[CRIU] Fwd: New Defects reported by Coverity Scan for avagin/criu
Andrei Vagin
avagin at gmail.com
Fri Oct 4 20:07:19 MSK 2019
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Fri, Oct 4, 2019 at 10:02 AM
Subject: New Defects reported by Coverity Scan for avagin/criu
To: <avagin at gmail.com>
Hi,
Please find the latest report on the new defect(s) introduced to
avagin/criu, as found with Coverity Scan.
11 new defect(s) introduced to avagin/criu were found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 11 of 11 defect(s)
** CID 226486: (RESOURCE_LEAK)
/criu/mount.c: 1506 in add_cr_time_mount()
/criu/mount.c: 1493 in add_cr_time_mount()
________________________________________________________________________________________________________
*** CID 226486: (RESOURCE_LEAK)
/criu/mount.c: 1506 in add_cr_time_mount()
1500 mi->flags = mi->sb_flags = 0;
1501 mi->root = xstrdup("/");
1502 mi->fsname = xstrdup(fsname);
1503 mi->source = xstrdup(fsname);
1504 mi->options = xstrdup("");
1505 if (!mi->root || !mi->fsname || !mi->source || !mi->options)
>>> CID 226486: (RESOURCE_LEAK)
>>> Variable "mi" going out of scope leaks the storage it points to.
1506 return -1;
1507 mi->fstype = find_fstype_by_name(fsname);
1508
1509 mi->s_dev = mi->s_dev_rt = s_dev;
1510
1511 parent = root;
/criu/mount.c: 1493 in add_cr_time_mount()
1487 add_slash = true;
1488 len++;
1489 }
1490
1491 mi->mountpoint = xmalloc(len + strlen(path) + 1);
1492 if (!mi->mountpoint)
>>> CID 226486: (RESOURCE_LEAK)
>>> Variable "mi" going out of scope leaks the storage it points to.
1493 return -1;
1494 mi->ns_mountpoint = mi->mountpoint;
1495 if (!add_slash)
1496 sprintf(mi->mountpoint, "%s%s", root->mountpoint, path);
1497 else
1498 sprintf(mi->mountpoint, "%s/%s",
root->mountpoint, path);
** CID 226485: (RESOURCE_LEAK)
/criu/uffd.c: 1461 in cr_lazy_pages()
/criu/uffd.c: 1468 in cr_lazy_pages()
/criu/uffd.c: 1464 in cr_lazy_pages()
________________________________________________________________________________________________________
*** CID 226485: (RESOURCE_LEAK)
/criu/uffd.c: 1461 in cr_lazy_pages()
1455 * daemon and the cr-restore, and, optionally TCP socket for
1456 * remote pages
1457 */
1458 nr_fds = task_entries->nr_tasks +
(opts.use_page_server ? 2 : 1);
1459 epollfd = epoll_prepare(nr_fds, &events);
1460 if (epollfd < 0)
>>> CID 226485: (RESOURCE_LEAK)
>>> Variable "events" going out of scope leaks the storage it points to.
1461 return -1;
1462
1463 if (prepare_uffds(lazy_sk, epollfd))
1464 return -1;
1465
1466 if (opts.use_page_server) {
/criu/uffd.c: 1468 in cr_lazy_pages()
1462
1463 if (prepare_uffds(lazy_sk, epollfd))
1464 return -1;
1465
1466 if (opts.use_page_server) {
1467 if (connect_to_page_server_to_recv(epollfd))
>>> CID 226485: (RESOURCE_LEAK)
>>> Variable "events" going out of scope leaks the storage it points to.
1468 return -1;
1469 }
1470
1471 ret = handle_requests(epollfd, events, nr_fds);
1472
1473 tls_terminate_session();
1474
1475 return ret;
/criu/uffd.c: 1464 in cr_lazy_pages()
1458 nr_fds = task_entries->nr_tasks +
(opts.use_page_server ? 2 : 1);
1459 epollfd = epoll_prepare(nr_fds, &events);
1460 if (epollfd < 0)
1461 return -1;
1462
1463 if (prepare_uffds(lazy_sk, epollfd))
>>> CID 226485: (RESOURCE_LEAK)
>>> Variable "events" going out of scope leaks the storage it points to.
1464 return -1;
1465
1466 if (opts.use_page_server) {
1467 if (connect_to_page_server_to_recv(epollfd))
1468 return -1;
1469 }
** CID 226484: API usage errors (USE_AFTER_FREE)
/criu/filesystems.c: 659 in dump_empty_fs()
________________________________________________________________________________________________________
*** CID 226484: API usage errors (USE_AFTER_FREE)
/criu/filesystems.c: 659 in dump_empty_fs()
653
654 fd = open_mountpoint(pm);
655 if (fd < 0)
656 return fd;
657
658 ret = is_empty_dir(fd);
>>> CID 226484: API usage errors (USE_AFTER_FREE)
>>> Calling "close(int)" closes handle "fd" which has already been closed.
659 close(fd);
660 if (ret < 0) {
661 pr_err("%s isn't empty\n", pm->fstype->name);
662 return -1;
663 }
664
** CID 226483: Resource leaks (RESOURCE_LEAK)
/criu/cgroup-props.c: 358 in cgp_parse_stream()
________________________________________________________________________________________________________
*** CID 226483: Resource leaks (RESOURCE_LEAK)
/criu/cgroup-props.c: 358 in cgp_parse_stream()
352
353 cgp_entry = NULL;
354 }
355
356 ret = 0;
357 out:
>>> CID 226483: Resource leaks (RESOURCE_LEAK)
>>> Variable "p" going out of scope leaks the storage it points to.
358 return ret;
359
360 err_parse:
361 cgp_free(cgp_entry);
362 ret = -EINVAL;
363 goto out;
** CID 226482: Resource leaks (RESOURCE_LEAK)
/criu/autofs.c: 118 in autofs_kernel_pipe_alive()
________________________________________________________________________________________________________
*** CID 226482: Resource leaks (RESOURCE_LEAK)
/criu/autofs.c: 118 in autofs_kernel_pipe_alive()
112 if (stat(path, &buf) < 0) {
113 if (errno == ENOENT) {
114 xfree(path);
115 return 0;
116 }
117 pr_perror("Failed to stat %s", path);
>>> CID 226482: Resource leaks (RESOURCE_LEAK)
>>> Variable "path" going out of scope leaks the storage it points to.
118 return -1;
119 }
120
121 xfree(path);
122
123 ret = autofs_check_fd_stat(&buf, pgrp, fd, ino, &fd_mode);
** CID 226481: Memory - corruptions (OVERRUN)
/criu/proc_parse.c: 2386 in parse_task_cgroup()
________________________________________________________________________________________________________
*** CID 226481: Memory - corruptions (OVERRUN)
/criu/proc_parse.c: 2386 in parse_task_cgroup()
2380 * try and parse the "internal" cgroup set to find namespace
2381 * boundaries.
2382 */
2383 if (!args)
2384 return 0;
2385
>>> CID 226481: Memory - corruptions (OVERRUN)
>>> Allocating insufficient memory for the terminating null of the string.
2386 f = fmemopen(args->contents, strlen(args->contents), "r");
2387 if (!f) {
2388 pr_perror("couldn't fmemopen cgroup buffer
%s", args->contents);
2389 return -1;
2390 }
2391
** CID 226480: Security best practices violations (STRING_OVERFLOW)
/criu/proc_parse.c: 1351 in parse_mountinfo_ent()
________________________________________________________________________________________________________
*** CID 226480: Security best practices violations (STRING_OVERFLOW)
/criu/proc_parse.c: 1351 in parse_mountinfo_ent()
1345 goto err;
1346
1347 cure_path(new->mountpoint);
1348 cure_path(new->root);
1349
1350 root_link.len = strlen(new->root);
>>> CID 226480: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 4096-character fixed-size string "root_link.name" by copying "new->root" without checking the length.
1351 strcpy(root_link.name, new->root);
1352 if (strip_deleted(&root_link)) {
1353 strcpy(new->root, root_link.name);
1354 new->deleted = true;
1355 }
1356
** CID 226479: (BAD_FREE)
/criu/kerndat.c: 698 in kerndat_detect_stack_guard_gap()
/criu/kerndat.c: 655 in kerndat_detect_stack_guard_gap()
________________________________________________________________________________________________________
*** CID 226479: (BAD_FREE)
/criu/kerndat.c: 698 in kerndat_detect_stack_guard_gap()
692 }
693
694 if (detected)
695 ret = 0;
696
697 err:
>>> CID 226479: (BAD_FREE)
>>> "munmap" frees incorrect pointer "mem".
698 munmap(mem, (1ul << 20));
699 fclose(maps);
700 return ret;
701 }
702
703 static int kerndat_has_inotify_setnextwd(void)
/criu/kerndat.c: 655 in kerndat_detect_stack_guard_gap()
649 pr_perror("Can't mmap stack area");
650 return -1;
651 }
652
653 maps = fopen("/proc/self/maps", "r");
654 if (maps == NULL) {
>>> CID 226479: (BAD_FREE)
>>> "munmap" frees incorrect pointer "mem".
655 munmap(mem, 4096);
656 return -1;
657 }
658
659 while (fgets(buf, sizeof(buf), maps)) {
660 num = sscanf(buf, "%lx-%lx %c%c%c%c",
** CID 226478: (USE_AFTER_FREE)
/criu/irmap.c: 165 in irmap_update_dir()
/criu/irmap.c: 158 in irmap_update_dir()
________________________________________________________________________________________________________
*** CID 226478: (USE_AFTER_FREE)
/criu/irmap.c: 165 in irmap_update_dir()
159 t->nr_kids = nr;
160 return 0;
161
162 out_err:
163 xfree(t->kids);
164 closedir(dfd);
>>> CID 226478: (USE_AFTER_FREE)
>>> Calling "close(int)" closes handle "fd" which has already been closed.
165 close(fd);
166 return -1;
167 }
168
169 static struct irmap *irmap_scan(struct irmap *t, unsigned int
dev, unsigned long ino)
170 {
/criu/irmap.c: 158 in irmap_update_dir()
152 if (errno) {
153 pr_perror("Readdir failed");
154 goto out_err;
155 }
156
157 closedir(dfd);
>>> CID 226478: (USE_AFTER_FREE)
>>> Calling "close(int)" closes handle "fd" which has already been closed.
158 close(fd);
159 t->nr_kids = nr;
160 return 0;
161
162 out_err:
163 xfree(t->kids);
** CID 226477: Resource leaks (RESOURCE_LEAK)
/criu/cr-dump.c: 217 in collect_fds()
________________________________________________________________________________________________________
*** CID 226477: Resource leaks (RESOURCE_LEAK)
/criu/cr-dump.c: 217 in collect_fds()
211 if (sizeof(struct parasite_drain_fd) +
sizeof(int) * (n + 1) > size) {
212 struct parasite_drain_fd *t;
213
214 size += PAGE_SIZE;
215 t = xrealloc(*dfds, size);
216 if (!t)
>>> CID 226477: Resource leaks (RESOURCE_LEAK)
>>> Variable "fd_dir" going out of scope leaks the storage it points to.
217 return -1;
218 *dfds = t;
219 }
220
221 (*dfds)->fds[n++] = atoi(de->d_name);
222 }
** CID 190776: Resource leaks (RESOURCE_LEAK)
/criu/img-remote.c: 477 in handle_accept_cache_read()
________________________________________________________________________________________________________
*** CID 190776: Resource leaks (RESOURCE_LEAK)
/criu/img-remote.c: 477 in handle_accept_cache_read()
471 pr_info("No image %s:%s.\n", path, snapshot_id);
472 if (write_reply_header(cli_fd, ENOENT) < 0)
473 pr_perror("Error writing reply header
for unexisting image");
474 close(cli_fd);
475 xfree(rop);
476 }
>>> CID 190776: Resource leaks (RESOURCE_LEAK)
>>> Variable "rop" going out of scope leaks the storage it points to.
477 return NULL;
478 }
479
480 static void forward_remote_image(struct roperation *rop)
481 {
482 int64_t ret = 0;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRadE4HtGX0xZfM5m05cAqwSn9QqlIeVw-2FkcLgYpA0lPa2hX7Svir7fT2yO4VLkpytk-3D_7XGyd8wnBKQKOUX2qhR2S3Y7QuldqTTvWwLYtKkICxXZYK6w2-2FNijAYpqxWmC-2B-2B5-2BUXlvRW8JPUtIsLkbTXIBn36LUxBIrpR4AbxYvL5A4PPTxaHgyTnmfODMHzTRAsqp-2B5-2FcvUhiF2ZASgWBtD3vFhamQzIKiYTjoUw0dUatMNzHlaYPkzCpcF4S7fM64kolZbqxhW900e8U8kp29-2F8zA-3D-3D