mdadm-4.2-rc2.el9

List of Defects (static-analysis findings)

Error: SHELLCHECK_WARNING (CWE-563): [#def1]
/etc/sysconfig/raid-check:53:1: warning[SC2034]: ENABLED appears unused. Verify use (or export if used externally).
#   51|   # /proc/mdstat and in /sys/block.
#   52|   
#   53|-> ENABLED=yes
#   54|   CHECK=check
#   55|   NICE=low

Error: SHELLCHECK_WARNING (CWE-563): [#def2]
/etc/sysconfig/raid-check:54:1: warning[SC2034]: CHECK appears unused. Verify use (or export if used externally).
#   52|   
#   53|   ENABLED=yes
#   54|-> CHECK=check
#   55|   NICE=low
#   56|   # To check devs /dev/md0 and /dev/md3, use "md0 md3"

Error: SHELLCHECK_WARNING (CWE-563): [#def3]
/etc/sysconfig/raid-check:55:1: warning[SC2034]: NICE appears unused. Verify use (or export if used externally).
#   53|   ENABLED=yes
#   54|   CHECK=check
#   55|-> NICE=low
#   56|   # To check devs /dev/md0 and /dev/md3, use "md0 md3"
#   57|   CHECK_DEVS=""

Error: SHELLCHECK_WARNING (CWE-563): [#def4]
/etc/sysconfig/raid-check:57:1: warning[SC2034]: CHECK_DEVS appears unused. Verify use (or export if used externally).
#   55|   NICE=low
#   56|   # To check devs /dev/md0 and /dev/md3, use "md0 md3"
#   57|-> CHECK_DEVS=""
#   58|   REPAIR_DEVS=""
#   59|   SKIP_DEVS=""

Error: SHELLCHECK_WARNING (CWE-563): [#def5]
/etc/sysconfig/raid-check:58:1: warning[SC2034]: REPAIR_DEVS appears unused. Verify use (or export if used externally).
#   56|   # To check devs /dev/md0 and /dev/md3, use "md0 md3"
#   57|   CHECK_DEVS=""
#   58|-> REPAIR_DEVS=""
#   59|   SKIP_DEVS=""
#   60|   MAXCONCURRENT=

Error: SHELLCHECK_WARNING (CWE-563): [#def6]
/etc/sysconfig/raid-check:59:1: warning[SC2034]: SKIP_DEVS appears unused. Verify use (or export if used externally).
#   57|   CHECK_DEVS=""
#   58|   REPAIR_DEVS=""
#   59|-> SKIP_DEVS=""
#   60|   MAXCONCURRENT=

Error: SHELLCHECK_WARNING (CWE-563): [#def7]
/etc/sysconfig/raid-check:60:1: warning[SC2034]: MAXCONCURRENT appears unused. Verify use (or export if used externally).
#   58|   REPAIR_DEVS=""
#   59|   SKIP_DEVS=""
#   60|-> MAXCONCURRENT=

Error: SHELLCHECK_WARNING (CWE-571): [#def8]
/usr/sbin/raid-check:23:12: warning[SC2155]: Declare and assign separately to avoid masking return values.
#   21|   	local dev=""
#   22|   	for dev in $dev_list; do
#   23|-> 	    local sync_action=`cat /sys/block/$dev/md/sync_action`
#   24|   	    if [ "$sync_action" != "idle" ]; then
#   25|   		let busy++

Error: SHELLCHECK_WARNING (CWE-398): [#def9]
/usr/sbin/raid-check:35:7: warning[SC2153]: Possible misspelling: CHECK may not be assigned, but check is.
#   33|   [ "$ENABLED" != "yes" ] && exit 0
#   34|   
#   35|-> case "$CHECK" in
#   36|       check) ;;
#   37|       repair) ;;

Error: SHELLCHECK_WARNING (CWE-477): [#def10]
/usr/sbin/raid-check:73:33: warning[SC2166]: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.
#   71|   	# when two or more arrays are on the same physical disk
#   72|   	array_state=`cat /sys/block/$dev/md/array_state`
#   73|-> 	if [ "$array_state" != "clean" -a "$array_state" != "active" ]; then
#   74|   	    continue
#   75|   	fi

Error: SHELLCHECK_WARNING (CWE-477): [#def11]
/usr/sbin/raid-check:100:25: warning[SC2166]: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.
#   98|       resync_pid=""
#   99|       wait=10
#  100|->     while [ $wait -gt 0 -a -z "$resync_pid" ]; do
#  101|   	sleep 6
#  102|   	let wait--

Error: SHELLCHECK_WARNING (CWE-477): [#def12]
/usr/sbin/raid-check:105:24: warning[SC2166]: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.
#  103|   	resync_pid=$(ps -ef | awk -v mddev=$dev 'BEGIN { pattern = "^\\[" mddev "_resync]$" } $8 ~ pattern { print $2 }')
#  104|       done
#  105|->     [ -n "$resync_pid" -a -n "$renice" ] &&
#  106|       	renice $renice -p $resync_pid >&/dev/null
#  107|       [ -n "$resync_pid" -a -n "$ionice" ] &&

Error: SHELLCHECK_WARNING (CWE-477): [#def13]
/usr/sbin/raid-check:107:24: warning[SC2166]: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.
#  105|       [ -n "$resync_pid" -a -n "$renice" ] &&
#  106|       	renice $renice -p $resync_pid >&/dev/null
#  107|->     [ -n "$resync_pid" -a -n "$ionice" ] &&
#  108|       	ionice $ionice -p $resync_pid >&/dev/null
#  109|   done

Error: SHELLCHECK_WARNING (CWE-477): [#def14]
/usr/sbin/raid-check:128:29: warning[SC2166]: Prefer [ p ] || [ q ] as [ p -o q ] is not well defined.
#  126|   	# be in the device.
#  127|   	raid_lvl=`cat /sys/block/$dev/md/level`
#  128|-> 	if [ "$raid_lvl" = "raid1" -o "$raid_lvl" = "raid10" ]; then
#  129|   	    continue
#  130|   	fi

Error: SHELLCHECK_WARNING (CWE-88): [#def15]
/usr/share/doc/mdadm/mdcheck:36:6: warning[SC2046]: Quote this to prevent word splitting.
#   34|   # convert a /dev/md name into /sys/.../md equivalent
#   35|   sysname() {
#   36|-> 	set `ls -lLd $1`
#   37|   	maj=${5%,}
#   38|   	min=$6

Error: SHELLCHECK_WARNING (CWE-477): [#def16]
/usr/share/doc/mdadm/mdcheck:98:23: warning[SC2166]: Prefer [ p ] || [ q ] as [ p -o q ] is not well defined.
#   96|   		start=0
#   97|   		logger -p daemon.info mdcheck start checking $dev
#   98|-> 	elif [ -z "$MD_UUID" -o ! -f "$fl" ]
#   99|   	then
#  100|   		# Nothing to continue here

Error: SHELLCHECK_WARNING (CWE-88): [#def17]
/usr/share/doc/mdadm/mdcheck:121:9: warning[SC2046]: Quote this to prevent word splitting.
#  119|   fi
#  120|   
#  121|-> while [ `date +%s` -lt $endtime ]
#  122|   do
#  123|   	any=

Error: SHELLCHECK_WARNING (CWE-88): [#def18]
/usr/share/doc/mdadm/mdcheck:165:47: warning[SC2046]: Quote this to prevent word splitting.
#  163|   	echo idle > $sys/md/sync_action
#  164|   	cat $sys/md/sync_min > $fl
#  165|-> 	logger -p daemon.info pause checking $dev at `cat $fl`
#  166|   done

Error: FORWARD_NULL (CWE-476): [#def19]
mdadm-4.2_rc2/Assemble.c:556: var_compare_op: Comparing "st" to null implies that "st" might be null.
mdadm-4.2_rc2/Assemble.c:566: var_deref_op: Dereferencing null pointer "st".
#  564|   			content = *contentp;
#  565|   
#  566|-> 			if (!st->sb) {
#  567|   				/* we need sb from one of the spares */
#  568|   				int dfd = dev_open(tmpdev->devname, O_RDONLY);

Error: CHECKED_RETURN (CWE-252): [#def20]
mdadm-4.2_rc2/Assemble.c:652: check_return: Calling "fstat(mdfd, &stb2)" without checking return value. This library function may fail and return an error code.
#  650|   			struct stat stb2;
#  651|   			int err;
#  652|-> 			fstat(mdfd, &stb2);
#  653|   
#  654|   			if (strcmp(c->update, "uuid") == 0 && !ident->uuid_set)

Error: NULL_RETURNS (CWE-476): [#def21]
mdadm-4.2_rc2/Assemble.c:1499: returned_null: "sysfs_read" returns "NULL" (checked 51 out of 55 times).
mdadm-4.2_rc2/Assemble.c:1499: var_assigned: Assigning: "pre_exist" = "NULL" return value from "sysfs_read".
mdadm-4.2_rc2/Assemble.c:1500: dereference: Dereferencing "pre_exist", which is known to be "NULL".
mdadm-4.2_rc2/Assemble.c:1988: example_assign: Example 1: Assigning: "sra" = return value from "sysfs_read(mdfd, NULL, 1048640UL)".
mdadm-4.2_rc2/Assemble.c:1989: example_checked: Example 1 (cont.): "sra" has its value checked in "sra == NULL".
mdadm-4.2_rc2/Create.c:764: example_assign: Example 2: Assigning: "mdi" = return value from "sysfs_read(-1, devnm, GET_VERSION)".
mdadm-4.2_rc2/Create.c:766: example_checked: Example 2 (cont.): "mdi" has its value checked in "mdi".
mdadm-4.2_rc2/Detail.c:91: example_assign: Example 3: Assigning: "sra" = return value from "sysfs_read(fd, NULL, 42991680UL)".
mdadm-4.2_rc2/Detail.c:93: example_checked: Example 3 (cont.): "sra" has its value checked in "sra".
mdadm-4.2_rc2/Grow.c:833: example_assign: Example 4: Assigning: "sra" = return value from "sysfs_read(-1, st->devnm, GET_VERSION)".
mdadm-4.2_rc2/Grow.c:836: example_checked: Example 4 (cont.): "sra" has its value checked in "sra".
mdadm-4.2_rc2/msg.c:428: example_assign: Example 5: Assigning: "sra" = return value from "sysfs_read(-1, e->devnm, 65UL)".
mdadm-4.2_rc2/msg.c:429: example_checked: Example 5 (cont.): "sra" has its value checked in "sra".
# 1498|   		/* array already exists. */
# 1499|   		pre_exist = sysfs_read(-1, mp->devnm, GET_LEVEL|GET_DEVS);
# 1500|-> 		if (pre_exist->array.level != UnSet) {
# 1501|   			pr_err("Found some drive for an array that is already active: %s\n",
# 1502|   			       mp->path);

Error: RESOURCE_LEAK (CWE-772): [#def22] [important]
mdadm-4.2_rc2/Assemble.c:1499: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Assemble.c:1499: var_assign: Assigning: "pre_exist" = storage returned from "sysfs_read(-1, mp->devnm, 1048577UL)".
mdadm-4.2_rc2/Assemble.c:1612: leaked_storage: Variable "pre_exist" going out of scope leaks the storage it points to.
# 1610|   						 chosen_name, NULL);
# 1611|   		close(mdfd);
# 1612|-> 		return err;
# 1613|   	}
# 1614|   

Error: RESOURCE_LEAK (CWE-772): [#def23] [important]
mdadm-4.2_rc2/Assemble.c:1649: alloc_fn: Storage is returned from allocation function "xcalloc".
mdadm-4.2_rc2/Assemble.c:1649: var_assign: Assigning: "avail" = storage returned from "xcalloc(content->array.raid_disks, 1UL)".
mdadm-4.2_rc2/Assemble.c:1721: noescape: Resource "avail" is not freed or pointed-to in "force_array".
mdadm-4.2_rc2/Assemble.c:1966: leaked_storage: Variable "avail" going out of scope leaks the storage it points to.
# 1964|   	if (rv == -1) {
# 1965|   		free(devices);
# 1966|-> 		return 1;
# 1967|   	}
# 1968|   	return rv == 2 ? 0 : rv;

Error: RESOURCE_LEAK (CWE-772): [#def24] [important]
mdadm-4.2_rc2/Assemble.c:1499: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Assemble.c:1499: var_assign: Assigning: "pre_exist" = storage returned from "sysfs_read(-1, mp->devnm, 1048577UL)".
mdadm-4.2_rc2/Assemble.c:1966: leaked_storage: Variable "pre_exist" going out of scope leaks the storage it points to.
# 1964|   	if (rv == -1) {
# 1965|   		free(devices);
# 1966|-> 		return 1;
# 1967|   	}
# 1968|   	return rv == 2 ? 0 : rv;

Error: RESOURCE_LEAK (CWE-772): [#def25] [important]
mdadm-4.2_rc2/Assemble.c:1948: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Assemble.c:1948: var_assign: Assigning: "mdfd" = handle returned from "open(mddev, 0)".
mdadm-4.2_rc2/Assemble.c:1951: noescape: Resource "mdfd" is not freed or pointed-to in "get_dev_size".
mdadm-4.2_rc2/Assemble.c:1968: leaked_handle: Handle variable "mdfd" going out of scope leaks the handle.
# 1966|   		return 1;
# 1967|   	}
# 1968|-> 	return rv == 2 ? 0 : rv;
# 1969|   }
# 1970|   

Error: RESOURCE_LEAK (CWE-772): [#def26] [important]
mdadm-4.2_rc2/Assemble.c:1649: alloc_fn: Storage is returned from allocation function "xcalloc".
mdadm-4.2_rc2/Assemble.c:1649: var_assign: Assigning: "avail" = storage returned from "xcalloc(content->array.raid_disks, 1UL)".
mdadm-4.2_rc2/Assemble.c:1721: noescape: Resource "avail" is not freed or pointed-to in "force_array".
mdadm-4.2_rc2/Assemble.c:1968: leaked_storage: Variable "avail" going out of scope leaks the storage it points to.
# 1966|   		return 1;
# 1967|   	}
# 1968|-> 	return rv == 2 ? 0 : rv;
# 1969|   }
# 1970|   

Error: FORWARD_NULL (CWE-476): [#def27]
mdadm-4.2_rc2/Assemble.c:1989: var_compare_op: Comparing "sra" to null implies that "sra" might be null.
mdadm-4.2_rc2/Assemble.c:2014: var_deref_op: Dereferencing null pointer "sra".
# 2012|   		block_subarray(content);
# 2013|   
# 2014|-> 	for (dev2 = sra->devs; dev2; dev2 = dev2->next) {
# 2015|   		for (dev = content->devs; dev; dev = dev->next)
# 2016|   			if (dev2->disk.major == dev->disk.major &&

Error: RESOURCE_LEAK (CWE-772): [#def28] [important]
mdadm-4.2_rc2/Build.c:179: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Build.c:179: var_assign: Assigning: "bitmap_fd" = handle returned from "open(s->bitmap_file, 2)".
mdadm-4.2_rc2/Build.c:201: noescape: Assuming resource "bitmap_fd" is not freed or pointed-to as ellipsis argument to "ioctl".
mdadm-4.2_rc2/Build.c:221: leaked_handle: Handle variable "bitmap_fd" going out of scope leaks the handle.
#  219|   	wait_for(mddev, mdfd);
#  220|   	close(mdfd);
#  221|-> 	return 0;
#  222|   
#  223|    abort:

Error: RESOURCE_LEAK (CWE-772): [#def29] [important]
mdadm-4.2_rc2/Build.c:179: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Build.c:179: var_assign: Assigning: "bitmap_fd" = handle returned from "open(s->bitmap_file, 2)".
mdadm-4.2_rc2/Build.c:201: noescape: Assuming resource "bitmap_fd" is not freed or pointed-to as ellipsis argument to "ioctl".
mdadm-4.2_rc2/Build.c:226: leaked_handle: Handle variable "bitmap_fd" going out of scope leaks the handle.
#  224|   	ioctl(mdfd, STOP_ARRAY, 0);
#  225|   	close(mdfd);
#  226|-> 	return 1;
#  227|   }

Error: CLANG_WARNING: [#def30]
mdadm-4.2_rc2/Create.c:182:17: warning[deadcode.DeadStores]: Although the value stored to 'rv' is used in the enclosing expression, the value is never actually read from 'rv'
#  180|   			} else {
#  181|   				st = super_by_fd(fd, NULL);
#  182|-> 				if (st && !(rv = st->ss->
#  183|   					    load_container(st, fd,
#  184|   							   devlist->devname)))

Error: RESOURCE_LEAK (CWE-772): [#def31] [important]
mdadm-4.2_rc2/Create.c:815: open_fn: Returning handle opened by "open_dev_excl".
mdadm-4.2_rc2/Create.c:815: var_assign: Assigning: "container_fd" = handle returned from "open_dev_excl(st->container_devnm)".
mdadm-4.2_rc2/Create.c:1112: leaked_handle: Handle variable "container_fd" going out of scope leaks the handle.
# 1110|   	if (mdfd >= 0)
# 1111|   		close(mdfd);
# 1112|-> 	return 1;
# 1113|   }

Error: RESOURCE_LEAK (CWE-772): [#def32] [important]
mdadm-4.2_rc2/Create.c:858: alloc_fn: Storage is returned from allocation function "xmalloc".
mdadm-4.2_rc2/Create.c:858: var_assign: Assigning: "infos" = storage returned from "xmalloc(472UL * total_slots)".
mdadm-4.2_rc2/Create.c:866: var_assign: Assigning: "inf" = "infos".
mdadm-4.2_rc2/Create.c:877: leaked_storage: Variable "inf" going out of scope leaks the storage it points to.
mdadm-4.2_rc2/Create.c:1112: leaked_storage: Variable "infos" going out of scope leaks the storage it points to.
# 1110|   	if (mdfd >= 0)
# 1111|   		close(mdfd);
# 1112|-> 	return 1;
# 1113|   }

Error: CLANG_WARNING: [#def33]
mdadm-4.2_rc2/Detail.c:105:8: warning[core.NullDereference]: Dereference of null pointer
#  103|   	if (md_get_array_info(fd, &array)) {
#  104|   		if (errno == ENODEV) {
#  105|-> 			if (sra->array.major_version == -1 &&
#  106|   			    sra->array.minor_version == -1 &&
#  107|   			    sra->devs == NULL) {

Error: CLANG_WARNING: [#def34]
mdadm-4.2_rc2/Detail.c:141:10: warning[core.NullDereference]: Access to field 'ss' results in a dereference of a null pointer (loaded from variable 'st')
#  139|   		cfd = open_dev(st->container_devnm);
#  140|   		if (cfd >= 0) {
#  141|-> 			err = st->ss->load_container(st, cfd, NULL);
#  142|   			close(cfd);
#  143|   			if (err == 0)

Error: COPY_PASTE_ERROR (CWE-398): [#def35] [important]
mdadm-4.2_rc2/Detail.c:460: original: "array.raid_disks" looks like the original copy.
mdadm-4.2_rc2/Detail.c:540: copy_paste_error: "raid_disks" in "array.raid_disks" looks like a copy-paste error.
mdadm-4.2_rc2/Detail.c:540: remediation: Should it say "active_disks" instead?
#  538|   			printf("             State : inactive\n");
#  539|   		}
#  540|-> 		if (array.raid_disks)
#  541|   			printf("    Active Devices : %d\n", array.active_disks);
#  542|   		if (array.working_disks > 0)

Error: DIVIDE_BY_ZERO (CWE-369): [#def36]
mdadm-4.2_rc2/Detail.c:120: cond_const: Checking "array.raid_disks == 0" implies that "array.raid_disks" is 0 on the true branch.
mdadm-4.2_rc2/Detail.c:816: divide_by_zero: In function call "enough", modulo by expression "array.raid_disks" which may be zero has undefined behavior.
#  814|   	if (c->brief)
#  815|   		printf("\n");
#  816|-> 	if (c->test &&
#  817|   	    !enough(array.level, array.raid_disks, array.layout, 1, avail))
#  818|   		rv = 2;

Error: CHECKED_RETURN (CWE-252): [#def37]
mdadm-4.2_rc2/Dump.c:115: check_return: Calling "fstat(fd, &dstb)" without checking return value. This library function may fail and return an error code.
#  113|   	if (c->verbose >= 0)
#  114|   		printf("%s saved as %s.\n", dev, fname);
#  115|-> 	fstat(fd, &dstb);
#  116|   	close(fd);
#  117|   	close(fl);

Error: TOCTOU (CWE-367): [#def38]
mdadm-4.2_rc2/Dump.c:176: fs_check_call: Calling function "stat" to perform check on "dir".
mdadm-4.2_rc2/Dump.c:198: toctou: Calling function "opendir" that uses "dir" after a check function. This can cause a time-of-check, time-of-use race condition.
#  174|   	unsigned long long size;
#  175|   
#  176|-> 	if (stat(dir, &stb) != 0) {
#  177|   		pr_err("%s does not exist: cannot restore from there.\n",
#  178|   		       dir);

Error: CLANG_WARNING: [#def39]
mdadm-4.2_rc2/Dump.c:244:3: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'
#  242|   			return 1;
#  243|   		}
#  244|-> 		closedir(d);
#  245|   		if (!chosen) {
#  246|   			/* One last chance: try basename of device */

Error: NEGATIVE_RETURNS (CWE-394): [#def40]
mdadm-4.2_rc2/Dump.c:269: negative_return_fn: Function "open(fname, 0)" returns a negative number. [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Dump.c:269: assign: Assigning: "fl" = "open(fname, 0)".
mdadm-4.2_rc2/Dump.c:309: negative_returns: "fl" is passed to a parameter that cannot be negative.
#  307|   	if (c->verbose >= 0)
#  308|   		printf("%s restored from %s.\n", dev, fname);
#  309|-> 	close(fl);
#  310|   	close(fd);
#  311|   	free(fname);

Error: NEGATIVE_RETURNS (CWE-394): [#def41]
mdadm-4.2_rc2/Dump.c:269: negative_return_fn: Function "open(fname, 0)" returns a negative number. [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Dump.c:269: assign: Assigning: "fl" = "open(fname, 0)".
mdadm-4.2_rc2/Dump.c:316: negative_returns: "fl" is passed to a parameter that cannot be negative.
#  314|   err:
#  315|   	close(fd);
#  316|-> 	close(fl);
#  317|   	free(fname);
#  318|   	return 1;

Error: RESOURCE_LEAK (CWE-772): [#def42] [important]
mdadm-4.2_rc2/Grow.c:515: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:515: var_assign: Assigning: "bitmap_fd" = handle returned from "open(s->bitmap_file, 2)".
mdadm-4.2_rc2/Grow.c:520: noescape: Assuming resource "bitmap_fd" is not freed or pointed-to as ellipsis argument to "ioctl".
mdadm-4.2_rc2/Grow.c:526: leaked_handle: Handle variable "bitmap_fd" going out of scope leaks the handle.
#  524|   			pr_err("Cannot set bitmap file for %s: %s\n",
#  525|   				devname, strerror(err));
#  526|-> 			return 1;
#  527|   		}
#  528|   	}

Error: RESOURCE_LEAK (CWE-772): [#def43] [important]
mdadm-4.2_rc2/Grow.c:515: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:515: var_assign: Assigning: "bitmap_fd" = handle returned from "open(s->bitmap_file, 2)".
mdadm-4.2_rc2/Grow.c:520: noescape: Assuming resource "bitmap_fd" is not freed or pointed-to as ellipsis argument to "ioctl".
mdadm-4.2_rc2/Grow.c:528: leaked_handle: Handle variable "bitmap_fd" going out of scope leaks the handle.
#  526|   			return 1;
#  527|   		}
#  528|-> 	}
#  529|   
#  530|   	return 0;

Error: CHECKED_RETURN (CWE-252): [#def44]
mdadm-4.2_rc2/Grow.c:1166: check_return: Calling "fstat(*fdlist, &stb)" without checking return value. This library function may fail and return an error code.
# 1164|   	 * nothing.
# 1165|   	 */
# 1166|-> 	fstat(*fdlist, &stb);
# 1167|   	dev = stb.st_dev;
# 1168|   	fstat(fd, &stb);

Error: CHECKED_RETURN (CWE-252): [#def45]
mdadm-4.2_rc2/Grow.c:1168: check_return: Calling "fstat(fd, &stb)" without checking return value. This library function may fail and return an error code.
# 1166|   	fstat(*fdlist, &stb);
# 1167|   	dev = stb.st_dev;
# 1168|-> 	fstat(fd, &stb);
# 1169|   	if (stb.st_rdev == dev) {
# 1170|   		pr_err("backup file must NOT be on the array being reshaped.\n");

Error: MISSING_BREAK (CWE-484): [#def46]
mdadm-4.2_rc2/Grow.c:1464: unterminated_case: The case for value "4" is not terminated by a "break" statement.
mdadm-4.2_rc2/Grow.c:1466: fallthrough: The above case falls through to this one.
# 1462|   		 */
# 1463|   		switch (info->new_level) {
# 1464|-> 		case 4:
# 1465|   			delta_parity = 1;
# 1466|   		case 0:

Error: MISSING_BREAK (CWE-484): [#def47]
mdadm-4.2_rc2/Grow.c:1491: unterminated_case: The case for value "4" is not terminated by a "break" statement.
mdadm-4.2_rc2/Grow.c:1493: fallthrough: The above case falls through to this one.
# 1489|   		break;
# 1490|   
# 1491|-> 	case 4:
# 1492|   		info->array.layout = ALGORITHM_PARITY_N;
# 1493|   	case 5:

Error: MISSING_BREAK (CWE-484): [#def48]
mdadm-4.2_rc2/Grow.c:1495: unterminated_case: The case for value "0" is not terminated by a "break" statement.
mdadm-4.2_rc2/Grow.c:1497: fallthrough: The above case falls through to this one.
# 1493|   	case 5:
# 1494|   		switch (info->new_level) {
# 1495|-> 		case 0:
# 1496|   			delta_parity = -1;
# 1497|   		case 4:

Error: MISSING_BREAK (CWE-484): [#def49]
mdadm-4.2_rc2/Grow.c:1550: unterminated_case: The case for value "5" is not terminated by a "break" statement.
mdadm-4.2_rc2/Grow.c:1552: fallthrough: The above case falls through to this one.
# 1548|   		switch (info->new_level) {
# 1549|   		case 4:
# 1550|-> 		case 5:
# 1551|   			delta_parity = -1;
# 1552|   		case 6:

Error: STRING_OVERFLOW (CWE-120): [#def50]
mdadm-4.2_rc2/Grow.c:1631: fixed_size_dest: You might overrun the 40-character fixed-size string "layout" by copying "ls" without checking the length.
# 1629|   					 * equivalent - good
# 1630|   					 */
# 1631|-> 					strcat(strcpy(layout, ls), "-6");
# 1632|   					l = map_name(r6layout, layout);
# 1633|   					if (l == UnSet)

Error: UNUSED_VALUE (CWE-563): [#def51]
mdadm-4.2_rc2/Grow.c:2090: value_overwrite: Overwriting previous write to "rv" with value from "sysfs_set_num(sra, NULL, "component_size", s->size)".
mdadm-4.2_rc2/Grow.c:2093: value_overwrite: Overwriting previous write to "rv" with value "-1".
mdadm-4.2_rc2/Grow.c:2095: value_overwrite: Overwriting previous write to "rv" with value from "md_set_array_info(fd, &array)".
mdadm-4.2_rc2/Grow.c:2069: returned_value: Assigning value from "md_get_array_info(fd, &array)" to "rv" here, but that stored value is overwritten before it can be used.
# 2067|   					 * to change one parameter at time only
# 2068|   					 */
# 2069|-> 					rv = md_get_array_info(fd, &array);
# 2070|   				}
# 2071|   			}

Error: CHECKED_RETURN (CWE-252): [#def52]
mdadm-4.2_rc2/Grow.c:3211: check_return: Calling "add_disk" without checking return value (as is done elsewhere 8 out of 9 times).
mdadm-4.2_rc2/Assemble.c:1090: example_assign: Example 1: Assigning: "rv" = return value from "add_disk(mdfd, st, content, &devices[j].i)".
mdadm-4.2_rc2/Assemble.c:1092: example_checked: Example 1 (cont.): "rv" has its value checked in "rv".
mdadm-4.2_rc2/Assemble.c:1268: example_assign: Example 2: Assigning: "rv" = return value from "add_disk(mdfd, st, content, &devices[j].i)".
mdadm-4.2_rc2/Assemble.c:1270: example_checked: Example 2 (cont.): "rv" has its value checked in "rv == 0".
mdadm-4.2_rc2/Create.c:952: example_assign: Example 3: Assigning: "rv" = return value from "add_disk(mdfd, st, &info, inf)".
mdadm-4.2_rc2/Create.c:954: example_checked: Example 3 (cont.): "rv" has its value checked in "rv".
mdadm-4.2_rc2/Incremental.c:322: example_checked: Example 4: "add_disk(mdfd, st, &info, &dinfo)" has its value checked in "add_disk(mdfd, st, &info, &dinfo) != 0".
mdadm-4.2_rc2/Incremental.c:431: example_assign: Example 5: Assigning: "err" = return value from "add_disk(mdfd, st, sra, &info)".
mdadm-4.2_rc2/Incremental.c:432: example_checked: Example 5 (cont.): "err" has its value checked in "err < 0".
# 3209|   					 * be part of the array.
# 3210|   					 */
# 3211|-> 					add_disk(fd, st, info2, d);
# 3212|   				}
# 3213|   			}

Error: TAINTED_SCALAR (CWE-20): [#def53]
mdadm-4.2_rc2/Grow.c:3107: tainted_return_value: Function "sysfs_read" returns tainted data.
mdadm-4.2_rc2/Grow.c:3107: var_assign: Assigning: "sra" = "sysfs_read(fd, NULL, 11534364UL)", which taints "sra".
mdadm-4.2_rc2/Grow.c:3413: tainted_data: Using tainted variable "sra->component_size" as a loop boundary.
mdadm-4.2_rc2/Grow.c:3413: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 3411|   		 * Try for 16 megabytes
# 3412|   		 */
# 3413|-> 		while (blocks * 32 < sra->component_size && blocks < 16*1024*2)
# 3414|   			blocks *= 2;
# 3415|   	} else

Error: TOCTOU (CWE-367): [#def54]
mdadm-4.2_rc2/Grow.c:3582: fs_check_call: Calling function "readlink" to perform check on "bul".
mdadm-4.2_rc2/Grow.c:3587: toctou: Calling function "unlink" that uses "bul" after a check function. This can cause a time-of-check, time-of-use race condition.
# 3580|   		if (bul) {
# 3581|   			char buf[1024];
# 3582|-> 			int l = readlink(bul, buf, sizeof(buf) - 1);
# 3583|   			if (l > 0) {
# 3584|   				buf[l]=0;

Error: RESOURCE_LEAK (CWE-772): [#def55] [important]
mdadm-4.2_rc2/Grow.c:3117: alloc_fn: Storage is returned from allocation function "locate_backup".
mdadm-4.2_rc2/Grow.c:3117: var_assign: Assigning: "backup_file" = storage returned from "locate_backup(sra->sys_name)".
mdadm-4.2_rc2/Grow.c:3653: leaked_storage: Returning without freeing "backup_file" leaks the storage that it points to.
# 3651|   	if (!forked)
# 3652|   		unfreeze(st);
# 3653|-> 	return 1;
# 3654|   }
# 3655|   

Error: RESOURCE_LEAK (CWE-772): [#def56] [important]
mdadm-4.2_rc2/Grow.c:3761: open_fn: Returning handle opened by "open_dev".
mdadm-4.2_rc2/Grow.c:3761: var_assign: Assigning: "fd" = handle returned from "open_dev(mdstat->devnm)".
mdadm-4.2_rc2/Grow.c:3785: noescape: Resource "fd" is not freed or pointed-to in "sysfs_init".
mdadm-4.2_rc2/Grow.c:3789: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 3787|   			       mdstat->devnm);
# 3788|   			rv = 1;
# 3789|-> 			break;
# 3790|   		}
# 3791|   

Error: CHECKED_RETURN (CWE-252): [#def57]
mdadm-4.2_rc2/Grow.c:4368: check_return: Calling "lseek64(bfd, offset - 4096ULL, 0)" without checking return value. This library function may fail and return an error code.
# 4366|   	if (afd < 0)
# 4367|   		return;
# 4368|-> 	lseek64(bfd, offset - 4096, 0);
# 4369|   	if (read(bfd, &bsb2, 512) != 512)
# 4370|   		fail("cannot read bsb");

Error: CHECKED_RETURN (CWE-252): [#def58]
mdadm-4.2_rc2/Grow.c:4399: check_return: Calling "lseek64(bfd, offset, 0)" without checking return value. This library function may fail and return an error code.
# 4397|   		}
# 4398|   
# 4399|-> 		lseek64(bfd, offset, 0);
# 4400|   		if ((unsigned long long)read(bfd, bbuf, len) != len) {
# 4401|   			//printf("len %llu\n", len);

Error: TAINTED_SCALAR (CWE-20): [#def59]
mdadm-4.2_rc2/Grow.c:4369: tainted_argument: Calling function "read" taints argument "bsb2". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4385: var_assign_var: Assigning: "len" = "(unsigned long long)bsb2.length * 512ULL". Both are now tainted.
mdadm-4.2_rc2/Grow.c:4387: lower_bounds: Checking lower bounds of unsigned scalar "len" by taking the true branch of "abuflen < len".
mdadm-4.2_rc2/Grow.c:4400: tainted_data: Passing tainted expression "len" to "read", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4400: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 4398|   
# 4399|   		lseek64(bfd, offset, 0);
# 4400|-> 		if ((unsigned long long)read(bfd, bbuf, len) != len) {
# 4401|   			//printf("len %llu\n", len);
# 4402|   			fail("read first backup failed");

Error: CHECKED_RETURN (CWE-252): [#def60]
mdadm-4.2_rc2/Grow.c:4404: check_return: Calling "lseek64(afd, (unsigned long long)bsb2.arraystart * 512ULL, 0)" without checking return value. This library function may fail and return an error code.
# 4402|   			fail("read first backup failed");
# 4403|   		}
# 4404|-> 		lseek64(afd, __le64_to_cpu(bsb2.arraystart)*512, 0);
# 4405|   		if ((unsigned long long)read(afd, abuf, len) != len)
# 4406|   			fail("read first from array failed");

Error: TAINTED_SCALAR (CWE-20): [#def61]
mdadm-4.2_rc2/Grow.c:4369: tainted_argument: Calling function "read" taints argument "bsb2". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4422: var_assign_var: Assigning: "len" = "(unsigned long long)bsb2.length2 * 512ULL". Both are now tainted.
mdadm-4.2_rc2/Grow.c:4424: lower_bounds: Checking lower bounds of unsigned scalar "len" by taking the true branch of "abuflen < len".
mdadm-4.2_rc2/Grow.c:4427: var_assign_var: Assigning: "abuflen" = "len". Both are now tainted.
mdadm-4.2_rc2/Grow.c:4428: tainted_data: Passing tainted expression "abuflen" to "xmalloc", which uses it as an allocation size.
mdadm-4.2_rc2/Grow.c:4428: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 4426|   			free(bbuf);
# 4427|   			abuflen = len;
# 4428|-> 			abuf = xmalloc(abuflen);
# 4429|   			bbuf = xmalloc(abuflen);
# 4430|   		}

Error: CHECKED_RETURN (CWE-252): [#def62]
mdadm-4.2_rc2/Grow.c:4432: check_return: Calling "lseek64(bfd, offset + (unsigned long long)bsb2.devstart2 * 512ULL, 0)" without checking return value. This library function may fail and return an error code.
# 4430|   		}
# 4431|   
# 4432|-> 		lseek64(bfd, offset+__le64_to_cpu(bsb2.devstart2)*512, 0);
# 4433|   		if ((unsigned long long)read(bfd, bbuf, len) != len)
# 4434|   			fail("read second backup failed");

Error: CHECKED_RETURN (CWE-252): [#def63]
mdadm-4.2_rc2/Grow.c:4435: check_return: Calling "lseek64(afd, (unsigned long long)bsb2.arraystart2 * 512ULL, 0)" without checking return value. This library function may fail and return an error code.
# 4433|   		if ((unsigned long long)read(bfd, bbuf, len) != len)
# 4434|   			fail("read second backup failed");
# 4435|-> 		lseek64(afd, __le64_to_cpu(bsb2.arraystart2)*512, 0);
# 4436|   		if ((unsigned long long)read(afd, abuf, len) != len)
# 4437|   			fail("read second from array failed");

Error: FORWARD_NULL (CWE-476): [#def64]
mdadm-4.2_rc2/Grow.c:4680: var_compare_op: Comparing "backup_file" to null implies that "backup_file" might be null.
mdadm-4.2_rc2/Grow.c:4695: var_deref_model: Passing null pointer "backup_file" to "open", which dereferences it. [Note: The source code implementation of the function has been overridden by a user model.]
# 4693|   		 */
# 4694|   		if (i == old_disks-1) {
# 4695|-> 			fd = open(backup_file, O_RDONLY);
# 4696|   			if (fd<0) {
# 4697|   				pr_err("backup file %s inaccessible: %s\n",

Error: RESOURCE_LEAK (CWE-772): [#def65] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
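mdadm-4.2_rc2/Grow.c:4730: leaked_handle: Handle variable "fd" going out of scope leaks the handle. Note: defects #def65 through #def73 all trace the handle opened at Grow.c:4695 to a different "continue" or "return", so the nine reports share one root cause. The open is conditional on "i == old_disks-1" (line 4694), so any common cleanup has to close only a handle that came from this open.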
# 4728|   			if (verbose)
# 4729|   				pr_err("No backup metadata on %s\n", devname);
# 4730|-> 			continue;
# 4731|   		}
# 4732|   		if (bsb.sb_csum != bsb_csum((char*)&bsb, ((char*)&bsb.sb_csum)-((char*)&bsb))) {

Error: RESOURCE_LEAK (CWE-772): [#def66] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4736: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4734|   				pr_err("Bad backup-metadata checksum on %s\n",
# 4735|   				       devname);
# 4736|-> 			continue; /* bad checksum */
# 4737|   		}
# 4738|   		if (memcmp(bsb.magic, "md_backup_data-2", 16) == 0 &&

Error: RESOURCE_LEAK (CWE-772): [#def67] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4743: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4741|   				pr_err("Bad backup-metadata checksum2 on %s\n",
# 4742|   				       devname);
# 4743|-> 			continue; /* Bad second checksum */
# 4744|   		}
# 4745|   		if (memcmp(bsb.set_uuid,info->uuid, 16) != 0) {

Error: RESOURCE_LEAK (CWE-772): [#def68] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4749: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4747|   				pr_err("Wrong uuid on backup-metadata on %s\n",
# 4748|   				       devname);
# 4749|-> 			continue; /* Wrong uuid */
# 4750|   		}
# 4751|   

Error: RESOURCE_LEAK (CWE-772): [#def69] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4774: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4772|   		if (bsb.magic[15] == '1') {
# 4773|   			if (bsb.length == 0)
# 4774|-> 				continue;
# 4775|   			if (info->delta_disks >= 0) {
# 4776|   				/* reshape_progress is increasing */

Error: RESOURCE_LEAK (CWE-772): [#def70] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4783: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4781|   					if (verbose)
# 4782|   						pr_err("backup-metadata found on %s but is not needed\n", devname);
# 4783|-> 					continue; /* No new data here */
# 4784|   				}
# 4785|   			} else {

Error: RESOURCE_LEAK (CWE-772): [#def71] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4793: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4791|   		} else {
# 4792|   			if (bsb.length == 0 && bsb.length2 == 0)
# 4793|-> 				continue;
# 4794|   			if (info->delta_disks >= 0) {
# 4795|   				/* reshape_progress is increasing */

Error: RESOURCE_LEAK (CWE-772): [#def72] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4812: noescape: Resource "fd" is not freed or pointed-to in "lseek64".
mdadm-4.2_rc2/Grow.c:4817: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4815|   				pr_err("Failed to verify secondary backup-metadata block on %s\n",
# 4816|   				       devname);
# 4817|-> 			continue; /* Cannot seek */
# 4818|   		}
# 4819|   		/* There should be a duplicate backup superblock 4k before here */

Error: RESOURCE_LEAK (CWE-772): [#def73] [important]
mdadm-4.2_rc2/Grow.c:4695: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Grow.c:4695: var_assign: Assigning: "fd" = handle returned from "open(backup_file, 0)".
mdadm-4.2_rc2/Grow.c:4721: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4812: noescape: Resource "fd" is not freed or pointed-to in "lseek64".
mdadm-4.2_rc2/Grow.c:4820: noescape: Resource "fd" is not freed or pointed-to in "lseek64".
mdadm-4.2_rc2/Grow.c:4820: noescape: Resource "fd" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/Grow.c:4844: noescape: Resource "fd" is not freed or pointed-to in "restore_stripes".
mdadm-4.2_rc2/Grow.c:4855: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 4853|   					devname);
# 4854|   			free(offsets);
# 4855|-> 			return 1;
# 4856|   		}
# 4857|   

Error: CHECKED_RETURN (CWE-252): [#def74]
mdadm-4.2_rc2/Grow.c:5006: check_return: Calling "sysfs_init" without checking return value (as is done elsewhere 17 out of 18 times).
mdadm-4.2_rc2/Assemble.c:1983: example_checked: Example 1: "sysfs_init(content, mdfd, NULL)" has its value checked in "sysfs_init(content, mdfd, NULL)".
mdadm-4.2_rc2/Create.c:747: example_checked: Example 2: "sysfs_init(&info, mdfd, NULL)" has its value checked in "sysfs_init(&info, mdfd, NULL)".
mdadm-4.2_rc2/Grow.c:2926: example_checked: Example 3: "sysfs_init(&info, fd, NULL)" has its value checked in "sysfs_init(&info, fd, NULL)".
mdadm-4.2_rc2/Grow.c:3189: example_checked: Example 4: "sysfs_init(info2, fd, st->devnm)" has its value checked in "sysfs_init(info2, fd, st->devnm)".
mdadm-4.2_rc2/sysfs.c:138: example_checked: Example 5: "sysfs_init(sra, fd, devnm)" has its value checked in "sysfs_init(sra, fd, devnm)".
# 5004|   		}
# 5005|   		content = &array;
# 5006|-> 		sysfs_init(content, fd, NULL);
# 5007|   		/* Need to load a superblock.
# 5008|   		 * FIXME we should really get what we need from

Error: RESOURCE_LEAK (CWE-772): [#def75] [important]
mdadm-4.2_rc2/Incremental.c:1347: open_fn: Returning handle opened by "open_dev".
mdadm-4.2_rc2/Incremental.c:1347: var_assign: Assigning: "mdfd" = handle returned from "open_dev(me->devnm)".
mdadm-4.2_rc2/Incremental.c:1370: noescape: Resource "mdfd" is not freed or pointed-to in "md_array_active".
mdadm-4.2_rc2/Incremental.c:1404: noescape: Resource "mdfd" is not freed or pointed-to in "sysfs_read".
mdadm-4.2_rc2/Incremental.c:1419: leaked_handle: Handle variable "mdfd" going out of scope leaks the handle.
# 1417|   			sysfs_free(sra);
# 1418|   		}
# 1419|-> 	}
# 1420|   	map_free(mapl);
# 1421|   	return rv;

Error: RESOURCE_LEAK (CWE-772): [#def76] [important]
mdadm-4.2_rc2/Incremental.c:1515: open_fn: Returning handle opened by "open_dev".
mdadm-4.2_rc2/Incremental.c:1515: var_assign: Assigning: "mdfd" = handle returned from "open_dev(mp->devnm)".
mdadm-4.2_rc2/Incremental.c:1577: leaked_handle: Handle variable "mdfd" going out of scope leaks the handle.
# 1575|   		}
# 1576|   		if (only && (!mp || strcmp(mp->devnm, only) != 0))
# 1577|-> 			continue;
# 1578|   
# 1579|   		if (mdfd < 0) {

Error: RESOURCE_LEAK (CWE-772): [#def77] [important]
mdadm-4.2_rc2/Incremental.c:1512: alloc_arg: "map_by_uuid" allocates memory that is stored into "map".
mdadm-4.2_rc2/Incremental.c:1582: leaked_storage: Variable "map" going out of scope leaks the storage it points to.
# 1580|   			pr_err("failed to open %s: %s.\n",
# 1581|   				chosen_name, strerror(errno));
# 1582|-> 			return 2;
# 1583|   		}
# 1584|   

Error: RESOURCE_LEAK (CWE-772): [#def78] [important]
mdadm-4.2_rc2/Incremental.c:1512: alloc_arg: "map_by_uuid" allocates memory that is stored into "map".
mdadm-4.2_rc2/Incremental.c:1612: leaked_storage: Variable "map" going out of scope leaks the storage it points to.
# 1610|   		printf("\n");
# 1611|   	}
# 1612|-> 	return 0;
# 1613|   }
# 1614|   

Error: RESOURCE_LEAK (CWE-772): [#def79] [important]
mdadm-4.2_rc2/Incremental.c:1703: open_fn: Returning handle opened by "open_dev_excl".
mdadm-4.2_rc2/Incremental.c:1703: var_assign: Assigning: "mdfd" = handle returned from "open_dev_excl(ent->devnm)".
mdadm-4.2_rc2/Incremental.c:1704: off_by_one: Testing whether handle "mdfd" is strictly greater than zero is suspicious.  "mdfd" leaks when it is zero.
mdadm-4.2_rc2/Incremental.c:1704: remediation: Did you intend to include equality with zero?
mdadm-4.2_rc2/Incremental.c:1714: overwrite_var: Overwriting handle "mdfd" in "mdfd = open_dev(ent->devnm)" leaks the handle.
# 1712|   		}
# 1713|   	}
# 1714|-> 	mdfd = open_dev(ent->devnm);
# 1715|   	if (mdfd < 0) {
# 1716|   		if (verbose >= 0)

Error: CLANG_WARNING: [#def80]
mdadm-4.2_rc2/Manage.c:67:5: warning[deadcode.DeadStores]: Value stored to 'rv' is never read
#   65|   				vers[9] = mdi->text_version[0];
#   66|   				sysfs_set_str(mdi, NULL, "metadata_version", vers);
#   67|-> 				rv = 1;
#   68|   				goto out;
#   69|   			}

Error: TOCTOU (CWE-367): [#def81]
mdadm-4.2_rc2/Manage.c:147: fs_check_call: Calling function "readlink" to perform check on "path2".
mdadm-4.2_rc2/Manage.c:150: toctou: Calling function "unlink" that uses "path2" after a check function. This can cause a time-of-check, time-of-use race condition.
#  145|   				sprintf(pe, "%d", part);
#  146|   		}
#  147|-> 		n = readlink(path2, link, sizeof(link));
#  148|   		if (n > 0 && (int)strlen(base) == n &&
#  149|   		    strncmp(link, base, n) == 0)

Error: STRING_OVERFLOW (CWE-120): [#def82]
mdadm-4.2_rc2/Manage.c:167: fixed_size_dest: You might overrun the 32-character fixed-size string "nm" by copying "nmp" without checking the length.
#  165|   		return 1;
#  166|   	}
#  167|-> 	strcpy(nm, nmp);
#  168|   	return IncrementalScan(c, nm);
#  169|   }

Error: STRING_OVERFLOW (CWE-120): [#def83]
mdadm-4.2_rc2/Manage.c:189: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying the return value of "fd2devnm" without checking the length.
#  187|   		verbose = -1;
#  188|   
#  189|-> 	strcpy(devnm, fd2devnm(fd));
#  190|   	/* Get EXCL access first.  If this fails, then attempting
#  191|   	 * to stop is probably a bad idea.

Error: RESOURCE_LEAK (CWE-772): [#def84] [important]
mdadm-4.2_rc2/Manage.c:193: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Manage.c:193: var_assign: Assigning: "mdi" = storage returned from "sysfs_read(fd, NULL, 69UL)".
mdadm-4.2_rc2/Manage.c:225: leaked_storage: Variable "mdi" going out of scope leaks the storage it points to.
#  223|   			pr_err("Cannot get exclusive access to %s:Perhaps a running process, mounted filesystem or active volume group?\n",
#  224|   			       devname);
#  225|-> 		return 1;
#  226|   	}
#  227|   	/* If this is an mdmon managed array, just write 'inactive'

Error: RESOURCE_LEAK (CWE-772): [#def85] [important]
mdadm-4.2_rc2/Manage.c:205: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.]
mdadm-4.2_rc2/Manage.c:205: var_assign: Assigning: "fd" = handle returned from "open(devname, 128)".
mdadm-4.2_rc2/Manage.c:205: noescape: Resource "fd" is not freed or pointed-to in "fd2devnm".
mdadm-4.2_rc2/Manage.c:219: noescape: Resource "fd" is not freed or pointed-to in "fd2devnm".
mdadm-4.2_rc2/Manage.c:448: noescape: Resource "fd" is not freed or pointed-to in "ioctl".
mdadm-4.2_rc2/Manage.c:488: leaked_handle: Returning without closing handle "fd" leaks it.
#  486|   	sysfs_free(mdi);
#  487|   
#  488|-> 	return rv;
#  489|   }
#  490|   

Error: STRING_OVERFLOW (CWE-120): [#def86]
mdadm-4.2_rc2/Manage.c:985: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying the return value of "fd2devnm" without checking the length.
#  983|   		int dfd;
#  984|   
#  985|-> 		strcpy(devnm, fd2devnm(fd));
#  986|   
#  987|   		container_fd = open_dev_excl(devnm);

Error: NEGATIVE_RETURNS (CWE-394): [#def87]
mdadm-4.2_rc2/Manage.c:1003: negative_return_fn: Function "dev_open(dv->devname, 16514)" returns a negative number.
mdadm-4.2_rc2/Manage.c:1003: assign: Assigning: "dfd" = "dev_open(dv->devname, 16514)".
mdadm-4.2_rc2/Manage.c:1006: negative_returns: "dfd" is passed to a parameter that cannot be negative.
# 1004|   		if (tst->ss->add_to_super(tst, &disc, dfd,
# 1005|   					  dv->devname, INVALID_SECTORS)) {
# 1006|-> 			close(dfd);
# 1007|   			close(container_fd);
# 1008|   			return -1;

Error: STRING_OVERFLOW (CWE-120): [#def88]
mdadm-4.2_rc2/Manage.c:1080: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying the return value of "fd2devnm" without checking the length.
# 1078|   		int ret;
# 1079|   		char devnm[32];
# 1080|-> 		strcpy(devnm, fd2devnm(fd));
# 1081|   		lfd = open_dev_excl(devnm);
# 1082|   		if (lfd < 0) {

Error: CLANG_WARNING: [#def89]
mdadm-4.2_rc2/Manage.c:1094:4: warning[deadcode.DeadStores]: Value stored to 'ret' is never read
# 1092|   		 */
# 1093|   		if (rdev == 0)
# 1094|-> 			ret = -1;
# 1095|   		else {
# 1096|   			/*

Error: RESOURCE_LEAK (CWE-772): [#def90] [important]
mdadm-4.2_rc2/Manage.c:1081: open_fn: Returning handle opened by "open_dev_excl".
mdadm-4.2_rc2/Manage.c:1081: var_assign: Assigning: "lfd" = handle returned from "open_dev_excl(devnm)".
mdadm-4.2_rc2/Manage.c:1170: leaked_handle: Handle variable "lfd" going out of scope leaks the handle.
# 1168|   		if (!devnm) {
# 1169|   			pr_err("unable to get container name\n");
# 1170|-> 			return -1;
# 1171|   		}
# 1172|   

Error: RESOURCE_LEAK (CWE-772): [#def91] [important]
mdadm-4.2_rc2/Manage.c:1194: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Manage.c:1194: var_assign: Assigning: "mdi" = storage returned from "sysfs_read(fd, NULL, GET_DEVS)".
mdadm-4.2_rc2/Manage.c:1198: leaked_storage: Variable "mdi" going out of scope leaks the storage it points to.
# 1196|   		pr_err("Cannot find status of %s to enable replacement - strange\n",
# 1197|   		       devname);
# 1198|-> 		return -1;
# 1199|   	}
# 1200|   	for (di = mdi->devs; di; di = di->next)

Error: RESOURCE_LEAK (CWE-772): [#def92] [important]
mdadm-4.2_rc2/Manage.c:1194: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Manage.c:1194: var_assign: Assigning: "mdi" = storage returned from "sysfs_read(fd, NULL, GET_DEVS)".
mdadm-4.2_rc2/Manage.c:1212: noescape: Resource "mdi" is not freed or pointed-to in "sysfs_set_str".
mdadm-4.2_rc2/Manage.c:1232: leaked_storage: Variable "mdi" going out of scope leaks the storage it points to.
# 1230|   			dv->used = di->disk.raid_disk;
# 1231|   		}
# 1232|-> 		return 1;
# 1233|   	}
# 1234|   	sysfs_free(mdi);

Error: RESOURCE_LEAK (CWE-772): [#def93] [important]
mdadm-4.2_rc2/Manage.c:1245: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Manage.c:1245: var_assign: Assigning: "mdi" = storage returned from "sysfs_read(fd, NULL, 9437184UL)".
mdadm-4.2_rc2/Manage.c:1249: leaked_storage: Variable "mdi" going out of scope leaks the storage it points to.
# 1247|   		pr_err("Cannot find status of %s to enable replacement - strange\n",
# 1248|   		       devname);
# 1249|-> 		return -1;
# 1250|   	}
# 1251|   	for (di = mdi->devs; di; di = di->next)

Error: RESOURCE_LEAK (CWE-772): [#def94] [important]
mdadm-4.2_rc2/Manage.c:1245: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Manage.c:1245: var_assign: Assigning: "mdi" = storage returned from "sysfs_read(fd, NULL, 9437184UL)".
mdadm-4.2_rc2/Manage.c:1269: noescape: Resource "mdi" is not freed or pointed-to in "sysfs_set_num".
mdadm-4.2_rc2/Manage.c:1280: leaked_storage: Variable "mdi" going out of scope leaks the storage it points to.
# 1278|   			pr_err("Marked %s in %s as replacement for device %d\n",
# 1279|   			       dv->devname, devname, dv->used);
# 1280|-> 		return 1;
# 1281|   	}
# 1282|   	sysfs_free(mdi);

Error: CLANG_WARNING: [#def95]
mdadm-4.2_rc2/Manage.c:1399:5: warning[deadcode.DeadStores]: Value stored to 'rv' is never read
# 1397|   			struct mddev_dev **dp;
# 1398|   			if (dv->disposition == 'c') {
# 1399|-> 				rv = ioctl(fd, CLUSTERED_DISK_NACK, NULL);
# 1400|   				break;
# 1401|   			}

Error: UNUSED_VALUE (CWE-563): [#def96]
mdadm-4.2_rc2/Manage.c:1489: value_overwrite: Overwriting previous write to "tfd" with value from "dev_open(dv->devname, 0)".
mdadm-4.2_rc2/Manage.c:1549: value_overwrite: Overwriting previous write to "tfd" with value from "dev_open(dv->devname, 128)".
mdadm-4.2_rc2/Manage.c:1575: assigned_value: Assigning value "-1" to "tfd" here, but that stored value is overwritten before it can be used.
# 1573|   					rdev, array_size, raid_slot);
# 1574|   			close(tfd);
# 1575|-> 			tfd = -1;
# 1576|   			if (rv < 0)
# 1577|   				goto abort;

Error: CLANG_WARNING: [#def97]
mdadm-4.2_rc2/Manage.c:1575:4: warning[deadcode.DeadStores]: Value stored to 'tfd' is never read
# 1573|   					rdev, array_size, raid_slot);
# 1574|   			close(tfd);
# 1575|-> 			tfd = -1;
# 1576|   			if (rv < 0)
# 1577|   				goto abort;

Error: DC.STREAM_BUFFER (CWE-120): [#def98] [important]
mdadm-4.2_rc2/Monitor.c:362: dont_call: "fscanf" assumes an arbitrarily long string, so callers must use correct precision specifiers or never use "fscanf".
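mdadm-4.2_rc2/Monitor.c:362: remediation: Use correct precision specifiers or implement your own parsing. Note: a field width one less than the size of "comm" (its declaration is not shown here) bounds the copy. The test on line 362 also treats any non-zero return as success, and fscanf returns EOF, which is non-zero, on input failure, so comparing the result with 1 is the stricter check.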
#  360|   		comm_fp = fopen(comm_path, "r");
#  361|   		if (comm_fp) {
#  362|-> 			if (fscanf(comm_fp, "%s", comm) &&
#  363|   			    strncmp(basename(comm), Name, strlen(Name)) == 0) {
#  364|   				if (scan) {

Error: STRING_OVERFLOW (CWE-120): [#def99]
mdadm-4.2_rc2/Monitor.c:542: fixed_size_dest: You might overrun the 32-character fixed-size string "st->devnm" by copying the return value of "fd2devnm" without checking the length.
#  540|   
#  541|   	if (st->devnm[0] == 0)
#  542|-> 		strcpy(st->devnm, fd2devnm(fd));
#  543|   
#  544|   	for (mse2 = mdstat; mse2; mse2 = mse2->next)

Error: CHECKED_RETURN (CWE-252): [#def100]
mdadm-4.2_rc2/Monitor.c:564: check_return: Calling "fcntl(fd, 2, 1)" without checking return value. This library function may fail and return an error code.
#  562|   		goto disappeared;
#  563|   
#  564|-> 	fcntl(fd, F_SETFD, FD_CLOEXEC);
#  565|   	if (md_get_array_info(fd, &array) < 0)
#  566|   		goto disappeared;

Error: STRING_OVERFLOW (CWE-120): [#def101]
mdadm-4.2_rc2/Monitor.c:672: fixed_size_dest: You might overrun the 32-character fixed-size string "st->parent_devnm" by copying "mse->metadata_version + 10" without checking the length.
#  670|   	    is_subarray(mse->metadata_version+9)) {
#  671|   		char *sl;
#  672|-> 		strcpy(st->parent_devnm, mse->metadata_version + 10);
#  673|   		sl = strchr(st->parent_devnm, '/');
#  674|   		if (sl)

Error: STRING_OVERFLOW (CWE-120): [#def102]
mdadm-4.2_rc2/Monitor.c:787: fixed_size_dest: You might overrun the 32-character fixed-size string "st->parent_devnm" by copying "mse->metadata_version + 10" without checking the length.
#  785|   			    is_subarray(mse->metadata_version+9)) {
#  786|   				char *sl;
#  787|-> 				strcpy(st->parent_devnm,
#  788|   					mse->metadata_version+10);
#  789|   				sl = strchr(st->parent_devnm, '/');

Error: NULL_RETURNS (CWE-476): [#def103]
mdadm-4.2_rc2/Monitor.c:789: returned_null: "strchr" returns "NULL" (checked 38 out of 45 times).
mdadm-4.2_rc2/Monitor.c:789: var_assigned: Assigning: "sl" = "NULL" return value from "strchr".
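mdadm-4.2_rc2/Monitor.c:790: dereference: Dereferencing "sl", which is known to be "NULL". Note: this is the path where "st->parent_devnm" contains no '/'; the same copy-and-truncate sequence at Monitor.c:672-674 (shown under #def101) guards the write with "if (sl)".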
mdadm-4.2_rc2/Assemble.c:95: example_assign: Example 1: Assigning: "sep" = return value from "strchr(found, 58)".
mdadm-4.2_rc2/Assemble.c:96: example_checked: Example 1 (cont.): "sep" has its value checked in "sep".
mdadm-4.2_rc2/Create.c:331: example_assign: Example 2: Assigning: "doff" = return value from "strchr(dname, 58)".
mdadm-4.2_rc2/Create.c:332: example_checked: Example 2 (cont.): "doff" has its value checked in "doff".
mdadm-4.2_rc2/Incremental.c:1525: example_assign: Example 3: Assigning: "sub" = return value from "strchr(ra->text_version + 1, 47)".
mdadm-4.2_rc2/Incremental.c:1527: example_checked: Example 3 (cont.): "sub" has its value checked in "sub".
mdadm-4.2_rc2/monitor.c:159: example_assign: Example 4: Assigning: "cp" = return value from "strchr(cp, 44)".
mdadm-4.2_rc2/monitor.c:160: example_checked: Example 4 (cont.): "cp" has its value checked in "cp".
mdadm-4.2_rc2/super1.c:1468: example_checked: Example 5: "strchr(info->name, 58)" has its value checked in "strchr(info->name, 58) == NULL".
#  788|   					mse->metadata_version+10);
#  789|   				sl = strchr(st->parent_devnm, '/');
#  790|-> 				*sl = 0;
#  791|   			} else
#  792|   				st->parent_devnm[0] = 0;

Error: STRING_OVERFLOW (CWE-120): [#def104]
mdadm-4.2_rc2/Monitor.c:1129: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying "tmp" without checking the length.
# 1127|   	}
# 1128|   
# 1129|-> 	strcpy(devnm, tmp);
# 1130|   
# 1131|   	while(1) {

Error: STRING_OVERFLOW (CWE-120): [#def105]
mdadm-4.2_rc2/Monitor.c:1200: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying the return value of "fd2devnm" without checking the length.
# 1198|   	}
# 1199|   
# 1200|-> 	strcpy(devnm, fd2devnm(fd));
# 1201|   	mdi = sysfs_read(fd, devnm, GET_VERSION|GET_LEVEL|GET_SAFEMODE);
# 1202|   	if (!mdi) {

Error: UNINIT (CWE-457): [#def106]
mdadm-4.2_rc2/Query.c:42: var_decl: Declaring variable "larray_size" without initializer.
mdadm-4.2_rc2/Query.c:94: uninit_use_in_call: Using uninitialized value "larray_size" when calling "human_size_brief".
#   92|   		       dev, strerror(ioctlerr));
#   93|   	else {
#   94|-> 		printf("%s: %s %s %d devices, %d spare%s. Use mdadm --detail for more detail.\n",
#   95|   		       dev, human_size_brief(larray_size,IEC),
#   96|   		       map_num(pers, level), raid_disks,

Error: CLANG_WARNING: [#def107]
mdadm-4.2_rc2/Query.c:95:15: warning[core.CallAndMessage]: 1st function call argument is an uninitialized value
#   93|   	else {
#   94|   		printf("%s: %s %s %d devices, %d spare%s. Use mdadm --detail for more detail.\n",
#   95|-> 		       dev, human_size_brief(larray_size,IEC),
#   96|   		       map_num(pers, level), raid_disks,
#   97|   		       spare_disks, spare_disks == 1 ? "" : "s");

Error: RESOURCE_LEAK (CWE-772): [#def108] [important]
mdadm-4.2_rc2/Query.c:61: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/Query.c:61: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, dev, 9437313UL)".
mdadm-4.2_rc2/Query.c:139: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
#  137|   			put_md_name(mddev);
#  138|   	}
#  139|-> 	return 0;
#  140|   }

Error: RESOURCE_LEAK (CWE-772): [#def109] [important]
mdadm-4.2_rc2/bitmap.c:253: open_fn: Returning handle opened by "bitmap_file_open".
mdadm-4.2_rc2/bitmap.c:253: var_assign: Assigning: "fd" = handle returned from "bitmap_file_open(filename, &st, 0, -1)".
mdadm-4.2_rc2/bitmap.c:257: noescape: Resource "fd" is not freed or pointed-to in "bitmap_fd_read".
mdadm-4.2_rc2/bitmap.c:259: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
#  257|   	info = bitmap_fd_read(fd, brief);
#  258|   	if (!info)
#  259|-> 		return rv;
#  260|   	sb = &info->sb;
#  261|   	if (sb->magic != BITMAP_MAGIC) {

Error: TAINTED_SCALAR (CWE-20): [#def110]
mdadm-4.2_rc2/bitmap.c:257: tainted_return_value: Function "bitmap_fd_read" returns tainted data.
mdadm-4.2_rc2/bitmap.c:257: var_assign: Assigning: "info" = "bitmap_fd_read(fd, brief)", which taints "info".
mdadm-4.2_rc2/bitmap.c:260: var_assign_var: Assigning: "sb" = "&info->sb". Both are now tainted.
mdadm-4.2_rc2/bitmap.c:332: tainted_data: Using tainted variable "(int)sb->nodes" as a loop boundary.
mdadm-4.2_rc2/bitmap.c:332: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  330|   		printf("   Cluster nodes : %d\n", sb->nodes);
#  331|   		printf("    Cluster name : %-64s\n", sb->cluster_name);
#  332|-> 		for (i = 0; i < (int)sb->nodes; i++) {
#  333|   			st = NULL;
#  334|   			free(info);

Error: CLANG_WARNING: [#def111]
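mdadm-4.2_rc2/bitmap.c:332:24: warning[unix.Malloc]: Use of memory after it is freed. Note: per the trace in #def110, "sb" is "&info->sb" (line 260), and line 334 frees "info" inside the loop whose condition reads "sb->nodes"; whether "sb" is re-pointed before the next test is outside the lines shown.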
#  330|   		printf("   Cluster nodes : %d\n", sb->nodes);
#  331|   		printf("    Cluster name : %-64s\n", sb->cluster_name);
#  332|-> 		for (i = 0; i < (int)sb->nodes; i++) {
#  333|   			st = NULL;
#  334|   			free(info);

Error: TAINTED_SCALAR (CWE-20): [#def112]
mdadm-4.2_rc2/bitmap.c:388: tainted_return_value: Function "bitmap_fd_read" returns tainted data.
mdadm-4.2_rc2/bitmap.c:388: var_assign: Assigning: "info" = "bitmap_fd_read(fd, 0)", which taints "info".
mdadm-4.2_rc2/bitmap.c:394: var_assign_var: Assigning: "sb" = "&info->sb". Both are now tainted.
mdadm-4.2_rc2/bitmap.c:395: tainted_data: Using tainted variable "(int)sb->nodes" as a loop boundary.
mdadm-4.2_rc2/bitmap.c:395: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  393|   
#  394|   	sb = &info->sb;
#  395|-> 	for (i = 0; i < (int)sb->nodes; i++) {
#  396|   		st = NULL;
#  397|   		free(info);

Error: TOCTOU (CWE-367): [#def113]
mdadm-4.2_rc2/bitmap.c:444: fs_check_call: Calling function "access" to perform check on "filename".
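mdadm-4.2_rc2/bitmap.c:449: toctou: Calling function "fopen" that uses "filename" after a check function. This can cause a time-of-check, time-of-use race condition. Note: the "access" check cannot guarantee the file is still absent when it is opened; an exclusive create (O_CREAT|O_EXCL with open, or the "x" mode flag of fopen where the C library supports it) makes the existence test and the creation one atomic step for the non-force case.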
#  442|   	long long bytes, filesize;
#  443|   
#  444|-> 	if (!force && access(filename, F_OK) == 0) {
#  445|   		pr_err("bitmap file %s already exists, use --force to overwrite\n", filename);
#  446|   		return rv;

Error: RESOURCE_LEAK (CWE-772): [#def114] [important]
mdadm-4.2_rc2/config.c:178: alloc_arg: "map_by_devnm" allocates memory that is stored into "map".
mdadm-4.2_rc2/config.c:192: leaked_storage: Variable "map" going out of scope leaks the storage it points to.
#  190|   	free_mdstat(mdstat);
#  191|   
#  192|-> 	return rv;
#  193|   }
#  194|   

Error: UNINIT (CWE-457): [#def115]
mdadm-4.2_rc2/config.c:368: var_decl: Declaring variable "mis" without initializer.
mdadm-4.2_rc2/config.c:512: uninit_use: Using uninitialized value "mis". Field "mis" is uninitialized.
#  510|   	else {
#  511|   		mi = xmalloc(sizeof(*mi));
#  512|-> 		*mi = mis;
#  513|   		mi->devname = mis.devname ? xstrdup(mis.devname) : NULL;
#  514|   		mi->next = NULL;

Error: UNINIT (CWE-457): [#def116]
mdadm-4.2_rc2/config.c:368: var_decl: Declaring variable "mis" without initializer.
mdadm-4.2_rc2/config.c:512: uninit_use: Using uninitialized value "mis". Field "mis.uuid" is uninitialized.
#  510|   	else {
#  511|   		mi = xmalloc(sizeof(*mi));
#  512|-> 		*mi = mis;
#  513|   		mi->devname = mis.devname ? xstrdup(mis.devname) : NULL;
#  514|   		mi->next = NULL;

Error: CHECKED_RETURN (CWE-252): [#def117]
mdadm-4.2_rc2/config.c:806: check_return: Calling "fstat(fileno(f), &st)" without checking return value. This library function may fail and return an error code. Note: if the call fails, "st" is not filled in, and line 807 still tests "st.st_mode".
#  804|   	struct fname *list = NULL;
#  805|   
#  806|-> 	fstat(fileno(f), &st);
#  807|   	if (S_ISREG(st.st_mode))
#  808|   		conf_file(f);

Error: STRING_OVERFLOW (CWE-120): [#def118]
mdadm-4.2_rc2/lib.c:82: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying "cp + 1" without checking the length.
#   80|   		cp = strrchr(link, '/');
#   81|   		if (cp) {
#   82|-> 			strcpy(devnm, cp + 1);
#   83|   			return devnm;
#   84|   		}

Error: STRING_OVERFLOW (CWE-120): [#def119]
mdadm-4.2_rc2/lib.c:132: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying "cp" without checking the length.
#  130|   			if (ep)
#  131|   				*ep = 0;
#  132|-> 			strcpy(devnm, cp);
#  133|   			return devnm;
#  134|   		}

Error: TOCTOU (CWE-367): [#def120]
mdadm-4.2_rc2/lib.c:283: fs_check_call: Calling function "lstat" to perform check on "dev".
mdadm-4.2_rc2/lib.c:285: toctou: Calling function "nftw" that uses "dev" after a check function. This can cause a time-of-check, time-of-use race condition.
#  281|   			free(d);
#  282|   		}
#  283|-> 		if (lstat(dev, &stb) == 0 && S_ISLNK(stb.st_mode))
#  284|   			dev = "/dev/.";
#  285|   		nftw(dev, add_dev, 10, FTW_PHYS);

Error: CPPCHECK_WARNING (CWE-562): [#def121]
mdadm-4.2_rc2/managemon.c:288: error[autoVariables]: Address of local auto-variable assigned to a function parameter.
#  286|   		return;
#  287|   
#  288|-> 	st->update_tail = &update;
#  289|   	st->ss->add_to_super(st, &dk, dfd, NULL, INVALID_SECTORS);
#  290|   	st->ss->write_init_super(st);

Error: CPPCHECK_WARNING (CWE-562): [#def122]
mdadm-4.2_rc2/managemon.c:313: error[autoVariables]: Address of local auto-variable assigned to a function parameter.
#  311|   		sd->disk.major, sd->disk.minor);
#  312|   
#  313|-> 	st->update_tail = &update;
#  314|   	st->ss->remove_from_super(st, &dk);
#  315|   	/* FIXME this write_init_super shouldn't be here.

Error: CHECKED_RETURN (CWE-252): [#def123]
mdadm-4.2_rc2/managemon.c:396: check_return: "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
#  394|   		 */
#  395|   		char buf[200];
#  396|-> 		if (read(fd, buf, sizeof(buf)) < 0)
#  397|   			/* pretend not to ignore return value */
#  398|   			return fd;

Error: CHECKED_RETURN (CWE-252): [#def124]
mdadm-4.2_rc2/managemon.c:867: check_return: Calling "fcntl(fd, 4, fl)" without checking return value. This library function may fail and return an error code.
#  865|   	fl = fcntl(fd, F_GETFL, 0);
#  866|   	fl |= O_NONBLOCK;
#  867|-> 	fcntl(fd, F_SETFL, fl);
#  868|   
#  869|   	do {

Error: STRING_OVERFLOW (CWE-120): [#def125]
mdadm-4.2_rc2/mapfile.c:168: fixed_size_dest: You might overrun the 32-character fixed-size string "me->devnm" by copying "devnm" without checking the length.
mdadm-4.2_rc2/mapfile.c:168: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
#  166|   	struct map_ent *me = xmalloc(sizeof(*me));
#  167|   
#  168|-> 	strcpy(me->devnm, devnm);
#  169|   	strcpy(me->metadata, metadata);
#  170|   	memcpy(me->uuid, uuid, 16);

Error: STRING_OVERFLOW (CWE-120): [#def126]
mdadm-4.2_rc2/mapfile.c:169: fixed_size_dest: You might overrun the 20-character fixed-size string "me->metadata" by copying "metadata" without checking the length.
mdadm-4.2_rc2/mapfile.c:169: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
#  167|   
#  168|   	strcpy(me->devnm, devnm);
#  169|-> 	strcpy(me->metadata, metadata);
#  170|   	memcpy(me->uuid, uuid, 16);
#  171|   	me->path = path ? xstrdup(path) : NULL;

Error: STRING_OVERFLOW (CWE-120): [#def127]
mdadm-4.2_rc2/mapfile.c:230: fixed_size_dest: You might overrun the 20-character fixed-size string "mp->metadata" by copying "metadata" without checking the length.
mdadm-4.2_rc2/mapfile.c:230: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
#  228|   	for (mp = map ; mp ; mp=mp->next)
#  229|   		if (strcmp(mp->devnm, devnm) == 0) {
#  230|-> 			strcpy(mp->metadata, metadata);
#  231|   			memcpy(mp->uuid, uuid, 16);
#  232|   			free(mp->path);

Error: MISSING_BREAK (CWE-484): [#def128]
mdadm-4.2_rc2/mdadm.c:859: unterminated_case: The case for value "524592" is not terminated by a "break" statement.
mdadm-4.2_rc2/mdadm.c:861: fallthrough: The above case falls through to this one.
#  857|   			continue;
#  858|   
#  859|-> 		case O(INCREMENTAL,NoDegraded):
#  860|   			pr_err("--no-degraded is deprecated in Incremental mode\n");
#  861|   		case O(ASSEMBLE,NoDegraded): /* --no-degraded */

Error: RESOURCE_LEAK (CWE-772): [#def129] [important]
mdadm-4.2_rc2/mdadm.c:1897: alloc_arg: "map_by_devnm" allocates memory that is stored into "map".
mdadm-4.2_rc2/mdadm.c:1918: leaked_storage: Variable "map" going out of scope leaks the storage it points to.
# 1916|   	}
# 1917|   	free_mdstat(ms);
# 1918|-> 	return rv;
# 1919|   }
# 1920|   

Error: CHECKED_RETURN (CWE-252): [#def130]
mdadm-4.2_rc2/mdmon.c:203: check_return: Calling "fcntl(sock, 4, fl)" without checking return value. This library function may fail and return an error code.
#  201|   	fl = fcntl(sock, F_GETFL, 0);
#  202|   	fl &= ~O_NONBLOCK;
#  203|-> 	fcntl(sock, F_SETFL, fl);
#  204|   	n = read(sock, buf, 100);
#  205|   

Error: CLANG_WARNING: [#def131]
mdadm-4.2_rc2/mdmon.c:204:2: warning[deadcode.DeadStores]: Value stored to 'n' is never read
#  202|   	fl &= ~O_NONBLOCK;
#  203|   	fcntl(sock, F_SETFL, fl);
#  204|-> 	n = read(sock, buf, 100);
#  205|   
#  206|   	/* If there is I/O going on it might took some time to get to

Error: CHECKED_RETURN (CWE-252): [#def132]
mdadm-4.2_rc2/mdmon.c:253: check_return: Calling "fcntl(sfd, 4, fl)" without checking return value. This library function may fail and return an error code.
#  251|   	fl = fcntl(sfd, F_GETFL, 0);
#  252|   	fl |= O_NONBLOCK;
#  253|-> 	fcntl(sfd, F_SETFL, fl);
#  254|   	return sfd;
#  255|   }

Error: STRING_SIZE (CWE-120): [#def133]
mdadm-4.2_rc2/mdmon.c:294: string_size_argv: "argv" contains strings with unknown size.
mdadm-4.2_rc2/mdmon.c:345: var_assign_var: Assigning: "container_name" = "argv[optind]". Both are now tainted.
mdadm-4.2_rc2/mdmon.c:381: string_size: Passing string "container_name" of unknown size to "devnm2devid", which expects a string of a particular size.
#  379|   		return status;
#  380|   	} else if (strncmp(container_name, "md", 2) == 0) {
#  381|-> 		int id = devnm2devid(container_name);
#  382|   		if (id)
#  383|   			devnm = container_name;

Error: RESOURCE_LEAK (CWE-772): [#def134] [important]
mdadm-4.2_rc2/mdmon.c:414: open_fn: Returning handle opened by "open_dev".
mdadm-4.2_rc2/mdmon.c:414: var_assign: Assigning: "mdfd" = handle returned from "open_dev(devnm)".
mdadm-4.2_rc2/mdmon.c:424: leaked_handle: Handle variable "mdfd" going out of scope leaks the handle.
#  422|   		if (pipe(pfd) != 0) {
#  423|   			pr_err("failed to create pipe\n");
#  424|-> 			return 1;
#  425|   		}
#  426|   		switch(fork()) {

Error: RESOURCE_LEAK (CWE-772): [#def135] [important]
mdadm-4.2_rc2/mdmon.c:414: open_fn: Returning handle opened by "open_dev".
mdadm-4.2_rc2/mdmon.c:414: var_assign: Assigning: "mdfd" = handle returned from "open_dev(devnm)".
mdadm-4.2_rc2/mdmon.c:429: leaked_handle: Handle variable "mdfd" going out of scope leaks the handle.
#  427|   		case -1:
#  428|   			pr_err("failed to fork: %s\n", strerror(errno));
#  429|-> 			return 1;
#  430|   		case 0: /* child */
#  431|   			close(pfd[0]);

Error: RESOURCE_LEAK (CWE-772): [#def136] [important]
mdadm-4.2_rc2/mdmon.c:414: open_fn: Returning handle opened by "open_dev".
mdadm-4.2_rc2/mdmon.c:414: var_assign: Assigning: "mdfd" = handle returned from "open_dev(devnm)".
mdadm-4.2_rc2/mdmon.c:440: leaked_handle: Handle variable "mdfd" going out of scope leaks the handle.
#  438|   			}
#  439|   			close(pfd[0]);
#  440|-> 			return status;
#  441|   		}
#  442|   	} else

Error: STRING_OVERFLOW (CWE-120): [#def137]
mdadm-4.2_rc2/mdmon.c:446: fixed_size_dest: You might overrun the 32-character fixed-size string "container->devnm" by copying "devnm" without checking the length.
mdadm-4.2_rc2/mdmon.c:446: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
#  444|   
#  445|   	container = xcalloc(1, sizeof(*container));
#  446|-> 	strcpy(container->devnm, devnm);
#  447|   	container->arrays = NULL;
#  448|   	container->sock = -1;

Error: UNINIT (CWE-457): [#def138]
mdadm-4.2_rc2/mdmon.c:405: var_decl: Declaring variable "act" without initializer.
mdadm-4.2_rc2/mdmon.c:492: uninit_use_in_call: Using uninitialized value "act.sa_mask" when calling "sigaction".
#  490|   	act.sa_handler = wake_me;
#  491|   	act.sa_flags = 0;
#  492|-> 	sigaction(SIGUSR1, &act, NULL);
#  493|   	act.sa_handler = term;
#  494|   	sigaction(SIGTERM, &act, NULL);

Error: TOCTOU (CWE-367): [#def139]
mdadm-4.2_rc2/mdopen.c:76: fs_check_call: Calling function "stat" to perform check on "name".
mdadm-4.2_rc2/mdopen.c:86: toctou: Calling function "mknod" that uses "name" after a check function. This can cause a time-of-check, time-of-use race condition.
#   74|   		struct stat stb2;
#   75|   		snprintf(name, nlen, "%s%s%d", dev, dig?"p":"", i);
#   76|-> 		if (stat(name, &stb2) == 0) {
#   77|   			if (!S_ISBLK(stb2.st_mode) || !S_ISBLK(stb.st_mode))
#   78|   				continue;

Error: REVERSE_INULL (CWE-476): [#def140]
mdadm-4.2_rc2/mdopen.c:336: check_after_deref: Null-checking "cname" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
mdadm-4.2_rc2/mdopen.c:196: deref_ptr_in_call: Dereferencing pointer "cname". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/mdopen.c:236: alias: Assigning: "sp" = "cname".
mdadm-4.2_rc2/mdopen.c:291: deref_ptr: Directly dereferencing pointer "cname".
mdadm-4.2_rc2/mdopen.c:303: alias: Assigning: "cp" = "cname".
#  334|   
#  335|   	devnm[0] = 0;
#  336|-> 	if (num < 0 && cname && ci->names) {
#  337|   		sprintf(devnm, "md_%s", cname);
#  338|   		if (block_udev)

Error: STRING_OVERFLOW (CWE-120): [#def141]
mdadm-4.2_rc2/mdopen.c:362: fixed_size_dest: You might overrun the 32-character fixed-size string "devnm" by copying "_devnm" without checking the length.
#  360|   				return -1;
#  361|   			}
#  362|-> 			strcpy(devnm, _devnm);
#  363|   		} else {
#  364|   			sprintf(devnm, "%s%d", use_mdp?"md_d":"md", num);

Error: STRING_OVERFLOW (CWE-120): [#def142]
mdadm-4.2_rc2/mdopen.c:378: fixed_size_dest: You might overrun the 400-character fixed-size string "chosen" by copying "dev" without checking the length.
mdadm-4.2_rc2/mdopen.c:378: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
#  376|   
#  377|   	if (dev && dev[0] == '/')
#  378|-> 		strcpy(chosen, dev);
#  379|   	else if (cname[0] == 0)
#  380|   		strcpy(chosen, devname);

Error: TOCTOU (CWE-367): [#def143]
mdadm-4.2_rc2/mdopen.c:388: fs_check_call: Calling function "lstat" to perform check on "devname".
mdadm-4.2_rc2/mdopen.c:397: toctou: Calling function "mknod" that uses "devname" after a check function. This can cause a time-of-check, time-of-use race condition.
#  386|   	if (!use_udev()) {
#  387|   		/* Make sure 'devname' exists and 'chosen' is a symlink to it */
#  388|-> 		if (lstat(devname, &stb) == 0) {
#  389|   			/* Must be the correct device, else error */
#  390|   			if ((stb.st_mode&S_IFMT) != S_IFBLK ||

Error: CHECKED_RETURN (CWE-252): [#def144]
mdadm-4.2_rc2/mdopen.c:407: check_return: Calling "stat(devname, &stb)" without checking return value. This library function may fail and return an error code.
#  405|   			if (chmod(devname, ci->mode))
#  406|   				perror("chmod");
#  407|-> 			stat(devname, &stb);
#  408|   			add_dev(devname, &stb, 0, NULL);
#  409|   		}

Error: CHECKED_RETURN (CWE-252): [#def145]
mdadm-4.2_rc2/mdstat.c:150: check_return: Calling "fcntl(fileno(f), 2, 1)" without checking return value. This library function may fail and return an error code.
#  148|   		return NULL;
#  149|   	else
#  150|-> 		fcntl(fileno(f), F_SETFD, FD_CLOEXEC);
#  151|   
#  152|   	all = NULL;

Error: CHECKED_RETURN (CWE-252): [#def146]
mdadm-4.2_rc2/mdstat.c:284: check_return: Calling "fcntl(mdstat_fd, 2, 1)" without checking return value. This library function may fail and return an error code.
#  282|   	if (hold && mdstat_fd == -1) {
#  283|   		mdstat_fd = dup(fileno(f));
#  284|-> 		fcntl(mdstat_fd, F_SETFD, FD_CLOEXEC);
#  285|   	}
#  286|   	fclose(f);

Error: CHECKED_RETURN (CWE-252): [#def147]
mdadm-4.2_rc2/mdstat.c:351: check_return: Calling "fstat(fd, &stb)" without checking return value. This library function may fail and return an error code.
#  349|   	if (fd >= 0) {
#  350|   		struct stat stb;
#  351|-> 		fstat(fd, &stb);
#  352|   		if ((stb.st_mode & S_IFMT) == S_IFREG)
#  353|   			/* Must be a /proc or /sys fd, so expect

Error: TAINTED_SCALAR (CWE-20): [#def148]
mdadm-4.2_rc2/monitor.c:247: tainted_argument: Calling function "read" taints argument "buf[pos]". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/monitor.c:264: vararg_transitive: Call to "sscanf" with tainted argument "buf[off]" taints "consumed".
mdadm-4.2_rc2/monitor.c:297: var_assign_var: Compound assignment involving tainted variable "consumed" to variable "off" taints "off".
mdadm-4.2_rc2/monitor.c:255: tainted_data: Using tainted variable "off" as a loop boundary.
mdadm-4.2_rc2/monitor.c:255: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  253|   		off = 0;
#  254|   
#  255|-> 		while (off < n) {
#  256|   			unsigned long long sector;
#  257|   			int length;

Error: TAINTED_SCALAR (CWE-20): [#def149]
mdadm-4.2_rc2/monitor.c:247: tainted_argument: Calling function "read" taints argument "buf[pos]". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/monitor.c:264: vararg_transitive: Call to "sscanf" with tainted argument "buf[off]" taints "consumed".
mdadm-4.2_rc2/monitor.c:287: tainted_data: Passing tainted expression "consumed" to "process_ubb", which uses it as an offset.
mdadm-4.2_rc2/monitor.c:287: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  285|   
#  286|   			if (action == RECORD_BB)
#  287|-> 				rc = process_ubb(a, mdi, sector, length,
#  288|   						  buf + off, consumed);
#  289|   			else if (action == COMPARE_BB)

Error: NEGATIVE_RETURNS (CWE-394): [#def150]
mdadm-4.2_rc2/monitor.c:647: var_tested_neg: Assigning: "mdi->state_fd" = a negative value.
mdadm-4.2_rc2/monitor.c:652: negative_returns: "mdi->state_fd" is passed to a parameter that cannot be negative.
#  650|   		}
#  651|   		if (mdi->next_state & DS_INSYNC) {
#  652|-> 			write_attr("+in_sync", mdi->state_fd);
#  653|   			dprintf_cont(" %d:+in_sync", mdi->disk.raid_disk);
#  654|   		}

Error: NEGATIVE_RETURNS (CWE-394): [#def151]
mdadm-4.2_rc2/monitor.c:796: negative_return_fn: Function "open_dev_flags(container->devnm, 128)" returns a negative number.
mdadm-4.2_rc2/monitor.c:796: assign: Assigning: "fd" = "open_dev_flags(container->devnm, 128)".
mdadm-4.2_rc2/monitor.c:810: negative_returns: "fd" is passed to a parameter that cannot be negative.
#  808|   			exit_now = 1;
#  809|   			signal_manager();
#  810|-> 			close(fd);
#  811|   			exit(0);
#  812|   		}

Error: CLANG_WARNING: [#def152]
mdadm-4.2_rc2/monitor.c:832:5: warning[deadcode.DeadStores]: Value stored to 'rv' is never read
#  830|   		if (rv == -1) {
#  831|   			if (errno == EINTR) {
#  832|-> 				rv = 0;
#  833|   				FD_ZERO(&rfds);
#  834|   				dprintf("monitor: caught signal\n");

Error: UNUSED_VALUE (CWE-563): [#def153]
mdadm-4.2_rc2/msg.c:90: value_overwrite: Overwriting previous write to "rv" with value from "send_buf(fd, &end_magic, 4, tmo)".
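mdadm-4.2_rc2/msg.c:89: assigned_value: Assigning value from "rv ?: send_buf(fd, msg->buf, msg->len, tmo)" to "rv" here, but that stored value is overwritten before it can be used. Line 90 assigns unconditionally instead of using "rv ?:" like lines 87 and 89, so an error returned by an earlier "send_buf" call is no longer held in "rv" after line 90.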
#   87|   	rv = rv ?: send_buf(fd, &len, 4, tmo);
#   88|   	if (len > 0)
#   89|-> 		rv = rv ?: send_buf(fd, msg->buf, msg->len, tmo);
#   90|   	rv = send_buf(fd, &end_magic, 4, tmo);
#   91|   

Error: CLANG_WARNING: [#def154]
mdadm-4.2_rc2/msg.c:89:3: warning[deadcode.DeadStores]: Value stored to 'rv' is never read
#   87|   	rv = rv ?: send_buf(fd, &len, 4, tmo);
#   88|   	if (len > 0)
#   89|-> 		rv = rv ?: send_buf(fd, msg->buf, msg->len, tmo);
#   90|   	rv = send_buf(fd, &end_magic, 4, tmo);
#   91|   

Error: CHECKED_RETURN (CWE-252): [#def155]
mdadm-4.2_rc2/msg.c:180: check_return: Calling "fcntl(sfd, 4, fl)" without checking return value. This library function may fail and return an error code.
#  178|   	fl = fcntl(sfd, F_GETFL, 0);
#  179|   	fl |= O_NONBLOCK;
#  180|-> 	fcntl(sfd, F_SETFL, fl);
#  181|   
#  182|   	return sfd;

Error: TOCTOU (CWE-367): [#def156]
mdadm-4.2_rc2/platform-intel.c:94: fs_check_call: Calling function "readlink" to perform check on "path".
mdadm-4.2_rc2/platform-intel.c:110: toctou: Calling function "realpath" that uses "path" after a check function. This can cause a time-of-check, time-of-use race condition.
#   92|   		sprintf(path, "/sys/bus/%s/drivers/%s/%s/subsystem",
#   93|   			bus, driver, de->d_name);
#   94|-> 		n = readlink(path, link, sizeof(link));
#   95|   		if (n < 0 || n >= (int)sizeof(link))
#   96|   			continue;

Error: OVERRUN (CWE-119): [#def157]
mdadm-4.2_rc2/platform-intel.c:573: identity_transfer: Passing "37UL" as argument 3 to function "read", which returns that argument. [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/platform-intel.c:573: assignment: Assigning: "n" = "read(dfd, &buf, 37UL)". The value of "n" is now 37.
mdadm-4.2_rc2/platform-intel.c:577: overrun-local: Overrunning array "buf" of 37 bytes at byte offset 37 using index "n" (which evaluates to 37).
#  575|   	if (n < 0)
#  576|   		return 1;
#  577|-> 	buf[n] = '\0';
#  578|   
#  579|   	errno = 0;

Error: GCC_ANALYZER_WARNING (CWE-688): [#def158]
mdadm-4.2_rc2/policy.c: scope_hint: In function 'pol_lesseq.part.0'
mdadm-4.2_rc2/policy.c:92:15: warning[-Wanalyzer-null-argument]: use of NULL '*b.metadata' where non-null expected
mdadm-4.2_rc2/mdadm.h:49: included_from: Included from here.
mdadm-4.2_rc2/policy.c:25: included_from: Included from here.
mdadm-4.2_rc2/mdadm.h:46: included_from: Included from here.
mdadm-4.2_rc2/policy.c:25: included_from: Included from here.
/usr/include/string.h:140:12: note: argument 1 of 'strcmp' must be non-null
#   90|   		return 0;
#   91|   
#   92|-> 	cmp = strcmp(a->value, b->value);
#   93|   	if (cmp < 0)
#   94|   		return 1;

Error: GCC_ANALYZER_WARNING (CWE-688): [#def159]
mdadm-4.2_rc2/policy.c: scope_hint: In function 'pol_merge_part'
mdadm-4.2_rc2/policy.c:340:37: warning[-Wanalyzer-null-argument]: use of NULL 'part' where non-null expected
mdadm-4.2_rc2/mdadm.h:49: included_from: Included from here.
mdadm-4.2_rc2/policy.c:25: included_from: Included from here.
mdadm-4.2_rc2/mdadm.h:46: included_from: Included from here.
mdadm-4.2_rc2/policy.c:25: included_from: Included from here.
/usr/include/string.h:140:12: note: argument 2 of 'strcmp' must be non-null
#  338|   			for (dom = dl_next(r->dups); dom != r->dups;
#  339|   			     dom = dl_next(dom))
#  340|-> 				if (strcmp(dom+len+1, part)== 0)
#  341|   					break;
#  342|   			if (dom == r->dups) {

Error: GCC_ANALYZER_WARNING (CWE-688): [#def160]
mdadm-4.2_rc2/policy.c:344:61: warning[-Wanalyzer-null-argument]: use of NULL 'part' where non-null expected
mdadm-4.2_rc2/mdadm.h:49: included_from: Included from here.
mdadm-4.2_rc2/policy.c:25: included_from: Included from here.
mdadm-4.2_rc2/mdadm.h:46: included_from: Included from here.
mdadm-4.2_rc2/policy.c:25: included_from: Included from here.
/usr/include/string.h:391:15: note: argument 1 of 'strlen' must be non-null
#  342|   			if (dom == r->dups) {
#  343|   				char *newdom = dl_strndup(
#  344|-> 					r->value, len + 1 + strlen(part));
#  345|   				strcat(strcat(newdom, "-"), part);
#  346|   				dl_add(r->dups, newdom);

Error: DC.STREAM_BUFFER (CWE-120): [#def161] [important]
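mdadm-4.2_rc2/policy.c:787: dont_call: The "%s" conversion in this "fscanf" call has no maximum field width, so it stores a token of arbitrary length into "array->metadata"; callers must give "%s" a field width that fits the destination or never use "fscanf".
mdadm-4.2_rc2/policy.c:787: remediation: Give "%s" a maximum field width (one less than the destination size, leaving room for the terminating NUL) or implement your own parsing.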
#  785|   			continue;
#  786|   
#  787|-> 		rv = fscanf(f, " %s %x:%x:%x:%x\n",
#  788|   			    array->metadata,
#  789|   			    array->uuid,

Error: CHECKED_RETURN (CWE-252): [#def162]
mdadm-4.2_rc2/policy.c:922: check_return: Calling "rename(udev_rule_file, rule_name)" without checking return value. This library function may fail and return an error code.
#  920|   	if (rule_name) {
#  921|   		close(fd);
#  922|-> 		rename(udev_rule_file, rule_name);
#  923|   	}
#  924|   	return 0;

Error: CLANG_WARNING: [#def163]
mdadm-4.2_rc2/restripe.c:578:30: warning[core.UndefinedBinaryOperatorResult]: The result of the '/' expression is undefined
#  576|   			int dnum;
#  577|   
#  578|-> 			offset = (start/chunk_size/data_disks)*chunk_size;
#  579|   			dnum = geo_map(disk < data_disks ? disk : data_disks - disk - 1,
#  580|   				       start/chunk_size/data_disks,

Error: CLANG_WARNING: [#def164]
mdadm-4.2_rc2/restripe.c:580:28: warning[core.UndefinedBinaryOperatorResult]: The result of the '/' expression is undefined
#  578|   			offset = (start/chunk_size/data_disks)*chunk_size;
#  579|   			dnum = geo_map(disk < data_disks ? disk : data_disks - disk - 1,
#  580|-> 				       start/chunk_size/data_disks,
#  581|   				       raid_disks, level, layout);
#  582|   			if (dnum < 0) abort();

Error: CLANG_WARNING: [#def165]
mdadm-4.2_rc2/restripe.c:777:29: warning[core.UndefinedBinaryOperatorResult]: The result of the '/' expression is undefined
#  775|   		}
#  776|   		/* We have the data, now do the parity */
#  777|-> 		offset = (start/chunk_size/data_disks) * chunk_size;
#  778|   		switch (level) {
#  779|   		case 4:

Error: BUFFER_SIZE (CWE-474): [#def166] [important]
mdadm-4.2_rc2/sha1.c:261: overlapping_buffer: The source buffer "&ctx->buffer[16]" potentially overlaps with the destination buffer "ctx->buffer", which results in undefined behavior for "memcpy".
mdadm-4.2_rc2/sha1.c:261: remediation: Use memmove instead of "memcpy".
#  259|   	  sha1_process_block (ctx->buffer, 64, ctx);
#  260|   	  left_over -= 64;
#  261|-> 	  memcpy (ctx->buffer, &ctx->buffer[16], left_over);
#  262|   	}
#  263|         ctx->buflen = left_over;

Error: OVERRUN (CWE-119): [#def167]
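mdadm-4.2_rc2/super-ddf.c:833: overrun-buffer-arg: Overrunning array "anchor->pad2" of 3 bytes by passing it to a function which accesses it at byte offset 398 using argument "399UL". The statement reported at line 833 is a multi-line condition that continues past the excerpt; the call that takes "anchor->pad2" is not among the lines shown below (the same holds for "hdr->pad2" in #def168).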
#  831|   		return 0;
#  832|   	}
#  833|-> 	if (memcmp(anchor->guid, hdr->guid, DDF_GUID_LEN) != 0 ||
#  834|   	    memcmp(anchor->revision, hdr->revision, 8) != 0 ||
#  835|   	    !be64_eq(anchor->primary_lba, hdr->primary_lba) ||

Error: OVERRUN (CWE-119): [#def168]
mdadm-4.2_rc2/super-ddf.c:833: overrun-buffer-arg: Overrunning array "hdr->pad2" of 3 bytes by passing it to a function which accesses it at byte offset 398 using argument "399UL".
#  831|   		return 0;
#  832|   	}
#  833|-> 	if (memcmp(anchor->guid, hdr->guid, DDF_GUID_LEN) != 0 ||
#  834|   	    memcmp(anchor->revision, hdr->revision, 8) != 0 ||
#  835|   	    !be64_eq(anchor->primary_lba, hdr->primary_lba) ||

Error: STRING_NULL (CWE-170): [#def169]
mdadm-4.2_rc2/super-ddf.c:898: string_null_argument: Function "read" does not terminate string "super->anchor". [Note: The source code implementation of the function has been overridden by a builtin model.]
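mdadm-4.2_rc2/super-ddf.c:919: string_null: Passing unterminated string "super->anchor.revision" to "fprintf". The format string in the excerpt prints it with "%.8s", which reads at most 8 bytes, so the missing terminator matters only if the "revision" field holds fewer than 8 bytes (line 917 compares 8 bytes of it with "memcmp").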
#  917|   	    memcmp(super->anchor.revision, DDF_REVISION_2, 8) != 0) {
#  918|   		if (devname)
#  919|-> 			pr_err("can only support super revision %.8s and earlier, not %.8s on %s\n",
#  920|   				DDF_REVISION_2, super->anchor.revision,devname);
#  921|   		return 2;

Error: CHECKED_RETURN (CWE-252): [#def170]
mdadm-4.2_rc2/super-ddf.c:1063: check_return: Calling "fstat(fd, &stb)" without checking return value. This library function may fail and return an error code.
# 1061|   	dl->devname = devname ? xstrdup(devname) : NULL;
# 1062|   
# 1063|-> 	fstat(fd, &stb);
# 1064|   	dl->major = major(stb.st_rdev);
# 1065|   	dl->minor = minor(stb.st_rdev);

Error: RESOURCE_LEAK (CWE-772): [#def171] [important]
mdadm-4.2_rc2/super-ddf.c:1599: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:1599: var_assign: Assigning: "sra" = storage returned from "sysfs_read(-1, st->devnm, GET_VERSION)".
mdadm-4.2_rc2/super-ddf.c:1603: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 1601|   	    sra->array.minor_version != -2 ||
# 1602|   	    !is_subarray(sra->text_version))
# 1603|-> 		return DDF_NOTFOUND;
# 1604|   
# 1605|   	sub = strchr(sra->text_version + 1, '/');

Error: CPPCHECK_WARNING (CWE-456): [#def172]
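mdadm-4.2_rc2/super-ddf.c:1608: error[uninitvar]: Uninitialized variable: end. In the excerpt, "strtoul" assigns "end" whenever "sub != NULL", and the "sub == NULL" test short-circuits the condition before "*end" is read, so this path looks infeasible (likewise for "vcnum" in #def173); verify against the full function before treating it as a defect.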
# 1606|   	if (sub != NULL)
# 1607|   		vcnum = strtoul(sub + 1, &end, 10);
# 1608|-> 	if (sub == NULL || *sub == '\0' || *end != '\0' ||
# 1609|   	    vcnum >= be16_to_cpu(ddf->active->max_vd_entries))
# 1610|   		return DDF_NOTFOUND;

Error: CPPCHECK_WARNING (CWE-456): [#def173]
mdadm-4.2_rc2/super-ddf.c:1609: error[uninitvar]: Uninitialized variable: vcnum
# 1607|   		vcnum = strtoul(sub + 1, &end, 10);
# 1608|   	if (sub == NULL || *sub == '\0' || *end != '\0' ||
# 1609|-> 	    vcnum >= be16_to_cpu(ddf->active->max_vd_entries))
# 1610|   		return DDF_NOTFOUND;
# 1611|   

Error: RESOURCE_LEAK (CWE-772): [#def174] [important]
mdadm-4.2_rc2/super-ddf.c:1599: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:1599: var_assign: Assigning: "sra" = storage returned from "sysfs_read(-1, st->devnm, GET_VERSION)".
mdadm-4.2_rc2/super-ddf.c:1610: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 1608|   	if (sub == NULL || *sub == '\0' || *end != '\0' ||
# 1609|   	    vcnum >= be16_to_cpu(ddf->active->max_vd_entries))
# 1610|-> 		return DDF_NOTFOUND;
# 1611|   
# 1612|   	return vcnum;

Error: RESOURCE_LEAK (CWE-772): [#def175] [important]
mdadm-4.2_rc2/super-ddf.c:1599: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:1599: var_assign: Assigning: "sra" = storage returned from "sysfs_read(-1, st->devnm, GET_VERSION)".
mdadm-4.2_rc2/super-ddf.c:1612: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 1610|   		return DDF_NOTFOUND;
# 1611|   
# 1612|-> 	return vcnum;
# 1613|   }
# 1614|   

Error: NEGATIVE_RETURNS (CWE-394): [#def176]
mdadm-4.2_rc2/super-ddf.c:1987: negative_return_fn: Function "find_phys(ddf, ddf->dlist->disk.refnum)" returns a negative number.
mdadm-4.2_rc2/super-ddf.c:1987: assign: Assigning: "info->disk.raid_disk" = "find_phys(ddf, ddf->dlist->disk.refnum)".
mdadm-4.2_rc2/super-ddf.c:1989: negative_returns: Using variable "info->disk.raid_disk" as an index to array "ddf->phys->entries".
# 1987|   		info->disk.raid_disk = find_phys(ddf, ddf->dlist->disk.refnum);
# 1988|   
# 1989|-> 		info->data_offset = be64_to_cpu(ddf->phys->
# 1990|   						  entries[info->disk.raid_disk].
# 1991|   						  config_size);

Error: REVERSE_NEGATIVE (CWE-191): [#def177]
mdadm-4.2_rc2/super-ddf.c:1989: negative_sink: Using "info->disk.raid_disk" as index to array "ddf->phys->entries".
mdadm-4.2_rc2/super-ddf.c:1993: check_after_sink: You might be using variable "info->disk.raid_disk" before verifying that it is >= 0.
# 1991|   						  config_size);
# 1992|   		info->component_size = ddf->dlist->size - info->data_offset;
# 1993|-> 		if (info->disk.raid_disk >= 0)
# 1994|   			pde = ddf->phys->entries + info->disk.raid_disk;
# 1995|   		if (pde &&

Error: BUFFER_SIZE (CWE-170): [#def178] [important]
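mdadm-4.2_rc2/super-ddf.c:2642: buffer_size_warning: Calling "strncpy" with a maximum size argument of 16 bytes on destination array "ve->name" of size 16 bytes might leave the destination string unterminated. The "memset" on line 2640 fills "ve->name" with spaces, which suggests a fixed-width, space-padded field rather than a C string (confirm against the code that reads "ve->name"); note also that "strncpy" pads a shorter "name" with NUL bytes up to 16, overwriting that space fill.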
# 2640|   	memset(ve->name, ' ', 16);
# 2641|   	if (name)
# 2642|-> 		strncpy(ve->name, name, 16);
# 2643|   	ddf->virt->populated_vdes =
# 2644|   		cpu_to_be16(be16_to_cpu(ddf->virt->populated_vdes)+1);

Error: CHECKED_RETURN (CWE-252): [#def179]
mdadm-4.2_rc2/super-ddf.c:2857: check_return: Calling "fstat(fd, &stb)" without checking return value. This library function may fail and return an error code.
# 2855|   	 * a phys_disk entry and a more detailed disk_data entry.
# 2856|   	 */
# 2857|-> 	fstat(fd, &stb);
# 2858|   	n = find_unused_pde(ddf);
# 2859|   	if (n == DDF_NOTFOUND) {

Error: CHECKED_RETURN (CWE-252): [#def180]
mdadm-4.2_rc2/super-ddf.c:3038: check_return: Calling "lseek64(fd, sector << 9, 0)" without checking return value. This library function may fail and return an error code.
# 3036|   	header->crc = calc_crc(header, 512);
# 3037|   
# 3038|-> 	lseek64(fd, sector<<9, 0);
# 3039|   	if (write(fd, header, 512) < 0)
# 3040|   		goto out;

Error: CHECKED_RETURN (CWE-252): [#def181]
mdadm-4.2_rc2/super-ddf.c:3102: check_return: Calling "lseek64(fd, sector << 9, 0)" without checking return value. This library function may fail and return an error code.
# 3100|   	header->crc = calc_crc(header, 512);
# 3101|   
# 3102|-> 	lseek64(fd, sector<<9, 0);
# 3103|   	if (write(fd, header, 512) < 0)
# 3104|   		ret = 0;

Error: STRING_OVERFLOW (CWE-120): [#def182]
mdadm-4.2_rc2/super-ddf.c:3435: fixed_size_dest: You might overrun the 32-character fixed-size string "st->container_devnm" by copying the return value of "fd2devnm" without checking the length.
# 3433|   		if (load_super_ddf_all(st, cfd, (void **)&ddf, NULL) == 0) {
# 3434|   			st->sb = ddf;
# 3435|-> 			strcpy(st->container_devnm, fd2devnm(cfd));
# 3436|   			close(cfd);
# 3437|   			return validate_geometry_ddf_bvd(st, level, layout,

Error: RESOURCE_LEAK (CWE-772): [#def183] [important]
mdadm-4.2_rc2/super-ddf.c:3425: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3425: var_assign: Assigning: "sra" = storage returned from "sysfs_read(cfd, NULL, GET_VERSION)".
mdadm-4.2_rc2/super-ddf.c:3437: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3435|   			strcpy(st->container_devnm, fd2devnm(cfd));
# 3436|   			close(cfd);
# 3437|-> 			return validate_geometry_ddf_bvd(st, level, layout,
# 3438|   							 raiddisks, chunk, size,
# 3439|   							 data_offset,

Error: RESOURCE_LEAK (CWE-772): [#def184] [important]
mdadm-4.2_rc2/super-ddf.c:3417: open_fn: Returning handle opened by "open_container".
mdadm-4.2_rc2/super-ddf.c:3417: var_assign: Assigning: "cfd" = handle returned from "open_container(fd)".
mdadm-4.2_rc2/super-ddf.c:3425: noescape: Resource "cfd" is not freed or pointed-to in "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3445: leaked_handle: Handle variable "cfd" going out of scope leaks the handle.
# 3443|   		close(cfd);
# 3444|   	} else /* device may belong to a different container */
# 3445|-> 		return 0;
# 3446|   
# 3447|   	return 1;

Error: RESOURCE_LEAK (CWE-772): [#def185] [important]
mdadm-4.2_rc2/super-ddf.c:3425: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3425: var_assign: Assigning: "sra" = storage returned from "sysfs_read(cfd, NULL, GET_VERSION)".
mdadm-4.2_rc2/super-ddf.c:3445: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3443|   		close(cfd);
# 3444|   	} else /* device may belong to a different container */
# 3445|-> 		return 0;
# 3446|   
# 3447|   	return 1;

Error: RESOURCE_LEAK (CWE-772): [#def186] [important]
mdadm-4.2_rc2/super-ddf.c:3425: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3425: var_assign: Assigning: "sra" = storage returned from "sysfs_read(cfd, NULL, GET_VERSION)".
mdadm-4.2_rc2/super-ddf.c:3447: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3445|   		return 0;
# 3446|   
# 3447|-> 	return 1;
# 3448|   }
# 3449|   

Error: RESOURCE_LEAK (CWE-772): [#def187] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3567: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3565|   	    sra->array.minor_version != -2 ||
# 3566|   	    strcmp(sra->text_version, "ddf") != 0)
# 3567|-> 		return 1;
# 3568|   
# 3569|   	if (posix_memalign((void**)&super, 512, sizeof(*super)) != 0)

Error: RESOURCE_LEAK (CWE-772): [#def188] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3570: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3568|   
# 3569|   	if (posix_memalign((void**)&super, 512, sizeof(*super)) != 0)
# 3570|-> 		return 1;
# 3571|   	memset(super, 0, sizeof(*super));
# 3572|   

Error: RESOURCE_LEAK (CWE-772): [#def189] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3579: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3577|   		dfd = dev_open(nm, O_RDONLY);
# 3578|   		if (dfd < 0)
# 3579|-> 			return 2;
# 3580|   		rv = load_ddf_headers(dfd, super, NULL);
# 3581|   		close(dfd);

Error: RESOURCE_LEAK (CWE-772): [#def190] [important]
mdadm-4.2_rc2/super-ddf.c:3569: alloc_arg: "posix_memalign" allocates memory that is stored into "super".
mdadm-4.2_rc2/super-ddf.c:3571: noescape: Resource "super" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super-ddf.c:3579: leaked_storage: Variable "super" going out of scope leaks the storage it points to.
# 3577|   		dfd = dev_open(nm, O_RDONLY);
# 3578|   		if (dfd < 0)
# 3579|-> 			return 2;
# 3580|   		rv = load_ddf_headers(dfd, super, NULL);
# 3581|   		close(dfd);

Error: RESOURCE_LEAK (CWE-772): [#def191] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3593: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3591|   	}
# 3592|   	if (!best)
# 3593|-> 		return 1;
# 3594|   	/* OK, load this ddf */
# 3595|   	sprintf(nm, "%d:%d", best->disk.major, best->disk.minor);

Error: RESOURCE_LEAK (CWE-772): [#def192] [important]
mdadm-4.2_rc2/super-ddf.c:3569: alloc_arg: "posix_memalign" allocates memory that is stored into "super".
mdadm-4.2_rc2/super-ddf.c:3571: noescape: Resource "super" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super-ddf.c:3593: leaked_storage: Variable "super" going out of scope leaks the storage it points to.
# 3591|   	}
# 3592|   	if (!best)
# 3593|-> 		return 1;
# 3594|   	/* OK, load this ddf */
# 3595|   	sprintf(nm, "%d:%d", best->disk.major, best->disk.minor);

Error: RESOURCE_LEAK (CWE-772): [#def193] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3598: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3596|   	dfd = dev_open(nm, O_RDONLY);
# 3597|   	if (dfd < 0)
# 3598|-> 		return 1;
# 3599|   	load_ddf_headers(dfd, super, NULL);
# 3600|   	load_ddf_global(dfd, super, NULL);

Error: RESOURCE_LEAK (CWE-772): [#def194] [important]
mdadm-4.2_rc2/super-ddf.c:3569: alloc_arg: "posix_memalign" allocates memory that is stored into "super".
mdadm-4.2_rc2/super-ddf.c:3571: noescape: Resource "super" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super-ddf.c:3580: noescape: Resource "super" is not freed or pointed-to in "load_ddf_headers".
mdadm-4.2_rc2/super-ddf.c:3598: leaked_storage: Variable "super" going out of scope leaks the storage it points to.
# 3596|   	dfd = dev_open(nm, O_RDONLY);
# 3597|   	if (dfd < 0)
# 3598|-> 		return 1;
# 3599|   	load_ddf_headers(dfd, super, NULL);
# 3600|   	load_ddf_global(dfd, super, NULL);

Error: RESOURCE_LEAK (CWE-772): [#def195] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3609: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3607|   		dfd = dev_open(nm, O_RDWR);
# 3608|   		if (dfd < 0)
# 3609|-> 			return 2;
# 3610|   		rv = load_ddf_headers(dfd, super, NULL);
# 3611|   		if (rv == 0)

Error: RESOURCE_LEAK (CWE-772): [#def196] [important]
mdadm-4.2_rc2/super-ddf.c:3569: alloc_arg: "posix_memalign" allocates memory that is stored into "super".
mdadm-4.2_rc2/super-ddf.c:3571: noescape: Resource "super" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super-ddf.c:3580: noescape: Resource "super" is not freed or pointed-to in "load_ddf_headers".
mdadm-4.2_rc2/super-ddf.c:3599: noescape: Resource "super" is not freed or pointed-to in "load_ddf_headers".
mdadm-4.2_rc2/super-ddf.c:3600: noescape: Resource "super" is not freed or pointed-to in "load_ddf_global".
mdadm-4.2_rc2/super-ddf.c:3609: leaked_storage: Variable "super" going out of scope leaks the storage it points to.
# 3607|   		dfd = dev_open(nm, O_RDWR);
# 3608|   		if (dfd < 0)
# 3609|-> 			return 2;
# 3610|   		rv = load_ddf_headers(dfd, super, NULL);
# 3611|   		if (rv == 0)

Error: TAINTED_SCALAR (CWE-20): [#def197]
mdadm-4.2_rc2/super-ddf.c:3610: tainted_argument: Calling function "load_ddf_headers" taints argument "*super->active".
mdadm-4.2_rc2/super-ddf.c:3612: tainted_data: Passing tainted expression "super->active" to "load_ddf_local", which uses it as a loop boundary.
mdadm-4.2_rc2/super-ddf.c:3612: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 3610|   		rv = load_ddf_headers(dfd, super, NULL);
# 3611|   		if (rv == 0)
# 3612|-> 			rv = load_ddf_local(dfd, super, NULL, 1);
# 3613|   		if (rv)
# 3614|   			return 1;

Error: RESOURCE_LEAK (CWE-772): [#def198] [important]
mdadm-4.2_rc2/super-ddf.c:3607: open_fn: Returning handle opened by "dev_open".
mdadm-4.2_rc2/super-ddf.c:3607: var_assign: Assigning: "dfd" = handle returned from "dev_open(nm, 2)".
mdadm-4.2_rc2/super-ddf.c:3610: noescape: Resource "dfd" is not freed or pointed-to in "load_ddf_headers".
mdadm-4.2_rc2/super-ddf.c:3614: leaked_handle: Handle variable "dfd" going out of scope leaks the handle.
# 3612|   			rv = load_ddf_local(dfd, super, NULL, 1);
# 3613|   		if (rv)
# 3614|-> 			return 1;
# 3615|   	}
# 3616|   

Error: RESOURCE_LEAK (CWE-772): [#def199] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3614: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3612|   			rv = load_ddf_local(dfd, super, NULL, 1);
# 3613|   		if (rv)
# 3614|-> 			return 1;
# 3615|   	}
# 3616|   

Error: RESOURCE_LEAK (CWE-772): [#def200] [important]
mdadm-4.2_rc2/super-ddf.c:3569: alloc_arg: "posix_memalign" allocates memory that is stored into "super".
mdadm-4.2_rc2/super-ddf.c:3571: noescape: Resource "super" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super-ddf.c:3580: noescape: Resource "super" is not freed or pointed-to in "load_ddf_headers".
mdadm-4.2_rc2/super-ddf.c:3599: noescape: Resource "super" is not freed or pointed-to in "load_ddf_headers".
mdadm-4.2_rc2/super-ddf.c:3600: noescape: Resource "super" is not freed or pointed-to in "load_ddf_global".
mdadm-4.2_rc2/super-ddf.c:3610: noescape: Resource "super" is not freed or pointed-to in "load_ddf_headers".
mdadm-4.2_rc2/super-ddf.c:3614: leaked_storage: Variable "super" going out of scope leaks the storage it points to.
# 3612|   			rv = load_ddf_local(dfd, super, NULL, 1);
# 3613|   		if (rv)
# 3614|-> 			return 1;
# 3615|   	}
# 3616|   

Error: STRING_OVERFLOW (CWE-120): [#def201]
mdadm-4.2_rc2/super-ddf.c:3623: fixed_size_dest: You might overrun the 32-character fixed-size string "st->container_devnm" by copying the return value of "fd2devnm" without checking the length.
# 3621|   		st->max_devs = 512;
# 3622|   	}
# 3623|-> 	strcpy(st->container_devnm, fd2devnm(fd));
# 3624|   	return 0;
# 3625|   }

Error: RESOURCE_LEAK (CWE-772): [#def202] [important]
mdadm-4.2_rc2/super-ddf.c:3561: alloc_fn: Storage is returned from allocation function "sysfs_read".
mdadm-4.2_rc2/super-ddf.c:3561: var_assign: Assigning: "sra" = storage returned from "sysfs_read(fd, NULL, 9437249UL)".
mdadm-4.2_rc2/super-ddf.c:3624: leaked_storage: Variable "sra" going out of scope leaks the storage it points to.
# 3622|   	}
# 3623|   	strcpy(st->container_devnm, fd2devnm(fd));
# 3624|-> 	return 0;
# 3625|   }
# 3626|   

Error: STRING_OVERFLOW (CWE-120): [#def203]
mdadm-4.2_rc2/super-ddf.c:3861: fixed_size_dest: You might overrun the 33-character fixed-size string "dev->name" by copying "(*d).devname" without checking the length.
# 3859|   			dev->component_size = be64_to_cpu(bvd->blocks);
# 3860|   			if (d->devname)
# 3861|-> 				strcpy(dev->name, d->devname);
# 3862|   		}
# 3863|   	}

Error: CHECKED_RETURN (CWE-252): [#def204]
mdadm-4.2_rc2/super-ddf.c:3910: check_return: Calling "lseek64(fd, dsize - 512ULL, 0)" without checking return value. This library function may fail and return an error code.
# 3908|   	memset(buf, 0, 512);
# 3909|   
# 3910|-> 	lseek64(fd, dsize-512, 0);
# 3911|   	rc = write(fd, buf, 512);
# 3912|   	free(buf);

Error: RESOURCE_LEAK (CWE-772): [#def205] [important]
mdadm-4.2_rc2/super-ddf.c:4010: alloc_arg: "posix_memalign" allocates memory that is stored into "dl1".
mdadm-4.2_rc2/super-ddf.c:4016: noescape: Resource "dl1" is not freed or pointed-to in "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super-ddf.c:4029: leaked_storage: Variable "dl1" going out of scope leaks the storage it points to.
# 4027|   				       first->conf_rec_len*512) != 0) {
# 4028|   				pr_err("could not allocate spare info buf\n");
# 4029|-> 				return 3;
# 4030|   			}
# 4031|   			memcpy(dl1->spare, dl2->spare, first->conf_rec_len*512);

Error: RESOURCE_LEAK (CWE-772): [#def206] [important]
mdadm-4.2_rc2/super-ddf.c:4200: alloc_fn: Storage is returned from allocation function "xcalloc".
mdadm-4.2_rc2/super-ddf.c:4200: var_assign: Assigning: "avail" = storage returned from "xcalloc(1UL, n_prim)".
mdadm-4.2_rc2/super-ddf.c:4251: leaked_storage: Variable "avail" going out of scope leaks the storage it points to.
# 4249|   			break;
# 4250|   		}
# 4251|-> 	return state;
# 4252|   }
# 4253|   

Error: TAINTED_SCALAR (CWE-20): [#def207]
mdadm-4.2_rc2/super-ddf.c:4734: tainted_data_downcast: Downcasting "update->buf" from "char *" to "struct vd_config" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super-ddf.c:4734: var_assign_var: Assigning: "vc" = "(struct vd_config *)update->buf". Both are now tainted.
mdadm-4.2_rc2/super-ddf.c:4759: tainted_data: Using tainted variable "vc->sec_elmnt_count" as a loop boundary.
mdadm-4.2_rc2/super-ddf.c:4759: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 4757|   				be64_to_cpu(LBA_OFFSET(ddf,
# 4758|   						       &vcl->conf)[k]));
# 4759|-> 		for (i = 1; i < vc->sec_elmnt_count; i++) {
# 4760|   			copy_matching_bvd(ddf, vcl->other_bvds[i-1],
# 4761|   					  update);

Error: TAINTED_SCALAR (CWE-20): [#def208]
mdadm-4.2_rc2/super-ddf.c:4734: tainted_data_downcast: Downcasting "update->buf" from "char *" to "struct vd_config" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super-ddf.c:4734: var_assign_var: Assigning: "vc" = "(struct vd_config *)update->buf". Both are now tainted.
mdadm-4.2_rc2/super-ddf.c:4787: tainted_data: Using tainted variable "vc->sec_elmnt_count" as a loop boundary.
mdadm-4.2_rc2/super-ddf.c:4787: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 4785|   		vcl->vcnum = ent;
# 4786|   		ddf->conflist = vcl;
# 4787|-> 		for (i = 1; i < vc->sec_elmnt_count; i++)
# 4788|   			memcpy(vcl->other_bvds[i-1],
# 4789|   			       update->buf + len * i, len);

Error: RESOURCE_LEAK (CWE-772): [#def209] [important]
mdadm-4.2_rc2/super-ddf.c:5093: alloc_fn: Storage is returned from allocation function "xcalloc".
mdadm-4.2_rc2/super-ddf.c:5093: var_assign: Assigning: "di" = storage returned from "xcalloc(1UL, 472UL)".
mdadm-4.2_rc2/super-ddf.c:5103: var_assign: Assigning: "rv" = "di".
mdadm-4.2_rc2/super-ddf.c:5128: leaked_storage: Variable "di" going out of scope leaks the storage it points to.
mdadm-4.2_rc2/super-ddf.c:5128: leaked_storage: Variable "rv" going out of scope leaks the storage it points to.
# 5126|   		       &n_bvd, &vcl);
# 5127|   	if (vc == NULL)
# 5128|-> 		return NULL;
# 5129|   
# 5130|   	mu = xmalloc(sizeof(*mu));

Error: FORWARD_NULL (CWE-476): [#def210]
mdadm-4.2_rc2/super-ddf.c:5133: assign_zero: Assigning: "mu" = "NULL".
mdadm-4.2_rc2/super-ddf.c:5136: var_deref_op: Dereferencing null pointer "mu".
# 5134|   	}
# 5135|   
# 5136|-> 	mu->len = ddf->conf_rec_len * 512 * vcl->conf.sec_elmnt_count;
# 5137|   	mu->buf = xmalloc(mu->len);
# 5138|   	mu->space = NULL;

Error: CPPCHECK_WARNING (CWE-476): [#def211]
mdadm-4.2_rc2/super-ddf.c:5136: warning[nullPointer]: Possible null pointer dereference: mu
# 5134|   	}
# 5135|   
# 5136|-> 	mu->len = ddf->conf_rec_len * 512 * vcl->conf.sec_elmnt_count;
# 5137|   	mu->buf = xmalloc(mu->len);
# 5138|   	mu->space = NULL;

Error: CPPCHECK_WARNING (CWE-476): [#def212]
mdadm-4.2_rc2/super-ddf.c:5137: warning[nullPointer]: Possible null pointer dereference: mu
# 5135|   
# 5136|   	mu->len = ddf->conf_rec_len * 512 * vcl->conf.sec_elmnt_count;
# 5137|-> 	mu->buf = xmalloc(mu->len);
# 5138|   	mu->space = NULL;
# 5139|   	mu->space_list = NULL;

Error: CPPCHECK_WARNING (CWE-476): [#def213]
mdadm-4.2_rc2/super-ddf.c:5138: warning[nullPointer]: Possible null pointer dereference: mu
# 5136|   	mu->len = ddf->conf_rec_len * 512 * vcl->conf.sec_elmnt_count;
# 5137|   	mu->buf = xmalloc(mu->len);
# 5138|-> 	mu->space = NULL;
# 5139|   	mu->space_list = NULL;
# 5140|   	mu->next = *updates;

Error: CPPCHECK_WARNING (CWE-476): [#def214]
mdadm-4.2_rc2/super-ddf.c:5139: warning[nullPointer]: Possible null pointer dereference: mu
# 5137|   	mu->buf = xmalloc(mu->len);
# 5138|   	mu->space = NULL;
# 5139|-> 	mu->space_list = NULL;
# 5140|   	mu->next = *updates;
# 5141|   	memcpy(mu->buf, &vcl->conf, ddf->conf_rec_len * 512);

Error: CPPCHECK_WARNING (CWE-476): [#def215]
mdadm-4.2_rc2/super-ddf.c:5140: warning[nullPointer]: Possible null pointer dereference: mu
# 5138|   	mu->space = NULL;
# 5139|   	mu->space_list = NULL;
# 5140|-> 	mu->next = *updates;
# 5141|   	memcpy(mu->buf, &vcl->conf, ddf->conf_rec_len * 512);
# 5142|   	for (j = 1; j < vcl->conf.sec_elmnt_count; j++)

Error: CPPCHECK_WARNING (CWE-476): [#def216]
mdadm-4.2_rc2/super-ddf.c:5141: warning[nullPointer]: Possible null pointer dereference: mu
# 5139|   	mu->space_list = NULL;
# 5140|   	mu->next = *updates;
# 5141|-> 	memcpy(mu->buf, &vcl->conf, ddf->conf_rec_len * 512);
# 5142|   	for (j = 1; j < vcl->conf.sec_elmnt_count; j++)
# 5143|   		memcpy(mu->buf + j * ddf->conf_rec_len * 512,

Error: CPPCHECK_WARNING (CWE-476): [#def217]
mdadm-4.2_rc2/super-ddf.c:5146: warning[nullPointer]: Possible null pointer dereference: mu
# 5144|   		       vcl->other_bvds[j-1], ddf->conf_rec_len * 512);
# 5145|   
# 5146|-> 	vc = (struct vd_config*)mu->buf;
# 5147|   	for (di = rv ; di ; di = di->next) {
# 5148|   		unsigned int i_sec, i_prim;

Error: RESOURCE_LEAK (CWE-772): [#def218] [important]
mdadm-4.2_rc2/super-ddf.c:5130: alloc_fn: Storage is returned from allocation function "xmalloc".
mdadm-4.2_rc2/super-ddf.c:5130: var_assign: Assigning: "mu" = storage returned from "xmalloc(40UL)".
mdadm-4.2_rc2/super-ddf.c:5163: leaked_storage: Variable "mu" going out of scope leaks the storage it points to.
# 5161|   			       di->disk.raid_disk,
# 5162|   			       di->disk.major, di->disk.minor);
# 5163|-> 			return NULL;
# 5164|   		}
# 5165|   		vc->phys_refnum[i_prim] = ddf->phys->entries[dl->pdnum].refnum;

Error: RESOURCE_LEAK (CWE-772): [#def219] [important]
mdadm-4.2_rc2/super-ddf.c:5093: alloc_fn: Storage is returned from allocation function "xcalloc".
mdadm-4.2_rc2/super-ddf.c:5093: var_assign: Assigning: "di" = storage returned from "xcalloc(1UL, 472UL)".
mdadm-4.2_rc2/super-ddf.c:5103: var_assign: Assigning: "rv" = "di".
mdadm-4.2_rc2/super-ddf.c:5147: var_assign: Assigning: "di" = "rv".
mdadm-4.2_rc2/super-ddf.c:5163: leaked_storage: Variable "di" going out of scope leaks the storage it points to.
mdadm-4.2_rc2/super-ddf.c:5163: leaked_storage: Variable "rv" going out of scope leaks the storage it points to.
# 5161|   			       di->disk.raid_disk,
# 5162|   			       di->disk.major, di->disk.minor);
# 5163|-> 			return NULL;
# 5164|   		}
# 5165|   		vc->phys_refnum[i_prim] = ddf->phys->entries[dl->pdnum].refnum;

Error: CHECKED_RETURN (CWE-252): [#def220]
mdadm-4.2_rc2/super-gpt.c:108: check_return: Calling "lseek(fd, sector_size, 0)" without checking return value. This library function may fail and return an error code.
#  106|   	}
#  107|   	/* Set offset to second block (GPT header) */
#  108|-> 	lseek(fd, sector_size, SEEK_SET);
#  109|   	/* Seem to have GPT, load the header */
#  110|   	gpt_head = (struct GPT*)(super+1);

Error: CHECKED_RETURN (CWE-252): [#def221]
mdadm-4.2_rc2/super-gpt.c:121: check_return: Calling "lseek(fd, sector_size * 2U, 0)" without checking return value. This library function may fail and return an error code.
#  119|   	to_read =  ((to_read+511)/512) * 512;
#  120|   	/* Set offset to third block (GPT entries) */
#  121|-> 	lseek(fd, sector_size*2, SEEK_SET);
#  122|   	if (read(fd, gpt_head+1, to_read) != to_read)
#  123|   		goto no_read;

Error: DIVIDE_BY_ZERO (CWE-369): [#def222]
mdadm-4.2_rc2/super-intel.c:1375: zero_return: Function call "imsm_num_data_members(map)" returns 0.
mdadm-4.2_rc2/super-intel.c:1375: divide_by_zero: In expression "dev_size / imsm_num_data_members(map)", division by expression "imsm_num_data_members(map)" which may be zero has undefined behavior.
# 1373|   				     unsigned long long dev_size)
# 1374|   {
# 1375|-> 	unsigned long long nds = dev_size / imsm_num_data_members(map);
# 1376|   
# 1377|   	nds /= map->num_domains;

Error: BAD_SHIFT (CWE-682): [#def223]
mdadm-4.2_rc2/super-intel.c:2287: cond_at_most: Checking "port_count > 64" implies that "port_count" may be up to 64 on the false branch.
mdadm-4.2_rc2/super-intel.c:2431: cond_at_most: Checking "i < port_count" implies that "i" may be up to 63 on the true branch.
mdadm-4.2_rc2/super-intel.c:2432: large_shift: In expression "1 << i", left shifting by more than 31 bits has undefined behavior.  The shift amount, "i", is as much as 63.
mdadm-4.2_rc2/super-intel.c:2432: remediation: The operand has type "int" (32 bits) and will be shifted as an "int". Did you intend to use a wider type? Consider specifying an integer suffix such as "ULL".
# 2430|   
# 2431|   		for (i = 0; i < port_count; i++)
# 2432|-> 			if (port_mask & (1 << i))
# 2433|   				printf("          Port%d : - no device attached -\n", i);
# 2434|   	}

Error: OVERFLOW_BEFORE_WIDEN (CWE-190): [#def224]
mdadm-4.2_rc2/super-intel.c:3048: overflow_before_widen: Potentially overflowing expression "parity_depth * segment" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "__u64" (64 bits, unsigned).
mdadm-4.2_rc2/super-intel.c:3048: remediation: To avoid overflow, cast either "parity_depth" or "segment" to type "__u64".
# 3046|   		parity_depth = parity_segment_depth(dev);
# 3047|   		block_map = map_migr_block(dev, block_rel);
# 3048|-> 		return block_map + parity_depth * segment;
# 3049|   	}
# 3050|   	case MIGR_REBUILD: {

Error: OVERFLOW_BEFORE_WIDEN (CWE-190): [#def225]
mdadm-4.2_rc2/super-intel.c:3056: overflow_before_widen: Potentially overflowing expression "migr_chunk * stripes_per_unit" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "__u64" (64 bits, unsigned).
mdadm-4.2_rc2/super-intel.c:3056: remediation: To avoid overflow, cast either "migr_chunk" or "stripes_per_unit" to type "__u64".
# 3054|   		stripes_per_unit = num_stripes_per_unit_rebuild(dev);
# 3055|   		migr_chunk = migr_strip_blocks_rebuild(dev);
# 3056|-> 		return migr_chunk * stripes_per_unit;
# 3057|   	}
# 3058|   	case MIGR_STATE_CHANGE:

Error: FORWARD_NULL (CWE-476): [#def226]
mdadm-4.2_rc2/super-intel.c:3445: var_compare_op: Comparing "prev_map" to null implies that "prev_map" might be null.
mdadm-4.2_rc2/super-intel.c:3468: var_deref_op: Dereferencing null pointer "prev_map".
# 3466|   		info->new_layout = imsm_level_to_layout(info->new_level);
# 3467|   		info->new_chunk = __le16_to_cpu(map->blocks_per_strip) << 9;
# 3468|-> 		info->delta_disks = map->num_members - prev_map->num_members;
# 3469|   		if (info->delta_disks) {
# 3470|   			/* this needs to be applied to every array

Error: FORWARD_NULL (CWE-476): [#def227]
mdadm-4.2_rc2/super-intel.c:3445: var_compare_op: Comparing "prev_map" to null implies that "prev_map" might be null.
mdadm-4.2_rc2/super-intel.c:3590: var_deref_model: Passing null pointer "prev_map" to "imsm_num_data_members", which dereferences it.
# 3588|   				info->reshape_progress);
# 3589|   
# 3590|-> 			used_disks = imsm_num_data_members(prev_map);
# 3591|   			if (used_disks > 0) {
# 3592|   				info->custom_array_size = per_dev_array_size(map) *

Error: CHECKED_RETURN (CWE-252): [#def228]
mdadm-4.2_rc2/super-intel.c:4167: check_return: Calling "fstat(fd, &stb)" without checking return value. This library function may fail and return an error code.
# 4165|   	dl = xcalloc(1, sizeof(*dl));
# 4166|   
# 4167|-> 	fstat(fd, &stb);
# 4168|   	dl->major = major(stb.st_rdev);
# 4169|   	dl->minor = minor(stb.st_rdev);

Error: USE_AFTER_FREE (CWE-416): [#def229] [important]
mdadm-4.2_rc2/super-intel.c:5230: closed_arg: "close(int)" closes "dfd".
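mdadm-4.2_rc2/super-intel.c:5233: double_close: Calling "close(int)" closes handle "dfd" which has already been closed. [Triage note: this is a double close of a file descriptor reported under the checker's USE_AFTER_FREE / CWE-416 label, not a heap use-after-free. The concern is that the descriptor number could have been reassigned between the two calls, in which case the second close() would release an unrelated file. Whether anything is opened between lines 5230 and 5233 is not visible in this excerpt.]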
# 5231|   	}
# 5232|   	if (dfd >= 0 && !keep_fd)
# 5233|-> 		close(dfd);
# 5234|   	return err;
# 5235|   

Error: DIVIDE_BY_ZERO (CWE-369): [#def230]
mdadm-4.2_rc2/super-intel.c:5564: zero_return: Function call "get_data_disks(info->level, info->layout, info->raid_disks)" returns 0.
mdadm-4.2_rc2/super-intel.c:5564: assignment: Assigning: "data_disks" = "get_data_disks(info->level, info->layout, info->raid_disks)". The value of "data_disks" is now 0.
mdadm-4.2_rc2/super-intel.c:5566: divide_by_zero: In function call "round_size_to_mb", division by expression "data_disks" which may be zero has undefined behavior.
# 5564|   	data_disks = get_data_disks(info->level, info->layout,
# 5565|   				    info->raid_disks);
# 5566|-> 	array_blocks = round_size_to_mb(array_blocks, data_disks);
# 5567|   	size_per_member = array_blocks / data_disks;
# 5568|   

Error: DIVIDE_BY_ZERO (CWE-369): [#def231]
mdadm-4.2_rc2/super-intel.c:5564: zero_return: Function call "get_data_disks(info->level, info->layout, info->raid_disks)" returns 0.
mdadm-4.2_rc2/super-intel.c:5564: assignment: Assigning: "data_disks" = "get_data_disks(info->level, info->layout, info->raid_disks)". The value of "data_disks" is now 0.
mdadm-4.2_rc2/super-intel.c:5567: divide_by_zero: In expression "array_blocks / data_disks", division by expression "data_disks" which may be zero has undefined behavior.
# 5565|   				    info->raid_disks);
# 5566|   	array_blocks = round_size_to_mb(array_blocks, data_disks);
# 5567|-> 	size_per_member = array_blocks / data_disks;
# 5568|   
# 5569|   	set_imsm_dev_size(dev, array_blocks);

Error: CHECKED_RETURN (CWE-252): [#def232]
mdadm-4.2_rc2/super-intel.c:5913: check_return: Calling "fstat(fd, &stb)" without checking return value. This library function may fail and return an error code.
# 5911|   		return add_to_super_imsm_volume(st, dk, fd, devname);
# 5912|   
# 5913|-> 	fstat(fd, &stb);
# 5914|   	dd = xcalloc(sizeof(*dd), 1);
# 5915|   	dd->major = major(stb.st_rdev);

Error: NEGATIVE_RETURNS (CWE-394): [#def233]
mdadm-4.2_rc2/super-intel.c:6045: var_tested_neg: Assigning: "dd->fd" = a negative value.
mdadm-4.2_rc2/super-intel.c:6046: negative_returns: "dd->fd" is passed to a parameter that cannot be negative.
# 6044|   	dd->minor = dk->minor;
# 6045|   	dd->fd = -1;
# 6046|-> 	mark_spare(dd);
# 6047|   	dd->action = DISK_REMOVE;
# 6048|   

Error: TAINTED_SCALAR (CWE-20): [#def234]
mdadm-4.2_rc2/super-intel.c:6405: tainted_argument: Calling function "read" taints argument "*buf". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super-intel.c:6411: var_assign_var: Assigning: "ppl_hdr" = "buf". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:6439: tainted_data: Using tainted variable "(unsigned int)ppl_hdr->entries_count" as a loop boundary.
mdadm-4.2_rc2/super-intel.c:6439: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 6437|   
# 6438|   		ppl_offset += PPL_HEADER_SIZE;
# 6439|-> 		for (i = 0; i < __le32_to_cpu(ppl_hdr->entries_count); i++)
# 6440|   			ppl_offset +=
# 6441|   				   __le32_to_cpu(ppl_hdr->entries[i].pp_size);

Error: DEADCODE (CWE-561): [#def235]
mdadm-4.2_rc2/super-intel.c:6948: assignment: Assigning: "err" = "0".
mdadm-4.2_rc2/super-intel.c:6990: const: At condition "err", the value of "err" must be equal to 0.
mdadm-4.2_rc2/super-intel.c:6990: dead_error_condition: The condition "err" cannot be true.
mdadm-4.2_rc2/super-intel.c:6991: dead_error_line: Execution cannot reach this statement: "while (devlist) { dv = de...".
mdadm-4.2_rc2/super-intel.c:6991: effectively_constant: Local variable "err" is assigned only once, to a constant value, making it effectively constant throughout its scope. If this is not the intent, examine the logic to see if there is a missing assignment that would make "err" not remain constant.
# 6989|   	}
# 6990|   	if (err) {
# 6991|-> 		while(devlist) {
# 6992|   			dv = devlist;
# 6993|   			devlist = devlist->next;

Error: CPPCHECK_WARNING (CWE-456): [#def236]
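mdadm-4.2_rc2/super-intel.c:8172: error[uninitvar]: Uninitialized variable: insync [Triage note: line 8172 initialises insync from itself, which per the comment on line 8171 is there to quiet a gcc -Os warning. The variable still holds an indeterminate value until it is first assigned, and the self-initialisation also hides the compiler's own uninitialised-use diagnostics for it.]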
# 8170|   		int i;
# 8171|   		/* gcc -Os complains that this is unused */
# 8172|-> 		int insync = insync;
# 8173|   
# 8174|   		for (i = 0; i < map->num_members; i++) {

Error: NULL_RETURNS (CWE-476): [#def237]
mdadm-4.2_rc2/super-intel.c:9259: returned_null: "get_imsm_disk" returns "NULL" (checked 11 out of 12 times).
mdadm-4.2_rc2/super-intel.c:9259: var_assigned: Assigning: "disk" = "NULL" return value from "get_imsm_disk".
mdadm-4.2_rc2/super-intel.c:9261: dereference: Dereferencing a pointer that might be "NULL" "disk->serial" when calling "serialcmp".
mdadm-4.2_rc2/super-intel.c:8244: example_assign: Example 1: Assigning: "disk" = return value from "get_imsm_disk(super, idx_1)".
mdadm-4.2_rc2/super-intel.c:8245: example_checked: Example 1 (cont.): "disk" has its value checked in "disk".
mdadm-4.2_rc2/super-intel.c:8185: example_assign: Example 2: Assigning: "disk" = return value from "get_imsm_disk(super, idx)".
mdadm-4.2_rc2/super-intel.c:8186: example_checked: Example 2 (cont.): "disk" has its value checked in "disk".
mdadm-4.2_rc2/super-intel.c:9597: example_assign: Example 3: Assigning: "disk" = return value from "get_imsm_disk(super, get_imsm_disk_idx(dev, i, -1))".
mdadm-4.2_rc2/super-intel.c:9599: example_checked: Example 3 (cont.): "disk" has its value checked in "disk".
mdadm-4.2_rc2/super-intel.c:3627: example_assign: Example 4: Assigning: "dsk" = return value from "get_imsm_disk(super, j)".
mdadm-4.2_rc2/super-intel.c:3628: example_checked: Example 4 (cont.): "dsk" has its value checked in "dsk".
mdadm-4.2_rc2/super-intel.c:10546: example_checked: Example 5: "get_imsm_disk(super, i)" has its value checked in "get_imsm_disk(super, i) == NULL".
# 9259|   		disk = get_imsm_disk(super, get_imsm_disk_idx(dev, i, MAP_X));
# 9260|   		for (j = 0; j < new_map->num_members; j++)
# 9261|-> 			if (serialcmp(disk->serial, inf[j].serial) == 0)
# 9262|   				return 1;
# 9263|   	}

Error: TAINTED_SCALAR (CWE-20): [#def238]
mdadm-4.2_rc2/super-intel.c:9989: tainted_data_downcast: Downcasting "update->buf" from "char *" to "struct imsm_update_create_array" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super-intel.c:9989: var_assign_var: Assigning: "u" = "(void *)update->buf". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:10032: tainted_data: Passing tainted expression "u->dev" to "disks_overlap", which uses it as a loop boundary.
mdadm-4.2_rc2/super-intel.c:10032: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#10030|   				continue;
#10031|   
#10032|-> 			if (disks_overlap(super, i, u)) {
#10033|   				dprintf("arrays overlap\n");
#10034|   				goto create_error;

Error: TAINTED_SCALAR (CWE-20): [#def239]
mdadm-4.2_rc2/super-intel.c:9989: tainted_data_downcast: Downcasting "update->buf" from "char *" to "struct imsm_update_create_array" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super-intel.c:9989: var_assign_var: Assigning: "u" = "(void *)update->buf". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:10012: tainted_data_transitive: Call to function "get_imsm_map" with tainted argument "u->dev.vol" transitively taints "get_imsm_map(&u->dev, 0)->num_members".
mdadm-4.2_rc2/super-intel.c:10012: var_assign: Assigning: "new_map" = "get_imsm_map(&u->dev, 0)", which taints "new_map".
mdadm-4.2_rc2/super-intel.c:10049: lower_bounds: Casting narrower unsigned "new_map->num_members" to wider signed type "int" effectively tests its lower bound.
mdadm-4.2_rc2/super-intel.c:10049: tainted_data: Using tainted variable "new_map->num_members" as a loop boundary.
mdadm-4.2_rc2/super-intel.c:10049: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#10047|   		 * so better to drop this update on the floor.
#10048|   		 */
#10049|-> 		for (i = 0; i < new_map->num_members; i++) {
#10050|   			dl = serial_to_dl(inf[i].serial, super);
#10051|   			if (!dl) {

Error: TAINTED_SCALAR (CWE-20): [#def240]
mdadm-4.2_rc2/super-intel.c:9989: tainted_data_downcast: Downcasting "update->buf" from "char *" to "struct imsm_update_create_array" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super-intel.c:9989: var_assign_var: Assigning: "u" = "(void *)update->buf". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:10074: tainted_data: Passing tainted expression "u->dev.vol" to "imsm_copy_dev", which uses it as an offset.
mdadm-4.2_rc2/super-intel.c:10074: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#10072|   		dev = dv->dev;
#10073|   		update->space = NULL;
#10074|-> 		imsm_copy_dev(dev, &u->dev);
#10075|   		dv->index = u->dev_idx;
#10076|   		dv->next = super->devlist;

Error: TAINTED_SCALAR (CWE-20): [#def241]
mdadm-4.2_rc2/super-intel.c:10382: tainted_data_downcast: Downcasting "update->buf" from "char *" to "struct imsm_update_create_array" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super-intel.c:10382: var_assign_var: Assigning: "u" = "(void *)update->buf". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:10384: var_assign_var: Assigning: "dev" = "&u->dev". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:10395: tainted_data_transitive: Call to function "sizeof_imsm_dev" with tainted argument "dev->vol" transitively taints "dev->vol".
mdadm-4.2_rc2/super-intel.c:10395: tainted_data_transitive: Call to function "sizeof_imsm_dev" with tainted argument "dev->vol" returns tainted data.
mdadm-4.2_rc2/super-intel.c:10395: var_assign: Assigning: "len" = "sizeof_imsm_dev(dev, 1)", which taints "len".
mdadm-4.2_rc2/super-intel.c:10398: tainted_data: Passing tainted expression "len" to "xmalloc", which uses it as an allocation size.
mdadm-4.2_rc2/super-intel.c:10398: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#10396|   		/* allocate a new super->devlist entry */
#10397|   		dv = xmalloc(sizeof(*dv));
#10398|-> 		dv->dev = xmalloc(len);
#10399|   		update->space = dv;
#10400|   

Error: TAINTED_SCALAR (CWE-20): [#def242]
mdadm-4.2_rc2/super-intel.c:10382: tainted_data_downcast: Downcasting "update->buf" from "char *" to "struct imsm_update_create_array" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super-intel.c:10382: var_assign_var: Assigning: "u" = "(void *)update->buf". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:10384: var_assign_var: Assigning: "dev" = "&u->dev". Both are now tainted.
mdadm-4.2_rc2/super-intel.c:10385: tainted_data_transitive: Call to function "get_imsm_map" with tainted argument "dev->vol" transitively taints "get_imsm_map(dev, 0)->num_members".
mdadm-4.2_rc2/super-intel.c:10385: var_assign: Assigning: "map" = "get_imsm_map(dev, 0)", which taints "map".
mdadm-4.2_rc2/super-intel.c:10402: lower_bounds: Casting narrower unsigned "map->num_members" to wider signed type "int" effectively tests its lower bound.
mdadm-4.2_rc2/super-intel.c:10402: tainted_data: Using tainted variable "map->num_members" as a loop boundary.
mdadm-4.2_rc2/super-intel.c:10402: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#10400|   
#10401|   		/* count how many spares will be converted to members */
#10402|-> 		for (i = 0; i < map->num_members; i++) {
#10403|   			dl = serial_to_dl(inf[i].serial, super);
#10404|   			if (!dl) {

Error: DIVIDE_BY_ZERO (CWE-369): [#def243]
mdadm-4.2_rc2/super-intel.c:10904: zero_return: Function call "imsm_num_data_members(map_dest)" returns 0.
mdadm-4.2_rc2/super-intel.c:10904: assignment: Assigning: "data_disks" = "imsm_num_data_members(map_dest)". The value of "data_disks" is now 0.
mdadm-4.2_rc2/super-intel.c:10922: divide_by_zero: In expression "start / data_disks", division by expression "data_disks" which may be zero has undefined behavior.
#10920|   		 * in restore_stripes() using start input variable
#10921|   		 */
#10922|-> 		target_offsets[i] -= start/data_disks;
#10923|   	}
#10924|   

Error: DIVIDE_BY_ZERO (CWE-369): [#def244]
mdadm-4.2_rc2/super-intel.c:11603: zero_return: Function call "imsm_num_data_members(map)" returns 0.
mdadm-4.2_rc2/super-intel.c:11603: assignment: Assigning: "data_disks" = "imsm_num_data_members(map)". The value of "data_disks" is now 0.
mdadm-4.2_rc2/super-intel.c:11606: divide_by_zero: In expression "info.custom_array_size / data_disks", division by expression "data_disks" which may be zero has undefined behavior.
#11604|   	/* compute current size per disk member
#11605|   	 */
#11606|-> 	current_size = info.custom_array_size / data_disks;
#11607|   
#11608|   	if (geo->size > 0 && geo->size != MAX_SIZE) {

Error: RESOURCE_LEAK (CWE-772): [#def245] [important]
mdadm-4.2_rc2/super-intel.c:11787: alloc_arg: "imsm_create_metadata_update_for_size_change" allocates memory that is stored into "update".
mdadm-4.2_rc2/super-intel.c:11793: noescape: Resource "update" is not freed or pointed-to in "imsm_update_metadata_locally".
mdadm-4.2_rc2/super-intel.c:11801: leaked_storage: Variable "update" going out of scope leaks the storage it points to.
#11799|   			imsm_sync_metadata(st);
#11800|   		}
#11801|-> 	}
#11802|   	ret_val = 0;
#11803|   exit:

Error: OVERFLOW_BEFORE_WIDEN (CWE-190): [#def246]
mdadm-4.2_rc2/super-intel.c:12185: overflow_before_widen: Potentially overflowing expression "odata * chunk" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "unsigned long long" (64 bits, unsigned).
mdadm-4.2_rc2/super-intel.c:12185: remediation: To avoid overflow, cast either "odata" or "chunk" to type "unsigned long long".
#12183|   
#12184|   	chunk = __le16_to_cpu(map_src->blocks_per_strip) * 512;
#12185|-> 	old_data_stripe_length = odata * chunk;
#12186|   
#12187|   	migr_rec = super->migr_rec;

Error: DIVIDE_BY_ZERO (CWE-369): [#def247]
mdadm-4.2_rc2/super-intel.c:12181: zero_return: Function call "imsm_num_data_members(map_dest)" returns 0.
mdadm-4.2_rc2/super-intel.c:12181: assignment: Assigning: "ndata" = "imsm_num_data_members(map_dest)". The value of "ndata" is now 0.
mdadm-4.2_rc2/super-intel.c:12250: divide_by_zero: In expression "start / ndata", division by expression "ndata" which may be zero has undefined behavior.
#12248|   		start_src = start - start_buf_shift;
#12249|   
#12250|-> 		border = (start_src / odata) - (start / ndata);
#12251|   		border /= 512;
#12252|   		if (border <= __le32_to_cpu(migr_rec->dest_depth_per_unit)) {

Error: DIVIDE_BY_ZERO (CWE-369): [#def248]
mdadm-4.2_rc2/super-intel.c:12182: zero_return: Function call "imsm_num_data_members(map_src)" returns 0.
mdadm-4.2_rc2/super-intel.c:12182: assignment: Assigning: "odata" = "imsm_num_data_members(map_src)". The value of "odata" is now 0.
mdadm-4.2_rc2/super-intel.c:12250: divide_by_zero: In expression "start_src / odata", division by expression "odata" which may be zero has undefined behavior.
#12248|   		start_src = start - start_buf_shift;
#12249|   
#12250|-> 		border = (start_src / odata) - (start / ndata);
#12251|   		border /= 512;
#12252|   		if (border <= __le32_to_cpu(migr_rec->dest_depth_per_unit)) {

Error: OVERFLOW_BEFORE_WIDEN (CWE-190): [#def249]
mdadm-4.2_rc2/super-intel.c:12412: overflow_before_widen: Potentially overflowing expression "1036288U * super->sector_size" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "unsigned long long" (64 bits, unsigned).
mdadm-4.2_rc2/super-intel.c:12412: remediation: To avoid overflow, cast either "1036288U" or "super->sector_size" to type "unsigned long long".
#12410|   
#12411|   	min_chunksize = calculate_bitmap_min_chunksize(
#12412|-> 		IMSM_BITMAP_AREA_SIZE * super->sector_size, dev_size);
#12413|   
#12414|   	if (result < min_chunksize)

Error: CHECKED_RETURN (CWE-252): [#def250]
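mdadm-4.2_rc2/super-intel.c:12622: check_return: Calling "lseek64(fd, offset << 9, 0)" without checking return value. This library function may fail and return an error code. The excerpt shows the function returning 0 immediately afterwards, so a failed seek would be reported to the caller as success.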
#12620|   	dprintf("bitmap header offset is %llu\n", offset);
#12621|   
#12622|-> 	lseek64(fd, offset << 9, 0);
#12623|   
#12624|   	return 0;

Error: CHECKED_RETURN (CWE-252): [#def251]
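mdadm-4.2_rc2/super-intel.c:12676: check_return: Calling "lseek64(fd, offset << 9, 0)" without checking return value. This library function may fail and return an error code. The excerpt shows a write() loop following directly, so after a failed seek the writes would go to whatever offset the descriptor already had.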
#12674|   	memset(buf, 0xFF, MAX_SECTOR_SIZE);
#12675|   	offset = get_bitmap_sector(super, vol_idx);
#12676|-> 	lseek64(fd, offset << 9, 0);
#12677|   	while (written < IMSM_BITMAP_AREA_SIZE) {
#12678|   		to_write = IMSM_BITMAP_AREA_SIZE - written;

Error: UNUSED_VALUE (CWE-563): [#def252]
mdadm-4.2_rc2/super-intel.c:12678: value_overwrite: Overwriting previous write to "to_write" with value from "1036288UL - written".
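mdadm-4.2_rc2/super-intel.c:12680: assigned_value: Assigning value "4096UL" to "to_write" here, but that stored value is overwritten before it can be used. In the excerpt, the write() call on line 12681 passes MAX_SECTOR_SIZE, not "to_write", so the clamp computed here has no effect on the length written.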
#12678|   		to_write = IMSM_BITMAP_AREA_SIZE - written;
#12679|   		if (to_write > MAX_SECTOR_SIZE)
#12680|-> 			to_write = MAX_SECTOR_SIZE;
#12681|   		rv_num = write(fd, buf, MAX_SECTOR_SIZE);
#12682|   		if (rv_num != MAX_SECTOR_SIZE) {

Error: TAINTED_SCALAR (CWE-20): [#def253]
mdadm-4.2_rc2/super0.c:81: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_s" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super0.c:81: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super0.c:227: tainted_data: Using tainted variable "(int)(sb->raid_disks + delta_extra + sb->spare_disks)" as a loop boundary.
mdadm-4.2_rc2/super0.c:227: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  225|   	printf("\n");
#  226|   	printf("      Number   Major   Minor   RaidDevice State\n");
#  227|-> 	for (d = -1;
#  228|   	     d < (signed int)(sb->raid_disks + delta_extra + sb->spare_disks);
#  229|   	     d++) {

Error: TAINTED_SCALAR (CWE-20): [#def254]
mdadm-4.2_rc2/super0.c:504: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_s" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super0.c:504: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super0.c:686: tainted_data: Using tainted expression "sb->new_chunk / 512U * (sb->raid_disks - sb->delta_disks - parity)" as the modulus in "sb->reshape_position % (sb->new_chunk / 512U * (sb->raid_disks - sb->delta_disks - parity))".
mdadm-4.2_rc2/super0.c:686: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  684|   			rv = 0;
#  685|   
#  686|-> 			if (sb->level >= 4 && sb->level <= 6 &&
#  687|   			    sb->reshape_position % (
#  688|   				    sb->new_chunk/512 *

Error: CHECKED_RETURN (CWE-252): [#def255]
mdadm-4.2_rc2/super0.c:1192: check_return: Calling "lseek64(fd, offset, 0)" without checking return value. This library function may fail and return an error code.
# 1190|   	offset += MD_SB_BYTES;
# 1191|   
# 1192|-> 	lseek64(fd, offset, 0);
# 1193|   	return 0;
# 1194|   }

Error: CHECKED_RETURN (CWE-252): [#def256]
mdadm-4.2_rc2/super1.c:263: check_return: Calling "lseek(afd->fd, len - n, 1)" without checking return value. This library function may fail and return an error code.
#  261|   	if (n <= 0)
#  262|   		return n;
#  263|-> 	lseek(afd->fd, len - n, 1);
#  264|   	if (n > len)
#  265|   		n = len;

Error: CHECKED_RETURN (CWE-252): [#def257]
mdadm-4.2_rc2/super1.c:297: check_return: Calling "lseek(afd->fd, -n, 1)" without checking return value. This library function may fail and return an error code.
#  295|   		if (n <= 0)
#  296|   			return n;
#  297|-> 		lseek(afd->fd, -n, 1);
#  298|   	}
#  299|   

Error: CHECKED_RETURN (CWE-252): [#def258]
mdadm-4.2_rc2/super1.c:304: check_return: Calling "lseek(afd->fd, len - n, 1)" without checking return value. This library function may fail and return an error code.
#  302|   	if (n <= 0)
#  303|   		return n;
#  304|-> 	lseek(afd->fd, len - n, 1);
#  305|   	return len;
#  306|   }

Error: TAINTED_SCALAR (CWE-20): [#def259]
mdadm-4.2_rc2/super1.c:321: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:321: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:494: tainted_data: Passing tainted expression "sb->max_dev" to "calc_sb_1_csum", which uses it as a loop boundary.
mdadm-4.2_rc2/super1.c:494: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  492|   	}
#  493|   
#  494|-> 	if (calc_sb_1_csum(sb) == sb->sb_csum)
#  495|   		printf("       Checksum : %x - correct\n",
#  496|   		       __le32_to_cpu(sb->sb_csum));

Error: TAINTED_SCALAR (CWE-20): [#def260]
mdadm-4.2_rc2/super1.c:321: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:321: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:572: tainted_data: Using tainted variable "(unsigned int)sb->raid_disks + delta_extra" as a loop boundary.
mdadm-4.2_rc2/super1.c:572: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  570|   
#  571|   	printf("   Array State : ");
#  572|-> 	for (d = 0; d < __le32_to_cpu(sb->raid_disks) + delta_extra; d++) {
#  573|   		int cnt = 0;
#  574|   		unsigned int i;

Error: TAINTED_SCALAR (CWE-20): [#def261]
mdadm-4.2_rc2/super1.c:766: tainted_argument: Calling function "read" taints argument "*buf". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super1.c:769: var_assign_var: Assigning: "sb" = "buf". Both are now tainted.
mdadm-4.2_rc2/super1.c:772: tainted_data: Passing tainted expression "sb->max_dev" to "calc_sb_1_csum", which uses it as a loop boundary.
mdadm-4.2_rc2/super1.c:772: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  770|   	super = *sb; // save most of sb for when we reuse buf
#  771|   
#  772|-> 	if (__le32_to_cpu(super.magic) != MD_SB_MAGIC ||
#  773|   	    __le32_to_cpu(super.major_version) != 1 ||
#  774|   	    __le64_to_cpu(super.super_offset) != sb_offset ||

Error: TAINTED_SCALAR (CWE-20): [#def262]
mdadm-4.2_rc2/super1.c:803: tainted_argument: Calling function "aread" taints argument "*buf".
mdadm-4.2_rc2/super1.c:809: var_assign_var: Assigning: "bms" = "(void *)buf". Both are now tainted.
mdadm-4.2_rc2/super1.c:810: tainted_data: Passing tainted expression "bms->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:810: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
#  808|   				bitmap_super_t *bms;
#  809|   				bms = (void*)buf;
#  810|-> 				bytes = calc_bitmap_size(bms, 512);
#  811|   				if (n > bytes)
#  812|   					n =  bytes;

Error: RESOURCE_LEAK (CWE-772): [#def263] [important]
mdadm-4.2_rc2/super1.c:936: alloc_arg: "posix_memalign" allocates memory that is stored into "bbl".
mdadm-4.2_rc2/super1.c:945: leaked_storage: Variable "bbl" going out of scope leaks the storage it points to.
#  943|   	if (lseek64(fd, offset, 0) < 0) {
#  944|   		pr_err("Cannot seek to bad-blocks list\n");
#  945|-> 		return 1;
#  946|   	}
#  947|   	if (read(fd, bbl, size) != size) {

Error: RESOURCE_LEAK (CWE-772): [#def264] [important]
mdadm-4.2_rc2/super1.c:936: alloc_arg: "posix_memalign" allocates memory that is stored into "bbl".
mdadm-4.2_rc2/super1.c:947: noescape: Resource "bbl" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super1.c:949: leaked_storage: Variable "bbl" going out of scope leaks the storage it points to.
#  947|   	if (read(fd, bbl, size) != size) {
#  948|   		pr_err("Cannot read bad-blocks list\n");
#  949|-> 		return 1;
#  950|   	}
#  951|   	/* 64bits per entry. 10 bits is block-count, 54 bits is block

Error: RESOURCE_LEAK (CWE-772): [#def265] [important]
mdadm-4.2_rc2/super1.c:936: alloc_arg: "posix_memalign" allocates memory that is stored into "bbl".
mdadm-4.2_rc2/super1.c:947: noescape: Resource "bbl" is not freed or pointed-to in "read". [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/super1.c:954: var_assign: Assigning: "bbp" = "bbl".
mdadm-4.2_rc2/super1.c:969: leaked_storage: Variable "bbp" going out of scope leaks the storage it points to.
mdadm-4.2_rc2/super1.c:969: leaked_storage: Variable "bbl" going out of scope leaks the storage it points to.
#  967|   		printf("%20llu for %d sectors\n", sector, count);
#  968|   	}
#  969|-> 	return 0;
#  970|   }
#  971|   

Error: TAINTED_SCALAR (CWE-20): [#def266]
mdadm-4.2_rc2/super1.c:992: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:992: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:993: var_assign_var: Assigning: "bsb" = "(void *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:1068: tainted_data: Passing tainted expression "bsb->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:1068: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 1066|   		if (info->bitmap_offset > 0) {
# 1067|   			unsigned long long bmend = info->bitmap_offset;
# 1068|-> 			unsigned long long size = calc_bitmap_size(bsb, 4096);
# 1069|   			size /= 512;
# 1070|   			bmend += size;

Error: TAINTED_SCALAR (CWE-20): [#def267]
mdadm-4.2_rc2/super1.c:992: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:992: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:1033: lower_bounds: Checking lower bounds of unsigned scalar "sb->max_dev" by taking the false branch of "(unsigned int)sb->dev_number >= (unsigned int)sb->max_dev".
mdadm-4.2_rc2/super1.c:1165: tainted_data: Using tainted variable "(unsigned int)sb->max_dev" as a loop boundary.
mdadm-4.2_rc2/super1.c:1165: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 1163|   		for (i=0; i<map_disks; i++)
# 1164|   			map[i] = 0;
# 1165|-> 	for (i = 0; i < __le32_to_cpu(sb->max_dev); i++) {
# 1166|   		role = __le16_to_cpu(sb->dev_roles[i]);
# 1167|   		if (/*role == MD_DISK_ROLE_SPARE || */role < (unsigned) info->array.raid_disks) {

Error: TAINTED_SCALAR (CWE-20): [#def268]
mdadm-4.2_rc2/super1.c:1213: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:1213: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:1214: var_assign_var: Assigning: "bms" = "(bitmap_super_t *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:1363: tainted_data: Passing tainted expression "bms->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:1363: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 1361|   		if (sb->feature_map & __cpu_to_le32(MD_FEATURE_BITMAP_OFFSET)) {
# 1362|   			bitmap_offset = (long)__le32_to_cpu(sb->bitmap_offset);
# 1363|-> 			bm_sectors = calc_bitmap_size(bms, 4096) >> 9;
# 1364|   		} else if (md_feature_any_ppl_on(sb->feature_map)) {
# 1365|   			bitmap_offset = (long)__le16_to_cpu(sb->ppl.offset);

Error: DEADCODE (CWE-561): [#def269]
mdadm-4.2_rc2/super1.c:1452: cond_at_most: Condition "space > optimal_space", taking true branch. Now the value of "optimal_space" is at most 2046.
mdadm-4.2_rc2/super1.c:1442: cond_at_least: Condition "space < 16", taking false branch. Now the value of "space" is at least 16.
mdadm-4.2_rc2/super1.c:1447: cond_between: Condition "space >= 2048", taking false branch. Now the value of "space" is between 16 and 2047.
mdadm-4.2_rc2/super1.c:1453: assignment: Assigning: "space" = "optimal_space".
mdadm-4.2_rc2/super1.c:1454: at_most: At condition "space > 65535", the value of "space" must be at most 2047.
mdadm-4.2_rc2/super1.c:1454: dead_error_condition: The condition "space > 65535" cannot be true.
mdadm-4.2_rc2/super1.c:1455: dead_error_line: Execution cannot reach this statement: "space = 65535;".
# 1453|   				space = optimal_space;
# 1454|   			if (space > UINT16_MAX)
# 1455|-> 				space = UINT16_MAX;
# 1456|   		}
# 1457|   

Error: TAINTED_SCALAR (CWE-20): [#def270]
mdadm-4.2_rc2/super1.c:1213: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:1213: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:1538: lower_bounds: Casting narrower unsigned "(unsigned int)sb->raid_disks - (unsigned int)sb->delta_disks - (((unsigned int)sb->level == 6U) ? 2 : 1)" to wider signed type "long" effectively tests its lower bound.
mdadm-4.2_rc2/super1.c:1538: var_assign_var: Compound assignment involving tainted variable "(unsigned int)sb->raid_disks - (unsigned int)sb->delta_disks - (((unsigned int)sb->level == 6U) ? 2 : 1)" to variable "reshape_chunk" taints "reshape_chunk".
mdadm-4.2_rc2/super1.c:1541: tainted_data: Using tainted expression "reshape_chunk" as the modulus in "reshape_sectors % reshape_chunk".
mdadm-4.2_rc2/super1.c:1541: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 1539|   					__le32_to_cpu(sb->delta_disks) -
# 1540|   					(__le32_to_cpu(sb->level)==6 ? 2 : 1);
# 1541|-> 				if (reshape_sectors % reshape_chunk) {
# 1542|   					pr_err("Reshape position is not suitably aligned.\n");
# 1543|   					pr_err("Try normal assembly and stop again\n");

Error: OVERRUN (CWE-119): [#def271]
mdadm-4.2_rc2/super1.c:1222: alias: Assigning: "update" = ""name"". "update" now points to byte 0 of ""name"" (which consists of 5 bytes).
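mdadm-4.2_rc2/super1.c:1595: overrun-local: Overrunning array of 5 bytes at byte offset 7 by dereferencing pointer "update + 7". The excerpt starts inside an else branch and does not show the condition guarding it, so whether this line can be reached while "update" still points to "name" has to be confirmed in the full source.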
# 1593|   		} else {
# 1594|   			sb->feature_map |= __cpu_to_le32(MD_FEATURE_RAID0_LAYOUT);
# 1595|-> 			sb->layout = __cpu_to_le32(update[7] == 'o' ? 1 : 2);
# 1596|   		}
# 1597|   	} else

Error: TAINTED_SCALAR (CWE-20): [#def272]
mdadm-4.2_rc2/super1.c:1213: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:1213: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:1600: tainted_data: Passing tainted expression "sb->max_dev" to "calc_sb_1_csum", which uses it as a loop boundary.
mdadm-4.2_rc2/super1.c:1600: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 1598|   		rv = -1;
# 1599|   
# 1600|-> 	sb->sb_csum = calc_sb_1_csum(sb);
# 1601|   
# 1602|   	return rv;

Error: TAINTED_SCALAR (CWE-20): [#def273]
mdadm-4.2_rc2/super1.c:1709: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:1709: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:1726: lower_bounds: Checking lower bounds of unsigned scalar "sb->max_dev" by taking the false branch of "dk->number >= (int)(unsigned int)sb->max_dev".
mdadm-4.2_rc2/super1.c:1732: tainted_data: Passing tainted expression "sb->max_dev" to "calc_sb_1_csum", which uses it as a loop boundary.
mdadm-4.2_rc2/super1.c:1732: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 1730|   	sb->dev_number = __cpu_to_le32(dk->number);
# 1731|   	sb->devflags = 0; /* don't copy another disks flags */
# 1732|-> 	sb->sb_csum = calc_sb_1_csum(sb);
# 1733|   
# 1734|   	dip = (struct devinfo **)&st->info;

Error: TAINTED_SCALAR (CWE-20): [#def274]
mdadm-4.2_rc2/super1.c:1935: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:1935: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:1955: tainted_data: Using tainted expression "sb->chunksize" as the divisor in "s1 /= (unsigned int)sb->chunksize".
mdadm-4.2_rc2/super1.c:1955: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 1953|   			if (di->data_offset != INVALID_SECTORS)
# 1954|   				s1 -= di->data_offset;
# 1955|-> 			s1 /= __le32_to_cpu(sb->chunksize);
# 1956|   			s2 = di2->dev_size;
# 1957|   			if (di2->data_offset != INVALID_SECTORS)

Error: TAINTED_SCALAR (CWE-20): [#def275]
mdadm-4.2_rc2/super1.c:1935: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:1935: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2033: var_assign_var: Assigning: "bms" = "(bitmap_super_t *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:2035: tainted_data: Passing tainted expression "bms->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:2035: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2033|   			bitmap_super_t *bms = (bitmap_super_t *)
# 2034|   					(((char *)sb) + MAX_SB_SIZE);
# 2035|-> 			bm_space = calc_bitmap_size(bms, 4096) >> 9;
# 2036|   			bm_offset = (long)__le32_to_cpu(sb->bitmap_offset);
# 2037|   		} else if (md_feature_any_ppl_on(sb->feature_map)) {

Error: TAINTED_SCALAR (CWE-20): [#def276]
mdadm-4.2_rc2/super1.c:1935: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:1935: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2114: tainted_data: Passing tainted expression "sb->max_dev" to "calc_sb_1_csum", which uses it as a loop boundary.
mdadm-4.2_rc2/super1.c:2114: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2112|   			sb->feature_map |= __cpu_to_le32(MD_FEATURE_RAID0_LAYOUT);
# 2113|   
# 2114|-> 		sb->sb_csum = calc_sb_1_csum(sb);
# 2115|   		rv = store_super1(st, di->fd);
# 2116|   

Error: TAINTED_SCALAR (CWE-20): [#def277]
mdadm-4.2_rc2/super1.c:2394: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:2394: var_assign_var: Assigning: "super" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2403: var_assign_var: Assigning: "bsb" = "(struct bitmap_super_s *)((char *)super + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:2404: tainted_data: Passing tainted expression "bsb->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:2404: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2402|   		struct bitmap_super_s *bsb;
# 2403|   		bsb = (struct bitmap_super_s *)(((char*)super)+MAX_SB_SIZE);
# 2404|-> 		bmspace = calc_bitmap_size(bsb, 4096) >> 9;
# 2405|   	} else if (md_feature_any_ppl_on(super->feature_map)) {
# 2406|   		bmspace = __le16_to_cpu(super->ppl.size);

Error: TAINTED_SCALAR (CWE-20): [#def278]
mdadm-4.2_rc2/super1.c:2627: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:2627: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2636: var_assign_var: Assigning: "bms" = "(bitmap_super_t *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:2637: tainted_data: Passing tainted expression "bms->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:2637: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2635|   	if (node_num) {
# 2636|   		bms = (bitmap_super_t*)(((char*)sb)+MAX_SB_SIZE);
# 2637|-> 		bm_sectors_per_node = calc_bitmap_size(bms, 4096) >> 9;
# 2638|   		offset += bm_sectors_per_node * node_num;
# 2639|   	}

Error: CHECKED_RETURN (CWE-252): [#def279]
mdadm-4.2_rc2/super1.c:2642: check_return: Calling "lseek64(fd, offset << 9, 0)" without checking return value. This library function may fail and return an error code.
# 2640|   	if (mustfree)
# 2641|   		free(sb);
# 2642|-> 	lseek64(fd, offset<<9, 0);
# 2643|   	return ret;
# 2644|   }

Error: TAINTED_SCALAR (CWE-20): [#def280]
mdadm-4.2_rc2/super1.c:2648: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:2648: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2649: var_assign_var: Assigning: "bms" = "(bitmap_super_t *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:2701: tainted_data: Passing tainted expression "bms->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:2701: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2699|   		 * bytes for the total bitmap
# 2700|   		 */
# 2701|-> 		bm_space_per_node = calc_bitmap_size(bms, 4096);
# 2702|   
# 2703|   		total_bm_space = 512 * (__le64_to_cpu(sb->data_offset) -

Error: TAINTED_SCALAR (CWE-20): [#def281]
mdadm-4.2_rc2/super1.c:2648: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:2648: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2649: var_assign_var: Assigning: "bms" = "(bitmap_super_t *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:2747: tainted_data: Passing tainted expression "bms->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:2747: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2745|   		 */
# 2746|   		if (__le32_to_cpu(sb->bitmap_offset) & 7)
# 2747|-> 			towrite = calc_bitmap_size(bms, 512);
# 2748|   		else
# 2749|   			towrite = calc_bitmap_size(bms, 4096);

Error: TAINTED_SCALAR (CWE-20): [#def282]
mdadm-4.2_rc2/super1.c:2648: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:2648: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2649: var_assign_var: Assigning: "bms" = "(bitmap_super_t *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:2749: tainted_data: Passing tainted expression "bms->chunksize" to "calc_bitmap_size", which uses it as a divisor or modulus.
mdadm-4.2_rc2/super1.c:2749: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2747|   			towrite = calc_bitmap_size(bms, 512);
# 2748|   		else
# 2749|-> 			towrite = calc_bitmap_size(bms, 4096);
# 2750|   		while (towrite > 0) {
# 2751|   			n = towrite;

Error: TAINTED_SCALAR (CWE-20): [#def283]
mdadm-4.2_rc2/super1.c:2648: tainted_data_downcast: Downcasting "st->sb" from "void *" to "struct mdp_superblock_1" implies that the data that this pointer points to is tainted.
mdadm-4.2_rc2/super1.c:2648: var_assign_var: Assigning: "sb" = "st->sb". Both are now tainted.
mdadm-4.2_rc2/super1.c:2649: var_assign_var: Assigning: "bms" = "(bitmap_super_t *)((char *)sb + 4096)". Both are now tainted.
mdadm-4.2_rc2/super1.c:2769: tainted_data: Using tainted variable "(unsigned int)bms->nodes" as a loop boundary.
mdadm-4.2_rc2/super1.c:2769: remediation: Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
# 2767|   			break;
# 2768|   		}
# 2769|-> 	} while (++i < __le32_to_cpu(bms->nodes));
# 2770|   
# 2771|   	free(buf);

Error: STRING_OVERFLOW (CWE-120): [#def284]
mdadm-4.2_rc2/sysfs.c:119: fixed_size_dest: You might overrun the 32-character fixed-size string "mdi->sys_name" by copying "devnm" without checking the length.
mdadm-4.2_rc2/sysfs.c:119: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function.
#  117|   	if (!S_ISDIR(stb.st_mode))
#  118|   		goto out;
#  119|-> 	strcpy(mdi->sys_name, devnm);
#  120|   
#  121|   	retval = 0;

Error: STRING_OVERFLOW (CWE-120): [#def285]
mdadm-4.2_rc2/sysfs.c:158: fixed_size_dest: You might overrun the 50-character fixed-size string "sra->text_version" by copying "buf + 9" without checking the length.
#  156|   			sra->array.major_version = -1;
#  157|   			sra->array.minor_version = -2;
#  158|-> 			strcpy(sra->text_version, buf+9);
#  159|   		} else {
#  160|   			sscanf(buf, "%d.%d",

Error: STRING_OVERFLOW (CWE-120): [#def286]
mdadm-4.2_rc2/sysfs.c:319: string_overflow: You might overrun the 32-character destination string "dev->sys_name" by writing 256 characters from "de->d_name".
#  317|   
#  318|   		}
#  319|-> 		strcpy(dev->sys_name, de->d_name);
#  320|   		dev->disk.raid_disk = strtoul(buf, &ep, 10);
#  321|   		if (*ep) dev->disk.raid_disk = -1;

Error: STRING_OVERFLOW (CWE-120): [#def287]
mdadm-4.2_rc2/sysfs.c:754: fixed_size_dest: You might overrun the 32-character fixed-size string "sd->sys_name + 4" by copying "dname" without checking the length.
#  752|   	dname = devid2kname(makedev(sd->disk.major, sd->disk.minor));
#  753|   	strcpy(sd->sys_name, "dev-");
#  754|-> 	strcpy(sd->sys_name+4, dname);
#  755|   
#  756|   	/* test write to see if 'recovery_start' is available */

Error: STRING_OVERFLOW (CWE-120): [#def288]
mdadm-4.2_rc2/sysfs.c:942: string_overflow: You might overrun the 100-character destination string "dirname + l" by writing 256 characters from "de->d_name".
#  940|   			continue;
#  941|   		strcpy(dirname+l, "/");
#  942|-> 		strcat(dirname+l, de->d_name);
#  943|   		n = readlink(dirname, buf, sizeof(buf)-1);
#  944|   		if (n <= 0)

Error: CLANG_WARNING: [#def289]
mdadm-4.2_rc2/sysfs.c:1066:12: warning[core.NonNullParamChecker]: Null pointer passed to 1st parameter expecting 'nonnull'
# 1064|   				match = strcmp(devnm, rules->devname) == 0;
# 1065|   		} else {
# 1066|-> 			match = memcmp(dev->uuid, rules->uuid,
# 1067|   				       sizeof(int[4])) == 0;
# 1068|   		}

Error: MISSING_BREAK (CWE-484): [#def290]
mdadm-4.2_rc2/util.c:364: unterminated_case: The case for value "'K'" is not terminated by a "break" statement.
mdadm-4.2_rc2/util.c:366: fallthrough: The above case falls through to this one.
#  362|   	if (s > 0) {
#  363|   		switch (*c) {
#  364|-> 		case 'K':
#  365|   			c++;
#  366|   		default:

Error: RESOURCE_LEAK (CWE-772): [#def291] [important]
mdadm-4.2_rc2/util.c:427: alloc_fn: Storage is returned from allocation function "xstrdup".
mdadm-4.2_rc2/util.c:427: var_assign: Assigning: "m" = storage returned from "xstrdup(layout)".
mdadm-4.2_rc2/util.c:430: noescape: Resource "m" is not freed or pointed-to in "map_name".
mdadm-4.2_rc2/util.c:432: leaked_storage: Variable "m" going out of scope leaks the storage it points to.
#  430|   	mode = map_name(faultylayout, m);
#  431|   	if (mode == UnSet)
#  432|-> 		return -1;
#  433|   
#  434|   	return mode | (atoi(layout+ln)<< ModeShift);

Error: RESOURCE_LEAK (CWE-772): [#def292] [important]
mdadm-4.2_rc2/util.c:427: alloc_fn: Storage is returned from allocation function "xstrdup".
mdadm-4.2_rc2/util.c:427: var_assign: Assigning: "m" = storage returned from "xstrdup(layout)".
mdadm-4.2_rc2/util.c:430: noescape: Resource "m" is not freed or pointed-to in "map_name".
mdadm-4.2_rc2/util.c:434: leaked_storage: Variable "m" going out of scope leaks the storage it points to.
#  432|   		return -1;
#  433|   
#  434|-> 	return mode | (atoi(layout+ln)<< ModeShift);
#  435|   }
#  436|   

Error: OVERRUN (CWE-119): [#def293]
mdadm-4.2_rc2/util.c:959: identity_transfer: Passing "20UL" as argument 3 to function "read", which returns that argument. [Note: The source code implementation of the function has been overridden by a builtin model.]
mdadm-4.2_rc2/util.c:959: assignment: Assigning: "n" = "read(fd, buf, 20UL)". The value of "n" is now 20.
mdadm-4.2_rc2/util.c:962: overrun-local: Overrunning array "buf" of 20 bytes at byte offset 20 using index "n" (which evaluates to 20).
#  960|   		close(fd);
#  961|   		if (n > 0)
#  962|-> 			buf[n] = 0;
#  963|   		if (n > 0 && sscanf(buf, "%d:%d\n", &mjr, &mnr) == 2)
#  964|   			return makedev(mjr, mnr);

Error: TOCTOU (CWE-367): [#def294]
mdadm-4.2_rc2/util.c:1006: fs_check_call: Calling function "stat" to perform check on "devname".
mdadm-4.2_rc2/util.c:1014: toctou: Calling function "mknod" that uses "devname" after a check function. This can cause a time-of-check, time-of-use race condition.
# 1004|   
# 1005|   	snprintf(devname, sizeof(devname), "/dev/md/%s", devnm+2);
# 1006|-> 	if (stat(devname, &stb) == 0 && (S_IFMT&stb.st_mode) == S_IFBLK &&
# 1007|   	    (stb.st_rdev == rdev))
# 1008|   		return devname;

Error: TOCTOU (CWE-367): [#def295]
mdadm-4.2_rc2/util.c:1018: fs_check_call: Calling function "stat" to perform check on "devname".
mdadm-4.2_rc2/util.c:1021: toctou: Calling function "unlink" that uses "devname" after a check function. This can cause a time-of-check, time-of-use race condition.
# 1016|   			return NULL;
# 1017|   
# 1018|-> 	if (stat(devname, &stb) == 0 && (S_IFMT&stb.st_mode) == S_IFBLK &&
# 1019|   	    (stb.st_rdev == rdev))
# 1020|   		return devname;

Error: STRING_OVERFLOW (CWE-120): [#def296]
mdadm-4.2_rc2/util.c:1203: fixed_size_dest: You might overrun the 32-character fixed-size string "container" by copying "dev" without checking the length.
# 1201|   			subarray = xstrdup(subarray);
# 1202|   		}
# 1203|-> 		strcpy(container, dev);
# 1204|   		sysfs_free(sra);
# 1205|   		sra = sysfs_read(-1, container, GET_VERSION);

Error: STRING_OVERFLOW (CWE-120): [#def297]
mdadm-4.2_rc2/util.c:1221: fixed_size_dest: You might overrun the 32-character fixed-size string "st->devnm" by copying the return value of "fd2devnm" without checking the length.
# 1219|   			*subarrayp = subarray;
# 1220|   		strcpy(st->container_devnm, container);
# 1221|-> 		strcpy(st->devnm, fd2devnm(fd));
# 1222|   	} else
# 1223|   		free(subarray);

Error: CHECKED_RETURN (CWE-252): [#def298]
mdadm-4.2_rc2/util.c:1414: check_return: Calling "lseek(fd, sector_size, 0)" without checking return value. This library function may fail and return an error code.
# 1412|   	if (!get_dev_sector_size(fd, NULL, &sector_size))
# 1413|   		return 0;
# 1414|-> 	lseek(fd, sector_size, SEEK_SET);
# 1415|   	/* read GPT header */
# 1416|   	if (read(fd, &gpt, 512) != 512)

Error: CHECKED_RETURN (CWE-252): [#def299]
mdadm-4.2_rc2/util.c:1435: check_return: Calling "lseek(fd, sector_size * 2U, 0)" without checking return value. This library function may fail and return an error code.
# 1433|   
# 1434|   	/* set offset to third block (GPT entries) */
# 1435|-> 	lseek(fd, sector_size*2, SEEK_SET);
# 1436|   	for (part_nr = 0; part_nr < all_partitions; part_nr++) {
# 1437|   		/* read partition entry */

Error: STRING_OVERFLOW (CWE-120): [#def300]
mdadm-4.2_rc2/util.c:1709: fixed_size_dest: You might overrun the 32-character fixed-size string "st->devnm" by copying "_devnm" without checking the length.
# 1707|   		goto close_fd;
# 1708|   	}
# 1709|-> 	strcpy(st->devnm, _devnm);
# 1710|   
# 1711|   	mdi = sysfs_read(fd, st->devnm, GET_VERSION|GET_LEVEL);

Error: DC.WEAK_CRYPTO (CWE-327): [#def301]
mdadm-4.2_rc2/util.c:1975: dont_call: "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
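mdadm-4.2_rc2/util.c:1975: remediation: Use a compliant random number generator, such as "/dev/random" or "/dev/urandom" on Unix-like systems, and CNG (Cryptography API: Next Generation) on Windows. Note: in the excerpt below, "/dev/urandom" is already tried first; "random" is reached only as a fallback when opening or reading it fails.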
# 1973|   	int rfd = open("/dev/urandom", O_RDONLY);
# 1974|   	if (rfd < 0 || read(rfd, &rv, 4) != 4)
# 1975|-> 		rv = random();
# 1976|   	if (rfd >= 0)
# 1977|   		close(rfd);

Error: DC.WEAK_CRYPTO (CWE-327): [#def302]
mdadm-4.2_rc2/util.c:1998: dont_call: "random" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
mdadm-4.2_rc2/util.c:1998: remediation: Use a compliant random number generator, such as "/dev/random" or "/dev/urandom" on Unix-like systems, and CNG (Cryptography API: Next Generation) on Windows.
# 1996|   use_random:
# 1997|   	for (i = 0; i < 4; i++)
# 1998|-> 		r[i] = random();
# 1999|   	memcpy(buf, r, 16);
# 2000|   }

Error: GCC_ANALYZER_WARNING (CWE-416): [#def303]
mdadm-4.2_rc2/util.c: scope_hint: In function 'flush_metadata_updates'
mdadm-4.2_rc2/util.c:2016:33: warning[-Wanalyzer-use-after-free]: use after 'free' of '*st.updates'
# 2014|   	while (st->updates) {
# 2015|   		struct metadata_update *mu = st->updates;
# 2016|-> 		st->updates = mu->next;
# 2017|   
# 2018|   		send_message(sfd, mu, 0);

Error: GCC_ANALYZER_WARNING (CWE-415): [#def304]
mdadm-4.2_rc2/util.c:2020:17: warning[-Wanalyzer-double-free]: double-'free' of '**st.updates.buf'
# 2018|   		send_message(sfd, mu, 0);
# 2019|   		wait_reply(sfd, 0);
# 2020|-> 		free(mu->buf);
# 2021|   		free(mu);
# 2022|   	}

Error: CHECKED_RETURN (CWE-252): [#def305]
mdadm-4.2_rc2/util.c:2169: check_return: Calling "open" without checking return value (as is done elsewhere 76 out of 84 times).
mdadm-4.2_rc2/Assemble.c:1058: example_assign: Example 1: Assigning: "bmfd" = return value from "open(ident->bitmap_file, 2)".
mdadm-4.2_rc2/Assemble.c:1059: example_checked: Example 1 (cont.): "bmfd" has its value checked in "bmfd < 0".
mdadm-4.2_rc2/Build.c:154: example_assign: Example 2: Assigning: "fd" = return value from "open(dv->devname, 128)".
mdadm-4.2_rc2/Build.c:155: example_checked: Example 2 (cont.): "fd" has its value checked in "fd < 0".
mdadm-4.2_rc2/Create.c:171: example_assign: Example 3: Assigning: "fd" = return value from "open(devlist->devname, 0)".
mdadm-4.2_rc2/Create.c:172: example_checked: Example 3 (cont.): "fd" has its value checked in "fd >= 0".
mdadm-4.2_rc2/Dump.c:269: example_assign: Example 4: Assigning: "fl" = return value from "open(fname, 0)".
mdadm-4.2_rc2/Dump.c:270: example_checked: Example 4 (cont.): "fl" has its value checked in "fl".
mdadm-4.2_rc2/Incremental.c:1429: example_assign: Example 5: Assigning: "fd" = return value from "open(devname, 0)".
mdadm-4.2_rc2/Incremental.c:1430: example_checked: Example 5 (cont.): "fd" has its value checked in "fd >= 0".
# 2167|   
# 2168|   	close(0);
# 2169|-> 	open("/dev/null", O_RDWR);
# 2170|   
# 2171|   #ifndef DEBUG

Error: RESOURCE_LEAK (CWE-772): [#def306] [important]
mdadm-4.2_rc2/util.c:2179: alloc_fn: Storage is returned from allocation function "opendir".
mdadm-4.2_rc2/util.c:2179: var_assign: Assigning: "dir" = storage returned from "opendir("/proc/self/fd")".
mdadm-4.2_rc2/util.c:2184: noescape: Resource "dir" is not freed or pointed-to in "readdir".
mdadm-4.2_rc2/util.c:2184: noescape: Resource "dir" is not freed or pointed-to in "readdir".
mdadm-4.2_rc2/util.c:2195: leaked_storage: Variable "dir" going out of scope leaks the storage it points to.
# 2193|   			close(fd);
# 2194|   	}
# 2195|-> }
# 2196|   
# 2197|   /* In a systemd/udev world, it is best to get systemd to

Error: RESOURCE_LEAK (CWE-772): [#def307] [important]
mdadm-4.2_rc2/util.c:2253: open_fn: Returning handle opened by "open_dev".
mdadm-4.2_rc2/util.c:2253: var_assign: Assigning: "fd" = handle returned from "open_dev(devnm)".
mdadm-4.2_rc2/util.c:2256: leaked_handle: Handle variable "fd" going out of scope leaks the handle.
# 2254|   	if (fd >= 0 && fd != mdfd)
# 2255|   		dup2(fd, mdfd);
# 2256|-> }
# 2257|   
# 2258|   static struct cmap_hooks *cmap_hooks = NULL;

Scan Properties

analyzer-version-clang: 12.0.1
analyzer-version-coverity: 2020.12
analyzer-version-cppcheck: 2.1
analyzer-version-gcc: 11.2.1
analyzer-version-gcc-analyzer: 11.2.1
analyzer-version-shellcheck: 0.7.1
cov-compilation-unit-count: 44
cov-compilation-unit-ratio: 100
cov-lines-processed: 63309
cov-time-elapsed-analysis: 00:01:22
exit-code: 0
host: cov05.lab.eng.brq.redhat.com
known-false-positives: /usr/share/csmock/known-false-positives.js
mock-config: rhel-9-x86_64
project-name: mdadm-4.2-rc2.el9
store-results-to: /tmp/tmpmzIKeo/mdadm-4.2-rc2.el9.tar.xz
time-created: 2021-08-13 14:25:13
time-finished: 2021-08-13 14:31:12
tool: csmock
tool-args: '/bin/csmock' '-t' 'cppcheck,gcc,shellcheck,clang,coverity' '-r' 'rhel-9-x86_64' '-o' '/tmp/tmpmzIKeo/mdadm-4.2-rc2.el9.tar.xz' '--cov-analyze-java' '--use-host-cppcheck' '--gcc-analyze' '/tmp/tmpmzIKeo/mdadm-4.2-rc2.el9.src.rpm'
tool-version: csmock-2.8.0.20210811.140808.gcc3c8f6.internal-1.el7