New Defects reported by Coverity Scan for libvirt

Hi,

Please find the latest report on new defect(s) introduced to libvirt found with Coverity Scan.

82 new defect(s) introduced to libvirt found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 82 defect(s)

** CID 463071: (INTEGER_OVERFLOW)
/src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent()
/src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent()

________________________________________________________________________________________________________
*** CID 463071: (INTEGER_OVERFLOW)
/src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent()
891 end = true; 892 } 893 894 i++; 895 } 896
CID 463071: (INTEGER_OVERFLOW) Expression "i - 1UL", which is equal to 18446744073709551615, where "i" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide.
897 *nth = i - 1; 898 899 cleanup: 900 VIR_FREE(nlData); 901 return rc; 902 } /src/util/virnetdevvportprofile.c: 897 in virNetDevVPortProfileGetNthParent() 891 end = true; 892 } 893 894 i++; 895 } 896
CID 463071: (INTEGER_OVERFLOW) Expression "*nth", which is equal to 18446744073709551615, where "i - 1UL" is known to be equal to 18446744073709551615, overflows the type that receives it, an unsigned integer 32 bits wide.
897 *nth = i - 1; 898 899 cleanup: 900 VIR_FREE(nlData); 901 return rc; 902 }
** CID 463070: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-checkpoint.c: 51 in virshCheckpointNameCompleter() ________________________________________________________________________________________________________ *** CID 463070: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-checkpoint.c: 51 in virshCheckpointNameCompleter() 45 return NULL; 46 47 if ((ncheckpoints = virDomainListAllCheckpoints(dom, &checkpoints, 48 flags)) < 0) 49 goto error; 50
CID 463070: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
51 ret = g_new0(char *, ncheckpoints + 1); 52 53 for (i = 0; i < ncheckpoints; i++) { 54 const char *name = virDomainCheckpointGetName(checkpoints[i]); 55 56 ret[i] = g_strdup(name);
** CID 463069: (INTEGER_OVERFLOW) /tools/virsh-network.c: 857 in virshNetworkListCollect() /tools/virsh-network.c: 834 in virshNetworkListCollect() ________________________________________________________________________________________________________ *** CID 463069: (INTEGER_OVERFLOW) /tools/virsh-network.c: 857 in virshNetworkListCollect() 851 nInactiveNets) < 0) { 852 vshError(ctl, "%s", _("Failed to list inactive networks")); 853 goto cleanup; 854 } 855 } 856
CID 463069: (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
857 list->nets = g_new0(virNetworkPtr, nAllNets); 858 list->nnets = 0; 859 860 /* get active networks */ 861 for (i = 0; i < nActiveNets; i++) { 862 if (!(net = virNetworkLookupByName(priv->conn, names[i]))) /tools/virsh-network.c: 834 in virshNetworkListCollect() 828 829 nAllNets = nActiveNets + nInactiveNets; 830 831 if (nAllNets == 0) 832 return list; 833
CID 463069: (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
834 names = g_new0(char *, nAllNets); 835 836 /* Retrieve a list of active network names */ 837 if (!VSH_MATCH(VIR_CONNECT_LIST_NETWORKS_FILTERS_ACTIVE) || 838 VSH_MATCH(VIR_CONNECT_LIST_NETWORKS_ACTIVE)) { 839 if (virConnectListNetworks(priv->conn,
** CID 463068: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-interface.c: 256 in virshInterfaceListCollect() ________________________________________________________________________________________________________ *** CID 463068: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-interface.c: 256 in virshInterfaceListCollect() 250 if (nAllIfaces == 0) { 251 VIR_FREE(activeNames); 252 VIR_FREE(inactiveNames); 253 return list; 254 } 255
CID 463068: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
256 list->ifaces = g_new0(virInterfacePtr, nAllIfaces); 257 list->nifaces = 0; 258 259 /* get active interfaces */ 260 for (i = 0; i < nActiveIfaces; i++) { 261 if (!(iface = virInterfaceLookupByName(priv->conn, activeNames[i]))) {
** CID 463067: Insecure data handling (INTEGER_OVERFLOW) /src/util/virhostmem.c: 705 in virHostMemGetAvailable() ________________________________________________________________________________________________________ *** CID 463067: Insecure data handling (INTEGER_OVERFLOW) /src/util/virhostmem.c: 705 in virHostMemGetAvailable() 699 } 700 if ((pagesize = sysconf(_SC_PAGESIZE)) < 0) { 701 virReportSystemError(errno, "%s", 702 _("Unable to query memory page size")); 703 return 0; 704 }
CID 463067: Insecure data handling (INTEGER_OVERFLOW) "(unsigned long long)pages * (unsigned long long)pagesize", which might have overflowed, is returned from the function.
705 return (unsigned long long)pages * (unsigned long long)pagesize; 706 #elif defined WIN32 707 PFN_MS_EX pfnex; 708 HMODULE h = GetModuleHandle("kernel32.dll"); 709 710 if (!h) {
** CID 463066: Null pointer dereferences (FORWARD_NULL) /src/conf/virinterfaceobj.c: 327 in virInterfaceObjListExport() ________________________________________________________________________________________________________ *** CID 463066: Null pointer dereferences (FORWARD_NULL) /src/conf/virinterfaceobj.c: 327 in virInterfaceObjListExport() 321 if (data.error) 322 goto cleanup; 323 324 if (data.ifaces) { 325 /* trim the array to the final size */ 326 VIR_REALLOC_N(data.ifaces, data.nifaces + 1);
CID 463066: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "ifaces".
327 *ifaces = g_steal_pointer(&data.ifaces); 328 } 329 330 ret = data.nifaces; 331 cleanup: 332 virObjectRWUnlock(ifaceobjs);
** CID 463065: Insecure data handling (INTEGER_OVERFLOW) /src/lxc/lxc_process.c: 1037 in virLXCProcessReadLogOutputData() ________________________________________________________________________________________________________ *** CID 463065: Insecure data handling (INTEGER_OVERFLOW) /src/lxc/lxc_process.c: 1037 in virLXCProcessReadLogOutputData() 1031 1032 /* Filter out debug messages from intermediate libvirt process */ 1033 filtered = false; 1034 while ((eol = strchr(filter_next, '\n'))) { 1035 *eol = '\0'; 1036 if (virLXCProcessIgnorableLogLine(filter_next)) {
CID 463065: Insecure data handling (INTEGER_OVERFLOW) "got - (eol - buf)", which might have underflowed, is passed to "memmove(filter_next, eol + 1, got - (eol - buf))". [Note: The source code implementation of the function has been overridden by a builtin model.]
1037 memmove(filter_next, eol + 1, got - (eol - buf)); 1038 got -= eol + 1 - filter_next; 1039 filtered = true; 1040 } else { 1041 filter_next = eol + 1; 1042 *eol = '\n';
** CID 463064: Insecure data handling (INTEGER_OVERFLOW) ________________________________________________________________________________________________________ *** CID 463064: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-util.c: 206 in virshStreamSkip() 200 buf = g_new0(char, buflen); 201 202 while (offset) { 203 size_t count = MIN(offset, buflen); 204 ssize_t r; 205
CID 463064: Insecure data handling (INTEGER_OVERFLOW) "count", which might be negative, is passed to "safewrite(cbData->fd, buf, count)".
206 if ((r = safewrite(cbData->fd, buf, count)) < 0) 207 return -1; 208 209 offset -= r; 210 } 211 } else {
** CID 463063: Concurrent data access violations (MISSING_LOCK) /src/node_device/node_device_udev.c: 2115 in processNodeStateInitializeEnumerate() ________________________________________________________________________________________________________ *** CID 463063: Concurrent data access violations (MISSING_LOCK) /src/node_device/node_device_udev.c: 2115 in processNodeStateInitializeEnumerate() 2109 2110 error: 2111 VIR_WITH_OBJECT_LOCK_GUARD(priv) { 2112 ignore_value(virEventRemoveHandle(priv->watch)); 2113 priv->watch = -1; 2114 priv->udevThreadQuit = true;
CID 463063: Concurrent data access violations (MISSING_LOCK) Accessing "priv->udevThreadCond" without holding lock "virMutex.lock". Elsewhere, "_udevEventData.udevThreadCond" is written to with "virMutex.lock" held 1 out of 1 times.
2115 virCondSignal(&priv->udevThreadCond); 2116 } 2117 2118 goto cleanup; 2119 } 2120
** CID 463062: (INTEGER_OVERFLOW) /src/storage/storage_util.c: 358 in createRawFile() ________________________________________________________________________________________________________ *** CID 463062: (INTEGER_OVERFLOW) /src/storage/storage_util.c: 358 in createRawFile() 352 * but fallocate failed, fill the rest with zeroes. 353 */ 354 pos = inputvol->target.capacity - remain; 355 } 356 357 if (need_alloc && (vol->target.allocation - pos > 0)) {
CID 463062: (INTEGER_OVERFLOW) "vol->target.allocation - pos", which might be negative, is passed to "safezero(fd, pos, vol->target.allocation - pos)".
358 if (safezero(fd, pos, vol->target.allocation - pos) < 0) { 359 virReportSystemError(errno, _("cannot fill file '%1$s'"), 360 vol->target.path); 361 return -1; 362 } 363 } /src/storage/storage_util.c: 358 in createRawFile() 352 * but fallocate failed, fill the rest with zeroes. 353 */ 354 pos = inputvol->target.capacity - remain; 355 } 356 357 if (need_alloc && (vol->target.allocation - pos > 0)) {
CID 463062: (INTEGER_OVERFLOW) The cast of "pos" to a signed type could result in a negative number.
358 if (safezero(fd, pos, vol->target.allocation - pos) < 0) { 359 virReportSystemError(errno, _("cannot fill file '%1$s'"), 360 vol->target.path); 361 return -1; 362 } 363 }
** CID 463061: Integer handling issues (INTEGER_OVERFLOW) /tools/wireshark/src/packet-libvirt.c: 295 in find_payload_dissector() ________________________________________________________________________________________________________ *** CID 463061: Integer handling issues (INTEGER_OVERFLOW) /tools/wireshark/src/packet-libvirt.c: 295 in find_payload_dissector() 289 if (proc < first || proc > last) 290 return NULL; 291 292 pd = &pds[proc-first]; 293 /* There is no guarantee to proc numbers has no gap */ 294 if (pd->proc != proc) {
CID 463061: Integer handling issues (INTEGER_OVERFLOW) Expression "direction", which is equal to -1, where "(pd->proc < proc) ? 1 : -1" is known to be equal to -1, overflows the type that receives it, an unsigned integer 32 bits wide.
295 direction = (pd->proc < proc) ? 1 : -1; 296 while (pd->proc != proc) { 297 if (pd->proc == first || pd->proc == last) 298 return NULL; 299 pd += direction; 300 }
** CID 463060: Insecure data handling (INTEGER_OVERFLOW) /src/conf/virdomainsnapshotobjlist.c: 293 in virDomainListSnapshots() ________________________________________________________________________________________________________ *** CID 463060: Insecure data handling (INTEGER_OVERFLOW) /src/conf/virdomainsnapshotobjlist.c: 293 in virDomainListSnapshots() 287 int ret = -1; 288 size_t i; 289 290 if (!snaps || count < 0) 291 return count; 292 names = g_new0(char *, count);
CID 463060: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
293 list = g_new0(virDomainSnapshotPtr, count + 1); 294 295 if (virDomainSnapshotObjListGetNames(snapshots, from, names, count, 296 flags) < 0) 297 goto cleanup; 298 for (i = 0; i < count; i++)
** CID 463059: (INTEGER_OVERFLOW) /src/util/virstring.c: 630 in virStringSearch() /src/util/virstring.c: 616 in virStringSearch() ________________________________________________________________________________________________________ *** CID 463059: (INTEGER_OVERFLOW) /src/util/virstring.c: 630 in virStringSearch() 624 VIR_EXPAND_N(*matches, nmatches, 1); 625 626 match = g_match_info_fetch(info, 1); 627 628 VIR_DEBUG("Got '%s'", match); 629
CID 463059: (INTEGER_OVERFLOW) Expression "nmatches - 2UL", which is equal to 18446744073709551614, where "nmatches" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide.
630 (*matches)[nmatches-2] = match; 631 632 g_match_info_fetch_pos(info, 1, NULL, &endpos); 633 str += endpos; 634 } 635 /src/util/virstring.c: 616 in virStringSearch() 610 611 /* '*matches' must always be NULL terminated in every iteration 612 * of the loop, so start by allocating 1 element 613 */ 614 VIR_EXPAND_N(*matches, nmatches, 1); 615
CID 463059: (INTEGER_OVERFLOW) Expression "nmatches - 1UL", which is equal to 18446744073709551615, where "nmatches" is known to be equal to 0, underflows the type that receives it, an unsigned integer 64 bits wide.
616 while ((nmatches - 1) < max_matches) { 617 g_autoptr(GMatchInfo) info = NULL; 618 char *match; 619 int endpos; 620 621 if (!g_regex_match(regex, str, 0, &info))
** CID 463058: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-interface.c: 52 in virshInterfaceStringHelper() ________________________________________________________________________________________________________ *** CID 463058: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-interface.c: 52 in virshInterfaceStringHelper() 46 if (!priv->conn || virConnectIsAlive(priv->conn) <= 0) 47 return NULL; 48 49 if ((nifaces = virConnectListAllInterfaces(priv->conn, &ifaces, flags)) < 0) 50 return NULL; 51
CID 463058: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
52 tmp = g_new0(char *, nifaces + 1); 53 54 for (i = 0; i < nifaces; i++) { 55 const char *name = (cb)(ifaces[i]); 56 57 tmp[i] = g_strdup(name);
** CID 463057: Resource leaks (RESOURCE_LEAK) /tests/qemufirmwaretest.c: 74 in testParseFailureFW() ________________________________________________________________________________________________________ *** CID 463057: Resource leaks (RESOURCE_LEAK) /tests/qemufirmwaretest.c: 74 in testParseFailureFW() 68 g_autofree char *inpath = NULL; 69 70 inpath = g_strdup_printf("%s/qemufirmwaredata/%s", abs_srcdir, filename); 71 72 /* This is a negative test case, so if the file was parsed 73 * successfully we need to report a failure */
CID 463057: Resource leaks (RESOURCE_LEAK) Failing to save or free storage allocated by "qemuFirmwareParse(inpath)" leaks it.
74 if (qemuFirmwareParse(inpath)) 75 return -1; 76 77 return 0; 78 } 79
** CID 463056: Integer handling issues (INTEGER_OVERFLOW) /src/security/security_util.c: 322 in virSecurityGetRememberedLabel() ________________________________________________________________________________________________________ *** CID 463056: Integer handling issues (INTEGER_OVERFLOW) /src/security/security_util.c: 322 in virSecurityGetRememberedLabel() 316 value, path); 317 return -1; 318 } 319 320 VIR_FREE(value); 321
CID 463056: Integer handling issues (INTEGER_OVERFLOW) Expression "refcount--", which is equal to 4294967295, where "refcount" is known to be equal to 0, underflows the type that receives it, an unsigned integer 32 bits wide.
322 refcount--; 323 324 if (refcount > 0) { 325 value = g_strdup_printf("%u", refcount); 326 327 if (virFileSetXAttr(path, ref_name, value) < 0)
** CID 463055: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-domain.c: 6774 in cmdVcpuinfo() ________________________________________________________________________________________________________ *** CID 463055: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-domain.c: 6774 in cmdVcpuinfo() 6768 6769 if (virDomainGetInfo(dom, &info) != 0) 6770 return false; 6771 6772 cpuinfo = g_new0(virVcpuInfo, info.nrVirtCpu); 6773 cpumaplen = VIR_CPU_MAPLEN(maxcpu);
CID 463055: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have underflowed, is passed to "g_malloc0(__n)".
6774 cpumaps = g_new0(unsigned char, info.nrVirtCpu * cpumaplen); 6775 6776 if ((ncpus = virDomainGetVcpus(dom, 6777 cpuinfo, info.nrVirtCpu, 6778 cpumaps, cpumaplen)) < 0) { 6779 if (info.state != VIR_DOMAIN_SHUTOFF)
** CID 463054: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-domain.c: 71 in virshDomainNameCompleter() ________________________________________________________________________________________________________ *** CID 463054: Insecure data handling (INTEGER_OVERFLOW) /tools/virsh-completer-domain.c: 71 in virshDomainNameCompleter() 65 if (!priv->conn || virConnectIsAlive(priv->conn) <= 0) 66 return NULL; 67 68 if ((ndomains = virConnectListAllDomains(priv->conn, &domains, flags)) < 0) 69 return NULL; 70
CID 463054: Insecure data handling (INTEGER_OVERFLOW) "__n", which might have overflowed, is passed to "g_malloc0_n(__n, __s)".
71 tmp = g_new0(char *, ndomains + 1); 72 73 for (i = 0; i < ndomains; i++) { 74 const char *name = virDomainGetName(domains[i]); 75 76 tmp[i] = g_strdup(name);
** CID 463053: Insecure data handling (INTEGER_OVERFLOW) /src/util/virfdstream.c: 984 in virFDStreamRead() ________________________________________________________________________________________________________ *** CID 463053: Insecure data handling (INTEGER_OVERFLOW) /src/util/virfdstream.c: 984 in virFDStreamRead() 978 979 if (fdst->length) 980 fdst->offset += ret; 981 982 cleanup: 983 virObjectUnlock(fdst);
CID 463053: Insecure data handling (INTEGER_OVERFLOW) "ret", which might have overflowed, is returned from the function.
984 return ret; 985 } 986 987 988 static int 989 virFDStreamSendHole(virStreamPtr st,
** CID 463052: Null pointer dereferences (FORWARD_NULL) /src/conf/virnodedeviceobj.c: 997 in virNodeDeviceObjListExport() ________________________________________________________________________________________________________ *** CID 463052: Null pointer dereferences (FORWARD_NULL) /src/conf/virnodedeviceobj.c: 997 in virNodeDeviceObjListExport() 991 992 if (data.error) 993 goto cleanup; 994 995 if (data.devices) { 996 VIR_REALLOC_N(data.devices, data.ndevices + 1);
CID 463052: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "devices".
997 *devices = data.devices; 998 } 999 1000 return data.ndevices; 1001 1002 cleanup:
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2B...