Fwd: New Defects reported by Coverity Scan for RTEMS

Joel Sherrill joel at rtems.org
Mon Aug 29 23:06:13 UTC 2022


Again.. a lurking issue spotted by a new version of Coverity Scan.

Please look at it and fix.

---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Aug 29, 2022 at 5:55 PM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <build at rtems.org>


Hi,

Please find the latest report on new defect(s) introduced to RTEMS found
with Coverity Scan.

61 new defect(s) introduced to RTEMS found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 61 defect(s)


** CID 1512552:  High impact quality  (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 1804 in _Timecounter_Windup()


________________________________________________________________________________________________________
*** CID 1512552:  High impact quality  (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 1804 in _Timecounter_Windup()
1798            /* Go live with the new struct timehands. */
1799     #ifdef FFCLOCK
1800            switch (sysclock_active) {
1801            case SYSCLOCK_FBCK:
1802     #endif
1803                    time_second = th->th_microtime.tv_sec;
>>>     CID 1512552:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "th->th_offset.sec" is cast to "int32_t".
1804                    time_uptime = th->th_offset.sec;
1805     #ifdef FFCLOCK
1806                    break;
1807            case SYSCLOCK_FFWD:
1808                    time_second = fftimehands->tick_time_lerp.sec;
1809                    time_uptime = fftimehands->tick_time_lerp.sec - ffclock_boottime.sec;

** CID 1512551:    (Y2K38_SAFETY)
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 74 in getentropy_init()
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 75 in getentropy_init()


________________________________________________________________________________________________________
*** CID 1512551:    (Y2K38_SAFETY)
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 74 in getentropy_init()
68     {
69       struct bintime bt;
70
71       rtems_bsd_bintime(&bt);
72       state = (uint32_t) bt.frac;
73       state ^= (uint32_t) (bt.frac >> 32);
>>>     CID 1512551:    (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "bt.sec" is cast to "uint32_t".
74       state ^= (uint32_t) bt.sec;
75       state ^= (uint32_t) (bt.sec >> 32);
76     }
77
78     RTEMS_SYSINIT_ITEM(
79       getentropy_init,
80       RTEMS_SYSINIT_DEVICE_DRIVERS,
81       RTEMS_SYSINIT_ORDER_LAST_BUT_5
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 75 in getentropy_init()
69       struct bintime bt;
70
71       rtems_bsd_bintime(&bt);
72       state = (uint32_t) bt.frac;
73       state ^= (uint32_t) (bt.frac >> 32);
74       state ^= (uint32_t) bt.sec;
>>>     CID 1512551:    (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "bt.sec >> 32" is cast to "uint32_t".
75       state ^= (uint32_t) (bt.sec >> 32);
76     }
77
78     RTEMS_SYSINIT_ITEM(
79       getentropy_init,
80       RTEMS_SYSINIT_DEVICE_DRIVERS,
81       RTEMS_SYSINIT_ORDER_LAST_BUT_5

** CID 1512550:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/gc.c: 878 in jffs2_garbage_collect_dirent()


________________________________________________________________________________________________________
*** CID 1512550:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/gc.c: 878 in jffs2_garbage_collect_dirent()
872             rd.pino = cpu_to_je32(f->inocache->ino);
873             rd.version = cpu_to_je32(++f->highest_version);
874             rd.ino = cpu_to_je32(fd->ino);
875             /* If the times on this inode were set by explicit utime() they can be different,
876                so refrain from splatting them. */
877             if (JFFS2_F_I_MTIME(f) == JFFS2_F_I_CTIME(f))
>>>     CID 1512550:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "((struct _inode *)((uintptr_t)f - 72U))->i_mtime" is cast to "__u32".
878                     rd.mctime = cpu_to_je32(JFFS2_F_I_MTIME(f));
879             else
880                     rd.mctime = cpu_to_je32(0);
881             rd.type = fd->type;
882             rd.node_crc = cpu_to_je32(crc32(0, &rd, sizeof(rd)-8));
883             rd.name_crc = cpu_to_je32(crc32(0, fd->name, rd.nsize));

** CID 1512549:  High impact quality  (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 2384 in _Timecounter_Tick_simple()


________________________________________________________________________________________________________
*** CID 1512549:  High impact quality  (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 2384 in _Timecounter_Tick_simple()
2378     #else
2379            atomic_store_rel_int(&th->th_generation, th->th_generation + 1);
2380     #endif
2381
2382            /* Go live with the new struct timehands. */
2383            time_second = th->th_microtime.tv_sec;
>>>     CID 1512549:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "th->th_offset.sec" is cast to "int32_t".
2384            time_uptime = th->th_offset.sec;
2385
2386            _Timecounter_Release(lock_context);
2387
2388            _Watchdog_Tick(_Per_CPU_Get_snapshot());
2389     }

** CID 1512548:  Incorrect expression  (PRECEDENCE_ERROR)
/cpukit/libdl/rtl-shell.c: 877 in rtems_rtl_shell_archive()


________________________________________________________________________________________________________
*** CID 1512548:  Incorrect expression  (PRECEDENCE_ERROR)
/cpukit/libdl/rtl-shell.c: 877 in rtems_rtl_shell_archive()
871             continue;
872           }
873         }
874
875         rtems_printf (printer, "%s%c\n",
876                       archive->name,
>>>     CID 1512548:  Incorrect expression  (PRECEDENCE_ERROR)
>>>     Evaluates as: "(details | symbols | duplicates) ? <then> : <else>",
because "|" has higher operator precedence than "?:". The context suggests
that this might be in error.
877                       details | symbols | duplicates ? ':' : ' ');
878
879         if (details)
880         {
881           rtems_printf (printer, "  size    : %zu\n", archive->size);
882           rtems_printf (printer, "  symbols : %zu\n", archive->symbols.entries);

** CID 1512547:  Integer handling issues  (BAD_SHIFT)
/cpukit/zlib/inflate.c: 225 in z_inflatePrime()


________________________________________________________________________________________________________
*** CID 1512547:  Integer handling issues  (BAD_SHIFT)
/cpukit/zlib/inflate.c: 225 in z_inflatePrime()
219             state->hold = 0;
220             state->bits = 0;
221             return Z_OK;
222         }
223         if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR;
224         value &= (1L << bits) - 1;
>>>     CID 1512547:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "value << state->bits", left shifting by more than 31
bits has undefined behavior.  The shift amount, "state->bits", is as much
as 32.
225         state->hold += value << state->bits;
226         state->bits += bits;
227         return Z_OK;
228     }
229
230     /*

** CID 1512546:  High impact quality  (Y2K38_SAFETY)
/cpukit/score/src/schedulercbsreleasejob.c: 60 in _Scheduler_CBS_Release_job()


________________________________________________________________________________________________________
*** CID 1512546:  High impact quality  (Y2K38_SAFETY)
/cpukit/score/src/schedulercbsreleasejob.c: 60 in _Scheduler_CBS_Release_job()
54
55       node = _Scheduler_CBS_Thread_get_node( the_thread );
56       serv_info = node->cbs_server;
57
58       /* Budget replenishment for the next job. */
59       if ( serv_info != NULL ) {
>>>     CID 1512546:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "serv_info->parameters.budget" is cast to
"uint32_t".
60         the_thread->CPU_budget.available = serv_info->parameters.budget;
61       }
62
63       node->deadline_node = priority_node;
64
65       _Scheduler_EDF_Release_job(

** CID 1512545:  Memory - illegal accesses  (UNINIT)


________________________________________________________________________________________________________
*** CID 1512545:  Memory - illegal accesses  (UNINIT)
/cpukit/libmisc/rtems-fdt/rtems-fdt.c: 664 in rtems_fdt_register()
658       blob->blob = dtb;
659       blob->name = NULL;
660       rtems_chain_initialize_node(&blob->node);
661
662       fdt = rtems_fdt_lock ();
663
>>>     CID 1512545:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "blob->node.next" when calling
"rtems_chain_append_unprotected".
664       rtems_chain_append_unprotected (&fdt->blobs, &blob->node);
665
666       blob->refs = 1;
667
668       rtems_fdt_unlock (fdt);
669

** CID 1512544:  Memory - illegal accesses  (UNINIT)


________________________________________________________________________________________________________
*** CID 1512544:  Memory - illegal accesses  (UNINIT)
/cpukit/libcsupport/src/sup_fs_location.c: 98 in rtems_filesystem_location_transform_to_global()
92       rtems_filesystem_global_location_t *global_loc = malloc(sizeof(*global_loc));
93
94       if (global_loc != NULL) {
95         global_loc->reference_count = 1;
96         global_loc->deferred_released_next = NULL;
97         global_loc->deferred_released_count = 0;
>>>     CID 1512544:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "global_loc->location.mt_entry_node.next"
when calling "rtems_filesystem_location_copy".
98         rtems_filesystem_location_copy(&global_loc->location, loc);
99         rtems_filesystem_location_remove_from_mt_entry(loc);
100       } else {
101         rtems_filesystem_location_free(loc);
102         global_loc = rtems_filesystem_global_location_obtain_null();
103         errno = ENOMEM;

** CID 1512543:  Memory - illegal accesses  (UNINIT)


________________________________________________________________________________________________________
*** CID 1512543:  Memory - illegal accesses  (UNINIT)
/cpukit/posix/src/pthreadcreate.c: 369 in _POSIX_Threads_Sporadic_timer()
363       }
364
365       _Watchdog_Per_CPU_remove_ticks( &api->Sporadic.Timer );
366       _POSIX_Threads_Sporadic_timer_insert( the_thread, api );
367
368       _Thread_Wait_release( the_thread, &queue_context );
>>>     CID 1512543:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized element of array
"queue_context.Priority.update" when calling "_Thread_Priority_update".
369       _Thread_Priority_update( &queue_context );
370     }
371
372     static void _POSIX_Threads_Sporadic_budget_callout(
373       Thread_Control *the_thread
374     )

** CID 1512542:  Memory - corruptions  (OVERRUN)
/bsps/shared/ofw/ofw.c: 233 in rtems_ofw_get_prop()


________________________________________________________________________________________________________
*** CID 1512542:  Memory - corruptions  (OVERRUN)
/bsps/shared/ofw/ofw.c: 233 in rtems_ofw_get_prop()
227       if (prop == NULL) {
228         return -1;
229       }
230
231       copy_len = MIN(len, bufsize);
232       _Assert(copy_len <= bufsize);
>>>     CID 1512542:  Memory - corruptions  (OVERRUN)
>>>     Calling "memmove" with "buf" and "copy_len" is suspicious because
of the very large index, 4294967168. The index may be due to a negative
parameter being interpreted as unsigned.
233       memmove(buf, prop, copy_len);
234
235       return len;
236     }
237
238     ssize_t rtems_ofw_get_enc_prop(

** CID 1512541:  Memory - illegal accesses  (UNINIT)


________________________________________________________________________________________________________
*** CID 1512541:  Memory - illegal accesses  (UNINIT)
/cpukit/libcsupport/src/fchdir.c: 74 in fchdir()
68           st.st_mode,
69           st.st_uid,
70           st.st_gid
71         );
72
73         if ( access_ok ) {
>>>     CID 1512541:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "loc.mt_entry_node.next" when calling
"rtems_filesystem_location_clone".
74           rtems_filesystem_location_clone( &loc, &iop->pathinfo );
75         } else {
76           errno = EACCES;
77           rv = -1;
78         }
79       }

** CID 1512540:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 132 in jffs2_unlink()


________________________________________________________________________________________________________
*** CID 1512540:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 132 in jffs2_unlink()
126             struct jffs2_sb_info *c = JFFS2_SB_INFO(dir_i->i_sb);
127             struct jffs2_inode_info *dir_f = JFFS2_INODE_INFO(dir_i);
128             struct jffs2_inode_info *dead_f = JFFS2_INODE_INFO(d_inode);
129             int ret;
130
131             ret = jffs2_do_unlink(c, dir_f, (const char *)d_name,
>>>     CID 1512540:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "time(NULL)" is cast to "uint32_t".
132                                    d_namelen, dead_f, get_seconds());
133             if (dead_f->inocache)
134                     d_inode->i_nlink = dead_f->inocache->pino_nlink;
135             return ret;
136     }
137
 /***********************************************************************/

** CID 1512539:  High impact quality  (Y2K38_SAFETY)
/cpukit/libmisc/cpuuse/cpuusagetop.c: 146 in print_time()


________________________________________________________________________________________________________
*** CID 1512539:  High impact quality  (Y2K38_SAFETY)
/cpukit/libmisc/cpuuse/cpuusagetop.c: 146 in print_time()
140
141     static int
142     print_time(rtems_cpu_usage_data*    data,
143                const Timestamp_Control* time,
144                const int                length)
145     {
>>>     CID 1512539:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "_Timestamp_Get_seconds(time)" is cast to
"uint32_t".
146       uint32_t secs = _Timestamp_Get_seconds( time );
147       uint32_t usecs = _Timestamp_Get_nanoseconds( time ) / TOD_NANOSECONDS_PER_MICROSECOND;
148       int      len = 0;
149
150       if (secs > 60)
151       {

** CID 1512538:  Memory - illegal accesses  (UNINIT)


________________________________________________________________________________________________________
*** CID 1512538:  Memory - illegal accesses  (UNINIT)
/cpukit/libcsupport/src/_rename_r.c: 64 in _rename_r()
58       int rv = 0;
59       rtems_filesystem_eval_path_context_t old_ctx;
60       int old_eval_flags = 0;
61       rtems_filesystem_location_info_t old_parentloc;
62       int old_parent_eval_flags = RTEMS_FS_PERMS_WRITE
63         | RTEMS_FS_FOLLOW_HARD_LINK;
>>>     CID 1512538:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "old_parentloc.mt_entry_node.next" when
calling "rtems_filesystem_eval_path_start_with_parent".
64       const rtems_filesystem_location_info_t *old_currentloc =
65         rtems_filesystem_eval_path_start_with_parent(
66           &old_ctx,
67           old,
68           old_eval_flags,
69           &old_parentloc,

** CID 1512537:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 285 in jffs2_mknod()


________________________________________________________________________________________________________
*** CID 1512537:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 285 in jffs2_mknod()
279             rd->totlen = cpu_to_je32(sizeof(*rd) + d_namelen);
280             rd->hdr_crc = cpu_to_je32(crc32(0, rd, sizeof(struct jffs2_unknown_node)-4));
281
282             rd->pino = cpu_to_je32(dir_i->i_ino);
283             rd->version = cpu_to_je32(++dir_f->highest_version);
284             rd->ino = cpu_to_je32(inode->i_ino);
>>>     CID 1512537:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "time(NULL)" is cast to "__u32".
285             rd->mctime = cpu_to_je32(get_seconds());
286             rd->nsize = d_namelen;
287
288             /* XXX: This is ugly. */
289             rd->type = (mode & S_IFMT) >> 12;
290

** CID 1512536:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1512536:  Memory - corruptions  (OVERRUN)
/cpukit/posix/src/pthreadcreate.c: 257 in pthread_create()
251         return EAGAIN;
252       }
253
254       /*
255        *  Initialize the core thread for this task.
256        */
>>>     CID 1512536:  Memory - corruptions  (OVERRUN)
>>>     Calling "_Thread_Initialize" with "config.stack_area" and
"config.stack_size" is suspicious because of the very large index,
4294967295. The index may be due to a negative parameter being interpreted
as unsigned.
257       status = _Thread_Initialize(
258         &_POSIX_Threads_Information,
259         the_thread,
260         &config
261       );
262       if ( status != STATUS_SUCCESSFUL ) {

** CID 1512535:  High impact quality  (Y2K38_SAFETY)
/cpukit/mghttpd/mongoose.c: 2608 in send_authorization_request()


________________________________________________________________________________________________________
*** CID 1512535:  High impact quality  (Y2K38_SAFETY)
/cpukit/mghttpd/mongoose.c: 2608 in send_authorization_request()
2602       mg_printf(conn,
2603                 "HTTP/1.1 401 Unauthorized\r\n"
2604                 "Content-Length: 0\r\n"
2605                 "WWW-Authenticate: Digest qop=\"auth\", "
2606                 "realm=\"%s\", nonce=\"%lu\"\r\n\r\n",
2607                 conn->ctx->config[AUTHENTICATION_DOMAIN],
>>>     CID 1512535:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "time(NULL)" is cast to "unsigned long".
2608                 (unsigned long) time(NULL));
2609     }
2610
2611     static int is_authorized_for_put(struct mg_connection *conn) {
2612       struct file file = STRUCT_FILE_INITIALIZER;
2613       const char *passfile = conn->ctx->config[PUT_DELETE_PASSWORDS_FILE];

** CID 1512534:  Memory - illegal accesses  (UNINIT)


________________________________________________________________________________________________________
*** CID 1512534:  Memory - illegal accesses  (UNINIT)
/cpukit/libcsupport/src/printertask.c: 219 in rtems_printer_task_drain()
213       printer_task_buffer buffer;
214
215       rtems_chain_initialize_node( &buffer.node );
216       buffer.action_kind = ACTION_DRAIN;
217       buffer.action_data.task = rtems_task_self();
218
>>>     CID 1512534:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "buffer.node.next" when calling
"printer_task_append_buffer".
219       printer_task_append_buffer( ctx, &ctx->todo_buffers, &buffer );
220       rtems_event_send( ctx->task, PRINT_TASK_WAKE_UP );
221       rtems_event_transient_receive( RTEMS_WAIT, RTEMS_NO_TIMEOUT );

** CID 1512533:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 385 in jffs2_rename()


________________________________________________________________________________________________________
*** CID 1512533:  High impact quality  (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 385 in jffs2_rename()
379             /* Make a hard link */
380
381             /* XXX: This is ugly */
382             type = (d_inode->i_mode & S_IFMT) >> 12;
383             if (!type) type = DT_REG;
384
>>>     CID 1512533:  High impact quality  (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to
accommodate it.  The expression "time(NULL)" is cast to "uint32_t".
385             now = get_seconds();
386             ret = jffs2_do_link(c, JFFS2_INODE_INFO(new_dir_i),
387                                 d_inode->i_ino, type,
388                                 (const char *)new_d_name,
389                                 new_d_namelen, now);
390


________________________________________________________________________________________________________
To view the defects, visit the Coverity Scan site.
