Bug 203944 - makefs: Coverity CID 979130, 979131: Possibly gone after PR 203938 / CID 975345, 975346 is done
Summary: makefs: Coverity CID 979130, 979131: Possibly gone after PR 203938 / CID 9753...
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
Depends on:
Reported: 2015-10-21 20:32 UTC by scdbackup
Modified: 2017-11-05 20:47 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description scdbackup 2015-10-21 20:32:48 UTC

CID 979131 (#2 of 2): Untrusted value as argument (TAINTED_SCALAR)
   4. tainted_data: Passing tainted variable pttemp.length to a tainted

210                debug_dump_to_xml_ptentry(&pttemp, n, mode);

CID 979130 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR)
   20. tainted_data: Passing tainted variable t2 to a tainted sink.

257        debug_dump_to_xml_path_table(fd, t, t2, 721);

--------------- Source analysis:

With CID 979131 Coverity first points to:
  CID 975346: Ignoring number of bytes read (CHECKED_RETURN)
  3. tainted_data_argument: Calling function fread taints argument pttemp
205                fread(&pttemp, 1, 8, fd);

and next to CID 979131.
With CID 979130 Coverity first points to:
  CID 975345: Ignoring number of bytes read (CHECKED_RETURN)
  10. tainted_data_argument: Calling function fread taints argument buf.
238                fread(buf, 1, CD9660_SECTOR_SIZE, fd);

Then it complains about further use of buf, of which is not clear
that it contains valid data.

  12. tainted_data_transitive: Call to function memcpy with tainted
  argument buf transitively taints primaryVD
245                        memcpy(&primaryVD, buf, CD9660_SECTOR_SIZE);

  18. tainted_data_transitive: Call to function debug_get_encoded_number
  with tainted argument primaryVD.path_table_size returns tainted data.

  19. var_assign: Assigning: t2 = debug_get_encoded_number, which taints t2.

and next to CID 979130.

So if error checks make sure that only valid buf content is
processed, both chains of tainting should be prevented from starting.

--------------- Remedy proposal:

In the next Coverity re-run after PR 203938 is solved, check
whether tainted parameters in functions debug_dump_to_xml()
and debug_dump_to_xml_path_table() are reported again.


This is for now the last Coverity CID which is about makefs ISO 9660
production. Hopefully none slipped through.
There are still some left about FFS production.
Comment 1 Enji Cooper freebsd_committer 2015-10-25 22:12:58 UTC
Bulk taking makefs bugs.
Comment 2 Enji Cooper freebsd_committer 2017-11-05 20:47:22 UTC
Releasing bugs back to the pool.