Bug 203944 - makefs: Coverity CID 979130, 979131: Possibly gone after PR 203938 / CID 975345, 975346 is done
Summary: makefs: Coverity CID 979130, 979131: Possibly gone after PR 203938 / CID 9753...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-21 20:32 UTC by scdbackup
Modified: 2017-11-05 20:47 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description scdbackup 2015-10-21 20:32:48 UTC
usr.sbin/makefs/cd9660/iso9660_debug.c

CID 979131 (#2 of 2): Untrusted value as argument (TAINTED_SCALAR)
   4. tainted_data: Passing tainted variable pttemp.length to a tainted
   sink.

210                debug_dump_to_xml_ptentry(&pttemp, n, mode);

CID 979130 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
   20. tainted_data: Passing tainted variable t2 to a tainted sink.

257        debug_dump_to_xml_path_table(fd, t, t2, 721);

--------------- Source analysis:

With CID 979131 Coverity first points to:
  CID 975346: Ignoring number of bytes read (CHECKED_RETURN)
  3. tainted_data_argument: Calling function fread taints argument pttemp
205                fread(&pttemp, 1, 8, fd);

and next to CID 979131.
With CID 979130 Coverity first points to:
  CID 975345: Ignoring number of bytes read (CHECKED_RETURN)
  10. tainted_data_argument: Calling function fread taints argument buf.
238                fread(buf, 1, CD9660_SECTOR_SIZE, fd);

Then it complains about further use of buf, of which is not clear
that it contains valid data.

  12. tainted_data_transitive: Call to function memcpy with tainted
  argument buf transitively taints primaryVD
245                        memcpy(&primaryVD, buf, CD9660_SECTOR_SIZE);

  18. tainted_data_transitive: Call to function debug_get_encoded_number
  with tainted argument primaryVD.path_table_size returns tainted data.

  19. var_assign: Assigning: t2 = debug_get_encoded_number, which taints t2.

and next to CID 979130.

So if error checks make sure that only valid buf content is
processed, both chains of tainting should be prevented from starting.

--------------- Remedy proposal:

In the next Coverity re-run after PR 203938 is solved, check
whether tainted parameters in functions debug_dump_to_xml()
and debug_dump_to_xml_path_table() are reported again.

------------------------------------------------------------------------

This is for now the last Coverity CID which is about makefs ISO 9660
production. Hopefully none slipped through.
There are still some left about FFS production.
Comment 1 Enji Cooper freebsd_committer 2015-10-25 22:12:58 UTC
Bulk taking makefs bugs.
Comment 2 Enji Cooper freebsd_committer 2017-11-05 20:47:22 UTC
Releasing bugs back to the pool.