Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference

bug-gnulib

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference

From:	Darren Kenny
Subject:	Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference
Date:	Tue, 24 Aug 2021 16:11:22 +0100

On Monday, 2021-08-23 at 13:09:18 -07, Paul Eggert wrote:
> On 8/23/21 3:05 AM, Darren Kenny wrote:
>
>> The explanation given by Coverity boils down to:
>> 
>> - In check_matching(), line 1069, there is a test if mctx->state_log !=
>>    NULL
>
> This line number doesn't match either the current Gnulib version (commit 
> d3837928885e91c9ddd465240b90a97aa342fda6) nor the version in the current 
> Grub release (2.06). So I guess you are using some other version of 
> regexec.c. Could you tell us which one?
>

You're right, I should have fetched from HEAD, the version I was looking
at was several weeks old at changeset b50a7e59debf8.

>> - In transit_state(), there is a call to transit_state_mb() at line
>>    2226, which in turn, at line 2497, directly references mctx->state_log
>>    without first checking if it is NULL.
>
> In the Gnulib version, transit_state calls transit_state_mb only if 
> state->accept_mb is true, and if the state can accept multibyte 
> characters then in re_search_internal dfa->has_mb_node must be true, 
> which means that re_search_internal initializes mctx.state_log to a 
> nonnull pointer before we get to transit_state.
>
> So I'm not seeing a bug here; it still appears to be a false alarm. If 
> I'm missing something please let us know.
>

It certainly may be that Coverity just doesn't know enough for all
use-cases.

Is there a specific set of assertions already present that ensure that
the circumstances you outline above are always in place?

>> The patch we have already satisfies Coverity, once applied
>
> Yes, I can see why the patch would pacify Coverity. However, we 
> shouldn't add unnecessary code merely to pacify a Coverity false alarm.
>
>> I have not checked if a DEBUG_ASSERT() call, in a path that Coverity isn't
>> including anywhere in its analysis would work.
>> 
>> Why do you think an assert in clean_state_log_if_needed() would help?
>
> If you tell Coverity to analyze with -DDEBUG, then adding DEBUG_ASSERT 
> (X != NULL) should tell Coverity that X must be nonnull at that point. 
> We can use this method to tell Coverity things that it can't deduce on 
> its own.
>

At present at least, we're not building GRUB with DEBUG, but maybe it is
something to consider for Coverity builds.

Thanks,

Darren.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference, Paul Eggert, 2021/08/11
- Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference, Darren Kenny, 2021/08/23
  - Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference, Paul Eggert, 2021/08/23
    - Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference, Darren Kenny <=
    - Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference, Paul Eggert, 2021/08/24

Prev by Date: Re: [PATCH 3/3] lib/regexec: Resolve unused variable
Next by Date: Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference
Previous by thread: Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference
Next by thread: Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference
Index(es):
- Date
- Thread