From b29e05d62973511aa6aed81f2787b6c451a3f43b Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 21:56:52 +0200
Subject: [PATCH 1/8] coverity: #1425748 Time of check time of use
Signed-off-by: Christian Brauner
---
 src/lxc/conf.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index d4a16cd2b..6bcbe38cc 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1581,13 +1581,13 @@ static int lxc_setup_devpts(struct lxc_conf *conf)
 DEBUG("Mount new devpts instance with options \"%s\"", devpts_mntopts);
 /* Remove any pre-existing /dev/ptmx file. */
- ret = access("/dev/ptmx", F_OK);
- if (!ret) {
- ret = remove("/dev/ptmx");
- if (ret < 0) {
+ ret = remove("/dev/ptmx");
+ if (ret < 0) {
+ if (errno != ENOENT) {
 SYSERROR("Failed to remove existing \"/dev/ptmx\" file");
 return -1;
 }
+ } else {
 DEBUG("Removed existing \"/dev/ptmx\" file");
 }
From d3ccc04e7921888f8debb57aa7088893891a1f35 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 22:00:22 +0200
Subject: [PATCH 2/8] coverity: #1425758 Time of check time of use
Signed-off-by: Christian Brauner
---
 src/lxc/conf.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 6bcbe38cc..938762551 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -924,16 +924,9 @@ static int lxc_setup_ttys(struct lxc_conf *conf)
 /* If we populated /dev, then we need to create * /dev/ttyN */
- ret = access(path, F_OK);
- if (ret < 0) {
- ret = creat(path, 0660);
- if (ret < 0) {
- SYSERROR("Failed to create \"%s\"", path);
- /* this isn't fatal, continue */
- } else {
- close(ret);
- }
- }
+ ret = mknod(path, S_IFREG | 0000, 0);
+ if (ret < 0) /* this isn't fatal, continue */
+ ERROR("%s - Failed to create \"%s\"", strerror(errno), path);
 ret = mount(tty->name, path, "none", MS_BIND, 0);
 if (ret < 0) {
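Review bot: In the lxc_setup_ttys hunk (PATCH 2/8), `mknod()` fails with EEXIST whenever the target already exists, a case the removed `access()` test skipped silently, so each pre-existing /dev/ttyN is now reported at ERROR level even though the bind mount that follows can still succeed. Consider `if (ret < 0 && errno != EEXIST)` before logging. The message is also assembled by hand with `strerror(errno)` where the removed line and the devpts hunk in the same file use `SYSERROR`; `SYSERROR("Failed to create \"%s\"", path);` would keep the file consistent. The loop body starts and ends outside the hunk.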
@@ -941,8 +934,7 @@ static int lxc_setup_ttys(struct lxc_conf *conf)
 continue;
 }
- DEBUG("Bind mounted \"%s\" onto \"%s\"", tty->name,
- path);
+ DEBUG("Bind mounted \"%s\" onto \"%s\"", tty->name, path);
 }
 if (!append_ttyname(&conf->ttys.tty_names, tty->name)) {
From 76356656118a90f3f23edd56fcf0dd1b3e10898c Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 22:05:09 +0200
Subject: [PATCH 3/8] coverity: #1425760 Use of untrusted scalar value
Signed-off-by: Christian Brauner
---
 src/lxc/tools/lxc_ls.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/lxc/tools/lxc_ls.c b/src/lxc/tools/lxc_ls.c
index 4089b9361..c152d6155 100644
--- a/src/lxc/tools/lxc_ls.c
+++ b/src/lxc/tools/lxc_ls.c
@@ -1136,17 +1136,27 @@ static int ls_serialize(int wpipefd, struct ls *n)
 static int ls_recv_str(int fd, char **buf)
 {
+ ssize_t ret;
 size_t slen = 0;
- if (lxc_read_nointr(fd, &slen, sizeof(slen)) != sizeof(slen))
+
+ ret = lxc_read_nointr(fd, &slen, sizeof(slen));
+ if (ret != sizeof(slen))
 return -1;
+
 if (slen > 0) {
 *buf = malloc(sizeof(char) * (slen + 1));
 if (!*buf)
 return -1;
- if (lxc_read_nointr(fd, *buf, slen) != (ssize_t)slen)
+
+ ret = lxc_read_nointr(fd, *buf, slen);
+ if (ret != (ssize_t)slen) {
+ free(*buf);
 return -1;
+ }
+
 (*buf)[slen] = '\0';
 }
+
 return 0;
 }
From 1f080b1d66ffef2207be0951beab04fdfdc29d99 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 22:07:56 +0200
Subject: [PATCH 4/8] coverity: #1425764 Unchecked return value
Signed-off-by: Christian Brauner
---
 src/lxc/lxccontainer.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 4a8a56072..de4a49e62 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
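Review bot: In ls_recv_str (PATCH 3/8), `slen` is still used without any upper bound after being read from the pipe: for `slen == SIZE_MAX` the `slen + 1` in the `malloc()` argument wraps to 0, and `(ssize_t)slen` is -1, so a failed `lxc_read_nointr()` compares equal and the store `(*buf)[slen] = '\0'` falls outside the allocation. A range check before the allocation closes this, for example `if (slen >= SSIZE_MAX) return -1;`, or a smaller limit suited to the strings lxc-ls exchanges. The new error path also leaves `*buf` pointing at freed memory; adding `*buf = NULL;` after `free(*buf);` protects any caller that frees the pointer on failure.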
@@ -1564,7 +1564,12 @@ static bool create_run_template(struct lxc_container *c, char *tpath,
 snprintf(txtuid, 20, "%d", hostuid_mapped);
 n2[n2args - 4] = txtuid;
 n2[n2args - 3] = "--mapped-gid";
- snprintf(txtgid, 20, "%d", hostgid_mapped);
+ ret = snprintf(txtgid, 20, "%d", hostgid_mapped);
+ if (ret < 0 || ret >= 20) {
+ free(newargv);
+ free(n2);
+ _exit(EXIT_FAILURE);
+ }
 n2[n2args - 2] = txtgid;
 n2[n2args - 1] = NULL;
 free(newargv);
From 7eab8fc6230b4ab7a7dd0305c63a8ff143a193a9 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 22:09:14 +0200
Subject: [PATCH 5/8] coverity: #1425766 Unchecked return value
Signed-off-by: Christian Brauner
---
 src/lxc/criu.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index eab650d7e..155e69f86 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -900,6 +900,7 @@ static bool criu_ok(struct lxc_container *c, char **criu_version)
 static bool restore_net_info(struct lxc_container *c)
 {
+ int ret;
 struct lxc_list *it;
 bool has_error = true;
@@ -913,7 +914,9 @@ static bool restore_net_info(struct lxc_container *c)
 if (netdev->type != LXC_NET_VETH)
 continue;
- snprintf(template, sizeof(template), "vethXXXXXX");
+ ret = snprintf(template, sizeof(template), "vethXXXXXX");
+ if (ret < 0 || ret >= sizeof(template))
+ goto out_unlock;
 if (netdev->priv.veth_attr.pair[0] == '\0' && netdev->priv.veth_attr.veth1[0] == '\0') {
From 76c00d391a2b9ed8ee02bc3c8db2f67adcbcff82 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 22:10:26 +0200
Subject: [PATCH 6/8] coverity: #1425767 Unchecked return value
Signed-off-by: Christian Brauner
---
 src/lxc/storage/btrfs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/lxc/storage/btrfs.c b/src/lxc/storage/btrfs.c
index be07aeb6f..f22c41747 100644
--- a/src/lxc/storage/btrfs.c
+++ b/src/lxc/storage/btrfs.c
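Review bot: In create_run_template (PATCH 4/8), the `snprintf(txtuid, 20, "%d", hostuid_mapped);` three lines above the change is left unchecked while the gid call now has a check, so the two halves of the same argument list are handled differently. Apply the same test there: `ret = snprintf(txtuid, 20, "%d", hostuid_mapped);` followed by `if (ret < 0 || ret >= 20)` and the same cleanup. If `txtuid` and `txtgid` are arrays (their declarations are outside the hunk), `sizeof(txtgid)` would be safer than repeating the literal 20 in both the call and the check.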
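Review bot: In restore_net_info (PATCH 5/8), `ret >= sizeof(template)` compares an `int` with a `size_t`; it is correct only because `ret < 0` is tested first, and it will trip -Wsign-compare. Writing `if (ret < 0 || (size_t)ret >= sizeof(template))` makes the intent explicit. The same pattern appears as `ret >= len` in do_remove_btrfs_children (PATCH 6/8), where `len` is a `size_t`. Both function bodies continue outside their hunks.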
@@ -659,7 +659,7 @@ static void free_btrfs_tree(struct my_btrfs_tree *tree)
 static bool do_remove_btrfs_children(struct my_btrfs_tree *tree, u64 root_id,
 const char *path)
 {
- int i;
+ int i, ret;
 char *newpath;
 size_t len;
@@ -675,7 +675,11 @@ static bool do_remove_btrfs_children(struct my_btrfs_tree *tree, u64 root_id,
 ERROR("Out of memory");
 return false;
 }
- snprintf(newpath, len, "%s/%s", path, tree->nodes[i].dirname);
+ ret = snprintf(newpath, len, "%s/%s", path, tree->nodes[i].dirname);
+ if (ret < 0 || ret >= len) {
+ free(newpath);
+ return false;
+ }
 if (!do_remove_btrfs_children(tree, tree->nodes[i].objid, newpath)) {
 ERROR("Failed to prune %s\n", tree->nodes[i].name);
 free(newpath);
From b695eea2ebf21bbcdc992f5b74ed78de8e18abaa Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 22:17:08 +0200
Subject: [PATCH 7/8] coverity: #1425768 Untrusted array index read
Signed-off-by: Christian Brauner
---
 src/lxc/state.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/lxc/state.c b/src/lxc/state.c
index aea3a1847..06aa3208a 100644
--- a/src/lxc/state.c
+++ b/src/lxc/state.c
@@ -104,7 +104,7 @@ static int fillwaitedstates(const char *strstates, lxc_state_t *states)
 extern int lxc_wait(const char *lxcname, const char *states, int timeout,
 const char *lxcpath)
 {
- int state;
+ int state = -1;
 lxc_state_t s[MAX_STATE] = {0};
 if (fillwaitedstates(states, s))
@@ -129,6 +129,11 @@ extern int lxc_wait(const char *lxcname, const char *states, int timeout,
 sleep(1);
 }
+ if (state < 0) {
+ ERROR("Failed to retrieve state from monitor");
+ return -1;
+ }
+
 TRACE("Retrieved state of container %s", lxc_state2str(state));
 if (!s[state])
 return -1;
From dd90a3bfabb71cd26fdf460db3e578929dcde6a5 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 14 Jun 2018 22:26:52 +0200
Subject: [PATCH 8/8] parse: fix memory leak
Signed-off-by: Christian Brauner
---
 src/lxc/parse.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
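Review bot: In do_remove_btrfs_children (PATCH 6/8), the new `snprintf()` failure path returns false without logging, while the allocation failure just above and the recursion failure just below both call `ERROR`. Adding a line such as `ERROR("Failed to create path for \"%s\"", tree->nodes[i].dirname);` before `free(newpath);` keeps a failed prune diagnosable. The loop around this code and the computation of `len` are outside the hunk.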
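Review bot: In lxc_wait (PATCH 7/8), the new guard rejects only negative values, so a `state` of `MAX_STATE` or more would still index past the end of `s[MAX_STATE]` in `if (!s[state])`, after first being passed to `lxc_state2str()`. Bounding both sides covers the array: `if (state < 0 || state >= MAX_STATE) {`. The loop that assigns `state` is outside the hunk, so whether the monitor can return such a value could not be checked here.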
diff --git a/src/lxc/parse.c b/src/lxc/parse.c
index 01801c582..a1025c5af 100644
--- a/src/lxc/parse.c
+++ b/src/lxc/parse.c
@@ -68,7 +68,7 @@ int lxc_file_for_each_line_mmap(const char *file, lxc_file_cb callback,
 void *data)
 {
 int fd;
- char *buf, *line;
+ char *buf, *chop, *line;
 struct stat st;
 int ret = 0;
 char *saveptr = NULL;
@@ -94,7 +94,7 @@ int lxc_file_for_each_line_mmap(const char *file, lxc_file_cb callback,
 return -1;
 }
- for (; (line = strtok_r(buf, "\n\0", &saveptr)); buf = NULL) {
+ for (chop = buf; (line = strtok_r(chop, "\n\0", &saveptr)); chop = NULL) {
 ret = callback(line, data);
 if (ret) {
 /* Callback rv > 0 means stop here callback rv < 0 means