use after free bugs
Ted Unangst
tedu at coverity.com
Thu Feb 19 17:43:53 PST 2004
Hi. These are some bugs found by Coverity in a static analysis run on the
FreeBSD kernel. All these are use after free bugs.
-------------- next part --------------
############################################################
# New errors.
#
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/my/if_my.c|1102|my_detach|ERROR|FREE|1101|1102| Using freed "sc", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
bus_release_resource(dev, SYS_RES_IRQ, 0, sc->my_irq);
bus_release_resource(dev, MY_RES, MY_RID, sc->my_res);
#if 0
contigfree(sc->my_cdata.my_rx_buf, MY_RXBUFLEN + 32, M_DEVBUF);
#endif
Start --->
free(sc, M_DEVBUF);
Error --->
MY_UNLOCK(sc);
splx(s);
mtx_destroy(&sc->my_mtx);
return (0);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/raidframe/rf_freebsdkintf.c|517|raidctlioctl|ERROR|FREE|516|517| Using freed "k_cfg", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
}
retcode = copyin(k_cfg->layoutSpecific,
(caddr_t) specific_buf,
k_cfg->layoutSpecificSize);
if (retcode) {
Start --->
RF_Free(k_cfg, sizeof(RF_Config_t));
Error --->
RF_Free(specific_buf,
k_cfg->layoutSpecificSize);
rf_printf(2, "raidctlioctl: retcode=%d "
"copyin.2\n", retcode);
return (retcode);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/netsmb/smb_rq.c|732|smb_t2_request_int|ERROR|FREE|730|732| Using freed "rqp", deallocated by call to "smb_rq_done". [START_RELAX0=filename|/home/tedu/sys/netsmb/smb_rq.c,fn|smb_rq_done,line1|147,line2|-1,argno|0]
md_initm(mdp, mdp->md_top);
}
bad:
smb_iod_removerq(rqp);
freerq:
Start --->
smb_rq_done(rqp);
if (error) {
Error --->
if (rqp->sr_flags & SMBR_RESTART)
t2p->t2_flags |= SMBT2_RESTART;
md_done(&t2p->t2_rparam);
md_done(&t2p->t2_rdata);
}
return error;
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/ips/ips_commands.c|517|ips_ffdc_reset|ERROR|FREE|514|517| Using freed "status", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
status = malloc(sizeof(ips_cmd_status_t), M_DEVBUF, M_NOWAIT|M_ZERO);
if(!status)
return ENOMEM;
if(ips_get_free_cmd(sc, ips_send_ffdc_reset_cmd, status,
IPS_NOWAIT_FLAG)){
Start --->
free(status, M_DEVBUF);
device_printf(sc->dev, "ERROR: unable to get a command! can't send ffdc reset!\n");
}
Error --->
if(COMMAND_ERROR(status)){
device_printf(sc->dev, "ERROR: ffdc reset command failed!\n");
}
free(status, M_DEVBUF);
return 0;
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/mlx/mlx.c|440|mlx_attach|ERROR|FREE|437|440| Using freed "meo", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
device_printf(sc->mlx_dev, "ENQUIRY_OLD failed\n");
mlx_free(sc);
return(ENXIO);
}
sc->mlx_enq2->me_firmware_id = ('0' << 24) | (0 << 16) | (meo->me_fwminor << 8) | meo->me_fwmajor;
Start --->
free(meo, M_DEVBUF);
/* XXX require 2.42 or better (PCI) or 2.14 or better (EISA) */
Error --->
if (meo->me_fwminor < 42) {
device_printf(sc->mlx_dev, " *** WARNING *** This firmware revision is not recommended\n");
device_printf(sc->mlx_dev, " *** WARNING *** Use revision 2.42 or later\n");
}
break;
case MLX_IFTYPE_3:
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/nfsclient/nfs_vfsops.c|509|nfs_mountdiskless|ERROR|FREE|506|509| Double free of "nam", deallocated by call to "mountnfs". [START_RELAX0=filename|/home/tedu/sys/nfsclient/nfs_vfsops.c,fn|mountnfs,line1|849,line2|-1,argno|2] [END_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
int error;
mp->mnt_kern_flag = 0;
mp->mnt_flag = mountflag;
nam = dup_sockaddr((struct sockaddr *)sin, 1);
Start --->
if ((error = mountnfs(args, mp, nam, which, path, vpp,
td->td_ucred)) != 0) {
printf("nfs_mountroot: mount %s on %s: %d", path, which, error);
Error --->
FREE(nam, M_SONAME);
return (error);
}
(void) copystr(which, mp->mnt_stat.f_mntonname, MNAMELEN - 1, 0);
return (0);
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/dev/ips/ips_commands.c|430|ips_flush_cache|ERROR|FREE|427|430| Using freed "status", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
if(!status)
return ENOMEM;
device_printf(sc->dev, "flushing cache\n");
if(ips_get_free_cmd(sc, ips_send_flush_cache_cmd, status,
IPS_NOWAIT_FLAG)){
Start --->
free(status, M_DEVBUF);
device_printf(sc->dev, "ERROR: unable to get a command! can't flush cache!\n");
}
Error --->
if(COMMAND_ERROR(status)){
device_printf(sc->dev, "ERROR: cache flush command failed!\n");
}
free(status, M_DEVBUF);
return 0;
}
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/nfs4client/nfs4_idmap.c|388|idmap_uid_to_name|ERROR|FREE|384|388| Using freed "e", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
return EFAULT;
}
if (idmap_add(e) != 0) {
IDMAP_DEBUG("idmap_add failed\n");
Start --->
FREE(e, M_IDMAP);
}
}
Error --->
*name = e->id_info.id_name;
*len = e->id_info.id_namelen;
return 0;
}
int
---------------------------------------------------------
[UNINSPECTED]
X [BUG]
X [FALSE]
X [UNKNOWN]
X [BROKE]
X [SKIP]
/home/tedu/sys/net/if_ef.c|541|ef_load|ERROR|FREE|545|541| Using freed "efl", deallocated by call to "free". [START_RELAX0=filename|none,fn|free,line1|none,line2|-1,argno|0]
}
IFNET_RUNLOCK();
if (error) {
if (efl)
SLIST_INSERT_HEAD(&efdev, efl, el_next);
Error --->
SLIST_FOREACH(efl, &efdev, el_next) {
for (d = 0; d < EF_NFT; d++)
if (efl->el_units[d])
free(efl->el_units[d], M_IFADDR);
Start --->
free(efl, M_IFADDR);
}
return error;
}
SLIST_FOREACH(efl, &efdev, el_next) {
for (d = 0; d < EF_NFT; d++) {
More information about the freebsd-hackers
mailing list