1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
|
See http://www.freelists.org/post/procps/Scan-results,5
based on:
filtered-with-patches.err
these are the categories i've assigned:
defect_was_fixed
EVALUATION_ORDER
pmap
TAINTED_STRING
tload
possibly_filter_out_?
MISSING_BREAK
slabtop
ps/output
avoidable_false_positive
DEADCODE
proc/readproc
FORWARD_NULL
top
vmstat
RESOURCE_LEAK
ps/parser (3)
STRING_NULL
pwdx
proc/readproc
TAINTED_SCALAR
pgrep
slabtop
top (3)
TAINTED_STRING
watch (2)
TOCTOU
sysctl (2)
UNINIT
ps/output (2)
unavoidable_false_positive_?
UNREACHABLE
ps/sortformat
unavoidable_false_positive_but_patched_anyway
OVERRUN_STATIC
top (no defect, but i yield)
pgrep ------------------------------------------------------------------------
Error: TAINTED_SCALAR:
agree that argv might be tainted
but the (int)argv[1][1] index is being passed to isdigit() function (and glibc safely indexes into array sized at 384 bytes)
my_category: avoidable_false_positive (out of step with current glibc implementation)
pgrep.c:720: tainted_data: Passing tainted variable "argv" to a tainted sink.
pgrep.c:558: data_index: Using tainted variable "(int)argv[1][1]" as an index to pointer "*__ctype_b_loc()".
pmap -------------------------------------------------------------------------
Error: EVALUATION_ORDER:
agree that there is a problem.
moreover, it deals with an undocumented command line argument (but sami has documentation addition pending)
the logic was altered in line with intent, hopefully avoids this warning
my_category: defect_was_fixed
pmap.c:314: write_write_order: In "arg2 = (arg2 ? arg2++ : arg1)", "arg2" is written in "arg2" (the assignment left-hand side) and written in "arg2 ? arg2++ : arg1" but the order in which the side effects take place is undefined because there is no intervening sequence point.
pwdx -------------------------------------------------------------------------
Error: STRING_NULL:
static buffer is initialized to 0
it is +1 larger than size passed to readlink
was fixed in previous analysis
my_category: avoidable_false_positive
pwdx.c:86: string_null_argument: Function "readlink" does not terminate string "*buf".
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:73: var_assign_var: Assigning: "s" = "buf". Both now point to the same unterminated string.
pwdx.c:92: string_null: Passing unterminated string "s" to "printf".
slabtop ----------------------------------------------------------------------
Error: MISSING_BREAK:
intentional fall through after setting return code
no change made
my_category: possibly_filter_out_?
slabtop.c:314: unterminated_case: This case (value 104) is not terminated by a 'break' statement.
slabtop.c:316: fallthrough: The above case falls through to this one.
Error: TAINTED_SCALAR:
read limited to single byte signed 'char'
ultimately passed to toupper() function (and glibc safely indexes into array sized at 384 bytes)
my_category: avoidable_false_positive (out of step with current glibc implementation)
slabtop.c:387: tainted_data_argument: Calling function "read" taints argument "c".
slabtop.c:389: tainted_data: Passing tainted variable "c" to a tainted sink.
slabtop.c:233: data_index: Using tainted variable "(int)c" as an index to pointer "*__ctype_toupper_loc()".
sysctl -----------------------------------------------------------------------
Error: TOCTOU:
the pathlength between these two events cannot be reduced further
instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
my_category: avoidable_false_positive
sysctl.c:149: fs_check_call: Calling function "stat" to perform check on "tmpname".
sysctl.c:168: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.
Error: TOCTOU:
the pathlength between these two events cannot be reduced further
instead of assessing intervening lines of code, perhaps tool should assess 'if' statements (2)
my_category: avoidable_false_positive
sysctl.c:327: fs_check_call: Calling function "stat" to perform check on "tmpname".
sysctl.c:345: toctou: Calling function "fopen" that uses "tmpname" after a check function. This can cause a time-of-check, time-of-use race condition.
tload ------------------------------------------------------------------------
Error: TAINTED_STRING:
altered perror call to provide an untainted string
my_category: defect_was_fixed
tload.c:89: tainted_string: Passing tainted string "argv[optind]" to a function that cannot accept tainted data.
top --------------------------------------------------------------------------
Error: FORWARD_NULL:
cpus cannot be NULL without fp also being NULL
the very next 'if (!fp)' ensures cpus will be allocated
my_category: avoidable_false_positive
top.c:1790: assign_zero: Assigning: "cpus" = 0.
top.c:1807: var_deref_op: Dereferencing null variable "cpus".
Error: OVERRUN_STATIC:
This "error" is centered around the following code:
f = w->pflgsall[i + w->begpflg];
w->procflgs[i] = f;
#ifndef USE_X_COLHDR
if (P_MAXPFLGS < f) continue;
#endif
h = Fieldstab[f].head;
The enum P_MAXPFLGS is strictly a fencepost and can *never* appear in the arrays pflgsall or procflgs.
Thus it (39th element) cannot be used in referencing Fieldstab.
However, two enums of higher value (X_XON=40 and X_XOF=41) *can* appear in those arrays.
But the test against the fencepost ensures that those two enums are *never* used in referencing Fieldstab.
When the analyzer sees the conditional using '<' and not '<=' it reports a false positive.
i'm tired of explaining this so the program was changed to accommodate the tool's deficiency
my_category: unavoidable_false_positive_but_patched_anyway
top.c:1417: overrun-local: Overrunning static array "Fieldstab", with 39 elements, at position 39 with index variable "f".
Error: TAINTED_SCALAR:
the index is used subordinate to a case statement ensuring a value between '1' and '4'
my_category: avoidable_false_positive
top.c:2442: tainted_data_argument: Calling function "chin" taints argument "ch".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:2452: tainted_data: Using tainted variable "ch - 49" as an index into an array "Winstk".
Error: TAINTED_SCALAR:
the index is used subordinate to as case statement ensuring a value between '1' and '4'
my_category: avoidable_false_positive
top.c:2719: tainted_data_argument: Calling function "chin" taints argument "ch".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:2720: tainted_data: Passing tainted variable "ch" to a tainted sink.
top.c:2452: data_index: Using tainted variable "ch - 49" as an index to array "Winstk".
Error: TAINTED_SCALAR:
buf tainted by chin is zero terminated
single char is ultimately passed to isprintf() function (and glibc safely indexes into array sized at 384 bytes)
my_category: avoidable_false_positive (out of step with current glibc implementation)
top.c:972: tainted_data_return: Function "keyin" returns tainted data.
top.c:912: tainted_data_argument: Function "chin" taints argument "buf".
top.c:848: tainted_data_argument: Calling function "read" taints parameter "*buf".
top.c:926: return_tainted_data: Returning tainted variable "buf[0]".
top.c:972: var_assign: Assigning: "key" = "keyin", which taints "key".
top.c:1001: tainted_data: Using tainted variable "(int)key" as an index to pointer "*__ctype_b_loc()".
vmstat -----------------------------------------------------------------------
Error: FORWARD_NULL:
partition made non-null with optarg for -p where statMode |= PARTITIONSTAT
if no optarg then program exits with usage
thus call to diskpartition_format will be with non-null pointer
my_category: avoidable_false_positive
vmstat.c:593: assign_zero: Assigning: "partition" = 0.
vmstat.c:669: var_deref_model: Passing null variable "partition" to function "diskpartition_format", which dereferences it.
vmstat.c:301: deref_parm_in_call: Function "strcmp" dereferences parameter "partition_name". (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)
watch ------------------------------------------------------------------------
Error: TAINTED_STRING:
even though the environment variable COLUMNS might begin tainted, from my analysis, the tool is totally mistaken
strtol actually untaints data in the form of 't' and 'endptr' then the environment variable COLUMNS is potentially purified with -1
my_category: avoidable_false_positive
watch.c:95: tainted_string_return_content: "getenv" returns tainted string content.
watch.c:95: var_assign: Assigning: "s" = "getenv("COLUMNS")", which taints "s".
watch.c:100: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
watch.c:100: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
watch.c:101: var_assign_var: Assigning: "incoming_cols" = "(int)t". Both are now tainted.
watch.c:102: var_assign_var: Assigning: "width" = "incoming_cols". Both are now tainted.
watch.c:103: vararg_transitive: Call to "snprintf" with tainted argument "width" taints "env_col_buf".
watch.c:104: tainted_string: Passing tainted string "env_col_buf" to a function that cannot accept tainted data.
Error: TAINTED_STRING:
even though the environment variable LINES might begin tainted, from my analysis, the tool is totally mistaken
strtol actually untaints data in the form of 't' and 'endptr' then the environment variable LINES is potentially purified with -1
my_category: avoidable_false_positive
watch.c:108: tainted_string_return_content: "getenv" returns tainted string content.
watch.c:108: var_assign: Assigning: "s" = "getenv("LINES")", which taints "s".
watch.c:113: tainted_data_transitive: Call to function "strtol" with tainted argument "s" returns tainted data.
watch.c:113: var_assign: Assigning: "t" = "strtol(s, &endptr, 0)", which taints "t".
watch.c:114: var_assign_var: Assigning: "incoming_rows" = "(int)t". Both are now tainted.
watch.c:115: var_assign_var: Assigning: "height" = "incoming_rows". Both are now tainted.
watch.c:116: vararg_transitive: Call to "snprintf" with tainted argument "height" taints "env_row_buf".
watch.c:117: tainted_string: Passing tainted string "env_row_buf" to a function that cannot accept tainted data.
proc/readproc ----------------------------------------------------------------
Error: DEADCODE:
the tool does not understand gperf and the pseudo case labels preceded by goto
the following code snippets illustrate the deficiency:
goto *(&&base + entry.offset);
...
case_Threads:
Threads = strtol(S,&S,10);
continue;
my_category: avoidable_false_positive
proc/readproc.c:387: dead_error_condition: On this path, the condition "Threads" cannot be true.
proc/readproc.c:115: const: After this line, the value of "Threads" is equal to 0.
proc/readproc.c:115: assignment: Assigning: "Threads" = "0L".
proc/readproc.c:388: dead_error_begin: Execution cannot reach this statement "P->nlwp = Threads;".
Error: STRING_NULL:
read is asked to retrieve -1 bytes than passed capacity: num_read = read(fd, ret, cap - 1);
file2str does indeed null terminate sbuf: ret[num_read] = '\0';
my_category: avoidable_false_positive
proc/readproc.c:1193: string_null_argument: Function "file2str" does not terminate string "*sbuf".
proc/readproc.c:514: string_null_argument: Function "read" fills array "*ret" with a non-terminated string.
proc/readproc.c:1197: string_null: Passing unterminated string "sbuf" to a function expecting a null-terminated string.
proc/readproc.c:447: string_null_sink_parm_call: Passing parameter "S" to "strchr" which expects a null-terminated string.
ps/output --------------------------------------------------------------------
Error: MISSING_BREAK:
intentional fall through
my_category: possibly_filter_out_?
ps/output.c:1983: unterminated_default: The default case is not terminated by a 'break' statement.
ps/output.c:1984: fallthrough: The above case falls through to this one.
Error: UNINIT:
the first member is initialized in the very next statement, sufficient for bsearch callback
key.spec = findme;
my_category: avoidable_false_positive
ps/output.c:1737: var_decl: Declaring variable "key" without initializer.
ps/output.c:1739: uninit_use_in_call: Using uninitialized value "key": field "key".flags is uninitialized when calling "bsearch".
Error: UNINIT:
the first member is initialized in the very next statement, sufficient for bsearch callback
key.spec = findme;
my_category: avoidable_false_positive
ps/output.c:1745: var_decl: Declaring variable "key" without initializer.
ps/output.c:1747: uninit_use_in_call: Using uninitialized value "key": field "key".head is uninitialized when calling "bsearch".
ps/parser --------------------------------------------------------------------
Error: RESOURCE_LEAK:
intentional omission
abexit shortly
my_category: avoidable_false_positive
ps/parser.c:1021: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1021: var_assign: Assigning: "pidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "pidnode" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK:
intentional omission
abexit shortly
my_category: avoidable_false_positive
ps/parser.c:1025: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1025: var_assign: Assigning: "grpnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "grpnode" going out of scope leaks the storage it points to.
Error: RESOURCE_LEAK:
intentional omission
abexit shortly
my_category: avoidable_false_positive
ps/parser.c:1029: alloc_fn: Calling allocation function "malloc".
ps/parser.c:1029: var_assign: Assigning: "sidnode" = storage returned from "malloc(sizeof (selection_node) /*24*/)".
ps/parser.c:1041: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.
ps/parser.c:1062: leaked_storage: Variable "sidnode" going out of scope leaks the storage it points to.
ps/sortformat ----------------------------------------------------------------
Error: UNREACHABLE:
the tool does not understand the following 'label' usage (nor do i - perhaps some obscure compiler/platform warning/quirk)
goto unknown;
...
if(0) unknown: err=errbuf;
my_category: unavoidable_false_positive_?
ps/sortformat.c:312: unreachable: This code cannot be reached: "if (0){
unknown:
err = ...".
|
