[PATCH 00/19] More fixes for resource leaks and warnings

[PATCH 00/19] More fixes for resource leaks and warnings

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Hi,

Another 'small' pile of fixes for various resource leaks, null pointer
dereferencing and out of bounds buffer access found by Coverity.

This is the bulk of these for now. Please notice that I haven't
touched super-ddf.c at all, and that is probably the single biggest
offender. Also note that I haven't addressed a number of warnings in
sysfs.c where we know for sure that files aren't bigger than a given
size. The tool obviously doesn't know this, so it spews warnings when
we strcpy() content we just read. While the code per-ce is probably
safe, we may want to switch to strncpy() just to reduce the noise
ratio?

Cheers,
Jes


Jes Sorensen (19):
  Grow_Add_device(): dev_open() return a negative fd on error
  Grow_addbitmap(): don't try to close a file descriptor which failed
    to open
  Incremental(): Check return value of dev_open() before trying to use
    it
  sysfs_unique_holder(): Check read() return value before using as
    buffer index
  remove_devices(): readlink returns -1 on error
  assemble_container_content(): fix memory leak
  Grow_restart(): free() offsets after use
  Assemble(): don't dup_super() before we need it.
  Detail(): Remember to free 'avail'
  Grow_reshape(): Fix another 'sra' leak
  enough_fd(): remember to free buffer for avail array
  Manage_subdevs(): avoid leaking super
  IncrementalScan(): Fix memory leak
  Managa_ro(): free() mdi before exiting
  Manage_runstop(): Avoid memory leak
  Monitor(): free allocated memory on exit
  bitmap_fd_read(): fix memory leak
  validate_geometry_imsm_volume(): Avoid NULL pointer dereference
  make_parts(): Avoid false positive security warning

 Assemble.c    |    9 +++++++--
 Detail.c      |    3 ++-
 Grow.c        |   19 +++++++++++++------
 Incremental.c |    7 +++++++
 Manage.c      |   56 ++++++++++++++++++++++++++++++++++++++++----------------
 Monitor.c     |    6 ++++++
 bitmap.c      |    3 +++
 mdopen.c      |   14 +++++++-------
 super-intel.c |    4 +++-
 sysfs.c       |    2 ++
 util.c        |    9 +++++----
 11 files changed, 95 insertions(+), 37 deletions(-)

-- 
1.7.6.4

[PATCH 01/19] Grow_Add_device(): dev_open() return a negative fd on error

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Grow.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Grow.c b/Grow.c
index b80f202..9ee22e0 100644
--- a/Grow.c
+++ b/Grow.c
@@ -174,7 +174,7 @@ int Grow_Add_device(char *devname, int fd, char *newdev)
 			return 1;
 		}
 		fd2 = dev_open(dv, O_RDWR);
-		if (!fd2) {
+		if (fd2 < 0) {
 			fprintf(stderr, Name ": cannot open device file %s\n", dv);
 			close(nfd);
 			free(st);
-- 
1.7.6.4

[PATCH 02/19] Grow_addbitmap(): don't try to close a file descriptor which failed to open

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Grow.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/Grow.c b/Grow.c
index 9ee22e0..93a1fba 100644
--- a/Grow.c
+++ b/Grow.c
@@ -442,13 +442,14 @@ int Grow_addbitmap(char *devname, int fd, char *file, int chunk, int delay, int
 			dv = map_dev(disk.major, disk.minor, 1);
 			if (!dv) continue;
 			fd2 = dev_open(dv, O_RDONLY);
-			if (fd2 >= 0 &&
-			    st->ss->load_super(st, fd2, NULL) == 0) {
+			if (fd2 >= 0) {
+				if (st->ss->load_super(st, fd2, NULL) == 0) {
+					close(fd2);
+					st->ss->uuid_from_super(st, uuid);
+					break;
+				}
 				close(fd2);
-				st->ss->uuid_from_super(st, uuid);
-				break;
 			}
-			close(fd2);
 		}
 		if (d == max_devs) {
 			fprintf(stderr, Name ": cannot find UUID for array!\n");
-- 
1.7.6.4

[PATCH 03/19] Incremental(): Check return value of dev_open() before trying to use it

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Incremental.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/Incremental.c b/Incremental.c
index 3596739..bc5e9d0 100644
--- a/Incremental.c
+++ b/Incremental.c
@@ -386,6 +386,12 @@ int Incremental(char *devname, int verbose, int runstop,
 			sprintf(dn, "%d:%d", sra->devs->disk.major,
 				sra->devs->disk.minor);
 			dfd2 = dev_open(dn, O_RDONLY);
+			if (dfd2 < 0) {
+				fprintf(stderr, Name
+					": unable to open %s\n", devname);
+				rv = 2;
+				goto out_unlock;
+			}
 			st2 = dup_super(st);
 			if (st2->ss->load_super(st2, dfd2, NULL) ||
 			    st->ss->compare_super(st, st2) != 0) {
-- 
1.7.6.4

[PATCH 04/19] sysfs_unique_holder(): Check read() return value before using as buffer index

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 sysfs.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/sysfs.c b/sysfs.c
index 05f0118..10e1597 100644
--- a/sysfs.c
+++ b/sysfs.c
@@ -804,6 +804,8 @@ int sysfs_unique_holder(int devnum, long rdev)
 		}
 		n = read(fd, buf, sizeof(buf)-1);
 		close(fd);
+		if (n < 0)
+			continue;
 		buf[n] = 0;
 		if (sscanf(buf, "%d:%d%c", &mj, &mn, &c) != 3 ||
 		    c != '\n') {
-- 
1.7.6.4

[PATCH 05/19] remove_devices(): readlink returns -1 on error

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Manage.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/Manage.c b/Manage.c
index 2d8c916..613a549 100644
--- a/Manage.c
+++ b/Manage.c
@@ -156,7 +156,7 @@ static void remove_devices(int devnum, char *path)
 				sprintf(pe, "%d", part);
 		}
 		n = readlink(path2, link, sizeof(link));
-		if (n && (int)strlen(base) == n &&
+		if (n > 0 && (int)strlen(base) == n &&
 		    strncmp(link, base, n) == 0)
 			unlink(path2);
 	}
-- 
1.7.6.4

[PATCH 06/19] assemble_container_content(): fix memory leak

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Assemble.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/Assemble.c b/Assemble.c
index 4ded58c..05710f5 100644
--- a/Assemble.c
+++ b/Assemble.c
@@ -1527,8 +1527,11 @@ int assemble_container_content(struct supertype *st, int mdfd,
 
 	sra = sysfs_read(mdfd, 0, GET_VERSION);
 	if (sra == NULL || strcmp(sra->text_version, content->text_version) != 0)
-		if (sysfs_set_array(content, md_get_version(mdfd)) != 0)
+		if (sysfs_set_array(content, md_get_version(mdfd)) != 0) {
+			if (sra)
+				sysfs_free(sra);
 			return 1;
+		}
 
 	if (st->ss->external && content->recovery_blocked)
 		block_subarray(content);
-- 
1.7.6.4

[PATCH 07/19] Grow_restart(): free() offsets after use

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Grow.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/Grow.c b/Grow.c
index 93a1fba..af61fc3 100644
--- a/Grow.c
+++ b/Grow.c
@@ -3578,6 +3578,7 @@ int Grow_restart(struct supertype *st, struct mdinfo *info, int *fdlist, int cnt
 			if (verbose)
 				fprintf(stderr, Name ": Error restoring backup from %s\n",
 					devname);
+			free(offsets);
 			return 1;
 		}
 		
@@ -3595,9 +3596,11 @@ int Grow_restart(struct supertype *st, struct mdinfo *info, int *fdlist, int cnt
 			if (verbose)
 				fprintf(stderr, Name ": Error restoring second backup from %s\n",
 					devname);
+			free(offsets);
 			return 1;
 		}
 
+		free(offsets);
 
 		/* Ok, so the data is restored. Let's update those superblocks. */
 
-- 
1.7.6.4

[PATCH 08/19] Assemble(): don't dup_super() before we need it.

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Avoid resource leak in case we bail loop early

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Assemble.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/Assemble.c b/Assemble.c
index 05710f5..3c8e74d 100644
--- a/Assemble.c
+++ b/Assemble.c
@@ -293,7 +293,7 @@ int Assemble(struct supertype *st, char *mddev,
 		char *devname = tmpdev->devname;
 		int dfd;
 		struct stat stb;
-		struct supertype *tst = dup_super(st);
+		struct supertype *tst;
 		struct dev_policy *pol = NULL;
 		int found_container = 0;
 
@@ -306,6 +306,8 @@ int Assemble(struct supertype *st, char *mddev,
 			continue;
 		}
 
+		tst = dup_super(st);
+
 		dfd = dev_open(devname, O_RDONLY|O_EXCL);
 		if (dfd < 0) {
 			if (report_missmatch)
-- 
1.7.6.4

[PATCH 09/19] Detail(): Remember to free 'avail'

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Detail.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/Detail.c b/Detail.c
index c564786..e7d1681 100644
--- a/Detail.c
+++ b/Detail.c
@@ -58,7 +58,7 @@ int Detail(char *dev, int brief, int export, int test, char *homehost)
 
 	int rv = test ? 4 : 1;
 	int avail_disks = 0;
-	char *avail;
+	char *avail = NULL;
 
 	if (fd < 0) {
 		fprintf(stderr, Name ": cannot open %s: %s\n",
@@ -587,6 +587,7 @@ This is pretty boring
 out:
 	close(fd);
 	free(subarray);
+	free(avail);
 	sysfs_free(sra);
 	return rv;
 }
-- 
1.7.6.4

[PATCH 10/19] Grow_reshape(): Fix another 'sra' leak

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Grow.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/Grow.c b/Grow.c
index af61fc3..29a9126 100644
--- a/Grow.c
+++ b/Grow.c
@@ -1535,10 +1535,12 @@ int Grow_reshape(char *devname, int fd, int quiet, char *backup_file,
 	frozen = freeze(st);
 	if (frozen < -1) {
 		/* freeze() already spewed the reason */
+		sysfs_free(sra);
 		return 1;
 	} else if (frozen < 0) {
 		fprintf(stderr, Name ": %s is performing resync/recovery and cannot"
 			" be reshaped\n", devname);
+		sysfs_free(sra);
 		return 1;
 	}
 
@@ -1835,6 +1837,7 @@ int Grow_reshape(char *devname, int fd, int quiet, char *backup_file,
 		frozen = 0;
 	}
 release:
+	sysfs_free(sra);
 	if (frozen > 0)
 		unfreeze(st);
 	return rv;
-- 
1.7.6.4

[PATCH 11/19] enough_fd(): remember to free buffer for avail array

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 util.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/util.c b/util.c
index 38af6d5..6985a70 100644
--- a/util.c
+++ b/util.c
@@ -363,7 +363,7 @@ int enough_fd(int fd)
 	struct mdu_array_info_s array;
 	struct mdu_disk_info_s disk;
 	int avail_disks = 0;
-	int i;
+	int i, rv;
 	char *avail;
 
 	if (ioctl(fd, GET_ARRAY_INFO, &array) != 0 ||
@@ -386,9 +386,10 @@ int enough_fd(int fd)
 		avail[disk.raid_disk] = 1;
 	}
 	/* This is used on an active array, so assume it is clean */
-	return enough(array.level, array.raid_disks, array.layout,
-		      1,
-		      avail, avail_disks);
+	rv = enough(array.level, array.raid_disks, array.layout,
+		    1, avail, avail_disks);
+	free(avail);
+	return rv;
 }
 
 
-- 
1.7.6.4

[PATCH 12/19] Manage_subdevs(): avoid leaking super

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Manage.c |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/Manage.c b/Manage.c
index 613a549..170af57 100644
--- a/Manage.c
+++ b/Manage.c
@@ -623,10 +623,12 @@ int Manage_subdevs(char *devname, int fd,
 
 			if (add_dev == dv->devname) {
 				if (!get_dev_size(tfd, dv->devname, &ldsize)) {
+					st->ss->free_super(st);
 					close(tfd);
 					return 1;
 				}
 			} else if (!get_dev_size(tfd, NULL, &ldsize)) {
+				st->ss->free_super(st);
 				close(tfd);
 				tfd = -1;
 				continue;
@@ -643,6 +645,7 @@ int Manage_subdevs(char *devname, int fd,
 						"       Add --force is you "
 						"really wan to add this device.\n",
 						add_dev, devname);
+					st->ss->free_super(st);
 					close(tfd);
 					return 1;
 				}
@@ -657,6 +660,7 @@ int Manage_subdevs(char *devname, int fd,
 			    array.major_version == 0 &&
 			    md_get_version(fd)%100 < 2) {
 				close(tfd);
+				st->ss->free_super(st);
 				tfd = -1;
 				if (ioctl(fd, HOT_ADD_DISK,
 					  (unsigned long)stb.st_rdev)==0) {
@@ -707,6 +711,7 @@ int Manage_subdevs(char *devname, int fd,
 				/* FIXME this is a bad test to be using */
 				if (!tst->sb) {
 					close(tfd);
+					st->ss->free_super(st);
 					fprintf(stderr, Name ": cannot load array metadata from %s\n", devname);
 					return 1;
 				}
@@ -716,6 +721,7 @@ int Manage_subdevs(char *devname, int fd,
 				    array_size) {
 					close(tfd);
 					tfd = -1;
+					st->ss->free_super(st);
 					if (add_dev != dv->devname)
 						continue;
 					fprintf(stderr, Name ": %s not large enough to join array\n",
@@ -768,6 +774,7 @@ int Manage_subdevs(char *devname, int fd,
 							if (tfd < 0) {
 								fprintf(stderr, Name ": failed to open %s for"
 									" superblock update during re-add\n", dv->devname);
+								st->ss->free_super(st);
 								return 1;
 							}
 
@@ -790,6 +797,7 @@ int Manage_subdevs(char *devname, int fd,
 							if (rv != 0) {
 								fprintf(stderr, Name ": failed to update"
 									" superblock during re-add\n");
+								st->ss->free_super(st);
 								return 1;
 							}
 						}
@@ -799,11 +807,13 @@ int Manage_subdevs(char *devname, int fd,
 							if (verbose >= 0)
 								fprintf(stderr, Name ": re-added %s\n", add_dev);
 							count++;
+							st->ss->free_super(st);
 							continue;
 						}
 						if (errno == ENOMEM || errno == EROFS) {
 							fprintf(stderr, Name ": add new device failed for %s: %s\n",
 								add_dev, strerror(errno));
+							st->ss->free_super(st);
 							if (add_dev != dv->devname)
 								continue;
 							return 1;
-- 
1.7.6.4

[PATCH 13/19] IncrementalScan(): Fix memory leak

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Incremental.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/Incremental.c b/Incremental.c
index bc5e9d0..c2c9051 100644
--- a/Incremental.c
+++ b/Incremental.c
@@ -1329,6 +1329,7 @@ int IncrementalScan(int verbose)
 					strerror(errno));
 				rv = 1;
 			}
+			sysfs_free(sra);
 		}
 	}
 	return rv;
-- 
1.7.6.4

[PATCH 14/19] Managa_ro(): free() mdi before exiting

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Manage.c |   22 ++++++++++++++++------
 1 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/Manage.c b/Manage.c
index 170af57..39a9b20 100644
--- a/Manage.c
+++ b/Manage.c
@@ -44,6 +44,7 @@ int Manage_ro(char *devname, int fd, int readonly)
 #ifndef MDASSEMBLE
 	struct mdinfo *mdi;
 #endif
+	int rv = 0;
 
 	if (md_get_version(fd) < 9000) {
 		fprintf(stderr, Name ": need md driver version 0.90.0 or later\n");
@@ -75,7 +76,8 @@ int Manage_ro(char *devname, int fd, int readonly)
 
 				vers[9] = mdi->text_version[0];
 				sysfs_set_str(mdi, NULL, "metadata_version", vers);
-				return 1;
+				rv = 1;
+				goto out;
 			}
 		} else {
 			char *cp;
@@ -90,29 +92,37 @@ int Manage_ro(char *devname, int fd, int readonly)
 			if (mdi->array.level <= 0)
 				sysfs_set_str(mdi, NULL, "array_state", "active");
 		}
-		return 0;
+		goto out;
 	}
 #endif
 	if (ioctl(fd, GET_ARRAY_INFO, &array)) {
 		fprintf(stderr, Name ": %s does not appear to be active.\n",
 			devname);
-		return 1;
+		rv = 1;
+		goto out;
 	}
 
 	if (readonly>0) {
 		if (ioctl(fd, STOP_ARRAY_RO, NULL)) {
 			fprintf(stderr, Name ": failed to set readonly for %s: %s\n",
 				devname, strerror(errno));
-			return 1;
+			rv = 1;
+			goto out;
 		}
 	} else if (readonly < 0) {
 		if (ioctl(fd, RESTART_ARRAY_RW, NULL)) {
 			fprintf(stderr, Name ": failed to set writable for %s: %s\n",
 				devname, strerror(errno));
-			return 1;
+			rv = 1;
+			goto out;
 		}
 	}
-	return 0;
+out:
+#ifndef MDASSEMBLE
+	if (mdi)
+		sysfs_free(mdi);
+#endif
+	return rv;
 }
 
 #ifndef MDASSEMBLE
-- 
1.7.6.4

[PATCH 15/19] Manage_runstop(): Avoid memory leak

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Manage.c |   22 +++++++++++++---------
 1 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/Manage.c b/Manage.c
index 39a9b20..d5110a7 100644
--- a/Manage.c
+++ b/Manage.c
@@ -183,6 +183,7 @@ int Manage_runstop(char *devname, int fd, int runstop, int quiet)
 	 * quiet < 0 means we will try again if it fails.
 	 */
 	mdu_param_t param; /* unused */
+	int rv = 0;
 
 	if (runstop == -1 && md_get_version(fd) < 9000) {
 		if (ioctl(fd, STOP_MD, 0)) {
@@ -261,7 +262,8 @@ int Manage_runstop(char *devname, int fd, int runstop, int quiet)
 				fprintf(stderr, Name
 					": failed to stop array %s: %s\n",
 					devname, strerror(errno));
-				return 1;
+				rv = 1;
+				goto out;
 			}
 
 			/* Give monitor a chance to act */
@@ -273,7 +275,8 @@ int Manage_runstop(char *devname, int fd, int runstop, int quiet)
 					": failed to completely stop %s"
 					": Device is busy\n",
 					devname);
-				return 1;
+				rv = 1;
+				goto out;
 			}
 		} else if (mdi &&
 			   mdi->array.major_version == -1 &&
@@ -301,9 +304,8 @@ int Manage_runstop(char *devname, int fd, int runstop, int quiet)
 							"member %s still active\n",
 							devname, m->dev);
 					free_mdstat(mds);
-					if (mdi)
-						sysfs_free(mdi);
-					return 1;
+					rv = 1;
+					goto out;
 				}
 		}
 
@@ -328,9 +330,8 @@ int Manage_runstop(char *devname, int fd, int runstop, int quiet)
 						"process, mounted filesystem "
 						"or active volume group?\n");
 			}
-			if (mdi)
-				sysfs_free(mdi);
-			return 1;
+			rv = 1;
+			goto out;
 		}
 		/* prior to 2.6.28, KOBJ_CHANGE was not sent when an md array
 		 * was stopped, so We'll do it here just to be sure.  Drop any
@@ -355,8 +356,11 @@ int Manage_runstop(char *devname, int fd, int runstop, int quiet)
 		map_lock(&map);
 		map_remove(&map, devnum);
 		map_unlock(&map);
+	out:
+		if (mdi)
+			sysfs_free(mdi);
 	}
-	return 0;
+	return rv;
 }
 
 int Manage_resize(char *devname, int fd, long long size, int raid_disks)
-- 
1.7.6.4

[PATCH 16/19] Monitor(): free allocated memory on exit

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 Monitor.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/Monitor.c b/Monitor.c
index 101bca4..fc0488b 100644
--- a/Monitor.c
+++ b/Monitor.c
@@ -124,6 +124,7 @@ int Monitor(struct mddev_dev *devlist,
 	 */
 
 	struct state *statelist = NULL;
+	struct state *st2;
 	int finished = 0;
 	struct mdstat_ent *mdstat = NULL;
 	char *mailfrom = NULL;
@@ -242,6 +243,11 @@ int Monitor(struct mddev_dev *devlist,
 		}
 		test = 0;
 	}
+	for (st2 = statelist; st2; st2 = statelist) {
+		statelist = st2->next;
+		free(st2);
+	}
+
 	if (pidfile)
 		unlink(pidfile);
 	return 0;
-- 
1.7.6.4

[PATCH 17/19] bitmap_fd_read(): fix memory leak

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 bitmap.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/bitmap.c b/bitmap.c
index 2e1ecda..d02f16e 100644
--- a/bitmap.c
+++ b/bitmap.c
@@ -147,6 +147,7 @@ bitmap_info_t *bitmap_fd_read(int fd, int brief)
 		fprintf(stderr, Name ": failed to allocate %zd bytes\n",
 				sizeof(*info));
 #endif
+		free(buf);
 		return NULL;
 	}
 
@@ -154,6 +155,7 @@ bitmap_info_t *bitmap_fd_read(int fd, int brief)
 		fprintf(stderr, Name ": failed to read superblock of bitmap "
 			"file: %s\n", strerror(errno));
 		free(info);
+		free(buf);
 		return NULL;
 	}
 	memcpy(&info->sb, buf, sizeof(info->sb));
@@ -198,6 +200,7 @@ bitmap_info_t *bitmap_fd_read(int fd, int brief)
 		total_bits = read_bits;
 	}
 out:
+	free(buf);
 	info->total_bits = total_bits;
 	info->dirty_bits = dirty_bits;
 	return info;
-- 
1.7.6.4

[PATCH 18/19] validate_geometry_imsm_volume(): Avoid NULL pointer dereference

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 super-intel.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/super-intel.c b/super-intel.c
index 34a4b34..0193fe7 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -5139,7 +5139,7 @@ static int validate_geometry_imsm_volume(struct supertype *st, int level,
 {
 	struct stat stb;
 	struct intel_super *super = st->sb;
-	struct imsm_super *mpb = super->anchor;
+	struct imsm_super *mpb;
 	struct dl *dl;
 	unsigned long long pos = 0;
 	unsigned long long maxsize;
@@ -5150,6 +5150,8 @@ static int validate_geometry_imsm_volume(struct supertype *st, int level,
 	if (!super)
 		return 0;
 
+	mpb = super->anchor;
+
 	if (mpb->num_raid_devs > 0 && mpb->num_disks != raiddisks) {
 		fprintf(stderr, Name ": the option-rom requires all "
 			"member disks to be a member of all volumes.\n");
-- 
1.7.6.4

[PATCH 19/19] make_parts(): Avoid false positive security warning

[Jes.Sorensen]

From: Jes Sorensen <Jes.Sorensen@redhat.com>

S_ISBLK() and S_ISLNK() are mutually exclusive. By swapping the checks
round and testing S_ISBLK() first, we avoid having to silence the
compiler for uninitialized variable usage, and avoid a warning from
security checking tools.

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 mdopen.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/mdopen.c b/mdopen.c
index 555ab84..e6db7d7 100644
--- a/mdopen.c
+++ b/mdopen.c
@@ -38,9 +38,9 @@ void make_parts(char *dev, int cnt)
 	 * else that of dev
 	 */
 	struct stat stb;
-	int major_num = major_num; /* quiet gcc -Os unitialized warning */
-	int minor_num = minor_num; /* quiet gcc -Os unitialized warning */
-	int odig = odig; /* quiet gcc -Os unitialized warning */
+	int major_num;
+	int minor_num;
+	int odig;
 	int i;
 	int nlen = strlen(dev) + 20;
 	char *name;
@@ -53,15 +53,15 @@ void make_parts(char *dev, int cnt)
 	if (lstat(dev, &stb)!= 0)
 		return;
 
-	if (S_ISLNK(stb.st_mode)) {
+	if (S_ISBLK(stb.st_mode)) {
+		major_num = major(stb.st_rdev);
+		minor_num = minor(stb.st_rdev);
+	} else if (S_ISLNK(stb.st_mode)) {
 		int len = readlink(dev, orig, sizeof(orig));
 		if (len < 0 || len > 1000)
 			return;
 		orig[len] = 0;
 		odig = isdigit(orig[len-1]);
-	} else if (S_ISBLK(stb.st_mode)) {
-		major_num = major(stb.st_rdev);
-		minor_num = minor(stb.st_rdev);
 	} else
 		   return;
 	name = malloc(nlen);
-- 
1.7.6.4

Re: [PATCH 19/19] make_parts(): Avoid false positive security warning

[Jes Sorensen]

[-- Attachment #1: Type: text/plain, Size: 710 bytes --]

On 11/01/11 16:09, Jes.Sorensen@redhat.com wrote:
> From: Jes Sorensen <Jes.Sorensen@redhat.com>
> 
> S_ISBLK() and S_ISLNK() are mutually exclusive. By swapping the checks
> round and testing S_ISBLK() first, we avoid having to silence the
> compiler for uninitialized variable usage, and avoid a warning from
> security checking tools.
> 
> Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>

Looking at this one again, I realized it doesn't solve the real problem.
In particular if /dev/md64 already exists as a symlink and /dev/md64p1
exists as a device node, we end up comparing against random stack data.

Please discard the previous patch and use this one instead.

Sorry for the noise.

Cheers,
Jes

[-- Attachment #2: 0019-make_parts-Fix-case-of-comparing-against-uninitializ.patch --]
[-- Type: text/x-patch, Size: 2248 bytes --]

From a6411e70a8074d13f9ad0af6d68a6d8bb550c317 Mon Sep 17 00:00:00 2001
From: Jes Sorensen <Jes.Sorensen@redhat.com>
Date: Tue, 1 Nov 2011 14:53:37 +0100
Subject: [PATCH 19/19] make_parts(): Fix case of comparing against
 uninitialized variables

Silencing gcc's warning of uninitialized variables was hiding a bug
where if we have /dev/md64 as a symlink, and /dev/md64p1 was a real
device node.

In this case major_num and minor_num would not get populated, but we
end up comparing against them because the stat for md64p1 succeeds.

Instead of using the int foo = foo trick, change the code to set
set the variables to invalid values so comparisons will fail.

Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
---
 mdopen.c |   21 ++++++++++++---------
 1 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/mdopen.c b/mdopen.c
index 555ab84..eac1c1f 100644
--- a/mdopen.c
+++ b/mdopen.c
@@ -38,9 +38,9 @@ void make_parts(char *dev, int cnt)
 	 * else that of dev
 	 */
 	struct stat stb;
-	int major_num = major_num; /* quiet gcc -Os unitialized warning */
-	int minor_num = minor_num; /* quiet gcc -Os unitialized warning */
-	int odig = odig; /* quiet gcc -Os unitialized warning */
+	int major_num;
+	int minor_num;
+	int odig;
 	int i;
 	int nlen = strlen(dev) + 20;
 	char *name;
@@ -53,23 +53,26 @@ void make_parts(char *dev, int cnt)
 	if (lstat(dev, &stb)!= 0)
 		return;
 
-	if (S_ISLNK(stb.st_mode)) {
+	if (S_ISBLK(stb.st_mode)) {
+		major_num = major(stb.st_rdev);
+		minor_num = minor(stb.st_rdev);
+		odig = -1;
+	} else if (S_ISLNK(stb.st_mode)) {
 		int len = readlink(dev, orig, sizeof(orig));
 		if (len < 0 || len > 1000)
 			return;
 		orig[len] = 0;
 		odig = isdigit(orig[len-1]);
-	} else if (S_ISBLK(stb.st_mode)) {
-		major_num = major(stb.st_rdev);
-		minor_num = minor(stb.st_rdev);
+		major_num = -1;
+		minor_num = -1;
 	} else
-		   return;
+		return;
 	name = malloc(nlen);
 	for (i=1; i <= cnt ; i++) {
 		struct stat stb2;
 		snprintf(name, nlen, "%s%s%d", dev, dig?"p":"", i);
 		if (stat(name, &stb2)==0) {
-			if (!S_ISBLK(stb2.st_mode))
+			if (!S_ISBLK(stb2.st_mode) || !S_ISBLK(stb.st_mode))
 				continue;
 			if (stb2.st_rdev == makedev(major_num, minor_num+i))
 				continue;
-- 
1.7.6.4

Re: [PATCH 00/19] More fixes for resource leaks and warnings

[NeilBrown]

[-- Attachment #1: Type: text/plain, Size: 2815 bytes --]

On Tue,  1 Nov 2011 16:09:16 +0100 Jes.Sorensen@redhat.com wrote:

> From: Jes Sorensen <Jes.Sorensen@redhat.com>
> 
> Hi,
> 
> Another 'small' pile of fixes for various resource leaks, null pointer
> dereferencing and out of bounds buffer access found by Coverity.

Thanks Jes.
I've applied all of these - using the second version of patch 19.

I'm not normally very fussed about freeing and closing things shortly before
the process is going to exit anyway, but I'm not against it.  And some of
your patches were for other leaks.

> 
> This is the bulk of these for now. Please notice that I haven't
> touched super-ddf.c at all, and that is probably the single biggest
> offender. Also note that I haven't addressed a number of warnings in
> sysfs.c where we know for sure that files aren't bigger than a given
> size. The tool obviously doesn't know this, so it spews warnings when
> we strcpy() content we just read. While the code per-ce is probably
> safe, we may want to switch to strncpy() just to reduce the noise
> ratio?

Maybe.  I hate strncpy because it doesn't reliably nul-terminate but I'm
happy to make the code 'safer' as long as we avoid making it ugly.

Thanks,
NeilBrown


> 
> Cheers,
> Jes
> 
> 
> Jes Sorensen (19):
>   Grow_Add_device(): dev_open() return a negative fd on error
>   Grow_addbitmap(): don't try to close a file descriptor which failed
>     to open
>   Incremental(): Check return value of dev_open() before trying to use
>     it
>   sysfs_unique_holder(): Check read() return value before using as
>     buffer index
>   remove_devices(): readlink returns -1 on error
>   assemble_container_content(): fix memory leak
>   Grow_restart(): free() offsets after use
>   Assemble(): don't dup_super() before we need it.
>   Detail(): Remember to free 'avail'
>   Grow_reshape(): Fix another 'sra' leak
>   enough_fd(): remember to free buffer for avail array
>   Manage_subdevs(): avoid leaking super
>   IncrementalScan(): Fix memory leak
>   Managa_ro(): free() mdi before exiting
>   Manage_runstop(): Avoid memory leak
>   Monitor(): free allocated memory on exit
>   bitmap_fd_read(): fix memory leak
>   validate_geometry_imsm_volume(): Avoid NULL pointer dereference
>   make_parts(): Avoid false positive security warning
> 
>  Assemble.c    |    9 +++++++--
>  Detail.c      |    3 ++-
>  Grow.c        |   19 +++++++++++++------
>  Incremental.c |    7 +++++++
>  Manage.c      |   56 ++++++++++++++++++++++++++++++++++++++++----------------
>  Monitor.c     |    6 ++++++
>  bitmap.c      |    3 +++
>  mdopen.c      |   14 +++++++-------
>  super-intel.c |    4 +++-
>  sysfs.c       |    2 ++
>  util.c        |    9 +++++----
>  11 files changed, 95 insertions(+), 37 deletions(-)
> 


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

Re: [PATCH 00/19] More fixes for resource leaks and warnings

[Jes Sorensen]

On 11/02/11 01:25, NeilBrown wrote:
> Thanks Jes.
> I've applied all of these - using the second version of patch 19.
> 
> I'm not normally very fussed about freeing and closing things shortly before
> the process is going to exit anyway, but I'm not against it.  And some of
> your patches were for other leaks.

Hi Neil,

I totally agree here. The main reason for applying those fixes is to
reduce the S/N ratio from the checking tools.

With my latest with these patches applied run I got about 65 warnings
whereas I am getting around 105 in the version of mdadm that is in
Fedora 16. Some of these are definitely false positives, but I have
another set of patches with real fixes coming your way shortly.

>> This is the bulk of these for now. Please notice that I haven't
>> touched super-ddf.c at all, and that is probably the single biggest
>> offender. Also note that I haven't addressed a number of warnings in
>> sysfs.c where we know for sure that files aren't bigger than a given
>> size. The tool obviously doesn't know this, so it spews warnings when
>> we strcpy() content we just read. While the code per-ce is probably
>> safe, we may want to switch to strncpy() just to reduce the noise
>> ratio?
> 
> Maybe.  I hate strncpy because it doesn't reliably nul-terminate but I'm
> happy to make the code 'safer' as long as we avoid making it ugly.

I couldn't agree more - it is such a mess :(

Cheers,
Jes

Re: [PATCH 00/19] More fixes for resource leaks and warnings

[Doug Ledford]

----- Original Message -----
> On 11/02/11 01:25, NeilBrown wrote:
> > Thanks Jes.
> > I've applied all of these - using the second version of patch 19.
> > 
> > I'm not normally very fussed about freeing and closing things
> > shortly before
> > the process is going to exit anyway, but I'm not against it.  And
> > some of
> > your patches were for other leaks.
> 
> Hi Neil,
> 
> I totally agree here. The main reason for applying those fixes is to
> reduce the S/N ratio from the checking tools.

It has the advantage that if mdadm is ever converted to run any of
these routines from a long standing operation (say monitor mode decides
to start doing new things), then we aren't tasked with fixing up
1001 little details that could have been right in the first place ;-)

-- 
Doug Ledford <dledford@redhat.com>
              GPG KeyID: 0E572FDD
	      http://people.redhat.com/dledford