[openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)
Matt Caswell
matt at openssl.org
Sun Sep 9 22:44:33 UTC 2018
On 09/09/18 19:31, Dr. Matthias St. Pierre wrote:
> I am currently occupied with other things, so I won't be able to look at it before later this evening or tomorrow.
>
> I also had a quick look at CID 1423323 (see below) but I was unable to see why 'pkey' would be a NULL pointer
> when passed to 'EVP_PKEY_up_ref'. So I'm not sure yet whether this is a false positive.

It's because Coverity doesn't know that "type" will only ever be 0, 1 or
2. If it wasn't one of those then pkey would be NULL.

BTW, note that there is an oddity in the way we have Coverity set up.
It's my understanding that we filter out defect reports in the tests and
only worry about issues found in the main code base. If you look in the
Coverity tool itself you will never see any issues in the test suite (at
least I've never figured out how to see them if they are there).
Nonetheless it still reports them in the emails it sends out.

As far as the release criteria go we only count the ones shown in the
Coverity tool. That's not to say we shouldn't fix issues in the tests as
well (and actually I'd suggest we stop filtering out problems in the
tests if anyone knows how to do that...perhaps Tim?).

Matt

>
> Matthias
>
>
>> -----Original Message-----
>> From: openssl-project <openssl-project-bounces at openssl.org> On Behalf Of Benjamin Kaduk
>> Sent: Sunday, 9 September 2018 18:04
>> To: openssl-project at openssl.org
>> Subject: [openssl-project] coverity defect release criteria (Fwd: New Defects reported by Coverity Scan for openssl/openssl)
>>
>> I see that Matthias has opened pull requests for a couple of these already;
>> are you planning to work through the rest of them as well?
>>
>> -Ben
>>
>> On Sun, Sep 09, 2018 at 09:28:12AM +0000, scan-admin at coverity.com wrote:
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to openssl/openssl found with Coverity Scan.
>>>
>>> 6 new defect(s) introduced to openssl/openssl found with Coverity Scan.
>>>
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 6 of 6 defect(s)
>>>
>>>
>>> ** CID 1439138: Integer handling issues (NEGATIVE_RETURNS)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 1439138: Integer handling issues (NEGATIVE_RETURNS)
>>> /crypto/rsa/rsa_pss.c: 247 in RSA_padding_add_PKCS1_PSS_mgf1()
>>> 241 EM[emLen - 1] = 0xbc;
>>> 242
>>> 243 ret = 1;
>>> 244
>>> 245 err:
>>> 246 EVP_MD_CTX_free(ctx);
>>>>>> CID 1439138: Integer handling issues (NEGATIVE_RETURNS)
>>>>>> "sLen" is passed to a parameter that cannot be negative.
>>> 247 OPENSSL_clear_free(salt, sLen);
>>> 248
>>> 249 return ret;
>>> 250
>>> 251 }
>>> 252
>>> 253 #if defined(_MSC_VER)
>>> 254 # pragma optimize("",on)
>>>
>>> ** CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
>>> /crypto/sm2/sm2_pmeth.c: 277 in pkey_sm2_digest_custom()
>>> 271 }
>>> 272
>>> 273 /* get hashed prefix 'z' of tbs message */
>>> 274 if (!sm2_compute_z_digest(z, md, smctx->id, smctx->id_len, ec))
>>> 275 return 0;
>>> 276
>>>>>> CID 1439137: Integer handling issues (NEGATIVE_RETURNS)
>>>>>> "EVP_MD_size(md)" is passed to a parameter that cannot be negative.
>>> 277 return EVP_DigestUpdate(mctx, z, EVP_MD_size(md));
>>> 278 }
>>> 279
>>> 280 const EVP_PKEY_METHOD sm2_pkey_meth = {
>>> 281 EVP_PKEY_SM2,
>>> 282 0,
>>>
>>> ** CID 1439136: Resource leaks (RESOURCE_LEAK)
>>> /test/dhtest.c: 202 in dh_test()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 1439136: Resource leaks (RESOURCE_LEAK)
>>> /test/dhtest.c: 202 in dh_test()
>>> 196 BN_free(bp);
>>> 197 BN_free(bg);
>>> 198 BN_free(cpriv_key);
>>> 199 BN_GENCB_free(_cb);
>>> 200 DH_free(dh);
>>> 201
>>>>>> CID 1439136: Resource leaks (RESOURCE_LEAK)
>>>>>> Variable "priv_key" going out of scope leaks the storage it points to.
>>> 202 return ret;
>>> 203 }
>>> 204
>>> 205 static int cb(int p, int n, BN_GENCB *arg)
>>> 206 {
>>> 207 return 1;
>>>
>>> ** CID 1439135: Memory - illegal accesses (INCOMPATIBLE_CAST)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 1439135: Memory - illegal accesses (INCOMPATIBLE_CAST)
>>> /apps/speed.c: 3105 in speed_main()
>>> 3099 ERR_print_errors(bio_err);
>>> 3100 rsa_count = 1;
>>> 3101 } else {
>>> 3102 for (i = 0; i < loopargs_len; i++) {
>>> 3103 /* Perform EdDSA signature test */
>>> 3104 loopargs[i].siglen = test_ed_curves[testnum].siglen;
>>>>>> CID 1439135: Memory - illegal accesses (INCOMPATIBLE_CAST)
>>>>>> Pointer "&loopargs[i].siglen" points to an object whose effective type is "unsigned int" (32 bits, unsigned) but is dereferenced as a wider "unsigned long" (64 bits, unsigned). This may lead to memory corruption.
>>> 3105 st = EVP_DigestSign(loopargs[i].eddsa_ctx[testnum],
>>> 3106 loopargs[i].buf2, (size_t *)&loopargs[i].siglen,
>>> 3107 loopargs[i].buf, 20);
>>> 3108 if (st == 0)
>>> 3109 break;
>>> 3110 }
>>>
>>> ** CID 1423323: Null pointer dereferences (FORWARD_NULL)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 1423323: Null pointer dereferences (FORWARD_NULL)
>>> /test/evp_extra_test.c: 894 in test_EVP_PKEY_check()
>>> 888
>>> 889 if (!TEST_int_eq(EVP_PKEY_param_check(ctx), expected_param_check))
>>> 890 goto done;
>>> 891
>>> 892 ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL);
>>> 893 /* assign the pkey directly, as an internal test */
>>>>>> CID 1423323: Null pointer dereferences (FORWARD_NULL)
>>>>>> Passing null pointer "pkey" to "EVP_PKEY_up_ref", which dereferences it.
>>> 894 EVP_PKEY_up_ref(pkey);
>>> 895 ctx2->pkey = pkey;
>>> 896
>>> 897 if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef))
>>> 898 goto done;
>>> 899
>>>
>>> ** CID 1201571: Error handling issues (CHECKED_RETURN)
>>> /crypto/pkcs12/p12_init.c: 25 in PKCS12_init()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 1201571: Error handling issues (CHECKED_RETURN)
>>> /crypto/pkcs12/p12_init.c: 25 in PKCS12_init()
>>> 19 PKCS12 *pkcs12;
>>> 20
>>> 21 if ((pkcs12 = PKCS12_new()) == NULL) {
>>> 22 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
>>> 23 return NULL;
>>> 24 }
>>>>>> CID 1201571: Error handling issues (CHECKED_RETURN)
>>>>>> Calling "ASN1_INTEGER_set" without checking return value (as is done elsewhere 30 out of 37 times).
>>> 25 ASN1_INTEGER_set(pkcs12->version, 3);
>>> 26 pkcs12->authsafes->type = OBJ_nid2obj(mode);
>>> 27 switch (mode) {
>>> 28 case NID_pkcs7_data:
>>> 29 if ((pkcs12->authsafes->d.data = ASN1_OCTET_STRING_new()) == NULL) {
>>> 30 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
>>>
>>>
>> _______________________________________________
>> openssl-project mailing list
>> openssl-project at openssl.org
>> https://mta.openssl.org/mailman/listinfo/openssl-project
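
The FORWARD_NULL report on CID 1423323 discussed in the reply above comes down to a pointer that is only assigned for three values of a selector. The following is an added example, not code from the OpenSSL test suite or from anyone in this thread; toy_key, load_key and the two use_key_* functions are hypothetical stand-ins that show the flagged shape next to a version where the 0/1/2 invariant is stated in the code.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical ref-counted key; a stand-in, not OpenSSL's EVP_PKEY. */
typedef struct { int refs; int kind; } toy_key;

static toy_key keys[3] = { {1, 0}, {1, 1}, {1, 2} };

/* Dereferences its argument unconditionally, like the flagged up_ref call. */
static int toy_key_up_ref(toy_key *k) { return ++k->refs; }

/* Only three values of 'type' assign 'k'; every other value leaves it NULL. */
static toy_key *load_key(int type)
{
    toy_key *k = NULL;

    switch (type) {
    case 0: k = &keys[0]; break;
    case 1: k = &keys[1]; break;
    case 2: k = &keys[2]; break;
    }
    return k;
}

/* Flagged shape: correct only while every caller passes 0, 1 or 2, which
 * the analyzer cannot prove, so it reports a NULL path into the deref. */
int use_key_unchecked(int type)
{
    toy_key *k = load_key(type);
    return toy_key_up_ref(k);
}

/* Same logic with the invariant written down: the NULL path now ends
 * in an error return before the dereference. */
int use_key_checked(int type)
{
    toy_key *k = load_key(type);
    if (k == NULL)
        return -1;
    return toy_key_up_ref(k);
}

int main(void)
{
    printf("type 1 -> %d, type 7 -> %d\n", use_key_checked(1), use_key_checked(7));
    return 0;
}
```
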