Bug 886028 - Incorrect return value checks can lead to crash
Summary: Incorrect return value checks can lead to crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: perl-Sys-Virt
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Daniel Berrangé
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-12-11 10:53 UTC by Daniel Berrangé
Modified: 2013-02-21 09:52 UTC

Fixed In Version: perl-Sys-Virt-0.10.2-5.el6
Doc Type: Bug Fix
Doc Text:
Cause: When checking the return value of some methods, the wrong data type was assumed.
Consequence: Errors were not handled with some methods, leading to application crashes.
Fix: The error handling was fixed.
Result: API errors are correctly handled for the screenshot and current_snapshot methods.
Clone Of:
Environment:
Last Closed: 2013-02-21 09:52:42 UTC
Target Upstream Version:




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHBA-2013:0377 | 0 | normal | SHIPPED_LIVE | perl-Sys-Virt bug fix and enhancement update | 2013-02-20 20:52:18 UTC |

Description Daniel Berrangé 2012-12-11 10:53:57 UTC
Description of problem:
Coverity reported two problems with checking return values of APIs. This could lead to a crash in error code paths.

Fixed upstream in 

commit d6f25a7834fcad5f1ee1f8ea8f942b883086f3da
Author: Daniel P. Berrange <berrange@redhat.com>
Date:   Mon Dec 10 16:59:19 2012 +0000

    Fix some return value checks
    
    virDomainScreenshot and virDomainSnapshotCurrent both return
    pointers, so must compare " != NULL" instead of "< 0"
    
    Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

Version-Release number of selected component (if applicable):
perl-Sys-Virt-0.10.2-4.el6
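
The check described in the commit message above, shown as an added example (not code from perl-Sys-Virt or libvirt): a pointer-returning call tested with "< 0" next to the same call tested against NULL. `fake_screenshot`, `check_buggy`, `check_fixed` and the `CHECK_*` constants are hypothetical names, and `fake_screenshot` only stands in for an API that returns a pointer on success and NULL on error.

```c
#include <stddef.h>
#include <stdio.h>

enum { CHECK_OK = 0, CHECK_ERROR = -1 };

/* Hypothetical stand-in for a pointer-returning API such as
 * virDomainScreenshot(): a string on success, NULL on failure. */
static const char *fake_screenshot(int screen)
{
    return screen == 0 ? "image/png" : NULL;
}

/* "Before" pattern: the pointer result is tested with "< 0".
 * That comparison is never true, so the error branch is dead code
 * and a failed call is reported as success with *out == NULL. */
static int check_buggy(int screen, const char **out)
{
    const char *mime = fake_screenshot(screen);
    if (mime < 0)
        return CHECK_ERROR;      /* unreachable */
    *out = mime;
    return CHECK_OK;
}

/* "After" pattern: pointer results are compared against NULL. */
static int check_fixed(int screen, const char **out)
{
    const char *mime = fake_screenshot(screen);
    if (mime == NULL)
        return CHECK_ERROR;      /* *out is left untouched */
    *out = mime;
    return CHECK_OK;
}

int main(void)
{
    const char *mime = "unset";
    /* Screen 1 does not exist in this constructed example. */
    int rc = check_buggy(1, &mime);
    printf("buggy: rc=%d mime=%p\n", rc, (void *)mime);

    mime = "unset";
    rc = check_fixed(1, &mime);
    printf("fixed: rc=%d mime=%s\n", rc, mime);
    return 0;
}
```

A caller that trusts the `CHECK_OK` from `check_buggy` goes on to use a NULL pointer, which is the crash in the error path that this bug describes.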

Comment 2 Alex Jia 2012-12-14 10:17:35 UTC
Coverity scan on perl-Sys-Virt-0.10.2-5.el6.src.rpm.

Without patches (run0):

List of Defects

Error: BAD_COMPARE (CWE-628): [#def1]
Sys-Virt-0.10.2/Virt.xs:2923: null_misuse: Comparing pointer "virDomainScreenshot(dom, st, screen, flags)" against NULL using anything besides == or != is likely to be incorrect.

Error: BAD_COMPARE (CWE-628): [#def2]
Sys-Virt-0.10.2/Virt.xs:4277: null_misuse: Comparing pointer "RETVAL = virDomainSnapshotCurrent(dom, flags)" against NULL using anything besides == or != is likely to be incorrect.

Error: DEADCODE (CWE-561): [#def3]
Sys-Virt-0.10.2/Virt.xs:2923: dead_error_condition: The condition "virDomainScreenshot(dom, st, screen, flags) < NULL" cannot be true.
Sys-Virt-0.10.2/Virt.xs:2924: dead_error_line: Execution cannot reach this statement "_croak_error();".

Error: DEADCODE (CWE-561): [#def4]
Sys-Virt-0.10.2/Virt.xs:4277: dead_error_condition: The condition "(RETVAL = virDomainSnapshotCurrent(dom, flags)) < NULL" cannot be true.
Sys-Virt-0.10.2/Virt.xs:4278: dead_error_line: Execution cannot reach this statement "_croak_error();".

Error: NO_EFFECT (CWE-398): [#def5]
Sys-Virt-0.10.2/Virt.xs:5936: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "nbytes < 0UL".

Error: SIGN_EXTENSION (CWE-194): [#def6]
Sys-Virt-0.10.2/Virt.xs:4112: sign_extension: Suspicious implicit sign extension: "dominfo.nrVirtCpu" with type "unsigned short" (16 bits, unsigned) is promoted in "dominfo.nrVirtCpu * maplen" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "dominfo.nrVirtCpu * maplen" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.


With patches (run1):

List of Defects

Error: NO_EFFECT (CWE-398): [#def1]
Sys-Virt-0.10.2/Virt.xs:5952: unsigned_compare: This less-than-zero comparison of an unsigned value is never true. "nbytes < 0UL".

Error: SIGN_EXTENSION (CWE-194): [#def2]
Sys-Virt-0.10.2/Virt.xs:4128: sign_extension: Suspicious implicit sign extension: "dominfo.nrVirtCpu" with type "unsigned short" (16 bits, unsigned) is promoted in "dominfo.nrVirtCpu * maplen" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "dominfo.nrVirtCpu * maplen" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.


Note: the previous issues have been fixed, and the remaining NO_EFFECT and SIGN_EXTENSION defects are harmless, so I am moving the bug to verified.

Comment 4 errata-xmlrpc 2013-02-21 09:52:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0377.html

