From: Kamil Dudka
To: bug-gnulib@gnu.org
Subject: Coverity false positives triggered by gnulib's implementation of base64
Date: Tue, 07 May 2019 16:22:34 +0200
Message-ID: <2475310.f135Qeco9B@kdudka-nb>

Coverity Analysis 2019.03 incorrectly marks the input argument of
base64_encode(), and consequently base64_encode_alloc(), as
tainted_data_sink because it sees byte-level operations on the input.
It triggered the following false positives in the cryptsetup project:

Error: TAINTED_SCALAR:
lib/luks2/luks2_digest_pbkdf2.c:117: tainted_data_argument: Calling function "crypt_random_get" taints argument "salt".
lib/luks2/luks2_digest_pbkdf2.c:157: tainted_data: Passing tainted variable "salt" to a tainted sink.

Error: TAINTED_SCALAR:
lib/luks2/luks2_keyslot_luks2.c:445: tainted_data_argument: Calling function "crypt_random_get" taints argument "salt".
lib/luks2/luks2_keyslot_luks2.c:448: tainted_data: Passing tainted variable "salt" to a tainted sink.

... but it can affect other gnulib-based projects, too. Would it be
possible to apply the following one-line patch to gnulib source code to
suppress this class of false positives in gnulib-based projects?

https://gitlab.com/cryptsetup/cryptsetup/commit/75b2610e

Thanks in advance for considering it!

Kamil
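As an added illustration (not part of the message above and not gnulib's or cryptsetup's code), this is the kind of byte-level shift-and-mask table indexing a base64 encoder performs on its input, which is what the analyzer reacts to, together with a check that the 0x3f mask keeps every table index inside the 64-entry alphabet. The function names b64_encode_example and b64_output_in_alphabet are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
/* Constructed example, not gnulib's code: an encoder in the style of
   gnulib's base64_encode(), showing the byte-level operations on the
   input that a taint analyzer may report as a tainted_data_sink. */
static const char b64c[64] =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode INLEN bytes from IN into OUT, which must hold at least
   4 * ((INLEN + 2) / 3) + 1 bytes.  Returns the number of characters
   written, not counting the terminating NUL. */
size_t
b64_encode_example (const unsigned char *in, size_t inlen, char *out)
{
  size_t n = 0;
  while (inlen)
    {
      size_t step = inlen < 3 ? inlen : 3;
      unsigned int b0 = in[0];
      unsigned int b1 = step > 1 ? in[1] : 0;
      unsigned int b2 = step > 2 ? in[2] : 0;
      /* Raw input bytes are shifted and used as array indices; the
         & 0x3f keeps every index in [0, 63] whatever the bytes are. */
      out[n++] = b64c[(b0 >> 2) & 0x3f];
      out[n++] = b64c[((b0 << 4) | (b1 >> 4)) & 0x3f];
      out[n++] = step > 1 ? b64c[((b1 << 2) | (b2 >> 6)) & 0x3f] : '=';
      out[n++] = step > 2 ? b64c[b2 & 0x3f] : '=';
      in += step;
      inlen -= step;
    }
  out[n] = '\0';
  return n;
}

/* Empirical check of the bounds argument: encode IN (at most 765 bytes)
   and confirm every output character is from the alphabet or is '='
   padding, i.e. no table index escaped [0, 63].  Returns 1 if so. */
int
b64_output_in_alphabet (const unsigned char *in, size_t inlen)
{
  char buf[4 * 255 + 1];
  size_t n, i;
  if (inlen > 765)
    return 0;
  n = b64_encode_example (in, inlen, buf);
  for (i = 0; i < n; i++)
    if (buf[i] != '=' && memchr (b64c, buf[i], sizeof b64c) == NULL)
      return 0;
  return 1;
}
```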