[CRIU] Fwd: New Defects reported by Coverity Scan for avagin/criu
Andrei Vagin
avagin at gmail.com
Fri May 5 14:01:25 PDT 2017
Hi All,
Here is a new report from Coverity. Please take a look and fix your
issues. Thanks.
---------- Forwarded message ----------
From: <scan-admin at coverity.com>
Date: Fri, May 5, 2017 at 1:54 PM
Subject: New Defects reported by Coverity Scan for avagin/criu
To: avagin at gmail.com
Hi,
Please find the latest report on new defect(s) introduced to
avagin/criu found with Coverity Scan.
13 new defect(s) introduced to avagin/criu found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, was marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)
** CID 179043: (USE_AFTER_FREE)
/criu/vdso.c: 287 in vdso_parse_maps()
________________________________________________________________________________________________________
*** CID 179043: (USE_AFTER_FREE)
/criu/vdso.c: 287 in vdso_parse_maps()
281 s->vvar_end = end;
282 }
283 }
284
285 exit_code = 0;
286 err:
>>> CID 179043: (USE_AFTER_FREE)
>>> Calling "bclose(struct bfd *)" closes handle "f.fd" which has already been closed.
287 bclose(&f);
288 return exit_code;
289 }
290
291 static int validate_vdso_addr(struct vdso_symtable *s)
292 {
/criu/vdso.c: 287 in vdso_parse_maps()
281 s->vvar_end = end;
282 }
283 }
284
285 exit_code = 0;
286 err:
>>> CID 179043: (USE_AFTER_FREE)
>>> Passing closed handle "f.fd" as an argument to "bclose".
287 bclose(&f);
288 return exit_code;
289 }
290
291 static int validate_vdso_addr(struct vdso_symtable *s)
292 {
** CID 179042: Memory - illegal accesses (USE_AFTER_FREE)
/criu/proc_parse.c: 2320 in parse_threads()
________________________________________________________________________________________________________
*** CID 179042: Memory - illegal accesses (USE_AFTER_FREE)
/criu/proc_parse.c: 2320 in parse_threads()
2314 t[nr - 1] = xmalloc(sizeof(struct pid));
2315 if (!t[nr - 1]) {
2316 while (--nr > 0)
2317 xfree(t[nr-1]);
2318 xfree(t);
2319 }
>>> CID 179042: Memory - illegal accesses (USE_AFTER_FREE)
>>> Using freed pointer "t".
2320 t[nr - 1]->ns[0].virt = -1;
2321 }
2322 t[nr - 1]->real = atoi(de->d_name);
2323 t[nr - 1]->state = TASK_THREAD;
2324 t[nr - 1]->level = 1;
2325 nr++;
** CID 179041: Resource leaks (RESOURCE_LEAK)
/criu/kerndat.c: 673 in kerndat_try_load_cache()
________________________________________________________________________________________________________
*** CID 179041: Resource leaks (RESOURCE_LEAK)
/criu/kerndat.c: 673 in kerndat_try_load_cache()
667 return 1;
668 }
669
670 ret = read(fd, &kdat, sizeof(kdat));
671 if (ret < 0) {
672 pr_perror("Can't read kdat cache");
>>> CID 179041: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "fd" going out of scope leaks the handle.
673 return -1;
674 }
675
676 close(fd);
677
678 if (ret != sizeof(kdat) ||
** CID 179040: (RESOURCE_LEAK)
/criu/namespaces.c: 2639 in do_create_pid_ns_helper()
/criu/namespaces.c: 2650 in do_create_pid_ns_helper()
/criu/namespaces.c: 2655 in do_create_pid_ns_helper()
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()
/criu/namespaces.c: 2665 in do_create_pid_ns_helper()
/criu/namespaces.c: 2679 in do_create_pid_ns_helper()
/criu/namespaces.c: 2686 in do_create_pid_ns_helper()
________________________________________________________________________________________________________
*** CID 179040: (RESOURCE_LEAK)
/criu/namespaces.c: 2639 in do_create_pid_ns_helper()
2633 if (sk < 0)
2634 return -1;
2635
2636 pid = __pstree_pid_by_virt(ns, ns->ns_pid);
2637 if (!pid) {
2638 pr_err("Can't find helper reserved pid\n");
>>> CID 179040: (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2639 return -1;
2640 }
2641
2642 tmp = ns->parent;
2643 if (tmp) {
2644 futex_t *f = &tmp->pid.helper_created;
/criu/namespaces.c: 2650 in do_create_pid_ns_helper()
2644 futex_t *f = &tmp->pid.helper_created;
2645 futex_wait_while_eq(f, 0);
2646 }
2647
2648 if (switch_ns(root_item->pid->real, &mnt_ns_desc,
&mnt_ns_fd) < 0) {
2649 pr_err("Can't set mnt_ns\n");
>>> CID 179040: (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2650 return -1;
2651 }
2652
2653 lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654 if (lock_fd < 0)
2655 return -1;
/criu/namespaces.c: 2655 in do_create_pid_ns_helper()
2649 pr_err("Can't set mnt_ns\n");
2650 return -1;
2651 }
2652
2653 lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654 if (lock_fd < 0)
>>> CID 179040: (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2655 return -1;
2656
2657 if (restore_ns(mnt_ns_fd, &mnt_ns_desc) < 0) {
2658 pr_err("Can't restore ns\n");
2659 return -1;
2660 }
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()
2653 lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654 if (lock_fd < 0)
2655 return -1;
2656
2657 if (restore_ns(mnt_ns_fd, &mnt_ns_desc) < 0) {
2658 pr_err("Can't restore ns\n");
>>> CID 179040: (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2659 return -1;
2660 }
2661
2662 if (flock(lock_fd, LOCK_EX)) {
2663 close(lock_fd);
2664 pr_perror("Can't lock %s", LAST_PID_PATH);
/criu/namespaces.c: 2665 in do_create_pid_ns_helper()
2659 return -1;
2660 }
2661
2662 if (flock(lock_fd, LOCK_EX)) {
2663 close(lock_fd);
2664 pr_perror("Can't lock %s", LAST_PID_PATH);
>>> CID 179040: (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2665 return -1;
2666 }
2667
2668 transport_fd = get_service_fd(TRANSPORT_FD_OFF);
2669 /*
2670 * Starting not from pid->level - 1, as it's helper
has not created yet
/criu/namespaces.c: 2679 in do_create_pid_ns_helper()
2673 */
2674 for (i = pid->level - 2, tmp = ns->parent; i >= 0;
i--, tmp = tmp->parent)
2675 if (request_set_next_pid(tmp->id,
pid->ns[i].virt, transport_fd)) {
2676 pr_err("Can't set next pid using helper\n");
2677 flock(lock_fd, LOCK_UN);
2678 close(lock_fd);
>>> CID 179040: (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2679 return -1;
2680 }
2681 child = fork();
2682 if (child < 0) {
2683 flock(lock_fd, LOCK_UN);
2684 close(lock_fd);
/criu/namespaces.c: 2686 in do_create_pid_ns_helper()
2680 }
2681 child = fork();
2682 if (child < 0) {
2683 flock(lock_fd, LOCK_UN);
2684 close(lock_fd);
2685 pr_perror("Can't fork");
>>> CID 179040: (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2686 return -1;
2687 } else if (!child) {
2688 close(lock_fd);
2689 exit(pid_ns_helper(ns, sk));
2690 }
2691 close(sk);
** CID 179039: Resource leaks (RESOURCE_LEAK)
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()
________________________________________________________________________________________________________
*** CID 179039: Resource leaks (RESOURCE_LEAK)
/criu/namespaces.c: 2659 in do_create_pid_ns_helper()
2653 lock_fd = open("/proc/" LAST_PID_PATH, O_RDONLY);
2654 if (lock_fd < 0)
2655 return -1;
2656
2657 if (restore_ns(mnt_ns_fd, &mnt_ns_desc) < 0) {
2658 pr_err("Can't restore ns\n");
>>> CID 179039: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "lock_fd" going out of scope leaks the handle.
2659 return -1;
2660 }
2661
2662 if (flock(lock_fd, LOCK_EX)) {
2663 close(lock_fd);
2664 pr_perror("Can't lock %s", LAST_PID_PATH);
** CID 179038: Resource leaks (RESOURCE_LEAK)
/criu/namespaces.c: 2558 in pid_ns_helper_sock()
________________________________________________________________________________________________________
*** CID 179038: Resource leaks (RESOURCE_LEAK)
/criu/namespaces.c: 2558 in pid_ns_helper_sock()
2552 return -1;
2553 }
2554 pid_ns_helper_socket_name(&addr, &len, ns->id);
2555
2556 if (bind(sk, (struct sockaddr *)&addr, len) < 0) {
2557 pr_perror("Can't bind pid_ns sock");
>>> CID 179038: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "sk" going out of scope leaks the handle.
2558 return -1;
2559 }
2560
2561 return sk;
2562 }
2563
** CID 179037: Resource leaks (RESOURCE_LEAK)
/criu/namespaces.c: 1568 in usernsd()
________________________________________________________________________________________________________
*** CID 179037: Resource leaks (RESOURCE_LEAK)
/criu/namespaces.c: 1568 in usernsd()
1562 pr_perror("Can't bind transport sock");
1563 return -1;
1564 }
1565
1566 if (install_service_fd(TRANSPORT_FD_OFF, transport_fd) < 0) {
1567 pr_perror("Can't install transport fd\n");
>>> CID 179037: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "transport_fd" going out of scope leaks the handle.
1568 return -1;
1569 }
1570
1571 if (criu_signals_setup(usernsd_handler) < 0) {
1572 pr_err("Can't setup handler\n");
1573 return -1;
** CID 179036: Integer handling issues (NEGATIVE_RETURNS)
/criu/namespaces.c: 2748 in do_destroy_pid_ns_helper()
________________________________________________________________________________________________________
*** CID 179036: Integer handling issues (NEGATIVE_RETURNS)
/criu/namespaces.c: 2748 in do_destroy_pid_ns_helper()
2742
2743 if (block_sigmask(&sig_mask, SIGCHLD)) {
2744 sig_blocked = false;
2745 ret = -1;
2746 }
2747
>>> CID 179036: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "sk" = "get_service_fd".
2748 sk = get_service_fd(TRANSPORT_FD_OFF);
2749
2750 for (ns = ns_ids; ns; ns = ns->next) {
2751 if (ns->nd != &pid_ns_desc)
2752 continue;
2753 if (request_set_next_pid(ns->id, 0, sk) == 0)
** CID 179035: Integer handling issues (NEGATIVE_RETURNS)
/criu/namespaces.c: 2668 in do_create_pid_ns_helper()
________________________________________________________________________________________________________
*** CID 179035: Integer handling issues (NEGATIVE_RETURNS)
/criu/namespaces.c: 2668 in do_create_pid_ns_helper()
2662 if (flock(lock_fd, LOCK_EX)) {
2663 close(lock_fd);
2664 pr_perror("Can't lock %s", LAST_PID_PATH);
2665 return -1;
2666 }
2667
>>> CID 179035: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "transport_fd" = "get_service_fd".
2668 transport_fd = get_service_fd(TRANSPORT_FD_OFF);
2669 /*
2670 * Starting not from pid->level - 1, as it's helper
has not created yet
2671 * (we're creating it in the moment), and the true pid
for this level
2672 * is set by the task, who does close(CLONE_NEWPID)
(this task is sender of fd).
2673 */
** CID 179034: Error handling issues (NEGATIVE_RETURNS)
/criu/pagemap.c: 397 in maybe_read_page_img_cache()
________________________________________________________________________________________________________
*** CID 179034: Error handling issues (NEGATIVE_RETURNS)
/criu/pagemap.c: 397 in maybe_read_page_img_cache()
391 int fd = img_raw_fd(pr->pi);
392 int ret;
393 size_t curr = 0;
394
395 pr_debug("\tpr%d-%u Read page from self
%lx/%"PRIx64"\n", pr->pid, pr->id, pr->cvaddr, pr->pi_off);
396 while (1) {
>>> CID 179034: Error handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative.
397 ret = read(fd, buf + curr, len - curr);
398 if (ret < 0) {
399 pr_perror("Can't read mapping page %d", ret);
400 return -1;
401 }
402 curr += ret;
** CID 179033: Integer handling issues (NEGATIVE_RETURNS)
/criu/cr-restore.c: 411 in set_next_pid()
________________________________________________________________________________________________________
*** CID 179033: Integer handling issues (NEGATIVE_RETURNS)
/criu/cr-restore.c: 411 in set_next_pid()
405 if (!(root_ns_mask & CLONE_NEWPID)) {
406 if (last_level_pid(pid) == INIT_PID)
407 return 0;
408 return __set_next_pid(last_level_pid(pid));
409 }
410
>>> CID 179033: Integer handling issues (NEGATIVE_RETURNS)
>>> Assigning: signed variable "sk" = "get_service_fd".
411 sk = get_service_fd(TRANSPORT_FD_OFF);
412
413 for (i = level - 1; i >= 0; i--, pid_ns = pid_ns->parent) {
414 if (i == level - 1 && last_level_pid(pid) == INIT_PID)
415 continue;
416 if (request_set_next_pid(pid_ns->id,
pid->ns[i].virt, sk) < 0) {
** CID 179032: Error handling issues (CHECKED_RETURN)
/criu/sysctl.c: 324 in __userns_sysctl_op()
________________________________________________________________________________________________________
*** CID 179032: Error handling issues (CHECKED_RETURN)
/criu/sysctl.c: 324 in __userns_sysctl_op()
318
319 if (waitpid(worker, &status, 0) != worker) {
320 pr_perror("worker didn't die?");
321 kill(worker, SIGKILL);
322 goto out;
323 }
>>> CID 179032: Error handling issues (CHECKED_RETURN)
>>> Calling "sigprocmask" without checking return value (as is done elsewhere 8 out of 10 times).
324 sigprocmask(SIG_SETMASK, &oldmask, NULL);
325
326 if (!WIFEXITED(status) || WEXITSTATUS(status)) {
327 pr_err("worker failed: %d\n", status);
328 goto out;
329 }
** CID 179031: Error handling issues (CHECKED_RETURN)
/criu/namespaces.c: 1825 in stop_usernsd()
________________________________________________________________________________________________________
*** CID 179031: Error handling issues (CHECKED_RETURN)
/criu/namespaces.c: 1825 in stop_usernsd()
1819 if (WIFEXITED(status))
1820 ret = WEXITSTATUS(status);
1821 else
1822 ret = -1;
1823
1824 usernsd_pid = 0;
>>> CID 179031: Error handling issues (CHECKED_RETURN)
>>> Calling "sigprocmask" without checking return value (as is done elsewhere 8 out of 10 times).
1825 sigprocmask(SIG_SETMASK, &oldmask, NULL);
1826
1827 if (ret != 0)
1828 pr_err("uns: daemon exited abnormally\n");
1829 else
1830 pr_info("uns: daemon stopped\n");
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRadE4HtGX0xZfM5m05cAqwSn9QqlIeVw-2FkcLgYpA0lPa4-2FPFHPsi12cWgYDDPc-2BEFA-3D_7XGyd8wnBKQKOUX2qhR2S3Y7QuldqTTvWwLYtKkICxXF-2B2gLNVvy1aI0pjar2Z7kq5fuagUlz5pCyUNjwUmXE87eVIuZ16oQdX9PWyVwxls9KqkeCuTSN-2BSilJciplHAikizmQCbiniI7E8dL8dTGoC-2FiDnp1BRXxzWxOPskfk-2BLwF6rlx5ofcP6ypjVUQ2CrGpe1XcBjRPHAn0RLFtZiw-3D-3D
To manage Coverity Scan email notifications for "avagin at gmail.com",
click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq44kXajrJ468k-2Fv66mxYCIPsDiUCv-2B4KWm4khKJsFIPV5Ax9D4yYQUTik4CXrp0zKb-2B58ffTkdow6VNvG3RJ5t0Etx-2BiRAJHZZFXBSHBHLrQE-3D_7XGyd8wnBKQKOUX2qhR2S3Y7QuldqTTvWwLYtKkICxXF-2B2gLNVvy1aI0pjar2Z7kV4GgzTMmi1tdzhRfoUD3-2F6BbbIsc30BwHTd-2FvrmwJonmbzbQq4WJ39GETEZ6RmPlk4JWZHxBmwZMr2-2FWjSU0JMOA3Tahm51w50vW8UWIdDl3UXaVJ7pBbbRTPqOrYBMjEQ4Rzq5hLqjWEm40Ci6XsQ-3D-3D