* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Joel Sherrill @ 2022-08-29 23:09 UTC (permalink / raw)
To: Newlib
Hi
I quit running Coverity on newlib as part of the repositories analysed as
part of RTEMS BUT I had to update the version of cov-analysis we used and
wanted to make sure the scripting stayed working.
These issues were flagged since the last time we ran it. Some look like
they need attention.
--joel
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Aug 29, 2022 at 5:56 PM
Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
To: <joel.sherrill@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS-Newlib
found with Coverity Scan.
10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)
** CID 398779: (UNINIT)
________________________________________________________________________________________________________
*** CID 398779: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
454 in _swscanf_r()
448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
449 f._read = __seofread;
450 f._ub._base = NULL;
451 f._lb._base = NULL;
452 f._file = -1; /* No file. */
453 va_start (ap, fmt);
>>> CID 398779: (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
455 va_end (ap);
456 return ret;
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
454 in _swscanf_r()
448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
449 f._read = __seofread;
450 f._ub._base = NULL;
451 f._lb._base = NULL;
452 f._file = -1; /* No file. */
453 va_start (ap, fmt);
>>> CID 398779: (UNINIT)
>>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
455 va_end (ap);
456 return ret;
** CID 398778: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
18 in sleep()
________________________________________________________________________________________________________
*** CID 398778: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
18 in sleep()
12 {
13 struct timespec ts;
14
15 ts.tv_sec = seconds;
16 ts.tv_nsec = 0;
17 if (!nanosleep(&ts,&ts)) return 0;
>>> CID 398778: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
18 if (errno == EINTR) return ts.tv_sec;
19 return -1;
20 }
21
** CID 398777: (UNINIT)
________________________________________________________________________________________________________
*** CID 398777: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
432 in swscanf()
426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
427 f._read = __seofread;
428 f._ub._base = NULL;
429 f._lb._base = NULL;
430 f._file = -1; /* No file. */
431 va_start (ap, fmt);
>>> CID 398777: (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
433 va_end (ap);
434 return ret;
435 }
436
437 #endif /* !_REENT_ONLY */
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
432 in swscanf()
426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
427 f._read = __seofread;
428 f._ub._base = NULL;
429 f._lb._base = NULL;
430 f._file = -1; /* No file. */
431 va_start (ap, fmt);
>>> CID 398777: (UNINIT)
>>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
433 va_end (ap);
434 return ret;
435 }
436
437 #endif /* !_REENT_ONLY */
** CID 398776: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
44 in time()
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
45 in time()
________________________________________________________________________________________________________
*** CID 398776: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
44 in time()
38 struct timeval now;
39
40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
41 now.tv_sec = (time_t) -1;
42
43 if (t)
>>> CID 398776: (UNINIT)
>>> Using uninitialized value "now.tv_sec".
44 *t = now.tv_sec;
45 return now.tv_sec;
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
45 in time()
39
40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
41 now.tv_sec = (time_t) -1;
42
43 if (t)
44 *t = now.tv_sec;
>>> CID 398776: (UNINIT)
>>> Using uninitialized value "now.tv_sec".
45 return now.tv_sec;
** CID 398775: (UNINIT)
________________________________________________________________________________________________________
*** CID 398775: (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
57 in _vswscanf_r()
51 f._bf._base = f._p = (unsigned char *) str;
52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
53 f._read = __seofread;
54 f._ub._base = NULL;
55 f._lb._base = NULL;
56 f._file = -1; /* No file. */
>>> CID 398775: (UNINIT)
>>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
57 in _vswscanf_r()
51 f._bf._base = f._p = (unsigned char *) str;
52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
53 f._read = __seofread;
54 f._ub._base = NULL;
55 f._lb._base = NULL;
56 f._file = -1; /* No file. */
>>> CID 398775: (UNINIT)
>>> Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
** CID 398774: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 398774: Uninitialized variables (UNINIT)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
93 in _rs_stir()
87 u_char rnd[KEYSZ + IVSZ];
88
89 if (getentropy(rnd, sizeof rnd) == -1)
90 _getentropy_fail();
91
92 if (!rs)
>>> CID 398774: Uninitialized variables (UNINIT)
>>> Using uninitialized element of array "rnd" when calling "_rs_init".
93 _rs_init(rnd, sizeof(rnd));
94 else
95 _rs_rekey(rnd, sizeof(rnd));
96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
97
98 /* invalidate rs_buf */
** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
55 in __kernel_tanf()
________________________________________________________________________________________________________
*** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
55 in __kernel_tanf()
49 __int32_t ix,hx;
50 GET_FLOAT_WORD(hx,x);
51 ix = hx&0x7fffffff; /* high word of |x| */
52 if(ix<0x31800000) /* x < 2**-28 */
53 {if((int)x==0) { /* generate inexact */
54 if((ix|(iy+1))==0) return one/fabsf(x);
>>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> In expression "-1f / x", division by expression "x" which may be
zero has undefined behavior.
55 else return (iy==1)? x: -one/x;
56 }
57 }
58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
59 if(hx<0) {x = -x; y = -y;}
60 z = pio4-x;
** CID 398772: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 398772: Memory - corruptions (OVERRUN)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
1044 in bothcases()
1038 assert(othercase(ch) != ch); /* p_bracket() would
recurse */
1039 p->next = bracket;
1040 p->end = bracket+2;
1041 bracket[0] = ch;
1042 bracket[1] = ']';
1043 bracket[2] = '\0';
>>> CID 398772: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing it
to a function which accesses it at byte offset 4.
1044 p_bracket(p);
1045 assert(p->next == bracket+2);
1046 p->next = oldnext;
1047 p->end = oldend;
1048 }
1049
** CID 398771: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
18 in usleep()
________________________________________________________________________________________________________
*** CID 398771: High impact quality (Y2K38_SAFETY)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
18 in usleep()
12 {
13 struct timespec ts;
14
15 ts.tv_sec = (long int)useconds / 1000000;
16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
17 if (!nanosleep(&ts,&ts)) return 0;
>>> CID 398771: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to
accommodate it. The expression "ts.tv_sec" is cast to "int".
18 if (errno == EINTR) return ts.tv_sec;
19 return -1;
20 }
21
** CID 378851: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 378851: Memory - corruptions (OVERRUN)
/home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
1090 in nonnewline()
1084 p->next = bracket;
1085 p->end = bracket+3;
1086 bracket[0] = '^';
1087 bracket[1] = '\n';
1088 bracket[2] = ']';
1089 bracket[3] = '\0';
>>> CID 378851: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing it
to a function which accesses it at byte offset 4.
1090 p_bracket(p);
1091 assert(p->next == bracket+3);
1092 p->next = oldnext;
1093 p->end = oldend;
1094 }
1095
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Jeff Johnston @ 2022-08-30 19:03 UTC (permalink / raw)
To: joel; +Cc: Newlib
Thanks Joel for bringing this to our attention.
-- Jeff J.
On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
> Hi
>
> I quit running Coverity on newlib as part of the repositories analysed as
> part of RTEMS BUT I had to update the version of cov-analysis we used and
> wanted to make sure the scripting stayed working.
>
> These issues were flagged since the last time we ran it. Some look like
> they need attention.
>
> --joel
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Aug 29, 2022 at 5:56 PM
> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
> To: <joel.sherrill@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
> found with Coverity Scan.
>
> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 10 of 10 defect(s)
>
>
> ** CID 398779: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398779: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 454 in _swscanf_r()
> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 449 f._read = __seofread;
> 450 f._ub._base = NULL;
> 451 f._lb._base = NULL;
> 452 f._file = -1; /* No file. */
> 453 va_start (ap, fmt);
> >>> CID 398779: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
> 455 va_end (ap);
> 456 return ret;
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 454 in _swscanf_r()
> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 449 f._read = __seofread;
> 450 f._ub._base = NULL;
> 451 f._lb._base = NULL;
> 452 f._file = -1; /* No file. */
> 453 va_start (ap, fmt);
> >>> CID 398779: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
> 455 va_end (ap);
> 456 return ret;
>
> ** CID 398778: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
> 18 in sleep()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398778: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
> 18 in sleep()
> 12 {
> 13 struct timespec ts;
> 14
> 15 ts.tv_sec = seconds;
> 16 ts.tv_nsec = 0;
> 17 if (!nanosleep(&ts,&ts)) return 0;
> >>> CID 398778: High impact quality (Y2K38_SAFETY)
> >>> A "time_t" value is stored in an integer with too few bits to
> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
> 18 if (errno == EINTR) return ts.tv_sec;
> 19 return -1;
> 20 }
> 21
>
> ** CID 398777: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398777: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 432 in swscanf()
> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 427 f._read = __seofread;
> 428 f._ub._base = NULL;
> 429 f._lb._base = NULL;
> 430 f._file = -1; /* No file. */
> 431 va_start (ap, fmt);
> >>> CID 398777: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
> 433 va_end (ap);
> 434 return ret;
> 435 }
> 436
> 437 #endif /* !_REENT_ONLY */
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
> 432 in swscanf()
> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 427 f._read = __seofread;
> 428 f._ub._base = NULL;
> 429 f._lb._base = NULL;
> 430 f._file = -1; /* No file. */
> 431 va_start (ap, fmt);
> >>> CID 398777: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
> 433 va_end (ap);
> 434 return ret;
> 435 }
> 436
> 437 #endif /* !_REENT_ONLY */
>
> ** CID 398776: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 44 in time()
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 45 in time()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398776: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 44 in time()
> 38 struct timeval now;
> 39
> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
> 41 now.tv_sec = (time_t) -1;
> 42
> 43 if (t)
> >>> CID 398776: (UNINIT)
> >>> Using uninitialized value "now.tv_sec".
> 44 *t = now.tv_sec;
> 45 return now.tv_sec;
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
> 45 in time()
> 39
> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
> 41 now.tv_sec = (time_t) -1;
> 42
> 43 if (t)
> 44 *t = now.tv_sec;
> >>> CID 398776: (UNINIT)
> >>> Using uninitialized value "now.tv_sec".
> 45 return now.tv_sec;
>
> ** CID 398775: (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398775: (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
> 57 in _vswscanf_r()
> 51 f._bf._base = f._p = (unsigned char *) str;
> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 53 f._read = __seofread;
> 54 f._ub._base = NULL;
> 55 f._lb._base = NULL;
> 56 f._file = -1; /* No file. */
> >>> CID 398775: (UNINIT)
> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
> 57 in _vswscanf_r()
> 51 f._bf._base = f._p = (unsigned char *) str;
> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
> 53 f._read = __seofread;
> 54 f._ub._base = NULL;
> 55 f._lb._base = NULL;
> 56 f._file = -1; /* No file. */
> >>> CID 398775: (UNINIT)
> >>> Using uninitialized value "f._flags2" when calling
> "__ssvfwscanf_r".
> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>
> ** CID 398774: Uninitialized variables (UNINIT)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398774: Uninitialized variables (UNINIT)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
> 93 in _rs_stir()
> 87 u_char rnd[KEYSZ + IVSZ];
> 88
> 89 if (getentropy(rnd, sizeof rnd) == -1)
> 90 _getentropy_fail();
> 91
> 92 if (!rs)
> >>> CID 398774: Uninitialized variables (UNINIT)
> >>> Using uninitialized element of array "rnd" when calling "_rs_init".
> 93 _rs_init(rnd, sizeof(rnd));
> 94 else
> 95 _rs_rekey(rnd, sizeof(rnd));
> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
> 97
> 98 /* invalidate rs_buf */
>
> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
> 55 in __kernel_tanf()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
> 55 in __kernel_tanf()
> 49 __int32_t ix,hx;
> 50 GET_FLOAT_WORD(hx,x);
> 51 ix = hx&0x7fffffff; /* high word of |x| */
> 52 if(ix<0x31800000) /* x < 2**-28 */
> 53 {if((int)x==0) { /* generate inexact */
> 54 if((ix|(iy+1))==0) return one/fabsf(x);
> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
> >>> In expression "-1f / x", division by expression "x" which may be
> zero has undefined behavior.
> 55 else return (iy==1)? x: -one/x;
> 56 }
> 57 }
> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
> 59 if(hx<0) {x = -x; y = -y;}
> 60 z = pio4-x;
>
> ** CID 398772: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398772: Memory - corruptions (OVERRUN)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
> 1044 in bothcases()
> 1038 assert(othercase(ch) != ch); /* p_bracket() would
> recurse */
> 1039 p->next = bracket;
> 1040 p->end = bracket+2;
> 1041 bracket[0] = ch;
> 1042 bracket[1] = ']';
> 1043 bracket[2] = '\0';
> >>> CID 398772: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing it
> to a function which accesses it at byte offset 4.
> 1044 p_bracket(p);
> 1045 assert(p->next == bracket+2);
> 1046 p->next = oldnext;
> 1047 p->end = oldend;
> 1048 }
> 1049
>
> ** CID 398771: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
> 18 in usleep()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 398771: High impact quality (Y2K38_SAFETY)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
> 18 in usleep()
> 12 {
> 13 struct timespec ts;
> 14
> 15 ts.tv_sec = (long int)useconds / 1000000;
> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
> 17 if (!nanosleep(&ts,&ts)) return 0;
> >>> CID 398771: High impact quality (Y2K38_SAFETY)
> >>> A "time_t" value is stored in an integer with too few bits to
> accommodate it. The expression "ts.tv_sec" is cast to "int".
> 18 if (errno == EINTR) return ts.tv_sec;
> 19 return -1;
> 20 }
> 21
>
> ** CID 378851: Memory - corruptions (OVERRUN)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 378851: Memory - corruptions (OVERRUN)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
> 1090 in nonnewline()
> 1084 p->next = bracket;
> 1085 p->end = bracket+3;
> 1086 bracket[0] = '^';
> 1087 bracket[1] = '\n';
> 1088 bracket[2] = ']';
> 1089 bracket[3] = '\0';
> >>> CID 378851: Memory - corruptions (OVERRUN)
> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing it
> to a function which accesses it at byte offset 4.
> 1090 p_bracket(p);
> 1091 assert(p->next == bracket+3);
> 1092 p->next = oldnext;
> 1093 p->end = oldend;
> 1094 }
> 1095
>
>
>
>
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Jeff Johnston @ 2022-08-31 19:16 UTC (permalink / raw)
To: joel; +Cc: Newlib
Hi Joel, I will be pushing a patch shortly but see comments below as IMO there
are some false positives.
-- Jeff J.
On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Thanks Joel for bringing this to our attention.
>
> -- Jeff J.
>
> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>
>> Hi
>>
>> I quit running Coverity on newlib as part of the repositories analysed as
>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>> wanted to make sure the scripting stayed working.
>>
>> These issues were flagged since the last time we ran it. Some look like
>> they need attention.
>>
>> --joel
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Aug 29, 2022 at 5:56 PM
>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>> To: <joel.sherrill@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>> found with Coverity Scan.
>>
>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 10 of 10 defect(s)
>>
>>
>> ** CID 398779: (UNINIT)
>>
>>
Fixed.
>
>> ________________________________________________________________________________________________________
>> *** CID 398779: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>>
>>
Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = seconds;
>> 16 ts.tv_nsec = 0;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 398777: (UNINIT)
>>
>>
Fixed. I just initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398777: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> ** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>>
>>
Although this should be a false positive because of gettimeofday_r
getting the address of now, I have initialized the field to -1.
>
>> ________________________________________________________________________________________________________
>> *** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>> 38 struct timeval now;
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 44 *t = now.tv_sec;
>> 45 return now.tv_sec;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> 44 *t = now.tv_sec;
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 45 return now.tv_sec;
>>
>> ** CID 398775: (UNINIT)
>>
>>
>>
Fixed. I initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398775: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> ** CID 398774: Uninitialized variables (UNINIT)
>>
Fixed. I memset the initial array to 0's.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398774: Uninitialized variables (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>> 93 in _rs_stir()
>> 87 u_char rnd[KEYSZ + IVSZ];
>> 88
>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>> 90 _getentropy_fail();
>> 91
>> 92 if (!rs)
>> >>> CID 398774: Uninitialized variables (UNINIT)
>> >>> Using uninitialized element of array "rnd" when calling
>> "_rs_init".
>> 93 _rs_init(rnd, sizeof(rnd));
>> 94 else
>> 95 _rs_rekey(rnd, sizeof(rnd));
>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>> 97
>> 98 /* invalidate rs_buf */
>>
>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>>
>>
>>
This is a false positive. We intend to divide by zero.
>
>> ________________________________________________________________________________________________________
>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>> 49 __int32_t ix,hx;
>> 50 GET_FLOAT_WORD(hx,x);
>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>> 52 if(ix<0x31800000) /* x < 2**-28 */
>> 53 {if((int)x==0) { /* generate inexact */
>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>> >>> In expression "-1f / x", division by expression "x" which may be
>> zero has undefined behavior.
>> 55 else return (iy==1)? x: -one/x;
>> 56 }
>> 57 }
>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>> 59 if(hx<0) {x = -x; y = -y;}
>> 60 z = pio4-x;
>>
>> ** CID 398772: Memory - corruptions (OVERRUN)
>>
I think this is another false positive. I couldn't see where it was
accessing storage without doing a length check first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398772: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1044 in bothcases()
>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>> recurse */
>> 1039 p->next = bracket;
>> 1040 p->end = bracket+2;
>> 1041 bracket[0] = ch;
>> 1042 bracket[1] = ']';
>> 1043 bracket[2] = '\0';
>> >>> CID 398772: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1044 p_bracket(p);
>> 1045 assert(p->next == bracket+2);
>> 1046 p->next = oldnext;
>> 1047 p->end = oldend;
>> 1048 }
>> 1049
>>
>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>>
>>
Fixed. I removed the return as usleep is supposed to return -1 on an EINTR.
>>
>> ________________________________________________________________________________________________________
>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = (long int)useconds / 1000000;
>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 378851: Memory - corruptions (OVERRUN)
>>
>>
Again, I believe this is a false positive. No access of storage without
checking length first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 378851: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1090 in nonnewline()
>> 1084 p->next = bracket;
>> 1085 p->end = bracket+3;
>> 1086 bracket[0] = '^';
>> 1087 bracket[1] = '\n';
>> 1088 bracket[2] = ']';
>> 1089 bracket[3] = '\0';
>> >>> CID 378851: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1090 p_bracket(p);
>> 1091 assert(p->next == bracket+3);
>> 1092 p->next = oldnext;
>> 1093 p->end = oldend;
>> 1094 }
>> 1095
>>
>>
>>
>>
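The two Y2K38_SAFETY replies above (sleep() and usleep()) turn on what each function returns when nanosleep() is interrupted. The sketch below is an added illustration, not the newlib patch and not code from this thread; `sleep_sketch`, `usleep_sketch`, `secs_to_uint`, the `nanosleep_fn` hook and both stubs are hypothetical names with constructed values, and the narrowing uses a saturating clamp rather than the UINT_MAX mask mentioned in the reply.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical hook with nanosleep()'s contract, so the interrupted path
   can be driven deterministically instead of by a real signal. */
typedef int (*nanosleep_fn)(const struct timespec *req, struct timespec *rem);

/* Narrow a time_t second count to unsigned int, saturating instead of
   wrapping when time_t is wider than unsigned int. */
unsigned int secs_to_uint(time_t s)
{
    if (s <= 0)
        return 0;
    if ((unsigned long long)s > UINT_MAX)
        return UINT_MAX;
    return (unsigned int)s;
}

/* sleep()-shaped: 0 when the full interval elapsed, otherwise the unslept
   whole seconds. A conforming nanosleep() never reports more remaining
   time than was requested, so the result fits even with a 64-bit time_t;
   the clamp makes that narrowing explicit and checked. */
unsigned int sleep_sketch(unsigned int seconds, nanosleep_fn ns)
{
    struct timespec ts;

    ts.tv_sec = (time_t)seconds;
    ts.tv_nsec = 0;
    if (ns(&ts, &ts) == 0)
        return 0;
    if (errno == EINTR)
        return secs_to_uint(ts.tv_sec);
    return (unsigned int)-1;   /* other failures, as in the quoted listing */
}

/* usleep()-shaped: 0 on success, -1 on any failure including EINTR, so no
   time_t value is ever converted to the int return type. unsigned long
   stands in for useconds_t to keep the sketch portable. */
int usleep_sketch(unsigned long useconds, nanosleep_fn ns)
{
    struct timespec ts;

    ts.tv_sec = (time_t)(useconds / 1000000UL);
    ts.tv_nsec = (long)(useconds % 1000000UL) * 1000L;
    if (ns(&ts, &ts) == 0)
        return 0;
    return -1;                 /* errno is left as the callee set it */
}

/* Constructed stub: the sleep completes normally. */
int ns_complete(const struct timespec *req, struct timespec *rem)
{
    (void)req;
    (void)rem;
    return 0;
}

/* Constructed stub: a signal arrives with 7.25 s still to go. */
int ns_interrupted(const struct timespec *req, struct timespec *rem)
{
    (void)req;
    rem->tv_sec = 7;
    rem->tv_nsec = 250000000L;
    errno = EINTR;
    return -1;
}

int main(void)
{
    printf("sleep, completed:    %u\n", sleep_sketch(10, ns_complete));
    printf("sleep, interrupted:  %u\n", sleep_sketch(10, ns_interrupted));
    printf("usleep, interrupted: %d\n", usleep_sketch(1500000UL, ns_interrupted));
    return 0;
}
```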
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
From: Jeff Johnston @ 2022-08-31 19:16 UTC (permalink / raw)
To: joel; +Cc: Newlib
Hi Joel, I will be pushing a patch shortly but see comments below as IMO there
are some false positives.
-- Jeff J.
On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Thanks Joel for bringing this to our attention.
>
> -- Jeff J.
>
> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>
>> Hi
>>
>> I quit running Coverity on newlib as part of the repositories analysed as
>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>> wanted to make sure the scripting stayed working.
>>
>> These issues were flagged since the last time we ran it. Some look like
>> they need attention.
>>
>> --joel
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Aug 29, 2022 at 5:56 PM
>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>> To: <joel.sherrill@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>> found with Coverity Scan.
>>
>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 10 of 10 defect(s)
>>
>>
>> ** CID 398779: (UNINIT)
>>
>>
Fixed.
>
>> ________________________________________________________________________________________________________
>> *** CID 398779: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 454 in _swscanf_r()
>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449 f._read = __seofread;
>> 450 f._ub._base = NULL;
>> 451 f._lb._base = NULL;
>> 452 f._file = -1; /* No file. */
>> 453 va_start (ap, fmt);
>> >>> CID 398779: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455 va_end (ap);
>> 456 return ret;
>>
>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>>
>>
Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>> 18 in sleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = seconds;
>> 16 ts.tv_nsec = 0;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 398777: (UNINIT)
>>
>>
Fixed. I just initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398777: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>> 432 in swscanf()
>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427 f._read = __seofread;
>> 428 f._ub._base = NULL;
>> 429 f._lb._base = NULL;
>> 430 f._file = -1; /* No file. */
>> 431 va_start (ap, fmt);
>> >>> CID 398777: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433 va_end (ap);
>> 434 return ret;
>> 435 }
>> 436
>> 437 #endif /* !_REENT_ONLY */
>>
>> ** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>>
>>
Although this should be a false positive because of gettimeofday_r
getting the address of now, I have initialized the field to -1.
>
>> ________________________________________________________________________________________________________
>> *** CID 398776: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 44 in time()
>> 38 struct timeval now;
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 44 *t = now.tv_sec;
>> 45 return now.tv_sec;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>> 45 in time()
>> 39
>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41 now.tv_sec = (time_t) -1;
>> 42
>> 43 if (t)
>> 44 *t = now.tv_sec;
>> >>> CID 398776: (UNINIT)
>> >>> Using uninitialized value "now.tv_sec".
>> 45 return now.tv_sec;
>>
>> ** CID 398775: (UNINIT)
>>
>>
>>
Fixed. I initialized the fields.
>
>> ________________________________________________________________________________________________________
>> *** CID 398775: (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>> 57 in _vswscanf_r()
>> 51 f._bf._base = f._p = (unsigned char *) str;
>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53 f._read = __seofread;
>> 54 f._ub._base = NULL;
>> 55 f._lb._base = NULL;
>> 56 f._file = -1; /* No file. */
>> >>> CID 398775: (UNINIT)
>> >>> Using uninitialized value "f._flags2" when calling
>> "__ssvfwscanf_r".
>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> ** CID 398774: Uninitialized variables (UNINIT)
>>
Fixed. I memset the initial array to 0's.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398774: Uninitialized variables (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>> 93 in _rs_stir()
>> 87 u_char rnd[KEYSZ + IVSZ];
>> 88
>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>> 90 _getentropy_fail();
>> 91
>> 92 if (!rs)
>> >>> CID 398774: Uninitialized variables (UNINIT)
>> >>> Using uninitialized element of array "rnd" when calling
>> "_rs_init".
>> 93 _rs_init(rnd, sizeof(rnd));
>> 94 else
>> 95 _rs_rekey(rnd, sizeof(rnd));
>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>> 97
>> 98 /* invalidate rs_buf */
>>
>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>>
>>
>>
This is a false positive. We intend to divide by zero.
>
>> ________________________________________________________________________________________________________
>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>> 55 in __kernel_tanf()
>> 49 __int32_t ix,hx;
>> 50 GET_FLOAT_WORD(hx,x);
>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>> 52 if(ix<0x31800000) /* x < 2**-28 */
>> 53 {if((int)x==0) { /* generate inexact */
>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>> >>> In expression "-1f / x", division by expression "x" which may be
>> zero has undefined behavior.
>> 55 else return (iy==1)? x: -one/x;
>> 56 }
>> 57 }
>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>> 59 if(hx<0) {x = -x; y = -y;}
>> 60 z = pio4-x;
>>
>> ** CID 398772: Memory - corruptions (OVERRUN)
>>
I think this is another false positive. I couldn't see where it was
accessing storage without doing a length check first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 398772: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1044 in bothcases()
>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>> recurse */
>> 1039 p->next = bracket;
>> 1040 p->end = bracket+2;
>> 1041 bracket[0] = ch;
>> 1042 bracket[1] = ']';
>> 1043 bracket[2] = '\0';
>> >>> CID 398772: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1044 p_bracket(p);
>> 1045 assert(p->next == bracket+2);
>> 1046 p->next = oldnext;
>> 1047 p->end = oldend;
>> 1048 }
>> 1049
>>
>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>>
>>
Fixed. I removed the return as usleep is supposed to return -1 on an EINTR.
>>
>> ________________________________________________________________________________________________________
>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>> 18 in usleep()
>> 12 {
>> 13 struct timespec ts;
>> 14
>> 15 ts.tv_sec = (long int)useconds / 1000000;
>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>> 17 if (!nanosleep(&ts,&ts)) return 0;
>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>> >>> A "time_t" value is stored in an integer with too few bits to
>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>> 18 if (errno == EINTR) return ts.tv_sec;
>> 19 return -1;
>> 20 }
>> 21
>>
>> ** CID 378851: Memory - corruptions (OVERRUN)
>>
>>
Again, I believe this is a false positive. No access of storage without
checking length first.
>
>>
>> ________________________________________________________________________________________________________
>> *** CID 378851: Memory - corruptions (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>> 1090 in nonnewline()
>> 1084 p->next = bracket;
>> 1085 p->end = bracket+3;
>> 1086 bracket[0] = '^';
>> 1087 bracket[1] = '\n';
>> 1088 bracket[2] = ']';
>> 1089 bracket[3] = '\0';
>> >>> CID 378851: Memory - corruptions (OVERRUN)
>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>> it
>> to a function which accesses it at byte offset 4.
>> 1090 p_bracket(p);
>> 1091 assert(p->next == bracket+3);
>> 1092 p->next = oldnext;
>> 1093 p->end = oldend;
>> 1094 }
>> 1095
>>
>>
>>
^ permalink raw reply [flat|nested] 15+ messages in thread
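The pattern behind the UNINIT reports on swscanf.c and vswscanf.c (CIDs 398779, 398777, 398775), as an added example that is not newlib code and not part of the thread. `struct str_stream`, `F2_WIDE`, `STACK_GARBAGE` and every function name are constructed stand-ins; the garbage byte models leftover stack contents so the effect is reproducible without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a stdio stream object; this is NOT newlib's FILE.
   Field names follow the ones quoted in the Coverity report. */
struct str_stream {
    const unsigned char *_p;  /* next byte to read */
    int   _r;                 /* bytes left in the string */
    int   _ur;                /* bytes parked by an unget, 0 if none */
    int   _flags2;            /* extra mode bits read by the consumer */
    short _file;              /* -1 means "no underlying file" */
};

#define F2_WIDE       0x2     /* constructed mode bit */
#define STACK_GARBAGE 0x5A    /* constructed byte modelling old stack data */

/* Pattern the checker flagged: only some fields are assigned, so _ur and
   _flags2 keep whatever bytes were already in the object. */
static void init_partial(struct str_stream *f, const char *str)
{
    f->_p = (const unsigned char *) str;
    f->_r = (int) strlen(str);
    f->_file = -1;
}

/* Pattern after the fix described in the thread: every field the consumer
   reads is assigned. Zeroing the whole object first (memset or "= {0}")
   is an alternative that also covers fields added later. */
static void init_full(struct str_stream *f, const char *str)
{
    init_partial(f, str);
    f->_ur = 0;
    f->_flags2 = 0;
}

/* Consumer in the role of the scanner: it trusts _ur and _flags2. */
static long scan_budget(const struct str_stream *f)
{
    long n = f->_r;
    if (f->_ur > 0)           /* believes unget data is waiting */
        n += f->_ur;
    return n;
}

static int scans_wide(const struct str_stream *f)
{
    return (f->_flags2 & F2_WIDE) != 0;
}

/* Build a stream in memory pre-filled with STACK_GARBAGE, standing in for
   an automatic variable that was never fully initialized. */
static struct str_stream make_stream(int full, const char *str)
{
    struct str_stream f;
    memset(&f, STACK_GARBAGE, sizeof f);
    if (full)
        init_full(&f, str);
    else
        init_partial(&f, str);
    return f;
}

static long budget_after(int full, const char *str)
{
    struct str_stream f = make_stream(full, str);
    return scan_budget(&f);
}

static int wide_after(int full, const char *str)
{
    struct str_stream f = make_stream(full, str);
    return scans_wide(&f);
}

int main(void)
{
    const char *input = "12 34";  /* constructed sample input */

    printf("partial init: budget=%ld wide=%d\n",
           budget_after(0, input), wide_after(0, input));
    printf("full init:    budget=%ld wide=%d\n",
           budget_after(1, input), wide_after(1, input));
    return 0;
}
```

With partial initialization the consumer's read budget and mode depend entirely on the garbage byte, which is why the checker reports the call site rather than the declaration.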
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-08-31 19:16 ` Jeff Johnston
2022-08-31 19:16 ` Jeff Johnston
@ 2022-08-31 19:58 ` Joel Sherrill
2022-08-31 19:58 ` Joel Sherrill
1 sibling, 1 reply; 15+ messages in thread
From: Joel Sherrill @ 2022-08-31 19:58 UTC (permalink / raw)
To: Jeff Johnston; +Cc: Newlib
On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Hi Joel, I will be pushing a patch shortly but see comments below as IMO
> there are some false positives.
>
I'm happy to mark the false positives in Coverity but I only ran this
because they forced me to update the client side program and I
wanted to make sure all my run coverity scripts continued to work
with it. Normally this one isn't run on a regular basis.
Is Cygwin still running Scan on newlib? I stopped because the
focus was supposed to be on their run not on the RTEMS one.
I can easily uncomment the one line to run it via cron. I have a script
that can check for changes in git and run coverity if needed.
Basically, where's the "official" Scan instance that we all should
be referring to?
--joel
>
> -- Jeff J.
>
> On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
>
>> Thanks Joel for bringing this to our attention.
>>
>> -- Jeff J.
>>
>> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>>
>>> Hi
>>>
>>> I quit running Coverity on newlib as part of the repositories analysed as
>>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>>> wanted to make sure the scripting stayed working.
>>>
>>> These issues were flagged since the last time we ran it. Some look like
>>> they need attention.
>>>
>>> --joel
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Aug 29, 2022 at 5:56 PM
>>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>>> To: <joel.sherrill@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>>> found with Coverity Scan.
>>>
>>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 10 of 10 defect(s)
>>>
>>>
>>> ** CID 398779: (UNINIT)
>>>
>>>
> Fixed.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398779: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>>
>>>
> Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = seconds;
>>> 16 ts.tv_nsec = 0;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 398777: (UNINIT)
>>>
>>>
> Fixed. I just initialized the fields.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398777: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> ** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>>
>>>
> Although this should be a false positive because of gettimeofday_r
> getting the address of now, I have initialized the field to -1.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>> 38 struct timeval now;
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 44 *t = now.tv_sec;
>>> 45 return now.tv_sec;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> 44 *t = now.tv_sec;
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 45 return now.tv_sec;
>>>
>>> ** CID 398775: (UNINIT)
>>>
>>>
>>>
> Fixed. I initialized the fields.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398775: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> ** CID 398774: Uninitialized variables (UNINIT)
>>>
> Fixed. I memset the initial array to 0's.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398774: Uninitialized variables (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>>> 93 in _rs_stir()
>>> 87 u_char rnd[KEYSZ + IVSZ];
>>> 88
>>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>>> 90 _getentropy_fail();
>>> 91
>>> 92 if (!rs)
>>> >>> CID 398774: Uninitialized variables (UNINIT)
>>> >>> Using uninitialized element of array "rnd" when calling
>>> "_rs_init".
>>> 93 _rs_init(rnd, sizeof(rnd));
>>> 94 else
>>> 95 _rs_rekey(rnd, sizeof(rnd));
>>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>>> 97
>>> 98 /* invalidate rs_buf */
>>>
>>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>>
>>>
>>>
> This is a false positive. We intend to divide by zero.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>> 49 __int32_t ix,hx;
>>> 50 GET_FLOAT_WORD(hx,x);
>>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>>> 52 if(ix<0x31800000) /* x < 2**-28 */
>>> 53 {if((int)x==0) { /* generate inexact */
>>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> >>> In expression "-1f / x", division by expression "x" which may be
>>> zero has undefined behavior.
>>> 55 else return (iy==1)? x: -one/x;
>>> 56 }
>>> 57 }
>>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>>> 59 if(hx<0) {x = -x; y = -y;}
>>> 60 z = pio4-x;
>>>
>>> ** CID 398772: Memory - corruptions (OVERRUN)
>>>
> I think this is another false positive. I couldn't see where it was
> accessing storage without doing a length check first.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398772: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1044 in bothcases()
>>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>>> recurse */
>>> 1039 p->next = bracket;
>>> 1040 p->end = bracket+2;
>>> 1041 bracket[0] = ch;
>>> 1042 bracket[1] = ']';
>>> 1043 bracket[2] = '\0';
>>> >>> CID 398772: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1044 p_bracket(p);
>>> 1045 assert(p->next == bracket+2);
>>> 1046 p->next = oldnext;
>>> 1047 p->end = oldend;
>>> 1048 }
>>> 1049
>>>
>>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>>
>>>
> Fixed. I removed the return as usleep is supposed to return -1 on an
> EINTR.
>
>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = (long int)useconds / 1000000;
>>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>>
> Again, I believe this is a false positive. No access of storage without
> checking length first.
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1090 in nonnewline()
>>> 1084 p->next = bracket;
>>> 1085 p->end = bracket+3;
>>> 1086 bracket[0] = '^';
>>> 1087 bracket[1] = '\n';
>>> 1088 bracket[2] = ']';
>>> 1089 bracket[3] = '\0';
>>> >>> CID 378851: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1090 p_bracket(p);
>>> 1091 assert(p->next == bracket+3);
>>> 1092 p->next = oldnext;
>>> 1093 p->end = oldend;
>>> 1094 }
>>> 1095
>>>
>>>
>>>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-08-31 19:58 ` Joel Sherrill
@ 2022-08-31 19:58 ` Joel Sherrill
0 siblings, 0 replies; 15+ messages in thread
From: Joel Sherrill @ 2022-08-31 19:58 UTC (permalink / raw)
To: Jeff Johnston; +Cc: Newlib
On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
> Hi Joel, I will be pushing a patch shortly but see comments below as IMO
> there are some false positives.
>
I'm happy to mark the false positives in Coverity but I only ran this
because they forced me to update the client side program and I
wanted to make sure all my run coverity scripts continued to work
with it. Normally this one isn't run on a regular basis.
Is Cygwin still running Scan on newlib? I stopped because the
focus was supposed to be on their run not on the RTEMS one.
I can easily uncomment the one line to run it via cron. I have a script
that can check for changes in git and run coverity if needed.
Basically, where's the "official" Scan instance that we all should
be referring to?
--joel
>
> -- Jeff J.
>
> On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
>
>> Thanks Joel for bringing this to our attention.
>>
>> -- Jeff J.
>>
>> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>>
>>> Hi
>>>
>>> I quit running Coverity on newlib as part of the repositories analysed as
>>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>>> wanted to make sure the scripting stayed working.
>>>
>>> These issues were flagged since the last time we ran it. Some look like
>>> they need attention.
>>>
>>> --joel
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Aug 29, 2022 at 5:56 PM
>>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>>> To: <joel.sherrill@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>>> found with Coverity Scan.
>>>
>>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 10 of 10 defect(s)
>>>
>>>
>>> ** CID 398779: (UNINIT)
>>>
>>>
> Fixed.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398779: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449 f._read = __seofread;
>>> 450 f._ub._base = NULL;
>>> 451 f._lb._base = NULL;
>>> 452 f._file = -1; /* No file. */
>>> 453 va_start (ap, fmt);
>>> >>> CID 398779: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 454 ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455 va_end (ap);
>>> 456 return ret;
>>>
>>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>>
>>>
> Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = seconds;
>>> 16 ts.tv_nsec = 0;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398778: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 398777: (UNINIT)
>>>
>>>
> Fixed. I just initialized the fields.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398777: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427 f._read = __seofread;
>>> 428 f._ub._base = NULL;
>>> 429 f._lb._base = NULL;
>>> 430 f._file = -1; /* No file. */
>>> 431 va_start (ap, fmt);
>>> >>> CID 398777: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 432 ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433 va_end (ap);
>>> 434 return ret;
>>> 435 }
>>> 436
>>> 437 #endif /* !_REENT_ONLY */
>>>
>>> ** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>>
>>>
> Although this should be a false positive because of gettimeofday_r
> getting the address of now, I have initialized the field to -1.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>> 38 struct timeval now;
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 44 *t = now.tv_sec;
>>> 45 return now.tv_sec;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>> 39
>>> 40 if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41 now.tv_sec = (time_t) -1;
>>> 42
>>> 43 if (t)
>>> 44 *t = now.tv_sec;
>>> >>> CID 398776: (UNINIT)
>>> >>> Using uninitialized value "now.tv_sec".
>>> 45 return now.tv_sec;
>>>
>>> ** CID 398775: (UNINIT)
>>>
>>>
>>>
> Fixed. I initialized the fields.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398775: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51 f._bf._base = f._p = (unsigned char *) str;
>>> 52 f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53 f._read = __seofread;
>>> 54 f._ub._base = NULL;
>>> 55 f._lb._base = NULL;
>>> 56 f._file = -1; /* No file. */
>>> >>> CID 398775: (UNINIT)
>>> >>> Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 57 return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> ** CID 398774: Uninitialized variables (UNINIT)
>>>
> Fixed. I memset the initial array to 0's.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398774: Uninitialized variables (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>>> 93 in _rs_stir()
>>> 87 u_char rnd[KEYSZ + IVSZ];
>>> 88
>>> 89 if (getentropy(rnd, sizeof rnd) == -1)
>>> 90 _getentropy_fail();
>>> 91
>>> 92 if (!rs)
>>> >>> CID 398774: Uninitialized variables (UNINIT)
>>> >>> Using uninitialized element of array "rnd" when calling
>>> "_rs_init".
>>> 93 _rs_init(rnd, sizeof(rnd));
>>> 94 else
>>> 95 _rs_rekey(rnd, sizeof(rnd));
>>> 96 explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>>> 97
>>> 98 /* invalidate rs_buf */
>>>
>>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>>
>>>
>>>
> This is a false positive. We intend to divide by zero.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>> 49 __int32_t ix,hx;
>>> 50 GET_FLOAT_WORD(hx,x);
>>> 51 ix = hx&0x7fffffff; /* high word of |x| */
>>> 52 if(ix<0x31800000) /* x < 2**-28 */
>>> 53 {if((int)x==0) { /* generate inexact */
>>> 54 if((ix|(iy+1))==0) return one/fabsf(x);
>>> >>> CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> >>> In expression "-1f / x", division by expression "x" which may be
>>> zero has undefined behavior.
>>> 55 else return (iy==1)? x: -one/x;
>>> 56 }
>>> 57 }
>>> 58 if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>>> 59 if(hx<0) {x = -x; y = -y;}
>>> 60 z = pio4-x;
>>>
>>> ** CID 398772: Memory - corruptions (OVERRUN)
>>>
> I think this is another false positive. I couldn't see where it was
> accessing storage without doing a length check first.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398772: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1044 in bothcases()
>>> 1038 assert(othercase(ch) != ch); /* p_bracket() would
>>> recurse */
>>> 1039 p->next = bracket;
>>> 1040 p->end = bracket+2;
>>> 1041 bracket[0] = ch;
>>> 1042 bracket[1] = ']';
>>> 1043 bracket[2] = '\0';
>>> >>> CID 398772: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1044 p_bracket(p);
>>> 1045 assert(p->next == bracket+2);
>>> 1046 p->next = oldnext;
>>> 1047 p->end = oldend;
>>> 1048 }
>>> 1049
>>>
>>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>>
>>>
> Fixed. I removed the return as usleep is supposed to return -1 on an
> EINTR.
>
>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>> 12 {
>>> 13 struct timespec ts;
>>> 14
>>> 15 ts.tv_sec = (long int)useconds / 1000000;
>>> 16 ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>>> 17 if (!nanosleep(&ts,&ts)) return 0;
>>> >>> CID 398771: High impact quality (Y2K38_SAFETY)
>>> >>> A "time_t" value is stored in an integer with too few bits to
>>> accommodate it. The expression "ts.tv_sec" is cast to "int".
>>> 18 if (errno == EINTR) return ts.tv_sec;
>>> 19 return -1;
>>> 20 }
>>> 21
>>>
>>> ** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>>
> Again, I believe this is a false positive. No access of storage without
> checking length first.
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1090 in nonnewline()
>>> 1084 p->next = bracket;
>>> 1085 p->end = bracket+3;
>>> 1086 bracket[0] = '^';
>>> 1087 bracket[1] = '\n';
>>> 1088 bracket[2] = ']';
>>> 1089 bracket[3] = '\0';
>>> >>> CID 378851: Memory - corruptions (OVERRUN)
>>> >>> Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1090 p_bracket(p);
>>> 1091 assert(p->next == bracket+3);
>>> 1092 p->next = oldnext;
>>> 1093 p->end = oldend;
>>> 1094 }
>>> 1095
>>>
>>>
>>>
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2025-02-11 15:07 ` Joel Sherrill
@ 2025-02-11 21:24 ` Brian Inglis
0 siblings, 0 replies; 15+ messages in thread
From: Brian Inglis @ 2025-02-11 21:24 UTC (permalink / raw)
To: newlib
On 2025-02-11 08:07, Joel Sherrill wrote:
> Confirming I should mark them as false positives.
>
> Thanks.
>
> On Tue, Feb 11, 2025 at 6:02 AM Corinna Vinschen wrote:
>
> On Feb 11 10:50, Alexey Lapshin wrote:
> > Hi, interesting finding,
> >
> > Are not all these found "underflows" issues false-positive?
> > Because all of them are under `while(!TOO_SMALL_LITTLE_BLOCK(len))` block
> > which guarantees no underflow of "len" variable
>
> Yeah, looks like false positives to me, too.
Could add (size_t) to block size constant definitions?
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
Perfection is achieved not when there is no more to add
but when there is no more to cut
-- Antoine de Saint-Exupéry
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2025-02-11 12:02 ` Corinna Vinschen
@ 2025-02-11 15:07 ` Joel Sherrill
2025-02-11 21:24 ` Brian Inglis
0 siblings, 1 reply; 15+ messages in thread
From: Joel Sherrill @ 2025-02-11 15:07 UTC (permalink / raw)
To: newlib, Alexey Lapshin, joel.sherrill
Confirming I should mark them as false positives.
Thanks.
On Tue, Feb 11, 2025 at 6:02 AM Corinna Vinschen <vinschen@redhat.com>
wrote:
> On Feb 11 10:50, Alexey Lapshin wrote:
> > Hi, interesting finding,
> >
> > Are not all these found "underflows" issues false-positive?
> > Because all of them are under `while(!TOO_SMALL_LITTLE_BLOCK(len))` block
> > which guarantees no underflow of "len" variable
>
> Yeah, looks like false positives to me, too.
>
>
> Corinna
>
>
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2025-02-11 10:50 ` Alexey Lapshin
@ 2025-02-11 12:02 ` Corinna Vinschen
2025-02-11 15:07 ` Joel Sherrill
0 siblings, 1 reply; 15+ messages in thread
From: Corinna Vinschen @ 2025-02-11 12:02 UTC (permalink / raw)
To: Alexey Lapshin; +Cc: newlib, joel.sherrill
On Feb 11 10:50, Alexey Lapshin wrote:
> Hi, interesting finding,
>
> Are not all these found "underflows" issues false-positive?
> Because all of them are under `while(!TOO_SMALL_LITTLE_BLOCK(len))` block
> which guarantees no underflow of "len" variable
Yeah, looks like false positives to me, too.
Corinna
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2025-02-11 10:40 ` Corinna Vinschen
@ 2025-02-11 10:50 ` Alexey Lapshin
2025-02-11 12:02 ` Corinna Vinschen
0 siblings, 1 reply; 15+ messages in thread
From: Alexey Lapshin @ 2025-02-11 10:50 UTC (permalink / raw)
To: newlib, joel.sherrill, vinschen
Hi, interesting finding,
Are not all these found "underflows" issues false-positive?
Because all of them are under `while(!TOO_SMALL_LITTLE_BLOCK(len))` block
which guarantees no underflow of "len" variable
Regards,
Alexey
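The loop guard discussed in the message above, as an added example that is not part of the thread or of newlib's source: it shows why a decrement placed under `while(!TOO_SMALL_LITTLE_BLOCK(len))` cannot wrap a `size_t`, next to the unguarded subtraction a checker has to assume. The macro definitions and the helpers `word_copy`, `unguarded_decrement` and `count_violations` are assumptions made for illustration; the report quotes only the macro names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed definitions: the report quotes only the macro names. */
#define LITTLE_BLOCK_SIZE (sizeof (long))
#define BIG_BLOCK_SIZE (sizeof (long) << 2)
#define TOO_SMALL_LITTLE_BLOCK(len) ((len) < LITTLE_BLOCK_SIZE)
#define TOO_SMALL_BIG_BLOCK(len) ((len) < BIG_BLOCK_SIZE)

/* What the checker worries about: with no guard, an unsigned subtraction
   on a short length wraps to a huge value instead of going negative. */
static size_t unguarded_decrement (size_t len)
{
  return len - LITTLE_BLOCK_SIZE;
}

/* Word-wise copy shaped like the flagged loops (hypothetical helper).
   Returns the residual byte count left for a byte copier and sets
   *wrapped if any decrement made len larger than it was before. */
static size_t word_copy (long *dst, const long *src, size_t len, int *wrapped)
{
  *wrapped = 0;
  while (!TOO_SMALL_BIG_BLOCK (len))
    {
      size_t before = len;
      *dst++ = *src++;
      *dst++ = *src++;
      *dst++ = *src++;
      *dst++ = *src++;
      len -= BIG_BLOCK_SIZE;    /* guard proved len >= BIG_BLOCK_SIZE */
      if (len > before)
        *wrapped = 1;
    }
  while (!TOO_SMALL_LITTLE_BLOCK (len))
    {
      size_t before = len;
      *dst++ = *src++;
      len -= LITTLE_BLOCK_SIZE; /* guard proved len >= LITTLE_BLOCK_SIZE */
      if (len > before)
        *wrapped = 1;
    }
  return len;
}

#define MAX_LEN 256

/* Run every length from 0 to MAX_LEN and count broken invariants:
   a wrapped counter, a wrong residual, or a mismatched word copy. */
static int count_violations (void)
{
  long src[MAX_LEN / sizeof (long) + 1], dst[MAX_LEN / sizeof (long) + 1];
  int violations = 0;
  size_t len;

  for (len = 0; len <= MAX_LEN; len++)
    {
      int wrapped;
      size_t rest;
      memset (src, 0xA5, sizeof src);   /* constructed sample data */
      memset (dst, 0, sizeof dst);
      rest = word_copy (dst, src, len, &wrapped);
      if (wrapped || rest != len % LITTLE_BLOCK_SIZE)
        violations++;
      if (memcmp (dst, src, len - rest) != 0)
        violations++;
    }
  return violations;
}

int main (void)
{
  printf ("violations with guard: %d\n", count_violations ());
  printf ("unguarded 3 - LITTLE_BLOCK_SIZE: %zu\n", unguarded_decrement (3));
  return 0;
}
```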
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2025-02-10 22:56 ` Fwd: " Joel Sherrill
@ 2025-02-11 10:40 ` Corinna Vinschen
2025-02-11 10:50 ` Alexey Lapshin
0 siblings, 1 reply; 15+ messages in thread
From: Corinna Vinschen @ 2025-02-11 10:40 UTC (permalink / raw)
To: Alexey Lapshin; +Cc: Joel Sherrill, Newlib
Alexey?
On Feb 10 16:56, Joel Sherrill wrote:
> Coverity Scan has spotted a handful of issues with the recent string
> changes.
>
> --joel
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Feb 10, 2025 at 4:27 PM
> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
> To: <joel.sherrill@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
> found with Coverity Scan.
>
> 6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 6 of 6 defect(s)
>
>
> ** CID 474676: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/mempcpy.c:
> 68 in mempcpy()
>
>
> ________________________________________________________________________________________________________
> *** CID 474676: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/mempcpy.c:
> 68 in mempcpy()
> 62 while (!TOO_SMALL_BIG_BLOCK(len0))
> 63 {
> 64 *aligned_dst++ = *aligned_src++;
> 65 *aligned_dst++ = *aligned_src++;
> 66 *aligned_dst++ = *aligned_src++;
> 67 *aligned_dst++ = *aligned_src++;
> >>> CID 474676: Integer handling issues (INTEGER_OVERFLOW)
> >>> Expression "len0", underflows the type of "len0", which is type
> "size_t".
> 68 len0 -= BIG_BLOCK_SIZE;
> 69 }
> 70
> 71 /* Copy one long word at a time if possible. */
> 72 while (!TOO_SMALL_LITTLE_BLOCK(len0))
> 73 {
>
> ** CID 474675: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/stpncpy.c:
> 64 in stpncpy()
>
>
> ________________________________________________________________________________________________________
> *** CID 474675: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/stpncpy.c:
> 64 in stpncpy()
> 58 aligned_src = (long*)src;
> 59
> 60 /* SRC and DEST are both LITTLE_BLOCK_SIZE aligned,
> 61 try to do LITTLE_BLOCK_SIZE sized copies. */
> 62 while (!TOO_SMALL_LITTLE_BLOCK (count) &&
> !DETECT_NULL(*aligned_src))
> 63 {
> >>> CID 474675: Integer handling issues (INTEGER_OVERFLOW)
> >>> Expression "count", underflows the type of "count", which is type
> "size_t".
> 64 count -= LITTLE_BLOCK_SIZE;
> 65 *aligned_dst++ = *aligned_src++;
> 66 }
> 67
> 68 dst = (char*)aligned_dst;
> 69 src = (char*)aligned_src;
>
> ** CID 474674: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memccpy.c:
> 96 in memccpy()
>
>
> ________________________________________________________________________________________________________
> *** CID 474674: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memccpy.c:
> 96 in memccpy()
> 90 {
> 91 unsigned long buffer = (unsigned long)(*aligned_src);
> 92 buffer ^= mask;
> 93 if (DETECT_NULL(buffer))
> 94 break; /* endchar is found, go byte by byte from here */
> 95 *aligned_dst++ = *aligned_src++;
> >>> CID 474674: Integer handling issues (INTEGER_OVERFLOW)
> >>> Expression "len0", underflows the type of "len0", which is type
> "size_t".
> 96 len0 -= LITTLE_BLOCK_SIZE;
> 97 }
> 98
> 99 /* Pick up any residual with a byte copier. */
> 100 dst = (unsigned char*)aligned_dst;
> 101 src = (unsigned char*)aligned_src;
>
> ** CID 474673: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memmove.c:
> 88 in memmove()
>
>
> ________________________________________________________________________________________________________
> *** CID 474673: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memmove.c:
> 88 in memmove()
> 82 aligned_src = (long*)src;
> 83
> 84 /* Copy one long word at a time if possible. */
> 85 while (!TOO_SMALL_LITTLE_BLOCK(length))
> 86 {
> 87 *--aligned_dst = *--aligned_src;
> >>> CID 474673: Integer handling issues (INTEGER_OVERFLOW)
> >>> Expression "length", underflows the type of "length", which is type
> "size_t".
> 88 length -= LITTLE_BLOCK_SIZE;
> 89 }
> 90
> 91 /* Pick up any residual with a byte copier. */
> 92 dst = (char*)aligned_dst;
> 93 src = (char*)aligned_src;
>
> ** CID 474672: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memcpy.c:
> 72 in memcpy()
>
>
> ________________________________________________________________________________________________________
> *** CID 474672: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/memcpy.c:
> 72 in memcpy()
> 66 while (!TOO_SMALL_BIG_BLOCK(len0))
> 67 {
> 68 *aligned_dst++ = *aligned_src++;
> 69 *aligned_dst++ = *aligned_src++;
> 70 *aligned_dst++ = *aligned_src++;
> 71 *aligned_dst++ = *aligned_src++;
> >>> CID 474672: Integer handling issues (INTEGER_OVERFLOW)
> >>> Expression "len0", underflows the type of "len0", which is type
> "size_t".
> 72 len0 -= BIG_BLOCK_SIZE;
> 73 }
> 74
> 75 /* Copy one long word at a time if possible. */
> 76 while (!TOO_SMALL_LITTLE_BLOCK(len0))
> 77 {
>
> ** CID 470638: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/strncpy.c:
> 78 in strncpy()
>
>
> ________________________________________________________________________________________________________
> *** CID 470638: Integer handling issues (INTEGER_OVERFLOW)
> /home/joel/rtems-cron-coverity/newlib-cygwin/newlib/libc/string/strncpy.c:
> 78 in strncpy()
> 72 aligned_src = (long*)src;
> 73
> 74 /* SRC and DEST are both "long int" aligned, try to do "long
> int"
> 75 sized copies. */
> 76 while (!TOO_SMALL_LITTLE_BLOCK(count) &&
> !DETECT_NULL(*aligned_src))
> 77 {
> >>> CID 470638: Integer handling issues (INTEGER_OVERFLOW)
> >>> Expression "count", underflows the type of "count", which is type
> "size_t".
> 78 count -= sizeof (long int);
> 79 *aligned_dst++ = *aligned_src++;
> 80 }
> 81
> 82 dst = (char*)aligned_dst;
> 83 src = (char*)aligned_src;
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://scan.coverity.com/projects/rtems-newlib?tab=overview
>
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
2022-03-01 19:30 ` C Howland
@ 2022-03-01 20:43 ` Joel Sherrill
0 siblings, 0 replies; 15+ messages in thread
From: Joel Sherrill @ 2022-03-01 20:43 UTC (permalink / raw)
To: C Howland; +Cc: Newlib
On Tue, Mar 1, 2022, 1:31 PM C Howland <cc1964t@gmail.com> wrote:
> >
> > ------------------------------
> > *From:* Newlib <newlib-bounces+craig.howland=caci.com@sourceware.org> on
> > behalf of Joel Sherrill <joel@rtems.org>
> > *Sent:* Tuesday, March 1, 2022 7:59 AM
> > *To:* Newlib <newlib@sourceware.org>
> > *Subject:* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
> >
> >
> >
> > Hi
> >
> > The RTEMS Project runs Coverity Scan when Newlib changes.
> >
> > Not sure who committed something that triggered these but overnight 6 new
> > defects showed up. Most look to be NULL dereferences.
> >
> > --joel
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Tue, Mar 1, 2022, 12:25 AM
> > Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
> > To: <joel.sherrill@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to RTEMS-Newlib
> > found with Coverity Scan.
> >
> > 6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 6 of 6 defect(s)
> >
> >
> > ** CID 387497: (FORWARD_NULL)
> >
> >
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
> > 46 in _asiprintf_r()
> >
> >
> >
> >
> ________________________________________________________________________________________________________
> > *** CID 387497: (FORWARD_NULL)
> >
> >
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
> > 46 in _asiprintf_r()
> > 40 f._file = -1; /* No file. */
> > 41 va_start (ap, fmt);
> > 42 ret = _svfiprintf_r (ptr, &f, fmt, ap);
> > 43 va_end (ap);
> > 44 if (ret >= 0)
> > 45 {
> > >>> CID 387497: (FORWARD_NULL)
> > >>> Dereferencing null pointer "f._p".
> > 46 *f._p = 0;
> > 47 *strp = (char *) f._bf._base;
> > 48 }
> > 49 return (ret);
> > 50 }
> > 51
> >
>
> Joel:
> In a quick look nothing related to these has changed. And looking
> specifically at this one complaint (which looks to be representative of all
> the rest), the complaint is spurious. The check for the return being >= 0
> means that _p has been set by the called function.
>
Weird. Shouldn't have popped up suddenly.
Just passing along. If you don't pay attention when they are new, they age
badly.
Thanks.
Craig
>
* Re: New Defects reported by Coverity Scan for RTEMS-Newlib
[not found] ` <BN2P110MB1544826C2DADD0A490C6E5E49A029@BN2P110MB1544.NAMP110.PROD.OUTLOOK.COM>
@ 2022-03-01 19:30 ` C Howland
2022-03-01 20:43 ` Joel Sherrill
0 siblings, 1 reply; 15+ messages in thread
From: C Howland @ 2022-03-01 19:30 UTC (permalink / raw)
To: newlib
>
> ------------------------------
> *From:* Newlib <newlib-bounces+craig.howland=caci.com@sourceware.org> on
> behalf of Joel Sherrill <joel@rtems.org>
> *Sent:* Tuesday, March 1, 2022 7:59 AM
> *To:* Newlib <newlib@sourceware.org>
> *Subject:* Fwd: New Defects reported by Coverity Scan for RTEMS-Newlib
>
>
>
> Hi
>
> The RTEMS Project runs Coverity Scan when Newlib changes.
>
> Not sure who committed something that triggered these but overnight 6 new
> defects showed up. Most look to be NULL dereferences.
>
> --joel
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Tue, Mar 1, 2022, 12:25 AM
> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
> To: <joel.sherrill@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
> found with Coverity Scan.
>
> 6 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 6 of 6 defect(s)
>
>
> ** CID 387497: (FORWARD_NULL)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
> 46 in _asiprintf_r()
>
>
>
> ________________________________________________________________________________________________________
> *** CID 387497: (FORWARD_NULL)
>
> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/asiprintf.c:
> 46 in _asiprintf_r()
> 40 f._file = -1; /* No file. */
> 41 va_start (ap, fmt);
> 42 ret = _svfiprintf_r (ptr, &f, fmt, ap);
> 43 va_end (ap);
> 44 if (ret >= 0)
> 45 {
> >>> CID 387497: (FORWARD_NULL)
> >>> Dereferencing null pointer "f._p".
> 46 *f._p = 0;
> 47 *strp = (char *) f._bf._base;
> 48 }
> 49 return (ret);
> 50 }
> 51
>
Joel:
In a quick look nothing related to these has changed. And looking
specifically at this one complaint (which looks to be representative of all
the rest), the complaint is spurious. The check for the return being >= 0
means that _p has been set by the called function.
Craig