Coverity-updates archive
New Defects reported by Coverity Scan for NetBSD-i386-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
200 new defect(s) introduced to NetBSD-i386-kernel found with Coverity Scan.
1427 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 200 defect(s)
** CID 113253: Null pointer dereferences (FORWARD_NULL)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_connectors.c: 775 in radeon_vga_detect()
________________________________________________________________________________________________________
*** CID 113253: Null pointer dereferences (FORWARD_NULL)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_connectors.c: 775 in radeon_vga_detect()
769
770 r = pm_runtime_get_sync(connector->dev->dev);
771 if (r < 0)
772 return connector_status_disconnected;
773
774 encoder = radeon_best_single_encoder(connector);
>>> CID 113253: Null pointer dereferences (FORWARD_NULL)
>>> Comparing "encoder" to null implies that "encoder" might be null.
775 if (!encoder)
776 ret = connector_status_disconnected;
777
778 if (radeon_connector->ddc_bus)
779 dret = radeon_ddc_probe(radeon_connector, false);
780 if (dret) {
** CID 273063: Null pointer dereferences (FORWARD_NULL)
/sys/nfs/nfs_vnops.c: 2533 in nfs_readdirrpc()
________________________________________________________________________________________________________
*** CID 273063: Null pointer dereferences (FORWARD_NULL)
/sys/nfs/nfs_vnops.c: 2533 in nfs_readdirrpc()
2527 }
2528 /* for cookie stashing */
2529 reclen = _DIRENT_RECLEN(dp, len) + 2 * sizeof(off_t);
2530 left = NFS_DIRFRAGSIZ - blksiz;
2531 if (reclen > left) {
2532 memset(uiop->uio_iov->iov_base, 0, left);
>>> CID 273063: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dp".
2533 dp->d_reclen += left;
2534 UIO_ADVANCE(uiop, left);
2535 blksiz = 0;
2536 NFS_STASHCOOKIE(dp, uiop->uio_offset);
2537 }
2538 if (reclen > uiop->uio_resid)
** CID 741136: (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 4982 in i855_get_display_clock_speed()
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 4980 in i855_get_display_clock_speed()
________________________________________________________________________________________________________
*** CID 741136: (DEADCODE)
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 4982 in i855_get_display_clock_speed()
4976 switch (hpllcc & GC_CLOCK_CONTROL_MASK) {
4977 case GC_CLOCK_133_200:
4978 case GC_CLOCK_100_200:
4979 return 200000;
4980 case GC_CLOCK_166_250:
4981 return 250000;
>>> CID 741136: (DEADCODE)
>>> Execution cannot reach this statement: "case 2:".
4982 case GC_CLOCK_100_133:
4983 return 133000;
4984 }
4985
4986 /* Shouldn't happen */
4987 return 0;
/sys/external/bsd/drm2/dist/drm/i915/intel_display.c: 4980 in i855_get_display_clock_speed()
4974 * should be the default.
4975 */
4976 switch (hpllcc & GC_CLOCK_CONTROL_MASK) {
4977 case GC_CLOCK_133_200:
4978 case GC_CLOCK_100_200:
4979 return 200000;
>>> CID 741136: (DEADCODE)
>>> Execution cannot reach this statement: "case 3:".
4980 case GC_CLOCK_166_250:
4981 return 250000;
4982 case GC_CLOCK_100_133:
4983 return 133000;
4984 }
4985
** CID 974635: Memory - corruptions (BUFFER_SIZE)
/sys/ufs/ffs/ffs_bswap.c: 131 in ffs_dinode1_swap()
________________________________________________________________________________________________________
*** CID 974635: Memory - corruptions (BUFFER_SIZE)
/sys/ufs/ffs/ffs_bswap.c: 131 in ffs_dinode1_swap()
125 n->di_atime = bswap32(o->di_atime);
126 n->di_atimensec = bswap32(o->di_atimensec);
127 n->di_mtime = bswap32(o->di_mtime);
128 n->di_mtimensec = bswap32(o->di_mtimensec);
129 n->di_ctime = bswap32(o->di_ctime);
130 n->di_ctimensec = bswap32(o->di_ctimensec);
>>> CID 974635: Memory - corruptions (BUFFER_SIZE)
>>> You might overrun the 48 byte destination string "n->di_db" by writing the maximum 60 bytes from "o->di_db".
131 memcpy(n->di_db, o->di_db, (UFS_NDADDR + UFS_NIADDR) * sizeof(u_int32_t));
132 n->di_flags = bswap32(o->di_flags);
133 n->di_blocks = bswap32(o->di_blocks);
134 n->di_gen = bswap32(o->di_gen);
135 n->di_uid = bswap32(o->di_uid);
136 n->di_gid = bswap32(o->di_gid);
** CID 974636: Memory - corruptions (BUFFER_SIZE)
/sys/ufs/ffs/ffs_bswap.c: 161 in ffs_dinode2_swap()
________________________________________________________________________________________________________
*** CID 974636: Memory - corruptions (BUFFER_SIZE)
/sys/ufs/ffs/ffs_bswap.c: 161 in ffs_dinode2_swap()
155 n->di_birthtime = bswap64(o->di_birthtime);
156 n->di_birthnsec = bswap32(o->di_birthnsec);
157 n->di_gen = bswap32(o->di_gen);
158 n->di_kernflags = bswap32(o->di_kernflags);
159 n->di_flags = bswap32(o->di_flags);
160 n->di_extsize = bswap32(o->di_extsize);
>>> CID 974636: Memory - corruptions (BUFFER_SIZE)
>>> You might overrun the 16 byte destination string "n->di_extb" by writing the maximum 136 bytes from "o->di_extb".
161 memcpy(n->di_extb, o->di_extb, (UFS_NXADDR + UFS_NDADDR + UFS_NIADDR) * 8);
162 }
163
164 void
165 ffs_csum_swap(struct csum *o, struct csum *n, int size)
166 {
** CID 979553: Uninitialized variables (UNINIT)
/sys/dev/hdaudio/hdaudio.c: 1046 in hdaudio_stream_establish()
________________________________________________________________________________________________________
*** CID 979553: Uninitialized variables (UNINIT)
/sys/dev/hdaudio/hdaudio.c: 1046 in hdaudio_stream_establish()
1040 if (st->st_type != type)
1041 continue;
1042 if (sc->sc_stream_mask & (1 << i))
1043 continue;
1044
1045 /* Allocate stream */
>>> CID 979553: Uninitialized variables (UNINIT)
>>> Using uninitialized value "dma". Field "dma.dma_sizereg" is uninitialized.
1046 st->st_bdl = dma;
1047 st->st_intr = intr;
1048 st->st_cookie = cookie;
1049 sc->sc_stream_mask |= (1 << i);
1050 mutex_exit(&sc->sc_stream_mtx);
1051 return st;
** CID 980481: Insecure data handling (TAINTED_SCALAR)
/sys/arch/x86/x86/sys_machdep.c: 224 in x86_set_ldt()
________________________________________________________________________________________________________
*** CID 980481: Insecure data handling (TAINTED_SCALAR)
/sys/arch/x86/x86/sys_machdep.c: 224 in x86_set_ldt()
218 return EINVAL;
219
220 descv = malloc(sizeof (*descv) * ua.num, M_TEMP, M_NOWAIT);
221 if (descv == NULL)
222 return ENOMEM;
223
>>> CID 980481: Insecure data handling (TAINTED_SCALAR)
>>> Calling function "copyin" taints argument "descv".
224 error = copyin(ua.desc, descv, sizeof (*descv) * ua.num);
225 if (error == 0)
226 error = x86_set_ldt1(l, &ua, descv);
227 *retval = ua.start;
228
229 free(descv, M_TEMP);
** CID 980534: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 980534: (TAINTED_SCALAR)
/sys/kern/kern_exec.c: 2623 in sys_posix_spawn()
2617 (void)chgproccnt(kauth_cred_getuid(l1->l_cred), -1);
2618 atomic_dec_uint(&nprocs);
2619
2620 if (sa)
2621 kmem_free(sa, sizeof(*sa));
2622 if (fa)
>>> CID 980534: (TAINTED_SCALAR)
>>> Passing tainted variable "fa->len" to a tainted sink.
2623 posix_spawn_fa_free(fa, fa->len);
2624 }
2625
2626 *retval = error;
2627 return 0;
2628 }
/sys/kern/kern_exec.c: 2604 in sys_posix_spawn()
2598 goto error_exit;
2599 }
2600
2601 /*
2602 * Do the spawn
2603 */
>>> CID 980534: (TAINTED_SCALAR)
>>> Passing tainted variable "fa" to a tainted sink.
2604 error = do_posix_spawn(l1, &pid, &child_ok, SCARG(uap, path), fa, sa,
2605 SCARG(uap, argv), SCARG(uap, envp), execve_fetch_element);
2606 if (error)
2607 goto error_exit;
2608
2609 if (error == 0 && SCARG(uap, pid) != NULL)
** CID 980545: Insecure data handling (TAINTED_SCALAR)
/sys/kern/sys_select.c: 513 in pollcommon()
________________________________________________________________________________________________________
*** CID 980545: Insecure data handling (TAINTED_SCALAR)
/sys/kern/sys_select.c: 513 in pollcommon()
507 fds = kmem_alloc(ni, KM_SLEEP);
508 if (fds == NULL)
509 return ENOMEM;
510 } else
511 fds = smallfds;
512
>>> CID 980545: Insecure data handling (TAINTED_SCALAR)
>>> Calling function "copyin" taints argument "fds".
513 error = copyin(u_fds, fds, ni);
514 if (error)
515 goto fail;
516
517 error = sel_do_scan(SELOP_POLL, fds, nfds, ni, ts, mask, retval);
518 if (error == 0)
** CID 980724: Error handling issues (CHECKED_RETURN)
/sys/kern/subr_autoconf.c: 1506 in config_add_attrib_dict()
________________________________________________________________________________________________________
*** CID 980724: Error handling issues (CHECKED_RETURN)
/sys/kern/subr_autoconf.c: 1506 in config_add_attrib_dict()
1500 prop_dictionary_set_cstring_nocopy(loc_dict,
1501 "loc-name", ci->ci_locdesc[j].cld_name);
1502 if (ci->ci_locdesc[j].cld_defaultstr != NULL)
1503 prop_dictionary_set_cstring_nocopy(
1504 loc_dict, "default",
1505 ci->ci_locdesc[j].cld_defaultstr);
>>> CID 980724: Error handling issues (CHECKED_RETURN)
>>> Calling "prop_array_set" without checking return value (as is done elsewhere 10 out of 11 times).
1506 prop_array_set(loc_array, j, loc_dict);
1507 prop_object_release(loc_dict);
1508 }
1509 prop_dictionary_set_and_rel(attr_dict, "locators",
1510 loc_array);
1511 }
** CID 992295: Memory - corruptions (BUFFER_SIZE)
/sys/fs/msdosfs/msdosfs_lookup.c: 612 in createde()
________________________________________________________________________________________________________
*** CID 992295: Memory - corruptions (BUFFER_SIZE)
/sys/fs/msdosfs/msdosfs_lookup.c: 612 in createde()
606 if ((error = bread(pmp->pm_devvp, de_bn2kb(pmp, bn), blsize,
607 B_MODIFY, &bp)) != 0) {
608 goto err_norollback;
609 }
610 ndep = bptoep(pmp, bp, clusoffset);
611
>>> CID 992295: Memory - corruptions (BUFFER_SIZE)
>>> You might overrun the 8 byte destination string "ndep->deName" by writing the maximum 11 bytes from "dep->de_Name".
612 DE_EXTERNALIZE(ndep, dep);
613
614 /*
615 * Now write the Win95 long name
616 */
617 if (ddep->de_fndcnt > 0) {
** CID 1192281: Integer handling issues (DIVIDE_BY_ZERO)
________________________________________________________________________________________________________
*** CID 1192281: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/radeon/evergreen.c: 1108 in evergreen_set_uvd_clocks()
1102 if (!vclk || !dclk) {
1103 /* keep the Bypass mode, put PLL to sleep */
1104 WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_SLEEP_MASK, ~UPLL_SLEEP_MASK);
1105 return 0;
1106 }
1107
>>> CID 1192281: Integer handling issues (DIVIDE_BY_ZERO)
>>> In function call "radeon_uvd_calc_upll_dividers", division by expression "0U" has undefined behavior.
1108 r = radeon_uvd_calc_upll_dividers(rdev, vclk, dclk, 125000, 250000,
1109 16384, 0x03FFFFFF, 0, 128, 5,
1110 &fb_div, &vclk_div, &dclk_div);
1111 if (r)
1112 return r;
1113
** CID 1192282: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/radeon/evergreen_cs.c: 299 in evergreen_surface_check()
________________________________________________________________________________________________________
*** CID 1192282: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/radeon/evergreen_cs.c: 299 in evergreen_surface_check()
293
294 static int evergreen_surface_check(struct radeon_cs_parser *p,
295 struct eg_surface *surf,
296 const char *prefix)
297 {
298 /* some common value computed here */
>>> CID 1192282: Integer handling issues (DIVIDE_BY_ZERO)
>>> Assigning: "surf->bpe" = "r600_fmt_get_blocksize(surf->format)". The value of "surf->bpe" is now 0.
299 surf->bpe = r600_fmt_get_blocksize(surf->format);
300
301 switch (surf->mode) {
302 case ARRAY_LINEAR_GENERAL:
303 return evergreen_surface_check_linear(p, surf, prefix);
304 case ARRAY_LINEAR_ALIGNED:
** CID 1192283: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/i915/intel_sprite.c: 416 in ilk_update_plane()
________________________________________________________________________________________________________
*** CID 1192283: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/i915/intel_sprite.c: 416 in ilk_update_plane()
410 struct drm_device *dev = plane->dev;
411 struct drm_i915_private *dev_priv = dev->dev_private;
412 struct intel_plane *intel_plane = to_intel_plane(plane);
413 int pipe = intel_plane->pipe;
414 unsigned long dvssurf_offset, linear_offset;
415 u32 dvscntr, dvsscale;
>>> CID 1192283: Integer handling issues (DIVIDE_BY_ZERO)
>>> Assigning: "pixel_size" = "drm_format_plane_cpp(fb->pixel_format, 0)". The value of "pixel_size" is now 0.
416 int pixel_size = drm_format_plane_cpp(fb->pixel_format, 0);
417
418 dvscntr = I915_READ(DVSCNTR(pipe));
419
420 /* Mask out pixel format bits in case we change it */
421 dvscntr &= ~DVS_PIXFORMAT_MASK;
** CID 1192284: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/i915/intel_sprite.c: 232 in ivb_update_plane()
________________________________________________________________________________________________________
*** CID 1192284: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/i915/intel_sprite.c: 232 in ivb_update_plane()
226 struct drm_device *dev = plane->dev;
227 struct drm_i915_private *dev_priv = dev->dev_private;
228 struct intel_plane *intel_plane = to_intel_plane(plane);
229 int pipe = intel_plane->pipe;
230 u32 sprctl, sprscale = 0;
231 unsigned long sprsurf_offset, linear_offset;
>>> CID 1192284: Integer handling issues (DIVIDE_BY_ZERO)
>>> Assigning: "pixel_size" = "drm_format_plane_cpp(fb->pixel_format, 0)". The value of "pixel_size" is now 0.
232 int pixel_size = drm_format_plane_cpp(fb->pixel_format, 0);
233
234 sprctl = I915_READ(SPRCTL(pipe));
235
236 /* Mask out pixel format bits in case we change it */
237 sprctl &= ~SPRITE_PIXFORMAT_MASK;
** CID 1192291: Integer handling issues (DIVIDE_BY_ZERO)
________________________________________________________________________________________________________
*** CID 1192291: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/radeon/si.c: 6933 in si_set_uvd_clocks()
6927 if (!vclk || !dclk) {
6928 /* keep the Bypass mode, put PLL to sleep */
6929 WREG32_P(CG_UPLL_FUNC_CNTL, UPLL_SLEEP_MASK, ~UPLL_SLEEP_MASK);
6930 return 0;
6931 }
6932
>>> CID 1192291: Integer handling issues (DIVIDE_BY_ZERO)
>>> In function call "radeon_uvd_calc_upll_dividers", division by expression "0U" has undefined behavior.
6933 r = radeon_uvd_calc_upll_dividers(rdev, vclk, dclk, 125000, 250000,
6934 16384, 0x03FFFFFF, 0, 128, 5,
6935 &fb_div, &vclk_div, &dclk_div);
6936 if (r)
6937 return r;
6938
** CID 1192299: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/i915/intel_sprite.c: 55 in vlv_update_plane()
________________________________________________________________________________________________________
*** CID 1192299: Integer handling issues (DIVIDE_BY_ZERO)
/sys/external/bsd/drm2/dist/drm/i915/intel_sprite.c: 55 in vlv_update_plane()
49 struct drm_i915_private *dev_priv = dev->dev_private;
50 struct intel_plane *intel_plane = to_intel_plane(dplane);
51 int pipe = intel_plane->pipe;
52 int plane = intel_plane->plane;
53 u32 sprctl;
54 unsigned long sprsurf_offset, linear_offset;
>>> CID 1192299: Integer handling issues (DIVIDE_BY_ZERO)
>>> Assigning: "pixel_size" = "drm_format_plane_cpp(fb->pixel_format, 0)". The value of "pixel_size" is now 0.
55 int pixel_size = drm_format_plane_cpp(fb->pixel_format, 0);
56
57 sprctl = I915_READ(SPCNTR(pipe, plane));
58
59 /* Mask out pixel format bits in case we change it */
60 sprctl &= ~SP_PIXFORMAT_MASK;
** CID 1192307: Memory - illegal accesses (OVERRUN)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_atombios.c: 3602 in radeon_atom_get_voltage_table()
________________________________________________________________________________________________________
*** CID 1192307: Memory - illegal accesses (OVERRUN)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_atombios.c: 3602 in radeon_atom_get_voltage_table()
3596 &voltage_object->v2.asFormula;
3597 VOLTAGE_LUT_ENTRY *lut;
3598 if (formula->ucNumOfVoltageEntries > MAX_VOLTAGE_ENTRIES)
3599 return -EINVAL;
3600 lut = &formula->asVIDAdjustEntries[0];
3601 for (i = 0; i < formula->ucNumOfVoltageEntries; i++) {
>>> CID 1192307: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 32 4-byte elements at element index 124 (byte offset 496) by dereferencing pointer "lut".
3602 voltage_table->entries[i].value =
3603 le16_to_cpu(lut->usVoltageValue);
3604 ret = radeon_atom_get_voltage_gpio_settings(rdev,
3605 voltage_table->entries[i].value,
3606 voltage_type,
3607 &voltage_table->entries[i].smio_low,
** CID 1193696: Incorrect expression (COPY_PASTE_ERROR)
/sys/external/bsd/compiler_rt/dist/lib/builtins/udivmoddi4.c: 66 in __udivmoddi4()
________________________________________________________________________________________________________
*** CID 1193696: Incorrect expression (COPY_PASTE_ERROR)
/sys/external/bsd/compiler_rt/dist/lib/builtins/udivmoddi4.c: 66 in __udivmoddi4()
60 {
61 /* K X
62 * ---
63 * 0 0
64 */
65 if (rem)
>>> CID 1193696: Incorrect expression (COPY_PASTE_ERROR)
>>> "low" in "d.s.low" looks like a copy-paste error.
66 *rem = n.s.high % d.s.low;
67 return n.s.high / d.s.low;
68 }
69 /* d.s.high != 0 */
70 if (n.s.low == 0)
71 {
** CID 1198903: Integer handling issues (BAD_SHIFT)
/common/lib/libx86emu/x86emu.c: 6677 in rcr_word()
________________________________________________________________________________________________________
*** CID 1198903: Integer handling issues (BAD_SHIFT)
/common/lib/libx86emu/x86emu.c: 6677 in rcr_word()
6671 if (cnt == 1) {
6672 cf = d & 0x1;
6673 ocf = ACCESS_FLAG(F_CF) != 0;
6674 } else
6675 cf = (d >> (cnt - 1)) & 0x1;
6676 mask = (1 << (16 - cnt)) - 1;
>>> CID 1198903: Integer handling issues (BAD_SHIFT)
>>> In expression "d >> cnt", right shifting "d" by more than 15 bits always yields zero. The shift amount, "cnt", is as much as 16.
6677 res = (d >> cnt) & mask;
6678 res |= (d << (17 - cnt));
6679 if (ACCESS_FLAG(F_CF)) {
6680 res |= 1 << (16 - cnt);
6681 }
6682 CONDITIONAL_SET_FLAG(cf, F_CF);
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1450?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782 .