#2926 assigned defect

Coverity Reports Multiple Out of Bounds Accesses in rtd-mdreloc-sparc.c

Reported by: Joel Sherrill Owned by: chrisj@…
Priority: normal Milestone:
Component: lib/dl Version:
Severity: normal Keywords: coverity
Cc: Blocked By:
Blocking:

Description (last modified by Joel Sherrill)

Coverity spots an out of bounds read in rtl-mdreloc-sparc.c. Given the comment at the top that it was "Taken from NetBSD and stripped of the relocations not needed on RTEMS", I am unsure how to correlate the code back to the original to see if the issue exists upstream. Also I do not know where in the NetBSD source this came from.

The first issue is: https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967451&mergedDefectId=1255330

The long analysis ends with:

226

CID 1255330 (#1 of 1): Out-of-bounds read (OVERRUN)

  1. overrun-local: Overrunning array reloc_target_bitmask of 24 4-byte elements at element index 45 (byte offset 180) using index type (which evaluates to 45).

227 mask = RELOC_VALUE_BITMASK (type);
228 value >>= RELOC_VALUE_RIGHTSHIFT (type);
229 value &= mask;

The others are:

https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967452&mergedDefectId=1255332
https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967450&mergedDefectId=1255342

Change History (8)

comment:1 Changed on 03/14/17 at 21:28:40 by Joel Sherrill

Description: modified (diff)
Summary: Out of Bounds Access in rtd-mdreloc-sparc.c → Coverity Reports Multiple Out of Bounds Accesses in rtd-mdreloc-sparc.c

comment:2 in reply to: description Changed on 03/14/17 at 23:15:59 by Chris Johns

Replying to Joel Sherrill:

Coverity spots an out of bounds read in rtl-mdreloc-sparc.c. Given the comment at the top that it was "Taken from NetBSD and stripped of the relocations not needed on RTEMS", I am unsure how to correlate the code back to the original to see if the issue exists upstream. Also I do not know where in the NetBSD source this came from.

The code was taken into RTEMS and working with the upstream is only as a reference. The code in NetBSD is under:

http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/?only_with_tag=MAIN

and the SPARC code is:

http://cvsweb.netbsd.org/bsdweb.cgi/src/libexec/ld.elf_so/arch/sparc/?only_with_tag=MAIN

The first issue is: https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967451&mergedDefectId=1255330

This link redirects me to a login page and my login for Coverity did not work. I had no idea it did not work and I never received anything from them saying it was being disabled.

Should we have links to login pages in open tickets like this?

The long analysis ends with:

226

CID 1255330 (#1 of 1): Out-of-bounds read (OVERRUN)

  1. overrun-local: Overrunning array reloc_target_bitmask of 24 4-byte elements at element index 45 (byte offset 180) using index type (which evaluates to 45).

Where does the 45 come from?

227 mask = RELOC_VALUE_BITMASK (type);
228 value >>= RELOC_VALUE_RIGHTSHIFT (type);
229 value &= mask;

The others are:

https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967452&mergedDefectId=1255332
https://scan5.coverity.com/reports.htm#v29808/p10069/fileInstanceId=109360252&defectInstanceId=30967450&mergedDefectId=1255342

Sorry I cannot see these.

comment:3 Changed on 03/15/17 at 14:56:54 by Gedare Bloom

These links don't work for me even if I am logged in, so they are of minimal utility. I had to use the CID number to pull up the report.

Joel did not paste enough of Coverity's history to understand the context. You have to go back a step to see:

  1. cond_between: Checking type > 45UL implies that type is between 1 and 45 (inclusive) on the false branch.

176 if (type > R_TYPE(6))
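The path Gedare describes is a lookup table guarded by the wrong bound: the check rejects types above the largest known relocation number (45), but the table it protects has only 24 entries, so every type from 24 to 45 passes the guard and reads past the end of the array. The following is an added example, not RTEMS or NetBSD code; the table contents, the `MAX_RELOC_TYPE` name and the function names are constructed for illustration, and only the shape (a 24-entry table guarded by a compare against 45) mirrors the report. It shows the weak guard beside the table-size guard, plus a check that a unit test or a `_Static_assert` can use to catch the mismatch when a table is trimmed.

```c
/* Added example (not RTEMS or NetBSD code): a range check against a
 * relocation-type constant does not protect a lookup table that has been
 * trimmed to fewer entries than that constant allows.  Values below are
 * constructed; only the 24-entry table and the compare against 45 follow
 * the shape of the Coverity finding. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stands in for R_TYPE(6), which the report shows evaluating to 45. */
#define MAX_RELOC_TYPE 45u

/* Constructed stand-in for reloc_target_bitmask: 24 entries, like the
 * stripped table Coverity reported on.  The bit patterns are arbitrary. */
static const uint32_t reloc_target_bitmask[24] = {
    0x00000000, 0xffffffff, 0xffffffff, 0xffffffff, 0x000000ff, 0x0000ffff,
    0xffffffff, 0x3fffffff, 0x003fffff, 0x00001fff, 0x000003ff, 0x000003ff,
    0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff,
    0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x003fffff, 0x000003ff,
};
#define RELOC_TABLE_LEN \
    (sizeof(reloc_target_bitmask) / sizeof(reloc_target_bitmask[0]))

/* Weak form: the guard is derived from the largest relocation type number
 * the code knows about, not from the table it indexes.  Types 24..45 pass
 * the guard; in the real code the table read that follows would overrun.
 * Here the read is skipped for those types so the example stays memory-safe,
 * but the function still reports them as accepted, which is the defect.
 * mask may be NULL when the caller only wants the accept/reject answer. */
bool lookup_mask_weak(unsigned type, uint32_t *mask)
{
    if (type > MAX_RELOC_TYPE)
        return false;               /* the only guard in the weak form */
    if (mask)
        *mask = (type < RELOC_TABLE_LEN) ? reloc_target_bitmask[type] : 0;
    return true;                    /* accepted even with no table entry */
}

/* Hardened form: bound the index by the table it is used against.  A type
 * the trimmed table does not describe is rejected as unsupported instead of
 * being looked up. */
bool lookup_mask_checked(unsigned type, uint32_t *mask)
{
    if (type >= RELOC_TABLE_LEN)
        return false;
    if (mask)
        *mask = reloc_target_bitmask[type];
    return true;
}

/* Does the table cover every type the guard admits?  In production code
 * this belongs in a _Static_assert next to the table so that trimming the
 * table without tightening the guard fails to compile. */
bool table_covers_guard(void)
{
    return RELOC_TABLE_LEN > MAX_RELOC_TYPE;
}

/* Number of type values the weak guard admits that have no table entry. */
unsigned count_unchecked_types(void)
{
    unsigned n = 0;
    for (unsigned t = 0; t <= MAX_RELOC_TYPE; t++)
        if (lookup_mask_weak(t, NULL) && !lookup_mask_checked(t, NULL))
            n++;
    return n;
}

int main(void)
{
    printf("type 30: weak guard accepts=%d, table-size guard accepts=%d\n",
           lookup_mask_weak(30, NULL), lookup_mask_checked(30, NULL));
    printf("table covers guard range: %d\n", table_covers_guard());
    printf("%u type values pass the weak guard without a table entry\n",
           count_unchecked_types());
    return 0;
}
```

With a 24-entry table and a guard at 45, `count_unchecked_types()` reports 22 admitted-but-unserved type values, which is exactly the gap Coverity's `cond_between` step exposes; the table-size guard closes it regardless of how many relocations were stripped from the upstream table.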

comment:4 Changed on 03/15/17 at 17:08:19 by Joel Sherrill

We will have to figure out how to make the links useful.

My hunch is that since the code is modified from the original that some logic from the original is missing which leads to the three issues spotted.

comment:5 Changed on 03/15/17 at 21:48:00 by Chris Johns

Thank you for looking into the Coverity links; having publicly viewable report data would be nice.

I will add the ticket to my list of things to look into.

The upstream code can contain functionality not needed on RTEMS and this affects the ability to handle the source as is. I used the NetBSD code as a base of what we need because it had suitable code and NetBSD has a wide range of architectures. Add to this, newer tool sets have presented us with newer reloc types and some differences. For example, this file was recently updated to handle the unwinding support, and here RTEMS and NetBSD build gcc differently, which affects the type of relocation records we see. I felt it was not worth the effort attempting to keep the code in sync with the upstream.

comment:6 Changed on 05/11/17 at 07:31:02 by Sebastian Huber

Milestone: 4.12 → 4.12.0

comment:7 Changed on 11/09/17 at 06:27:14 by Sebastian Huber

Milestone: 4.12.0 → 5.1

Milestone renamed

comment:8 Changed on 10/14/18 at 01:04:03 by Joel Sherrill

Keywords: coverity added
Milestone: 5.1
Version: 5