#2926 assigned defect

Coverity Reports Multiple Out of Bounds Accesses in rtd-mdreloc-sparc.c

Reported by: Joel Sherrill Owned by: chrisj@…
Priority: normal Milestone:
Component: lib/dl Version:
Severity: normal Keywords: coverity
Cc: Blocked By:
Blocking:

Description (last modified by Joel Sherrill)

Coverity spots an out of bounds read in rtl-mdreloc-sparc.c. Given the comment at the top that it was "Taken from NetBSD and stripped of the relocations not needed on RTEMS", I am unsure how to correlate the code back to the original to see if the issue exists upstream. Also I do not know where in the NetBSD source this came from.

The first issue is: https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967451&mergedDefectId=1255330

The long analysis ends with:

226

CID 1255330 (#1 of 1): Out-of-bounds read (OVERRUN)

  1. overrun-local: Overrunning array reloc_target_bitmask of 24 4-byte elements at element index 45 (byte offset 180) using index type (which evaluates to 45).

227 mask = RELOC_VALUE_BITMASK (type);
228 value >>= RELOC_VALUE_RIGHTSHIFT (type);
229 value &= mask;

The others are:

https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967452&mergedDefectId=1255332
https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967450&mergedDefectId=1255342

Change History (8)

comment:1 Changed on Mar 14, 2017 at 9:28:40 PM by Joel Sherrill

Description: modified (diff)
Summary: Out of Bounds Access in rtd-mdreloc-sparc.cCoverity Reports Multiple Out of Bounds Accesses in rtd-mdreloc-sparc.c

comment:2 in reply to:  description Changed on Mar 14, 2017 at 11:15:59 PM by Chris Johns

Replying to Joel Sherrill:

Coverity spots an out of bounds read in rtl-mdreloc-sparc.c. Given the comment at the top that it was "Taken from NetBSD and stripped of the relocations not needed on RTEMS", I am unsure how to correlate the code back to the original to see if the issue exists upstream. Also I do not know where in the NetBSD source this came from.

The code was taken into RTEMS and working with the upstream is only as a reference. The code in NetBSD is under:

http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/?only_with_tag=MAIN

and the SPARC code is:

http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/arch/sparc/?only_with_tag=MAIN

The first issue is: https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967451&mergedDefectId=1255330

This link is redirects me to a login page and my login for Coverity did not work. I had no idea it did not work and I never received anything from them it was being disabled.

Should we have links to login pages in open tickets like this?

The long analysis ends with:

226

CID 1255330 (#1 of 1): Out-of-bounds read (OVERRUN)

  1. overrun-local: Overrunning array reloc_target_bitmask of 24 4-byte elements at element index 45 (byte offset 180) using index type (which evaluates to 45).

Where does the 45 come from?

227 mask = RELOC_VALUE_BITMASK (type);
228 value >>= RELOC_VALUE_RIGHTSHIFT (type);
229 value &= mask;

The others are:

https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967452&mergedDefectId=1255332
https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967450&mergedDefectId=1255342

Sorry I cannot see these.

comment:3 Changed on Mar 15, 2017 at 2:56:54 PM by Gedare Bloom

These links don't work for me even if I am logged in, so they are of minimal utility. I had to use the CID number to pull up the report.

Joel did not paste enough of Coverity's history to understand the context. You have to go back a step to see:

  1. cond_between: Checking type > 45UL implies that type is between 1 and 45 (inclusive) on the false branch.

176 if (type > R_TYPE(6))

comment:4 Changed on Mar 15, 2017 at 5:08:19 PM by Joel Sherrill

We will have to figure out how to make the links useful.

My hunch is that since the code is modified from the original that some logic from the original is missing which leads to the three issues spotted.

comment:5 Changed on Mar 15, 2017 at 9:48:00 PM by Chris Johns

Thank you for looking into the coverity links, having public view-able report data would be nice.

I will add the ticket to my list of things to look into.

The upstream code can contain functionality not needed on RTEMS and this effects the ability to handle the source as is. I used the NetBSD code as a base of what we need because it had suitable code and NetBSD has a wide range of architectures. Add to this newer tool sets have presented us with newer reloc types and some differences. For example this file was recently updated to handle the unwinding support and here RTEMS and NetBSD build gcc differently which effects the type of relocation records we see. I felt it was not worth the effort attempting to keep the code in sync with the upstream.

comment:6 Changed on May 11, 2017 at 7:31:02 AM by Sebastian Huber

Milestone: 4.124.12.0

comment:7 Changed on Nov 9, 2017 at 6:27:14 AM by Sebastian Huber

Milestone: 4.12.05.1

Milestone renamed

comment:8 Changed on Oct 14, 2018 at 1:04:03 AM by Joel Sherrill

Keywords: coverity added
Milestone: 5.1
Version: 5
Note: See TracTickets for help on using tickets.