This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Coverity run for glibc 2.23.
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: GNU C Library <libc-alpha at sourceware dot org>
- Date: Fri, 26 Feb 2016 00:29:54 -0500
- Subject: Coverity run for glibc 2.23.
Community,
We added 12 new defects, but closed 18 previous defects.
https://scan.coverity.com/projects/gnu-c-library-glibc?tab=overview
One of the defects is in the CVE-2015-7547 code changes, but I already
knew about this issue (we run Coverity internally at Red Hat), and
it's not a real problem (need to remove a NULL pointer check because
the API for send_dg and send_vc *require* the input args to be non-NULL
or we crash right away per glibc coding style guidelines).
These two need some review:
________________________________________________________________________________________________________
*** CID 123612: Memory - illegal accesses (OVERRUN)
/home/carlos/src/glibc-2.23-coverity/glibc-2.23/nscd/netgroupcache.c: 548 in addinnetgrX()
542
543       dataset->resp.version = NSCD_VERSION;
544       dataset->resp.found = result->resp.found;
545       /* Until we find a matching entry the result is 0. */
546       dataset->resp.result = 0;
547
>>> CID 123612: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 40 bytes at byte offset 40 by dereferencing pointer "(char *)(dataset + 1)". [Note: The source code implementation of the function has been overridden by a builtin model.]
548       char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);
549
550       if (dataset->resp.found)
551         {
552           const char *triplets = (const char *) (&result->resp + 1);
553
________________________________________________________________________________________________________
*** CID 123611: Memory - corruptions (OVERRUN)
/home/carlos/src/glibc-2.23-coverity/glibc-2.23/io/ftw.c: 293 in open_dir_stream()
287       while ((d = __readdir64 (st)) != NULL)
288         {
289           size_t this_len = NAMLEN (d);
290           if (actsize + this_len + 2 >= bufsize)
291             {
292               char *newp;
>>> CID 123611: Memory - corruptions (OVERRUN)
>>> Checking "1024UL > 2UL * this_len" implies that "this_len" may be up to 511 on the true branch.
293               bufsize += MAX (1024, 2 * this_len);
294               newp = (char *) realloc (buf, bufsize);
295               if (newp == NULL)
296                 {
297                   /* No more memory. */
298                   int save_err = errno;
I also wonder what these are about:
________________________________________________________________________________________________________
*** CID 123615: Uninitialized variables (UNINIT)
/home/carlos/src/glibc-2.23-coverity/glibc-2.23/sysdeps/ieee754/dbl-64/lgamma_neg.c: 290 in __lgamma_neg()
284       if ((i & 1) == 0 && i == -2 * x)
285         return 1.0 / 0.0;
286       double xn = ((i & 1) == 0 ? -i / 2 : (-i - 1) / 2);
287       i -= 4;
288       *signgamp = ((i & 2) == 0 ? -1 : 1);
289
>>> CID 123615: Uninitialized variables (UNINIT)
>>> Declaring variable "ctx" without initializer.
290       SET_RESTORE_ROUND (FE_TONEAREST);
291
292       /* Expand around the zero X0 = X0_HI + X0_LO. */
293       double x0_hi = lgamma_zeros[i][0], x0_lo = lgamma_zeros[i][1];
294       double xdiff = x - x0_hi - x0_lo;
295
Cheers,
Carlos.
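The growth check Coverity flags in CID 123611 can be exercised outside glibc. The program below is an added example, not glibc's code and not part of Carlos's message: it replays the condition and growth step from lines 290-294 of the excerpt on a constructed list of name lengths (1, 2, 255, 511 and 2000 bytes, chosen here; the real loop reads d_name from readdir64) and verifies before every memcpy that the write fits inside the allocation. The names struct namebuf, append_name and demo_ftw_growth belong to this example, not to io/ftw.c.

```c
/* Added example, not glibc code: replays the buffer-growth rule from
   io/ftw.c open_dir_stream() on constructed directory names and checks,
   before every copy, that the write stays inside the buffer.  */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX(a, b) ((a) > (b) ? (a) : (b))

struct namebuf
{
  char *buf;
  size_t bufsize;   /* bytes allocated */
  size_t actsize;   /* bytes used, including each name's NUL */
};

/* Same growth test and growth step as lines 290-294 of the flagged code.
   Returns -1 on allocation failure or if the copy would not fit.  */
static int
append_name (struct namebuf *nb, const char *name, size_t this_len)
{
  if (nb->actsize + this_len + 2 >= nb->bufsize)
    {
      size_t newsize = nb->bufsize + MAX (1024, 2 * this_len);
      char *newp = realloc (nb->buf, newsize);
      if (newp == NULL)
        return -1;
      nb->buf = newp;
      nb->bufsize = newsize;
    }
  /* Bounds check: the name, its NUL, and the terminator of the whole
     list must all fit before anything is written.  */
  if (nb->actsize + this_len + 2 > nb->bufsize)
    return -1;
  memcpy (nb->buf + nb->actsize, name, this_len);
  nb->buf[nb->actsize + this_len] = '\0';
  nb->actsize += this_len + 1;
  return 0;
}

/* Constructed input (this example's own, not real directory contents):
   two short names, a 255-byte name, the 511-byte length Coverity reasons
   about, and a 2000-byte name that forces a second growth.  Returns the
   final actsize, or 0 on any failure; *final_bufsize receives the final
   allocation size when non-NULL.  */
static size_t
demo_ftw_growth (size_t *final_bufsize)
{
  static const size_t lens[] = { 1, 2, 255, 511, 2000 };
  struct namebuf nb = { NULL, 0, 0 };
  size_t result = 0;
  char *name = malloc (2000);
  if (name == NULL)
    return 0;
  for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
    {
      memset (name, 'a' + (int) i, lens[i]);
      if (append_name (&nb, name, lens[i]) != 0)
        goto out;
    }
  /* The list is terminated with a second NUL; actsize must still be
     inside the buffer for that final write.  */
  if (nb.actsize >= nb.bufsize)
    goto out;
  nb.buf[nb.actsize] = '\0';
  result = nb.actsize;
out:
  if (final_bufsize != NULL)
    *final_bufsize = nb.bufsize;
  free (name);
  free (nb.buf);
  return result;
}

int
main (void)
{
  size_t bufsize = 0;
  size_t used = demo_ftw_growth (&bufsize);
  printf ("used %zu of %zu bytes\n", used, bufsize);
  return used == 0;
}
```

For these lengths the run ends with 2774 bytes used of a 5024-byte buffer: the first name grows the buffer from 0 to 1024, the 2000-byte name grows it by 2 * 2000 to 5024, and every copy passes the fit check. A realloc failure or a copy that would not fit is reported as -1 instead of proceeding, which is the check a reviewer would want alongside the excerpt.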