Bug 2322704

Summary: Fix various issues detected by static analysis
Product: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Julien Rische <jrische>
Assignee: Julien Rische <jrische>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, antorres, ftrivino, jrische, j, sbose, ssorce
Fixed In Version: krb5-1.21.3-3.fc42 krb5-1.21.3-3.fc41 krb5-1.21.3-2.fc40 krb5-1.21.3-2.fc39
Last Closed: 2024-10-30 18:31:09 UTC

Description Julien Rische 2024-10-30 11:24:11 UTC
Finding #1
Sheet row #12
Details:

  Error: UNINIT (CWE-457):
  krb5-1.21.2/src/kdc/ndr.c:246: var_decl: Declaring variable "b" without initializer.
  krb5-1.21.2/src/kdc/ndr.c:312: uninit_use_in_call: Using uninitialized value "b.data" when calling "free".
  #  310|   
  #  311|   cleanup:
  #  312|->     free(b.data);
  #  313|       free(pt_encoded.encoded);
  #  314|       for (i = 0; tss_encoded != NULL && i < in->transited_services_length; i++)


Finding #2
Sheet row #15
Details:

  Error: INTEGER_OVERFLOW (CWE-190):
  krb5-1.21.2/src/clients/klist/klist.c:714: tainted_data_return: Called function "printf("%s%.*s%s", ((i > 1) ? "(" : ""), (int)cred->server->data[i].length, cred->server->data[i].data, ((i > 1) ? ")" : ""))", and a possible return value may be less than zero.
  krb5-1.21.2/src/clients/klist/klist.c:714: overflow: The expression "ccol" is considered to have possibly overflowed.
  krb5-1.21.2/src/clients/klist/klist.c:714: overflow: The expression "ccol += printf("%s%.*s%s", ((i > 1) ? "(" : ""), (int)cred->server->data[i].length, cred->server->data[i].data, ((i > 1) ? ")" : ""))" is deemed overflowed because at least one of its arguments has overflowed.
  krb5-1.21.2/src/clients/klist/klist.c:714: overflow: The expression "ccol += printf("%s%.*s%s", ((i > 1) ? "(" : ""), (int)cred->server->data[i].length, cred->server->data[i].data, ((i > 1) ? ")" : ""))" is deemed underflowed because at least one of its arguments has underflowed.
  krb5-1.21.2/src/clients/klist/klist.c:714: overflow: The expression "ccol += printf("%s%.*s%s", ((i > 1) ? "(" : ""), (int)cred->server->data[i].length, cred->server->data[i].data, ((i > 1) ? ")" : ""))" is deemed underflowed because at least one of its arguments has underflowed.
  krb5-1.21.2/src/clients/klist/klist.c:721: overflow: The expression "ccol += 3" is deemed underflowed because at least one of its arguments has underflowed.
  krb5-1.21.2/src/clients/klist/klist.c:730: overflow_sink: "ccol", which might have underflowed, is passed to "print_config_data(ccol, &cred->ticket)".
  #  728|   
  #  729|       if (is_config)
  #  730|->         print_config_data(ccol, &cred->ticket);
  #  731|   
  #  732|       if (cred->times.renew_till) {


Finding #3
Sheet row #16
Details:

  Error: OVERRUN (CWE-119):
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:308: cond_at_most: Checking "oa->oa_length > 400U" implies that "oa->oa_length" may be up to 400 on the false branch.
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:316: alias: Assigning: "buf" = "rpchdr". "buf" now points to element 0 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:317: ptr_incr: Incrementing "buf". "buf" now points to element 1 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:318: ptr_incr: Incrementing "buf". "buf" now points to element 2 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:319: ptr_incr: Incrementing "buf". "buf" now points to element 3 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:320: ptr_incr: Incrementing "buf". "buf" now points to element 4 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:321: ptr_incr: Incrementing "buf". "buf" now points to element 5 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:322: ptr_incr: Incrementing "buf". "buf" now points to element 6 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:323: ptr_incr: Incrementing "buf". "buf" now points to element 7 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:324: ptr_incr: Incrementing "buf". "buf" now points to element 8 of "rpchdr" (which consists of 32 4-byte elements).
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:325: cond_between: Checking "oa->oa_length" implies that "oa->oa_length" is between 1 and 400 (inclusive) on the true branch.
  krb5-1.21.2/src/lib/rpc/svc_auth_gss.c:326: overrun-buffer-arg: Overrunning buffer pointed to by "(caddr_t)buf" of 128 bytes by passing it to a function which accesses it at byte offset 431 using argument "oa->oa_length" (which evaluates to 400). [Note: The source code implementation of the function has been overridden by a builtin model.]
  #  324|   	IXDR_PUT_LONG(buf, oa->oa_length);
  #  325|   	if (oa->oa_length) {
  #  326|-> 		memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
  #  327|   		buf += RNDUP(oa->oa_length) / sizeof(int32_t);
  #  328|   	}


Finding #4
Sheet row #25
Details:

  Error: COMPILER_WARNING (CWE-697):
  krb5-1.21.2/src/util/support/threads.c: scope_hint: In function ‘krb5int_pthread_loaded’
  krb5-1.21.2/src/util/support/threads.c:154:27: warning[-Waddress]: the comparison will always evaluate as ‘false’ for the address of ‘pthread_equal’ will never be NULL
  #  154 |         || &pthread_equal == 0
  #      |                           ^~
  /usr/include/features.h:503: included_from: Included from here.
  /usr/include/assert.h:35: included_from: Included from here.
  krb5-1.21.2/src/include/k5-platform.h:56: included_from: Included from here.
  krb5-1.21.2/src/util/support/threads.c:28: included_from: Included from here.
  /usr/include/pthread.h:1340:1: note: ‘pthread_equal’ declared here
  # 1340 | __NTH (pthread_equal (pthread_t __thread1, pthread_t __thread2))
  #      | ^~~~~
  #  152|           || &pthread_mutex_init == 0
  #  153|           || &pthread_self == 0
  #  154|->         || &pthread_equal == 0
  #  155|           /* Any program that's really multithreaded will have to be
  #  156|              able to create threads.  */


Finding #5
Sheet row #26
Details:

  Error: UNINIT (CWE-457):
  krb5-1.21.2/src/lib/kdb/decrypt_key.c:63: var_decl: Declaring variable "ret" without initializer.
  krb5-1.21.2/src/lib/kdb/decrypt_key.c:134: uninit_use: Using uninitialized value "ret".
  #  132|       krb5_free_keyblock_contents(context, &kb);
  #  133|       free(salt.data.data);
  #  134|->     return ret;
  #  135|   }


Finding #6
Sheet row #34
Details:

  Error: CPPCHECK_WARNING (CWE-401):
  krb5-1.21.2/src/util/support/path.c:117: error[memleak]: Memory leak: basename
  #  115|       if (basename_out)
  #  116|           *basename_out = basename;
  #  117|->     return 0;
  #  118|   }
  #  119|


Finding #7
Sheet row #42
Details:

  Error: INTEGER_OVERFLOW (CWE-190):
  krb5-1.21.2/src/kadmin/dbutil/dump.c:669: tainted_data_argument: The value stored in "u5" is considered tainted.
  krb5-1.21.2/src/kadmin/dbutil/dump.c:707: cast_overflow: Truncation due to cast operation on "u5" from 32 to 16 bits.
  krb5-1.21.2/src/kadmin/dbutil/dump.c:707: overflow_assign: "dbentry->e_length" is assigned from "u5".
  krb5-1.21.2/src/kadmin/dbutil/dump.c:816: overflow_sink: "dbentry->e_length", which might have overflowed, is passed to "read_octets_or_minus1(filep, dbentry->e_length, &dbentry->e_data)".
  #  814|   
  #  815|       /* Get the extra data */
  #  816|->     if (read_octets_or_minus1(filep, dbentry->e_length, &dbentry->e_data)) {
  #  817|           load_err(fname, *linenop, _("cannot read extra data"));
  #  818|           goto fail;


Finding #8
Sheet row #46
Details:

  Error: REVERSE_NEGATIVE (CWE-191):
  krb5-1.21.2/src/lib/rpc/svc_udp.c:276: negative_sink_in_call: Passing "slen" to a parameter that cannot be negative.
  krb5-1.21.2/src/lib/rpc/svc_udp.c:280: check_after_sink: You might be using variable "slen" before verifying that it is >= 0.
  #  278|   	      == slen) {
  #  279|   	       stat = TRUE;
  #  280|-> 	       if (su->su_cache && slen >= 0) {
  #  281|   		    cache_set(xprt, (uint32_t) slen);
  #  282|   	       }

Reproducible: Always
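
Finding #3 deserves a closer look than the others: the scratch buffer rpchdr is 32 four-byte words (128 bytes), while oa_length is only bounded by 400, so eight header words plus a maximal credential need 432 bytes. The code below is an added illustration, not krb5's svc_auth_gss.c and not the fix shipped in the packages listed above, of computing the required size and checking it against the buffer capacity before the copy. The constants (32 words, 400 bytes) are taken from the finding; the names build_signing_header, xdr_put_u32, rndup4 and demo, and the sample header words, are this example's own assumptions. Whether a real RPCSEC_GSS caller can reach the overrun is not established by the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes named in the finding: a 32-element int32_t scratch buffer (128
 * bytes) and an authenticator bound of 400 bytes.  The macro names are
 * this example's, not the rpc headers'. */
#define HDR_WORDS      32
#define HDR_BYTES      (HDR_WORDS * (int)sizeof(int32_t))
#define MAX_AUTH_BYTES 400

/* XDR rounds opaque data up to a multiple of 4 bytes (RNDUP). */
static size_t rndup4(size_t n) { return (n + 3) & ~(size_t)3; }

/* Big-endian 32-bit store, standing in for IXDR_PUT_LONG. */
static void xdr_put_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Serialize the eight fixed call-header words (xid, direction, rpcvers,
 * prog, vers, proc, cred flavor, cred length) followed by the credential
 * body into 'out', which holds 'cap' bytes.
 *
 * Returns the number of bytes written, or -1 if the data would not fit.
 * The capacity check runs BEFORE the memcpy: bounding the credential by
 * MAX_AUTH_BYTES alone is not enough when the scratch buffer is smaller
 * than 8 words + RNDUP(MAX_AUTH_BYTES), which is the path the analyzer
 * flagged.
 */
static int build_signing_header(uint8_t *out, size_t cap,
                                const uint32_t hdr[8],
                                const uint8_t *cred, size_t cred_len)
{
    size_t need;
    int i;

    if (cred_len > MAX_AUTH_BYTES)
        return -1;
    need = 8 * 4 + rndup4(cred_len);
    if (need > cap)
        return -1;                      /* would overrun: refuse */

    memset(out, 0, need);               /* XDR padding bytes must be zero */
    for (i = 0; i < 8; i++)
        xdr_put_u32(out + 4 * i, hdr[i]);
    if (cred_len > 0)
        memcpy(out + 32, cred, cred_len);
    return (int)need;
}

/* Constructed inputs: a 20-byte credential fits in 128 bytes (52 used);
 * a maximal 400-byte one is refused instead of overrunning.  Returns 1 if
 * both behave as intended. */
int demo(void)
{
    uint8_t buf[HDR_BYTES];
    uint32_t hdr[8] = {0x1234, 0, 2, 100003, 4, 0, 6 /* flavor */, 0};
    uint8_t small[20] = {0}, big[MAX_AUTH_BYTES] = {0};
    int n1, n2;

    hdr[7] = sizeof(small);
    n1 = build_signing_header(buf, sizeof(buf), hdr, small, sizeof(small));
    hdr[7] = sizeof(big);
    n2 = build_signing_header(buf, sizeof(buf), hdr, big, sizeof(big));
    printf("small cred: %d bytes written; big cred: %d\n", n1, n2);
    return n1 == 52 && n2 == -1;
}

int main(void) { return demo() ? 0 : 1; }
```

The check is written as "need > cap" on the caller-supplied capacity rather than against MAX_AUTH_BYTES, so it stays correct if either the buffer or the authenticator bound changes independently.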

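Findings #1, #5 and #7 come down to two defensive-coding points: every local that a cleanup label frees or returns must be initialized before the first goto, and a tainted 32-bit length must be range-checked before it is narrowed into a 16-bit field and used as a read size. The following is an added example, not krb5's dump.c or kdb code and not the fix in the packages above, applying both points to a made-up record format "<len> <hexbytes>". The names load_extra_data, struct record, hexval and demo, the errno conventions, and the sample lines inside demo() are constructed for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record with a 16-bit length field, mirroring the shape of
 * the e_length/e_data pair named in Finding #7.  Not krb5's kdb types. */
struct record {
    uint16_t e_length;
    uint8_t *e_data;
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Parse a constructed text line of the form "<len> <hexbytes>" into rec.
 * Returns 0 on success, or an errno value on failure.
 */
static int load_extra_data(const char *line, struct record *rec)
{
    int ret = EINVAL;      /* initialized: every path to cleanup returns a value */
    uint8_t *data = NULL;  /* initialized: free(NULL) is safe on every path */
    char *end = NULL;
    const char *hex;
    unsigned long len;
    size_t i;

    rec->e_length = 0;
    rec->e_data = NULL;

    errno = 0;
    len = strtoul(line, &end, 10);
    if (errno != 0 || end == line || *end != ' ')
        goto cleanup;                       /* malformed length: EINVAL */

    /* Range-check the tainted value BEFORE narrowing it to 16 bits.
     * Without this, 65536 would become 0 and 70000 would become 4464. */
    if (len > UINT16_MAX) {
        ret = ERANGE;
        goto cleanup;
    }

    hex = end + 1;
    if (strlen(hex) != 2 * len)
        goto cleanup;                       /* data does not match declared length */

    data = malloc(len > 0 ? len : 1);
    if (data == NULL) {
        ret = ENOMEM;
        goto cleanup;
    }
    for (i = 0; i < len; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            goto cleanup;                   /* bad hex digit: EINVAL, data freed */
        data[i] = (uint8_t)((hi << 4) | lo);
    }

    rec->e_length = (uint16_t)len;          /* lossless after the range check */
    rec->e_data = data;
    data = NULL;                            /* ownership moved to rec */
    ret = 0;

cleanup:
    free(data);                             /* NULL or a live allocation, never garbage */
    return ret;
}

/* Constructed sample lines (not from any real dump file).  Returns 1 if
 * every case behaves as intended. */
int demo(void)
{
    struct record r;
    int ok = 1;

    ok &= load_extra_data("3 a1b2c3", &r) == 0 && r.e_length == 3 && r.e_data[2] == 0xc3;
    free(r.e_data);
    ok &= load_extra_data("70000 00", &r) == ERANGE;  /* would truncate to 4464 */
    ok &= load_extra_data("65536 00", &r) == ERANGE;  /* would truncate to 0 */
    ok &= load_extra_data("4 a1b2", &r) == EINVAL;    /* length/data mismatch */
    ok &= load_extra_data("2 zz00", &r) == EINVAL;    /* bad hex digit */
    ok &= load_extra_data("oops", &r) == EINVAL;      /* no length at all */
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("all checks passed: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The two habits the analyzer is really asking for are visible in the function prologue: ret and data get values on the line where they are declared, so no goto can reach cleanup with an unset return code or an uninitialized pointer, and the width check on len happens while it is still the full-width value.
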
Comment 1 Julien Rische 2024-10-30 11:40:14 UTC
Rawhide RPM dist-git merge request:
https://src.fedoraproject.org/rpms/krb5/pull-request/58

Comment 2 Julien Rische 2024-10-30 15:43:58 UTC
Fedora 41 RPM dist-git merge request:
https://src.fedoraproject.org/rpms/krb5/pull-request/59

Fedora 40 RPM dist-git merge request:
https://src.fedoraproject.org/rpms/krb5/pull-request/60

Fedora 39 RPM dist-git merge request:
https://src.fedoraproject.org/rpms/krb5/pull-request/61

Comment 3 Fedora Update System 2024-10-30 16:42:20 UTC
FEDORA-2024-ed15d25bf3 (krb5-1.21.3-3.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-ed15d25bf3

Comment 4 Fedora Update System 2024-10-30 16:54:00 UTC
FEDORA-2024-862f5c4156 (krb5-1.21.3-2.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-862f5c4156

Comment 5 Fedora Update System 2024-10-30 16:54:05 UTC
FEDORA-2024-29a74ac2b0 (krb5-1.21.3-2.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-29a74ac2b0

Comment 6 Fedora Update System 2024-10-30 16:54:14 UTC
FEDORA-2024-c0961d31b8 (krb5-1.21.3-3.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-c0961d31b8

Comment 7 Fedora Update System 2024-10-30 18:31:09 UTC
FEDORA-2024-ed15d25bf3 (krb5-1.21.3-3.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2024-10-31 02:33:16 UTC
FEDORA-2024-862f5c4156 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-862f5c4156`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-862f5c4156

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2024-10-31 03:08:41 UTC
FEDORA-2024-29a74ac2b0 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-29a74ac2b0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-29a74ac2b0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2024-10-31 03:41:41 UTC
FEDORA-2024-c0961d31b8 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c0961d31b8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c0961d31b8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2024-11-02 02:24:24 UTC
FEDORA-2024-c0961d31b8 (krb5-1.21.3-3.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2024-11-15 03:17:55 UTC
FEDORA-2024-29a74ac2b0 (krb5-1.21.3-2.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2024-11-15 03:21:18 UTC
FEDORA-2024-862f5c4156 (krb5-1.21.3-2.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.