[CRIU] Fwd: New Defects reported by Coverity Scan for avagin/criu

Andrei Vagin avagin at gmail.com
Fri Aug 17 10:10:50 MSK 2018


---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Thu, 16 Aug 2018 at 17:21
Subject: New Defects reported by Coverity Scan for avagin/criu
To: <avagin at gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to avagin/criu
found with Coverity Scan.

3 new defect(s) introduced to avagin/criu found with Coverity Scan.
8 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 191305:    (RESOURCE_LEAK)
/criu/parasite-syscall.c: 480 in parasite_prepare_threads()
/criu/parasite-syscall.c: 492 in parasite_prepare_threads()
/criu/parasite-syscall.c: 492 in parasite_prepare_threads()


________________________________________________________________________________________________________
*** CID 191305:    (RESOURCE_LEAK)
/criu/parasite-syscall.c: 480 in parasite_prepare_threads()
474             thread_ctls = xzalloc(sizeof(*thread_ctls) * item->nr_threads);
475             if (!thread_ctls)
476                     return -1;
477
478             thread_sp = xzalloc(sizeof(*thread_sp) * item->nr_threads);
479             if (!thread_sp)
>>>     CID 191305:    (RESOURCE_LEAK)
>>>     Variable "thread_ctls" going out of scope leaks the storage it points to.
480                     return -1;
481
482             for (i = 0; i < item->nr_threads; i++) {
483                     struct pid *tid = &item->threads[i];
484
485                     if (item->pid->real == tid->real) {
/criu/parasite-syscall.c: 492 in parasite_prepare_threads()
486                             thread_sp[i] = compel_get_leader_sp(ctl);
487                             continue;
488                     }
489
490                     thread_ctls[i] = compel_prepare_thread(ctl, tid->real);
491                     if (!thread_ctls[i])
>>>     CID 191305:    (RESOURCE_LEAK)
>>>     Variable "thread_ctls" going out of scope leaks the storage it points to.
492                             return -1;
493
494                     thread_sp[i] = compel_get_thread_sp(thread_ctls[i]);
495             }
496
497             dmpi(item)->thread_ctls = thread_ctls;
/criu/parasite-syscall.c: 492 in parasite_prepare_threads()
486                             thread_sp[i] = compel_get_leader_sp(ctl);
487                             continue;
488                     }
489
490                     thread_ctls[i] = compel_prepare_thread(ctl, tid->real);
491                     if (!thread_ctls[i])
>>>     CID 191305:    (RESOURCE_LEAK)
>>>     Variable "thread_sp" going out of scope leaks the storage it points to.
492                             return -1;
493
494                     thread_sp[i] = compel_get_thread_sp(thread_ctls[i]);
495             }
496
497             dmpi(item)->thread_ctls = thread_ctls;

** CID 191304:  Security best practices violations  (STRING_OVERFLOW)
/criu/cr-service.c: 1244 in cr_service()


________________________________________________________________________________________________________
*** CID 191304:  Security best practices violations  (STRING_OVERFLOW)
/criu/cr-service.c: 1244 in cr_service()
1238
1239                    if (opts.addr == NULL) {
1240                            pr_warn("Binding to local dir address!\n");
1241                            SET_CHAR_OPTS(addr, CR_DEFAULT_SERVICE_ADDRESS);
1242                    }
1243
>>>     CID 191304:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 108-character fixed-size string "server_addr.sun_path" by copying "opts.addr" without checking the length.
1244                    strcpy(server_addr.sun_path, opts.addr);
1245
1246                    server_addr_len = strlen(server_addr.sun_path)
1247                                    + sizeof(server_addr.sun_family);
1248                    client_addr_len = sizeof(client_addr);
1249

** CID 164715:    (BUFFER_SIZE_WARNING)
/criu/cr-restore.c: 3471 in sigreturn_restore()
/criu/cr-restore.c: 3473 in sigreturn_restore()


________________________________________________________________________________________________________
*** CID 164715:    (BUFFER_SIZE_WARNING)
/criu/cr-restore.c: 3471 in sigreturn_restore()
3465                    sigframe = (struct rt_sigframe *)&mz[i].rt_sigframe;
3466
3467                    if (construct_sigframe(sigframe, sigframe, blkset, tcore))
3468                            goto err;
3469
3470                    if (tcore->thread_core->comm)
>>>     CID 164715:    (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 16 bytes on destination array "thread_args[i].comm" of size 16 bytes might leave the destination string unterminated.
3471                            strncpy(thread_args[i].comm, tcore->thread_core->comm, TASK_COMM_LEN);
3472                    else
3473                            strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN);
3474
3475                    if (thread_args[i].pid != pid)
3476                            core_entry__free_unpacked(tcore, NULL);
/criu/cr-restore.c: 3473 in sigreturn_restore()
3467                    if (construct_sigframe(sigframe, sigframe, blkset, tcore))
3468                            goto err;
3469
3470                    if (tcore->thread_core->comm)
3471                            strncpy(thread_args[i].comm, tcore->thread_core->comm, TASK_COMM_LEN);
3472                    else
>>>     CID 164715:    (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 16 bytes on destination array "thread_args[i].comm" of size 16 bytes might leave the destination string unterminated.
3473                            strncpy(thread_args[i].comm, core->tc->comm, TASK_COMM_LEN);
3474
3475                    if (thread_args[i].pid != pid)
3476                            core_entry__free_unpacked(tcore, NULL);
3477
3478                    pr_info("Thread %4d stack %8p rt_sigframe %8p\n",


________________________________________________________________________________________________________