New Defects reported by Coverity Scan for libvirt

Hi, Please find the latest report on new defect(s) introduced to libvirt found with Coverity Scan. 15 new defect(s) introduced to libvirt found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 15 of 15 defect(s) ** CID 460819: API usage errors (VARARGS) /tests/qemunbdkittest.c: 168 in testInfoSetArgs() ________________________________________________________________________________________________________ *** CID 460819: API usage errors (VARARGS) /tests/qemunbdkittest.c: 168 in testInfoSetArgs() 162 break; 163 case NBDKIT_ARG_END: 164 default: 165 break; 166 } 167 }
CID 460819: API usage errors (VARARGS) "va_end" was not called for "argptr".
168 } 169 170 171 static int 172 testNbdkit(const void *data) 173 {
** CID 460818: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 460818: Memory - corruptions (OVERRUN) /tests/qemunbdkittest.c: 83 in virSecretGetSecretString() 77 char uuidstr[VIR_UUID_BUFLEN]; 78 const char *secretname = NULL; 79 char *tmp = NULL; 80 81 switch (seclookupdef->type) { 82 case VIR_SECRET_LOOKUP_TYPE_UUID:
CID 460818: Memory - corruptions (OVERRUN) Overrunning array "uuidstr" of 16 bytes by passing it to a function which accesses it at byte offset 36.
83 virUUIDFormat(seclookupdef->u.uuid, uuidstr); 84 secretname = uuidstr; 85 break; 86 case VIR_SECRET_LOOKUP_TYPE_USAGE: 87 secretname = seclookupdef->u.usage; 88 break;
** CID 460817: (NULL_RETURNS) /src/qemu/qemu_domain.c: 12151 in qemuDomainNamePathsCleanup() /src/qemu/qemu_domain.c: 12144 in qemuDomainNamePathsCleanup() ________________________________________________________________________________________________________ *** CID 460817: (NULL_RETURNS) /src/qemu/qemu_domain.c: 12151 in qemuDomainNamePathsCleanup() 12145 unlink(cfg_file) < 0) { 12146 virReportSystemError(errno, _("Failed to unlink '%1$s'"), cfg_file); 12147 if (!bestEffort) 12148 return -1; 12149 } 12150
CID 460817: (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "autostart_link" when calling "virFileIsLink". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
12151 if (virFileIsLink(autostart_link) == 1 && 12152 unlink(autostart_link) < 0) { 12153 virReportSystemError(errno, _("Failed to unlink '%1$s'"), autostart_link); 12154 if (!bestEffort) 12155 return -1; 12156 } /src/qemu/qemu_domain.c: 12144 in qemuDomainNamePathsCleanup() 12138 12139 cfg_file = virDomainConfigFile(cfg->configDir, name); 12140 autostart_link = virDomainConfigFile(cfg->autostartDir, name); 12141 snap_dir = g_strdup_printf("%s/%s", cfg->snapshotDir, name); 12142 chk_dir = g_strdup_printf("%s/%s", cfg->checkpointDir, name); 12143
CID 460817: (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "cfg_file" when calling "virFileExists". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
12144 if (virFileExists(cfg_file) && 12145 unlink(cfg_file) < 0) { 12146 virReportSystemError(errno, _("Failed to unlink '%1$s'"), cfg_file); 12147 if (!bestEffort) 12148 return -1; 12149 }
** CID 460816: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460816: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_driver.c: 4121 in qemuProcessEventHandler() 4115 processNbdkitExitedEvent(vm, processEvent->data); 4116 break; 4117 case QEMU_PROCESS_EVENT_LAST: 4118 break; 4119 } 4120
CID 460816: Memory - corruptions (USE_AFTER_FREE) Calling "virDomainObjEndAPI" frees pointer "vm" which has already been freed.
4121 virDomainObjEndAPI(&vm); 4122 qemuProcessEventFree(processEvent); 4123 } 4124 4125 4126 static int
** CID 460815: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460815: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 386 in qemuBlockJobDiskNewBackup() 380 job->data.backup.bitmap = g_strdup(bitmap); 381 job->data.backup.store = virObjectRef(store); 382 383 /* backup jobs are usually started in bulk by transaction so the caller 384 * shall save the status XML */ 385 if (qemuBlockJobRegister(job, vm, disk, false) < 0)
CID 460815: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
386 return NULL; 387 388 return g_steal_pointer(&job); 389 } 390 391
** CID 460814: Insecure data handling (TAINTED_SCALAR) /src/cpu/cpu_x86.c: 3441 in virCPUx86DataGetHost() ________________________________________________________________________________________________________ *** CID 460814: Insecure data handling (TAINTED_SCALAR) /src/cpu/cpu_x86.c: 3441 in virCPUx86DataGetHost() 3435 3436 if ((kvm_cpuid = virHostCPUGetCPUID()) == NULL) 3437 return NULL; 3438 3439 cpuid = virCPUDataNew(virArchFromHost()); 3440 cpuid->data.x86.len = 0;
CID 460814: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "__n" to "g_malloc0_n", which uses it as an allocation size.
3441 cpuid->data.x86.items = g_new0(virCPUx86DataItem, kvm_cpuid->nent); 3442 3443 for (i = 0; i < kvm_cpuid->nent; ++i) { 3444 virCPUx86DataItem *item = &cpuid->data.x86.items[cpuid->data.x86.len]; 3445 item->type = VIR_CPU_X86_DATA_CPUID; 3446 item->data.cpuid.eax_in = kvm_cpuid->entries[i].function;
** CID 460813: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 9723 in qemuProcessHandleNbdkitExit() ________________________________________________________________________________________________________ *** CID 460813: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 9723 in qemuProcessHandleNbdkitExit() 9717 qemuProcessHandleNbdkitExit(qemuNbdkitProcess *nbdkit, 9718 virDomainObj *vm) 9719 { 9720 virObjectLock(vm); 9721 VIR_DEBUG("nbdkit process %i died", nbdkit->pid); 9722 qemuProcessEventSubmit(vm, QEMU_PROCESS_EVENT_NBDKIT_EXITED, 0, 0, nbdkit);
CID 460813: Memory - illegal accesses (USE_AFTER_FREE) Calling "virObjectUnlock" dereferences freed pointer "vm". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
9723 virObjectUnlock(vm);
** CID 460812: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460812: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 359 in qemuBlockJobDiskNewCopy() 353 if (shallow && !reuse) 354 job->data.copy.shallownew = true; 355 356 job->jobflags = jobflags; 357 358 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
CID 460812: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
359 return NULL; 360 361 return g_steal_pointer(&job); 362 } 363 364
** CID 460811: Insecure data handling (TAINTED_STRING) ________________________________________________________________________________________________________ *** CID 460811: Insecure data handling (TAINTED_STRING) /tests/qemunbdkittest.c: 318 in main() 312 cleanup: 313 qemuTestDriverFree(&driver); 314 315 return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; 316 } 317
CID 460811: Insecure data handling (TAINTED_STRING) Passing tainted string "**argv" to "virTestMain", which cannot accept tainted data.
** CID 460810: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460810: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_process.c: 9292 in qemuProcessReconnect() 9286 9287 cleanup: 9288 if (jobStarted) 9289 virDomainObjEndJob(obj); 9290 if (!virDomainObjIsActive(obj)) 9291 qemuDomainRemoveInactive(driver, obj, 0, false);
CID 460810: Memory - corruptions (USE_AFTER_FREE) Calling "virDomainObjEndAPI" frees pointer "obj" which has already been freed.
9292 virDomainObjEndAPI(&obj); 9293 virIdentitySetCurrent(NULL); 9294 return; 9295 9296 error: 9297 if (virDomainObjIsActive(obj)) {
** CID 460809: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 1378 in qemuProcessHandleNetdevStreamDisconnected() ________________________________________________________________________________________________________ *** CID 460809: Memory - illegal accesses (USE_AFTER_FREE) /src/qemu/qemu_process.c: 1378 in qemuProcessHandleNetdevStreamDisconnected() 1372 VIR_DEBUG("Device %s Netdev Stream Disconnected in domain %p %s", 1373 devAlias, vm, vm->def->name); 1374 1375 qemuProcessEventSubmit(vm, QEMU_PROCESS_EVENT_NETDEV_STREAM_DISCONNECTED, 1376 0, 0, g_strdup(devAlias)); 1377
CID 460809: Memory - illegal accesses (USE_AFTER_FREE) Calling "virObjectUnlock" dereferences freed pointer "vm". (The dereference is assumed on the basis of the "nonnull" parameter attribute.)
1378 virObjectUnlock(vm); 1379 } 1380 1381 1382 static void 1383 qemuProcessHandleNicRxFilterChanged(qemuMonitor *mon G_GNUC_UNUSED,
** CID 460808: (CHECKED_RETURN) /src/ch/ch_monitor.c: 961 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 957 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 955 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 956 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 958 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 959 in virCHMonitorSaveRestoreVM() /src/ch/ch_monitor.c: 960 in virCHMonitorSaveRestoreVM() ________________________________________________________________________________________________________ *** CID 460808: (CHECKED_RETURN) /src/ch/ch_monitor.c: 961 in virCHMonitorSaveRestoreVM() 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, (void *)&data)" without checking return value. This library function may fail and return an error code.
961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); 964 } 965 966 if (responseCode == 200 || responseCode == 204) { /src/ch/ch_monitor.c: 957 in virCHMonitorSaveRestoreVM() 951 VIR_WITH_OBJECT_LOCK_GUARD(mon) { 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, "PUT")" without checking return value. This library function may fail and return an error code.
957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 /src/ch/ch_monitor.c: 955 in virCHMonitorSaveRestoreVM() 949 } 950 951 VIR_WITH_OBJECT_LOCK_GUARD(mon) { 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, mon->socketpath)" without checking return value. This library function may fail and return an error code.
955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); /src/ch/ch_monitor.c: 956 in virCHMonitorSaveRestoreVM() 950 951 VIR_WITH_OBJECT_LOCK_GUARD(mon) { 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, url)" without checking return value. This library function may fail and return an error code.
956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); /src/ch/ch_monitor.c: 958 in virCHMonitorSaveRestoreVM() 952 /* reset all options of a libcurl session handle at first */ 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT");
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, headers)" without checking return value. This library function may fail and return an error code.
958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); /src/ch/ch_monitor.c: 959 in virCHMonitorSaveRestoreVM() 953 curl_easy_reset(mon->handle); 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, payload)" without checking return value. This library function may fail and return an error code.
959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload); 960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); 964 } /src/ch/ch_monitor.c: 960 in virCHMonitorSaveRestoreVM() 954 955 curl_easy_setopt(mon->handle, CURLOPT_UNIX_SOCKET_PATH, mon->socketpath); 956 curl_easy_setopt(mon->handle, CURLOPT_URL, url); 957 curl_easy_setopt(mon->handle, CURLOPT_CUSTOMREQUEST, "PUT"); 958 curl_easy_setopt(mon->handle, CURLOPT_HTTPHEADER, headers); 959 curl_easy_setopt(mon->handle, CURLOPT_POSTFIELDS, payload);
CID 460808: (CHECKED_RETURN) Calling "curl_easy_setopt(mon->handle, _curl_opt, curl_callback)" without checking return value. This library function may fail and return an error code.
960 curl_easy_setopt(mon->handle, CURLOPT_WRITEFUNCTION, curl_callback); 961 curl_easy_setopt(mon->handle, CURLOPT_WRITEDATA, (void *)&data); 962 963 responseCode = virCHMonitorCurlPerform(mon->handle); 964 } 965
** CID 460807: Control flow issues (DEADCODE) /tests/qemunbdkittest.c: 163 in testInfoSetArgs() ________________________________________________________________________________________________________ *** CID 460807: Control flow issues (DEADCODE) /tests/qemunbdkittest.c: 163 in testInfoSetArgs() 157 while ((cap = va_arg(argptr, unsigned int)) < QEMU_NBDKIT_CAPS_LAST) 158 qemuNbdkitCapsSet(info->nbdkitcaps, cap); 159 break; 160 case NBDKIT_ARG_EXPECT_FAIL: 161 info->expectFail = va_arg(argptr, unsigned int); 162 break;
CID 460807: Control flow issues (DEADCODE) Execution cannot reach this statement: "case NBDKIT_ARG_END:".
163 case NBDKIT_ARG_END: 164 default: 165 break; 166 } 167 } 168 }
** CID 460806: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460806: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 265 in qemuBlockJobDiskNewPull() 259 return NULL; 260 261 job->data.pull.base = base; 262 job->jobflags = jobflags; 263 264 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
CID 460806: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
265 return NULL; 266 267 return g_steal_pointer(&job); 268 } 269 270
** CID 460805: Memory - corruptions (USE_AFTER_FREE) ________________________________________________________________________________________________________ *** CID 460805: Memory - corruptions (USE_AFTER_FREE) /src/qemu/qemu_blockjob.c: 300 in qemuBlockJobDiskNewCommit() 294 job->data.commit.base = base; 295 job->data.commit.deleteCommittedImages = delete_imgs; 296 job->processPending = autofinalize == VIR_TRISTATE_BOOL_NO; 297 job->jobflags = jobflags; 298 299 if (qemuBlockJobRegister(job, vm, disk, true) < 0)
CID 460805: Memory - corruptions (USE_AFTER_FREE) Calling "glib_autoptr_cleanup_qemuBlockJobData" frees pointer "job" which has already been freed.
300 return NULL; 301 302 return g_steal_pointer(&job); 303 } 304 305
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2B...