* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Joel Sherrill @ 2022-08-29 23:09 UTC
To: Newlib
Hi
I quit running Coverity on newlib as part of the repositories analysed as
part of RTEMS BUT I had to update the version of cov-analysis we used and
wanted to make sure the scripting stayed working.
These issues were flagged since the last time we ran it. Some look like
they need attention.
--joel
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Aug 29, 2022 at 5:56 PM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS-Newlib
found with Coverity Scan.
10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)
** CID 398779: (UNINIT)
________________________________________________________________________________________________________
*** CID 398779: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
454 in _swscanf_r()
448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
449 f._read = __seofread;
450 f._ub._base = NULL;
451 f._lb._base = NULL;
452 f._file = -1; /* No file. */
453 va_start (ap, fmt);
>>> CID 398779: (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
455 va_end (ap);
456 return ret;
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
454 in _swscanf_r()
448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
449 f._read = __seofread;
450 f._ub._base = NULL;
451 f._lb._base = NULL;
452 f._file = -1; /* No file. */
453 va_start (ap, fmt);
>>> CID 398779: (UNINIT)
>>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
455 va_end (ap);
456 return ret;
** CID 398778: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
18 in sleep()
________________________________________________________________________________________________________
*** CID 398778: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
18 in sleep()
12 {
13 struct timespec ts;
14
15 ts.tv_sec = seconds;
16 ts.tv_nsec = 0;
17 if (!nanosleep(&ts,&ts)) return 0;
>>> CID 398778: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
18 if (errno == EINTR) return ts.tv_sec;
19 return -1;
20 }
21
** CID 398777: (UNINIT)
________________________________________________________________________________________________________
*** CID 398777: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
432 in swscanf()
426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
427 f._read = __seofread;
428 f._ub._base = NULL;
429 f._lb._base = NULL;
430 f._file = -1; /* No file. */
431 va_start (ap, fmt);
>>> CID 398777: (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
433 va_end (ap);
434 return ret;
435 }
436
437 #endif /* !_REENT_ONLY */
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
432 in swscanf()
426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
427 f._read = __seofread;
428 f._ub._base = NULL;
429 f._lb._base = NULL;
430 f._file = -1; /* No file. */
431 va_start (ap, fmt);
>>> CID 398777: (UNINIT)
>>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
433 va_end (ap);
434 return ret;
435 }
436
437 #endif /* !_REENT_ONLY */
** CID 398776: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
44 in time()
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
45 in time()
________________________________________________________________________________________________________
*** CID 398776: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
44 in time()
38 struct timeval now;
39
40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
41 now.tv_sec = (time_t) -1;
42
43 if (t)
>>> CID 398776: (UNINIT)
>>> Using uninitialized value "now.tv_sec".
44 *t = now.tv_sec;
45 return now.tv_sec;
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
45 in time()
39
40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
41 now.tv_sec = (time_t) -1;
42
43 if (t)
44 *t = now.tv_sec;
>>> CID 398776: (UNINIT)
>>> Using uninitialized value "now.tv_sec".
45 return now.tv_sec;
** CID 398775: (UNINIT)
________________________________________________________________________________________________________
*** CID 398775: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
57 in _vswscanf_r()
51 f._bf._base = f._p = (unsigned char *) str;
52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
53 f._read = __seofread;
54 f._ub._base = NULL;
55 f._lb._base = NULL;
56 f._file = -1; /* No file. */
>>> CID 398775: (UNINIT)
>>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
57 in _vswscanf_r()
51 f._bf._base = f._p = (unsigned char *) str;
52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
53 f._read = __seofread;
54 f._ub._base = NULL;
55 f._lb._base = NULL;
56 f._file = -1; /* No file. */
>>> CID 398775: (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
** CID 398774: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 398774: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
93 in _rs_stir()
87 u_char rnd[KEYSZ + IVSZ];
88
89 if (getentropy(rnd, sizeof rnd) == -1)
90 _getentropy_fail();
91
92 if (!rs)
>>> CID 398774: Uninitialized variables (UNINIT)
>>> Using uninitialized element of array "rnd" when calling "_rs_init".
93 _rs_init(rnd, sizeof(rnd));
94 else
95 _rs_rekey(rnd, sizeof(rnd));
96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
97
98 /* invalidate rs_buf */
** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
55 in __kernel_tanf()
________________________________________________________________________________________________________
*** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
55 in __kernel_tanf()
49 __int32_t ix,hx;
50 GET_FLOAT_WORD(hx,x);
51 ix = hx&0x7fffffff; /* high word of |x| */
52 if(ix<0x31800000) /* x < 2**-28 */
53 {if((int)x==0) { /* generate inexact */
54 if((ix|(iy+1))==0) return one/fabsf(x);
>>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> In expression "-1f / x", division by expression "x" which may be
zero has undefined behavior.
55 else return (iy==1)? x: -one/x;
56 }
57 }
58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
59 if(hx<0) {x = -x; y = -y;}
60 z = pio4-x;
** CID 398772: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 398772: Memory - corruptions (OVERRUN)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
1044 in bothcases()
1038 assert(othercase(ch) != ch); /* p_bracket() would
recurse */
1039 p->next = bracket;
1040 p->end = bracket+2;
1041 bracket[0] = ch;
1042 bracket[1] = ']';
1043 bracket[2] = '\0';
>>> CID 398772: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing it
to a function which accesses it at byte offset 4.
1044 p_bracket(p);
1045 assert(p->next == bracket+2);
1046 p->next = oldnext;
1047 p->end = oldend;
1048 }
1049
** CID 398771: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
18 in usleep()
________________________________________________________________________________________________________
*** CID 398771: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
18 in usleep()
12 {
13 struct timespec ts;
14
15 ts.tv_sec = (long int)useconds / 1000000;
16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
17 if (!nanosleep(&ts,&ts)) return 0;
>>> CID 398771: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "ts.tv_sec" is cast to "int".
18 if (errno == EINTR) return ts.tv_sec;
19 return -1;
20 }
21
** CID 378851: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 378851: Memory - corruptions (OVERRUN)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
1090 in nonnewline()
1084 p->next = bracket;
1085 p->end = bracket+3;
1086 bracket[0] = '^';
1087 bracket[1] = '\n';
1088 bracket[2] = ']';
1089 bracket[3] = '\0';
>>> CID 378851: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing it
to a function which accesses it at byte offset 4.
1090 p_bracket(p);
1091 assert(p->next == bracket+3);
1092 p->next = oldnext;
1093 p->end = oldend;
1094 }
1095
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Jeff Johnston @ 2022-08-30 19:03 UTC
To: joel; +Cc: Newlib
Thanks Joel for bringing this to our attention.
-- Jeff J.
On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
> Hi
>
> I quit running Coverity on newlib as part of the repositories analysed as
> part of RTEMS BUT I had to update the version of cov-analysis we used and
> wanted to make sure the scripting stayed working.
>
> These issues were flagged since the last time we ran it. Some look like
> they need attention.
>
> --joel
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Aug 29, 2022 at 5:56 PM
> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
> To: <joel.sherrill@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
> found with Coverity Scan.
>
> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 10 of 10 defect(s)
>
>
> ** CID 398779: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398779: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 454 in _swscanf_r()
> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 449 f._read = __seofread;
> 450 f._ub._base = NULL;
> 451 f._lb._base = NULL;
> 452 f._file = -1; /* No file. */
> 453 va_start (ap, fmt);
> >>> CID 398779: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
> 455 va_end (ap);
> 456 return ret;
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 454 in _swscanf_r()
> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 449 f._read = __seofread;
> 450 f._ub._base = NULL;
> 451 f._lb._base = NULL;
> 452 f._file = -1; /* No file. */
> 453 va_start (ap, fmt);
> >>> CID 398779: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
> 455 va_end (ap);
> 456 return ret;
>
> ** CID 398778: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
> 18 in sleep()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398778: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
> 18 in sleep()
> 12 {
> 13 struct timespec ts;
> 14
> 15 ts.tv_sec = seconds;
> 16 ts.tv_nsec = 0;
> 17 if (!nanosleep(&ts,&ts)) return 0;
> >>> CID 398778: High impact quality (Y2K38_SAFETY)
> >>> A "time_t" value is stored in an integer with too few bits to
> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
> 18 if (errno == EINTR) return ts.tv_sec;
> 19 return -1;
> 20 }
> 21
>
> ** CID 398777: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398777: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 432 in swscanf()
> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 427 f._read = __seofread;
> 428 f._ub._base = NULL;
> 429 f._lb._base = NULL;
> 430 f._file = -1; /* No file. */
> 431 va_start (ap, fmt);
> >>> CID 398777: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
> 433 va_end (ap);
> 434 return ret;
> 435 }
> 436
> 437 #endif /* !_REENT_ONLY */
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 432 in swscanf()
> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 427 f._read = __seofread;
> 428 f._ub._base = NULL;
> 429 f._lb._base = NULL;
> 430 f._file = -1; /* No file. */
> 431 va_start (ap, fmt);
> >>> CID 398777: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
> 433 va_end (ap);
> 434 return ret;
> 435 }
> 436
> 437 #endif /* !_REENT_ONLY */
>
> ** CID 398776: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 44 in time()
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 45 in time()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398776: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 44 in time()
> 38 struct timeval now;
> 39
> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
> 41 now.tv_sec = (time_t) -1;
> 42
> 43 if (t)
> >>> CID 398776: (UNINIT)
> >>> Using uninitialized value "now.tv_sec".
> 44 *t = now.tv_sec;
> 45 return now.tv_sec;
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 45 in time()
> 39
> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
> 41 now.tv_sec = (time_t) -1;
> 42
> 43 if (t)
> 44 *t = now.tv_sec;
> >>> CID 398776: (UNINIT)
> >>> Using uninitialized value "now.tv_sec".
> 45 return now.tv_sec;
>
> ** CID 398775: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398775: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
> 57 in _vswscanf_r()
> 51 f._bf._base = f._p = (unsigned char *) str;
> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 53 f._read = __seofread;
> 54 f._ub._base = NULL;
> 55 f._lb._base = NULL;
> 56 f._file = -1; /* No file. */
> >>> CID 398775: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
> 57 in _vswscanf_r()
> 51 f._bf._base = f._p = (unsigned char *) str;
> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 53 f._read = __seofread;
> 54 f._ub._base = NULL;
> 55 f._lb._base = NULL;
> 56 f._file = -1; /* No file. */
> >>> CID 398775: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>
> ** CID 398774: Uninitialized variables (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398774: Uninitialized variables (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
> 93 in _rs_stir()
> 87 u_char rnd[KEYSZ + IVSZ];
> 88
> 89 if (getentropy(rnd, sizeof rnd) == -1)
> 90 _getentropy_fail();
> 91
> 92 if (!rs)
> >>> CID 398774: Uninitialized variables (UNINIT)
> >>> Using uninitialized element of array "rnd" when calling "_rs_init".
> 93 _rs_init(rnd, sizeof(rnd));
> 94 else
> 95 _rs_rekey(rnd, sizeof(rnd));
> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
> 97
> 98 /* invalidate rs_buf */
>
> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
> 55 in __kernel_tanf()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
> 55 in __kernel_tanf()
> 49 __int32_t ix,hx;
> 50 GET_FLOAT_WORD(hx,x);
> 51 ix = hx&0x7fffffff; /* high word of |x| */
> 52 if(ix<0x31800000) /* x < 2**-28 */
> 53 {if((int)x==0) { /* generate inexact */
> 54 if((ix|(iy+1))==0) return one/fabsf(x);
> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
> >>> In expression "-1f / x", division by expression "x" which may be
> zero has undefined behavior.
> 55 else return (iy==1)? x: -one/x;
> 56 }
> 57 }
> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
> 59 if(hx<0) {x = -x; y = -y;}
> 60 z = pio4-x;
>
> ** CID 398772: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398772: Memory - corruptions (OVERRUN)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
> 1044 in bothcases()
> 1038 assert(othercase(ch) != ch); /* p_bracket() would
> recurse */
> 1039 p->next = bracket;
> 1040 p->end = bracket+2;
> 1041 bracket[0] = ch;
> 1042 bracket[1] = ']';
> 1043 bracket[2] = '\0';
> >>> CID 398772: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing it
> to a function which accesses it at byte offset 4.
> 1044 p_bracket(p);
> 1045 assert(p->next == bracket+2);
> 1046 p->next = oldnext;
> 1047 p->end = oldend;
> 1048 }
> 1049
>
> ** CID 398771: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
> 18 in usleep()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398771: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
> 18 in usleep()
> 12 {
> 13 struct timespec ts;
> 14
> 15 ts.tv_sec = (long int)useconds / 1000000;
> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
> 17 if (!nanosleep(&ts,&ts)) return 0;
> >>> CID 398771: High impact quality (Y2K38_SAFETY)
> >>> A "time_t" value is stored in an integer with too few bits to
> accommodate it. The expression "ts.tv_sec" is cast to "int".
> 18 if (errno == EINTR) return ts.tv_sec;
> 19 return -1;
> 20 }
> 21
>
> ** CID 378851: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 378851: Memory - corruptions (OVERRUN)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
> 1090 in nonnewline()
> 1084 p->next = bracket;
> 1085 p->end = bracket+3;
> 1086 bracket[0] = '^';
> 1087 bracket[1] = '\n';
> 1088 bracket[2] = ']';
> 1089 bracket[3] = '\0';
> >>> CID 378851: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing it
> to a function which accesses it at byte offset 4.
> 1090 p_bracket(p);
> 1091 assert(p->next == bracket+3);
> 1092 p->next = oldnext;
> 1093 p->end = oldend;
> 1094 }
> 1095
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-08-30 19:03 ` Jeff Johnston
@ 2022-08-30 19:03 ` Jeff Johnston
2022-08-31 19:16 ` Jeff Johnston
1 sibling, 0 replies; 11+ messages in thread
From: Jeff Johnston @ 2022-08-30 19:03 UTC (permalink / raw)
To: joel; +Cc: Newlib
Thanks Joel for bringing this to our attention.
-- Jeff J.
On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
> Hi
>
> I quit running Coverity on newlib as part of the repositories analysed as
> part of RTEMS BUT I had to update the version of cov-analysis we used and
> wanted to make sure the scripting stayed working.
>
> These issues were flagged since the last time we ran it. Some look like
> they need attention.
>
> --joel
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Aug 29, 2022 at 5:56 PM
> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
> To: <joel.sherrill@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
> found with Coverity Scan.
>
> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 10 of 10 defect(s)
>
>
> ** CID 398779: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398779: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 454 in _swscanf_r()
> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 449 f._read = __seofread;
> 450 f._ub._base = NULL;
> 451 f._lb._base = NULL;
> 452 f._file = -1; /* No file. */
> 453 va_start (ap, fmt);
> >>> CID 398779: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
> 455 va_end (ap);
> 456 return ret;
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 454 in _swscanf_r()
> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 449 f._read = __seofread;
> 450 f._ub._base = NULL;
> 451 f._lb._base = NULL;
> 452 f._file = -1; /* No file. */
> 453 va_start (ap, fmt);
> >>> CID 398779: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
> 455 va_end (ap);
> 456 return ret;
>
> ** CID 398778: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
> 18 in sleep()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398778: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
> 18 in sleep()
> 12 {
> 13 struct timespec ts;
> 14
> 15 ts.tv_sec = seconds;
> 16 ts.tv_nsec = 0;
> 17 if (!nanosleep(&ts,&ts)) return 0;
> >>> CID 398778: High impact quality (Y2K38_SAFETY)
> >>> A "time_t" value is stored in an integer with too few bits to
> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
> 18 if (errno == EINTR) return ts.tv_sec;
> 19 return -1;
> 20 }
> 21
>
> ** CID 398777: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398777: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 432 in swscanf()
> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 427 f._read = __seofread;
> 428 f._ub._base = NULL;
> 429 f._lb._base = NULL;
> 430 f._file = -1; /* No file. */
> 431 va_start (ap, fmt);
> >>> CID 398777: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
> 433 va_end (ap);
> 434 return ret;
> 435 }
> 436
> 437 #endif /* !_REENT_ONLY */
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 432 in swscanf()
> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 427 f._read = __seofread;
> 428 f._ub._base = NULL;
> 429 f._lb._base = NULL;
> 430 f._file = -1; /* No file. */
> 431 va_start (ap, fmt);
> >>> CID 398777: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
> 433 va_end (ap);
> 434 return ret;
> 435 }
> 436
> 437 #endif /* !_REENT_ONLY */
>
> ** CID 398776: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 44 in time()
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 45 in time()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398776: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 44 in time()
> 38 struct timeval now;
> 39
> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
> 41 now.tv_sec = (time_t) -1;
> 42
> 43 if (t)
> >>> CID 398776: (UNINIT)
> >>> Using uninitialized value "now.tv_sec".
> 44 *t = now.tv_sec;
> 45 return now.tv_sec;
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 45 in time()
> 39
> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
> 41 now.tv_sec = (time_t) -1;
> 42
> 43 if (t)
> 44 *t = now.tv_sec;
> >>> CID 398776: (UNINIT)
> >>> Using uninitialized value "now.tv_sec".
> 45 return now.tv_sec;
>
> ** CID 398775: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398775: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
> 57 in _vswscanf_r()
> 51 f._bf._base = f._p = (unsigned char *) str;
> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 53 f._read = __seofread;
> 54 f._ub._base = NULL;
> 55 f._lb._base = NULL;
> 56 f._file = -1; /* No file. */
> >>> CID 398775: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
> 57 in _vswscanf_r()
> 51 f._bf._base = f._p = (unsigned char *) str;
> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 53 f._read = __seofread;
> 54 f._ub._base = NULL;
> 55 f._lb._base = NULL;
> 56 f._file = -1; /* No file. */
> >>> CID 398775: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>
> ** CID 398774: Uninitialized variables (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398774: Uninitialized variables (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
> 93 in _rs_stir()
> 87 u_char rnd[KEYSZ + IVSZ];
> 88
> 89 if (getentropy(rnd, sizeof rnd) == -1)
> 90 _getentropy_fail();
> 91
> 92 if (!rs)
> >>> CID 398774: Uninitialized variables (UNINIT)
> >>> Using uninitialized element of array "rnd" when calling "_rs_init".
> 93 _rs_init(rnd, sizeof(rnd));
> 94 else
> 95 _rs_rekey(rnd, sizeof(rnd));
> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
> 97
> 98 /* invalidate rs_buf */
>
> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
> 55 in __kernel_tanf()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
> 55 in __kernel_tanf()
> 49 __int32_t ix,hx;
> 50 GET_FLOAT_WORD(hx,x);
> 51 ix = hx&0x7fffffff; /* high word of |x| */
> 52 if(ix<0x31800000) /* x < 2**-28 */
> 53 {if((int)x==0) { /* generate inexact */
> 54 if((ix|(iy+1))==0) return one/fabsf(x);
> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
> >>> In expression "-1f / x", division by expression "x" which may be
> zero has undefined behavior.
> 55 else return (iy==1)? x: -one/x;
> 56 }
> 57 }
> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
> 59 if(hx<0) {x = -x; y = -y;}
> 60 z = pio4-x;
>
> ** CID 398772: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398772: Memory - corruptions (OVERRUN)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
> 1044 in bothcases()
> 1038 assert(othercase(ch) != ch); /* p_bracket() would
> recurse */
> 1039 p->next = bracket;
> 1040 p->end = bracket+2;
> 1041 bracket[0] = ch;
> 1042 bracket[1] = ']';
> 1043 bracket[2] = '\0';
> >>> CID 398772: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing it
> to a function which accesses it at byte offset 4.
> 1044 p_bracket(p);
> 1045 assert(p->next == bracket+2);
> 1046 p->next = oldnext;
> 1047 p->end = oldend;
> 1048 }
> 1049
>
> ** CID 398771: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
> 18 in usleep()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398771: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
> 18 in usleep()
> 12 {
> 13 struct timespec ts;
> 14
> 15 ts.tv_sec = (long int)useconds / 1000000;
> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
> 17 if (!nanosleep(&ts,&ts)) return 0;
> >>> CID 398771: High impact quality (Y2K38_SAFETY)
> >>> A "time_t" value is stored in an integer with too few bits to
> accommodate it. The expression "ts.tv_sec" is cast to "int".
> 18 if (errno == EINTR) return ts.tv_sec;
> 19 return -1;
> 20 }
> 21
>
> ** CID 378851: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 378851: Memory - corruptions (OVERRUN)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
> 1090 in nonnewline()
> 1084 p->next = bracket;
> 1085 p->end = bracket+3;
> 1086 bracket[0] = '^';
> 1087 bracket[1] = '\n';
> 1088 bracket[2] = ']';
> 1089 bracket[3] = '\0';
> >>> CID 378851: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing it
> to a function which accesses it at byte offset 4.
> 1090 p_bracket(p);
> 1091 assert(p->next == bracket+3);
> 1092 p->next = oldnext;
> 1093 p->end = oldend;
> 1094 }
> 1095
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-08-30 19:03 ` Jeff Johnston
2022-08-30 19:03 ` Jeff Johnston
@ 2022-08-31 19:16 ` Jeff Johnston
2022-08-31 19:16 ` Jeff Johnston
2022-08-31 19:58 ` Joel Sherrill
1 sibling, 2 replies; 11+ messages in thread
From: Jeff Johnston @ 2022-08-31 19:16 UTC (permalink / raw)
To: joel; +Cc: Newlib
Hi Joel, I will be pushing a patch shortly but see comments below as IMO there
are some false positives.
-- Jeff J.
On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Thanks Joel for bringing this to our attention.
>
> -- Jeff J.
>
> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>
>> Hi
>>
>> I quit running Coverity on newlib as part of the repositories analysed as
>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>> wanted to make sure the scripting stayed working.
>>
>> These issues were flagged since the last time we ran it. Some look like
>> they need attention.
>>
>> --joel
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Aug 29, 2022 at 5:56 PM
>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>> To: <joel.sherrill@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>> found with Coverity Scan.
>>
>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 10 of 10 defect(s)
>>
>>
>> ** CID 398779: (UNINIT)
>>
>>
Fixed.
>
>> ________________________________________________________________________________________________________
>> *** CID 398779: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>>
>>
Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = seconds;
>> 16 ts.tv_nsec = 0;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 398777: (UNINIT)
>>
>>
Fixed. I just initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398777: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> ** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>>
>>
Although this should be a false positive because of gettimeofday_r getting
the address of now, I have initialized the field to -1.
>
>> ________________________________________________________________________________________________________
>> *** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>> 38 struct timeval now;
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 44 *t = now.tv_sec;
>> 45 return now.tv_sec;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> 44 *t = now.tv_sec;
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 45 return now.tv_sec;
>>
>> ** CID 398775: (UNINIT)
>>
>>
>>
Fixed. I initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398775: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> ** CID 398774: Uninitialized variables (UNINIT)
>>
Fixed. I memset the initial array to 0's.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398774: Uninitialized variables (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>> 93 in _rs_stir()
>> 87 u_char rnd[KEYSZ + IVSZ];
>> 88
>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>> 90 _getentropy_fail();
>> 91
>> 92 if (!rs)
>> >>> CID 398774: Uninitialized variables (UNINIT)
>> >>> Using uninitialized element of array "rnd" when calling
>> "_rs_init".
>> 93 _rs_init(rnd, sizeof(rnd));
>> 94 else
>> 95 _rs_rekey(rnd, sizeof(rnd));
>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>> 97
>> 98 /* invalidate rs_buf */
>>
>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>>
>>
>>
This is a false positive. We intend to divide by zero.
>
>> ________________________________________________________________________________________________________
>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>> 49 __int32_t ix,hx;
>> 50 GET_FLOAT_WORD(hx,x);
>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>> 52 if(ix<0x31800000) /* x < 2**-28 */
>> 53 {if((int)x==0) { /* generate inexact */
>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>> >>> In expression "-1f / x", division by expression "x" which may be
>> zero has undefined behavior.
>> 55 else return (iy==1)? x: -one/x;
>> 56 }
>> 57 }
>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>> 59 if(hx<0) {x = -x; y = -y;}
>> 60 z = pio4-x;
>>
>> ** CID 398772: Memory - corruptions (OVERRUN)
>>
I think this is another false positive. I couldn't see where it was accessing
storage without doing a length check first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398772: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1044 in bothcases()
>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>> recurse */
>> 1039 p->next = bracket;
>> 1040 p->end = bracket+2;
>> 1041 bracket[0] = ch;
>> 1042 bracket[1] = ']';
>> 1043 bracket[2] = '\0';
>> >>> CID 398772: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1044 p_bracket(p);
>> 1045 assert(p->next == bracket+2);
>> 1046 p->next = oldnext;
>> 1047 p->end = oldend;
>> 1048 }
>> 1049
>>
>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>>
>>
Fixed. I removed the return as usleep is supposed to return -1 on an EINTR.
>>
>> ________________________________________________________________________________________________________
>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = (long int)useconds / 1000000;
>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 378851: Memory - corruptions (OVERRUN)
>>
>>
Again, I believe this is a false positive. No access of storage without
checking length first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 378851: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1090 in nonnewline()
>> 1084 p->next = bracket;
>> 1085 p->end = bracket+3;
>> 1086 bracket[0] = '^';
>> 1087 bracket[1] = '\n';
>> 1088 bracket[2] = ']';
>> 1089 bracket[3] = '\0';
>> >>> CID 378851: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1090 p_bracket(p);
>> 1091 assert(p->next == bracket+3);
>> 1092 p->next = oldnext;
>> 1093 p->end = oldend;
>> 1094 }
>> 1095
>>
>>
>>
^ permalink raw reply [flat|nested] 11+ messages in thread
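The UNINIT findings triaged in the message above (CIDs 398779, 398777 and 398775) share one pattern: a stack FILE object has some members assigned and is then passed to __ssvfwscanf_r, which may read the rest. The C sketch below is an added example, not newlib code and not the patch mentioned in the thread; struct fake_file, its layout, the 0xA5 poison fill and the helper names are assumptions for illustration, with only the member names taken from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical stand-in for newlib's FILE. Only the member names quoted in
   the Coverity report are mirrored; layout and types are assumptions. */
struct fake_buf { unsigned char *_base; int _size; };
struct fake_file {
    unsigned char *_p;      /* current read position */
    int _r;                 /* bytes left to read */
    int _flags2;            /* reported as uninitialized */
    int _ur;                /* reported as uninitialized */
    short _file;            /* descriptor, -1 for string streams */
    struct fake_buf _bf, _ub, _lb;
};

/* Emulate whatever an earlier stack frame left behind. Writing the bytes
   with memset keeps the later reads well defined, unlike a real read of an
   uninitialized object. */
static void poison(struct fake_file *f)
{
    memset(f, 0xA5, sizeof *f);
}

/* The assignments visible in the flagged excerpts: _flags2 and _ur are
   never written. */
static void setup_as_flagged(struct fake_file *f, const wchar_t *str)
{
    f->_bf._base = f->_p = (unsigned char *) str;
    f->_bf._size = f->_r = (int) (wcslen(str) * sizeof(wchar_t));
    f->_ub._base = NULL;
    f->_lb._base = NULL;
    f->_file = -1;          /* No file. */
}

/* Fix style 1: assign the two reported members explicitly. */
static void setup_fields_assigned(struct fake_file *f, const wchar_t *str)
{
    setup_as_flagged(f, str);
    f->_flags2 = 0;
    f->_ur = 0;
}

/* Fix style 2: zero the whole object first, which also covers members that
   are added to the struct later. */
static void setup_zeroed(struct fake_file *f, const wchar_t *str)
{
    memset(f, 0, sizeof *f);
    setup_as_flagged(f, str);
}

/* Hypothetical callee: like a scanner, it branches on members the caller
   may not have set. Returns 1 if it would act on stale state. */
static int scanner_sees_stale_state(const struct fake_file *f)
{
    return f->_ur != 0 || f->_flags2 != 0;
}

typedef void (*setup_fn)(struct fake_file *, const wchar_t *);

/* Run one setup routine on poisoned storage and report what the callee
   would observe. The input string is constructed sample data. */
static int stale_after(setup_fn setup)
{
    struct fake_file f;

    poison(&f);
    setup(&f, L"42 constructed input");
    return scanner_sees_stale_state(&f);
}

int main(void)
{
    printf("as flagged:      stale=%d\n", stale_after(setup_as_flagged));
    printf("fields assigned: stale=%d\n", stale_after(setup_fields_assigned));
    printf("zeroed first:    stale=%d\n", stale_after(setup_zeroed));
    return 0;
}
```

Whether the real callee reads those members on every path is what separates a true finding from a false positive; initializing them removes the question either way.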
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-08-31 19:16 ` Jeff Johnston
@ 2022-08-31 19:16 ` Jeff Johnston
2022-08-31 19:58 ` Joel Sherrill
1 sibling, 0 replies; 11+ messages in thread
From: Jeff Johnston @ 2022-08-31 19:16 UTC (permalink / raw)
To: joel; +Cc: Newlib
Hi Joel, I will be pushing a patch shortly but see comments below as IMO there
are some false positives.
-- Jeff J.
On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Thanks Joel for bringing this to our attention.
>
> -- Jeff J.
>
> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>
>> Hi
>>
>> I quit running Coverity on newlib as part of the repositories analysed as
>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>> wanted to make sure the scripting stayed working.
>>
>> These issues were flagged since the last time we ran it. Some look like
>> they need attention.
>>
>> --joel
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Aug 29, 2022 at 5:56 PM
>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>> To: <joel.sherrill@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>> found with Coverity Scan.
>>
>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 10 of 10 defect(s)
>>
>>
>> ** CID 398779: (UNINIT)
>>
>>
Fixed.
>
>> ________________________________________________________________________________________________________
>> *** CID 398779: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>>
>>
Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = seconds;
>> 16 ts.tv_nsec = 0;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 398777: (UNINIT)
>>
>>
Fixed. I just initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398777: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> ** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>>
>>
Although this should be a false positive because of gettimeofday_r getting
the address of now, I have initialized the field to -1.
>
>> ________________________________________________________________________________________________________
>> *** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>> 38 struct timeval now;
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 44 *t = now.tv_sec;
>> 45 return now.tv_sec;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> 44 *t = now.tv_sec;
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 45 return now.tv_sec;
>>
>> ** CID 398775: (UNINIT)
>>
>>
>>
Fixed. I initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398775: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> ** CID 398774: Uninitialized variables (UNINIT)
>>
Fixed. I memset the initial array to 0's.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398774: Uninitialized variables (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>> 93 in _rs_stir()
>> 87 u_char rnd[KEYSZ + IVSZ];
>> 88
>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>> 90 _getentropy_fail();
>> 91
>> 92 if (!rs)
>> >>> CID 398774: Uninitialized variables (UNINIT)
>> >>> Using uninitialized element of array "rnd" when calling
>> "_rs_init".
>> 93 _rs_init(rnd, sizeof(rnd));
>> 94 else
>> 95 _rs_rekey(rnd, sizeof(rnd));
>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>> 97
>> 98 /* invalidate rs_buf */
>>
>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>>
>>
>>
This is a false positive. We intend to divide by zero.
>
>> ________________________________________________________________________________________________________
>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>> 49 __int32_t ix,hx;
>> 50 GET_FLOAT_WORD(hx,x);
>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>> 52 if(ix<0x31800000) /* x < 2**-28 */
>> 53 {if((int)x==0) { /* generate inexact */
>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>> >>> In expression "-1f / x", division by expression "x" which may be
>> zero has undefined behavior.
>> 55 else return (iy==1)? x: -one/x;
>> 56 }
>> 57 }
>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>> 59 if(hx<0) {x = -x; y = -y;}
>> 60 z = pio4-x;
>>
>> ** CID 398772: Memory - corruptions (OVERRUN)
>>
I think this is another false positive. I couldn't see where it was accessing
storage without doing a length check first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398772: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1044 in bothcases()
>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>> recurse */
>> 1039 p->next = bracket;
>> 1040 p->end = bracket+2;
>> 1041 bracket[0] = ch;
>> 1042 bracket[1] = ']';
>> 1043 bracket[2] = '\0';
>> >>> CID 398772: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1044 p_bracket(p);
>> 1045 assert(p->next == bracket+2);
>> 1046 p->next = oldnext;
>> 1047 p->end = oldend;
>> 1048 }
>> 1049
>>
>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>>
>>
Fixed. I removed the return as usleep is supposed to return -1 on an EINTR.
>>
>> ________________________________________________________________________________________________________
>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = (long int)useconds / 1000000;
>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 378851: Memory - corruptions (OVERRUN)
>>
>>
Again, I believe this is a false positive. No access of storage without
checking length first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 378851: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1090 in nonnewline()
>> 1084 p->next = bracket;
>> 1085 p->end = bracket+3;
>> 1086 bracket[0] = '^';
>> 1087 bracket[1] = '\n';
>> 1088 bracket[2] = ']';
>> 1089 bracket[3] = '\0';
>> >>> CID 378851: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1090 p_bracket(p);
>> 1091 assert(p->next == bracket+3);
>> 1092 p->next = oldnext;
>> 1093 p->end = oldend;
>> 1094 }
>> 1095
>>
>>
>>
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-08-31 19:16 ` Jeff Johnston
2022-08-31 19:16 ` Jeff Johnston
@ 2022-08-31 19:58 ` Joel Sherrill
2022-08-31 19:58 ` Joel Sherrill
1 sibling, 1 reply; 11+ messages in thread
From: Joel Sherrill @ 2022-08-31 19:58 UTC (permalink / raw)
To: Jeff Johnston; +Cc: Newlib
On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Hi Joel, I will be pushing a patch shortly but see comments below as IMO
> there are some false positives.
>
I'm happy to mark the false positives in Coverity but I only ran this
because they forced me to update the client side program and I
wanted to make sure all my run coverity scripts continued to work
with it. Normally this one isn't run on a regular basis.

Is Cygwin still running Scan on newlib? I stopped because the
focus was supposed to be on their run not on the RTEMS one.

I can easily uncomment the one line to run it via cron. I have a script
that can check for changes in git and run coverity if needed.

Basically, where's the "official" Scan instance that we all should
be referring to?

--joel
>
> -- Jeff J.
>
> On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
>
>> Thanks Joel for bringing this to our attention.
>>
>> -- Jeff J.
>>
>> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>>
>>> Hi
>>>
>>> I quit running Coverity on newlib as part of the repositories analysed as
>>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>>> wanted to make sure the scripting stayed working.
>>>
>>> These issues were flagged since the last time we ran it. Some look like
>>> they need attention.
>>>
>>> --joel
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Aug 29, 2022 at 5:56 PM
>>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>>> To: <joel.sherrill@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>>> found with Coverity Scan.
>>>
>>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 10 of 10 defect(s)
>>>
>>>
>>> ** CID 398779: (UNINIT)
>>>
>>>
> Fixed.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398779: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>>
>>>
> Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = seconds;
>>> 16 ts.tv_nsec = 0;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 398777: (UNINIT)
>>>
>>>
> Fixed. I just initialized the fields.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398777: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> ** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>>
>>>
> Although this should be a false positive because of gettimeofday_r getting
> the address of now, I have initialized the field to -1.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>> 38 struct timeval now;
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 44 *t = now.tv_sec;
>>> 45 return now.tv_sec;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> 44 *t = now.tv_sec;
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 45 return now.tv_sec;
>>>
>>> ** CID 398775: (UNINIT)
>>>
>>>
>>>
> Fixed. I initialized the fields.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398775: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> ** CID 398774: Uninitialized variables (UNINIT)
>>>
> Fixed. I memset the initial array to 0's.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398774: Uninitialized variables (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>>> 93 in _rs_stir()
>>> 87 u_char rnd[KEYSZ + IVSZ];
>>> 88
>>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>>> 90 _getentropy_fail();
>>> 91
>>> 92 if (!rs)
>>> >>> CID 398774: Uninitialized variables (UNINIT)
>>> >>> Using uninitialized element of array "rnd" when calling
>>> "_rs_init".
>>> 93 _rs_init(rnd, sizeof(rnd));
>>> 94 else
>>> 95 _rs_rekey(rnd, sizeof(rnd));
>>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>>> 97
>>> 98 /* invalidate rs_buf */
>>>
>>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>>
>>>
>>>
> This is a false positive. We intend to divide by zero.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>> 49 __int32_t ix,hx;
>>> 50 GET_FLOAT_WORD(hx,x);
>>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>>> 52 if(ix<0x31800000) /* x < 2**-28 */
>>> 53 {if((int)x==0) { /* generate inexact */
>>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> >>> In expression "-1f / x", division by expression "x" which may be
>>> zero has undefined behavior.
>>> 55 else return (iy==1)? x: -one/x;
>>> 56 }
>>> 57 }
>>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>>> 59 if(hx<0) {x = -x; y = -y;}
>>> 60 z = pio4-x;
>>>
>>> ** CID 398772: Memory - corruptions (OVERRUN)
>>>
> I think this is another false positive. I couldn't see where it was accessing
> storage without doing a length check first.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398772: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1044 in bothcases()
>>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>>> recurse */
>>> 1039 p->next = bracket;
>>> 1040 p->end = bracket+2;
>>> 1041 bracket[0] = ch;
>>> 1042 bracket[1] = ']';
>>> 1043 bracket[2] = '\0';
>>> >>> CID 398772: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1044 p_bracket(p);
>>> 1045 assert(p->next == bracket+2);
>>> 1046 p->next = oldnext;
>>> 1047 p->end = oldend;
>>> 1048 }
>>> 1049
>>>
>>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>>
>>>
> Fixed. I removed the return as usleep is supposed to return -1 on an
> EINTR.
>
>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = (long int)useconds / 1000000;
>>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>>
> Again, I believe this is a false positive. No access of storage without
> checking length first.
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1090 in nonnewline()
>>> 1084 p->next = bracket;
>>> 1085 p->end = bracket+3;
>>> 1086 bracket[0] = '^';
>>> 1087 bracket[1] = '\n';
>>> 1088 bracket[2] = ']';
>>> 1089 bracket[3] = '\0';
>>> >>> CID 378851: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1090 p_bracket(p);
>>> 1091 assert(p->next == bracket+3);
>>> 1092 p->next = oldnext;
>>> 1093 p->end = oldend;
>>> 1094 }
>>> 1095
>>>
>>>
>>>
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-08-31 19:58 ` Joel Sherrill
@ 2022-08-31 19:58 ` Joel Sherrill
0 siblings, 0 replies; 11+ messages in thread
From: Joel Sherrill @ 2022-08-31 19:58 UTC (permalink / raw)
To: Jeff Johnston; +Cc: Newlib
On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Hi Joel, I will be pushing a patch shortly but see comments below as IMO
> there are some false positives.
>
I'm happy to mark the false positives in Coverity but I only ran this
because they forced me to update the client side program and I
wanted to make sure all my run coverity scripts continued to work
with it. Normally this one isn't run on a regular basis.

Is Cygwin still running Scan on newlib? I stopped because the
focus was supposed to be on their run not on the RTEMS one.

I can easily uncomment the one line to run it via cron. I have a script
that can check for changes in git and run coverity if needed.

Basically, where's the "official" Scan instance that we all should
be referring to?

--joel
>
> -- Jeff J.
>
> On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
>
>> Thanks Joel for bringing this to our attention.
>>
>> -- Jeff J.
>>
>> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>>
>>> Hi
>>>
>>> I quit running Coverity on newlib as part of the repositories analysed as
>>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>>> wanted to make sure the scripting stayed working.
>>>
>>> These issues were flagged since the last time we ran it. Some look like
>>> they need attention.
>>>
>>> --joel
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Aug 29, 2022 at 5:56 PM
>>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>>> To: <joel.sherrill@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>>> found with Coverity Scan.
>>>
>>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 10 of 10 defect(s)
>>>
>>>
>>> ** CID 398779: (UNINIT)
>>>
>>>
> Fixed.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398779: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>>
>>>
> Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = seconds;
>>> 16 ts.tv_nsec = 0;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 398777: (UNINIT)
>>>
>>>
> Fixed. I just initialized the fields.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398777: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> ** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>>
>>>
> Although this should be a false positive because of gettimeofday_r getting
> the address of now, I have initialized the field to -1.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>> 38 struct timeval now;
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 44 *t = now.tv_sec;
>>> 45 return now.tv_sec;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> 44 *t = now.tv_sec;
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 45 return now.tv_sec;
>>>
>>> ** CID 398775: (UNINIT)
>>>
>>>
>>>
> Fixed. I initialized the fields.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398775: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> ** CID 398774: Uninitialized variables (UNINIT)
>>>
>>> Fixed. I memset the initial array to 0's.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398774: Uninitialized variables (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>>> 93 in _rs_stir()
>>> 87 u_char rnd[KEYSZ + IVSZ];
>>> 88
>>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>>> 90 _getentropy_fail();
>>> 91
>>> 92 if (!rs)
>>> >>> CID 398774: Uninitialized variables (UNINIT)
>>> >>> Using uninitialized element of array "rnd" when calling
>>> "_rs_init".
>>> 93 _rs_init(rnd, sizeof(rnd));
>>> 94 else
>>> 95 _rs_rekey(rnd, sizeof(rnd));
>>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>>> 97
>>> 98 /* invalidate rs_buf */
>>>
>>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>>
>>>
>>>
> This is a false positive. We intend to divide by zero.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>> 49 __int32_t ix,hx;
>>> 50 GET_FLOAT_WORD(hx,x);
>>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>>> 52 if(ix<0x31800000) /* x < 2**-28 */
>>> 53 {if((int)x==0) { /* generate inexact */
>>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> >>> In expression "-1f / x", division by expression "x" which may be
>>> zero has undefined behavior.
>>> 55 else return (iy==1)? x: -one/x;
>>> 56 }
>>> 57 }
>>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>>> 59 if(hx<0) {x = -x; y = -y;}
>>> 60 z = pio4-x;
>>>
>>> ** CID 398772: Memory - corruptions (OVERRUN)
>>>
> I think this is another false positive. I couldn't see where it was
> accessing storage without doing a length check first.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398772: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1044 in bothcases()
>>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>>> recurse */
>>> 1039 p->next = bracket;
>>> 1040 p->end = bracket+2;
>>> 1041 bracket[0] = ch;
>>> 1042 bracket[1] = ']';
>>> 1043 bracket[2] = '\0';
>>> >>> CID 398772: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1044 p_bracket(p);
>>> 1045 assert(p->next == bracket+2);
>>> 1046 p->next = oldnext;
>>> 1047 p->end = oldend;
>>> 1048 }
>>> 1049
>>>
>>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>>
>>>
> Fixed. I removed the return as usleep is supposed to return -1 on an
> EINTR.
>
>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = (long int)useconds / 1000000;
>>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>>
> Again, I believe this is a false positive. No access of storage without
> checking length first.
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1090 in nonnewline()
>>> 1084 p->next = bracket;
>>> 1085 p->end = bracket+3;
>>> 1086 bracket[0] = '^';
>>> 1087 bracket[1] = '\n';
>>> 1088 bracket[2] = ']';
>>> 1089 bracket[3] = '\0';
>>> >>> CID 378851: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1090 p_bracket(p);
>>> 1091 assert(p->next == bracket+3);
>>> 1092 p->next = oldnext;
>>> 1093 p->end = oldend;
>>> 1094 }
>>> 1095
>>>
>>>
>>>
* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
[not found] <67aa7d4565885_1e98fe2ac1a16659a8550b1@prd-scan-dashboard-0.mail>
@ 2025-02-10 22:56 ` Joel Sherrill
0 siblings, 0 replies; 11+ messages in thread
From: Joel Sherrill @ 2025-02-10 22:56 UTC (permalink / raw)
To: Newlib
Coverity Scan has spotted a handful of issues with the recent string
changes.
--joel
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 10, 2025 at 4:27 PM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS-Newlib
found with Coverity Scan.
6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 474676: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/mempcpy.c:
68 in mempcpy()
________________________________________________________________________________________________________
*** CID 474676: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/mempcpy.c:
68 in mempcpy()
62 while (!TOO_SMALL_BIG_BLOCK(len0))
63 {
64 *aligned_dst++ = *aligned_src++;
65 *aligned_dst++ = *aligned_src++;
66 *aligned_dst++ = *aligned_src++;
67 *aligned_dst++ = *aligned_src++;
>>> CID 474676: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "len0", underflows the type of "len0", which is type
"size_t".
68 len0 -= BIG_BLOCK_SIZE;
69 }
70
71 /* Copy one long word at a time if possible. */
72 while (!TOO_SMALL_LITTLE_BLOCK(len0))
73 {
** CID 474675: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/stpncpy.c:
64 in stpncpy()
________________________________________________________________________________________________________
*** CID 474675: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/stpncpy.c:
64 in stpncpy()
58 aligned_src = (long*)src;
59
60 /* SRC and DEST are both LITTLE_BLOCK_SIZE aligned,
61 try to do LITTLE_BLOCK_SIZE sized copies. */
62 while (!TOO_SMALL_LITTLE_BLOCK (count) &&
!DETECT_NULL(*aligned_src))
63 {
>>> CID 474675: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "count", underflows the type of "count", which is type
"size_t".
64 count -= LITTLE_BLOCK_SIZE;
65 *aligned_dst++ = *aligned_src++;
66 }
67
68 dst = (char*)aligned_dst;
69 src = (char*)aligned_src;
** CID 474674: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memccpy.c:
96 in memccpy()
________________________________________________________________________________________________________
*** CID 474674: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memccpy.c:
96 in memccpy()
90 {
91 unsigned long buffer = (unsigned long)(*aligned_src);
92 buffer ^= mask;
93 if (DETECT_NULL(buffer))
94 break; /* endchar is found, go byte by byte from here */
95 *aligned_dst++ = *aligned_src++;
>>> CID 474674: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "len0", underflows the type of "len0", which is type
"size_t".
96 len0 -= LITTLE_BLOCK_SIZE;
97 }
98
99 /* Pick up any residual with a byte copier. */
100 dst = (unsigned char*)aligned_dst;
101 src = (unsigned char*)aligned_src;
** CID 474673: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memmove.c:
88 in memmove()
________________________________________________________________________________________________________
*** CID 474673: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memmove.c:
88 in memmove()
82 aligned_src = (long*)src;
83
84 /* Copy one long word at a time if possible. */
85 while (!TOO_SMALL_LITTLE_BLOCK(length))
86 {
87 *--aligned_dst = *--aligned_src;
>>> CID 474673: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "length", underflows the type of "length", which is type
"size_t".
88 length -= LITTLE_BLOCK_SIZE;
89 }
90
91 /* Pick up any residual with a byte copier. */
92 dst = (char*)aligned_dst;
93 src = (char*)aligned_src;
** CID 474672: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memcpy.c:
72 in memcpy()
________________________________________________________________________________________________________
*** CID 474672: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memcpy.c:
72 in memcpy()
66 while (!TOO_SMALL_BIG_BLOCK(len0))
67 {
68 *aligned_dst++ = *aligned_src++;
69 *aligned_dst++ = *aligned_src++;
70 *aligned_dst++ = *aligned_src++;
71 *aligned_dst++ = *aligned_src++;
>>> CID 474672: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "len0", underflows the type of "len0", which is type
"size_t".
72 len0 -= BIG_BLOCK_SIZE;
73 }
74
75 /* Copy one long word at a time if possible. */
76 while (!TOO_SMALL_LITTLE_BLOCK(len0))
77 {
** CID 470638: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/strncpy.c:
78 in strncpy()
________________________________________________________________________________________________________
*** CID 470638: Integer handling issues (INTEGER_OVERFLOW)
/home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/strncpy.c:
78 in strncpy()
72 aligned_src = (long*)src;
73
74 /* SRC and DEST are both "long int" aligned, try to do "long
int"
75 sized copies. */
76 while (!TOO_SMALL_LITTLE_BLOCK(count) &&
!DETECT_NULL(*aligned_src))
77 {
>>> CID 470638: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "count", underflows the type of "count", which is type
"size_t".
78 count -= sizeof (long int);
79 *aligned_dst++ = *aligned_src++;
80 }
81
82 dst = (char*)aligned_dst;
83 src = (char*)aligned_src;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/rtems-newlib?tab=overview
* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
[not found] <654dcb725557c_69be32c62521719a8359f9@prd-scan-dashboard-0.mail>
@ 2023-11-10 14:40 ` Joel Sherrill
0 siblings, 0 replies; 11+ messages in thread
From: Joel Sherrill @ 2023-11-10 14:40 UTC (permalink / raw)
To: Newlib
The RTEMS Project scan on newlib shows that the recent change introduced a
new issue.
--joel
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Nov 10, 2023 at 12:19 AM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS-Newlib
found with Coverity Scan.
6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 423232: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 423232: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/sscanf.c:
469 in _sscanf_r()
463 f._bf._size = f._r = strlen (str);
464 f._read = __seofread;
465 f._ub._base = NULL;
466 f._lb._base = NULL;
467 f._file = -1; /* No file. */
468 va_start (ap, fmt);
>>> CID 423232: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfscanf_r".
469 ret = __ssvfscanf_r (ptr, &f, fmt, ap);
470 va_end (ap);
471 return ret;
472 }
473
474 #ifdef _NANO_FORMATTED_IO
475 int
476 _siscanf_r (struct _reent *, const char *, const char *, ...)
477 _ATTRIBUTE ((__alias__("_sscanf_r")));
** CID 423231: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 423231: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vsiscanf.c:
58 in _vsiscanf_r()
52 f._bf._base = f._p = (unsigned char *) str;
53 f._bf._size = f._r = strlen (str);
54 f._read = __seofread;
55 f._ub._base = NULL;
56 f._lb._base = NULL;
57 f._file = -1; /* No file. */
>>> CID 423231: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfiscanf_r".
58 return __ssvfiscanf_r (ptr, &f, fmt, ap);
** CID 423230: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 423230: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/siscanf.c:
100 in siscanf()
94 f._bf._size = f._r = strlen (str);
95 f._read = __seofread;
96 f._ub._base = NULL;
97 f._lb._base = NULL;
98 f._file = -1; /* No file. */
99 va_start (ap, fmt);
>>> CID 423230: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfiscanf_r".
100 ret = __ssvfiscanf_r (_REENT, &f, fmt, ap);
101 va_end (ap);
102 return ret;
103 }
104
105 #endif /* !_REENT_ONLY */
** CID 423229: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 423229: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/siscanf.c:
124 in _siscanf_r()
118 f._bf._size = f._r = strlen (str);
119 f._read = __seofread;
120 f._ub._base = NULL;
121 f._lb._base = NULL;
122 f._file = -1; /* No file. */
123 va_start (ap, fmt);
>>> CID 423229: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfiscanf_r".
124 ret = __ssvfiscanf_r (ptr, &f, fmt, ap);
125 va_end (ap);
126 return ret;
** CID 423228: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 423228: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/sscanf.c:
439 in sscanf()
433 f._bf._size = f._r = strlen (str);
434 f._read = __seofread;
435 f._ub._base = NULL;
436 f._lb._base = NULL;
437 f._file = -1; /* No file. */
438 va_start (ap, fmt);
>>> CID 423228: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfscanf_r".
439 ret = __ssvfscanf_r (_REENT, &f, fmt, ap);
440 va_end (ap);
441 return ret;
442 }
443
444 #ifdef _NANO_FORMATTED_IO
** CID 423227: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 423227: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vsscanf.c:
64 in _vsscanf_r()
58 f._bf._base = f._p = (unsigned char *) str;
59 f._bf._size = f._r = strlen (str);
60 f._read = __seofread;
61 f._ub._base = NULL;
62 f._lb._base = NULL;
63 f._file = -1; /* No file. */
>>> CID 423227: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfscanf_r".
64 return __ssvfscanf_r (ptr, &f, fmt, ap);
65 }
66
67 #ifdef _NANO_FORMATTED_IO
68 int
69 _vsiscanf_r (struct _reent *, const char *, const char *, __VALIST)
70 _ATTRIBUTE ((__alias__("_vsscanf_r")));
* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
[not found] <621dbc6e5b779_bb4ce2b0cf36619a0847b1@prd-scan-dashboard-0.mail>
@ 2022-03-01 12:59 ` Joel Sherrill
0 siblings, 0 replies; 11+ messages in thread
From: Joel Sherrill @ 2022-03-01 12:59 UTC (permalink / raw)
To: Newlib
Hi
The RTEMS Project runs Coverity Scan when Newlib changes.
Not sure who committed something that triggered these but overnight 6 new
defects showed up. Most look to be NULL dereferences.
--joel
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Mar 1, 2022, 12:25 AM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS-Newlib
found with Coverity Scan.
6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 387497: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
46 in _asiprintf_r()
________________________________________________________________________________________________________
*** CID 387497: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
46 in _asiprintf_r()
40 f._file = -1; /* No file. */
41 va_start (ap, fmt);
42 ret = _svfiprintf_r (ptr, &f, fmt, ap);
43 va_end (ap);
44 if (ret >= 0)
45 {
>>> CID 387497: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
46 *f._p = 0;
47 *strp = (char *) f._bf._base;
48 }
49 return (ret);
50 }
51
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
42 in _asiprintf_r()
36 /* mark a zero-length reallocatable buffer */
37 f._flags = __SWR | __SSTR | __SMBF;
38 f._bf._base = f._p = NULL;
39 f._bf._size = f._w = 0;
40 f._file = -1; /* No file. */
41 va_start (ap, fmt);
>>> CID 387497: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
42 ret = _svfiprintf_r (ptr, &f, fmt, ap);
43 va_end (ap);
44 if (ret >= 0)
45 {
46 *f._p = 0;
47 *strp = (char *) f._bf._base;
** CID 387496: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasniprintf.c:
54 in _vasniprintf_r()
________________________________________________________________________________________________________
*** CID 387496: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasniprintf.c:
54 in _vasniprintf_r()
48 f._bf._size = f._w = len;
49 f._file = -1; /* No file. */
50 ret = _svfiprintf_r (ptr, &f, fmt, ap);
51 if (ret < 0)
52 return NULL;
53 *lenp = ret;
>>> CID 387496: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
54 *f._p = '\0';
55 return (char *) f._bf._base;
56 }
57
58 #ifndef _REENT_ONLY
59
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasniprintf.c:
50 in _vasniprintf_r()
44 {
45 ptr->_errno = EOVERFLOW;
46 return NULL;
47 }
48 f._bf._size = f._w = len;
49 f._file = -1; /* No file. */
>>> CID 387496: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
50 ret = _svfiprintf_r (ptr, &f, fmt, ap);
51 if (ret < 0)
52 return NULL;
53 *lenp = ret;
54 *f._p = '\0';
55 return (char *) f._bf._base;
** CID 387495: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
72 in asiprintf()
________________________________________________________________________________________________________
*** CID 387495: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
72 in asiprintf()
66 f._file = -1; /* No file. */
67 va_start (ap, fmt);
68 ret = _svfiprintf_r (_REENT, &f, fmt, ap);
69 va_end (ap);
70 if (ret >= 0)
71 {
>>> CID 387495: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
72 *f._p = 0;
73 *strp = (char *) f._bf._base;
74 }
75 return (ret);
76 }
77
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
68 in asiprintf()
62 /* mark a zero-length reallocatable buffer */
63 f._flags = __SWR | __SSTR | __SMBF;
64 f._bf._base = f._p = NULL;
65 f._bf._size = f._w = 0;
66 f._file = -1; /* No file. */
67 va_start (ap, fmt);
>>> CID 387495: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
68 ret = _svfiprintf_r (_REENT, &f, fmt, ap);
69 va_end (ap);
70 if (ret >= 0)
71 {
72 *f._p = 0;
73 *strp = (char *) f._bf._base;
** CID 387494: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasiprintf.c:
59 in _vasiprintf_r()
________________________________________________________________________________________________________
*** CID 387494: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasiprintf.c:
56 in _vasiprintf_r()
50 FILE f;
51
52 f._flags = __SWR | __SSTR | __SMBF ;
53 f._bf._base = f._p = NULL;
54 f._bf._size = f._w = 0;
55 f._file = -1; /* No file. */
>>> CID 387494: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
56 ret = _svfiprintf_r (ptr, &f, fmt, ap);
57 if (ret >= 0)
58 {
59 *f._p = 0;
60 *strp = (char *) f._bf._base;
61 }
62 return ret;
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasiprintf.c:
59 in _vasiprintf_r()
53 f._bf._base = f._p = NULL;
54 f._bf._size = f._w = 0;
55 f._file = -1; /* No file. */
56 ret = _svfiprintf_r (ptr, &f, fmt, ap);
57 if (ret >= 0)
58 {
>>> CID 387494: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
59 *f._p = 0;
60 *strp = (char *) f._bf._base;
61 }
62 return ret;
** CID 387493: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c:
56 in _asniprintf_r()
________________________________________________________________________________________________________
*** CID 387493: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c:
56 in _asniprintf_r()
50 va_start (ap, fmt);
51 ret = _svfiprintf_r (ptr, &f, fmt, ap);
52 va_end (ap);
53 if (ret < 0)
54 return NULL;
55 *lenp = ret;
>>> CID 387493: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
56 *f._p = '\0';
57 return (char *) f._bf._base;
58 }
59
60 #ifndef _REENT_ONLY
61
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c:
51 in _asniprintf_r()
45 ptr->_errno = EOVERFLOW;
46 return NULL;
47 }
48 f._bf._size = f._w = len;
49 f._file = -1; /* No file. */
50 va_start (ap, fmt);
>>> CID 387493: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
51 ret = _svfiprintf_r (ptr, &f, fmt, ap);
52 va_end (ap);
53 if (ret < 0)
54 return NULL;
55 *lenp = ret;
56 *f._p = '\0';
** CID 387492: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c:
102 in asniprintf()
________________________________________________________________________________________________________
*** CID 387492: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c:
97 in asniprintf()
91 ptr->_errno = EOVERFLOW;
92 return NULL;
93 }
94 f._bf._size = f._w = len;
95 f._file = -1; /* No file. */
96 va_start (ap, fmt);
>>> CID 387492: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
97 ret = _svfiprintf_r (ptr, &f, fmt, ap);
98 va_end (ap);
99 if (ret < 0)
100 return NULL;
101 *lenp = ret;
102 *f._p = '\0';
103 return (char *) f._bf._base;
104 }
105
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c:
102 in asniprintf()
96 va_start (ap, fmt);
97 ret = _svfiprintf_r (ptr, &f, fmt, ap);
98 va_end (ap);
99 if (ret < 0)
100 return NULL;
101 *lenp = ret;
>>> CID 387492: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
102 *f._p = '\0';
103 return (char *) f._bf._base;
104 }
105