
Hi, Please find the latest report on new defect(s) introduced to libvirt found with Coverity Scan. 82 new defect(s) introduced to libvirt found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 82 defect(s) ** CID 463071: (INTEGER_OVERFLOW) /src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent() /src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent() ________________________________________________________________________________________________________ *** CID 463071: (INTEGER_OVERFLOW) /src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent() 891 end = true; 892 } 893 894 i++; 895 } 896
CID 463071: (INTEGER_OVERFLOW) Expression "i - 1UL", which is equal to 18446744073709551615, where "i" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide.
897 *nth = i - 1; 898 899 cleanup: 900 VIR_FREE(nlData); 901 return rc; 902 } /src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent() 891 end = true; 892 } 893 894 i++; 895 } 896
CID 463071: (INTEGER_OVERFLOW) Expression "*nth", which is equal to 18446744073709551615, where "i - 1UL" is known to be equal to 18446744073709551615, overflows the type that receives it, an unsigned integer 32 bits wide.
897 *nth = i - 1; 898 899 cleanup: 900 VIR_FREE(nlData); 901 return rc; 902 }
** CID 463070: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-checkpoint.c: 51 in virshCheckpointNameCompleter() ________________________________________________________________________________________________________ *** CID 463070: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-checkpoint.c: 51 in virshCheckpointNameCompleter() 45 return NULL; 46 47 if ((ncheckpoints = virDomainListAllCheckpoints(dom, &checkpoints, 48 flags)) < 0) 49 goto error; 50
CID 463070: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
51 ret = g_new0(char *, ncheckpoints + 1); 52 53 for (i = 0; i < ncheckpoints; i++) { 54 const char *name = virDomainCheckpointGetName(checkpoints[i]); 55 56 ret[i] = g_strdup(name);
** CID 463069: (INTEGER_OVERFLOW) /tools/virsh-network.c: 857 in virshNetworkListCollect() /tools/virsh-network.c: 834 in virshNetworkListCollect() ________________________________________________________________________________________________________ *** CID 463069: (INTEGER_OVERFLOW) /tools/virsh-network.c: 857 in virshNetworkListCollect() 851 nInactiveNets) < 0) { 852 vshError(ctl, "%s", _("Failed to list inactive networks")); 853 goto cleanup; 854 } 855 } 856
CID 463069: (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
857 list->nets = g_new0(virNetworkPtr, nAllNets); 858 list->nnets = 0; 859 860 /* get active networks */ 861 for (i = 0; i < nActiveNets; i++) { 862 if (!(net = virNetworkLookupByName(priv->conn, names[i]))) /tools/virsh-network.c: 834 in virshNetworkListCollect() 828 829 nAllNets = nActiveNets + nInactiveNets; 830 831 if (nAllNets == 0) 832 return list; 833
CID 463069: (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
834 names = g_new0(char *, nAllNets); 835 836 /* Retrieve a list of active network names */ 837 if (!VSH_MATCH(VIR_CONNECT_LIST_NETWORKS_FILTERS_ACTIVE) || 838 VSH_MATCH(VIR_CONNECT_LIST_NETWORKS_ACTIVE)) { 839 if (virConnectListNetworks(priv->conn,
** CID 463068: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-interface.c: 256 in virshInterfaceListCollect() ________________________________________________________________________________________________________ *** CID 463068: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-interface.c: 256 in virshInterfaceListCollect() 250 if (nAllIfaces == 0) { 251 VIR_FREE(activeNames); 252 VIR_FREE(inactiveNames); 253 return list; 254 } 255
CID 463068: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
256 list->ifaces = g_new0(virInterfacePtr, nAllIfaces); 257 list->nifaces = 0; 258 259 /* get active interfaces */ 260 for (i = 0; i < nActiveIfaces; i++) { 261 if (!(iface = virInterfaceLookupByName(priv->conn, activeNames[i]))) {
** CID 463067: Insecure data handling (INTEGER_OVERFLOW) /src/util/virhostmem.c: 705 in virHostMemGetAvailable() ________________________________________________________________________________________________________ *** CID 463067: Insecure data handling (INTEGER_OVERFLOW) /src/util/virhostmem.c: 705 in virHostMemGetAvailable() 699 } 700 if ((pagesize = sysconf(_SC_PAGESIZE)) < 0) { 701 virReportSystemError(errno, "%s", 702 _("Unable to query memory page size")); 703 return 0; 704 }
CID 463067: Insecure data handling (INTEGER_OVERFLOW) "(unsigned long long)pages * (unsigned long long)pagesize", which might have overflowed, is returned from the function.
705 return (unsigned long long)pages * (unsigned long long)pagesize; 706 #elif defined WIN32 707 PFN_MS_EX pfnex; 708 HMODULE h = GetModuleHandle("kernel32.dll"); 709 710 if (!h) {
** CID 463066: Null pointer dereferences (FORWARD_NULL) /src/conf/virinterfaceobj.c: 327 in virInterfaceObjListExport() ________________________________________________________________________________________________________ *** CID 463066: Null pointer dereferences (FORWARD_NULL) /src/conf/virinterfaceobj.c: 327 in virInterfaceObjListExport() 321 if (data.error) 322 goto cleanup; 323 324 if (data.ifaces) { 325 /* trim the array to the final size */ 326 VIR_REALLOC_N(data.ifaces, data.nifaces + 1);
CID 463066: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "ifaces".
327 *ifaces = g_steal_pointer(&data.ifaces); 328 } 329 330 ret = data.nifaces; 331 cleanup: 332 virObjectRWUnlock(ifaceobjs);
** CID 463065: Insecure data handling (INTEGER_OVERFLOW) /src/lxc/lxc_process.c: 1037 in virLXCProcessReadLogOutputData() ________________________________________________________________________________________________________ *** CID 463065: Insecure data handling (INTEGER_OVERFLOW) /src/lxc/lxc_process.c: 1037 in virLXCProcessReadLogOutputData() 1031 1032 /* Filter out debug messages from intermediate libvirt process */ 1033 filtered = false; 1034 while ((eol = strchr(filter_next, '\n'))) { 1035 *eol = '\0'; 1036 if (virLXCProcessIgnorableLogLine(filter_next)) {
CID 463065: Insecure data handling (INTEGER_OVERFLOW) "got - (eol - buf)", which might have underflowed, is passed to "memmove(filter_next, eol + 1, got - (eol - buf))". [Note: The source code implementation of the function has been overridden by a builtin model.]
1037 memmove(filter_next, eol + 1, got - (eol - buf)); 1038 got -= eol + 1 - filter_next; 1039 filtered = true; 1040 } else { 1041 filter_next = eol + 1; 1042 *eol = '\n';
** CID 463064: Insecure data handling (INTEGER_OVERFLOW) ________________________________________________________________________________________________________ *** CID 463064: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-util.c: 206 in virshStreamSkip() 200 buf = g_new0(char, buflen); 201 202 while (offset) { 203 size_t count = MIN(offset, buflen); 204 ssize_t r; 205
CID 463064: Insecure data handling (INTEGER_OVERFLOW) "count", which might be negative, is passed to "safewrite(cbData->fd, buf, count)".
206 if ((r = safewrite(cbData->fd, buf, count)) < 0) 207 return -1; 208 209 offset -= r; 210 } 211 } else {
** CID 463063: Concurrent data access violations (MISSING_LOCK) /src/node_device/node_device_udev.c: 2115 in processNodeStateInitializeEnumerate() ________________________________________________________________________________________________________ *** CID 463063: Concurrent data access violations (MISSING_LOCK) /src/node_device/node_device_udev.c: 2115 in processNodeStateInitializeEnumerate() 2109 2110 error: 2111 VIR_WITH_OBJECT_LOCK_GUARD(priv) { 2112 ignore_value(virEventRemoveHandle(priv->watch)); 2113 priv->watch = -1; 2114 priv->udevThreadQuit = true;
CID 463063: Concurrent data access violations (MISSING_LOCK) Accessing "priv->udevThreadCond" without holding lock "virMutex.lock". Elsewhere, "_udevEventData.udevThreadCond" is written to with "virMutex.lock" held 1 out of 1 times. Note that the signal at line 2115 sits inside the VIR_WITH_OBJECT_LOCK_GUARD(priv) block opened at line 2111, so this is plausibly a modelling gap around the guard macro rather than a genuinely missing lock; confirm that the guard acquires the same lock the other writers hold before dismissing the report.
2115 virCondSignal(&priv->udevThreadCond); 2116 } 2117 2118 goto cleanup; 2119 } 2120
** CID 463062: (INTEGER_OVERFLOW) /src/storage/storage_util.c: 358 in createRawFile() ________________________________________________________________________________________________________ *** CID 463062: (INTEGER_OVERFLOW) /src/storage/storage_util.c: 358 in createRawFile() 352 * but fallocate failed, fill the rest with zeroes. 353 */ 354 pos = inputvol->target.capacity - remain; 355 } 356 357 if (need_alloc && (vol->target.allocation - pos > 0)) {
CID 463062: (INTEGER_OVERFLOW) "vol->target.allocation - pos", which might be negative, is passed to "safezero(fd, pos, vol->target.allocation - pos)".
358 if (safezero(fd, pos, vol->target.allocation - pos) < 0) { 359 virReportSystemError(errno, _("cannot fill file '%1$s'"), 360 vol->target.path); 361 return -1; 362 } 363 } /src/storage/storage_util.c: 358 in createRawFile() 352 * but fallocate failed, fill the rest with zeroes. 353 */ 354 pos = inputvol->target.capacity - remain; 355 } 356 357 if (need_alloc && (vol->target.allocation - pos > 0)) {
CID 463062: (INTEGER_OVERFLOW) The cast of "pos" to a signed type could result in a negative number.
358 if (safezero(fd, pos, vol->target.allocation - pos) < 0) { 359 virReportSystemError(errno, _("cannot fill file '%1$s'"), 360 vol->target.path); 361 return -1; 362 } 363 }
** CID 463061: Integer handling issues (INTEGER_OVERFLOW) /tools/wireshark/src/packet-libvirt.c: 295 in find_payload_dissector() ________________________________________________________________________________________________________ *** CID 463061: Integer handling issues (INTEGER_OVERFLOW) /tools/wireshark/src/packet-libvirt.c: 295 in find_payload_dissector() 289 if (proc < first || proc > last) 290 return NULL; 291 292 pd = &pds[proc-first]; 293 /* There is no guarantee to proc numbers has no gap */ 294 if (pd->proc != proc) {
CID 463061: Integer handling issues (INTEGER_OVERFLOW) Expression "direction", which is equal to -1, where "(pd->proc < proc) ? 1 : -1" is known to be equal to -1, overflows the type that receives it, an unsigned integer 32 bits wide. If "direction" really is a 32-bit unsigned variable, the intended -1 becomes 4294967295 and "pd += direction" at line 299 advances the pointer forward by that many elements on 64-bit targets instead of stepping backwards, so this looks like a genuine out-of-bounds read rather than a benign wrap; giving "direction" a signed type (or using separate forward and backward loops) would address it.
295 direction = (pd->proc < proc) ? 1 : -1; 296 while (pd->proc != proc) { 297 if (pd->proc == first || pd->proc == last) 298 return NULL; 299 pd += direction; 300 }
** CID 463060: Insecure data handling (INTEGER_OVERFLOW) /src/conf/virdomainsnapshotobjlist.c: 293 in virDomainListSnapshots() ________________________________________________________________________________________________________ *** CID 463060: Insecure data handling (INTEGER_OVERFLOW) /src/conf/virdomainsnapshotobjlist.c: 293 in virDomainListSnapshots() 287 int ret = -1; 288 size_t i; 289 290 if (!snaps || count < 0) 291 return count; 292 names = g_new0(char *, count);
CID 463060: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
293 list = g_new0(virDomainSnapshotPtr, count + 1); 294 295 if (virDomainSnapshotObjListGetNames(snapshots, from, names, count, 296 flags) < 0) 297 goto cleanup; 298 for (i = 0; i < count; i++)
** CID 463059: (INTEGER_OVERFLOW) /src/util/virstring.c: 630 in virStringSearch() /src/util/virstring.c: 616 in virStringSearch() ________________________________________________________________________________________________________ *** CID 463059: (INTEGER_OVERFLOW) /src/util/virstring.c: 630 in virStringSearch() 624 VIR_EXPAND_N(*matches, nmatches, 1); 625 626 match = g_match_info_fetch(info, 1); 627 628 VIR_DEBUG("Got '%s'", match); 629
CID 463059: (INTEGER_OVERFLOW) Expression "nmatches - 2UL", which is equal to 18446744073709551614, where "nmatches" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide. Note that both reports for this CID assume "nmatches" can still be 0 at lines 616 and 630 even though VIR_EXPAND_N(*matches, nmatches, 1) precedes each of them (lines 614 and 624); if that macro increments "nmatches" as part of growing the array, the underflow cannot occur and the finding is a false positive, so verify the macro's behaviour before changing the code.
630 (*matches)[nmatches-2] = match; 631 632 g_match_info_fetch_pos(info, 1, NULL, &endpos); 633 str += endpos; 634 } 635 /src/util/virstring.c: 616 in virStringSearch() 610 611 /* '*matches' must always be NULL terminated in every iteration 612 * of the loop, so start by allocating 1 element 613 */ 614 VIR_EXPAND_N(*matches, nmatches, 1); 615
CID 463059: (INTEGER_OVERFLOW) Expression "nmatches - 1UL", which is equal to 18446744073709551615, where "nmatches" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide.
616 while ((nmatches - 1) < max_matches) { 617 g_autoptr(GMatchInfo) info = NULL; 618 char *match; 619 int endpos; 620 621 if (!g_regex_match(regex, str, 0, &info))
** CID 463058: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-interface.c: 52 in virshInterfaceStringHelper() ________________________________________________________________________________________________________ *** CID 463058: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-interface.c: 52 in virshInterfaceStringHelper() 46 if (!priv->conn || virConnectIsAlive(priv->conn) <= 0) 47 return NULL; 48 49 if ((nifaces = virConnectListAllInterfaces(priv->conn, &ifaces, flags)) < 0) 50 return NULL; 51
CID 463058: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
52 tmp = g_new0(char *, nifaces + 1); 53 54 for (i = 0; i < nifaces; i++) { 55 const char *name = (cb)(ifaces[i]); 56 57 tmp[i] = g_strdup(name);
** CID 463057: Resource leaks (RESOURCE_LEAK) /tests/qemufirmwaretest.c: 74 in testParseFailureFW() ________________________________________________________________________________________________________ *** CID 463057: Resource leaks (RESOURCE_LEAK) /tests/qemufirmwaretest.c: 74 in testParseFailureFW() 68 g_autofree char *inpath = NULL; 69 70 inpath = g_strdup_printf("%s/qemufirmwaredata/%s", abs_srcdir, filename); 71 72 /* This is a negative test case, so if the file was parsed 73 * successfully we need to report a failure */
CID 463057: Resource leaks (RESOURCE_LEAK) Failing to save or free storage allocated by "qemuFirmwareParse(inpath)" leaks it. Since this is a negative test case (see the comment at lines 72-73), the object is only leaked on the path where the test has already failed, so the impact is limited to test diagnostics rather than production code; freeing the returned object before "return -1" would still clear the report.
74 if (qemuFirmwareParse(inpath)) 75 return -1; 76 77 return 0; 78 } 79
** CID 463056: Integer handling issues (INTEGER_OVERFLOW) /src/security/security_util.c: 322 in virSecurityGetRememberedLabel() ________________________________________________________________________________________________________ *** CID 463056: Integer handling issues (INTEGER_OVERFLOW) /src/security/security_util.c: 322 in virSecurityGetRememberedLabel() 316 value, path); 317 return -1; 318 } 319 320 VIR_FREE(value); 321
CID 463056: Integer handling issues (INTEGER_OVERFLOW) Expression "refcount--", which is equal to 4294967295, where "refcount" is known to be equal to 0, underflows the type that receives it, an unsigned integer 32 bits wide.
322 refcount--; 323 324 if (refcount > 0) { 325 value = g_strdup_printf("%u", refcount); 326 327 if (virFileSetXAttr(path, ref_name, value) < 0)
** CID 463055: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-domain.c: 6774 in cmdVcpuinfo() ________________________________________________________________________________________________________ *** CID 463055: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-domain.c: 6774 in cmdVcpuinfo() 6768 6769 if (virDomainGetInfo(dom, &info) != 0) 6770 return false; 6771 6772 cpuinfo = g_new0(virVcpuInfo, info.nrVirtCpu); 6773 cpumaplen = VIR_CPU_MAPLEN(maxcpu);
CID 463055: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have underflowed, is passed to "g_malloc0(__n)".
6774 cpumaps = g_new0(unsigned char, info.nrVirtCpu * cpumaplen); 6775 6776 if ((ncpus = virDomainGetVcpus(dom, 6777 cpuinfo, info.nrVirtCpu, 6778 cpumaps, cpumaplen)) < 0) { 6779 if (info.state != VIR_DOMAIN_SHUTOFF)
** CID 463054: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-domain.c: 71 in virshDomainNameCompleter() ________________________________________________________________________________________________________ *** CID 463054: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-domain.c: 71 in virshDomainNameCompleter() 65 if (!priv->conn || virConnectIsAlive(priv->conn) <= 0) 66 return NULL; 67 68 if ((ndomains = virConnectListAllDomains(priv->conn, &domains, flags)) < 0) 69 return NULL; 70
CID 463054: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
71 tmp = g_new0(char *, ndomains + 1); 72 73 for (i = 0; i < ndomains; i++) { 74 const char *name = virDomainGetName(domains[i]); 75 76 tmp[i] = g_strdup(name);
** CID 463053: Insecure data handling (INTEGER_OVERFLOW) /src/util/virfdstream.c: 984 in virFDStreamRead() ________________________________________________________________________________________________________ *** CID 463053: Insecure data handling (INTEGER_OVERFLOW) /src/util/virfdstream.c: 984 in virFDStreamRead() 978 979 if (fdst->length) 980 fdst->offset += ret; 981 982 cleanup: 983 virObjectUnlock(fdst);
CID 463053: Insecure data handling (INTEGER_OVERFLOW) "ret", which might have overflowed, is returned from the function.
984 return ret; 985 } 986 987 988 static int 989 virFDStreamSendHole(virStreamPtr st,
** CID 463052: Null pointer dereferences (FORWARD_NULL) /src/conf/virnodedeviceobj.c: 997 in virNodeDeviceObjListExport() ________________________________________________________________________________________________________ *** CID 463052: Null pointer dereferences (FORWARD_NULL) /src/conf/virnodedeviceobj.c: 997 in virNodeDeviceObjListExport() 991 992 if (data.error) 993 goto cleanup; 994 995 if (data.devices) { 996 VIR_REALLOC_N(data.devices, data.ndevices + 1);
CID 463052: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "devices".
997 *devices = data.devices; 998 } 999 1000 return data.ndevices; 1001 1002 cleanup:
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2B...