Bug 886028

Summary: Incorrect return value checks can lead to crash
Product: Red Hat Enterprise Linux 6
Reporter: Daniel Berrangé <berrange>
Component: perl-Sys-Virt
Assignee: Daniel Berrangé <berrange>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.5
CC: ajia, bsarathy, dallan, dyuan, mjenner, mzhan, rwu, weizhan, zpeng
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: perl-Sys-Virt-0.10.2-5.el6
Doc Type: Bug Fix
Doc Text:
Cause: When checking return value of some methods, the wrong data type was assumed.
Consequence: Errors were not handled with some methods leading to application crashes.
Fix: The error handling was fixed.
Result: API errors are correctly handled for the screenshot and current_snapshot methods.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 09:52:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Daniel Berrangé 2012-12-11 10:53:57 UTC
Description of problem:
Coverity reported two problems with checking return values of APIs. This could lead to a crash in error code paths.

Fixed upstream in 

commit d6f25a7834fcad5f1ee1f8ea8f942b883086f3da
Author: Daniel P. Berrange <berrange>
Date:   Mon Dec 10 16:59:19 2012 +0000

    Fix some return value checks
    
    virDomainScreenshot and virDomainSnapshotCurrent both return
    pointers, so must compare " != NULL" instead of "< 0"
    
    Signed-off-by: Daniel P. Berrange <berrange>

Version-Release number of selected component (if applicable):
perl-Sys-Virt-0.10.2-4.el6
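
Added example, not part of the bug report or the perl-Sys-Virt sources: the defect class named in the commit message above, reproduced in plain C. `fake_screenshot`, `call_buggy` and `call_fixed` are hypothetical names; `fake_screenshot` stands in for a pointer-returning call such as virDomainScreenshot. The ordered comparison never takes the error path, so a NULL result reaches the caller, while the NULL test handles it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a pointer-returning API such as
 * virDomainScreenshot(): heap string on success, NULL on error. */
static char *fake_screenshot(int fail)
{
    char *mime = fail ? NULL : malloc(sizeof "image/png");
    if (mime)
        strcpy(mime, "image/png");
    return mime;
}

enum outcome { OK, ERROR_HANDLED, NULL_REACHED_CALLER };

/* Pre-fix pattern: an integer-style "less than" check on a pointer.
 * Written with a cast so both operands have the same pointer type. */
static enum outcome call_buggy(int fail)
{
    char *mime = fake_screenshot(fail);
    if (mime < (char *)NULL)      /* never true: the dead error path */
        return ERROR_HANDLED;
    if (mime == NULL)             /* demo guard; real code would go on to use mime */
        return NULL_REACHED_CALLER;
    free(mime);
    return OK;
}

/* Post-fix pattern: a pointer result is tested against NULL. */
static enum outcome call_fixed(int fail)
{
    char *mime = fake_screenshot(fail);
    if (mime == NULL)
        return ERROR_HANDLED;
    free(mime);
    return OK;
}

int main(void)
{
    printf("buggy, API fails: %d\n", call_buggy(1));
    printf("fixed, API fails: %d\n", call_fixed(1));
    printf("buggy, API works: %d fixed, API works: %d\n", call_buggy(0), call_fixed(0));
    return 0;
}
```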

Comment 2 Alex Jia 2012-12-14 10:17:35 UTC
Coverity scan on perl-Sys-Virt-0.10.2-5.el6.src.rpm.

Without patches (run0):

List of Defects

Error: BAD_COMPARE (CWE-628): [#def1]
Sys-Virt-0.10.2/Virt.xs:2923: null_misuse: Comparing pointer "virDomainScreenshot(dom, st, screen, flags)" against NULL using anything besides == or != is likely to be incorrect.

Error: BAD_COMPARE (CWE-628): [#def2]
Sys-Virt-0.10.2/Virt.xs:4277: null_misuse: Comparing pointer "RETVAL = virDomainSnapshotCurrent(dom, flags)" against NULL using anything besides == or != is likely to be incorrect.

Error: DEADCODE (CWE-561): [#def3]
Sys-Virt-0.10.2/Virt.xs:2923: dead_error_condition: The condition "virDomainScreenshot(dom, st, screen, flags) < NULL" cannot be true.
Sys-Virt-0.10.2/Virt.xs:2924: dead_error_line: Execution cannot reach this statement "_croak_error();".

Error: DEADCODE (CWE-561): [#def4]
Sys-Virt-0.10.2/Virt.xs:4277: dead_error_condition: The condition "(RETVAL = virDomainSnapshotCurrent(dom, flags)) < NULL" cannot be true.
Sys-Virt-0.10.2/Virt.xs:4278: dead_error_line: Execution cannot reach this statement "_croak_error();".

Error: NO_EFFECT (CWE-398): [#def5]
Sys-Virt-0.10.2/Virt.xs:5936: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "nbytes < 0UL".

Error: SIGN_EXTENSION (CWE-194): [#def6]
Sys-Virt-0.10.2/Virt.xs:4112: sign_extension: Suspicious implicit sign extension: "dominfo.nrVirtCpu" with type "unsigned short" (16 bits, unsigned) is promoted in "dominfo.nrVirtCpu * maplen" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "dominfo.nrVirtCpu * maplen" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.


With patches (run1):

List of Defects

Error: NO_EFFECT (CWE-398): [#def1]
Sys-Virt-0.10.2/Virt.xs:5952: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "nbytes < 0UL".

Error: SIGN_EXTENSION (CWE-194): [#def2]
Sys-Virt-0.10.2/Virt.xs:4128: sign_extension: Suspicious implicit sign extension: "dominfo.nrVirtCpu" with type "unsigned short" (16 bits, unsigned) is promoted in "dominfo.nrVirtCpu * maplen" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "dominfo.nrVirtCpu * maplen" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.


Note: the previous issues have been fixed, and the remaining NO_EFFECT and SIGN_EXTENSION defects are harmless, so move the bug to verified.

Comment 4 errata-xmlrpc 2013-02-21 09:52:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0377.html