[CRIU] New Defects reported by Coverity Scan for crtools

Mon Aug 4 23:50:07 PDT 2014

Just in case if someone interested to take a look (latest criu @master).
I'll take a look into vdso code as well a bit later.

On Mon, Aug 04, 2014 at 11:44:07PM -0700, scan-admin at coverity.com wrote:
> 
> Hi,
> 
> 
> Please find the latest report on new defect(s) introduced to crtools found with Coverity Scan.
> 
> Defect(s) Reported-by: Coverity Scan
> Showing 9 of 9 defect(s)
> 
> 
> ** CID 1230183:  Unchecked return value  (CHECKED_RETURN)
> /cr-restore.c: 749 in zombie_prepare_signals()
> 
> ** CID 1230182:  Logically dead code  (DEADCODE)
> /arch/x86/vdso-pie.c: 406 in vdso_proxify()
> 
> ** CID 1230181:  Dereference after null check  (FORWARD_NULL)
> /files-reg.c: 463 in create_link_remap()
> 
> ** CID 1230180:  Argument cannot be negative  (NEGATIVE_RETURNS)
> /files.c: 1011 in fchroot()
> 
> ** CID 1230179:  Resource leak  (RESOURCE_LEAK)
> /cgroup.c: 270 in add_cgroup()
> 
> ** CID 1230178:  Dereference before null check  (REVERSE_INULL)
> /files-reg.c: 465 in create_link_remap()
> 
> ** CID 1230177:  Dereference before null check  (REVERSE_INULL)
> /proc_parse.c: 1542 in parse_task_cgroup()
> 
> ** CID 1230176:  Double close  (USE_AFTER_FREE)
> /files.c: 1115 in prepare_fs_pid()
> 
> ** CID 1230175:  Write to pointer after free  (USE_AFTER_FREE)
> /util.c: 797 in split()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 1230183:  Unchecked return value  (CHECKED_RETURN)
> /cr-restore.c: 749 in zombie_prepare_signals()
> 743     	sigprocmask(SIG_UNBLOCK, &blockmask, NULL);
> 744     
> 745     	memset(&act, 0, sizeof(act));
> 746     	act.sa_handler = SIG_DFL;
> 747     
> 748     	for (sig = 1; sig <= SIGMAX; sig++)
> >>>     CID 1230183:  Unchecked return value  (CHECKED_RETURN)
> >>>     No check of the return value of "sigaction(sig, &act, NULL)".
> 749     		sigaction(sig, &act, NULL);
> 750     }
> 751     
> 752     #define SIG_FATAL_MASK	(	\
> 753     		(1 << SIGHUP)	|\
> 754     		(1 << SIGINT)	|\
> 
> ________________________________________________________________________________________________________
> *** CID 1230182:  Logically dead code  (DEADCODE)
> /arch/x86/vdso-pie.c: 406 in vdso_proxify()
> 400     			} else {
> 401     				ret  = vdso_remap(who, vdso_rt_parked_at, vma_vvar->start, vvar_vma_size(sym_rt));
> 402     				vdso_rt_parked_at += vvar_vma_size(sym_rt);
> 403     				ret |= vdso_remap(who, vdso_rt_parked_at, vma_vdso->start, vdso_vma_size(sym_rt));
> 404     			}
> 405     		} else
> >>>     CID 1230182:  Logically dead code  (DEADCODE)
> >>>     Execution cannot reach this statement "ret = vdso_remap(who, vdso_...".
> 406     			ret = vdso_remap(who, vdso_rt_parked_at, vma_vdso->start, vdso_vma_size(sym_rt));
> 407     
> 408     		return ret;
> 409     	}
> 410     
> 411     	/*
> 
> ________________________________________________________________________________________________________
> *** CID 1230181:  Dereference after null check  (FORWARD_NULL)
> /files-reg.c: 463 in create_link_remap()
> 457     	 * we keep all data in memory.
> 458     	 */
> 459     	rlb = xmalloc(sizeof(*rlb));
> 460     	if (rlb)
> 461     		rlb->path = strdup(link_name);
> 462     
> >>>     CID 1230181:  Dereference after null check  (FORWARD_NULL)
> >>>     Dereferencing null pointer "rlb".
> 463     	rlb->mnt_ns = nsid;
> 464     
> 465     	if (!rlb || !rlb->path) {
> 466     		pr_perror("Can't register rollback for %s", path);
> 467     		xfree(rlb ? rlb->path : NULL);
> 468     		xfree(rlb);
> 
> ________________________________________________________________________________________________________
> *** CID 1230180:  Argument cannot be negative  (NEGATIVE_RETURNS)
> /files.c: 1011 in fchroot()
> 1005     	 *
> 1006     	 * But since there might be no /proc mount in our mount
> 1007     	 * namespace, we will have to ... workaround it.
> 1008     	 */
> 1009     
> 1010     	proc = get_service_fd(PROC_FD_OFF);
> >>>     CID 1230180:  Argument cannot be negative  (NEGATIVE_RETURNS)
> >>>     "proc" is passed to a parameter that cannot be negative.
> 1011     	if (fchdir(proc) < 0) {
> 1012     		pr_perror("Can't chdir to proc");
> 1013     		return -1;
> 1014     	}
> 1015     
> 1016     	sprintf(fd_path, "./self/fd/%d", fd);
> 
> ________________________________________________________________________________________________________
> *** CID 1230179:  Resource leak  (RESOURCE_LEAK)
> /cgroup.c: 270 in add_cgroup()
> 264     			current_controller->n_heads++;
> 265     			break;
> 266     		}
> 267     
> 268     		INIT_LIST_HEAD(&ncd->children);
> 269     		ncd->n_children = 0;
> >>>     CID 1230179:  Resource leak  (RESOURCE_LEAK)
> >>>     Variable "ncd" going out of scope leaks the storage it points to.
> 270     		return 0;
> 271     	} else
> 272     		return 0;
> 273     
> 274     out:
> 275     	if (ncd)
> 
> ________________________________________________________________________________________________________
> *** CID 1230178:  Dereference before null check  (REVERSE_INULL)
> /files-reg.c: 465 in create_link_remap()
> 459     	rlb = xmalloc(sizeof(*rlb));
> 460     	if (rlb)
> 461     		rlb->path = strdup(link_name);
> 462     
> 463     	rlb->mnt_ns = nsid;
> 464     
> >>>     CID 1230178:  Dereference before null check  (REVERSE_INULL)
> >>>     Null-checking "rlb" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 465     	if (!rlb || !rlb->path) {
> 466     		pr_perror("Can't register rollback for %s", path);
> 467     		xfree(rlb ? rlb->path : NULL);
> 468     		xfree(rlb);
> 469     		return -1;
> 470     	}
> 
> ________________________________________________________________________________________________________
> *** CID 1230177:  Dereference before null check  (REVERSE_INULL)
> /proc_parse.c: 1542 in parse_task_cgroup()
> 1536     		 * 4:cpu,cpuacct:/
> 1537     		 * 3:cpuset:/
> 1538     		 * 2:name=systemd:/user.slice/user-1000.slice/session-1.scope
> 1539     		 */
> 1540     		name = strchr(buf, ':') + 1;
> 1541     		path = strchr(name, ':');
> >>>     CID 1230177:  Dereference before null check  (REVERSE_INULL)
> >>>     Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 1542     		if (!name || !path) {
> 1543     			pr_err("Failed parsing cgroup %s\n", buf);
> 1544     			xfree(ncc);
> 1545     			goto err;
> 1546     		}
> 1547     		e = strchr(name, '\n');
> 
> ________________________________________________________________________________________________________
> *** CID 1230176:  Double close  (USE_AFTER_FREE)
> /files.c: 1115 in prepare_fs_pid()
> 1109     ok:
> 1110     	return 0;
> 1111     
> 1112     out_f:
> 1113     	fs_entry__free_unpacked(fe, NULL);
> 1114     out_i:
> >>>     CID 1230176:  Double close  (USE_AFTER_FREE)
> >>>     Calling "close(int)" closes handle "ifd" which has already been closed.
> 1115     	close(ifd);
> 1116     out:
> 1117     	return -1;
> 1118     }
> 1119     
> 1120     int shared_fdt_prepare(struct pstree_item *item)
> 
> ________________________________________________________________________________________________________
> *** CID 1230175:  Write to pointer after free  (USE_AFTER_FREE)
> /util.c: 797 in split()
> 791     
> 792     		if (!(*out)[i]) {
> 793     			int j;
> 794     			for (j = 0; j < i; j++)
> 795     				xfree((*out)[j]);
> 796     			xfree(out);
> >>>     CID 1230175:  Write to pointer after free  (USE_AFTER_FREE)
> >>>     Dereferencing freed pointer "out".
> 797     			*out = NULL;
> 798     			*n = -1;
> 799     			return;
> 800     		}
> 801     
> 802     		i++;
> 803     	} while(cur);