This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Coverity run for glibc 2.23.


Community,

We added 12 new defects, but closed 18 previous defects.

https://scan.coverity.com/projects/gnu-c-library-glibc?tab=overview

One of the defects is in the CVE-2015-7547 code changes, but I already
knew about this issue (we run Coverity internally at Red Hat), and
it's not a real problem (need to remove a NULL pointer check because
the API for send_dg and send_vc *require* the input args to be non-NULL
or we crash right away per glibc coding style guidelines).

These two need some review:
________________________________________________________________________________________________________
*** CID 123612:  Memory - illegal accesses  (OVERRUN)
/home/carlos/src/glibc-2.23-coverity/glibc-2.23/nscd/netgroupcache.c: 548 in addinnetgrX()
542     
543       dataset->resp.version = NSCD_VERSION;
544       dataset->resp.found = result->resp.found;
545       /* Until we find a matching entry the result is 0.  */
546       dataset->resp.result = 0;
547     
>>>     CID 123612:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 40 bytes at byte offset 40 by dereferencing pointer "(char *)(dataset + 1)". [Note: The source code implementation of the function has been overridden by a builtin model.]
548       char *key_copy = memcpy ((char *) (dataset + 1), group, req->key_len);
549     
550       if (dataset->resp.found)
551         {
552           const char *triplets = (const char *) (&result->resp + 1);
553     

________________________________________________________________________________________________________
*** CID 123611:  Memory - corruptions  (OVERRUN)
/home/carlos/src/glibc-2.23-coverity/glibc-2.23/io/ftw.c: 293 in open_dir_stream()
287     	  while ((d = __readdir64 (st)) != NULL)
288     	    {
289     	      size_t this_len = NAMLEN (d);
290     	      if (actsize + this_len + 2 >= bufsize)
291     		{
292     		  char *newp;
>>>     CID 123611:  Memory - corruptions  (OVERRUN)
>>>     Checking "1024UL > 2UL * this_len" implies that "this_len" may be up to 511 on the true branch.
293     		  bufsize += MAX (1024, 2 * this_len);
294     		  newp = (char *) realloc (buf, bufsize);
295     		  if (newp == NULL)
296     		    {
297     		      /* No more memory.  */
298     		      int save_err = errno;

I also wonder what these are about:

________________________________________________________________________________________________________
*** CID 123615:  Uninitialized variables  (UNINIT)
/home/carlos/src/glibc-2.23-coverity/glibc-2.23/sysdeps/ieee754/dbl-64/lgamma_neg.c: 290 in __lgamma_neg()
284       if ((i & 1) == 0 && i == -2 * x)
285         return 1.0 / 0.0;
286       double xn = ((i & 1) == 0 ? -i / 2 : (-i - 1) / 2);
287       i -= 4;
288       *signgamp = ((i & 2) == 0 ? -1 : 1);
289     
>>>     CID 123615:  Uninitialized variables  (UNINIT)
>>>     Declaring variable "ctx" without initializer.
290       SET_RESTORE_ROUND (FE_TONEAREST);
291     
292       /* Expand around the zero X0 = X0_HI + X0_LO.  */
293       double x0_hi = lgamma_zeros[i][0], x0_lo = lgamma_zeros[i][1];
294       double xdiff = x - x0_hi - x0_lo;
295     

Cheers,
Carlos.
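The buffer-growth step that Coverity flags in io/ftw.c (CID 123611) can be exercised on concrete name lengths, including the 511-byte bound the report mentions. The following is an added stand-alone model of that loop, not glibc's code; the struct, function and macro names are assumptions:

```c
#include <stdlib.h>
#include <string.h>
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Model of the name-list buffer in the flagged loop; names are assumptions. */
struct namelist { char *buf; size_t bufsize; size_t actsize; };

/* One iteration of the flagged loop: grow if needed, then copy the name plus
   its NUL.  Returns -1 on realloc failure or if the copy would leave the
   buffer (the overrun CID 123611 warns about), 0 otherwise. */
static int
namelist_append (struct namelist *nl, const char *name, size_t this_len)
{
  if (nl->actsize + this_len + 2 >= nl->bufsize)
    {
      nl->bufsize += MAX (1024, 2 * this_len);   /* the flagged growth rule */
      char *newp = realloc (nl->buf, nl->bufsize);
      if (newp == NULL)
        return -1;
      nl->buf = newp;
    }
  /* Check the write explicitly instead of trusting the arithmetic above. */
  if (nl->actsize + this_len + 1 > nl->bufsize)
    return -1;
  memcpy (nl->buf + nl->actsize, name, this_len);
  nl->actsize += this_len;
  nl->buf[nl->actsize++] = '\0';
  return 0;
}

/* Append COUNT names of THIS_LEN bytes each, then the list-terminating NUL the
   original loop adds afterwards.  Returns 1 if every write stayed in bounds. */
int
namelist_stays_in_bounds (size_t count, size_t this_len)
{
  struct namelist nl = { malloc (1024), 1024, 0 };
  char *name = malloc (this_len + 1);   /* constructed name of 'a' bytes */
  int ok = nl.buf != NULL && name != NULL;
  if (ok)
    memset (name, 'a', this_len);
  for (size_t i = 0; ok && i < count; i++)
    ok = namelist_append (&nl, name, this_len) == 0;
  if (ok && nl.actsize < nl.bufsize)
    nl.buf[nl.actsize++] = '\0';
  else
    ok = 0;
  free (name);
  free (nl.buf);
  return ok;
}
```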
