New Defects reported by Coverity Scan for ubuntu-yakkety-kernel

Po-Hsu Lin (Sam) po-hsu.lin at canonical.com
Thu Jun 8 11:16:11 UTC 2017


Looks like this issue was induced by the patch for CVE-2017-9074,
and can be fixed by upstream commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531

"ipv6: Check ip6_find_1stfragopt() return value properly. "

On Thu, Jun 8, 2017 at 6:44 PM, Colin Ian King <colin.king at canonical.com> wrote:
> FYI
>
> Regression found in static analysis of Yakkety. Same applies for Xenial
> too.
>
>
> -------- Forwarded Message --------
> Subject: New Defects reported by Coverity Scan for ubuntu-yakkety-kernel
> Date: Thu, 08 Jun 2017 03:10:30 -0700
> From: scan-admin at coverity.com
> To: colin.king at canonical.com
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to
> ubuntu-yakkety-kernel found with Coverity Scan.
>
> 3 new defect(s) introduced to ubuntu-yakkety-kernel found with Coverity
> Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 3 of 3 defect(s)
>
>
> ** CID 1436351:  Control flow issues  (NO_EFFECT)
> /net/ipv6/ip6_output.c: 574 in ip6_fragment()
>
>
> ________________________________________________________________________________________________________
> *** CID 1436351:  Control flow issues  (NO_EFFECT)
> /net/ipv6/ip6_output.c: 574 in ip6_fragment()
> 568             int hroom, troom;
> 569             __be32 frag_id;
> 570             int ptr, offset = 0, err = 0;
> 571             u8 *prevhdr, nexthdr = 0;
> 572
> 573             hlen = ip6_find_1stfragopt(skb, &prevhdr);
>>>>     CID 1436351:  Control flow issues  (NO_EFFECT)
>>>>     This less-than-zero comparison of an unsigned value is never true. "hlen < 0U".
> 574             if (hlen < 0) {
> 575                     err = hlen;
> 576                     goto fail;
> 577             }
> 578             nexthdr = *prevhdr;
> 579
> ** CID 1436352:  Control flow issues  (NO_EFFECT)
> /net/ipv6/ip6_offload.c: 117 in ipv6_gso_segment()
>
>
> ________________________________________________________________________________________________________
> *** CID 1436352:  Control flow issues  (NO_EFFECT)
> /net/ipv6/ip6_offload.c: 117 in ipv6_gso_segment()
> 111                             payload_len = skb->len - nhoff - sizeof(*ipv6h);
> 112                     ipv6h->payload_len = htons(payload_len);
> 113                     skb->network_header = (u8 *)ipv6h - skb->head;
> 114
> 115                     if (udpfrag) {
> 116                             unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
>>>>     CID 1436352:  Control flow issues  (NO_EFFECT)
>>>>     This less-than-zero comparison of an unsigned value is never true. "unfrag_ip6hlen < 0U".
> 117                             if (unfrag_ip6hlen < 0)
> 118                                     return ERR_PTR(unfrag_ip6hlen);
> 119                             fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
> 120                             fptr->frag_off = htons(offset);
> 121                             if (skb->next)
> 122                                     fptr->frag_off |= htons(IP6_MF);
>
> ** CID 1436353:  Control flow issues  (NO_EFFECT)
> /net/ipv6/udp_offload.c: 94 in udp6_ufo_fragment()
>
>
> ________________________________________________________________________________________________________
> *** CID 1436353:  Control flow issues  (NO_EFFECT)
> /net/ipv6/udp_offload.c: 94 in udp6_ufo_fragment()
> 88              }
> 89
> 90               /* Find the unfragmentable header and shift it left by frag_hdr_sz
> 91               * bytes to insert fragment header.
> 92               */
> 93              unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
>>>>     CID 1436353:  Control flow issues  (NO_EFFECT)
>>>>     This less-than-zero comparison of an unsigned value is never true. "unfrag_ip6hlen < 0U".
> 94              if (unfrag_ip6hlen < 0)
> 95                      return ERR_PTR(unfrag_ip6hlen);
> 96              nexthdr = *prevhdr;
> 97              *prevhdr = NEXTHDR_FRAGMENT;
> 98              unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
> 99                           unfrag_ip6hlen + tnl_hlen;
>
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
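
The defect class in the three CIDs above, as an added userspace example (not code from the kernel or from this thread): a function that returns a negative errno has its result stored in an unsigned variable, so the `< 0` check is dead and the error value is used as a length. `find_1stfragopt()`, the `payload_off_*` helpers and `sample_pkt` are hypothetical names; the header walk is a simplified stand-in that returns the unfragmentable length or `-EINVAL` when the extension-header chain overruns the packet.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

enum { NEXTHDR_HOP = 0, NEXTHDR_ROUTING = 43, NEXTHDR_DEST = 60 };
enum { IPV6_HDR_LEN = 40, FRAG_HDR_LEN = 8 };

/* Constructed sample: IPv6 header, one 8-byte hop-by-hop header, then UDP (17). */
static const uint8_t sample_pkt[48] = { [6] = NEXTHDR_HOP, [40] = 17 };

/* Simplified stand-in for ip6_find_1stfragopt() (assumption, not kernel code). */
static int find_1stfragopt(const uint8_t *pkt, size_t len)
{
    size_t off = IPV6_HDR_LEN;
    if (len < IPV6_HDR_LEN)
        return -EINVAL;
    uint8_t nh = pkt[6];                   /* Next Header field of the IPv6 header */
    while (nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING || nh == NEXTHDR_DEST) {
        if (off + 8 > len)
            return -EINVAL;                /* truncated extension header */
        nh = pkt[off];
        off += ((size_t)pkt[off + 1] + 1) * 8;
    }
    return off > len ? -EINVAL : (int)off;
}

#pragma GCC diagnostic ignored "-Wtype-limits" /* GCC reports the same dead test */
/* Flagged pattern: unsigned variable, so the error branch can never run. */
static long long payload_off_unsigned(const uint8_t *pkt, size_t len)
{
    unsigned int hlen = find_1stfragopt(pkt, len);
    if (hlen < 0)
        return (int)hlen;
    return (long long)hlen + FRAG_HDR_LEN; /* -EINVAL is used as a huge length */
}

/* Signed variable: the negative return is seen and propagated. */
static long long payload_off_signed(const uint8_t *pkt, size_t len)
{
    int hlen = find_1stfragopt(pkt, len);
    if (hlen < 0)
        return hlen;
    return hlen + FRAG_HDR_LEN;
}

int main(void)
{
    printf("unsigned: %lld  signed: %lld\n", payload_off_unsigned(sample_pkt, 40), payload_off_signed(sample_pkt, 40));
    return 0;
}
```

Passing a length of 40 truncates the sample so the walk fails; building with `-Wextra` and without the pragma makes GCC report the comparison at compile time.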



