Closed
Bug 1234524
Opened 9 years ago
Closed 8 years ago
[CID 221866][CID 748522] unchecked return values in sdb.c
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(firefox46 affected)
RESOLVED
FIXED
3.25
Tracking | Status | |
---|---|---|
firefox46 | --- | affected |
People
(Reporter: franziskus, Assigned: mds)
References
(Blocks 1 open bug)
Details
(Keywords: coverity, Whiteboard: CID221866,CID748522)
Attachments
(1 file, 5 obsolete files)
964 bytes,
patch
|
wtc
:
review+
franziskus
:
feedback+
|
Details | Diff | Splinter Review |
Unchecked return values in sdb_init and sdb_measureAccess in sdb.c
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → michelangelo
Assignee | ||
Comment 1•8 years ago
|
||
Hey Franziskus would you please paste Coverity's lament here?:)
Reporter | ||
Comment 2•8 years ago
|
||
369 /* no directory, just return one */ 1. Condition directory == NULL, taking false branch 370 if (directory == NULL) { 371 return 1; 372 } 373 374 /* our calculation assumes time is a 4 bytes == 32 bit integer */ 2. Condition 1 /* sizeof (time) == 4 */, taking true branch 375 PORT_Assert(sizeof(time) == 4); 376 377 directoryLength = strlen(directory); 378 379 maxTempLen = directoryLength + strlen(doesntExistName) 380 + 1 /* potential additional separator char */ 381 + 11 /* max chars for 32 bit int plus potential sign */ 382 + 1; /* zero terminator */ 383 384 temp = PORT_Alloc(maxTempLen); 3. Condition !temp, taking false branch 385 if (!temp) { 386 return 1; 387 } 388 389 /* We'll copy directory into temp just once, then ensure it ends 390 * with the directory separator, then remember the position after 391 * the separator, and calculate the number of remaining bytes. */ 392 393 strcpy(temp, directory); 4. Condition directory[directoryLength - 1] != PR_GetDirectorySeparator(), taking true branch 394 if (directory[directoryLength - 1] != PR_GetDirectorySeparator()) { 395 temp[directoryLength++] = PR_GetDirectorySeparator(); 396 } 397 tempStartOfFilename = temp + directoryLength; 398 maxFileNameLen = maxTempLen - directoryLength; 399 400 /* measure number of Access operations that can be done in 33 milliseconds 401 * (1/30'th of a second), or 10000 operations, which ever comes first. 402 */ 403 time = PR_IntervalNow(); 5. Condition i < 10000U, taking true branch 404 for (i=0; i < 10000u; i++) { 405 PRIntervalTime next; 406 407 /* We'll use the variable part first in the filename string, just in 408 * case it's longer than assumed, so if anything gets cut off, it 409 * will be cut off from the constant part. 410 * This code assumes the directory name at the beginning of 411 * temp remains unchanged during our loop. */ 412 PR_snprintf(tempStartOfFilename, maxFileNameLen, 413 ".%lu%s", (PRUint32)(time+i), doesntExistName); CID 221866 (#1 of 1): Unchecked return value (CHECKED_RETURN)6. check_return: Calling PR_Access without checking return value (as is done elsewhere 14 out of 15 times). 414 PR_Access(temp,PR_ACCESS_EXISTS); 415 next = PR_IntervalNow(); 416 delta = next - time; 417 if (delta >= duration) 418 break; 419 } 1722 LOCK_SQLITE(); 1. Condition PR_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS, taking true branch 1723 create = (PR_Access(dbname, PR_ACCESS_EXISTS) != PR_SUCCESS); 2. Condition flags == 1, taking false branch 1724 if ((flags == SDB_RDONLY) && create) { 1725 error = sdb_mapSQLError(type, SQLITE_CANTOPEN); 1726 goto loser; 1727 } 1728 sqlerr = sdb_openDB(dbname, &sqlDB, flags); 3. Condition sqlerr != 0, taking false branch 1729 if (sqlerr != SQLITE_OK) { 1730 error = sdb_mapSQLError(type, sqlerr); 1731 goto loser; 1732 } 1733 /* sql created the file, but it doesn't set appropriate modes for 1734 * a database */ 4. Condition create, taking true branch 1735 if (create) { 1736 /* NO NSPR call for this? :( */ CID 748522 (#1 of 1): Unchecked return value from library (CHECKED_RETURN)5. check_return: Calling chmod(dbname, 384U) without checking return value. This library function may fail and return an error code. 1737 chmod (dbname, 0600); 1738 }
Assignee | ||
Comment 3•8 years ago
|
||
Assignee | ||
Comment 4•8 years ago
|
||
Comment on attachment 8736039 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c (In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #2) > CID 221866 (#1 of 1): Unchecked return value (CHECKED_RETURN)6. > check_return: Calling PR_Access without checking return value (as is done > elsewhere 14 out of 15 times). > 414 PR_Access(temp,PR_ACCESS_EXISTS); Hey Franziskus, this call here is the actuall core of the function and pretty clearly a false positive: we only need to execute the function to check its running time but we're not interested in its result. We could of course have a PR_Bool but I'm unsure whether putting something else on the frame would make sense. Is there a way to mark this as a false-positive in Coverity? > CID 748522 (#1 of 1): Unchecked return value from library > (CHECKED_RETURN)5. check_return: Calling chmod(dbname, 384U) without > checking return value. This library function may fail and return an error > code. > 1737 chmod (dbname, 0600); > 1738 } OTOH this looks legit: I've embedded the function within a condition; what do you think about it? I didn't put the patch up for review yet because of the previous false-positive.
Attachment #8736039 -
Flags: feedback?(franziskuskiefer)
Reporter | ||
Comment 5•8 years ago
|
||
Comment on attachment 8736039 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c Review of attachment 8736039 [details] [diff] [review]: ----------------------------------------------------------------- the second part looks good to me. to the first: > > > CID 221866 (#1 of 1): Unchecked return value (CHECKED_RETURN)6. > > check_return: Calling PR_Access without checking return value (as is done > > elsewhere 14 out of 15 times). > > 414 PR_Access(temp,PR_ACCESS_EXISTS); > > this call here is the actuall core of the function and pretty clearly a false positive: we only need to execute the function to check its running time but we're not interested in its result. We could of course have a PR_Bool but I'm unsure whether putting something else on the frame would make sense. yes we can mark things as false positive but I'm not sure if this is the case here (I'd prefer a check but read on). If access fails PR_Access returns PR_FAILURE. However, I'm not entirely sure what to do if that happens. Without checking the return value the call is a bit pointless. It looks like the purpose of the function is to measure how fast the access is. This is only used in [1], which compares two values produced by this function. So adding a check for the result shouldn't hurt but I don't know what to do after checking it. Breaking would skew the result. If you don't have a better idea I'll mark it as false positive. [1] https://dxr.mozilla.org/nss/source/nss/lib/softoken/sdb.c#1887
Attachment #8736039 -
Flags: feedback?(franziskuskiefer) → feedback+
Assignee | ||
Comment 6•8 years ago
|
||
sdb_measureAccess is also being used in s_open(...) (other than in sdb_init(...)). The sole purpose of the function is measuring the average access times for non-existing files: it does that - if I understood - by counting how many new files it can access(2) in 33ms. Hence, the higher the return of sdb_measureAccess, the faster the performance => the more convenient the proposed directory. The whole point is for access(2) to fail: if - by any chance - the function returns 0, it'd mean that sdb_measureAccess() would have hit an existing file, invalidating its semantics. If I got the picture right, my suggestion is: check for PR_Access():414 return value, and if IT SUCCEEDS (unlikely), return 1u to signal a bad choice. No impact on the callers. Otherwise we can slightly change its syntax by using the usual POSIX way and have it return negative values in case of unforeseen errors, and check those cases in the two callers in sdb.c. (Or just mark it as false-positive and forget it :-))
Reporter | ||
Comment 7•8 years ago
|
||
Comment on attachment 8736039 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c Review of attachment 8736039 [details] [diff] [review]: ----------------------------------------------------------------- marked CID 221866 as intentional. let's land this one
Attachment #8736039 -
Flags: review+
Reporter | ||
Comment 8•8 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/6c3d7cb5178a
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.24
Reporter | ||
Comment 9•8 years ago
|
||
I should've tested before. This fails many tests. I suspect that chmod actually fails here but we never cared. backed out: https://hg.mozilla.org/projects/nss/rev/2ab0ad981a4b
Status: RESOLVED → REOPENED
Flags: needinfo?(michelangelo)
Resolution: FIXED → ---
Assignee | ||
Comment 10•8 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #9) > I should've tested before. This fails many tests. I suspect that chmod > actually fails here but we never cared. It wasn't up for review yet, indeed.;):) I'm gonna check it and upload a formal patch.
Flags: needinfo?(michelangelo)
Assignee | ||
Comment 11•8 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #9) > I should've tested before. This fails many tests. I suspect that chmod > actually fails here but we never cared. I've just run the whole suite locally and there's no failure, at least locally: would you please point me to what failure you saw? I've run everything on a Linux x86_64 with USE_64.
Assignee | ||
Comment 12•8 years ago
|
||
Assignee | ||
Updated•8 years ago
|
Attachment #8736039 -
Attachment is obsolete: true
Assignee | ||
Comment 13•8 years ago
|
||
Comment on attachment 8737463 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c (In reply to Michelangelo De Simone from comment #11) > I've just run the whole suite locally and there's no failure Nevermind, I was wrong: I had at least 30 tests failing too. Let me know what you think about this. Thanks!
Attachment #8737463 -
Flags: review?(franziskuskiefer)
Reporter | ||
Comment 14•8 years ago
|
||
Comment on attachment 8737463 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c Review of attachment 8737463 [details] [diff] [review]: ----------------------------------------------------------------- this looks better and passes all tests for me.
Attachment #8737463 -
Flags: review?(franziskuskiefer) → review+
Assignee | ||
Comment 15•8 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #14) > this looks better and passes all tests for me. Thanks!
Keywords: checkin-needed
Reporter | ||
Comment 16•8 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/c719ec548096
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•8 years ago
|
Keywords: checkin-needed
Comment 17•8 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #16) > https://hg.mozilla.org/projects/nss/rev/c719ec548096 This is suspected to be causing Android test failures, see this try build, which has crashes in softokn: https://hg.mozilla.org/projects/nss/rev/c719ec548096 I propose to backout, reopen and prior to committing again, verify the effects of the fix with a Firefox try build.
Comment 18•8 years ago
|
||
backed out: https://hg.mozilla.org/projects/nss/rev/e2ec1315ba8d It seems the chmod call has unexpected behaviour on Android.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 19•8 years ago
|
||
Comment on attachment 8737463 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c Review of attachment 8737463 [details] [diff] [review]: ----------------------------------------------------------------- I found a bug that is irrelevant if we decide to ignore the failure of the chmod() call. If we handle chmod() failure, we need to set |error| before goto loser. ::: lib/softoken/sdb.c @@ +1737,5 @@ > + * > + * NO NSPR call for chmod? :( > + */ > + if (create && chmod(dbname, 0600) != 0) { > + goto loser; BUG: at this point, |error| still has the initial value of CKR_OK. Although chmod() is not an SQLite function, we can simulate an SQLite error here: if (create && chmod(dbname, 0600) != 0) { error = sdb_mapSQLError(type, SQLITE_CANTOPEN); goto loser; } or we can directly set |error| to an appropriate PKCS #11 error: if (create && chmod(dbname, 0600) != 0) { error = CKR_DEVICE_ERROR; goto loser; }
Attachment #8737463 -
Flags: review+
Comment 20•8 years ago
|
||
Comment on attachment 8737463 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c Thanks Wan-Teh. I assumed you intended to set this r- (not r+)
Attachment #8737463 -
Flags: review+ → review-
Comment 21•8 years ago
|
||
Kai: yes, thank you.
Assignee | ||
Comment 22•8 years ago
|
||
Assignee | ||
Updated•8 years ago
|
Attachment #8737463 -
Attachment is obsolete: true
Comment 23•8 years ago
|
||
Comment on attachment 8738725 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c Review of attachment 8738725 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc.
Attachment #8738725 -
Flags: review+
Assignee | ||
Comment 24•8 years ago
|
||
(In reply to Wan-Teh Chang from comment #23) > r=wtc. Thanks! I'll finish running the test suite before putting it up for checkin.:)
Assignee | ||
Comment 25•8 years ago
|
||
Assignee | ||
Updated•8 years ago
|
Attachment #8738725 -
Attachment is obsolete: true
Assignee | ||
Updated•8 years ago
|
Keywords: checkin-needed
Reporter | ||
Comment 26•8 years ago
|
||
A try run to see if FF on Android is ok with this https://treeherder.mozilla.org/#/jobs?repo=try&revision=e73a7a7b3426
Assignee | ||
Comment 27•8 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #26) > https://treeherder.mozilla.org/#/jobs?repo=try&revision=e73a7a7b3426 The Linux builds are busted but I'm not sure why...
Reporter | ||
Comment 28•8 years ago
|
||
(In reply to Michelangelo De Simone from comment #27) > (In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #26) > > > https://treeherder.mozilla.org/#/jobs?repo=try&revision=e73a7a7b3426 > > The Linux builds are busted but I'm not sure why... That's probably my fault of not properly merging NSS into m-c... (I tripped over the new libfreeblpriv). But the Android tests look good already. Here another one that looks even better https://treeherder.mozilla.org/#/jobs?repo=try&revision=bedf8d50fa3a
Comment 29•8 years ago
|
||
What's the status of this bug? Is the keyword "checkin-needed" correct? Or is this already resolved? Can you please fix the status? Thank you.
Flags: needinfo?(franziskuskiefer)
Assignee | ||
Comment 30•8 years ago
|
||
AFAIK this should be good to go.
Comment 31•8 years ago
|
||
Comment on attachment 8738781 [details] [diff] [review] Fixing a potentially unsafe chmod call in sdb.c Review of attachment 8738781 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc. I suggest returning a more informative error code than CKR_DEVICE_ERROR by faking the SQLITE_CANTOPEN error. ::: lib/softoken/sdb.c @@ +1737,5 @@ > + * > + * NO NSPR call for chmod? :( > + */ > + if (create && chmod(dbname, 0600) != 0) { > + error = CKR_DEVICE_ERROR; I suggest faking the SQLite error SQLITE_CANTOPEN here: error = sdb_mapSQLError(type, SQLITE_CANTOPEN); This will allow us to return a more informative error code (CKR_NETSCAPE_CERTDB_FAILED or CKR_NETSCAPE_KEYDB_FAILED) than CKR_DEVICE_ERROR.
Attachment #8738781 -
Flags: review+
Reporter | ||
Comment 32•8 years ago
|
||
sorry, forgot to land this one. Landed as https://hg.mozilla.org/projects/nss/rev/bc6d0f4b167b Michelangelo, do you want to do a follow up for this (sorry saw the comment only after pushing)
Flags: needinfo?(franziskuskiefer) → needinfo?(michelangelo)
Assignee | ||
Comment 33•8 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #32) > Michelangelo, do you want to do a follow up for this (sorry saw the comment > only after pushing) I'll follow-up Wan-Teh Chang's suggestion with an incremental change.
Flags: needinfo?(michelangelo)
Assignee | ||
Comment 34•8 years ago
|
||
Assignee | ||
Updated•8 years ago
|
Attachment #8738781 -
Attachment is obsolete: true
Assignee | ||
Updated•8 years ago
|
Attachment #8747954 -
Flags: review?(wtc)
Comment 35•8 years ago
|
||
Comment on attachment 8747954 [details] [diff] [review] More informative error in sdb.c Review of attachment 8747954 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/softoken/sdb.c @@ +1741,5 @@ > + /* > + * A fake SQLITE_CANTOPEN error here sounds like a more > + * informative error for the user. See: > + * https://bugzilla.mozilla.org/show_bug.cgi?id=1234524#c31 > + */ This comment isn't necessary, because we're already faking the SQLITE_CANTOPEN error in two other places in this function.
Attachment #8747954 -
Flags: review?(wtc) → review+
Assignee | ||
Comment 36•8 years ago
|
||
Assignee | ||
Updated•8 years ago
|
Attachment #8747954 -
Attachment is obsolete: true
Assignee | ||
Comment 37•8 years ago
|
||
Comment on attachment 8747996 [details] [diff] [review] More informative error in sdb.c Incremental change proposed and r='ed by wtc. Franziskus, would you please check this one in too before marking the bug FIXED (granted everything is alright)? Thanks!
Attachment #8747996 -
Flags: feedback?(franziskuskiefer)
Comment 38•8 years ago
|
||
Comment on attachment 8747996 [details] [diff] [review] More informative error in sdb.c Review of attachment 8747996 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc. Thanks.
Attachment #8747996 -
Flags: review+
Reporter | ||
Updated•8 years ago
|
Attachment #8747996 -
Flags: feedback?(franziskuskiefer) → feedback+
Reporter | ||
Comment 39•8 years ago
|
||
thanks, landed as https://hg.mozilla.org/projects/nss/rev/5b1295e84637
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•8 years ago
|
Target Milestone: 3.24 → 3.25
Updated•8 years ago
|
Keywords: checkin-needed
You need to log in
before you can comment on or make changes to this bug.
Description
•