Modify tc and mm_heapinfo.c based on svace
authorjc_.kim <jc_.kim@samsung.com>
Tue, 29 Aug 2017 06:30:26 +0000 (15:30 +0900)
committerjc_.kim <jc_.kim@samsung.com>
Tue, 29 Aug 2017 07:00:27 +0000 (16:00 +0900)
tc_libc_syslog.c : Use of vulnerable function 'sprintf' at tc_libc_syslog.c:90. This function is unsafe, use snprintf instead.
tc_libc_unistd.c : Use of vulnerable function 'sprintf' at tc_libc_unistd.c:279. This function is unsafe, use snprintf instead.
tc_pthread.c : No unlock for mutex 'g_mutex' at tc_pthread.c:1284 after lock at tc_pthread.c:1278 by calling function 'pthread_mutex_lock'.
tc_sched.c : Dynamic memory referenced by 'status' was allocated at tc_sched.c:306 by calling function 'malloc' and lost at tc_sched.c
mm_heapinfo.c : Return value of a function 'sched_gettcb' is dereferenced at mm_heapinfo.c:277 without checking, but it is usually checked for this function

apps/examples/testcase/le_tc/kernel/tc_libc_syslog.c
apps/examples/testcase/le_tc/kernel/tc_libc_unistd.c
apps/examples/testcase/le_tc/kernel/tc_pthread.c
apps/examples/testcase/le_tc/kernel/tc_sched.c
os/mm/mm_heap/mm_heapinfo.c

index d3192e9..a433613 100644 (file)
@@ -35,7 +35,7 @@
 int g_prioidx[PRIORITY_NUM] = { LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, LOG_DEBUG };
 const char *g_priostr[PRIORITY_NUM] = { "Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Information", "Debug" };
 
-char g_syslogmsg[MAX_SYSLOG_MSG];
+char g_syslogmsg[MAX_SYSLOG_MSG + 1];
 
 /**
  * @fn                  :tc_libc_syslog_setlogmask
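Review bot: The extra byte in `g_syslogmsg[MAX_SYSLOG_MSG + 1]` is never used, because the snprintf calls added in this commit still pass `MAX_SYSLOG_MSG` as the bound and snprintf already terminates within that size. Passing `sizeof(g_syslogmsg)` at the call sites would tie the bound to the declaration, so a later change to the array size cannot drift from the limit. The declaration could then stay at `MAX_SYSLOG_MSG`.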
@@ -87,7 +87,7 @@ static void tc_libc_syslog_syslog(void)
        int i;
 
        for (i = 0; i < PRIORITY_NUM; i++) {
-               sprintf(g_syslogmsg, "%s message\n", g_priostr[i]);
+               snprintf(g_syslogmsg, MAX_SYSLOG_MSG, "%s message\n", g_priostr[i]);
                usleep(USEC_100);
                ret_chk = syslog(g_prioidx[i], g_syslogmsg);
                TC_ASSERT_EQ("syslog", ret_chk, strlen(g_syslogmsg));
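Review bot: `g_syslogmsg` is passed to `syslog()` as the format argument, so any `%` in the buffer would be interpreted as a conversion. The same applies to the `lowsyslog()` call and, if the wrappers forward their argument as a format, to `vsyslogFunc()` and `lowvsyslogFunc()` in the three hunks that follow. The strings come from the constant `g_priostr` table, so nothing is attacker-controlled in this test, but it is the non-literal-format pattern analyzers flag, and test code tends to be copied. `ret_chk = syslog(g_prioidx[i], "%s", g_syslogmsg);` should leave the asserted length unchanged. The snprintf return value is also unchecked, so a truncated message would pass silently; the function body starts before the hunk.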
@@ -128,7 +128,7 @@ static void tc_libc_syslog_vsyslog(void)
        int i;
 
        for (i = 0; i < PRIORITY_NUM; i++) {
-               sprintf(g_syslogmsg, "%s message\n", g_priostr[i]);
+               snprintf(g_syslogmsg, MAX_SYSLOG_MSG, "%s message\n", g_priostr[i]);
                usleep(USEC_100);
                ret_chk = vsyslogFunc(g_prioidx[i], g_syslogmsg);
                TC_ASSERT_EQ("vsyslog", ret_chk, strlen(g_syslogmsg));
@@ -153,7 +153,7 @@ static void tc_libc_syslog_lowsyslog(void)
        int i;
 
        for (i = 0; i < PRIORITY_NUM; i++) {
-               sprintf(g_syslogmsg, "%s message\n", g_priostr[i]);
+               snprintf(g_syslogmsg, MAX_SYSLOG_MSG, "%s message\n", g_priostr[i]);
                usleep(USEC_100);
                ret_chk = lowsyslog(g_prioidx[i], g_syslogmsg);
                TC_ASSERT_EQ("lowsyslog", ret_chk, strlen(g_syslogmsg));
@@ -194,7 +194,7 @@ static void tc_libc_syslog_lowvsyslog(void)
        int i;
 
        for (i = 0; i < PRIORITY_NUM; i++) {
-               sprintf(g_syslogmsg, "%s message\n", g_priostr[i]);
+               snprintf(g_syslogmsg, MAX_SYSLOG_MSG, "%s message\n", g_priostr[i]);
                usleep(USEC_100);
                ret_chk = lowvsyslogFunc(g_prioidx[i], g_syslogmsg);
                TC_ASSERT_EQ("lowvsyslog", ret_chk, strlen(g_syslogmsg));
index bb20da3..c922e6b 100644 (file)
@@ -273,10 +273,10 @@ cleanup_pipe:
 static void tc_libc_unistd_access(void)
 {
        int ret_chk;
-       char path[BUFFSIZE];
+       char path[BUFFSIZE + 1];
 
        getcwd(path, BUFFSIZE);
-       sprintf(path, "%s/%s", path, __FILE__);
+       snprintf(path, BUFFSIZE, "%s/%s", path, __FILE__);
 
        ret_chk = access(path, F_OK);
        TC_ASSERT_EQ("access", ret_chk, 0);
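Review bot: `snprintf(path, BUFFSIZE, "%s/%s", path, __FILE__)` uses `path` as both destination and source, and the C standard leaves copying between overlapping objects undefined for the printf family. Replacing sprintf does not address that, and a bounded implementation may produce an empty or corrupted prefix. The return value of `getcwd()` is not checked either, so on failure `path` is read uninitialised. A separate source buffer removes the overlap and the reliance on the extra byte: `char cwd[BUFFSIZE];`, `getcwd(cwd, sizeof(cwd));` with its result checked, then `snprintf(path, sizeof(path), "%s/%s", cwd, __FILE__);`. The function continues past the end of the hunk.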
index 874e397..1bd7c44 100644 (file)
@@ -895,7 +895,8 @@ static void tc_pthread_pthread_sem_take_give(void)
        TC_ASSERT_EQ("pthread_sem_take", ret_chk, OK);
 
        sem_getvalue(&sem, &get_value);
-       TC_ASSERT_EQ("sem_getvalue", get_value, VAL_TWO);
+       /* if get_value is not matched with VAL_TWO, then TC fails. but we will not use sem anymore, so destroy it */
+       TC_ASSERT_EQ_CLEANUP("sem_getvalue", get_value, VAL_TWO, sem_destroy(&sem));
 
        ret_chk = pthread_sem_give(&sem);
        TC_ASSERT_EQ("pthread_sem_give", ret_chk, OK);
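Review bot: Only the `sem_getvalue` assertion releases the semaphore. The `TC_ASSERT_EQ("pthread_sem_give", ret_chk, OK)` a few lines below it, and the `pthread_sem_take` assertion above it, still leave `sem` initialised when they fail, assuming TC_ASSERT_EQ returns from the test on failure as the added comment implies. The return value of `sem_getvalue()` is also ignored, so `get_value` may be compared without having been written. Using `TC_ASSERT_EQ_CLEANUP(..., sem_destroy(&sem))` for every assertion after the semaphore is initialised would make the failure paths consistent. The function starts and ends outside the hunk.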
@@ -1281,7 +1282,8 @@ static void tc_pthread_pthread_cond_signal_wait(void)
        ret_chk = pthread_create(&pthread_waiter, NULL, thread_cond_signal, NULL);
        TC_ASSERT_EQ("pthread_create", ret_chk, OK);
 
-       TC_ASSERT_EQ("pthread_mutex_lock", g_cond_sig_val, VAL_ONE);
+       /* if g_cond_sig_val is not matched with VAL_ONE, then TC fails. but we will not use g_mutex anymore, so destroy it */
+       TC_ASSERT_EQ_CLEANUP("pthread_mutex_lock", g_cond_sig_val, VAL_ONE, pthread_mutex_destroy(&g_mutex));
 
        ret_chk = pthread_mutex_unlock(&g_mutex);
        TC_ASSERT_EQ("pthread_mutex_unlock", ret_chk, OK);
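Review bot: The cleanup destroys `g_mutex` while it is still locked, and POSIX leaves destroying a locked mutex undefined. The `pthread_mutex_unlock(&g_mutex)` right after the assertion shows the lock is held at this point. The waiter thread created just above may also still be using the mutex, so the comment's "we will not use g_mutex anymore" does not obviously hold on the failure path. Releasing the lock addresses the analyzer finding directly: `TC_ASSERT_EQ_CLEANUP("pthread_mutex_lock", g_cond_sig_val, VAL_ONE, pthread_mutex_unlock(&g_mutex));`. The commit message places the lock at line 1278, before this hunk, so the `pthread_create` assertion above appears to have the same locked-return path.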
index 4c987dc..48a4bfb 100644 (file)
@@ -303,15 +303,14 @@ static void tc_sched_waitpid(void)
 {
        int ret_chk;
        pid_t child_pid;
-       int *status = (int *)malloc(sizeof(int));
+       int status;
 
        child_pid = task_create("tc_waitpid", SCHED_PRIORITY_DEFAULT, TASK_STACKSIZE, function_wait, (char * const *)NULL);
        TC_ASSERT_GT("task_create", child_pid, 0);
 
-       ret_chk = waitpid(child_pid, status, 0);
-       TC_ASSERT_EQ_ERROR_CLEANUP("waitpid", ret_chk, child_pid, errno, TC_FREE_MEMORY(status));
+       ret_chk = waitpid(child_pid, &status, 0);
+       TC_ASSERT_EQ("waitpid", ret_chk, child_pid);
 
-       free(status);
        TC_SUCCESS_RESULT();
 }
 #endif
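Review bot: `status` is filled by `waitpid()` but never read, so the test confirms only that the child was reaped, not how it exited. Either assert on the value or add a comment such as `/* exit status is not verified; only the returned pid is checked */` so the unused result is not mistaken for an oversight. The previous assertion also passed `errno` to its macro, so the failure diagnostic may now carry less information than before.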
index 8fef032..228189e 100644 (file)
@@ -274,6 +274,7 @@ void heapinfo_exclude_stacksize(void *stack_ptr)
        node = (struct mm_allocnode_s *)(stack_ptr - SIZEOF_MM_ALLOCNODE);
        rtcb = sched_gettcb(node->pid);
 
+       ASSERT(rtcb);
        rtcb->curr_alloc_size -= node->size;
        node->pid = HEAPINFO_STACK;
 }
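Review bot: `ASSERT(rtcb)` turns a failed `sched_gettcb(node->pid)` lookup into whatever the platform's assertion handler does, typically a halt, inside the heap accounting path. If assertions are compiled out in some configuration, the original NULL dereference remains. Whether the task recorded in `node->pid` can already have exited when its stack is excluded cannot be determined from this hunk. If it can, a guard would keep the bookkeeping best-effort: `if (rtcb) { rtcb->curr_alloc_size -= node->size; }` while still setting `node->pid = HEAPINFO_STACK`. `stack_ptr` is likewise used without a NULL check before `node->pid` is read. The function begins outside the hunk.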