| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Jun 2012 11:32:09 -0700
From: Scan Subscription <scan-subscription@...erity.com>
To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: New Defects based on recent changes in Kernel code found by
Coverity Scan
Hi,
Based on several requests to test the recent changes to the Linux Kernel for any new defects, that may have been introduced, using Coverity SCAN, we have the results and we would share them with the larger community. To date we have found a total of 27 new defects based on changes made in the last THREE weeks. Below you can find the full summary and details of defects found including the source code snippet.
We will share this information weekly and include the list of new defects found by Coverity SCAN. You can also view the details of the defects by logging into SCAN http://scan5.coverity.com:8080
____________________________________________________________________________________________________________
Summary of Defects:
* CID 703583: Out-of-bounds access (OVERRUN_STATIC) - Array of uint16_t mb[4], is being accessed as mb[1],mb[2],mb[3],mb[4], instead of index from 0 to 3
drivers/scsi/qla2xxx/qla_isr.c:92
drivers/scsi/qla2xxx/qla_target.c:4045
* CID 709112: Dereference after null check - fs/btrfs/ioctl.c, line: 1309 Comparing "device->fs_devices" to null implies that "device->fs_devices" might be null, and then it is deference
fs/btrfs/ioctl.c:1309
*. CID 709078: Resource leak (RESOURCE_LEAK) - drivers/net/wireless/mwifiex/cfg80211.c, line: 935
Assigning: "bss_cfg" = storage returned from "kzalloc(132UL, 208U)" - but was not free
drivers/net/wireless/mwifiex/cfg80211.c:935
* CID 703581 - NO_EFFECT Unsigned compared against 0 - This less-than-zero comparison of an unsigned value is never true. "*val < 0UL".
drivers/scsi/fcoe/fcoe_sysfs.c:105
* CID 115636: Dereference null return value - Function "ext4_get_group_desc" returns null - And 23 times out of 28 times its return value was checked against NULL
fs/ext4/super.c:4500
* CID 703573 Dereference after null check
kernel/sys.c, line: 2212
* CID 703579 - NO_EFFECT - Unsigned compared against 0 - This less-than-zero comparison of an unsigned value is never true. "value < 0UL".
drivers/platform/x86/sony-laptop.c:993
____________________________________________________________________________________________________________
To View the defect in Coverity Scan visit, http://scan5.coverity.com:8080
Your username is usually your first part of your email address.
If you don't have a username, you can request one by emailing: scan-admin@...erity.com
____________________________________________________________________________________________________________
Details of Defect:-
____________________________________________________________________________________________________________
CID 703583: Out-of-bounds access (OVERRUN_STATIC) - Array of uint16_t mb[4], is being accessed as mb[1],mb[2],mb[3],mb[4], instead of index from 0 to 3
drivers/scsi/qla2xxx/qla_isr.c:92
33 irqreturn_t
34 qla2100_intr_handler(int irq, void *dev_id) 35{
42 uint16_t mb[4];
...
>>> CID 703583: Out-of-bounds access (OVERRUN_STATIC) Overrunning static array "mb" of size 8 bytes by passing it as an argument to a function which indexes it at byte position 8.
92 qla2x00_async_event(vha, rsp, mb);
...
836 qlt_async_event(mb[0], vha, mb);
drivers/scsi/qla2xxx/qla_target.c
3958 void qlt_async_event(uint16_t code, struct scsi_qla_host *vha,
3959 uint16_t *mailbox)
3960{
3961
>>> Pointer "mailbox" directly indexed by constant "4".
4045 ql_dbg(ql_dbg_tgt_mgt, vha, 0xf040,
4046 "qla_target(%d): Async event %#x occured: "
4047 "ignore (m[1]=%x, m[2]=%x, m[3]=%x, m[4]=%x)", vha->vp_idx,
4048 code, le16_to_cpu(mailbox[1]), le16_to_cpu(mailbox[2]),
4049 le16_to_cpu(mailbox[3]), le16_to_cpu(mailbox[4]));
____________________________________________________________________________________________________________
CID 709112: Dereference after null check
fs/btrfs/ioctl.c:1309
1256 static noinline int btrfs_ioctl_resize(struct btrfs_root *root,
1257 void __user *arg)
1258 {
...
>>> At conditional (1): "device->fs_devices" taking the false branch.
>>> CID 709112: Dereference after null check (FORWARD_NULL) Comparing "device->fs_devices" to null implies that "device->fs_devices" might be null.
1309 if (device->fs_devices && device->fs_devices->seeding) {
1310 printk(KERN_INFO "btrfs: resizer unable to apply on "
1311 "seeding device %llu\n", devid);
1312 ret = -EINVAL;
1313 goto out_free;
1314 }
...
>>> Passing null variable "device->fs_devices" to function "btrfs_grow_device", which dereferences it.
1367 ret = btrfs_grow_device(trans, device, new_size);
1368 btrfs_commit_transaction(trans, root);
1369 } else if (new_size < old_size) {
>>> Passing null variable "device->fs_devices" to function "btrfs_shrink_device", which dereferences it.
1370 ret = btrfs_shrink_device(device, new_size);
1371 }
1378 }
____________________________________________________________________________________________________________
CID 709078: Resource leak (RESOURCE_LEAK)
drivers/net/wireless/mwifiex/cfg80211.c:935
923 static int mwifiex_cfg80211_start_ap(struct wiphy *wiphy,
924 struct net_device *dev,
925 struct cfg80211_ap_settings *params)
926 {
934
>>> CID 709078: Resource leak (RESOURCE_LEAK) Calling allocation function "kzalloc".
>>> Assigning: "bss_cfg" = storage returned from "kzalloc(132UL, 208U)".
935 bss_cfg = kzalloc(sizeof(struct mwifiex_uap_bss_param), GFP_KERNEL);
...
950
951 switch (params->hidden_ssid) {
952 case NL80211_HIDDEN_SSID_NOT_IN_USE:
953 bss_cfg->bcast_ssid_ctl = 1;
954 break;
955 case NL80211_HIDDEN_SSID_ZERO_LEN:
956 bss_cfg->bcast_ssid_ctl = 0;
957 break;
>>> At conditional (6): switch case value "NL80211_HIDDEN_SSID_ZERO_CONTENTS" taking the true branch.
958 case NL80211_HIDDEN_SSID_ZERO_CONTENTS:
959 /* firmware doesn't support this type of hidden SSID */
960 default:
>>> Variable "bss_cfg" going out of scope leaks the storage it points to.
961 return -EINVAL;
962 }
963
____________________________________________________________________________________________________________
CID 703581 - NO_EFFECT Unsigned compared against 0 - This less-than-zero comparison of an unsigned value is never true. "*val < 0UL".
drivers/scsi/fcoe/fcoe_sysfs.c:105
100 static int fcoe_str_to_dev_loss(const char *buf, unsigned long *val)
101 {
102 int ret;
103
104 ret = kstrtoul(buf, 0, val);
>>> CID 703581: Unsigned compared against 0 (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "*val < 0UL".
105 if (ret || *val < 0)
106 return -EINVAL;
107 /*
108 * Check for overflow; dev_loss_tmo is u32
____________________________________________________________________________________________________________
CID 115636: Dereference null return value - Function "ext4_get_group_desc" returns null (checked 23 out of 28 times).
fs/ext4/super.c:4500
4498 */
4499 for (g = 0; g < sbi->s_groups_count; g++) {
>>> CID 115636: Dereference null return value (NULL_RETURNS) Function "ext4_get_group_desc" returns null (checked 23 out of 28 times).
>>> Assigning: "gdp" = null return value from "ext4_get_group_desc".
4500 struct ext4_group_desc *gdp =
4501 ext4_get_group_desc(sb, g, NULL);
4502
>>> Dereferencing a pointer that might be null "gdp" when calling "ext4_group_desc_csum_verify".
4503 if (!ext4_group_desc_csum_verify(sb, g, gdp)) {
>>> Assigning: "desc" = return value from "ext4_get_group_desc(sb, block_group, NULL)".
367 desc = ext4_get_group_desc(sb, block_group, NULL);
>>> "desc" has its value checked in "desc".
368 if (!desc)
369 return NULL;
____________________________________________________________________________________________________________
CID 703573 Dereference after null check
kernel/sys.c, line: 2212
2201 int orderly_poweroff(bool force)
2202 {
...
2210 int ret = -ENOMEM;
2211
>>> At conditional (1): "argv == NULL" taking the true branch.
>>> CID 703573: Dereference after null check (FORWARD_NULL) Comparing "argv" to null implies that "argv" might be null.
2212 if (argv == NULL) {
2213 printk(KERN_WARNING "%s failed to allocate memory for \"%s\"\n",
2214 __func__, poweroff_cmd);
2215 goto out;
2216 }
2217
2218 ret = call_usermodehelper_fns(argv[0], argv, envp, UMH_NO_WAIT,
2219 NULL, argv_cleanup, NULL);
2220 out:
>>> At conditional (2): "!!!ret" taking the false branch.
>>> At conditional (3): "!!!ret" taking the false branch.
2221 if (likely(!ret))
2222 return 0;
2223
>>> At conditional (4): "ret == -12" taking the true branch.
2224 if (ret == -ENOMEM)
>>> Passing null variable "argv" to function "argv_free", which dereferences it.
2225 argv_free(argv);
2226
____________________________________________________________________________________________________________
CID 703579: Unsigned compared against 0 (NO_EFFECT)
drivers/platform/x86/sony-laptop.c:993
972 static ssize_t sony_nc_sysfs_store(struct device *dev,
973 struct device_attribute *attr,
974 const char *buffer, size_t count)
975 {
976 unsigned long value = 0;
...
989
990 if (item->validate)
991 value = item->validate(SNC_VALIDATE_IN, value);
992
>>> CID 703579: Unsigned compared against 0 (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "value < 0UL".
993 if (value < 0)
994 return value;
____________________________________________________________________________________________________________
Thanks
SCAN-ADMIN
Scan-admin@...erity.com
http://scan.coverity.com
Powered by blists - more mailing lists