docs: add rh analysis #2 information to contrib
Reference information. Signed-off-by: Sami Kerola <kerolasa@iki.fi>
This commit is contained in:
parent
cea2e7ca5b
commit
db6a427ecf
@ -66,10 +66,7 @@ sysconf_DATA = sysctl.conf
|
||||
EXTRA_DIST = \
|
||||
autogen.sh \
|
||||
CodingStyle \
|
||||
contrib/dummy.c \
|
||||
contrib/minimal.c \
|
||||
contrib/tmp-junk.c \
|
||||
contrib/utmp.c \
|
||||
contrib/ \
|
||||
COPYING.LIB \
|
||||
$(sysconf_DATA)
|
||||
|
||||
|
312
contrib/response.filtered-with-patches.err
Normal file
312
contrib/response.filtered-with-patches.err
Normal file
@ -0,0 +1,312 @@
|
||||
See http://www.freelists.org/post/procps/Scan-results,5
|
||||
|
||||
|
||||
based on:
|
||||
filtered-with-patches.err
|
||||
|
||||
these are the categories i've assigned:
|
||||
defect_was_fixed
|
||||
EVALUATION_ORDER
|
||||
pmap
|
||||
TAINTED_STRING
|
||||
tload
|
||||
|
||||
possibly_filter_out_?
|
||||
MISSING_BREAK
|
||||
slabtop
|
||||
ps/output
|
||||
|
||||
avoidable_false_positive
|
||||
DEADCODE
|
||||
proc/readproc
|
||||
FORWARD_NULL
|
||||
top
|
||||
vmstat
|
||||
RESOURCE_LEAK
|
||||
ps/parser (3)
|
||||
STRING_NULL
|
||||
pwdx
|
||||
proc/readproc
|
||||
TAINTED_SCALAR
|
||||
pgrep
|
||||
slabtop
|
||||
top (3)
|
||||
TAINTED_STRING
|
||||
watch (2)
|
||||
TOCTOU
|
||||
sysctl (2)
|
||||
UNINIT
|
||||
ps/output (2)
|
||||
|
||||
unavoidable_false_positive_?
|
||||
UNREACHABLE
|
||||
ps/sortformat
|
||||
|
||||
unavoidable_false_positive_but_patched_anyway
|
||||
OVERRUN_STATIC
|
||||
top (no defect, but i yield)
|
||||
|
||||
|
||||
|
||||
pgrep ------------------------------------------------------------------------
|
||||
Error: TAINTED_SCALAR:
|
||||
agree that argv might be tainted
|
||||
but the (int)argv[1][1] index is being passed to isdigit() function (and glibc safely indexes into array sized at 384 bytes)
|
||||
my_category: avoidable_false_positive (out of step with current glibc implementation)
|
||||
pgrep.c:720: tainted_data: Passing tainted variable "argv" to a tainted sink.
|
||||
pgrep.c:558: data_index: Using tainted variable "(int)argv[1][1]" as an index to pointer "*__ctype_b_loc()".
|
||||
|
||||
|
||||
pmap -------------------------------------------------------------------------
|
||||
Error: EVALUATION_ORDER:
|
||||
agree that there is a problem.
|
||||
moreover, it deals with an undocumented command line argument (but sami has documentation addition pending)
|
||||
a deference was added in line with intent, hopefully avoids this warning
|
||||
my_category: defect_was_fixed
|
||||
pmap.c:314: write_write_order: In "arg2 = (arg2 ? arg2++ : arg1)", "arg2" is written in "arg2" (the assignment left-hand side) and written in "arg2 ? arg2++ : arg1" but the order in which the side effects take place is undefined because there is no intervening sequence point.
|
||||
|
||||
|
||||
|
||||
pwdx -------------------------------------------------------------------------
|
||||
Error: STRING_NULL:
|
||||
static buffer is initialized to 0
|
||||
it is +1 larger than size passed to readlink
|
||||
was fixed in previous analysis
|
||||
my_category: avoidable_false_positive
|
||||
pwdx.c:86: string_null_argument: Function "readlink" does not terminate string "*buf".
|
||||
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
|
||||
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
|
||||
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
|
||||
pwdx.c:92: string_null: Passing unterminated string "s" to "printf".
|
||||
|
||||
|
||||
|
||||
slabtop ----------------------------------------------------------------------
|
||||
Error: MISSING_BREAK:
|
||||
intentional fall through after setting return code
|
||||
no change made
|
||||
my_category: possibly_filter_out_?
|
||||
slabtop.c:314: unterminated_case: This case (value 104) is not terminated by a 'break' statement.
|
||||
slabtop.c:316: fallthrough: The above case falls through to this one.
|
||||
|
||||
Error: TAINTED_SCALAR:
|
||||
read limited to single byte signed 'char'
|
||||
ultimately passed to toupper() function (and glibc safely indexes into array sized at 384 bytes)
|
||||
my_category: avoidable_false_positive (out of step with current glibc implementation)
|
||||
slabtop.c:387: tainted_data_argument: Calling function "read" taints argument "c".
|
||||
slabtop.c:389: tainted_data: Passing tainted variable "c" to a tainted sink.
|
||||
slabtop.c:233: data_index: Using tainted variable "(int)c" as an index to pointer "*__ctype_toupper_loc()".
|
||||
|
||||
|
||||
|
||||
sysctl -----------------------------------------------------------------------
|
||||
Error: TOCTOU:
|
||||
the pathlength between these two events cannot be reduced further
|
||||
instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
|
||||
my_category: avoidable_false_positive
|
||||
sysctl.c:149: fs_check_call: Calling function "stat" to perform check on "tmpname".
|
||||
sysctl.c:168: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.
|
||||
|
||||
Error: TOCTOU:
|
||||
the pathlength between these two events cannot be reduced further
|
||||
instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
|
||||
my_category: avoidable_false_positive
|
||||
sysctl.c:327: fs_check_call: Calling function "stat" to perform check on "tmpname".
|
||||
sysctl.c:345: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.
|
||||
|
||||
|
||||
|
||||
tload ------------------------------------------------------------------------
|
||||
Error: TAINTED_STRING:
|
||||
altered perror call to provide an untainted string
|
||||
my_category: defect_was_fixed
|
||||
tload.c:89: tainted_string: Passing tainted string "argv[optind]" to a function that cannot accept tainted data.
|
||||
|
||||
|
||||
|
||||
top --------------------------------------------------------------------------
|
||||
Error: FORWARD_NULL:
|
||||
cpus cannot be NULL without fp also being NULL
|
||||
the very next 'if (!fp)' ensures cpus will be allocated
|
||||
my_category: avoidable_false_positive
|
||||
top.c:1790: assign_zero: Assigning: "cpus" = 0.
|
||||
top.c:1807: var_deref_op: Dereferencing null variable "cpus".
|
||||
|
||||
Error: OVERRUN_STATIC:
|
||||
This "error" is centered around the following code:
|
||||
f = w->pflgsall[i + w->begpflg];
|
||||
w->procflgs[i] = f;
|
||||
#ifndef USE_X_COLHDR
|
||||
if (P_MAXPFLGS < f) continue;
|
||||
#endif
|
||||
h = Fieldstab[f].head;
|
||||
|
||||
The enum P_MAXPFLGS is strictly a fencepost and can *never* appear in the arrays pflgsall or procflgs.
|
||||
Thus it (39th element) cannot be used in referencing Fieldstab.
|
||||
However, two enums of higher value (X_XON=40 and X_XOF=41) *can* appear in those arrays.
|
||||
But the test against the fencepost ensures that those two enums are *never* used in referencing Fieldstab.
|
||||
|
||||
When the analyzer sees the conditional using '<' and not '<=' it reports a false positive.
|
||||
|
||||
i'm tired of explaining this so the program was changed to accommodate the tool's deficiency
|
||||
my_category: unavoidable_false_positive_but_patched_anyway
|
||||
top.c:1417: overrun-local: Overrunning static array "Fieldstab", with 39 elements, at position 39 with index variable "f".
|
||||
|
||||
Error: TAINTED_SCALAR:
|
||||
the index is used subordinate to a case statement ensuring a value between '1' and '4'
|
||||
my_category: avoidable_false_positive
|
||||
top.c:2442: tainted_data_argument: Calling function "chin" taints argument "ch".
|
||||
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
|
||||
top.c:2452: tainted_data: Using tainted variable "ch - 49" as an index into an array "Winstk".
|
||||
|
||||
Error: TAINTED_SCALAR:
|
||||
the index is used subordinate to as case statement ensuring a value between '1' and '4'
|
||||
my_category: avoidable_false_positive
|
||||
top.c:2719: tainted_data_argument: Calling function "chin" taints argument "ch".
|
||||
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
|
||||
top.c:2720: tainted_data: Passing tainted variable "ch" to a tainted sink.
|
||||
top.c:2452: data_index: Using tainted variable "ch - 49" as an index to array "Winstk".
|
||||
|
||||
Error: TAINTED_SCALAR:
|
||||
buf tainted by chin is zero terminated
|
||||
single char is ultimately passed to isprintf() function (and glibc safely indexes into array sized at 384 bytes)
|
||||
my_category: avoidable_false_positive (out of step with current glibc implementation)
|
||||
top.c:972: tainted_data_return: Function "keyin" returns tainted data.
|
||||
top.c:912: tainted_data_argument: Function "chin" taints argument "buf".
|
||||
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
|
||||
top.c:926: return_tainted_data: Returning tainted variable "buf[0]".
|
||||
top.c:972: var_assign: Assigning: "key" = "keyin", which taints "key".
|
||||
top.c:1001: tainted_data: Using tainted variable "(int)key" as an index to pointer "*__ctype_b_loc()".
|
||||
|
||||
|
||||
|
||||
vmstat -----------------------------------------------------------------------
|
||||
Error: FORWARD_NULL:
|
||||
partition made non-null with optarg for -p where statMode |= PARTITIONSTAT
|
||||
if no optarg then program exits with usage
|
||||
thus call to diskpartition_format will be with non-null pointer
|
||||
my_category: avoidable_false_positive
|
||||
vmstat.c:593: assign_zero: Assigning: "partition" = 0.
|
||||
vmstat.c:669: var_deref_model: Passing null variable "partition" to function "diskpartition_format", which dereferences it.
|
||||
vmstat.c:301: deref_parm_in_call: Function "strcmp" dereferences parameter "partition_name". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)
|
||||
|
||||
|
||||
|
||||
watch ------------------------------------------------------------------------
|
||||
Error: TAINTED_STRING:
|
||||
even though the environment variable COLUMNS might begin tainted, from my analysis, the tool is totally mistaken
|
||||
strtol actually untaints data in the form of 't' and 'endptr' then the environment variable COLUMNS is potentially purified with -1
|
||||
my_category: avoidable_false_positive
|
||||
watch.c:95: tainted_string_return_content: "getenv" returns tainted string content.
|
||||
watch.c:95: var_assign: Assigning: "s" = "getenv("COLUMNS")", which taints "s".
|
||||
watch.c:100: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
|
||||
watch.c:100: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
|
||||
watch.c:101: var_assign_var: Assigning: "incoming_cols" = "(int)t". Both are now tainted.
|
||||
watch.c:102: var_assign_var: Assigning: "width" = "incoming_cols". Both are now tainted.
|
||||
watch.c:103: vararg_transitive: Call to "snprintf" with tainted argument "width" taints "env_col_buf".
|
||||
watch.c:104: tainted_string: Passing tainted string "env_col_buf" to a function that cannot accept tainted data.
|
||||
|
||||
Error: TAINTED_STRING:
|
||||
even though the environment variable LINES might begin tainted, from my analysis, the tool is totally mistaken
|
||||
strtol actually untaints data in the form of 't' and 'endptr' then the environment variable LINES is potentially purified with -1
|
||||
my_category: avoidable_false_positive
|
||||
watch.c:108: tainted_string_return_content: "getenv" returns tainted string content.
|
||||
watch.c:108: var_assign: Assigning: "s" = "getenv("LINES")", which taints "s".
|
||||
watch.c:113: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
|
||||
watch.c:113: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
|
||||
watch.c:114: var_assign_var: Assigning: "incoming_rows" = "(int)t". Both are now tainted.
|
||||
watch.c:115: var_assign_var: Assigning: "height" = "incoming_rows". Both are now tainted.
|
||||
watch.c:116: vararg_transitive: Call to "snprintf" with tainted argument "height" taints "env_row_buf".
|
||||
watch.c:117: tainted_string: Passing tainted string "env_row_buf" to a function that cannot accept tainted data.
|
||||
|
||||
|
||||
|
||||
proc/readproc ----------------------------------------------------------------
|
||||
Error: DEADCODE:
|
||||
the tool does not understand gperf and the pseudo case labels preceded by goto
|
||||
the following code snippets illustrate the deficiency:
|
||||
goto *(&&base + entry.offset);
|
||||
...
|
||||
case_Threads:
|
||||
Threads = strtol(S,&S,10);
|
||||
continue;
|
||||
my_category: avoidable_false_positive
|
||||
proc/readproc.c:387: dead_error_condition: On this path, the condition "Threads" cannot be true.
|
||||
proc/readproc.c:115: const: After this line, the value of "Threads" is equal to 0.
|
||||
proc/readproc.c:115: assignment: Assigning: "Threads" = "0L".
|
||||
proc/readproc.c:388: dead_error_begin: Execution cannot reach this statement "P->nlwp = Threads;".
|
||||
|
||||
Error: STRING_NULL:
|
||||
read is asked to retrieve -1 bytes than passed capacity: num_read = read(fd, ret, cap - 1);
|
||||
file2str does indeed null terminate sbuf: ret[num_read] = '\0';
|
||||
my_category: avoidable_false_positive
|
||||
proc/readproc.c:1193: string_null_argument: Function "file2str" does not terminate string "*sbuf".
|
||||
proc/readproc.c:514: string_null_argument: Function "read" fills array "*ret" with a non-terminated string.
|
||||
proc/readproc.c:1197: string_null: Passing unterminated string "sbuf" to a function expecting a null-terminated string.
|
||||
proc/readproc.c:447: string_null_sink_parm_call: Passing parameter "S" to "strchr" which expects a null-terminated string.
|
||||
|
||||
|
||||
|
||||
ps/output --------------------------------------------------------------------
|
||||
Error: MISSING_BREAK:
|
||||
intentional fall through
|
||||
my_category: possibly_filter_out_?
|
||||
ps/output.c:1983: unterminated_default: The default case is not terminated by a 'break' statement.
|
||||
ps/output.c:1984: fallthrough: The above case falls through to this one.
|
||||
|
||||
Error: UNINIT:
|
||||
the first member is initialized in the very next statement, sufficient for bsearch callback
|
||||
key.spec = findme;
|
||||
my_category: avoidable_false_positive
|
||||
ps/output.c:1737: var_decl: Declaring variable "key" without initializer.
|
||||
ps/output.c:1739: uninit_use_in_call: Using uninitialized value "key": field "key".flags is uninitialized when calling "bsearch".
|
||||
|
||||
Error: UNINIT:
|
||||
the first member is initialized in the very next statement, sufficient for bsearch callback
|
||||
key.spec = findme;
|
||||
my_category: avoidable_false_positive
|
||||
ps/output.c:1745: var_decl: Declaring variable "key" without initializer.
|
||||
ps/output.c:1747: uninit_use_in_call: Using uninitialized value "key": field "key".head is uninitialized when calling "bsearch".
|
||||
|
||||
|
||||
|
||||
ps/parser --------------------------------------------------------------------
|
||||
Error: RESOURCE_LEAK:
|
||||
intentional omission
|
||||
abexit shortly
|
||||
my_category: avoidable_false_positive
|
||||
ps/parser.c:1021: alloc_fn: Calling allocation function "malloc".
|
||||
ps/parser.c:1021: var_assign: Assigning: "pidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
|
||||
ps/parser.c:1041: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.
|
||||
ps/parser.c:1062: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.
|
||||
|
||||
Error: RESOURCE_LEAK:
|
||||
intentional omission
|
||||
abexit shortly
|
||||
my_category: avoidable_false_positive
|
||||
ps/parser.c:1025: alloc_fn: Calling allocation function "malloc".
|
||||
ps/parser.c:1025: var_assign: Assigning: "grpnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
|
||||
ps/parser.c:1041: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.
|
||||
ps/parser.c:1062: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.
|
||||
|
||||
Error: RESOURCE_LEAK:
|
||||
intentional omission
|
||||
abexit shortly
|
||||
my_category: avoidable_false_positive
|
||||
ps/parser.c:1029: alloc_fn: Calling allocation function "malloc".
|
||||
ps/parser.c:1029: var_assign: Assigning: "sidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
|
||||
ps/parser.c:1041: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.
|
||||
ps/parser.c:1062: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.
|
||||
|
||||
|
||||
|
||||
ps/sortformat ----------------------------------------------------------------
|
||||
Error: UNREACHABLE:
|
||||
the tool does not understand the following 'label' usage (nor do i - perhaps some obscure compiler/platform warning/quirk)
|
||||
goto unknown;
|
||||
...
|
||||
if(0) unknown: err=errbuf;
|
||||
my_category: unavoidable_false_positive_?
|
||||
ps/sortformat.c:312: unreachable: This code cannot be reached: "if (0){
|
||||
unknown:
|
||||
err = ...".
|
Loading…
Reference in New Issue
Block a user