioctl (fd, RTEMS_NVDISK_IOCTL_INFO_LEVEL, level) < 0)
> 161 {
> 162 printf ("error: driver set level failed: %s\n", strerror (errno));
> >>> CID 1468685: Resource leaks (RESOURCE_LEAK)
> >>> Handle variable "fd" going out of scope leaks the handle.
> 163 return 1;
> 164 }
> 165
> 166 close (fd);
> 167
> 168 return 0;
>
> ** CID 1468679: Incorrect expression (NO_EFFECT)
> /testsuites/samples/paranoia/paranoia.c: 1492 in paranoia()
>
>
> ________________________________________________________________________________________________________
> *** CID 1468679: Incorrect expression (NO_EFFECT)
> /testsuites/samples/paranoia/paranoia.c: 1492 in paranoia()
> 1486 printf ("print out as Q = %.17e, Y = %.17e .\n", Q, Y2);
> 1487 printf ("|Q - Y| = %.17e .\n", FABS (Q - Y2));
> 1488 UfThold = Q;
> 1489 break;
> 1490
> 1491 case 3:
> >>> CID 1468679: Incorrect expression (NO_EFFECT)
> >>> Assigning "X" to itself has no effect.
> 1492 X = X;
> 1493 break;
> 1494
> 1495 case 4:
> 1496 if ((Q == UfThold) && (E1 == E0)
> 1497 && (FABS (UfThold - E1 / E9) <= E1)) {
>
> ** CID 1468677: Uninitialized variables (UNINIT)
> /testsuites/samples/capture/test1.c: 78 in capture_CT1b()
>
>
> ________________________________________________________________________________________________________
> *** CID 1468677: Uninitialized variables (UNINIT)
> /testsuites/samples/capture/test1.c: 78 in capture_CT1b()
> 72 static void
> 73 capture_CT1b (rtems_task_argument arg)
> 74 {
> 75 volatile int i;
> 76
> 77 while (!capture_CT1c_deleted)
> >>> CID 1468677: Uninitialized variables (UNINIT)
> >>> Using uninitialized value "i".
> 78 i++;
> 79
> 80 capture_CT1b_deleted = 1;
> 81
> 82 rtems_task_exit();
> 83 }
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DhaSM_EU3W9teASMK00lBXX9WT4lsogDrkCcNZLvg-2FVxwAXMoyD0JEs4cQVPs7yModO9iS3KZmOTMtFerKpWJTESZ9XSy9bw2fNvjKFGKtVfArZIqrPcBx6KD5m2cYyPfuBRUlwl84oo0u5GaEKs-2FEiV5-2BOPirAYHmPdhb88irmeK9V0lU3GUWr0Z8zNQlCYoFZw1Rqng5dhEax-2FWHTiswmaiSJQ-3D-3D
>