FYI

---------- Forwarded message ---------
From: <scan-ad...@coverity.com>
Date: Wed, Jan 27, 2021, 9:21 PM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <ged...@gwmail.gwu.edu>

Hi,

Please find the latest report on new defect(s) introduced to RTEMS found with Coverity Scan.

11 new defect(s) introduced to RTEMS found with Coverity Scan.
42 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)


** CID 1472583:  (STRING_NULL)
/cpukit/libdl/rtl-archive.c: 796 in rtems_rtl_archives_refresh()
/cpukit/libdl/rtl-archive.c: 798 in rtems_rtl_archives_refresh()


________________________________________________________________________________________________________
*** CID 1472583:  (STRING_NULL)
/cpukit/libdl/rtl-archive.c: 796 in rtems_rtl_archives_refresh()
790       {
791         ++config_path;
792         continue;
793       }
794
795       if (rtems_rtl_trace (RTEMS_RTL_TRACE_ARCHIVES))
>>>     CID 1472583:  (STRING_NULL)
>>>     Passing unterminated string "dirname" to "printf".
796         printf ("rtl: archive: refresh: %s\n", dirname);
797
798       config_path += strlen (dirname);
799
800       /*
801        * Relative paths do not work in the config. Must be absolute.
/cpukit/libdl/rtl-archive.c: 798 in rtems_rtl_archives_refresh()
792         continue;
793       }
794
795       if (rtems_rtl_trace (RTEMS_RTL_TRACE_ARCHIVES))
796         printf ("rtl: archive: refresh: %s\n", dirname);
797
>>>     CID 1472583:  (STRING_NULL)
>>>     Passing unterminated string "dirname" to "strlen", which expects a null-terminated string.
798       config_path += strlen (dirname);
799
800       /*
801        * Relative paths do not work in the config. Must be absolute.
802        */
803       if (dirname[0] != '/')

** CID 1472582:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1472582:  Insecure data handling  (TAINTED_SCALAR)
/cpukit/libdl/rtl-elf.c: 1328 in rtems_rtl_elf_parse_sections()
1322         printf ("rtl: section header: %2d: offset=%d\n", section, (int) off);
1323
1324       if (!rtems_rtl_obj_cache_read_byval (sects, fd, off, &shdr, sizeof (shdr)))
1325         return false;
1326
1327       len = RTEMS_RTL_ELF_STRING_MAX;
>>>     CID 1472582:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "sectstroff + shdr.sh_name" to "rtems_rtl_obj_cache_read", which uses it as an offset.
1328       if (!rtems_rtl_obj_cache_read (strings, fd,
1329                                      sectstroff + shdr.sh_name,
1330                                      (void**) &name, &len))
1331         return false;
1332
1333       if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))

** CID 1472581:  Null pointer dereferences  (REVERSE_INULL)
/cpukit/mghttpd/mongoose.c: 656 in cry()


________________________________________________________________________________________________________
*** CID 1472581:  Null pointer dereferences  (REVERSE_INULL)
/cpukit/mghttpd/mongoose.c: 656 in cry()
650
651   // Do not lock when getting the callback value, here and below.
652   // I suppose this is fine, since function cannot disappear in the
653   // same way string option can.
654   if (conn->ctx->callbacks.log_message == NULL ||
655       conn->ctx->callbacks.log_message(conn, buf) == 0) {
>>>     CID 1472581:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "conn->ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
656     fp = conn->ctx == NULL || conn->ctx->config[ERROR_LOG_FILE] == NULL ? NULL :
657       fopen(conn->ctx->config[ERROR_LOG_FILE], "a+");
658
659     if (fp != NULL) {
660       flockfile(fp);
661       timestamp = time(NULL);

** CID 1472580:  (TAINTED_SCALAR)
/cpukit/libdl/rtl-rap.c: 921 in rtems_rtl_rap_file_load()
/cpukit/libdl/rtl-rap.c: 915 in rtems_rtl_rap_file_load()


________________________________________________________________________________________________________
*** CID 1472580:  (TAINTED_SCALAR)
/cpukit/libdl/rtl-rap.c: 933 in rtems_rtl_rap_file_load()
927       if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.strtable_size))
928         return false;
929
930       if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))
931         printf ("rtl: rap: details: obj_num=%" PRIu32 "\n", obj->obj_num);
932
>>>     CID 1472580:  (TAINTED_SCALAR)
>>>     Passing tainted expression "rap.rpathlen" to "rtems_rtl_rap_load_linkmap", which uses it as a loop boundary.
933       if (!rtems_rtl_rap_load_linkmap (&rap, obj))
934         return false;
935     }
936
937     /*
938      * uint32_t: text_size
/cpukit/libdl/rtl-rap.c: 921 in rtems_rtl_rap_file_load()
915       obj->sec_num = (uint32_t*) malloc (sizeof (uint32_t) * obj->obj_num);
916
917       if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.rpathlen))
918         return false;
919
920       uint32_t i;
>>>     CID 1472580:  (TAINTED_SCALAR)
>>>     Using tainted variable "obj->obj_num" as a loop boundary.
921       for (i = 0; i < obj->obj_num; ++i)
922       {
923         if (!rtems_rtl_rap_read_uint32 (rap.decomp, &(obj->sec_num[i])))
924           return false;
925       }
926
/cpukit/libdl/rtl-rap.c: 915 in rtems_rtl_rap_file_load()
909      */
910     if (!rtems_rtl_rap_read_uint32 (rap.decomp, &obj->obj_num))
911       return false;
912
913     if (obj->obj_num > 0)
914     {
>>>     CID 1472580:  (TAINTED_SCALAR)
>>>     Passing tainted expression "4U * obj->obj_num" to "malloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
915       obj->sec_num = (uint32_t*) malloc (sizeof (uint32_t) * obj->obj_num);
916
917       if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.rpathlen))
918         return false;
919
920       uint32_t i;
/cpukit/libdl/rtl-rap.c: 933 in rtems_rtl_rap_file_load()
927       if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.strtable_size))
928         return false;
929
930       if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))
931         printf ("rtl: rap: details: obj_num=%" PRIu32 "\n", obj->obj_num);
932
>>>     CID 1472580:  (TAINTED_SCALAR)
>>>     Passing tainted expression "rap.strtable_size" to "rtems_rtl_rap_load_linkmap", which uses it as an offset.
933       if (!rtems_rtl_rap_load_linkmap (&rap, obj))
934         return false;
935     }
936
937     /*
938      * uint32_t: text_size
/cpukit/libdl/rtl-rap.c: 933 in rtems_rtl_rap_file_load()
927       if (!rtems_rtl_rap_read_uint32 (rap.decomp, &rap.strtable_size))
928         return false;
929
930       if (rtems_rtl_trace (RTEMS_RTL_TRACE_DETAIL))
931         printf ("rtl: rap: details: obj_num=%" PRIu32 "\n", obj->obj_num);
932
>>>     CID 1472580:  (TAINTED_SCALAR)
>>>     Passing tainted expression "*obj->sec_num" to "rtems_rtl_rap_load_linkmap", which uses it as an offset.
933       if (!rtems_rtl_rap_load_linkmap (&rap, obj))
934         return false;
935     }
936
937     /*
938      * uint32_t: text_size

** CID 1472579:  Error handling issues  (CHECKED_RETURN)
/cpukit/mghttpd/mongoose.c: 3716 in put_file()


________________________________________________________________________________________________________
*** CID 1472579:  Error handling issues  (CHECKED_RETURN)
/cpukit/mghttpd/mongoose.c: 3716 in put_file()
3710   } else {
3711     fclose_on_exec(&file);
3712     range = mg_get_header(conn, "Content-Range");
3713     r1 = r2 = 0;
3714     if (range != NULL && parse_range_header(range, &r1, &r2) > 0) {
3715       conn->status_code = 206;
>>>     CID 1472579:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "fseeko(file.fp, r1, 0)" without checking return value. This library function may fail and return an error code.
3716       fseeko(file.fp, r1, SEEK_SET);
3717     }
3718     if (!forward_body_data(conn, file.fp, INVALID_SOCKET, NULL)) {
3719       conn->status_code = 500;
3720     }
3721     mg_printf(conn, "HTTP/1.1 %d OK\r\nContent-Length: 0\r\n\r\n",

** CID 1472578:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 1472578:  Uninitialized variables  (UNINIT)
/cpukit/libfs/src/jffs2/src/scan.c: 759 in jffs2_scan_eraseblock()
753         continue;
754       }
755       /* We seem to have a node of sorts. Check the CRC */
756       crcnode.magic = node->magic;
757       crcnode.nodetype = cpu_to_je16( je16_to_cpu(node->nodetype) | JFFS2_NODE_ACCURATE);
758       crcnode.totlen = node->totlen;
>>>     CID 1472578:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "crcnode". Field "crcnode.hdr_crc" is uninitialized when calling "cyg_crc32_accumulate".
759       hdr_crc = crc32(0, &crcnode, sizeof(crcnode)-4);
760
761       if (hdr_crc != je32_to_cpu(node->hdr_crc)) {
762         noisy_printk(&noise, "%s(): Node at 0x%08x {0x%04x, 0x%04x, 0x%08x) has invalid CRC 0x%08x (calculated 0x%08x)\n",
763                      __func__,
764                      ofs, je16_to_cpu(node->magic),

** CID 1472577:  (PATH_MANIPULATION)
/cpukit/mghttpd/mongoose.c: 4432 in mg_upload()


________________________________________________________________________________________________________
*** CID 1472577:  (PATH_MANIPULATION)
/cpukit/mghttpd/mongoose.c: 4432 in mg_upload()
4426         (s = strrchr(fname, '\\')) == NULL) {
4427       s = fname;
4428     }
4429
4430     // Open file in binary mode. TODO: set an exclusive lock.
4431     snprintf(path, sizeof(path), "%s/%s", destination_dir, s);
>>>     CID 1472577:  (PATH_MANIPULATION)
>>>     Constructing a path or URI using the tainted value "path" and passing it to "fopen". This may allow an attacker to access, modify, or test the existence of critical or sensitive files.
4432     if ((fp = fopen(path, "wb")) == NULL) {
4433       break;
4434     }
4435
4436     // Read POST data, write into file until boundary is found.
4437     eof = n = 0;

** CID 1472576:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1472576:  Null pointer dereferences  (FORWARD_NULL)
/cpukit/libblock/src/bdbuf.c: 2632 in rtems_bdbuf_swapout_worker_task()
2626   rtems_bdbuf_swapout_worker* worker = (rtems_bdbuf_swapout_worker*) arg;
2627
2628   while (worker->enabled)
2629   {
2630     rtems_bdbuf_wait_for_event (RTEMS_BDBUF_SWAPOUT_SYNC);
2631
>>>     CID 1472576:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "&worker->transfer" to "rtems_bdbuf_swapout_write", which dereferences null "worker->transfer.dd".
2632     rtems_bdbuf_swapout_write (&worker->transfer);
2633
2634     rtems_bdbuf_lock_cache ();
2635
2636     rtems_chain_initialize_empty (&worker->transfer.bds);
2637     worker->transfer.dd = BDBUF_INVALID_DEV;

** CID 1472575:  Memory - illegal accesses  (UNINIT)
/cpukit/libmisc/shell/main_rtrace.c: 229 in rtems_trace_buffering_print_arg()


________________________________________________________________________________________________________
*** CID 1472575:  Memory - illegal accesses  (UNINIT)
/cpukit/libmisc/shell/main_rtrace.c: 229 in rtems_trace_buffering_print_arg()
223   memcpy (&variable.bytes[0], argv, arg->size);
224
225   printf ("(%s) ", arg->type);
226
227   if (strchr (arg->type, '*') != NULL)
228   {
>>>     CID 1472575:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "variable.pointer" when calling "printf".
229     printf ("%p", variable.pointer);
230   }
231   else
232   {
233     size_t b;
234     switch (arg->size)

** CID 1472574:  Error handling issues  (CHECKED_RETURN)
/cpukit/libfs/src/dosfs/msdos_format.c: 131 in msdos_format_read_sec()


________________________________________________________________________________________________________
*** CID 1472574:  Error handling issues  (CHECKED_RETURN)
/cpukit/libfs/src/dosfs/msdos_format.c: 131 in msdos_format_read_sec()
125   int ret_val = 0;
126
127   if (0 > lseek(fd,((off_t)start_sector)*sector_size,SEEK_SET)) {
128     ret_val = -1;
129   }
130   if (ret_val == 0) {
>>>     CID 1472574:  Error handling issues  (CHECKED_RETURN)
>>>     "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
131     if (0 > read(fd,buffer,sector_size)) {
132       ret_val = -1;
133     }
134   }
135
136   return ret_val;

** CID 1472573:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1472573:  Insecure data handling  (TAINTED_SCALAR)
/cpukit/libdl/rtl-elf.c: 1706 in rtems_rtl_elf_file_load()
1700
1701   /*
1702    * Parse the section information first so we have the memory map of the object
1703    * file and the memory allocated. Any further allocations we make to complete
1704    * the load will not fragment the memory.
1705    */
>>>     CID 1472573:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "ehdr.e_shnum" to "rtems_rtl_elf_parse_sections", which uses it as a loop boundary.
1706   if (!rtems_rtl_elf_parse_sections (obj, fd, &ehdr))
1707     return false;
1708
1709   /*
1710    * Set the entry point if there is one.
1711    */


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3DHaSx_NXfCUf1CLFYLbjXajJIgHlbL5qYn95oel6MvjPauKOZWRAeoPfG9R5Ut-2B0l1A5CBYN8H1u2OvYHQK1lhr4Zh6SDh2S5PCPFmmyp-2BCuliFxJzj1S7OgK9z2cMZjSTabCeURWJhVg1EI1bNhOt7aXFw3Vp5t2pGj4mbLRlTtRMHZ6hxDQXicJzm8pwnsWJaDgwdb8CD96vfoF8CM8XgA81RPZ7mfvWd3hfqlGbYPYac3I-3D

To manage Coverity Scan email notifications for "ged...@gwmail.gwu.edu", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxkxN7gn3yK5ofbuH1ptBFYw9YgpazuIaA-2BBUVKiHj8oUDwYWUynp42iaapm4KJU8XqWU01jaV7ANE1ZK33b9AxrNSft0QTNSkD2bLN6ho-2BnY-3DE-ws_NXfCUf1CLFYLbjXajJIgHlbL5qYn95oel6MvjPauKOZWRAeoPfG9R5Ut-2B0l1A5CB2NlyTs8n9wN-2FSyicx0tEXvXYGaGlLArYwAKrk-2B9Jr66dphmYP41ATiju2UCnJoYnvc2ZTjo8dyOLJxCeQsHoCOP862aab9fl1B0ammZrfyNIUSx8tg05QJP9bJRsN6zngYUWsWkGMJv3twh07snfhrXqd0NMPJLhSvujwj6My6A-3D

_______________________________________________
devel mailing list
devel@rtems.org
http://lists.rtems.org/mailman/listinfo/devel