From db6a427ecfb3d23cd8f43f151622b17e37e3e04c Mon Sep 17 00:00:00 2001 From: Sami Kerola Date: Wed, 19 Oct 2011 09:39:36 +0200 Subject: [PATCH] docs: add rh analysis #2 information to contrib Reference information. Signed-off-by: Sami Kerola --- Makefile.am | 5 +- contrib/response.filtered-with-patches.err | 312 +++++++++++++++++++++ 2 files changed, 313 insertions(+), 4 deletions(-) create mode 100644 contrib/response.filtered-with-patches.err diff --git a/Makefile.am b/Makefile.am index 25925b31..9ca3c53b 100644 --- a/Makefile.am +++ b/Makefile.am @@ -66,10 +66,7 @@ sysconf_DATA = sysctl.conf EXTRA_DIST = \ autogen.sh \ CodingStyle \ - contrib/dummy.c \ - contrib/minimal.c \ - contrib/tmp-junk.c \ - contrib/utmp.c \ + contrib/ \ COPYING.LIB \ $(sysconf_DATA) diff --git a/contrib/response.filtered-with-patches.err b/contrib/response.filtered-with-patches.err new file mode 100644 index 00000000..ae6cda01 --- /dev/null +++ b/contrib/response.filtered-with-patches.err 
@@ -0,0 +1,312 @@ +See http://www.freelists.org/post/procps/Scan-results,5 + + + based on: +filtered-with-patches.err + + these are the categories i've assigned: +defect_was_fixed + EVALUATION_ORDER + pmap + TAINTED_STRING + tload + +possibly_filter_out_? + MISSING_BREAK + slabtop + ps/output + +avoidable_false_positive + DEADCODE + proc/readproc + FORWARD_NULL + top + vmstat + RESOURCE_LEAK + ps/parser (3) + STRING_NULL + pwdx + proc/readproc + TAINTED_SCALAR + pgrep + slabtop + top (3) + TAINTED_STRING + watch (2) + TOCTOU + sysctl (2) + UNINIT + ps/output (2) + +unavoidable_false_positive_? + UNREACHABLE + ps/sortformat + +unavoidable_false_positive_but_patched_anyway + OVERRUN_STATIC + top (no defect, but i yield) + + + + pgrep ------------------------------------------------------------------------ +Error: TAINTED_SCALAR: + agree that argv might be tainted + but the (int)argv[1][1] index is being passed to isdigit() function (and glibc safely indexes into array sized at 384 bytes) + my_category: avoidable_false_positive (out of step with current glibc implementation) +pgrep.c:720: tainted_data: Passing tainted variable "argv" to a tainted sink. +pgrep.c:558: data_index: Using tainted variable "(int)argv[1][1]" as an index to pointer "*__ctype_b_loc()". + + + pmap ------------------------------------------------------------------------- +Error: EVALUATION_ORDER: + agree that there is a problem. + moreover, it deals with an undocumented command line argument (but sami has documentation addition pending) + a deference was added in line with intent, hopefully avoids this warning + my_category: defect_was_fixed +pmap.c:314: write_write_order: In "arg2 = (arg2 ? arg2++ : arg1)", "arg2" is written in "arg2" (the assignment left-hand side) and written in "arg2 ? arg2++ : arg1" but the order in which the side effects take place is undefined because there is no intervening sequence point. 
+ + + + pwdx ------------------------------------------------------------------------- +Error: STRING_NULL: + static buffer is initialized to 0 + it is +1 larger than size passed to readlink + was fixed in previous analysis + my_category: avoidable_false_positive +pwdx.c:86: string_null_argument: Function "readlink" does not terminate string "*buf". +pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string. +pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string. +pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string. +pwdx.c:92: string_null: Passing unterminated string "s" to "printf". + + + + slabtop ---------------------------------------------------------------------- +Error: MISSING_BREAK: + intentional fall through after setting return code + no change made + my_category: possibly_filter_out_? +slabtop.c:314: unterminated_case: This case (value 104) is not terminated by a 'break' statement. +slabtop.c:316: fallthrough: The above case falls through to this one. + +Error: TAINTED_SCALAR: + read limited to single byte signed 'char' + ultimately passed to toupper() function (and glibc safely indexes into array sized at 384 bytes) + my_category: avoidable_false_positive (out of step with current glibc implementation) +slabtop.c:387: tainted_data_argument: Calling function "read" taints argument "c". +slabtop.c:389: tainted_data: Passing tainted variable "c" to a tainted sink. +slabtop.c:233: data_index: Using tainted variable "(int)c" as an index to pointer "*__ctype_toupper_loc()". 
+ + + + sysctl ----------------------------------------------------------------------- +Error: TOCTOU: + the pathlength between these two events cannot be reduced further + instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2) + my_category: avoidable_false_positive +sysctl.c:149: fs_check_call: Calling function "stat" to perform check on "tmpname". +sysctl.c:168: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition. + +Error: TOCTOU: + the pathlength between these two events cannot be reduced further + instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2) + my_category: avoidable_false_positive +sysctl.c:327: fs_check_call: Calling function "stat" to perform check on "tmpname". +sysctl.c:345: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition. + + + + tload ------------------------------------------------------------------------ +Error: TAINTED_STRING: + altered perror call to provide an untainted string + my_category: defect_was_fixed +tload.c:89: tainted_string: Passing tainted string "argv[optind]" to a function that cannot accept tainted data. + + + + top -------------------------------------------------------------------------- +Error: FORWARD_NULL: + cpus cannot be NULL without fp also being NULL + the very next 'if (!fp)' ensures cpus will be allocated + my_category: avoidable_false_positive +top.c:1790: assign_zero: Assigning: "cpus" = 0. +top.c:1807: var_deref_op: Dereferencing null variable "cpus". 
+ +Error: OVERRUN_STATIC: + This "error" is centered around the following code: + f = w->pflgsall[i + w->begpflg]; + w->procflgs[i] = f; + #ifndef USE_X_COLHDR + if (P_MAXPFLGS < f) continue; + #endif + h = Fieldstab[f].head; + + The enum P_MAXPFLGS is strictly a fencepost and can *never* appear in the arrays pflgsall or procflgs. + Thus it (39th element) cannot be used in referencing Fieldstab. + However, two enums of higher value (X_XON=40 and X_XOF=41) *can* appear in those arrays. + But the test against the fencepost ensures that those two enums are *never* used in referencing Fieldstab. + + When the analyzer sees the conditional using '<' and not '<=' it reports a false positive. + + i'm tired of explaining this so the program was changed to accommodate the tool's deficiency + my_category: unavoidable_false_positive_but_patched_anyway +top.c:1417: overrun-local: Overrunning static array "Fieldstab", with 39 elements, at position 39 with index variable "f". + +Error: TAINTED_SCALAR: + the index is used subordinate to a case statement ensuring a value between '1' and '4' + my_category: avoidable_false_positive +top.c:2442: tainted_data_argument: Calling function "chin" taints argument "ch". +top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf". +top.c:2452: tainted_data: Using tainted variable "ch - 49" as an index into an array "Winstk". + +Error: TAINTED_SCALAR: + the index is used subordinate to as case statement ensuring a value between '1' and '4' + my_category: avoidable_false_positive +top.c:2719: tainted_data_argument: Calling function "chin" taints argument "ch". +top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf". +top.c:2720: tainted_data: Passing tainted variable "ch" to a tainted sink. +top.c:2452: data_index: Using tainted variable "ch - 49" as an index to array "Winstk". 
+ +Error: TAINTED_SCALAR: + buf tainted by chin is zero terminated + single char is ultimately passed to isprintf() function (and glibc safely indexes into array sized at 384 bytes) + my_category: avoidable_false_positive (out of step with current glibc implementation) +top.c:972: tainted_data_return: Function "keyin" returns tainted data. +top.c:912: tainted_data_argument: Function "chin" taints argument "buf". +top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf". +top.c:926: return_tainted_data: Returning tainted variable "buf[0]". +top.c:972: var_assign: Assigning: "key" = "keyin", which taints "key". +top.c:1001: tainted_data: Using tainted variable "(int)key" as an index to pointer "*__ctype_b_loc()". + + + + vmstat ----------------------------------------------------------------------- +Error: FORWARD_NULL: + partition made non-null with optarg for -p where statMode |= PARTITIONSTAT + if no optarg then program exits with usage + thus call to diskpartition_format will be with non-null pointer + my_category: avoidable_false_positive +vmstat.c:593: assign_zero: Assigning: "partition" = 0. +vmstat.c:669: var_deref_model: Passing null variable "partition" to function "diskpartition_format", which dereferences it. +vmstat.c:301: deref_parm_in_call: Function "strcmp" dereferences parameter "partition_name". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.) + + + + watch ------------------------------------------------------------------------ +Error: TAINTED_STRING: + even though the environment variable COLUMNS might begin tainted, from my analysis, the tool is totally mistaken + strtol actually untaints data in the form of 't' and 'endptr' then the environment variable COLUMNS is potentially purified with -1 + my_category: avoidable_false_positive +watch.c:95: tainted_string_return_content: "getenv" returns tainted string content. 
+watch.c:95: var_assign: Assigning: "s" = "getenv("COLUMNS")", which taints "s". +watch.c:100: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data. +watch.c:100: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t". +watch.c:101: var_assign_var: Assigning: "incoming_cols" = "(int)t". Both are now tainted. +watch.c:102: var_assign_var: Assigning: "width" = "incoming_cols". Both are now tainted. +watch.c:103: vararg_transitive: Call to "snprintf" with tainted argument "width" taints "env_col_buf". +watch.c:104: tainted_string: Passing tainted string "env_col_buf" to a function that cannot accept tainted data. + +Error: TAINTED_STRING: + even though the environment variable LINES might begin tainted, from my analysis, the tool is totally mistaken + strtol actually untaints data in the form of 't' and 'endptr' then the environment variable LINES is potentially purified with -1 + my_category: avoidable_false_positive +watch.c:108: tainted_string_return_content: "getenv" returns tainted string content. +watch.c:108: var_assign: Assigning: "s" = "getenv("LINES")", which taints "s". +watch.c:113: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data. +watch.c:113: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t". +watch.c:114: var_assign_var: Assigning: "incoming_rows" = "(int)t". Both are now tainted. +watch.c:115: var_assign_var: Assigning: "height" = "incoming_rows". Both are now tainted. +watch.c:116: vararg_transitive: Call to "snprintf" with tainted argument "height" taints "env_row_buf". +watch.c:117: tainted_string: Passing tainted string "env_row_buf" to a function that cannot accept tainted data. 
+ + + + proc/readproc ---------------------------------------------------------------- +Error: DEADCODE: + the tool does not understand gperf and the pseudo case labels preceded by goto + the following code snippets illustrate the deficiency: + goto *(&&base + entry.offset); + ... + case_Threads: + Threads = strtol(S,&S,10); + continue; + my_category: avoidable_false_positive +proc/readproc.c:387: dead_error_condition: On this path, the condition "Threads" cannot be true. +proc/readproc.c:115: const: After this line, the value of "Threads" is equal to 0. +proc/readproc.c:115: assignment: Assigning: "Threads" = "0L". +proc/readproc.c:388: dead_error_begin: Execution cannot reach this statement "P->nlwp = Threads;". + +Error: STRING_NULL: + read is asked to retrieve -1 bytes than passed capacity: num_read = read(fd, ret, cap - 1); + file2str does indeed null terminate sbuf: ret[num_read] = '\0'; + my_category: avoidable_false_positive +proc/readproc.c:1193: string_null_argument: Function "file2str" does not terminate string "*sbuf". +proc/readproc.c:514: string_null_argument: Function "read" fills array "*ret" with a non-terminated string. +proc/readproc.c:1197: string_null: Passing unterminated string "sbuf" to a function expecting a null-terminated string. +proc/readproc.c:447: string_null_sink_parm_call: Passing parameter "S" to "strchr" which expects a null-terminated string. + + + + ps/output -------------------------------------------------------------------- +Error: MISSING_BREAK: + intentional fall through + my_category: possibly_filter_out_? +ps/output.c:1983: unterminated_default: The default case is not terminated by a 'break' statement. +ps/output.c:1984: fallthrough: The above case falls through to this one. + +Error: UNINIT: + the first member is initialized in the very next statement, sufficient for bsearch callback + key.spec = findme; + my_category: avoidable_false_positive +ps/output.c:1737: var_decl: Declaring variable "key" without initializer. 
+ps/output.c:1739: uninit_use_in_call: Using uninitialized value "key": field "key".flags is uninitialized when calling "bsearch". + +Error: UNINIT: + the first member is initialized in the very next statement, sufficient for bsearch callback + key.spec = findme; + my_category: avoidable_false_positive +ps/output.c:1745: var_decl: Declaring variable "key" without initializer. +ps/output.c:1747: uninit_use_in_call: Using uninitialized value "key": field "key".head is uninitialized when calling "bsearch". + + + + ps/parser -------------------------------------------------------------------- +Error: RESOURCE_LEAK: + intentional omission + abexit shortly + my_category: avoidable_false_positive +ps/parser.c:1021: alloc_fn: Calling allocation function "malloc". +ps/parser.c:1021: var_assign: Assigning: "pidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)". +ps/parser.c:1041: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to. +ps/parser.c:1062: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK: + intentional omission + abexit shortly + my_category: avoidable_false_positive +ps/parser.c:1025: alloc_fn: Calling allocation function "malloc". +ps/parser.c:1025: var_assign: Assigning: "grpnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)". +ps/parser.c:1041: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to. +ps/parser.c:1062: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to. + +Error: RESOURCE_LEAK: + intentional omission + abexit shortly + my_category: avoidable_false_positive +ps/parser.c:1029: alloc_fn: Calling allocation function "malloc". +ps/parser.c:1029: var_assign: Assigning: "sidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)". +ps/parser.c:1041: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to. 
+ps/parser.c:1062: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to. + + + + ps/sortformat ---------------------------------------------------------------- +Error: UNREACHABLE: + the tool does not understand the following 'label' usage (nor do i - perhaps some obscure compiler/platform warning/quirk) + goto unknown; + ... + if(0) unknown: err=errbuf; + my_category: unavoidable_false_positive_? +ps/sortformat.c:312: unreachable: This code cannot be reached: "if (0){ + unknown: + err = ...".
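Review bot: in the Makefile.am hunk, replacing the four explicit contrib/*.c entries with the bare directory `contrib/` makes automake copy the whole directory tree into the distribution tarball at dist time, and automake does not filter what it finds there, so editor backups, object files or anything else a developer leaves in contrib/ will ship too. If the intent is only to distribute the new analysis file next to the existing sources, listing it explicitly keeps the tarball contents deterministic: add `contrib/response.filtered-with-patches.err \` alongside the existing `contrib/dummy.c \` .. `contrib/utmp.c \` lines instead of dropping them. If the directory form is deliberate, the commit message should say that contrib/ is now shipped wholesale.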
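Review bot: in the new contrib/response.filtered-with-patches.err hunk, the two sysctl TOCTOU entries (sysctl.c:149/168 and sysctl.c:327/345) are classed as avoidable false positives because the path length between the `stat` and the `fopen` cannot be shortened, but the size of the window is not what makes the race real; any gap at all lets the file behind `tmpname` be replaced between the check and the use. The standard fix is to remove the separate `stat`, `open()` the path once (with O_NOFOLLOW where a symlink should be rejected), `fstat()` the returned descriptor and then `fdopen()` it, so the check and the use refer to the same object; that also removes the finding without a suppression. Two smaller points in the same file: the ctype entries (pgrep.c:558, slabtop.c:233, top.c:1001) are right that current glibc tolerates negative `char` values, but the C standard only defines `isdigit()`, `toupper()` and friends for values representable as `unsigned char` plus EOF, so casting the argument to `(unsigned char)` is the portable fix and clears the warning; and the readproc STRING_NULL note quotes `num_read = read(fd, ret, cap - 1);` followed by `ret[num_read] = '\0';`, which only terminates the buffer if a negative `read` return is handled before the store, so the note should state whether that check is present.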