[CRIU] Fwd: New Defects reported by Coverity Scan for avagin/criu

Andrei Vagin avagin at gmail.com
Fri May 5 14:01:25 PDT 2017


Hi All,

Here is a new report from coverity.  Please take a look and fix your
issues. Thanks.


---------- Forwarded message ----------
From:  <scan-admin at coverity.com>
Date: Fri, May 5, 2017 at 1:54 PM
Subject: New Defects reported by Coverity Scan for avagin/criu
To: avagin at gmail.com



Hi,

Please find the latest report on new defect(s) introduced to
avagin/criu found with Coverity Scan.

13 new defect(s) introduced to avagin/criu found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)


** CID 179043:    (USE_AFTER_FREE)
/criu/vdso.c: 287 in vdso_parse_maps()


________________________________________________________________________________________________________
*** CID 179043:    (USE_AFTER_FREE)
/criu/vdso.c: 287 in vdso_parse_maps()
281                             s->vvar_end = end;
282                     }
283             }
284
285             exit_code = 0;
286     err:
>>>     CID 179043:    (USE_AFTER_FREE)
>>>     Calling "bclose(struct bfd *)" closes handle "f.fd" which has already been closed.
287             bclose(&f);
288             return exit_code;
289     }
290
291     static int validate_vdso_addr(struct vdso_symtable *s)
292     {
/criu/vdso.c: 287 in vdso_parse_maps()
281                             s->vvar_end = end;
282                     }
283             }
284
285             exit_code = 0;
286     err:
>>>     CID 179043:    (USE_AFTER_FREE)
>>>     Passing closed handle "f.fd" as an argument to "bclose".
287             bclose(&f);
288             return exit_code;
289     }
290
291     static int validate_vdso_addr(struct vdso_symtable *s)
292     {

** CID 179042:  Memory - illegal accesses  (USE_AFTER_FREE)
/criu/proc_parse.c: 2320 in parse_threads()


________________________________________________________________________________________________________
*** CID 179042:  Memory - illegal accesses  (USE_AFTER_FREE)
/criu/proc_parse.c: 2320 in parse_threads()
2314                            t[nr - 1] = xmalloc(sizeof(struct pid));
2315                            if (!t[nr - 1]) {
2316                                    while (--nr > 0)
2317                                            xfree(t[nr-1]);
2318                                    xfree(t);
2319                            }
>>>     CID 179042:  Memory - illegal accesses  (USE_AFTER_FREE)
>>>     Using freed pointer "t".
2320                            t[nr - 1]->ns[0].virt = -1;
2321                    }
2322                    t[nr - 1]->real = atoi(de->d_name);
2323                    t[nr - 1]->state = TASK_THREAD;
2324                    t[nr - 1]->level = 1;
2325                    nr++;

** CID 179041:  Resource leaks  (RESOURCE_LEAK)
/criu/kerndat.c: 673 in kerndat_try_load_cache()


________________________________________________________________________________________________________
*** CID 179041:  Resource leaks  (RESOURCE_LEAK)
/criu/kerndat.c: 673 in kerndat_try_load_cache()
667                     return 1;
668             }
669
670             ret = read(fd, &kdat, sizeof(kdat));
671             if (ret < 0) {
672                     pr_perror("Can't read kdat cache");
>>>     CID 179041:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "fd" going out of scope leaks the handle.
673                     return -1;
674             }
675
676             close(fd);
677
678             if (ret != sizeof(kdat) ||

** CID 179040:    (RESOURCE_LEAK)
/criu/namespaces.c: 2639 in do_create_pid_ns_helper()
/criu/namespaces.c: 2650 in do_create_pid_ns_helper()
/criu/namespaces.c: 2655 in do_create_pid_ns_helper()
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()
/criu/namespaces.c: 2665 in do_create_pid_ns_helper()
/criu/namespaces.c: 2679 in do_create_pid_ns_helper()
/criu/namespaces.c: 2686 in do_create_pid_ns_helper()


________________________________________________________________________________________________________
*** CID 179040:    (RESOURCE_LEAK)
/criu/namespaces.c: 2639 in do_create_pid_ns_helper()
2633            if (sk < 0)
2634                    return -1;
2635
2636            pid = __pstree_pid_by_virt(ns, ns->ns_pid);
2637            if (!pid) {
2638                    pr_err("Can't find helper reserved pid\n");
>>>     CID 179040:    (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2639                    return -1;
2640            }
2641
2642            tmp = ns->parent;
2643            if (tmp) {
2644                    futex_t *f = &tmp->pid.helper_created;
/criu/namespaces.c: 2650 in do_create_pid_ns_helper()
2644                    futex_t *f = &tmp->pid.helper_created;
2645                    futex_wait_while_eq(f, 0);
2646            }
2647
2648            if (switch_ns(root_item->pid->real, &mnt_ns_desc, &mnt_ns_fd) < 0) {
2649                    pr_err("Can't set mnt_ns\n");
>>>     CID 179040:    (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2650                    return -1;
2651            }
2652
2653            lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654            if (lock_fd < 0)
2655                    return -1;
/criu/namespaces.c: 2655 in do_create_pid_ns_helper()
2649                    pr_err("Can't set mnt_ns\n");
2650                    return -1;
2651            }
2652
2653            lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654            if (lock_fd < 0)
>>>     CID 179040:    (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2655                    return -1;
2656
2657            if (restore_ns(mnt_ns_fd, &mnt_ns_desc) < 0) {
2658                    pr_err("Can't restore ns\n");
2659                    return -1;
2660            }
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()
2653            lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654            if (lock_fd < 0)
2655                    return -1;
2656
2657            if (restore_ns(mnt_ns_fd, &mnt_ns_desc) < 0) {
2658                    pr_err("Can't restore ns\n");
>>>     CID 179040:    (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2659                    return -1;
2660            }
2661
2662            if (flock(lock_fd, LOCK_EX)) {
2663                    close(lock_fd);
2664                    pr_perror("Can't lock %s", LAST_PID_PATH);
/criu/namespaces.c: 2665 in do_create_pid_ns_helper()
2659                    return -1;
2660            }
2661
2662            if (flock(lock_fd, LOCK_EX)) {
2663                    close(lock_fd);
2664                    pr_perror("Can't lock %s", LAST_PID_PATH);
>>>     CID 179040:    (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2665                    return -1;
2666            }
2667
2668            transport_fd = get_service_fd(TRANSPORT_FD_OFF);
2669            /*
2670             * Starting not from pid->level - 1, as it's helper has not created yet
/criu/namespaces.c: 2679 in do_create_pid_ns_helper()
2673             */
2674            for (i = pid->level - 2, tmp = ns->parent; i >= 0; i--, tmp = tmp->parent)
2675                    if (request_set_next_pid(tmp->id, pid->ns[i].virt, transport_fd)) {
2676                            pr_err("Can't set next pid using helper\n");
2677                            flock(lock_fd, LOCK_UN);
2678                            close(lock_fd);
>>>     CID 179040:    (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2679                            return -1;
2680                    }
2681            child = fork();
2682            if (child < 0) {
2683                    flock(lock_fd, LOCK_UN);
2684                    close(lock_fd);
/criu/namespaces.c: 2686 in do_create_pid_ns_helper()
2680                    }
2681            child = fork();
2682            if (child < 0) {
2683                    flock(lock_fd, LOCK_UN);
2684                    close(lock_fd);
2685                    pr_perror("Can't fork");
>>>     CID 179040:    (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2686                    return -1;
2687            } else if (!child) {
2688                    close(lock_fd);
2689                    exit(pid_ns_helper(ns, sk));
2690            }
2691            close(sk);

** CID 179039:  Resource leaks  (RESOURCE_LEAK)
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()


________________________________________________________________________________________________________
*** CID 179039:  Resource leaks  (RESOURCE_LEAK)
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()
2653            lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654            if (lock_fd < 0)
2655                    return -1;
2656
2657            if (restore_ns(mnt_ns_fd, &mnt_ns_desc) < 0) {
2658                    pr_err("Can't restore ns\n");
>>>     CID 179039:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "lock_fd" going out of scope leaks the handle.
2659                    return -1;
2660            }
2661
2662            if (flock(lock_fd, LOCK_EX)) {
2663                    close(lock_fd);
2664                    pr_perror("Can't lock %s", LAST_PID_PATH);

** CID 179038:  Resource leaks  (RESOURCE_LEAK)
/criu/namespaces.c: 2558 in pid_ns_helper_sock()


________________________________________________________________________________________________________
*** CID 179038:  Resource leaks  (RESOURCE_LEAK)
/criu/namespaces.c: 2558 in pid_ns_helper_sock()
2552                    return -1;
2553            }
2554            pid_ns_helper_socket_name(&addr, &len, ns->id);
2555
2556            if (bind(sk, (struct sockaddr *)&addr, len) < 0) {
2557                    pr_perror("Can't bind pid_ns sock");
>>>     CID 179038:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "sk" going out of scope leaks the handle.
2558                    return -1;
2559            }
2560
2561            return sk;
2562     }
2563

** CID 179037:  Resource leaks  (RESOURCE_LEAK)
/criu/namespaces.c: 1568 in usernsd()


________________________________________________________________________________________________________
*** CID 179037:  Resource leaks  (RESOURCE_LEAK)
/criu/namespaces.c: 1568 in usernsd()
1562                    pr_perror("Can't bind transport sock");
1563                    return -1;
1564            }
1565
1566            if (install_service_fd(TRANSPORT_FD_OFF, transport_fd) < 0) {
1567                    pr_perror("Can't install transport fd\n");
>>>     CID 179037:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "transport_fd" going out of scope leaks the handle.
1568                    return -1;
1569            }
1570
1571            if (criu_signals_setup(usernsd_handler) < 0) {
1572                    pr_err("Can't setup handler\n");
1573                    return -1;

** CID 179036:  Integer handling issues  (NEGATIVE_RETURNS)
/criu/namespaces.c: 2748 in do_destroy_pid_ns_helper()


________________________________________________________________________________________________________
*** CID 179036:  Integer handling issues  (NEGATIVE_RETURNS)
/criu/namespaces.c: 2748 in do_destroy_pid_ns_helper()
2742
2743            if (block_sigmask(&sig_mask, SIGCHLD)) {
2744                    sig_blocked = false;
2745                    ret = -1;
2746            }
2747
>>>     CID 179036:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     Assigning: signed variable "sk" = "get_service_fd".
2748            sk = get_service_fd(TRANSPORT_FD_OFF);
2749
2750            for (ns = ns_ids; ns; ns = ns->next) {
2751                    if (ns->nd != &pid_ns_desc)
2752                            continue;
2753                    if (request_set_next_pid(ns->id, 0, sk) == 0)

** CID 179035:  Integer handling issues  (NEGATIVE_RETURNS)
/criu/namespaces.c: 2668 in do_create_pid_ns_helper()


________________________________________________________________________________________________________
*** CID 179035:  Integer handling issues  (NEGATIVE_RETURNS)
/criu/namespaces.c: 2668 in do_create_pid_ns_helper()
2662            if (flock(lock_fd, LOCK_EX)) {
2663                    close(lock_fd);
2664                    pr_perror("Can't lock %s", LAST_PID_PATH);
2665                    return -1;
2666            }
2667
>>>     CID 179035:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     Assigning: signed variable "transport_fd" = "get_service_fd".
2668            transport_fd = get_service_fd(TRANSPORT_FD_OFF);
2669            /*
2670             * Starting not from pid->level - 1, as it's helper has not created yet
2671             * (we're creating it in the moment), and the true pid for this level
2672             * is set by the task, who does close(CLONE_NEWPID) (this task is sender of fd).
2673             */

** CID 179034:  Error handling issues  (NEGATIVE_RETURNS)
/criu/pagemap.c: 397 in maybe_read_page_img_cache()


________________________________________________________________________________________________________
*** CID 179034:  Error handling issues  (NEGATIVE_RETURNS)
/criu/pagemap.c: 397 in maybe_read_page_img_cache()
391             int fd = img_raw_fd(pr->pi);
392             int ret;
393             size_t curr = 0;
394
395             pr_debug("\tpr%d-%u Read page from self %lx/%"PRIx64"\n", pr->pid, pr->id, pr->cvaddr, pr->pi_off);
396             while (1) {
>>>     CID 179034:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "fd" is passed to a parameter that cannot be negative.
397                     ret = read(fd, buf + curr, len - curr);
398                     if (ret < 0) {
399                             pr_perror("Can't read mapping page %d", ret);
400                             return -1;
401                     }
402                     curr += ret;

** CID 179033:  Integer handling issues  (NEGATIVE_RETURNS)
/criu/cr-restore.c: 411 in set_next_pid()


________________________________________________________________________________________________________
*** CID 179033:  Integer handling issues  (NEGATIVE_RETURNS)
/criu/cr-restore.c: 411 in set_next_pid()
405             if (!(root_ns_mask & CLONE_NEWPID)) {
406                     if (last_level_pid(pid) == INIT_PID)
407                             return 0;
408                     return __set_next_pid(last_level_pid(pid));
409             }
410
>>>     CID 179033:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     Assigning: signed variable "sk" = "get_service_fd".
411             sk = get_service_fd(TRANSPORT_FD_OFF);
412
413             for (i = level - 1; i >= 0; i--, pid_ns = pid_ns->parent) {
414                     if (i == level - 1 && last_level_pid(pid) == INIT_PID)
415                             continue;
416                     if (request_set_next_pid(pid_ns->id, pid->ns[i].virt, sk) < 0) {

** CID 179032:  Error handling issues  (CHECKED_RETURN)
/criu/sysctl.c: 324 in __userns_sysctl_op()


________________________________________________________________________________________________________
*** CID 179032:  Error handling issues  (CHECKED_RETURN)
/criu/sysctl.c: 324 in __userns_sysctl_op()
318
319             if (waitpid(worker, &status, 0) != worker) {
320                     pr_perror("worker didn't die?");
321                     kill(worker, SIGKILL);
322                     goto out;
323             }
>>>     CID 179032:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "sigprocmask" without checking return value (as is done elsewhere 8 out of 10 times).
324             sigprocmask(SIG_SETMASK, &oldmask, NULL);
325
326             if (!WIFEXITED(status) || WEXITSTATUS(status)) {
327                     pr_err("worker failed: %d\n", status);
328                     goto out;
329             }

** CID 179031:  Error handling issues  (CHECKED_RETURN)
/criu/namespaces.c: 1825 in stop_usernsd()


________________________________________________________________________________________________________
*** CID 179031:  Error handling issues  (CHECKED_RETURN)
/criu/namespaces.c: 1825 in stop_usernsd()
1819                    if (WIFEXITED(status))
1820                            ret = WEXITSTATUS(status);
1821                    else
1822                            ret = -1;
1823
1824                    usernsd_pid = 0;
>>>     CID 179031:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "sigprocmask" without checking return value (as is done elsewhere 8 out of 10 times).
1825                    sigprocmask(SIG_SETMASK, &oldmask, NULL);
1826
1827                    if (ret != 0)
1828                            pr_err("uns: daemon exited abnormally\n");
1829                    else
1830                            pr_info("uns: daemon stopped\n");


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRadE4HtGX0xZfM5m05cAqwSn9QqlIeVw-2FkcLgYpA0lPa4-2FPFHPsi12cWgYDDPc-2BEFA-3D_7XGyd8wnBKQKOUX2qhR2S3Y7QuldqTTvWwLYtKkICxXF-2B2gLNVvy1aI0pjar2Z7kq5fuagUlz5pCyUNjwUmXE87eVIuZ16oQdX9PWyVwxls9KqkeCuTSN-2BSilJciplHAikizmQCbiniI7E8dL8dTGoC-2FiDnp1BRXxzWxOPskfk-2BLwF6rlx5ofcP6ypjVUQ2CrGpe1XcBjRPHAn0RLFtZiw-3D-3D

To manage Coverity Scan email notifications for "avagin at gmail.com",
click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq44kXajrJ468k-2Fv66mxYCIPsDiUCv-2B4KWm4khKJsFIPV5Ax9D4yYQUTik4CXrp0zKb-2B58ffTkdow6VNvG3RJ5t0Etx-2BiRAJHZZFXBSHBHLrQE-3D_7XGyd8wnBKQKOUX2qhR2S3Y7QuldqTTvWwLYtKkICxXF-2B2gLNVvy1aI0pjar2Z7kV4GgzTMmi1tdzhRfoUD3-2F6BbbIsc30BwHTd-2FvrmwJonmbzbQq4WJ39GETEZ6RmPlk4JWZHxBmwZMr2-2FWjSU0JMOA3Tahm51w50vW8UWIdDl3UXaVJ7pBbbRTPqOrYBMjEQ4Rzq5hLqjWEm40Ci6XsQ-3D-3D