[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] False positive coverity bug id: 1351218

To: xen-devel@xxxxxxxxxxxxxxxxxxxx, Dario Faggioli <dario.faggioli@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, ian.jackson@xxxxxxxxxxxxx, Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>, Ian Campbell <ian.campbell@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>
From: Harmandeep Kaur <write.harmandeep@xxxxxxxxx>
Date: Thu, 18 Feb 2016 21:06:03 +0530
Delivery-date: Thu, 18 Feb 2016 15:36:08 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

This is about a Coverity bug (included in the end), which I think is
a false positive. I don't think pagesize can be zero in any case.
pagesize = 1 << (((flags >> TMEM_POOL_PAGESIZE_SHIFT) &
                            TMEM_POOL_PAGESIZE_MASK) + 12);

Which means "pagesize > bufsize" will always be true and buf can
not be null in any case if it reaches line 464 (or call may terminate
if realloc(..) returns NULL).
-----------------------------------------------------------------------------------------
> ** CID 1351218:    (FORWARD_NULL)
> /tools/libxc/xc_tmem.c: 464 in xc_tmem_restore()
> /tools/libxc/xc_tmem.c: 427 in xc_tmem_restore()
>
> /tools/libxc/xc_tmem.c: 464 in xc_tmem_restore()
> 458                 if ( oid.oid[0] == -1L && oid.oid[1] == -1L && oid.oid[2] 
> == -1L )
> 459                     break;
> 460                 if ( read_exact(io_fd, &index, sizeof(index)) )
> 461                     return -1;
> 462                 if ( read_exact(io_fd, buf, pagesize) )
> 463                     return -1;
> > > >     CID 1351218:    (FORWARD_NULL)
> > > >     Dereferencing null pointer "buf".
> 464                 checksum += *buf;
> 465                 if ( (rc = xc_tmem_control_oid(xch, pool_id,
> 466
pagesize = 1 << (((flags >> TMEM_POOL_PAGESIZE_SHIFT) &
                            TMEM_POOL_PAGESIZE_MASK) + 12);
XEN_SYSCTL_TMEM_OP_RESTORE_PUT_PAGE, dom,
> 467                                                bufsize, index, oid, buf)) 
> <= 0 )
> 468                 {
> 469                     DPRINTF("xc_tmem_restore: putting page failed, 
> rc=%d\n",rc);
> /tools/libxc/xc_tmem.c: 427 in xc_tmem_restore()
> 421         if ( read_exact(io_fd, &minusone, sizeof(minusone)) )
> 422             return -1;
> 423         while ( read_exact(io_fd, &pool_id, sizeof(pool_id)) == 0 && 
> pool_id != -1 )
> 424         {
> 425             uint64_t uuid[2];
> 426             uint32_t n_pages;
> > > >     CID 1351218:    (FORWARD_NULL)
> > > >     Assigning: "buf" = "NULL".
> 427             char *buf = NULL;
> 428             int bufsize = 0, pagesize;
> 429             int j;
> 430
> 431             if ( read_exact(io_fd, &flags, sizeof(flags)) )
> 432                 return -1;

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] False positive coverity bug id: 1351218
  - From: Andrew Cooper

Prev by Date: Re: [Xen-devel] [PATCH v2 13/16] xenalyze: handle Credit1 scheduler events
Next by Date: Re: [Xen-devel] [PATCH] x86/hvm_event: fix uninitialized struct field usage introduced by c/s f5365e6
Previous by thread: [Xen-devel] [PATCH] travis: Drop bridge-utils and iproute2
Next by thread: Re: [Xen-devel] False positive coverity bug id: 1351218
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.