[openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Sun Sep 9 18:31:18 UTC 2018
I am currently occupied with other things, so I won't be able to look at it before later this evening or tomorrow.
I also had a quick look at CID 1423323 (see below) but I was unable to see why 'pkey' would be a NULL pointer
when passed to 'EVP_PKEY_up_ref'. So I'm not sure yet whether this is a false positive.
Matthias
> -----Ursprüngliche Nachricht-----
> Von: openssl-project <openssl-project-bounces at openssl.org> Im Auftrag von Benjamin Kaduk
> Gesendet: Sonntag, 9. September 2018 18:04
> An: openssl-project at openssl.org
> Betreff: [openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)
>
> I see that Matthias has opened pull requests for a couple of these already;
> are you planning to work through the rest of them as well?
>
> -Ben
>
> On Sun, Sep 09, 2018 at 09:28:12AM +0000, scan-admin at coverity.com wrote:
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to openssl/openssl found with Coverity Scan.
> >
> > 6 new defect(s) introduced to openssl/openssl found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 6 of 6 defect(s)
> >
> >
> > ** CID 1439138: Integer handling issues (NEGATIVE_RETURNS)
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1439138: Integer handling issues (NEGATIVE_RETURNS)
> > /crypto/rsa/rsa_pss.c: 247 in RSA_padding_add_PKCS1_PSS_mgf1()
> > 241 EM[emLen - 1] = 0xbc;
> > 242
> > 243 ret = 1;
> > 244
> > 245 err:
> > 246 EVP_MD_CTX_free(ctx);
> > >>> CID 1439138: Integer handling issues (NEGATIVE_RETURNS)
> > >>> "sLen" is passed to a parameter that cannot be negative.
> > 247 OPENSSL_clear_free(salt, sLen);
> > 248
> > 249 return ret;
> > 250
> > 251 }
> > 252
> > 253 #if defined(_MSC_VER)
> > 254 # pragma optimize("",on)
> >
> > ** CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
> > /crypto/sm2/sm2_pmeth.c: 277 in pkey_sm2_digest_custom()
> > 271 }
> > 272
> > 273 /* get hashed prefix 'z' of tbs message */
> > 274 if (!sm2_compute_z_digest(z, md, smctx->id, smctx->id_len, ec))
> > 275 return 0;
> > 276
> > >>> CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
> > >>> "EVP_MD_size(md)" is passed to a parameter that cannot be negative.
> > 277 return EVP_DigestUpdate(mctx, z, EVP_MD_size(md));
> > 278 }
> > 279
> > 280 const EVP_PKEY_METHOD sm2_pkey_meth = {
> > 281 EVP_PKEY_SM2,
> > 282 0,
> >
> > ** CID 1439136: Resource leaks (RESOURCE_LEAK)
> > /test/dhtest.c: 202 in dh_test()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1439136: Resource leaks (RESOURCE_LEAK)
> > /test/dhtest.c: 202 in dh_test()
> > 196 BN_free(bp);
> > 197 BN_free(bg);
> > 198 BN_free(cpriv_key);
> > 199 BN_GENCB_free(_cb);
> > 200 DH_free(dh);
> > 201
> > >>> CID 1439136: Resource leaks (RESOURCE_LEAK)
> > >>> Variable "priv_key" going out of scope leaks the storage it points to.
> > 202 return ret;
> > 203 }
> > 204
> > 205 static int cb(int p, int n, BN_GENCB *arg)
> > 206 {
> > 207 return 1;
> >
> > ** CID 1439135: Memory - illegal accesses (INCOMPATIBLE_CAST)
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1439135: Memory - illegal accesses (INCOMPATIBLE_CAST)
> > /apps/speed.c: 3105 in speed_main()
> > 3099 ERR_print_errors(bio_err);
> > 3100 rsa_count = 1;
> > 3101 } else {
> > 3102 for (i = 0; i < loopargs_len; i++) {
> > 3103 /* Perform EdDSA signature test */
> > 3104 loopargs[i].siglen = test_ed_curves[testnum].siglen;
> > >>> CID 1439135: Memory - illegal accesses (INCOMPATIBLE_CAST)
> > >>> Pointer "&loopargs[i].siglen" points to an object whose effective type is "unsigned int" (32 bits, unsigned) but is dereferenced as a
> wider "unsigned long" (64 bits, unsigned). This may lead to memory corruption.
> > 3105 st = EVP_DigestSign(loopargs[i].eddsa_ctx[testnum],
> > 3106 loopargs[i].buf2, (size_t *)&loopargs[i].siglen,
> > 3107 loopargs[i].buf, 20);
> > 3108 if (st == 0)
> > 3109 break;
> > 3110 }
> >
> > ** CID 1423323: Null pointer dereferences (FORWARD_NULL)
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1423323: Null pointer dereferences (FORWARD_NULL)
> > /test/evp_extra_test.c: 894 in test_EVP_PKEY_check()
> > 888
> > 889 if (!TEST_int_eq(EVP_PKEY_param_check(ctx), expected_param_check))
> > 890 goto done;
> > 891
> > 892 ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL);
> > 893 /* assign the pkey directly, as an internal test */
> > >>> CID 1423323: Null pointer dereferences (FORWARD_NULL)
> > >>> Passing null pointer "pkey" to "EVP_PKEY_up_ref", which dereferences it.
> > 894 EVP_PKEY_up_ref(pkey);
> > 895 ctx2->pkey = pkey;
> > 896
> > 897 if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef))
> > 898 goto done;
> > 899
> >
> > ** CID 1201571: Error handling issues (CHECKED_RETURN)
> > /crypto/pkcs12/p12_init.c: 25 in PKCS12_init()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 1201571: Error handling issues (CHECKED_RETURN)
> > /crypto/pkcs12/p12_init.c: 25 in PKCS12_init()
> > 19 PKCS12 *pkcs12;
> > 20
> > 21 if ((pkcs12 = PKCS12_new()) == NULL) {
> > 22 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
> > 23 return NULL;
> > 24 }
> > >>> CID 1201571: Error handling issues (CHECKED_RETURN)
> > >>> Calling "ASN1_INTEGER_set" without checking return value (as is done elsewhere 30 out of 37 times).
> > 25 ASN1_INTEGER_set(pkcs12->version, 3);
> > 26 pkcs12->authsafes->type = OBJ_nid2obj(mode);
> > 27 switch (mode) {
> > 28 case NID_pkcs7_data:
> > 29 if ((pkcs12->authsafes->d.data = ASN1_OCTET_STRING_new()) == NULL) {
> > 30 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
> >
> >
> > ________________________________________________________________________________________________________
> > To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-
> 2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUE4H-2Fm-2BeoDOl8jw7bf4Z78hw-3D-3D_bpOft2V4l9NXEcTx5CnNFJqpP-
> 2F8a09dz6vsuNilvAJgBy9hWgnGhTAFGZnkvhcJuSQocoiCV36Dw66FwvViDOF-2BGQbzbMH8LM1tsnputryXt7SEgZZ-
> 2FmpoWsuVr91UzOFBmmlL0bipzCjL7WfoT7QvLLnFuGxTjboshY44ftCBEhW8TAZR-2B1c1y7JdbYkdSXw-2B7Vmts-2F-
> 2BitkvIjISgebBlgXuThX1DnzutpYSf00XD0-3D
> >
> > To manage Coverity Scan email notifications for "kaduk-github at mit.edu", click
> https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-
> 2FA8y06Nq414hC6p-2BsqBEViFMJYotwSt4SYNeSzd6tPCdCHgDzpHIBW-2Fr0I0sQJCop-2Fx5Lu2ueYFxYqLmFh7APZbTTED-
> 2B53KXZ2qVo0Y2q2bUC-2BpL2TzE-3D_bpOft2V4l9NXEcTx5CnNFJqpP-2F8a09dz6vsuNilvAJgBy9hWgnGhTAFGZnkvhcJu7xxYKPr1HkiPh-
> 2BL3MaUbhQMZae3MPjv9c6bU6U4uhOZEhiS1P-2BwpukQ4-2BcSzk5FouA75ij0odEEgZcWTB05BKimz0wg0Y8JsC1Izz20-
> 2FpfRp2kjWD47vvs4NmxuDPkNqvS3qoLRQ0vIXW8CFF339G-2B7jGolZ214Wxo3Gh6Hc0HY-3D
> >
> _______________________________________________
> openssl-project mailing list
> openssl-project at openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
More information about the openssl-project
mailing list