Package: diffutils;
Reported by: Wasser Mai <wasser19641 <at> gmail.com>
Date: Thu, 13 Jun 2024 13:16:02 UTC
Severity: normal
Done: Paul Eggert <eggert <at> cs.ucla.edu>
Bug is archived. No further changes may be made.
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Eggert <eggert <at> cs.ucla.edu>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#71535: closed (multiple defects found by covscan in diffutils-3.10)
Date: Fri, 14 Jun 2024 00:14:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Thu, 13 Jun 2024 17:13:17 -0700 with message-id <a7e9c8a5-5653-41a9-8439-b0305e558cac <at> cs.ucla.edu> and subject line Re: [bug-diffutils] bug#71535: multiple defects found by covscan in diffutils-3.10 has caused the debbugs.gnu.org bug report #71535, regarding multiple defects found by covscan in diffutils-3.10 to be marked as done.

(If you believe you have received this mail in error, please contact help-debbugs <at> gnu.org.)

--
71535: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71535
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Wasser Mai <wasser19641 <at> gmail.com>
To: bug-diffutils <at> gnu.org
Subject: multiple defects found by covscan in diffutils-3.10
Date: Thu, 13 Jun 2024 11:34:27 +0200

There are multiple defects in opencryptoki-3.23.0 found by covscan. It could be that some of them are false positives. Thanks!

Error: OVERRUN (CWE-119):
diffutils-3.10/lib/nstrftime.c:689:17: assignment: Assigning: "width" = "2147483647".
diffutils-3.10/lib/nstrftime.c:1009:11: alias: Assigning: "bufp" = "buf + 23UL". "bufp" now points to byte 23 of "buf" (which consists of 23 bytes).
diffutils-3.10/lib/nstrftime.c:1019:15: ptr_decr: Decrementing "bufp". "bufp" now points to byte 22 of "buf" (which consists of 23 bytes).
diffutils-3.10/lib/nstrftime.c:1048:17: decr: Decrementing "width". The value of "width" is now 2147483646.
diffutils-3.10/lib/nstrftime.c:1051:13: assignment: Assigning: "_w" = "(pad == 45 || width < 0) ? 0 : width". The value of "_w" is now 2147483646.
diffutils-3.10/lib/nstrftime.c:1051:13: cond_at_most: Checking "_n < _w" implies that "_n" may be up to 2147483645 on the true branch.
diffutils-3.10/lib/nstrftime.c:1051:13: overrun-buffer-arg: Overrunning buffer pointed to by "(void const *)bufp" of 23 bytes by passing it to a function which accesses it at byte offset 2147483666 using argument "_n" (which evaluates to 2147483645). [Note: The source code implementation of the function has been overridden by a builtin model.]
# 1049|     }
# 1050|
# 1051|->   cpy (numlen, bufp);
# 1052|   }
# 1053|   break;

Error: UNINIT (CWE-457):
diffutils-3.10/lib/time_rz.c:294:11: var_decl: Declaring variable "tm_1" without initializer.
diffutils-3.10/lib/time_rz.c:310:15: uninit_use: Using uninitialized value "tm_1". Field "tm_1.tm_gmtoff" is uninitialized.
#  308|   if (revert_tz (old_tz) && ok)
#  309|     {
#  310|->     *tm = tm_1;
#  311|       return t;
#  312|     }

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/lib/stdopen.c:51:11: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
diffutils-3.10/lib/stdopen.c:51:11: var_assign: Assigning: "full_fd" = handle returned from "open("/dev/full", mode)".
diffutils-3.10/lib/stdopen.c:52:11: var_assign: Assigning: "new_fd" = "full_fd".
diffutils-3.10/lib/stdopen.c:62:9: leaked_handle: Handle variable "new_fd" going out of scope leaks the handle.
diffutils-3.10/lib/stdopen.c:62:9: leaked_handle: Handle variable "full_fd" going out of scope leaks the handle.
#   60|           return 0;
#   61|         }
#   62|->   }
#   63|   }
#   64|

Error: INTEGER_OVERFLOW (CWE-190):
diffutils-3.10/lib/stackvma.c:198:23: tainted_data_return: Called function "read(fd, rof->buffer + rof->filled, size - rof->filled)", and a possible return value may be less than zero.
diffutils-3.10/lib/stackvma.c:198:23: cast_overflow: An assign that casts to a different type, which might trigger an overflow.
diffutils-3.10/lib/stackvma.c:213:23: overflow: The expression "rof->filled" is considered to have possibly overflowed.
diffutils-3.10/lib/stackvma.c:198:23: overflow: The expression "size - rof->filled" is deemed overflowed because at least one of its arguments has overflowed.
diffutils-3.10/lib/stackvma.c:198:23: overflow_sink: "size - rof->filled", which might have underflowed, is passed to "read(fd, rof->buffer + rof->filled, size - rof->filled)". [Note: The source code implementation of the function has been overridden by a builtin model.]
#  196|   for (;;)
#  197|     {
#  198|->     n = read (fd, rof->buffer + rof->filled, size - rof->filled);
#  199|       if (n < 0 && errno == EINTR)
#  200|         goto retry;

Error: UNINIT (CWE-457):
diffutils-3.10/src/sdiff.c:867:7: var_decl: Declaring variable "cmd1" without initializer.
diffutils-3.10/src/sdiff.c:964:13: uninit_use: Using uninitialized value "cmd1".
#  962|     perror_fatal (tmpname);
#  963|
#  964|->   switch (cmd1)
#  965|     {
#  966|     case 'd':

Error: UNINIT (CWE-457):
diffutils-3.10/lib/sigsegv.c:1460:5: var_decl: Declaring variable "ss" without initializer.
diffutils-3.10/lib/sigsegv.c:1462:5: uninit_use_in_call: Using uninitialized value "ss". Field "ss.ss_sp" is uninitialized when calling "sigaltstack".
# 1460|   stack_t ss;
# 1461|   ss.ss_flags = SS_DISABLE;
# 1462|-> if (sigaltstack (&ss, (stack_t *) 0) < 0)
# 1463|     perror ("gnulib sigsegv (stackoverflow_deinstall_handler)");
# 1464| }

Error: OVERRUN (CWE-119):
diffutils-3.10/src/diff.c:426:6: strlen_assign: Setting variable "alloc" to the return value of strlen called with argument "optarg".
diffutils-3.10/src/diff.c:432:6: alloc_strlen: Allocating insufficient memory for the terminating null of the string. [Note: The source code implementation of the function has been overridden by a builtin model.]
#  430|                       &alloc))
#  431|     xalloc_die ();
#  432|->   char *b = xmalloc (alloc);
#  433|   char *base = b;
#  434|   int changes = 0;

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/src/diff3.c:786:3: alloc_fn: Storage is returned from allocation function "create_diff3_block".
diffutils-3.10/src/diff3.c:786:3: var_assign: Assigning: "result" = storage returned from "create_diff3_block(low[0], high[0], low[1], high[1], lowc, highc)".
diffutils-3.10/src/diff3.c:801:11: leaked_storage: Variable "result" going out of scope leaks the storage it points to.
#  799|                   D_LENARRAY (result, FILEC) + result_offset,
#  800|                   D_NUMLINES (ptr, FC)))
#  801|->       return 0;
#  802|     }
#  803|

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/src/util.c:687:3: alloc_fn: Storage is returned from allocation function "xstrdup".
diffutils-3.10/src/util.c:687:3: var_assign: Assigning: "color_buf" = storage returned from "xstrdup(p)".
diffutils-3.10/src/util.c:687:3: var_assign: Assigning: "buf" = "color_buf".
diffutils-3.10/src/util.c:795:1: leaked_storage: Variable "buf" going out of scope leaks the storage it points to.
diffutils-3.10/src/util.c:795:1: leaked_storage: Variable "color_buf" going out of scope leaks the storage it points to.
#  793|       colors_enabled = false;
#  794|     }
#  795|-> }
#  796|
#  797| static void

Error: UNINIT (CWE-457):
diffutils-3.10/lib/time_rz.c:294:11: var_decl: Declaring variable "tm_1" without initializer.
diffutils-3.10/lib/time_rz.c:306:11: uninit_use_in_call: Using uninitialized value "tm_1.tm_zone" when calling "save_abbr".
#  304|   bool ok = 0 <= tm_1.tm_yday;
#  305| #if HAVE_STRUCT_TM_TM_ZONE || HAVE_TZNAME
#  306|->   ok = ok && save_abbr (tz, &tm_1);
#  307| #endif
#  308|   if (revert_tz (old_tz) && ok)

Error: BAD_FREE (CWE-763):
diffutils-3.10/src/analyze.c:692:11: offset_free: "free" frees address offset from "cmp->file[f].linbuf".
#  690|     {
#  691|       free (cmp->file[f].equivs);
#  692|->     free (cmp->file[f].linbuf + cmp->file[f].linbuf_base);
#  693|     }
#  694|

Error: OVERRUN (CWE-119):
diffutils-3.10/lib/nstrftime.c:689:17: assignment: Assigning: "width" = "2147483647".
diffutils-3.10/lib/nstrftime.c:885:15: assignment: Assigning: "_w" = "(pad == 45 || width < 0) ? 0 : width". The value of "_w" is now 2147483647.
diffutils-3.10/lib/nstrftime.c:885:15: cond_between: Checking "_n < _w" implies that "_n" is between 0 and 2147483646 (inclusive) on the true branch.
diffutils-3.10/lib/nstrftime.c:885:15: overrun-buffer-arg: Overrunning buffer pointed to by "(void const *)(ubuf + 1)" of 1024 bytes by passing it to a function which accesses it at byte offset 2147483646 using argument "_n" (which evaluates to 2147483646). [Note: The source code implementation of the function has been overridden by a builtin model.]
#  883|       len = strftime (ubuf, sizeof ubuf, ufmt, tp);
#  884|       if (len != 0)
#  885|->       cpy (len - 1, ubuf + 1);
#  886|     }
#  887|   break;

Error: BAD_ALLOC_ARITHMETIC (CWE-131):
diffutils-3.10/src/ifdef.c:364:28: bad_alloc_arithmetic: Adding an offset to the result of a call to "__builtin_alloca" might indicate an under-allocation.
diffutils-3.10/src/ifdef.c:364:28: remediation: Did you intend for the size argument to be "spec_prefix_len + pI_len + 2UL + 32UL - 1UL + 31UL"?
#  362|   size_t spec_prefix_len = f - spec - 2;
#  363|   size_t pI_len = sizeof pI - 1;
#  364|->   char *format = xmalloca (spec_prefix_len + pI_len + 2);
#  365|   char *p = mempcpy (format, spec, spec_prefix_len);
#  366|   p = stpcpy (p, pI);

Error: UNINIT (CWE-457):
diffutils-3.10/lib/diffseq.h:388:11: var_decl: Declaring variable "bxbest" without initializer.
diffutils-3.10/lib/diffseq.h:436:15: uninit_use: Using uninitialized value "bxbest".
#  434|       else
#  435|         {
#  436|->         part->xmid = bxbest;
#  437|           part->ymid = bxybest - bxbest;
#  438|           part->lo_minimal = false;

Error: UNINIT (CWE-457):
diffutils-3.10/lib/diffseq.h:386:11: var_decl: Declaring variable "fxbest" without initializer.
diffutils-3.10/lib/diffseq.h:429:15: uninit_use: Using uninitialized value "fxbest".
#  427|       if ((xlim + ylim) - bxybest < fxybest - (xoff + yoff))
#  428|         {
#  429|->         part->xmid = fxbest;
#  430|           part->ymid = fxybest - fxbest;
#  431|           part->lo_minimal = true;

Error: RESOURCE_LEAK (CWE-772):
diffutils-3.10/src/diff3.c:786:3: alloc_fn: Storage is returned from allocation function "create_diff3_block".
diffutils-3.10/src/diff3.c:786:3: var_assign: Assigning: "result" = storage returned from "create_diff3_block(low[0], high[0], low[1], high[1], lowc, highc)".
diffutils-3.10/src/diff3.c:830:13: leaked_storage: Variable "result" going out of scope leaks the storage it points to.
#  828|                     D_LENARRAY (result, FILE0 + d) + result_offset,
#  829|                     D_NUMLINES (ptr, FO)))
#  830|->         return 0;
#  831|
#  832|       /* Catch the lines between here and the next diff */
[Message part 3 (message/rfc822, inline)]
From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Wasser Mai <wasser19641 <at> gmail.com>
Cc: 71535-done <at> debbugs.gnu.org
Subject: Re: [bug-diffutils] bug#71535: multiple defects found by covscan in diffutils-3.10
Date: Thu, 13 Jun 2024 17:13:17 -0700

Thanks. Yes, they're all false alarms with the possible exception of the stackvma.c which is a false alarm on every platform I know of but perhaps we can make it bulletproof for hypothetical platforms. If I have time I'll look into the stackvma.c thing, though that's in Gnulib. Closing the bug report for now.