usr.sbin/makefs/cd9660/iso9660_debug.c CID 979131 (#2 of 2): Untrusted value as argument (TAINTED_SCALAR) 4. tainted_data: Passing tainted variable pttemp.length to a tainted sink. 210 debug_dump_to_xml_ptentry(&pttemp, n, mode); CID 979130 (#1 of 1): Untrusted value as argument (TAINTED_SCALAR) 20. tainted_data: Passing tainted variable t2 to a tainted sink. 257 debug_dump_to_xml_path_table(fd, t, t2, 721); --------------- Source analysis: With CID 979131 Coverity first points to: CID 975346: Ignoring number of bytes read (CHECKED_RETURN) 3. tainted_data_argument: Calling function fread taints argument pttemp 205 fread(&pttemp, 1, 8, fd); and next to CID 979131. With CID 979130 Coverity first points to: CID 975345: Ignoring number of bytes read (CHECKED_RETURN) 10. tainted_data_argument: Calling function fread taints argument buf. 238 fread(buf, 1, CD9660_SECTOR_SIZE, fd); Then it complains about further use of buf, of which is not clear that it contains valid data. 12. tainted_data_transitive: Call to function memcpy with tainted argument buf transitively taints primaryVD 245 memcpy(&primaryVD, buf, CD9660_SECTOR_SIZE); 18. tainted_data_transitive: Call to function debug_get_encoded_number with tainted argument primaryVD.path_table_size returns tainted data. 19. var_assign: Assigning: t2 = debug_get_encoded_number, which taints t2. and next to CID 979130. So if error checks make sure that only valid buf content is processed, both chains of tainting should be prevented from starting. --------------- Remedy proposal: In the next Coverity re-run after PR 203938 is solved, check whether tainted parameters in functions debug_dump_to_xml() and debug_dump_to_xml_path_table() are reported again. ------------------------------------------------------------------------ This is for now the last Coverity CID which is about makefs ISO 9660 production. Hopefully none slipped through. There are still some left about FFS production.
Bulk taking makefs bugs.
Releasing bugs back to the pool.