On Sun, Sep 09, 2018 at 10:38:50PM +0000, Dr. Matthias St. Pierre wrote:
> preliminary status report:
> 
> *** CID 1439138:  Integer handling issues  (NEGATIVE_RETURNS)
>       see https://github.com/openssl/openssl/pull/7156
>       
> *** CID 1439137:  Integer handling issues  (NEGATIVE_RETURNS)
>       work in progress...               

I think this one may be a false positive -- it's worried that EVP_MD_size()
will return -1, but we've essentially already validated that the md is
valid by the time we get there.  I didn't do a full check, though.

-Ben

> *** CID 1439136:  Resource leaks  (RESOURCE_LEAK)
>       see https://github.com/openssl/openssl/pull/7155
> 
> *** CID 1439135:  Memory - illegal accesses  (INCOMPATIBLE_CAST)
>       todo
> 
> *** CID 1423323:  Null pointer dereferences  (FORWARD_NULL)
>       see https://github.com/openssl/openssl/pull/7158
> 
> *** CID 1201571:  Error handling issues  (CHECKED_RETURN)
>       todo
> 
> if anybody wants to fix one of the CIDs marked 'todo', no problem. Just drop 
> a note on the openssl-project list.
> 
> Matthias
> 
> 
> > -----Urspr√ľngliche Nachricht-----
> > Von: openssl-project <openssl-project-boun...@openssl.org> Im Auftrag von 
> > Benjamin Kaduk
> > Gesendet: Sonntag, 9. September 2018 18:04
> > An: openssl-project@openssl.org
> > Betreff: [openssl-project] coverity defect release criteria (Fwd: New 
> > Defects reported by Coverity Scan for openssl/openssl)
> > 
> > I see that Matthias has opened pull requests for a couple of these already;
> > are you planning to work through the rest of them as well?
> > 
> > -Ben
> > 
> > On Sun, Sep 09, 2018 at 09:28:12AM +0000, scan-ad...@coverity.com wrote:
> > > Hi,
> > >
> > > Please find the latest report on new defect(s) introduced to 
> > > openssl/openssl found with Coverity Scan.
> > >
> > > 6 new defect(s) introduced to openssl/openssl found with Coverity Scan.
> > >
> > >
> > > New defect(s) Reported-by: Coverity Scan
> > > Showing 6 of 6 defect(s)
> > >
> > >
> > > ** CID 1439138:  Integer handling issues  (NEGATIVE_RETURNS)
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 1439138:  Integer handling issues  (NEGATIVE_RETURNS)
> > > /crypto/rsa/rsa_pss.c: 247 in RSA_padding_add_PKCS1_PSS_mgf1()
> > > 241         EM[emLen - 1] = 0xbc;
> > > 242
> > > 243         ret = 1;
> > > 244
> > > 245      err:
> > > 246         EVP_MD_CTX_free(ctx);
> > > >>>     CID 1439138:  Integer handling issues  (NEGATIVE_RETURNS)
> > > >>>     "sLen" is passed to a parameter that cannot be negative.
> > > 247         OPENSSL_clear_free(salt, sLen);
> > > 248
> > > 249         return ret;
> > > 250
> > > 251     }
> > > 252
> > > 253     #if defined(_MSC_VER)
> > > 254     # pragma optimize("",on)
> > >
> > > ** CID 1439137:  Integer handling issues  (NEGATIVE_RETURNS)
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 1439137:  Integer handling issues  (NEGATIVE_RETURNS)
> > > /crypto/sm2/sm2_pmeth.c: 277 in pkey_sm2_digest_custom()
> > > 271         }
> > > 272
> > > 273         /* get hashed prefix 'z' of tbs message */
> > > 274         if (!sm2_compute_z_digest(z, md, smctx->id, smctx->id_len, 
> > > ec))
> > > 275             return 0;
> > > 276
> > > >>>     CID 1439137:  Integer handling issues  (NEGATIVE_RETURNS)
> > > >>>     "EVP_MD_size(md)" is passed to a parameter that cannot be 
> > > >>> negative.
> > > 277         return EVP_DigestUpdate(mctx, z, EVP_MD_size(md));
> > > 278     }
> > > 279
> > > 280     const EVP_PKEY_METHOD sm2_pkey_meth = {
> > > 281         EVP_PKEY_SM2,
> > > 282         0,
> > >
> > > ** CID 1439136:  Resource leaks  (RESOURCE_LEAK)
> > > /test/dhtest.c: 202 in dh_test()
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 1439136:  Resource leaks  (RESOURCE_LEAK)
> > > /test/dhtest.c: 202 in dh_test()
> > > 196         BN_free(bp);
> > > 197         BN_free(bg);
> > > 198         BN_free(cpriv_key);
> > > 199         BN_GENCB_free(_cb);
> > > 200         DH_free(dh);
> > > 201
> > > >>>     CID 1439136:  Resource leaks  (RESOURCE_LEAK)
> > > >>>     Variable "priv_key" going out of scope leaks the storage it 
> > > >>> points to.
> > > 202         return ret;
> > > 203     }
> > > 204
> > > 205     static int cb(int p, int n, BN_GENCB *arg)
> > > 206     {
> > > 207         return 1;
> > >
> > > ** CID 1439135:  Memory - illegal accesses  (INCOMPATIBLE_CAST)
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 1439135:  Memory - illegal accesses  (INCOMPATIBLE_CAST)
> > > /apps/speed.c: 3105 in speed_main()
> > > 3099                 ERR_print_errors(bio_err);
> > > 3100                 rsa_count = 1;
> > > 3101             } else {
> > > 3102                 for (i = 0; i < loopargs_len; i++) {
> > > 3103                     /* Perform EdDSA signature test */
> > > 3104                     loopargs[i].siglen = 
> > > test_ed_curves[testnum].siglen;
> > > >>>     CID 1439135:  Memory - illegal accesses  (INCOMPATIBLE_CAST)
> > > >>>     Pointer "&loopargs[i].siglen" points to an object whose effective 
> > > >>> type is "unsigned int" (32 bits, unsigned) but is dereferenced as a
> > wider "unsigned long" (64 bits, unsigned).  This may lead to memory 
> > corruption.
> > > 3105                     st = 
> > > EVP_DigestSign(loopargs[i].eddsa_ctx[testnum],
> > > 3106                                         loopargs[i].buf2, (size_t 
> > > *)&loopargs[i].siglen,
> > > 3107                                         loopargs[i].buf, 20);
> > > 3108                     if (st == 0)
> > > 3109                         break;
> > > 3110                 }
> > >
> > > ** CID 1423323:  Null pointer dereferences  (FORWARD_NULL)
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 1423323:  Null pointer dereferences  (FORWARD_NULL)
> > > /test/evp_extra_test.c: 894 in test_EVP_PKEY_check()
> > > 888
> > > 889         if (!TEST_int_eq(EVP_PKEY_param_check(ctx), 
> > > expected_param_check))
> > > 890             goto done;
> > > 891
> > > 892         ctx2 = EVP_PKEY_CTX_new_id(0xdefaced, NULL);
> > > 893         /* assign the pkey directly, as an internal test */
> > > >>>     CID 1423323:  Null pointer dereferences  (FORWARD_NULL)
> > > >>>     Passing null pointer "pkey" to "EVP_PKEY_up_ref", which 
> > > >>> dereferences it.
> > > 894         EVP_PKEY_up_ref(pkey);
> > > 895         ctx2->pkey = pkey;
> > > 896
> > > 897         if (!TEST_int_eq(EVP_PKEY_check(ctx2), 0xbeef))
> > > 898             goto done;
> > > 899
> > >
> > > ** CID 1201571:  Error handling issues  (CHECKED_RETURN)
> > > /crypto/pkcs12/p12_init.c: 25 in PKCS12_init()
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 1201571:  Error handling issues  (CHECKED_RETURN)
> > > /crypto/pkcs12/p12_init.c: 25 in PKCS12_init()
> > > 19         PKCS12 *pkcs12;
> > > 20
> > > 21         if ((pkcs12 = PKCS12_new()) == NULL) {
> > > 22             PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
> > > 23             return NULL;
> > > 24         }
> > > >>>     CID 1201571:  Error handling issues  (CHECKED_RETURN)
> > > >>>     Calling "ASN1_INTEGER_set" without checking return value (as is 
> > > >>> done elsewhere 30 out of 37 times).
> > > 25         ASN1_INTEGER_set(pkcs12->version, 3);
> > > 26         pkcs12->authsafes->type = OBJ_nid2obj(mode);
> > > 27         switch (mode) {
> > > 28         case NID_pkcs7_data:
> > > 29             if ((pkcs12->authsafes->d.data = ASN1_OCTET_STRING_new()) 
> > > == NULL) {
> > > 30                 PKCS12err(PKCS12_F_PKCS12_INIT, ERR_R_MALLOC_FAILURE);
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > To view the defects in Coverity Scan visit, 
> > > https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-
> > 2BfV0V05UPxvVjWch-2Bd2MGckcRakUl6QyjujEohY7rPpoYUE4H-2Fm-2BeoDOl8jw7bf4Z78hw-3D-3D_bpOft2V4l9NXEcTx5CnNFJqpP-
> > 2F8a09dz6vsuNilvAJgBy9hWgnGhTAFGZnkvhcJuSQocoiCV36Dw66FwvViDOF-2BGQbzbMH8LM1tsnputryXt7SEgZZ-
> > 2FmpoWsuVr91UzOFBmmlL0bipzCjL7WfoT7QvLLnFuGxTjboshY44ftCBEhW8TAZR-2B1c1y7JdbYkdSXw-2B7Vmts-2F-
> > 2BitkvIjISgebBlgXuThX1DnzutpYSf00XD0-3D
> > >
> > >   To manage Coverity Scan email notifications for "kaduk-git...@mit.edu", 
> > > click
> > https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-
> > 2FA8y06Nq414hC6p-2BsqBEViFMJYotwSt4SYNeSzd6tPCdCHgDzpHIBW-2Fr0I0sQJCop-2Fx5Lu2ueYFxYqLmFh7APZbTTED-
> > 2B53KXZ2qVo0Y2q2bUC-2BpL2TzE-3D_bpOft2V4l9NXEcTx5CnNFJqpP-2F8a09dz6vsuNilvAJgBy9hWgnGhTAFGZnkvhcJu7xxYKPr1HkiPh-
> > 2BL3MaUbhQMZae3MPjv9c6bU6U4uhOZEhiS1P-2BwpukQ4-2BcSzk5FouA75ij0odEEgZcWTB05BKimz0wg0Y8JsC1Izz20-
> > 2FpfRp2kjWD47vvs4NmxuDPkNqvS3qoLRQ0vIXW8CFF339G-2B7jGolZ214Wxo3Gh6Hc0HY-3D
> > >
> > _______________________________________________
> > openssl-project mailing list
> > openssl-project@openssl.org
> > https://mta.openssl.org/mailman/listinfo/openssl-project
> _______________________________________________
> openssl-project mailing list
> openssl-project@openssl.org
> https://mta.openssl.org/mailman/listinfo/openssl-project
_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

Reply via email to