* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
From: Tom Rini @ 2021-07-27 2:52 UTC (permalink / raw)
To: u-boot, Simon Glass, Sean Anderson
----- Forwarded message from scan-admin@coverity.com -----
Date: Tue, 27 Jul 2021 01:10:27 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
6 new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 332931: Control flow issues (NO_EFFECT)
/drivers/clk/clk_kendryte.c: 852 in k210_pll_set_rate()
________________________________________________________________________________________________________
*** CID 332931: Control flow issues (NO_EFFECT)
/drivers/clk/clk_kendryte.c: 852 in k210_pll_set_rate()
846 int err;
847 const struct k210_pll_params *pll = &k210_plls[id];
848 struct k210_pll_config config = {};
849 u32 reg;
850 ulong calc_rate;
851
>>> CID 332931: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "rate_in < 0UL".
852 if (rate_in < 0)
853 return rate_in;
854
855 err = k210_pll_calc_config(rate, rate_in, &config);
856 if (err)
857 return err;
** CID 332930: Integer handling issues (NO_EFFECT)
/lib/display_options.c: 216 in print_buffer()
________________________________________________________________________________________________________
*** CID 332930: Integer handling issues (NO_EFFECT)
/lib/display_options.c: 216 in print_buffer()
210 while (count) {
211 uint thislinelen;
212 char buf[HEXDUMP_MAX_BUF_LENGTH(width * linelen)];
213
214 thislinelen = hexdump_line(addr, data, width, count, linelen,
215 buf, sizeof(buf));
>>> CID 332930: Integer handling issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "thislinelen >= 0U".
216 assert(thislinelen >= 0);
217 puts(buf);
218 putc('\n');
219
220 /* update references */
221 data += thislinelen * width;
** CID 332929: Integer handling issues (NO_EFFECT)
/drivers/clk/clk_kendryte.c: 898 in k210_pll_get_rate()
________________________________________________________________________________________________________
*** CID 332929: Integer handling issues (NO_EFFECT)
/drivers/clk/clk_kendryte.c: 898 in k210_pll_get_rate()
892 static ulong k210_pll_get_rate(struct k210_clk_priv *priv, int id,
893 ulong rate_in)
894 {
895 u64 r, f, od;
896 u32 reg = readl(priv->base + k210_plls[id].off);
897
>>> CID 332929: Integer handling issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "rate_in < 0UL".
898 if (rate_in < 0 || (reg & K210_PLL_BYPASS))
899 return rate_in;
900
901 if (!(reg & K210_PLL_PWRD))
902 return 0;
903
** CID 332928: Integer handling issues (NO_EFFECT)
/common/log.c: 305 in _log_buffer()
________________________________________________________________________________________________________
*** CID 332928: Integer handling issues (NO_EFFECT)
/common/log.c: 305 in _log_buffer()
299 while (count) {
300 uint thislinelen;
301 char buf[HEXDUMP_MAX_BUF_LENGTH(width * linelen)];
302
303 thislinelen = hexdump_line(addr, data, width, count, linelen,
304 buf, sizeof(buf));
>>> CID 332928: Integer handling issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "thislinelen >= 0U".
305 assert(thislinelen >= 0);
306 _log(cat, level, file, line, func, "%s\n", buf);
307
308 /* update references */
309 data += thislinelen * width;
310 addr += thislinelen * width;
** CID 332927: (DIVIDE_BY_ZERO)
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
________________________________________________________________________________________________________
*** CID 332927: (DIVIDE_BY_ZERO)
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
778 } else {
779 /*
780 * There is no way to only divide once; we need
781 * to examine the frequency with and without the
782 * effect of od.
783 */
>>> CID 332927: (DIVIDE_BY_ZERO)
>>> In function call "__div64_32", division by expression "__base" which may be zero has undefined behavior.
784 u64 vco = DIV_ROUND_CLOSEST_ULL(rate_in * f, r);
785
786 if (vco > 1750000000 || vco < 340000000)
787 out_of_spec = true;
788 }
789
/drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
778 } else {
779 /*
780 * There is no way to only divide once; we need
781 * to examine the frequency with and without the
782 * effect of od.
783 */
>>> CID 332927: (DIVIDE_BY_ZERO)
>>> In expression "(u32)_tmp % __base", modulo by expression "__base" which may be zero has undefined behavior.
784 u64 vco = DIV_ROUND_CLOSEST_ULL(rate_in * f, r);
785
786 if (vco > 1750000000 || vco < 340000000)
787 out_of_spec = true;
788 }
789
** CID 332926: API usage errors (CHAR_IO)
/common/autoboot.c: 95 in passwd_abort_crypt()
________________________________________________________________________________________________________
*** CID 332926: API usage errors (CHAR_IO)
/common/autoboot.c: 95 in passwd_abort_crypt()
89 do {
90 if (tstc()) {
91 /* Check for input string overflow */
92 if (presskey_len >= sizeof(presskey))
93 return 0;
94
>>> CID 332926: API usage errors (CHAR_IO)
>>> Assigning the return value of "getchar" to char "presskey[presskey_len]" truncates its value.
95 presskey[presskey_len] = getchar();
96
97 if ((presskey[presskey_len] == '\r') ||
98 (presskey[presskey_len] == '\n')) {
99 if (IS_ENABLED(CONFIG_AUTOBOOT_NEVER_TIMEOUT) &&
100 !presskey_len) {
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom
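The NO_EFFECT and CHAR_IO findings above describe two C defect classes rather than anything specific to the K210 clock driver or autoboot: a guard on an unsigned value that can never fire, and a narrowing of getchar()'s int return into a char before the value has been examined. The following is an added example, not U-Boot code and not code from anyone in this thread. Function names, the `struct input` byte source and the constructed input strings are hypothetical; the idea that an error travels in a ulong as -errno in the top MAX_ERRNO range of values is an assumption borrowed from the kernel-style err.h convention, not a claim about what the eventual U-Boot patch did.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long ulong;

/*
 * Part 1: NO_EFFECT. A ulong can never be negative, so "rate_in < 0" is
 * dead code. Assumption (hypothetical, kernel-style err.h convention): an
 * error is carried in a ulong as -errno, i.e. a value in the top MAX_ERRNO
 * range of the type.
 */
#define MAX_ERRNO 4095UL
static int is_err_value(ulong v)
{
	return v >= (ulong)-MAX_ERRNO;
}

/* Shape of the flagged code: the guard never fires, so an encoded error
 * flows into the arithmetic as if it were a real rate. */
ulong double_rate_naive(ulong rate_in)
{
	if (rate_in < 0)	/* NO_EFFECT: always false for an unsigned type */
		return rate_in;
	return rate_in * 2;
}

/* Same intent, with a guard that can actually fire. */
ulong double_rate_checked(ulong rate_in)
{
	if (is_err_value(rate_in))
		return rate_in;	/* propagate the encoded -errno untouched */
	return rate_in * 2;
}

/*
 * Part 2: CHAR_IO. A byte source with getchar()'s contract: the next byte
 * as a non-negative int, or -1 when nothing is left. Backed by a constructed
 * string so the example runs offline.
 */
struct input {
	const unsigned char *p;
	size_t n, pos;
};

static int next_char(struct input *in)
{
	return in->pos < in->n ? in->p[in->pos++] : -1;
}

typedef size_t (*reader_fn)(struct input *, char *, size_t);

/* Shape of the flagged code: the int is narrowed into the char array before
 * it is examined, so a -1 (EOF/error) is stored as 0xff and then compared
 * as if it were a keystroke. Returns the number of bytes stored. */
size_t read_key_naive(struct input *in, char *key, size_t cap)
{
	size_t len = 0;

	for (;;) {
		if (len >= cap)	/* overflow check, as in the report */
			return len;
		key[len] = next_char(in);	/* CHAR_IO: int -> char truncation */
		if (key[len] == '\r' || key[len] == '\n')
			return len;
		len++;
	}
}

/* Keep the int, reject the negative case, and only then narrow. */
size_t read_key_checked(struct input *in, char *key, size_t cap)
{
	size_t len = 0;

	while (len < cap) {
		int c = next_char(in);

		if (c < 0)	/* EOF/error: stop instead of storing it */
			break;
		if (c == '\r' || c == '\n')
			break;
		key[len++] = (char)c;
	}
	return len;
}

/* Demo harness: run a reader over a constructed input; returns bytes stored. */
static char demo_buf[8];

size_t demo_run(reader_fn fn, const char *s)
{
	struct input in = { (const unsigned char *)s, strlen(s), 0 };

	memset(demo_buf, 0, sizeof(demo_buf));
	return fn(&in, demo_buf, sizeof(demo_buf));
}

unsigned char demo_byte(size_t i)
{
	return (unsigned char)demo_buf[i];
}

int main(void)
{
	ulong err = (ulong)-EINVAL;

	printf("naive:   %lx -> %lx\n", err, double_rate_naive(err));
	printf("checked: %lx -> %lx\n", err, double_rate_checked(err));
	printf("naive,   no newline: stored %zu bytes, byte[3]=0x%02x\n",
	       demo_run(read_key_naive, "abc"), demo_byte(3));
	printf("checked, no newline: stored %zu bytes\n",
	       demo_run(read_key_checked, "abc"));
	return 0;
}
```

With the source exhausted and no line terminator, the naive reader keeps storing the truncated -1 until the buffer is full, while the checked reader stops at the first negative return; the naive rate function doubles an encoded -EINVAL instead of passing it back.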
* Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
From: Sean Anderson @ 2021-07-27 3:26 UTC (permalink / raw)
To: Tom Rini, u-boot, Simon Glass
On 7/26/21 10:52 PM, Tom Rini wrote:
> ----- Forwarded message from scan-admin@coverity.com -----
>
> Date: Tue, 27 Jul 2021 01:10:27 +0000 (UTC)
> From: scan-admin@coverity.com
> To: tom.rini@gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 6 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 6 of 6 defect(s)
>
>
> ** CID 332931: Control flow issues (NO_EFFECT)
> /drivers/clk/clk_kendryte.c: 852 in k210_pll_set_rate()
>
>
> ________________________________________________________________________________________________________
> *** CID 332931: Control flow issues (NO_EFFECT)
> /drivers/clk/clk_kendryte.c: 852 in k210_pll_set_rate()
> 846 int err;
> 847 const struct k210_pll_params *pll = &k210_plls[id];
> 848 struct k210_pll_config config = {};
> 849 u32 reg;
> 850 ulong calc_rate;
> 851
>>>> CID 332931: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true. "rate_in < 0UL".
> 852 if (rate_in < 0)
> 853 return rate_in;
> 854
> 855 err = k210_pll_calc_config(rate, rate_in, &config);
> 856 if (err)
> 857 return err;
>
> ** CID 332929: Integer handling issues (NO_EFFECT)
> /drivers/clk/clk_kendryte.c: 898 in k210_pll_get_rate()
>
>
> ________________________________________________________________________________________________________
> *** CID 332929: Integer handling issues (NO_EFFECT)
> /drivers/clk/clk_kendryte.c: 898 in k210_pll_get_rate()
> 892 static ulong k210_pll_get_rate(struct k210_clk_priv *priv, int id,
> 893 ulong rate_in)
> 894 {
> 895 u64 r, f, od;
> 896 u32 reg = readl(priv->base + k210_plls[id].off);
> 897
>>>> CID 332929: Integer handling issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true. "rate_in < 0UL".
> 898 if (rate_in < 0 || (reg & K210_PLL_BYPASS))
> 899 return rate_in;
> 900
> 901 if (!(reg & K210_PLL_PWRD))
> 902 return 0;
> 903
>
Will send a patch for these.
> ** CID 332927: (DIVIDE_BY_ZERO)
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
>
>
> ________________________________________________________________________________________________________
> *** CID 332927: (DIVIDE_BY_ZERO)
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> 778 } else {
> 779 /*
> 780 * There is no way to only divide once; we need
> 781 * to examine the frequency with and without the
> 782 * effect of od.
> 783 */
>>>> CID 332927: (DIVIDE_BY_ZERO)
>>>> In function call "__div64_32", division by expression "__base" which may be zero has undefined behavior.
> 784 u64 vco = DIV_ROUND_CLOSEST_ULL(rate_in * f, r);
> 785
> 786 if (vco > 1750000000 || vco < 340000000)
> 787 out_of_spec = true;
> 788 }
> 789
> /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> 778 } else {
> 779 /*
> 780 * There is no way to only divide once; we need
> 781 * to examine the frequency with and without the
> 782 * effect of od.
> 783 */
>>>> CID 332927: (DIVIDE_BY_ZERO)
>>>> In expression "(u32)_tmp % __base", modulo by expression "__base" which may be zero has undefined behavior.
> 784 u64 vco = DIV_ROUND_CLOSEST_ULL(rate_in * f, r);
> 785
> 786 if (vco > 1750000000 || vco < 340000000)
> 787 out_of_spec = true;
> 788 }
> 789
These are completely safe, but it is relatively non-obvious why. The
only way that r can be 0 is on the very first iteration. When rate >
rate_in, r gets assigned (to a non-zero number) immediately. For the
converse, we only assign to r and od when r * od < goal. goal is
calculated by multiplying f (which is always at least 1) with inv_ratio,
shifted right by 32 bits. In the worst case (the first iteration), this
is just inv_ratio >> 32. But inv_ratio is rate_in << 32 / rate, and
above we assumed that rate <= rate_in. So inv_ratio is always at least 1
<< 32, and we never divide by 0 :)
In the course of investigating the above, I added some additional test
cases and discovered that we don't always get the best factors in some
cases. I will also send a patch for this.
--Sean
* Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
From: Tom Rini @ 2021-07-27 15:04 UTC (permalink / raw)
To: Sean Anderson; +Cc: u-boot, Simon Glass
On Mon, Jul 26, 2021 at 11:26:39PM -0400, Sean Anderson wrote:
> On 7/26/21 10:52 PM, Tom Rini wrote:
> > ----- Forwarded message from scan-admin@coverity.com -----
> >
> > Date: Tue, 27 Jul 2021 01:10:27 +0000 (UTC)
> > From: scan-admin@coverity.com
> > To: tom.rini@gmail.com
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> > 6 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > 9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 6 of 6 defect(s)
> >
> >
> > ** CID 332931: Control flow issues (NO_EFFECT)
> > /drivers/clk/clk_kendryte.c: 852 in k210_pll_set_rate()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 332931: Control flow issues (NO_EFFECT)
> > /drivers/clk/clk_kendryte.c: 852 in k210_pll_set_rate()
> > 846 int err;
> > 847 const struct k210_pll_params *pll = &k210_plls[id];
> > 848 struct k210_pll_config config = {};
> > 849 u32 reg;
> > 850 ulong calc_rate;
> > 851
> > > > > CID 332931: Control flow issues (NO_EFFECT)
> > > > > This less-than-zero comparison of an unsigned value is never true. "rate_in < 0UL".
> > 852 if (rate_in < 0)
> > 853 return rate_in;
> > 854
> > 855 err = k210_pll_calc_config(rate, rate_in, &config);
> > 856 if (err)
> > 857 return err;
> >
>
> > ** CID 332929: Integer handling issues (NO_EFFECT)
> > /drivers/clk/clk_kendryte.c: 898 in k210_pll_get_rate()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 332929: Integer handling issues (NO_EFFECT)
> > /drivers/clk/clk_kendryte.c: 898 in k210_pll_get_rate()
> > 892 static ulong k210_pll_get_rate(struct k210_clk_priv *priv, int id,
> > 893 ulong rate_in)
> > 894 {
> > 895 u64 r, f, od;
> > 896 u32 reg = readl(priv->base + k210_plls[id].off);
> > 897
> > > > > CID 332929: Integer handling issues (NO_EFFECT)
> > > > > This less-than-zero comparison of an unsigned value is never true. "rate_in < 0UL".
> > 898 if (rate_in < 0 || (reg & K210_PLL_BYPASS))
> > 899 return rate_in;
> > 900
> > 901 if (!(reg & K210_PLL_PWRD))
> > 902 return 0;
> > 903
> >
>
>
> Will send a patch for these.
>
> > ** CID 332927: (DIVIDE_BY_ZERO)
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 332927: (DIVIDE_BY_ZERO)
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> > 778 } else {
> > 779 /*
> > 780 * There is no way to only divide once; we need
> > 781 * to examine the frequency with and without the
> > 782 * effect of od.
> > 783 */
> > > > > CID 332927: (DIVIDE_BY_ZERO)
> > > > > In function call "__div64_32", division by expression "__base" which may be zero has undefined behavior.
> > 784 u64 vco = DIV_ROUND_CLOSEST_ULL(rate_in * f, r);
> > 785
> > 786 if (vco > 1750000000 || vco < 340000000)
> > 787 out_of_spec = true;
> > 788 }
> > 789
> > /drivers/clk/clk_kendryte.c: 784 in k210_pll_calc_config()
> > 778 } else {
> > 779 /*
> > 780 * There is no way to only divide once; we need
> > 781 * to examine the frequency with and without the
> > 782 * effect of od.
> > 783 */
> > > > > CID 332927: (DIVIDE_BY_ZERO)
> > > > > In expression "(u32)_tmp % __base", modulo by expression "__base" which may be zero has undefined behavior.
> > 784 u64 vco = DIV_ROUND_CLOSEST_ULL(rate_in * f, r);
> > 785
> > 786 if (vco > 1750000000 || vco < 340000000)
> > 787 out_of_spec = true;
> > 788 }
> > 789
>
> These are completely safe, but it is relatively non-obvious why. The
> only way that r can be 0 is on the very first iteration. When rate >
> rate_in, r gets assigned (to a non-zero number) immediately. For the
> converse, we only assign to r and od when r * od < goal. goal is
> calculated by multiplying f (which is always at least 1) with inv_ratio,
> shifted right by 32 bits. In the worst case (the first iteration), this
> is just inv_ratio >> 32. But inv_ratio is rate_in << 32 / rate, and
> above we assumed that rate <= rate_in. So inv_ratio is always at least 1
> << 32, and we never divide by 0 :)
>
> In the course of investigating the above, I added some additional test
> cases and discovered that we don't always get the best factors in some
> cases. I will also send a patch for this.
Thanks for looking so quickly!
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2022-09-06 15:50 Tom Rini
From: Tom Rini @ 2022-09-06 15:50 UTC (permalink / raw)
To: u-boot, Ilias Apalodimas
----- Forwarded message from scan-admin@coverity.com -----
Date: Tue, 06 Sep 2022 01:07:45 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 356664: API usage errors (BUFFER_SIZE)
/lib/tpm-v2.c: 703 in tpm2_report_state()
________________________________________________________________________________________________________
*** CID 356664: API usage errors (BUFFER_SIZE)
/lib/tpm-v2.c: 703 in tpm2_report_state()
697 log_debug("ret=%s, %x\n", dev->name, ret);
698 if (ret)
699 return ret;
700 if (*recv_size < 12)
701 return -ENODATA;
702 *recv_size -= 12;
>>> CID 356664: API usage errors (BUFFER_SIZE)
>>> The source buffer "recvbuf + 12" potentially overlaps with the destination buffer "recvbuf", which results in undefined behavior for "memcpy".
703 memcpy(recvbuf, recvbuf + 12, *recv_size);
704
705 return 0;
706 }
707
708 u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
** CID 183377: (TAINTED_SCALAR)
/drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer()
/drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer()
________________________________________________________________________________________________________
*** CID 183377: (TAINTED_SCALAR)
/drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer()
729 seq = sb_tpm_index_to_seq(index);
730 if (seq < 0)
731 return log_msg_ret("index", -EINVAL);
732 printf("tpm: nvread index=%#02x, len=%#02x, seq=%#02x\n", index,
733 length, seq);
734 *recv_len = TPM2_HDR_LEN + 6 + length;
>>> CID 183377: (TAINTED_SCALAR)
>>> Passing tainted expression "*recv_len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
735 memset(recvbuf, '\0', *recv_len);
736 put_unaligned_be32(length, recvbuf + 2);
737 sb_tpm_read_data(tpm->nvdata, seq, recvbuf,
738 TPM2_HDR_LEN + 4 + 2, length);
739 break;
740 }
/drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer()
580
581 /* Give the number of properties that follow */
582 put_unaligned_be32(property_count, recv);
583 recv += sizeof(property_count);
584
585 /* Fill with the properties */
>>> CID 183377: (TAINTED_SCALAR)
>>> Using tainted variable "property_count" as a loop boundary.
586 for (i = 0; i < property_count; i++) {
587 put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property +
588 i, recv);
589 recv += sizeof(property);
590 put_unaligned_be32(tpm->properties[property + i],
591 recv);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3D4Xh0_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtsqJ39YESEW2nKPYCMHF70wsixkMVibSCjQ-2FGaGw5huIkg7-2FWaEDzqOUGcMyrbAAtsYzFGNDW0J6oj0eM4yvinWio8GHNygWR2n19gx10LjZwDEeBkQkwqkhNLGzEBh5ka4haIShtRdBfXm97-2BH2LxChYnqy6cvN-2BxDI2jW9HZJA-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFzf226DuRd-2B2ygQlLnerl-2BA3jN1AOYejXZ-2FNZ62waJHedPFGpqqjTx8fawy9KPJBno-3DsyQ2_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtsqJ39YESEW2nKPYCMHF700mhadf4YcMAqAcj9oPFjTlJ2s4EcIQU2bFVkOb10WKv-2FZ2t9vT4MUzH6ZOeXZ7qzOdr4JI8cQEPg4D8Tf3kLp0qolYqirx5tuUYCJh6JJ8ik6zvle859z9fd8Tb07Eb4SVxS10DXjSaXXriNevOzvQ-3D-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2022-05-09 17:22 Tom Rini
From: Tom Rini @ 2022-05-09 17:22 UTC (permalink / raw)
To: u-boot
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 09 May 2022 17:01:24 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 352689: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 352689: (TAINTED_SCALAR)
/disk/part_efi.c: 787 in gpt_repair_headers()
781 ret = -1;
782 goto out;
783 }
784
785 out:
786 if (is_gpt1_valid)
>>> CID 352689: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_e1" to "dlfree", which uses it as an offset.
787 free(gpt_e1);
788 if (is_gpt2_valid)
789 free(gpt_e2);
790
791 return ret;
792 }
/disk/part_efi.c: 789 in gpt_repair_headers()
783 }
784
785 out:
786 if (is_gpt1_valid)
787 free(gpt_e1);
788 if (is_gpt2_valid)
>>> CID 352689: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_e2" to "dlfree", which uses it as an offset.
789 free(gpt_e2);
790
791 return ret;
792 }
793
794 int gpt_verify_partitions(struct blk_desc *dev_desc,
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2022-04-25 23:41 Tom Rini
From: Tom Rini @ 2022-04-25 23:41 UTC (permalink / raw)
To: u-boot
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 25 Apr 2022 23:38:10 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
21 new defect(s) introduced to Das U-Boot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 21 defect(s)
** CID 352464: Memory - illegal accesses (NO_EFFECT)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4291 in _wrap_fdt_property_data_set()
________________________________________________________________________________________________________
*** CID 352464: Memory - illegal accesses (NO_EFFECT)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4291 in _wrap_fdt_property_data_set()
4285 res2 = SWIG_AsCharArray(swig_obj[1], temp2, 0);
4286 if (!SWIG_IsOK(res2)) {
4287 SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "fdt_property_data_set" "', argument " "2"" of type '" "char [0]""'");
4288 }
4289 arg2 = (char *)(temp2);
4290 if (arg2) memcpy(arg1->data,arg2,0*sizeof(char));
>>> CID 352464: Memory - illegal accesses (NO_EFFECT)
>>> Calling "memset" with size 0: "memset(arg1->data, 0, 0UL)" does nothing.
4291 else memset(arg1->data,0,0*sizeof(char));
4292 resultobj = SWIG_Py_Void();
4293 return resultobj;
4294 fail:
4295 return NULL;
4296 }
** CID 352463: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4030 in _wrap_fdt_node_header_name_set()
________________________________________________________________________________________________________
*** CID 352463: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4030 in _wrap_fdt_node_header_name_set()
4024 res2 = SWIG_AsCharArray(swig_obj[1], temp2, 0);
4025 if (!SWIG_IsOK(res2)) {
4026 SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "fdt_node_header_name_set" "', argument " "2"" of type '" "char [0]""'");
4027 }
4028 arg2 = (char *)(temp2);
4029 if (arg2) memcpy(arg1->name,arg2,0*sizeof(char));
>>> CID 352463: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "memset(arg1->name, 0, 0UL);".
4030 else memset(arg1->name,0,0*sizeof(char));
4031 resultobj = SWIG_Py_Void();
4032 return resultobj;
4033 fail:
4034 return NULL;
4035 }
** CID 352462: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 352462: Insecure data handling (TAINTED_SCALAR)
/drivers/gpio/gpio-uclass.c: 1203 in gpio_request_by_line_name()
1197 return ret;
1198
1199 desc->dev = dev;
1200 desc->offset = ret;
1201 desc->flags = 0;
1202
>>> CID 352462: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "desc->offset" to "dm_gpio_request", which uses it as an offset.
1203 ret = dm_gpio_request(desc, line_name);
1204 if (ret) {
1205 debug("%s: dm_gpio_requestf failed\n", __func__);
1206 return ret;
1207 }
1208
** CID 352461: Control flow issues (UNREACHABLE)
/drivers/block/blk-uclass.c: 568 in blk_find_first()
________________________________________________________________________________________________________
*** CID 352461: Control flow issues (UNREACHABLE)
/drivers/block/blk-uclass.c: 568 in blk_find_first()
562 int blk_find_first(enum blk_flag_t flags, struct udevice **devp)
563 {
564 int ret;
565
566 for (ret = uclass_find_first_device(UCLASS_BLK, devp);
567 *devp && !blk_flags_check(*devp, flags);
>>> CID 352461: Control flow issues (UNREACHABLE)
>>> Since the loop increment "ret = uclass_find_next_devi..." is unreachable, the loop body will never execute more than once.
568 ret = uclass_find_next_device(devp))
569 return 0;
570
571 return -ENODEV;
572 }
573
** CID 352460: Memory - illegal accesses (RETURN_LOCAL)
/drivers/clk/clk_scmi.c: 56 in scmi_clk_get_attibute()
________________________________________________________________________________________________________
*** CID 352460: Memory - illegal accesses (RETURN_LOCAL)
/drivers/clk/clk_scmi.c: 56 in scmi_clk_get_attibute()
50 int ret;
51
52 ret = devm_scmi_process_msg(dev, &msg);
53 if (ret)
54 return ret;
55
>>> CID 352460: Memory - illegal accesses (RETURN_LOCAL)
>>> Returning, through "*name", the address of stack variable "out".
56 *name = out.clock_name;
57
58 return 0;
59 }
60
61 static int scmi_clk_gate(struct clk *clk, int enable)
** CID 352459: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 5877 in _wrap_fdt_get_name()
________________________________________________________________________________________________________
*** CID 352459: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 5877 in _wrap_fdt_get_name()
5871 arg2 = (int)(val2);
5872 result = (char *)fdt_get_name((void const *)arg1,arg2,arg3);
5873 resultobj = SWIG_FromCharPtr((const char *)result);
5874 if (SWIG_IsTmpObj(res3)) {
5875 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg3)));
5876 } else {
>>> CID 352459: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res3 >= 0 && ...".
5877 int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
5878 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags));
5879 }
5880 return resultobj;
5881 fail:
5882 return NULL;
** CID 352458: Control flow issues (UNREACHABLE)
/drivers/block/blk-uclass.c: 580 in blk_find_next()
________________________________________________________________________________________________________
*** CID 352458: Control flow issues (UNREACHABLE)
/drivers/block/blk-uclass.c: 580 in blk_find_next()
574 int blk_find_next(enum blk_flag_t flags, struct udevice **devp)
575 {
576 int ret;
577
578 for (ret = uclass_find_next_device(devp);
579 *devp && !blk_flags_check(*devp, flags);
>>> CID 352458: Control flow issues (UNREACHABLE)
>>> Since the loop increment "ret = uclass_find_next_devi..." is unreachable, the loop body will never execute more than once.
580 ret = uclass_find_next_device(devp))
581 return 0;
582
583 return -ENODEV;
584 }
585
** CID 352457: Null pointer dereferences (FORWARD_NULL)
/drivers/net/phy/phy.c: 990 in fixed_phy_create()
________________________________________________________________________________________________________
*** CID 352457: Null pointer dereferences (FORWARD_NULL)
/drivers/net/phy/phy.c: 990 in fixed_phy_create()
984 }
985
986 phydev = phy_device_create(NULL, 0, PHY_FIXED_ID, false);
987 if (phydev)
988 phydev->node = subnode;
989
>>> CID 352457: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "phydev".
990 phydev->interface = ofnode_read_phy_mode(node);
991
992 return phydev;
993 }
994
995 static struct phy_device *phy_connect_fixed(struct mii_dev *bus,
** CID 352456: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 5996 in _wrap_fdt_get_property_by_offset()
________________________________________________________________________________________________________
*** CID 352456: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 5996 in _wrap_fdt_get_property_by_offset()
5990 resultobj = SWIG_Python_AppendOutput(resultobj, buff);
5991 }
5992 }
5993 if (SWIG_IsTmpObj(res3)) {
5994 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg3)));
5995 } else {
>>> CID 352456: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res3 >= 0 && ...".
5996 int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
5997 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags));
5998 }
5999 return resultobj;
6000 fail:
6001 return NULL;
** CID 352455: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6058 in _wrap_fdt_get_property()
________________________________________________________________________________________________________
*** CID 352455: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6058 in _wrap_fdt_get_property()
6052 resultobj = SWIG_Python_AppendOutput(resultobj, buff);
6053 }
6054 }
6055 if (SWIG_IsTmpObj(res4)) {
6056 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg4)));
6057 } else {
>>> CID 352455: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res4 >= 0 && ...".
6058 int new_flags = SWIG_IsNewObj(res4) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
6059 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg4), SWIGTYPE_p_int, new_flags));
6060 }
6061 if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
6062 return resultobj;
6063 fail:
** CID 352454: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6239 in _wrap_fdt_getprop_w()
________________________________________________________________________________________________________
*** CID 352454: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6239 in _wrap_fdt_getprop_w()
6233 arg3 = (char *)(buf3);
6234 result = (void *)fdt_getprop_w(arg1,arg2,(char const *)arg3,arg4);
6235 resultobj = SWIG_NewPointerObj(SWIG_as_voidptr(result), SWIGTYPE_p_void, 0 | 0 );
6236 if (SWIG_IsTmpObj(res4)) {
6237 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg4)));
6238 } else {
>>> CID 352454: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res4 >= 0 && ...".
6239 int new_flags = SWIG_IsNewObj(res4) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
6240 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg4), SWIGTYPE_p_int, new_flags));
6241 }
6242 if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
6243 return resultobj;
6244 fail:
** CID 352453: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6122 in _wrap_fdt_get_property_w()
________________________________________________________________________________________________________
*** CID 352453: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6122 in _wrap_fdt_get_property_w()
6116 resultobj = SWIG_Python_AppendOutput(resultobj, buff);
6117 }
6118 }
6119 if (SWIG_IsTmpObj(res4)) {
6120 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg4)));
6121 } else {
>>> CID 352453: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res4 >= 0 && ...".
6122 int new_flags = SWIG_IsNewObj(res4) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
6123 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg4), SWIGTYPE_p_int, new_flags));
6124 }
6125 if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
6126 return resultobj;
6127 fail:
** CID 352452: Memory - corruptions (OVERRUN)
/fs/erofs/fs.c: 151 in erofs_readdir()
________________________________________________________________________________________________________
*** CID 352452: Memory - corruptions (OVERRUN)
/fs/erofs/fs.c: 151 in erofs_readdir()
145
146 de = (struct erofs_dirent *)(dirs->dblk + erofs_blkoff(pos));
147 nameoff = le16_to_cpu(de->nameoff);
148 de_name = (char *)dirs->dblk + nameoff;
149
150 /* the last dirent in the block? */
>>> CID 352452: Memory - corruptions (OVERRUN)
>>> "de + 1" evaluates to an address that is at byte offset 4107 of an array of 4096 bytes.
151 if (de + 1 >= (struct erofs_dirent *)(dirs->dblk + dirs->de_end))
152 de_namelen = strnlen(de_name, dirs->maxsize - nameoff);
153 else
154 de_namelen = le16_to_cpu(de[1].nameoff) - nameoff;
155
156 /* a corrupted entry is found */
** CID 352451: Control flow issues (DEADCODE)
/boot/bootflow.c: 226 in bootflow_check()
________________________________________________________________________________________________________
*** CID 352451: Control flow issues (DEADCODE)
/boot/bootflow.c: 226 in bootflow_check()
220 if (iter->flags & BOOTFLOWF_ALL)
221 return log_msg_ret("all", ret);
222 }
223 if (ret)
224 return log_msg_ret("check", ret);
225
>>> CID 352451: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 0;".
226 return 0;
227 }
228
229 int bootflow_scan_bootdev(struct udevice *dev, struct bootflow_iter *iter,
230 int flags, struct bootflow *bflow)
231 {
** CID 352450: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 352450: (TAINTED_SCALAR)
/net/eth_common.c: 129 in eth_set_current()
123 char *ethprime = env_get("ethprime");
124 void *dev = NULL;
125
126 if (ethprime)
127 dev = eth_get_dev_by_name(ethprime);
128 if (dev)
>>> CID 352450: (TAINTED_SCALAR)
>>> Passing tainted expression "*dev->priv_" to "eth_set_dev", which uses it as an offset.
129 eth_set_dev(dev);
130 else
131 eth_set_dev(NULL);
132 } else {
133 eth_set_dev(eth_get_dev_by_name(act));
134 }
/net/eth_common.c: 129 in eth_set_current()
123 char *ethprime = env_get("ethprime");
124 void *dev = NULL;
125
126 if (ethprime)
127 dev = eth_get_dev_by_name(ethprime);
128 if (dev)
>>> CID 352450: (TAINTED_SCALAR)
>>> Passing tainted expression "*dev->parent_priv_" to "eth_set_dev", which uses it as an offset.
129 eth_set_dev(dev);
130 else
131 eth_set_dev(NULL);
132 } else {
133 eth_set_dev(eth_get_dev_by_name(act));
134 }
/net/eth_common.c: 129 in eth_set_current()
123 char *ethprime = env_get("ethprime");
124 void *dev = NULL;
125
126 if (ethprime)
127 dev = eth_get_dev_by_name(ethprime);
128 if (dev)
>>> CID 352450: (TAINTED_SCALAR)
>>> Passing tainted expression "*dev->uclass_priv_" to "eth_set_dev", which uses it as an offset.
129 eth_set_dev(dev);
130 else
131 eth_set_dev(NULL);
132 } else {
133 eth_set_dev(eth_get_dev_by_name(act));
134 }
** CID 352449: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 5542 in _wrap_fdt_get_string()
________________________________________________________________________________________________________
*** CID 352449: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 5542 in _wrap_fdt_get_string()
5536 arg2 = (int)(val2);
5537 result = (char *)fdt_get_string((void const *)arg1,arg2,arg3);
5538 resultobj = SWIG_FromCharPtr((const char *)result);
5539 if (SWIG_IsTmpObj(res3)) {
5540 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg3)));
5541 } else {
>>> CID 352449: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res3 >= 0 && ...".
5542 int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
5543 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags));
5544 }
5545 return resultobj;
5546 fail:
5547 return NULL;
** CID 352448: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4291 in _wrap_fdt_property_data_set()
________________________________________________________________________________________________________
*** CID 352448: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4291 in _wrap_fdt_property_data_set()
4285 res2 = SWIG_AsCharArray(swig_obj[1], temp2, 0);
4286 if (!SWIG_IsOK(res2)) {
4287 SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "fdt_property_data_set" "', argument " "2"" of type '" "char [0]""'");
4288 }
4289 arg2 = (char *)(temp2);
4290 if (arg2) memcpy(arg1->data,arg2,0*sizeof(char));
>>> CID 352448: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "memset(arg1->data, 0, 0UL);".
4291 else memset(arg1->data,0,0*sizeof(char));
4292 resultobj = SWIG_Py_Void();
4293 return resultobj;
4294 fail:
4295 return NULL;
4296 }
** CID 352447: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6864 in _wrap_fdt_stringlist_get()
________________________________________________________________________________________________________
*** CID 352447: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6864 in _wrap_fdt_stringlist_get()
6858 arg4 = (int)(val4);
6859 result = (char *)fdt_stringlist_get((void const *)arg1,arg2,(char const *)arg3,arg4,arg5);
6860 resultobj = SWIG_FromCharPtr((const char *)result);
6861 if (SWIG_IsTmpObj(res5)) {
6862 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg5)));
6863 } else {
>>> CID 352447: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res5 >= 0 && ...".
6864 int new_flags = SWIG_IsNewObj(res5) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
6865 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg5), SWIGTYPE_p_int, new_flags));
6866 }
6867 if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
6868 return resultobj;
6869 fail:
** CID 352446: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6185 in _wrap_fdt_getprop()
________________________________________________________________________________________________________
*** CID 352446: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6185 in _wrap_fdt_getprop()
6179 resultobj = Py_BuildValue("s#", result, *arg4);
6180 #endif
6181 }
6182 if (SWIG_IsTmpObj(res4)) {
6183 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg4)));
6184 } else {
>>> CID 352446: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res4 >= 0 && ...".
6185 int new_flags = SWIG_IsNewObj(res4) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
6186 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg4), SWIGTYPE_p_int, new_flags));
6187 }
6188 if (alloc3 == SWIG_NEWOBJ) free((char*)buf3);
6189 return resultobj;
6190 fail:
** CID 352445: Memory - illegal accesses (NO_EFFECT)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4030 in _wrap_fdt_node_header_name_set()
________________________________________________________________________________________________________
*** CID 352445: Memory - illegal accesses (NO_EFFECT)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 4030 in _wrap_fdt_node_header_name_set()
4024 res2 = SWIG_AsCharArray(swig_obj[1], temp2, 0);
4025 if (!SWIG_IsOK(res2)) {
4026 SWIG_exception_fail(SWIG_ArgError(res2), "in method '" "fdt_node_header_name_set" "', argument " "2"" of type '" "char [0]""'");
4027 }
4028 arg2 = (char *)(temp2);
4029 if (arg2) memcpy(arg1->name,arg2,0*sizeof(char));
>>> CID 352445: Memory - illegal accesses (NO_EFFECT)
>>> Calling "memset" with size 0: "memset(arg1->name, 0, 0UL)" does nothing.
4030 else memset(arg1->name,0,0*sizeof(char));
4031 resultobj = SWIG_Py_Void();
4032 return resultobj;
4033 fail:
4034 return NULL;
4035 }
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2022-03-05 18:27 Tom Rini
From: Tom Rini @ 2022-03-05 18:27 UTC (permalink / raw)
To: u-boot, Simon Glass, Stefan Roese, Pali Rohár, Heinrich Schuchardt
So I've updated to the latest tool and that's why there are so many new
defects found in old code.
----- Forwarded message from scan-admin@coverity.com -----
Date: Sat, 05 Mar 2022 17:28:09 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
43 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 43 defect(s)
** CID 350448: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350448: Insecure data handling (TAINTED_SCALAR)
/cmd/abootimg.c: 90 in abootimg_get_dtb_load_addr()
84 goto exit;
85 }
86
87 if (argc == 0)
88 printf("%lx\n", (ulong)hdr->dtb_addr);
89 else
>>> CID 350448: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "hdr->dtb_addr" to "env_set_hex", which uses it as an offset.
90 env_set_hex(argv[0], (ulong)hdr->dtb_addr);
91
92 exit:
93 unmap_sysmem(hdr);
94 return res;
95 }
** CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/nvme/nvme.c: 772 in nvme_blk_rw()
________________________________________________________________________________________________________
*** CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/nvme/nvme.c: 772 in nvme_blk_rw()
766 c.rw.prp1 = cpu_to_le64(temp_buffer);
767 c.rw.prp2 = cpu_to_le64(prp2);
768 status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q],
769 &c, NULL, IO_TIMEOUT);
770 if (status)
771 break;
>>> CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "(u32)lbas << ns->lba_shift" with type "u32" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
772 temp_len -= (u32)lbas << ns->lba_shift;
773 temp_buffer += lbas << ns->lba_shift;
774 }
775
776 if (read)
777 invalidate_dcache_range((unsigned long)buffer,
** CID 350446: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350446: (TAINTED_SCALAR)
/fs/fat/fat.c: 1016 in fat_itr_next()
1010 }
1011
1012 /* short file name */
1013 break;
1014 }
1015
>>> CID 350446: (TAINTED_SCALAR)
>>> Passing tainted expression "dent->nameext" to "get_name", which uses it as an offset.
1016 get_name(dent, itr->s_name);
1017 if (!itr->name)
1018 itr->name = itr->s_name;
1019
1020 return 1;
1021 }
** CID 350445: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350445: (TAINTED_SCALAR)
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446 fprintf(stderr, " -p N - Nth binary header image (totally: %d)\n",
2447 cur_idx - 1);
2448 return -1;
2449 }
2450 }
2451
>>> CID 350445: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "imagetool_save_subimage", which uses it as an offset.
2452 return imagetool_save_subimage(params->outfile, image, size);
2453 }
2454
2455 /*
2456 * Report Error if xflag is set in addition to default
2457 */
** CID 350444: Insecure data handling (TAINTED_SCALAR)
/boot/image-android.c: 354 in android_image_get_dtb_by_index()
________________________________________________________________________________________________________
*** CID 350444: Insecure data handling (TAINTED_SCALAR)
/boot/image-android.c: 354 in android_image_get_dtb_by_index()
348 /* Find out the address of DTB with specified index in concat blobs */
349 hdr = map_sysmem(hdr_addr, sizeof(*hdr));
350 dtb_img_size = hdr->dtb_size;
351 unmap_sysmem(hdr);
352 i = 0;
353 dtb_addr = dtb_img_addr;
>>> CID 350444: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "dtb_img_addr + dtb_img_size" as a loop boundary.
354 while (dtb_addr < dtb_img_addr + dtb_img_size) {
355 const struct fdt_header *fdt;
356 u32 dtb_size;
357
358 fdt = map_sysmem(dtb_addr, sizeof(*fdt));
359 if (fdt_check_header(fdt) != 0) {
** CID 350443: (TAINTED_SCALAR)
/drivers/nvme/nvme.c: 862 in nvme_init()
________________________________________________________________________________________________________
*** CID 350443: (TAINTED_SCALAR)
/drivers/nvme/nvme.c: 862 in nvme_init()
856 id = memalign(ndev->page_size, sizeof(struct nvme_id_ns));
857 if (!id) {
858 ret = -ENOMEM;
859 goto free_queue;
860 }
861
>>> CID 350443: (TAINTED_SCALAR)
>>> Using tainted variable "ndev->nn" as a loop boundary.
862 for (int i = 1; i <= ndev->nn; i++) {
863 struct udevice *ns_udev;
864 char name[20];
865
866 memset(id, 0, sizeof(*id));
867 if (nvme_identify(ndev, i, 0, (dma_addr_t)(long)id)) {
/drivers/nvme/nvme.c: 889 in nvme_init()
883 ret = blk_create_devicef(udev, "nvme-blk", name, IF_TYPE_NVME,
884 -1, 512, 0, &ns_udev);
885 if (ret)
886 goto free_id;
887 }
888
>>> CID 350443: (TAINTED_SCALAR)
>>> Passing tainted expression "*id" to "dlfree", which uses it as an offset.
889 free(id);
890 return 0;
891
892 free_id:
893 free(id);
894 free_queue:
/drivers/nvme/nvme.c: 893 in nvme_init()
887 }
888
889 free(id);
890 return 0;
891
892 free_id:
>>> CID 350443: (TAINTED_SCALAR)
>>> Passing tainted expression "*id" to "dlfree", which uses it as an offset.
893 free(id);
894 free_queue:
895 free((void *)ndev->queues);
896 free_nvme:
897 return ret;
898 }
** CID 350442: Memory - corruptions (OVERRUN)
/env/common.c: 103 in eth_env_set_enetaddr()
________________________________________________________________________________________________________
*** CID 350442: Memory - corruptions (OVERRUN)
/env/common.c: 103 in eth_env_set_enetaddr()
97 {
98 char buf[ARP_HLEN_ASCII + 1];
99
100 if (eth_env_get_enetaddr(name, (uint8_t *)buf))
101 return -EEXIST;
102
>>> CID 350442: Memory - corruptions (OVERRUN)
>>> "sprintf" will overrun its first argument "buf" which can accommodate 18 bytes. The number of bytes written may be 20 bytes, including the terminating null.
103 sprintf(buf, "%pM", enetaddr);
104
105 return env_set(name, buf);
106 }
107
108 /*
** CID 350441: (TAINTED_SCALAR)
/tools/ifwitool.c: 1888 in ifwi_dir_extract()
________________________________________________________________________________________________________
*** CID 350441: (TAINTED_SCALAR)
/tools/ifwitool.c: 1907 in ifwi_dir_extract()
1901
1902 DEBUG("Splicing buffer at 0x%x size 0x%x\n", s->e[i].offset,
1903 s->e[i].length);
1904 buffer_splice(&dst, &ifwi_image.subpart_buf[type], s->e[i].offset,
1905 s->e[i].length);
1906
>>> CID 350441: (TAINTED_SCALAR)
>>> Passing tainted expression "dst.size" to "buffer_write_file", which uses it as an offset.
1907 if (buffer_write_file(&dst, param.file_name))
1908 return COMMAND_ERR;
1909
1910 printf("Sub-Partition %s(%d), entry(%s) stored in %s.\n",
1911 param.subpart_name, type, param.dentry_name, param.file_name);
1912
/tools/ifwitool.c: 1888 in ifwi_dir_extract()
1882 parse_subpart_dir(&subpart_dir_buff, &ifwi_image.subpart_buf[type],
1883 subparts[type].name);
1884
1885 uint32_t i;
1886 struct subpart_dir *s = buffer_get(&subpart_dir_buff);
1887
>>> CID 350441: (TAINTED_SCALAR)
>>> Using tainted variable "s->h.num_entries" as a loop boundary.
1888 for (i = 0; i < s->h.num_entries; i++) {
1889 if (!strncmp((char *)s->e[i].name, param.dentry_name,
1890 sizeof(s->e[i].name)))
1891 break;
1892 }
1893
** CID 350440: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 350440: Memory - corruptions (OVERRUN)
/drivers/block/ide.c: 615 in ide_ident()
609 #endif
610
611 ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS);
612
613 ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev,
614 sizeof(dev_desc->revision));
>>> CID 350440: Memory - corruptions (OVERRUN)
>>> Overrunning array "iop.model" of 40 bytes by passing it to a function which accesses it at byte offset 40 using argument "41U".
615 ident_cpy((unsigned char *)dev_desc->vendor, iop.model,
616 sizeof(dev_desc->vendor));
617 ident_cpy((unsigned char *)dev_desc->product, iop.serial_no,
618 sizeof(dev_desc->product));
619
620 if ((iop.config & 0x0080) == 0x0080)
** CID 350439: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350439: Insecure data handling (TAINTED_SCALAR)
/disk/part_efi.c: 257 in part_print_efi()
251 printf("\ttype:\t%pUl\n", uuid);
252 uuid = (unsigned char *)gpt_pte[i].unique_partition_guid.b;
253 printf("\tguid:\t%pUl\n", uuid);
254 }
255
256 /* Remember to free pte */
>>> CID 350439: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an offset.
257 free(gpt_pte);
258 return;
259 }
260
261 int part_get_info_efi(struct blk_desc *dev_desc, int part,
262 struct disk_partition *info)
** CID 350438: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350438: (TAINTED_SCALAR)
/disk/part_efi.c: 281 in part_get_info_efi()
275 return -1;
276
277 if (part > le32_to_cpu(gpt_head->num_partition_entries) ||
278 !is_pte_valid(&gpt_pte[part - 1])) {
279 debug("%s: *** ERROR: Invalid partition number %d ***\n",
280 __func__, part);
>>> CID 350438: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an offset.
281 free(gpt_pte);
282 return -1;
283 }
284
285 /* The 'lbaint_t' casting may limit the maximum disk size to 2 TB */
286 info->start = (lbaint_t)le64_to_cpu(gpt_pte[part - 1].starting_lba);
/disk/part_efi.c: 309 in part_get_info_efi()
303 #endif
304
305 debug("%s: start 0x" LBAF ", size 0x" LBAF ", name %s\n", __func__,
306 info->start, info->size, info->name);
307
308 /* Remember to free pte */
>>> CID 350438: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an offset.
309 free(gpt_pte);
310 return 0;
311 }
312
313 static int part_test_efi(struct blk_desc *dev_desc)
314 {
** CID 350437: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350437: Insecure data handling (TAINTED_SCALAR)
/disk/part_efi.c: 687 in gpt_verify_headers()
681 printf("%s: *** ERROR: Invalid GPT ***\n",
682 __func__);
683 return -1;
684 }
685
686 /* Free pte before allocating again */
>>> CID 350437: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "**gpt_pte" to "dlfree", which uses it as an offset.
687 free(*gpt_pte);
688
689 /*
690 * Check that the alternate_lba entry points to the last LBA
691 */
692 if (le64_to_cpu(gpt_head->alternate_lba) != (dev_desc->lba - 1)) {
** CID 350436: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer()
________________________________________________________________________________________________________
*** CID 350436: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer()
1450 offset = fix_member(&h->ifwi_version, offset, sizeof(h->ifwi_version));
1451 offset = fix_member(&h->fit_tool_version, offset,
1452 sizeof(h->fit_tool_version));
1453
1454 uint32_t i;
1455
>>> CID 350436: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1456 for (i = 0; i < count; i++) {
1457 offset = fix_member(&e[i].type, offset, sizeof(e[i].type));
1458 offset = fix_member(&e[i].flags, offset, sizeof(e[i].flags));
1459 offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset));
1460 offset = fix_member(&e[i].size, offset, sizeof(e[i].size));
1461 }
** CID 350435: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350435: Insecure data handling (TAINTED_SCALAR)
/cmd/extension_board.c: 56 in extension_apply()
50
51 blob = map_sysmem(overlay_addr, 0);
52 if (!fdt_valid(&blob))
53 return CMD_RET_FAILURE;
54
55 /* apply method prints messages on error */
>>> CID 350435: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*blob" to "fdt_overlay_apply_verbose", which uses it as an offset.
56 if (fdt_overlay_apply_verbose(working_fdt, blob))
57 return CMD_RET_FAILURE;
58
59 return CMD_RET_SUCCESS;
60 }
61
** CID 350434: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 350434: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_device_path_to_text.c: 435 in efi_convert_device_path_to_text()
429 str = efi_convert_single_device_node_to_text(
430 str, device_path);
431 }
432 *(u8 **)&device_path += device_path->length;
433 }
434
>>> CID 350434: Uninitialized variables (UNINIT)
>>> Using uninitialized value "*buffer" when calling "efi_str_to_u16".
435 text = efi_str_to_u16(buffer);
436
437 out:
438 EFI_EXIT(EFI_SUCCESS);
439 return text;
440 }
** CID 350433: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 350433: Memory - corruptions (OVERRUN)
/drivers/block/ide.c: 613 in ide_ident()
607 if (retries == 2) /* Not found */
608 return;
609 #endif
610
611 ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS);
612
>>> CID 350433: Memory - corruptions (OVERRUN)
>>> Overrunning array "iop.fw_rev" of 8 bytes by passing it to a function which accesses it at byte offset 8 using argument "9U".
613 ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev,
614 sizeof(dev_desc->revision));
615 ident_cpy((unsigned char *)dev_desc->vendor, iop.model,
616 sizeof(dev_desc->vendor));
617 ident_cpy((unsigned char *)dev_desc->product, iop.serial_no,
618 sizeof(dev_desc->product));
** CID 350432: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350432: (TAINTED_SCALAR)
/cmd/gpt.c: 650 in gpt_verify()
644 /* Check partition layout with provided pattern */
645 ret = gpt_verify_partitions(blk_dev_desc, partitions, part_count,
646 gpt_head, &gpt_pte);
647 free(str_disk_guid);
648 free(partitions);
649 out:
>>> CID 350432: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an offset.
650 free(gpt_pte);
651 return ret;
652 }
653
654 /**
655 * gpt_enumerate() - Enumerate partition names into environment variable.
** CID 350431: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350431: (TAINTED_SCALAR)
/tools/ifwitool.c: 1974 in ifwi_print()
1968
1969 bpdt_print_header(&b->h, "BPDT");
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->h.descriptor_count" to "bpdt_print_entries", which uses it as a loop boundary.
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
1976 if (param.dir_ops == 0) {
1977 verbose -= 2;
1978 return NO_ACTION_REQUIRED;
1979 }
/tools/ifwitool.c: 1970 in ifwi_print()
1964 {
1965 verbose += 2;
1966
1967 struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1968
1969 bpdt_print_header(&b->h, "BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->h.descriptor_count" to "bpdt_print_entries", which uses it as a loop boundary.
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
/tools/ifwitool.c: 1989 in ifwi_print()
1983
1984 for (i = 0; i < MAX_SUBPARTS ; i++) {
1985 if (!(subparts[i].attr & CONTAINS_DIR) ||
1986 (buffer_size(&ifwi_image.subpart_buf[i]) == 0))
1987 continue;
1988
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "*subpart_dir_buf.data" to "parse_subpart_dir", which uses it as a loop boundary.
1989 parse_subpart_dir(&subpart_dir_buf, &ifwi_image.subpart_buf[i],
1990 subparts[i].name);
1991 buffer_delete(&subpart_dir_buf);
1992 }
1993
1994 verbose -= 2;
/tools/ifwitool.c: 1970 in ifwi_print()
1964 {
1965 verbose += 2;
1966
1967 struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1968
1969 bpdt_print_header(&b->h, "BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->e[0].type" to "bpdt_print_entries", which uses it as an offset.
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
/tools/ifwitool.c: 1974 in ifwi_print()
1968
1969 bpdt_print_header(&b->h, "BPDT");
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->e[0].type" to "bpdt_print_entries", which uses it as an offset.
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
1976 if (param.dir_ops == 0) {
1977 verbose -= 2;
1978 return NO_ACTION_REQUIRED;
1979 }
** CID 350430: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350430: Insecure data handling (TAINTED_SCALAR)
/disk/part_efi.c: 1072 in alloc_read_gpt_entries()
1066
1067 /* Read GPT Entries from device */
1068 blk = le64_to_cpu(pgpt_head->partition_entry_lba);
1069 blk_cnt = BLOCK_CNT(count, dev_desc);
1070 if (blk_dread(dev_desc, blk, (lbaint_t)blk_cnt, pte) != blk_cnt) {
1071 printf("*** ERROR: Can't read GPT Entries ***\n");
>>> CID 350430: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*pte" to "dlfree", which uses it as an offset.
1072 free(pte);
1073 return NULL;
1074 }
1075 return pte;
1076 }
1077
** CID 350429: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer()
________________________________________________________________________________________________________
*** CID 350429: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer()
1665 sizeof(h->header_length));
1666 offset = fix_member(&h->checksum, offset, sizeof(h->checksum));
1667 offset += sizeof(h->name);
1668
1669 uint32_t i;
1670
>>> CID 350429: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1671 for (i = 0; i < count; i++) {
1672 offset += sizeof(e[i].name);
1673 offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset));
1674 offset = fix_member(&e[i].length, offset, sizeof(e[i].length));
1675 offset = fix_member(&e[i].rsvd, offset, sizeof(e[i].rsvd));
1676 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DGKvW_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwibvgJK-2BuYN7whAG3Emw0bQHn1Oa8Pcu5zkc9xjCGLkZ-2BEFifG0kw14m6L3JHaODpHs3zvdstJCbcIrf3zAfeJAJpnLuNKaD25DMT20lk8wd23-2FKhn6sgueK1Gl-2F0NAhAGzLJwzuClWIrLkqo2p6t1WFg-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DDVrT_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwib75SfFPYaKzdACS1Z9ToCtOsih-2BMTLyAxlDzAd-2FLeYHYEN1IK1-2Fbn-2FLcv9ogc83QsLVvCuIi9jVi1nxPXJ7JAS96hMH2EUN-2FLKJO15sWXsEMyXEZiSQMhnxAEbzlEnt5Ya7usI0bf1TIUf2uxUNF2bQ-3D-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2022-02-15 19:29 Tom Rini
From: Tom Rini @ 2022-02-15 19:29 UTC
To: u-boot, Zhang Ning, AKASHI Takahiro
Hey all,
Here's the latest report.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 14 Feb 2022 22:13:51 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 348361: Code maintainability issues (SIZEOF_MISMATCH)
/boot/pxe_utils.c: 369 in label_boot_kaslrseed()
________________________________________________________________________________________________________
*** CID 348361: Code maintainability issues (SIZEOF_MISMATCH)
/boot/pxe_utils.c: 369 in label_boot_kaslrseed()
363
364 if (dm_rng_read(dev, buf, n)) {
365 printf("Reading RNG failed\n");
366 goto err;
367 }
368
>>> CID 348361: Code maintainability issues (SIZEOF_MISMATCH)
>>> Passing argument "buf" of type "u64 *" and argument "8 /* sizeof (buf) */" to function "fdt_setprop" is suspicious. In this case, "sizeof (u64 *)" is equal to "sizeof (u64)", but this is not a portable assumption.
369 err = fdt_setprop(working_fdt, nodeoffset, "kaslr-seed", buf, sizeof(buf));
370 if (err < 0) {
371 printf("Unable to set kaslr-seed on chosen node: %s\n", fdt_strerror(err));
372 goto err;
373 }
374 err:
** CID 348360: Control flow issues (DEADCODE)
/tools/mkeficapsule.c: 216 in create_auth_data()
________________________________________________________________________________________________________
*** CID 348360: Control flow issues (DEADCODE)
/tools/mkeficapsule.c: 216 in create_auth_data()
210 cert.size = file_size;
211
212 ret = read_bin_file(ctx->key_file, &key.data, &file_size);
213 if (ret < 0)
214 return -1;
215 if (ret < 0)
>>> CID 348360: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -1;".
216 return -1;
217 if (file_size > UINT_MAX)
218 return -1;
219 key.size = file_size;
220
221 /*
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzatU_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtBG6gUqymbLeHiLUZdYE-2BnFbf8zeujozu1RicmnClG68TkQz5O-2BGjs-2FiSUi9SbNlD0ZKYuwGCOtzzhPrzmz3aE-2FGoy8IfPEIkNIW63Gi9NpdMUS9Ikumb8oIFeDys4nJ5vGaorBAY9O9ON-2BXS4h6-2FgOrRT3qYLv0G399O590I1aQ-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3D4FDW_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtBG6gUqymbLeHiLUZdYE-2BnFhYoNq9mQGL-2FVdQFZIqeIZwliLES0HECBswlH590ugIExPr3PyN1Y4w0WO5KtHGXAw8STt9dOWWhzHpyUYpWpEhXNMVJaJpaycREp8UUQddEItpr1JHWiHxEXRzVxzJv5pVvnvWo1MNlxWMr7wY67Q-3D-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2022-02-01 0:33 Tom Rini
From: Tom Rini @ 2022-02-01 0:33 UTC
To: u-boot, Ilias Apalodimas, Heinrich Schuchardt, Simon Glass,
AKASHI Takahiro
Hey folks,
Here's the latest report and I think some of these are new tests rather
than new code.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 31 Jan 2022 23:09:01 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 new defect(s) introduced to Das U-Boot found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)
** CID 345920: API usage errors (CHAR_IO)
/tools/bmp_logo.c: 165 in main()
________________________________________________________________________________________________________
*** CID 345920: API usage errors (CHAR_IO)
/tools/bmp_logo.c: 165 in main()
159 "#define __BMP_LOGO_DATA_H__\n\n");
160
161 /* read and print the palette information */
162 printf("unsigned short bmp_logo_palette[] = {\n");
163
164 for (i=0; i<n_colors; ++i) {
>>> CID 345920: API usage errors (CHAR_IO)
>>> Assigning the return value of "fgetc" to char "b->palette[(int)(i * 3 + 2)]" truncates its value.
165 b->palette[(int)(i*3+2)] = fgetc(fp);
166 b->palette[(int)(i*3+1)] = fgetc(fp);
167 b->palette[(int)(i*3+0)] = fgetc(fp);
168 x=fgetc(fp);
169
170 printf ("%s0x0%X%X%X,%s",
** CID 345919: Resource leaks (RESOURCE_LEAK)
/tools/image-host.c: 969 in fit_config_get_regions()
________________________________________________________________________________________________________
*** CID 345919: Resource leaks (RESOURCE_LEAK)
/tools/image-host.c: 969 in fit_config_get_regions()
963 len += strlen(node_inc.strings[i]) + 1;
964 }
965 region_prop = malloc(len);
966 if (!region_prop) {
967 printf("Out of memory setting up regions for configuration '%s/%s'\n",
968 conf_name, sig_name);
>>> CID 345919: Resource leaks (RESOURCE_LEAK)
>>> Variable "region" going out of scope leaks the storage it points to.
969 return -ENOMEM;
970 }
971 for (i = len = 0; i < node_inc.count;
972 len += strlen(node_inc.strings[i]) + 1, i++)
973 strcpy(region_prop + len, node_inc.strings[i]);
974 strlist_free(&node_inc);
** CID 345918: Error handling issues (CHECKED_RETURN)
/tools/bmp_logo.c: 41 in skip_bytes()
________________________________________________________________________________________________________
*** CID 345918: Error handling issues (CHECKED_RETURN)
/tools/bmp_logo.c: 41 in skip_bytes()
35 return val;
36 }
37
38 void skip_bytes (FILE *fp, int n)
39 {
40 while (n-- > 0)
>>> CID 345918: Error handling issues (CHECKED_RETURN)
>>> Calling "fgetc(fp)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
41 fgetc (fp);
42 }
43
44 __attribute__ ((__noreturn__))
45 int error (char * msg, FILE *fp)
46 {
** CID 345917: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 121 in read_bin_file()
________________________________________________________________________________________________________
*** CID 345917: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 121 in read_bin_file()
115
116 *data = buf;
117 *bin_size = bin_stat.st_size;
118 err:
119 fclose(g);
120
>>> CID 345917: Resource leaks (RESOURCE_LEAK)
>>> Variable "buf" going out of scope leaks the storage it points to.
121 return ret;
122 }
123
124 /**
125 * write_capsule_file - write a capsule file
126 * @bin: FILE stream
** CID 345916: Code maintainability issues (UNUSED_VALUE)
/tools/bmp_logo.c: 168 in main()
________________________________________________________________________________________________________
*** CID 345916: Code maintainability issues (UNUSED_VALUE)
/tools/bmp_logo.c: 168 in main()
162 printf("unsigned short bmp_logo_palette[] = {\n");
163
164 for (i=0; i<n_colors; ++i) {
165 b->palette[(int)(i*3+2)] = fgetc(fp);
166 b->palette[(int)(i*3+1)] = fgetc(fp);
167 b->palette[(int)(i*3+0)] = fgetc(fp);
>>> CID 345916: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "fgetc(fp)" to "x" here, but that stored value is overwritten before it can be used.
168 x=fgetc(fp);
169
170 printf ("%s0x0%X%X%X,%s",
171 ((i%8) == 0) ? "\t" : " ",
172 (b->palette[(int)(i*3+0)] >> 4) & 0x0F,
173 (b->palette[(int)(i*3+1)] >> 4) & 0x0F,
** CID 345915: Control flow issues (NO_EFFECT)
/lib/image-sparse.c: 214 in write_sparse_image()
________________________________________________________________________________________________________
*** CID 345915: Control flow issues (NO_EFFECT)
/lib/image-sparse.c: 214 in write_sparse_image()
208 response);
209 return -1;
210 }
211
212 blks = write_sparse_chunk_raw(info, blk, blkcnt,
213 data, response);
>>> CID 345915: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "blks < 0UL".
214 if (blks < 0)
215 return -1;
216
217 blk += blks;
218 bytes_written += ((u64)blkcnt) * info->blksz;
219 total_blocks += chunk_header->chunk_sz;
** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/tools/mkeficapsule.c: 96 in read_bin_file()
________________________________________________________________________________________________________
*** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/tools/mkeficapsule.c: 96 in read_bin_file()
90 }
91 if (stat(bin, &bin_stat) < 0) {
92 fprintf(stderr, "cannot determine the size of %s\n", bin);
93 ret = -1;
94 goto err;
95 }
>>> CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "bin_stat.st_size > 18446744073709551615UL" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
96 if (bin_stat.st_size > SIZE_MAX) {
97 fprintf(stderr, "file size is too large for malloc: %s\n", bin);
98 ret = -1;
99 goto err;
100 }
101 buf = malloc(bin_stat.st_size);
** CID 345913: (TAINTED_SCALAR)
/drivers/core/ofnode.c: 477 in ofnode_read_string_list()
________________________________________________________________________________________________________
*** CID 345913: (TAINTED_SCALAR)
/drivers/core/ofnode.c: 473 in ofnode_read_string_list()
467 count = ofnode_read_string_count(node, property);
468 if (count < 0)
469 return count;
470 if (!count)
471 return 0;
472
>>> CID 345913: (TAINTED_SCALAR)
>>> Passing tainted expression "count + 1" to "dlcalloc", which uses it as an offset.
473 prop = calloc(count + 1, sizeof(char *));
474 if (!prop)
475 return -ENOMEM;
476
477 for (i = 0; i < count; i++)
478 ofnode_read_string_index(node, property, i, &prop[i]);
/drivers/core/ofnode.c: 477 in ofnode_read_string_list()
471 return 0;
472
473 prop = calloc(count + 1, sizeof(char *));
474 if (!prop)
475 return -ENOMEM;
476
>>> CID 345913: (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
477 for (i = 0; i < count; i++)
478 ofnode_read_string_index(node, property, i, &prop[i]);
479 prop[count] = NULL;
480 *listp = prop;
481
482 return count;
** CID 345912: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest()
________________________________________________________________________________________________________
*** CID 345912: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest()
226 sig_data = sig_data->next) {
227 #ifdef DEBUG
228 EFI_PRINT("Msg digest in database:\n");
229 print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1,
230 sig_data->data, sig_data->size, false);
231 #endif
>>> CID 345912: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "hash" to "memcmp", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
232 if (sig_data->size == size &&
233 !memcmp(sig_data->data, hash, size)) {
234 found = true;
235 free(hash);
236 goto out;
237 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DDKue_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuSTR0FmiqU27GON2I9OwY5WGDhGm0B966wHcuXU1-2FAw3I1WyHwNMgtGMOCa3zfgzO3mwIYqjUojcuMoMoDYdcvewXSwAEhrjnoEUuW1P7jZMkKegPKNElHEFXfD5RSxi9z9qHMwR-2BQoDabuhKt6QcxRUxX6HfnI4Rx23wgFEhKyA-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Dt4lb_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuSTR0FmiqU27GON2I9OwY5iQ6QEKvvgo3kbcKQQzCeMzyYZUUiCCaPfKKIlYQsIBBmoj-2F-2F-2FVcReszYTf2sW-2Fwd1PrbdSELsWk-2FBSCGTEz-2B3dJauXj8pwgVdMYO3Z-2B05o5wBxdS6CNyX1ZFmrg4ubeFG97RpOh-2Fk-2FvV3V-2F9EveHkw-3D-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-11-15 18:02 Tom Rini
From: Tom Rini @ 2021-11-15 18:02 UTC (permalink / raw)
To: u-boot, Simon Glass
Now I'm not 100% sure if this is actually new or due to the code moving,
since there's a new helper function involved, and I also know I had to
hand-merge this section due to the zboot related changes.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 15 Nov 2021 17:10:36 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 131256: Security best practices violations (STRING_OVERFLOW)
/boot/pxe_utils.c: 468 in label_boot()
________________________________________________________________________________________________________
*** CID 131256: Security best practices violations (STRING_OVERFLOW)
/boot/pxe_utils.c: 468 in label_boot()
462 printf("Skipping %s for failure retrieving initrd\n",
463 label->name);
464 return 1;
465 }
466
467 initrd_addr_str = env_get("ramdisk_addr_r");
>>> CID 131256: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 10-character fixed-size string "initrd_filesize" by copying the return value of "simple_xtoa" without checking the length.
468 strcpy(initrd_filesize, simple_xtoa(size));
469
470 strncpy(initrd_str, initrd_addr_str, 18);
471 strcat(initrd_str, ":");
472 strncat(initrd_str, initrd_filesize, 9);
473 }
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-11-02 16:22 Tom Rini
From: Tom Rini @ 2021-11-02 16:22 UTC (permalink / raw)
To: u-boot
There's a whole lot of new defects here because I noticed yesterday that
there was a new stable version of the scanner, after running yesterday's
normal post-RC scan. So here's a new scan done on current master.
----- Forwarded message from scan-admin@coverity.com -----
Date: Tue, 02 Nov 2021 15:55:16 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
80 new defect(s) introduced to Das U-Boot found with Coverity Scan.
25 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 80 defect(s)
** CID 340915: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340915: (TAINTED_SCALAR)
/drivers/input/key_matrix.c: 166 in key_matrix_decode_fdt()
160
161 prop = dev_read_prop(dev, "linux,fn-keymap", &proplen);
162 /* fn keymap is optional */
163 if (!prop)
164 goto done;
165
>>> CID 340915: (TAINTED_SCALAR)
>>> Passing tainted expression "proplen" to "create_keymap", which uses it as a loop boundary.
166 config->fn_keycode = create_keymap(config, prop, proplen, -1, NULL);
167 /* Conversion error -> fail */
168 if (!config->fn_keycode) {
169 free(plain_keycode);
170 return -1;
171 }
/drivers/input/key_matrix.c: 154 in key_matrix_decode_fdt()
148 /* Basic keymap is required */
149 if (!prop) {
150 debug("%s: cannot find keycode-plain map\n", __func__);
151 return -1;
152 }
153
>>> CID 340915: (TAINTED_SCALAR)
>>> Passing tainted expression "proplen" to "create_keymap", which uses it as a loop boundary.
154 plain_keycode = create_keymap(config, prop, proplen, KEY_FN,
155 &config->fn_pos);
156 config->plain_keycode = plain_keycode;
157 /* Conversion error -> fail */
158 if (!config->plain_keycode)
159 return -1;
** CID 340914: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340914: (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->size_dt_strings" to "fdt_open_into", which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->totalsize" to "fdt_open_into", which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 34 in state_ensure_space()
28 size = fdt_totalsize(blob);
29 free_bytes = size - used;
30 if (free_bytes > extra_size)
31 return 0;
32
33 size = used + extra_size;
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "os_malloc", which uses it as an offset.
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->size_dt_struct" to "fdt_open_into", which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 44 in state_ensure_space()
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "*blob" to "os_free", which uses it as an offset.
44 os_free(blob);
45 state->state_fdt = buf;
46 return 0;
47 }
48
49 static int state_read_file(struct sandbox_state *state, const char *fname)
** CID 340913: Uninitialized variables (UNINIT)
/lib/gunzip.c: 298 in zunzip()
________________________________________________________________________________________________________
*** CID 340913: Uninitialized variables (UNINIT)
/lib/gunzip.c: 298 in zunzip()
292 }
293 s.next_in = src + offset;
294 s.avail_in = *lenp - offset;
295 s.next_out = dst;
296 s.avail_out = dstlen;
297 do {
>>> CID 340913: Uninitialized variables (UNINIT)
>>> Using uninitialized value "s.total_out" when calling "inflate". [Note: The source code implementation of the function has been overridden by a builtin model.]
298 r = inflate(&s, Z_FINISH);
299 if (stoponerr == 1 && r != Z_STREAM_END &&
300 (s.avail_in == 0 || s.avail_out == 0 || r != Z_BUF_ERROR)) {
301 printf("Error: inflate() returned %d\n", r);
302 err = -1;
303 break;
** CID 340912: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340912: (TAINTED_SCALAR)
/lib/efi_loader/efi_variable.c: 191 in efi_variable_authenticate()
185 ret = EFI_SUCCESS;
186
187 err:
188 efi_sigstore_free(truststore);
189 efi_sigstore_free(truststore2);
190 pkcs7_free_message(var_sig);
>>> CID 340912: (TAINTED_SCALAR)
>>> Passing tainted expression "*ebuf" to "dlfree", which uses it as an offset.
191 free(ebuf);
192 free(regs);
193
194 return ret;
195 }
196 #else
/lib/efi_loader/efi_variable.c: 133 in efi_variable_authenticate()
127
128 /* variable's signature list */
129 if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
130 goto err;
131
132 /* ebuf should be kept valid during the authentication */
>>> CID 340912: (TAINTED_SCALAR)
>>> Passing tainted expression "auth->auth_info.cert_data" to "efi_parse_pkcs7_header", which uses it as an offset.
133 var_sig = efi_parse_pkcs7_header(auth->auth_info.cert_data,
134 auth->auth_info.hdr.dwLength
135 - sizeof(auth->auth_info),
136 &ebuf);
137 if (!var_sig) {
138 EFI_PRINT("Parsing variable's signature failed\n");
** CID 340910: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340910: (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 284 in sandbox_write_state()
278
279 if (ret == -EIO) {
280 printf("Could not write sandbox state\n");
281 goto err_create;
282 }
283
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "state->state_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
284 ret = fdt_pack(state->state_fdt);
285 if (ret < 0) {
286 printf("Cannot pack state FDT: %s\n", fdt_strerror(ret));
287 ret = -EINVAL;
288 goto err_create;
289 }
/arch/sandbox/cpu/state.c: 311 in sandbox_write_state()
305 got_err ? " (with errors)" : "");
306
307 return 0;
308 err_write:
309 os_close(fd);
310 err_create:
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "*state->state_fdt" to "os_free", which uses it as an offset.
311 os_free(state->state_fdt);
312
313 return ret;
314 }
315
316 int state_setprop(int node, const char *prop_name, const void *data, int size)
/arch/sandbox/cpu/state.c: 284 in sandbox_write_state()
278
279 if (ret == -EIO) {
280 printf("Could not write sandbox state\n");
281 goto err_create;
282 }
283
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "state->state_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
284 ret = fdt_pack(state->state_fdt);
285 if (ret < 0) {
286 printf("Cannot pack state FDT: %s\n", fdt_strerror(ret));
287 ret = -EINVAL;
288 goto err_create;
289 }
** CID 340909: Uninitialized variables (UNINIT)
/lib/gunzip.c: 226 in gzwrite()
________________________________________________________________________________________________________
*** CID 340909: Uninitialized variables (UNINIT)
/lib/gunzip.c: 226 in gzwrite()
220 unsigned long blocks_written;
221 int numfilled;
222 lbaint_t writeblocks;
223
224 s.avail_out = szwritebuf;
225 s.next_out = writebuf;
>>> CID 340909: Uninitialized variables (UNINIT)
>>> Using uninitialized value "s.total_out" when calling "inflate". [Note: The source code implementation of the function has been overridden by a builtin model.]
226 r = inflate(&s, Z_SYNC_FLUSH);
227 if ((r != Z_OK) &&
228 (r != Z_STREAM_END)) {
229 printf("Error: inflate() returned %d\n", r);
230 goto out;
231 }
** CID 340908: Insecure data handling (TAINTED_SCALAR)
/common/board_f.c: 627 in reloc_fdt()
________________________________________________________________________________________________________
*** CID 340908: Insecure data handling (TAINTED_SCALAR)
/common/board_f.c: 627 in reloc_fdt()
621 static int reloc_fdt(void)
622 {
623 if (!IS_ENABLED(CONFIG_OF_EMBED)) {
624 if (gd->flags & GD_FLG_SKIP_RELOC)
625 return 0;
626 if (gd->new_fdt) {
>>> CID 340908: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "__fswab32((__u32)(__be32)((struct fdt_header const *)gd->fdt_blob)->totalsize)" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
627 memcpy(gd->new_fdt, gd->fdt_blob,
628 fdt_totalsize(gd->fdt_blob));
629 gd->fdt_blob = gd->new_fdt;
630 }
631 }
632
** CID 340907: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340907: Insecure data handling (TAINTED_SCALAR)
/cmd/fdt.c: 59 in fdt_value_env_set()
53 if (is_printable_string(nodep, len))
54 env_set(var, (void *)nodep);
55 else if (len == 4) {
56 char buf[11];
57
58 sprintf(buf, "0x%08X", fdt32_to_cpu(*(fdt32_t *)nodep));
>>> CID 340907: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "buf" to "env_set", which uses it as an offset.
59 env_set(var, buf);
60 } else if (len%4 == 0 && len <= 20) {
61 /* Needed to print things like sha1 hashes. */
62 char buf[41];
63 int i;
64
** CID 340906: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
________________________________________________________________________________________________________
*** CID 340906: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
1053 break;
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
>>> CID 340906: (TAINTED_SCALAR)
>>> Passing tainted expression "dirs->entry->name_size + 1" to "strncpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
>>> CID 340906: (TAINTED_SCALAR)
>>> Using tainted variable "dirs->entry->name_size + 1" as an index into an array "dent->name".
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
1065 /* Decrement size to be read */
** CID 340905: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/checks.c: 1163 in check_property_phandle_args()
________________________________________________________________________________________________________
*** CID 340905: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/checks.c: 1163 in check_property_phandle_args()
1157 FAIL_PROP(c, dti, node, prop,
1158 "property size (%d) is invalid, expected multiple of %zu",
1159 prop->val.len, sizeof(cell_t));
1160 return;
1161 }
1162
>>> CID 340905: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "cell" as a loop boundary.
1163 for (cell = 0; cell < prop->val.len / sizeof(cell_t); cell += cellsize + 1) {
1164 struct node *provider_node;
1165 struct property *cellprop;
1166 int phandle;
1167
1168 phandle = propval_cell_n(prop, cell);
** CID 340904: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340904: (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 580 in update_descriptor_block()
574
575 jdb.h_blocktype = cpu_to_be32(EXT3_JOURNAL_DESCRIPTOR_BLOCK);
576 jdb.h_magic = cpu_to_be32(EXT3_JOURNAL_MAGIC_NUMBER);
577 jdb.h_sequence = jsb->s_sequence;
578 buf = zalloc(fs->blksz);
579 if (!buf) {
>>> CID 340904: (TAINTED_SCALAR)
>>> Passing tainted expression "*temp_buff" to "dlfree", which uses it as an offset.
580 free(temp_buff);
581 return;
582 }
583 temp = buf;
584 memcpy(buf, &jdb, sizeof(struct journal_header_t));
585 temp += sizeof(struct journal_header_t);
/fs/ext4/ext4_journal.c: 603 in update_descriptor_block()
597 tag.block = cpu_to_be32(journal_ptr[--i]->blknr);
598 tag.flags = cpu_to_be32(EXT3_JOURNAL_FLAG_LAST_TAG);
599 memcpy(temp - sizeof(struct ext3_journal_block_tag), &tag,
600 sizeof(struct ext3_journal_block_tag));
601 put_ext4((uint64_t) ((uint64_t)blknr * (uint64_t)fs->blksz), buf, (uint32_t) fs->blksz);
602
>>> CID 340904: (TAINTED_SCALAR)
>>> Passing tainted expression "*temp_buff" to "dlfree", which uses it as an offset.
603 free(temp_buff);
604 free(buf);
605 }
606
607 static void update_commit_block(long int blknr)
608 {
** CID 340903: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340903: Insecure data handling (TAINTED_SCALAR)
/fs/btrfs/disk-io.c: 1036 in open_ctree_fs_info()
1030 fs_info->stripesize = btrfs_super_stripesize(disk_super);
1031
1032 ret = btrfs_check_fs_compatibility(fs_info->super_copy);
1033 if (ret)
1034 goto out_devices;
1035
>>> CID 340903: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "fs_info->nodesize" to "btrfs_setup_chunk_tree_and_device_map", which uses it as an offset.
1036 ret = btrfs_setup_chunk_tree_and_device_map(fs_info);
1037 if (ret)
1038 goto out_chunk;
1039
1040 /* Chunk tree root is unable to read, return directly */
1041 if (!fs_info->chunk_root)
** CID 340902: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340902: (TAINTED_SCALAR)
/common/fdt_support.c: 1784 in fdt_read_range()
1778
1779 /* Jump to the n'th entry */
1780 cell = n * (pacells + acells + scells);
1781
1782 /* Read <child address> */
1783 if (child_addr) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as an offset.
1784 r = fdt_read_prop(ranges, ranges_len, cell, child_addr,
1785 acells);
1786 if (r)
1787 return r;
1788 }
1789 cell += acells;
/common/fdt_support.c: 1798 in fdt_read_range()
1792 if (addr)
1793 *addr = fdt_translate_address(fdt, node, ranges + cell);
1794 cell += pacells;
1795
1796 /* Read <size in child address space> */
1797 if (len) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as an offset.
1798 r = fdt_read_prop(ranges, ranges_len, cell, len, scells);
1799 if (r)
1800 return r;
1801 }
1802
1803 return 0;
** CID 340901: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340901: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_overlay.c: 643 in overlay_merge()
637 return overlay;
638
639 target = overlay_get_target(fdt, fdto, fragment, NULL);
640 if (target < 0)
641 return target;
642
>>> CID 340901: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "target" to "overlay_apply_node", which uses it as a loop boundary.
643 ret = overlay_apply_node(fdt, target, fdto, overlay);
644 if (ret)
645 return ret;
646 }
647
648 return 0;
** CID 340900: Error handling issues (NEGATIVE_RETURNS)
/fs/btrfs/inode.c: 644 in read_and_truncate_page()
________________________________________________________________________________________________________
*** CID 340900: Error handling issues (NEGATIVE_RETURNS)
/fs/btrfs/inode.c: 644 in read_and_truncate_page()
638 if (!buf)
639 return -ENOMEM;
640
641 extent_type = btrfs_file_extent_type(leaf, fi);
642 if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
643 ret = btrfs_read_extent_inline(path, fi, buf);
>>> CID 340900: Error handling issues (NEGATIVE_RETURNS)
>>> "({...; (_min1 < _min2) ? _min1 : _min2;})" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
644 memcpy(dest, buf + page_off, min(page_len, ret));
645 free(buf);
646 return len;
647 }
648
649 ret = btrfs_read_extent_reg(path, fi,
** CID 340899: Insecure data handling (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 219 in print_revoke_blks()
________________________________________________________________________________________________________
*** CID 340899: Insecure data handling (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 219 in print_revoke_blks()
213
214 header = (struct journal_revoke_header_t *) revk_blk;
215 offset = sizeof(struct journal_revoke_header_t);
216 max = be32_to_cpu(header->r_count);
217 printf("total bytes %d\n", max);
218
>>> CID 340899: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "max" as a loop boundary.
219 while (offset < max) {
220 blocknr = be32_to_cpu(*((__be32 *)(revk_blk + offset)));
221 printf("revoke blknr is %ld\n", blocknr);
222 offset += 4;
223 }
224 }
** CID 340898: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2667 in efi_uninstall_multiple_protocol_interfaces()
________________________________________________________________________________________________________
*** CID 340898: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2667 in efi_uninstall_multiple_protocol_interfaces()
2661 efi_status_t r = EFI_SUCCESS;
2662 size_t i = 0;
2663
2664 if (!handle)
2665 return EFI_EXIT(EFI_INVALID_PARAMETER);
2666
>>> CID 340898: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2667 efi_va_start(argptr, handle);
2668 for (;;) {
2669 protocol = efi_va_arg(argptr, efi_guid_t*);
2670 if (!protocol)
2671 break;
2672 protocol_interface = efi_va_arg(argptr, void*);
** CID 340897: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2594 in efi_install_multiple_protocol_interfaces()
________________________________________________________________________________________________________
*** CID 340897: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2594 in efi_install_multiple_protocol_interfaces()
2588 efi_status_t r = EFI_SUCCESS;
2589 int i = 0;
2590
2591 if (!handle)
2592 return EFI_EXIT(EFI_INVALID_PARAMETER);
2593
>>> CID 340897: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2594 efi_va_start(argptr, handle);
2595 for (;;) {
2596 protocol = efi_va_arg(argptr, efi_guid_t*);
2597 if (!protocol)
2598 break;
2599 protocol_interface = efi_va_arg(argptr, void*);
** CID 340896: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340896: Insecure data handling (TAINTED_SCALAR)
/common/image-fdt.c: 510 in boot_get_fdt()
504 ulong fdt_data, fdt_len;
505 u32 fdt_size, dtb_idx;
506 /*
507 * Firstly check if this android boot image has dtb field.
508 */
509 dtb_idx = (u32)env_get_ulong("adtb_idx", 10, 0);
>>> CID 340896: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "hdr" to "android_image_get_dtb_by_index", which uses it as a loop boundary.
510 if (android_image_get_dtb_by_index((ulong)hdr, dtb_idx, &fdt_addr, &fdt_size)) {
511 fdt_blob = (char *)map_sysmem(fdt_addr, 0);
512 if (fdt_check_header(fdt_blob))
513 goto no_fdt;
514
515 debug("## Using FDT in Android image dtb area with idx %u\n", dtb_idx);
** CID 340895: Insecure data handling (TAINTED_SCALAR)
/common/image-android-dt.c: 128 in android_dt_print_contents()
________________________________________________________________________________________________________
*** CID 340895: Insecure data handling (TAINTED_SCALAR)
/common/image-android-dt.c: 128 in android_dt_print_contents()
122 printf(" page_size = %d\n", fdt32_to_cpu(hdr->page_size));
123 printf(" version = %d\n", fdt32_to_cpu(hdr->version));
124
125 unmap_sysmem(hdr);
126
127 /* Print image entries info */
>>> CID 340895: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "entry_count" as a loop boundary.
128 for (i = 0; i < entry_count; ++i) {
129 const ulong e_addr = hdr_addr + entries_offset + i * entry_size;
130 const struct dt_table_entry *e;
131 const struct fdt_header *fdt;
132 u32 dt_offset, dt_size;
133 u32 j;
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-11-01 20:06 Tom Rini
From: Tom Rini @ 2021-11-01 20:06 UTC (permalink / raw)
To: u-boot
Here's the list of new defects from v2022.01-rc1
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 01 Nov 2021 19:29:37 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
10 new defect(s) introduced to Das U-Boot found with Coverity Scan.
10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)
** CID 340850: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 81 in lib_test_abuf_realloc()
________________________________________________________________________________________________________
*** CID 340850: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 81 in lib_test_abuf_realloc()
75 /*
76 * TODO: crashes on sandbox sometimes due to an apparent bug in
77 * realloc().
78 */
79 return 0;
80
>>> CID 340850: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "start = ut_check_free();".
81 start = ut_check_free();
82
83 abuf_init(&buf);
84
85 /* Allocate an empty buffer */
86 ut_asserteq(true, abuf_realloc(&buf, 0));
** CID 340849: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()
________________________________________________________________________________________________________
*** CID 340849: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()
1985 &buffer_size, (void *)(uintptr_t)addr));
1986 if (ret != EFI_SUCCESS)
1987 efi_free_pages(addr, pages);
1988 out:
1989 EFI_CALL(efi_close_protocol(device, guid, efi_root, NULL));
1990 if (ret == EFI_SUCCESS) {
>>> CID 340849: Uninitialized variables (UNINIT)
>>> Using uninitialized value "addr".
1991 *buffer = (void *)(uintptr_t)addr;
1992 *size = buffer_size;
1993 }
1994
1995 return ret;
1996 }
** CID 340848: Control flow issues (DEADCODE)
/lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()
________________________________________________________________________________________________________
*** CID 340848: Control flow issues (DEADCODE)
/lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()
249 } else if (engine_id) {
250 if (keydir && name)
251 snprintf(key_id, sizeof(key_id),
252 "%s%s",
253 keydir, name);
254 else if (name)
>>> CID 340848: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression """" inside this statement: "snprintf(key_id, 1024UL, "%...".
255 snprintf(key_id, sizeof(key_id),
256 "%s",
257 name ? name : "");
258 else if (keyfile)
259 snprintf(key_id, sizeof(key_id), "%s", keyfile);
260 else
** CID 340847: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340847: (TAINTED_SCALAR)
/lib/zstd/zstd.c: 49 in zstd_decompress()
43 out_buf.pos = 0;
44 out_buf.size = abuf_size(out);
45
46 while (1) {
47 size_t res;
48
>>> CID 340847: (TAINTED_SCALAR)
>>> Passing tainted variable "dstream->inBuff" to a tainted sink.
49 res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
50 if (ZSTD_isError(res)) {
51 ret = ZSTD_getErrorCode(res);
52 log_err("ZSTD_decompressStream error %d\n", ret);
53 goto do_free;
54 }
/lib/zstd/zstd.c: 49 in zstd_decompress()
43 out_buf.pos = 0;
44 out_buf.size = abuf_size(out);
45
46 while (1) {
47 size_t res;
48
>>> CID 340847: (TAINTED_SCALAR)
>>> Passing tainted variable "in_buf.src" to a tainted sink.
49 res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
50 if (ZSTD_isError(res)) {
51 ret = ZSTD_getErrorCode(res);
52 log_err("ZSTD_decompressStream error %d\n", ret);
53 goto do_free;
54 }
** CID 340846: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 144 in lib_test_abuf_large()
________________________________________________________________________________________________________
*** CID 340846: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 144 in lib_test_abuf_large()
138 /*
139 * This crashes at present due to trying to allocate more memory than
140 * available, which breaks something on sandbox.
141 */
142 return 0;
143
>>> CID 340846: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "start = ut_check_free();".
144 start = ut_check_free();
145
146 /* Try an impossible size */
147 abuf_init(&buf);
148 ut_asserteq(false, abuf_realloc(&buf, CONFIG_SYS_MALLOC_LEN));
149 ut_assertnull(buf.data);
** CID 340845: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()
________________________________________________________________________________________________________
*** CID 340845: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()
205 * TODO: crashes on sandbox sometimes due to an apparent bug in
206 * realloc().
207 */
208 return 0;
209
210 /* Move an empty buffer */
>>> CID 340845: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "abuf_init(&buf);".
211 abuf_init(&buf);
212 ut_assertnull(abuf_uninit_move(&buf, &size));
213 ut_asserteq(0, size);
214 ut_assertnull(abuf_uninit_move(&buf, NULL));
215
216 /* Move an unallocated buffer */
** CID 340844: (DEADCODE)
/drivers/usb/gadget/ether.c: 2078 in eth_bind()
/drivers/usb/gadget/ether.c: 2178 in eth_bind()
/drivers/usb/gadget/ether.c: 2174 in eth_bind()
/drivers/usb/gadget/ether.c: 2310 in eth_bind()
/drivers/usb/gadget/ether.c: 2246 in eth_bind()
________________________________________________________________________________________________________
*** CID 340844: (DEADCODE)
/drivers/usb/gadget/ether.c: 2078 in eth_bind()
2072 * needed to install MSFT drivers. Current Linux kernels will use
2073 * the second configuration if it's CDC Ethernet, and need some help
2074 * to choose the right configuration otherwise.
2075 */
2076 if (rndis) {
2077 #if defined(CONFIG_USB_GADGET_VENDOR_NUM) && defined(CONFIG_USB_GADGET_PRODUCT_NUM)
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "device_desc.idVendor = 0;".
2078 device_desc.idVendor =
2079 __constant_cpu_to_le16(CONFIG_USB_GADGET_VENDOR_NUM);
2080 device_desc.idProduct =
2081 __constant_cpu_to_le16(CONFIG_USB_GADGET_PRODUCT_NUM);
2082 #else
2083 device_desc.idVendor =
/drivers/usb/gadget/ether.c: 2178 in eth_bind()
2172 /* For now RNDIS is always a second config */
2173 if (rndis)
2174 device_desc.bNumConfigurations = 2;
2175
2176 if (gadget_is_dualspeed(gadget)) {
2177 if (rndis)
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "dev_qualifier.bNumConfigura...".
2178 dev_qualifier.bNumConfigurations = 2;
2179 else if (!cdc)
2180 dev_qualifier.bDeviceClass = USB_CLASS_VENDOR_SPEC;
2181
2182 /* assumes ep0 uses the same value for both speeds ... */
2183 dev_qualifier.bMaxPacketSize0 = device_desc.bMaxPacketSize0;
/drivers/usb/gadget/ether.c: 2174 in eth_bind()
2168 }
2169
2170 usb_gadget_set_selfpowered(gadget);
2171
2172 /* For now RNDIS is always a second config */
2173 if (rndis)
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "device_desc.bNumConfigurati...".
2174 device_desc.bNumConfigurations = 2;
2175
2176 if (gadget_is_dualspeed(gadget)) {
2177 if (rndis)
2178 dev_qualifier.bNumConfigurations = 2;
2179 else if (!cdc)
/drivers/usb/gadget/ether.c: 2310 in eth_bind()
2304 printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
2305 dev->host_mac[0], dev->host_mac[1],
2306 dev->host_mac[2], dev->host_mac[3],
2307 dev->host_mac[4], dev->host_mac[5]);
2308
2309 if (rndis) {
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "vendorID = 0U;".
2310 u32 vendorID = 0;
2311
2312 /* FIXME RNDIS vendor id == "vendor NIC code" == ? */
2313
2314 dev->rndis_config = rndis_register(rndis_control_ack);
2315 if (dev->rndis_config < 0) {
/drivers/usb/gadget/ether.c: 2246 in eth_bind()
2240 sprintf(ethaddr, "%02X%02X%02X%02X%02X%02X",
2241 dev->host_mac[0], dev->host_mac[1],
2242 dev->host_mac[2], dev->host_mac[3],
2243 dev->host_mac[4], dev->host_mac[5]);
2244
2245 if (rndis) {
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "status = rndis_init();".
2246 status = rndis_init();
2247 if (status < 0) {
2248 pr_err("can't init RNDIS, %d", status);
2249 goto fail;
2250 }
2251 }
** CID 340843: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 315 in lib_test_abuf_init_move()
________________________________________________________________________________________________________
*** CID 340843: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 315 in lib_test_abuf_init_move()
309 /*
310 * TODO: crashes on sandbox sometimes due to an apparent bug in
311 * realloc().
312 */
313 return 0;
314
>>> CID 340843: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "ptr = sandbox_strdup(test_d...".
315 ptr = strdup(test_data);
316 ut_assertnonnull(ptr);
317
318 free(ptr);
319
320 abuf_init_move(&buf, ptr, TEST_DATA_LEN);
** CID 312933: Error handling issues (CHECKED_RETURN)
/net/mdio-uclass.c: 33 in dm_mdio_probe_devices()
________________________________________________________________________________________________________
*** CID 312933: Error handling issues (CHECKED_RETURN)
/net/mdio-uclass.c: 33 in dm_mdio_probe_devices()
27
28 void dm_mdio_probe_devices(void)
29 {
30 struct udevice *it;
31 struct uclass *uc;
32
>>> CID 312933: Error handling issues (CHECKED_RETURN)
>>> Calling "uclass_get" without checking return value (as is done elsewhere 58 out of 72 times).
33 uclass_get(UCLASS_MDIO, &uc);
34 uclass_foreach_dev(it, uc) {
35 device_probe(it);
36 }
37 }
38
** CID 166730: Integer handling issues (SIGN_EXTENSION)
/drivers/nvme/nvme.c: 786 in nvme_blk_rw()
________________________________________________________________________________________________________
*** CID 166730: Integer handling issues (SIGN_EXTENSION)
/drivers/nvme/nvme.c: 786 in nvme_blk_rw()
780 c.rw.prp2 = cpu_to_le64(prp2);
781 status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q],
782 &c, NULL, IO_TIMEOUT);
783 if (status)
784 break;
785 temp_len -= (u32)lbas << ns->lba_shift;
>>> CID 166730: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "lbas" with type "u16" (16 bits, unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
786 temp_buffer += lbas << ns->lba_shift;
787 }
788
789 if (read)
790 invalidate_dcache_range((unsigned long)buffer,
791 (unsigned long)buffer + total_len);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DK7Ur_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv2MEevk0ukd8spynR-2FdwIfCJVVOYA1tleqY-2BXaL0cBMwJ1IN62SlBYZTWeyGVfETq6dQU5Z757a9RpEHNUetHBLhP7WTf2pUXtpaHKgIB-2BJJRnCYvASPy63SZJeEuGhZMbVagadPofKk4H4PHfCFB4dVqyklahj-2B1P0DPRbe8B-2FA-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Df7A0_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv2MEevk0ukd8spynR-2FdwIfZbk3JZAsjphuB5i-2F95GC4r6B5TgK6GVnvqd9jOzi-2FEfG49B6RT8uHLKl7eUBwzIhiQw7Of4LExH3CBUAOZ-2FoJWB0qOI-2BfaE7KqJUeo7jWelN0MfiQxJASUMfn4ddaknmL09WtkO5D1OelUIYvbTZ2w-3D-3D
----- End forwarded message -----
--
Tom
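The SIGN_EXTENSION finding above (CID 166730) is worth seeing in isolation. The following is an added example, not code from U-Boot or from the Coverity report: it models the promotion chain Coverity describes, a u16 shifted as int and then widened to 64 bits, beside the form that widens before shifting. The function names and the sample lbas/lba_shift values are constructed for the illustration; the 32-bit unsigned shift followed by an int32_t conversion stands in for the int promotion so the demonstration stays clear of the signed-shift undefined behaviour that the original expression can trigger.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example: models the expression flagged in nvme_blk_rw(),
 *     temp_buffer += lbas << ns->lba_shift;
 * where lbas is u16. Under C's integer promotions the shift is done in
 * int (32-bit), and that int is sign-extended when it is added to a
 * 64-bit pointer. Function names and sample values are constructed.
 */

/* What the promoted expression yields once widened to 64 bits. The shift
 * is performed in uint32_t and the result converted to int32_t, which on
 * GCC/Clang wraps modulo 2^32 exactly as the int promotion would, but
 * without relying on an undefined signed shift. */
static uint64_t offset_via_int_promotion(uint16_t lbas, int lba_shift)
{
    int32_t promoted = (int32_t)((uint32_t)lbas << lba_shift);
    return (uint64_t)promoted; /* sign-extends whenever bit 31 is set */
}

/* One correct form: widen before shifting, so no intermediate 32-bit
 * signed value exists and nothing can be sign-extended. */
static uint64_t offset_widened_first(uint16_t lbas, int lba_shift)
{
    return (uint64_t)lbas << lba_shift;
}

/* Non-zero when the two computations disagree, i.e. when the original
 * expression would advance the buffer pointer by the wrong amount. */
static int promotion_corrupts_offset(uint16_t lbas, int lba_shift)
{
    return offset_via_int_promotion(lbas, lba_shift) !=
           offset_widened_first(lbas, lba_shift);
}

int main(void)
{
    /* Constructed inputs: a 4 KiB LBA (shift 12) with a small count is
     * harmless; a 64 KiB LBA (shift 16) with lbas >= 0x8000 sets bit 31. */
    struct { uint16_t lbas; int shift; } cases[] = {
        { 8, 12 }, { 0x7FFF, 16 }, { 0x8000, 16 }, { 0xFFFF, 16 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("lbas=0x%04x shift=%d promoted=0x%016llx widened=0x%016llx %s\n",
               cases[i].lbas, cases[i].shift,
               (unsigned long long)offset_via_int_promotion(cases[i].lbas, cases[i].shift),
               (unsigned long long)offset_widened_first(cases[i].lbas, cases[i].shift),
               promotion_corrupts_offset(cases[i].lbas, cases[i].shift) ? "MISMATCH" : "ok");
    }
    return 0;
}
```

On a 32-bit build `unsigned long` is 32 bits wide and the sign extension has nowhere to go, so the two forms agree; the finding matters on 64-bit targets, where the corrupted offset walks the pointer far outside the buffer.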
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-09-15 14:11 Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-09-15 14:11 UTC (permalink / raw)
To: u-boot, Aswath Govindraju, Peng Fan, Jaehoon Chung
Hey all,
Just a minor issue to fix from the latest scan. A fixes tag on
19f7a34a4642e25aa8b80c6d75129fe7848a158d would be appropriate. Thanks!
----- Forwarded message from scan-admin@coverity.com -----
Date: Tue, 14 Sep 2021 23:10:58 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 338845: Null pointer dereferences (REVERSE_INULL)
/drivers/mmc/mmc.c: 3085 in mmc_init_device()
________________________________________________________________________________________________________
*** CID 338845: Null pointer dereferences (REVERSE_INULL)
/drivers/mmc/mmc.c: 3085 in mmc_init_device()
3079 return ret;
3080 }
3081
3082 m = mmc_get_mmc_dev(dev);
3083 m->user_speed_mode = MMC_MODES_END; /* Initialising user set speed mode */
3084
>>> CID 338845: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "m" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
3085 if (!m)
3086 return 0;
3087 if (m->preinit)
3088 mmc_start_init(m);
3089
3090 return 0;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DRWeY_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTu3vYiCvsy-2F4Q187kdIvXEo5jWH8-2FKD7MYSJdIip3-2Byx1oYllNoM-2F0ob1q3wtaHWq0tUNaaBFtPBtgqFvkSGHsIlwT00tS5zQP-2BCb6DQYEFZ2k5NYPFr6RdNzSJtDjKq86BuqLAmJb30Q54nF-2Fk-2Bb4BEFQu8TD4BC9Si1Mg8VeIWQ-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Dq0B2_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTu3vYiCvsy-2F4Q187kdIvXEoqfDQ5N8pBM-2Fjgu-2FDSK-2F-2FefZxW44efUFPv-2BUNG5gusOb1n0Y4Wtmh-2FGP7sAeHBsIh-2Fx2TbIe016grlxclHcizP0vNuIKH-2BJmHpfqnTTU1oORi0tFLIe2oPa-2BmwlB5lSAS-2BKQGq533LaGbEGxmYXNErg-3D-3D
----- End forwarded message -----
--
Tom
* Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-09-06 14:05 ` Oleh Kravchenko
@ 2021-09-06 15:23 ` Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-09-06 15:23 UTC (permalink / raw)
To: Oleh Kravchenko; +Cc: u-boot
On Mon, Sep 06, 2021 at 05:05:40PM +0300, Oleh Kravchenko wrote:
> Hello Tom!
>
> Looks like it is a false positive detection.
> info and dev_desc are validated a few lines above:
>
> 609 | if (!info.name[0] &&
> 610 | fastboot_mmc_get_part_info(cmd, &dev_desc, &info, response)
> < 0)
> 611 | return;
Thanks for reviewing! I've updated the CIDs.
>
> On 30.08.21 20:39, Tom Rini wrote:
>
> > Hey all,
> >
> > Here's the latest report.
> >
> > ----- Forwarded message from scan-admin@coverity.com -----
> >
> > Date: Mon, 30 Aug 2021 16:58:54 +0000 (UTC)
> > From: scan-admin@coverity.com
> > To: tom.rini@gmail.com
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> > 2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 2 of 2 defect(s)
> >
> >
> > ** CID 338648: Memory - illegal accesses (UNINIT)
> > /drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 338648: Memory - illegal accesses (UNINIT)
> > /drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
> > 612
> > 613 if (is_sparse_image(download_buffer)) {
> > 614 struct fb_mmc_sparse sparse_priv;
> > 615 struct sparse_storage sparse;
> > 616 int err;
> > 617
> > >>> CID 338648: Memory - illegal accesses (UNINIT)
> > >>> Using uninitialized value "dev_desc".
> > 618 sparse_priv.dev_desc = dev_desc;
> > 619
> > 620 sparse.blksz = info.blksz;
> > 621 sparse.start = info.start;
> > 622 sparse.size = info.size;
> > 623 sparse.write = fb_mmc_sparse_write;
> >
> > ** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
> > /drivers/fastboot/fb_mmc.c: 631 in fastboot_mmc_flash_write()
> > 625 sparse.mssg = fastboot_fail;
> > 626
> > 627 printf("Flashing sparse image at offset " LBAFU "\n",
> > 628 sparse.start);
> > 629
> > 630 sparse.priv = &sparse_priv;
> > >>> CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
> > >>> In function call "write_sparse_image", division by expression "sparse.blksz" which may be zero has undefined behavior.
> > 631 err = write_sparse_image(&sparse, cmd, download_buffer,
> > 632 response);
> > 633 if (!err)
> > 634 fastboot_okay(NULL, response);
> > 635 } else {
> > 636 write_raw_image(dev_desc, &info, cmd, download_buffer,
> >
> >
> > ________________________________________________________________________________________________________
> > To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DB0R5_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiYovM6CPwd6hE024NqoJv2G1PZTeHMVC9jxFLJgI9alL1SVy-2FumNUJ7wQLM0LhmayO628LnXGSp6-2BQxL8eWMnX8DfYwdG1iiYjTCUb6p6N4KZqayMpDRL0dNo-2FZrxTT-2FAz2SR1H1kktB9lp0iaajH-2BQ-3D-3D
> >
> > To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DiOdo_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiTVHAVBb1e5w6-2BMjbd4JHjfrBraKGFtJ28aslex2Dq-2BGKoKqFa9LXDqSXKh1T4x2FIG8bOrMBw8qOG48BL8SGCU5Fh4Mz3heVvRktq2Dv-2Bu-2Fb8WoqCxYHUiUWEtrXPETG439ARsKn2eC80b78pwPIaQ-3D-3D
> >
> >
> > ----- End forwarded message -----
> >
--
Tom
* Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-08-30 17:39 Tom Rini
2021-08-31 15:18 ` Oleh Kravchenko
@ 2021-09-06 14:05 ` Oleh Kravchenko
2021-09-06 15:23 ` Tom Rini
1 sibling, 1 reply; 46+ messages in thread
From: Oleh Kravchenko @ 2021-09-06 14:05 UTC (permalink / raw)
To: Tom Rini, u-boot
Hello Tom!
Looks like it is a false positive detection.
info and dev_desc are validated a few lines above:
609 | if (!info.name[0] &&
610 | fastboot_mmc_get_part_info(cmd, &dev_desc, &info, response)
< 0)
611 | return;
On 30.08.21 20:39, Tom Rini wrote:
> Hey all,
>
> Here's the latest report.
>
> ----- Forwarded message from scan-admin@coverity.com -----
>
> Date: Mon, 30 Aug 2021 16:58:54 +0000 (UTC)
> From: scan-admin@coverity.com
> To: tom.rini@gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 2 of 2 defect(s)
>
>
> ** CID 338648: Memory - illegal accesses (UNINIT)
> /drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
>
>
> ________________________________________________________________________________________________________
> *** CID 338648: Memory - illegal accesses (UNINIT)
> /drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
> 612
> 613 if (is_sparse_image(download_buffer)) {
> 614 struct fb_mmc_sparse sparse_priv;
> 615 struct sparse_storage sparse;
> 616 int err;
> 617
> >>> CID 338648: Memory - illegal accesses (UNINIT)
> >>> Using uninitialized value "dev_desc".
> 618 sparse_priv.dev_desc = dev_desc;
> 619
> 620 sparse.blksz = info.blksz;
> 621 sparse.start = info.start;
> 622 sparse.size = info.size;
> 623 sparse.write = fb_mmc_sparse_write;
>
> ** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
>
>
> ________________________________________________________________________________________________________
> *** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
> /drivers/fastboot/fb_mmc.c: 631 in fastboot_mmc_flash_write()
> 625 sparse.mssg = fastboot_fail;
> 626
> 627 printf("Flashing sparse image at offset " LBAFU "\n",
> 628 sparse.start);
> 629
> 630 sparse.priv = &sparse_priv;
> >>> CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
> >>> In function call "write_sparse_image", division by expression "sparse.blksz" which may be zero has undefined behavior.
> 631 err = write_sparse_image(&sparse, cmd, download_buffer,
> 632 response);
> 633 if (!err)
> 634 fastboot_okay(NULL, response);
> 635 } else {
> 636 write_raw_image(dev_desc, &info, cmd, download_buffer,
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DB0R5_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiYovM6CPwd6hE024NqoJv2G1PZTeHMVC9jxFLJgI9alL1SVy-2FumNUJ7wQLM0LhmayO628LnXGSp6-2BQxL8eWMnX8DfYwdG1iiYjTCUb6p6N4KZqayMpDRL0dNo-2FZrxTT-2FAz2SR1H1kktB9lp0iaajH-2BQ-3D-3D
>
> To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DiOdo_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiTVHAVBb1e5w6-2BMjbd4JHjfrBraKGFtJ28aslex2Dq-2BGKoKqFa9LXDqSXKh1T4x2FIG8bOrMBw8qOG48BL8SGCU5Fh4Mz3heVvRktq2Dv-2Bu-2Fb8WoqCxYHUiUWEtrXPETG439ARsKn2eC80b78pwPIaQ-3D-3D
>
>
> ----- End forwarded message -----
>
* Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-08-30 17:39 Tom Rini
@ 2021-08-31 15:18 ` Oleh Kravchenko
2021-09-06 14:05 ` Oleh Kravchenko
1 sibling, 0 replies; 46+ messages in thread
From: Oleh Kravchenko @ 2021-08-31 15:18 UTC (permalink / raw)
To: Tom Rini, u-boot
I will take a look at it?
On 30.08.21 20:39, Tom Rini wrote:
> Hey all,
>
> Here's the latest report.
>
> ----- Forwarded message from scan-admin@coverity.com -----
>
> Date: Mon, 30 Aug 2021 16:58:54 +0000 (UTC)
> From: scan-admin@coverity.com
> To: tom.rini@gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 2 of 2 defect(s)
>
>
> ** CID 338648: Memory - illegal accesses (UNINIT)
> /drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
>
>
> ________________________________________________________________________________________________________
> *** CID 338648: Memory - illegal accesses (UNINIT)
> /drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
> 612
> 613 if (is_sparse_image(download_buffer)) {
> 614 struct fb_mmc_sparse sparse_priv;
> 615 struct sparse_storage sparse;
> 616 int err;
> 617
> >>> CID 338648: Memory - illegal accesses (UNINIT)
> >>> Using uninitialized value "dev_desc".
> 618 sparse_priv.dev_desc = dev_desc;
> 619
> 620 sparse.blksz = info.blksz;
> 621 sparse.start = info.start;
> 622 sparse.size = info.size;
> 623 sparse.write = fb_mmc_sparse_write;
>
> ** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
>
>
> ________________________________________________________________________________________________________
> *** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
> /drivers/fastboot/fb_mmc.c: 631 in fastboot_mmc_flash_write()
> 625 sparse.mssg = fastboot_fail;
> 626
> 627 printf("Flashing sparse image at offset " LBAFU "\n",
> 628 sparse.start);
> 629
> 630 sparse.priv = &sparse_priv;
> >>> CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
> >>> In function call "write_sparse_image", division by expression "sparse.blksz" which may be zero has undefined behavior.
> 631 err = write_sparse_image(&sparse, cmd, download_buffer,
> 632 response);
> 633 if (!err)
> 634 fastboot_okay(NULL, response);
> 635 } else {
> 636 write_raw_image(dev_desc, &info, cmd, download_buffer,
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DB0R5_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiYovM6CPwd6hE024NqoJv2G1PZTeHMVC9jxFLJgI9alL1SVy-2FumNUJ7wQLM0LhmayO628LnXGSp6-2BQxL8eWMnX8DfYwdG1iiYjTCUb6p6N4KZqayMpDRL0dNo-2FZrxTT-2FAz2SR1H1kktB9lp0iaajH-2BQ-3D-3D
>
> To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DiOdo_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiTVHAVBb1e5w6-2BMjbd4JHjfrBraKGFtJ28aslex2Dq-2BGKoKqFa9LXDqSXKh1T4x2FIG8bOrMBw8qOG48BL8SGCU5Fh4Mz3heVvRktq2Dv-2Bu-2Fb8WoqCxYHUiUWEtrXPETG439ARsKn2eC80b78pwPIaQ-3D-3D
>
>
> ----- End forwarded message -----
>
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-08-30 17:39 Tom Rini
2021-08-31 15:18 ` Oleh Kravchenko
2021-09-06 14:05 ` Oleh Kravchenko
0 siblings, 2 replies; 46+ messages in thread
From: Tom Rini @ 2021-08-30 17:39 UTC (permalink / raw)
To: u-boot, Oleh Kravchenko
Hey all,
Here's the latest report.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 30 Aug 2021 16:58:54 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 338648: Memory - illegal accesses (UNINIT)
/drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
________________________________________________________________________________________________________
*** CID 338648: Memory - illegal accesses (UNINIT)
/drivers/fastboot/fb_mmc.c: 618 in fastboot_mmc_flash_write()
612
613 if (is_sparse_image(download_buffer)) {
614 struct fb_mmc_sparse sparse_priv;
615 struct sparse_storage sparse;
616 int err;
617
>>> CID 338648: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "dev_desc".
618 sparse_priv.dev_desc = dev_desc;
619
620 sparse.blksz = info.blksz;
621 sparse.start = info.start;
622 sparse.size = info.size;
623 sparse.write = fb_mmc_sparse_write;
** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
________________________________________________________________________________________________________
*** CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
/drivers/fastboot/fb_mmc.c: 631 in fastboot_mmc_flash_write()
625 sparse.mssg = fastboot_fail;
626
627 printf("Flashing sparse image at offset " LBAFU "\n",
628 sparse.start);
629
630 sparse.priv = &sparse_priv;
>>> CID 338647: Integer handling issues (DIVIDE_BY_ZERO)
>>> In function call "write_sparse_image", division by expression "sparse.blksz" which may be zero has undefined behavior.
631 err = write_sparse_image(&sparse, cmd, download_buffer,
632 response);
633 if (!err)
634 fastboot_okay(NULL, response);
635 } else {
636 write_raw_image(dev_desc, &info, cmd, download_buffer,
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DB0R5_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiYovM6CPwd6hE024NqoJv2G1PZTeHMVC9jxFLJgI9alL1SVy-2FumNUJ7wQLM0LhmayO628LnXGSp6-2BQxL8eWMnX8DfYwdG1iiYjTCUb6p6N4KZqayMpDRL0dNo-2FZrxTT-2FAz2SR1H1kktB9lp0iaajH-2BQ-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DiOdo_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsWpxO-2FB72i0SdTN3-2BHFJyiTVHAVBb1e5w6-2BMjbd4JHjfrBraKGFtJ28aslex2Dq-2BGKoKqFa9LXDqSXKh1T4x2FIG8bOrMBw8qOG48BL8SGCU5Fh4Mz3heVvRktq2Dv-2Bu-2Fb8WoqCxYHUiUWEtrXPETG439ARsKn2eC80b78pwPIaQ-3D-3D
----- End forwarded message -----
--
Tom
* Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-08-16 20:15 ` Pali Rohár
@ 2021-08-16 20:20 ` Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-08-16 20:20 UTC (permalink / raw)
To: Pali Rohár
Cc: u-boot, Simon Glass, Alexandru Gagniuc, Stefan Roese, Marek Behún
On Mon, Aug 16, 2021 at 10:15:49PM +0200, Pali Rohár wrote:
> + Stefan and Marek
>
> On Monday 16 August 2021 15:57:26 Tom Rini wrote:
> > Hey all,
> >
> > Can people please take a look? I can mark as intentional anything that
> > really is intentional, thanks.
>
> Hello Tom!
>
> These kwbimage issues look to be real issues. But I do not think that
> anybody touched these parts of the kwbimage code recently. So it looks
> like Coverity must have run some more tests this time...
Yeah, that happens from time to time.
>
> > ** CID 338491: Null pointer dereferences (NULL_RETURNS)
> > /tools/kwbimage.c: 1066 in export_pub_kak_hash()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 338491: Null pointer dereferences (NULL_RETURNS)
> > /tools/kwbimage.c: 1066 in export_pub_kak_hash()
> > 1060 int res;
> > 1061
> > 1062 hashf = fopen("pub_kak_hash.txt", "w");
> > 1063
> > 1064 res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
> > 1065
> > >>> CID 338491: Null pointer dereferences (NULL_RETURNS)
> > >>> Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
> > 1066 fclose(hashf);
> > 1067
> > 1068 return res < 0 ? 1 : 0;
> > 1069 }
> > 1070
> > 1071 int kwb_sign_csk_with_kak(struct image_tool_params *params,
>
> There is really a missing check that fopen() succeeded.
>
> > ** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> > /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> > /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
> > 1087 if (export_pub_kak_hash(kak, secure_hdr))
> > 1088 return 1;
> > 1089
> > 1090 if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
> > 1091 return 1;
> > 1092
> > >>> CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> > >>> Using variable "csk_idx" as an index to array "secure_hdr->csk".
> > 1093 if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
> > 1094 return 1;
> > 1095
> > 1096 if (kwb_sign_and_verify(kak, &secure_hdr->csk,
> > 1097 sizeof(secure_hdr->csk) +
> > 1098 sizeof(secure_hdr->csksig),
>
> There is code:
>
> int csk_idx = image_get_csk_index();
> ...
> if (csk_idx >= 16) {
> ...
> return 1;
> }
> ... &secure_hdr->csk[csk_idx] ...
>
> And ->csk is defined as:
>
> struct secure_hdr_v1 {
> ..
> struct pubkey_der_v1 csk[16]
> ..
> };
>
> image_get_csk_index() returns int and it may also return a negative value
> on error. So there is really a possible illegal memory access.
>
> > ** CID 338486: Null pointer dereferences (NULL_RETURNS)
> > /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 338486: Null pointer dereferences (NULL_RETURNS)
> > /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
> > 830 return 0;
> > 831
> > 832 if (!strcmp(e->name, "a38x")) {
> > 833 FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
> > 834
> > 835 kwb_dump_fuse_cmds_38x(out, sec_hdr);
> > >>> CID 338486: Null pointer dereferences (NULL_RETURNS)
> > >>> Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
> > 836 fclose(out);
> > 837 goto done;
> > 838 }
> > 839
> > 840 ret = -ENOSYS;
> > 841
>
> And there is also a missing check that fopen() succeeded.
Since you've been in here and analyzed things (thanks!) can you make a
few patches for things?
--
Tom
^ permalink raw reply [flat|nested] 46+ messages in thread
* Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-08-16 19:57 Tom Rini
@ 2021-08-16 20:15 ` Pali Rohár
2021-08-16 20:20 ` Tom Rini
0 siblings, 1 reply; 46+ messages in thread
From: Pali Rohár @ 2021-08-16 20:15 UTC (permalink / raw)
To: Tom Rini
Cc: u-boot, Simon Glass, Alexandru Gagniuc, Stefan Roese, Marek Behún
+ Stefan and Marek
On Monday 16 August 2021 15:57:26 Tom Rini wrote:
> Hey all,
>
> Can people please take a look? I can mark as intentional anything that
> really is intentional, thanks.
Hello Tom!
These kwbimage issues look to be real issues. But I do not think that
anybody touched these parts of the kwbimage code recently. So it looks like
Coverity must have run some more tests this time...
> ** CID 338491: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 1066 in export_pub_kak_hash()
>
>
> ________________________________________________________________________________________________________
> *** CID 338491: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 1066 in export_pub_kak_hash()
> 1060 int res;
> 1061
> 1062 hashf = fopen("pub_kak_hash.txt", "w");
> 1063
> 1064 res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
> 1065
> >>> CID 338491: Null pointer dereferences (NULL_RETURNS)
> >>> Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
> 1066 fclose(hashf);
> 1067
> 1068 return res < 0 ? 1 : 0;
> 1069 }
> 1070
> 1071 int kwb_sign_csk_with_kak(struct image_tool_params *params,
There is really a missing check that fopen() succeeded.
> ** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
>
>
> ________________________________________________________________________________________________________
> *** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
> 1087 if (export_pub_kak_hash(kak, secure_hdr))
> 1088 return 1;
> 1089
> 1090 if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
> 1091 return 1;
> 1092
> >>> CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> >>> Using variable "csk_idx" as an index to array "secure_hdr->csk".
> 1093 if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
> 1094 return 1;
> 1095
> 1096 if (kwb_sign_and_verify(kak, &secure_hdr->csk,
> 1097 sizeof(secure_hdr->csk) +
> 1098 sizeof(secure_hdr->csksig),
There is code:
int csk_idx = image_get_csk_index();
...
if (csk_idx >= 16) {
...
return 1;
}
... &secure_hdr->csk[csk_idx] ...
And ->csk is defined as:
struct secure_hdr_v1 {
..
struct pubkey_der_v1 csk[16]
..
};
image_get_csk_index() returns int and it may also return a negative value
on error. So there is really a possible illegal memory access.
> ** CID 338486: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
>
>
> ________________________________________________________________________________________________________
> *** CID 338486: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
> 830 return 0;
> 831
> 832 if (!strcmp(e->name, "a38x")) {
> 833 FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
> 834
> 835 kwb_dump_fuse_cmds_38x(out, sec_hdr);
> >>> CID 338486: Null pointer dereferences (NULL_RETURNS)
> >>> Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
> 836 fclose(out);
> 837 goto done;
> 838 }
> 839
> 840 ret = -ENOSYS;
> 841
And there is also a missing check that fopen() succeeded.
^ permalink raw reply [flat|nested] 46+ messages in thread
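The two kwbimage defect classes discussed in Pali's reply above (and in Tom's earlier quote of it) are a signed CSK index that is checked only against its upper bound before indexing a 16-entry array, and fopen() results handed to a writer and to fclose() without a NULL check. The following is an added example, not U-Boot's own tools/kwbimage.c code: it reconstructs the two patterns in isolation next to the checks that close them. CSK_COUNT, the placeholder layout of struct pubkey_der_v1, the csk_slot() and export_hash_file() helpers and the sample digest are assumptions made for this example.

```c
/*
 * Added example, not U-Boot code. It shows the two kwbimage defect classes
 * from the report above next to the checks that close them:
 *  - a signed index from a helper that returns a negative value on error,
 *    used directly to index a 16-entry array (only the upper bound was checked);
 *  - fopen() results passed to a writer and to fclose() without a NULL check.
 * CSK_COUNT, the struct pubkey_der_v1 layout and the helper names are
 * assumptions made for this example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CSK_COUNT 16	/* assumption: mirrors csk[16] in secure_hdr_v1 */

struct pubkey_der_v1 {
	unsigned char der[64];	/* assumption: placeholder for the DER-encoded key */
};

struct secure_hdr_v1 {
	struct pubkey_der_v1 csk[CSK_COUNT];
};

/* Both bounds are checked: a negative error return and >= CSK_COUNT. */
bool csk_index_valid(int csk_idx)
{
	return csk_idx >= 0 && csk_idx < CSK_COUNT;
}

/*
 * Resolve the CSK slot for an index produced by an image_get_csk_index()-style
 * helper. Returns NULL instead of ever computing &hdr->csk[-1].
 */
struct pubkey_der_v1 *csk_slot(struct secure_hdr_v1 *hdr, int csk_idx)
{
	if (!hdr || !csk_index_valid(csk_idx)) {
		fprintf(stderr, "Invalid CSK index %d (valid: 0..%d)\n",
			csk_idx, CSK_COUNT - 1);
		return NULL;
	}
	return &hdr->csk[csk_idx];
}

/*
 * Write a hex digest to a file, checking fopen(), the write and fclose().
 * Returns 0 on success and 1 on failure (the kwbimage convention in the report).
 */
int export_hash_file(const char *path, const char *hash_hex)
{
	FILE *f = fopen(path, "w");

	if (!f) {
		fprintf(stderr, "Cannot open %s: %s\n", path, strerror(errno));
		return 1;
	}
	if (fputs(hash_hex, f) == EOF || fputc('\n', f) == EOF) {
		fprintf(stderr, "Write to %s failed\n", path);
		fclose(f);
		return 1;
	}
	/* fclose() can fail on the final flush; treat that as a failed export. */
	if (fclose(f) != 0) {
		fprintf(stderr, "Close of %s failed: %s\n", path, strerror(errno));
		return 1;
	}
	return 0;
}

static struct secure_hdr_v1 demo_hdr;	/* constructed header for the demo */

int main(void)
{
	const char *hash = "0123456789abcdef";	/* constructed sample digest */

	printf("csk[-1] -> %p\n", (void *)csk_slot(&demo_hdr, -1));
	printf("csk[16] -> %p\n", (void *)csk_slot(&demo_hdr, 16));
	printf("csk[15] -> %p\n", (void *)csk_slot(&demo_hdr, 15));
	printf("export to missing dir: %d\n",
	       export_hash_file("/nonexistent-dir/pub_kak_hash.txt", hash));
	printf("export to cwd: %d\n",
	       export_hash_file("pub_kak_hash.example.txt", hash));
	remove("pub_kak_hash.example.txt");
	return 0;
}
```

The point of csk_slot() is that the array access is only reachable through a helper that returns NULL for any index outside 0..15, so a negative error return from the index lookup cannot become a write before the start of the header; export_hash_file() likewise never reaches fclose() with a NULL stream.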
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-08-16 19:57 Tom Rini
2021-08-16 20:15 ` Pali Rohár
0 siblings, 1 reply; 46+ messages in thread
From: Tom Rini @ 2021-08-16 19:57 UTC (permalink / raw)
To: u-boot, Simon Glass, Pali Rohár, Alexandru Gagniuc
Hey all,
Can people please take a look? I can mark as intentional anything that
really is intentional, thanks.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 16 Aug 2021 18:33:32 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
** CID 338491: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()
________________________________________________________________________________________________________
*** CID 338491: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()
1060 int res;
1061
1062 hashf = fopen("pub_kak_hash.txt", "w");
1063
1064 res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
1065
>>> CID 338491: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
1066 fclose(hashf);
1067
1068 return res < 0 ? 1 : 0;
1069 }
1070
1071 int kwb_sign_csk_with_kak(struct image_tool_params *params,
** CID 338490: Control flow issues (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()
________________________________________________________________________________________________________
*** CID 338490: Control flow issues (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()
28 case FWMP_NV_INDEX:
29 return NV_SEQ_FWMP;
30 case MRC_REC_HASH_NV_INDEX:
31 return NV_SEQ_REC_HASH;
32 case 0:
33 return NV_SEQ_GLOBAL_LOCK;
>>> CID 338490: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "case TPM_NV_INDEX_LOCK:".
34 case TPM_NV_INDEX_LOCK:
35 return NV_SEQ_ENABLE_LOCKING;
36 }
37
38 printf("Invalid nv index %#x\n", index);
39 return -1;
** CID 338489: Control flow issues (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()
________________________________________________________________________________________________________
*** CID 338489: Control flow issues (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()
646
647 for (i = 0; i < SANDBOX_TPM_PCR_NB; i++)
648 if (pcr_map & BIT(i))
649 pcr_index = i;
650
651 if (pcr_index >= SANDBOX_TPM_PCR_NB) {
>>> CID 338489: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "printf("Invalid index %d, s...".
652 printf("Invalid index %d, sandbox TPM handles up to %d PCR(s)\n",
653 pcr_index, SANDBOX_TPM_PCR_NB);
654 rc = TPM2_RC_VALUE;
655 return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
656 }
657
** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
________________________________________________________________________________________________________
*** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
1087 if (export_pub_kak_hash(kak, secure_hdr))
1088 return 1;
1089
1090 if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
1091 return 1;
1092
>>> CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
>>> Using variable "csk_idx" as an index to array "secure_hdr->csk".
1093 if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
1094 return 1;
1095
1096 if (kwb_sign_and_verify(kak, &secure_hdr->csk,
1097 sizeof(secure_hdr->csk) +
1098 sizeof(secure_hdr->csksig),
** CID 338487: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 338487: Null pointer dereferences (FORWARD_NULL)
/test/dm/ecdsa.c: 34 in dm_test_ecdsa_verify()
28 struct image_sign_info info = {
29 .checksum = &algo,
30 };
31
32 ut_assertok(uclass_get(UCLASS_ECDSA, &ucp));
33 ut_assertnonnull(ucp);
>>> CID 338487: Null pointer dereferences (FORWARD_NULL)
>>> Passing "&info" to "ecdsa_verify", which dereferences null "info.fdt_blob".
34 ut_asserteq(-ENODEV, ecdsa_verify(&info, NULL, 0, NULL, 0));
35
36 return 0;
37 }
** CID 338486: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
________________________________________________________________________________________________________
*** CID 338486: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
830 return 0;
831
832 if (!strcmp(e->name, "a38x")) {
833 FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
834
835 kwb_dump_fuse_cmds_38x(out, sec_hdr);
>>> CID 338486: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
836 fclose(out);
837 goto done;
838 }
839
840 ret = -ENOSYS;
841
** CID 338485: Security best practices violations (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()
________________________________________________________________________________________________________
*** CID 338485: Security best practices violations (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()
120 bool upper)
121 {
122 char out[TEST_STR_SIZE];
123 char *endp;
124 unsigned long long val;
125
>>> CID 338485: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 200-character fixed-size string "out" by copying "str" without checking the length.
126 strcpy(out, str);
127 if (upper)
128 str_to_upper(out, out, -1);
129
130 val = simple_strtoull(out, &endp, base);
131 ut_asserteq(expect_val, val);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3Dpne1_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsGY-2Fdp5hfqC-2B6ss-2FtTgTZdxyWngwdNCSBcWaoglYsMi33qZ6o4IvlPo1NMZ6HKzSbi0k3YdDAC-2BTUaeXbDEnIRwEUtXC7QvseJgqoTO7Dy-2FbiEUFH4xtjfmqCkZmTJb3YVLV9-2Ba99V6cQv2l1vnfXAACur8TFDo8g-2FsXRbmip9nw-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DZz5A_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsGY-2Fdp5hfqC-2B6ss-2FtTgTZdXwxIYMpdS4H155aON0dxh2JciN9BuG3rKCbVzTcBZLXOvfO7Si-2FBGSpoJNCavkeTT3AGnasDLWxyxFydCRuDUJa2tYQzp6QhBJbaTuEIeds3Dm8aBmYjPfgEtJGmGgn084OEX2dKxosO7FhRlH0u8A-3D-3D
----- End forwarded message -----
--
Tom
^ permalink raw reply [flat|nested] 46+ messages in thread
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-05-26 16:58 Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-05-26 16:58 UTC (permalink / raw)
To: u-boot, Heinrich Schuchardt, Ilias Apalodimas
----- Forwarded message from scan-admin@coverity.com -----
Date: Tue, 25 May 2021 01:05:20 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 331856: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 331856: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_tcg2.c: 921 in create_specid_event()
915 spec_event->spec_version_major =
916 TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2;
917 spec_event->spec_errata =
918 TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_ERRATA_TPM2;
919 spec_event->uintn_size = sizeof(efi_uintn_t) / sizeof(u32);
920
>>> CID 331856: Uninitialized variables (UNINIT)
>>> Using uninitialized value "supported" when calling "tpm2_get_pcr_info".
921 err = tpm2_get_pcr_info(dev, &supported, &active,
922 &spec_event->number_of_algorithms);
923 if (err)
924 goto out;
925 if (spec_event->number_of_algorithms > MAX_HASH_COUNT ||
926 spec_event->number_of_algorithms < 1)
** CID 331855: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 331855: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_tcg2.c: 921 in create_specid_event()
915 spec_event->spec_version_major =
916 TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_MAJOR_TPM2;
917 spec_event->spec_errata =
918 TCG_EFI_SPEC_ID_EVENT_SPEC_VERSION_ERRATA_TPM2;
919 spec_event->uintn_size = sizeof(efi_uintn_t) / sizeof(u32);
920
>>> CID 331855: Uninitialized variables (UNINIT)
>>> Using uninitialized value "active" when calling "tpm2_get_pcr_info".
921 err = tpm2_get_pcr_info(dev, &supported, &active,
922 &spec_event->number_of_algorithms);
923 if (err)
924 goto out;
925 if (spec_event->number_of_algorithms > MAX_HASH_COUNT ||
926 spec_event->number_of_algorithms < 1)
** CID 331854: Control flow issues (NO_EFFECT)
/lib/efi_loader/efi_tcg2.c: 752 in efi_tcg2_hash_log_extend_event()
________________________________________________________________________________________________________
*** CID 331854: Control flow issues (NO_EFFECT)
/lib/efi_loader/efi_tcg2.c: 752 in efi_tcg2_hash_log_extend_event()
746 if (efi_tcg_event->size < efi_tcg_event->header.header_size +
747 sizeof(u32)) {
748 ret = EFI_INVALID_PARAMETER;
749 goto out;
750 }
751
>>> CID 331854: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "efi_tcg_event->header.pcr_index < 0U".
752 if (efi_tcg_event->header.pcr_index < 0 ||
753 efi_tcg_event->header.pcr_index > TPM2_MAX_PCRS) {
754 ret = EFI_INVALID_PARAMETER;
755 goto out;
756 }
757
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DH9_4_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuOTF5O38i4jL-2BD-2FsmrMh2lPzvREHBhqI8vCJ-2BIP-2FXhAJ3irlT-2FJk2sTfzSE0n6yvc5mZv-2F1TXb3F0Ev-2FdreWwRhxjJoa-2FPZBEnX6yBmc80HGnkfFCmBlGixi3NDktrXT0unG8R8-2B-2BMnfJ5ZEf2wap1no4QCXizq5T9klMZiXxyjw-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DrJM5_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuOTF5O38i4jL-2BD-2FsmrMh2lCbMtreDazwi5HIVw-2FInsq1UjQPSekFOErjT207tnNVPyexr3egGBVAo2ZA7Ge-2Fl7I3INbrgnTuXLIb-2FaWaodarJVao56-2BJxiYKJP-2B-2F-2FDlnIXZgenQkkpFLZvmZ4cmX1xLH9fbJ713T6bqjKF-2Fjt7HQ-3D-3D
----- End forwarded message -----
--
Tom
^ permalink raw reply [flat|nested] 46+ messages in thread
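The efi_tcg2.c report above contains two patterns worth seeing side by side: a `< 0` test on an unsigned pcr_index that can never be true (so the upper bound is the only guard that does anything), and output parameters (`supported`, `active`) that the callee fills only on success but that Coverity sees passed in uninitialized. The following is an added example, not U-Boot's lib/efi_loader/efi_tcg2.c: it writes the index and size guards the way they hold for unsigned types and shows the caller-side initialization. TPM2_MAX_PCRS being the PCR count (so valid indices are 0..TPM2_MAX_PCRS-1, and the report's `> TPM2_MAX_PCRS` would still admit index 32), the u32 field types, and the tpm2_get_pcr_info() stand-in are assumptions for this example.

```c
/*
 * Added example, not U-Boot code. It shows the two defect classes in the
 * efi_tcg2.c report above:
 *  - a `< 0` test on an unsigned field (pcr_index) that can never be true, so
 *    the upper-bound check is the whole guard and must be written as `>=`
 *    if TPM2_MAX_PCRS is the PCR count;
 *  - output parameters (supported, active) that the callee only fills on
 *    success, which the caller must initialize before the call.
 * TPM2_MAX_PCRS as a count, the u32 field types and the tpm2_get_pcr_info()
 * stand-in are assumptions for this example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

#define TPM2_MAX_PCRS	32	/* assumption: number of PCRs, valid index 0..31 */

/* Index guard for an unsigned index: one comparison covers everything. */
bool pcr_index_valid(u32 pcr_index)
{
	return pcr_index < TPM2_MAX_PCRS;
}

/*
 * Size check from the same function, written by subtraction so that an
 * untrusted header_size cannot wrap the sum `header_size + sizeof(u32)`
 * (with size_t of 32 bits, as on 32-bit targets, the original form can wrap).
 */
bool tcg_event_size_valid(u32 size, u32 header_size)
{
	if (header_size > size)
		return false;
	return size - header_size >= sizeof(u32);
}

/*
 * Stand-in for tpm2_get_pcr_info(): like a real driver call it may fail
 * before touching any of its output parameters.
 */
static int get_pcr_info_stub(bool fail, u32 *supported, u32 *active,
			     u32 *nalgs)
{
	if (fail)
		return -EIO;	/* outputs are left untouched on this path */
	*supported = 0x3;	/* constructed: two supported banks */
	*active = 0x2;		/* constructed: one active bank */
	*nalgs = 1;
	return 0;
}

/*
 * Caller pattern: every output is initialized before the call and the error
 * is returned before any output is read. Returns nalgs on success or a
 * negative errno; *active_out is defined on every return path.
 */
int active_algorithms(bool fail, u32 *active_out)
{
	u32 supported = 0, active = 0, nalgs = 0;
	int err = get_pcr_info_stub(fail, &supported, &active, &nalgs);

	*active_out = active;
	if (err)
		return err;
	if (nalgs < 1 || (active & ~supported))
		return -EIO;	/* an active bank must also be a supported one */
	return (int)nalgs;
}

/* What `active` holds after a failed call under this pattern: 0, not garbage. */
u32 active_after_failed_call(void)
{
	u32 active = 0xdeadbeef;

	(void)active_algorithms(true, &active);
	return active;
}

static u32 demo_active;

int main(void)
{
	printf("pcr 31 valid: %d, pcr 32 valid: %d\n",
	       pcr_index_valid(31), pcr_index_valid(32));
	printf("size check (8, 0xfffffffe): %d\n",
	       tcg_event_size_valid(8, 0xfffffffe));
	printf("active algos (ok): %d, active=%u\n",
	       active_algorithms(false, &demo_active), demo_active);
	printf("active algos (fail): %d, active=%u\n",
	       active_algorithms(true, &demo_active), demo_active);
	return 0;
}
```

Removing the dead `< 0` arm is not only cosmetic: once it is gone, the remaining comparison is visibly the entire guard, which is when the `>` versus `>=` question gets asked.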
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-05-12 22:30 Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-05-12 22:30 UTC (permalink / raw)
To: u-boot
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 10 May 2021 21:17:32 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 331544: Null pointer dereferences (REVERSE_INULL)
/drivers/core/ofnode.c: 317 in ofnode_get_addr_size_index()
________________________________________________________________________________________________________
*** CID 331544: Null pointer dereferences (REVERSE_INULL)
/drivers/core/ofnode.c: 317 in ofnode_get_addr_size_index()
311 uint flags;
312
313 prop_val = of_get_address(ofnode_to_np(node), index, &size64,
314 &flags);
315 if (!prop_val)
316 return FDT_ADDR_T_NONE;
>>> CID 331544: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "size" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
317 if (size)
318 *size = size64;
319
320 ns = of_n_size_cells(ofnode_to_np(node));
321
322 if (IS_ENABLED(CONFIG_OF_TRANSLATE) &&
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DG8yI_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtU1-2Brl29AQnRBl5SDIhsdlk4JL-2BC60Yy99Ru0XHXKZmudWSFasqNbw3J8c8YsieibEgnFne8AQZsraqyZc6bSorO2VVj4yo2EYbDylqVK-2BNvmB4zxqglhPpQGYCxEyim-2BCmtR1oyAQcyUT-2F0UpwA2s3mUEbsptAVDqX6MTucjWlw-3D-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DcN-g_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtU1-2Brl29AQnRBl5SDIhsdlpXdtm0ziQZhCdYNwPtYo9juOCfJRYvUSD6RBDul3PpPJtEbQAvJyD64um9NlavMb-2FNhtaCPCgg1OZOg6fyHdjqmNc-2BSac4T2ShWFTENHS5073Orso2HRCvi56uwUJuZ8ILMBdsEOC5-2FtuCAU-2BmbVBQ-3D-3D
----- End forwarded message -----
--
Tom
^ permalink raw reply [flat|nested] 46+ messages in thread
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-04-19 12:20 Tom Rini
2021-04-20 0:58 ` Asherah Connor
@ 2021-04-20 6:13 ` Dario Binacchi
1 sibling, 0 replies; 46+ messages in thread
From: Dario Binacchi @ 2021-04-20 6:13 UTC (permalink / raw)
To: u-boot
Hi Tom,
> Il 19/04/2021 14:20 Tom Rini <trini@konsulko.com> ha scritto:
>
>
> Hey all,
>
> Here's the latest report.
>
> ----- Forwarded message from scan-admin at coverity.com -----
>
> Date: Mon, 19 Apr 2021 01:18:55 +0000 (UTC)
> From: scan-admin at coverity.com
> To: tom.rini at gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 13 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 13 of 13 defect(s)
>
>
> ** CID 331158: Control flow issues (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
>
>
> ________________________________________________________________________________________________________
> *** CID 331158: Control flow issues (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
> 341 return PTR_ERR(func);
> 342
> 343 func->name = fname;
> 344 func->npins = 0;
> 345 for (n = 0; n < count; n++, pins++) {
> 346 offset = fdt32_to_cpu(pins->reg);
> >>> CID 331158: Control flow issues (NO_EFFECT)
> >>> This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
> 347 if (offset < 0 || offset > pdata->offset) {
> 348 dev_dbg(dev, " invalid register offset 0x%x\n",
> 349 offset);
> 350 continue;
> 351 }
> 352
>
> ** CID 331157: Null pointer dereferences (NULL_RETURNS)
> /drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
>
>
> ________________________________________________________________________________________________________
> *** CID 331157: Null pointer dereferences (NULL_RETURNS)
> /drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
> 223
> 224 /* Now read the data */
> 225 for (upto = 0; upto < ec->matrix_count; upto++) {
> 226 struct ec_keymatrix_entry *matrix = &ec->matrix[upto];
> 227 u32 word;
> 228
> >>> CID 331157: Null pointer dereferences (NULL_RETURNS)
> >>> Incrementing a pointer which might be null: "cell".
> 229 word = fdt32_to_cpu(*cell++);
> 230 matrix->row = word >> 24;
> 231 matrix->col = (word >> 16) & 0xff;
> 232 matrix->keycode = word & 0xffff;
> 233
> 234 /* Hard-code some sanity limits for now */
>
> ** CID 331156: Incorrect expression (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
>
>
> ________________________________________________________________________________________________________
> *** CID 331156: Incorrect expression (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> 34 qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
> 35 le32_to_cpu(setup_size), data_addr);
> 36 data_addr += le32_to_cpu(setup_size);
> 37
> 38 qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
> 39 le32_to_cpu(kernel_size), data_addr);
> >>> CID 331156: Incorrect expression (UNUSED_VALUE)
> >>> Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
> 40 data_addr += le32_to_cpu(kernel_size);
> 41
> 42 data_addr = initrd_addr;
> 43 qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
> 44 if (initrd_size == 0) {
> 45 printf("warning: no initrd available\n");
>
> ** CID 331155: Insecure data handling (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 331155: Insecure data handling (TAINTED_SCALAR)
> /fs/cbfs/cbfs.c: 170 in file_cbfs_next_file()
> 164 size -= align;
> 165 start += align;
> 166 continue;
> 167 }
> 168
> 169 swap_file_header(&header, file_header);
> >>> CID 331155: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted variable "header.offset" to a tainted sink.
> 170 ret = fill_node(node, start, &header);
> 171 if (ret) {
> 172 priv->result = CBFS_BAD_FILE;
> 173 return log_msg_ret("fill", ret);
> 174 }
> 175
>
> ** CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
> /drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
>
>
> ________________________________________________________________________________________________________
> *** CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
> /drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
> 467 return -ENOMEM;
> 468 #endif
> 469
> 470 priv->npins = size / (pdata->width / BITS_PER_BYTE);
> 471 if (pdata->bits_per_mux) {
> 472 priv->bits_per_pin = fls(pdata->mask);
> >>> CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
> >>> In expression "pdata->width / priv->bits_per_pin", division by expression "priv->bits_per_pin" which may be zero has undefined behavior.
> 473 priv->npins *= (pdata->width / priv->bits_per_pin);
> 474 }
> 475
> 476 dev_dbg(dev, "%d pins\n", priv->npins);
> 477 return 0;
> 478 }
>
> ** CID 331153: Code maintainability issues (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
>
>
> ________________________________________________________________________________________________________
> *** CID 331153: Code maintainability issues (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
> 655 size = 0;
> 656 ret = efi_get_variable_int(L"BootOrder", &efi_global_variable_guid,
> 657 NULL, &size, NULL, NULL);
> 658 if (ret == EFI_BUFFER_TOO_SMALL) {
> 659 boot_order = malloc(size);
> 660 if (!boot_order) {
> >>> CID 331153: Code maintainability issues (UNUSED_VALUE)
> >>> Assigning value "9223372036854775817UL" to "ret" here, but that stored value is overwritten before it can be used.
> 661 ret = EFI_OUT_OF_RESOURCES;
> 662 goto out;
> 663 }
> 664
> 665 ret = efi_get_variable_int(L"BootOrder",
> 666 &efi_global_variable_guid,
>
> ** CID 331152: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-common.c: 180 in tpm_sendrecv_command()
>
>
> ________________________________________________________________________________________________________
> *** CID 331152: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-common.c: 180 in tpm_sendrecv_command()
> 174 response = response_buffer;
> 175 response_length = sizeof(response_buffer);
> 176 }
> 177
> 178 size = tpm_command_size(command);
> 179 log_debug("TPM request [size:%d]: ", size);
> >>> CID 331152: Insecure data handling (TAINTED_SCALAR)
> >>> Using tainted variable "size" as a loop boundary.
> 180 for (i = 0; i < size; i++)
> 181 log_debug("%02x ", ((u8 *)command)[i]);
> 182 log_debug("\n");
> 183
> 184 err = tpm_xfer(dev, command, size, response, &response_length);
> 185
>
> ** CID 331151: Resource leaks (RESOURCE_LEAK)
> /drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
>
>
> ________________________________________________________________________________________________________
> *** CID 331151: Resource leaks (RESOURCE_LEAK)
> /drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
> 241 if (!func)
> 242 return ERR_PTR(-ENOMEM);
> 243
> 244 func->pins = devm_kmalloc(dev, sizeof(unsigned int) * group_pins,
> 245 GFP_KERNEL);
> 246 if (!func->pins)
> >>> CID 331151: Resource leaks (RESOURCE_LEAK)
> >>> Variable "func" going out of scope leaks the storage it points to.
> 247 return ERR_PTR(-ENOMEM);
Is this really a memory leak? I used devm_kmalloc() to not have to manually free
the allocated memory, but to delegate it to the device.
Thanks and regards,
Dario
> 248
> 249 return func;
> 250 }
> 251
> 252 static int single_pin_compare(const void *s1, const void *s2)
>
> ** CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 415 in dsa_post_bind()
>
>
> ________________________________________________________________________________________________________
> *** CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 415 in dsa_post_bind()
> 409 err = device_bind_driver_to_node(dev, DSA_PORT_CHILD_DRV_NAME,
> 410 name, pnode, &pdev);
> 411 if (pdev) {
> 412 struct dsa_port_pdata *port_pdata;
> 413
> 414 port_pdata = dev_get_parent_plat(pdev);
> >>> CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> >>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
> 415 strncpy(port_pdata->name, name, DSA_PORT_NAME_LENGTH);
> 416 pdev->name = port_pdata->name;
> 417 }
> 418
> 419 /* try to bind all ports but keep 1st error */
> 420 if (err && !first_err)
>
> ** CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
>
>
> ________________________________________________________________________________________________________
> *** CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
> 218
> 219 port_pdata = dev_get_parent_plat(pdev);
> 220 port_pdata->index = index;
> 221
> 222 label = ofnode_read_string(dev_ofnode(pdev), "label");
> 223 if (label)
> >>> CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> >>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
> 224 strncpy(port_pdata->name, label, DSA_PORT_NAME_LENGTH);
> 225
> 226 eth_pdata = dev_get_plat(pdev);
> 227 eth_pdata->priv_pdata = port_pdata;
> 228
> 229 dev_dbg(pdev, "port %d node %s\n", port_pdata->index,
>
> ** CID 331148: Control flow issues (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
>
>
> ________________________________________________________________________________________________________
> *** CID 331148: Control flow issues (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
> 292 return PTR_ERR(func);
> 293
> 294 func->name = fname;
> 295 func->npins = 0;
> 296 for (n = 0; n < count; n++, pins++) {
> 297 offset = fdt32_to_cpu(pins->reg);
> >>> CID 331148: Control flow issues (NO_EFFECT)
> >>> This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
> 298 if (offset < 0 || offset > pdata->offset) {
> 299 dev_err(dev, " invalid register offset 0x%x\n",
> 300 offset);
> 301 continue;
> 302 }
> 303
>
> ** CID 331147: Code maintainability issues (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
>
>
> ________________________________________________________________________________________________________
> *** CID 331147: Code maintainability issues (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
> 450 efi_status_t ret;
> 451
> 452 EFI_ENTRY("%p, %zu, %llu\n", capsule_header_array, capsule_count,
> 453 scatter_gather_list);
> 454
> 455 if (!capsule_count) {
> >>> CID 331147: Code maintainability issues (UNUSED_VALUE)
> >>> Assigning value "9223372036854775810UL" to "ret" here, but that stored value is overwritten before it can be used.
> 456 ret = EFI_INVALID_PARAMETER;
> 457 goto out;
> 458 }
> 459
> 460 ret = EFI_SUCCESS;
> 461 for (i = 0, capsule = *capsule_header_array; i < capsule_count;
>
> ** CID 165109: Insecure data handling (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 165109: Insecure data handling (TAINTED_SCALAR)
> /arch/sandbox/cpu/state.c: 81 in state_read_file()
> 75 os_close(fd);
> 76
> 77 return 0;
> 78 err_read:
> 79 os_close(fd);
> 80 err_open:
> >>> CID 165109: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted variable "state->state_fdt" to a tainted sink.
> 81 os_free(state->state_fdt);
> 82 state->state_fdt = NULL;
> 83
> 84 return ret;
> 85 }
> 86
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DZZ5O_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtGHJmPef5TSDjCzuFmDLHCcVLNpHIs0AqBsXJPs2SOVhTXup007yHbqhSGIK1hyqPpz1vYe-2BN9550EDGrhLxMxHlBpTdungq17k4ECpA3No35lrqehPZZCZ5BAHvEzJczmieHTM7FI63-2BfXLhs4wtMUoPRU5sgDVix9YwcWKeyJg-3D-3D
>
> To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3D7Yww_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtGHJmPef5TSDjCzuFmDLHCW8SwWH4xnbrtsvKIl7wSRW1TJ0hCM5LxXTBnJTFVzTPqGPjtEf73gX6pVG3GrWXNEgT0Oc3HyLVVXgFxESdYpPKxcdJpqRbkjikARwdrSNj3JcSFiRd69dOJds-2BH2aqoLVHmnb03BoAwP5b1o0enAw-3D-3D
>
>
> ----- End forwarded message -----
>
> --
> Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-04-20 0:58 ` Asherah Connor
@ 2021-04-20 1:17 ` Tom Rini
From: Tom Rini @ 2021-04-20 1:17 UTC
To: u-boot
On Tue, Apr 20, 2021 at 12:58:28AM +0000, Asherah Connor wrote:
> Looking at cmd/qfw.c as I touched it last:
>
> On 21/04/19 08:04:p, Tom Rini wrote:
> > ** CID 331156: Incorrect expression (UNUSED_VALUE)
> > /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 331156: Incorrect expression (UNUSED_VALUE)
> > /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> > 34 qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
> > 35 le32_to_cpu(setup_size), data_addr);
> > 36 data_addr += le32_to_cpu(setup_size);
> > 37
> > 38 qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
> > 39 le32_to_cpu(kernel_size), data_addr);
> > >>> CID 331156: Incorrect expression (UNUSED_VALUE)
> > >>> Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
> > 40 data_addr += le32_to_cpu(kernel_size);
> > 41
> > 42 data_addr = initrd_addr;
> > 43 qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
> > 44 if (initrd_size == 0) {
> > 45 printf("warning: no initrd available\n");
>
> This is unchanged since 2016 and I think it is fine to leave as-is. The
> data_addr increment goes together with the qfw_read_entry() to keep
> advancing the data_addr pointer correctly.
>
> It does get immediately thrown away in this case, but if we moved any
> part of this around or changed it we'd want to keep it, so the warning
> is likely best ignored.
Thanks, I'll mark it as intentional in the dashboard.
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-04-19 12:20 Tom Rini
@ 2021-04-20 0:58 ` Asherah Connor
2021-04-20 1:17 ` Tom Rini
2021-04-20 6:13 ` Dario Binacchi
From: Asherah Connor @ 2021-04-20 0:58 UTC
To: u-boot
Looking at cmd/qfw.c as I touched it last:
On 21/04/19 08:04:p, Tom Rini wrote:
> ** CID 331156: Incorrect expression (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
>
>
> ________________________________________________________________________________________________________
> *** CID 331156: Incorrect expression (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> 34 qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
> 35 le32_to_cpu(setup_size), data_addr);
> 36 data_addr += le32_to_cpu(setup_size);
> 37
> 38 qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
> 39 le32_to_cpu(kernel_size), data_addr);
> >>> CID 331156: Incorrect expression (UNUSED_VALUE)
> >>> Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
> 40 data_addr += le32_to_cpu(kernel_size);
> 41
> 42 data_addr = initrd_addr;
> 43 qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
> 44 if (initrd_size == 0) {
> 45 printf("warning: no initrd available\n");
This is unchanged since 2016 and I think it is fine to leave as-is. The
data_addr increment goes together with the qfw_read_entry() to keep
advancing the data_addr pointer correctly.
It does get immediately thrown away in this case, but if we moved any
part of this around or changed it we'd want to keep it, so the warning
is likely best ignored.
Asherah
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-04-19 12:20 Tom Rini
2021-04-20 0:58 ` Asherah Connor
2021-04-20 6:13 ` Dario Binacchi
From: Tom Rini @ 2021-04-19 12:20 UTC
To: u-boot
Hey all,
Here's the latest report.
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 19 Apr 2021 01:18:55 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
13 new defect(s) introduced to Das U-Boot found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)
** CID 331158: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
________________________________________________________________________________________________________
*** CID 331158: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
341 return PTR_ERR(func);
342
343 func->name = fname;
344 func->npins = 0;
345 for (n = 0; n < count; n++, pins++) {
346 offset = fdt32_to_cpu(pins->reg);
>>> CID 331158: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
347 if (offset < 0 || offset > pdata->offset) {
348 dev_dbg(dev, " invalid register offset 0x%x\n",
349 offset);
350 continue;
351 }
352
** CID 331157: Null pointer dereferences (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
________________________________________________________________________________________________________
*** CID 331157: Null pointer dereferences (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
223
224 /* Now read the data */
225 for (upto = 0; upto < ec->matrix_count; upto++) {
226 struct ec_keymatrix_entry *matrix = &ec->matrix[upto];
227 u32 word;
228
>>> CID 331157: Null pointer dereferences (NULL_RETURNS)
>>> Incrementing a pointer which might be null: "cell".
229 word = fdt32_to_cpu(*cell++);
230 matrix->row = word >> 24;
231 matrix->col = (word >> 16) & 0xff;
232 matrix->keycode = word & 0xffff;
233
234 /* Hard-code some sanity limits for now */
** CID 331156: Incorrect expression (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
________________________________________________________________________________________________________
*** CID 331156: Incorrect expression (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
34 qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
35 le32_to_cpu(setup_size), data_addr);
36 data_addr += le32_to_cpu(setup_size);
37
38 qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
39 le32_to_cpu(kernel_size), data_addr);
>>> CID 331156: Incorrect expression (UNUSED_VALUE)
>>> Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
40 data_addr += le32_to_cpu(kernel_size);
41
42 data_addr = initrd_addr;
43 qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
44 if (initrd_size == 0) {
45 printf("warning: no initrd available\n");
** CID 331155: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 331155: Insecure data handling (TAINTED_SCALAR)
/fs/cbfs/cbfs.c: 170 in file_cbfs_next_file()
164 size -= align;
165 start += align;
166 continue;
167 }
168
169 swap_file_header(&header, file_header);
>>> CID 331155: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "header.offset" to a tainted sink.
170 ret = fill_node(node, start, &header);
171 if (ret) {
172 priv->result = CBFS_BAD_FILE;
173 return log_msg_ret("fill", ret);
174 }
175
** CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
________________________________________________________________________________________________________
*** CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
467 return -ENOMEM;
468 #endif
469
470 priv->npins = size / (pdata->width / BITS_PER_BYTE);
471 if (pdata->bits_per_mux) {
472 priv->bits_per_pin = fls(pdata->mask);
>>> CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
>>> In expression "pdata->width / priv->bits_per_pin", division by expression "priv->bits_per_pin" which may be zero has undefined behavior.
473 priv->npins *= (pdata->width / priv->bits_per_pin);
474 }
475
476 dev_dbg(dev, "%d pins\n", priv->npins);
477 return 0;
478 }
** CID 331153: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
________________________________________________________________________________________________________
*** CID 331153: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
655 size = 0;
656 ret = efi_get_variable_int(L"BootOrder", &efi_global_variable_guid,
657 NULL, &size, NULL, NULL);
658 if (ret == EFI_BUFFER_TOO_SMALL) {
659 boot_order = malloc(size);
660 if (!boot_order) {
>>> CID 331153: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "9223372036854775817UL" to "ret" here, but that stored value is overwritten before it can be used.
661 ret = EFI_OUT_OF_RESOURCES;
662 goto out;
663 }
664
665 ret = efi_get_variable_int(L"BootOrder",
666 &efi_global_variable_guid,
** CID 331152: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()
________________________________________________________________________________________________________
*** CID 331152: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()
174 response = response_buffer;
175 response_length = sizeof(response_buffer);
176 }
177
178 size = tpm_command_size(command);
179 log_debug("TPM request [size:%d]: ", size);
>>> CID 331152: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "size" as a loop boundary.
180 for (i = 0; i < size; i++)
181 log_debug("%02x ", ((u8 *)command)[i]);
182 log_debug("\n");
183
184 err = tpm_xfer(dev, command, size, response, &response_length);
185
** CID 331151: Resource leaks (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
________________________________________________________________________________________________________
*** CID 331151: Resource leaks (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
241 if (!func)
242 return ERR_PTR(-ENOMEM);
243
244 func->pins = devm_kmalloc(dev, sizeof(unsigned int) * group_pins,
245 GFP_KERNEL);
246 if (!func->pins)
>>> CID 331151: Resource leaks (RESOURCE_LEAK)
>>> Variable "func" going out of scope leaks the storage it points to.
247 return ERR_PTR(-ENOMEM);
248
249 return func;
250 }
251
252 static int single_pin_compare(const void *s1, const void *s2)
** CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()
________________________________________________________________________________________________________
*** CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()
409 err = device_bind_driver_to_node(dev, DSA_PORT_CHILD_DRV_NAME,
410 name, pnode, &pdev);
411 if (pdev) {
412 struct dsa_port_pdata *port_pdata;
413
414 port_pdata = dev_get_parent_plat(pdev);
>>> CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
415 strncpy(port_pdata->name, name, DSA_PORT_NAME_LENGTH);
416 pdev->name = port_pdata->name;
417 }
418
419 /* try to bind all ports but keep 1st error */
420 if (err && !first_err)
** CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
________________________________________________________________________________________________________
*** CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
218
219 port_pdata = dev_get_parent_plat(pdev);
220 port_pdata->index = index;
221
222 label = ofnode_read_string(dev_ofnode(pdev), "label");
223 if (label)
>>> CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
224 strncpy(port_pdata->name, label, DSA_PORT_NAME_LENGTH);
225
226 eth_pdata = dev_get_plat(pdev);
227 eth_pdata->priv_pdata = port_pdata;
228
229 dev_dbg(pdev, "port %d node %s\n", port_pdata->index,
** CID 331148: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
________________________________________________________________________________________________________
*** CID 331148: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
292 return PTR_ERR(func);
293
294 func->name = fname;
295 func->npins = 0;
296 for (n = 0; n < count; n++, pins++) {
297 offset = fdt32_to_cpu(pins->reg);
>>> CID 331148: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
298 if (offset < 0 || offset > pdata->offset) {
299 dev_err(dev, " invalid register offset 0x%x\n",
300 offset);
301 continue;
302 }
303
** CID 331147: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
________________________________________________________________________________________________________
*** CID 331147: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
450 efi_status_t ret;
451
452 EFI_ENTRY("%p, %zu, %llu\n", capsule_header_array, capsule_count,
453 scatter_gather_list);
454
455 if (!capsule_count) {
>>> CID 331147: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "9223372036854775810UL" to "ret" here, but that stored value is overwritten before it can be used.
456 ret = EFI_INVALID_PARAMETER;
457 goto out;
458 }
459
460 ret = EFI_SUCCESS;
461 for (i = 0, capsule = *capsule_header_array; i < capsule_count;
** CID 165109: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 165109: Insecure data handling (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 81 in state_read_file()
75 os_close(fd);
76
77 return 0;
78 err_read:
79 os_close(fd);
80 err_open:
>>> CID 165109: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "state->state_fdt" to a tainted sink.
81 os_free(state->state_fdt);
82 state->state_fdt = NULL;
83
84 return ret;
85 }
86
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DZZ5O_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtGHJmPef5TSDjCzuFmDLHCcVLNpHIs0AqBsXJPs2SOVhTXup007yHbqhSGIK1hyqPpz1vYe-2BN9550EDGrhLxMxHlBpTdungq17k4ECpA3No35lrqehPZZCZ5BAHvEzJczmieHTM7FI63-2BfXLhs4wtMUoPRU5sgDVix9YwcWKeyJg-3D-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3D7Yww_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtGHJmPef5TSDjCzuFmDLHCW8SwWH4xnbrtsvKIl7wSRW1TJ0hCM5LxXTBnJTFVzTPqGPjtEf73gX6pVG3GrWXNEgT0Oc3HyLVVXgFxESdYpPKxcdJpqRbkjikARwdrSNj3JcSFiRd69dOJds-2BH2aqoLVHmnb03BoAwP5b1o0enAw-3D-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-03-30 19:55 Tom Rini
From: Tom Rini @ 2021-03-30 19:55 UTC
To: u-boot
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 29 Mar 2021 21:36:46 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 330038: Control flow issues (MISSING_BREAK)
/lib/efi_loader/efi_device_path_to_text.c: 127 in dp_msging()
________________________________________________________________________________________________________
*** CID 330038: Control flow issues (MISSING_BREAK)
/lib/efi_loader/efi_device_path_to_text.c: 127 in dp_msging()
121 case DEVICE_PATH_SUB_TYPE_MSG_UART: {
122 struct efi_device_path_uart *uart =
123 (struct efi_device_path_uart *)dp;
124 s += sprintf(s, "Uart(%lld,%d,%d,", uart->baud_rate,
125 uart->data_bits, uart->parity);
126 switch (uart->stop_bits) {
>>> CID 330038: Control flow issues (MISSING_BREAK)
>>> The case for value "2" is not terminated by a 'break' statement.
127 case 2:
128 s += sprintf(s, "1.5)");
129 default:
130 s += sprintf(s, "%d)", uart->stop_bits);
131 }
132 break;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DBhZW_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTstSMqVOjJgwDA20NyxjmPGeKo9BglNKh9aEhn9S8EB1oCw6cR4uIPbuszyHz3vraSMSXe5JfK8FzRi1eazsAKo10eUW6iMsCeu-2FUfPj2BWVYXPUk8POuuLy23Jkmzp64xVn1GfLKqtzR0AdMzluPThzU0tpZGM11-2B9pQvuosXc7gSzvtgM1NT-2FdGDJX575oz4-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DvbKW_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTstSMqVOjJgwDA20NyxjmPGHD541Chc5mPE3RVfCK-2BOF5NSWkQHAaXl-2FQPZFBpnL-2BC99OMxA9pkoKssB9kmXqsYsiUWfD-2B6QWUT1SZULr1-2BVSBlgeLgQdCZa9HOKrIznM7VheS4VXmqbsCHGAHtTUcscLchhANSZR0F-2FdSyUmPuL8TDwRnIHCQXi5p-2BC4h6kDU-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-03-02 14:42 Tom Rini
From: Tom Rini @ 2021-03-02 14:42 UTC
To: u-boot
Here are the new issues from the last time I ran Coverity.
----- Forwarded message from scan-admin at coverity.com -----
Date: Tue, 02 Mar 2021 13:31:05 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 325866: Error handling issues (CHECKED_RETURN)
/drivers/core/ofnode.c: 77 in ofnode_read_s32_default()
________________________________________________________________________________________________________
*** CID 325866: Error handling issues (CHECKED_RETURN)
/drivers/core/ofnode.c: 77 in ofnode_read_s32_default()
71 return def;
72 }
73
74 int ofnode_read_s32_default(ofnode node, const char *propname, s32 def)
75 {
76 assert(ofnode_valid(node));
>>> CID 325866: Error handling issues (CHECKED_RETURN)
>>> Calling "ofnode_read_u32" without checking return value (as is done elsewhere 14 out of 17 times).
77 ofnode_read_u32(node, propname, (u32 *)&def);
78
79 return def;
80 }
81
82 int ofnode_read_u64(ofnode node, const char *propname, u64 *outp)
** CID 325865: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/drivers/fastboot/fb_mmc.c: 64 in raw_part_get_info_by_name()
________________________________________________________________________________________________________
*** CID 325865: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/drivers/fastboot/fb_mmc.c: 64 in raw_part_get_info_by_name()
58 }
59 }
60
61 info->start = simple_strtoul(argv[0], NULL, 0);
62 info->size = simple_strtoul(argv[1], NULL, 0);
63 info->blksz = dev_desc->blksz;
>>> CID 325865: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling "strncpy" with a maximum size argument of 32 bytes on destination array "info->name" of size 32 bytes might leave the destination string unterminated.
64 strncpy((char *)info->name, name, PART_NAME_LEN);
65
66 if (raw_part_desc) {
67 if (strcmp(strsep(&raw_part_desc, " "), "mmcpart") == 0) {
68 ulong mmcpart = simple_strtoul(raw_part_desc, NULL, 0);
69 int ret = blk_dselect_hwpart(dev_desc, mmcpart);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DFzp4_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv98pi1c8uIeqB-2F-2BFPUzcYfoG-2Bd8nhM2Fv5oFkq75-2BxXz7QGOLwRlCO953bEVYICeg2vVIyq8wQ3LaizUFiBfjBG-2BWhQ090GAOOTZ3lBXzN-2FWpp4MyKZ4n2ZP-2B3vGoAx2pKXpTw1dEZn1a7OJG4qmBCwvuSQI-2FiEHFLEFNwQEkCS2bixUdLckzdntWX0AN5f6o-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DH-YO_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv98pi1c8uIeqB-2F-2BFPUzcYfVUSll4t2sRO5wsZnPOmmof4GOvk2w6ODLcJ3IaX17q78kitYrmOJJ8VFbT-2BNDNk8I23CTJCXl3U7RBskWtLaNdcHyH-2BGFsz88rbIyrFvYuNFT0POy5JGKBhENFhh-2FUKYhbX1ZRSCbtzlhx6TQJc5rC2UTl5lvExmP-2FpY5LE5VNA-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-02-23 16:15 Tom Rini
From: Tom Rini @ 2021-02-23 16:15 UTC
To: u-boot
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 22 Feb 2021 16:03:35 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 320541: (UNREACHABLE)
/common/fdt_support.c: 1403 in fdt_get_dma_range()
/common/fdt_support.c: 1394 in fdt_get_dma_range()
________________________________________________________________________________________________________
*** CID 320541: (UNREACHABLE)
/common/fdt_support.c: 1403 in fdt_get_dma_range()
1397 bus_node = of_match_bus(blob, parent);
1398 bus_node->count_cells(blob, parent, &pna, &pns);
1399 if (!OF_CHECK_COUNTS(pna, pns)) {
1400 printf("%s: Bad cell count for %s\n", __FUNCTION__,
1401 fdt_get_name(blob, parent, NULL));
1402 return -EINVAL;
>>> CID 320541: (UNREACHABLE)
>>> This code cannot be reached: "goto out;".
1403 goto out;
1404 }
1405
1406 *bus = fdt_read_number(ranges, na);
1407 *cpu = fdt_translate_dma_address(blob, node, ranges + na);
1408 *size = fdt_read_number(ranges + na + pna, ns);
/common/fdt_support.c: 1394 in fdt_get_dma_range()
1388 bus_node = of_match_bus(blob, node);
1389 bus_node->count_cells(blob, node, &na, &ns);
1390 if (!OF_CHECK_COUNTS(na, ns)) {
1391 printf("%s: Bad cell count for %s\n", __FUNCTION__,
1392 fdt_get_name(blob, node, NULL));
1393 return -EINVAL;
>>> CID 320541: (UNREACHABLE)
>>> This code cannot be reached: "goto out;".
1394 goto out;
1395 }
1396
1397 bus_node = of_match_bus(blob, parent);
1398 bus_node->count_cells(blob, parent, &pna, &pns);
1399 if (!OF_CHECK_COUNTS(pna, pns)) {
** CID 320540: Null pointer dereferences (REVERSE_INULL)
/lib/efi_loader/efi_device_path_to_text.c: 372 in efi_convert_device_path_to_text()
________________________________________________________________________________________________________
*** CID 320540: Null pointer dereferences (REVERSE_INULL)
/lib/efi_loader/efi_device_path_to_text.c: 372 in efi_convert_device_path_to_text()
366 char *str = buffer;
367
368 EFI_ENTRY("%p, %d, %d", device_path, display_only, allow_shortcuts);
369
370 if (!device_path)
371 goto out;
>>> CID 320540: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "device_path" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
372 while (device_path && str + MAX_NODE_LEN < buffer + MAX_PATH_LEN) {
373 if (device_path->type == DEVICE_PATH_TYPE_END) {
374 if (device_path->sub_type !=
375 DEVICE_PATH_SUB_TYPE_INSTANCE_END)
376 break;
377 *str++ = ',';
** CID 320539: (UNREACHABLE)
/drivers/core/of_addr.c: 376 in of_get_dma_range()
/drivers/core/of_addr.c: 384 in of_get_dma_range()
________________________________________________________________________________________________________
*** CID 320539: (UNREACHABLE)
/drivers/core/of_addr.c: 376 in of_get_dma_range()
370 /* Get the address sizes both for the bus and its parent */
371 bus_node = of_match_bus((struct device_node*)dev);
372 bus_node->count_cells(dev, &na, &ns);
373 if (!OF_CHECK_COUNTS(na, ns)) {
374 printf("Bad cell count for %s\n", of_node_full_name(dev));
375 return -EINVAL;
>>> CID 320539: (UNREACHABLE)
>>> This code cannot be reached: "goto out_parent;".
376 goto out_parent;
377 }
378
379 bus_node = of_match_bus(parent);
380 bus_node->count_cells(parent, &pna, &pns);
381 if (!OF_CHECK_COUNTS(pna, pns)) {
/drivers/core/of_addr.c: 384 in of_get_dma_range()
378
379 bus_node = of_match_bus(parent);
380 bus_node->count_cells(parent, &pna, &pns);
381 if (!OF_CHECK_COUNTS(pna, pns)) {
382 printf("Bad cell count for %s\n", of_node_full_name(parent));
383 return -EINVAL;
>>> CID 320539: (UNREACHABLE)
>>> This code cannot be reached: "goto out_parent;".
384 goto out_parent;
385 }
386
387 *bus = of_read_number(ranges, na);
388 *cpu = of_translate_dma_address(dev, ranges + na);
389 *size = of_read_number(ranges + na + pna, ns);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DkhgB_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuFndYt0428JASMRkmHZLSITBJ0Vi-2FD6f05nIVUSmnVv8EiELa3JyWOENpLUHtuZOod1gP-2Bguh9C-2F8bIopNkrVgNm-2FXOHQf-2FNn4-2BfWygEtp3JHQjNO8fjvcw4h6bT-2FYfq3wAl1yg3N7cqeEXOfLrUD-2BPXwNzuNZHbsXHu9-2F1uV5Rz16-2Fnox4-2B6vKs-2F6a5r39Gc-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Dv5l0_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuFndYt0428JASMRkmHZLSIiYWEii5TpKwkyhfq4t-2F2ietx17-2F0IqZk8o7XGEEyQFKDgmzmDngfP9-2Bitq0jamteMGX-2B4Qmi6nbdRIW9Hkd6ixfEQD0P5FK8F-2BtWnJTkUb388b59jLc1GgEnlcEKwE15dqxmOSOg0VHdWyeOw9fLK4gMsJhgG-2FM-2B9uxrzZaJtE8-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-02-01 19:51 Tom Rini
From: Tom Rini @ 2021-02-01 19:51 UTC
To: u-boot
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 01 Feb 2021 16:18:03 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 317953: (OVERRUN)
/drivers/misc/cros_ec_sandbox.c: 536 in process_cmd()
/drivers/misc/cros_ec_sandbox.c: 548 in process_cmd()
________________________________________________________________________________________________________
*** CID 317953: (OVERRUN)
/drivers/misc/cros_ec_sandbox.c: 536 in process_cmd()
530 const struct ec_params_vstore_write *req = req_data;
531 struct vstore_slot *slot;
532
533 if (req->slot >= EC_VSTORE_SLOT_MAX)
534 return -EINVAL;
535 slot = &ec->slot[req->slot];
>>> CID 317953: (OVERRUN)
>>> Overrunning array of 260 bytes at byte offset 2015 by dereferencing pointer "slot".
536 slot->locked = true;
537 memcpy(slot->data, req->data, EC_VSTORE_SLOT_SIZE);
538 len = 0;
539 break;
540 }
541 case EC_CMD_VSTORE_READ: {
/drivers/misc/cros_ec_sandbox.c: 548 in process_cmd()
542 const struct ec_params_vstore_read *req = req_data;
543 struct ec_response_vstore_read *resp = resp_data;
544 struct vstore_slot *slot;
545
546 if (req->slot >= EC_VSTORE_SLOT_MAX)
547 return -EINVAL;
>>> CID 317953: (OVERRUN)
>>> "&ec->slot[req->slot]" evaluates to an address that is at byte offset 2015 of an array of 260 bytes.
548 slot = &ec->slot[req->slot];
549 memcpy(resp->data, slot->data, EC_VSTORE_SLOT_SIZE);
550 len = sizeof(*resp);
551 break;
552 }
553 default:
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-21 2:09 ` AKASHI Takahiro
@ 2021-01-26 17:02 ` Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-01-26 17:02 UTC (permalink / raw)
To: u-boot
On Thu, Jan 21, 2021 at 11:09:16AM +0900, AKASHI Takahiro wrote:
> Tom,
>
> Regarding EFI capsule update,
[snip]
> > > ** CID 316360: Uninitialized variables (UNINIT)
> > > /tools/mkeficapsule.c: 298 in create_fwbin()
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 316360: Uninitialized variables (UNINIT)
> > > /tools/mkeficapsule.c: 298 in create_fwbin()
> > > 292 goto err_3;
> > > 293 }
> > > 294
> > > 295 capsule.version = 0x00000001;
> > > 296 capsule.embedded_driver_count = 0;
> > > 297 capsule.payload_item_count = 1;
> > > > > > CID 316360: Uninitialized variables (UNINIT)
> > > > > > Using uninitialized value "capsule". Field "capsule.item_offset_list" is uninitialized when calling "fwrite".
> > > 298 size = fwrite(&capsule, 1, sizeof(capsule), f);
>
> This code is safe because capsule.item_offset_list is actually
> defined as "item_offset_list[]" (null array) at the end of the structure
> and the data will be filled in by the succeeding fwrite()'s.
>
> What action should be taken to suppress this warning?
>
> > > 299 if (size < (sizeof(capsule))) {
> > > 300 printf("write failed (%lx)\n", size);
> > > 301 goto err_3;
> > > 302 }
> > > 303 offset = sizeof(capsule) + sizeof(u64);
> > >
> > > ** CID 316359: Null pointer dereferences (FORWARD_NULL)
> > >
> > >
> > > ________________________________________________________________________________________________________
> > > *** CID 316359: Null pointer dereferences (FORWARD_NULL)
> > > /lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
> > > 374 ret = EFI_UNSUPPORTED;
> > > 375 goto out;
> > > 376 }
> > > 377
> > > 378 /* find a device for update firmware */
> > > 379 /* TODO: should we pass index as well, or nothing but type? */
> > > > > > CID 316359: Null pointer dereferences (FORWARD_NULL)
> > > > > > Passing null pointer "handles" to "efi_fmp_find", which dereferences it.
> > > 380 fmp = efi_fmp_find(&image->update_image_type_id,
> > > 381 image->update_hardware_instance,
> > > 382 handles, no_handles);
>
> This code is safe because "handles" is actually an array of pointers
> and "no_handles" indicates the number of elements in this array.
> efi_fmp_find() will not dereference handles at all if no_handles is zero.
>
> What action should be taken to suppress this warning?
I've updated Coverity to list both of these as intentional / ignore,
thanks.
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-01-26 16:41 Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-01-26 16:41 UTC (permalink / raw)
To: u-boot
One new issue since the last time I ran this, and I think after reading
the code myself, argc counting / sanity checking should be handled a
little more clearly as well. I'm going to take a quick attempt at
updating this.
----- Forwarded message from scan-admin at coverity.com -----
Date: Tue, 26 Jan 2021 14:49:09 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
11 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 316601: Control flow issues (DEADCODE)
/cmd/pwm.c: 76 in do_pwm()
________________________________________________________________________________________________________
*** CID 316601: Control flow issues (DEADCODE)
/cmd/pwm.c: 76 in do_pwm()
70 if (argc > 0) {
71 str_channel = *argv;
72 channel = simple_strtoul(str_channel, NULL, 10);
73 argc--;
74 argv++;
75 } else {
>>> CID 316601: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return CMD_RET_USAGE;".
76 return CMD_RET_USAGE;
77 }
78
79 if (sub_cmd == PWM_SET_INVERT && argc > 0) {
80 str_enable = *argv;
81 pwm_enable = simple_strtoul(str_enable, NULL, 10);
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-22 8:54 ` Sughosh Ganu
@ 2021-01-22 11:37 ` Heinrich Schuchardt
0 siblings, 0 replies; 46+ messages in thread
From: Heinrich Schuchardt @ 2021-01-22 11:37 UTC (permalink / raw)
To: u-boot
On 22 January 2021 09:54:20 CET, Sughosh Ganu <sughosh.ganu@linaro.org> wrote:
>On Thu, 21 Jan 2021 at 19:14, Heinrich Schuchardt <xypron.glpk@gmx.de>
>wrote:
>
>> On 21.01.21 12:36, Sughosh Ganu wrote:
>> >
>> >
>> > On Thu, 21 Jan 2021 at 00:34, Tom Rini <trini@konsulko.com
>> > <mailto:trini@konsulko.com>> wrote:
>> >
>> > I decided to run Coverity part-way through the merge window this time
>> > and here's what's been found so far.
>> >
>> > ----- Forwarded message from scan-admin at coverity.com
>> > <mailto:scan-admin@coverity.com> -----
>> >
>> > Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
>> > From: scan-admin at coverity.com <mailto:scan-admin@coverity.com>
>> > To: tom.rini at gmail.com <mailto:tom.rini@gmail.com>
>> > Subject: New Defects reported by Coverity Scan for Das U-Boot
>> >
>> > Hi,
>> >
>> > Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> >
>> > 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> > 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>> >
>> > New defect(s) Reported-by: Coverity Scan
>> > Showing 20 of 23 defect(s)
>> >
>> > ** CID 316356: Resource leaks (RESOURCE_LEAK)
>> > /tools/mkeficapsule.c: 225 in add_public_key()
>> >
>> >
>> > <snip>
>> >
>> >
>> >
>> >
>> > ________________________________________________________________________________________________________
>> > *** CID 316356: Resource leaks (RESOURCE_LEAK)
>> > /tools/mkeficapsule.c: 225 in add_public_key()
>> > 219 if (ret < 0) {
>> > 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
>> > 221 __func__);
>> > 222 goto err;
>> > 223 }
>> > 224
>> > >>> CID 316356: Resource leaks (RESOURCE_LEAK)
>> > >>> Handle variable "srcfd" going out of scope leaks the handle.
>> > 225 return 0;
>> > 226
>> > 227 err:
>> > 228 if (sptr)
>> > 229 munmap(sptr, src_size);
>> > 230
>> >
>> >
>> > I think these should not cause any issues, since the function return
>> > results in the process termination in both the scenarios of success and
>> > failure. But I will post a patch to handle these errors to keep the
>> > resource handling consistent.
>>
>> Looking at line 234f:
>>
>> if (srcfd >= 0)
>> close(srcfd);
>>
>> The comparison is wrong. It should be:
>>
>> if (srcfd != -1)
>> close(srcfd);
>>
>> The open.2 man-page says that only -1 signals an error. According to the
>> man-page -2 is a legal value for a file descriptor.
>>
>
>Can you point me to which man page you are referring to? The open manpage
>on my ubuntu system has the following,
>
>"The return value of open() is a file descriptor, a small, nonnegative
>integer that is used in subsequent system calls"
>
>I could not find any mention of -2 being a valid file descriptor.
>
>-sughosh
You are right
https://pubs.opengroup.org/onlinepubs/9699919799/
says the return value must be positive or -1 (in case of an error).
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-21 13:44 ` Heinrich Schuchardt
@ 2021-01-22 8:54 ` Sughosh Ganu
2021-01-22 11:37 ` Heinrich Schuchardt
0 siblings, 1 reply; 46+ messages in thread
From: Sughosh Ganu @ 2021-01-22 8:54 UTC (permalink / raw)
To: u-boot
On Thu, 21 Jan 2021 at 19:14, Heinrich Schuchardt <xypron.glpk@gmx.de>
wrote:
> On 21.01.21 12:36, Sughosh Ganu wrote:
> >
> >
> > On Thu, 21 Jan 2021 at 00:34, Tom Rini <trini@konsulko.com
> > <mailto:trini@konsulko.com>> wrote:
> >
> > I decided to run Coverity part-way through the merge window this time
> > and here's what's been found so far.
> >
> > ----- Forwarded message from scan-admin at coverity.com
> > <mailto:scan-admin@coverity.com> -----
> >
> > Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> > From: scan-admin at coverity.com <mailto:scan-admin@coverity.com>
> > To: tom.rini at gmail.com <mailto:tom.rini@gmail.com>
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das
> > U-Boot found with Coverity Scan.
> >
> > 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > the recent build analyzed by Coverity Scan.
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 20 of 23 defect(s)
> >
> > ** CID 316356: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> >
> >
> > <snip>
> >
> >
> >
> >
> ________________________________________________________________________________________________________
> > *** CID 316356: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> > 219 if (ret < 0) {
> > 220 fprintf(stderr, "%s: Unable to add public
> > key to the FDT\n",
> > 221 __func__);
> > 222 goto err;
> > 223 }
> > 224
> > >>> CID 316356: Resource leaks (RESOURCE_LEAK)
> > >>> Handle variable "srcfd" going out of scope leaks the handle.
> > 225 return 0;
> > 226
> > 227 err:
> > 228 if (sptr)
> > 229 munmap(sptr, src_size);
> > 230
> >
> >
> > I think these should not cause any issues, since the function return
> > results in the process termination in both the scenarios of success and
> > failure. But i will post a patch to handle these errors to keep the
> > resource handling consistent.
>
> Looking at line 234f:
>
> if (srcfd >= 0)
> close(srcfd);
>
> The comparison is wrong. It should be:
>
> if (srcfd != -1)
> close(srcfd);
>
> The open.2 man-page says that only -1 signals an error. According to the
> man-page -2 is a legal value for a file descriptor.
>
Can you point me to which man page you are referring to? The open manpage
on my ubuntu system has the following,
"The return value of open() is a file descriptor, a small, nonnegative
integer that is used in subsequent system calls"
I could not find any mention of -2 being a valid file descriptor.
-sughosh
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-21 11:36 ` Sughosh Ganu
@ 2021-01-21 13:44 ` Heinrich Schuchardt
2021-01-22 8:54 ` Sughosh Ganu
0 siblings, 1 reply; 46+ messages in thread
From: Heinrich Schuchardt @ 2021-01-21 13:44 UTC (permalink / raw)
To: u-boot
On 21.01.21 12:36, Sughosh Ganu wrote:
>
>
> On Thu, 21 Jan 2021 at 00:34, Tom Rini <trini@konsulko.com
> <mailto:trini@konsulko.com>> wrote:
>
> I decided to run Coverity part-way through the merge window this time
> and here's what's been found so far.
>
> ----- Forwarded message from scan-admin at coverity.com
> <mailto:scan-admin@coverity.com> -----
>
> Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> From: scan-admin at coverity.com <mailto:scan-admin@coverity.com>
> To: tom.rini at gmail.com <mailto:tom.rini@gmail.com>
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
> ** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
> <snip>
>
>
>
> ________________________________________________________________________________________________________
> *** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
> >>> CID 316356: Resource leaks (RESOURCE_LEAK)
> >>> Handle variable "srcfd" going out of scope leaks the handle.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
>
> I think these should not cause any issues, since the function return
> results in the process termination in both the scenarios of success and
> failure. But i will post a patch to handle these errors to keep the
> resource handling consistent.
Looking at line 234f:
        if (srcfd >= 0)
                close(srcfd);
The comparison is wrong. It should be:
        if (srcfd != -1)
                close(srcfd);
The open.2 man-page says that only -1 signals an error. According to the
man-page -2 is a legal value for a file descriptor.
The initialization of destfd is wrong:
141:
int destfd = 0;
In case of an error opening srcfd this leads to closing file descriptor
0 which relates to the console input. You should use:
int destfd = -1;
and
        if (destfd != -1)
                close(destfd);
Best regards
Heinrich
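The unwind pattern Heinrich describes above (every descriptor initialised to -1, the mapping to MAP_FAILED, and the err: label releasing only what was actually acquired), as an added example modelled on the add_public_key() error path; this is not mkeficapsule.c or any U-Boot code, and copy_mapped(), fd_is_open() and the file paths are constructed for illustration:

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical copy routine (not U-Boot code): open a source file, map it,
 * open a destination, write the mapping out, and unwind on any failure.
 *
 * Each resource starts in its "not acquired" state: -1 for descriptors,
 * MAP_FAILED for the mapping. The cleanup then tests for exactly that
 * value. Had destfd been initialised to 0, an early failure (e.g. open(src)
 * returning -1) would reach the cleanup with destfd == 0 and close(0),
 * the process's stdin, as the thread points out.
 */
static int copy_mapped(const char *src, const char *dst)
{
	int srcfd = -1, destfd = -1;
	void *sptr = MAP_FAILED;
	size_t src_size = 0;
	struct stat st;
	int ret = -1;

	srcfd = open(src, O_RDONLY);
	if (srcfd == -1)	/* open(2) reports failure as -1, and only -1 */
		goto err;
	if (fstat(srcfd, &st) == -1 || st.st_size <= 0)
		goto err;
	src_size = (size_t)st.st_size;

	sptr = mmap(NULL, src_size, PROT_READ, MAP_PRIVATE, srcfd, 0);
	if (sptr == MAP_FAILED)
		goto err;

	destfd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
	if (destfd == -1)
		goto err;

	if (write(destfd, sptr, src_size) != (ssize_t)src_size)
		goto err;
	ret = 0;

err:
	/* Release only what was acquired; descriptor 0 is never touched. */
	if (sptr != MAP_FAILED)
		munmap(sptr, src_size);
	if (destfd != -1)
		close(destfd);
	if (srcfd != -1)
		close(srcfd);
	return ret;
}

/* Returns 1 if descriptor fd is currently open, 0 if it is closed. */
static int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

int main(void)
{
	/* Constructed demo: copying a missing file fails cleanly and stdin
	 * is in the same state after the unwind as before it. */
	int before = fd_is_open(STDIN_FILENO);
	int ret = copy_mapped("/nonexistent/constructed/path",
			      "/tmp/copy_mapped_demo.out");

	printf("copy returned %d; stdin open before=%d after=%d\n",
	       ret, before, fd_is_open(STDIN_FILENO));
	return 0;
}
```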
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-20 19:04 Tom Rini
2021-01-20 20:43 ` Heinrich Schuchardt
2021-01-20 21:03 ` Andre Przywara
@ 2021-01-21 11:36 ` Sughosh Ganu
2021-01-21 13:44 ` Heinrich Schuchardt
2 siblings, 1 reply; 46+ messages in thread
From: Sughosh Ganu @ 2021-01-21 11:36 UTC (permalink / raw)
To: u-boot
On Thu, 21 Jan 2021 at 00:34, Tom Rini <trini@konsulko.com> wrote:
> I decided to run Coverity part-way through the merge window this time
> and here's what's been found so far.
>
> ----- Forwarded message from scan-admin at coverity.com -----
>
> Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> From: scan-admin at coverity.com
> To: tom.rini at gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
> ** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
<snip>
>
>
> ________________________________________________________________________________________________________
> *** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to
> the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
> >>> CID 316356: Resource leaks (RESOURCE_LEAK)
> >>> Handle variable "srcfd" going out of scope leaks the handle.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
I think these should not cause any issues, since the function return
results in the process termination in both the scenarios of success and
failure. But I will post a patch to handle these errors to keep the
resource handling consistent.
-sughosh
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-20 20:43 ` Heinrich Schuchardt
2021-01-20 22:33 ` Heinrich Schuchardt
@ 2021-01-21 2:09 ` AKASHI Takahiro
2021-01-26 17:02 ` Tom Rini
1 sibling, 1 reply; 46+ messages in thread
From: AKASHI Takahiro @ 2021-01-21 2:09 UTC (permalink / raw)
To: u-boot
Tom,
Regarding EFI capsule update,
On Wed, Jan 20, 2021 at 09:43:57PM +0100, Heinrich Schuchardt wrote:
> On 1/20/21 8:04 PM, Tom Rini wrote:
>
> CC: Takahiro
>
> > I decided to run Coverity part-way through the merge window this time
> > and here's what's been found so far.
> >
> > ----- Forwarded message from scan-admin at coverity.com -----
> >
> > Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> > From: scan-admin at coverity.com
> > To: tom.rini at gmail.com
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> > 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 20 of 23 defect(s)
> >
> >
> > ** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> > /tools/sunxi_egon.c: 96 in egon_set_header()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> > /tools/sunxi_egon.c: 96 in egon_set_header()
> > 90
> > 91 /* If an image name has been provided, use it as the DT name. */
> > 92 if (params->imagename && params->imagename[0]) {
> > 93 if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
> > 94 printf("WARNING: DT name too long for SPL header!\n");
> > 95 else {
> > > > > CID 316365: Memory - corruptions (STRING_OVERFLOW)
> > > > > You might overrun the 13-character destination string "header->string_pool" by writing 51 characters from "params->imagename".
> > 96 strcpy((char *)header->string_pool, params->imagename);
> > 97 value = offsetof(struct boot_file_head, string_pool);
> > 98 header->dt_name_offset = cpu_to_le32(value);
> > 99 header->spl_signature[3] = SPL_DT_HEADER_VERSION;
> > 100 }
> > 101 }
> >
> > ** CID 316364: Null pointer dereferences (FORWARD_NULL)
> > /cmd/efidebug.c: 202 in do_efi_capsule_res()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316364: Null pointer dereferences (FORWARD_NULL)
> > /cmd/efidebug.c: 202 in do_efi_capsule_res()
> > 196 printf("Failed to get %ls\n", var_name16);
> > 197
> > 198 return CMD_RET_FAILURE;
> > 199 }
> > 200 }
> > 201
> > > > > CID 316364: Null pointer dereferences (FORWARD_NULL)
> > > > > Dereferencing null pointer "result".
> > 202 printf("Result total size: 0x%x\n", result->variable_total_size);
This is basically safe because a buffer for "result" is allocated by malloc().
(The second "get_variable" fails any way if the allocation has failed.)
But there may be a chance (unlikely though) that the first "get_variable"
will return neither EFI_SUCCESS or EFI_BUFFER_TOO_SMALL.
I will modify the code a bit to address that.
> > 203 printf("Capsule guid: %pUl\n", &result->capsule_guid);
> > 204 printf("Time processed: %04d-%02d-%02d %02d:%02d:%02d\n",
> > 205 result->capsule_processed.year, result->capsule_processed.month,
> > 206 result->capsule_processed.day, result->capsule_processed.hour,
> > 207 result->capsule_processed.minute,
> >
> > ** CID 316363: Null pointer dereferences (REVERSE_INULL)
> > /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316363: Null pointer dereferences (REVERSE_INULL)
> > /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
> > 1987 ret = EFI_CALL(load_file_protocol->load_file(
> > 1988 load_file_protocol, dp, boot_policy,
> > 1989 &buffer_size, (void *)(uintptr_t)addr));
> > 1990 if (ret != EFI_SUCCESS)
> > 1991 efi_free_pages(addr, pages);
> > 1992 out:
> > > > > CID 316363: Null pointer dereferences (REVERSE_INULL)
> > > > > Null-checking "load_file_protocol" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> > 1993 if (load_file_protocol)
> > 1994 EFI_CALL(efi_close_protocol(device,
> > 1995 &efi_guid_load_file2_protocol,
> > 1996 efi_root, NULL));
> > 1997 if (ret == EFI_SUCCESS) {
> > 1998 *buffer = (void *)(uintptr_t)addr;
> >
> > ** CID 316362: Error handling issues (CHECKED_RETURN)
> > /fs/fat/fat_write.c: 422 in fill_dir_slot()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316362: Error handling issues (CHECKED_RETURN)
> > /fs/fat/fat_write.c: 422 in fill_dir_slot()
> > 416 while (counter >= 1) {
> > 417 memcpy(itr->dent, slotptr, sizeof(dir_slot));
> > 418 slotptr--;
> > 419 counter--;
> > 420
> > 421 if (itr->remaining == 0)
> > > > > CID 316362: Error handling issues (CHECKED_RETURN)
> > > > > Calling "flush_dir" without checking return value (as is done elsewhere 5 out of 6 times).
> > 422 flush_dir(itr);
> > 423
> > 424 next_dent(itr);
> > 425 if (!itr->dent)
> > 426 return -EIO;
> > 427 }
> >
> > ** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
> > /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
> > /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
> > 761
> > 762 ret = EFI_CALL((*dirh->setpos)(dirh, 0));
> > 763 if (ret != EFI_SUCCESS)
> > 764 goto err;
> > 765
> > 766 /* make a list */
> > > > > CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
> > > > > Passing argument "count * 8UL /* sizeof (*files) */" to function "dlmalloc" and then casting the return value to "u16 **" is suspicious. In this particular case "sizeof (u16 **)" happens to be equal to "sizeof (u16 *)", but this is not a portable assumption.
> > 767 tmp_files = malloc(count * sizeof(*files));
I will fix this by modifying the code to:
tmp_files = malloc(count * sizeof(tmp_files[0]));
> > 768 if (!tmp_files) {
> > 769 ret = EFI_OUT_OF_RESOURCES;
> > 770 goto err;
> > 771 }
> > 772
> >
> > ** CID 316360: Uninitialized variables (UNINIT)
> > /tools/mkeficapsule.c: 298 in create_fwbin()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316360: Uninitialized variables (UNINIT)
> > /tools/mkeficapsule.c: 298 in create_fwbin()
> > 292 goto err_3;
> > 293 }
> > 294
> > 295 capsule.version = 0x00000001;
> > 296 capsule.embedded_driver_count = 0;
> > 297 capsule.payload_item_count = 1;
> > > > > CID 316360: Uninitialized variables (UNINIT)
> > > > > Using uninitialized value "capsule". Field "capsule.item_offset_list" is uninitialized when calling "fwrite".
> > 298 size = fwrite(&capsule, 1, sizeof(capsule), f);
This code is safe because capsule.item_offset_list is actually
defined as "item_offset_list[]" (null array) at the end of the structure
and the data will be filled in by the succeeding fwrite()'s.
What action should be taken to suppress this warning?
> > 299 if (size < (sizeof(capsule))) {
> > 300 printf("write failed (%lx)\n", size);
> > 301 goto err_3;
> > 302 }
> > 303 offset = sizeof(capsule) + sizeof(u64);
> >
> > ** CID 316359: Null pointer dereferences (FORWARD_NULL)
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316359: Null pointer dereferences (FORWARD_NULL)
> > /lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
> > 374 ret = EFI_UNSUPPORTED;
> > 375 goto out;
> > 376 }
> > 377
> > 378 /* find a device for update firmware */
> > 379 /* TODO: should we pass index as well, or nothing but type? */
> > > > > CID 316359: Null pointer dereferences (FORWARD_NULL)
> > > > > Passing null pointer "handles" to "efi_fmp_find", which dereferences it.
> > 380 fmp = efi_fmp_find(&image->update_image_type_id,
> > 381 image->update_hardware_instance,
> > 382 handles, no_handles);
This code is safe because "handles" is actually an array of pointers
and "no_handles" indicates the number of elements in this array.
efi_fmp_find() will not dereference handles at all if no_handles is zero.
What action should be taken to suppress this warning?
> > 383 if (!fmp) {
> > 384 log_err("EFI Capsule: driver not found for firmware type: %pUl, hardware instance: %lld\n",
> > 385 &image->update_image_type_id,
> >
> > ** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> > /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> > /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
> > 157 int ret;
> > 158
> > 159 pdata->iobase = dev_read_addr(dev);
> > 160
> > 161 ifname = dev_read_string(dev, "host-raw-interface");
> > 162 if (ifname) {
> > > > > CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> > > > > Calling "strncpy" with a maximum size argument of 16 bytes on destination array "priv->host_ifname" of size 16 bytes might leave the destination string unterminated.
> > 163 strncpy(priv->host_ifname, ifname, IFNAMSIZ);
> > 164 printf(": Using %s from DT\n", priv->host_ifname);
> > 165 }
> > 166 if (dev_read_u32(dev, "host-raw-interface-idx",
> > 167 &priv->host_ifindex) < 0) {
> > 168 priv->host_ifindex = 0;
> >
> > ** CID 316357: Memory - corruptions (BUFFER_SIZE)
> > /fs/fat/fat_write.c: 1154 in fill_dentry()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316357: Memory - corruptions (BUFFER_SIZE)
> > /fs/fat/fat_write.c: 1154 in fill_dentry()
> > 1148
> > 1149 set_start_cluster(mydata, dentptr, start_cluster);
> > 1150 dentptr->size = cpu_to_le32(size);
> > 1151
> > 1152 dentptr->attr = attr;
> > 1153
> > > > > CID 316357: Memory - corruptions (BUFFER_SIZE)
> > > > > You might overrun the 8 byte destination string "dentptr->name" by writing the maximum 11 bytes from "shortname".
> > 1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
> > 1155 }
> > 1156
> > 1157 /**
> > 1158 * find_directory_entry() - find a directory entry by filename
> > 1159 *
> >
> > ** CID 316356: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316356: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> > 219 if (ret < 0) {
> > 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> > 221 __func__);
> > 222 goto err;
> > 223 }
> > 224
> > > > > CID 316356: Resource leaks (RESOURCE_LEAK)
> > > > > Handle variable "srcfd" going out of scope leaks the handle.
I'd defer to Sughosh.
> > 225 return 0;
> > 226
> > 227 err:
> > 228 if (sptr)
> > 229 munmap(sptr, src_size);
> > 230
> >
> > ** CID 316355: Null pointer dereferences (FORWARD_NULL)
> > /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316355: Null pointer dereferences (FORWARD_NULL)
> > /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
> > 842 }
> > 843 ret = EFI_CALL((*fh->getinfo)(fh, &efi_file_info_guid,
> > 844 &size, file_info));
> > 845 }
> > 846 if (ret != EFI_SUCCESS)
> > 847 goto err;
> > > > > CID 316355: Null pointer dereferences (FORWARD_NULL)
> > > > > Dereferencing null pointer "file_info".
Same as CID 316364 above.
> > 848 size = file_info->file_size;
> > 849 free(file_info);
> > 850 buf = malloc(size);
> > 851 if (!buf) {
> > 852 ret = EFI_OUT_OF_RESOURCES;
> > 853 goto err;
> >
> > ** CID 316354: Uninitialized variables (UNINIT)
> > /tools/mkeficapsule.c: 318 in create_fwbin()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316354: Uninitialized variables (UNINIT)
> > /tools/mkeficapsule.c: 318 in create_fwbin()
> > 312 image.update_image_index = index;
> > 313 image.update_image_size = bin_stat.st_size;
> > 314 image.update_vendor_code_size = 0; /* none */
> > 315 image.update_hardware_instance = instance;
> > 316 image.image_capsule_support = 0;
> > 317
> > > > > CID 316354: Uninitialized variables (UNINIT)
> > > > > Using uninitialized value "image". Field "image.reserved" is uninitialized when calling "fwrite".
> > 318 size = fwrite(&image, 1, sizeof(image), f);
"reserved" is reserved, but I'd like to set them to zero for safety.
> > 319 if (size < sizeof(image)) {
> > 320 printf("write failed (%lx)\n", size);
> > 321 goto err_3;
> > 322 }
> > 323 size = fread(data, 1, bin_stat.st_size, g);
> >
> > ** CID 316353: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316353: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> > 219 if (ret < 0) {
> > 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> > 221 __func__);
> > 222 goto err;
> > 223 }
> > 224
> > > > > CID 316353: Resource leaks (RESOURCE_LEAK)
> > > > > Variable "sptr" going out of scope leaks the storage it points to.
Defer to Sughosh.
> > 225 return 0;
> > 226
> > 227 err:
> > 228 if (sptr)
> > 229 munmap(sptr, src_size);
> > 230
> >
> > ** CID 316352: Security best practices violations (STRING_OVERFLOW)
> > /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316352: Security best practices violations (STRING_OVERFLOW)
> > /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
> > 484 char *interface, char *devstr)
> > 485 {
> > 486 char *st;
> > 487
> > 488 debug("%s: %s interface: %s dev: %s\n", __func__, s, interface, devstr);
> > 489 st = strsep(&s, " ");
> > > > > CID 316352: Security best practices violations (STRING_OVERFLOW)
> > > > > You might overrun the 32-character fixed-size string "dfu->name" by copying "st" without checking the length.
> > 490 strcpy(dfu->name, st);
> > 491
> > 492 dfu->alt = alt;
> > 493 dfu->max_buf_size = 0;
> > 494 dfu->free_entity = NULL;
> > 495
> >
> > ** CID 316351: Error handling issues (CHECKED_RETURN)
> > /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316351: Error handling issues (CHECKED_RETURN)
> > /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
> > 224 cell = dev_read_prop(dev, "brightness-levels", &len);
> > 225 count = len / sizeof(u32);
> > 226 if (cell && count > index) {
> > 227 priv->levels = malloc(len);
> > 228 if (!priv->levels)
> > 229 return log_ret(-ENOMEM);
> > > > > CID 316351: Error handling issues (CHECKED_RETURN)
> > > > > Calling "dev_read_u32_array" without checking return value (as is done elsewhere 8 out of 9 times).
> > 230 dev_read_u32_array(dev, "brightness-levels", priv->levels,
> > 231 count);
> > 232 priv->num_levels = count;
> > 233 priv->default_level = priv->levels[index];
> > 234 priv->max_level = priv->levels[count - 1];
> > 235 } else {
> >
> > ** CID 316350: Memory - corruptions (OVERRUN)
> > /fs/fat/fat_write.c: 1154 in fill_dentry()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316350: Memory - corruptions (OVERRUN)
> > /fs/fat/fat_write.c: 1154 in fill_dentry()
> > 1148
> > 1149 set_start_cluster(mydata, dentptr, start_cluster);
> > 1150 dentptr->size = cpu_to_le32(size);
> > 1151
> > 1152 dentptr->attr = attr;
> > 1153
> > > > > CID 316350: Memory - corruptions (OVERRUN)
> > > > > Overrunning array "dentptr->name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> > 1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
> > 1155 }
> > 1156
> > 1157 /**
> > 1158 * find_directory_entry() - find a directory entry by filename
> > 1159 *
> >
> > ** CID 316349: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316349: Resource leaks (RESOURCE_LEAK)
> > /tools/mkeficapsule.c: 225 in add_public_key()
> > 219 if (ret < 0) {
> > 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> > 221 __func__);
> > 222 goto err;
> > 223 }
> > 224
> > > > > CID 316349: Resource leaks (RESOURCE_LEAK)
> > > > > Handle variable "destfd" going out of scope leaks the handle.
To Sughosh.
-Takahiro Akashi
> > 225 return 0;
> > 226
> > 227 err:
> > 228 if (sptr)
> > 229 munmap(sptr, src_size);
> > 230
> >
> > ** CID 316348: Memory - corruptions (OVERRUN)
> > /fs/fat/fat_write.c: 188 in set_name()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316348: Memory - corruptions (OVERRUN)
> > /fs/fat/fat_write.c: 188 in set_name()
> > 182 /* Each long name directory entry takes 13 characters. */
> > 183 ret = (strlen(filename) + 25) / 13;
> > 184 goto out;
> > 185 }
> > 186 return -EIO;
> > 187 out:
> > > > > CID 316348: Memory - corruptions (OVERRUN)
> > > > > Overrunning array "dirent.name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> > 188 memcpy(shortname, dirent.name, SHORT_NAME_SIZE);
> > 189 return ret;
> > 190 }
> > 191
> > 192 static int total_sector;
> > 193 static int disk_write(__u32 block, __u32 nr_blocks, void *buf)
> >
> > ** CID 316347: Null pointer dereferences (FORWARD_NULL)
> > /cmd/sandbox/exception.c: 16 in do_sigsegv()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316347: Null pointer dereferences (FORWARD_NULL)
> > /cmd/sandbox/exception.c: 16 in do_sigsegv()
> > 10
> > 11 static int do_sigsegv(struct cmd_tbl *cmdtp, int flag, int argc,
> > 12 char *const argv[])
> > 13 {
> > 14 u8 *ptr = NULL;
> > 15
> > > > > CID 316347: Null pointer dereferences (FORWARD_NULL)
> > > > > Dereferencing null pointer "ptr".
> > 16 *ptr = 0;
> > 17 return CMD_RET_FAILURE;
> > 18 }
> > 19
> > 20 static int do_undefined(struct cmd_tbl *cmdtp, int flag, int argc,
> > 21 char *const argv[])
> >
> > ** CID 316346: Control flow issues (UNREACHABLE)
> > /test/cmd/setexpr.c: 275 in setexpr_test_backref()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316346: Control flow issues (UNREACHABLE)
> > /test/cmd/setexpr.c: 275 in setexpr_test_backref()
> > 269 "us \\1 \\2 \\3!", true));
> > 270 ut_asserteq_str("us this is surely! a test is it? yes us this is indeed! a test",
> > 271 buf);
> > 272
> > 273 /* The following checks fail at present due to a bug in setexpr */
> > 274 return 0;
> > > > > CID 316346: Control flow issues (UNREACHABLE)
> > > > > This code cannot be reached: "i = 256;".
> > 275 for (i = BUF_SIZE; i < 0x1000; i++) {
> > 276 ut_assertf(buf[i] == (char)i,
> > 277 "buf byte at %x should be %02x, got %02x)\n",
> > 278 i, i & 0xff, (u8)buf[i]);
> > 279 ut_assertf(nbuf[i] == (char)i,
> > 280 "nbuf byte at %x should be %02x, got %02x)\n",
> >
> >
> > ________________________________________________________________________________________________________
> > To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzXLV_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFlP-2B70lLxg94OYlINE3kVz2K7-2BaNONHtJP8TbjZRniVWbxuTUQjTtQl1N-2FQyFOjCv8gPw5EPU0ENb3p98VX92ve7SRBWt1r1v-2F-2F6AWroTa-2Bh7rN2QA2fbSgDcYmJ9RJ86TD6dhAH88KDOiq3Saai3zTbA9TSu9jcthFTuvEyi5KBE-3D
> >
> > To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DBleN_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFl83Kn4j1MsEeVR-2BhiT4TgLlRMzBzziPEpnjhf5UW-2FNLxwPg-2FlX4hM5uoZCyOPlCN-2BiReYf6wkiLt6iKknc3lnJUyqsWnyxIFGwSu2OUxAVy5vnsIFdRuglO4-2B9vJx2XrTM801x6AhuO0Zb5xr5hI9qgs9dwug2dbKvAt0T-2F-2Bv9VI-3D
> >
> >
> > ----- End forwarded message -----
> >
>
^ permalink raw reply [flat|nested] 46+ messages in thread
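The two UNINIT findings above (CID 316354 and CID 316360) are about the same thing: a header struct is filled field by field and then handed to fwrite() whole, so any field that was not assigned, and any padding the compiler inserted, goes to disk with whatever the stack held before. The example below is added here and is not code from U-Boot or mkeficapsule; the struct is a simplified stand-in for the image header in the report, and its field names and sizes are assumptions for illustration. It puts the flagged pattern beside the hardened one and makes the leak visible by poisoning the struct's memory first, the way a previous call's locals might have.

```c
/*
 * Added example (not U-Boot or mkeficapsule code): zero an on-disk header
 * before writing it, so "reserved" fields and padding never carry stale
 * stack contents into the output file. The struct is a simplified stand-in
 * for the capsule image header in the report; field names and sizes are
 * assumptions for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct image_header {
	uint32_t update_image_index;
	uint32_t update_image_size;
	uint32_t update_vendor_code_size;
	uint8_t  reserved[3];		/* "reserved": the format wants zeros here */
	/* the compiler inserts padding here to align the 64-bit field below */
	uint64_t update_hardware_instance;
	uint64_t image_capsule_support;
};

/* Byte offset `off` lies inside member `field` of `type`. */
#define IN_FIELD(off, type, field)					\
	((off) >= offsetof(type, field) &&				\
	 (off) < offsetof(type, field) + sizeof(((type *)0)->field))

/*
 * The pattern Coverity flagged: only the meaningful fields are assigned,
 * so reserved[] and any padding keep whatever the memory held before, and
 * fwrite(&image, ...) copies those bytes to disk.
 */
void header_fill_unsafe(struct image_header *h, uint32_t index,
			uint32_t size, uint64_t instance)
{
	h->update_image_index = index;
	h->update_image_size = size;
	h->update_vendor_code_size = 0;
	h->update_hardware_instance = instance;
	h->image_capsule_support = 0;
}

/*
 * Hardened form: clear every byte first. memset() also clears padding,
 * which a "= {0}" initializer is not guaranteed to do in C.
 */
void header_fill_safe(struct image_header *h, uint32_t index,
		      uint32_t size, uint64_t instance)
{
	memset(h, 0, sizeof(*h));
	h->update_image_index = index;
	h->update_image_size = size;
	h->update_hardware_instance = instance;
}

/*
 * Count bytes that belong to no assigned field and are non-zero: exactly
 * the bytes that would leak stale memory into the written file.
 */
size_t header_count_stale_bytes(const struct image_header *h)
{
	const unsigned char *p = (const unsigned char *)h;
	size_t stale = 0;

	for (size_t i = 0; i < sizeof(*h); i++) {
		if (IN_FIELD(i, struct image_header, update_image_index) ||
		    IN_FIELD(i, struct image_header, update_image_size) ||
		    IN_FIELD(i, struct image_header, update_vendor_code_size) ||
		    IN_FIELD(i, struct image_header, update_hardware_instance) ||
		    IN_FIELD(i, struct image_header, image_capsule_support))
			continue;
		if (p[i] != 0)
			stale++;
	}
	return stale;
}

/*
 * Simulate a dirty stack frame: poison the header memory with 0xA5 before
 * filling it. Returns how many stale bytes the chosen variant would hand
 * to fwrite(). The unsafe variant leaves at least the 3 reserved bytes.
 */
size_t demo_stale_bytes(int use_safe)
{
	struct image_header h;

	memset(&h, 0xA5, sizeof(h));
	if (use_safe)
		header_fill_safe(&h, 1, 4096, 0);
	else
		header_fill_unsafe(&h, 1, 4096, 0);
	return header_count_stale_bytes(&h);
}

/* Write the header; 0 on success, -1 on a short write. */
int header_write(FILE *f, const struct image_header *h)
{
	return fwrite(h, 1, sizeof(*h), f) == sizeof(*h) ? 0 : -1;
}

int main(void)
{
	printf("unsafe fill leaves %zu stale byte(s), safe fill leaves %zu\n",
	       demo_stale_bytes(0), demo_stale_bytes(1));
	return 0;
}
```

Setting `reserved` to zero, as Takahiro proposes, fixes the field Coverity named; the memset() form also covers the padding bytes, which the analyser does not report but which end up in the file just the same. For a format that must be portable across hosts, writing each field explicitly in little-endian order is the stricter alternative to fwrite() of a whole struct.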
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-20 20:43 ` Heinrich Schuchardt
@ 2021-01-20 22:33 ` Heinrich Schuchardt
2021-01-21 2:09 ` AKASHI Takahiro
1 sibling, 0 replies; 46+ messages in thread
From: Heinrich Schuchardt @ 2021-01-20 22:33 UTC (permalink / raw)
To: u-boot
Dear Tom,
thanks for providing the Coverity results.
I hope Sughosh and Takahiro will take care of the EFI capsule stuff.
Find my comments for some other findings below.
On 1/20/21 9:43 PM, Heinrich Schuchardt wrote:
> On 1/20/21 8:04 PM, Tom Rini wrote:
>
> CC: Takahiro
>
>> I decided to run Coverity part-way through the merge window this time
>> and here's what's been found so far.
>>
>> ----- Forwarded message from scan-admin at coverity.com -----
>>
>> Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
>> From: scan-admin at coverity.com
>> To: tom.rini at gmail.com
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das
>> U-Boot found with Coverity Scan.
>>
>> 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
>> the recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 20 of 23 defect(s)
>>
>>
>> ** CID 316365:  Memory - corruptions  (STRING_OVERFLOW)
>> /tools/sunxi_egon.c: 96 in egon_set_header()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316365:  Memory - corruptions  (STRING_OVERFLOW)
>> /tools/sunxi_egon.c: 96 in egon_set_header()
>> 90
>> 91         /* If an image name has been provided, use it as the DT
>> name. */
>> 92         if (params->imagename && params->imagename[0]) {
>> 93             if (strlen(params->imagename) >
>> sizeof(header->string_pool) - 1)
>> 94                 printf("WARNING: DT name too long for SPL header!\n");
>> 95             else {
>>>>>      CID 316365:  Memory - corruptions  (STRING_OVERFLOW)
>>>>>      You might overrun the 13-character destination string
>>>>> "header->string_pool" by writing 51 characters from
>>>>> "params->imagename".
>> 96                 strcpy((char *)header->string_pool,
>> params->imagename);
>> 97                 value = offsetof(struct boot_file_head, string_pool);
>> 98                 header->dt_name_offset = cpu_to_le32(value);
>> 99                 header->spl_signature[3] = SPL_DT_HEADER_VERSION;
>> 100             }
>> 101         }
>>
>> ** CID 316364:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/efidebug.c: 202 in do_efi_capsule_res()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316364:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/efidebug.c: 202 in do_efi_capsule_res()
>> 196                 printf("Failed to get %ls\n", var_name16);
>> 197
>> 198                 return CMD_RET_FAILURE;
>> 199             }
>> 200         }
>> 201
>>>>>      CID 316364:  Null pointer dereferences  (FORWARD_NULL)
>>>>>      Dereferencing null pointer "result".
>> 202         printf("Result total size: 0x%x\n",
>> result->variable_total_size);
>> 203         printf("Capsule guid: %pUl\n", &result->capsule_guid);
>> 204         printf("Time processed: %04d-%02d-%02d %02d:%02d:%02d\n",
>> 205                result->capsule_processed.year,
>> result->capsule_processed.month,
>> 206                result->capsule_processed.day,
>> result->capsule_processed.hour,
>> 207                result->capsule_processed.minute,
>>
>> ** CID 316363:  Null pointer dereferences  (REVERSE_INULL)
>> /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316363:  Null pointer dereferences  (REVERSE_INULL)
>> /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
I will create a patch to remove the unnecessary check.
>> 1987         ret = EFI_CALL(load_file_protocol->load_file(
>> 1988                         load_file_protocol, dp, boot_policy,
>> 1989                         &buffer_size, (void *)(uintptr_t)addr));
>> 1990         if (ret != EFI_SUCCESS)
>> 1991             efi_free_pages(addr, pages);
>> 1992     out:
>>>>>      CID 316363:  Null pointer dereferences  (REVERSE_INULL)
>>>>>      Null-checking "load_file_protocol" suggests that it may be
>>>>> null, but it has already been dereferenced on all paths leading to
>>>>> the check.
>> 1993         if (load_file_protocol)
>> 1994             EFI_CALL(efi_close_protocol(device,
>> 1995                             &efi_guid_load_file2_protocol,
>> 1996                             efi_root, NULL));
>> 1997         if (ret == EFI_SUCCESS) {
>> 1998             *buffer = (void *)(uintptr_t)addr;
>>
>> ** CID 316362:  Error handling issues  (CHECKED_RETURN)
>> /fs/fat/fat_write.c: 422 in fill_dir_slot()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316362:  Error handling issues  (CHECKED_RETURN)
>> /fs/fat/fat_write.c: 422 in fill_dir_slot()
I will add the missing return value handling.
>> 416         while (counter >= 1) {
>> 417             memcpy(itr->dent, slotptr, sizeof(dir_slot));
>> 418             slotptr--;
>> 419             counter--;
>> 420
>> 421             if (itr->remaining == 0)
>>>>>      CID 316362:  Error handling issues  (CHECKED_RETURN)
>>>>>      Calling "flush_dir" without checking return value (as is done
>>>>> elsewhere 5 out of 6 times).
>> 422                 flush_dir(itr);
>> 423
>> 424             next_dent(itr);
>> 425             if (!itr->dent)
>> 426                 return -EIO;
>> 427         }
>>
>> ** CID 316361:  Code maintainability issues  (SIZEOF_MISMATCH)
>> /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316361:  Code maintainability issues  (SIZEOF_MISMATCH)
>> /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
>> 761
>> 762         ret = EFI_CALL((*dirh->setpos)(dirh, 0));
>> 763         if (ret != EFI_SUCCESS)
>> 764             goto err;
>> 765
>> 766         /* make a list */
>>>>>      CID 316361:  Code maintainability issues  (SIZEOF_MISMATCH)
>>>>>      Passing argument "count * 8UL /* sizeof (*files) */" to
>>>>> function "dlmalloc" and then casting the return value to "u16 **"
>>>>> is suspicious.  In this particular case "sizeof (u16 **)" happens
>>>>> to be equal to "sizeof (u16 *)", but this is not a portable
>>>>> assumption.
>> 767         tmp_files = malloc(count * sizeof(*files));
>> 768         if (!tmp_files) {
>> 769             ret = EFI_OUT_OF_RESOURCES;
>> 770             goto err;
>> 771         }
>> 772
>>
>> ** CID 316360:  Uninitialized variables  (UNINIT)
>> /tools/mkeficapsule.c: 298 in create_fwbin()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316360:  Uninitialized variables  (UNINIT)
>> /tools/mkeficapsule.c: 298 in create_fwbin()
>> 292             goto err_3;
>> 293         }
>> 294
>> 295         capsule.version = 0x00000001;
>> 296         capsule.embedded_driver_count = 0;
>> 297         capsule.payload_item_count = 1;
>>>>>      CID 316360:  Uninitialized variables  (UNINIT)
>>>>>      Using uninitialized value "capsule". Field
>>>>> "capsule.item_offset_list" is uninitialized when calling "fwrite".
>> 298         size = fwrite(&capsule, 1, sizeof(capsule), f);
>> 299         if (size < (sizeof(capsule))) {
>> 300             printf("write failed (%lx)\n", size);
>> 301             goto err_3;
>> 302         }
>> 303         offset = sizeof(capsule) + sizeof(u64);
>>
>> ** CID 316359:  Null pointer dereferences  (FORWARD_NULL)
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316359:  Null pointer dereferences  (FORWARD_NULL)
>> /lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
>> 374                 ret = EFI_UNSUPPORTED;
>> 375                 goto out;
>> 376             }
>> 377
>> 378             /* find a device for update firmware */
>> 379             /* TODO: should we pass index as well, or nothing but
>> type? */
>>>>>      CID 316359:  Null pointer dereferences  (FORWARD_NULL)
>>>>>      Passing null pointer "handles" to "efi_fmp_find", which
>>>>> dereferences it.
>> 380             fmp = efi_fmp_find(&image->update_image_type_id,
>> 381                        image->update_hardware_instance,
>> 382                        handles, no_handles);
>> 383             if (!fmp) {
>> 384                 log_err("EFI Capsule: driver not found for
>> firmware type: %pUl, hardware instance: %lld\n",
>> 385                     &image->update_image_type_id,
>>
>> ** CID 316358:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>> /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316358:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>> /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
>> 157         int ret;
>> 158
>> 159         pdata->iobase = dev_read_addr(dev);
>> 160
>> 161         ifname = dev_read_string(dev, "host-raw-interface");
>> 162         if (ifname) {
>>>>>      CID 316358:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>>>      Calling "strncpy" with a maximum size argument of 16 bytes on
>>>>> destination array "priv->host_ifname" of size 16 bytes might leave
>>>>> the destination string unterminated.
>> 163             strncpy(priv->host_ifname, ifname, IFNAMSIZ);
>> 164             printf(": Using %s from DT\n", priv->host_ifname);
>> 165         }
>> 166         if (dev_read_u32(dev, "host-raw-interface-idx",
>> 167                  &priv->host_ifindex) < 0) {
>> 168             priv->host_ifindex = 0;
>>
>> ** CID 316357:  Memory - corruptions  (BUFFER_SIZE)
>> /fs/fat/fat_write.c: 1154 in fill_dentry()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316357:  Memory - corruptions  (BUFFER_SIZE)
>> /fs/fat/fat_write.c: 1154 in fill_dentry()
>> 1148
>> 1149         set_start_cluster(mydata, dentptr, start_cluster);
>> 1150         dentptr->size = cpu_to_le32(size);
>> 1151
>> 1152         dentptr->attr = attr;
>> 1153
>>>>>      CID 316357:  Memory - corruptions  (BUFFER_SIZE)
>>>>>      You might overrun the 8 byte destination string
>>>>> "dentptr->name" by writing the maximum 11 bytes from "shortname".
>> 1154         memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
>> 1155     }
We are writing here adjacent fields shortname (8 chars) and extension (3
chars). This saves a second memcpy() call for the adjacent field.
>> 1156
>> 1157     /**
>> 1158      * find_directory_entry() - find a directory entry by filename
>> 1159      *
>>
>> ** CID 316356:  Resource leaks  (RESOURCE_LEAK)
>> /tools/mkeficapsule.c: 225 in add_public_key()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316356:  Resource leaks  (RESOURCE_LEAK)
>> /tools/mkeficapsule.c: 225 in add_public_key()
>> 219         if (ret < 0) {
>> 220             fprintf(stderr, "%s: Unable to add public key to the
>> FDT\n",
>> 221                 __func__);
>> 222             goto err;
>> 223         }
>> 224
>>>>>      CID 316356:  Resource leaks  (RESOURCE_LEAK)
>>>>>      Handle variable "srcfd" going out of scope leaks the handle.
>> 225         return 0;
>> 226
>> 227     err:
>> 228         if (sptr)
>> 229             munmap(sptr, src_size);
>> 230
>>
>> ** CID 316355:  Null pointer dereferences  (FORWARD_NULL)
>> /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316355:  Null pointer dereferences  (FORWARD_NULL)
>> /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
>> 842             }
>> 843             ret = EFI_CALL((*fh->getinfo)(fh, &efi_file_info_guid,
>> 844                               &size, file_info));
>> 845         }
>> 846         if (ret != EFI_SUCCESS)
>> 847             goto err;
>>>>>      CID 316355:  Null pointer dereferences  (FORWARD_NULL)
>>>>>      Dereferencing null pointer "file_info".
>> 848         size = file_info->file_size;
>> 849         free(file_info);
>> 850         buf = malloc(size);
>> 851         if (!buf) {
>> 852             ret = EFI_OUT_OF_RESOURCES;
>> 853             goto err;
>>
>> ** CID 316354:  Uninitialized variables  (UNINIT)
>> /tools/mkeficapsule.c: 318 in create_fwbin()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316354:  Uninitialized variables  (UNINIT)
>> /tools/mkeficapsule.c: 318 in create_fwbin()
>> 312         image.update_image_index = index;
>> 313         image.update_image_size = bin_stat.st_size;
>> 314         image.update_vendor_code_size = 0; /* none */
>> 315         image.update_hardware_instance = instance;
>> 316         image.image_capsule_support = 0;
>> 317
>>>>>      CID 316354:  Uninitialized variables  (UNINIT)
>>>>>      Using uninitialized value "image". Field "image.reserved" is
>>>>> uninitialized when calling "fwrite".
>> 318         size = fwrite(&image, 1, sizeof(image), f);
>> 319         if (size < sizeof(image)) {
>> 320             printf("write failed (%lx)\n", size);
>> 321             goto err_3;
>> 322         }
>> 323         size = fread(data, 1, bin_stat.st_size, g);
>>
>> ** CID 316353:  Resource leaks  (RESOURCE_LEAK)
>> /tools/mkeficapsule.c: 225 in add_public_key()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316353:  Resource leaks  (RESOURCE_LEAK)
>> /tools/mkeficapsule.c: 225 in add_public_key()
>> 219         if (ret < 0) {
>> 220             fprintf(stderr, "%s: Unable to add public key to the
>> FDT\n",
>> 221                 __func__);
>> 222             goto err;
>> 223         }
>> 224
>>>>>      CID 316353:  Resource leaks  (RESOURCE_LEAK)
>>>>>      Variable "sptr" going out of scope leaks the storage it points
>>>>> to.
>> 225         return 0;
>> 226
>> 227     err:
>> 228         if (sptr)
>> 229             munmap(sptr, src_size);
>> 230
>>
>> ** CID 316352:  Security best practices violations  (STRING_OVERFLOW)
>> /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316352:  Security best practices violations  (STRING_OVERFLOW)
>> /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
>> 484                    char *interface, char *devstr)
>> 485     {
>> 486         char *st;
>> 487
>> 488         debug("%s: %s interface: %s dev: %s\n", __func__, s,
>> interface, devstr);
>> 489         st = strsep(&s, " ");
>>>>>      CID 316352:  Security best practices violations
>>>>> (STRING_OVERFLOW)
>>>>>      You might overrun the 32-character fixed-size string
>>>>> "dfu->name" by copying "st" without checking the length.
>> 490         strcpy(dfu->name, st);
>> 491
>> 492         dfu->alt = alt;
>> 493         dfu->max_buf_size = 0;
>> 494         dfu->free_entity = NULL;
>> 495
>>
>> ** CID 316351:  Error handling issues  (CHECKED_RETURN)
>> /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316351:  Error handling issues  (CHECKED_RETURN)
>> /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
>> 224         cell = dev_read_prop(dev, "brightness-levels", &len);
>> 225         count = len / sizeof(u32);
>> 226         if (cell && count > index) {
>> 227             priv->levels = malloc(len);
>> 228             if (!priv->levels)
>> 229                 return log_ret(-ENOMEM);
>>>>>      CID 316351:  Error handling issues  (CHECKED_RETURN)
>>>>>      Calling "dev_read_u32_array" without checking return value (as
>>>>> is done elsewhere 8 out of 9 times).
>> 230             dev_read_u32_array(dev, "brightness-levels",
>> priv->levels,
>> 231                        count);
>> 232             priv->num_levels = count;
>> 233             priv->default_level = priv->levels[index];
>> 234             priv->max_level = priv->levels[count - 1];
>> 235         } else {
>>
>> ** CID 316350:  Memory - corruptions  (OVERRUN)
>> /fs/fat/fat_write.c: 1154 in fill_dentry()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316350:  Memory - corruptions  (OVERRUN)
>> /fs/fat/fat_write.c: 1154 in fill_dentry()
>> 1148
>> 1149         set_start_cluster(mydata, dentptr, start_cluster);
>> 1150         dentptr->size = cpu_to_le32(size);
>> 1151
>> 1152         dentptr->attr = attr;
>> 1153
>>>>>      CID 316350:  Memory - corruptions  (OVERRUN)
>>>>>      Overrunning array "dentptr->name" of 8 bytes by passing it to
>>>>> a function which accesses it at byte offset 10 using argument
>>>>> "11UL". [Note: The source code implementation of the function has
>>>>> been overridden by a builtin model.]
>> 1154         memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
We are copying to two adjacent fields (filename and extension) which
together have 11 bytes. This saves a second memcpy call.
>> 1155     }
>> 1156
>> 1157     /**
>> 1158      * find_directory_entry() - find a directory entry by filename
>> 1159      *
>>
>> ** CID 316349:  Resource leaks  (RESOURCE_LEAK)
>> /tools/mkeficapsule.c: 225 in add_public_key()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316349:  Resource leaks  (RESOURCE_LEAK)
>> /tools/mkeficapsule.c: 225 in add_public_key()
>> 219         if (ret < 0) {
>> 220             fprintf(stderr, "%s: Unable to add public key to the
>> FDT\n",
>> 221                 __func__);
>> 222             goto err;
>> 223         }
>> 224
>>>>>      CID 316349:  Resource leaks  (RESOURCE_LEAK)
>>>>>      Handle variable "destfd" going out of scope leaks the handle.
>> 225         return 0;
>> 226
>> 227     err:
>> 228         if (sptr)
>> 229             munmap(sptr, src_size);
>> 230
>>
>> ** CID 316348:  Memory - corruptions  (OVERRUN)
>> /fs/fat/fat_write.c: 188 in set_name()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316348:  Memory - corruptions  (OVERRUN)
>> /fs/fat/fat_write.c: 188 in set_name()
>> 182             /* Each long name directory entry takes 13 characters. */
>> 183             ret = (strlen(filename) + 25) / 13;
>> 184             goto out;
>> 185         }
>> 186         return -EIO;
>> 187     out:
>>>>>      CID 316348:  Memory - corruptions  (OVERRUN)
>>>>>      Overrunning array "dirent.name" of 8 bytes by passing it to a
>>>>> function which accesses it at byte offset 10 using argument "11UL".
>>>>> [Note: The source code implementation of the function has been
>>>>> overridden by a builtin model.]
>> 188         memcpy(shortname, dirent.name, SHORT_NAME_SIZE);
We are copying to two adjacent fields (filename and extension) which
together have 11 bytes. This saves a second memcpy call.
>> 189         return ret;
>> 190     }
>> 191
>> 192     static int total_sector;
>> 193     static int disk_write(__u32 block, __u32 nr_blocks, void *buf)
>>
>> ** CID 316347:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/sandbox/exception.c: 16 in do_sigsegv()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316347:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/sandbox/exception.c: 16 in do_sigsegv()
>> 10
>> 11     static int do_sigsegv(struct cmd_tbl *cmdtp, int flag, int argc,
>> 12                   char *const argv[])
>> 13     {
>> 14         u8 *ptr = NULL;
>> 15
>>>>>      CID 316347:  Null pointer dereferences  (FORWARD_NULL)
>>>>>      Dereferencing null pointer "ptr".
Yes, we want to cause a segmentation fault here to test the crash handler.
Best regards
Heinrich
>> 16         *ptr = 0;
>> 17         return CMD_RET_FAILURE;
>> 18     }
>> 19
>> 20     static int do_undefined(struct cmd_tbl *cmdtp, int flag, int argc,
>> 21                 char *const argv[])
>>
>> ** CID 316346:  Control flow issues  (UNREACHABLE)
>> /test/cmd/setexpr.c: 275 in setexpr_test_backref()
>>
>>
>> ________________________________________________________________________________________________________
>>
>> *** CID 316346:  Control flow issues  (UNREACHABLE)
>> /test/cmd/setexpr.c: 275 in setexpr_test_backref()
>> 269                           "us \\1 \\2 \\3!", true));
>> 270         ut_asserteq_str("us this is surely! a test is it? yes us
>> this is indeed! a test",
>> 271                 buf);
>> 272
>> 273         /* The following checks fail at present due to a bug in
>> setexpr */
>> 274         return 0;
>>>>>      CID 316346:  Control flow issues  (UNREACHABLE)
>>>>>      This code cannot be reached: "i = 256;".
>> 275         for (i = BUF_SIZE; i < 0x1000; i++) {
>> 276             ut_assertf(buf[i] == (char)i,
>> 277                    "buf byte at %x should be %02x, got %02x)\n",
>> 278                    i, i & 0xff, (u8)buf[i]);
>> 279             ut_assertf(nbuf[i] == (char)i,
>> 280                    "nbuf byte at %x should be %02x, got %02x)\n",
>>
>>
>> ________________________________________________________________________________________________________
>>
>> To view the defects in Coverity Scan visit,
>> https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzXLV_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFlP-2B70lLxg94OYlINE3kVz2K7-2BaNONHtJP8TbjZRniVWbxuTUQjTtQl1N-2FQyFOjCv8gPw5EPU0ENb3p98VX92ve7SRBWt1r1v-2F-2F6AWroTa-2Bh7rN2QA2fbSgDcYmJ9RJ86TD6dhAH88KDOiq3Saai3zTbA9TSu9jcthFTuvEyi5KBE-3D
>>
>>
>>    To manage Coverity Scan email notifications for
>> "tom.rini at gmail.com", click
>> https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DBleN_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFl83Kn4j1MsEeVR-2BhiT4TgLlRMzBzziPEpnjhf5UW-2FNLxwPg-2FlX4hM5uoZCyOPlCN-2BiReYf6wkiLt6iKknc3lnJUyqsWnyxIFGwSu2OUxAVy5vnsIFdRuglO4-2B9vJx2XrTM801x6AhuO0Zb5xr5hI9qgs9dwug2dbKvAt0T-2F-2Bv9VI-3D
>>
>>
>>
>> ----- End forwarded message -----
>>
>
^ permalink raw reply [flat|nested] 46+ messages in thread
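Heinrich's reply explains CID 316350, 316348 and 316357 the same way: the 11-byte short name is written across two adjacent fields, `name[8]` and `ext[3]`, with one memcpy(). That is correct only while the struct keeps exactly that layout, which is what a static analyser cannot see and a human reviewer has to take on trust. The example below is added here and is not U-Boot's fat_write.c; the `dir_entry` is a simplified stand-in laid out like the on-disk FAT directory entry, `SHORT_NAME_SIZE` follows the report (11), and `make_short_name()` is a deliberately simplified 8.3 converter. It pins the layout down with `_Static_assert`, keeps the flagged single copy next to a per-field copy, and checks that both produce identical entries.

```c
/*
 * Added example (not U-Boot's fat_write.c): the 11-byte FAT short name
 * spans two adjacent fields, name[8] and ext[3]. A single memcpy() across
 * both is what CID 316350/316348/316357 flag; it is correct only while the
 * layout below holds, so the layout is asserted at compile time and a
 * per-field variant is kept for comparison. SHORT_NAME_SIZE follows the
 * report (11); the struct is a simplified stand-in for the on-disk entry.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHORT_NAME_SIZE 11

struct dir_entry {
	char	 name[8];	/* base name, space padded */
	char	 ext[3];	/* extension, space padded */
	uint8_t	 attr;
	uint8_t	 lcase;
	uint8_t	 ctime_ms;
	uint16_t ctime;
	uint16_t cdate;
	uint16_t adate;
	uint16_t starthi;
	uint16_t time;
	uint16_t date;
	uint16_t start;
	uint32_t size;
} __attribute__((packed));

/* The cross-field copy is only valid if ext starts right after name. */
_Static_assert(offsetof(struct dir_entry, ext) ==
	       offsetof(struct dir_entry, name) + sizeof(((struct dir_entry *)0)->name),
	       "name and ext must be adjacent");
_Static_assert(sizeof(((struct dir_entry *)0)->name) +
	       sizeof(((struct dir_entry *)0)->ext) == SHORT_NAME_SIZE,
	       "name + ext must be SHORT_NAME_SIZE bytes");
_Static_assert(sizeof(struct dir_entry) == 32, "FAT directory entry is 32 bytes");

/* The flagged form: one copy across name and ext. */
void set_short_name_single_copy(struct dir_entry *d, const char *shortname)
{
	memcpy(d->name, shortname, SHORT_NAME_SIZE);
}

/*
 * Same bytes, written one field at a time. An analyser can verify this
 * without knowing the struct layout, and it is clean by the letter of the
 * C standard, which does not promise that indexing past name[] lands in ext[].
 */
void set_short_name_split_copy(struct dir_entry *d, const char *shortname)
{
	memcpy(d->name, shortname, sizeof(d->name));
	memcpy(d->ext, shortname + sizeof(d->name), sizeof(d->ext));
}

/*
 * Convert "name.ext" into the padded 11-byte 8.3 form ("BOOT    SCR").
 * Simplified on purpose: ASCII upper-casing and space padding only; the
 * full 8.3 rules (forbidden characters, ~N tails for long names) are not
 * modelled. Returns -1 when the name does not fit.
 */
int make_short_name(const char *filename, char out[SHORT_NAME_SIZE])
{
	const char *dot = strrchr(filename, '.');
	size_t base_len = dot ? (size_t)(dot - filename) : strlen(filename);
	size_t ext_len = dot ? strlen(dot + 1) : 0;

	if (base_len == 0 || base_len > 8 || ext_len > 3)
		return -1;
	memset(out, ' ', SHORT_NAME_SIZE);
	for (size_t i = 0; i < base_len; i++)
		out[i] = (char)toupper((unsigned char)filename[i]);
	for (size_t i = 0; i < ext_len; i++)
		out[8 + i] = (char)toupper((unsigned char)dot[1 + i]);
	return 0;
}

/* 1 if filename converts to exactly the 11 bytes in expected, else 0. */
int demo_short_name_is(const char *filename, const char *expected)
{
	char shortname[SHORT_NAME_SIZE];

	if (make_short_name(filename, shortname) < 0)
		return 0;
	return memcmp(shortname, expected, SHORT_NAME_SIZE) == 0;
}

/* 1 if both copy variants produce byte-identical 32-byte entries. */
int demo_variants_match(const char *filename)
{
	char shortname[SHORT_NAME_SIZE];
	struct dir_entry a, b;

	if (make_short_name(filename, shortname) < 0)
		return 0;
	memset(&a, 0, sizeof(a));
	memset(&b, 0, sizeof(b));
	set_short_name_single_copy(&a, shortname);
	set_short_name_split_copy(&b, shortname);
	return memcmp(&a, &b, sizeof(a)) == 0;
}
```

The static assertions are the cheap way to keep the single-copy shortcut honest: if anyone ever reorders the struct or drops the packing, the build fails instead of the directory entry silently corrupting. The split copy costs one extra memcpy() and makes both Coverity and the C standard happy; which one to prefer is a style call once the layout is asserted.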
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-20 21:03 ` Andre Przywara
@ 2021-01-20 21:34 ` Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2021-01-20 21:34 UTC (permalink / raw)
To: u-boot
On Wed, Jan 20, 2021 at 09:03:40PM +0000, Andre Przywara wrote:
> On Wed, 20 Jan 2021 14:04:18 -0500
> Tom Rini <trini@konsulko.com> wrote:
>
> Hi Tom,
>
> > I decided to run Coverity part-way through the merge window this time
> > and here's what's been found so far.
>
> Thanks for that!
> >
> > ----- Forwarded message from scan-admin at coverity.com -----
> >
> > Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> > From: scan-admin at coverity.com
> > To: tom.rini at gmail.com
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das
> > U-Boot found with Coverity Scan.
> >
> > 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > the recent build analyzed by Coverity Scan.
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 20 of 23 defect(s)
> >
> >
> > ** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> > /tools/sunxi_egon.c: 96 in egon_set_header()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> > /tools/sunxi_egon.c: 96 in egon_set_header()
> > 90
> > 91 /* If an image name has been provided, use it as the DT name.*/
> > 92 if (params->imagename && params->imagename[0]) {
> > 93 if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
> > 94 printf("WARNING: DT name too long for SPL header!\n");
> > 95 else {
> > >>> CID 316365: Memory - corruptions (STRING_OVERFLOW)
> > >>> You might overrun the 13-character destination string
> > >>> "header->string_pool" by writing 51 characters from
> > >>> "params->imagename".
>
> So this is a false report, as string_pool is 13 *words*:
> uint32_t string_pool[13];
> And I explicitly used sizeof() to avoid any ambiguities here.
>
> One could argue that this is at least misleading for a human reader, and
> a string pool should indeed be made of "char"s (which looks like indeed
> worth a patch), but the buffer is definitely 52 bytes long (and sizeof
> reports that).
> Not sure if that's worth reporting to Coverity, or we do just ignore it?
I'll mark it as false positive with your explanation above, thanks!
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-20 19:04 Tom Rini
2021-01-20 20:43 ` Heinrich Schuchardt
@ 2021-01-20 21:03 ` Andre Przywara
2021-01-20 21:34 ` Tom Rini
2021-01-21 11:36 ` Sughosh Ganu
2 siblings, 1 reply; 46+ messages in thread
From: Andre Przywara @ 2021-01-20 21:03 UTC (permalink / raw)
To: u-boot
On Wed, 20 Jan 2021 14:04:18 -0500
Tom Rini <trini@konsulko.com> wrote:
Hi Tom,
> I decided to run Coverity part-way through the merge window this time
> and here's what's been found so far.
Thanks for that!
>
> ----- Forwarded message from scan-admin at coverity.com -----
>
> Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> From: scan-admin at coverity.com
> To: tom.rini at gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
>
> ** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
>
>
> ________________________________________________________________________________________________________
> *** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
> 90
> 91 /* If an image name has been provided, use it as the DT name.*/
> 92 if (params->imagename && params->imagename[0]) {
> 93 if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
> 94 printf("WARNING: DT name too long for SPL header!\n");
> 95 else {
> >>> CID 316365: Memory - corruptions (STRING_OVERFLOW)
> >>> You might overrun the 13-character destination string
> >>> "header->string_pool" by writing 51 characters from
> >>> "params->imagename".
So this is a false report, as string_pool is 13 *words*:
uint32_t string_pool[13];
And I explicitly used sizeof() to avoid any ambiguities here.
One could argue that this is at least misleading for a human reader, and
a string pool should indeed be made of "char"s (which looks like indeed
worth a patch), but the buffer is definitely 52 bytes long (and sizeof
reports that).
Not sure if that's worth reporting to Coverity, or we do just ignore it?
Cheers,
Andre
> 96 strcpy((char *)header->string_pool, params->imagename);
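As an added example (not U-Boot's own code) of the point Andre makes above and in Tom's quoted reply: sizeof() measures the pool in bytes, so the check in egon_set_header() guards a 52-byte buffer, not the "13-character" one Coverity reports, and a 51-character name plus its NUL fits exactly. The struct demo_boot_file_head and the demo_* functions are hypothetical stand-ins for the real header and code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, cut-down stand-in for the SPL header quoted in the report:
 * the DT-name pool is declared as 13 32-bit words, so it is 52 bytes. */
struct demo_boot_file_head {
	uint32_t string_pool[13];
};

/* Byte size of the pool as sizeof() reports it (52): the figure the
 * length check in egon_set_header() actually uses. */
size_t demo_pool_bytes(void)
{
	return sizeof(((struct demo_boot_file_head *)0)->string_pool);
}

/* Element count of the pool (13): the figure Coverity's message quotes
 * as "13-character". */
size_t demo_pool_words(void)
{
	return sizeof(((struct demo_boot_file_head *)0)->string_pool) /
	       sizeof(uint32_t);
}

/* Same guard as the quoted code: a name may use at most 51 bytes so that
 * the NUL terminator still fits inside the 52-byte pool.
 * Returns 1 if the name was copied, 0 if it was rejected. */
int demo_set_dt_name(struct demo_boot_file_head *header, const char *name)
{
	if (!name || !name[0])
		return 0;
	if (strlen(name) > sizeof(header->string_pool) - 1) {
		printf("WARNING: DT name too long for SPL header!\n");
		return 0;
	}
	strcpy((char *)header->string_pool, name);
	return 1;
}

/* Boundary probe: build a constructed name of 'len' characters and report
 * whether demo_set_dt_name() accepted it and copied it intact (1), rejected
 * it (0), or the probe length itself is out of range (-1). */
int demo_try_name_len(size_t len)
{
	struct demo_boot_file_head header;
	char name[128];

	if (len >= sizeof(name))
		return -1;
	memset(&header, 0, sizeof(header));
	memset(name, 'a', len);
	name[len] = '\0';
	if (!demo_set_dt_name(&header, name))
		return 0;
	/* the copy, terminator included, must have landed inside the pool */
	return strcmp((const char *)header.string_pool, name) == 0;
}

int main(void)
{
	printf("pool: %zu words, %zu bytes\n",
	       demo_pool_words(), demo_pool_bytes());
	printf("51-char name accepted: %d\n", demo_try_name_len(51));
	printf("52-char name accepted: %d\n", demo_try_name_len(52));
	return 0;
}
```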
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2021-01-20 19:04 Tom Rini
@ 2021-01-20 20:43 ` Heinrich Schuchardt
2021-01-20 22:33 ` Heinrich Schuchardt
2021-01-21 2:09 ` AKASHI Takahiro
2021-01-20 21:03 ` Andre Przywara
2021-01-21 11:36 ` Sughosh Ganu
2 siblings, 2 replies; 46+ messages in thread
From: Heinrich Schuchardt @ 2021-01-20 20:43 UTC (permalink / raw)
To: u-boot
On 1/20/21 8:04 PM, Tom Rini wrote:
CC: Takahiro
> I decided to run Coverity part-way through the merge window this time
> and here's what's been found so far.
>
> ----- Forwarded message from scan-admin at coverity.com -----
>
> Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> From: scan-admin at coverity.com
> To: tom.rini at gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
>
> ** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
>
>
> ________________________________________________________________________________________________________
> *** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
> 90
> 91 /* If an image name has been provided, use it as the DT name. */
> 92 if (params->imagename && params->imagename[0]) {
> 93 if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
> 94 printf("WARNING: DT name too long for SPL header!\n");
> 95 else {
>>>> CID 316365: Memory - corruptions (STRING_OVERFLOW)
>>>> You might overrun the 13-character destination string "header->string_pool" by writing 51 characters from "params->imagename".
> 96 strcpy((char *)header->string_pool, params->imagename);
> 97 value = offsetof(struct boot_file_head, string_pool);
> 98 header->dt_name_offset = cpu_to_le32(value);
> 99 header->spl_signature[3] = SPL_DT_HEADER_VERSION;
> 100 }
> 101 }
>
> ** CID 316364: Null pointer dereferences (FORWARD_NULL)
> /cmd/efidebug.c: 202 in do_efi_capsule_res()
>
>
> ________________________________________________________________________________________________________
> *** CID 316364: Null pointer dereferences (FORWARD_NULL)
> /cmd/efidebug.c: 202 in do_efi_capsule_res()
> 196 printf("Failed to get %ls\n", var_name16);
> 197
> 198 return CMD_RET_FAILURE;
> 199 }
> 200 }
> 201
>>>> CID 316364: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "result".
> 202 printf("Result total size: 0x%x\n", result->variable_total_size);
> 203 printf("Capsule guid: %pUl\n", &result->capsule_guid);
> 204 printf("Time processed: %04d-%02d-%02d %02d:%02d:%02d\n",
> 205 result->capsule_processed.year, result->capsule_processed.month,
> 206 result->capsule_processed.day, result->capsule_processed.hour,
> 207 result->capsule_processed.minute,
>
> ** CID 316363: Null pointer dereferences (REVERSE_INULL)
> /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
>
>
> ________________________________________________________________________________________________________
> *** CID 316363: Null pointer dereferences (REVERSE_INULL)
> /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
> 1987 ret = EFI_CALL(load_file_protocol->load_file(
> 1988 load_file_protocol, dp, boot_policy,
> 1989 &buffer_size, (void *)(uintptr_t)addr));
> 1990 if (ret != EFI_SUCCESS)
> 1991 efi_free_pages(addr, pages);
> 1992 out:
>>>> CID 316363: Null pointer dereferences (REVERSE_INULL)
>>>> Null-checking "load_file_protocol" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 1993 if (load_file_protocol)
> 1994 EFI_CALL(efi_close_protocol(device,
> 1995 &efi_guid_load_file2_protocol,
> 1996 efi_root, NULL));
> 1997 if (ret == EFI_SUCCESS) {
> 1998 *buffer = (void *)(uintptr_t)addr;
>
> ** CID 316362: Error handling issues (CHECKED_RETURN)
> /fs/fat/fat_write.c: 422 in fill_dir_slot()
>
>
> ________________________________________________________________________________________________________
> *** CID 316362: Error handling issues (CHECKED_RETURN)
> /fs/fat/fat_write.c: 422 in fill_dir_slot()
> 416 while (counter >= 1) {
> 417 memcpy(itr->dent, slotptr, sizeof(dir_slot));
> 418 slotptr--;
> 419 counter--;
> 420
> 421 if (itr->remaining == 0)
>>>> CID 316362: Error handling issues (CHECKED_RETURN)
>>>> Calling "flush_dir" without checking return value (as is done elsewhere 5 out of 6 times).
> 422 flush_dir(itr);
> 423
> 424 next_dent(itr);
> 425 if (!itr->dent)
> 426 return -EIO;
> 427 }
>
> ** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
> /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
>
>
> ________________________________________________________________________________________________________
> *** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
> /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
> 761
> 762 ret = EFI_CALL((*dirh->setpos)(dirh, 0));
> 763 if (ret != EFI_SUCCESS)
> 764 goto err;
> 765
> 766 /* make a list */
>>>> CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
>>>> Passing argument "count * 8UL /* sizeof (*files) */" to function "dlmalloc" and then casting the return value to "u16 **" is suspicious. In this particular case "sizeof (u16 **)" happens to be equal to "sizeof (u16 *)", but this is not a portable assumption.
> 767 tmp_files = malloc(count * sizeof(*files));
> 768 if (!tmp_files) {
> 769 ret = EFI_OUT_OF_RESOURCES;
> 770 goto err;
> 771 }
> 772
>
> ** CID 316360: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 298 in create_fwbin()
>
>
> ________________________________________________________________________________________________________
> *** CID 316360: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 298 in create_fwbin()
> 292 goto err_3;
> 293 }
> 294
> 295 capsule.version = 0x00000001;
> 296 capsule.embedded_driver_count = 0;
> 297 capsule.payload_item_count = 1;
>>>> CID 316360: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "capsule". Field "capsule.item_offset_list" is uninitialized when calling "fwrite".
> 298 size = fwrite(&capsule, 1, sizeof(capsule), f);
> 299 if (size < (sizeof(capsule))) {
> 300 printf("write failed (%lx)\n", size);
> 301 goto err_3;
> 302 }
> 303 offset = sizeof(capsule) + sizeof(u64);
>
> ** CID 316359: Null pointer dereferences (FORWARD_NULL)
>
>
> ________________________________________________________________________________________________________
> *** CID 316359: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
> 374 ret = EFI_UNSUPPORTED;
> 375 goto out;
> 376 }
> 377
> 378 /* find a device for update firmware */
> 379 /* TODO: should we pass index as well, or nothing but type? */
>>>> CID 316359: Null pointer dereferences (FORWARD_NULL)
>>>> Passing null pointer "handles" to "efi_fmp_find", which dereferences it.
> 380 fmp = efi_fmp_find(&image->update_image_type_id,
> 381 image->update_hardware_instance,
> 382 handles, no_handles);
> 383 if (!fmp) {
> 384 log_err("EFI Capsule: driver not found for firmware type: %pUl, hardware instance: %lld\n",
> 385 &image->update_image_type_id,
>
> ** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
>
>
> ________________________________________________________________________________________________________
> *** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
> 157 int ret;
> 158
> 159 pdata->iobase = dev_read_addr(dev);
> 160
> 161 ifname = dev_read_string(dev, "host-raw-interface");
> 162 if (ifname) {
>>>> CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "priv->host_ifname" of size 16 bytes might leave the destination string unterminated.
> 163 strncpy(priv->host_ifname, ifname, IFNAMSIZ);
> 164 printf(": Using %s from DT\n", priv->host_ifname);
> 165 }
> 166 if (dev_read_u32(dev, "host-raw-interface-idx",
> 167 &priv->host_ifindex) < 0) {
> 168 priv->host_ifindex = 0;
>
> ** CID 316357: Memory - corruptions (BUFFER_SIZE)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
>
>
> ________________________________________________________________________________________________________
> *** CID 316357: Memory - corruptions (BUFFER_SIZE)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
> 1148
> 1149 set_start_cluster(mydata, dentptr, start_cluster);
> 1150 dentptr->size = cpu_to_le32(size);
> 1151
> 1152 dentptr->attr = attr;
> 1153
>>>> CID 316357: Memory - corruptions (BUFFER_SIZE)
>>>> You might overrun the 8 byte destination string "dentptr->name" by writing the maximum 11 bytes from "shortname".
> 1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
> 1155 }
> 1156
> 1157 /**
> 1158 * find_directory_entry() - find a directory entry by filename
> 1159 *
>
> ** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
> ________________________________________________________________________________________________________
> *** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
>>>> CID 316356: Resource leaks (RESOURCE_LEAK)
>>>> Handle variable "srcfd" going out of scope leaks the handle.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
> ** CID 316355: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
>
>
> ________________________________________________________________________________________________________
> *** CID 316355: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
> 842 }
> 843 ret = EFI_CALL((*fh->getinfo)(fh, &efi_file_info_guid,
> 844 &size, file_info));
> 845 }
> 846 if (ret != EFI_SUCCESS)
> 847 goto err;
>>>> CID 316355: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "file_info".
> 848 size = file_info->file_size;
> 849 free(file_info);
> 850 buf = malloc(size);
> 851 if (!buf) {
> 852 ret = EFI_OUT_OF_RESOURCES;
> 853 goto err;
>
> ** CID 316354: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 318 in create_fwbin()
>
>
> ________________________________________________________________________________________________________
> *** CID 316354: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 318 in create_fwbin()
> 312 image.update_image_index = index;
> 313 image.update_image_size = bin_stat.st_size;
> 314 image.update_vendor_code_size = 0; /* none */
> 315 image.update_hardware_instance = instance;
> 316 image.image_capsule_support = 0;
> 317
>>>> CID 316354: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "image". Field "image.reserved" is uninitialized when calling "fwrite".
> 318 size = fwrite(&image, 1, sizeof(image), f);
> 319 if (size < sizeof(image)) {
> 320 printf("write failed (%lx)\n", size);
> 321 goto err_3;
> 322 }
> 323 size = fread(data, 1, bin_stat.st_size, g);
>
> ** CID 316353: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
> ________________________________________________________________________________________________________
> *** CID 316353: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
>>>> CID 316353: Resource leaks (RESOURCE_LEAK)
>>>> Variable "sptr" going out of scope leaks the storage it points to.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
> ** CID 316352: Security best practices violations (STRING_OVERFLOW)
> /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
>
>
> ________________________________________________________________________________________________________
> *** CID 316352: Security best practices violations (STRING_OVERFLOW)
> /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
> 484 char *interface, char *devstr)
> 485 {
> 486 char *st;
> 487
> 488 debug("%s: %s interface: %s dev: %s\n", __func__, s, interface, devstr);
> 489 st = strsep(&s, " ");
>>>> CID 316352: Security best practices violations (STRING_OVERFLOW)
>>>> You might overrun the 32-character fixed-size string "dfu->name" by copying "st" without checking the length.
> 490 strcpy(dfu->name, st);
> 491
> 492 dfu->alt = alt;
> 493 dfu->max_buf_size = 0;
> 494 dfu->free_entity = NULL;
> 495
>
> ** CID 316351: Error handling issues (CHECKED_RETURN)
> /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
>
>
> ________________________________________________________________________________________________________
> *** CID 316351: Error handling issues (CHECKED_RETURN)
> /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
> 224 cell = dev_read_prop(dev, "brightness-levels", &len);
> 225 count = len / sizeof(u32);
> 226 if (cell && count > index) {
> 227 priv->levels = malloc(len);
> 228 if (!priv->levels)
> 229 return log_ret(-ENOMEM);
>>>> CID 316351: Error handling issues (CHECKED_RETURN)
>>>> Calling "dev_read_u32_array" without checking return value (as is done elsewhere 8 out of 9 times).
> 230 dev_read_u32_array(dev, "brightness-levels", priv->levels,
> 231 count);
> 232 priv->num_levels = count;
> 233 priv->default_level = priv->levels[index];
> 234 priv->max_level = priv->levels[count - 1];
> 235 } else {
>
> ** CID 316350: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
>
>
> ________________________________________________________________________________________________________
> *** CID 316350: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
> 1148
> 1149 set_start_cluster(mydata, dentptr, start_cluster);
> 1150 dentptr->size = cpu_to_le32(size);
> 1151
> 1152 dentptr->attr = attr;
> 1153
>>>> CID 316350: Memory - corruptions (OVERRUN)
>>>> Overrunning array "dentptr->name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
> 1155 }
> 1156
> 1157 /**
> 1158 * find_directory_entry() - find a directory entry by filename
> 1159 *
>
> ** CID 316349: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
> ________________________________________________________________________________________________________
> *** CID 316349: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
>>>> CID 316349: Resource leaks (RESOURCE_LEAK)
>>>> Handle variable "destfd" going out of scope leaks the handle.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
> ** CID 316348: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 188 in set_name()
>
>
> ________________________________________________________________________________________________________
> *** CID 316348: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 188 in set_name()
> 182 /* Each long name directory entry takes 13 characters. */
> 183 ret = (strlen(filename) + 25) / 13;
> 184 goto out;
> 185 }
> 186 return -EIO;
> 187 out:
>>>> CID 316348: Memory - corruptions (OVERRUN)
>>>> Overrunning array "dirent.name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 188 memcpy(shortname, dirent.name, SHORT_NAME_SIZE);
> 189 return ret;
> 190 }
> 191
> 192 static int total_sector;
> 193 static int disk_write(__u32 block, __u32 nr_blocks, void *buf)
>
> ** CID 316347: Null pointer dereferences (FORWARD_NULL)
> /cmd/sandbox/exception.c: 16 in do_sigsegv()
>
>
> ________________________________________________________________________________________________________
> *** CID 316347: Null pointer dereferences (FORWARD_NULL)
> /cmd/sandbox/exception.c: 16 in do_sigsegv()
> 10
> 11 static int do_sigsegv(struct cmd_tbl *cmdtp, int flag, int argc,
> 12 char *const argv[])
> 13 {
> 14 u8 *ptr = NULL;
> 15
>>>> CID 316347: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "ptr".
> 16 *ptr = 0;
> 17 return CMD_RET_FAILURE;
> 18 }
> 19
> 20 static int do_undefined(struct cmd_tbl *cmdtp, int flag, int argc,
> 21 char *const argv[])
>
> ** CID 316346: Control flow issues (UNREACHABLE)
> /test/cmd/setexpr.c: 275 in setexpr_test_backref()
>
>
> ________________________________________________________________________________________________________
> *** CID 316346: Control flow issues (UNREACHABLE)
> /test/cmd/setexpr.c: 275 in setexpr_test_backref()
> 269 "us \\1 \\2 \\3!", true));
> 270 ut_asserteq_str("us this is surely! a test is it? yes us this is indeed! a test",
> 271 buf);
> 272
> 273 /* The following checks fail at present due to a bug in setexpr */
> 274 return 0;
>>>> CID 316346: Control flow issues (UNREACHABLE)
>>>> This code cannot be reached: "i = 256;".
> 275 for (i = BUF_SIZE; i < 0x1000; i++) {
> 276 ut_assertf(buf[i] == (char)i,
> 277 "buf byte at %x should be %02x, got %02x)\n",
> 278 i, i & 0xff, (u8)buf[i]);
> 279 ut_assertf(nbuf[i] == (char)i,
> 280 "nbuf byte at %x should be %02x, got %02x)\n",
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzXLV_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFlP-2B70lLxg94OYlINE3kVz2K7-2BaNONHtJP8TbjZRniVWbxuTUQjTtQl1N-2FQyFOjCv8gPw5EPU0ENb3p98VX92ve7SRBWt1r1v-2F-2F6AWroTa-2Bh7rN2QA2fbSgDcYmJ9RJ86TD6dhAH88KDOiq3Saai3zTbA9TSu9jcthFTuvEyi5KBE-3D
>
> To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DBleN_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFl83Kn4j1MsEeVR-2BhiT4TgLlRMzBzziPEpnjhf5UW-2FNLxwPg-2FlX4hM5uoZCyOPlCN-2BiReYf6wkiLt6iKknc3lnJUyqsWnyxIFGwSu2OUxAVy5vnsIFdRuglO4-2B9vJx2XrTM801x6AhuO0Zb5xr5hI9qgs9dwug2dbKvAt0T-2F-2Bv9VI-3D
>
>
> ----- End forwarded message -----
>
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2021-01-20 19:04 Tom Rini
2021-01-20 20:43 ` Heinrich Schuchardt
` (2 more replies)
0 siblings, 3 replies; 46+ messages in thread
From: Tom Rini @ 2021-01-20 19:04 UTC (permalink / raw)
To: u-boot
I decided to run Coverity part-way through the merge window this time
and here's what's been found so far.
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 23 defect(s)
** CID 316365: Memory - corruptions (STRING_OVERFLOW)
/tools/sunxi_egon.c: 96 in egon_set_header()
________________________________________________________________________________________________________
*** CID 316365: Memory - corruptions (STRING_OVERFLOW)
/tools/sunxi_egon.c: 96 in egon_set_header()
90
91 /* If an image name has been provided, use it as the DT name. */
92 if (params->imagename && params->imagename[0]) {
93 if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
94 printf("WARNING: DT name too long for SPL header!\n");
95 else {
>>> CID 316365: Memory - corruptions (STRING_OVERFLOW)
>>> You might overrun the 13-character destination string "header->string_pool" by writing 51 characters from "params->imagename".
96 strcpy((char *)header->string_pool, params->imagename);
97 value = offsetof(struct boot_file_head, string_pool);
98 header->dt_name_offset = cpu_to_le32(value);
99 header->spl_signature[3] = SPL_DT_HEADER_VERSION;
100 }
101 }
** CID 316364: Null pointer dereferences (FORWARD_NULL)
/cmd/efidebug.c: 202 in do_efi_capsule_res()
________________________________________________________________________________________________________
*** CID 316364: Null pointer dereferences (FORWARD_NULL)
/cmd/efidebug.c: 202 in do_efi_capsule_res()
196 printf("Failed to get %ls\n", var_name16);
197
198 return CMD_RET_FAILURE;
199 }
200 }
201
>>> CID 316364: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "result".
202 printf("Result total size: 0x%x\n", result->variable_total_size);
203 printf("Capsule guid: %pUl\n", &result->capsule_guid);
204 printf("Time processed: %04d-%02d-%02d %02d:%02d:%02d\n",
205 result->capsule_processed.year, result->capsule_processed.month,
206 result->capsule_processed.day, result->capsule_processed.hour,
207 result->capsule_processed.minute,
** CID 316363: Null pointer dereferences (REVERSE_INULL)
/lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
________________________________________________________________________________________________________
*** CID 316363: Null pointer dereferences (REVERSE_INULL)
/lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
1987 ret = EFI_CALL(load_file_protocol->load_file(
1988 load_file_protocol, dp, boot_policy,
1989 &buffer_size, (void *)(uintptr_t)addr));
1990 if (ret != EFI_SUCCESS)
1991 efi_free_pages(addr, pages);
1992 out:
>>> CID 316363: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "load_file_protocol" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1993 if (load_file_protocol)
1994 EFI_CALL(efi_close_protocol(device,
1995 &efi_guid_load_file2_protocol,
1996 efi_root, NULL));
1997 if (ret == EFI_SUCCESS) {
1998 *buffer = (void *)(uintptr_t)addr;
** CID 316362: Error handling issues (CHECKED_RETURN)
/fs/fat/fat_write.c: 422 in fill_dir_slot()
________________________________________________________________________________________________________
*** CID 316362: Error handling issues (CHECKED_RETURN)
/fs/fat/fat_write.c: 422 in fill_dir_slot()
416 while (counter >= 1) {
417 memcpy(itr->dent, slotptr, sizeof(dir_slot));
418 slotptr--;
419 counter--;
420
421 if (itr->remaining == 0)
>>> CID 316362: Error handling issues (CHECKED_RETURN)
>>> Calling "flush_dir" without checking return value (as is done elsewhere 5 out of 6 times).
422 flush_dir(itr);
423
424 next_dent(itr);
425 if (!itr->dent)
426 return -EIO;
427 }
** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
/lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
________________________________________________________________________________________________________
*** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
/lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
761
762 ret = EFI_CALL((*dirh->setpos)(dirh, 0));
763 if (ret != EFI_SUCCESS)
764 goto err;
765
766 /* make a list */
>>> CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
>>> Passing argument "count * 8UL /* sizeof (*files) */" to function "dlmalloc" and then casting the return value to "u16 **" is suspicious. In this particular case "sizeof (u16 **)" happens to be equal to "sizeof (u16 *)", but this is not a portable assumption.
767 tmp_files = malloc(count * sizeof(*files));
768 if (!tmp_files) {
769 ret = EFI_OUT_OF_RESOURCES;
770 goto err;
771 }
772
** CID 316360: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 298 in create_fwbin()
________________________________________________________________________________________________________
*** CID 316360: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 298 in create_fwbin()
292 goto err_3;
293 }
294
295 capsule.version = 0x00000001;
296 capsule.embedded_driver_count = 0;
297 capsule.payload_item_count = 1;
>>> CID 316360: Uninitialized variables (UNINIT)
>>> Using uninitialized value "capsule". Field "capsule.item_offset_list" is uninitialized when calling "fwrite".
298 size = fwrite(&capsule, 1, sizeof(capsule), f);
299 if (size < (sizeof(capsule))) {
300 printf("write failed (%lx)\n", size);
301 goto err_3;
302 }
303 offset = sizeof(capsule) + sizeof(u64);
** CID 316359: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 316359: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
374 ret = EFI_UNSUPPORTED;
375 goto out;
376 }
377
378 /* find a device for update firmware */
379 /* TODO: should we pass index as well, or nothing but type? */
>>> CID 316359: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "handles" to "efi_fmp_find", which dereferences it.
380 fmp = efi_fmp_find(&image->update_image_type_id,
381 image->update_hardware_instance,
382 handles, no_handles);
383 if (!fmp) {
384 log_err("EFI Capsule: driver not found for firmware type: %pUl, hardware instance: %lld\n",
385 &image->update_image_type_id,
** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
________________________________________________________________________________________________________
*** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
157 int ret;
158
159 pdata->iobase = dev_read_addr(dev);
160
161 ifname = dev_read_string(dev, "host-raw-interface");
162 if (ifname) {
>>> CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "priv->host_ifname" of size 16 bytes might leave the destination string unterminated.
163 strncpy(priv->host_ifname, ifname, IFNAMSIZ);
164 printf(": Using %s from DT\n", priv->host_ifname);
165 }
166 if (dev_read_u32(dev, "host-raw-interface-idx",
167 &priv->host_ifindex) < 0) {
168 priv->host_ifindex = 0;
** CID 316357: Memory - corruptions (BUFFER_SIZE)
/fs/fat/fat_write.c: 1154 in fill_dentry()
________________________________________________________________________________________________________
*** CID 316357: Memory - corruptions (BUFFER_SIZE)
/fs/fat/fat_write.c: 1154 in fill_dentry()
1148
1149 set_start_cluster(mydata, dentptr, start_cluster);
1150 dentptr->size = cpu_to_le32(size);
1151
1152 dentptr->attr = attr;
1153
>>> CID 316357: Memory - corruptions (BUFFER_SIZE)
>>> You might overrun the 8 byte destination string "dentptr->name" by writing the maximum 11 bytes from "shortname".
1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
1155 }
1156
1157 /**
1158 * find_directory_entry() - find a directory entry by filename
1159 *
** CID 316356: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
________________________________________________________________________________________________________
*** CID 316356: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219 if (ret < 0) {
220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221 __func__);
222 goto err;
223 }
224
>>> CID 316356: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "srcfd" going out of scope leaks the handle.
225 return 0;
226
227 err:
228 if (sptr)
229 munmap(sptr, src_size);
230
** CID 316355: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
________________________________________________________________________________________________________
*** CID 316355: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
842 }
843 ret = EFI_CALL((*fh->getinfo)(fh, &efi_file_info_guid,
844 &size, file_info));
845 }
846 if (ret != EFI_SUCCESS)
847 goto err;
>>> CID 316355: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "file_info".
848 size = file_info->file_size;
849 free(file_info);
850 buf = malloc(size);
851 if (!buf) {
852 ret = EFI_OUT_OF_RESOURCES;
853 goto err;
** CID 316354: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 318 in create_fwbin()
________________________________________________________________________________________________________
*** CID 316354: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 318 in create_fwbin()
312 image.update_image_index = index;
313 image.update_image_size = bin_stat.st_size;
314 image.update_vendor_code_size = 0; /* none */
315 image.update_hardware_instance = instance;
316 image.image_capsule_support = 0;
317
>>> CID 316354: Uninitialized variables (UNINIT)
>>> Using uninitialized value "image". Field "image.reserved" is uninitialized when calling "fwrite".
318 size = fwrite(&image, 1, sizeof(image), f);
319 if (size < sizeof(image)) {
320 printf("write failed (%lx)\n", size);
321 goto err_3;
322 }
323 size = fread(data, 1, bin_stat.st_size, g);
** CID 316353: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
________________________________________________________________________________________________________
*** CID 316353: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219 if (ret < 0) {
220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221 __func__);
222 goto err;
223 }
224
>>> CID 316353: Resource leaks (RESOURCE_LEAK)
>>> Variable "sptr" going out of scope leaks the storage it points to.
225 return 0;
226
227 err:
228 if (sptr)
229 munmap(sptr, src_size);
230
** CID 316352: Security best practices violations (STRING_OVERFLOW)
/drivers/dfu/dfu.c: 490 in dfu_fill_entity()
________________________________________________________________________________________________________
*** CID 316352: Security best practices violations (STRING_OVERFLOW)
/drivers/dfu/dfu.c: 490 in dfu_fill_entity()
484 char *interface, char *devstr)
485 {
486 char *st;
487
488 debug("%s: %s interface: %s dev: %s\n", __func__, s, interface, devstr);
489 st = strsep(&s, " ");
>>> CID 316352: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 32-character fixed-size string "dfu->name" by copying "st" without checking the length.
490 strcpy(dfu->name, st);
491
492 dfu->alt = alt;
493 dfu->max_buf_size = 0;
494 dfu->free_entity = NULL;
495
** CID 316351: Error handling issues (CHECKED_RETURN)
/drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
________________________________________________________________________________________________________
*** CID 316351: Error handling issues (CHECKED_RETURN)
/drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
224 cell = dev_read_prop(dev, "brightness-levels", &len);
225 count = len / sizeof(u32);
226 if (cell && count > index) {
227 priv->levels = malloc(len);
228 if (!priv->levels)
229 return log_ret(-ENOMEM);
>>> CID 316351: Error handling issues (CHECKED_RETURN)
>>> Calling "dev_read_u32_array" without checking return value (as is done elsewhere 8 out of 9 times).
230 dev_read_u32_array(dev, "brightness-levels", priv->levels,
231 count);
232 priv->num_levels = count;
233 priv->default_level = priv->levels[index];
234 priv->max_level = priv->levels[count - 1];
235 } else {
** CID 316350: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 1154 in fill_dentry()
________________________________________________________________________________________________________
*** CID 316350: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 1154 in fill_dentry()
1148
1149 set_start_cluster(mydata, dentptr, start_cluster);
1150 dentptr->size = cpu_to_le32(size);
1151
1152 dentptr->attr = attr;
1153
>>> CID 316350: Memory - corruptions (OVERRUN)
>>> Overrunning array "dentptr->name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
1155 }
1156
1157 /**
1158 * find_directory_entry() - find a directory entry by filename
1159 *
** CID 316349: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
________________________________________________________________________________________________________
*** CID 316349: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219 if (ret < 0) {
220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221 __func__);
222 goto err;
223 }
224
>>> CID 316349: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "destfd" going out of scope leaks the handle.
225 return 0;
226
227 err:
228 if (sptr)
229 munmap(sptr, src_size);
230
** CID 316348: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 188 in set_name()
________________________________________________________________________________________________________
*** CID 316348: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 188 in set_name()
182 /* Each long name directory entry takes 13 characters. */
183 ret = (strlen(filename) + 25) / 13;
184 goto out;
185 }
186 return -EIO;
187 out:
>>> CID 316348: Memory - corruptions (OVERRUN)
>>> Overrunning array "dirent.name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
188 memcpy(shortname, dirent.name, SHORT_NAME_SIZE);
189 return ret;
190 }
191
192 static int total_sector;
193 static int disk_write(__u32 block, __u32 nr_blocks, void *buf)
** CID 316347: Null pointer dereferences (FORWARD_NULL)
/cmd/sandbox/exception.c: 16 in do_sigsegv()
________________________________________________________________________________________________________
*** CID 316347: Null pointer dereferences (FORWARD_NULL)
/cmd/sandbox/exception.c: 16 in do_sigsegv()
10
11 static int do_sigsegv(struct cmd_tbl *cmdtp, int flag, int argc,
12 char *const argv[])
13 {
14 u8 *ptr = NULL;
15
>>> CID 316347: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "ptr".
16 *ptr = 0;
17 return CMD_RET_FAILURE;
18 }
19
20 static int do_undefined(struct cmd_tbl *cmdtp, int flag, int argc,
21 char *const argv[])
** CID 316346: Control flow issues (UNREACHABLE)
/test/cmd/setexpr.c: 275 in setexpr_test_backref()
________________________________________________________________________________________________________
*** CID 316346: Control flow issues (UNREACHABLE)
/test/cmd/setexpr.c: 275 in setexpr_test_backref()
269 "us \\1 \\2 \\3!", true));
270 ut_asserteq_str("us this is surely! a test is it? yes us this is indeed! a test",
271 buf);
272
273 /* The following checks fail at present due to a bug in setexpr */
274 return 0;
>>> CID 316346: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "i = 256;".
275 for (i = BUF_SIZE; i < 0x1000; i++) {
276 ut_assertf(buf[i] == (char)i,
277 "buf byte at %x should be %02x, got %02x)\n",
278 i, i & 0xff, (u8)buf[i]);
279 ut_assertf(nbuf[i] == (char)i,
280 "nbuf byte at %x should be %02x, got %02x)\n",
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzXLV_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFlP-2B70lLxg94OYlINE3kVz2K7-2BaNONHtJP8TbjZRniVWbxuTUQjTtQl1N-2FQyFOjCv8gPw5EPU0ENb3p98VX92ve7SRBWt1r1v-2F-2F6AWroTa-2Bh7rN2QA2fbSgDcYmJ9RJ86TD6dhAH88KDOiq3Saai3zTbA9TSu9jcthFTuvEyi5KBE-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DBleN_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFl83Kn4j1MsEeVR-2BhiT4TgLlRMzBzziPEpnjhf5UW-2FNLxwPg-2FlX4hM5uoZCyOPlCN-2BiReYf6wkiLt6iKknc3lnJUyqsWnyxIFGwSu2OUxAVy5vnsIFdRuglO4-2B9vJx2XrTM801x6AhuO0Zb5xr5hI9qgs9dwug2dbKvAt0T-2F-2Bv9VI-3D
----- End forwarded message -----
--
Tom
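Two of the C idioms in the report above recur across firmware and host tooling and are worth seeing side by side: strncpy() with a bound equal to the destination size (CID 316358, and the unbounded strcpy() into the 32-byte dfu->name in CID 316352), and a partly initialised struct handed straight to fwrite() (CID 316360 and CID 316354, where reserved fields of a capsule header would carry whatever the build host's stack held into the file). The following is an added example, not U-Boot or mkeficapsule code: the 16-byte IFNAMSIZ matches the Coverity message, but struct image_hdr, its field layout and every function name here are this example's own assumptions, chosen only to reproduce the two patterns deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not U-Boot code. IFNAMSIZ mirrors the 16-byte host
 * interface name in CID 316358; image_hdr stands in for the partly
 * initialised header mkeficapsule writes (CID 316360/316354). */
#define IFNAMSIZ 16

struct net_priv {
	char host_ifname[IFNAMSIZ];
	int host_ifindex;	/* the field an unterminated read runs into */
};

/* The flagged idiom: bound == destination size, so a source of 16+ chars
 * leaves no NUL and every later "%s" or strlen() reads past the array. */
static void copy_ifname_flagged(struct net_priv *p, const char *src)
{
	strncpy(p->host_ifname, src, IFNAMSIZ);
}

/* The check: is there a NUL anywhere inside the buffer's declared size? */
static int is_terminated(const char *buf, size_t size)
{
	return memchr(buf, '\0', size) != NULL;
}

/* Returns 1 when the flagged copy leaves host_ifname unterminated. */
static int demo_strncpy_unterminated(void)
{
	struct net_priv p;
	memset(&p, 'X', sizeof(p));		/* stand-in for stale memory */
	copy_ifname_flagged(&p, "0123456789abcdefXYZ");	/* 19 chars */
	return !is_terminated(p.host_ifname, IFNAMSIZ);
}

/* Replacement: always terminates and returns strlen(src), so the caller
 * detects truncation with copy_bounded(...) >= dst_size (strlcpy semantics).
 * The same helper covers the strcpy() into dfu->name from CID 316352. */
static size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
	size_t len = strlen(src), n;
	if (dst_size == 0)
		return len;
	n = len < dst_size - 1 ? len : dst_size - 1;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return len;
}

struct image_hdr {
	uint32_t version;
	uint16_t driver_count;
	uint16_t item_count;
	uint64_t image_size;
	uint8_t  reserved[8];	/* never assigned on the flagged path */
};

/* The flagged idiom: only some fields are set before fwrite(), so reserved
 * (and any padding) carries whatever the stack held into the output file. */
static void build_hdr_flagged(struct image_hdr *h, uint64_t image_size)
{
	h->version = 1;
	h->driver_count = 0;
	h->item_count = 1;
	h->image_size = image_size;
}

/* Replacement: memset() clears reserved fields and padding bytes; a "= {0}"
 * initialiser is only guaranteed to zero the named members. */
static size_t build_hdr_zeroed(struct image_hdr *h, uint64_t image_size)
{
	memset(h, 0, sizeof(*h));
	h->version = 1;
	h->item_count = 1;
	h->image_size = image_size;
	return sizeof(*h);	/* bytes that would be written */
}

/* Builds a header over memory pre-filled with 0xAA (stand-in for stale stack
 * contents) and returns how many reserved bytes would reach the file non-zero. */
static size_t demo_stale_reserved_bytes(int zeroed)
{
	struct image_hdr h;
	size_t i, n = 0;
	memset(&h, 0xAA, sizeof(h));
	if (zeroed)
		build_hdr_zeroed(&h, 4096);
	else
		build_hdr_flagged(&h, 4096);
	for (i = 0; i < sizeof(h.reserved); i++)
		n += h.reserved[i] != 0;
	return n;
}

int main(void)
{
	printf("unterminated=%d flagged_stale=%zu zeroed_stale=%zu\n",
	       demo_strncpy_unterminated(), demo_stale_reserved_bytes(0),
	       demo_stale_reserved_bytes(1));
	return 0;
}
```

The is_terminated() check is the one to run on any fixed-size field filled by strncpy(): the Coverity wording "might leave the destination string unterminated" is exactly the case where memchr() finds no NUL. For the header case, the decision to memset() the whole struct rather than rely on an initialiser is deliberate, because padding bytes are the part a field-by-field review never sees and the part that ends up in a file that is later shipped to devices.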
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2020-12-03 17:28 Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2020-12-03 17:28 UTC (permalink / raw)
To: u-boot
This latest run also closed a number of open defects (the CIDs of which
are sadly not in the summary).
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 30 Nov 2020 18:33:34 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 313548: Uninitialized variables (UNINIT)
/drivers/mmc/mmc.c: 2194 in mmc_select_mode_and_width()
________________________________________________________________________________________________________
*** CID 313548: Uninitialized variables (UNINIT)
/drivers/mmc/mmc.c: 2194 in mmc_select_mode_and_width()
2188 EXT_CSD_BUS_WIDTH, EXT_CSD_BUS_WIDTH_1);
2189 mmc_select_mode(mmc, MMC_LEGACY);
2190 mmc_set_bus_width(mmc, 1);
2191 }
2192 }
2193
>>> CID 313548: Uninitialized variables (UNINIT)
>>> Using uninitialized value "err" when calling "printf".
2194 pr_err("unable to select a mode : %d\n", err);
2195
2196 return -ENOTSUPP;
2197 }
2198 #endif
2199
** CID 313547: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 953 in sqfs_opendir()
________________________________________________________________________________________________________
*** CID 313547: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 953 in sqfs_opendir()
947 dirs->table += SQFS_DIR_HEADER_SIZE;
948
949 *dirsp = (struct fs_dir_stream *)dirs;
950
951 out:
952 for (j = 0; j < token_count; j++)
>>> CID 313547: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "token_list".
953 free(token_list[j]);
954 free(token_list);
955 free(pos_list);
956 free(path);
957 if (ret) {
958 free(inode_table);
** CID 313546: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1605 in sqfs_size()
________________________________________________________________________________________________________
*** CID 313546: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1605 in sqfs_size()
1599 printf("File not found.\n");
1600 *size = 0;
1601 ret = -EINVAL;
1602 goto free_strings;
1603 }
1604
>>> CID 313546: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dirs->entry".
1605 i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset;
1606 ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes,
1607 sblk->block_size);
1608 free(dirs->entry);
1609 dirs->entry = NULL;
1610
** CID 313545: (FORWARD_NULL)
/fs/squashfs/sqfs.c: 516 in sqfs_search_dir()
/fs/squashfs/sqfs.c: 516 in sqfs_search_dir()
________________________________________________________________________________________________________
*** CID 313545: (FORWARD_NULL)
/fs/squashfs/sqfs.c: 516 in sqfs_search_dir()
510 printf("** Cannot find directory. **\n");
511 ret = -EINVAL;
512 goto out;
513 }
514
515 /* Redefine inode as the found token */
>>> CID 313545: (FORWARD_NULL)
>>> Dereferencing null pointer "dirs->entry".
516 new_inode_number = dirs->entry->inode_offset +
517 dirs->dir_header->inode_number;
518
519 /* Get reference to inode in the inode table */
520 table = sqfs_find_inode(dirs->inode_table, new_inode_number,
521 sblk->inodes, sblk->block_size);
/fs/squashfs/sqfs.c: 516 in sqfs_search_dir()
510 printf("** Cannot find directory. **\n");
511 ret = -EINVAL;
512 goto out;
513 }
514
515 /* Redefine inode as the found token */
>>> CID 313545: (FORWARD_NULL)
>>> Dereferencing null pointer "dirs->entry".
516 new_inode_number = dirs->entry->inode_offset +
517 dirs->dir_header->inode_number;
518
519 /* Get reference to inode in the inode table */
520 table = sqfs_find_inode(dirs->inode_table, new_inode_number,
521 sblk->inodes, sblk->block_size);
** CID 313544: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1366 in sqfs_read()
________________________________________________________________________________________________________
*** CID 313544: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1366 in sqfs_read()
1360 printf("File not found.\n");
1361 *actread = 0;
1362 ret = -ENOENT;
1363 goto out;
1364 }
1365
>>> CID 313544: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dirs->entry".
1366 i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset;
1367 ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes,
1368 sblk->block_size);
1369
1370 base = (struct squashfs_base_inode *)ipos;
1371 switch (get_unaligned_le16(&base->inode_type)) {
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DZs-v_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtN3JxLp2B5CSsxorhm8wtmLedkiPv9kYejlqgrLobigk7QzKCLISKHxGU6zVV33iYV78tUEiPh5Ztuf69acmElPECtqYXfGpV6b65zwVBCWUkOdU-2FFhvPGbHv2RyJAEnx6WQlg467Tgn7Pa8uHzDtH4S-2FI9gFsM6OsQ8ct1T7Ovl-2FJvkc1s3u7lPACBdbfIOo-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DSCgH_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtN3JxLp2B5CSsxorhm8wtm-2BYdI9RyIF9jeDtnXStwhOThFUwHv1h2rtl1Rc-2F3So-2B-2FoVfdIYBRRPrxN8Do-2BHHhwVch1Nm7xBI1HVIWTGmw5XFXcqFyhJ17sm4uZdEqbM-2BgqoOenysxH5k9MFDvKEAN402mvfbkkTtOJJwqeGxrekkiTH43M6bnkpzNozhrl9Ws-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2020-11-10 21:18 Tom Rini
0 siblings, 0 replies; 46+ messages in thread
From: Tom Rini @ 2020-11-10 21:18 UTC (permalink / raw)
To: u-boot
Sadly, when we eliminate defects it doesn't say which ones in an email.
-rc2 eliminated one defect and introduced these two new ones.
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 09 Nov 2020 22:31:55 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 313047: Control flow issues (DEADCODE)
/drivers/core/lists.c: 106 in bind_drivers_pass()
________________________________________________________________________________________________________
*** CID 313047: Control flow issues (DEADCODE)
/drivers/core/lists.c: 106 in bind_drivers_pass()
100 dm_warn("No match for driver '%s'\n", entry->name);
101 if (!result || ret != -ENOENT)
102 result = ret;
103 }
104 }
105
>>> CID 313047: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "-11" inside this statement: "return result ? result : (m...".
106 return result ? result : missing_parent ? -EAGAIN : 0;
107 }
108
109 int lists_bind_drivers(struct udevice *parent, bool pre_reloc_only)
110 {
111 int result = 0;
** CID 313046: Uninitialized variables (UNINIT)
/test/dm/test-main.c: 202 in dm_test_main()
________________________________________________________________________________________________________
*** CID 313046: Uninitialized variables (UNINIT)
/test/dm/test-main.c: 202 in dm_test_main()
196 */
197 if (!(test->flags & UT_TESTF_LIVE_TREE) &&
198 (!runs || dm_test_run_on_flattree(test))) {
199 ut_assertok(dm_do_test(uts, test, false));
200 runs++;
201 }
>>> CID 313046: Uninitialized variables (UNINIT)
>>> Using uninitialized value "found".
202 found++;
203 }
204
205 if (test_name && !found)
206 printf("Test '%s' not found\n", test_name);
207 else
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3Da1oJ_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsYOUgTY-2FyPoDZTSHwUzjSdopTJBj3nqeuoH6EmxKw4bdnFoAIzoVhtx0ddbDrK9rK3KXWgv-2Fr91EWwYn-2FbuIxmGoRCC1vVrTIiiS-2BeJSJN-2BAm6wStqFh31o-2B6yfb96-2FExHhDPXc860EDfuC4s6C3e7tpg2RzHHl-2BVIUN9ezOpqfmXzuXw-2FptMXHgCInxfd5Iw-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3D62m6_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsYOUgTY-2FyPoDZTSHwUzjSd4GW73bOCxFmNia7zoK3Oa4qB9-2BOuJcFplp02CIL-2B7HRGMgBx-2F2-2FpfhSyRpqj-2FZxPwBQ27l3roadNVk85oAbxGhcAf6bMfXb4BGV6Z7EGpfLe-2BlLR9a0mH6FT79NVGEnUb524AuEBT1KpEATUtbdFb2CgkRtf3b0mTZ7Y4y71adI-3D
----- End forwarded message -----
--
Tom
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
2020-10-30 19:16 Tom Rini
@ 2020-11-02 11:54 ` Pratyush Yadav
0 siblings, 0 replies; 46+ messages in thread
From: Pratyush Yadav @ 2020-11-02 11:54 UTC (permalink / raw)
To: u-boot
[Copy-pasting my reply to the off-list thread].
Hi,
On 30/10/20 10:45AM, Tom Rini wrote:
> Hey all,
>
> Here's the latest report from Coverity on new issues. Please take a
> look and let me know if any of these are false positives or things
> that we should try and adopt a Coverity model to cover. Thanks!
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Wed, Oct 28, 2020 at 4:41 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 37 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 37 defect(s)
>
>
> ** CID 312960: Integer handling issues (BAD_SHIFT)
> /drivers/mux/mmio.c: 107 in mmio_mux_probe()
>
>
> ________________________________________________________________________________________________________
> *** CID 312960: Integer handling issues (BAD_SHIFT)
> /drivers/mux/mmio.c: 107 in mmio_mux_probe()
> 101 mask = mux_reg_masks[2 * i + 1];
> 102
> 103 field.reg = reg;
> 104 field.msb = fls(mask) - 1;
> 105 field.lsb = ffs(mask) - 1;
> 106
> >>> CID 312960: Integer handling issues (BAD_SHIFT)
> >>> In expression "0xffffffffffffffffUL << field.lsb", left shifting by more than 63 bits has undefined behavior. The shift amount, "field.lsb", is 4294967295.
> 107 if (mask != GENMASK(field.msb, field.lsb))
> 108 return log_msg_ret("invalid mask", -EINVAL);
Sounds like a legitimate complaint. If the mask is 0 then fls and ffs
will return 0, and so msb and lsb will be 0xffffffff each. This will
result in GENMASK() doing ~0UL << 0xffffffff. Of course, a mask of 0 is
invalid but then this condition is supposed to check for invalid masks
so that just defeats the purpose.
This code seems to check if a mask is all 1s or not. So it will catch a
mask like 0b11101. But it will trip up on a mask like 0. My suggestion
is to make the check something like:
if (ffs(mask) == 0 || mask != GENMASK(field.msb, field.lsb))
> 109
> 110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
> 111 if (IS_ERR(fields[i])) {
> 112 ret = PTR_ERR(fields[i]);
>
> ** CID 312959: (RESOURCE_LEAK)
> /drivers/mux/mmio.c: 113 in mmio_mux_probe()
> /drivers/mux/mmio.c: 108 in mmio_mux_probe()
>
>
> ________________________________________________________________________________________________________
> *** CID 312959: (RESOURCE_LEAK)
> /drivers/mux/mmio.c: 113 in mmio_mux_probe()
> 107 if (mask != GENMASK(field.msb, field.lsb))
> 108 return log_msg_ret("invalid mask", -EINVAL);
> 109
> 110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
> 111 if (IS_ERR(fields[i])) {
> 112 ret = PTR_ERR(fields[i]);
> >>> CID 312959: (RESOURCE_LEAK)
> >>> Variable "idle_states" going out of scope leaks the storage it points to.
Hmm... Not sure if this is actually a leak. idle_states is allocated
using devm_kmalloc(), so if the probe fails the device should be
destroyed, and idle_states with it. I'm not very well versed with
managed APIs so maybe this is wrong. Dunno.
Anyway, idle_states is local to this function so I don't know if
devm_kmalloc() is even needed. We might as well use regular kmalloc()
because we free it at the end of probe anyway.
Any advice on this?
> 113 return log_msg_ret("regmap_field_alloc", ret);
> 114 }
> 115
> 116 bits = 1 + field.msb - field.lsb;
> 117 mux->states = 1 << bits;
> 118
> /drivers/mux/mmio.c: 108 in mmio_mux_probe()
> 102
> 103 field.reg = reg;
> 104 field.msb = fls(mask) - 1;
> 105 field.lsb = ffs(mask) - 1;
> 106
> 107 if (mask != GENMASK(field.msb, field.lsb))
> >>> CID 312959: (RESOURCE_LEAK)
> >>> Variable "idle_states" going out of scope leaks the storage it points to.
Same as above.
> 108 return log_msg_ret("invalid mask", -EINVAL);
> 109
> 110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
> 111 if (IS_ERR(fields[i])) {
> 112 ret = PTR_ERR(fields[i]);
> 113 return log_msg_ret("regmap_field_alloc", ret);
>
> ________________________________________________________________________________________________________
> *** CID 312954: (DC.WEAK_CRYPTO)
> /test/dm/mux-cmd.c: 133 in dm_test_cmd_mux_select()
> 127 ut_assertnonnull(chip);
> 128
> 129 srand(get_ticks() + rand());
> 130 for (i = 0; i < chip->controllers; i++) {
> 131 mux = &chip->mux[i];
> 132
> >>> CID 312954: (DC.WEAK_CRYPTO)
> >>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
Not used for any security-related applications. No changes needed.
BTW, is the assertion that rand() is "linear congruential" even true for
U-Boot's rand() or is it only true for the libc rand()?
> 133 state = rand() % mux->states;
> 134
> 135 snprintf(cmd, BUF_SIZE, "mux select a-mux-controller %x %x", i,
> 136 state);
> 137 run_command(cmd, 0);
> 138 ut_asserteq(!!mux->in_use, true);
> /test/dm/mux-cmd.c: 129 in dm_test_cmd_mux_select()
> 123
> 124 ut_assertok(uclass_get_device_by_name(UCLASS_MUX, "a-mux-controller",
> 125 &dev));
> 126 chip = dev_get_uclass_priv(dev);
> 127 ut_assertnonnull(chip);
> 128
> >>> CID 312954: (DC.WEAK_CRYPTO)
> >>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
Same as above.
> 129 srand(get_ticks() + rand());
> 130 for (i = 0; i < chip->controllers; i++) {
> 131 mux = &chip->mux[i];
> 132
> 133 state = rand() % mux->states;
> 134
>
> *** CID 312952: Resource leaks (RESOURCE_LEAK)
> /drivers/reset/reset-uclass.c: 331 in devm_reset_bulk_get_by_node()
> 325 __GFP_ZERO);
> 326 if (unlikely(!bulk))
> 327 return ERR_PTR(-ENOMEM);
> 328
> 329 rc = __reset_get_bulk(dev, node, bulk);
> 330 if (rc)
> >>> CID 312952: Resource leaks (RESOURCE_LEAK)
> >>> Variable "bulk" going out of scope leaks the storage it points to.
Similar problem as that of idle_states above. Not sure if memory
allocated by devres_alloc() gets freed automatically but in this case I
get the feeling it won't be.
> 331 return ERR_PTR(rc);
> 332
> 333 devres_add(dev, bulk);
> 334 return bulk;
> 335 }
> 336
>
> ** CID 312951: (RESOURCE_LEAK)
> /drivers/core/regmap.c: 315 in devm_regmap_init()
> /drivers/core/regmap.c: 315 in devm_regmap_init()
> /drivers/core/regmap.c: 306 in devm_regmap_init()
> /drivers/core/regmap.c: 306 in devm_regmap_init()
>
>
> ________________________________________________________________________________________________________
> *** CID 312951: (RESOURCE_LEAK)
> /drivers/core/regmap.c: 315 in devm_regmap_init()
> 309 if (config) {
> 310 map->width = config->width;
> 311 map->reg_offset_shift = config->reg_offset_shift;
> 312 }
> 313
> 314 devres_add(dev, mapp);
> >>> CID 312951: (RESOURCE_LEAK)
> >>> Variable "mapp" going out of scope leaks the storage it points to.
False positive because mapp is passed to devres_add().
> 315 return *mapp;
> 316 }
> 317 #endif
> 318
> 319 void *regmap_get_range(struct regmap *map, unsigned int range_num)
> 320 {
> /drivers/core/regmap.c: 315 in devm_regmap_init()
> 309 if (config) {
> 310 map->width = config->width;
> 311 map->reg_offset_shift = config->reg_offset_shift;
> 312 }
> 313
> 314 devres_add(dev, mapp);
> >>> CID 312951: (RESOURCE_LEAK)
> >>> Variable "mapp" going out of scope leaks the storage it points to.
Same as above.
> 315 return *mapp;
> 316 }
> 317 #endif
> 318
> 319 void *regmap_get_range(struct regmap *map, unsigned int range_num)
> 320 {
> /drivers/core/regmap.c: 306 in devm_regmap_init()
> 300 if (config && config->r_size != 0)
> 301 rc = regmap_init_mem_range(dev_ofnode(dev), config->r_start,
> 302 config->r_size, mapp);
> 303 else
> 304 rc = regmap_init_mem(dev_ofnode(dev), mapp);
> 305 if (rc)
> >>> CID 312951: (RESOURCE_LEAK)
> >>> Variable "mapp" going out of scope leaks the storage it points to.
Hmm... We have not passed it to devres_add() yet. So this looks same as
the problem with 'bulk' above. I think it is a leak but I would like
someone to confirm my suspicion.
> 306 return ERR_PTR(rc);
> 307
> 308 map = *mapp;
> 309 if (config) {
> 310 map->width = config->width;
> 311 map->reg_offset_shift = config->reg_offset_shift;
> /drivers/core/regmap.c: 306 in devm_regmap_init()
> 300 if (config && config->r_size != 0)
> 301 rc = regmap_init_mem_range(dev_ofnode(dev), config->r_start,
> 302 config->r_size, mapp);
> 303 else
> 304 rc = regmap_init_mem(dev_ofnode(dev), mapp);
> 305 if (rc)
> >>> CID 312951: (RESOURCE_LEAK)
> >>> Variable "mapp" going out of scope leaks the storage it points to.
Same as above.
> 306 return ERR_PTR(rc);
> 307
> 308 map = *mapp;
> 309 if (config) {
> 310 map->width = config->width;
> 311 map->reg_offset_shift = config->reg_offset_shift;
> ________________________________________________________________________________________________________
> *** CID 312949: (DC.WEAK_CRYPTO)
> /test/dm/regmap.c: 310 in dm_test_devm_regmap()
> 304 ut_assertok(uclass_get_device_by_name(UCLASS_NOP, "regmap-test_0",
> 305 &dev));
> 306 priv = dev_get_priv(dev);
> 307
> 308 srand(get_ticks() + rand());
> 309 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
> >>> CID 312949: (DC.WEAK_CRYPTO)
> >>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
False positive. Not used for any security-related applications.
> 310 pattern[i] = rand();
> 311 ut_assertok(regmap_write(priv->cfg_regmap, i, pattern[i]));
> 312 }
> 313 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
> 314 ut_assertok(regmap_read(priv->cfg_regmap, i, &val));
> 315 ut_asserteq(val, buffer[i]);
> /test/dm/regmap.c: 308 in dm_test_devm_regmap()
> 302 REGMAP_TEST_BUF_SZ * 2, MAP_NOCACHE);
> 303
> 304 ut_assertok(uclass_get_device_by_name(UCLASS_NOP, "regmap-test_0",
> 305 &dev));
> 306 priv = dev_get_priv(dev);
> 307
> >>> CID 312949: (DC.WEAK_CRYPTO)
> >>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 308 srand(get_ticks() + rand());
> 309 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
> 310 pattern[i] = rand();
> 311 ut_assertok(regmap_write(priv->cfg_regmap, i, pattern[i]));
> 312 }
> 313 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
>
> ________________________________________________________________________________________________________
> *** CID 312944: Integer handling issues (BAD_SHIFT)
> /drivers/mux/mmio.c: 107 in mmio_mux_probe()
> 101 mask = mux_reg_masks[2 * i + 1];
> 102
> 103 field.reg = reg;
> 104 field.msb = fls(mask) - 1;
> 105 field.lsb = ffs(mask) - 1;
> 106
> >>> CID 312944: Integer handling issues (BAD_SHIFT)
> >>> In expression "0xffffffffffffffffUL >> 63U - field.msb", right shifting by more than 63 bits has undefined behavior. The shift amount, "63U - field.msb", is 64.
Same problem as above. The tool should show issues with one file in
sequence...
> 107 if (mask != GENMASK(field.msb, field.lsb))
> 108 return log_msg_ret("invalid mask", -EINVAL);
> 109
> 110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
> 111 if (IS_ERR(fields[i])) {
> 112 ret = PTR_ERR(fields[i]);
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit,
> https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DG16z_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTttU5wxtf-2BIrYIlH6m8usGJ6Lj2sxuVx1MrdzdzgACo0LT3OFouHYVv45XtjGnMdnBHVdXsmw-2F0hVbOCFNnsrngQZqCc0sAyWQDCDYCMOEtivMS6hgdPFHSlGRRb51oma2tiPKUAklqWROrvI4MyXxqrp-2Fd4gBcYvc7-2FLXQFG0CyHS3IAPBDTyEFObYQ4RE2yA-3D
>
> To manage Coverity Scan email notifications for
> "tom.rini at gmail.com", click
> https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DEOqJ_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTttU5wxtf-2BIrYIlH6m8usGJzaB1PzDyVpqw-2FdKI2nmJ1aeEn5herkK9wV7V6RjSEoYxghGutNP9BcObkZR3VG0GThMSPIO3YwHDptrjReecWG99Q7RAogK2ghwHTok4ICj9O-2FAA-2FumHtxTSCVEgN8DQdszAdaF0kCwbpvbxr33-2Bx8r4btBT-2Bj-2BqyAjW5wzAVl4-3D
Whew! That's a lot of issues with the patches I submitted! IMO the tool
is mostly raising valid concerns and I think most of these are actual
bugs.
I don't know how useful the rand() warning is though. I think it will be
a false positive most of the time but maybe it is worth it for the one
time it actually catches a security issue. Dunno.
--
Regards,
Pratyush Yadav
Texas Instruments India
* [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
@ 2020-10-30 19:16 Tom Rini
2020-11-02 11:54 ` Pratyush Yadav
0 siblings, 1 reply; 46+ messages in thread
From: Tom Rini @ 2020-10-30 19:16 UTC (permalink / raw)
To: u-boot
Here's the latest report from Coverity scan. I think it's more helpful
to send these to the list so that anyone can help advise on solutions
than to send it only to people that may have introduced the problem, as
I have previously been forwarding to. I don't recall why I got in the
habit to start with, so, breaking that habit now.
----- Forwarded message from scan-admin at coverity.com -----
Date: Wed, 28 Oct 2020 20:41:49 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
37 new defect(s) introduced to Das U-Boot found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 37 defect(s)
** CID 312960: Integer handling issues (BAD_SHIFT)
/drivers/mux/mmio.c: 107 in mmio_mux_probe()
________________________________________________________________________________________________________
*** CID 312960: Integer handling issues (BAD_SHIFT)
/drivers/mux/mmio.c: 107 in mmio_mux_probe()
101 mask = mux_reg_masks[2 * i + 1];
102
103 field.reg = reg;
104 field.msb = fls(mask) - 1;
105 field.lsb = ffs(mask) - 1;
106
>>> CID 312960: Integer handling issues (BAD_SHIFT)
>>> In expression "0xffffffffffffffffUL << field.lsb", left shifting by more than 63 bits has undefined behavior. The shift amount, "field.lsb", is 4294967295.
107 if (mask != GENMASK(field.msb, field.lsb))
108 return log_msg_ret("invalid mask", -EINVAL);
109
110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
111 if (IS_ERR(fields[i])) {
112 ret = PTR_ERR(fields[i]);
** CID 312959: (RESOURCE_LEAK)
/drivers/mux/mmio.c: 113 in mmio_mux_probe()
/drivers/mux/mmio.c: 108 in mmio_mux_probe()
________________________________________________________________________________________________________
*** CID 312959: (RESOURCE_LEAK)
/drivers/mux/mmio.c: 113 in mmio_mux_probe()
107 if (mask != GENMASK(field.msb, field.lsb))
108 return log_msg_ret("invalid mask", -EINVAL);
109
110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
111 if (IS_ERR(fields[i])) {
112 ret = PTR_ERR(fields[i]);
>>> CID 312959: (RESOURCE_LEAK)
>>> Variable "idle_states" going out of scope leaks the storage it points to.
113 return log_msg_ret("regmap_field_alloc", ret);
114 }
115
116 bits = 1 + field.msb - field.lsb;
117 mux->states = 1 << bits;
118
/drivers/mux/mmio.c: 108 in mmio_mux_probe()
102
103 field.reg = reg;
104 field.msb = fls(mask) - 1;
105 field.lsb = ffs(mask) - 1;
106
107 if (mask != GENMASK(field.msb, field.lsb))
>>> CID 312959: (RESOURCE_LEAK)
>>> Variable "idle_states" going out of scope leaks the storage it points to.
108 return log_msg_ret("invalid mask", -EINVAL);
109
110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
111 if (IS_ERR(fields[i])) {
112 ret = PTR_ERR(fields[i]);
113 return log_msg_ret("regmap_field_alloc", ret);
** CID 312958: Uninitialized variables (UNINIT)
/fs/btrfs/inode.c: 341 in btrfs_lookup_path()
________________________________________________________________________________________________________
*** CID 312958: Uninitialized variables (UNINIT)
/fs/btrfs/inode.c: 341 in btrfs_lookup_path()
335 cur += len;
336 }
337
338 if (!ret) {
339 *root_ret = root;
340 *ino_ret = ino;
>>> CID 312958: Uninitialized variables (UNINIT)
>>> Using uninitialized value "type".
341 *type_ret = type;
342 }
343
344 return ret;
345 }
346
** CID 312957: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/fs/btrfs/volumes.c: 1106 in __btrfs_map_block()
________________________________________________________________________________________________________
*** CID 312957: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/fs/btrfs/volumes.c: 1106 in __btrfs_map_block()
1100 stripe_nr = stripe_nr / nr_data_stripes(map);
1101
1102 /* Work out the disk rotation on this stripe-set */
1103 rot = stripe_nr % map->num_stripes;
1104
1105 /* Fill in the logical address of each stripe */
>>> CID 312957: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "stripe_nr * nr_data_stripes(map)" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
1106 tmp = stripe_nr * nr_data_stripes(map);
1107
1108 for (i = 0; i < nr_data_stripes(map); i++)
1109 raid_map[(i+rot) % map->num_stripes] =
1110 ce->start + (tmp + i) * map->stripe_len;
1111
** CID 312956: Error handling issues (NEGATIVE_RETURNS)
/tools/image-host.c: 337 in get_random_data()
________________________________________________________________________________________________________
*** CID 312956: Error handling issues (NEGATIVE_RETURNS)
/tools/image-host.c: 337 in get_random_data()
331 ret = -1;
332 goto out;
333 }
334
335 ret = clock_gettime(CLOCK_MONOTONIC, &date);
336 if (ret < 0) {
>>> CID 312956: Error handling issues (NEGATIVE_RETURNS)
>>> "ret" is passed to a parameter that cannot be negative.
337 printf("%s: clock_gettime has failed (err=%d, str=%s)\n",
338 __func__, ret, strerror(ret));
339 goto out;
340 }
341
342 srand(date.tv_nsec);
** CID 312955: Uninitialized variables (UNINIT)
/fs/btrfs/btrfs.c: 113 in show_dir()
________________________________________________________________________________________________________
*** CID 312955: Uninitialized variables (UNINIT)
/fs/btrfs/btrfs.c: 113 in show_dir()
107 printf("%24.24s %.*s", filetime, btrfs_dir_name_len(eb, di), namebuf);
108 if (type == BTRFS_FT_SYMLINK)
109 printf(" -> %s", target ? target : "?");
110 printf("\n");
111 out:
112 free(target);
>>> CID 312955: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
113 return ret;
114 }
115
116 int btrfs_probe(struct blk_desc *fs_dev_desc,
117 struct disk_partition *fs_partition)
118 {
** CID 312954: (DC.WEAK_CRYPTO)
/test/dm/mux-cmd.c: 133 in dm_test_cmd_mux_select()
/test/dm/mux-cmd.c: 129 in dm_test_cmd_mux_select()
________________________________________________________________________________________________________
*** CID 312954: (DC.WEAK_CRYPTO)
/test/dm/mux-cmd.c: 133 in dm_test_cmd_mux_select()
127 ut_assertnonnull(chip);
128
129 srand(get_ticks() + rand());
130 for (i = 0; i < chip->controllers; i++) {
131 mux = &chip->mux[i];
132
>>> CID 312954: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
133 state = rand() % mux->states;
134
135 snprintf(cmd, BUF_SIZE, "mux select a-mux-controller %x %x", i,
136 state);
137 run_command(cmd, 0);
138 ut_asserteq(!!mux->in_use, true);
/test/dm/mux-cmd.c: 129 in dm_test_cmd_mux_select()
123
124 ut_assertok(uclass_get_device_by_name(UCLASS_MUX, "a-mux-controller",
125 &dev));
126 chip = dev_get_uclass_priv(dev);
127 ut_assertnonnull(chip);
128
>>> CID 312954: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
129 srand(get_ticks() + rand());
130 for (i = 0; i < chip->controllers; i++) {
131 mux = &chip->mux[i];
132
133 state = rand() % mux->states;
134
** CID 312953: Security best practices violations (DC.WEAK_CRYPTO)
/tools/image-host.c: 345 in get_random_data()
________________________________________________________________________________________________________
*** CID 312953: Security best practices violations (DC.WEAK_CRYPTO)
/tools/image-host.c: 345 in get_random_data()
339 goto out;
340 }
341
342 srand(date.tv_nsec);
343
344 for (i = 0; i < size; i++) {
>>> CID 312953: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
345 *tmp = rand() & 0xff;
346 tmp++;
347 }
348
349 out:
350 return ret;
** CID 312952: Resource leaks (RESOURCE_LEAK)
/drivers/reset/reset-uclass.c: 331 in devm_reset_bulk_get_by_node()
________________________________________________________________________________________________________
*** CID 312952: Resource leaks (RESOURCE_LEAK)
/drivers/reset/reset-uclass.c: 331 in devm_reset_bulk_get_by_node()
325 __GFP_ZERO);
326 if (unlikely(!bulk))
327 return ERR_PTR(-ENOMEM);
328
329 rc = __reset_get_bulk(dev, node, bulk);
330 if (rc)
>>> CID 312952: Resource leaks (RESOURCE_LEAK)
>>> Variable "bulk" going out of scope leaks the storage it points to.
331 return ERR_PTR(rc);
332
333 devres_add(dev, bulk);
334 return bulk;
335 }
336
** CID 312951: (RESOURCE_LEAK)
/drivers/core/regmap.c: 315 in devm_regmap_init()
/drivers/core/regmap.c: 315 in devm_regmap_init()
/drivers/core/regmap.c: 306 in devm_regmap_init()
/drivers/core/regmap.c: 306 in devm_regmap_init()
________________________________________________________________________________________________________
*** CID 312951: (RESOURCE_LEAK)
/drivers/core/regmap.c: 315 in devm_regmap_init()
309 if (config) {
310 map->width = config->width;
311 map->reg_offset_shift = config->reg_offset_shift;
312 }
313
314 devres_add(dev, mapp);
>>> CID 312951: (RESOURCE_LEAK)
>>> Variable "mapp" going out of scope leaks the storage it points to.
315 return *mapp;
316 }
317 #endif
318
319 void *regmap_get_range(struct regmap *map, unsigned int range_num)
320 {
/drivers/core/regmap.c: 315 in devm_regmap_init()
309 if (config) {
310 map->width = config->width;
311 map->reg_offset_shift = config->reg_offset_shift;
312 }
313
314 devres_add(dev, mapp);
>>> CID 312951: (RESOURCE_LEAK)
>>> Variable "mapp" going out of scope leaks the storage it points to.
315 return *mapp;
316 }
317 #endif
318
319 void *regmap_get_range(struct regmap *map, unsigned int range_num)
320 {
/drivers/core/regmap.c: 306 in devm_regmap_init()
300 if (config && config->r_size != 0)
301 rc = regmap_init_mem_range(dev_ofnode(dev), config->r_start,
302 config->r_size, mapp);
303 else
304 rc = regmap_init_mem(dev_ofnode(dev), mapp);
305 if (rc)
>>> CID 312951: (RESOURCE_LEAK)
>>> Variable "mapp" going out of scope leaks the storage it points to.
306 return ERR_PTR(rc);
307
308 map = *mapp;
309 if (config) {
310 map->width = config->width;
311 map->reg_offset_shift = config->reg_offset_shift;
/drivers/core/regmap.c: 306 in devm_regmap_init()
300 if (config && config->r_size != 0)
301 rc = regmap_init_mem_range(dev_ofnode(dev), config->r_start,
302 config->r_size, mapp);
303 else
304 rc = regmap_init_mem(dev_ofnode(dev), mapp);
305 if (rc)
>>> CID 312951: (RESOURCE_LEAK)
>>> Variable "mapp" going out of scope leaks the storage it points to.
306 return ERR_PTR(rc);
307
308 map = *mapp;
309 if (config) {
310 map->width = config->width;
311 map->reg_offset_shift = config->reg_offset_shift;
** CID 312950: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 312950: Uninitialized variables (UNINIT)
/fs/btrfs/btrfs.c: 96 in show_dir()
90 if (type < ARRAY_SIZE(dir_item_str) && dir_item_str[type])
91 printf("<%s> ", dir_item_str[type]);
92 else
93 printf("DIR_ITEM.%u", type);
94 if (type == BTRFS_FT_CHRDEV || type == BTRFS_FT_BLKDEV) {
95 ASSERT(key.type == BTRFS_INODE_ITEM_KEY);
>>> CID 312950: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ii.rdev" when calling "btrfs_stack_inode_rdev".
96 printf("%4llu,%5llu ", btrfs_stack_inode_rdev(&ii) >> 20,
97 btrfs_stack_inode_rdev(&ii) & 0xfffff);
98 } else {
99 if (key.type == BTRFS_INODE_ITEM_KEY)
100 printf("%10llu ", btrfs_stack_inode_size(&ii));
101 else
** CID 312949: (DC.WEAK_CRYPTO)
/test/dm/regmap.c: 310 in dm_test_devm_regmap()
/test/dm/regmap.c: 308 in dm_test_devm_regmap()
________________________________________________________________________________________________________
*** CID 312949: (DC.WEAK_CRYPTO)
/test/dm/regmap.c: 310 in dm_test_devm_regmap()
304 ut_assertok(uclass_get_device_by_name(UCLASS_NOP, "regmap-test_0",
305 &dev));
306 priv = dev_get_priv(dev);
307
308 srand(get_ticks() + rand());
309 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
>>> CID 312949: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
310 pattern[i] = rand();
311 ut_assertok(regmap_write(priv->cfg_regmap, i, pattern[i]));
312 }
313 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
314 ut_assertok(regmap_read(priv->cfg_regmap, i, &val));
315 ut_asserteq(val, buffer[i]);
/test/dm/regmap.c: 308 in dm_test_devm_regmap()
302 REGMAP_TEST_BUF_SZ * 2, MAP_NOCACHE);
303
304 ut_assertok(uclass_get_device_by_name(UCLASS_NOP, "regmap-test_0",
305 &dev));
306 priv = dev_get_priv(dev);
307
>>> CID 312949: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
308 srand(get_ticks() + rand());
309 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
310 pattern[i] = rand();
311 ut_assertok(regmap_write(priv->cfg_regmap, i, pattern[i]));
312 }
313 for (i = 0; i < REGMAP_TEST_BUF_SZ; i++) {
** CID 312948: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/fs/btrfs/volumes.c: 1033 in __btrfs_map_block()
________________________________________________________________________________________________________
*** CID 312948: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/fs/btrfs/volumes.c: 1033 in __btrfs_map_block()
1027 /*
1028 * stripe_nr counts the total number of stripes we have to stride
1029 * to get to this block
1030 */
1031 stripe_nr = stripe_nr / map->stripe_len;
1032
>>> CID 312948: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "stripe_nr * map->stripe_len" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
1033 stripe_offset = stripe_nr * map->stripe_len;
1034 BUG_ON(offset < stripe_offset);
1035
1036 /* stripe_offset is the offset of this block in its stripe*/
1037 stripe_offset = offset - stripe_offset;
1038
** CID 312947: Error handling issues (CHECKED_RETURN)
/drivers/core/dump.c: 137 in dm_dump_drivers()
________________________________________________________________________________________________________
*** CID 312947: Error handling issues (CHECKED_RETURN)
/drivers/core/dump.c: 137 in dm_dump_drivers()
131 int i;
132
133 puts("Driver uid uclass Devices\n");
134 puts("----------------------------------------------------------\n");
135
136 for (entry = d; entry < d + n_ents; entry++) {
>>> CID 312947: Error handling issues (CHECKED_RETURN)
>>> Calling "uclass_get" without checking return value (as is done elsewhere 52 out of 65 times).
137 uclass_get(entry->id, &uc);
138
139 printf("%-25.25s %-3.3d %-20.20s ", entry->name, entry->id,
140 uc ? uc->uc_drv->name : "<no uclass>");
141
142 if (!uc) {
** CID 312946: Incorrect expression (USELESS_CALL)
________________________________________________________________________________________________________
*** CID 312946: Incorrect expression (USELESS_CALL)
/drivers/clk/clk-uclass.c: 201 in clk_set_default_get_by_id()
195 if (CONFIG_IS_ENABLED(CLK_CCF)) {
196 int ret = clk_get_by_id(clk->id, &c);
197
198 if (ret) {
199 debug("%s(): could not get parent clock pointer, id %lu\n",
200 __func__, clk->id);
>>> CID 312946: Incorrect expression (USELESS_CALL)
>>> Calling "ERR_PTR(ret)" is only useful for its return value, which is ignored.
201 ERR_PTR(ret);
202 }
203 }
204
205 return c;
206 }
** CID 312945: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_console.c: 272 in query_console_serial()
________________________________________________________________________________________________________
*** CID 312945: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_console.c: 272 in query_console_serial()
266 {
267 int ret = 0;
268 int n[2];
269
270 /* Empty input buffer */
271 while (tstc())
>>> CID 312945: Error handling issues (CHECKED_RETURN)
>>> Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
272 getchar();
273
274 /*
275 * Not all terminals understand CSI [18t for querying the console size.
276 * We should adhere to escape sequences documented in the console_codes
277 * man page and the ECMA-48 standard.
** CID 312944: Integer handling issues (BAD_SHIFT)
/drivers/mux/mmio.c: 107 in mmio_mux_probe()
________________________________________________________________________________________________________
*** CID 312944: Integer handling issues (BAD_SHIFT)
/drivers/mux/mmio.c: 107 in mmio_mux_probe()
101 mask = mux_reg_masks[2 * i + 1];
102
103 field.reg = reg;
104 field.msb = fls(mask) - 1;
105 field.lsb = ffs(mask) - 1;
106
>>> CID 312944: Integer handling issues (BAD_SHIFT)
>>> In expression "0xffffffffffffffffUL >> 63U - field.msb", right shifting by more than 63 bits has undefined behavior. The shift amount, "63U - field.msb", is 64.
107 if (mask != GENMASK(field.msb, field.lsb))
108 return log_msg_ret("invalid mask", -EINVAL);
109
110 fields[i] = devm_regmap_field_alloc(dev, regmap, field);
111 if (IS_ERR(fields[i])) {
112 ret = PTR_ERR(fields[i]);
** CID 312943: (TAINTED_SCALAR)
/fs/btrfs/volumes.c: 563 in read_one_chunk()
/fs/btrfs/volumes.c: 549 in read_one_chunk()
________________________________________________________________________________________________________
*** CID 312943: (TAINTED_SCALAR)
/fs/btrfs/volumes.c: 563 in read_one_chunk()
557 map->io_align = btrfs_chunk_io_align(leaf, chunk);
558 map->sector_size = btrfs_chunk_sector_size(leaf, chunk);
559 map->stripe_len = btrfs_chunk_stripe_len(leaf, chunk);
560 map->type = btrfs_chunk_type(leaf, chunk);
561 map->sub_stripes = btrfs_chunk_sub_stripes(leaf, chunk);
562
>>> CID 312943: (TAINTED_SCALAR)
>>> Using tainted variable "num_stripes" as a loop boundary.
563 for (i = 0; i < num_stripes; i++) {
564 map->stripes[i].physical =
565 btrfs_stripe_offset_nr(leaf, chunk, i);
566 devid = btrfs_stripe_devid_nr(leaf, chunk, i);
567 read_extent_buffer(leaf, uuid, (unsigned long)
568 btrfs_stripe_dev_uuid_nr(chunk, i),
/fs/btrfs/volumes.c: 549 in read_one_chunk()
543
544 /* already mapped? */
545 if (ce && ce->start <= logical && ce->start + ce->size > logical) {
546 return 0;
547 }
548
>>> CID 312943: (TAINTED_SCALAR)
>>> Passing tainted variable "80UL + 16UL * num_stripes" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
549 map = kmalloc(btrfs_map_lookup_size(num_stripes), GFP_NOFS);
550 if (!map)
551 return -ENOMEM;
552
553 map->ce.start = logical;
554 map->ce.size = length;
** CID 312942: Control flow issues (DEADCODE)
/drivers/firmware/scmi/sandbox-scmi_devices.c: 96 in sandbox_scmi_devices_probe()
________________________________________________________________________________________________________
*** CID 312942: Control flow issues (DEADCODE)
/drivers/firmware/scmi/sandbox-scmi_devices.c: 96 in sandbox_scmi_devices_probe()
90 }
91
92 return 0;
93
94 err_reset:
95 for (; n > 0; n--)
>>> CID 312942: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "reset_free(priv->devices.re...".
96 reset_free(priv->devices.reset + n - 1);
97
98 return ret;
99 }
100
101 static const struct udevice_id sandbox_scmi_devices_ids[] = {
** CID 312941: Insecure data handling (TAINTED_SCALAR)
/fs/btrfs/dir-item.c: 57 in btrfs_match_dir_item_name()
________________________________________________________________________________________________________
*** CID 312941: Insecure data handling (TAINTED_SCALAR)
/fs/btrfs/dir-item.c: 57 in btrfs_match_dir_item_name()
51 leaf = path->nodes[0];
52 dir_item = btrfs_item_ptr(leaf, path->slots[0], struct btrfs_dir_item);
53 total_len = btrfs_item_size_nr(leaf, path->slots[0]);
54 if (verify_dir_item(root, leaf, dir_item))
55 return NULL;
56
>>> CID 312941: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "total_len" as a loop boundary.
57 while(cur < total_len) {
58 this_len = sizeof(*dir_item) +
59 btrfs_dir_name_len(leaf, dir_item) +
60 btrfs_dir_data_len(leaf, dir_item);
61 if (this_len > (total_len - cur)) {
62 fprintf(stderr, "invalid dir item size\n");
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DG16z_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTttU5wxtf-2BIrYIlH6m8usGJ6Lj2sxuVx1MrdzdzgACo0LT3OFouHYVv45XtjGnMdnBHVdXsmw-2F0hVbOCFNnsrngQZqCc0sAyWQDCDYCMOEtivMS6hgdPFHSlGRRb51oma2tiPKUAklqWROrvI4MyXxqrp-2Fd4gBcYvc7-2FLXQFG0CyHS3IAPBDTyEFObYQ4RE2yA-3D
To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DEOqJ_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTttU5wxtf-2BIrYIlH6m8usGJzaB1PzDyVpqw-2FdKI2nmJ1aeEn5herkK9wV7V6RjSEoYxghGutNP9BcObkZR3VG0GThMSPIO3YwHDptrjReecWG99Q7RAogK2ghwHTok4ICj9O-2FAA-2FumHtxTSCVEgN8DQdszAdaF0kCwbpvbxr33-2Bx8r4btBT-2Bj-2BqyAjW5wzAVl4-3D
----- End forwarded message -----
--
Tom