From c440cf2cedef867bf498f48ace902700fb64037b Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Fri, 14 Oct 2022 22:45:13 -0400 Subject: [PATCH 1/6] Fix NULL pointer dereference in zdb Clang's static analyzer complained that we dereference a NULL pointer in dump_path() if we return 0 when there is an error. Signed-off-by: Richard Yao --- cmd/zdb/zdb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/zdb/zdb.c b/cmd/zdb/zdb.c index 18a94da1f744..c6d5292575de 100644 --- a/cmd/zdb/zdb.c +++ b/cmd/zdb/zdb.c @@ -3066,7 +3066,7 @@ open_objset(const char *path, const void *tag, objset_t **osp) } sa_os = *osp; - return (0); + return (err); } static void From e1e6e72896bac208a30059a12f1e3b7840e10e26 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Fri, 14 Oct 2022 22:46:43 -0400 Subject: [PATCH 2/6] fm_fmri_hc_create() must call va_end() before returning clang-tidy caught this. Signed-off-by: Richard Yao --- module/zfs/fm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/module/zfs/fm.c b/module/zfs/fm.c index 32b5cf8facd1..3f05d759770b 100644 --- a/module/zfs/fm.c +++ b/module/zfs/fm.c @@ -955,6 +955,7 @@ fm_fmri_hc_create(nvlist_t *fmri, int version, const nvlist_t *auth, } atomic_inc_64( &erpt_kstat_data.fmri_set_failed.value.ui64); + va_end(ap); return; } } From 9482028426f0a6e2d1907f2fd51217b2b9f43630 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Fri, 14 Oct 2022 22:55:48 -0400 Subject: [PATCH 3/6] Fix NULL pointer passed to strlcpy from zap_lookup_impl() Clang's static analyzer pointed out that whenever zap_lookup_by_dnode() is called, we have the following stack where strlcpy() is passed a NULL pointer for realname from zap_lookup_by_dnode(): strlcpy() zap_lookup_impl() zap_lookup_norm_by_dnode() zap_lookup_by_dnode() Signed-off-by: Richard Yao --- module/zfs/zap_micro.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/module/zfs/zap_micro.c b/module/zfs/zap_micro.c index 58a5c9f600b7..4bf8a322e91b 100644 
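Review bot: `return (err);` at the tail of open_objset() is only correct if every path that reaches `sa_os = *osp;` has assigned err, and the hunk cannot show that because the body of the function lies above it. If err is assigned only inside the failure branches and left uninitialized on the success path, the function would now return an indeterminate value to the same callers the commit is trying to protect, so please confirm err is set unconditionally earlier or initialize it at its declaration. The commit message says dump_path() dereferenced NULL when 0 was returned on error, so on the failing path *osp is apparently left NULL; that coupling deserves a comment at the return, e.g. `/* err != 0 means *osp was not set up and must not be used (see dump_path()) */`. open_objset() begins outside the hunk.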
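Review bot: The added `va_end(ap);` covers only this one early return inside the loop in fm_fmri_hc_create(); any other return in the function, and its normal exit, also need a matching va_end(), and none of them are visible in the hunk. Ending a function with an open va_list is undefined behaviour per C11 7.16.1 even where it is harmless on common ABIs, so clang-tidy will keep reporting whichever paths were missed. A more robust shape is a single cleanup label with one `va_end(ap);` and `goto out;` from each failure branch, which is harder to get wrong than a va_end() before every return. The enclosing function begins outside the hunk and, as far as the hunk shows, continues past it.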
--- a/module/zfs/zap_micro.c +++ b/module/zfs/zap_micro.c @@ -990,8 +990,10 @@ zap_lookup_impl(zap_t *zap, const char *name, } else { *(uint64_t *)buf = MZE_PHYS(zap, mze)->mze_value; - (void) strlcpy(realname, - MZE_PHYS(zap, mze)->mze_name, rn_len); + if (realname != NULL) + (void) strlcpy(realname, + MZE_PHYS(zap, mze)->mze_name, + rn_len); if (ncp) { *ncp = mzap_normalization_conflict(zap, zn, mze); From 75ab0562ea9941285416224329c029051f6b04bf Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Sun, 16 Oct 2022 00:19:13 -0400 Subject: [PATCH 4/6] Fix NULL pointer dereference in spa_open_common() Calling spa_open() will pass a NULL pointer to spa_open_common()'s config parameter. Under the right circumstances, we will dereference the config parameter without doing a NULL check. Clang's static analyzer found this. Signed-off-by: Richard Yao --- module/zfs/spa.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/module/zfs/spa.c b/module/zfs/spa.c index 0a9f31a8fc85..5d568e8340d6 100644 --- a/module/zfs/spa.c +++ b/module/zfs/spa.c @@ -5267,7 +5267,7 @@ spa_open_common(const char *pool, spa_t **spapp, const void *tag, * If we've recovered the pool, pass back any information we * gathered while doing the load. */ - if (state == SPA_LOAD_RECOVER) { + if (state == SPA_LOAD_RECOVER && config != NULL) { fnvlist_add_nvlist(*config, ZPOOL_CONFIG_LOAD_INFO, spa->spa_load_info); } From 69cd3ec82445c6e82ca44a6027f0c29a976dd6a0 Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Sun, 16 Oct 2022 00:56:55 -0400 Subject: [PATCH 5/6] set_global_var() should not pass NULL pointers to dlclose() Both Coverity and Clang's static analyzer caught this. Signed-off-by: Richard Yao --- lib/libzpool/util.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/libzpool/util.c b/lib/libzpool/util.c index 0ce7822a3563..a310255d7a7d 100644 --- a/lib/libzpool/util.c +++ b/lib/libzpool/util.c 
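Review bot: The new `if (realname != NULL)` guard on the microzap branch makes realname optional, but nothing in zap_lookup_impl() documents that, and rn_len is silently ignored when it is NULL; a short comment above the guard, `/* realname is optional (zap_lookup_by_dnode() passes NULL); rn_len is ignored then */`, would keep the next maintainer from re-adding an unconditional copy. The other arm of this if/else, above the hunk, also receives realname and presumably forwards it, so please confirm that path tolerates NULL too, otherwise the analyzer finding is only half closed. The line just below is written `if (ncp)` while the new line uses `!= NULL`; one form in the same statement block reads better. zap_lookup_impl() begins and ends outside the hunk.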
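Review bot: The `config != NULL` addition means a recovery load (`state == SPA_LOAD_RECOVER`) now silently discards spa->spa_load_info whenever the caller did not ask for a config, which is the spa_open() case the commit message describes, so any rewind/recovery details gathered on that path are lost rather than surfaced. That is a reasonable contract, but it should be stated at the check: `/* spa_open() passes config == NULL; load info is only handed back to callers that asked for the config. */`. The guard also relies on `*config` having been populated earlier in spa_open_common() under the same `config != NULL` condition, which is outside the hunk, so please confirm the two checks agree. spa_open_common() begins and ends outside the hunk.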
@@ -229,13 +229,14 @@ set_global_var(char const *arg) fprintf(stderr, "Failed to open libzpool.so to set global " "variable\n"); ret = EIO; - goto out_dlclose; + goto out_free; } ret = 0; out_dlclose: dlclose(zpoolhdl); +out_free: free(varname); out_ret: return (ret); From daccf6806a18e1930d01e8e290ed54885701a4fc Mon Sep 17 00:00:00 2001 From: Richard Yao Date: Mon, 17 Oct 2022 02:06:40 -0400 Subject: [PATCH 6/6] Fix possible NULL pointer dereference in sha2_mac_init() If mechanism->cm_param is NULL, passing mechanism to PROV_SHA2_GET_DIGEST_LEN() will dereference a NULL pointer. Coverity reported this. Signed-off-by: Richard Yao --- module/icp/io/sha2_mod.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/module/icp/io/sha2_mod.c b/module/icp/io/sha2_mod.c index fadb58b81881..a58f0982c8c0 100644 --- a/module/icp/io/sha2_mod.c +++ b/module/icp/io/sha2_mod.c @@ -737,12 +737,15 @@ sha2_mac_init(crypto_ctx_t *ctx, crypto_mechanism_t *mechanism, */ if (mechanism->cm_type % 3 == 2) { if (mechanism->cm_param == NULL || - mechanism->cm_param_len != sizeof (ulong_t)) - ret = CRYPTO_MECHANISM_PARAM_INVALID; - PROV_SHA2_GET_DIGEST_LEN(mechanism, - PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len); - if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > sha_digest_len) + mechanism->cm_param_len != sizeof (ulong_t)) { ret = CRYPTO_MECHANISM_PARAM_INVALID; + } else { + PROV_SHA2_GET_DIGEST_LEN(mechanism, + PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len); + if (PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len > + sha_digest_len) + ret = CRYPTO_MECHANISM_PARAM_INVALID; + } } if (ret != CRYPTO_SUCCESS) {
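Review bot: The dlopen() failure branch now frees varname correctly, but the message it prints, `"Failed to open libzpool.so to set global variable\n"`, still drops the reason; dlerror() is what a user needs to tell a missing library from a wrong search path or a permission problem. Suggest `const char *why = dlerror();` followed by `fprintf(stderr, "Failed to open libzpool.so to set global variable: %s\n", why != NULL ? why : "unknown error");` — dlerror() may return NULL, so guard it before passing it to %s. The out_dlclose path also ignores dlclose()'s return value, harmless for a one-shot CLI but worth a `(void)` cast in this codebase's style. set_global_var() begins above the hunk and its closing brace lies below it.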
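Review bot: The new `else` branch validates the requested HMAC output length only from above (`> sha_digest_len`), so a cm_param of 0, or any tiny truncation, is accepted as a valid digest length. A zero-length MAC makes any later verification against this context vacuous (comparing zero bytes succeeds for every input), and lengths of a few bytes give no practical forgery resistance; NIST SP 800-107 sets a floor of 32 bits for truncated HMAC tags. The bound is also applied after PROV_SHA2_GET_DIGEST_LEN() has stored into hc_digest_len; if that macro narrows the ulong_t on the way (it is not in the hunk, so this is unconfirmed), a value such as 0x100000020 would pass the check as 0x20. Even though cm_param comes from in-tree callers, this block exists to reject bad parameters, so reading the raw value into a local, bounding it on both sides and only then storing it is the safer shape. sha2_mac_init() begins and ends outside the hunk.
```c
	} else {
		ulong_t req_len;

		/* Validate the raw parameter before it is narrowed or stored. */
		memcpy(&req_len, mechanism->cm_param, sizeof (req_len));
		if (req_len == 0 || req_len > sha_digest_len)
			ret = CRYPTO_MECHANISM_PARAM_INVALID;
		else
			PROV_SHA2_HMAC_CTX(ctx)->hc_digest_len = req_len;
	}
	/* … unchanged: ret != CRYPTO_SUCCESS handling … */
```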