From: Joel Sherrill
Reply-To: joel@rtems.org
Date: Wed, 31 Aug 2022 14:58:31 -0500
Subject: Re: New Defects reported by Coverity Scan for RTEMS-Newlib
To: Jeff Johnston
Cc: Newlib

On Wed, Aug 31, 2022 at 2:16 PM Jeff Johnston wrote:

> Hi Joel, I will be pushing a patch shortly but see comments below as IMO
> there are some false positives.
>

I'm happy to mark the false positives in Coverity but I only ran this because they forced me to update the client side program and I wanted to make sure all my run coverity scripts continued to work with it. Normally this one isn't run on a regular basis.

Is Cygwin still running Scan on newlib? I stopped because the focus was supposed to be on their run not on the RTEMS one. I can easily uncomment the one line to run it via cron. I have a script that can check for changes in git and run coverity if needed.

Basically, where's the "official" Scan instance that we all should be referring to?

--joel

>
> -- Jeff J.
>
> On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston wrote:
>
>> Thanks Joel for bringing this to our attention.
>>
>> -- Jeff J.
>>
>> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill wrote:
>>
>>> Hi
>>>
>>> I quit running Coverity on newlib as part of the repositories analysed as
>>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>>> wanted to make sure the scripting stayed working.
>>>
>>> These issues were flagged since the last time we ran it. Some look like
>>> they need attention.
>>>
>>> --joel
>>>
>>> ---------- Forwarded message ---------
>>> From:
>>> Date: Mon, Aug 29, 2022 at 5:56 PM
>>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>>> To:
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>>> found with Coverity Scan.
>>>
>>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 10 of 10 defect(s)
>>>
>>>
>>> ** CID 398779: (UNINIT)
>>>
>>>
> Fixed.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398779: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448     f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449     f._read = __seofread;
>>> 450     f._ub._base = NULL;
>>> 451     f._lb._base = NULL;
>>> 452     f._file = -1; /* No file. */
>>> 453     va_start (ap, fmt);
>>> >>>     CID 398779: (UNINIT)
>>> >>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
>>> 454     ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455     va_end (ap);
>>> 456     return ret;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 454 in _swscanf_r()
>>> 448     f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 449     f._read = __seofread;
>>> 450     f._ub._base = NULL;
>>> 451     f._lb._base = NULL;
>>> 452     f._file = -1; /* No file. */
>>> 453     va_start (ap, fmt);
>>> >>>     CID 398779: (UNINIT)
>>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 454     ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>>> 455     va_end (ap);
>>> 456     return ret;
>>>
>>> ** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>>
>>>
> Fixed. (I anded with UINT_MAX so the checker should allow this).
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398778: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c:
>>> 18 in sleep()
>>> 12     {
>>> 13     struct timespec ts;
>>> 14
>>> 15     ts.tv_sec = seconds;
>>> 16     ts.tv_nsec = 0;
>>> 17     if (!nanosleep(&ts,&ts)) return 0;
>>> >>>     CID 398778: High impact quality (Y2K38_SAFETY)
>>> >>>     A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>>> 18     if (errno == EINTR) return ts.tv_sec;
>>> 19     return -1;
>>> 20     }
>>> 21
>>>
>>> ** CID 398777: (UNINIT)
>>>
>>>
> Fixed. I just initialized the fields.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398777: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426     f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427     f._read = __seofread;
>>> 428     f._ub._base = NULL;
>>> 429     f._lb._base = NULL;
>>> 430     f._file = -1; /* No file. */
>>> 431     va_start (ap, fmt);
>>> >>>     CID 398777: (UNINIT)
>>> >>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
>>> 432     ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433     va_end (ap);
>>> 434     return ret;
>>> 435     }
>>> 436
>>> 437     #endif /* !_REENT_ONLY */
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c:
>>> 432 in swscanf()
>>> 426     f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 427     f._read = __seofread;
>>> 428     f._ub._base = NULL;
>>> 429     f._lb._base = NULL;
>>> 430     f._file = -1; /* No file. */
>>> 431     va_start (ap, fmt);
>>> >>>     CID 398777: (UNINIT)
>>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 432     ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>>> 433     va_end (ap);
>>> 434     return ret;
>>> 435     }
>>> 436
>>> 437     #endif /* !_REENT_ONLY */
>>>
>>> ** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>>
>>>
> Although this should be a false positive because of gettimeofday_r
> getting the address of now, I have
> initialized the field to -1.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398776: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 44 in time()
>>> 38     struct timeval now;
>>> 39
>>> 40     if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41     now.tv_sec = (time_t) -1;
>>> 42
>>> 43     if (t)
>>> >>>     CID 398776: (UNINIT)
>>> >>>     Using uninitialized value "now.tv_sec".
>>> 44     *t = now.tv_sec;
>>> 45     return now.tv_sec;
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c:
>>> 45 in time()
>>> 39
>>> 40     if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>>> 41     now.tv_sec = (time_t) -1;
>>> 42
>>> 43     if (t)
>>> 44     *t = now.tv_sec;
>>> >>>     CID 398776: (UNINIT)
>>> >>>     Using uninitialized value "now.tv_sec".
>>> 45     return now.tv_sec;
>>>
>>> ** CID 398775: (UNINIT)
>>>
>>>
> Fixed. I initialized the fields.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398775: (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51     f._bf._base = f._p = (unsigned char *) str;
>>> 52     f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53     f._read = __seofread;
>>> 54     f._ub._base = NULL;
>>> 55     f._lb._base = NULL;
>>> 56     f._file = -1; /* No file. */
>>> >>>     CID 398775: (UNINIT)
>>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>>> 57     return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c:
>>> 57 in _vswscanf_r()
>>> 51     f._bf._base = f._p = (unsigned char *) str;
>>> 52     f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>>> 53     f._read = __seofread;
>>> 54     f._ub._base = NULL;
>>> 55     f._lb._base = NULL;
>>> 56     f._file = -1; /* No file. */
>>> >>>     CID 398775: (UNINIT)
>>> >>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
>>> 57     return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>>
>>> ** CID 398774: Uninitialized variables (UNINIT)
>>>
> Fixed. I memset the initial array to 0's.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398774: Uninitialized variables (UNINIT)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c:
>>> 93 in _rs_stir()
>>> 87     u_char rnd[KEYSZ + IVSZ];
>>> 88
>>> 89     if (getentropy(rnd, sizeof rnd) == -1)
>>> 90     _getentropy_fail();
>>> 91
>>> 92     if (!rs)
>>> >>>     CID 398774: Uninitialized variables (UNINIT)
>>> >>>     Using uninitialized element of array "rnd" when calling "_rs_init".
>>> 93     _rs_init(rnd, sizeof(rnd));
>>> 94     else
>>> 95     _rs_rekey(rnd, sizeof(rnd));
>>> 96     explicit_bzero(rnd, sizeof(rnd)); /* discard source seed */
>>> 97
>>> 98     /* invalidate rs_buf */
>>>
>>> ** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>>
>>>
> This is a false positive. We intend to divide by zero.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c:
>>> 55 in __kernel_tanf()
>>> 49     __int32_t ix,hx;
>>> 50     GET_FLOAT_WORD(hx,x);
>>> 51     ix = hx&0x7fffffff; /* high word of |x| */
>>> 52     if(ix<0x31800000) /* x < 2**-28 */
>>> 53     {if((int)x==0) { /* generate inexact */
>>> 54     if((ix|(iy+1))==0) return one/fabsf(x);
>>> >>>     CID 398773: Incorrect expression (DIVIDE_BY_ZERO)
>>> >>>     In expression "-1f / x", division by expression "x" which may be zero has undefined behavior.
>>> 55     else return (iy==1)? x: -one/x;
>>> 56     }
>>> 57     }
>>> 58     if(ix>=0x3f2ca140) { /* |x|>=0.6744 */
>>> 59     if(hx<0) {x = -x; y = -y;}
>>> 60     z = pio4-x;
>>>
>>> ** CID 398772: Memory - corruptions (OVERRUN)
>>>
> I think this is another false positive. I couldn't see where it was
> accessing storage without doing a length check
> first.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398772: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1044 in bothcases()
>>> 1038     assert(othercase(ch) != ch); /* p_bracket() would recurse */
>>> 1039     p->next = bracket;
>>> 1040     p->end = bracket+2;
>>> 1041     bracket[0] = ch;
>>> 1042     bracket[1] = ']';
>>> 1043     bracket[2] = '\0';
>>> >>>     CID 398772: Memory - corruptions (OVERRUN)
>>> >>>     Overrunning buffer pointed to by "p->next" of 3 bytes by passing it to a function which accesses it at byte offset 4.
>>> 1044     p_bracket(p);
>>> 1045     assert(p->next == bracket+2);
>>> 1046     p->next = oldnext;
>>> 1047     p->end = oldend;
>>> 1048     }
>>> 1049
>>>
>>> ** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>>
>>>
> Fixed. I removed the return as usleep is supposed to return -1 on an
> EINTR.
>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 398771: High impact quality (Y2K38_SAFETY)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c:
>>> 18 in usleep()
>>> 12     {
>>> 13     struct timespec ts;
>>> 14
>>> 15     ts.tv_sec = (long int)useconds / 1000000;
>>> 16     ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>>> 17     if (!nanosleep(&ts,&ts)) return 0;
>>> >>>     CID 398771: High impact quality (Y2K38_SAFETY)
>>> >>>     A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ts.tv_sec" is cast to "int".
>>> 18     if (errno == EINTR) return ts.tv_sec;
>>> 19     return -1;
>>> 20     }
>>> 21
>>>
>>> ** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>>
> Again, I believe this is a false positive. No access of storage without
> checking length first.
>
>>
>>> ________________________________________________________________________________________________________
>>> *** CID 378851: Memory - corruptions (OVERRUN)
>>>
>>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c:
>>> 1090 in nonnewline()
>>> 1084     p->next = bracket;
>>> 1085     p->end = bracket+3;
>>> 1086     bracket[0] = '^';
>>> 1087     bracket[1] = '\n';
>>> 1088     bracket[2] = ']';
>>> 1089     bracket[3] = '\0';
>>> >>>     CID 378851: Memory - corruptions (OVERRUN)
>>> >>>     Overrunning buffer pointed to by "p->next" of 4 bytes by passing it to a function which accesses it at byte offset 4.
>>> 1090     p_bracket(p);
>>> 1091     assert(p->next == bracket+3);
>>> 1092     p->next = oldnext;
>>> 1093     p->end = oldend;
>>> 1094     }
>>> 1095
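For the Y2K38_SAFETY report on sleep() (CID 398778), the following added example, which is not newlib code and not part of the thread, compares three ways of narrowing a 64-bit remaining-seconds value to the unsigned int that sleep() returns. The function names and the time64_t typedef are hypothetical; it assumes a signed 64-bit time_t and a 32-bit unsigned int.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: time_t is a signed 64-bit integer and unsigned int is 32 bits.
   int64_t stands in for time_t so the behaviour is the same on every host. */
typedef int64_t time64_t;

/* The narrowing the checker reports: the high bits are silently dropped. */
unsigned int narrow_by_cast(time64_t remaining)
{
    return (unsigned int)remaining;
}

/* Masking with UINT_MAX makes the narrowing explicit, but it keeps exactly
   the same low 32 bits as the cast above. */
unsigned int narrow_by_mask(time64_t remaining)
{
    return (unsigned int)(remaining & UINT_MAX);
}

/* Saturating conversion: out-of-range values clamp instead of wrapping. */
unsigned int narrow_saturating(time64_t remaining)
{
    if (remaining <= 0)
        return 0;
    if (remaining > (time64_t)UINT_MAX)
        return UINT_MAX;
    return (unsigned int)remaining;
}

/* Value a sleep()-style wrapper could return after EINTR. The unslept time
   cannot legitimately exceed what the caller requested, so the result is
   clamped to the request as well. */
unsigned int unslept_seconds(unsigned int requested, time64_t remaining)
{
    unsigned int left = narrow_saturating(remaining);
    return left > requested ? requested : left;
}

int main(void)
{
    /* Constructed sample values, including one that does not fit in 32 bits. */
    const time64_t samples[] = { 3, INT64_C(0x100000005), -1 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("remaining=%lld cast=%u mask=%u saturating=%u unslept(10)=%u\n",
               (long long)samples[i],
               narrow_by_cast(samples[i]),
               narrow_by_mask(samples[i]),
               narrow_saturating(samples[i]),
               unslept_seconds(10u, samples[i]));
    }
    return 0;
}
```

The cast and the mask agree on every input, so the two differ only in what a checker sees; the narrowing in sleep() is harmless in practice because the value written back by nanosleep() is bounded by the unsigned int that was requested.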