Re: New Defects reported by Coverity Scan for QEMU


From: Dr. David Alan Gilbert
Subject: Re: New Defects reported by Coverity Scan for QEMU
Date: Wed, 18 May 2022 09:24:06 +0100
User-agent: Mutt/2.2.1 (2022-02-19)

(Resend with correct address)
Hi Dan, Leo,
  There are a few Coverity warns from that last series:


Two moans about not checking mkdir in the tls tests:
> ** CID 1488871:  Error handling issues  (CHECKED_RETURN)
> /qemu/tests/qtest/migration-test.c: 782 in 
> test_migrate_tls_x509_start_common()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1488871:  Error handling issues  (CHECKED_RETURN)
> /qemu/tests/qtest/migration-test.c: 782 in 
> test_migrate_tls_x509_start_common()
> 776         data->servercert = g_strdup_printf("%s/server-cert.pem", 
> data->workdir);
> 777         if (args->clientcert) {
> 778             data->clientkey = g_strdup_printf("%s/client-key.pem", 
> data->workdir);
> 779             data->clientcert = g_strdup_printf("%s/client-cert.pem", 
> data->workdir);
> 780         }
> 781     
> >>>     CID 1488871:  Error handling issues  (CHECKED_RETURN)
> >>>     Calling "mkdir(data->workdir, 448U)" without checking return value. 
> >>> This library function may fail and return an error code.
> 782         mkdir(data->workdir, 0700);
> 783     
> 784         test_tls_init(data->keyfile);
> 785         g_assert(link(data->keyfile, data->serverkey) == 0);
> 786         if (args->clientcert) {
> 787             g_assert(link(data->keyfile, data->clientkey) == 0);
> 
> ** CID 1488870:    (CHECKED_RETURN)
> /qemu/tests/qtest/migration-test.c: 677 in test_migrate_tls_psk_start_common()
> /qemu/tests/qtest/migration-test.c: 670 in test_migrate_tls_psk_start_common()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1488870:    (CHECKED_RETURN)
> /qemu/tests/qtest/migration-test.c: 677 in test_migrate_tls_psk_start_common()
> 671         test_tls_psk_init(data->pskfile);
> 672     
> 673         if (mismatch) {
> 674             data->workdiralt = g_strdup_printf("%s/tlscredspskalt0", 
> tmpfs);
> 675             data->pskfilealt = g_strdup_printf("%s/%s", data->workdiralt,
> 676                                                QCRYPTO_TLS_CREDS_PSKFILE);
> >>>     CID 1488870:    (CHECKED_RETURN)
> >>>     Calling "mkdir(data->workdiralt, 448U)" without checking return 
> >>> value. This library function may fail and return an error code.
> 677             mkdir(data->workdiralt, 0700);
> 678             test_tls_psk_init_alt(data->pskfilealt);
> 679         }
> 680     
> 681         rsp = wait_command(from,
> 682                            "{ 'execute': 'object-add',"
> /qemu/tests/qtest/migration-test.c: 670 in test_migrate_tls_psk_start_common()
> 664             g_new0(struct TestMigrateTLSPSKData, 1);
> 665         QDict *rsp;
> 666     
> 667         data->workdir = g_strdup_printf("%s/tlscredspsk0", tmpfs);
> 668         data->pskfile = g_strdup_printf("%s/%s", data->workdir,
> 669                                         QCRYPTO_TLS_CREDS_PSKFILE);
> >>>     CID 1488870:    (CHECKED_RETURN)
> >>>     Calling "mkdir(data->workdir, 448U)" without checking return value. 
> >>> This library function may fail and return an error code.
> 670         mkdir(data->workdir, 0700);
> 671         test_tls_psk_init(data->pskfile);
> 672     
> 673         if (mismatch) {
> 674             data->workdiralt = g_strdup_printf("%s/tlscredspskalt0", 
> tmpfs);
> 675             data->pskfilealt = g_strdup_printf("%s/%s", data->workdiralt,
> 
> ** CID 1488869:  Insecure data handling  (TAINTED_SCALAR)
> /qemu/io/channel-socket.c: 716 in qio_channel_socket_flush()



This one is more curious:
> *** CID 1488869:  Insecure data handling  (TAINTED_SCALAR)
> /qemu/io/channel-socket.c: 716 in qio_channel_socket_flush()
> 710         int ret = 1;
> 711     
> 712         msg.msg_control = control;
> 713         msg.msg_controllen = sizeof(control);
> 714         memset(control, 0, sizeof(control));
> 715     
> >>>     CID 1488869:  Insecure data handling  (TAINTED_SCALAR)
> >>>     Using tainted variable "sioc->zero_copy_sent" as a loop boundary.
> 716         while (sioc->zero_copy_sent < sioc->zero_copy_queued) {
> 717             received = recvmsg(sioc->fd, &msg, MSG_ERRQUEUE);
> 718             if (received < 0) {
> 719                 switch (errno) {
> 720                 case EAGAIN:
> 721                     /* Nothing on errqueue, wait until something is 
> available */

It's not clear to me why it considers that 'insecure'; is that because
it's using values returned by the recvmsg ???

Dave

> 
> ** CID 1488868:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /qemu/include/hw/cxl/cxl_component.h: 218 in cxl_decode_ig()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1488868:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /qemu/include/hw/cxl/cxl_component.h: 218 in cxl_decode_ig()
> 212     
> 213     uint8_t cxl_interleave_ways_enc(int iw, Error **errp);
> 214     uint8_t cxl_interleave_granularity_enc(uint64_t gran, Error **errp);
> 215     
> 216     static inline hwaddr cxl_decode_ig(int ig)
> 217     {
> >>>     CID 1488868:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> >>>     Potentially overflowing expression "1 << ig + 8" with type "int" (32 
> >>> bits, signed) is evaluated using 32-bit arithmetic, and then used in a 
> >>> context that expects an expression of type "hwaddr" (64 bits, unsigned).
> 218         return 1 << (ig + 8);
> 219     }
> 220     
> 221     CXLComponentState *cxl_get_hb_cstate(PCIHostState *hb);
> 222     
> 
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
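
Added example, not part of the original message or of QEMU's code: a small C model of the OVERFLOW_BEFORE_WIDEN report on cxl_decode_ig() quoted above, comparing a shift done in 32 bits and then converted to a 64-bit type with a shift done after widening. The hwaddr typedef and the function names decode_ig_narrow_model, decode_ig_wide and first_divergent_ig are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-in for QEMU's hwaddr, which the report calls 64-bit unsigned. */
typedef uint64_t hwaddr;

/*
 * Model of "return 1 << (ig + 8);": the shift happens in 32-bit arithmetic
 * and only the finished int is converted to hwaddr. The shift is done on
 * uint32_t and the sign extension is written out by hand so that the model
 * is well-defined C for shift counts 0..31 (the real signed shift is
 * undefined once the result no longer fits in int).
 */
static hwaddr decode_ig_narrow_model(int ig)
{
    uint32_t bits = (uint32_t)1 << (ig + 8);
    if (bits & 0x80000000u) {
        return 0xFFFFFFFF00000000ULL | bits;   /* negative int, sign-extended */
    }
    return bits;
}

/* Widen the operand before shifting, so the shift itself is 64-bit. */
static hwaddr decode_ig_wide(int ig)
{
    return (hwaddr)1 << (ig + 8);
}

/* Smallest ig (with ig + 8 < 32) where the two forms disagree, or -1. */
static int first_divergent_ig(void)
{
    for (int ig = 0; ig + 8 < 32; ig++) {
        if (decode_ig_narrow_model(ig) != decode_ig_wide(ig)) {
            return ig;
        }
    }
    return -1;
}

int main(void)
{
    int ig = first_divergent_ig();
    printf("first divergent ig = %d\n", ig);
    printf("narrow model: 0x%016llx\n",
           (unsigned long long)decode_ig_narrow_model(ig));
    printf("widened:      0x%016llx\n", (unsigned long long)decode_ig_wide(ig));
    return 0;
}
```

Whether ig can reach such values is not stated in the report; the widened form removes the dependence on the caller's range.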



