docs: add rh analysis #2 information to contrib

Reference information.

Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This commit is contained in:
Sami Kerola 2011-10-19 09:39:36 +02:00
parent cea2e7ca5b
commit db6a427ecf
2 changed files with 313 additions and 4 deletions

View File

@ -66,10 +66,7 @@ sysconf_DATA = sysctl.conf
EXTRA_DIST = \
autogen.sh \
CodingStyle \
contrib/dummy.c \
contrib/minimal.c \
contrib/tmp-junk.c \
contrib/utmp.c \
contrib/ \
COPYING.LIB \
$(sysconf_DATA)

View File

@ -0,0 +1,312 @@
See http://www.freelists.org/post/procps/Scan-results,5
based on:
filtered-with-patches.err
these are the categories i've assigned:
defect_was_fixed
EVALUATION_ORDER
pmap
TAINTED_STRING
tload
possibly_filter_out_?
MISSING_BREAK
slabtop
ps/output
avoidable_false_positive
DEADCODE
proc/readproc
FORWARD_NULL
top
vmstat
RESOURCE_LEAK
ps/parser (3)
STRING_NULL
pwdx
proc/readproc
TAINTED_SCALAR
pgrep
slabtop
top (3)
TAINTED_STRING
watch (2)
TOCTOU
sysctl (2)
UNINIT
ps/output (2)
unavoidable_false_positive_?
UNREACHABLE
ps/sortformat
unavoidable_false_positive_but_patched_anyway
OVERRUN_STATIC
top (no defect, but i yield)
pgrep ------------------------------------------------------------------------
Error: TAINTED_SCALAR:
agree that argv might be tainted
but the (int)argv[1][1] index is being passed to isdigit() function (and glibc safely indexes into array sized at 384 bytes)
my_category: avoidable_false_positive (out of step with current glibc implementation)
pgrep.c:720: tainted_data: Passing tainted variable "argv" to a tainted sink.
pgrep.c:558: data_index: Using tainted variable "(int)argv[1][1]" as an index to pointer "*__ctype_b_loc()".
pmap -------------------------------------------------------------------------
Error: EVALUATION_ORDER:
agree that there is a problem.
moreover, it deals with an undocumented command line argument (but sami has documentation addition pending)
a deference was added in line with intent, hopefully avoids this warning
my_category: defect_was_fixed
pmap.c:314: write_write_order: In "arg2 = (arg2 ? arg2++ : arg1)", "arg2" is written in "arg2" (the assignment left-hand side) and written in "arg2 ? arg2++ : arg1" but the order in which the side effects take place is undefined because there is no intervening sequence point.
pwdx -------------------------------------------------------------------------
Error: STRING_NULL:
static buffer is initialized to 0
it is +1 larger than size passed to readlink
was fixed in previous analysis
my_category: avoidable_false_positive
pwdx.c:86: string_null_argument: Function "readlink" does not terminate string "*buf".
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:92: string_null: Passing unterminated string "s" to "printf".
slabtop ----------------------------------------------------------------------
Error: MISSING_BREAK:
intentional fall through after setting return code
no change made
my_category: possibly_filter_out_?
slabtop.c:314: unterminated_case: This case (value 104) is not terminated by a 'break' statement.
slabtop.c:316: fallthrough: The above case falls through to this one.
Error: TAINTED_SCALAR:
read limited to single byte signed 'char'
ultimately passed to toupper() function (and glibc safely indexes into array sized at 384 bytes)
my_category: avoidable_false_positive (out of step with current glibc implementation)
slabtop.c:387: tainted_data_argument: Calling function "read" taints argument "c".
slabtop.c:389: tainted_data: Passing tainted variable "c" to a tainted sink.
slabtop.c:233: data_index: Using tainted variable "(int)c" as an index to pointer "*__ctype_toupper_loc()".
sysctl -----------------------------------------------------------------------
Error: TOCTOU:
the pathlength between these two events cannot be reduced further
instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
my_category: avoidable_false_positive
sysctl.c:149: fs_check_call: Calling function "stat" to perform check on "tmpname".
sysctl.c:168: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.
Error: TOCTOU:
the pathlength between these two events cannot be reduced further
instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
my_category: avoidable_false_positive
sysctl.c:327: fs_check_call: Calling function "stat" to perform check on "tmpname".
sysctl.c:345: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.
tload ------------------------------------------------------------------------
Error: TAINTED_STRING:
altered perror call to provide an untainted string
my_category: defect_was_fixed
tload.c:89: tainted_string: Passing tainted string "argv[optind]" to a function that cannot accept tainted data.
top --------------------------------------------------------------------------
Error: FORWARD_NULL:
cpus cannot be NULL without fp also being NULL
the very next 'if (!fp)' ensures cpus will be allocated
my_category: avoidable_false_positive
top.c:1790: assign_zero: Assigning: "cpus" = 0.
top.c:1807: var_deref_op: Dereferencing null variable "cpus".
Error: OVERRUN_STATIC:
This "error" is centered around the following code:
f = w->pflgsall[i + w->begpflg];
w->procflgs[i] = f;
#ifndef USE_X_COLHDR
if (P_MAXPFLGS < f) continue;
#endif
h = Fieldstab[f].head;
The enum P_MAXPFLGS is strictly a fencepost and can *never* appear in the arrays pflgsall or procflgs.
Thus it (39th element) cannot be used in referencing Fieldstab.
However, two enums of higher value (X_XON=40 and X_XOF=41) *can* appear in those arrays.
But the test against the fencepost ensures that those two enums are *never* used in referencing Fieldstab.
When the analyzer sees the conditional using '<' and not '<=' it reports a false positive.
i'm tired of explaining this so the program was changed to accommodate the tool's deficiency
my_category: unavoidable_false_positive_but_patched_anyway
top.c:1417: overrun-local: Overrunning static array "Fieldstab", with 39 elements, at position 39 with index variable "f".
Error: TAINTED_SCALAR:
the index is used subordinate to a case statement ensuring a value between '1' and '4'
my_category: avoidable_false_positive
top.c:2442: tainted_data_argument: Calling function "chin" taints argument "ch".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:2452: tainted_data: Using tainted variable "ch - 49" as an index into an array "Winstk".
Error: TAINTED_SCALAR:
the index is used subordinate to as case statement ensuring a value between '1' and '4'
my_category: avoidable_false_positive
top.c:2719: tainted_data_argument: Calling function "chin" taints argument "ch".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:2720: tainted_data: Passing tainted variable "ch" to a tainted sink.
top.c:2452: data_index: Using tainted variable "ch - 49" as an index to array "Winstk".
Error: TAINTED_SCALAR:
buf tainted by chin is zero terminated
single char is ultimately passed to isprintf() function (and glibc safely indexes into array sized at 384 bytes)
my_category: avoidable_false_positive (out of step with current glibc implementation)
top.c:972: tainted_data_return: Function "keyin" returns tainted data.
top.c:912: tainted_data_argument: Function "chin" taints argument "buf".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:926: return_tainted_data: Returning tainted variable "buf[0]".
top.c:972: var_assign: Assigning: "key" = "keyin", which taints "key".
top.c:1001: tainted_data: Using tainted variable "(int)key" as an index to pointer "*__ctype_b_loc()".
vmstat -----------------------------------------------------------------------
Error: FORWARD_NULL:
partition made non-null with optarg for -p where statMode |= PARTITIONSTAT
if no optarg then program exits with usage
thus call to diskpartition_format will be with non-null pointer
my_category: avoidable_false_positive
vmstat.c:593: assign_zero: Assigning: "partition" = 0.
vmstat.c:669: var_deref_model: Passing null variable "partition" to function "diskpartition_format", which dereferences it.
vmstat.c:301: deref_parm_in_call: Function "strcmp" dereferences parameter "partition_name". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)
watch ------------------------------------------------------------------------
Error: TAINTED_STRING:
even though the environment variable COLUMNS might begin tainted, from my analysis, the tool is totally mistaken
strtol actually untaints data in the form of 't' and 'endptr' then the environment variable COLUMNS is potentially purified with -1
my_category: avoidable_false_positive
watch.c:95: tainted_string_return_content: "getenv" returns tainted string content.
watch.c:95: var_assign: Assigning: "s" = "getenv("COLUMNS")", which taints "s".
watch.c:100: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
watch.c:100: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
watch.c:101: var_assign_var: Assigning: "incoming_cols" = "(int)t". Both are now tainted.
watch.c:102: var_assign_var: Assigning: "width" = "incoming_cols". Both are now tainted.
watch.c:103: vararg_transitive: Call to "snprintf" with tainted argument "width" taints "env_col_buf".
watch.c:104: tainted_string: Passing tainted string "env_col_buf" to a function that cannot accept tainted data.
Error: TAINTED_STRING:
even though the environment variable LINES might begin tainted, from my analysis, the tool is totally mistaken
strtol actually untaints data in the form of 't' and 'endptr' then the environment variable LINES is potentially purified with -1
my_category: avoidable_false_positive
watch.c:108: tainted_string_return_content: "getenv" returns tainted string content.
watch.c:108: var_assign: Assigning: "s" = "getenv("LINES")", which taints "s".
watch.c:113: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
watch.c:113: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
watch.c:114: var_assign_var: Assigning: "incoming_rows" = "(int)t". Both are now tainted.
watch.c:115: var_assign_var: Assigning: "height" = "incoming_rows". Both are now tainted.
watch.c:116: vararg_transitive: Call to "snprintf" with tainted argument "height" taints "env_row_buf".
watch.c:117: tainted_string: Passing tainted string "env_row_buf" to a function that cannot accept tainted data.
proc/readproc ----------------------------------------------------------------
Error: DEADCODE:
the tool does not understand gperf and the pseudo case labels preceded by goto
the following code snippets illustrate the deficiency:
goto *(&&base + entry.offset);
...
case_Threads:
Threads = strtol(S,&S,10);
continue;
my_category: avoidable_false_positive
proc/readproc.c:387: dead_error_condition: On this path, the condition "Threads" cannot be true.
proc/readproc.c:115: const: After this line, the value of "Threads" is equal to 0.
proc/readproc.c:115: assignment: Assigning: "Threads" = "0L".
proc/readproc.c:388: dead_error_begin: Execution cannot reach this statement "P->nlwp = Threads;".
Error: STRING_NULL:
read is asked to retrieve -1 bytes than passed capacity: num_read = read(fd, ret, cap - 1);
file2str does indeed null terminate sbuf: ret[num_read] = '\0';
my_category: avoidable_false_positive
proc/readproc.c:1193: string_null_argument: Function "file2str" does not terminate string "*sbuf".
proc/readproc.c:514: string_null_argument: Function "read" fills array "*ret" with a non-terminated string.
proc/readproc.c:1197: string_null: Passing unterminated string "sbuf" to a function expecting a null-terminated string.
proc/readproc.c:447: string_null_sink_parm_call: Passing parameter "S" to "strchr" which expects a null-terminated string.
ps/output --------------------------------------------------------------------
Error: MISSING_BREAK:
intentional fall through
my_category: possibly_filter_out_?
ps/output.c:1983: unterminated_default: The default case is not terminated by a 'break' statement.
ps/output.c:1984: fallthrough: The above case falls through to this one.
Error: UNINIT:
the first member is initialized in the very next statement, sufficient for bsearch callback
key.spec = findme;
my_category: avoidable_false_positive
ps/output.c:1737: var_decl: Declaring variable "key" without initializer.
ps/output.c:1739: uninit_use_in_call: Using uninitialized value "key": field "key".flags is uninitialized when calling "bsearch".
Error: UNINIT:
the first member is initialized in the very next statement, sufficient for bsearch callback
key.spec = findme;
my_category: avoidable_false_positive
ps/output.c:1745: var_decl: Declaring variable "key" without initializer.
ps/output.c:1747: uninit_use_in_call: Using uninitialized value "key": field "key".head is uninitialized when calling "bsearch".
ps/parser --------------------------------------------------------------------
Error: RESOURCE_LEAK:
intentional omission
abexit shortly
my_category: avoidable_false_positive
ps/parser.c:1021: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1021: var_assign: Assigning: "pidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK:
intentional omission
abexit shortly
my_category: avoidable_false_positive
ps/parser.c:1025: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1025: var_assign: Assigning: "grpnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK:
intentional omission
abexit shortly
my_category: avoidable_false_positive
ps/parser.c:1029: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1029: var_assign: Assigning: "sidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.
ps/sortformat ----------------------------------------------------------------
Error: UNREACHABLE:
the tool does not understand the following 'label' usage (nor do i - perhaps some obscure compiler/platform warning/quirk)
goto unknown;
...
if(0) unknown: err=errbuf;
my_category: unavoidable_false_positive_?
ps/sortformat.c:312: unreachable: This code cannot be reached: "if (0){
unknown:
err = ...".