Brainy>>

NetBSD

Creation: 10-05-2013 | Update: 30-10-2014

71 bugs fixed, 1 vulnerability.

27/06/2013

RED: #16, important
ORANGE: #3, not very important
GREEN: #19, solved

# 01 SYS/ARCH/
0x01 FALSE POSITIVE|UNINITIALIZED VARIABLE: acorn26/acorn26/cpu.c rev1.28
     At l.156, if (setjmp(&undef_jmp) != 0), 'id' is not initialized at l.166.
0x02 FIXED-rev1.10|LEAK: alpha/eisa/eisa_machdep.c rev1.9
     At l.267, 'ecuio' is leaked in the loop.
0x03 FIXED-rev1.4|UNINITIALIZED VARIABLE: ia64/stand/common/fileload.c rev1.3
     At l.96, 'error' may not be initialized.
0x04 FIXED-rev1.9|LEAK: mipsco/stand/installboot/installboot.c rev1.8
     At l.185, 'boot_code' is never freed.
0x05 FIXED-rev1.19|LEAK: sgimips/stand/sgivol/sgivol.c rev1.18
     At l.532, 'fp' is leaked.
0x06 FIXED-rev1.26|OVERLAP: prep/prep/autoconf.c rev1.25
     At lines 168, 175, 189, 191, 197, 200, using sprintf() with the same src
     and dest can result in undefined behavior.

# 02 SYS/DEV/
0x01 FIXED-rev1.27|UNINITIALIZED VARIABLE: hpc/hpf1275a_tty.c rev1.26
     At l.332, 'sc' is not initialized, and does not even seem to be used.
0x02 FIXED-rev1.49|UNINITIALIZED VARIABLE: ic/mfi.c rev1.48
     At l.373, if (sc->sc_ioptype != MFI_IOP_TBOLT), 'io_req_base_phys' is not
     initialized at l.417.
0x03 FIXED-rev1.49|UNINITIALIZED VARIABLE: ic/mfi.c rev1.48
     At l.373, if (sc->sc_ioptype != MFI_IOP_TBOLT), 'io_req_base' is not
     initialized at l.415.
0x04 FIXED-rev1.40|OVERLAP: ic/opl.c rev1.39
     At l.161, using snprintf() with the same src and dest can result in
     undefined behavior.
0x05 FIXED-rev1.22|UNINITIALIZED VARIABLE: pci/pm2fb.c rev1.21
     From l.1351 to l.1356, 'n' is not initialized.
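The OVERLAP entries (0x06 in SYS/ARCH/ above and 0x04 in this section) flag the same pattern. The following C example is added here and is not code from the Brainy report or from the NetBSD tree; the device-name strings, the buffer size and the two helper functions are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the Brainy report or the NetBSD tree. It
 * shows the OVERLAP class: formatting into a buffer that is also one of the
 * format's source arguments. C99 7.19.6.6 makes copying between overlapping
 * objects undefined, so the result may be right, truncated or garbled.
 * The flagged shape, in comments only:
 *
 *   char name[64] = "wd";
 *   sprintf(name, "%s%d", name, 0);                 // name is dest and source
 *   snprintf(name, sizeof name, "%s at %s", name, "pci0"); // same problem
 *
 * The two functions below are safe spellings of the same intent.
 */

/* Append suffix at the current end of buf. The destination region starts at
 * buf + strlen(buf) and never overlaps the suffix argument.
 * Returns 0 on success, -1 if the result would not fit. */
int append_fmt(char *buf, size_t len, const char *suffix)
{
    size_t used = strlen(buf);
    if (used >= len)
        return -1;
    int n = snprintf(buf + used, len - used, "%s", suffix);
    return (n < 0 || (size_t)n >= len - used) ? -1 : 0;
}

/* Rebuild the whole string in a separate temporary, then copy it back, so
 * every snprintf() argument is disjoint from its destination. */
int rebuild_name(char *buf, size_t len, const char *bus, int unit)
{
    char tmp[64];   /* assumed maximum name length for illustration */
    int n = snprintf(tmp, sizeof tmp, "%s at %s%d", buf, bus, unit);
    if (n < 0 || (size_t)n >= sizeof tmp || (size_t)n >= len)
        return -1;
    memcpy(buf, tmp, (size_t)n + 1);
    return 0;
}

int main(void)
{
    char name[64] = "wd";
    if (append_fmt(name, sizeof name, "0") == 0 &&
        rebuild_name(name, sizeof name, "atabus", 1) == 0)
        puts(name);                          /* wd0 at atabus1 */
    return 0;
}
```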

# 03 SYS/FS/ - with optimization rules
0x01 FIXED-rev1.3|LEAK: v7fs/v7fs_io.c rev1.2
     At l.99, 'buf' is leaked.
0x02 FIXED-rev1.50|USELESS INITIALIZATION: ntfs/ntfs_subr.c rev1.49
     At l.1789, it's useless to assign a value to the variable 'off' as it is
     reassigned at l.1811.

# 04 SYS/KERN/ - with optimization rules
0x01 FALSE POSITIVE|UNINITIALIZED VARIABLE: kern_sysctl.c rev1.243
     At l.1737, if (newp == NULL), 'dnode' is not initialized at l.1875.
0x02 FIXED-rev1.464|UNINITIALIZED VARIABLE: vfs_syscalls.c rev1.463
     At l.3188, if (vp->v_type != VLNK), 'auio' is not initialized at l.3204.
     It has already been fixed in OpenBSD, so you should have a look here.
0x03 FIXED-rev1.227|USELESS INITIALIZATION: subr_autoconf.c rev1.226
     At l.244, it's useless to assign a value to the variable 'i' as it is
     reassigned at l.246.
0x04 FIXED-rev1.245|USELESS INITIALIZATION: vfs_bio.c rev1.244
     At l.1439, it's useless to assign a value to the variable 'size' as it is
     reassigned at l.1448.

# 05 SYS/NFS/
0x01 FALSE POSITIVE|UNINITIALIZED VARIABLE: nfs_serv.c rev1.165
     At l.741, 'mb' is used but is not initialized. It looks like you will
     have to revert lines 741 and 742.

# 06 LIBEXEC/TELNETD/
0x01 FIXED-rev1.47|PTR DEREFERENCE: sys_term.c rev1.46
     At l.703, 'nargv' is not null-checked. It seems that someone mistakenly
     put 'argv' instead of 'nargv' at l.705. It can cause crashes.

~ 2014

0x01 FIXED-rev1.4|DEAD CODE: sys/dev/acpi/tpm_acpi.c rev1.3
     At l.190, some braces ({}) are missing. The function always jumps to 'out1'.
0x02 FIXED-rev1.21|UNINITIALIZED VARIABLE: sys/arch/arm/ep93xx/epclk.c rev1.20
     At l.157, 'first_run' may not be initialized.
0x03 FIXED-rev1.156|LEAK: sys/netinet/if_arp.c rev1.155
     At l.1477, 'm' is leaked.

28/07/2014

RED: #20, important
ORANGE: #6, not very important
GREEN: #26, solved
PURPLE: #21, pulled up to NetBSD-7

# 01 SYS/ALTQ
0x01 NetBSD-7|FIXED-rev1.7|LEAK: sys/altq/altq_jobs.c rev1.6
     Leak of 'result' with malloc() at l.1161.
0x02 NetBSD-7|FIXED-rev1.7|LEAK: sys/altq/altq_jobs.c rev1.6
     Leak of 'result', 'c', 'n', 'k' with malloc() from l.1286 to l.1299.

# 02 SYS/DEV
0x01 NetBSD-7|FIXED-rev1.14|LEAK: sys/dev/ic/oosiop.c rev1.13
     Leak of 'cb' with malloc() at l.272.
0x02 NetBSD-7|FIXED-rev1.72|LEAK: sys/dev/rasops/rasops.c rev1.71
     Leak of 'f' with malloc() at l.1357.
0x03 NetBSD-7|FIXED-rev1.20|LEAK: sys/dev/if_ndis/if_ndis_pci.c rev1.19
     Leak of 'rl' with malloc() at l.363.
0x04 NetBSD-7|FIXED-rev1.17|LEAK: sys/dev/dm/dm_target_snapshot.c rev1.16
     Leak of 'tsc' with kmem_alloc() at l.236.
0x05 NetBSD-7|FIXED-rev1.21|LEAK: sys/dev/dm/dm_target_stripe.c rev1.19
     Leak of 'tsc' and 'tlc' with kmem_alloc() at l.160.
0x06 NetBSD-7|FIXED-rev1.20|LEAK: sys/dev/dm/dm_target_stripe.c rev1.19
     Leak of 'params' with kmem_alloc() at l.187.
0x07 NetBSD-7|FIXED-rev1.73|LEAK: sys/dev/qbus/if_qe.c rev1.72
     Leak of 'ring' with malloc() at l.165.
0x08 NetBSD-7|FIXED-rev1.31|PARSER BUG: sys/dev/vme/if_ie_vme.c rev1.30
     My code scanner bugged when parsing line 427; it looks like a typo:
     sizeof(sizeof(struct ievme))

# 03 SYS/NET*
0x01 NetBSD-7|FIXED-rev1.158|LEAK: sys/net/if_gre.c rev1.157
     Leak of 'sc' with malloc() at l.307.
0x02 NetBSD-7|FIXED-rev1.158|LEAK: sys/netinet6/ip6_output.c rev1.157
     Leak of 'optbuf' with malloc() at l.1602.

# 04 SYS/{FS/UFS}
0x01 NetBSD-7|FIXED-rev1.45|UNINITIALIZED VAR: sys/fs/smbfs/smbfs_smb.c rev1.44
     Uninitialized var 'rqp' at l.781.
0x02 NetBSD-7|FIXED-rev1.65|UNUSED MACRO: sys/ufs/ext2fs/ext2fs_readwrite.c rev1.64
     Unused macros 'doclusterread' and 'doclusterwrite'.
0x03 NetBSD-7|FIXED-rev1.5|LEAK: sys/ufs/chfs/chfs_scan.c rev1.4
     Leak of 'buf' with kmem_alloc() at l.447.
0x04 NetBSD-7|FIXED-rev1.4|LEAK: sys/ufs/chfs/ebh.c rev1.3
     Leak of 'peb' with kmem_alloc() at l.832 and l.860.
0x05 NetBSD-7|FIXED-rev1.9|LEAK: sys/ufs/chfs/chfs_readinode.c rev1.8
     Leak of 'buf' with kmem_alloc() at l.805.
0x06 NetBSD-7|FIXED-rev1.11|LEAK: sys/ufs/chfs/chfs_vnode.c rev1.10
     Leak of 'buf' with kmem_alloc() at l.98.
0x07 NetBSD-7|FIXED-rev1.6|LEAK: sys/ufs/chfs/chfs_gc.c rev1.5
     Leak of 'data' with kmem_alloc() at l.729.

# 05 SYS/KERN
0x01 FIXED-rev1.4|POINTLESS CAST: sys/kern/kern_ctf.c rev1.3
     Pointless cast of 'ctfaddr' to 'uint8_t' at l.207.
0x02 FIXED-rev1.28|POINTLESS CAST: sys/kern/kgdb_stub.c rev1.27
     Pointless cast of 'len' to 'size_t' at l.468 and l.499.
0x03 FIXED-rev1.164|POINTLESS CAST: sys/kern/sys_process.c rev1.163
     Pointless cast of 'kl' to 'size_t' at l.1014.
0x04 FIXED-rev1.228|POINTLESS CAST: sys/kern/kern_descrip.c rev1.225
     Pointless cast of 'lastfile' to 'int' at l.1460.
0x05 FIXED-rev1.165|POINTLESS CAST: sys/kern/kern_ktrace.c rev1.164
     Pointless cast of 'user_dta' to 'void' at l.933.

# 06 SYS/COMPAT
0x01 NetBSD-7|FIXED-rev1.70|EMPTY COMPILER BLOCK: sys/compat/svr4/svr4_stat.c rev1.69
     Empty compiler block at l.480.

# 07 SYS/RUMP
0x01 NetBSD-7|FIXED-rev1.130|LEAK: sys/rump/librump/rumpvfs/rumpfs.c rev1.129
     Leak of 'rfsmp' with kmem_alloc() at l.1744.

20/09/2014

RED: #33, important
GREEN: #32, solved
PURPLE: #17, pulled up to NetBSD-7

# 01 SYS/ARCH
0x01 NetBSD-7|FIXED-rev1.62|DEAD CODE: sys/arch/amiga/amiga/disksubr.c rev1.61
     Dead code at l.569.
0x02 NetBSD-7|FIXED-rev1.43|DEAD CODE: sys/arch/amiga/dev/siop2.c rev1.42
     Dead code at l.1258.
0x03 NetBSD-7|FIXED-rev1.69|DEAD CODE: sys/arch/amiga/dev/siop.c rev1.68
     Dead code at l.1129.
0x04 NetBSD-7|FIXED-rev1.300|DEAD CODE: sys/arch/arm/arm32/pmap.c rev1.297
     Dead code at l.6233.
0x05 FIXED-rev1.21|LEAK: sys/arch/arm/iomd/iomd_irqhandler.c rev1.20
     Leak of 'ih' with malloc() at l.360.
0x06 FIXED-rev1.21|LEAK: sys/arch/arm/ofw/ofw_irqhandler.c rev1.20
     Leak of 'ih' with malloc() at l.305.
0x07 FIXED-rev1.27|LEAK: sys/arch/shark/isa/isa_irqhandler.c rev1.26
     Leak of 'ih' with malloc() at l.324.
0x08 FIXED-rev1.25|LEAK: sys/arch/atari/atari/intr.c rev1.23
     Leak of 'ih' with malloc() at l.136.
0x09 FIXED-rev1.14|LEAK: sys/arch/ews4800mips/sbd/fb_sbdio.c rev1.13
     Leak of 'ri' with malloc() at l.157.
0x10 FIXED-rev1.34|LEAK: sys/arch/hpcmips/tx/tx39icu.c rev1.33
     Leak of 'p' with malloc() at l.657.
0x11 NetBSD-7|FIXED-rev1.41|SAME RUNTIME BRANCH: sys/arch/m68k/m68k/db_disasm.c rev1.40
     Same runtime branch at l.1186 and l.1192.
0x12 NetBSD-7|FIXED-rev1.41|SAME RUNTIME BRANCH: sys/arch/m68k/m68k/db_disasm.c rev1.40
     Same runtime branch at l.1244 and l.1250.
0x13 NetBSD-7|FIXED-rev1.19|DEAD CODE: sys/arch/mvme68k/stand/installboot/installboot.c rev1.18
     Dead code at l.221.
0x14 NetBSD-7|FIXED-rev1.13|DEAD CODE: sys/arch/news68k/news68k/bus_space.c rev1.12
     Dead code at l.66.
0x15 NetBSD-7|FIXED-rev1.9|DEAD CODE: sys/arch/newsmips/stand/boot/netif_news.c rev1.8
     Dead code at l.195.
0x16 FIXED-rev1.327|LEAK: sys/arch/sparc/sparc/machdep.c rev1.326
     Leak of 'mlist' with malloc() at l.1382.
0x17 FIXED-rev1.119|LEAK: sys/arch/sparc64/dev/psycho.c rev1.118
     Leak of 'ih' with malloc() at l.1345.
0x18 FIXED-rev1.19|LEAK: sys/arch/sparc64/dev/schizo.c rev1.31
     Leak of 'pbm' with kmem_zalloc() at l.198.
0x19 FIXED-rev1.279|LEAK: sys/arch/sparc64/sparc64/machdep.c rev1.278
     Leak of 'pglist' with malloc() at l.1441.
0x20 FIXED-rev1.22|LEAK: sys/arch/sun68k/sun68k/bus.c rev1.21
     Leak of 'mlist' with malloc() at l.270.
0x21 FIXED-rev1.58|LEAK: sys/arch/x86/x86/ipmi.c rev1.57
     Leak of 'psdr' with malloc() at l.1212.
0x22 NetBSD-7|FIXED-rev1.72|DEAD CODE: sys/arch/x86/x86/x86_autoconf.c rev1.71
     Dead code at l.426.
0x23 FIXED-rev1.49|LEAK: sys/arch/xen/xen/privcmd.c rev1.45
     Leak of 'maddr' with kmem_alloc() at l.364.
0x24 FIXED-rev1.49|LEAK: sys/arch/xen/xen/privcmd.c rev1.45
     Leak of 'maddr' with kmem_alloc() at l.437.
0x25 FIXED-rev1.49|LEAK: sys/arch/xen/xen/privcmd.c rev1.45
     Leak of 'obj' with kmem_alloc() at l.580.

# 02 SYS/COMPAT
0x01 NetBSD-7|FIXED-rev1.29|LEAK: sys/compat/linux/arch/i386/linux_ptrace.c rev1.28
     Leak of 'regs', 'linux_regs', 'fpregs' and 'linux_fpregs' with kmem_alloc() at l.185.
0x02 NetBSD-7|FIXED-rev1.27|LEAK: sys/compat/linux/arch/powerpc/linux_ptrace.c rev1.25
     Leak of 'regs', 'linux_regs', 'fpregs' and 'linux_fpregs' with kmem_alloc() at l.162.

# 03 SYS/DEV
0x01 NetBSD-7|FIXED-rev1.43|DEAD CODE: sys/dev/marvell/if_gfe.c rev1.42
     Dead code at l.2023.
0x02 DEAD CODE: sys/dev/marvell/gtidmac.c rev1.11
     Dead code at l.1826.
0x03 NetBSD-7|FIXED-rev1.16|DEAD CODE: sys/dev/usb/stuirda.c rev1.15
     Dead code at l.178.
0x04 NetBSD-7|FIXED-rev1.4|DEAD CODE: sys/dev/pci/cxgb/cxgb_offload.c rev1.3
     Dead code at l.713.
0x05 NetBSD-7|FIXED-rev1.15|INITIALIZATION INCONSISTENCY: sys/dev/ieee1394/fwcrom.c rev1.14
     Initialization inconsistencies from l.568 to l.571.
0x06 NetBSD-7|FIXED-rev1.51|INITIALIZATION INCONSISTENCY: sys/dev/pci/twa.c rev1.50
     Initialization inconsistency at l.2958.

~ 2014

0x01 FIXED-rev1.31|LEAK: sys/compat/linux/common/linux_uselib.c rev1.30
     Leak of 'vp' with namei_simple_user() at l.116.
0x02 FIXED-rev1.12|LEAK: sys/ufs/chfs/chfs_vfsops.c rev1.11
     Leak of 'pb' with pathbuf_copyin() at l.156.
0x03 FIXED-rev1.35|LEAK: sys/compat/common/vfs_syscalls_30.c rev1.34
     Leak of 'pb' with pathbuf_copyin() at l.360.