Message-ID: <829BE905228AE14A9AE1A46E6F2E371605538D039F@VA3DIAXVS891.RED001.local>
Date: Fri, 6 Jul 2012 10:32:00 -0700
From: Scan Subscription <scan-subscription@...erity.com>
To: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "axboe@...nel.dk" <axboe@...nel.dk>,
"axboe@...nel.dk" <axboe@...nel.dk>,
"roland@...estorage.com" <roland@...estorage.com>,
"viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
"jkosina@...e.cz" <jkosina@...e.cz>
Subject: New Defect found by Coverity Scan based on code change in last 1.5
week
New defects found by Coverity Scan based on code changes in the last 1.5 weeks
Defect Summary
________________________________________________________________________
** CID 200075: Free of array-typed value (BAD_FREE.array)
/linux/fs/splice.c: 317
Alexander Viro
** CID 709210: Self assignment (NO_EFFECT.self_assign)
/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100
Roland Dreier
** CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 442
Jiri Kosina
** CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 459
Jiri Kosina
** CID 709551: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2660
Jens Axboe
** CID 709552: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2588
Jens Axboe
________________________________________________________________________
Defect Details:
________________________________________________________________________
CID 200075: Free of array-typed value (BAD_FREE.array)
/linux/fs/splice.c: 317 ( array_assign)
311 struct page *pages[PIPE_DEF_BUFFERS];
312 struct partial_page partial[PIPE_DEF_BUFFERS];
...
316 int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.pages" = "pages".
317 struct splice_pipe_desc spd = {
318 .pages = pages,
319 .partial = partial,
320 .nr_pages_max = PIPE_DEF_BUFFERS,
321 .flags = flags,
/linux/fs/splice.c: 503 ( incorrect_free)
500 if (spd.nr_pages)
501 error = splice_to_pipe(pipe, &spd);
502
>>> "splice_shrink_spd" frees incorrect pointer "spd.pages".
503 splice_shrink_spd(&spd);
504 return error;
505 }
506
507 /**
/linux/fs/splice.c: 317 ( array_assign)
311 struct page *pages[PIPE_DEF_BUFFERS];
312 struct partial_page partial[PIPE_DEF_BUFFERS];
...
316 int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.partial" = "partial".
317 struct splice_pipe_desc spd = {
318 .pages = pages,
319 .partial = partial,
320 .nr_pages_max = PIPE_DEF_BUFFERS,
321 .flags = flags,
/linux/fs/splice.c: 503 ( incorrect_free)
500 if (spd.nr_pages)
501 error = splice_to_pipe(pipe, &spd);
502
>>> "splice_shrink_spd" frees incorrect pointer "spd.partial".
503 splice_shrink_spd(&spd);
504 return error;
505 }
506
507 /**
________________________________________________________________________
CID 709210: Self assignment (NO_EFFECT.self_assign)
/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100 ( self_assign)
97 min(dev->attr.max_ord_per_qp, dev->attr.max_ird_per_qp);
98 attr->max_qp_init_rd_atom = dev->attr.max_ord_per_qp;
99 attr->max_srq = (dev->attr.max_qp - 1);
>>> CID 709210: Self assignment (NO_EFFECT.self_assign) Assignment
>>> operation "attr->max_srq_sge = attr->max_srq_sge" has no effect.
100 attr->max_srq_sge = attr->max_srq_sge;
101 attr->max_srq_wr = dev->attr.max_rqe;
102 attr->local_ca_ack_delay = dev->attr.local_ca_ack_delay;
103 attr->max_fast_reg_page_list_len = 0;
104 attr->max_pkeys = 1;
________________________________________________________________________
CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 442 ( suspicious_sizeof)
439 struct dj_report *dj_report;
440 int retval;
441
>>> CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
442 dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
443 if (!dj_report)
444 return -ENOMEM;
445 dj_report->report_id = REPORT_ID_DJ_SHORT;
446 dj_report->device_index = 0xFF;
________________________________________________________________________
CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 459 (suspicious_sizeof)
456 struct dj_report *dj_report;
457 int retval;
458
>>> CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
459 dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
460 if (!dj_report)
461 return -ENOMEM;
462 dj_report->report_id = REPORT_ID_DJ_SHORT;
463 dj_report->device_index = 0xFF;
________________________________________________________________________
CID 709551: Logically dead code (DEADCODE)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2660
2657 char buf[MTIP_DFS_MAX_BUF_SIZE];
2658 int size = *offset;
2659
>>> CID 709551: Logically dead code (DEADCODE.none) After this line, the
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
2660 if (!len || size)
2661 return 0;
2662
>>> On this path, the condition "size < 0" cannot be true.
2663 if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
2664 return -EINVAL;
2665
2666 size += sprintf(&buf[size], "Flag-port : [ %08lX ]\n",
2667 dd->port->flags);
2668 size += sprintf(&buf[size], "Flag-dd : [ %08lX ]\n",
________________________________________________________________________
CID 709552: Logically dead code (DEADCODE)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2588
2585 int size = *offset;
2586 int n;
2587
>>> CID 709552: Logically dead code (DEADCODE.none) After this line, the
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
2588 if (!len || size)
2589 return 0;
2590
>>> On this path, the condition "size < 0" cannot be true.
2591 if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
2592 return -EINVAL;
2593
2594 size += sprintf(&buf[size], "H/ S ACTive : [ 0x");
2595
2596 for (n = dd->slot_groups-1; n >= 0; n--)
________________________________________________________________________
The code snippets above provide detailed information about each defect.
You can also view the defect in Coverity Scan by visiting, http://scan5.coverity.com:8080
Your username is usually the first part of your email address.
If you don't have a username, you can request one by emailing: scan-admin@...erity.com
________________________________________________________________________
Thanks
SCAN-ADMIN
Scan-admin@...erity.com
http://scan.coverity.com