Bug 1801972
| Summary: | [RHEL-8.3/RDMA/rdma-core] Broadcom provider specific potential Coverity issues | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Honggang LI <honli> |
| Component: | rdma-core | Assignee: | Honggang LI <honli> |
| Status: | CLOSED WONTFIX | QA Contact: | Infiniband QE <infiniband-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.3 | CC: | brcm-roce-dev.pdl, hwkernel-mgr, linville, rdma-dev-team, sxavier |
| Target Milestone: | rc | ||
| Target Release: | 8.4 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-11-11 12:28:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Hi, Selvin Please review and fix bnx_re specific Coverity issues in upstream repo. I will backport them for rhel-8.3 when the fix available in upstream repo. Please note Coverity report may include false positive. Thanks |
Description of problem: Error: OVERRUN (CWE-119): rdma-core-28.0/providers/bnxt_re/verbs.c:953: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_QP of 32 bytes by passing it to a function which accesses it at byte offset 32. # 951| req.qp_handle = (uintptr_t)qp; # 952| # 953|-> if (ibv_cmd_create_qp(ibvpd, &qp->ibvqp, attr, &req.ibv_cmd, sizeof(req), # 954| &resp.ibv_resp, sizeof(resp))) { # 955| goto failcmd; Error: OVERRUN (CWE-119): rdma-core-28.0/providers/bnxt_re/verbs.c:1528: overrun-buffer-val: Overrunning struct type _KABI_RESP_STRUCT_IB_USER_VERBS_CMD_CREATE_SRQ of 16 bytes by passing it to a function which accesses it at byte offset 16. # 1526| req.srqva = (uintptr_t)srq->srqq->va; # 1527| req.srq_handle = (uintptr_t)srq; # 1528|-> ret = ibv_cmd_create_srq(ibvpd, &srq->ibvsrq, attr, # 1529| &req.ibv_cmd, sizeof(req), # 1530| &resp.ibv_resp, sizeof(resp)); Error: FORWARD_NULL (CWE-476): rdma-core-28.0/providers/bnxt_re/verbs.c:1520: var_compare_op: Comparing "srq" to null implies that "srq" might be null. rdma-core-28.0/providers/bnxt_re/verbs.c:1543: var_deref_model: Passing null pointer "srq" to "bnxt_re_srq_free_queue_ptr", which dereferences it. # 1541| return &srq->ibvsrq; # 1542| fail: # 1543|-> bnxt_re_srq_free_queue_ptr(srq); # 1544| return NULL; # 1545| } Version-Release number of selected component (if applicable): The source rpm had been created from git upstrema repo. The last upstream commit id is 4cb982f9773b5c06437b57341d65528d077129b9 . How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: