Re: some bugs in the kernel
On Mon, Mar 14, 2005, Ted Unangst wrote:
> These bugs were found using the Coverity Prevent static analysis tool.
> [...]

Thanks for reporting these! It's great that your tools have been finding all these obscure bugs before users do. All of these should be fixed now, except for the if_ti bug, which I've forwarded to [EMAIL PROTECTED]

pjd 2005-03-16 20:48:13 UTC

  FreeBSD src repository

  Modified files:
    sys/geom             geom_bsd.c
  Log:
  Plug memory leak.

  Submitted by: Ted Unangst
  Found by:     Coverity Prevent analysis tool
  Approved by:  phk
  MFC after:    3 days

  Revision  Changes  Path
  1.73      +1 -2    src/sys/geom/geom_bsd.c

das 2005-03-18 05:43:34 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/hptmv        gui_lib.c
  Log:
  Don't read past the end of pVDevice[]. (Previously, we would
  iterate twice as many times as there were entries in the array.)

  Spotted by:  Ted Unangst using the Coverity Prevent static analysis tool
  Reviewed by: scottl

  Revision  Changes  Path
  1.4       +1 -1    src/sys/dev/hptmv/gui_lib.c

das 2005-03-18 05:43:31 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/hptmv        entry.c
  Log:
  Don't write past the end of the VendorId field (and into the
  ProductId field).

  Spotted by:  Ted Unangst using the Coverity Prevent static analysis tool
  Reviewed by: scottl

  Revision  Changes  Path
  1.7       +1 -1    src/sys/dev/hptmv/entry.c

imp 2005-03-15 22:53:31 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/pci          pci.c
  Log:
  If bus_generic_suspend returns an error, devlist is not freed. Free it.

  Submitted by: Ted Unangst (using the Coverity Prevent analysis tool)

  Revision  Changes  Path
  1.281     +3 -1    src/sys/dev/pci/pci.c

das 2005-03-18 05:43:37 UTC

  FreeBSD src repository

  Modified files:
    sys/dev/mlx          mlx_pci.c
  Log:
  If mlx_attach() returns an error, don't free sc again.

  Spotted by:  Ted Unangst using the Coverity Prevent static analysis tool
  Reviewed by: scottl

  Revision  Changes  Path
  1.21      +1 -3    src/sys/dev/mlx/mlx_pci.c

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]
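The pci.c and mlx_pci.c commit logs above both concern who cleans up on an error path. The user-space sketch below is an added example, not code from the thread or from the FreeBSD tree; every function and struct name in it is hypothetical, and the softc stand-in counts releases instead of freeing so that a double release can be observed safely.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static int live;                 /* allocations not yet freed */
struct softc { int released; };  /* counts releases, so a double release is visible, not UB */
static int child_suspend(int fail) { return fail ? EIO : 0; }  /* hypothetical callee */
static void sc_release(struct softc *sc) { sc->released++; }

/* Leak pattern: the early return skips the free. */
static int suspend_leaky(int fail) {
    int error, *devlist = malloc(4 * sizeof(*devlist));
    if (devlist == NULL) return ENOMEM;
    live++;
    if ((error = child_suspend(fail)) != 0) return error;  /* devlist is lost here */
    free(devlist); live--;
    return 0;
}
/* Fixed: devlist is freed on every path before returning. */
static int suspend_fixed(int fail) {
    int error, *devlist = malloc(4 * sizeof(*devlist));
    if (devlist == NULL) return ENOMEM;
    live++;
    error = child_suspend(fail);
    free(devlist); live--;
    return error;
}

/* Callee that releases the softc itself when it fails. */
static int attach(struct softc *sc, int fail) {
    if (fail) { sc_release(sc); return ENXIO; }
    return 0;
}
/* Double-release pattern: the caller repeats the callee's cleanup. */
static int bus_attach_double(struct softc *sc, int fail) {
    int error = attach(sc, fail);
    if (error) sc_release(sc);
    return error;
}
/* Fixed: on failure the callee has already cleaned up. */
static int bus_attach_fixed(struct softc *sc, int fail) { return attach(sc, fail); }

/* Drive each variant down its failure path and report the outcome. */
static int leaked_by(int (*fn)(int)) { live = 0; fn(1); return live; }
static int releases_by(int (*fn)(struct softc *, int)) {
    struct softc sc = {0}; fn(&sc, 1); return sc.released;
}
int main(void) {
    printf("leaked %d/%d, releases %d/%d\n", leaked_by(suspend_leaky),
           leaked_by(suspend_fixed), releases_by(bus_attach_double), releases_by(bus_attach_fixed));
    return 0;
}
```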
Re: some bugs in the kernel
On Mon, Mar 14, 2005 at 01:25:21PM -0800, Ted Unangst wrote:
> NULL pointer dereference
> File: usr/home/tedu/src/sys/pci/if_ti.c
> Function: ti_setmulti
> malloc return at 1628 is not checked against NULL.

Similar errors (line numbers from 5.3-RELEASE):

i386/i386/bios.c
   516  devnodebuf = malloc(bigdev + (sizeof(struct pnp_sysdevargs) - sizeof(struct pnp_sysdev)),
   517      M_DEVBUF, M_NOWAIT);

pci/if_dc.c
  1443  m = malloc(sizeof(struct dc_mediainfo), M_DEVBUF, M_NOWAIT | M_ZERO);
  1482  m = malloc(sizeof(struct dc_mediainfo), M_DEVBUF, M_NOWAIT | M_ZERO);
  1498  m = malloc(sizeof(struct dc_mediainfo), M_DEVBUF, M_NOWAIT | M_ZERO);
  1517  sc->dc_srom = malloc(size, M_DEVBUF, M_NOWAIT);
  1717  sc->dc_pnic_rx_buf = malloc(DC_RXLEN * 5, M_DEVBUF, M_NOWAIT);

pci/if_sk.c
   435  sc->sk_vpd_prodname = malloc(res.vr_len + 1, M_DEVBUF, M_NOWAIT);
   447  sc->sk_vpd_readonly = malloc(res.vr_len, M_DEVBUF, M_NOWAIT);
  1412  port = malloc(sizeof(int), M_DEVBUF, M_NOWAIT);
  1417  port = malloc(sizeof(int), M_DEVBUF, M_NOWAIT);
Re: some bugs in the kernel
On Mon, 14 Mar 2005, Ted Unangst wrote:
=These bugs were found using the Coverity Prevent static analysis tool.
=
=Memory Leak
=File: usr/home/tedu/src/sys/geom/geom_bsd.c
=Function: g_bsd_ioctl
=Returning at line 378 leaks the just allocated 'label'.
=
=Buffer Overrun
=File: usr/home/tedu/src/sys/dev/hptmv/gui_lib.c
=Function: hpt_default_ioctl
=At line 1262, the loop bound of MAX_ARRAY_PER_VBUS is defined to be
=twice the size of pVDevice (MAX_VDEVICE_PER_VBUS).
=
=Buffer Overrun
=File: usr/home/tedu/src/sys/dev/hptmv/entry.c
=Function: SetInquiryData
=At line 2660, loop bound of 20 is greater than size of VendorID.
=
=Memory Leak
=File: usr/home/tedu/src/sys/dev/pci/pci.c
=Function: pci_suspend
=If bus_generic_suspend fails at line 1061, 'devlist' is leaked.
=
=Use After Free, Memory Corruption
=File: usr/home/tedu/src/sys/dev/mlx/mlx_pci.c
=Function: mlx_pci_attach
=Calling mlx_free on error at line 218 is dangerous, since mlx_attach
=also called it. Eventually this will double free assorted bus resources.
=
=NULL pointer dereference
=File: usr/home/tedu/src/sys/pci/if_ti.c
=Function: ti_setmulti
=malloc return at 1628 is not checked against NULL.

Just to make sure it is said again. Thanks!

Will

--
Will Froning
Unix Sys. Admin.
[EMAIL PROTECTED]
some bugs in the kernel
These bugs were found using the Coverity Prevent static analysis tool.

Memory Leak
File: usr/home/tedu/src/sys/geom/geom_bsd.c
Function: g_bsd_ioctl
Returning at line 378 leaks the just allocated 'label'.

Buffer Overrun
File: usr/home/tedu/src/sys/dev/hptmv/gui_lib.c
Function: hpt_default_ioctl
At line 1262, the loop bound of MAX_ARRAY_PER_VBUS is defined to be
twice the size of pVDevice (MAX_VDEVICE_PER_VBUS).

Buffer Overrun
File: usr/home/tedu/src/sys/dev/hptmv/entry.c
Function: SetInquiryData
At line 2660, loop bound of 20 is greater than size of VendorID.

Memory Leak
File: usr/home/tedu/src/sys/dev/pci/pci.c
Function: pci_suspend
If bus_generic_suspend fails at line 1061, 'devlist' is leaked.

Use After Free, Memory Corruption
File: usr/home/tedu/src/sys/dev/mlx/mlx_pci.c
Function: mlx_pci_attach
Calling mlx_free on error at line 218 is dangerous, since mlx_attach
also called it. Eventually this will double free assorted bus resources.

NULL pointer dereference
File: usr/home/tedu/src/sys/pci/if_ti.c
Function: ti_setmulti
malloc return at 1628 is not checked against NULL.

--
Ted Unangst www.coverity.com Coverity, Inc.
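The SetInquiryData report above (a literal loop bound of 20 that exceeds the size of the vendor field) is illustrated below as an added example; it is not code from the post or from the hptmv driver. The struct layout, the 8 and 16 byte field widths, the function names and the sample strings are assumptions constructed for the illustration; only the bound of 20 comes from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: two adjacent fixed-width ID fields (widths assumed). */
struct inquiry {
    unsigned char vendor[8];
    unsigned char product[16];
};
#define REPORTED_BOUND 20   /* the literal loop bound quoted in the report */

/* Flawed pattern: the bound is a literal unrelated to the destination size. */
static void set_vendor_flawed(struct inquiry *inq, const char *src) {
    /* Byte view of the whole struct, so the spill into product[] is
     * observable without indexing vendor[] out of range. */
    unsigned char *dst = (unsigned char *)inq + offsetof(struct inquiry, vendor);
    for (size_t i = 0; i < REPORTED_BOUND; i++)
        dst[i] = (unsigned char)src[i];
}

/* Hardened pattern: the bound is derived from the destination field. */
static void set_vendor_fixed(struct inquiry *inq, const char *name) {
    size_t n = strlen(name);
    if (n > sizeof(inq->vendor))
        n = sizeof(inq->vendor);
    memset(inq->vendor, ' ', sizeof(inq->vendor));  /* space padded, not NUL terminated */
    memcpy(inq->vendor, name, n);
}

/* Returns how many product[] bytes were changed by setting the vendor. */
static int product_bytes_clobbered(int use_fixed) {
    static const char src[] = "XXXXXXXXXXXXXXXXXXXX";   /* constructed, 20 bytes */
    static const char product[] = "CONSTRUCTED-DISK";   /* constructed, 16 bytes */
    struct inquiry inq;
    int changed = 0;
    memcpy(inq.product, product, sizeof(inq.product));
    if (use_fixed) set_vendor_fixed(&inq, src);
    else set_vendor_flawed(&inq, src);
    for (size_t i = 0; i < sizeof(inq.product); i++)
        changed += inq.product[i] != (unsigned char)product[i];
    return changed;
}

int main(void) {
    printf("flawed: %d product bytes clobbered, fixed: %d\n",
           product_bytes_clobbered(0), product_bytes_clobbered(1));
    return 0;
}
```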
Re: some bugs in the kernel
On Mon, 14 Mar 2005, Ted Unangst wrote:
> These bugs were found using the Coverity Prevent static analysis tool.
>
> Memory Leak
> File: usr/home/tedu/src/sys/geom/geom_bsd.c
> Function: g_bsd_ioctl
> Returning at line 378 leaks the just allocated 'label'.
>
> Buffer Overrun
> File: usr/home/tedu/src/sys/dev/hptmv/gui_lib.c
> Function: hpt_default_ioctl
> At line 1262, the loop bound of MAX_ARRAY_PER_VBUS is defined to be
> twice the size of pVDevice (MAX_VDEVICE_PER_VBUS).
>
> Buffer Overrun
> File: usr/home/tedu/src/sys/dev/hptmv/entry.c
> Function: SetInquiryData
> At line 2660, loop bound of 20 is greater than size of VendorID.
>
> Memory Leak
> File: usr/home/tedu/src/sys/dev/pci/pci.c
> Function: pci_suspend
> If bus_generic_suspend fails at line 1061, 'devlist' is leaked.
>
> Use After Free, Memory Corruption
> File: usr/home/tedu/src/sys/dev/mlx/mlx_pci.c
> Function: mlx_pci_attach
> Calling mlx_free on error at line 218 is dangerous, since mlx_attach
> also called it. Eventually this will double free assorted bus resources.
>
> NULL pointer dereference
> File: usr/home/tedu/src/sys/pci/if_ti.c
> Function: ti_setmulti
> malloc return at 1628 is not checked against NULL.
>
> --
> Ted Unangst www.coverity.com Coverity, Inc.

Pretty cool, thanks..