public inbox for newlib@sourceware.org
 help / color / mirror / Atom feed
From: Joel Sherrill <joel@rtems.org>
To: Jeff Johnston <jjohnstn@redhat.com>
Cc: Newlib <newlib@sourceware.org>
Subject: Re: New Defects reported by Coverity Scan for RTEMS-Newlib
Date: Wed, 31 Aug 2022 14:58:31 -0500	[thread overview]
Message-ID: <CAF9ehCU0Q+-NFweZO9fKvQbsLAy_R556u7K+U2+k6BCOvM_r8w@mail.gmail.com> (raw)
In-Reply-To: <CAOox84vtvxGhHyXHyg3O740qWuG8r-3kJSr89hBZRaf2KmnWnw@mail.gmail.com>

On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston <jjohnstn@redhat.com> wrote:

> Hi Joel, I will pushing a patch shortly but see comments below as IMO
> there are some false positives.
>

I'm happy to mark the false positives in Coverity but I only ran this
because they forced me to update the client side program and I
wanted to make sure all my run coverity scripts continued to work
with it. Normally this one isn't run on a regular basis.

Is Cygwin still running Scan on newlib? I stopped because the
focus was supposed to be on their run not on the RTEMS one.

I can easily uncomment the one line to run it via cron. I have a script
that can check for changes in git and run coverity if needed.

Basically, where's the "official" Scan instance that we all should
be referring to?

--joel


>
> -- Jeff J.
>
> On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston <jjohnstn@redhat.com> wrote:
>
>> Thanks Joel for bringing this to our attention.
>>
>> -- Jeff J.
>>
>> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill <joel@rtems.org> wrote:
>>
>>> Hi
>>>
>>> I quit running Coverity on newlib as part of the repositories analysed as
>>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>>> wanted to make sure the scripting stayed working.
>>>
>>> These issues were flagged since the last time we ran it. Some look like
>>> they need attention.
>>>
>>> --joel
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Aug 29, 2022 at 5:56 PM
>>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>>> To: <joel.sherrill@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>>> found with Coverity Scan.
>>>
>>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 10 of 10 defect(s)
>>>
>>>
>>> ** CID 398779:    (UNINIT)
>>>
>>>
>>> Fixed.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398779:    (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449       f._read = __seofread;
>>> 450       f._ub._base = NULL;
>>> 451       f._lb._base = NULL;
>>> 452       f._file = -1;  /* No file. */
>>> 453       va_start (ap, fmt);
>>> >>>     CID 398779:    (UNINIT)
>>> >>>     Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 454       ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455       va_end (ap);
>>> 456       return ret;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449       f._read = __seofread;
>>> 450       f._ub._base = NULL;
>>> 451       f._lb._base = NULL;
>>> 452       f._file = -1;  /* No file. */
>>> 453       va_start (ap, fmt);
>>> >>>     CID 398779:    (UNINIT)
>>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 454       ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455       va_end (ap);
>>> 456       return ret;
>>>
>>> ** CID 398778:  High impact quality  (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>>
>>>
> Fixed.  (I anded with UINT_MAX so the checker should allow this).
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398778:  High impact quality  (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>> 12     {
>>> 13         struct timespec ts;
>>> 14
>>> 15         ts.tv_sec = seconds;
>>> 16         ts.tv_nsec = 0;
>>> 17         if (!nanosleep(&ts,&ts)) return 0;
>>> >>>     CID 398778:  High impact quality  (Y2K38_SAFETY)
>>> >>>     A "time_t" value is stored in an integer with too few bits to
>>> accommodate it.  The expression "ts.tv_sec" is cast to "unsigned int".
>>> 18         if (errno == EINTR) return ts.tv_sec;
>>> 19         return -1;
>>> 20     }
>>> 21
>>>
>>> ** CID 398777:    (UNINIT)
>>>
>>>
>>> Fixed.  I just initialized the fields.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398777:    (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427       f._read = __seofread;
>>> 428       f._ub._base = NULL;
>>> 429       f._lb._base = NULL;
>>> 430       f._file = -1;  /* No file. */
>>> 431       va_start (ap, fmt);
>>> >>>     CID 398777:    (UNINIT)
>>> >>>     Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 432       ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433       va_end (ap);
>>> 434       return ret;
>>> 435     }
>>> 436
>>> 437     #endif /* !_REENT_ONLY */
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427       f._read = __seofread;
>>> 428       f._ub._base = NULL;
>>> 429       f._lb._base = NULL;
>>> 430       f._file = -1;  /* No file. */
>>> 431       va_start (ap, fmt);
>>> >>>     CID 398777:    (UNINIT)
>>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 432       ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433       va_end (ap);
>>> 434       return ret;
>>> 435     }
>>> 436
>>> 437     #endif /* !_REENT_ONLY */
>>>
>>> ** CID 398776:    (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>>
>>>
>>> Although this should be a false positive because of gettimeofday_r
> getting the address of now, I have
> initialized the field to -1.
>
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398776:    (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>> 38       struct timeval now;
>>> 39
>>> 40       if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41         now.tv_sec = (time_t) -1;
>>> 42
>>> 43       if (t)
>>> >>>     CID 398776:    (UNINIT)
>>> >>>     Using uninitialized value "now.tv_sec".
>>> 44         *t = now.tv_sec;
>>> 45       return now.tv_sec;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>> 39
>>> 40       if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41         now.tv_sec = (time_t) -1;
>>> 42
>>> 43       if (t)
>>> 44         *t = now.tv_sec;
>>> >>>     CID 398776:    (UNINIT)
>>> >>>     Using uninitialized value "now.tv_sec".
>>> 45       return now.tv_sec;
>>>
>>> ** CID 398775:    (UNINIT)
>>>
>>>
>>>
> Fixed.  I initialized the fields.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398775:    (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51       f._bf._base = f._p = (unsigned char *) str;
>>> 52       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53       f._read = __seofread;
>>> 54       f._ub._base = NULL;
>>> 55       f._lb._base = NULL;
>>> 56       f._file = -1;  /* No file. */
>>> >>>     CID 398775:    (UNINIT)
>>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 57       return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51       f._bf._base = f._p = (unsigned char *) str;
>>> 52       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53       f._read = __seofread;
>>> 54       f._ub._base = NULL;
>>> 55       f._lb._base = NULL;
>>> 56       f._file = -1;  /* No file. */
>>> >>>     CID 398775:    (UNINIT)
>>> >>>     Using uninitialized value "f._flags2" when calling
>>> "__ssvfwscanf_r".
>>> 57       return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> ** CID 398774:  Uninitialized variables  (UNINIT)
>>>
>>> Fixed. I memset the initial array to 0's.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398774:  Uninitialized variables  (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>>> 93 in _rs_stir()
>>> 87      u_char rnd[KEYSZ + IVSZ];
>>> 88
>>> 89      if (getentropy(rnd, sizeof rnd) == -1)
>>> 90              _getentropy_fail();
>>> 91
>>> 92      if (!rs)
>>> >>>     CID 398774:  Uninitialized variables  (UNINIT)
>>> >>>     Using uninitialized element of array "rnd" when calling
>>> "_rs_init".
>>> 93              _rs_init(rnd, sizeof(rnd));
>>> 94      else
>>> 95              _rs_rekey(rnd, sizeof(rnd));
>>> 96      explicit_bzero(rnd, sizeof(rnd));       /* discard source seed */
>>> 97
>>> 98      /* invalidate rs_buf */
>>>
>>> ** CID 398773:  Incorrect expression  (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>>
>>>
>>>
> This is a false positive.  We intend to divide by zero.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398773:  Incorrect expression  (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>> 49      __int32_t ix,hx;
>>> 50      GET_FLOAT_WORD(hx,x);
>>> 51      ix = hx&0x7fffffff;     /* high word of |x| */
>>> 52      if(ix<0x31800000)                       /* x < 2**-28 */
>>> 53          {if((int)x==0) {                    /* generate inexact */
>>> 54              if((ix|(iy+1))==0) return one/fabsf(x);
>>> >>>     CID 398773:  Incorrect expression  (DIVIDE_BY_ZERO)
>>> >>>     In expression "-1f / x", division by expression "x" which may be
>>> zero has undefined behavior.
>>> 55              else return (iy==1)? x: -one/x;
>>> 56          }
>>> 57          }
>>> 58      if(ix>=0x3f2ca140) {                    /* |x|>=0.6744 */
>>> 59          if(hx<0) {x = -x; y = -y;}
>>> 60          z = pio4-x;
>>>
>>> ** CID 398772:  Memory - corruptions  (OVERRUN)
>>>
>>> I think this is another false positive.  I couldn't see where it was
> accessing storage without doing a length check
> first.
>
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398772:  Memory - corruptions  (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1044 in bothcases()
>>> 1038            assert(othercase(ch) != ch);    /* p_bracket() would
>>> recurse */
>>> 1039            p->next = bracket;
>>> 1040            p->end = bracket+2;
>>> 1041            bracket[0] = ch;
>>> 1042            bracket[1] = ']';
>>> 1043            bracket[2] = '\0';
>>> >>>     CID 398772:  Memory - corruptions  (OVERRUN)
>>> >>>     Overrunning buffer pointed to by "p->next" of 3 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1044            p_bracket(p);
>>> 1045            assert(p->next == bracket+2);
>>> 1046            p->next = oldnext;
>>> 1047            p->end = oldend;
>>> 1048     }
>>> 1049
>>>
>>> ** CID 398771:  High impact quality  (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>>
>>>
> Fixed.  I removed the return as usleep is supposed to return -1 on an
> EINTR.
>
>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398771:  High impact quality  (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>> 12     {
>>> 13         struct timespec ts;
>>> 14
>>> 15         ts.tv_sec = (long int)useconds / 1000000;
>>> 16         ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>>> 17         if (!nanosleep(&ts,&ts)) return 0;
>>> >>>     CID 398771:  High impact quality  (Y2K38_SAFETY)
>>> >>>     A "time_t" value is stored in an integer with too few bits to
>>> accommodate it.  The expression "ts.tv_sec" is cast to "int".
>>> 18         if (errno == EINTR) return ts.tv_sec;
>>> 19         return -1;
>>> 20     }
>>> 21
>>>
>>> ** CID 378851:  Memory - corruptions  (OVERRUN)
>>>
>>>
> Again, I believe this is a false positive.  No access of storage without
> checking length first.
>
>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 378851:  Memory - corruptions  (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1090 in nonnewline()
>>> 1084            p->next = bracket;
>>> 1085            p->end = bracket+3;
>>> 1086            bracket[0] = '^';
>>> 1087            bracket[1] = '\n';
>>> 1088            bracket[2] = ']';
>>> 1089            bracket[3] = '\0';
>>> >>>     CID 378851:  Memory - corruptions  (OVERRUN)
>>> >>>     Overrunning buffer pointed to by "p->next" of 4 bytes by passing
>>> it
>>> to a function which accesses it at byte offset 4.
>>> 1090            p_bracket(p);
>>> 1091            assert(p->next == bracket+3);
>>> 1092            p->next = oldnext;
>>> 1093            p->end = oldend;
>>> 1094     }
>>> 1095
>>>
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> To view the defects in Coverity Scan visit,
>>>
>>> https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQWqa-2BcrUOdcmLJRN5wHA-2F-2Bj-2BUPxOS2vpJc2U7lnvDDSM-3DgcXN_CTvEjVoKhyc6dLmJJo1u9AYIk8P8bcAbCPbBDYvYSXrko-2B6zqtxlihMO5pRBlqs6CXC6JoeSQ5BknttytYW4gn54pXoG5E1T2VTg7ZExldrWnOHoGNfjITpyeGBnq8zf1R1SvLaQHX0KwLC3QLIILHDIyeRDmH6ivilCfFIJbx4IaHchThYPPrH23evm0vJ6A6-2BcYCz2qmJNN2577UqVyYc0aItJ859abhW8GanEpsc-3D
>>>
>>>   To manage Coverity Scan email notifications for "
>>> joel.sherrill@gmail.com",
>>> click
>>>
>>> https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxTJDdEZ5ceQ-2BXdf-2FM1tcMIXP73MN3HxQfFTMLU5dSe8Rv0KFh7gYStOFjZD12ucRRnrjyUHOCTj7rG0E9HBcwa6j-2FX4NTabdEq2v7MM-2FuqaA-3D5Xsf_CTvEjVoKhyc6dLmJJo1u9AYIk8P8bcAbCPbBDYvYSXrko-2B6zqtxlihMO5pRBlqs6CXC6JoeSQ5BknttytYW4gsEM86eEaAqPEjIHUArLBXYOUpWfZ4bmwC96PG11GPPh-2FLsC0rkTKQE2J8XRI45hCnTpCTbj87kq0GI1XLddKyw1JXGGqDcyizThGumwZmd8Tr5waHqdorDd3Wom83BYSMOhcHiGVjpnvscbd8ReGFw-3D
>>>
>>>

  reply	other threads:[~2022-08-31 19:58 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <630d44245d07b_448622ac7e91099ac81e@prd-scan-dashboard-0.mail>
2022-08-29 23:09 ` Fwd: " Joel Sherrill
2022-08-30 19:03   ` Jeff Johnston
2022-08-31 19:16     ` Jeff Johnston
2022-08-31 19:58       ` Joel Sherrill [this message]
     [not found] <621dbc6e5b779_bb4ce2b0cf36619a0847b1@prd-scan-dashboard-0.mail>
2022-03-01 12:59 ` Fwd: " Joel Sherrill
     [not found]   ` <BN2P110MB1544826C2DADD0A490C6E5E49A029@BN2P110MB1544.NAMP110.PROD.OUTLOOK.COM>
2022-03-01 19:30     ` C Howland
2022-03-01 20:43       ` Joel Sherrill

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAF9ehCU0Q+-NFweZO9fKvQbsLAy_R556u7K+U2+k6BCOvM_r8w@mail.gmail.com \
    --to=joel@rtems.org \
    --cc=jjohnstn@redhat.com \
    --cc=newlib@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).