GNU bug report logs - #71535
multiple defects found by covscan in diffutils-3.10


Package: diffutils

Reported by: Wasser Mai <wasser19641 <at> gmail.com>

Date: Thu, 13 Jun 2024 13:16:02 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.




From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Wasser Mai <wasser19641 <at> gmail.com>
Cc: 71535-done <at> debbugs.gnu.org, Gnulib bug reports <bug-gnulib <at> gnu.org>
Subject: bug#71535: [bug-diffutils] bug#71535: multiple defects found by covscan in diffutils-3.10
Date: Thu, 20 Jun 2024 00:30:29 -0400
On 6/13/24 05:34, Wasser Mai wrote:
> Error: INTEGER_OVERFLOW (CWE-190):
> diffutils-3.10/lib/stackvma.c:198:23: tainted_data_return: Called
> function "read(fd, rof->buffer + rof->filled, size - rof->filled)",
> and a possible return value may be less than zero.
> diffutils-3.10/lib/stackvma.c:198:23: cast_overflow: An assign that
> casts to a different type, which might trigger an overflow.
> diffutils-3.10/lib/stackvma.c:213:23: overflow: The expression
> "rof->filled" is considered to have possibly overflowed.
> diffutils-3.10/lib/stackvma.c:198:23: overflow: The expression "size
> - rof->filled" is deemed overflowed because at least one of its
> arguments has overflowed.
> diffutils-3.10/lib/stackvma.c:198:23: overflow_sink: "size -
> rof->filled", which might have underflowed, is passed to "read(fd,
> rof->buffer + rof->filled, size - rof->filled)". [Note: The source
> code implementation of the function has been overridden by a builtin
> model.]
> #  196|                     for (;;)
> #  197|                       {
> #  198|->                       n = read (fd, rof->buffer + rof->filled, size - rof->filled);
> #  199|                         if (n < 0 && errno == EINTR)
> #  200|                           goto retry;


As near as I can make out, this was the only defect report by Coverity 
that was not a false alarm. I installed the attached patch into Gnulib 
to fix the bug, which appears to be so unlikely that it's not worth 
losing sleep over.

Marking the diffutils bug as done since the other defect reports were 
false alarms.
[0001-sigsegv-avoid-unlikely-undefined-behavior.patch (text/x-patch, attachment)]
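The Coverity finding above is about a read loop whose request length is `size - rof->filled`: if a negative or truncated `read()` result ever reaches `rof->filled`, that subtraction wraps and the next `read()` is asked for a huge count. The following is an added example, not gnulib's stackvma.c and not Paul Eggert's patch, showing the same loop shape written so the subtraction cannot wrap: the result is kept in `ssize_t` (the type `read()` returns), EINTR retries the same request, EOF and hard errors end the loop, and a state with `filled > size` is refused rather than subtracted. The names (`struct rofile`, `rof_fill`, `fake_read`, `DEMO_MAPS`) and the scripted fake reader are this example's own assumptions; the sample line is constructed.

```c
/* Added example: a bounded read loop in the shape of the one Coverity
   flagged, written so `size - filled` can never wrap. All names here are
   this example's own, not gnulib's. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

struct rofile {
  char *buffer;
  size_t size;    /* capacity of buffer */
  size_t filled;  /* bytes holding data; invariant: filled <= size */
};

/* Reader callback with read(2)'s contract: bytes read, 0 at EOF, -1 + errno. */
typedef ssize_t (*read_fn)(void *ctx, void *buf, size_t len);

/* Fill rof->buffer from rd until it is full, EOF, or a hard error.
   Returns 1 when the buffer is full, 0 at EOF, -1 on error (errno set). */
int rof_fill(struct rofile *rof, read_fn rd, void *ctx)
{
  /* Never compute size - filled from a state that would wrap. */
  if (rof->filled > rof->size) { errno = EINVAL; return -1; }
  while (rof->filled < rof->size) {
    size_t want = rof->size - rof->filled;              /* filled < size: no wrap */
    ssize_t n = rd(ctx, rof->buffer + rof->filled, want); /* read()'s own type */
    if (n < 0) {
      if (errno == EINTR) continue;                     /* interrupted: retry same request */
      return -1;
    }
    if (n == 0) return 0;                               /* EOF */
    if ((size_t)n > want) { errno = EIO; return -1; }   /* misbehaving source */
    rof->filled += (size_t)n;                           /* stays <= size */
  }
  return 1;
}

/* Adapter for a real file descriptor. */
ssize_t fd_read(void *ctx, void *buf, size_t len)
{
  return read(*(const int *)ctx, buf, len);
}

/* Constructed test source: injects EINTR failures and short reads. */
struct fake_src {
  const char *data;
  size_t len, pos;
  int eintr_left;   /* EINTR results to return before delivering data */
  size_t chunk;     /* max bytes per call, 0 = unlimited (forces short reads) */
};

ssize_t fake_read(void *ctx, void *buf, size_t len)
{
  struct fake_src *s = ctx;
  if (s->eintr_left > 0) { s->eintr_left--; errno = EINTR; return -1; }
  size_t n = s->len - s->pos;
  if (n > len) n = len;
  if (s->chunk && n > s->chunk) n = s->chunk;
  memcpy(buf, s->data + s->pos, n);
  s->pos += n;
  return (ssize_t)n;
}

/* Constructed sample input (assumed shape, one maps-style line). */
#define DEMO_MAPS "00400000-00401000 r-xp 00000000 08:01 1234 /bin/true\n"

/* Fill a cap-byte buffer from DEMO_MAPS under the given fault script.
   Returns rof_fill's status; *filled receives the byte count. */
int demo_fill(char *out, size_t cap, int eintr, size_t chunk, size_t *filled)
{
  struct fake_src src = { DEMO_MAPS, strlen(DEMO_MAPS), 0, eintr, chunk };
  struct rofile rof = { out, cap, 0 };
  int st = rof_fill(&rof, fake_read, &src);
  *filled = rof.filled;
  return st;
}

/* Corrupted state (filled past size): rof_fill must refuse, not wrap. */
int demo_wrapped_state(void)
{
  char buf[8];
  struct fake_src src = { DEMO_MAPS, strlen(DEMO_MAPS), 0, 0, 0 };
  struct rofile rof = { buf, sizeof buf, sizeof buf + 1 };
  return rof_fill(&rof, fake_read, &src);
}
```

The scripted reader is what makes the EINTR and short-read paths exercisable without signals; `fd_read` is the adapter you would pass for a real descriptor. The point to carry back to the report is that `want` is derived only after `filled < size` has been established, so the length handed to the reader is always in range whatever the previous call returned.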




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.