
Hi, Please find the latest report on new defect(s) introduced to libvirt found with Coverity Scan. 15 new defect(s) introduced to libvirt found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 15 of 15 defect(s) ** CID 460819: API usage errors (VARARGS) /tests/qemunbdkittest.c: 168 in testInfoSetArgs() ________________________________________________________________________________________________________ *** CID 460819: API usage errors (VARARGS) /tests/qemunbdkittest.c: 168 in testInfoSetArgs() 162 break; 163 case NBDKIT_ARG_END: 164 default: 165 break; 166 } 167 }
CID 460819: API usage errors (VARARGS) "va_end" was not called for "argptr". Every "va_start" must be paired with a "va_end" in the same function before it returns; the visible tail of testInfoSetArgs() (lines 162-168) has no such call.
168 } 169 170 171 static int 172 testNbdkit(const void *data) 173 {
** CID 460818: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 460818: Memory - corruptions (OVERRUN) /tests/qemunbdkittest.c: 83 in virSecretGetSecretString() 77 char uuidstr[VIR_UUID_BUFLEN]; 78 const char *secretname = NULL; 79 char *tmp = NULL; 80 81 switch (seclookupdef->type) { 82 case VIR_SECRET_LOOKUP_TYPE_UUID:
CID 460818: Memory - corruptions (OVERRUN) Overrunning array "uuidstr" of 16 bytes by passing it to a function which accesses it at byte offset 36. The offset corresponds to the textual (formatted) UUID written by virUUIDFormat(), which is longer than the 16-byte raw form that "uuidstr" was sized for on line 77.
83 virUUIDFormat(seclookupdef->u.uuid, uuidstr); 84 secretname = uuidstr; 85 break; 86 case VIR_SECRET_LOOKUP_TYPE_USAGE: 87 secretname = seclookupdef->u.usage; 88 break;
** CID 460817: (NULL_RETURNS) /src/qemu/qemu_domain.c: 12151 in qemuDomainNamePathsCleanup() /src/qemu/qemu_domain.c: 12144 in qemuDomainNamePathsCleanup() ________________________________________________________________________________________________________ *** CID 460817: (NULL_RETURNS) /src/qemu/qemu_domain.c: 12151 in qemuDomainNamePathsCleanup() 12145 unlink(cfg_file) < 0) { 12146 virReportSystemError(errno, _("Failed to unlink '%1$s'"), cfg_file); 12147 if (!bestEffort) 12148 return -1; 12149 } 12150
CID 460817: (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "autostart_link" when calling "virFileIsLink". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
12151 if (virFileIsLink(autostart_link) == 1 && 12152 unlink(autostart_link) < 0) { 12153 virReportSystemError(errno, _("Failed to unlink '%1$s'"), autostart_link); 12154 if (!bestEffort) 12155 return -1; 12156 } /src/qemu/qemu_domain.c: 12144 in qemuDomainNamePathsCleanup() 12138 12139 cfg_file = virDomainConfigFile(cfg->configDir, name); 12140 autostart_link = virDomainConfigFile(cfg->autostartDir, name); 12141 snap_dir = g_strdup_printf("%s/%s", cfg->snapshotDir, name); 12142 chk_dir = g_strdup_printf("%s/%s", cfg->checkpointDir, name); 12143
CID 460817: (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "cfg_file" when calling "virFileExists". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
12144 if (virFileExists(cfg_file) && 12145 unlink(cfg_file) < 0) { 12146 virReportSystemError(errno, _("Failed to unlink '%1$s'"), cfg_file); 12147 if (!bestEffort) 12148 return -1; 12149 }
** CID 460816: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460816: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_driver.c: 4121 in qemuProcessEventHandler() 4115 processNbdkitExitedEvent(vm, processEvent->data); 4116 break; 4117 case QEMU_PROCESS_EVENT_LAST: 4118 break; 4119 } 4120
CID 460816: Memory - corruptions (USE_AFTER_FREE) Calling "virDomainObjEndAPI" frees pointer "vm" which has already been freed.
4121 virDomainObjEndAPI(&vm); 4122 qemuProcessEventFree(processEvent); 4123 } 4124 4125 4126 static int
** CID 460815: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460815: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 386 in qemuBlockJobDiskNewBackup() 380 job->data.backup.bitmap = g_strdup(bitmap); 381 job->data.backup.store = virObjectRef(store); 382 383 /* backup jobs are usually started in bulk by transaction so the caller 384 * shall save the status XML */ 385 if (qemuBlockJobRegister(job, vm, disk, false) < 0)
CID 460815: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
386 return NULL; 387 388 return g_steal_pointer(&job); 389 } 390 391
** CID 460814: Insecure data handling (TAINTED_SCALAR) /src/cpu/cpu_x86.c: 3441 in virCPUx86DataGetHost() ________________________________________________________________________________________________________ *** CID 460814: Insecure data handling (TAINTED_SCALAR) /src/cpu/cpu_x86.c: 3441 in virCPUx86DataGetHost() 3435 3436 if ((kvm_cpuid = virHostCPUGetCPUID()) == NULL) 3437 return NULL; 3438 3439 cpuid = virCPUDataNew(virArchFromHost()); 3440 cpuid->data.x86.len = 0;
CID 460814: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "__n" to "g_malloc0_n", which uses it as an allocation size. The count is "kvm_cpuid->nent", taken from the result of virHostCPUGetCPUID() on line 3436 and used as the element count on line 3441 without any range check in the visible code.
3441 cpuid->data.x86.items = g_new0(virCPUx86DataItem, kvm_cpuid->nent); 3442 3443 for (i = 0; i < kvm_cpuid->nent; ++i) { 3444 virCPUx86DataItem *item = &cpuid->data.x86.items[cpuid->data.x86.len]; 3445 item->type = VIR_CPU_X86_DATA_CPUID; 3446 item->data.cpuid.eax_in = kvm_cpuid->entries[i].function;
** CID 460813: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 9723 in qemuProcessHandleNbdkitExit() ________________________________________________________________________________________________________ *** CID 460813: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 9723 in qemuProcessHandleNbdkitExit() 9717 qemuProcessHandleNbdkitExit(qemuNbdkitProcess *nbdkit, 9718 virDomainObj *vm) 9719 { 9720 virObjectLock(vm); 9721 VIR_DEBUG("nbdkit process %i died", nbdkit->pid); 9722 qemuProcessEventSubmit(vm, QEMU_PROCESS_EVENT_NBDKIT_EXITED, 0, 0, nbdkit);
CID 460813: Memory - illegal accesses (USE_AFTER_FREE) Calling "virObjectUnlock" dereferences freed pointer "vm". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
9723 virObjectUnlock(vm);
** CID 460812: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460812: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 359 in qemuBlockJobDiskNewCopy() 353 if (shallow && !reuse) 354 job->data.copy.shallownew = true; 355 356 job->jobflags = jobflags; 357 358 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
CID 460812: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
359 return NULL; 360 361 return g_steal_pointer(&job); 362 } 363 364
** CID 460811: Insecure data handling (TAINTED_STRING) ________________________________________________________________________________________________________ *** CID 460811: Insecure data handling (TAINTED_STRING) /tests/qemunbdkittest.c: 318 in main() 312 cleanup: 313 qemuTestDriverFree(&driver); 314 315 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; 316 } 317
CID 460811: Insecure data handling (TAINTED_STRING) Passing tainted string "**argv" to "virTestMain", which cannot accept tainted data.
** CID 460810: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460810: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_process.c: 9292 in qemuProcessReconnect() 9286 9287 cleanup: 9288 if (jobStarted) 9289 virDomainObjEndJob(obj); 9290 if (!virDomainObjIsActive(obj)) 9291 qemuDomainRemoveInactive(driver, obj, 0, false);
CID 460810: Memory - corruptions (USE_AFTER_FREE) Calling "virDomainObjEndAPI" frees pointer "obj" which has already been freed.
9292 virDomainObjEndAPI(&obj); 9293 virIdentitySetCurrent(NULL); 9294 return; 9295 9296 error: 9297 if (virDomainObjIsActive(obj)) {
** CID 460809: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 1378 in qemuProcessHandleNetdevStreamDisconnected() ________________________________________________________________________________________________________ *** CID 460809: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 1378 in qemuProcessHandleNetdevStreamDisconnected() 1372 VIR_DEBUG("Device %s Netdev Stream Disconnected in domain %p %s", 1373 devAlias, vm, vm->def->name); 1374 1375 qemuProcessEventSubmit(vm, QEMU_PROCESS_EVENT_NETDEV_STREAM_DISCONNECTED, 1376 0, 0, g_strdup(devAlias)); 1377
CID 460809: Memory - illegal accesses (USE_AFTER_FREE) Calling "virObjectUnlock" dereferences freed pointer "vm". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
1378 virObjectUnlock(vm); 1379 } 1380 1381 1382 static void 1383 qemuProcessHandleNicRxFilterChanged(qemuMonitor *mon G_GNUC_UNUSED,
** CID 460808: (CHECKED_RETURN) /src/ch/ch_monitor.c: 961 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 957 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 955 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 956 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 958 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 959 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 960 in virCHMonitorSaveRestoreVM() ________________________________________________________________________________________________________ *** CID 460808: (CHECKED_RETURN) /src/ch/ch_monitor.c: 961 in virCHMonitorSaveRestoreVM() 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, (void *)&data)" without checking return value. This library function may fail and return an error code.
961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); 964 } 965 966 if (responseCode == 200 || responseCode == 204) { /src/ch/ch_monitor.c: 957 in virCHMonitorSaveRestoreVM() 951 VIR_WITH_OBJECT_LOCK_GUARD(mon) { 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, "PUT")" without checking return value. This library function may fail and return an error code.
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 /src/ch/ch_monitor.c: 955 in virCHMonitorSaveRestoreVM() 949 } 950 951 VIR_WITH_OBJECT_LOCK_GUARD(mon) { 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, mon->socketpath)" without checking return value. This library function may fail and return an error code.
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); /src/ch/ch_monitor.c: 956 in virCHMonitorSaveRestoreVM() 950 951 VIR_WITH_OBJECT_LOCK_GUARD(mon) { 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, url)" without checking return value. This library function may fail and return an error code.
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); /src/ch/ch_monitor.c: 958 in virCHMonitorSaveRestoreVM() 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, headers)" without checking return value. This library function may fail and return an error code.
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); /src/ch/ch_monitor.c: 959 in virCHMonitorSaveRestoreVM() 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, payload)" without checking return value. This library function may fail and return an error code.
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); 964 } /src/ch/ch_monitor.c: 960 in virCHMonitorSaveRestoreVM() 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, curl_callback)" without checking return value. This library function may fail and return an error code.
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); 964 } 965
** CID 460807: Control flow issues (DEADCODE) /tests/qemunbdkittest.c: 163 in testInfoSetArgs() ________________________________________________________________________________________________________ *** CID 460807: Control flow issues (DEADCODE) /tests/qemunbdkittest.c: 163 in testInfoSetArgs() 157 while ((cap = va_arg(argptr, unsigned int)) < QEMU_NBDKIT_CAPS_LAST) 158 qemuNbdkitCapsSet(info->nbdkitcaps, cap); 159 break; 160 case NBDKIT_ARG_EXPECT_FAIL: 161 info->expectFail = va_arg(argptr, unsigned int); 162 break;
CID 460807: Control flow issues (DEADCODE) Execution cannot reach this statement: "case NBDKIT_ARG_END:".
163 case NBDKIT_ARG_END: 164 default: 165 break; 166 } 167 } 168 }
** CID 460806: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460806: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 265 in qemuBlockJobDiskNewPull() 259 return NULL; 260 261 job->data.pull.base = base; 262 job->jobflags = jobflags; 263 264 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
CID 460806: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
265 return NULL; 266 267 return g_steal_pointer(&job); 268 } 269 270
** CID 460805: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460805: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 300 in qemuBlockJobDiskNewCommit() 294 job->data.commit.base = base; 295 job->data.commit.deleteCommittedImages = delete_imgs; 296 job->processPending = autofinalize == VIR_TRISTATE_BOOL_NO; 297 job->jobflags = jobflags; 298 299 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
CID 460805: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
300 return NULL; 301 302 return g_steal_pointer(&job); 303 } 304 305
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2B...