[Bug 203944] makefs: Coverity CID 979130: Possibly gone after PR 203938 / CID 975345, 975346 is done
bugzilla-noreply at freebsd.org
Wed Oct 21 20:32:48 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203944
Bug ID: 203944
Summary: makefs: Coverity CID 979130: Possibly gone after PR 203938 / CID 975345, 975346 is done
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: scdbackup at gmx.net
usr.sbin/makefs/cd9660/iso9660_debug.c
CID 979131 (#2 of 2): Untrusted value as argument (TAINTED_SCALAR)
4. tainted_data: Passing tainted variable pttemp.length to a tainted sink.
210 debug_dump_to_xml_ptentry(&pttemp, n, mode);
CID 979130 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
20. tainted_data: Passing tainted variable t2 to a tainted sink.
257 debug_dump_to_xml_path_table(fd, t, t2, 721);
--------------- Source analysis:
With CID 979131 Coverity first points to:
CID 975346: Ignoring number of bytes read (CHECKED_RETURN)
3. tainted_data_argument: Calling function fread taints argument pttemp
205 fread(&pttemp, 1, 8, fd);
and next to CID 979131.
With CID 979130 Coverity first points to:
CID 975345: Ignoring number of bytes read (CHECKED_RETURN)
10. tainted_data_argument: Calling function fread taints argument buf.
238 fread(buf, 1, CD9660_SECTOR_SIZE, fd);
Then it complains about further use of buf, for which it is not clear
that it contains valid data.
12. tainted_data_transitive: Call to function memcpy with tainted
argument buf transitively taints primaryVD
245 memcpy(&primaryVD, buf, CD9660_SECTOR_SIZE);
18. tainted_data_transitive: Call to function debug_get_encoded_number
with tainted argument primaryVD.path_table_size returns tainted data.
19. var_assign: Assigning: t2 = debug_get_encoded_number, which taints t2.
and next to CID 979130.
So if error checks make sure that only valid buf content is
processed, both chains of tainting should be prevented from starting.
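The pattern the two taint chains share is an fread() whose return value is ignored, followed by use of a length field decoded from the possibly unfilled buffer. The following is an added example, not code from makefs or from this bug report, showing the check the report argues for: read the fixed-size header, fail on a short read, and bound the decoded length before it is passed anywhere as a size. The header layout (8 bytes, little-endian length in bytes 4..7), the MAX_TABLE_LEN limit and all function names are hypothetical; the sample images in main() are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define HDR_SIZE      8     /* constructed: size of the fixed header */
#define MAX_TABLE_LEN 2048  /* constructed: largest length field accepted */

/* Read exactly n bytes or report failure (short read, EOF or error).
 * This is the check Coverity's CHECKED_RETURN finding asks for. */
static int read_exact(FILE *fp, void *dst, size_t n)
{
    size_t got = fread(dst, 1, n, fp);
    return got == n ? 0 : -1;
}

/* Decode a 32-bit little-endian value from 4 bytes (constructed layout). */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the length field from the header. Returns 0 and stores the
 * validated length on success; -1 if the read was short or the value is
 * out of range. The length is only handed on once both checks pass, so
 * no tainted value reaches a size argument. */
int read_validated_length(FILE *fp, uint32_t *len_out)
{
    unsigned char hdr[HDR_SIZE];
    if (read_exact(fp, hdr, sizeof hdr) != 0)
        return -1;                     /* short read: buffer contents undefined */
    uint32_t len = le32(hdr + 4);      /* constructed layout: bytes 4..7 */
    if (len == 0 || len > MAX_TABLE_LEN)
        return -1;                     /* reject before any use as a size */
    *len_out = len;
    return 0;
}

/* Demonstration helper: run the parser over an in-memory image. */
int parse_image(const unsigned char *img, size_t img_len, uint32_t *len_out)
{
    FILE *fp = fmemopen((void *)img, img_len, "rb");
    if (fp == NULL)
        return -1;
    int rc = read_validated_length(fp, len_out);
    fclose(fp);
    return rc;
}

int main(void)
{
    /* constructed sample images */
    const unsigned char good[HDR_SIZE]  = {0,0,0,0, 0x10,0x00,0x00,0x00}; /* len 16 */
    const unsigned char huge[HDR_SIZE]  = {0,0,0,0, 0xff,0xff,0xff,0x7f}; /* out of range */
    const unsigned char trunc[3]        = {0,0,0};                         /* short file */
    uint32_t len = 0;

    printf("good:  rc=%d len=%u\n", parse_image(good, sizeof good, &len), len);
    printf("huge:  rc=%d\n", parse_image(huge, sizeof huge, &len));
    printf("trunc: rc=%d\n", parse_image(trunc, sizeof trunc, &len));
    return 0;
}
```

Both findings in the report are cleared by the same two steps: the short-read check stops the fread() taint at its source, and the range check on the decoded field means that even a well-formed but hostile image cannot push an arbitrary length into debug_dump_to_xml_path_table() or its equivalent.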
--------------- Remedy proposal:
In the next Coverity re-run after PR 203938 is solved, check
whether tainted parameters in functions debug_dump_to_xml()
and debug_dump_to_xml_path_table() are reported again.
------------------------------------------------------------------------
This is for now the last Coverity CID which is about makefs ISO 9660
production. Hopefully none slipped through.
There are still some left about FFS production.