Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-amd64-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
106 new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 106 defect(s)
** CID 977076: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/ufs/ufs/ufs_quota1.c: 863 in dq1sync()
** CID 977389: Out-of-bounds access (OVERRUN)
/sys/netinet6/icmp6.c: 736 in icmp6_input()
** CID 977394: Out-of-bounds write (OVERRUN)
/sys/nfs/nfs_bootdhcp.c: 825 in bootp_extract()
** CID 981752: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/linux32_syscall.c: 70 in ()
** CID 981753: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1488 in ()
** CID 981754: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1488 in ()
** CID 981755: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/ddb/db_lwp.c: 77 in ()
** CID 981756: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/cgd.c: 699 in ()
** CID 981757: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dkwedge/dk.c: 1506 in ()
** CID 981758: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_buffer.c: 68 in ()
** CID 981759: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 157 in ()
** CID 981760: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 157 in ()
** CID 981761: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/i2c/nxt2k.c: 281 in ()
** CID 981762: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/aac.c: 848 in ()
** CID 981763: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
** CID 981764: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
** CID 981765: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 2175 in ()
** CID 981766: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 342 in ()
** CID 981767: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 342 in ()
** CID 981768: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/if_iwn.c: 5719 in ()
________________________________________________________________________________________________________
*** CID 977076: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
/sys/ufs/ufs/ufs_quota1.c: 863 in dq1sync()
857 vn_lock(dqvp, LK_EXCLUSIVE | LK_RETRY);
858 auio.uio_iov = &aiov;
859 auio.uio_iovcnt = 1;
860 aiov.iov_base = (void *)&dq->dq_un.dq1_dqb;
861 aiov.iov_len = sizeof (struct dqblk);
862 auio.uio_resid = sizeof (struct dqblk);
>>> CID 977076: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "dq->dq_id * 32U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic before being used in a context which expects an expression of type "__off_t" (64 bits, signed). To avoid overflow, cast either operand to "__off_t" before performing the multiplication.
863 auio.uio_offset = (off_t)(dq->dq_id * sizeof (struct dqblk));
864 auio.uio_rw = UIO_WRITE;
865 UIO_SETUP_SYSSPACE(&auio);
866 error = VOP_WRITE(dqvp, &auio, 0, dq->dq_ump->um_cred[dq->dq_type]);
867 if (auio.uio_resid && error == 0)
868 error = EIO;
869 dq->dq_flags &= ~DQ_MOD;
870 VOP_UNLOCK(dqvp);
871 return (error);
________________________________________________________________________________________________________
*** CID 977389: Out-of-bounds access (OVERRUN)
/sys/netinet6/icmp6.c: 736 in icmp6_input()
730 nip6 = mtod(n, struct ip6_hdr *);
731 bcopy(ip6, nip6, sizeof(struct ip6_hdr));
732 nicmp6 = (struct icmp6_hdr *)(nip6 + 1);
733 bcopy(icmp6, nicmp6, sizeof(struct icmp6_hdr));
734 p = (u_char *)(nicmp6 + 1);
735 memset(p, 0, 4);
>>> CID 977389: Out-of-bounds access (OVERRUN)
>>> Overrunning array "hostname" of 256 bytes by passing it to a function which accesses it at byte offset 4294967243 using argument "maxhlen" (which evaluates to 4294967244).
736 bcopy(hostname, p + 4, maxhlen); /* meaningless TTL */
737 noff = sizeof(struct ip6_hdr);
738 M_COPY_PKTHDR(n, m); /* just for rcvif */
739 n->m_pkthdr.len = n->m_len = sizeof(struct ip6_hdr) +
740 sizeof(struct icmp6_hdr) + 4 + maxhlen;
741 nicmp6->icmp6_type = ICMP6_WRUREPLY;
________________________________________________________________________________________________________
*** CID 977394: Out-of-bounds write (OVERRUN)
/sys/nfs/nfs_bootdhcp.c: 825 in bootp_extract()
819 }
820
821 /*
822 * Store and print network config info.
823 */
824 if (myname) {
>>> CID 977394: Out-of-bounds write (OVERRUN)
>>> Overrunning array of 64 bytes at byte offset 261 by dereferencing pointer "myname + mynamelen".
825 myname[mynamelen] = '\0';
826 strncpy(hostname, myname, sizeof(hostname));
827 hostnamelen = mynamelen;
828 printf("nfs_boot: my_name=%s\n", hostname);
829 }
830 if (mydomain) {
________________________________________________________________________________________________________
*** CID 981752: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/linux32_syscall.c: 70 in ()
64 args[5] = frame->tf_rbp & 0xffffffff;
65
66 if (__predict_false(p->p_trace_enabled)) {
67 narg = callp->sy_narg;
68 if (__predict_false(narg > __arraycount(args)))
69 panic("impossible syscall narg, code %d, narg %zd",
>>> CID 981752: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
70 code, narg);
71 for (i = 0; i < narg; i++)
72 args64[i] = args[i] & 0xffffffff;
73 if ((error = trace_enter(code, args64, narg)) != 0)
74 goto out;
75 }
________________________________________________________________________________________________________
*** CID 981753: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1488 in ()
1482 return;
1483
1484 reqsz -= sz;
1485 if (msgbuf_p_cnt == VM_PHYSSEG_MAX) {
1486 /* No more segments available, bail out. */
1487 printf("WARNING: MSGBUFSIZE (%zu) too large, using %zu.\n",
>>> CID 981753: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1488 (size_t)MSGBUFSIZE, (size_t)(MSGBUFSIZE - reqsz));
1489 return;
1490 }
1491
1492 sz = reqsz;
1493 goto search_again;
________________________________________________________________________________________________________
*** CID 981754: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/arch/amd64/amd64/machdep.c: 1488 in ()
1482 return;
1483
1484 reqsz -= sz;
1485 if (msgbuf_p_cnt == VM_PHYSSEG_MAX) {
1486 /* No more segments available, bail out. */
1487 printf("WARNING: MSGBUFSIZE (%zu) too large, using %zu.\n",
>>> CID 981754: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1488 (size_t)MSGBUFSIZE, (size_t)(MSGBUFSIZE - reqsz));
1489 return;
1490 }
1491
1492 sz = reqsz;
1493 goto search_again;
________________________________________________________________________________________________________
*** CID 981755: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/ddb/db_lwp.c: 77 in ()
71 stack = (uintptr_t)KSTACK_LOWEST_ADDR((&l));
72 if (addr < stack || stack + KSTACK_SIZE <= addr) {
73 continue;
74 }
75 (*pr)("%p is %p+%zu, LWP %p's stack\n",
76 (void *)addr, (void *)stack,
>>> CID 981755: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
77 (size_t)(addr - stack), lp);
78 }
________________________________________________________________________________________________________
*** CID 981756: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/cgd.c: 699 in ()
693 cs->sc_cdata.cf_mode = encblkno[i].v;
694 cs->sc_cdata.cf_keylen = ci->ci_keylen;
695 cs->sc_cdata.cf_priv = cs->sc_cfuncs->cf_init(ci->ci_keylen, inbuf,
696 &cs->sc_cdata.cf_blocksize);
697 if (cs->sc_cdata.cf_blocksize > CGD_MAXBLOCKSIZE) {
698 log(LOG_WARNING, "cgd: Disallowed cipher with blocksize %zu > %u\n",
>>> CID 981756: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
699 cs->sc_cdata.cf_blocksize, CGD_MAXBLOCKSIZE);
700 cs->sc_cdata.cf_priv = NULL;
701 }
702
703 /*
704 * The blocksize is supposed to be in bytes. Unfortunately originally
________________________________________________________________________________________________________
*** CID 981757: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dkwedge/dk.c: 1506 in ()
1500 rv = EINVAL;
1501 goto out;
1502 }
1503 if (blkno + size / DEV_BSIZE > sc->sc_size) {
1504 printf("%s: blkno (%" PRIu64 ") + size / DEV_BSIZE (%zu) > "
1505 "sc->sc_size (%" PRIu64 ")\n", __func__, blkno,
>>> CID 981757: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1506 size / DEV_BSIZE, sc->sc_size);
1507 rv = EINVAL;
1508 goto out;
1509 }
1510
1511 bdev = bdevsw_lookup(sc->sc_pdev);
________________________________________________________________________________________________________
*** CID 981758: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_buffer.c: 68 in ()
62
63 while (resid > 0) {
64 mutex_enter(&ds->ds_ingress_lock);
65
66 if (SIMPLEQ_EMPTY(&ds->ds_ingress)) {
67 aprint_debug_dev(sc->sc_dev,
>>> CID 981758: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
68 "dropping sample (%zu)\n", resid);
69 mutex_exit(&ds->ds_ingress_lock);
70 return;
71 }
72
73 db = SIMPLEQ_FIRST(&ds->ds_ingress);
________________________________________________________________________________________________________
*** CID 981759: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 157 in ()
151 off_t off, size_t len,
152 struct dtv_scatter_io *sio)
153 {
154 if ((off + len) > sb->sb_size) {
155 printf("dtv: %s failed: off=%" PRId64
156 " len=%zu sb->sb_size=%zu\n",
>>> CID 981759: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
157 __func__, off, len, sb->sb_size);
158 return false;
159 }
160
161 sio->sio_buf = sb;
162 sio->sio_offset = off;
________________________________________________________________________________________________________
*** CID 981760: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/dtv/dtv_scatter.c: 157 in ()
151 off_t off, size_t len,
152 struct dtv_scatter_io *sio)
153 {
154 if ((off + len) > sb->sb_size) {
155 printf("dtv: %s failed: off=%" PRId64
156 " len=%zu sb->sb_size=%zu\n",
>>> CID 981760: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
157 __func__, off, len, sb->sb_size);
158 return false;
159 }
160
161 sio->sio_buf = sb;
162 sio->sio_offset = off;
________________________________________________________________________________________________________
*** CID 981761: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/i2c/nxt2k.c: 281 in ()
275 if (error != 0) {
276 printf("nxt2k firmware_open fail %d\n", error);
277 return 0;
278 }
279
280 fwsize = firmware_get_size(fh);
>>> CID 981761: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
281 printf("fwsize %zd\n", fwsize);
282 blob = firmware_malloc(fwsize);
283 if ( blob == NULL ) {
284 printf("nxt2k firmware_malloc fail\n");
285 firmware_close(fh);
286 return -1;
________________________________________________________________________________________________________
*** CID 981762: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/aac.c: 848 in ()
842 &rsize)) {
843 aprint_error_dev(sc->sc_dv, "error probing container %d\n", i);
844 continue;
845 }
846 if (rsize != ersize) {
847 aprint_error_dev(sc->sc_dv, "container info response wrong size "
>>> CID 981762: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
848 "(%d should be %zu)\n", rsize, ersize);
849 continue;
850 }
851
852 /*
853 * Check container volume type for validity. Note that many
________________________________________________________________________________________________________
*** CID 981763: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
1908 * Don't verify IV's size, it has different meaning
1909 */
1910 size_t fw_size = (size_t)be32toh(hdr->fw_size);
1911 if (fw_size != fwi->fwi_size - sizeof(*hdr)) {
1912 aprint_error_dev(sc->sc_dev, "firmware image %s"
1913 " size mismatch, fw %zx, real %zx\n", fw_name,
>>> CID 981763: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1914 fw_size, fwi->fwi_size - sizeof(*hdr));
1915 goto invalid;
1916 }
1917 }
1918
1919 if (hdr->fw_type != fw_type) {
________________________________________________________________________________________________________
*** CID 981764: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 1914 in ()
1908 * Don't verify IV's size, it has different meaning
1909 */
1910 size_t fw_size = (size_t)be32toh(hdr->fw_size);
1911 if (fw_size != fwi->fwi_size - sizeof(*hdr)) {
1912 aprint_error_dev(sc->sc_dev, "firmware image %s"
1913 " size mismatch, fw %zx, real %zx\n", fw_name,
>>> CID 981764: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
1914 fw_size, fwi->fwi_size - sizeof(*hdr));
1915 goto invalid;
1916 }
1917 }
1918
1919 if (hdr->fw_type != fw_type) {
________________________________________________________________________________________________________
*** CID 981765: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/ic/bwi.c: 2175 in ()
2169
2170 iv = (const struct bwi_fw_iv *)((const uint8_t *)iv + sz);
2171 }
2172
2173 if (iv_img_size != 0) {
2174 aprint_error_dev(sc->sc_dev,
>>> CID 981765: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
2175 "invalid IV image, size left %zx\n", iv_img_size);
2176 return (EINVAL);
2177 }
2178
2179 return (0);
2180 }
________________________________________________________________________________________________________
*** CID 981766: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 342 in ()
336 * Transfer timeout. Kill the transaction and clear status bits.
337 */
338 snprintb(fbuf, sizeof(fbuf), LPCIB_SMB_HS_BITS, st);
339 aprint_error_dev(sc->sc_dev,
340 "exec: op %d, addr 0x%02x, cmdlen %zd, len %zd, "
341 "flags 0x%02x: timeout, status 0x%s\n",
>>> CID 981766: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
342 op, addr, cmdlen, len, flags, fbuf);
343 bus_space_write_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HC,
344 LPCIB_SMB_HC_KILL);
345 DELAY(ICHIIC_DELAY);
346 st = bus_space_read_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HS);
347 if ((st & LPCIB_SMB_HS_FAILED) == 0) {
________________________________________________________________________________________________________
*** CID 981767: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/ichsmb.c: 342 in ()
336 * Transfer timeout. Kill the transaction and clear status bits.
337 */
338 snprintb(fbuf, sizeof(fbuf), LPCIB_SMB_HS_BITS, st);
339 aprint_error_dev(sc->sc_dev,
340 "exec: op %d, addr 0x%02x, cmdlen %zd, len %zd, "
341 "flags 0x%02x: timeout, status 0x%s\n",
>>> CID 981767: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
342 op, addr, cmdlen, len, flags, fbuf);
343 bus_space_write_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HC,
344 LPCIB_SMB_HC_KILL);
345 DELAY(ICHIIC_DELAY);
346 st = bus_space_read_1(sc->sc_iot, sc->sc_ioh, LPCIB_SMB_HS);
347 if ((st & LPCIB_SMB_HS_FAILED) == 0) {
________________________________________________________________________________________________________
*** CID 981768: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
/sys/dev/pci/if_iwn.c: 5719 in ()
5713 tlv = (const struct iwn_fw_tlv *)ptr;
5714 len = le32toh(tlv->len);
5715
5716 ptr += sizeof (*tlv);
5717 if (ptr + len > end) {
5718 aprint_error_dev(sc->sc_dev,
>>> CID 981768: Printf arg type mismatch (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
5719 "firmware too short: %zd bytes\n", fw->size);
5720 return EINVAL;
5721 }
5722 /* Skip other alternatives. */
5723 if (tlv->alt != 0 && tlv->alt != htole16(alt))
5724 goto next;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit http://scan.coverity.com/projects/1447?tab=overview
To unsubscribe from the email notification for new defects, visit http://scan5.coverity.com/cgi-bin/unsubscribe.py