Date:	Fri, 6 Jul 2012 10:32:00 -0700
From:	Scan Subscription <scan-subscription@...erity.com>
To:	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:	"axboe@...nel.dk" <axboe@...nel.dk>,
	"axboe@...nel.dk" <axboe@...nel.dk>,
	"roland@...estorage.com" <roland@...estorage.com>,
	"viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
	"jkosina@...e.cz" <jkosina@...e.cz>
Subject: New Defect found by Coverity Scan based on code change in last 1.5
 week

New defects found by Coverity Scan based on code changes in the last 1.5 weeks

Defect Summary
________________________________________________________________________
** CID 200075: Free of array-typed value (BAD_FREE.array)
/linux/fs/splice.c: 317
Alexander Viro 

** CID 709210: Self assignment (NO_EFFECT.self_assign)
/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100
Roland Dreier 

** CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 442
Jiri Kosina 

** CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
/linux/drivers/hid/hid-logitech-dj.c: 459
Jiri Kosina

** CID 709551: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2660
Jens Axboe 

** CID 709552: Logically dead code (DEADCODE.none)
/linux/drivers/block/mtip32xx/mtip32xx.c: 2588
Jens Axboe 

________________________________________________________________________
Defect Details:
________________________________________________________________________
CID 200075: Free of array-typed value (BAD_FREE.array)

/linux/fs/splice.c: 317 ( array_assign)
   311     struct page *pages[PIPE_DEF_BUFFERS];
   312     struct partial_page partial[PIPE_DEF_BUFFERS];
...
   316     int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.pages" = "pages".
   317     struct splice_pipe_desc spd = {
   318      .pages = pages,
   319      .partial = partial,
   320      .nr_pages_max = PIPE_DEF_BUFFERS,
   321      .flags = flags,
  
/linux/fs/splice.c: 503 ( incorrect_free)
   500     if (spd.nr_pages)
   501      error = splice_to_pipe(pipe, &spd);
   502    
>>> "splice_shrink_spd" frees incorrect pointer "spd.pages".
   503     splice_shrink_spd(&spd);
   504     return error;
   505    }
   506    
   507    /**
  
/linux/fs/splice.c: 317 ( array_assign)
   311     struct page *pages[PIPE_DEF_BUFFERS];
   312     struct partial_page partial[PIPE_DEF_BUFFERS];
...
   316     int error, page_nr;
>>> CID 200075: Free of array-typed value (BAD_FREE.array)
>>> Assigning: "spd.partial" = "partial".
   317     struct splice_pipe_desc spd = {
   318      .pages = pages,
   319      .partial = partial,
   320      .nr_pages_max = PIPE_DEF_BUFFERS,
   321      .flags = flags,
  
/linux/fs/splice.c: 503 ( incorrect_free)
   500     if (spd.nr_pages)
   501      error = splice_to_pipe(pipe, &spd);
   502    
>>> "splice_shrink_spd" frees incorrect pointer "spd.partial".
   503     splice_shrink_spd(&spd);
   504     return error;
   505    }
   506    
   507    /**
  
________________________________________________________________________
CID 709210: Self assignment (NO_EFFECT.self_assign)

/linux/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c: 100 ( self_assign)
   97         min(dev->attr.max_ord_per_qp, dev->attr.max_ird_per_qp);
   98     attr->max_qp_init_rd_atom = dev->attr.max_ord_per_qp;
   99     attr->max_srq = (dev->attr.max_qp - 1);
>>> CID 709210: Self assignment (NO_EFFECT.self_assign) Assignment 
>>> operation "attr->max_srq_sge = attr->max_srq_sge" has no effect.
   100     attr->max_srq_sge = attr->max_srq_sge;
   101     attr->max_srq_wr = dev->attr.max_rqe;
   102     attr->local_ca_ack_delay = dev->attr.local_ca_ack_delay;
   103     attr->max_fast_reg_page_list_len = 0;
   104     attr->max_pkeys = 1;
  
________________________________________________________________________
CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)

/linux/drivers/hid/hid-logitech-dj.c: 442 ( suspicious_sizeof)
   439     struct dj_report *dj_report;
   440     int retval;
   441    
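>>> CID 709213: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
>>> [Note: "sizeof (dj_report)" is the size of the pointer (8 bytes here), not of "struct dj_report", so the buffer is under-allocated if the structure is larger than a pointer, and writes to its later fields would then land outside the allocation. The same pattern is reported at line 459 as CID 709214.]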
   442     dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
   443     if (!dj_report)
   444      return -ENOMEM;
   445     dj_report->report_id = REPORT_ID_DJ_SHORT;
   446     dj_report->device_index = 0xFF;
  
________________________________________________________________________
CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof)

/linux/drivers/hid/hid-logitech-dj.c: 459 (suspicious_sizeof)
   456     struct dj_report *dj_report;
   457     int retval;
   458    
>>> CID 709214: Wrong sizeof argument (SIZEOF_MISMATCH.wrong_sizeof) 
>>> Passing argument "8UL /* sizeof (dj_report) */" to function "kzalloc" and then casting the return value to "struct dj_report *" is suspicious.  
>>> Did you intend to use "sizeof(*dj_report)" instead of "sizeof (dj_report)" ?
   459     dj_report = kzalloc(sizeof(dj_report), GFP_KERNEL);
   460     if (!dj_report)
   461      return -ENOMEM;
   462     dj_report->report_id = REPORT_ID_DJ_SHORT;
   463     dj_report->device_index = 0xFF;
  
________________________________________________________________________
CID 709551: Logically dead code (DEADCODE)

/linux/drivers/block/mtip32xx/mtip32xx.c: 2660 
   2657     char buf[MTIP_DFS_MAX_BUF_SIZE];
   2658     int size = *offset;
   2659    
>>> CID 709551: Logically dead code (DEADCODE.none) After this line, the 
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
   2660     if (!len || size)
   2661      return 0;
   2662    
>>> On this path, the condition "size < 0" cannot be true.
   2663     if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
   2664      return -EINVAL;
   2665    
   2666     size += sprintf(&buf[size], "Flag-port : [ %08lX ]\n",
   2667           dd->port->flags);
   2668     size += sprintf(&buf[size], "Flag-dd   : [ %08lX ]\n",
  
________________________________________________________________________
CID 709552: Logically dead code (DEADCODE)

/linux/drivers/block/mtip32xx/mtip32xx.c: 2588 
   2585     int size = *offset;
   2586     int n;
   2587    
>>> CID 709552: Logically dead code (DEADCODE.none) After this line, the 
>>> value of "size" is equal to 0.
>>> Noticing condition "size".
   2588     if (!len || size)
   2589      return 0;
   2590    
>>> On this path, the condition "size < 0" cannot be true.
   2591     if (size < 0)
>>> Execution cannot reach this statement "return -22L;".
   2592      return -EINVAL;
   2593    
   2594     size += sprintf(&buf[size], "H/ S ACTive      : [ 0x");
   2595    
   2596     for (n = dd->slot_groups-1; n >= 0; n--)
  
________________________________________________________________________

The code snippets above provide detailed information about the defects.
You can also view the defects in Coverity Scan by visiting http://scan5.coverity.com:8080
Your username is usually the first part of your email address.
If you don't have a username, you can request one by emailing: scan-admin@...erity.com
________________________________________________________________________

Thanks
SCAN-ADMIN 
Scan-admin@...erity.com
http://scan.coverity.com
