Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
12 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan. 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 12 of 12 defect(s)
** CID 1288934: Memory – illegal accesses (USE_AFTER_FREE)
______________________________________________________________________________________________________ * CID 1288934: Memory – illegal accesses (USE_AFTER_FREE) /external/bsd/mdocml/dist/mdoc_validate.c: 814 in post_fo() 808 } 809 if (n->child != n->last) { 810 mandoc_vmsg(MANDOCERR_ARG_EXCESS, mdoc->parse, 811 n->child->next->line, n->child->next->pos, 812 "Fo ... %s", n->child->next->string); 813 while (n->child != n->last)
CID 1288934: Memory – illegal accesses (USE_AFTER_FREE) Calling “roff_node_delete” dereferences freed pointer “n->last”.
814 roff_node_delete(mdoc, n->last); 815 } 816 817 post_fname(mdoc); 818 } 819
** CID 1349652: (SECURE_TEMP) /external/bsd/mdocml/dist/tag.c: 89 in tag_init() /external/bsd/mdocml/dist/tag.c: 91 in tag_init()
______________________________________________________________________________________________________ * CID 1349652: (SECURE_TEMP) /external/bsd/mdocml/dist/tag.c: 89 in tag_init() 83 /* Create both temporary output files. */ 84 85 (void)strlcpy(tag_files.ofn, "/tmp/man.XXXXXXXXXX", 86 sizeof(tag_files.ofn)); 87 (void)strlcpy(tag_files.tfn, "/tmp/man.XXXXXXXXXX", 88 sizeof(tag_files.tfn));
CID 1349652: (SECURE_TEMP) Calling “mkstemp” without securely setting umask first.
89 if ((ofd = mkstemp(tag_files.ofn)) == -1) 90 goto fail; 91 if ((tag_files.tfd = mkstemp(tag_files.tfn)) == -1) 92 goto fail; 93 if (dup2(ofd, STDOUT_FILENO) == -1) 94 goto fail; /external/bsd/mdocml/dist/tag.c: 91 in tag_init() 85 (void)strlcpy(tag_files.ofn, "/tmp/man.XXXXXXXXXX", 86 sizeof(tag_files.ofn)); 87 (void)strlcpy(tag_files.tfn, "/tmp/man.XXXXXXXXXX", 88 sizeof(tag_files.tfn)); 89 if ((ofd = mkstemp(tag_files.ofn)) == -1) 90 goto fail;
CID 1349652: (SECURE_TEMP) Calling “mkstemp” without securely setting umask first.
91 if ((tag_files.tfd = mkstemp(tag_files.tfn)) == -1) 92 goto fail; 93 if (dup2(ofd, STDOUT_FILENO) == -1) 94 goto fail; 95 close(ofd); 96
** CID 1349665: Integer handling issues (NEGATIVE_RETURNS)
______________________________________________________________________________________________________ * CID 1349665: Integer handling issues (NEGATIVE_RETURNS) /external/bsd/mdocml/dist/mdoc_macro.c: 1476 in phrase_ta() 1470 } 1471 1472 /* Advance to the next column. */ 1473 1474 rew_last(mdoc, body); 1475 roff_body_alloc(mdoc, line, ppos, MDOC_It);
CID 1349665: Integer handling issues (NEGATIVE_RETURNS) Passing negative constant “-1” to a parameter that cannot be negative.
1476 parse_rest(mdoc, TOKEN_NONE, line, pos, buf);
** CID 1349674: Null pointer dereferences (FORWARD_NULL) /external/bsd/mdocml/dist/mdoc_macro.c: 1456 in phrase_ta()
______________________________________________________________________________________________________ * CID 1349674: Null pointer dereferences (FORWARD_NULL) /external/bsd/mdocml/dist/mdoc_macro.c: 1456 in phrase_ta() 1450 phrase_ta(MACRO_PROT_ARGS) 1451 { 1452 struct roff_node *body, *n; 1453 1454 /* Make sure we are in a column list or ignore this macro. */ 1455
CID 1349674: Null pointer dereferences (FORWARD_NULL) Assigning: “body” = “NULL”.
1456 body = NULL; 1457 for (n = mdoc->last; n != NULL; n = n->parent) { 1458 if (n->flags & MDOC_ENDED) 1459 continue; 1460 if (n->tok == MDOC_It && n->type == ROFFT_BODY) 1461 body = n;
** CID 1349675: Null pointer dereferences (FORWARD_NULL) /external/bsd/mdocml/dist/read.c: 691 in mparse_end()
______________________________________________________________________________________________________ * CID 1349675: Null pointer dereferences (FORWARD_NULL) /external/bsd/mdocml/dist/read.c: 691 in mparse_end() 685 mparse_end(struct mparse *curp) 686 { 687 688 if (curp->man == NULL && curp->sodest == NULL) 689 curp->man = roff_man_alloc(curp->roff, curp, curp->defos, 690 curp->options & MPARSE_QUICK ? 1 : 0);
CID 1349675: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer “curp->man”.
691 if (curp->man->macroset == MACROSET_NONE) 692 curp->man->macroset = MACROSET_MAN; 693 if (curp->man->macroset == MACROSET_MDOC) 694 mdoc_endparse(curp->man); 695 else 696 man_endparse(curp->man);
** CID 1364143: Memory – illegal accesses (OVERRUN) /sys/kern/kern_event.c: 946 in kqueue_register()
______________________________________________________________________________________________________ * CID 1364143: Memory – illegal accesses (OVERRUN) /sys/kern/kern_event.c: 946 in kqueue_register() 940 || (fp = fd_getfile(fd = kev->ident)) == NULL) { 941 rw_exit(&kqueue_filter_lock); 942 kmem_free(newkn, sizeof(*newkn)); 943 return EBADF; 944 } 945 mutex_enter(&fdp->fd_lock);
CID 1364143: Memory – illegal accesses (OVERRUN) Overrunning array “fdp->fd_dt->dt_ff” of 20 4-byte elements at element index 2147483647 (byte offset 8589934588) using index “fd” (which evaluates to 2147483647).
946 ff = fdp->fd_dt->dt_ff[fd]; 947 if (fd <= fdp->fd_lastkqfile) { 948 SLIST_FOREACH(kn, &ff->ff_knlist, kn_link) { 949 if (kq == kn->kn_kq && 950 kev->filter == kn->kn_filter) 951 break;
** CID 1364144: Memory – corruptions (OVERRUN) /sys/kern/kern_event.c: 939 in kqueue_register()
______________________________________________________________________________________________________ * CID 1364144: Memory – corruptions (OVERRUN) /sys/kern/kern_event.c: 939 in kqueue_register() 933 } 934 935 /* search if knote already exists */ 936 if (kfilter->filtops->f_isfd) { 937 /* monitoring a file descriptor */ 938 /* validate descriptor */
CID 1364144: Memory – corruptions (OVERRUN) Assigning: “fd” = “kev->ident”. The value of “fd” may now be up to 2147483647.
939 if (kev->ident > INT_MAX 940 || (fp = fd_getfile(fd = kev->ident)) == NULL) { 941 rw_exit(&kqueue_filter_lock); 942 kmem_free(newkn, sizeof(*newkn)); 943 return EBADF; 944 }
** CID 1364145: Error handling issues (CHECKED_RETURN) /home/phil/cov/xsrc/external/mit/MesaLib/dist/src/mesa/drivers/dri/i965/brw_program.c: 51 in get_new_program_id()
______________________________________________________________________________________________________ * CID 1364145: Error handling issues (CHECKED_RETURN) /home/phil/cov/xsrc/external/mit/MesaLib/dist/src/mesa/drivers/dri/i965/brw_program.c: 51 in get_new_program_id() 45 #include "brw_wm.h" 46 47 static unsigned 48 get_new_program_id(struct intel_screen *screen) 49 { 50 static pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
CID 1364145: Error handling issues (CHECKED_RETURN) Calling “__libc_mutex_lock” without checking return value (as is done elsewhere 24 out of 28 times).
51 pthread_mutex_lock(&m); 52 unsigned id = screen->program_id++; 53 pthread_mutex_unlock(&m); 54 return id; 55 } 56
** CID 1364146: Error handling issues (CHECKED_RETURN) /crypto/external/bsd/openssl/dist/crypto/threads/mttest.c: 959 in thread_setup()
______________________________________________________________________________________________________ * CID 1364146: Error handling issues (CHECKED_RETURN) /crypto/external/bsd/openssl/dist/crypto/threads/mttest.c: 959 in thread_setup() 953 int i; 954 955 lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); 956 lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); 957 for (i = 0; i < CRYPTO_num_locks(); i++) { 958 lock_count[i] = 0;
CID 1364146: Error handling issues (CHECKED_RETURN) Calling “__libc_mutex_init” without checking return value (as is done elsewhere 4 out of 5 times).
959 pthread_mutex_init(&(lock_cs[i]), NULL); 960 } 961 962 CRYPTO_set_id_callback((unsigned long (*)(void))pthreads_thread_id); 963 CRYPTO_set_locking_callback((void (*)(int, int, const char *, int))pthreads_locking_callback); 964 }
** CID 1364147: Error handling issues (CHECKED_RETURN) /home/phil/cov/xsrc/external/mit/MesaLib/dist/src/glx/glxcurrent.c: 220 in MakeContextCurrent()
______________________________________________________________________________________________________ * CID 1364147: Error handling issues (CHECKED_RETURN) /home/phil/cov/xsrc/external/mit/MesaLib/dist/src/glx/glxcurrent.c: 220 in MakeContextCurrent() 214 if ((gc != NULL) && (gc->xid == None)) { 215 return GL_FALSE; 216 } 217 218 _glapi_check_multithread(); 219
CID 1364147: Error handling issues (CHECKED_RETURN) Calling “__libc_mutex_lock” without checking return value (as is done elsewhere 24 out of 28 times).
220 __glXLock(); 221 if (oldGC == gc && 222 gc->currentDrawable == draw && gc->currentReadable == read) { 223 __glXUnlock(); 224 return True; 225 }
** CID 1364148: Error handling issues (CHECKED_RETURN) /tests/lib/libpthread/h_resolv.c: 113 in resolvone()
______________________________________________________________________________________________________ * CID 1364148: Error handling issues (CHECKED_RETURN) /tests/lib/libpthread/h_resolv.c: 113 in resolvone() 107 error = getaddrinfo(host, NULL, NULL, &res); 108 if (debug) { 109 len = snprintf(buf, sizeof(buf), "%p: host %s %s\n", 110 self, host, error ? "not found" : "ok"); 111 (void)write(STDOUT_FILENO, buf, len); 112 }
CID 1364148: Error handling issues (CHECKED_RETURN) Calling “__libc_mutex_lock” without checking return value (as is done elsewhere 24 out of 28 times).
113 pthread_mutex_lock(&stats); 114 ask[i]++; 115 got[i] += error == 0; 116 pthread_mutex_unlock(&stats); 117 if (error == 0) 118 freeaddrinfo(res);
** CID 1364149: Error handling issues (CHECKED_RETURN) /tests/lib/libpthread/t_mutex.c: 59 in mutex1_threadfunc()
______________________________________________________________________________________________________ * CID 1364149: Error handling issues (CHECKED_RETURN) /tests/lib/libpthread/t_mutex.c: 59 in mutex1_threadfunc() 53 int *param; 54 55 printf("2: Second thread.\n"); 56 57 param = arg; 58 printf("2: Locking mutex\n");
CID 1364149: Error handling issues (CHECKED_RETURN) Calling “__libc_mutex_lock” without checking return value (as is done elsewhere 24 out of 28 times).
59 pthread_mutex_lock(&mutex); 60 printf("2: Got mutex. *param = %d\n", *param); 61 ATF_REQUIRE_EQ(*param, 20); 62 (*param)++; 63 64 pthread_mutex_unlock(&mutex);
______________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/netbsd-i386-user?tab=overview