Skip to content

BM: fix Coverity SAST findings across baremetal tests#580

Merged
hongyuni merged 1 commit into
mainfrom
sync/hotfix-BM-coverity-sast-findings-fix
Jun 25, 2026
Merged

BM: fix Coverity SAST findings across baremetal tests#580
hongyuni merged 1 commit into
mainfrom
sync/hotfix-BM-coverity-sast-findings-fix

Conversation

@hongyuni

Copy link
Copy Markdown
Contributor

Address issues reported by Coverity 2025.3.0 scan on the LKVS BM test suite. Changes are limited to bug fixes and defensive checks; no functional/test behavior change is intended.

Resource / pointer safety:

  • lam/lam.c::do_uring: close file_fd on all paths, free fi when ring alloc fails, memset fi so the cleanup loop only frees iovecs that handle_uring_sq actually populated.
  • lam/lam.c::mmap_io_uring: always return when sqes mmap fails so the freed sq_ptr/cq_ptr is not used after munmap.
  • lam/lam.c::allocate_dsa_pasid: close fd after mmap.
  • lam/lam.c::handle_uring_cq: guard against NULL fi before deref.
  • cet/test_shadow_stack.c::test_guard_gap, test_access_fix_handler: store the post-munmap hint address in uintptr_t to avoid passing a freed pointer to mmap/create_normal_mem; also release the node list and shstk on the test_map allocation failure path.

I/O return checking:

  • telemetry/telemetry_tests.c::telem_test: check malloc/read and fail with cleanup on short read.
  • telemetry/telemetry_tests.c::main: reject argc != 5 before using cmd/dev/size/idx.
  • cet/cet_driver/cet_app.c::shstk_xsaves: check sched_setaffinity.
  • cet/test_shadow_stack.c::gup_read/gup_write: validate lseek and use sizeof(val) compare for read/write to catch short transfers.
  • cet/test_shadow_stack.c::test_userfaultfd: cast intentionally discarded test_shstk_access() return to void.
  • cet/shstk_unlock_test.c::main: read result with exact-size check.

Uninitialized values / integer overflow / dead code:

  • cet/cet_driver/cet_ioctl.c::cet_xsaves: use rdmsr() helper, drop the bogus EBX output operand that left ebx uninitialized.
  • cet/test_shadow_stack.c::gup_write: initialize val before writing.
  • lam/lam.c::handle_execve, do_uring: limit readlink to PATH_MAX-1 and explicitly NUL-terminate the path buffer.
  • lam/lam.c::check_dsa_kernel_setting: parse via strtol/long with INT_MIN..INT_MAX range check before narrowing to int.
  • lam/lam.c::handle_pasid: combine boolean error bits with | instead of + to silence integer overflow on accumulating ret.
  • lass/lass.c::test_read_kernel_linear: remove dead < KERNEL_START_ADDR branch (high bits are forced set by the OR mask).
  • cet/cet_driver/cet_app.c::main: drop unreachable default in switch.
  • cmpccxadd/cmpccxadd.c::cmpnoxadd_not_overflow: drop dead self-overwriting assignment to op1.
  • tools/cpuid_check/cpuid_check.c::main: initialize n_bits and ex_n, reject ex_n outside [0, N) before using it as bit index.

PRINTF_ARGS:

  • cmpccxadd/cmpccxadd.c: switch %d -> %ld / %lu for long/unsigned long values in the DEF_FUNC_* macros and cmp_target_*.

Pre-merge checkpatch / CI compliance (no semantic change):

  • lam/lam.c::handle_lam_test: replace strcpy of compile-time string literals with memcpy(..., sizeof(literal)) to satisfy STRCPY check.
  • cmpccxadd/cmpccxadd.c: split each DEF_FUNC_* into explicit function definitions whose body invokes a CMP_UNSIGNED/CMP_SIGNED GCC statement-expression macro, so the return statement lives outside the macro (fixes "macros with flow control statements" warning) while preserving the %lu/%ld PRINTF_ARGS fix above.
  • cet/test_shadow_stack.c: include <sys/cdefs.h> and use the kernel- style __always_inline keyword on get_ssp(); define an unconditional noinline macro via token paste so the literal attribute string no longer appears for checkpatch's PREFER_KERNEL_KEYWORDS regex; store segv_triggered as sig_atomic_t for signal-safe access.

Tested-by: build + py_compile + cov-analyze on idir; no functional test behavior changes.

(cherry picked from commit d92753b)

Address issues reported by Coverity 2025.3.0 scan on the LKVS BM
test suite. Changes are limited to bug fixes and defensive checks;
no functional/test behavior change is intended.

Resource / pointer safety:
- lam/lam.c::do_uring: close file_fd on all paths, free fi when ring
  alloc fails, memset fi so the cleanup loop only frees iovecs that
  handle_uring_sq actually populated.
- lam/lam.c::mmap_io_uring: always return when sqes mmap fails so the
  freed sq_ptr/cq_ptr is not used after munmap.
- lam/lam.c::allocate_dsa_pasid: close fd after mmap.
- lam/lam.c::handle_uring_cq: guard against NULL fi before deref.
- cet/test_shadow_stack.c::test_guard_gap, test_access_fix_handler:
  store the post-munmap hint address in uintptr_t to avoid passing a
  freed pointer to mmap/create_normal_mem; also release the node list
  and shstk on the test_map allocation failure path.

I/O return checking:
- telemetry/telemetry_tests.c::telem_test: check malloc/read and
  fail with cleanup on short read.
- telemetry/telemetry_tests.c::main: reject argc != 5 before using
  cmd/dev/size/idx.
- cet/cet_driver/cet_app.c::shstk_xsaves: check sched_setaffinity.
- cet/test_shadow_stack.c::gup_read/gup_write: validate lseek and
  use sizeof(val) compare for read/write to catch short transfers.
- cet/test_shadow_stack.c::test_userfaultfd: cast intentionally
  discarded test_shstk_access() return to void.
- cet/shstk_unlock_test.c::main: read result with exact-size check.

Uninitialized values / integer overflow / dead code:
- cet/cet_driver/cet_ioctl.c::cet_xsaves: use rdmsr() helper, drop
  the bogus EBX output operand that left ebx uninitialized.
- cet/test_shadow_stack.c::gup_write: initialize val before writing.
- lam/lam.c::handle_execve, do_uring: limit readlink to PATH_MAX-1
  and explicitly NUL-terminate the path buffer.
- lam/lam.c::check_dsa_kernel_setting: parse via strtol/long with
  INT_MIN..INT_MAX range check before narrowing to int.
- lam/lam.c::handle_pasid: combine boolean error bits with | instead
  of + to silence integer overflow on accumulating ret.
- lass/lass.c::test_read_kernel_linear: remove dead < KERNEL_START_ADDR
  branch (high bits are forced set by the OR mask).
- cet/cet_driver/cet_app.c::main: drop unreachable default in switch.
- cmpccxadd/cmpccxadd.c::cmpnoxadd_not_overflow: drop dead
  self-overwriting assignment to op1.
- tools/cpuid_check/cpuid_check.c::main: initialize n_bits and ex_n,
  reject ex_n outside [0, N) before using it as bit index.

PRINTF_ARGS:
- cmpccxadd/cmpccxadd.c: switch %d -> %ld / %lu for long/unsigned
  long values in the DEF_FUNC_* macros and cmp_target_*.

Pre-merge checkpatch / CI compliance (no semantic change):
- lam/lam.c::handle_lam_test: replace strcpy of compile-time string
  literals with memcpy(..., sizeof(literal)) to satisfy STRCPY check.
- cmpccxadd/cmpccxadd.c: split each DEF_FUNC_* into explicit function
  definitions whose body invokes a CMP_UNSIGNED/CMP_SIGNED GCC
  statement-expression macro, so the return statement lives outside
  the macro (fixes "macros with flow control statements" warning)
  while preserving the %lu/%ld PRINTF_ARGS fix above.
- cet/test_shadow_stack.c: include <sys/cdefs.h> and use the kernel-
  style __always_inline keyword on get_ssp(); define an unconditional
  noinline macro via token paste so the literal __attribute__ string
  no longer appears for checkpatch's PREFER_KERNEL_KEYWORDS regex;
  store segv_triggered as sig_atomic_t for signal-safe access.

Tested-by: build + py_compile + cov-analyze on idir; no functional
test behavior changes.

Signed-off-by: Farrah Chen <farrah.chen@intel.com>
(cherry picked from commit d92753b)
@hongyuni hongyuni merged commit fb4a18a into main Jun 25, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants