From: Jeff Johnston
Date: Wed, 31 Aug 2022 15:16:19 -0400
Subject: Re: New Defects reported by Coverity Scan for RTEMS-Newlib
To: joel@rtems.org
Cc: Newlib

Hi Joel,

I will be pushing a patch shortly but see comments below as IMO there are some
false positives.

-- Jeff J.

On Tue, Aug 30, 2022 at 3:03 PM Jeff Johnston wrote:

> Thanks Joel for bringing this to our attention.
>
> -- Jeff J.
>
> On Mon, Aug 29, 2022 at 7:09 PM Joel Sherrill wrote:
>
>> Hi
>>
>> I quit running Coverity on newlib as part of the repositories analysed as
>> part of RTEMS BUT I had to update the version of cov-analysis we used and
>> wanted to make sure the scripting stayed working.
>>
>> These issues were flagged since the last time we ran it. Some look like
>> they need attention.
>>
>> --joel
>>
>> ---------- Forwarded message ---------
>> From:
>> Date: Mon, Aug 29, 2022 at 5:56 PM
>> Subject: New Defects reported by Coverity Scan for RTEMS-Newlib
>> To:
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to RTEMS-Newlib
>> found with Coverity Scan.
>>
>> 10 new defect(s) introduced to RTEMS-Newlib found with Coverity Scan.
>> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 10 of 10 defect(s)
>>
>>
>> ** CID 398779:    (UNINIT)
>>

Fixed.

>> ________________________________________________________________________________________________________
>> *** CID 398779:    (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 454 in _swscanf_r()
>> 448       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449       f._read = __seofread;
>> 450       f._ub._base = NULL;
>> 451       f._lb._base = NULL;
>> 452       f._file = -1;  /* No file. */
>> 453       va_start (ap, fmt);
>> >>>     CID 398779:    (UNINIT)
>> >>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
>> 454       ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455       va_end (ap);
>> 456       return ret;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 454 in _swscanf_r()
>> 448       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 449       f._read = __seofread;
>> 450       f._ub._base = NULL;
>> 451       f._lb._base = NULL;
>> 452       f._file = -1;  /* No file. */
>> 453       va_start (ap, fmt);
>> >>>     CID 398779:    (UNINIT)
>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 454       ret = __ssvfwscanf_r (ptr, &f, fmt, ap);
>> 455       va_end (ap);
>> 456       return ret;
>>
>> ** CID 398778:  High impact quality  (Y2K38_SAFETY)
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: 18 in sleep()
>>

Fixed. (I anded with UINT_MAX so the checker should allow this).

>> ________________________________________________________________________________________________________
>> *** CID 398778:  High impact quality  (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/sleep.c: 18 in sleep()
>> 12     {
>> 13       struct timespec ts;
>> 14
>> 15       ts.tv_sec = seconds;
>> 16       ts.tv_nsec = 0;
>> 17       if (!nanosleep(&ts,&ts)) return 0;
>> >>>     CID 398778:  High impact quality  (Y2K38_SAFETY)
>> >>>     A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ts.tv_sec" is cast to "unsigned int".
>> 18       if (errno == EINTR) return ts.tv_sec;
>> 19       return -1;
>> 20     }
>> 21
>>
>> ** CID 398777:    (UNINIT)
>>

Fixed. I just initialized the fields.

>> ________________________________________________________________________________________________________
>> *** CID 398777:    (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 432 in swscanf()
>> 426       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427       f._read = __seofread;
>> 428       f._ub._base = NULL;
>> 429       f._lb._base = NULL;
>> 430       f._file = -1;  /* No file. */
>> 431       va_start (ap, fmt);
>> >>>     CID 398777:    (UNINIT)
>> >>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
>> 432       ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433       va_end (ap);
>> 434       return ret;
>> 435     }
>> 436
>> 437     #endif /* !_REENT_ONLY */
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/swscanf.c: 432 in swscanf()
>> 426       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 427       f._read = __seofread;
>> 428       f._ub._base = NULL;
>> 429       f._lb._base = NULL;
>> 430       f._file = -1;  /* No file. */
>> 431       va_start (ap, fmt);
>> >>>     CID 398777:    (UNINIT)
>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 432       ret = __ssvfwscanf_r (_REENT, &f, fmt, ap);
>> 433       va_end (ap);
>> 434       return ret;
>> 435     }
>> 436
>> 437     #endif /* !_REENT_ONLY */
>>
>> ** CID 398776:    (UNINIT)
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 44 in time()
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 45 in time()
>>

Although this should be a false positive because of gettimeofday_r getting
the address of now, I have initialized the field to -1.

>> ________________________________________________________________________________________________________
>> *** CID 398776:    (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 44 in time()
>> 38       struct timeval now;
>> 39
>> 40       if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41         now.tv_sec = (time_t) -1;
>> 42
>> 43       if (t)
>> >>>     CID 398776:    (UNINIT)
>> >>>     Using uninitialized value "now.tv_sec".
>> 44         *t = now.tv_sec;
>> 45       return now.tv_sec;
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/time/time.c: 45 in time()
>> 39
>> 40       if (_gettimeofday_r (_REENT, &now, NULL) < 0)
>> 41         now.tv_sec = (time_t) -1;
>> 42
>> 43       if (t)
>> 44         *t = now.tv_sec;
>> >>>     CID 398776:    (UNINIT)
>> >>>     Using uninitialized value "now.tv_sec".
>> 45       return now.tv_sec;
>>
>> ** CID 398775:    (UNINIT)
>>

Fixed. I initialized the fields.

>> ________________________________________________________________________________________________________
>> *** CID 398775:    (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: 57 in _vswscanf_r()
>> 51       f._bf._base = f._p = (unsigned char *) str;
>> 52       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53       f._read = __seofread;
>> 54       f._ub._base = NULL;
>> 55       f._lb._base = NULL;
>> 56       f._file = -1;  /* No file. */
>> >>>     CID 398775:    (UNINIT)
>> >>>     Using uninitialized value "f._ur" when calling "__ssvfwscanf_r".
>> 57       return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdio/vswscanf.c: 57 in _vswscanf_r()
>> 51       f._bf._base = f._p = (unsigned char *) str;
>> 52       f._bf._size = f._r = wcslen (str) * sizeof (wchar_t);
>> 53       f._read = __seofread;
>> 54       f._ub._base = NULL;
>> 55       f._lb._base = NULL;
>> 56       f._file = -1;  /* No file. */
>> >>>     CID 398775:    (UNINIT)
>> >>>     Using uninitialized value "f._flags2" when calling "__ssvfwscanf_r".
>> 57       return __ssvfwscanf_r (ptr, &f, fmt, ap);
>>
>> ** CID 398774:  Uninitialized variables  (UNINIT)
>>

Fixed. I memset the initial array to 0's.

>> ________________________________________________________________________________________________________
>> *** CID 398774:  Uninitialized variables  (UNINIT)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/stdlib/arc4random.c: 93 in _rs_stir()
>> 87       u_char rnd[KEYSZ + IVSZ];
>> 88
>> 89       if (getentropy(rnd, sizeof rnd) == -1)
>> 90         _getentropy_fail();
>> 91
>> 92       if (!rs)
>> >>>     CID 398774:  Uninitialized variables  (UNINIT)
>> >>>     Using uninitialized element of array "rnd" when calling "_rs_init".
>> 93         _rs_init(rnd, sizeof(rnd));
>> 94       else
>> 95         _rs_rekey(rnd, sizeof(rnd));
>> 96       explicit_bzero(rnd, sizeof(rnd));  /* discard source seed */
>> 97
>> 98       /* invalidate rs_buf */
>>
>> ** CID 398773:  Incorrect expression  (DIVIDE_BY_ZERO)
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: 55 in __kernel_tanf()
>>

This is a false positive. We intend to divide by zero.

>> ________________________________________________________________________________________________________
>> *** CID 398773:  Incorrect expression  (DIVIDE_BY_ZERO)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libm/math/kf_tan.c: 55 in __kernel_tanf()
>> 49       __int32_t ix,hx;
>> 50       GET_FLOAT_WORD(hx,x);
>> 51       ix = hx&0x7fffffff;  /* high word of |x| */
>> 52       if(ix<0x31800000)  /* x < 2**-28 */
>> 53         {if((int)x==0) {  /* generate inexact */
>> 54           if((ix|(iy+1))==0) return one/fabsf(x);
>> >>>     CID 398773:  Incorrect expression  (DIVIDE_BY_ZERO)
>> >>>     In expression "-1f / x", division by expression "x" which may be zero has undefined behavior.
>> 55           else return (iy==1)? x: -one/x;
>> 56         }
>> 57         }
>> 58       if(ix>=0x3f2ca140) {  /* |x|>=0.6744 */
>> 59         if(hx<0) {x = -x; y = -y;}
>> 60         z = pio4-x;
>>
>> ** CID 398772:  Memory - corruptions  (OVERRUN)
>>

I think this is another false positive. I couldn't see where it was
accessing storage without doing a length check first.

>> ________________________________________________________________________________________________________
>> *** CID 398772:  Memory - corruptions  (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: 1044 in bothcases()
>> 1038       assert(othercase(ch) != ch);  /* p_bracket() would recurse */
>> 1039       p->next = bracket;
>> 1040       p->end = bracket+2;
>> 1041       bracket[0] = ch;
>> 1042       bracket[1] = ']';
>> 1043       bracket[2] = '\0';
>> >>>     CID 398772:  Memory - corruptions  (OVERRUN)
>> >>>     Overrunning buffer pointed to by "p->next" of 3 bytes by passing it to a function which accesses it at byte offset 4.
>> 1044       p_bracket(p);
>> 1045       assert(p->next == bracket+2);
>> 1046       p->next = oldnext;
>> 1047       p->end = oldend;
>> 1048     }
>> 1049
>>
>> ** CID 398771:  High impact quality  (Y2K38_SAFETY)
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: 18 in usleep()
>>

Fixed. I removed the return as usleep is supposed to return -1 on an EINTR.

>> ________________________________________________________________________________________________________
>> *** CID 398771:  High impact quality  (Y2K38_SAFETY)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/usleep.c: 18 in usleep()
>> 12     {
>> 13       struct timespec ts;
>> 14
>> 15       ts.tv_sec = (long int)useconds / 1000000;
>> 16       ts.tv_nsec = ((long int)useconds % 1000000) * 1000;
>> 17       if (!nanosleep(&ts,&ts)) return 0;
>> >>>     CID 398771:  High impact quality  (Y2K38_SAFETY)
>> >>>     A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ts.tv_sec" is cast to "int".
>> 18       if (errno == EINTR) return ts.tv_sec;
>> 19       return -1;
>> 20     }
>> 21
>>
>> ** CID 378851:  Memory - corruptions  (OVERRUN)
>>

Again, I believe this is a false positive. No access of storage without
checking length first.

>> ________________________________________________________________________________________________________
>> *** CID 378851:  Memory - corruptions  (OVERRUN)
>>
>> /home/joel/rtems-cron-coverity/sourceware-mirror-newlib-cygwin/newlib/libc/posix/regcomp.c: 1090 in nonnewline()
>> 1084       p->next = bracket;
>> 1085       p->end = bracket+3;
>> 1086       bracket[0] = '^';
>> 1087       bracket[1] = '\n';
>> 1088       bracket[2] = ']';
>> 1089       bracket[3] = '\0';
>> >>>     CID 378851:  Memory - corruptions  (OVERRUN)
>> >>>     Overrunning buffer pointed to by "p->next" of 4 bytes by passing it to a function which accesses it at byte offset 4.
>> 1090       p_bracket(p);
>> 1091       assert(p->next == bracket+3);
>> 1092       p->next = oldnext;
>> 1093       p->end = oldend;
>> 1094     }
>> 1095