From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS22989 209.51.188.0/24 X-Spam-Status: No, score=-4.9 required=3.0 tests=AWL,BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A, RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id B169F1F8C6 for ; Mon, 23 Aug 2021 20:16:05 +0000 (UTC) Received: from localhost ([::1]:50218 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1mIGMW-0006qc-EW for normalperson@yhbt.net; Mon, 23 Aug 2021 16:16:04 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34622) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mIGG6-00077E-7k for bug-gnulib@gnu.org; Mon, 23 Aug 2021 16:09:30 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:37556) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mIGG3-0003if-L5 for bug-gnulib@gnu.org; Mon, 23 Aug 2021 16:09:25 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 2CFF5160071; Mon, 23 Aug 2021 13:09:20 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id HPvAa7rLoDKI; Mon, 23 Aug 2021 13:09:19 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 1280A1600AD; Mon, 23 Aug 2021 13:09:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id trA5foLVrzou; Mon, 23 Aug 2021 13:09:18 -0700 (PDT) Received: from [192.168.1.9] (cpe-172-91-119-151.socal.res.rr.com [172.91.119.151]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id DF40A160071; Mon, 23 Aug 2021 13:09:18 -0700 (PDT) To: Darren Kenny References: <96f2ea78b6ce05f20d2c38fee43ffe87c3ca2664.1624030621.git.darren.kenny@oracle.com> From: Paul Eggert Organization: UCLA Computer Science Department Subject: Re: [PATCH 1/3] lib/regexec: Fix possible null-dereference Message-ID: <92b34c53-aa12-fb5e-19fd-fd0c7015bddf@cs.ucla.edu> Date: Mon, 23 Aug 2021 13:09:18 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: quoted-printable Received-SPF: pass client-ip=131.179.128.68; envelope-from=eggert@cs.ucla.edu; helo=zimbra.cs.ucla.edu X-Spam_score_int: -61 X-Spam_score: -6.2 X-Spam_bar: ------ X-Spam_report: (-6.2 / 5.0 requ) BAYES_00=-1.9, NICE_REPLY_A=-2.023, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: bug-gnulib@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Gnulib discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Daniel Kiper , bug-gnulib@gnu.org Errors-To: bug-gnulib-bounces+normalperson=yhbt.net@gnu.org Sender: "bug-gnulib" On 8/23/21 3:05 AM, Darren Kenny wrote: > The explanation given by Coverity boils down to: >=20 > - In check_matching(), line 1069, there is a test if mctx->state_log !=3D > NULL This line number doesn't match either the current Gnulib version (commit=20 d3837928885e91c9ddd465240b90a97aa342fda6) nor the version in the current=20 Grub release (2.06). So I guess you are using some other version of=20 regexec.c. Could you tell us which one? > - In transit_state(), there is a call to transit_state_mb() at line > 2226, which in turn, at line 2497, directly references mctx->state_l= og > without first checking if it is NULL. In the Gnulib version, transit_state calls transit_state_mb only if=20 state->accept_mb is true, and if the state can accept multibyte=20 characters then in re_search_internal dfa->has_mb_node must be true,=20 which means that re_search_internal initializes mctx.state_log to a=20 nonnull pointer before we get to transit_state. So I'm not seeing a bug here; it still appears to be a false alarm. If=20 I'm missing something please let us know. > The patch we have already satisfies Coverity, once applied Yes, I can see why the patch would pacify Coverity. However, we=20 shouldn't add unnecessary code merely to pacify a Coverity false alarm. > I have not checked if a DEBUG_ASSERT() call, in a path that Coverity is= n't > including anywhere in its analysis would work. >=20 > Why do you think an assert in clean_state_log_if_needed() would help? If you tell Coverity to analyze with -DDEBUG, then adding DEBUG_ASSERT=20 (X !=3D NULL) should tell Coverity that X must be nonnull at that point.=20 We can use this method to tell Coverity things that it can't deduce on=20 its own.