New Defects reported by Coverity Scan for ubuntu-yakkety-kernel
Po-Hsu Lin (Sam)
po-hsu.lin at canonical.com
Fri Jun 9 07:34:57 UTC 2017
I've sent out the patch for this, "[T/X/Y/Z SRU] ipv6: Check
ip6_find_1stfragopt() return value properly"
Thanks for highlighting this issue.
On Thu, Jun 8, 2017 at 7:16 PM, Po-Hsu Lin (Sam)
<po-hsu.lin at canonical.com> wrote:
> Looks like this issue was induced by the patch for CVE-2017-9074
> And can be fixed by upstream commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531
>
> "ipv6: Check ip6_find_1stfragopt() return value properly. "
>
> On Thu, Jun 8, 2017 at 6:44 PM, Colin Ian King <colin.king at canonical.com> wrote:
>> FYI
>>
>> Regression found in static analysis of Yakkety. Same applies for Xenial
>> too.
>>
>>
>> -------- Forwarded Message --------
>> Subject: New Defects reported by Coverity Scan for ubuntu-yakkety-kernel
>> Date: Thu, 08 Jun 2017 03:10:30 -0700
>> From: scan-admin at coverity.com
>> To: colin.king at canonical.com
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to
>> ubuntu-yakkety-kernel found with Coverity Scan.
>>
>> 3 new defect(s) introduced to ubuntu-yakkety-kernel found with Coverity
>> Scan.
>>
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 3 of 3 defect(s)
>>
>>
>> ** CID 1436351: Control flow issues (NO_EFFECT)
>> /net/ipv6/ip6_output.c: 574 in ip6_fragment()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1436351: Control flow issues (NO_EFFECT)
>> /net/ipv6/ip6_output.c: 574 in ip6_fragment()
>> 568 int hroom, troom;
>> 569 __be32 frag_id;
>> 570 int ptr, offset = 0, err = 0;
>> 571 u8 *prevhdr, nexthdr = 0;
>> 572
>> 573 hlen = ip6_find_1stfragopt(skb, &prevhdr);
>>>>> CID 1436351: Control flow issues (NO_EFFECT)
>>>>> This less-than-zero comparison of an unsigned value is never true. "hlen < 0U".
>> 574 if (hlen < 0) {
>> 575 err = hlen;
>> 576 goto fail;
>> 577 }
>> 578 nexthdr = *prevhdr;
>> 579
>> ** CID 1436352: Control flow issues (NO_EFFECT)
>> /net/ipv6/ip6_offload.c: 117 in ipv6_gso_segment()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1436352: Control flow issues (NO_EFFECT)
>> /net/ipv6/ip6_offload.c: 117 in ipv6_gso_segment()
>> 111 payload_len = skb->len - nhoff - sizeof(*ipv6h);
>> 112 ipv6h->payload_len = htons(payload_len);
>> 113 skb->network_header = (u8 *)ipv6h - skb->head;
>> 114
>> 115 if (udpfrag) {
>> 116 unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
>>>>> CID 1436352: Control flow issues (NO_EFFECT)
>>>>> This less-than-zero comparison of an unsigned value is never true. "unfrag_ip6hlen < 0U".
>> 117 if (unfrag_ip6hlen < 0)
>> 118 return ERR_PTR(unfrag_ip6hlen);
>> 119 fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
>> 120 fptr->frag_off = htons(offset);
>> 121 if (skb->next)
>> 122 fptr->frag_off |= htons(IP6_MF);
>>
>> ** CID 1436353: Control flow issues (NO_EFFECT)
>> /net/ipv6/udp_offload.c: 94 in udp6_ufo_fragment()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 1436353: Control flow issues (NO_EFFECT)
>> /net/ipv6/udp_offload.c: 94 in udp6_ufo_fragment()
>> 88 }
>> 89
>> 90 /* Find the unfragmentable header and shift it left by frag_hdr_sz
>> 91 * bytes to insert fragment header.
>> 92 */
>> 93 unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
>>>>> CID 1436353: Control flow issues (NO_EFFECT)
>>>>> This less-than-zero comparison of an unsigned value is never true. "unfrag_ip6hlen < 0U".
>> 94 if (unfrag_ip6hlen < 0)
>> 95 return ERR_PTR(unfrag_ip6hlen);
>> 96 nexthdr = *prevhdr;
>> 97 *prevhdr = NEXTHDR_FRAGMENT;
>> 98 unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
>> 99 unfrag_ip6hlen + tnl_hlen;
>>
>>
>> ________________________________________________________________________________________________________
>> To view the defects in Coverity Scan visit,
>> https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRZd8m-2BCYS83Gpc6CPaqTQF1bJMwOn9jMy3ALwpQ6CGNIiBJA8TxCf2QESwot41Sh-2Fg-3D_OFgvmg1J6naJevMotmPmRlTuZxP1uJqXcOMG9f4qAi7ndiJYVrD-2BytRHYZGrccOzOCbdMS5qdFltU-2FvvVPPXv3muyTAzmgiQASYJCdELwh88Ldo93w335Yw4smU0X1DC-2BGVcbK3oVJDnvuUUSTvjD4ZQ6QJE1GOBnEnn3E5Lr1QNItT8rxmPORfS0z2-2FUktX0F5qJ6vDXmE-2B9ILSr9tVFq2NFvQW0-2FiTI0bUAkFIfxY-3D
>>
>>
>>
>> --
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
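The NO_EFFECT pattern reported in all three CIDs above, reduced to a user-space model. This is an added example, not kernel code and not the upstream patch. find_1stfragopt_model(), the hlen_* helpers and the sample packets are hypothetical stand-ins, and the model only checks for a complete 40-byte IPv6 header rather than walking extension headers.

```c
/* User-space model of the flagged pattern; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_IPV6_HDR_LEN 40   /* size of the fixed IPv6 header */

/* Constructed sample inputs: a truncated packet and a header-sized one. */
static const unsigned char short_pkt[8] = { 0x60 };
static const unsigned char full_pkt[MODEL_IPV6_HDR_LEN] = { 0x60 };

/* Hypothetical stand-in for ip6_find_1stfragopt(): header length on
 * success, negative errno when the packet cannot be parsed. */
static int find_1stfragopt_model(const unsigned char *pkt, size_t len)
{
    if (pkt == NULL || len < MODEL_IPV6_HDR_LEN)
        return -EINVAL;
    return MODEL_IPV6_HDR_LEN;
}

/* Flagged form: the result is stored unsigned, so the error check is dead
 * code and the converted errno is handed on as a header length. */
static long long hlen_flagged(const unsigned char *pkt, size_t len)
{
    unsigned int hlen = find_1stfragopt_model(pkt, len);

    if (hlen < 0)               /* never true for an unsigned value */
        return (int)hlen;
    return hlen;                /* close to UINT_MAX on the error path */
}

/* Corrected form: test the signed return value before using it. */
static long long hlen_checked(const unsigned char *pkt, size_t len)
{
    int ret = find_1stfragopt_model(pkt, len);

    if (ret < 0)
        return ret;             /* error reaches the caller */
    return (unsigned int)ret;   /* safe: known to be non-negative */
}

int main(void)
{
    printf("flagged: %lld\n", hlen_flagged(short_pkt, sizeof short_pkt));
    printf("checked: %lld\n", hlen_checked(short_pkt, sizeof short_pkt));
    return 0;
}
```

Building with -Wextra (GCC enables -Wtype-limits there) reports the dead comparison at compile time, which is the same condition Coverity describes.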