Hide Forgot
Created attachment 491997 [details] Proposed solution Description of problem: Coverity scan discovered dereferencing null variable rs on line #1010 in dmraid/1.0.0.rc13/lib/events/libdmraid-events-isw.c. If variable dir_entries is equal to zero, null variable rs is dereferenced. Additional info: This defect was not present in current supported version of dmraid package.
Zdenek, I am new to dmraid, any way for us to trigger the _scandir() return 0 so that we could test this bug? The code in RHEL 5.5 (dmraid-1.0.0.rc13-63.el5) is also facing the issue of NULL pointer. Michal Luscon mentioned this will not impact current supported version. What does that mean?
We scanned dmraid-1.0.0.rc13-63.el5 and dmraid-1.0.0.rc13-64.el5. You could see the results at http://dhcp-25-220.brq.redhat.com/cov-patches/rhel-5.7/old/dmraid-1.0.0.rc13-63.el5/run1/dmraid-1.0.0.rc13-63.el5.err and http://dhcp-25-220.brq.redhat.com/cov-patches/rhel-5.7/new/dmraid-1.0.0.rc13-64.el5/run1/dmraid-1.0.0.rc13-64.el5.err . Lexical diff uncovered this defect as the only difference between defect logs. If the code in 5.5 is same/similar and you say the code in 5.5 is facing the same issue, probably some change in 5.7 triggered the detection by Coverity static analyser. This one particular defect was not present in dmraid-1.0.0.rc13-63.el5 log. Therefore it was identified to be new in RHEL-5.7 dmraid package. Usually, in the case of Coverity scans, we don't have reproducers ... we discussed the verification with BaseOS QE guys and they were ok with SanityOnly verifications. Maybe you could use similar approach here.
Thanks for the detailed clarification. Code reviewed. The only change for this bug is --- libdmraid-events-isw.c_old 2011-05-30 10:23:43.686537617 +0800 +++ libdmraid-events-isw.c 2011-05-30 10:24:25.696536555 +0800 @@ -1007,7 +1007,7 @@ static struct dso_raid_set *_create_raid } /* Check if all devices are avaliable */ - for (dev = rs->devs, i = 0; i < rs->num_devs; i++, dev++) { + if (rs) for (dev = rs->devs, i = 0; i < rs->num_devs; i++, dev++) { /* If there is no major:minor number device is missing */ if (*dev->major_minor == '\0') { /* Replace failed device with last device in set; reduce num_devs. */ Set as sanity only.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Patch for bug 626417 introduced a new code path which would deference already know NULL pointer and would end with application coredump. To avoid this problem, a check against NULL was added before pointer dereference.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-1020.html