Re: New Defects reported by Coverity Scan for QEMU
From: Greg Kurz
Subject: Re: New Defects reported by Coverity Scan for QEMU
Date: Mon, 12 Jul 2021 11:42:08 +0200
On Mon, 12 Jul 2021 19:26:20 +1000
Alexey Kardashevskiy <aik@ozlabs.ru> wrote:
> How do you run it?
>
I don't run it. I just get a report from the scans that
are run regularly against master. I'm not sure if anyone
can run a scan, Cc'ing Peter for details.
>
> On 12/07/2021 19:25, Greg Kurz wrote:
> > FYI
> >
> > Coverity detected some issues in VOF
> >
> > Cheers,
> >
> > --
> > Greg
> >
> > Begin forwarded message:
> >
> > Date: Sat, 10 Jul 2021 21:03:27 +0000
> > From: scan-admin@coverity.com
> > To: groug@kaod.org
> > Subject: New Defects reported by Coverity Scan for QEMU
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to QEMU found
> > with Coverity Scan.
> >
> > 8 new defect(s) introduced to QEMU found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 8 of 8 defect(s)
> >
> >
> > ** CID 1458139: Error handling issues (NEGATIVE_RETURNS)
> > /qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458139: Error handling issues (NEGATIVE_RETURNS)
> > /qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()
> > 539 uint32_t phandle = vof_instance_to_package(vof, ihandle);
> > 540 char tmp[VOF_MAX_PATH] = "";
> > 541
> > 542 if (phandle != -1) {
> > 543 ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
> > 544 if (ret > 0) {
> >>>> CID 1458139: Error handling issues (NEGATIVE_RETURNS)
> >>>> "ret" is passed to a parameter that cannot be negative. [Note: The
> >>>> source code implementation of the function has been overridden by a user
> >>>> model.]
> > 545 if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
> > 546 ret = -1;
> > 547 }
> > 548 }
> > 549 }
> > 550 trace_vof_instance_to_path(ihandle, phandle, tmp, ret);
> >
> > ** CID 1458138: Memory - corruptions (OVERRUN)
> > /qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458138: Memory - corruptions (OVERRUN)
> > /qemu/hw/ppc/vof.c: 545 in vof_instance_to_path()
> > 539 uint32_t phandle = vof_instance_to_package(vof, ihandle);
> > 540 char tmp[VOF_MAX_PATH] = "";
> > 541
> > 542 if (phandle != -1) {
> > 543 ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
> > 544 if (ret > 0) {
> >>>> CID 1458138: Memory - corruptions (OVERRUN)
> >>>> Overrunning array "tmp" of 256 bytes by passing it to a function
> >>>> which accesses it at byte offset 4294967289 using argument "ret" (which
> >>>> evaluates to 4294967290). [Note: The source code implementation of the
> >>>> function has been overridden by a user model.]
> > 545 if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
> > 546 ret = -1;
> > 547 }
> > 548 }
> > 549 }
> > 550 trace_vof_instance_to_path(ihandle, phandle, tmp, ret);
> >
> > ** CID 1458137: Error handling issues (NEGATIVE_RETURNS)
> > /qemu/hw/ppc/vof.c: 525 in vof_package_to_path()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458137: Error handling issues (NEGATIVE_RETURNS)
> > /qemu/hw/ppc/vof.c: 525 in vof_package_to_path()
> > 519 {
> > 520 uint32_t ret = -1;
> > 521 char tmp[VOF_MAX_PATH] = "";
> > 522
> > 523 ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
> > 524 if (ret > 0) {
> >>>> CID 1458137: Error handling issues (NEGATIVE_RETURNS)
> >>>> "ret" is passed to a parameter that cannot be negative. [Note: The
> >>>> source code implementation of the function has been overridden by a user
> >>>> model.]
> > 525 if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
> > 526 ret = -1;
> > 527 }
> > 528 }
> > 529
> > 530 trace_vof_package_to_path(phandle, tmp, ret);
> >
> > ** CID 1458136: Error handling issues (CHECKED_RETURN)
> > /qemu/hw/riscv/boot.c: 201 in riscv_load_fdt()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458136: Error handling issues (CHECKED_RETURN)
> > /qemu/hw/riscv/boot.c: 201 in riscv_load_fdt()
> > 195 * Thus, put it at an 16MB aligned address that less than fdt size from the
> > 196 * end of dram or 3GB whichever is lesser.
> > 197 */
> > 198 temp = MIN(dram_end, 3072 * MiB);
> > 199 fdt_addr = QEMU_ALIGN_DOWN(temp - fdtsize, 16 * MiB);
> > 200
> >>>> CID 1458136: Error handling issues (CHECKED_RETURN)
> >>>> Calling "fdt_pack" without checking return value (as is done
> >>>> elsewhere 4 out of 5 times).
> > 201 fdt_pack(fdt);
> > 202 /* copy in the device tree */
> > 203 qemu_fdt_dumpdtb(fdt, fdtsize);
> > 204
> > 205 rom_add_blob_fixed_as("fdt", fdt, fdtsize, fdt_addr,
> > 206 &address_space_memory);
> >
> > ** CID 1458135: Control flow issues (UNREACHABLE)
> > /qemu/hw/pci-host/mv64361.c: 691 in mv64361_write()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458135: Control flow issues (UNREACHABLE)
> > /qemu/hw/pci-host/mv64361.c: 691 in mv64361_write()
> > 685 (addr == MV64340_PCI_0_MEMORY3_HIGH_ADDR_REMAP));
> > 686 break;
> > 687 case MV64340_PCI_1_IO_BASE_ADDR:
> > 688 s->pci[1].io_base = val & 0x30fffffULL;
> > 689 warn_swap_bit(val);
> > 690 break;
> >>>> CID 1458135: Control flow issues (UNREACHABLE)
> >>>> This code cannot be reached: "{
> > s->pci[1].remap[4] = (v...".
> > 691 if (!(s->cpu_conf & BIT(27))) {
> > 692 s->pci[1].remap[4] = (val & 0xffffULL) << 16;
> > 693 }
> > 694 break;
> > 695 case MV64340_PCI_1_IO_SIZE:
> > 696 s->pci[1].io_size = val & 0xffffULL;
> >
> > ** CID 1458134: Integer handling issues (BAD_SHIFT)
> > /qemu/hw/vfio/common.c: 786 in vfio_register_ram_discard_listener()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458134: Integer handling issues (BAD_SHIFT)
> > /qemu/hw/vfio/common.c: 786 in vfio_register_ram_discard_listener()
> > 780 vrdl->offset_within_address_space = section->offset_within_address_space;
> > 781 vrdl->size = int128_get64(section->size);
> > 782 vrdl->granularity = ram_discard_manager_get_min_granularity(rdm,
> > 783 section->mr);
> > 784
> > 785 g_assert(vrdl->granularity && is_power_of_2(vrdl->granularity));
> >>>> CID 1458134: Integer handling issues (BAD_SHIFT)
> >>>> In expression "1 << ctz64(container->pgsizes)", left shifting by
> >>>> more than 31 bits has undefined behavior. The shift amount,
> >>>> "ctz64(container->pgsizes)", is 64.
> > 786 g_assert(vrdl->granularity >= 1 << ctz64(container->pgsizes));
> > 787
> > 788 ram_discard_listener_init(&vrdl->listener,
> > 789 vfio_ram_discard_notify_populate,
> > 790 vfio_ram_discard_notify_discard, true);
> > 791 ram_discard_manager_register_listener(rdm, &vrdl->listener, section);
> >
> > ** CID 1458133: Memory - corruptions (OVERRUN)
> > /qemu/hw/ppc/vof.c: 525 in vof_package_to_path()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458133: Memory - corruptions (OVERRUN)
> > /qemu/hw/ppc/vof.c: 525 in vof_package_to_path()
> > 519 {
> > 520 uint32_t ret = -1;
> > 521 char tmp[VOF_MAX_PATH] = "";
> > 522
> > 523 ret = phandle_to_path(fdt, phandle, tmp, sizeof(tmp));
> > 524 if (ret > 0) {
> >>>> CID 1458133: Memory - corruptions (OVERRUN)
> >>>> Overrunning array "tmp" of 256 bytes by passing it to a function
> >>>> which accesses it at byte offset 4294967289 using argument "ret" (which
> >>>> evaluates to 4294967290). [Note: The source code implementation of the
> >>>> function has been overridden by a user model.]
> > 525 if (VOF_MEM_WRITE(buf, tmp, ret) != MEMTX_OK) {
> > 526 ret = -1;
> > 527 }
> > 528 }
> > 529
> > 530 trace_vof_package_to_path(phandle, tmp, ret);
> >
> > ** CID 1458132: Memory - corruptions (OVERRUN)
> > /qemu/hw/ppc/vof.c: 975 in vof_client_call()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1458132: Memory - corruptions (OVERRUN)
> > /qemu/hw/ppc/vof.c: 975 in vof_client_call()
> > 969 if (!nret) {
> > 970 return 0;
> > 971 }
> > 972
> > 973 args_be.args[nargs] = cpu_to_be32(ret);
> > 974 for (i = 1; i < nret; ++i) {
> >>>> CID 1458132: Memory - corruptions (OVERRUN)
> >>>> Overrunning array "args_be.args" of 10 4-byte elements at element
> >>>> index 10 (byte offset 43) using index "nargs + i" (which evaluates to
> >>>> 10).
> > 975 args_be.args[nargs + i] = cpu_to_be32(rets[i - 1]);
> > 976 }
> > 977
> > 978 if (VOF_MEM_WRITE(args_real + offsetof(struct prom_args, args[nargs]),
> > 979 args_be.args + nargs, sizeof(args_be.args[0]) * nret) !=
> > 980 MEMTX_OK) {
> >
> >
> > ________________________________________________________________________________________________________
> > To view the defects in Coverity Scan visit,
> > https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yrzEQNXe51mg-2FlKoEnRoarMq5nOxxfhqLUuo8HvG2S4Ew-3D-3DcZRx_jSsWe-2F8BIIMn-2B9cY8l8qvt9p9IF7rtc7g3r0ikIBL6GIol28p9caU9vZTC1xwZfxKmDiTO8e6mxQ7ZbEv31rPUBoHTUbMNZh9L5l5vgfe-2BEtU5qkZICtxrfTei790750jeD4KUVozZbec5fou0TGGUtwZSUzBVTsZ3AkvUG7VnBMAFJnyr0qf8MpWsH-2BRqvd1JKUzsEMfMiPKpWD2SNMew-3D-3D
> >
> > To manage Coverity Scan email notifications for "groug@kaod.org", click
> > https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxRiRmd0M90iCQoPbezwE-2FkdHIv0GokBYfo3C26LRTTZhn5m6cUWP7bKhZRS6EfCeWpwUz6flf1if0n-2F4Af6v6uSf1vtg3ZYC-2F-2Braj-2BJWKKsI-3DWb5H_jSsWe-2F8BIIMn-2B9cY8l8qvt9p9IF7rtc7g3r0ikIBL6GIol28p9caU9vZTC1xwZfxhyVXRa4Bqo93IUFSAIr2QgJgImWKmJJGbB2isJhtmHtaFQqPYf6yyA5n9v2JHViIV7FY6O72S-2FI2b7t3LDy5nzWMtsKpRE1FHaq3HSNIuVbawJsSF6omSzWI9iOGKXHof4786OKNjB-2FY3Ita-2F2ZIqQ-3D-3D
> >
>
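Two of the defect classes in the forwarded report are worth seeing in isolation. The NEGATIVE_RETURNS and OVERRUN findings in vof_package_to_path() and vof_instance_to_path() (CIDs 1458137, 1458133, 1458139, 1458138) come from storing a callee's signed return value in a `uint32_t ret`: a -1 error code becomes 4294967295, `ret > 0` is always true, and the bogus length flows into the guest-memory write. The BAD_SHIFT finding (CID 1458134) comes from `1 << ctz64(container->pgsizes)`, where ctz64() of 0 is 64 and the shift is done on a 32-bit int. The following is an added example, not QEMU's code: `lookup_path()` and `ctz64_model()` are hypothetical stand-ins for phandle_to_path() and ctz64(), and the buggy/fixed function pairs model only the signedness and shift-width issues, not the real VOF or VFIO logic.

```c
/* Added example, not QEMU's code. Models the signedness defect Coverity
 * flagged in vof_package_to_path() and the shift-width defect it flagged in
 * vfio_register_ram_discard_listener(). All function names below are
 * hypothetical stand-ins for the QEMU functions named in the report. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH 256

/* Stand-in for phandle_to_path(): fills buf with a device-tree path and
 * returns its length, or -1 when the phandle is unknown. Like the libfdt
 * helpers it wraps, it returns a signed int. Phandle 42 is a constructed
 * sample value. */
static int lookup_path(uint32_t phandle, char *buf, size_t bufsize)
{
    if (phandle != 42) {
        return -1;
    }
    return snprintf(buf, bufsize, "/vdevice/nvram");
}

/* Buggy pattern from the report: the result lands in a uint32_t, so -1
 * becomes 4294967295 and "ret > 0" is always true. Returns the length that
 * would be handed to the guest-memory write; on the error path that is the
 * out-of-bounds length the scanner complained about. */
static uint64_t buggy_length(uint32_t phandle)
{
    uint32_t ret = -1;
    char tmp[MAX_PATH] = "";

    ret = lookup_path(phandle, tmp, sizeof(tmp));
    if (ret > 0) {
        return ret;   /* would be used as the write length */
    }
    return 0;
}

/* Fixed pattern: keep the callee's signed type so the error path is really
 * taken, and refuse lengths that do not fit the buffer (snprintf reports
 * the untruncated length when it had to cut the string). */
static int64_t fixed_length(uint32_t phandle)
{
    int ret;
    char tmp[MAX_PATH] = "";

    ret = lookup_path(phandle, tmp, sizeof(tmp));
    if (ret > 0 && (size_t)ret < sizeof(tmp)) {
        return ret;
    }
    return -1;
}

/* Stand-in for QEMU's ctz64(): trailing zero count, defined as 64 for 0,
 * which is exactly the value that made "1 << ctz64(...)" undefined. */
static int ctz64_model(uint64_t val)
{
    int n = 0;

    if (val == 0) {
        return 64;
    }
    while (!(val & 1)) {
        val >>= 1;
        n++;
    }
    return n;
}

/* Fixed form of "1 << ctz64(pgsizes)": a 64-bit shift operand and an
 * explicit check for an empty page-size mask, so the shift count can never
 * reach 64 and page sizes above 2 GiB no longer overflow an int. */
static uint64_t min_page_size(uint64_t pgsizes)
{
    if (pgsizes == 0) {
        return 0;
    }
    return (uint64_t)1 << ctz64_model(pgsizes);
}

int main(void)
{
    printf("buggy: unknown phandle -> length %llu\n",
           (unsigned long long)buggy_length(7));
    printf("fixed: unknown phandle -> %lld\n", (long long)fixed_length(7));
    printf("min page size of mask 0x201000 -> 0x%llx\n",
           (unsigned long long)min_page_size(0x201000));
    printf("min page size of empty mask -> %llu\n",
           (unsigned long long)min_page_size(0));
    return 0;
}
```

The first printf shows why Coverity paired a NEGATIVE_RETURNS finding with an OVERRUN: the unsigned conversion turns a refused lookup into a multi-gigabyte length. Compilers with -Wsign-compare or -Wconversion will not flag `if (ret > 0)` on a uint32_t, so the static-analysis model of the callee's return range is what catches it.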