Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 19 Feb 2004 17:43:53 -0800 (PST)
From:      "Ted Unangst" <tedu@coverity.com>
To:        hackers@freebsd.org
Subject:   use after free bugs
Message-ID:  <19393.66.93.171.98.1077241433.spork@webmail.coverity.com>

next in thread | raw e-mail | index | archive | help
------=_20040219174353_68950
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Hi.  These are some bugs found by Coverity in a static analysis run on the
FreeBSD kernel.  All these are use after free bugs.


------=_20040219174353_68950
Content-Type: text/plain; name="report-free"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="report-free"



############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/my/if_my.c|1102|my_detach|ERROR|FREE|1101|1102| Using freed "sc", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

	bus_release_resource(dev, SYS_RES_IRQ, 0, sc->my_irq);
	bus_release_resource(dev, MY_RES, MY_RID, sc->my_res);
#if 0
	contigfree(sc->my_cdata.my_rx_buf, MY_RXBUFLEN + 32, M_DEVBUF);
#endif
Start --->
	free(sc, M_DEVBUF);
Error --->
	MY_UNLOCK(sc);
	splx(s);
	mtx_destroy(&sc->my_mtx);
	return (0);
}

---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/raidframe/rf_freebsdkintf.c|517|raidctlioctl|ERROR|FREE|516|517| Using freed "k_cfg", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

			}
			retcode = copyin(k_cfg->layoutSpecific,
			    (caddr_t) specific_buf,
			    k_cfg->layoutSpecificSize);
			if (retcode) {
Start --->
				RF_Free(k_cfg, sizeof(RF_Config_t));
Error --->
				RF_Free(specific_buf, 
					k_cfg->layoutSpecificSize);
				rf_printf(2, "raidctlioctl: retcode=%d "
					"copyin.2\n", retcode);
				return (retcode);
			}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netsmb/smb_rq.c|732|smb_t2_request_int|ERROR|FREE|730|732| Using freed "rqp", deallocated by call to "smb_rq_done". [START_RELAX0=filename|/home/tedu/sys/netsmb/smb_rq.c,fn|smb_rq_done,line1|147,line2|-1,argno|0]

		md_initm(mdp, mdp->md_top);
	}
bad:
	smb_iod_removerq(rqp);
freerq:
Start --->
	smb_rq_done(rqp);
	if (error) {
Error --->
		if (rqp->sr_flags & SMBR_RESTART)
			t2p->t2_flags |= SMBT2_RESTART;
		md_done(&t2p->t2_rparam);
		md_done(&t2p->t2_rdata);
	}
	return error;
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/ips/ips_commands.c|517|ips_ffdc_reset|ERROR|FREE|514|517| Using freed "status", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

	status = malloc(sizeof(ips_cmd_status_t), M_DEVBUF, M_NOWAIT|M_ZERO);
	if(!status)
		return ENOMEM;
	if(ips_get_free_cmd(sc, ips_send_ffdc_reset_cmd, status,
			    IPS_NOWAIT_FLAG)){
Start --->
		free(status, M_DEVBUF);
		device_printf(sc->dev, "ERROR: unable to get a command! can't send ffdc reset!\n");
	}
Error --->
	if(COMMAND_ERROR(status)){
		device_printf(sc->dev, "ERROR: ffdc reset command failed!\n");
	}
	free(status, M_DEVBUF);
	return 0;
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/mlx/mlx.c|440|mlx_attach|ERROR|FREE|437|440| Using freed "meo", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

	    device_printf(sc->mlx_dev, "ENQUIRY_OLD failed\n");
	    mlx_free(sc);
	    return(ENXIO);
	}
	sc->mlx_enq2->me_firmware_id = ('0' << 24) | (0 << 16) | (meo->me_fwminor << 8) | meo->me_fwmajor;
Start --->
	free(meo, M_DEVBUF);
	
	/* XXX require 2.42 or better (PCI) or 2.14 or better (EISA) */
Error --->
	if (meo->me_fwminor < 42) {
	    device_printf(sc->mlx_dev, " *** WARNING *** This firmware revision is not recommended\n");
	    device_printf(sc->mlx_dev, " *** WARNING *** Use revision 2.42 or later\n");
	}
	break;
    case MLX_IFTYPE_3:
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/nfsclient/nfs_vfsops.c|509|nfs_mountdiskless|ERROR|FREE|506|509| Double free of "nam", deallocated by call to "mountnfs". [START_RELAX0=filename|/home/tedu/sys/nfsclient/nfs_vfsops.c,fn|mountnfs,line1|849,line2|-1,argno|2] [END_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

	int error;

	mp->mnt_kern_flag = 0;
	mp->mnt_flag = mountflag;
	nam = dup_sockaddr((struct sockaddr *)sin, 1);
Start --->
	if ((error = mountnfs(args, mp, nam, which, path, vpp,
	    td->td_ucred)) != 0) {
		printf("nfs_mountroot: mount %s on %s: %d", path, which, error);
Error --->
		FREE(nam, M_SONAME);
		return (error);
	}
	(void) copystr(which, mp->mnt_stat.f_mntonname, MNAMELEN - 1, 0);
	return (0);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/ips/ips_commands.c|430|ips_flush_cache|ERROR|FREE|427|430| Using freed "status", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

	if(!status)
		return ENOMEM;
	device_printf(sc->dev, "flushing cache\n");
	if(ips_get_free_cmd(sc, ips_send_flush_cache_cmd, status, 
			    IPS_NOWAIT_FLAG)){
Start --->
		free(status, M_DEVBUF);
		device_printf(sc->dev, "ERROR: unable to get a command! can't flush cache!\n");
	}
Error --->
	if(COMMAND_ERROR(status)){
		device_printf(sc->dev, "ERROR: cache flush command failed!\n");
	}
	free(status, M_DEVBUF);
	return 0;
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/nfs4client/nfs4_idmap.c|388|idmap_uid_to_name|ERROR|FREE|384|388| Using freed "e", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

			return EFAULT;
		}

		if (idmap_add(e) != 0) {
			IDMAP_DEBUG("idmap_add failed\n");
Start --->
			FREE(e, M_IDMAP);
		}
	}

Error --->
	*name = e->id_info.id_name;
	*len = e->id_info.id_namelen;
	return 0;
}

int 
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/net/if_ef.c|541|ef_load|ERROR|FREE|545|541| Using freed "efl", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]

	}
	IFNET_RUNLOCK();
	if (error) {
		if (efl)
			SLIST_INSERT_HEAD(&efdev, efl, el_next);
Error --->
		SLIST_FOREACH(efl, &efdev, el_next) {
			for (d = 0; d < EF_NFT; d++)
				if (efl->el_units[d])
					free(efl->el_units[d], M_IFADDR);
Start --->
			free(efl, M_IFADDR);
		}
		return error;
	}
	SLIST_FOREACH(efl, &efdev, el_next) {
		for (d = 0; d < EF_NFT; d++) {
------=_20040219174353_68950--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19393.66.93.171.98.1077241433.spork>