Hi,
Please find the latest report on new defect(s) found with Coverity Scan that were introduced to libvirt.
15 new defect(s) introduced to libvirt were found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 15 of 15 defect(s)
** CID 460819: API usage errors (VARARGS)
/tests/qemunbdkittest.c: 168 in testInfoSetArgs()
________________________________________________________________________________________________________
*** CID 460819: API usage errors (VARARGS)
/tests/qemunbdkittest.c: 168 in testInfoSetArgs()
162 break;
163 case NBDKIT_ARG_END:
164 default:
165 break;
166 }
167 }
>> CID 460819: API usage errors (VARARGS)
>> "va_end" was not called for "argptr".
168 }
169
170
171 static int
172 testNbdkit(const void *data)
173 {
** CID 460818: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 460818: Memory - corruptions (OVERRUN)
/tests/qemunbdkittest.c: 83 in virSecretGetSecretString()
77 char uuidstr[VIR_UUID_BUFLEN];
78 const char *secretname = NULL;
79 char *tmp = NULL;
80
81 switch (seclookupdef->type) {
82 case VIR_SECRET_LOOKUP_TYPE_UUID:
>> CID 460818: Memory - corruptions (OVERRUN)
>> Overrunning array "uuidstr" of 16 bytes by passing it to a function which accesses it at byte offset 36.
83
virUUIDFormat(seclookupdef->u.uuid, uuidstr);
84 secretname = uuidstr;
85 break;
86 case VIR_SECRET_LOOKUP_TYPE_USAGE:
87 secretname = seclookupdef->u.usage;
88 break;
** CID 460817: (NULL_RETURNS)
/src/qemu/qemu_domain.c: 12151 in qemuDomainNamePathsCleanup()
/src/qemu/qemu_domain.c: 12144 in qemuDomainNamePathsCleanup()
________________________________________________________________________________________________________
*** CID 460817: (NULL_RETURNS)
/src/qemu/qemu_domain.c: 12151 in qemuDomainNamePathsCleanup()
12145 unlink(cfg_file) < 0) {
12146 virReportSystemError(errno, _("Failed to unlink
'%1$s'"), cfg_file);
12147 if (!bestEffort)
12148 return -1;
12149 }
12150
>> CID 460817: (NULL_RETURNS)
>> Dereferencing a pointer that might be "NULL" "autostart_link" when calling "virFileIsLink". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
12151
if (virFileIsLink(autostart_link) == 1 &&
12152 unlink(autostart_link) < 0) {
12153 virReportSystemError(errno, _("Failed to unlink
'%1$s'"), autostart_link);
12154 if (!bestEffort)
12155 return -1;
12156 }
/src/qemu/qemu_domain.c: 12144 in qemuDomainNamePathsCleanup()
12138
12139 cfg_file = virDomainConfigFile(cfg->configDir, name);
12140 autostart_link = virDomainConfigFile(cfg->autostartDir, name);
12141 snap_dir = g_strdup_printf("%s/%s", cfg->snapshotDir, name);
12142 chk_dir = g_strdup_printf("%s/%s", cfg->checkpointDir, name);
12143
>> CID 460817: (NULL_RETURNS)
>> Dereferencing a pointer that might be "NULL" "cfg_file" when calling "virFileExists". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
12144 if (virFileExists(cfg_file)
&&
12145 unlink(cfg_file) < 0) {
12146 virReportSystemError(errno, _("Failed to unlink
'%1$s'"), cfg_file);
12147 if (!bestEffort)
12148 return -1;
12149 }
** CID 460816: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 460816: Memory - corruptions (USE_AFTER_FREE)
/src/qemu/qemu_driver.c: 4121 in qemuProcessEventHandler()
4115 processNbdkitExitedEvent(vm, processEvent->data);
4116 break;
4117 case QEMU_PROCESS_EVENT_LAST:
4118 break;
4119 }
4120
>> CID 460816: Memory - corruptions (USE_AFTER_FREE)
>> Calling "virDomainObjEndAPI" frees pointer "vm" which has already been freed.
4121 virDomainObjEndAPI(&vm);
4122 qemuProcessEventFree(processEvent);
4123 }
4124
4125
4126 static int
** CID 460815: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 460815: Memory - corruptions (USE_AFTER_FREE)
/src/qemu/qemu_blockjob.c: 386 in qemuBlockJobDiskNewBackup()
380 job->data.backup.bitmap = g_strdup(bitmap);
381 job->data.backup.store = virObjectRef(store);
382
383 /* backup jobs are usually started in bulk by transaction so the caller
384 * shall save the status XML */
385 if (qemuBlockJobRegister(job, vm, disk, false) < 0)
>> CID 460815: Memory - corruptions (USE_AFTER_FREE)
>> Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
386 return NULL;
387
388 return g_steal_pointer(&job);
389 }
390
391
** CID 460814: Insecure data handling (TAINTED_SCALAR)
/src/cpu/cpu_x86.c: 3441 in virCPUx86DataGetHost()
________________________________________________________________________________________________________
*** CID 460814: Insecure data handling (TAINTED_SCALAR)
/src/cpu/cpu_x86.c: 3441 in virCPUx86DataGetHost()
3435
3436 if ((kvm_cpuid = virHostCPUGetCPUID()) == NULL)
3437 return NULL;
3438
3439 cpuid = virCPUDataNew(virArchFromHost());
3440 cpuid->data.x86.len = 0;
>> CID 460814: Insecure data handling (TAINTED_SCALAR)
>> Passing tainted expression "__n" to "g_malloc0_n", which uses it as an allocation size.
3441 cpuid->data.x86.items =
g_new0(virCPUx86DataItem, kvm_cpuid->nent);
3442
3443 for (i = 0; i < kvm_cpuid->nent; ++i) {
3444 virCPUx86DataItem *item =
&cpuid->data.x86.items[cpuid->data.x86.len];
3445 item->type = VIR_CPU_X86_DATA_CPUID;
3446 item->data.cpuid.eax_in = kvm_cpuid->entries[i].function;
** CID 460813: Memory - illegal accesses (USE_AFTER_FREE)
/src/qemu/qemu_process.c: 9723 in qemuProcessHandleNbdkitExit()
________________________________________________________________________________________________________
*** CID 460813: Memory - illegal accesses (USE_AFTER_FREE)
/src/qemu/qemu_process.c: 9723 in qemuProcessHandleNbdkitExit()
9717 qemuProcessHandleNbdkitExit(qemuNbdkitProcess *nbdkit,
9718 virDomainObj *vm)
9719 {
9720 virObjectLock(vm);
9721 VIR_DEBUG("nbdkit process %i died", nbdkit->pid);
9722 qemuProcessEventSubmit(vm, QEMU_PROCESS_EVENT_NBDKIT_EXITED, 0, 0, nbdkit);
>> CID 460813: Memory - illegal accesses (USE_AFTER_FREE)
>> Calling "virObjectUnlock" dereferences freed pointer "vm". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
9723 virObjectUnlock(vm);
** CID 460812: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 460812: Memory - corruptions (USE_AFTER_FREE)
/src/qemu/qemu_blockjob.c: 359 in qemuBlockJobDiskNewCopy()
353 if (shallow && !reuse)
354 job->data.copy.shallownew = true;
355
356 job->jobflags = jobflags;
357
358 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
>> CID 460812: Memory - corruptions (USE_AFTER_FREE)
>> Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
359 return NULL;
360
361 return g_steal_pointer(&job);
362 }
363
364
** CID 460811: Insecure data handling (TAINTED_STRING)
________________________________________________________________________________________________________
*** CID 460811: Insecure data handling (TAINTED_STRING)
/tests/qemunbdkittest.c: 318 in main()
312 cleanup:
313 qemuTestDriverFree(&driver);
314
315 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
316 }
317
>> CID 460811: Insecure data handling (TAINTED_STRING)
>> Passing tainted string "**argv" to "virTestMain", which cannot accept tainted data.
** CID 460810: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 460810: Memory - corruptions (USE_AFTER_FREE)
/src/qemu/qemu_process.c: 9292 in qemuProcessReconnect()
9286
9287 cleanup:
9288 if (jobStarted)
9289 virDomainObjEndJob(obj);
9290 if (!virDomainObjIsActive(obj))
9291 qemuDomainRemoveInactive(driver, obj, 0, false);
>> CID 460810: Memory - corruptions (USE_AFTER_FREE)
>> Calling "virDomainObjEndAPI" frees pointer "obj" which has already been freed.
9292 virDomainObjEndAPI(&obj);
9293 virIdentitySetCurrent(NULL);
9294 return;
9295
9296 error:
9297 if (virDomainObjIsActive(obj)) {
** CID 460809: Memory - illegal accesses (USE_AFTER_FREE)
/src/qemu/qemu_process.c: 1378 in qemuProcessHandleNetdevStreamDisconnected()
________________________________________________________________________________________________________
*** CID 460809: Memory - illegal accesses (USE_AFTER_FREE)
/src/qemu/qemu_process.c: 1378 in qemuProcessHandleNetdevStreamDisconnected()
1372 VIR_DEBUG("Device %s Netdev Stream Disconnected in domain %p %s",
1373 devAlias, vm, vm->def->name);
1374
1375 qemuProcessEventSubmit(vm, QEMU_PROCESS_EVENT_NETDEV_STREAM_DISCONNECTED,
1376 0, 0, g_strdup(devAlias));
1377
>> CID 460809: Memory - illegal accesses (USE_AFTER_FREE)
>> Calling "virObjectUnlock" dereferences freed pointer "vm". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
1378 virObjectUnlock(vm);
1379 }
1380
1381
1382 static void
1383 qemuProcessHandleNicRxFilterChanged(qemuMonitor *mon G_GNUC_UNUSED,
** CID 460808: (CHECKED_RETURN)
/src/ch/ch_monitor.c: 961 in virCHMonitorSaveRestoreVM()
/src/ch/ch_monitor.c: 957 in virCHMonitorSaveRestoreVM()
/src/ch/ch_monitor.c: 955 in virCHMonitorSaveRestoreVM()
/src/ch/ch_monitor.c: 956 in virCHMonitorSaveRestoreVM()
/src/ch/ch_monitor.c: 958 in virCHMonitorSaveRestoreVM()
/src/ch/ch_monitor.c: 959 in virCHMonitorSaveRestoreVM()
/src/ch/ch_monitor.c: 960 in virCHMonitorSaveRestoreVM()
________________________________________________________________________________________________________
*** CID 460808: (CHECKED_RETURN)
/src/ch/ch_monitor.c: 961 in virCHMonitorSaveRestoreVM()
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH,
mon->socketpath);
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
>> CID 460808: (CHECKED_RETURN)
>> Calling "curl_easy_setopt(mon->handle, _curl_opt, (void *)&data)" without checking return value. This library function may fail and return an error code.
961 curl_easy_setopt(mon->handle,
CURLOPT_WRITEDATA, (void *)&data);
962
963 responseCode = virCHMonitorCurlPerform(mon->handle);
964 }
965
966 if (responseCode == 200 || responseCode == 204) {
/src/ch/ch_monitor.c: 957 in virCHMonitorSaveRestoreVM()
951 VIR_WITH_OBJECT_LOCK_GUARD(mon) {
952 /* reset all options of a libcurl session handle at first */
953 curl_easy_reset(mon->handle);
954
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH,
mon->socketpath);
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
>> CID 460808: (CHECKED_RETURN)
>> Calling "curl_easy_setopt(mon->handle, _curl_opt, "PUT")" without checking return value. This library function may fail and return an error code.
957 curl_easy_setopt(mon->handle,
CURLOPT_CUSTOMREQUEST, "PUT");
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data);
962
/src/ch/ch_monitor.c: 955 in virCHMonitorSaveRestoreVM()
949 }
950
951 VIR_WITH_OBJECT_LOCK_GUARD(mon) {
952 /* reset all options of a libcurl session handle at first */
953 curl_easy_reset(mon->handle);
954
>> CID 460808: (CHECKED_RETURN)
>> Calling "curl_easy_setopt(mon->handle, _curl_opt, mon->socketpath)" without checking return value. This library function may fail and return an error code.
955 curl_easy_setopt(mon->handle,
CURLOPT_UNIX_SOCKET_PATH, mon->socketpath);
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
/src/ch/ch_monitor.c: 956 in virCHMonitorSaveRestoreVM()
950
951 VIR_WITH_OBJECT_LOCK_GUARD(mon) {
952 /* reset all options of a libcurl session handle at first */
953 curl_easy_reset(mon->handle);
954
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH,
mon->socketpath);
>> CID 460808: (CHECKED_RETURN)
>> Calling "curl_easy_setopt(mon->handle, _curl_opt, url)" without checking return value. This library function may fail and return an error code.
956
curl_easy_setopt(mon->handle, CURLOPT_URL, url);
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data);
/src/ch/ch_monitor.c: 958 in virCHMonitorSaveRestoreVM()
952 /* reset all options of a libcurl session handle at first */
953 curl_easy_reset(mon->handle);
954
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH,
mon->socketpath);
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
>> CID 460808: (CHECKED_RETURN)
>> Calling "curl_easy_setopt(mon->handle, _curl_opt, headers)" without checking return value. This library function may fail and return an error code.
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data);
962
963 responseCode = virCHMonitorCurlPerform(mon->handle);
/src/ch/ch_monitor.c: 959 in virCHMonitorSaveRestoreVM()
953 curl_easy_reset(mon->handle);
954
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH,
mon->socketpath);
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
>> CID 460808: (CHECKED_RETURN)
>> Calling "curl_easy_setopt(mon->handle, _curl_opt, payload)" without checking return value. This library function may fail and return an error code.
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data);
962
963 responseCode = virCHMonitorCurlPerform(mon->handle);
964 }
/src/ch/ch_monitor.c: 960 in virCHMonitorSaveRestoreVM()
954
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH,
mon->socketpath);
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
>> CID 460808: (CHECKED_RETURN)
>> Calling "curl_easy_setopt(mon->handle, _curl_opt, curl_callback)" without checking return value. This library function may fail and return an error code.
960 curl_easy_setopt(mon->handle,
CURLOPT_WRITEFUNCTION, curl_callback);
961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data);
962
963 responseCode = virCHMonitorCurlPerform(mon->handle);
964 }
965
** CID 460807: Control flow issues (DEADCODE)
/tests/qemunbdkittest.c: 163 in testInfoSetArgs()
________________________________________________________________________________________________________
*** CID 460807: Control flow issues (DEADCODE)
/tests/qemunbdkittest.c: 163 in testInfoSetArgs()
157 while ((cap = va_arg(argptr, unsigned int)) <
QEMU_NBDKIT_CAPS_LAST)
158 qemuNbdkitCapsSet(info->nbdkitcaps, cap);
159 break;
160 case NBDKIT_ARG_EXPECT_FAIL:
161 info->expectFail = va_arg(argptr, unsigned int);
162 break;
>> CID 460807: Control flow issues (DEADCODE)
>> Execution cannot reach this statement: "case NBDKIT_ARG_END:".
163 case NBDKIT_ARG_END:
164 default:
165 break;
166 }
167 }
168 }
** CID 460806: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 460806: Memory - corruptions (USE_AFTER_FREE)
/src/qemu/qemu_blockjob.c: 265 in qemuBlockJobDiskNewPull()
259 return NULL;
260
261 job->data.pull.base = base;
262 job->jobflags = jobflags;
263
264 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
>> CID 460806: Memory - corruptions (USE_AFTER_FREE)
>> Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
265 return NULL;
266
267 return g_steal_pointer(&job);
268 }
269
270
** CID 460805: Memory - corruptions (USE_AFTER_FREE)
________________________________________________________________________________________________________
*** CID 460805: Memory - corruptions (USE_AFTER_FREE)
/src/qemu/qemu_blockjob.c: 300 in qemuBlockJobDiskNewCommit()
294 job->data.commit.base = base;
295 job->data.commit.deleteCommittedImages = delete_imgs;
296 job->processPending = autofinalize == VIR_TRISTATE_BOOL_NO;
297 job->jobflags = jobflags;
298
299 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
>> CID 460805: Memory - corruptions (USE_AFTER_FREE)
>> Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
300 return NULL;
301
302 return g_steal_pointer(&job);
303 }
304
305
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit:
https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy...