Hi, Please find the latest report on new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan. 374 new defect(s) introduced to NetBSD-amd64-kernel found with Coverity Scan. 635 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 374 defect(s) ** CID 1597793: High impact quality (Y2K38_SAFETY) /sys/kern/kern_heartbeat.c: 648 in heartbeat() ________________________________________________________________________________________________________ *** CID 1597793: High impact quality (Y2K38_SAFETY) /sys/kern/kern_heartbeat.c: 648 in heartbeat() 642 /* 643 * If the uptime hasn't changed, make sure that we haven't 644 * counted too many of our own heartbeats since the uptime last 645 * changed, and stop here -- we only do the cross-CPU work once 646 * per second. 647 */ >>> CID 1597793: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "getuptime()" is cast to "unsigned int". 648 uptime = time_uptime; 649 cache = atomic_load_relaxed(&curcpu()->ci_heartbeat_uptime_cache); 650 if (__predict_true(cache == uptime)) { 651 /* 652 * Timecounter hasn't advanced by more than a second. 653 * Make sure the timecounter isn't stuck according to ** CID 1597792: (USER_POINTER) ________________________________________________________________________________________________________ *** CID 1597792: (USER_POINTER) /sys/kern/kern_proc.c: 2532 in copy_procargs() 2526 size_t xlen; 2527 int j; 2528 2529 if (loaded == 0) { 2530 size_t rem = entry_len * argvlen; 2531 loaded = MIN(rem, PAGE_SIZE); >>> CID 1597792: (USER_POINTER) >>> Passing tainted pointer "(void const *)user_argv" to "copyin_vmspace" which derefences it. 2532 error = copyin_vmspace(vmspace, 2533 (const void *)user_argv, argv, loaded); 2534 if (error) 2535 break; 2536 user_argv += loaded; 2537 i = 0; /sys/kern/kern_proc.c: 2532 in copy_procargs() 2526 size_t xlen; 2527 int j; 2528 2529 if (loaded == 0) { 2530 size_t rem = entry_len * argvlen; 2531 loaded = MIN(rem, PAGE_SIZE); >>> CID 1597792: (USER_POINTER) >>> Passing tainted pointer "(void const *)user_argv" to "copyin_vmspace" which derefences it. 2532 error = copyin_vmspace(vmspace, 2533 (const void *)user_argv, argv, loaded); 2534 if (error) 2535 break; 2536 user_argv += loaded; 2537 i = 0; ** CID 1597791: High impact quality (Y2K38_SAFETY) /sys/nfs/nfs_socket.c: 633 in nfs_rephead() ________________________________________________________________________________________________________ *** CID 1597791: High impact quality (Y2K38_SAFETY) /sys/nfs/nfs_socket.c: 633 in nfs_rephead() 627 #else 628 (void)ktvin.tv_sec; 629 #endif 630 631 *tl++ = rpc_auth_kerb; 632 *tl++ = txdr_unsigned(3 * NFSX_UNSIGNED); >>> CID 1597791: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ktvout.tv_sec" is cast to "u_int32_t". 633 *tl = ktvout.tv_sec; 634 nfsm_build(tl, u_int32_t *, 3 * NFSX_UNSIGNED); 635 *tl++ = ktvout.tv_usec; 636 *tl++ = txdr_unsigned( 637 kauth_cred_geteuid(nuidp->nu_cr)); 638 } else { ** CID 1597790: Memory - illegal accesses (OVERRUN) /sys/external/bsd/drm2/dist/drm/i915/i915_vma.h: 111 in i915_vma_unset_userfault() ________________________________________________________________________________________________________ *** CID 1597790: Memory - illegal accesses (OVERRUN) /sys/external/bsd/drm2/dist/drm/i915/i915_vma.h: 111 in i915_vma_unset_userfault() 105 GEM_BUG_ON(!i915_vma_is_map_and_fenceable(vma)); 106 return test_and_set_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags(vma)); 107 } 108 109 static inline void i915_vma_unset_userfault(struct i915_vma *vma) 110 { >>> CID 1597790: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(unsigned long *)&vma->flags". [Note: The source code implementation of the function has been overridden by a builtin model.] 111 return clear_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags(vma)); 112 } 113 114 static inline bool i915_vma_has_userfault(const struct i915_vma *vma) 115 { 116 return test_bit(I915_VMA_USERFAULT_BIT, __i915_vma_flags_const(vma)); ** CID 1597789: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1597789: (TAINTED_SCALAR) /sys/external/bsd/drm2/dist/drm/drm_dp_mst_topology.c: 4103 in drm_dp_mst_get_edid() 4097 4098 if (port->cached_edid) 4099 edid = drm_edid_duplicate(port->cached_edid); 4100 else { 4101 edid = drm_get_edid(connector, &port->aux.ddc); 4102 } >>> CID 1597789: (TAINTED_SCALAR) >>> Passing tainted expression "edid->extensions" to "drm_detect_monitor_audio", which uses it as a loop boundary. 4103 port->has_audio = drm_detect_monitor_audio(edid); 4104 drm_dp_mst_topology_put_port(port); 4105 return edid; 4106 } 4107 EXPORT_SYMBOL(drm_dp_mst_get_edid); 4108 /sys/external/bsd/drm2/dist/drm/drm_dp_mst_topology.c: 4103 in drm_dp_mst_get_edid() 4097 4098 if (port->cached_edid) 4099 edid = drm_edid_duplicate(port->cached_edid); 4100 else { 4101 edid = drm_get_edid(connector, &port->aux.ddc); 4102 } >>> CID 1597789: (TAINTED_SCALAR) >>> Passing tainted expression "edid->extensions" to "drm_detect_monitor_audio", which uses it as a loop boundary. 4103 port->has_audio = drm_detect_monitor_audio(edid); 4104 drm_dp_mst_topology_put_port(port); 4105 return edid; 4106 } 4107 EXPORT_SYMBOL(drm_dp_mst_get_edid); 4108 ** CID 1597788: Error handling issues (CHECKED_RETURN) /sys/dev/usb/if_smsc.c: 302 in smsc_uno_miibus_readreg() ________________________________________________________________________________________________________ *** CID 1597788: Error handling issues (CHECKED_RETURN) /sys/dev/usb/if_smsc.c: 302 in smsc_uno_miibus_readreg() 296 if (smsc_wait_for_bits(un, SMSC_MII_ADDR, SMSC_MII_BUSY) != 0) { 297 smsc_warn_printf(un, "MII read timeout\n"); 298 *val = 0; 299 return ETIMEDOUT; 300 } 301 >>> CID 1597788: Error handling issues (CHECKED_RETURN) >>> Calling "smsc_readreg" without checking return value (as is done elsewhere 9 out of 10 times). 302 smsc_readreg(un, SMSC_MII_DATA, &data); 303 304 *val = data & 0xffff; 305 return 0; 306 } 307 ** CID 1597787: (OVERRUN) ________________________________________________________________________________________________________ *** CID 1597787: (OVERRUN) /sys/dev/pci/bktr/bktr_core.c: 2904 in rgb_vbi_prog() 2898 split(bktr, (volatile u_int **) &dma_prog, 2899 bktr->y2 - bktr->y, OP_WRITE, 2900 Bpp, (volatile u_char **)(uintptr_t)&target, 2901 cols); 2902 } 2903 if (bktr->yclip != bktr->yclip2) { >>> CID 1597787: (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target". 2904 split(bktr, (volatile u_int **) &dma_prog, 2905 bktr->yclip2 - bktr->yclip, OP_SKIP, 2906 Bpp, (volatile u_char **)(uintptr_t)&target, cols); 2907 } 2908 2909 } /sys/dev/pci/bktr/bktr_core.c: 2834 in rgb_vbi_prog() 2828 *dma_prog++ = htole32(OP_SYNC | BKTR_FM1); 2829 *dma_prog++ = htole32(0); /* NULL WORD */ 2830 width = cols; 2831 for (i = 0; i < (rows/interlace); i++) { 2832 target = target_buffer; 2833 if (notclipped(bktr, i, width)) { >>> CID 1597787: (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target". 2834 split(bktr, (volatile u_int **) &dma_prog, 2835 bktr->y2 - bktr->y, OP_WRITE, 2836 Bpp, (volatile u_char **)(uintptr_t)&target, cols); 2837 2838 } else { 2839 while(getline(bktr, i)) { /sys/dev/pci/bktr/bktr_core.c: 2846 in rgb_vbi_prog() 2840 if (bktr->y != bktr->y2) { 2841 split(bktr, (volatile u_int **) &dma_prog, 2842 bktr->y2 - bktr->y, OP_WRITE, 2843 Bpp, (volatile u_char **) (uintptr_t)&target, cols); 2844 } 2845 if (bktr->yclip != bktr->yclip2) { >>> CID 1597787: (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target". 2846 split(bktr,(volatile u_int **) &dma_prog, 2847 bktr->yclip2 - bktr->yclip, 2848 OP_SKIP, 2849 Bpp, (volatile u_char **)(uintptr_t)&target, cols); 2850 } 2851 } /sys/dev/pci/bktr/bktr_core.c: 2892 in rgb_vbi_prog() 2886 *dma_prog++ = htole32(OP_SYNC | BKTR_FM1); 2887 *dma_prog++ = htole32(0); /* NULL WORD */ 2888 width = cols; 2889 for (i = 0; i < (rows/interlace); i++) { 2890 target = target_buffer; 2891 if (notclipped(bktr, i, width)) { >>> CID 1597787: (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target". 2892 split(bktr, (volatile u_int **) &dma_prog, 2893 bktr->y2 - bktr->y, OP_WRITE, 2894 Bpp, (volatile u_char **)(uintptr_t)&target, cols); 2895 } else { 2896 while(getline(bktr, i)) { 2897 if (bktr->y != bktr->y2) { /sys/dev/pci/bktr/bktr_core.c: 2841 in rgb_vbi_prog() 2835 bktr->y2 - bktr->y, OP_WRITE, 2836 Bpp, (volatile u_char **)(uintptr_t)&target, cols); 2837 2838 } else { 2839 while(getline(bktr, i)) { 2840 if (bktr->y != bktr->y2) { >>> CID 1597787: (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target". 2841 split(bktr, (volatile u_int **) &dma_prog, 2842 bktr->y2 - bktr->y, OP_WRITE, 2843 Bpp, (volatile u_char **) (uintptr_t)&target, cols); 2844 } 2845 if (bktr->yclip != bktr->yclip2) { 2846 split(bktr,(volatile u_int **) &dma_prog, /sys/dev/pci/bktr/bktr_core.c: 2898 in rgb_vbi_prog() 2892 split(bktr, (volatile u_int **) &dma_prog, 2893 bktr->y2 - bktr->y, OP_WRITE, 2894 Bpp, (volatile u_char **)(uintptr_t)&target, cols); 2895 } else { 2896 while(getline(bktr, i)) { 2897 if (bktr->y != bktr->y2) { >>> CID 1597787: (OVERRUN) >>> Overrunning array of 4 bytes at byte offset 7 by dereferencing pointer "(u_char volatile **)(uintptr_t)&target". 2898 split(bktr, (volatile u_int **) &dma_prog, 2899 bktr->y2 - bktr->y, OP_WRITE, 2900 Bpp, (volatile u_char **)(uintptr_t)&target, 2901 cols); 2902 } 2903 if (bktr->yclip != bktr->yclip2) { ** CID 1597786: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 1597786: Uninitialized variables (UNINIT) /sys/dev/pci/if_iwi.c: 2395 in iwi_config() 2389 nchan++; 2390 } 2391 power.nchan = nchan; 2392 2393 power.mode = IWI_MODE_11G; 2394 DPRINTF(("Setting .11g channels tx power\n")); >>> CID 1597786: Uninitialized variables (UNINIT) >>> Using uninitialized value "power". Field "power.chan" is uninitialized when calling "iwi_cmd". 2395 error = iwi_cmd(sc, IWI_CMD_SET_TX_POWER, &power, sizeof power, 0); 2396 if (error != 0) 2397 return error; 2398 2399 power.mode = IWI_MODE_11B; 2400 DPRINTF(("Setting .11b channels tx power\n")); ** CID 1597785: Memory - illegal accesses (OVERRUN) ________________________________________________________________________________________________________ *** CID 1597785: Memory - illegal accesses (OVERRUN) /sys/external/bsd/drm2/dist/drm/i915/gt/intel_lrc.c: 2076 in execlists_dequeue() 2070 2071 while ((rb = rb_first_cached(&execlists->queue))) { 2072 struct i915_priolist *p = to_priolist(rb); 2073 struct i915_request *rq, *rn; 2074 int i; 2075 >>> CID 1597785: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 64 bytes at byte offset 1008 by dereferencing pointer "&p->requests[i]". 2076 priolist_for_each_request_consume(rq, rn, p, i) { 2077 bool merge = true; 2078 2079 /* 2080 * Can we combine this request with the current port? 2081 * It has to be the same context/ringbuffer and not ** CID 1597784: Null pointer dereferences (NULL_RETURNS) /sys/external/bsd/drm2/dist/drm/radeon/radeon_ttm.c: 857 in radeon_ttm_tt_unpopulate() ________________________________________________________________________________________________________ *** CID 1597784: Null pointer dereferences (NULL_RETURNS) /sys/external/bsd/drm2/dist/drm/radeon/radeon_ttm.c: 857 in radeon_ttm_tt_unpopulate() 851 #endif 852 struct radeon_ttm_tt *gtt = radeon_ttm_tt_to_gtt(ttm); 853 bool slave = !!(ttm->page_flags & TTM_PAGE_FLAG_SG); 854 855 #ifdef __NetBSD__ 856 if (slave && ttm->sg) { >>> CID 1597784: Null pointer dereferences (NULL_RETURNS) >>> Dereferencing "gtt", which is known to be "NULL". 857 bus_dmamap_unload(ttm->bdev->dmat, gtt->ttm.dma_address); 858 } 859 #endif 860 if (gtt && gtt->userptr) { 861 kfree(ttm->sg); 862 ttm->page_flags &= ~TTM_PAGE_FLAG_SG; ** CID 1597783: (OVERRUN) ________________________________________________________________________________________________________ *** CID 1597783: (OVERRUN) /sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 3267 in intel_plane_compute_gtt() 3261 * big plane sizes and suitably misaligned 3262 * offsets. 3263 */ 3264 return intel_plane_check_stride(plane_state); 3265 } 3266 >>> CID 1597783: (OVERRUN) >>> Overrunning struct type drm_framebuffer of 200 bytes by passing it to a function which accesses it at byte offset 295. 3267 intel_fill_fb_ggtt_view(&plane_state->view, &fb->base, rotation); 3268 3269 for (i = 0; i < num_planes; i++) { 3270 plane_state->color_plane[i].stride = intel_fb_pitch(&fb->base, i, rotation); 3271 plane_state->color_plane[i].offset = 0; 3272 /sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 3270 in intel_plane_compute_gtt() 3264 return intel_plane_check_stride(plane_state); 3265 } 3266 3267 intel_fill_fb_ggtt_view(&plane_state->view, &fb->base, rotation); 3268 3269 for (i = 0; i < num_planes; i++) { >>> CID 1597783: (OVERRUN) >>> Overrunning struct type drm_framebuffer of 200 bytes by passing it to a function which accesses it at byte offset 295. 3270 plane_state->color_plane[i].stride = intel_fb_pitch(&fb->base, i, rotation); 3271 plane_state->color_plane[i].offset = 0; 3272 3273 if (drm_rotation_90_or_270(rotation)) { 3274 plane_state->color_plane[i].x = fb->rotated[i].x; 3275 plane_state->color_plane[i].y = fb->rotated[i].y; ** CID 1597782: Memory - corruptions (OVERRUN) /sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 7558 in intel_crtc_disable_noatomic() ________________________________________________________________________________________________________ *** CID 1597782: Memory - corruptions (OVERRUN) /sys/external/bsd/drm2/dist/drm/i915/display/intel_display.c: 7558 in intel_crtc_disable_noatomic() 7552 for_each_power_domain(domain, domains) 7553 intel_display_power_put_unchecked(dev_priv, domain); 7554 crtc->enabled_power_domains = 0; 7555 7556 dev_priv->active_pipes &= ~BIT(pipe); 7557 dev_priv->min_cdclk[pipe] = 0; >>> CID 1597782: Memory - corruptions (OVERRUN) >>> Overrunning array "dev_priv->min_voltage_level" of 4 bytes at byte offset 64 using index "pipe_drmhack" (which evaluates to 64). 7558 dev_priv->min_voltage_level[pipe] = 0; 7559 7560 bw_state->data_rate[pipe] = 0; 7561 bw_state->num_active_planes[pipe] = 0; 7562 } 7563 ** CID 1597781: Null pointer dereferences (FORWARD_NULL) /sys/kern/vfs_syscalls.c: 609 in do_sys_mount() ________________________________________________________________________________________________________ *** CID 1597781: Null pointer dereferences (FORWARD_NULL) /sys/kern/vfs_syscalls.c: 609 in do_sys_mount() 603 goto done; 604 } 605 error = mount_getargs(l, vp, path, flags, data_buf, &data_len); 606 if (error != 0) 607 goto done; 608 if (data_seg == UIO_USERSPACE) >>> CID 1597781: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "data" to "copyout", which dereferences it. 609 error = copyout(data_buf, data, data_len); 610 *retval = data_len; 611 } else if (flags & MNT_UPDATE) { 612 error = mount_update(l, vp, path, flags, data_buf, &data_len); 613 } else { 614 /* Locking is handled internally in mount_domount(). */ ** CID 1597780: (BUFFER_SIZE) /sys/nfs/nfs_bootdhcp.c: 829 in bootp_extract() /sys/nfs/nfs_bootdhcp.c: 823 in bootp_extract() ________________________________________________________________________________________________________ *** CID 1597780: (BUFFER_SIZE) /sys/nfs/nfs_bootdhcp.c: 829 in bootp_extract() 823 strncpy(hostname, myname, sizeof(hostname)); 824 hostnamelen = mynamelen; 825 printf("nfs_boot: my_name=%s\n", hostname); 826 } 827 if (mydomain) { 828 mydomain[mydomainlen] = '\0'; >>> CID 1597780: (BUFFER_SIZE) >>> Calling "strncpy" with a maximum size argument of 256 bytes on destination array "domainname" of size 256 bytes might leave the destination string unterminated. 829 strncpy(domainname, mydomain, sizeof(domainname)); 830 domainnamelen = mydomainlen; 831 printf("nfs_boot: my_domain=%s\n", domainname); 832 } 833 if (!(*flags & NFS_BOOT_HAS_MYIP)) { 834 nd->nd_myip = bootp->bp_yiaddr; /sys/nfs/nfs_bootdhcp.c: 823 in bootp_extract() 817 818 /* 819 * Store and print network config info. 820 */ 821 if (myname) { 822 myname[mynamelen] = '\0'; >>> CID 1597780: (BUFFER_SIZE) >>> Calling "strncpy" with a maximum size argument of 256 bytes on destination array "hostname" of size 256 bytes might leave the destination string unterminated. 823 strncpy(hostname, myname, sizeof(hostname)); 824 hostnamelen = mynamelen; 825 printf("nfs_boot: my_name=%s\n", hostname); 826 } 827 if (mydomain) { 828 mydomain[mydomainlen] = '\0'; ** CID 1597779: High impact quality (Y2K38_SAFETY) /sys/net/npf/npf_conn.c: 280 in conn_update_atime() ________________________________________________________________________________________________________ *** CID 1597779: High impact quality (Y2K38_SAFETY) /sys/net/npf/npf_conn.c: 280 in conn_update_atime() 274 static inline void 275 conn_update_atime(npf_conn_t *con) 276 { 277 struct timespec tsnow; 278 279 getnanouptime(&tsnow); >>> CID 1597779: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "tsnow.tv_sec" is cast to "uint32_t". 280 atomic_store_relaxed(&con->c_atime, tsnow.tv_sec); 281 } 282 283 /* 284 * npf_conn_check: check that: 285 * ** CID 1597778: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1597778: Memory - corruptions (OVERRUN) /sys/kern/vfs_vnode.c: 1614 in vcache_get() 1608 mutex_exit(&vcache_lock); 1609 goto again; 1610 } 1611 vp = VIMPL_TO_VNODE(vip); 1612 mutex_enter(vp->v_interlock); 1613 mutex_exit(&vcache_lock); >>> CID 1597778: Memory - corruptions (OVERRUN) >>> Overrunning struct type vnode of 256 bytes by passing it to a function which accesses it at byte offset 575. 1614 error = vcache_vget(vp); 1615 if (error == ENOENT) 1616 goto again; 1617 if (error == 0) 1618 *vpp = vp; 1619 KASSERT((error != 0) == (*vpp == NULL)); ** CID 1597777: Memory - corruptions (OVERRUN) /sys/dev/pci/if_iavf.c: 4858 in iavf_config_rss_lut() ________________________________________________________________________________________________________ *** CID 1597777: Memory - corruptions (OVERRUN) /sys/dev/pci/if_iavf.c: 4858 in iavf_config_rss_lut() 4852 rss_lut->lut_entries = htole16(IXL_RSS_VSI_LUT_SIZE); 4853 4854 lut = rss_lut->lut; 4855 for (i = 0; i < IXL_RSS_VSI_LUT_SIZE; i++) { 4856 v = i % sc->sc_nqueue_pairs; 4857 v &= IAVF_RSS_VSI_LUT_ENTRY_MASK; >>> CID 1597777: Memory - corruptions (OVERRUN) >>> Overrunning array of 1 bytes at byte offset 63 by dereferencing pointer "lut + i". 4858 lut[i] = v; 4859 } 4860 4861 memset(&iaq, 0, sizeof(iaq)); 4862 iaq.iaq_flags = htole16(IXL_AQ_BUF | IXL_AQ_RD); 4863 iaq.iaq_opcode = htole16(IAVF_AQ_OP_SEND_TO_PF); ** CID 1597776: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1597776: Insecure data handling (TAINTED_SCALAR) /sys/dev/pci/viomb.c: 472 in deflate_done() 466 r = virtio_dequeue(vsc, vq, &slot, NULL); 467 if (r != 0) { 468 printf("%s: deflate dequeue failed, errno %d\n", 469 device_xname(sc->sc_dev), r); 470 return 1; 471 } >>> CID 1597776: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "slot" to "virtio_dequeue_commit", which uses it as an offset. 472 virtio_dequeue_commit(vsc, vq, slot); 473 474 b = &sc->sc_req; 475 nvpages = b->bl_nentries; 476 bus_dmamap_sync(virtio_dmat(vsc), b->bl_dmamap, 477 0, ** CID 1597775: High impact quality (Y2K38_SAFETY) /sys/kern/init_sysctl.c: 1585 in fill_lwp() ________________________________________________________________________________________________________ *** CID 1597775: High impact quality (Y2K38_SAFETY) /sys/kern/init_sysctl.c: 1585 in fill_lwp() 1579 kl->l_usrpri = l->l_priority; 1580 if (l->l_wchan) 1581 strncpy(kl->l_wmesg, l->l_wmesg, sizeof(kl->l_wmesg)); 1582 COND_SET_VALUE(kl->l_wchan, PTRTOUINT64(l->l_wchan), allowaddr); 1583 kl->l_cpuid = cpu_index(l->l_cpu); 1584 bintime2timeval(&l->l_rtime, &tv); >>> CID 1597775: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "tv.tv_sec" is cast to "uint32_t". 1585 kl->l_rtime_sec = tv.tv_sec; 1586 kl->l_rtime_usec = tv.tv_usec; 1587 kl->l_cpticks = l->l_cpticks; 1588 kl->l_pctcpu = l->l_pctcpu; 1589 kl->l_pid = p->p_pid; 1590 if (l->l_name == NULL) 1591 kl->l_name[0] = '\0'; 1592 else 1593 strlcpy(kl->l_name, l->l_name, sizeof(kl->l_name)); ** CID 1597774: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1597774: Insecure data handling (TAINTED_SCALAR) /sys/dev/usb/usb.c: 1016 in usbioctl() 1010 if (uio.uio_rw == UIO_WRITE) { 1011 error = uiomove(ptr, len, &uio); 1012 if (error) 1013 goto ret; 1014 } 1015 } >>> CID 1597774: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "ur->ucr_request.wLength" to "usbd_do_request_flags", which uses it as an offset. 1016 err = usbd_do_request_flags(sc->sc_bus->ub_devices[dindex], 1017 &ur->ucr_request, ptr, ur->ucr_flags, &ur->ucr_actlen, 1018 USBD_DEFAULT_TIMEOUT); 1019 if (err) { 1020 error = EIO; 1021 goto ret; ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=u001.AxU2LYlgjL6eX23u9ErQy-2BKADyCpvUKOL6EWmZljiu4Nbbca-2Bj5xy89KZAbuSS8zMLC60P5V6fdfclLrUYTWooJPiyx0UnOPSgi6MZBtBUA-3Dx0ZR_-2BwJ6JLtSrHuOVjqcF3J-2Fw6dcxx-2BEOKIuJ3YCALi-2FTyo1Iew7xgdlsaa2ABe1UuN8E3zoypTbh2jhv6-2FUZzF1Y5MRM-2FebUtHt107THvS66csNdIjr4m-2BDXFQ95GnbaeIhlmOs95VKqPktmSR0aefze69OuDJdtF1PpodsyJYjWlGCBZiN-2BSnoltQQ6FnTxZvNcFAMcmkTj13WWD8tKl1qUQ-3D-3D