Hi,
Please find the latest report on new defect(s) introduced to libvirt, found with Coverity Scan.
214 new defect(s) introduced to libvirt were found with Coverity Scan.
21 defect(s) reported by Coverity Scan earlier were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 214 defect(s)
** CID 309378: Insecure data handling (TAINTED_STRING)
________________________________________________________________________________________________________
*** CID 309378: Insecure data handling (TAINTED_STRING)
/tests/virnettlssessiontest.c: 489 in main()
483
484 testTLSCleanup(KEYFILE);
485
486 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
487 }
488
>> CID 309378: Insecure data handling (TAINTED_STRING)
>> Passing tainted string "**argv" to "virTestMain", which
cannot accept tainted data.
489 VIR_TEST_MAIN_PRELOAD(mymain,
VIR_TEST_MOCK("virrandom"))
490
491 #else
492
493 int
494 main(void)
** CID 309377: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 309377: Memory - corruptions (USE_AFTER_FREE)
/src/qemu/qemu_migration.c: 3268 in qemuMigrationSrcConfirm()
3262 phase = QEMU_MIGRATION_PHASE_CONFIRM3;
3263
3264 qemuMigrationJobStartPhase(driver, vm, phase);
3265 virCloseCallbacksUnset(driver->closeCallbacks, vm,
3266 qemuMigrationSrcCleanup);
3267
>> CID 309377: Memory - corruptions (USE_AFTER_FREE)
>> Calling "qemuMigrationSrcConfirmPhase" frees pointer
"driver->config" which has already been freed.
3268 ret =
qemuMigrationSrcConfirmPhase(driver, vm,
3269 cookiein, cookieinlen,
3270 flags, cancelled);
3271
3272 qemuMigrationJobFinish(driver, vm);
3273 if (!virDomainObjIsActive(vm)) {
** CID 309376: (USE_AFTER_FREE)
/src/util/virresctrl.c: 1944 in virResctrlAllocGetUnused()
/src/util/virresctrl.c: 1944 in virResctrlAllocGetUnused()
________________________________________________________________________________________________________
*** CID 309376: (USE_AFTER_FREE)
/src/util/virresctrl.c: 1944 in virResctrlAllocGetUnused()
1938 alloc = NULL;
1939 }
1940 if (rv < 0)
1941 goto error;
1942
1943 cleanup:
>> CID 309376: (USE_AFTER_FREE)
>> Passing freed pointer "alloc" as an argument to
"virObjectUnref".
1944 virObjectUnref(alloc);
1945 return ret;
1946
1947 error:
1948 virObjectUnref(ret);
1949 ret = NULL;
/src/util/virresctrl.c: 1944 in virResctrlAllocGetUnused()
1938 alloc = NULL;
1939 }
1940 if (rv < 0)
1941 goto error;
1942
1943 cleanup:
>> CID 309376: (USE_AFTER_FREE)
>> Calling "virObjectUnref" frees pointer "alloc" which has
already been freed.
1944 virObjectUnref(alloc);
1945 return ret;
1946
1947 error:
1948 virObjectUnref(ret);
1949 ret = NULL;
** CID 309375: Insecure data handling (TAINTED_SCALAR)
/src/util/virfile.c: 2326 in virFileOpenForked()
________________________________________________________________________________________________________
*** CID 309375: Insecure data handling (TAINTED_SCALAR)
/src/util/virfile.c: 2326 in virFileOpenForked()
2320 /* parent */
2321
2322 VIR_FORCE_CLOSE(pair[1]);
2323
2324 do {
2325 fd = virSocketRecvFD(pair[0], 0);
>> CID 309375: Insecure data handling (TAINTED_SCALAR)
>> Using tainted variable "fd" as a loop boundary.
2326
} while (fd < 0 && errno == EINTR);
2327 VIR_FORCE_CLOSE(pair[0]); /* NB: this preserves errno */
2328 if (fd < 0)
2329 recvfd_errno = errno;
2330
2331 if (virProcessWait(pid, &status, 0) < 0) {
** CID 309374: Resource leaks (RESOURCE_LEAK)
/src/qemu/qemu_domain.c: 7962 in qemuDomainUpdateDeviceList()
________________________________________________________________________________________________________
*** CID 309374: Resource leaks (RESOURCE_LEAK)
/src/qemu/qemu_domain.c: 7962 in qemuDomainUpdateDeviceList()
7956 int rc;
7957
7958 if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
7959 return -1;
7960 rc = qemuMonitorGetDeviceAliases(priv->mon, &aliases);
7961 if (qemuDomainObjExitMonitor(driver, vm) < 0)
>> CID 309374: Resource leaks (RESOURCE_LEAK)
>> Variable "aliases" going out of scope leaks the storage it points to.
7962 return -1;
7963 if (rc < 0)
7964 return -1;
7965
7966 g_strfreev(priv->qemuDevices);
7967 priv->qemuDevices = aliases;
** CID 309373: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 309373: Null pointer dereferences (FORWARD_NULL)
/src/qemu/qemu_agent.c: 2294 in qemuAgentGetInterfaces()
2288 if (!(cmd = qemuAgentMakeCommand("guest-network-get-interfaces",
NULL)))
2289 return -1;
2290
2291 if (qemuAgentCommand(agent, cmd, &reply, agent->timeout) < 0)
2292 return -1;
2293
>> CID 309373: Null pointer dereferences (FORWARD_NULL)
>> Passing null pointer "reply" to
"virJSONValueObjectGetArray", which dereferences it.
2294 if
(!(ret_array = virJSONValueObjectGetArray(reply, "return"))) {
2295 virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
2296 _("qemu agent didn't return an array of
interfaces"));
2297 return -1;
2298 }
2299
** CID 309372: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 309372: Null pointer dereferences (FORWARD_NULL)
/src/qemu/qemu_agent.c: 1290 in qemuAgentFSFreeze()
1284 if (!cmd)
1285 goto cleanup;
1286
1287 if (qemuAgentCommand(agent, cmd, &reply, agent->timeout) < 0)
1288 goto cleanup;
1289
>> CID 309372: Null pointer dereferences (FORWARD_NULL)
>> Passing null pointer "reply" to
"virJSONValueObjectGetNumberInt", which dereferences it.
1290 if
(virJSONValueObjectGetNumberInt(reply, "return", &ret) < 0) {
1291 virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
1292 _("malformed return value"));
1293 }
1294
1295 cleanup:
** CID 309371: (USE_AFTER_FREE)
/src/qemu/qemu_domain.c: 5749 in qemuDomainObjExitMonitorInternal()
/src/qemu/qemu_domain.c: 5752 in qemuDomainObjExitMonitorInternal()
________________________________________________________________________________________________________
*** CID 309371: (USE_AFTER_FREE)
/src/qemu/qemu_domain.c: 5749 in qemuDomainObjExitMonitorInternal()
5743
5744 qemuMonitorWatchDispose();
5745 virObjectUnref(priv->mon);
5746
5747 hasRefs = !qemuMonitorWasDisposed();
5748 if (hasRefs)
>> CID 309371: (USE_AFTER_FREE)
>> Calling "virObjectUnlock" dereferences freed pointer "priv->mon". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
5749
virObjectUnlock(priv->mon);
5750
5751 virObjectLock(obj);
5752 VIR_DEBUG("Exited monitor (mon=%p vm=%p name=%s)",
5753 priv->mon, obj, obj->def->name);
5754
/src/qemu/qemu_domain.c: 5752 in qemuDomainObjExitMonitorInternal()
5746
5747 hasRefs = !qemuMonitorWasDisposed();
5748 if (hasRefs)
5749 virObjectUnlock(priv->mon);
5750
5751 virObjectLock(obj);
>> CID 309371: (USE_AFTER_FREE)
>> Passing freed pointer "priv->mon" as an argument to
"virLogMessage".
5752 VIR_DEBUG("Exited monitor (mon=%p vm=%p
name=%s)",
5753 priv->mon, obj, obj->def->name);
5754
5755 priv->monStart = 0;
5756 if (!hasRefs)
5757 priv->mon = NULL;
** CID 309370: (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 309370: (USE_AFTER_FREE)
/src/qemu/qemu_hotplug.c: 646 in qemuDomainChangeEjectableMedia()
640 goto cleanup;
641
642 if (qemuHotplugAttachManagedPR(driver, vm, newsrc, QEMU_ASYNC_JOB_NONE) <
0)
643 goto cleanup;
644
645 if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BLOCKDEV))
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuDomainChangeMediaBlockdev" dereferences freed pointer
"driver->config".
646 rc =
qemuDomainChangeMediaBlockdev(driver, vm, disk, oldsrc, newsrc, force);
647 else
648 rc = qemuDomainChangeMediaLegacy(driver, vm, disk, newsrc, force);
649
650 virDomainAuditDisk(vm, oldsrc, newsrc, "update", rc >= 0);
651
/src/qemu/qemu_hotplug.c: 648 in qemuDomainChangeEjectableMedia()
642 if (qemuHotplugAttachManagedPR(driver, vm, newsrc, QEMU_ASYNC_JOB_NONE) <
0)
643 goto cleanup;
644
645 if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BLOCKDEV))
646 rc = qemuDomainChangeMediaBlockdev(driver, vm, disk, oldsrc, newsrc,
force);
647 else
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuDomainChangeMediaLegacy" dereferences freed pointer
"driver->config".
648 rc =
qemuDomainChangeMediaLegacy(driver, vm, disk, newsrc, force);
649
650 virDomainAuditDisk(vm, oldsrc, newsrc, "update", rc >= 0);
651
652 if (rc < 0)
653 goto cleanup;
/src/qemu/qemu_hotplug.c: 646 in qemuDomainChangeEjectableMedia()
640 goto cleanup;
641
642 if (qemuHotplugAttachManagedPR(driver, vm, newsrc, QEMU_ASYNC_JOB_NONE) <
0)
643 goto cleanup;
644
645 if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BLOCKDEV))
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuDomainChangeMediaBlockdev" dereferences freed pointer
"driver->config".
646 rc =
qemuDomainChangeMediaBlockdev(driver, vm, disk, oldsrc, newsrc, force);
647 else
648 rc = qemuDomainChangeMediaLegacy(driver, vm, disk, newsrc, force);
649
650 virDomainAuditDisk(vm, oldsrc, newsrc, "update", rc >= 0);
651
/src/qemu/qemu_hotplug.c: 648 in qemuDomainChangeEjectableMedia()
642 if (qemuHotplugAttachManagedPR(driver, vm, newsrc, QEMU_ASYNC_JOB_NONE) <
0)
643 goto cleanup;
644
645 if (virQEMUCapsGet(priv->qemuCaps, QEMU_CAPS_BLOCKDEV))
646 rc = qemuDomainChangeMediaBlockdev(driver, vm, disk, oldsrc, newsrc,
force);
647 else
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuDomainChangeMediaLegacy" dereferences freed pointer
"driver->config".
648 rc =
qemuDomainChangeMediaLegacy(driver, vm, disk, newsrc, force);
649
650 virDomainAuditDisk(vm, oldsrc, newsrc, "update", rc >= 0);
651
652 if (rc < 0)
653 goto cleanup;
/src/qemu/qemu_hotplug.c: 678 in qemuDomainChangeEjectableMedia()
672
673 ignore_value(qemuDomainStorageSourceChainAccessRevoke(driver, vm,
newsrc));
674 }
675
676 /* remove PR manager object if unneeded */
677 if (managedpr)
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuHotplugRemoveManagedPR" dereferences freed pointer
"driver->config".
678
ignore_value(qemuHotplugRemoveManagedPR(driver, vm, QEMU_ASYNC_JOB_NONE));
679
680 /* revert old image do the disk definition */
681 if (oldsrc)
682 disk->src = oldsrc;
683
/src/qemu/qemu_hotplug.c: 678 in qemuDomainChangeEjectableMedia()
672
673 ignore_value(qemuDomainStorageSourceChainAccessRevoke(driver, vm,
newsrc));
674 }
675
676 /* remove PR manager object if unneeded */
677 if (managedpr)
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuHotplugRemoveManagedPR" dereferences freed pointer
"driver->config".
678
ignore_value(qemuHotplugRemoveManagedPR(driver, vm, QEMU_ASYNC_JOB_NONE));
679
680 /* revert old image do the disk definition */
681 if (oldsrc)
682 disk->src = oldsrc;
683
/src/qemu/qemu_hotplug.c: 639 in qemuDomainChangeEjectableMedia()
633 if (qemuDomainDetermineDiskChain(driver, vm, disk, NULL, true) < 0)
634 goto cleanup;
635
636 if (qemuDomainPrepareDiskSource(disk, priv, cfg) < 0)
637 goto cleanup;
638
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuDomainStorageSourceChainAccessAllow" frees pointer
"driver->config" which has already been freed.
639 if
(qemuDomainStorageSourceChainAccessAllow(driver, vm, newsrc) < 0)
640 goto cleanup;
641
642 if (qemuHotplugAttachManagedPR(driver, vm, newsrc, QEMU_ASYNC_JOB_NONE) <
0)
643 goto cleanup;
644
/src/qemu/qemu_hotplug.c: 673 in qemuDomainChangeEjectableMedia()
667 cleanup:
668 /* undo changes to the new disk */
669 if (ret < 0) {
670 if (sharedAdded)
671 ignore_value(qemuRemoveSharedDisk(driver, disk,
vm->def->name));
672
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuDomainStorageSourceChainAccessRevoke" frees pointer
"driver->config" which has already been freed.
673
ignore_value(qemuDomainStorageSourceChainAccessRevoke(driver, vm, newsrc));
674 }
675
676 /* remove PR manager object if unneeded */
677 if (managedpr)
678 ignore_value(qemuHotplugRemoveManagedPR(driver, vm,
QEMU_ASYNC_JOB_NONE));
/src/qemu/qemu_hotplug.c: 673 in qemuDomainChangeEjectableMedia()
667 cleanup:
668 /* undo changes to the new disk */
669 if (ret < 0) {
670 if (sharedAdded)
671 ignore_value(qemuRemoveSharedDisk(driver, disk,
vm->def->name));
672
>> CID 309370: (USE_AFTER_FREE)
>> Calling "qemuDomainStorageSourceChainAccessRevoke" frees pointer
"driver->config" which has already been freed.
673
ignore_value(qemuDomainStorageSourceChainAccessRevoke(driver, vm, newsrc));
674 }
675
676 /* remove PR manager object if unneeded */
677 if (managedpr)
678 ignore_value(qemuHotplugRemoveManagedPR(driver, vm,
QEMU_ASYNC_JOB_NONE));
** CID 309369: Insecure data handling (TAINTED_STRING)
________________________________________________________________________________________________________
*** CID 309369: Insecure data handling (TAINTED_STRING)
/tests/esxutilstest.c: 264 in main()
258 DO_TEST(EscapeDatastoreItem);
259 DO_TEST(ConvertWindows1252ToUTF8);
260
261 return result == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
262 }
263
>> CID 309369: Insecure data handling (TAINTED_STRING)
>> Passing tainted string "**argv" to "virTestMain", which
cannot accept tainted data.
264 VIR_TEST_MAIN(mymain)
265
266 #else
267
268 int main(void)
269 {
270 return EXIT_AM_SKIP;
271 }
272
** CID 309368: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 309368: Null pointer dereferences (FORWARD_NULL)
/src/qemu/qemu_agent.c: 1746 in qemuAgentGetTime()
1740 if (!cmd)
1741 return ret;
1742
1743 if (qemuAgentCommand(agent, cmd, &reply, agent->timeout) < 0)
1744 goto cleanup;
1745
>> CID 309368: Null pointer dereferences (FORWARD_NULL)
>> Passing null pointer "reply" to
"virJSONValueObjectGetNumberUlong", which dereferences it.
1746 if
(virJSONValueObjectGetNumberUlong(reply, "return", &json_time) < 0) {
1747 virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
1748 _("malformed return value"));
1749 goto cleanup;
1750 }
1751
** CID 309367: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 309367: Memory - corruptions (USE_AFTER_FREE)
/src/storage/storage_driver.c: 917 in storagePoolUndefine()
911 VIR_INFO("Undefining storage pool '%s'", def->name);
912 virStoragePoolObjRemove(driver->pools, obj);
913 ret = 0;
914
915 cleanup:
916 virObjectEventStateQueue(driver->storageEventState, event);
>> CID 309367: Memory - corruptions (USE_AFTER_FREE)
>> Calling "virStoragePoolObjEndAPI" frees pointer "obj"
which has already been freed.
917 virStoragePoolObjEndAPI(&obj);
918 return ret;
919 }
920
921 static int
922 storagePoolCreate(virStoragePoolPtr pool,
** CID 309366: Insecure data handling (TAINTED_STRING)
________________________________________________________________________________________________________
*** CID 309366: Insecure data handling (TAINTED_STRING)
/tests/metadatatest.c: 318 in main()
312 virDomainFree(test.dom);
313 virConnectClose(test.conn);
314
315 return ret;
316 }
317
>> CID 309366: Insecure data handling (TAINTED_STRING)
>> Passing tainted string "**argv" to "virTestMain", which
cannot accept tainted data.
** CID 309365: Insecure data handling (TAINTED_STRING)
________________________________________________________________________________________________________
*** CID 309365: Insecure data handling (TAINTED_STRING)
/tests/domaincapstest.c: 482 in main()
476 #endif /* WITH_BHYVE */
477
478 return ret;
479 }
480
481 #if WITH_QEMU
>> CID 309365: Insecure data handling (TAINTED_STRING)
>> Passing tainted string "**argv" to "virTestMain", which
cannot accept tainted data.
482 VIR_TEST_MAIN_PRELOAD(mymain,
483 VIR_TEST_MOCK("domaincaps"),
484 VIR_TEST_MOCK("qemucpu"))
485 #else
486 VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("domaincaps"))
** CID 309264: (USE_AFTER_FREE)
/build/src/remote/remote_client_bodies.h: 4098 in remoteDomainOpenChannel()
/build/src/remote/remote_client_bodies.h: 4098 in remoteDomainOpenChannel()
________________________________________________________________________________________________________
*** CID 309264: (USE_AFTER_FREE)
/build/src/remote/remote_client_bodies.h: 4098 in remoteDomainOpenChannel()
4092 args.flags = flags;
4093
4094 if (call(dom->conn, priv, 0, REMOTE_PROC_DOMAIN_OPEN_CHANNEL,
4095 (xdrproc_t)xdr_remote_domain_open_channel_args, (char *)&args,
4096 (xdrproc_t)xdr_void, (char *)NULL) == -1) {
4097 virNetClientRemoveStream(priv->client, netst);
>> CID 309264: (USE_AFTER_FREE)
>> Passing freed pointer "netst" as an argument to
"virObjectUnref".
4098 virObjectUnref(netst);
4099 st->driver = NULL;
4100 st->privateData = NULL;
4101 goto done;
4102 }
4103
/build/src/remote/remote_client_bodies.h: 4098 in remoteDomainOpenChannel()
4092 args.flags = flags;
4093
4094 if (call(dom->conn, priv, 0, REMOTE_PROC_DOMAIN_OPEN_CHANNEL,
4095 (xdrproc_t)xdr_remote_domain_open_channel_args, (char *)&args,
4096 (xdrproc_t)xdr_void, (char *)NULL) == -1) {
4097 virNetClientRemoveStream(priv->client, netst);
>> CID 309264: (USE_AFTER_FREE)
>> Calling "virObjectUnref" frees pointer "netst" which has
already been freed.
4098 virObjectUnref(netst);
4099 st->driver = NULL;
4100 st->privateData = NULL;
4101 goto done;
4102 }
4103
** CID 309263: (TAINTED_SCALAR)
/src/util/virpci.c: 556 in virPCIDeviceFindCapabilityOffset()
/src/util/virpci.c: 556 in virPCIDeviceFindCapabilityOffset()
________________________________________________________________________________________________________
*** CID 309263: (TAINTED_SCALAR)
/src/util/virpci.c: 556 in virPCIDeviceFindCapabilityOffset()
550 * be in the config space header and 0xff is returned
551 * by the kernel if we don't have access to this region
552 *
553 * Note: we're not handling loops or extended
554 * capabilities here.
555 */
>> CID 309263: (TAINTED_SCALAR)
>> Using tainted variable "pos" as a loop boundary.
556
while (pos >= PCI_CONF_HEADER_LEN && pos != 0xff) {
557 uint8_t capid = virPCIDeviceRead8(dev, cfgfd, pos);
558 if (errno != 0)
559 goto error;
560
561 if (capid == capability) {
/src/util/virpci.c: 556 in virPCIDeviceFindCapabilityOffset()
550 * be in the config space header and 0xff is returned
551 * by the kernel if we don't have access to this region
552 *
553 * Note: we're not handling loops or extended
554 * capabilities here.
555 */
>> CID 309263: (TAINTED_SCALAR)
>> Using tainted variable "pos" as a loop boundary.
556
while (pos >= PCI_CONF_HEADER_LEN && pos != 0xff) {
557 uint8_t capid = virPCIDeviceRead8(dev, cfgfd, pos);
558 if (errno != 0)
559 goto error;
560
561 if (capid == capability) {
** CID 309262: Insecure data handling (TAINTED_STRING)
________________________________________________________________________________________________________
*** CID 309262: Insecure data handling (TAINTED_STRING)
/tests/virhostcputest.c: 326 in main()
320 DO_TEST_CPU_STATS("24cpu", 24, false);
321 DO_TEST_CPU_STATS("24cpu", 25, true);
322
323 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
324 }
325
>> CID 309262: Insecure data handling (TAINTED_STRING)
>> Passing tainted string "**argv" to "virTestMain", which
cannot accept tainted data.
326 VIR_TEST_MAIN_PRELOAD(mymain,
VIR_TEST_MOCK("virhostcpu"))
327
** CID 309261: Insecure data handling (TAINTED_STRING)
________________________________________________________________________________________________________
*** CID 309261: Insecure data handling (TAINTED_STRING)
/tests/qemuvhostusertest.c: 129 in main()
123 virFileWrapperClearPrefixes();
124
125 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
126 }
127
128
>> CID 309261: Insecure data handling (TAINTED_STRING)
>> Passing tainted string "**argv" to "virTestMain", which
cannot accept tainted data.
** CID 309260: (USE_AFTER_FREE)
/src/remote/remote_driver.c: 1325 in doRemoteClose()
/src/remote/remote_driver.c: 1325 in doRemoteClose()
________________________________________________________________________________________________________
*** CID 309260: (USE_AFTER_FREE)
/src/remote/remote_driver.c: 1325 in doRemoteClose()
1319
1320 virNetClientSetCloseCallback(priv->client,
1321 NULL,
1322 priv->closeCallback, virObjectFreeCallback);
1323
1324 virNetClientClose(priv->client);
>> CID 309260: (USE_AFTER_FREE)
>> Passing freed pointer "priv->client" as an argument to
"virObjectUnref".
1325 virObjectUnref(priv->client);
1326 priv->client = NULL;
1327 virObjectUnref(priv->closeCallback);
1328 priv->closeCallback = NULL;
1329 virObjectUnref(priv->remoteProgram);
1330 virObjectUnref(priv->lxcProgram);
/src/remote/remote_driver.c: 1325 in doRemoteClose()
1319
1320 virNetClientSetCloseCallback(priv->client,
1321 NULL,
1322 priv->closeCallback, virObjectFreeCallback);
1323
1324 virNetClientClose(priv->client);
>> CID 309260: (USE_AFTER_FREE)
>> Calling "virObjectUnref" frees pointer "priv->client"
which has already been freed.
1325 virObjectUnref(priv->client);
1326 priv->client = NULL;
1327 virObjectUnref(priv->closeCallback);
1328 priv->closeCallback = NULL;
1329 virObjectUnref(priv->remoteProgram);
1330 virObjectUnref(priv->lxcProgram);
** CID 309259: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 309259: Memory - corruptions (USE_AFTER_FREE)
/src/test/test_driver.c: 5513 in testNetworkDestroy()
5507 virNetworkObjRemoveInactive(privconn->networks, obj);
5508
5509 ret = 0;
5510
5511 cleanup:
5512 virObjectEventStateQueue(privconn->eventState, event);
>> CID 309259: Memory - corruptions (USE_AFTER_FREE)
>> Calling "virNetworkObjEndAPI" frees pointer "obj" which
has already been freed.
5513 virNetworkObjEndAPI(&obj);
5514 return ret;
5515 }
5516
5517
5518 static char *
________________________________________________________________________________________________________