../libnvme/src/nvme/registry.c

Bug Summary

File:	.build-ci/../libnvme/src/nvme/registry.c
Warning:	line 102, column 30 Potential leak of memory pointed to by 'tmp'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name registry.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -mframe-pointer=none -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/__w/nvme-cli/nvme-cli/.build-ci -fcoverage-compilation-dir=/__w/nvme-cli/nvme-cli/.build-ci -resource-dir /usr/lib/llvm-19/lib/clang/19 -include /__w/nvme-cli/nvme-cli/.build-ci/nvme-config.h -I libnvme/src/libnvme3.so.3.0.0.p -I libnvme/src -I ../libnvme/src -I ccan -I ../ccan -I . -I .. -I /usr/include/json-c -D _FILE_OFFSET_BITS=64 -D _GNU_SOURCE -U NDEBUG -internal-isystem /usr/lib/llvm-19/lib/clang/19/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -std=gnu99 -ferror-limit 19 -fvisibility=hidden -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fcolor-diagnostics -vectorize-loops -vectorize-slp -analyzer-opt-analyze-headers -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /__w/nvme-cli/nvme-cli/.build-ci/scan-results/2026-06-24-175442-590-1 -x c ../libnvme/src/nvme/registry.c

1// SPDX-License-Identifier: LGPL-2.1-or-later
2/*
* This file is part of libnvme.
* Copyright (c) 2026 Dell Technologies Inc. or its subsidiaries.
*
* Authors: Martin Belanger <martin.belanger@dell.com>
*/

9#include <dirent.h>
10#include <errno(*__errno_location ()).h>
11#include <fcntl.h>
12#include <limits.h>
13#include <stdbool.h>
14#include <stdio.h>
15#include <stdlib.h>
16#include <string.h>
17#include <sys/stat.h>
18#include <sys/types.h>
19#include <unistd.h>

21#include "cleanup.h"
22#include "compiler-attributes.h"
23#include "private.h"
24#include "registry.h"

26/*
* Return the root directory of the registry.  In production this is always
* "/run/nvme/registry".  The NVME_REGISTRY_DIR override exists solely for unit
* testing: it lets the test suite run against a throwaway directory under /tmp
* instead of the production location.  The result is cached on first use.
*/
32static const char *registry_dir(void)
33{
static char buf[256];
static const char *dir;

if (!dir) {
const char *env = getenv("NVME_REGISTRY_DIR");

/*
 * NVME_REGISTRY_DIR is a test-only override.  The registry
 * path drives mkdir, writes and a recursive delete, so an
 * attacker who can inject it into a privileged process must
 * not redirect those to an arbitrary location.  Confine the
 * override to /tmp and reject ".." traversal; anything else
 * falls back to the production directory.
 *
 * Copy into a static buffer: getenv()'s pointer can be
 * invalidated by a later setenv()/putenv().  Truncation is
 * harmless -- a too-long test path simply won't resolve, and a
 * malicious value is both truncated and rejected above.
 */
if (env && strncmp(env, "/tmp/", 5) == 0 &&
    !strstr(env, "..")) {
	snprintf(buf, sizeof(buf), "%s", env);
	dir = buf;
} else {
	dir = "/run/nvme/registry";
}
}
return dir;
62}

64/*
* Build "<registry_dir>/<device>" (when @attr is NULL) or
* "<registry_dir>/<device>/<attr>".  Returns a newly allocated string the
* caller must free, or NULL on allocation failure.
*/
69static char *registry_path(const char *device, const char *attr)
70{
char *path = NULL((void*)0);
int n;

if (attr)
n = asprintf(&path, "%s/%s/%s", registry_dir(), device, attr);
else
n = asprintf(&path, "%s/%s", registry_dir(), device);
return n < 0 ? NULL((void*)0) : path;
79}

81/* mkdir -p: create @path and any missing parents. */
82static int mkdir_p(const char *path, mode_t mode)
83{
__cleanup_free__attribute__((cleanup(freep))) char *tmp = strdup(path);
8
←
Memory is allocated→
size_t len;
char *p;

if (!tmp)
9
←
Assuming 'tmp' is non-null→
10
←
Taking false branch→
return -ENOMEM12;
len = strlen(tmp);
if (len && tmp[len - 1] == '/')
11
←
Assuming 'len' is 0→
tmp[len - 1] = '\0';

for (p = tmp + 1; *p; p++) {
if (*p != '/')
	continue;
*p = '\0';
if (mkdir(tmp, mode) < 0 && errno(*__errno_location ()) != EEXIST17)
	return -errno(*__errno_location ());
*p = '/';
}
if (mkdir(tmp, mode) < 0 && errno(*__errno_location ()) != EEXIST17)
12
←
Potential leak of memory pointed to by 'tmp'
return -errno(*__errno_location ());
return 0;
105}

107static int ensure_device_dir(const char *device)
108{
__cleanup_free__attribute__((cleanup(freep))) char *path = NULL((void*)0);
int ret;

ret = mkdir_p(registry_dir(), 0755);
7
←
Calling 'mkdir_p'→
if (ret)
return ret;

path = registry_path(device, NULL((void*)0));
if (!path)
return -ENOMEM12;

/* EEXIST is success: two concurrent creates race to the same result. */
if (mkdir(path, 0755) < 0 && errno(*__errno_location ()) != EEXIST17)
return -errno(*__errno_location ());
return 0;
124}

126static bool_Bool valid_device(const char *device)
127{
const char *p;

if (!device || strncmp(device, "nvme", 4) != 0)
return false0;
p = device + 4;
if (!*p)
return false0;
for (; *p; p++) {
if (*p < '0' || *p > '9')
	return false0;
}
return true1;
140}

142static bool_Bool valid_attr(const char *attr)
143{
const char *p;

if (!attr || !*attr)
return false0;
for (p = attr; *p; p++) {
if ((*p >= 'a' && *p <= 'z') || (*p >= 'A' && *p <= 'Z') ||
    (*p >= '0' && *p <= '9') || *p == '_' || *p == '-')
	continue;
return false0;
}
return true1;
155}

157static int write_all(int fd, const char *buf, size_t len)
158{
while (len) {
ssize_t w = write(fd, buf, len);

if (w < 0) {
	if (errno(*__errno_location ()) == EINTR4)
		continue;
	return -errno(*__errno_location ());
}
if (w == 0)
	return -EIO5;
buf += w;
len -= w;
}
return 0;
173}

175/*
* read() up to @count bytes into @buf, retrying on EINTR.  Returns the number
* of bytes read (possibly short, at EOF) or a negative errno.
*/
179static ssize_t read_full(int fd, char *buf, size_t count)
180{
size_t off = 0;

while (off < count) {
ssize_t r = read(fd, buf + off, count - off);

if (r < 0) {
	if (errno(*__errno_location ()) == EINTR4)
		continue;
	return -errno(*__errno_location ());
}
if (r == 0)
	break;
off += r;
}
return off;
196}

198/*
* Read the attribute file open at @fd into a newly allocated, NUL-terminated
* string with the trailing newline stripped.  On success sets *out (the caller
* frees) and returns 0.  Returns -ENOENT for an empty file, or a negative
* errno on failure.
*/
204static int read_attr_fd(int fd, char **out)
205{
struct stat st;
char *val;
ssize_t n;

if (fstat(fd, &st) < 0)
return -errno(*__errno_location ());
if (st.st_size == 0)
return -ENOENT2;

val = malloc(st.st_size + 1);
if (!val)
return -ENOMEM12;

n = read_full(fd, val, st.st_size);
if (n < 0) {
free(val);
return n;
}

while (n > 0 && (val[n - 1] == '\n' || val[n - 1] == '\r'))
n--;
val[n] = '\0';
*out = val;
return 0;
230}

232/*
* Write @value atomically to the attribute file @attr inside @dir_path.
*
* Protocol:
*   mkostemp ->  <dir_path>/<attr>.tmp.XXXXXX  (random name, O_CLOEXEC)
*   fchmod   ->  0644
*   write    ->  value + newline
*   rename   ->  <dir_path>/<attr>
*   fsync    ->  directory
*
* mkostemp() atomically creates the tmp file with a random suffix, preventing
* both name prediction and TOCTOU races on the tmp file itself.  Builds without
* _GNU_SOURCE fall back to mkstemp() + fcntl(FD_CLOEXEC) (see below).  A NULL
* @value removes the attribute.
*/
247static int write_attr_atomic(int dir_fd, const char *dir_path,
	     const char *attr, const char *value)
249{
__cleanup_free__attribute__((cleanup(freep))) char *tmp_path = NULL((void*)0);
__cleanup_free__attribute__((cleanup(freep))) char *final_path = NULL((void*)0);
int fd, ret;

if (!valid_attr(attr))
return -EINVAL22;

if (!value) {
if (unlinkat(dir_fd, attr, 0) < 0 && errno(*__errno_location ()) != ENOENT2)
	return -errno(*__errno_location ());
fsync(dir_fd);
return 0;
}

if (asprintf(&final_path, "%s/%s", dir_path, attr) < 0)
return -ENOMEM12;
if (asprintf(&tmp_path, "%s/%s.tmp.XXXXXX", dir_path, attr) < 0)
return -ENOMEM12;

/*
* mkostemp() sets O_CLOEXEC atomically but its glibc declaration is
* gated behind _GNU_SOURCE; fall back to mkstemp() + fcntl() where
* _GNU_SOURCE is not defined (e.g. the musl-style CI build).
*/
274#ifdef _GNU_SOURCE1
fd = mkostemp(tmp_path, O_CLOEXEC02000000);
if (fd < 0)
return -errno(*__errno_location ());
278#else
fd = mkstemp(tmp_path);
if (fd < 0)
return -errno(*__errno_location ());
if (fcntl(fd, F_SETFD2, FD_CLOEXEC1) < 0) {
ret = -errno(*__errno_location ());
goto err;
}
286#endif

/* the temp file is created with 0600; open it to the registry world. */
if (fchmod(fd, 0644) < 0) {
ret = -errno(*__errno_location ());
goto err;
}

ret = write_all(fd, value, strlen(value));
if (ret)
goto err;
ret = write_all(fd, "\n", 1);
if (ret)
goto err;
close(fd);

if (rename(tmp_path, final_path) < 0) {
ret = -errno(*__errno_location ());
unlink(tmp_path);
return ret;
}

/* Flush the rename to stable storage. */
fsync(dir_fd);
return 0;

312err:
close(fd);
unlink(tmp_path);
return ret;
316}

318/*
* Open the directory for @device (creating it if needed) and write @attr=@value
* atomically.  Shared by the create and update paths.
*/
322static int write_device_attr(const char *device, const char *attr,
	     const char *value)
324{
__cleanup_free__attribute__((cleanup(freep))) char *dir_path = NULL((void*)0);
int dir_fd, ret;

ret = ensure_device_dir(device);
6
←
Calling 'ensure_device_dir'→
if (ret)
return ret;

dir_path = registry_path(device, NULL((void*)0));
if (!dir_path)
return -ENOMEM12;

dir_fd = open(dir_path, O_RDONLY00 | O_DIRECTORY0200000 | O_CLOEXEC02000000);
if (dir_fd < 0)
return -errno(*__errno_location ());

ret = write_attr_atomic(dir_fd, dir_path, attr, value);
close(dir_fd);
return ret;
343}

345/*
* libnvmf_registry_create_instance - Write a registry entry for a freshly
* connected controller.  Internal; called from the connect path in fabrics.c
* once the kernel returns instance=N.  Always overwrites any pre-existing
* entry: instance recycling means an old nvmeN/ directory is stale by
* definition.
*/
352int libnvmf_registry_create_instance(struct libnvme_global_ctx *ctx,
		     int instance, const char *owner)
354{
char device[32];

snprintf(device, sizeof(device), "nvme%d", instance);

/*
* Delete any stale entry unconditionally before creating the new one.
* Instance recycling means an old nvmeN/ directory is stale by
* definition — any attributes left over from the previous owner (e.g.
* a private attribute written via libnvmf_registry_update()) must not
* leak into the new entry.  Ignore errors: ENOENT is the common case.
*/
libnvmf_registry_delete(ctx, device);

return write_device_attr(device, "owner", owner);
369}

371int libnvmf_registry_delete_instance(struct libnvme_global_ctx *ctx,
		     int instance)
373{
char device[32];
int ret;

snprintf(device, sizeof(device), "nvme%d", instance);
ret = libnvmf_registry_delete(ctx, device);
return (ret == -ENOENT2) ? 0 : ret;
380}

382__libnvme_public__attribute__((visibility("default"))) int libnvmf_registry_retrieve(struct libnvme_global_ctx *ctx,
			       const char *device,
			       const char *attr, char **value)
385{
__cleanup_free__attribute__((cleanup(freep))) char *path = NULL((void*)0);
int fd, ret;

if (!ctx)
return -EINVAL22;
if (!device || !attr || !value)
return -EINVAL22;
if (!valid_device(device))
return -EINVAL22;

path = registry_path(device, attr);
if (!path)
return -ENOMEM12;

fd = open(path, O_RDONLY00 | O_CLOEXEC02000000);
if (fd < 0)
return -errno(*__errno_location ());

ret = read_attr_fd(fd, value);
close(fd);
return ret;
407}

409__libnvme_public__attribute__((visibility("default"))) int libnvmf_registry_attr_equal(struct libnvme_global_ctx *ctx,
				 const char *device,
				 const char *attr,
				 const char *value)
413{
char *stored = NULL((void*)0);
int rc;

if (!ctx)
return -EINVAL22;

rc = libnvmf_registry_retrieve(ctx, device, attr, &stored);
if (rc < 0 && rc != -ENOENT2)
return rc;
if (!stored)
rc = value ? 1 : 0;
else
rc = (value && !strcmp(stored, value)) ? 0 : 1;
free(stored);
return rc;
429}

431__libnvme_public__attribute__((visibility("default"))) int libnvmf_registry_update(struct libnvme_global_ctx *ctx,
			     const char *device,
			     const char *attr, const char *value)
434{
if (!ctx)
1
Assuming 'ctx' is non-null→
return -EINVAL22;
if (!device || !valid_device(device))
2
←
Assuming 'device' is non-null→
3
←
Assuming the condition is false→
4
←
Taking false branch→
return -EINVAL22;

return write_device_attr(device, attr, value);
5
←
Calling 'write_device_attr'→
441}

443__libnvme_public__attribute__((visibility("default"))) int libnvmf_registry_delete(struct libnvme_global_ctx *ctx,
			     const char *device)
445{
__cleanup_free__attribute__((cleanup(freep))) char *path = NULL((void*)0);
struct dirent *de;
int dir_fd, ret = 0;
DIR *d;

if (!ctx)
return -EINVAL22;
if (!device || !valid_device(device))
return -EINVAL22;

path = registry_path(device, NULL((void*)0));
if (!path)
return -ENOMEM12;

d = opendir(path);
if (!d)
return -errno(*__errno_location ());

dir_fd = dirfd(d);
while ((de = readdir(d)) != NULL((void*)0)) {
if (de->d_name[0] == '.')
	continue;
if (unlinkat(dir_fd, de->d_name, 0) < 0 && errno(*__errno_location ()) != ENOENT2)
	ret = -errno(*__errno_location ());
}
closedir(d);

if (ret)
return ret;

if (rmdir(path) < 0 && errno(*__errno_location ()) != ENOENT2)
return -errno(*__errno_location ());
return 0;
479}

481__libnvme_public__attribute__((visibility("default"))) int libnvmf_registry_device_for_each(
struct libnvme_global_ctx *ctx,
void (*callback)(const char *device, void *user_data),
void *user_data)
485{
char dev_path[NAME_MAX255 + 6]; /* "/dev/" + name + NUL */
struct dirent *de;
DIR *d;

if (!ctx)
return -EINVAL22;
if (!callback)
return -EINVAL22;

d = opendir(registry_dir());
if (!d) {
if (errno(*__errno_location ()) == ENOENT2)
	return 0;
return -errno(*__errno_location ());
}

while ((de = readdir(d)) != NULL((void*)0)) {
if (de->d_name[0] == '.')
	continue;

/*
 * Only visit directories.  Use stat() as a fallback when
 * d_type is DT_UNKNOWN (e.g. on some network filesystems).
 */
if (de->d_type != DT_DIRDT_DIR) {
	struct stat st;

	if (de->d_type != DT_UNKNOWNDT_UNKNOWN)
		continue;
	/*
	 * Resolve relative to the open directory rather than
	 * building an absolute path: avoids a fixed-size path
	 * buffer (and the format-truncation it invites).
	 */
	if (fstatat(dirfd(d), de->d_name, &st, 0) < 0 ||
	    !S_ISDIR(st.st_mode)((((st.st_mode)) & 0170000) == (0040000)))
		continue;
}

/* Stale-entry check: skip if the device node is gone. */
snprintf(dev_path, sizeof(dev_path), "/dev/%s", de->d_name);
if (access(dev_path, F_OK0) != 0)
	continue;

callback(de->d_name, user_data);
}
closedir(d);
return 0;
534}

536__libnvme_public__attribute__((visibility("default"))) int libnvmf_registry_attr_for_each(
struct libnvme_global_ctx *ctx,
const char *device,
void (*callback)(const char *attr, const char *value,
		 void *user_data),
void *user_data)
542{
__cleanup_free__attribute__((cleanup(freep))) char *dir_path = NULL((void*)0);
struct dirent *de;
int dir_fd;
DIR *d;

if (!ctx)
return -EINVAL22;
if (!device || !callback)
return -EINVAL22;
if (!valid_device(device))
return -EINVAL22;

dir_path = registry_path(device, NULL((void*)0));
if (!dir_path)
return -ENOMEM12;

d = opendir(dir_path);
if (!d)
return -errno(*__errno_location ());

dir_fd = dirfd(d);
while ((de = readdir(d)) != NULL((void*)0)) {
__cleanup_free__attribute__((cleanup(freep))) char *val = NULL((void*)0);
int fd, rc;

if (de->d_name[0] == '.')
	continue;
/* Skip in-flight tmp files from concurrent writers. */
if (strstr(de->d_name, ".tmp."))
	continue;

fd = openat(dir_fd, de->d_name, O_RDONLY00 | O_CLOEXEC02000000);
if (fd < 0)
	continue; /* device may have been removed concurrently */

rc = read_attr_fd(fd, &val);
close(fd);
if (rc == 0)
	callback(de->d_name, val, user_data);
}
closedir(d);
return 0;
585}