Fwd: New Defects reported by Coverity Scan for RTEMS
Joel Sherrill
joel at rtems.org
Mon Aug 29 23:06:13 UTC 2022
Again: more lurking issues spotted by the new version of Coverity Scan.
Please look at them and fix.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Aug 29, 2022 at 5:55 PM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <build at rtems.org>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS found
with Coverity Scan.
61 new defect(s) introduced to RTEMS found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 61 defect(s)
** CID 1512552: High impact quality (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 1804 in _Timecounter_Windup()
________________________________________________________________________________________________________
*** CID 1512552: High impact quality (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 1804 in _Timecounter_Windup()
1798 /* Go live with the new struct timehands. */
1799 #ifdef FFCLOCK
1800 switch (sysclock_active) {
1801 case SYSCLOCK_FBCK:
1802 #endif
1803 time_second = th->th_microtime.tv_sec;
>>> CID 1512552: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "th->th_offset.sec" is cast to "int32_t".
1804 time_uptime = th->th_offset.sec;
1805 #ifdef FFCLOCK
1806 break;
1807 case SYSCLOCK_FFWD:
1808 time_second = fftimehands->tick_time_lerp.sec;
1809 time_uptime = fftimehands->tick_time_lerp.sec -
ffclock_boottime.sec;
** CID 1512551: (Y2K38_SAFETY)
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 74 in getentropy_init()
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 75 in getentropy_init()
________________________________________________________________________________________________________
*** CID 1512551: (Y2K38_SAFETY)
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 74 in getentropy_init()
68 {
69 struct bintime bt;
70
71 rtems_bsd_bintime(&bt);
72 state = (uint32_t) bt.frac;
73 state ^= (uint32_t) (bt.frac >> 32);
>>> CID 1512551: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "bt.sec" is cast to "uint32_t".
74 state ^= (uint32_t) bt.sec;
75 state ^= (uint32_t) (bt.sec >> 32);
76 }
77
78 RTEMS_SYSINIT_ITEM(
79 getentropy_init,
80 RTEMS_SYSINIT_DEVICE_DRIVERS,
81 RTEMS_SYSINIT_ORDER_LAST_BUT_5
/bsps/shared/dev/getentropy/getentropy-cpucounter.c: 75 in getentropy_init()
69 struct bintime bt;
70
71 rtems_bsd_bintime(&bt);
72 state = (uint32_t) bt.frac;
73 state ^= (uint32_t) (bt.frac >> 32);
74 state ^= (uint32_t) bt.sec;
>>> CID 1512551: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "bt.sec >> 32" is cast to "uint32_t".
75 state ^= (uint32_t) (bt.sec >> 32);
76 }
77
78 RTEMS_SYSINIT_ITEM(
79 getentropy_init,
80 RTEMS_SYSINIT_DEVICE_DRIVERS,
81 RTEMS_SYSINIT_ORDER_LAST_BUT_5
** CID 1512550: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/gc.c: 878 in jffs2_garbage_collect_dirent()
________________________________________________________________________________________________________
*** CID 1512550: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/gc.c: 878 in jffs2_garbage_collect_dirent()
872 rd.pino = cpu_to_je32(f->inocache->ino);
873 rd.version = cpu_to_je32(++f->highest_version);
874 rd.ino = cpu_to_je32(fd->ino);
875 /* If the times on this inode were set by explicit utime()
they can be different,
876 so refrain from splatting them. */
877 if (JFFS2_F_I_MTIME(f) == JFFS2_F_I_CTIME(f))
>>> CID 1512550: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "((struct _inode *)((uintptr_t)f -
72U))->i_mtime" is cast to "__u32".
878 rd.mctime = cpu_to_je32(JFFS2_F_I_MTIME(f));
879 else
880 rd.mctime = cpu_to_je32(0);
881 rd.type = fd->type;
882 rd.node_crc = cpu_to_je32(crc32(0, &rd, sizeof(rd)-8));
883 rd.name_crc = cpu_to_je32(crc32(0, fd->name, rd.nsize));
** CID 1512549: High impact quality (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 2384 in _Timecounter_Tick_simple()
________________________________________________________________________________________________________
*** CID 1512549: High impact quality (Y2K38_SAFETY)
/cpukit/score/src/kern_tc.c: 2384 in _Timecounter_Tick_simple()
2378 #else
2379 atomic_store_rel_int(&th->th_generation, th->th_generation
+ 1);
2380 #endif
2381
2382 /* Go live with the new struct timehands. */
2383 time_second = th->th_microtime.tv_sec;
>>> CID 1512549: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "th->th_offset.sec" is cast to "int32_t".
2384 time_uptime = th->th_offset.sec;
2385
2386 _Timecounter_Release(lock_context);
2387
2388 _Watchdog_Tick(_Per_CPU_Get_snapshot());
2389 }
** CID 1512548: Incorrect expression (PRECEDENCE_ERROR)
/cpukit/libdl/rtl-shell.c: 877 in rtems_rtl_shell_archive()
________________________________________________________________________________________________________
*** CID 1512548: Incorrect expression (PRECEDENCE_ERROR)
/cpukit/libdl/rtl-shell.c: 877 in rtems_rtl_shell_archive()
871 continue;
872 }
873 }
874
875 rtems_printf (printer, "%s%c\n",
876 archive->name,
>>> CID 1512548: Incorrect expression (PRECEDENCE_ERROR)
>>> Evaluates as: "(details | symbols | duplicates) ? <then> : <else>",
because "|" has higher operator precedence than "?:". The context suggests
that this might be in error.
877 details | symbols | duplicates ? ':' : ' ');
878
879 if (details)
880 {
881 rtems_printf (printer, " size : %zu\n", archive->size);
882 rtems_printf (printer, " symbols : %zu\n",
archive->symbols.entries);
** CID 1512547: Integer handling issues (BAD_SHIFT)
/cpukit/zlib/inflate.c: 225 in z_inflatePrime()
________________________________________________________________________________________________________
*** CID 1512547: Integer handling issues (BAD_SHIFT)
/cpukit/zlib/inflate.c: 225 in z_inflatePrime()
219 state->hold = 0;
220 state->bits = 0;
221 return Z_OK;
222 }
223 if (bits > 16 || state->bits + bits > 32) return Z_STREAM_ERROR;
224 value &= (1L << bits) - 1;
>>> CID 1512547: Integer handling issues (BAD_SHIFT)
>>> In expression "value << state->bits", left shifting by more than 31
bits has undefined behavior. The shift amount, "state->bits", is as much
as 32.
225 state->hold += value << state->bits;
226 state->bits += bits;
227 return Z_OK;
228 }
229
230 /*
** CID 1512546: High impact quality (Y2K38_SAFETY)
/cpukit/score/src/schedulercbsreleasejob.c: 60 in
_Scheduler_CBS_Release_job()
________________________________________________________________________________________________________
*** CID 1512546: High impact quality (Y2K38_SAFETY)
/cpukit/score/src/schedulercbsreleasejob.c: 60 in
_Scheduler_CBS_Release_job()
54
55 node = _Scheduler_CBS_Thread_get_node( the_thread );
56 serv_info = node->cbs_server;
57
58 /* Budget replenishment for the next job. */
59 if ( serv_info != NULL ) {
>>> CID 1512546: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "serv_info->parameters.budget" is cast to
"uint32_t".
60 the_thread->CPU_budget.available = serv_info->parameters.budget;
61 }
62
63 node->deadline_node = priority_node;
64
65 _Scheduler_EDF_Release_job(
** CID 1512545: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1512545: Memory - illegal accesses (UNINIT)
/cpukit/libmisc/rtems-fdt/rtems-fdt.c: 664 in rtems_fdt_register()
658 blob->blob = dtb;
659 blob->name = NULL;
660 rtems_chain_initialize_node(&blob->node);
661
662 fdt = rtems_fdt_lock ();
663
>>> CID 1512545: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "blob->node.next" when calling
"rtems_chain_append_unprotected".
664 rtems_chain_append_unprotected (&fdt->blobs, &blob->node);
665
666 blob->refs = 1;
667
668 rtems_fdt_unlock (fdt);
669
** CID 1512544: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1512544: Memory - illegal accesses (UNINIT)
/cpukit/libcsupport/src/sup_fs_location.c: 98 in
rtems_filesystem_location_transform_to_global()
92 rtems_filesystem_global_location_t *global_loc =
malloc(sizeof(*global_loc));
93
94 if (global_loc != NULL) {
95 global_loc->reference_count = 1;
96 global_loc->deferred_released_next = NULL;
97 global_loc->deferred_released_count = 0;
>>> CID 1512544: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "global_loc->location.mt_entry_node.next"
when calling "rtems_filesystem_location_copy".
98 rtems_filesystem_location_copy(&global_loc->location, loc);
99 rtems_filesystem_location_remove_from_mt_entry(loc);
100 } else {
101 rtems_filesystem_location_free(loc);
102 global_loc = rtems_filesystem_global_location_obtain_null();
103 errno = ENOMEM;
** CID 1512543: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1512543: Memory - illegal accesses (UNINIT)
/cpukit/posix/src/pthreadcreate.c: 369 in _POSIX_Threads_Sporadic_timer()
363 }
364
365 _Watchdog_Per_CPU_remove_ticks( &api->Sporadic.Timer );
366 _POSIX_Threads_Sporadic_timer_insert( the_thread, api );
367
368 _Thread_Wait_release( the_thread, &queue_context );
>>> CID 1512543: Memory - illegal accesses (UNINIT)
>>> Using uninitialized element of array
"queue_context.Priority.update" when calling "_Thread_Priority_update".
369 _Thread_Priority_update( &queue_context );
370 }
371
372 static void _POSIX_Threads_Sporadic_budget_callout(
373 Thread_Control *the_thread
374 )
** CID 1512542: Memory - corruptions (OVERRUN)
/bsps/shared/ofw/ofw.c: 233 in rtems_ofw_get_prop()
________________________________________________________________________________________________________
*** CID 1512542: Memory - corruptions (OVERRUN)
/bsps/shared/ofw/ofw.c: 233 in rtems_ofw_get_prop()
227 if (prop == NULL) {
228 return -1;
229 }
230
231 copy_len = MIN(len, bufsize);
232 _Assert(copy_len <= bufsize);
>>> CID 1512542: Memory - corruptions (OVERRUN)
>>> Calling "memmove" with "buf" and "copy_len" is suspicious because
of the very large index, 4294967168. The index may be due to a negative
parameter being interpreted as unsigned.
233 memmove(buf, prop, copy_len);
234
235 return len;
236 }
237
238 ssize_t rtems_ofw_get_enc_prop(
** CID 1512541: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1512541: Memory - illegal accesses (UNINIT)
/cpukit/libcsupport/src/fchdir.c: 74 in fchdir()
68 st.st_mode,
69 st.st_uid,
70 st.st_gid
71 );
72
73 if ( access_ok ) {
>>> CID 1512541: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "loc.mt_entry_node.next" when calling
"rtems_filesystem_location_clone".
74 rtems_filesystem_location_clone( &loc, &iop->pathinfo );
75 } else {
76 errno = EACCES;
77 rv = -1;
78 }
79 }
** CID 1512540: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 132 in jffs2_unlink()
________________________________________________________________________________________________________
*** CID 1512540: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 132 in jffs2_unlink()
126 struct jffs2_sb_info *c = JFFS2_SB_INFO(dir_i->i_sb);
127 struct jffs2_inode_info *dir_f = JFFS2_INODE_INFO(dir_i);
128 struct jffs2_inode_info *dead_f = JFFS2_INODE_INFO(d_inode);
129 int ret;
130
131 ret = jffs2_do_unlink(c, dir_f, (const char *)d_name,
>>> CID 1512540: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "time(NULL)" is cast to "uint32_t".
132 d_namelen, dead_f, get_seconds());
133 if (dead_f->inocache)
134 d_inode->i_nlink = dead_f->inocache->pino_nlink;
135 return ret;
136 }
137
/***********************************************************************/
** CID 1512539: High impact quality (Y2K38_SAFETY)
/cpukit/libmisc/cpuuse/cpuusagetop.c: 146 in print_time()
________________________________________________________________________________________________________
*** CID 1512539: High impact quality (Y2K38_SAFETY)
/cpukit/libmisc/cpuuse/cpuusagetop.c: 146 in print_time()
140
141 static int
142 print_time(rtems_cpu_usage_data* data,
143 const Timestamp_Control* time,
144 const int length)
145 {
>>> CID 1512539: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "_Timestamp_Get_seconds(time)" is cast to
"uint32_t".
146 uint32_t secs = _Timestamp_Get_seconds( time );
147 uint32_t usecs = _Timestamp_Get_nanoseconds( time ) /
TOD_NANOSECONDS_PER_MICROSECOND;
148 int len = 0;
149
150 if (secs > 60)
151 {
** CID 1512538: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1512538: Memory - illegal accesses (UNINIT)
/cpukit/libcsupport/src/_rename_r.c: 64 in _rename_r()
58 int rv = 0;
59 rtems_filesystem_eval_path_context_t old_ctx;
60 int old_eval_flags = 0;
61 rtems_filesystem_location_info_t old_parentloc;
62 int old_parent_eval_flags = RTEMS_FS_PERMS_WRITE
63 | RTEMS_FS_FOLLOW_HARD_LINK;
>>> CID 1512538: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "old_parentloc.mt_entry_node.next" when
calling "rtems_filesystem_eval_path_start_with_parent".
64 const rtems_filesystem_location_info_t *old_currentloc =
65 rtems_filesystem_eval_path_start_with_parent(
66 &old_ctx,
67 old,
68 old_eval_flags,
69 &old_parentloc,
** CID 1512537: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 285 in jffs2_mknod()
________________________________________________________________________________________________________
*** CID 1512537: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 285 in jffs2_mknod()
279 rd->totlen = cpu_to_je32(sizeof(*rd) + d_namelen);
280 rd->hdr_crc = cpu_to_je32(crc32(0, rd, sizeof(struct
jffs2_unknown_node)-4));
281
282 rd->pino = cpu_to_je32(dir_i->i_ino);
283 rd->version = cpu_to_je32(++dir_f->highest_version);
284 rd->ino = cpu_to_je32(inode->i_ino);
>>> CID 1512537: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "time(NULL)" is cast to "__u32".
285 rd->mctime = cpu_to_je32(get_seconds());
286 rd->nsize = d_namelen;
287
288 /* XXX: This is ugly. */
289 rd->type = (mode & S_IFMT) >> 12;
290
** CID 1512536: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1512536: Memory - corruptions (OVERRUN)
/cpukit/posix/src/pthreadcreate.c: 257 in pthread_create()
251 return EAGAIN;
252 }
253
254 /*
255 * Initialize the core thread for this task.
256 */
>>> CID 1512536: Memory - corruptions (OVERRUN)
>>> Calling "_Thread_Initialize" with "config.stack_area" and
"config.stack_size" is suspicious because of the very large index,
4294967295. The index may be due to a negative parameter being interpreted
as unsigned.
257 status = _Thread_Initialize(
258 &_POSIX_Threads_Information,
259 the_thread,
260 &config
261 );
262 if ( status != STATUS_SUCCESSFUL ) {
** CID 1512535: High impact quality (Y2K38_SAFETY)
/cpukit/mghttpd/mongoose.c: 2608 in send_authorization_request()
________________________________________________________________________________________________________
*** CID 1512535: High impact quality (Y2K38_SAFETY)
/cpukit/mghttpd/mongoose.c: 2608 in send_authorization_request()
2602 mg_printf(conn,
2603 "HTTP/1.1 401 Unauthorized\r\n"
2604 "Content-Length: 0\r\n"
2605 "WWW-Authenticate: Digest qop=\"auth\", "
2606 "realm=\"%s\", nonce=\"%lu\"\r\n\r\n",
2607 conn->ctx->config[AUTHENTICATION_DOMAIN],
>>> CID 1512535: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "time(NULL)" is cast to "unsigned long".
2608 (unsigned long) time(NULL));
2609 }
2610
2611 static int is_authorized_for_put(struct mg_connection *conn) {
2612 struct file file = STRUCT_FILE_INITIALIZER;
2613 const char *passfile =
conn->ctx->config[PUT_DELETE_PASSWORDS_FILE];
** CID 1512534: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1512534: Memory - illegal accesses (UNINIT)
/cpukit/libcsupport/src/printertask.c: 219 in rtems_printer_task_drain()
213 printer_task_buffer buffer;
214
215 rtems_chain_initialize_node( &buffer.node );
216 buffer.action_kind = ACTION_DRAIN;
217 buffer.action_data.task = rtems_task_self();
218
>>> CID 1512534: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "buffer.node.next" when calling
"printer_task_append_buffer".
219 printer_task_append_buffer( ctx, &ctx->todo_buffers, &buffer );
220 rtems_event_send( ctx->task, PRINT_TASK_WAKE_UP );
221 rtems_event_transient_receive( RTEMS_WAIT, RTEMS_NO_TIMEOUT );
** CID 1512533: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 385 in jffs2_rename()
________________________________________________________________________________________________________
*** CID 1512533: High impact quality (Y2K38_SAFETY)
/cpukit/libfs/src/jffs2/src/dir-rtems.c: 385 in jffs2_rename()
379 /* Make a hard link */
380
381 /* XXX: This is ugly */
382 type = (d_inode->i_mode & S_IFMT) >> 12;
383 if (!type) type = DT_REG;
384
>>> CID 1512533: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "time(NULL)" is cast to "uint32_t".
385 now = get_seconds();
386 ret = jffs2_do_link(c, JFFS2_INODE_INFO(new_dir_i),
387 d_inode->i_ino, type,
388 (const char *)new_d_name,
389 new_d_namelen, now);
390
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DkGkW_EU3W9teASMK00lBXX9WT4lsogDrkCcNZLvg-2FVxwAXMrOEZN-2BLUspARgYtiBqgHjzYVpaMXnc-2BLCLwhp1aWEHLF62YhIqEogAZ1zLsjPeB26DwhbGlA7CD9U7GFZ3MPXT9E7SOH6ZheIR0qSxbzkw5LrJaANPQMkrFAZ0WSxupw6q8aKgrnyDCRc3ulhtIN0qN1ay-2FBjeF29FT-2BfQMJgbJQ-3D-3D