Coverity-updates archive


New Defects reported by Coverity Scan for NetBSD-i386-user



Hi,
Please find the latest report on new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
86 new defect(s) introduced to NetBSD-i386-user found with Coverity Scan.
235 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 86 defect(s)
** CID 710492: Null pointer dereferences (REVERSE_INULL)
/sys/external/bsd/drm2/dist/drm/via/via_mm.c: 82 in via_final_context()
________________________________________________________________________________________________________
*** CID 710492: Null pointer dereferences (REVERSE_INULL)
/sys/external/bsd/drm2/dist/drm/via/via_mm.c: 82 in via_final_context()
76 	drm_via_private_t *dev_priv = (drm_via_private_t *) dev->dev_private;
77 
78 	via_release_futex(dev_priv, context);
79 
80 	/* Linux specific until context tracking code gets ported to BSD */
81 	/* Last context, perform cleanup */
>>> CID 710492: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "dev->dev_private" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
82 	if (list_is_singular(&dev->ctxlist) && dev->dev_private) {
83 		DRM_DEBUG("Last Context\n");
84 		drm_irq_uninstall(dev);
85 		via_cleanup_futex(dev_priv);
86 		via_do_cleanup_map(dev);
87 	}
** CID 976986: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 1565 in test20()
________________________________________________________________________________________________________
*** CID 976986: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/sljit/dist/test_src/sljitTest.c: 1565 in test20()
1559 	FAILED(buf[2] != 60, "test20 case 2 failed\n");
1560 	FAILED(buf[3] != 17, "test20 case 3 failed\n");
1561 	FAILED(buf[4] != 7, "test20 case 4 failed\n");
1562 
1563 	sljit_free_code(code.code);
1564 
>>> CID 976986: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "compiler" = null return value from "sljit_create_compiler(void)".
1565 	compiler = sljit_create_compiler();
1566 	sljit_emit_enter(compiler, 0, 3, 0, SLJIT_MAX_LOCAL_SIZE);
1567 
1568 	sljit_get_local_base(compiler, SLJIT_SCRATCH_REG1, 0, SLJIT_MAX_LOCAL_SIZE - sizeof(sljit_sw));
1569 	sljit_get_local_base(compiler, SLJIT_SCRATCH_REG2, 0, -(sljit_sw)sizeof(sljit_sw));
1570 	sljit_emit_op1(compiler, SLJIT_MOV, SLJIT_SCRATCH_REG3, 0, SLJIT_IMM, -1);
** CID 1009289: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpcbind/rpcbind.c: 121 in main()
________________________________________________________________________________________________________
*** CID 1009289: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpcbind/rpcbind.c: 121 in main()
115 	void *nc_handle;	/* Net config handle */
116 	struct rlimit rl;
117 	int maxrec = RPC_MAXDATASIZE;
118 
119 	parseargs(argc, argv);
120 
>>> CID 1009289: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(8, &rl)".
121 	getrlimit(RLIMIT_NOFILE, &rl);
122 	if (rl.rlim_cur < 128) {
123 		if (rl.rlim_max <= 128)
124 			rl.rlim_cur = rl.rlim_max;
125 		else
126 			rl.rlim_cur = 128;
** CID 1225077: (CHECKED_RETURN)
/bin/ksh/c_ulimit.c: 206 in c_ulimit()
/bin/ksh/c_ulimit.c: 235 in c_ulimit()
________________________________________________________________________________________________________
*** CID 1225077: (CHECKED_RETURN)
/bin/ksh/c_ulimit.c: 206 in c_ulimit()
200 		}
201 	}
202 	if (all) {
203 		for (l = limits; l->name; l++) {
204 #ifdef HAVE_SETRLIMIT
205 			if (l->which == RLIMIT) {
>>> CID 1225077: (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(l->gcmd, &limit)".
206 				getrlimit(l->gcmd, &limit);
207 				if (how & SOFT)
208 					val = limit.rlim_cur;
209 				else if (how & HARD)
210 					val = limit.rlim_max;
211 			} else
/bin/ksh/c_ulimit.c: 235 in c_ulimit()
229 			}
230 		}
231 		return 0;
232 	}
233 #ifdef HAVE_SETRLIMIT
234 	if (l->which == RLIMIT) {
>>> CID 1225077: (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(l->gcmd, &limit)".
235 		getrlimit(l->gcmd, &limit);
236 		if (set) {
237 			if (how & SOFT)
238 				limit.rlim_cur = val;
239 			if (how & HARD)
240 				limit.rlim_max = val;
** CID 1225078: Error handling issues (CHECKED_RETURN)
/bin/sh/miscbltin.c: 430 in ulimitcmd()
________________________________________________________________________________________________________
*** CID 1225078: Error handling issues (CHECKED_RETURN)
/bin/sh/miscbltin.c: 430 in ulimitcmd()
424 #endif
425 			}
426 		}
427 		return 0;
428 	}
429 
>>> CID 1225078: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(l->cmd, &limit)".
430 	getrlimit(l->cmd, &limit);
431 	if (set) {
432 		if (how & HARD)
433 			limit.rlim_max = val;
434 		if (how & SOFT)
435 			limit.rlim_cur = val;
** CID 1225079: Error handling issues (CHECKED_RETURN)
/gnu/lib/libmalloc/mem-limits.h: 124 in get_lim_data()
________________________________________________________________________________________________________
*** CID 1225079: Error handling issues (CHECKED_RETURN)
/gnu/lib/libmalloc/mem-limits.h: 124 in get_lim_data()
118 
119 static void
120 get_lim_data ()
121 {
122 struct rlimit XXrlimit;
123 
>>> CID 1225079: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(2, &XXrlimit)".
124 getrlimit (RLIMIT_DATA, &XXrlimit);
125 #ifdef RLIM_INFINITY
126 lim_data = XXrlimit.rlim_cur & RLIM_INFINITY; /* soft limit */
127 #else
128 lim_data = XXrlimit.rlim_cur;	/* soft limit */
129 #endif
130 }
131 #endif /* BSD4_2 */
** CID 1225080: Error handling issues (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xorg-server/dist/os/utils.c: 658 in ProcessCommandLine()
________________________________________________________________________________________________________
*** CID 1225080: Error handling issues (CHECKED_RETURN)
/home/phil/cov/xsrc/external/mit/xorg-server/dist/os/utils.c: 658 in ProcessCommandLine()
652 		UseMsg();
653 	}
654 	else if ( strcmp( argv[i], "-core") == 0)
655 	{
656 #if !defined(WIN32) || !defined(__MINGW32__)
657 	 struct rlimit core_limit;
>>> CID 1225080: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(4, &core_limit)".
658 	 getrlimit (RLIMIT_CORE, &core_limit);
659 	 core_limit.rlim_cur = core_limit.rlim_max;
660 	 setrlimit (RLIMIT_CORE, &core_limit);
661 #endif
662 	 CoreDump = TRUE;
663 	}
** CID 1225081: Error handling issues (CHECKED_RETURN)
/tests/fs/nfs/nfsservice/rpcbind/rpcbind.c: 135 in rpcbind_main()
________________________________________________________________________________________________________
*** CID 1225081: Error handling issues (CHECKED_RETURN)
/tests/fs/nfs/nfsservice/rpcbind/rpcbind.c: 135 in rpcbind_main()
129 #if 0
130 	parseargs(argc, argv);
131 #endif
132 
133 	alloc_fdset();
134 
>>> CID 1225081: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(8, &rl)".
135 	getrlimit(RLIMIT_NOFILE, &rl);
136 	if (rl.rlim_cur < 128) {
137 		if (rl.rlim_max <= 128)
138 			rl.rlim_cur = rl.rlim_max;
139 		else
140 			rl.rlim_cur = 128;
** CID 1225082: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 76 in closedown()
________________________________________________________________________________________________________
*** CID 1225082: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 76 in closedown()
70 		if (_rpcfdtype == SOCK_DGRAM)
71 			exit(0);
72 		if (size == 0) {
73 			struct rlimit rl;
74 
75 			rl.rlim_max = 0;
>>> CID 1225082: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(8, &rl)".
76 			getrlimit(RLIMIT_NOFILE, &rl);
77 			if ((size = rl.rlim_max) == 0)
78 				return;
79 		}
80 		for (i = 0, openfd = 0; i < size && openfd < 2; i++)
81 			if (FD_ISSET(i, &svc_fdset))
** CID 1225083: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 329 in mymain()
________________________________________________________________________________________________________
*** CID 1225083: Error handling issues (CHECKED_RETURN)
/usr.sbin/rpc.pcnfsd/obj/pcnfsd_svc.c: 329 in mymain()
323 			perror("cannot fork");
324 			exit(1);
325 		}
326 		if (pid)
327 			exit(0);
328 		rl.rlim_max = 0;
>>> CID 1225083: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "getrlimit(8, &rl)".
329 		getrlimit(RLIMIT_NOFILE, &rl);
330 		if ((size = rl.rlim_max) == 0)
331 			exit(1);
332 		for (i = 0; i < size; i++)
333 			(void) close(i);
334 		i = open("/dev/console", 2);
** CID 1256502: Control flow issues (MISSING_BREAK)
/sys/external/bsd/acpica/dist/disassembler/dmwalk.c: 316 in AcpiDmBlockType()
________________________________________________________________________________________________________
*** CID 1256502: Control flow issues (MISSING_BREAK)
/sys/external/bsd/acpica/dist/disassembler/dmwalk.c: 316 in AcpiDmBlockType()
310 {
311 /* This is a reference to a method, not an invocation */
312 
313 return (BLOCK_NONE);
314 }
315 
>>> CID 1256502: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
316 default:
317 
318 OpInfo = AcpiPsGetOpcodeInfo (Op->Common.AmlOpcode);
319 if (OpInfo->Flags & AML_HAS_ARGS)
320 {
321 return (BLOCK_PAREN);
** CID 1256503: Resource leaks (RESOURCE_LEAK)
/sys/external/bsd/acpica/dist/compiler/aslopcodes.c: 1361 in OpcDoPld()
________________________________________________________________________________________________________
*** CID 1256503: Resource leaks (RESOURCE_LEAK)
/sys/external/bsd/acpica/dist/compiler/aslopcodes.c: 1361 in OpcDoPld()
1355 break;
1356 }
1357 
1358 Node = Node->Asl.Next;
1359 }
1360 
>>> CID 1256503: Resource leaks (RESOURCE_LEAK)
>>> Overwriting "Buffer" in "Buffer = OpcEncodePldBuffer(&PldInfo)" leaks the storage that "Buffer" points to.
1361 Buffer = OpcEncodePldBuffer(&PldInfo);
1362 
1363 /* Change Op to a Buffer */
1364 
1365 Op->Asl.ParseOpcode = PARSEOP_BUFFER;
1366 Op->Common.AmlOpcode = AML_BUFFER_OP;
** CID 1268629: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/xz/dist/src/xz/args.c: 83 in parse_block_list()
________________________________________________________________________________________________________
*** CID 1268629: Null pointer dereferences (FORWARD_NULL)
/external/public-domain/xz/dist/src/xz/args.c: 83 in parse_block_list()
77 	// If --block-list was specified already, its value is forgotten.
78 	free(opt_block_list);
79 	opt_block_list = xmalloc((count + 1) * sizeof(uint64_t));
80 
81 	for (size_t i = 0; i < count; ++i) {
82 		// Locate the next comma and replace it with \0.
>>> CID 1268629: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "str" to function "strchr(char const *, int)", which dereferences it.
83 		char *p = strchr(str, ',');
84 		if (p != NULL)
85 			*p = '\0';
86 
87 		if (str[0] == '\0') {
88 			// There is no string, that is, a comma follows
** CID 1292510: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/acpica/dist/dispatcher/dsutils.c: 608 in AcpiDsCreateOperand()
________________________________________________________________________________________________________
*** CID 1292510: Null pointer dereferences (NULL_RETURNS)
/sys/external/bsd/acpica/dist/dispatcher/dsutils.c: 608 in AcpiDsCreateOperand()
602 else if (ParentOp->Common.AmlOpcode == AML_EXTERNAL_OP)
603 {
604 /* TBD: May only be temporary */
605 
606 ObjDesc = AcpiUtCreateStringObject ((ACPI_SIZE) NameLength);
607 
>>> CID 1292510: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "ObjDesc".
608 ACPI_STRNCPY (ObjDesc->String.Pointer, NameString, NameLength);
609 Status = AE_OK;
610 }
611 else
612 {
613 /*
** CID 1292512: Memory - corruptions (BAD_FREE)
________________________________________________________________________________________________________
*** CID 1292512: Memory - corruptions (BAD_FREE)
/sys/external/bsd/acpica/dist/tables/tbinstal.c: 517 in AcpiTbUninstallTable()
511 
512 AcpiTbInvalidateTable (TableDesc);
513 
514 if ((TableDesc->Flags & ACPI_TABLE_ORIGIN_MASK) ==
515 ACPI_TABLE_ORIGIN_INTERNAL_VIRTUAL)
516 {
>>> CID 1292512: Memory - corruptions (BAD_FREE)
>>> "AcpiOsFree(void *)" frees address offset from "NULL".
517 ACPI_FREE (ACPI_PHYSADDR_TO_PTR (TableDesc->Address));
518 }
519 
520 TableDesc->Address = ACPI_PTR_TO_PHYSADDR (NULL);
521 return_VOID;
** CID 1294266: Error handling issues (CHECKED_RETURN)
/sys/external/bsd/acpica/dist/common/dmtbdump.c: 2541 in AcpiDmDumpSlic()
________________________________________________________________________________________________________
*** CID 1294266: Error handling issues (CHECKED_RETURN)
/sys/external/bsd/acpica/dist/common/dmtbdump.c: 2541 in AcpiDmDumpSlic()
2535 ******************************************************************************/
2536 
2537 void
2538 AcpiDmDumpSlic (
2539 ACPI_TABLE_HEADER *Table)
2540 {
>>> CID 1294266: Error handling issues (CHECKED_RETURN)
>>> No check of the return value of "AcpiDmDumpTable(Table->Length, 36U, Table, Table->Length - 36U, AcpiDmTableInfoSlic)".
2541 AcpiDmDumpTable (Table->Length, sizeof (ACPI_TABLE_HEADER), Table,
2542 Table->Length - sizeof (*Table), AcpiDmTableInfoSlic);
2543 }
2544 
2545 
2546 /*******************************************************************************
** CID 1297229: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/dev/dksubr.c: 85 in dk_init()
________________________________________________________________________________________________________
*** CID 1297229: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/sys/dev/dksubr.c: 85 in dk_init()
79 {
80 
81 	memset(dksc, 0x0, sizeof(*dksc));
82 	dksc->sc_dtype = dtype;
83 	dksc->sc_dev = dev;
84 
>>> CID 1297229: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 8 bytes on destination array "dksc->sc_xname" of size 8 bytes might leave the destination string unterminated.
85 	strncpy(dksc->sc_xname, device_xname(dev), DK_XNAME_SIZE);
86 	dksc->sc_dkdev.dk_name = dksc->sc_xname;
87 }
88 
89 void
90 dk_attach(struct dk_softc *dksc)
** CID 1297237: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 156 in drm_mm_add_space_to_tail()
________________________________________________________________________________________________________
*** CID 1297237: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 156 in drm_mm_add_space_to_tail()
150 int drm_mm_add_space_to_tail(struct drm_mm *mm, unsigned long size, int atomic)
151 {
152 	struct list_head *tail_node;
153 	struct drm_mm_node *entry;
154 
155 	tail_node = mm->ml_entry.prev;
>>> CID 1297237: Incorrect expression (BAD_SIZEOF)
>>> Taking the size of arithmetic expression "tail_node - &((struct drm_mm_node *)((char *)tail_node - 8U))->ml_entry" is suspicious.
156 	entry = list_entry(tail_node, struct drm_mm_node, ml_entry);
157 	if (!entry->free) {
158 		return drm_mm_create_tail_node(mm, entry->start + entry->size,
159 					 size, atomic);
160 	}
161 	entry->size += size;
** CID 1297238: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 248 in drm_mm_put_block()
________________________________________________________________________________________________________
*** CID 1297238: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 248 in drm_mm_put_block()
242 		if (prev_node->free) {
243 			prev_node->size += cur->size;
244 			merged = 1;
245 		}
246 	}
247 	if (cur_head->next != root_head) {
>>> CID 1297238: Incorrect expression (BAD_SIZEOF)
>>> Taking the size of arithmetic expression "cur_head->next - &((struct drm_mm_node *)((char *)cur_head->next - 8U))->ml_entry" is suspicious.
248 		next_node =
249 		 list_entry(cur_head->next, struct drm_mm_node, ml_entry);
250 		if (next_node->free) {
251 			if (merged) {
252 				prev_node->size += next_node->size;
253 				list_del(&next_node->ml_entry);
** CID 1297239: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 71 in drm_mm_remove_space_from_tail()
________________________________________________________________________________________________________
*** CID 1297239: Incorrect expression (BAD_SIZEOF)
/sys/external/bsd/drm/dist/bsd-core/drm_mm.c: 71 in drm_mm_remove_space_from_tail()
65 int drm_mm_remove_space_from_tail(struct drm_mm *mm, unsigned long size)
66 {
67 	struct list_head *tail_node;
68 	struct drm_mm_node *entry;
69 
70 	tail_node = mm->ml_entry.prev;
>>> CID 1297239: Incorrect expression (BAD_SIZEOF)
>>> Taking the size of arithmetic expression "tail_node - &((struct drm_mm_node *)((char *)tail_node - 8U))->ml_entry" is suspicious.
71 	entry = list_entry(tail_node, struct drm_mm_node, ml_entry);
72 	if (!entry->free)
73 		return -ENOMEM;
74 
75 	if (entry->size <= size)
76 		return -ENOMEM;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1448?tab=overview
To manage Coverity Scan email notifications for "coverity-updates%netbsd.org@localhost", click https://scan.coverity.com/subscriptions/edit?email=coverity-updates%40netbsd.org&token=487286ca1a9a4f4bd485d16f66b5e782 .

