* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Joel Sherrill @ 2022-08-29 23:09 UTC
To: Newlib

Hi

I quit running Coverity on newlib as part of the repositories analysed as
part of RTEMS BUT I had to update the version of cov-analysis we used and
wanted to make sure the scripting stayed working.

These issues were flagged since the last time we ran it. Some look like
they need attention.

--joel

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Aug 29, 2022 at 5:56 PM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>

Hi,

Please find the latest report on new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.

10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)

** CID 398779: (UNINIT)

________________________________________________________________________________________________________
*** CID 398779: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 454 in _swscanf_r()
448       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
449       f._read = __seofread;
450       f._ub._base = NULL;
451       f._lb._base = NULL;
452       f._file = -1;  /* No file. */
453       va_start (ap, fmt);
>>>     CID 398779: (UNINIT)
>>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
454       ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
455       va_end (ap);
456       return ret;
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 454 in _swscanf_r()
448       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
449       f._read = __seofread;
450       f._ub._base = NULL;
451       f._lb._base = NULL;
452       f._file = -1;  /* No file. */
453       va_start (ap, fmt);
>>>     CID 398779: (UNINIT)
>>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
454       ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
455       va_end (ap);
456       return ret;

** CID 398778: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: 18 in sleep()

________________________________________________________________________________________________________
*** CID 398778: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: 18 in sleep()
12     {
13       struct timespec ts;
14
15       ts.tv_sec = seconds;
16       ts.tv_nsec = 0;
17       if (!nanosleep(&ts,&ts)) return 0;
>>>     CID 398778: High impact quality (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
18       if (errno == EINTR) return ts.tv_sec;
19       return -1;
20     }
21

** CID 398777: (UNINIT)

________________________________________________________________________________________________________
*** CID 398777: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 432 in swscanf()
426       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
427       f._read = __seofread;
428       f._ub._base = NULL;
429       f._lb._base = NULL;
430       f._file = -1;  /* No file. */
431       va_start (ap, fmt);
>>>     CID 398777: (UNINIT)
>>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
432       ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
433       va_end (ap);
434       return ret;
435     }
436
437     #endif /* !_REENT_ONLY */
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 432 in swscanf()
426       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
427       f._read = __seofread;
428       f._ub._base = NULL;
429       f._lb._base = NULL;
430       f._file = -1;  /* No file. */
431       va_start (ap, fmt);
>>>     CID 398777: (UNINIT)
>>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
432       ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
433       va_end (ap);
434       return ret;
435     }
436
437     #endif /* !_REENT_ONLY */

** CID 398776: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 44 in time()
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 45 in time()

________________________________________________________________________________________________________
*** CID 398776: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 44 in time()
38       struct timeval now;
39
40       if (_gettimeofday_r (_REENT, &now, NULL) < 0)
41         now.tv_sec = (time_t) -1;
42
43       if (t)
>>>     CID 398776: (UNINIT)
>>>     Using uninitialized value "now.tv_sec".
44         *t = now.tv_sec;
45       return now.tv_sec;
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 45 in time()
39
40       if (_gettimeofday_r (_REENT, &now, NULL) < 0)
41         now.tv_sec = (time_t) -1;
42
43       if (t)
44         *t = now.tv_sec;
>>>     CID 398776: (UNINIT)
>>>     Using uninitialized value "now.tv_sec".
45       return now.tv_sec;

** CID 398775: (UNINIT)

________________________________________________________________________________________________________
*** CID 398775: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: 57 in _vswscanf_r()
51       f._bf._base = f._p = (unsigned char *) str;
52       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
53       f._read = __seofread;
54       f._ub._base = NULL;
55       f._lb._base = NULL;
56       f._file = -1;  /* No file. */
>>>     CID 398775: (UNINIT)
>>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
57       return __ssvfwscanf_r (ptr, &f, fmt, ap);
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: 57 in _vswscanf_r()
51       f._bf._base = f._p = (unsigned char *) str;
52       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
53       f._read = __seofread;
54       f._ub._base = NULL;
55       f._lb._base = NULL;
56       f._file = -1;  /* No file. */
>>>     CID 398775: (UNINIT)
>>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
57       return __ssvfwscanf_r (ptr, &f, fmt, ap);

** CID 398774: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 398774: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c: 93 in _rs_stir()
87       u_char rnd[KEYSZ + IVSZ];
88
89       if (getentropy(rnd, sizeof rnd) == -1)
90         _getentropy_fail();
91
92       if (!rs)
>>>     CID 398774: Uninitialized variables (UNINIT)
>>>     Using uninitialized element of array "rnd" when calling "_rs_init".
93         _rs_init(rnd, sizeof(rnd));
94       else
95         _rs_rekey(rnd, sizeof(rnd));
96       explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
97
98       /* invalidate rs_buf */

** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: 55 in __kernel_tanf()

________________________________________________________________________________________________________
*** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: 55 in __kernel_tanf()
49       __int32_t ix,hx;
50       GET_FLOAT_WORD(hx,x);
51       ix = hx&0x7fffffff; /* high word of |x| */
52       if(ix<0x31800000) /* x < 2**-28 */
53         {if((int)x==0) { /* generate inexact */
54           if((ix|(iy+1))==0) return one/fabsf(x);
>>>     CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>     In expression "-1f / x", division by expression "x" which may be zero has undefined behavior.
55           else return (iy==1)? x: -one/x;
56         }
57         }
58       if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
59         if(hx<0) {x = -x; y = -y;}
60         z = pio4-x;

** CID 398772: Memory - corruptions (OVERRUN)

________________________________________________________________________________________________________
*** CID 398772: Memory - corruptions (OVERRUN)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: 1044 in bothcases()
1038      assert(othercase(ch) != ch); /* p_bracket() would recurse */
1039      p->next = bracket;
1040      p->end = bracket+2;
1041      bracket[0] = ch;
1042      bracket[1] = ']';
1043      bracket[2] = '\0';
>>>     CID 398772: Memory - corruptions (OVERRUN)
>>>     Overrunning buffer pointed to by "p->next" of 3 bytes by passing it to a function which accesses it at byte offset 4.
1044      p_bracket(p);
1045      assert(p->next == bracket+2);
1046      p->next = oldnext;
1047      p->end = oldend;
1048    }
1049

** CID 398771: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: 18 in usleep()

________________________________________________________________________________________________________
*** CID 398771: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: 18 in usleep()
12     {
13       struct timespec ts;
14
15       ts.tv_sec = (long int)useconds / 1000000;
16       ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
17       if (!nanosleep(&ts,&ts)) return 0;
>>>     CID 398771: High impact quality (Y2K38_SAFETY)
>>>     A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ts.tv_sec" is cast to "int".
18       if (errno == EINTR) return ts.tv_sec;
19       return -1;
20     }
21

** CID 378851: Memory - corruptions (OVERRUN)

________________________________________________________________________________________________________
*** CID 378851: Memory - corruptions (OVERRUN)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: 1090 in nonnewline()
1084      p->next = bracket;
1085      p->end = bracket+3;
1086      bracket[0] = '^';
1087      bracket[1] = '\n';
1088      bracket[2] = ']';
1089      bracket[3] = '\0';
>>>     CID 378851: Memory - corruptions (OVERRUN)
>>>     Overrunning buffer pointed to by "p->next" of 4 bytes by passing it to a function which accesses it at byte offset 4.
1090      p_bracket(p);
1091      assert(p->next == bracket+3);
1092      p->next = oldnext;
1093      p->end = oldend;
1094    }
1095

* Re: New Defects reported by Coverity Scan for RTEMS-Newlib 2022-08-29 23:09 ` Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib Joel Sherrill 2022-08-29 23:09 ` Joel Sherrill @ 2022-08-30 19:03 ` Jeff Johnston 2022-08-30 19:03 ` Jeff Johnston 2022-08-31 19:16 ` Jeff Johnston 1 sibling, 2 replies; 10+ messages in thread From: Jeff Johnston @ 2022-08-30 19:03 UTC (permalink / raw) To: joel; +Cc: Newlib Thanks Joel for bringing this to our attention. -- Jeff J. On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote: > Hi > > I quit running Coverity on newlib as part of the repositories analysed as > part of RTEMS BUT I had to update the version of cov-analysis we used and > wanted to make sure the scripting stayed working. > > These issues were flagged since the last time we ran it. Some look like > they need attention. > > --joel > > ---------- Forwarded message --------- > From: <scan-admin@coverity.com> > Date: Mon, Aug 29, 2022 at 5:56 PM > Subject: New Defects reported by Coverity Scan for RTEMS-Newlib > To: <joel.sherrill@gmail.com> > > > Hi, > > Please find the latest report on new defect(s) introduced to RTEMS-Newlib > found with Coverity Scan. > > 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan. > 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the > recent build analyzed by Coverity Scan. > > New defect(s) Reported-by: Coverity Scan > Showing 10 of 10 defect(s) > > > ** CID 398779: (UNINIT) > > > > ________________________________________________________________________________________________________ > *** CID 398779: (UNINIT) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: > 454 in _swscanf_r() > 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); > 449 f._read = __seofread; > 450 f._ub._base = NULL; > 451 f._lb._base = NULL; > 452 f._file = -1; /* No file. 
*/ > 453 va_start (ap, fmt); > >>> CID 398779: (UNINIT) > >>> Using uninitialized value "f._flags2" when calling > "__ssvfwscanf_r". > 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); > 455 va_end (ap); > 456 return ret; > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: > 454 in _swscanf_r() > 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); > 449 f._read = __seofread; > 450 f._ub._base = NULL; > 451 f._lb._base = NULL; > 452 f._file = -1; /* No file. */ > 453 va_start (ap, fmt); > >>> CID 398779: (UNINIT) > >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". > 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); > 455 va_end (ap); > 456 return ret; > > ** CID 398778: High impact quality (Y2K38_SAFETY) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: > 18 in sleep() > > > > ________________________________________________________________________________________________________ > *** CID 398778: High impact quality (Y2K38_SAFETY) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: > 18 in sleep() > 12 { > 13 struct timespec ts; > 14 > 15 ts.tv_sec = seconds; > 16 ts.tv_nsec = 0; > 17 if (!nanosleep(&ts,&ts)) return 0; > >>> CID 398778: High impact quality (Y2K38_SAFETY) > >>> A "time_t" value is stored in an integer with too few bits to > accommodate it. The expression "ts.tv_sec" is cast to "unsigned int". 
> 18 if (errno == EINTR) return ts.tv_sec; > 19 return -1; > 20 } > 21 > > ** CID 398777: (UNINIT) > > > > ________________________________________________________________________________________________________ > *** CID 398777: (UNINIT) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: > 432 in swscanf() > 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); > 427 f._read = __seofread; > 428 f._ub._base = NULL; > 429 f._lb._base = NULL; > 430 f._file = -1; /* No file. */ > 431 va_start (ap, fmt); > >>> CID 398777: (UNINIT) > >>> Using uninitialized value "f._flags2" when calling > "__ssvfwscanf_r". > 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); > 433 va_end (ap); > 434 return ret; > 435 } > 436 > 437 #endif /* !_REENT_ONLY */ > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: > 432 in swscanf() > 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); > 427 f._read = __seofread; > 428 f._ub._base = NULL; > 429 f._lb._base = NULL; > 430 f._file = -1; /* No file. */ > 431 va_start (ap, fmt); > >>> CID 398777: (UNINIT) > >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". 
> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); > 433 va_end (ap); > 434 return ret; > 435 } > 436 > 437 #endif /* !_REENT_ONLY */ > > ** CID 398776: (UNINIT) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: > 44 in time() > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: > 45 in time() > > > > ________________________________________________________________________________________________________ > *** CID 398776: (UNINIT) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: > 44 in time() > 38 struct timeval now; > 39 > 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) > 41 now.tv_sec = (time_t) -1; > 42 > 43 if (t) > >>> CID 398776: (UNINIT) > >>> Using uninitialized value "now.tv_sec". > 44 *t = now.tv_sec; > 45 return now.tv_sec; > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: > 45 in time() > 39 > 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) > 41 now.tv_sec = (time_t) -1; > 42 > 43 if (t) > 44 *t = now.tv_sec; > >>> CID 398776: (UNINIT) > >>> Using uninitialized value "now.tv_sec". > 45 return now.tv_sec; > > ** CID 398775: (UNINIT) > > > > ________________________________________________________________________________________________________ > *** CID 398775: (UNINIT) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: > 57 in _vswscanf_r() > 51 f._bf._base = f._p = (unsigned char *) str; > 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); > 53 f._read = __seofread; > 54 f._ub._base = NULL; > 55 f._lb._base = NULL; > 56 f._file = -1; /* No file. */ > >>> CID 398775: (UNINIT) > >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". 
> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: > 57 in _vswscanf_r() > 51 f._bf._base = f._p = (unsigned char *) str; > 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); > 53 f._read = __seofread; > 54 f._ub._base = NULL; > 55 f._lb._base = NULL; > 56 f._file = -1; /* No file. */ > >>> CID 398775: (UNINIT) > >>> Using uninitialized value "f._flags2" when calling > "__ssvfwscanf_r". > 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); > > ** CID 398774: Uninitialized variables (UNINIT) > > > > ________________________________________________________________________________________________________ > *** CID 398774: Uninitialized variables (UNINIT) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c: > 93 in _rs_stir() > 87 u_char rnd[KEYSZ + IVSZ]; > 88 > 89 if (getentropy(rnd, sizeof rnd) == -1) > 90 _getentropy_fail(); > 91 > 92 if (!rs) > >>> CID 398774: Uninitialized variables (UNINIT) > >>> Using uninitialized element of array "rnd" when calling "_rs_init". 
> 93 _rs_init(rnd, sizeof(rnd)); > 94 else > 95 _rs_rekey(rnd, sizeof(rnd)); > 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */ > 97 > 98 /* invalidate rs_buf */ > > ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: > 55 in __kernel_tanf() > > > > ________________________________________________________________________________________________________ > *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: > 55 in __kernel_tanf() > 49 __int32_t ix,hx; > 50 GET_FLOAT_WORD(hx,x); > 51 ix = hx&0x7fffffff; /* high word of |x| */ > 52 if(ix<0x31800000) /* x < 2**-28 */ > 53 {if((int)x==0) { /* generate inexact */ > 54 if((ix|(iy+1))==0) return one/fabsf(x); > >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO) > >>> In expression "-1f / x", division by expression "x" which may be > zero has undefined behavior. > 55 else return (iy==1)? x: -one/x; > 56 } > 57 } > 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */ > 59 if(hx<0) {x = -x; y = -y;} > 60 z = pio4-x; > > ** CID 398772: Memory - corruptions (OVERRUN) > > > > ________________________________________________________________________________________________________ > *** CID 398772: Memory - corruptions (OVERRUN) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: > 1044 in bothcases() > 1038 assert(othercase(ch) != ch); /* p_bracket() would > recurse */ > 1039 p->next = bracket; > 1040 p->end = bracket+2; > 1041 bracket[0] = ch; > 1042 bracket[1] = ']'; > 1043 bracket[2] = '\0'; > >>> CID 398772: Memory - corruptions (OVERRUN) > >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing it > to a function which accesses it at byte offset 4. 
> 1044 p_bracket(p); > 1045 assert(p->next == bracket+2); > 1046 p->next = oldnext; > 1047 p->end = oldend; > 1048 } > 1049 > > ** CID 398771: High impact quality (Y2K38_SAFETY) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: > 18 in usleep() > > > > ________________________________________________________________________________________________________ > *** CID 398771: High impact quality (Y2K38_SAFETY) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: > 18 in usleep() > 12 { > 13 struct timespec ts; > 14 > 15 ts.tv_sec = (long int)useconds / 1000000; > 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000; > 17 if (!nanosleep(&ts,&ts)) return 0; > >>> CID 398771: High impact quality (Y2K38_SAFETY) > >>> A "time_t" value is stored in an integer with too few bits to > accommodate it. The expression "ts.tv_sec" is cast to "int". > 18 if (errno == EINTR) return ts.tv_sec; > 19 return -1; > 20 } > 21 > > ** CID 378851: Memory - corruptions (OVERRUN) > > > > ________________________________________________________________________________________________________ > *** CID 378851: Memory - corruptions (OVERRUN) > > /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: > 1090 in nonnewline() > 1084 p->next = bracket; > 1085 p->end = bracket+3; > 1086 bracket[0] = '^'; > 1087 bracket[1] = '\n'; > 1088 bracket[2] = ']'; > 1089 bracket[3] = '\0'; > >>> CID 378851: Memory - corruptions (OVERRUN) > >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing it > to a function which accesses it at byte offset 4. 
> 1090 p_bracket(p); > 1091 assert(p->next == bracket+3); > 1092 p->next = oldnext; > 1093 p->end = oldend; > 1094 } > 1095 > > ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib 2022-08-30 19:03 ` Jeff Johnston 2022-08-30 19:03 ` Jeff Johnston @ 2022-08-31 19:16 ` Jeff Johnston 2022-08-31 19:16 ` Jeff Johnston 2022-08-31 19:58 ` Joel Sherrill 1 sibling, 2 replies; 10+ messages in thread From: Jeff Johnston @ 2022-08-31 19:16 UTC (permalink / raw) To: joel; +Cc: Newlib Hi Joel, I will be pushing a patch shortly but see comments below as IMO there are some false positives. -- Jeff J. On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote: > Thanks Joel for bringing this to our attention. > > -- Jeff J. > > On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote: > >> Hi >> >> I quit running Coverity on newlib as part of the repositories analysed as >> part of RTEMS BUT I had to update the version of cov-analysis we used and >> wanted to make sure the scripting stayed working. >> >> These issues were flagged since the last time we ran it. Some look like >> they need attention. >> >> --joel >> >> ---------- Forwarded message --------- >> From: <scan-admin@coverity.com> >> Date: Mon, Aug 29, 2022 at 5:56 PM >> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib >> To: <joel.sherrill@gmail.com> >> >> >> Hi, >> >> Please find the latest report on new defect(s) introduced to RTEMS-Newlib >> found with Coverity Scan. >> >> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan. >> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the >> recent build analyzed by Coverity Scan. >> >> New defect(s) Reported-by: Coverity Scan >> Showing 10 of 10 defect(s) >> >> >> ** CID 398779: (UNINIT) >> >> >> Fixed.
> >> ________________________________________________________________________________________________________ >> *** CID 398779: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 454 in _swscanf_r() >> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 449 f._read = __seofread; >> 450 f._ub._base = NULL; >> 451 f._lb._base = NULL; >> 452 f._file = -1; /* No file. */ >> 453 va_start (ap, fmt); >> >>> CID 398779: (UNINIT) >> >>> Using uninitialized value "f._flags2" when calling >> "__ssvfwscanf_r". >> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >> 455 va_end (ap); >> 456 return ret; >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 454 in _swscanf_r() >> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 449 f._read = __seofread; >> 450 f._ub._base = NULL; >> 451 f._lb._base = NULL; >> 452 f._file = -1; /* No file. */ >> 453 va_start (ap, fmt); >> >>> CID 398779: (UNINIT) >> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >> 455 va_end (ap); >> 456 return ret; >> >> ** CID 398778: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >> 18 in sleep() >> >> Fixed. (I anded with UINT_MAX so the checker should allow this). > >> >> ________________________________________________________________________________________________________ >> *** CID 398778: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >> 18 in sleep() >> 12 { >> 13 struct timespec ts; >> 14 >> 15 ts.tv_sec = seconds; >> 16 ts.tv_nsec = 0; >> 17 if (!nanosleep(&ts,&ts)) return 0; >> >>> CID 398778: High impact quality (Y2K38_SAFETY) >> >>> A "time_t" value is stored in an integer with too few bits to >> accommodate it. 
The expression "ts.tv_sec" is cast to "unsigned int". >> 18 if (errno == EINTR) return ts.tv_sec; >> 19 return -1; >> 20 } >> 21 >> >> ** CID 398777: (UNINIT) >> >> >> Fixed. I just initialized the fields. > >> ________________________________________________________________________________________________________ >> *** CID 398777: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 432 in swscanf() >> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 427 f._read = __seofread; >> 428 f._ub._base = NULL; >> 429 f._lb._base = NULL; >> 430 f._file = -1; /* No file. */ >> 431 va_start (ap, fmt); >> >>> CID 398777: (UNINIT) >> >>> Using uninitialized value "f._flags2" when calling >> "__ssvfwscanf_r". >> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >> 433 va_end (ap); >> 434 return ret; >> 435 } >> 436 >> 437 #endif /* !_REENT_ONLY */ >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 432 in swscanf() >> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 427 f._read = __seofread; >> 428 f._ub._base = NULL; >> 429 f._lb._base = NULL; >> 430 f._file = -1; /* No file. */ >> 431 va_start (ap, fmt); >> >>> CID 398777: (UNINIT) >> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >> 433 va_end (ap); >> 434 return ret; >> 435 } >> 436 >> 437 #endif /* !_REENT_ONLY */ >> >> ** CID 398776: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 44 in time() >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 45 in time() >> >> >> Although this should be a false positive because of gettimeofday_r getting the address of now, I have initialized the field to -1. 
> >> ________________________________________________________________________________________________________ >> *** CID 398776: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 44 in time() >> 38 struct timeval now; >> 39 >> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >> 41 now.tv_sec = (time_t) -1; >> 42 >> 43 if (t) >> >>> CID 398776: (UNINIT) >> >>> Using uninitialized value "now.tv_sec". >> 44 *t = now.tv_sec; >> 45 return now.tv_sec; >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 45 in time() >> 39 >> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >> 41 now.tv_sec = (time_t) -1; >> 42 >> 43 if (t) >> 44 *t = now.tv_sec; >> >>> CID 398776: (UNINIT) >> >>> Using uninitialized value "now.tv_sec". >> 45 return now.tv_sec; >> >> ** CID 398775: (UNINIT) >> >> >> Fixed. I initialized the fields. > >> ________________________________________________________________________________________________________ >> *** CID 398775: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >> 57 in _vswscanf_r() >> 51 f._bf._base = f._p = (unsigned char *) str; >> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 53 f._read = __seofread; >> 54 f._ub._base = NULL; >> 55 f._lb._base = NULL; >> 56 f._file = -1; /* No file. */ >> >>> CID 398775: (UNINIT) >> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >> 57 in _vswscanf_r() >> 51 f._bf._base = f._p = (unsigned char *) str; >> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 53 f._read = __seofread; >> 54 f._ub._base = NULL; >> 55 f._lb._base = NULL; >> 56 f._file = -1; /* No file. 
*/ >> >>> CID 398775: (UNINIT) >> >>> Using uninitialized value "f._flags2" when calling >> "__ssvfwscanf_r". >> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >> >> ** CID 398774: Uninitialized variables (UNINIT) >> >> Fixed. I memset the initial array to 0's. > >> >> ________________________________________________________________________________________________________ >> *** CID 398774: Uninitialized variables (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c: >> 93 in _rs_stir() >> 87 u_char rnd[KEYSZ + IVSZ]; >> 88 >> 89 if (getentropy(rnd, sizeof rnd) == -1) >> 90 _getentropy_fail(); >> 91 >> 92 if (!rs) >> >>> CID 398774: Uninitialized variables (UNINIT) >> >>> Using uninitialized element of array "rnd" when calling >> "_rs_init". >> 93 _rs_init(rnd, sizeof(rnd)); >> 94 else >> 95 _rs_rekey(rnd, sizeof(rnd)); >> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */ >> 97 >> 98 /* invalidate rs_buf */ >> >> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: >> 55 in __kernel_tanf() >> >> >> This is a false positive. We intend to divide by zero. > >> ________________________________________________________________________________________________________ >> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: >> 55 in __kernel_tanf() >> 49 __int32_t ix,hx; >> 50 GET_FLOAT_WORD(hx,x); >> 51 ix = hx&0x7fffffff; /* high word of |x| */ >> 52 if(ix<0x31800000) /* x < 2**-28 */ >> 53 {if((int)x==0) { /* generate inexact */ >> 54 if((ix|(iy+1))==0) return one/fabsf(x); >> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >> >>> In expression "-1f / x", division by expression "x" which may be >> zero has undefined behavior. >> 55 else return (iy==1)? 
x: -one/x; >> 56 } >> 57 } >> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */ >> 59 if(hx<0) {x = -x; y = -y;} >> 60 z = pio4-x; >> >> ** CID 398772: Memory - corruptions (OVERRUN) >> >> I think this is another false positive. I couldn't see where it was accessing storage without doing a length check first. > >> >> ________________________________________________________________________________________________________ >> *** CID 398772: Memory - corruptions (OVERRUN) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: >> 1044 in bothcases() >> 1038 assert(othercase(ch) != ch); /* p_bracket() would >> recurse */ >> 1039 p->next = bracket; >> 1040 p->end = bracket+2; >> 1041 bracket[0] = ch; >> 1042 bracket[1] = ']'; >> 1043 bracket[2] = '\0'; >> >>> CID 398772: Memory - corruptions (OVERRUN) >> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing >> it >> to a function which accesses it at byte offset 4. >> 1044 p_bracket(p); >> 1045 assert(p->next == bracket+2); >> 1046 p->next = oldnext; >> 1047 p->end = oldend; >> 1048 } >> 1049 >> >> ** CID 398771: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: >> 18 in usleep() >> >> Fixed. I removed the return as usleep is supposed to return -1 on an EINTR. >> >> ________________________________________________________________________________________________________ >> *** CID 398771: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: >> 18 in usleep() >> 12 { >> 13 struct timespec ts; >> 14 >> 15 ts.tv_sec = (long int)useconds / 1000000; >> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000; >> 17 if (!nanosleep(&ts,&ts)) return 0; >> >>> CID 398771: High impact quality (Y2K38_SAFETY) >> >>> A "time_t" value is stored in an integer with too few bits to >> accommodate it. 
The expression "ts.tv_sec" is cast to "int". >> 18 if (errno == EINTR) return ts.tv_sec; >> 19 return -1; >> 20 } >> 21 >> >> ** CID 378851: Memory - corruptions (OVERRUN) >> >> Again, I believe this is a false positive. No access of storage without checking length first. > >> >> ________________________________________________________________________________________________________ >> *** CID 378851: Memory - corruptions (OVERRUN) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: >> 1090 in nonnewline() >> 1084 p->next = bracket; >> 1085 p->end = bracket+3; >> 1086 bracket[0] = '^'; >> 1087 bracket[1] = '\n'; >> 1088 bracket[2] = ']'; >> 1089 bracket[3] = '\0'; >> >>> CID 378851: Memory - corruptions (OVERRUN) >> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing >> it >> to a function which accesses it at byte offset 4. >> 1090 p_bracket(p); >> 1091 assert(p->next == bracket+3); >> 1092 p->next = oldnext; >> 1093 p->end = oldend; >> 1094 } >> 1095 >> >> ^ permalink raw reply [flat|nested] 10+ messages in thread
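The two OVERRUN findings above (CID 398772 and CID 378851) turn on whether a multi-byte lookahead in the callee is guarded by a length check against p->end. The block below is an added example, not newlib's code and not part of any message in this thread: an instrumented C model of a next/end cursor run on the two bracket buffers from the report. The 6-byte lookahead token, the checked accessor and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the parser cursor in the report: "next" walks toward "end".
   base, max_off and violations are instrumentation added for this example. */
struct parse {
    const char *next;
    const char *end;
    const char *base;
    long max_off;      /* highest offset actually read, -1 if none */
    int violations;    /* reads requested at or past "end" */
};

struct result { long max_off; int violations; int consumed; int ok; };

/* Checked accessor: records every requested offset and never touches
   memory outside [base, end). */
static char read_at(struct parse *p, size_t ahead)
{
    if ((size_t)(p->end - p->next) <= ahead) {
        p->violations++;
        return '\0';
    }
    long off = (long)(p->next - p->base) + (long)ahead;
    if (off > p->max_off)
        p->max_off = off;
    return p->next[ahead];
}

/* Compare a multi-byte token at the cursor. The loop requests all n bytes,
   which is the worst-case span a static analyzer assumes for a
   strncmp-like call. With guarded != 0 the length is checked first. */
static int looking_at(struct parse *p, const char *tok, int guarded)
{
    size_t n = strlen(tok);
    int same = 1;
    if (guarded && (size_t)(p->end - p->next) < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (read_at(p, i) != tok[i])
            same = 0;
    return same;
}

/* Consume a bracket body shaped like the report's buffers: optional '^',
   members, closing ']'. The 6-byte token is a hypothetical special case. */
static int parse_bracket_body(struct parse *p, int guarded)
{
    if (looking_at(p, "[:<:]]", guarded)) {
        p->next += 6;
        return 1;
    }
    if (p->next < p->end && read_at(p, 0) == '^')
        p->next++;
    while (p->next < p->end && read_at(p, 0) != ']')
        p->next++;
    if (p->next < p->end) {     /* eat the closing ']' */
        p->next++;
        return 1;
    }
    return 0;
}

static struct result run(const char *buf, size_t len, int guarded)
{
    struct parse p = { buf, buf + len, buf, -1, 0 };
    struct result r;
    r.ok = parse_bracket_body(&p, guarded);
    r.max_off = p.max_off;
    r.violations = p.violations;
    r.consumed = (int)(p.next - buf);
    return r;
}

/* Buffer as in bothcases(): end = bracket+2. 'a' is a constructed
   stand-in for ch. */
static struct result bothcases_model(int guarded)
{
    char bracket[3] = { 'a', ']', '\0' };
    return run(bracket, 2, guarded);
}

/* Buffer as in nonnewline(): end = bracket+3. */
static struct result nonnewline_model(int guarded)
{
    char bracket[4] = { '^', '\n', ']', '\0' };
    return run(bracket, 3, guarded);
}

int main(void)
{
    struct result g = bothcases_model(1), u = bothcases_model(0);
    printf("bothcases  guarded:   max_off=%ld violations=%d\n", g.max_off, g.violations);
    printf("bothcases  unguarded: max_off=%ld violations=%d\n", u.max_off, u.violations);
    g = nonnewline_model(1);
    u = nonnewline_model(0);
    printf("nonnewline guarded:   max_off=%ld violations=%d\n", g.max_off, g.violations);
    printf("nonnewline unguarded: max_off=%ld violations=%d\n", u.max_off, u.violations);
    return 0;
}
```

With the guard in place no read is requested past end and the cursor stops at bracket+2 and bracket+3, matching the assert lines in the report; without it the lookahead asks for bytes the 3- and 4-byte arrays do not have.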
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib 2022-08-31 19:16 ` Jeff Johnston @ 2022-08-31 19:16 ` Jeff Johnston 2022-08-31 19:58 ` Joel Sherrill 1 sibling, 0 replies; 10+ messages in thread From: Jeff Johnston @ 2022-08-31 19:16 UTC (permalink / raw) To: joel; +Cc: Newlib Hi Joel, I will be pushing a patch shortly but see comments below as IMO there are some false positives. -- Jeff J. On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote: > Thanks Joel for bringing this to our attention. > > -- Jeff J. > > On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote: > >> Hi >> >> I quit running Coverity on newlib as part of the repositories analysed as >> part of RTEMS BUT I had to update the version of cov-analysis we used and >> wanted to make sure the scripting stayed working. >> >> These issues were flagged since the last time we ran it. Some look like >> they need attention. >> >> --joel >> >> ---------- Forwarded message --------- >> From: <scan-admin@coverity.com> >> Date: Mon, Aug 29, 2022 at 5:56 PM >> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib >> To: <joel.sherrill@gmail.com> >> >> >> Hi, >> >> Please find the latest report on new defect(s) introduced to RTEMS-Newlib >> found with Coverity Scan. >> >> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan. >> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the >> recent build analyzed by Coverity Scan. >> >> New defect(s) Reported-by: Coverity Scan >> Showing 10 of 10 defect(s) >> >> >> ** CID 398779: (UNINIT) >> >> >> Fixed.
> >> ________________________________________________________________________________________________________ >> *** CID 398779: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 454 in _swscanf_r() >> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 449 f._read = __seofread; >> 450 f._ub._base = NULL; >> 451 f._lb._base = NULL; >> 452 f._file = -1; /* No file. */ >> 453 va_start (ap, fmt); >> >>> CID 398779: (UNINIT) >> >>> Using uninitialized value "f._flags2" when calling >> "__ssvfwscanf_r". >> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >> 455 va_end (ap); >> 456 return ret; >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 454 in _swscanf_r() >> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 449 f._read = __seofread; >> 450 f._ub._base = NULL; >> 451 f._lb._base = NULL; >> 452 f._file = -1; /* No file. */ >> 453 va_start (ap, fmt); >> >>> CID 398779: (UNINIT) >> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >> 455 va_end (ap); >> 456 return ret; >> >> ** CID 398778: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >> 18 in sleep() >> >> Fixed. (I anded with UINT_MAX so the checker should allow this). > >> >> ________________________________________________________________________________________________________ >> *** CID 398778: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >> 18 in sleep() >> 12 { >> 13 struct timespec ts; >> 14 >> 15 ts.tv_sec = seconds; >> 16 ts.tv_nsec = 0; >> 17 if (!nanosleep(&ts,&ts)) return 0; >> >>> CID 398778: High impact quality (Y2K38_SAFETY) >> >>> A "time_t" value is stored in an integer with too few bits to >> accommodate it. 
The expression "ts.tv_sec" is cast to "unsigned int". >> 18 if (errno == EINTR) return ts.tv_sec; >> 19 return -1; >> 20 } >> 21 >> >> ** CID 398777: (UNINIT) >> >> >> Fixed. I just initialized the fields. > >> ________________________________________________________________________________________________________ >> *** CID 398777: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 432 in swscanf() >> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 427 f._read = __seofread; >> 428 f._ub._base = NULL; >> 429 f._lb._base = NULL; >> 430 f._file = -1; /* No file. */ >> 431 va_start (ap, fmt); >> >>> CID 398777: (UNINIT) >> >>> Using uninitialized value "f._flags2" when calling >> "__ssvfwscanf_r". >> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >> 433 va_end (ap); >> 434 return ret; >> 435 } >> 436 >> 437 #endif /* !_REENT_ONLY */ >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >> 432 in swscanf() >> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 427 f._read = __seofread; >> 428 f._ub._base = NULL; >> 429 f._lb._base = NULL; >> 430 f._file = -1; /* No file. */ >> 431 va_start (ap, fmt); >> >>> CID 398777: (UNINIT) >> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >> 433 va_end (ap); >> 434 return ret; >> 435 } >> 436 >> 437 #endif /* !_REENT_ONLY */ >> >> ** CID 398776: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 44 in time() >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 45 in time() >> >> >> Although this should be a false positive because of gettimeofday_r getting the address of now, I have initialized the field to -1. 
> >> ________________________________________________________________________________________________________ >> *** CID 398776: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 44 in time() >> 38 struct timeval now; >> 39 >> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >> 41 now.tv_sec = (time_t) -1; >> 42 >> 43 if (t) >> >>> CID 398776: (UNINIT) >> >>> Using uninitialized value "now.tv_sec". >> 44 *t = now.tv_sec; >> 45 return now.tv_sec; >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >> 45 in time() >> 39 >> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >> 41 now.tv_sec = (time_t) -1; >> 42 >> 43 if (t) >> 44 *t = now.tv_sec; >> >>> CID 398776: (UNINIT) >> >>> Using uninitialized value "now.tv_sec". >> 45 return now.tv_sec; >> >> ** CID 398775: (UNINIT) >> >> >> Fixed. I initialized the fields. > >> ________________________________________________________________________________________________________ >> *** CID 398775: (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >> 57 in _vswscanf_r() >> 51 f._bf._base = f._p = (unsigned char *) str; >> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 53 f._read = __seofread; >> 54 f._ub._base = NULL; >> 55 f._lb._base = NULL; >> 56 f._file = -1; /* No file. */ >> >>> CID 398775: (UNINIT) >> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >> 57 in _vswscanf_r() >> 51 f._bf._base = f._p = (unsigned char *) str; >> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >> 53 f._read = __seofread; >> 54 f._ub._base = NULL; >> 55 f._lb._base = NULL; >> 56 f._file = -1; /* No file. 
*/ >> >>> CID 398775: (UNINIT) >> >>> Using uninitialized value "f._flags2" when calling >> "__ssvfwscanf_r". >> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >> >> ** CID 398774: Uninitialized variables (UNINIT) >> >> Fixed. I memset the initial array to 0's. > >> >> ________________________________________________________________________________________________________ >> *** CID 398774: Uninitialized variables (UNINIT) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c: >> 93 in _rs_stir() >> 87 u_char rnd[KEYSZ + IVSZ]; >> 88 >> 89 if (getentropy(rnd, sizeof rnd) == -1) >> 90 _getentropy_fail(); >> 91 >> 92 if (!rs) >> >>> CID 398774: Uninitialized variables (UNINIT) >> >>> Using uninitialized element of array "rnd" when calling >> "_rs_init". >> 93 _rs_init(rnd, sizeof(rnd)); >> 94 else >> 95 _rs_rekey(rnd, sizeof(rnd)); >> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */ >> 97 >> 98 /* invalidate rs_buf */ >> >> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: >> 55 in __kernel_tanf() >> >> >> This is a false positive. We intend to divide by zero. > >> ________________________________________________________________________________________________________ >> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: >> 55 in __kernel_tanf() >> 49 __int32_t ix,hx; >> 50 GET_FLOAT_WORD(hx,x); >> 51 ix = hx&0x7fffffff; /* high word of |x| */ >> 52 if(ix<0x31800000) /* x < 2**-28 */ >> 53 {if((int)x==0) { /* generate inexact */ >> 54 if((ix|(iy+1))==0) return one/fabsf(x); >> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >> >>> In expression "-1f / x", division by expression "x" which may be >> zero has undefined behavior. >> 55 else return (iy==1)? 
x: -one/x; >> 56 } >> 57 } >> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */ >> 59 if(hx<0) {x = -x; y = -y;} >> 60 z = pio4-x; >> >> ** CID 398772: Memory - corruptions (OVERRUN) >> >> I think this is another false positive. I couldn't see where it was accessing storage without doing a length check first. > >> >> ________________________________________________________________________________________________________ >> *** CID 398772: Memory - corruptions (OVERRUN) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: >> 1044 in bothcases() >> 1038 assert(othercase(ch) != ch); /* p_bracket() would >> recurse */ >> 1039 p->next = bracket; >> 1040 p->end = bracket+2; >> 1041 bracket[0] = ch; >> 1042 bracket[1] = ']'; >> 1043 bracket[2] = '\0'; >> >>> CID 398772: Memory - corruptions (OVERRUN) >> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing >> it >> to a function which accesses it at byte offset 4. >> 1044 p_bracket(p); >> 1045 assert(p->next == bracket+2); >> 1046 p->next = oldnext; >> 1047 p->end = oldend; >> 1048 } >> 1049 >> >> ** CID 398771: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: >> 18 in usleep() >> >> Fixed. I removed the return as usleep is supposed to return -1 on an EINTR. >> >> ________________________________________________________________________________________________________ >> *** CID 398771: High impact quality (Y2K38_SAFETY) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: >> 18 in usleep() >> 12 { >> 13 struct timespec ts; >> 14 >> 15 ts.tv_sec = (long int)useconds / 1000000; >> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000; >> 17 if (!nanosleep(&ts,&ts)) return 0; >> >>> CID 398771: High impact quality (Y2K38_SAFETY) >> >>> A "time_t" value is stored in an integer with too few bits to >> accommodate it. 
The expression "ts.tv_sec" is cast to "int". >> 18 if (errno == EINTR) return ts.tv_sec; >> 19 return -1; >> 20 } >> 21 >> >> ** CID 378851: Memory - corruptions (OVERRUN) >> >> Again, I believe this is a false positive. No access of storage without checking length first. > >> >> ________________________________________________________________________________________________________ >> *** CID 378851: Memory - corruptions (OVERRUN) >> >> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: >> 1090 in nonnewline() >> 1084 p->next = bracket; >> 1085 p->end = bracket+3; >> 1086 bracket[0] = '^'; >> 1087 bracket[1] = '\n'; >> 1088 bracket[2] = ']'; >> 1089 bracket[3] = '\0'; >> >>> CID 378851: Memory - corruptions (OVERRUN) >> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing >> it >> to a function which accesses it at byte offset 4. >> 1090 p_bracket(p); >> 1091 assert(p->next == bracket+3); >> 1092 p->next = oldnext; >> 1093 p->end = oldend; >> 1094 } >> 1095
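Added example, not part of the thread and not newlib's patch: the sleep()/usleep() return-value handling discussed in the reply above (CID 398778 and CID 398771), with nanosleep() passed in as a function pointer so the EINTR path can be exercised without signals. The names `sleep_like`, `usleep_like`, `narrow_mask`, `narrow_saturate` and the two `fake_*` stand-ins are hypothetical, and the saturating variant is an alternative shown for comparison, not something the thread proposes.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Same signature as nanosleep(), so a test double can stand in for it. */
typedef int (*nanosleep_fn)(const struct timespec *req, struct timespec *rem);

/* Narrow a seconds count by masking with UINT_MAX, the approach the reply
   describes. The narrowing is explicit, but values above UINT_MAX wrap. */
static unsigned int narrow_mask(int64_t secs)
{
    return (unsigned int)((uint64_t)secs & UINT_MAX);
}

/* Alternative for comparison (an assumption of this example): clamp
   instead of wrapping, so an oversized value never looks small. */
static unsigned int narrow_saturate(int64_t secs)
{
    if (secs <= 0)
        return 0;
    if ((uint64_t)secs > UINT_MAX)
        return UINT_MAX;
    return (unsigned int)secs;
}

/* sleep()-like wrapper: 0 when the full interval elapsed, the unslept
   seconds when interrupted. The remainder cannot exceed the request,
   which came from an unsigned int, so the mask loses nothing here. */
static unsigned int sleep_like(unsigned int seconds, nanosleep_fn ns)
{
    struct timespec ts = { 0 };      /* every field has a defined value */

    ts.tv_sec = (time_t)seconds;
    if (ns(&ts, &ts) == 0)
        return 0;
    if (errno == EINTR)
        return narrow_mask((int64_t)ts.tv_sec);
    return (unsigned int)-1;         /* other failure, as in the quoted code */
}

/* usleep()-like wrapper: 0 on success, -1 on any failure including EINTR
   (errno is left as set by the sleep call). No time_t is narrowed. */
static int usleep_like(unsigned long useconds, nanosleep_fn ns)
{
    struct timespec ts = { 0 };

    ts.tv_sec = (time_t)(useconds / 1000000UL);
    ts.tv_nsec = (long)(useconds % 1000000UL) * 1000L;
    return ns(&ts, &ts) == 0 ? 0 : -1;
}

/* Constructed test double: a signal arrives with 7 seconds left. */
static int fake_interrupted(const struct timespec *req, struct timespec *rem)
{
    (void)req;
    rem->tv_sec = 7;
    rem->tv_nsec = 0;
    errno = EINTR;
    return -1;
}

/* Constructed test double: the sleep runs to completion. */
static int fake_completed(const struct timespec *req, struct timespec *rem)
{
    (void)req;
    (void)rem;
    return 0;
}

int main(void)
{
    int64_t big = (int64_t)UINT_MAX + 6;   /* does not fit in unsigned int */

    printf("sleep interrupted  -> %u\n", sleep_like(10, fake_interrupted));
    printf("sleep completed    -> %u\n", sleep_like(10, fake_completed));
    printf("usleep interrupted -> %d\n", usleep_like(2500000UL, fake_interrupted));
    printf("mask(%lld)     -> %u\n", (long long)big, narrow_mask(big));
    printf("saturate(%lld) -> %u\n", (long long)big, narrow_saturate(big));
    return 0;
}
```
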
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib 2022-08-31 19:16 ` Jeff Johnston 2022-08-31 19:16 ` Jeff Johnston @ 2022-08-31 19:58 ` Joel Sherrill 2022-08-31 19:58 ` Joel Sherrill 1 sibling, 1 reply; 10+ messages in thread From: Joel Sherrill @ 2022-08-31 19:58 UTC (permalink / raw) To: Jeff Johnston; +Cc: Newlib On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston <jjohnstn@redhat.com> wrote: > Hi Joel, I will be pushing a patch shortly but see comments below as IMO > there are some false positives. > I'm happy to mark the false positives in Coverity but I only ran this because they forced me to update the client-side program and I wanted to make sure all my run Coverity scripts continued to work with it. Normally this one isn't run on a regular basis. Is Cygwin still running Scan on newlib? I stopped because the focus was supposed to be on their run not on the RTEMS one. I can easily uncomment the one line to run it via cron. I have a script that can check for changes in git and run Coverity if needed. Basically, where's the "official" Scan instance that we all should be referring to? --joel > > -- Jeff J. > > On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote: > >> Thanks Joel for bringing this to our attention. >> >> -- Jeff J. >> >> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote: >> >>> Hi >>> >>> I quit running Coverity on newlib as part of the repositories analysed as >>> part of RTEMS BUT I had to update the version of cov-analysis we used and >>> wanted to make sure the scripting stayed working. >>> >>> These issues were flagged since the last time we ran it. Some look like >>> they need attention. 
>>> >>> --joel >>> >>> ---------- Forwarded message --------- >>> From: <scan-admin@coverity.com> >>> Date: Mon, Aug 29, 2022 at 5:56 PM >>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib >>> To: <joel.sherrill@gmail.com> >>> >>> >>> Hi, >>> >>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib >>> found with Coverity Scan. >>> >>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan. >>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the >>> recent build analyzed by Coverity Scan. >>> >>> New defect(s) Reported-by: Coverity Scan >>> Showing 10 of 10 defect(s) >>> >>> >>> ** CID 398779: (UNINIT) >>> >>> >>> Fixed. > > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398779: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 454 in _swscanf_r() >>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 449 f._read = __seofread; >>> 450 f._ub._base = NULL; >>> 451 f._lb._base = NULL; >>> 452 f._file = -1; /* No file. */ >>> 453 va_start (ap, fmt); >>> >>> CID 398779: (UNINIT) >>> >>> Using uninitialized value "f._flags2" when calling >>> "__ssvfwscanf_r". >>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >>> 455 va_end (ap); >>> 456 return ret; >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 454 in _swscanf_r() >>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 449 f._read = __seofread; >>> 450 f._ub._base = NULL; >>> 451 f._lb._base = NULL; >>> 452 f._file = -1; /* No file. */ >>> 453 va_start (ap, fmt); >>> >>> CID 398779: (UNINIT) >>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". 
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >>> 455 va_end (ap); >>> 456 return ret; >>> >>> ** CID 398778: High impact quality (Y2K38_SAFETY) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >>> 18 in sleep() >>> >>> > Fixed. (I anded with UINT_MAX so the checker should allow this). > >> >>> >>> ________________________________________________________________________________________________________ >>> *** CID 398778: High impact quality (Y2K38_SAFETY) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >>> 18 in sleep() >>> 12 { >>> 13 struct timespec ts; >>> 14 >>> 15 ts.tv_sec = seconds; >>> 16 ts.tv_nsec = 0; >>> 17 if (!nanosleep(&ts,&ts)) return 0; >>> >>> CID 398778: High impact quality (Y2K38_SAFETY) >>> >>> A "time_t" value is stored in an integer with too few bits to >>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int". >>> 18 if (errno == EINTR) return ts.tv_sec; >>> 19 return -1; >>> 20 } >>> 21 >>> >>> ** CID 398777: (UNINIT) >>> >>> >>> Fixed. I just initialized the fields. > > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398777: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 432 in swscanf() >>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 427 f._read = __seofread; >>> 428 f._ub._base = NULL; >>> 429 f._lb._base = NULL; >>> 430 f._file = -1; /* No file. */ >>> 431 va_start (ap, fmt); >>> >>> CID 398777: (UNINIT) >>> >>> Using uninitialized value "f._flags2" when calling >>> "__ssvfwscanf_r". 
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >>> 433 va_end (ap); >>> 434 return ret; >>> 435 } >>> 436 >>> 437 #endif /* !_REENT_ONLY */ >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 432 in swscanf() >>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 427 f._read = __seofread; >>> 428 f._ub._base = NULL; >>> 429 f._lb._base = NULL; >>> 430 f._file = -1; /* No file. */ >>> 431 va_start (ap, fmt); >>> >>> CID 398777: (UNINIT) >>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >>> 433 va_end (ap); >>> 434 return ret; >>> 435 } >>> 436 >>> 437 #endif /* !_REENT_ONLY */ >>> >>> ** CID 398776: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 44 in time() >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 45 in time() >>> >>> >>> Although this should be a false positive because of gettimeofday_r > getting the address of now, I have > initialized the field to -1. > > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398776: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 44 in time() >>> 38 struct timeval now; >>> 39 >>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >>> 41 now.tv_sec = (time_t) -1; >>> 42 >>> 43 if (t) >>> >>> CID 398776: (UNINIT) >>> >>> Using uninitialized value "now.tv_sec". >>> 44 *t = now.tv_sec; >>> 45 return now.tv_sec; >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 45 in time() >>> 39 >>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >>> 41 now.tv_sec = (time_t) -1; >>> 42 >>> 43 if (t) >>> 44 *t = now.tv_sec; >>> >>> CID 398776: (UNINIT) >>> >>> Using uninitialized value "now.tv_sec". 
>>> 45 return now.tv_sec; >>> >>> ** CID 398775: (UNINIT) >>> >>> >>> > Fixed. I initialized the fields. > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398775: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >>> 57 in _vswscanf_r() >>> 51 f._bf._base = f._p = (unsigned char *) str; >>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 53 f._read = __seofread; >>> 54 f._ub._base = NULL; >>> 55 f._lb._base = NULL; >>> 56 f._file = -1; /* No file. */ >>> >>> CID 398775: (UNINIT) >>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >>> 57 in _vswscanf_r() >>> 51 f._bf._base = f._p = (unsigned char *) str; >>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 53 f._read = __seofread; >>> 54 f._ub._base = NULL; >>> 55 f._lb._base = NULL; >>> 56 f._file = -1; /* No file. */ >>> >>> CID 398775: (UNINIT) >>> >>> Using uninitialized value "f._flags2" when calling >>> "__ssvfwscanf_r". >>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >>> >>> ** CID 398774: Uninitialized variables (UNINIT) >>> >>> Fixed. I memset the initial array to 0's. > > >> >>> >>> ________________________________________________________________________________________________________ >>> *** CID 398774: Uninitialized variables (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c: >>> 93 in _rs_stir() >>> 87 u_char rnd[KEYSZ + IVSZ]; >>> 88 >>> 89 if (getentropy(rnd, sizeof rnd) == -1) >>> 90 _getentropy_fail(); >>> 91 >>> 92 if (!rs) >>> >>> CID 398774: Uninitialized variables (UNINIT) >>> >>> Using uninitialized element of array "rnd" when calling >>> "_rs_init". 
>>> 93 _rs_init(rnd, sizeof(rnd)); >>> 94 else >>> 95 _rs_rekey(rnd, sizeof(rnd)); >>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */ >>> 97 >>> 98 /* invalidate rs_buf */ >>> >>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: >>> 55 in __kernel_tanf() >>> >>> >>> > This is a false positive. We intend to divide by zero. > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: >>> 55 in __kernel_tanf() >>> 49 __int32_t ix,hx; >>> 50 GET_FLOAT_WORD(hx,x); >>> 51 ix = hx&0x7fffffff; /* high word of |x| */ >>> 52 if(ix<0x31800000) /* x < 2**-28 */ >>> 53 {if((int)x==0) { /* generate inexact */ >>> 54 if((ix|(iy+1))==0) return one/fabsf(x); >>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO) >>> >>> In expression "-1f / x", division by expression "x" which may be >>> zero has undefined behavior. >>> 55 else return (iy==1)? x: -one/x; >>> 56 } >>> 57 } >>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */ >>> 59 if(hx<0) {x = -x; y = -y;} >>> 60 z = pio4-x; >>> >>> ** CID 398772: Memory - corruptions (OVERRUN) >>> >>> I think this is another false positive. I couldn't see where it was > accessing storage without doing a length check > first. 
> > >> >>> >>> ________________________________________________________________________________________________________ >>> *** CID 398772: Memory - corruptions (OVERRUN) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: >>> 1044 in bothcases() >>> 1038 assert(othercase(ch) != ch); /* p_bracket() would >>> recurse */ >>> 1039 p->next = bracket; >>> 1040 p->end = bracket+2; >>> 1041 bracket[0] = ch; >>> 1042 bracket[1] = ']'; >>> 1043 bracket[2] = '\0'; >>> >>> CID 398772: Memory - corruptions (OVERRUN) >>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing >>> it >>> to a function which accesses it at byte offset 4. >>> 1044 p_bracket(p); >>> 1045 assert(p->next == bracket+2); >>> 1046 p->next = oldnext; >>> 1047 p->end = oldend; >>> 1048 } >>> 1049 >>> >>> ** CID 398771: High impact quality (Y2K38_SAFETY) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: >>> 18 in usleep() >>> >>> > Fixed. I removed the return as usleep is supposed to return -1 on an > EINTR. > > >>> >>> ________________________________________________________________________________________________________ >>> *** CID 398771: High impact quality (Y2K38_SAFETY) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: >>> 18 in usleep() >>> 12 { >>> 13 struct timespec ts; >>> 14 >>> 15 ts.tv_sec = (long int)useconds / 1000000; >>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000; >>> 17 if (!nanosleep(&ts,&ts)) return 0; >>> >>> CID 398771: High impact quality (Y2K38_SAFETY) >>> >>> A "time_t" value is stored in an integer with too few bits to >>> accommodate it. The expression "ts.tv_sec" is cast to "int". >>> 18 if (errno == EINTR) return ts.tv_sec; >>> 19 return -1; >>> 20 } >>> 21 >>> >>> ** CID 378851: Memory - corruptions (OVERRUN) >>> >>> > Again, I believe this is a false positive. 
No access of storage without > checking length first. > >> >>> >>> ________________________________________________________________________________________________________ >>> *** CID 378851: Memory - corruptions (OVERRUN) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: >>> 1090 in nonnewline() >>> 1084 p->next = bracket; >>> 1085 p->end = bracket+3; >>> 1086 bracket[0] = '^'; >>> 1087 bracket[1] = '\n'; >>> 1088 bracket[2] = ']'; >>> 1089 bracket[3] = '\0'; >>> >>> CID 378851: Memory - corruptions (OVERRUN) >>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing >>> it >>> to a function which accesses it at byte offset 4. >>> 1090 p_bracket(p); >>> 1091 assert(p->next == bracket+3); >>> 1092 p->next = oldnext; >>> 1093 p->end = oldend; >>> 1094 } >>> 1095
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib 2022-08-31 19:58 ` Joel Sherrill @ 2022-08-31 19:58 ` Joel Sherrill 0 siblings, 0 replies; 10+ messages in thread From: Joel Sherrill @ 2022-08-31 19:58 UTC (permalink / raw) To: Jeff Johnston; +Cc: Newlib [-- Attachment #1: Type: text/plain, Size: 15887 bytes --] On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston <jjohnstn@redhat.com> wrote: > Hi Joel, I will pushing a patch shortly but see comments below as IMO > there are some false positives. > I'm happy to mark the false positives in Coverity but I only ran this because they forced me to update the client side program and I wanted to make sure all my run coverity scripts continued to work with it. Normally this one isn't run on a regular basis. Is Cygwin still running Scan on newlib? I stopped because the focus was supposed to be on their run not on the RTEMS one. I can easily uncomment the one line to run it via cron. I have a script that can check for changes in git and run coverity if needed. Basically, where's the "official" Scan instance that we all should be referring to? --joel > > -- Jeff J. > > On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote: > >> Thanks Joel for bringing this to our attention. >> >> -- Jeff J. >> >> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote: >> >>> Hi >>> >>> I quit running Coverity on newlib as part of the repositories analysed as >>> part of RTEMS BUT I had to update the version of cov-analysis we used and >>> wanted to make sure the scripting stayed working. >>> >>> These issues were flagged since the last time we ran it. Some look like >>> they need attention. 
>>> >>> --joel >>> >>> ---------- Forwarded message --------- >>> From: <scan-admin@coverity.com> >>> Date: Mon, Aug 29, 2022 at 5:56 PM >>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib >>> To: <joel.sherrill@gmail.com> >>> >>> >>> Hi, >>> >>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib >>> found with Coverity Scan. >>> >>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan. >>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the >>> recent build analyzed by Coverity Scan. >>> >>> New defect(s) Reported-by: Coverity Scan >>> Showing 10 of 10 defect(s) >>> >>> >>> ** CID 398779: (UNINIT) >>> >>> >>> Fixed. > > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398779: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 454 in _swscanf_r() >>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 449 f._read = __seofread; >>> 450 f._ub._base = NULL; >>> 451 f._lb._base = NULL; >>> 452 f._file = -1; /* No file. */ >>> 453 va_start (ap, fmt); >>> >>> CID 398779: (UNINIT) >>> >>> Using uninitialized value "f._flags2" when calling >>> "__ssvfwscanf_r". >>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >>> 455 va_end (ap); >>> 456 return ret; >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 454 in _swscanf_r() >>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 449 f._read = __seofread; >>> 450 f._ub._base = NULL; >>> 451 f._lb._base = NULL; >>> 452 f._file = -1; /* No file. */ >>> 453 va_start (ap, fmt); >>> >>> CID 398779: (UNINIT) >>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". 
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap); >>> 455 va_end (ap); >>> 456 return ret; >>> >>> ** CID 398778: High impact quality (Y2K38_SAFETY) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >>> 18 in sleep() >>> >>> > Fixed. (I anded with UINT_MAX so the checker should allow this). > >> >>> >>> ________________________________________________________________________________________________________ >>> *** CID 398778: High impact quality (Y2K38_SAFETY) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: >>> 18 in sleep() >>> 12 { >>> 13 struct timespec ts; >>> 14 >>> 15 ts.tv_sec = seconds; >>> 16 ts.tv_nsec = 0; >>> 17 if (!nanosleep(&ts,&ts)) return 0; >>> >>> CID 398778: High impact quality (Y2K38_SAFETY) >>> >>> A "time_t" value is stored in an integer with too few bits to >>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int". >>> 18 if (errno == EINTR) return ts.tv_sec; >>> 19 return -1; >>> 20 } >>> 21 >>> >>> ** CID 398777: (UNINIT) >>> >>> >>> Fixed. I just initialized the fields. > > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398777: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 432 in swscanf() >>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 427 f._read = __seofread; >>> 428 f._ub._base = NULL; >>> 429 f._lb._base = NULL; >>> 430 f._file = -1; /* No file. */ >>> 431 va_start (ap, fmt); >>> >>> CID 398777: (UNINIT) >>> >>> Using uninitialized value "f._flags2" when calling >>> "__ssvfwscanf_r". 
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >>> 433 va_end (ap); >>> 434 return ret; >>> 435 } >>> 436 >>> 437 #endif /* !_REENT_ONLY */ >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: >>> 432 in swscanf() >>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 427 f._read = __seofread; >>> 428 f._ub._base = NULL; >>> 429 f._lb._base = NULL; >>> 430 f._file = -1; /* No file. */ >>> 431 va_start (ap, fmt); >>> >>> CID 398777: (UNINIT) >>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap); >>> 433 va_end (ap); >>> 434 return ret; >>> 435 } >>> 436 >>> 437 #endif /* !_REENT_ONLY */ >>> >>> ** CID 398776: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 44 in time() >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 45 in time() >>> >>> >>> Although this should be a false positive because of gettimeofday_r > getting the address of now, I have > initialized the field to -1. > > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398776: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 44 in time() >>> 38 struct timeval now; >>> 39 >>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >>> 41 now.tv_sec = (time_t) -1; >>> 42 >>> 43 if (t) >>> >>> CID 398776: (UNINIT) >>> >>> Using uninitialized value "now.tv_sec". >>> 44 *t = now.tv_sec; >>> 45 return now.tv_sec; >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: >>> 45 in time() >>> 39 >>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0) >>> 41 now.tv_sec = (time_t) -1; >>> 42 >>> 43 if (t) >>> 44 *t = now.tv_sec; >>> >>> CID 398776: (UNINIT) >>> >>> Using uninitialized value "now.tv_sec". 
>>> 45 return now.tv_sec; >>> >>> ** CID 398775: (UNINIT) >>> >>> >>> > Fixed. I initialized the fields. > >> >>> ________________________________________________________________________________________________________ >>> *** CID 398775: (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >>> 57 in _vswscanf_r() >>> 51 f._bf._base = f._p = (unsigned char *) str; >>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 53 f._read = __seofread; >>> 54 f._ub._base = NULL; >>> 55 f._lb._base = NULL; >>> 56 f._file = -1; /* No file. */ >>> >>> CID 398775: (UNINIT) >>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r". >>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: >>> 57 in _vswscanf_r() >>> 51 f._bf._base = f._p = (unsigned char *) str; >>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t); >>> 53 f._read = __seofread; >>> 54 f._ub._base = NULL; >>> 55 f._lb._base = NULL; >>> 56 f._file = -1; /* No file. */ >>> >>> CID 398775: (UNINIT) >>> >>> Using uninitialized value "f._flags2" when calling >>> "__ssvfwscanf_r". >>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap); >>> >>> ** CID 398774: Uninitialized variables (UNINIT) >>> >>> Fixed. I memset the initial array to 0's. > > >> >>> >>> ________________________________________________________________________________________________________ >>> *** CID 398774: Uninitialized variables (UNINIT) >>> >>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c: >>> 93 in _rs_stir() >>> 87 u_char rnd[KEYSZ + IVSZ]; >>> 88 >>> 89 if (getentropy(rnd, sizeof rnd) == -1) >>> 90 _getentropy_fail(); >>> 91 >>> 92 if (!rs) >>> >>> CID 398774: Uninitialized variables (UNINIT) >>> >>> Using uninitialized element of array "rnd" when calling >>> "_rs_init". 
>>> 93 _rs_init(rnd, sizeof(rnd));
>>> 94 else
>>> 95 _rs_rekey(rnd, sizeof(rnd));
>>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>>> 97
>>> 98 /* invalidate rs_buf */
>>>
>>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: 55 in __kernel_tanf()
>>>
>>>
>>>
> This is a false positive. We intend to divide by zero.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: 55 in __kernel_tanf()
>>> 49 __int32_t ix,hx;
>>> 50 GET_FLOAT_WORD(hx,x);
>>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>>> 52 if(ix<0x31800000) /* x < 2**-28 */
>>> 53 {if((int)x==0) { /* generate inexact */
>>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> >>> In expression "-1f / x", division by expression "x" which may be zero has undefined behavior.
>>> 55 else return (iy==1)? x: -one/x;
>>> 56 }
>>> 57 }
>>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>>> 59 if(hx<0) {x = -x; y = -y;}
>>> 60 z = pio4-x;
>>>
>>> ** CID 398772: Memory - corruptions (OVERRUN)
>>>
>>>
> I think this is another false positive. I couldn't see where it was
> accessing storage without doing a length check
> first.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398772: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: 1044 in bothcases()
>>> 1038 assert(othercase(ch) != ch); /* p_bracket() would recurse */
>>> 1039 p->next = bracket;
>>> 1040 p->end = bracket+2;
>>> 1041 bracket[0] = ch;
>>> 1042 bracket[1] = ']';
>>> 1043 bracket[2] = '\0';
>>> >>> CID 398772: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing it to a function which accesses it at byte offset 4.
>>> 1044 p_bracket(p);
>>> 1045 assert(p->next == bracket+2);
>>> 1046 p->next = oldnext;
>>> 1047 p->end = oldend;
>>> 1048 }
>>> 1049
>>>
>>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: 18 in usleep()
>>>
>>>
> Fixed. I removed the return as usleep is supposed to return -1 on an
> EINTR.
>
>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: 18 in usleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = (long int)useconds / 1000000;
>>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ts.tv_sec" is cast to "int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>>
> Again, I believe this is a false positive. No access of storage without
> checking length first.
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: 1090 in nonnewline()
>>> 1084 p->next = bracket;
>>> 1085 p->end = bracket+3;
>>> 1086 bracket[0] = '^';
>>> 1087 bracket[1] = '\n';
>>> 1088 bracket[2] = ']';
>>> 1089 bracket[3] = '\0';
>>> >>> CID 378851: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing it to a function which accesses it at byte offset 4.
>>> 1090 p_bracket(p);
>>> 1091 assert(p->next == bracket+3);
>>> 1092 p->next = oldnext;
>>> 1093 p->end = oldend;
>>> 1094 }
>>> 1095
* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Joel Sherrill @ 2023-11-10 14:40 UTC
To: Newlib

The RTEMS Project scan on newlib shows that the recent change introduced a
new issue.

--joel

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Nov 10, 2023 at 12:19 AM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>

Hi,

Please find the latest report on new defect(s) introduced to RTEMS-Newlib
found with Coverity Scan.

6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)

** CID 423232: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 423232: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/sscanf.c: 469 in _sscanf_r()
463 f._bf._size = f._r = strlen (str);
464 f._read = __seofread;
465 f._ub._base = NULL;
466 f._lb._base = NULL;
467 f._file = -1; /* No file. */
468 va_start (ap, fmt);
>>> CID 423232: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfscanf_r".
469 ret = __ssvfscanf_r (ptr, &f, fmt, ap);
470 va_end (ap);
471 return ret;
472 }
473
474 #ifdef _NANO_FORMATTED_IO
475 int
476 _siscanf_r (struct _reent *, const char *, const char *, ...)
477 _ATTRIBUTE ((__alias__("_sscanf_r")));

** CID 423231: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 423231: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vsiscanf.c: 58 in _vsiscanf_r()
52 f._bf._base = f._p = (unsigned char *) str;
53 f._bf._size = f._r = strlen (str);
54 f._read = __seofread;
55 f._ub._base = NULL;
56 f._lb._base = NULL;
57 f._file = -1; /* No file. */
>>> CID 423231: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfiscanf_r".
58 return __ssvfiscanf_r (ptr, &f, fmt, ap);

** CID 423230: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 423230: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/siscanf.c: 100 in siscanf()
94 f._bf._size = f._r = strlen (str);
95 f._read = __seofread;
96 f._ub._base = NULL;
97 f._lb._base = NULL;
98 f._file = -1; /* No file. */
99 va_start (ap, fmt);
>>> CID 423230: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfiscanf_r".
100 ret = __ssvfiscanf_r (_REENT, &f, fmt, ap);
101 va_end (ap);
102 return ret;
103 }
104
105 #endif /* !_REENT_ONLY */

** CID 423229: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 423229: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/siscanf.c: 124 in _siscanf_r()
118 f._bf._size = f._r = strlen (str);
119 f._read = __seofread;
120 f._ub._base = NULL;
121 f._lb._base = NULL;
122 f._file = -1; /* No file. */
123 va_start (ap, fmt);
>>> CID 423229: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfiscanf_r".
124 ret = __ssvfiscanf_r (ptr, &f, fmt, ap);
125 va_end (ap);
126 return ret;

** CID 423228: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 423228: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/sscanf.c: 439 in sscanf()
433 f._bf._size = f._r = strlen (str);
434 f._read = __seofread;
435 f._ub._base = NULL;
436 f._lb._base = NULL;
437 f._file = -1; /* No file. */
438 va_start (ap, fmt);
>>> CID 423228: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfscanf_r".
439 ret = __ssvfscanf_r (_REENT, &f, fmt, ap);
440 va_end (ap);
441 return ret;
442 }
443
444 #ifdef _NANO_FORMATTED_IO

** CID 423227: Uninitialized variables (UNINIT)

________________________________________________________________________________________________________
*** CID 423227: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vsscanf.c: 64 in _vsscanf_r()
58 f._bf._base = f._p = (unsigned char *) str;
59 f._bf._size = f._r = strlen (str);
60 f._read = __seofread;
61 f._ub._base = NULL;
62 f._lb._base = NULL;
63 f._file = -1; /* No file. */
>>> CID 423227: Uninitialized variables (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfscanf_r".
64 return __ssvfscanf_r (ptr, &f, fmt, ap);
65 }
66
67 #ifdef _NANO_FORMATTED_IO
68 int
69 _vsiscanf_r (struct _reent *, const char *, const char *, __VALIST)
70 _ATTRIBUTE ((__alias__("_vsscanf_r")));
* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Joel Sherrill @ 2022-03-01 12:59 UTC
To: Newlib

Hi

The RTEMS Project runs Coverity Scan when Newlib changes. Not sure who
committed something that triggered these but overnight 6 new defects showed
up. Most look to be NULL dereferences.

--joel

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Mar 1, 2022, 12:25 AM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>

Hi,

Please find the latest report on new defect(s) introduced to RTEMS-Newlib
found with Coverity Scan.

6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)

** CID 387497: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c: 46 in _asiprintf_r()

________________________________________________________________________________________________________
*** CID 387497: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c: 46 in _asiprintf_r()
40 f._file = -1; /* No file. */
41 va_start (ap, fmt);
42 ret = _svfiprintf_r (ptr, &f, fmt, ap);
43 va_end (ap);
44 if (ret >= 0)
45 {
>>> CID 387497: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
46 *f._p = 0;
47 *strp = (char *) f._bf._base;
48 }
49 return (ret);
50 }
51

/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c: 42 in _asiprintf_r()
36 /* mark a zero-length reallocatable buffer */
37 f._flags = __SWR | __SSTR | __SMBF;
38 f._bf._base = f._p = NULL;
39 f._bf._size = f._w = 0;
40 f._file = -1; /* No file. */
41 va_start (ap, fmt);
>>> CID 387497: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
42 ret = _svfiprintf_r (ptr, &f, fmt, ap);
43 va_end (ap);
44 if (ret >= 0)
45 {
46 *f._p = 0;
47 *strp = (char *) f._bf._base;

** CID 387496: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasniprintf.c: 54 in _vasniprintf_r()

________________________________________________________________________________________________________
*** CID 387496: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasniprintf.c: 54 in _vasniprintf_r()
48 f._bf._size = f._w = len;
49 f._file = -1; /* No file. */
50 ret = _svfiprintf_r (ptr, &f, fmt, ap);
51 if (ret < 0)
52 return NULL;
53 *lenp = ret;
>>> CID 387496: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
54 *f._p = '\0';
55 return (char *) f._bf._base;
56 }
57
58 #ifndef _REENT_ONLY
59

/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasniprintf.c: 50 in _vasniprintf_r()
44 {
45 ptr->_errno = EOVERFLOW;
46 return NULL;
47 }
48 f._bf._size = f._w = len;
49 f._file = -1; /* No file. */
>>> CID 387496: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
50 ret = _svfiprintf_r (ptr, &f, fmt, ap);
51 if (ret < 0)
52 return NULL;
53 *lenp = ret;
54 *f._p = '\0';
55 return (char *) f._bf._base;

** CID 387495: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c: 72 in asiprintf()

________________________________________________________________________________________________________
*** CID 387495: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c: 72 in asiprintf()
66 f._file = -1; /* No file. */
67 va_start (ap, fmt);
68 ret = _svfiprintf_r (_REENT, &f, fmt, ap);
69 va_end (ap);
70 if (ret >= 0)
71 {
>>> CID 387495: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
72 *f._p = 0;
73 *strp = (char *) f._bf._base;
74 }
75 return (ret);
76 }
77

/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c: 68 in asiprintf()
62 /* mark a zero-length reallocatable buffer */
63 f._flags = __SWR | __SSTR | __SMBF;
64 f._bf._base = f._p = NULL;
65 f._bf._size = f._w = 0;
66 f._file = -1; /* No file. */
67 va_start (ap, fmt);
>>> CID 387495: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
68 ret = _svfiprintf_r (_REENT, &f, fmt, ap);
69 va_end (ap);
70 if (ret >= 0)
71 {
72 *f._p = 0;
73 *strp = (char *) f._bf._base;

** CID 387494: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasiprintf.c: 59 in _vasiprintf_r()

________________________________________________________________________________________________________
*** CID 387494: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasiprintf.c: 56 in _vasiprintf_r()
50 FILE f;
51
52 f._flags = __SWR | __SSTR | __SMBF ;
53 f._bf._base = f._p = NULL;
54 f._bf._size = f._w = 0;
55 f._file = -1; /* No file. */
>>> CID 387494: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
56 ret = _svfiprintf_r (ptr, &f, fmt, ap);
57 if (ret >= 0)
58 {
59 *f._p = 0;
60 *strp = (char *) f._bf._base;
61 }
62 return ret;

/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vasiprintf.c: 59 in _vasiprintf_r()
53 f._bf._base = f._p = NULL;
54 f._bf._size = f._w = 0;
55 f._file = -1; /* No file. */
56 ret = _svfiprintf_r (ptr, &f, fmt, ap);
57 if (ret >= 0)
58 {
>>> CID 387494: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
59 *f._p = 0;
60 *strp = (char *) f._bf._base;
61 }
62 return ret;

** CID 387493: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c: 56 in _asniprintf_r()

________________________________________________________________________________________________________
*** CID 387493: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c: 56 in _asniprintf_r()
50 va_start (ap, fmt);
51 ret = _svfiprintf_r (ptr, &f, fmt, ap);
52 va_end (ap);
53 if (ret < 0)
54 return NULL;
55 *lenp = ret;
>>> CID 387493: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
56 *f._p = '\0';
57 return (char *) f._bf._base;
58 }
59
60 #ifndef _REENT_ONLY
61

/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c: 51 in _asniprintf_r()
45 ptr->_errno = EOVERFLOW;
46 return NULL;
47 }
48 f._bf._size = f._w = len;
49 f._file = -1; /* No file. */
50 va_start (ap, fmt);
>>> CID 387493: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
51 ret = _svfiprintf_r (ptr, &f, fmt, ap);
52 va_end (ap);
53 if (ret < 0)
54 return NULL;
55 *lenp = ret;
56 *f._p = '\0';

** CID 387492: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c: 102 in asniprintf()

________________________________________________________________________________________________________
*** CID 387492: (FORWARD_NULL)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c: 97 in asniprintf()
91 ptr->_errno = EOVERFLOW;
92 return NULL;
93 }
94 f._bf._size = f._w = len;
95 f._file = -1; /* No file. */
96 va_start (ap, fmt);
>>> CID 387492: (FORWARD_NULL)
>>> Passing "&f" to "_svfiprintf_r", which dereferences null "f._p".
97 ret = _svfiprintf_r (ptr, &f, fmt, ap);
98 va_end (ap);
99 if (ret < 0)
100 return NULL;
101 *lenp = ret;
102 *f._p = '\0';
103 return (char *) f._bf._base;
104 }
105

/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asniprintf.c: 102 in asniprintf()
96 va_start (ap, fmt);
97 ret = _svfiprintf_r (ptr, &f, fmt, ap);
98 va_end (ap);
99 if (ret < 0)
100 return NULL;
101 *lenp = ret;
>>> CID 387492: (FORWARD_NULL)
>>> Dereferencing null pointer "f._p".
102 *f._p = '\0';
103 return (char *) f._bf._base;
104 }
105