New Defects reported by Coverity Scan for NetBSD-amd64-kernel
Hi,
Please find the latest report on new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
374 new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan.
635 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 374 defect(s)
** CID 1597793: High impact quality (Y2K38_SAFETY)
/sys/kern/kern_heartbeat.c: 648 in heartbeat()
________________________________________________________________________________________________________
*** CID 1597793: High impact quality (Y2K38_SAFETY)
/sys/kern/kern_heartbeat.c: 648 in heartbeat()
642 /*
643 * If the uptime hasn't changed, make sure that we haven't
644 * counted too many of our own heartbeats since the uptime last
645 * changed, and stop here -- we only do the cross-CPU work once
646 * per second.
647 */
>>> CID 1597793: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "getuptime()" is cast to "unsigned int".
648 uptime = time_uptime;
649 cache = atomic_load_relaxed(&curcpu()->ci_heartbeat_uptime_cache);
650 if (__predict_true(cache == uptime)) {
651 /*
652 * Timecounter hasn't advanced by more than a second.
653 * Make sure the timecounter isn't stuck according to
** CID 1597792: (USER_POINTER)
________________________________________________________________________________________________________
*** CID 1597792: (USER_POINTER)
/sys/kern/kern_proc.c: 2532 in copy_procargs()
2526 size_t xlen;
2527 int j;
2528
2529 if (loaded == 0) {
2530 size_t rem = entry_len * argvlen;
2531 loaded = MIN(rem, PAGE_SIZE);
>>> CID 1597792: (USER_POINTER)
>>> Passing tainted pointer "(void const *)user_argv" to "copyin_vmspace" which dereferences it.
2532 error = copyin_vmspace(vmspace,
2533 (const void *)user_argv, argv, loaded);
2534 if (error)
2535 break;
2536 user_argv += loaded;
2537 i = 0;
/sys/kern/kern_proc.c: 2532 in copy_procargs()
2526 size_t xlen;
2527 int j;
2528
2529 if (loaded == 0) {
2530 size_t rem = entry_len * argvlen;
2531 loaded = MIN(rem, PAGE_SIZE);
>>> CID 1597792: (USER_POINTER)
>>> Passing tainted pointer "(void const *)user_argv" to "copyin_vmspace" which dereferences it.
2532 error = copyin_vmspace(vmspace,
2533 (const void *)user_argv, argv, loaded);
2534 if (error)
2535 break;
2536 user_argv += loaded;
2537 i = 0;
** CID 1597791: High impact quality (Y2K38_SAFETY)
/sys/nfs/nfs_socket.c: 633 in nfs_rephead()
________________________________________________________________________________________________________
*** CID 1597791: High impact quality (Y2K38_SAFETY)
/sys/nfs/nfs_socket.c: 633 in nfs_rephead()
627 #else
628 (void)ktvin.tv_sec;
629 #endif
630
631 *tl++ = rpc_auth_kerb;
632 *tl++ = txdr_unsigned(3 * NFSX_UNSIGNED);
>>> CID 1597791: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ktvout.tv_sec" is cast to "u_int32_t".
633 *tl = ktvout.tv_sec;
634 nfsm_build(tl, u_int32_t *, 3 * NFSX_UNSIGNED);
635 *tl++ = ktvout.tv_usec;
636 *tl++ = txdr_unsigned(
637 kauth_cred_geteuid(nuidp->nu_cr));
638 } else {
** CID 1597790: Memory - illegal accesses (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/i915_vma.h: 111 in i915_vma_unset_userfault()
________________________________________________________________________________________________________
*** CID 1597790: Memory - illegal accesses (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/i915_vma.h: 111 in i915_vma_unset_userfault()
105 GEM_BUG_ON(!i915_vma_is_map_and_fenceable(vma));
106 return test_and_set_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags(vma));
107 }
108
109 static inline void i915_vma_unset_userfault(struct i915_vma *vma)
110 {
>>> CID 1597790: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(unsigned long *)&vma->flags". [Note: The source code implementation of the function has been overridden by a builtin model.]
111 return clear_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags(vma));
112 }
113
114 static inline bool i915_vma_has_userfault(const struct i915_vma *vma)
115 {
116 return test_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags_const(vma));
** CID 1597789: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1597789: (TAINTED_SCALAR)
/sys/external/bsd/drm2/dist/drm/drm_dp_mst_topology.c: 4103 in drm_dp_mst_get_edid()
4097
4098 if (port->cached_edid)
4099 edid = drm_edid_duplicate(port->cached_edid);
4100 else {
4101 edid = drm_get_edid(connector, &port->aux.ddc);
4102 }
>>> CID 1597789: (TAINTED_SCALAR)
>>> Passing tainted expression "edid->extensions" to "drm_detect_monitor_audio", which uses it as a loop boundary.
4103 port->has_audio = drm_detect_monitor_audio(edid);
4104 drm_dp_mst_topology_put_port(port);
4105 return edid;
4106 }
4107 EXPORT_SYMBOL(drm_dp_mst_get_edid);
4108
/sys/external/bsd/drm2/dist/drm/drm_dp_mst_topology.c: 4103 in drm_dp_mst_get_edid()
4097
4098 if (port->cached_edid)
4099 edid = drm_edid_duplicate(port->cached_edid);
4100 else {
4101 edid = drm_get_edid(connector, &port->aux.ddc);
4102 }
>>> CID 1597789: (TAINTED_SCALAR)
>>> Passing tainted expression "edid->extensions" to "drm_detect_monitor_audio", which uses it as a loop boundary.
4103 port->has_audio = drm_detect_monitor_audio(edid);
4104 drm_dp_mst_topology_put_port(port);
4105 return edid;
4106 }
4107 EXPORT_SYMBOL(drm_dp_mst_get_edid);
4108
** CID 1597788: Error handling issues (CHECKED_RETURN)
/sys/dev/usb/if_smsc.c: 302 in smsc_uno_miibus_readreg()
________________________________________________________________________________________________________
*** CID 1597788: Error handling issues (CHECKED_RETURN)
/sys/dev/usb/if_smsc.c: 302 in smsc_uno_miibus_readreg()
296 if (smsc_wait_for_bits(un, SMSC_MII_ADDR, SMSC_MII_BUSY) != 0) {
297 smsc_warn_printf(un, "MII read timeout\n");
298 *val = 0;
299 return ETIMEDOUT;
300 }
301
>>> CID 1597788: Error handling issues (CHECKED_RETURN)
>>> Calling "smsc_readreg" without checking return value (as is done elsewhere 9 out of 10 times).
302 smsc_readreg(un, SMSC_MII_DATA, &data);
303
304 *val = data & 0xffff;
305 return 0;
306 }
307
** CID 1597787: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1597787: (OVERRUN)
/sys/dev/pci/bktr/bktr_core.c: 2904 in rgb_vbi_prog()
2898 split(bktr, (volatile u_int **) &dma_prog,
2899 bktr->y2 - bktr->y, OP_WRITE,
2900 Bpp, (volatile u_char **)(uintptr_t)&target,
2901 cols);
2902 }
2903 if (bktr->yclip != bktr->yclip2) {
>>> CID 1597787: (OVERRUN)
>>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2904 split(bktr, (volatile u_int **) &dma_prog,
2905 bktr->yclip2 - bktr->yclip, OP_SKIP,
2906 Bpp, (volatile u_char **)(uintptr_t)&target, cols);
2907 }
2908
2909 }
/sys/dev/pci/bktr/bktr_core.c: 2834 in rgb_vbi_prog()
2828 *dma_prog++ = htole32(OP_SYNC | BKTR_FM1);
2829 *dma_prog++ = htole32(0); /* NULL WORD */
2830 width = cols;
2831 for (i = 0; i < (rows/interlace); i++) {
2832 target = target_buffer;
2833 if (notclipped(bktr, i, width)) {
>>> CID 1597787: (OVERRUN)
>>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2834 split(bktr, (volatile u_int **) &dma_prog,
2835 bktr->y2 - bktr->y, OP_WRITE,
2836 Bpp, (volatile u_char **)(uintptr_t)&target, cols);
2837
2838 } else {
2839 while(getline(bktr, i)) {
/sys/dev/pci/bktr/bktr_core.c: 2846 in rgb_vbi_prog()
2840 if (bktr->y != bktr->y2) {
2841 split(bktr, (volatile u_int **) &dma_prog,
2842 bktr->y2 - bktr->y, OP_WRITE,
2843 Bpp, (volatile u_char **) (uintptr_t)&target, cols);
2844 }
2845 if (bktr->yclip != bktr->yclip2) {
>>> CID 1597787: (OVERRUN)
>>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2846 split(bktr,(volatile u_int **) &dma_prog,
2847 bktr->yclip2 - bktr->yclip,
2848 OP_SKIP,
2849 Bpp, (volatile u_char **)(uintptr_t)&target, cols);
2850 }
2851 }
/sys/dev/pci/bktr/bktr_core.c: 2892 in rgb_vbi_prog()
2886 *dma_prog++ = htole32(OP_SYNC | BKTR_FM1);
2887 *dma_prog++ = htole32(0); /* NULL WORD */
2888 width = cols;
2889 for (i = 0; i < (rows/interlace); i++) {
2890 target = target_buffer;
2891 if (notclipped(bktr, i, width)) {
>>> CID 1597787: (OVERRUN)
>>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2892 split(bktr, (volatile u_int **) &dma_prog,
2893 bktr->y2 - bktr->y, OP_WRITE,
2894 Bpp, (volatile u_char **)(uintptr_t)&target, cols);
2895 } else {
2896 while(getline(bktr, i)) {
2897 if (bktr->y != bktr->y2) {
/sys/dev/pci/bktr/bktr_core.c: 2841 in rgb_vbi_prog()
2835 bktr->y2 - bktr->y, OP_WRITE,
2836 Bpp, (volatile u_char **)(uintptr_t)&target, cols);
2837
2838 } else {
2839 while(getline(bktr, i)) {
2840 if (bktr->y != bktr->y2) {
>>> CID 1597787: (OVERRUN)
>>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2841 split(bktr, (volatile u_int **) &dma_prog,
2842 bktr->y2 - bktr->y, OP_WRITE,
2843 Bpp, (volatile u_char **) (uintptr_t)&target, cols);
2844 }
2845 if (bktr->yclip != bktr->yclip2) {
2846 split(bktr,(volatile u_int **) &dma_prog,
/sys/dev/pci/bktr/bktr_core.c: 2898 in rgb_vbi_prog()
2892 split(bktr, (volatile u_int **) &dma_prog,
2893 bktr->y2 - bktr->y, OP_WRITE,
2894 Bpp, (volatile u_char **)(uintptr_t)&target, cols);
2895 } else {
2896 while(getline(bktr, i)) {
2897 if (bktr->y != bktr->y2) {
>>> CID 1597787: (OVERRUN)
>>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target".
2898 split(bktr, (volatile u_int **) &dma_prog,
2899 bktr->y2 - bktr->y, OP_WRITE,
2900 Bpp, (volatile u_char **)(uintptr_t)&target,
2901 cols);
2902 }
2903 if (bktr->yclip != bktr->yclip2) {
** CID 1597786: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 1597786: Uninitialized variables (UNINIT)
/sys/dev/pci/if_iwi.c: 2395 in iwi_config()
2389 nchan++;
2390 }
2391 power.nchan = nchan;
2392
2393 power.mode = IWI_MODE_11G;
2394 DPRINTF(("Setting .11g channels tx power\n"));
>>> CID 1597786: Uninitialized variables (UNINIT)
>>> Using uninitialized value "power". Field "power.chan" is uninitialized when calling "iwi_cmd".
2395 error = iwi_cmd(sc, IWI_CMD_SET_TX_POWER, &power, sizeof power, 0);
2396 if (error != 0)
2397 return error;
2398
2399 power.mode = IWI_MODE_11B;
2400 DPRINTF(("Setting .11b channels tx power\n"));
** CID 1597785: Memory - illegal accesses (OVERRUN)
________________________________________________________________________________________________________
*** CID 1597785: Memory - illegal accesses (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/gt/intel_lrc.c: 2076 in execlists_dequeue()
2070
2071 while ((rb = rb_first_cached(&execlists->queue))) {
2072 struct i915_priolist *p = to_priolist(rb);
2073 struct i915_request *rq, *rn;
2074 int i;
2075
>>> CID 1597785: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 64 bytes at byte offset 1008 by dereferencing pointer "&p->requests[i]".
2076 priolist_for_each_request_consume(rq, rn, p, i) {
2077 bool merge = true;
2078
2079 /*
2080 * Can we combine this request with the current port?
2081 * It has to be the same context/ringbuffer and not
** CID 1597784: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_ttm.c: 857 in radeon_ttm_tt_unpopulate()
________________________________________________________________________________________________________
*** CID 1597784: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/drm2/dist/drm/radeon/radeon_ttm.c: 857 in radeon_ttm_tt_unpopulate()
851 #endif
852 struct radeon_ttm_tt *gtt = radeon_ttm_tt_to_gtt(ttm);
853 bool slave = !!(ttm->page_flags & TTM_PAGE_FLAG_SG);
854
855 #ifdef __NetBSD__
856 if (slave && ttm->sg) {
>>> CID 1597784: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "gtt", which is known to be "NULL".
857 bus_dmamap_unload(ttm->bdev->dmat, gtt->ttm.dma_address);
858 }
859 #endif
860 if (gtt && gtt->userptr) {
861 kfree(ttm->sg);
862 ttm->page_flags &= ~TTM_PAGE_FLAG_SG;
** CID 1597783: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1597783: (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 3267 in intel_plane_compute_gtt()
3261 * big plane sizes and suitably misaligned
3262 * offsets.
3263 */
3264 return intel_plane_check_stride(plane_state);
3265 }
3266
>>> CID 1597783: (OVERRUN)
>>> Overrunning struct type drm_framebuffer of 200 bytes by passing it to a function which accesses it at byte offset 295.
3267 intel_fill_fb_ggtt_view(&plane_state->view, &fb->base, rotation);
3268
3269 for (i = 0; i < num_planes; i++) {
3270 plane_state->color_plane[i].stride = intel_fb_pitch(&fb->base, i, rotation);
3271 plane_state->color_plane[i].offset = 0;
3272
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 3270 in intel_plane_compute_gtt()
3264 return intel_plane_check_stride(plane_state);
3265 }
3266
3267 intel_fill_fb_ggtt_view(&plane_state->view, &fb->base, rotation);
3268
3269 for (i = 0; i < num_planes; i++) {
>>> CID 1597783: (OVERRUN)
>>> Overrunning struct type drm_framebuffer of 200 bytes by passing it to a function which accesses it at byte offset 295.
3270 plane_state->color_plane[i].stride = intel_fb_pitch(&fb->base, i, rotation);
3271 plane_state->color_plane[i].offset = 0;
3272
3273 if (drm_rotation_90_or_270(rotation)) {
3274 plane_state->color_plane[i].x = fb->rotated[i].x;
3275 plane_state->color_plane[i].y = fb->rotated[i].y;
** CID 1597782: Memory - corruptions (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 7558 in intel_crtc_disable_noatomic()
________________________________________________________________________________________________________
*** CID 1597782: Memory - corruptions (OVERRUN)
/sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 7558 in intel_crtc_disable_noatomic()
7552 for_each_power_domain(domain, domains)
7553 intel_display_power_put_unchecked(dev_priv, domain);
7554 crtc->enabled_power_domains = 0;
7555
7556 dev_priv->active_pipes &= ~BIT(pipe);
7557 dev_priv->min_cdclk[pipe] = 0;
>>> CID 1597782: Memory - corruptions (OVERRUN)
>>> Overrunning array "dev_priv->min_voltage_level" of 4 bytes at byte offset 64 using index "pipe_drmhack" (which evaluates to 64).
7558 dev_priv->min_voltage_level[pipe] = 0;
7559
7560 bw_state->data_rate[pipe] = 0;
7561 bw_state->num_active_planes[pipe] = 0;
7562 }
7563
** CID 1597781: Null pointer dereferences (FORWARD_NULL)
/sys/kern/vfs_syscalls.c: 609 in do_sys_mount()
________________________________________________________________________________________________________
*** CID 1597781: Null pointer dereferences (FORWARD_NULL)
/sys/kern/vfs_syscalls.c: 609 in do_sys_mount()
603 goto done;
604 }
605 error = mount_getargs(l, vp, path, flags, data_buf, &data_len);
606 if (error != 0)
607 goto done;
608 if (data_seg == UIO_USERSPACE)
>>> CID 1597781: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "data" to "copyout", which dereferences it.
609 error = copyout(data_buf, data, data_len);
610 *retval = data_len;
611 } else if (flags & MNT_UPDATE) {
612 error = mount_update(l, vp, path, flags, data_buf, &data_len);
613 } else {
614 /* Locking is handled internally in mount_domount(). */
** CID 1597780: (BUFFER_SIZE)
/sys/nfs/nfs_bootdhcp.c: 829 in bootp_extract()
/sys/nfs/nfs_bootdhcp.c: 823 in bootp_extract()
________________________________________________________________________________________________________
*** CID 1597780: (BUFFER_SIZE)
/sys/nfs/nfs_bootdhcp.c: 829 in bootp_extract()
823 strncpy(hostname, myname, sizeof(hostname));
824 hostnamelen = mynamelen;
825 printf("nfs_boot: my_name=%s\n", hostname);
826 }
827 if (mydomain) {
828 mydomain[mydomainlen] = '\0';
>>> CID 1597780: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 256 bytes on destination array "domainname" of size 256 bytes might leave the destination string unterminated.
829 strncpy(domainname, mydomain, sizeof(domainname));
830 domainnamelen = mydomainlen;
831 printf("nfs_boot: my_domain=%s\n", domainname);
832 }
833 if (!(*flags & NFS_BOOT_HAS_MYIP)) {
834 nd->nd_myip = bootp->bp_yiaddr;
/sys/nfs/nfs_bootdhcp.c: 823 in bootp_extract()
817
818 /*
819 * Store and print network config info.
820 */
821 if (myname) {
822 myname[mynamelen] = '\0';
>>> CID 1597780: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 256 bytes on destination array "hostname" of size 256 bytes might leave the destination string unterminated.
823 strncpy(hostname, myname, sizeof(hostname));
824 hostnamelen = mynamelen;
825 printf("nfs_boot: my_name=%s\n", hostname);
826 }
827 if (mydomain) {
828 mydomain[mydomainlen] = '\0';
** CID 1597779: High impact quality (Y2K38_SAFETY)
/sys/net/npf/npf_conn.c: 280 in conn_update_atime()
________________________________________________________________________________________________________
*** CID 1597779: High impact quality (Y2K38_SAFETY)
/sys/net/npf/npf_conn.c: 280 in conn_update_atime()
274 static inline void
275 conn_update_atime(npf_conn_t *con)
276 {
277 struct timespec tsnow;
278
279 getnanouptime(&tsnow);
>>> CID 1597779: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "tsnow.tv_sec" is cast to "uint32_t".
280 atomic_store_relaxed(&con->c_atime, tsnow.tv_sec);
281 }
282
283 /*
284 * npf_conn_check: check that:
285 *
** CID 1597778: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1597778: Memory - corruptions (OVERRUN)
/sys/kern/vfs_vnode.c: 1614 in vcache_get()
1608 mutex_exit(&vcache_lock);
1609 goto again;
1610 }
1611 vp = VIMPL_TO_VNODE(vip);
1612 mutex_enter(vp->v_interlock);
1613 mutex_exit(&vcache_lock);
>>> CID 1597778: Memory - corruptions (OVERRUN)
>>> Overrunning struct type vnode of 256 bytes by passing it to a function which accesses it at byte offset 575.
1614 error = vcache_vget(vp);
1615 if (error == ENOENT)
1616 goto again;
1617 if (error == 0)
1618 *vpp = vp;
1619 KASSERT((error != 0) == (*vpp == NULL));
** CID 1597777: Memory - corruptions (OVERRUN)
/sys/dev/pci/if_iavf.c: 4858 in iavf_config_rss_lut()
________________________________________________________________________________________________________
*** CID 1597777: Memory - corruptions (OVERRUN)
/sys/dev/pci/if_iavf.c: 4858 in iavf_config_rss_lut()
4852 rss_lut->lut_entries = htole16(IXL_RSS_VSI_LUT_SIZE);
4853
4854 lut = rss_lut->lut;
4855 for (i = 0; i < IXL_RSS_VSI_LUT_SIZE; i++) {
4856 v = i % sc->sc_nqueue_pairs;
4857 v &= IAVF_RSS_VSI_LUT_ENTRY_MASK;
>>> CID 1597777: Memory - corruptions (OVERRUN)
>>> Overrunning array of 1 bytes at byte offset 63 by dereferencing pointer "lut + i".
4858 lut[i] = v;
4859 }
4860
4861 memset(&iaq, 0, sizeof(iaq));
4862 iaq.iaq_flags = htole16(IXL_AQ_BUF | IXL_AQ_RD);
4863 iaq.iaq_opcode = htole16(IAVF_AQ_OP_SEND_TO_PF);
** CID 1597776: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1597776: Insecure data handling (TAINTED_SCALAR)
/sys/dev/pci/viomb.c: 472 in deflate_done()
466 r = virtio_dequeue(vsc, vq, &slot, NULL);
467 if (r != 0) {
468 printf("%s: deflate dequeue failed, errno %d\n",
469 device_xname(sc->sc_dev), r);
470 return 1;
471 }
>>> CID 1597776: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "slot" to "virtio_dequeue_commit", which uses it as an offset.
472 virtio_dequeue_commit(vsc, vq, slot);
473
474 b = &sc->sc_req;
475 nvpages = b->bl_nentries;
476 bus_dmamap_sync(virtio_dmat(vsc), b->bl_dmamap,
477 0,
** CID 1597775: High impact quality (Y2K38_SAFETY)
/sys/kern/init_sysctl.c: 1585 in fill_lwp()
________________________________________________________________________________________________________
*** CID 1597775: High impact quality (Y2K38_SAFETY)
/sys/kern/init_sysctl.c: 1585 in fill_lwp()
1579 kl->l_usrpri = l->l_priority;
1580 if (l->l_wchan)
1581 strncpy(kl->l_wmesg, l->l_wmesg, sizeof(kl->l_wmesg));
1582 COND_SET_VALUE(kl->l_wchan, PTRTOUINT64(l->l_wchan), allowaddr);
1583 kl->l_cpuid = cpu_index(l->l_cpu);
1584 bintime2timeval(&l->l_rtime, &tv);
>>> CID 1597775: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "tv.tv_sec" is cast to "uint32_t".
1585 kl->l_rtime_sec = tv.tv_sec;
1586 kl->l_rtime_usec = tv.tv_usec;
1587 kl->l_cpticks = l->l_cpticks;
1588 kl->l_pctcpu = l->l_pctcpu;
1589 kl->l_pid = p->p_pid;
1590 if (l->l_name == NULL)
1591 kl->l_name[0] = '\0';
1592 else
1593 strlcpy(kl->l_name, l->l_name, sizeof(kl->l_name));
** CID 1597774: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1597774: Insecure data handling (TAINTED_SCALAR)
/sys/dev/usb/usb.c: 1016 in usbioctl()
1010 if (uio.uio_rw == UIO_WRITE) {
1011 error = uiomove(ptr, len, &uio);
1012 if (error)
1013 goto ret;
1014 }
1015 }
>>> CID 1597774: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "ur->ucr_request.wLength" to "usbd_do_request_flags", which uses it as an offset.
1016 err = usbd_do_request_flags(sc->sc_bus->ub_devices[dindex],
1017 &ur->ucr_request, ptr, ur->ucr_flags, &ur->ucr_actlen,
1018 USBD_DEFAULT_TIMEOUT);
1019 if (err) {
1020 error = EIO;
1021 goto ret;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4Nbbca-2Bj5xy89KZAbuSS8zMLC60P5V6fdfclLrUYTWooJPiyx0UnOPSgi6MZBtBUA-3Dx0ZR_-2BwJ6JLtSrHuOVjqcF3J-2Fw6dcxx-2BEOKIuJ3YCALi-2FTyo1Iew7xgdlsaa2ABe1UuN8E3zoypTbh2jhv6-2FUZzF1Y5MRM-2FebUtHt107THvS66csNdIjr4m-2BDXFQ95GnbaeIhlmOs95VKqPktmSR0aefze69OuDJdtF1PpodsyJYjWlGCBZiN-2BSnoltQQ6FnTxZvNcFAMcmkTj13WWD8tKl1qUQ-3D-3D