From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Subject: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Date: Tue, 2 Nov 2021 12:22:07 -0400 [thread overview]
Message-ID: <20211102162207.GP24579@bill-the-cat> (raw)
[-- Attachment #1: Type: text/plain, Size: 27904 bytes --]
There's a whole lot of new defects here because I noticed yesterday that
there was a new stable version of the scanner, after running yesterdays
normal post-RC scan. So here's a new scan done on current master.
----- Forwarded message from scan-admin@coverity.com -----
Date: Tue, 02 Nov 2021 15:55:16 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
80 new defect(s) introduced to Das U-Boot found with Coverity Scan.
25 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 80 defect(s)
** CID 340915: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340915: (TAINTED_SCALAR)
/drivers/input/key_matrix.c: 166 in key_matrix_decode_fdt()
160
161 prop = dev_read_prop(dev, "linux,fn-keymap", &proplen);
162 /* fn keymap is optional */
163 if (!prop)
164 goto done;
165
>>> CID 340915: (TAINTED_SCALAR)
>>> Passing tainted expression "proplen" to "create_keymap", which uses it as a loop boundary.
166 config->fn_keycode = create_keymap(config, prop, proplen, -1, NULL);
167 /* Conversion error -> fail */
168 if (!config->fn_keycode) {
169 free(plain_keycode);
170 return -1;
171 }
/drivers/input/key_matrix.c: 154 in key_matrix_decode_fdt()
148 /* Basic keymap is required */
149 if (!prop) {
150 debug("%s: cannot find keycode-plain map\n", __func__);
151 return -1;
152 }
153
>>> CID 340915: (TAINTED_SCALAR)
>>> Passing tainted expression "proplen" to "create_keymap", which uses it as a loop boundary.
154 plain_keycode = create_keymap(config, prop, proplen, KEY_FN,
155 &config->fn_pos);
156 config->plain_keycode = plain_keycode;
157 /* Conversion error -> fail */
158 if (!config->plain_keycode)
159 return -1;
** CID 340914: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340914: (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->size_dt_strings" to "fdt_open_into", which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->totalsize" to "fdt_open_into", which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 34 in state_ensure_space()
28 size = fdt_totalsize(blob);
29 free_bytes = size - used;
30 if (free_bytes > extra_size)
31 return 0;
32
33 size = used + extra_size;
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "os_malloc", which uses it as an offset.
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->size_dt_struct" to "fdt_open_into", which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 44 in state_ensure_space()
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "*blob" to "os_free", which uses it as an offset.
44 os_free(blob);
45 state->state_fdt = buf;
46 return 0;
47 }
48
49 static int state_read_file(struct sandbox_state *state, const char *fname)
** CID 340913: Uninitialized variables (UNINIT)
/lib/gunzip.c: 298 in zunzip()
________________________________________________________________________________________________________
*** CID 340913: Uninitialized variables (UNINIT)
/lib/gunzip.c: 298 in zunzip()
292 }
293 s.next_in = src + offset;
294 s.avail_in = *lenp - offset;
295 s.next_out = dst;
296 s.avail_out = dstlen;
297 do {
>>> CID 340913: Uninitialized variables (UNINIT)
>>> Using uninitialized value "s.total_out" when calling "inflate". [Note: The source code implementation of the function has been overridden by a builtin model.]
298 r = inflate(&s, Z_FINISH);
299 if (stoponerr == 1 && r != Z_STREAM_END &&
300 (s.avail_in == 0 || s.avail_out == 0 || r != Z_BUF_ERROR)) {
301 printf("Error: inflate() returned %d\n", r);
302 err = -1;
303 break;
** CID 340912: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340912: (TAINTED_SCALAR)
/lib/efi_loader/efi_variable.c: 191 in efi_variable_authenticate()
185 ret = EFI_SUCCESS;
186
187 err:
188 efi_sigstore_free(truststore);
189 efi_sigstore_free(truststore2);
190 pkcs7_free_message(var_sig);
>>> CID 340912: (TAINTED_SCALAR)
>>> Passing tainted expression "*ebuf" to "dlfree", which uses it as an offset.
191 free(ebuf);
192 free(regs);
193
194 return ret;
195 }
196 #else
/lib/efi_loader/efi_variable.c: 133 in efi_variable_authenticate()
127
128 /* variable's signature list */
129 if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
130 goto err;
131
132 /* ebuf should be kept valid during the authentication */
>>> CID 340912: (TAINTED_SCALAR)
>>> Passing tainted expression "auth->auth_info.cert_data" to "efi_parse_pkcs7_header", which uses it as an offset.
133 var_sig = efi_parse_pkcs7_header(auth->auth_info.cert_data,
134 auth->auth_info.hdr.dwLength
135 - sizeof(auth->auth_info),
136 &ebuf);
137 if (!var_sig) {
138 EFI_PRINT("Parsing variable's signature failed\n");
** CID 340910: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340910: (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 284 in sandbox_write_state()
278
279 if (ret == -EIO) {
280 printf("Could not write sandbox state\n");
281 goto err_create;
282 }
283
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "state->state_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
284 ret = fdt_pack(state->state_fdt);
285 if (ret < 0) {
286 printf("Cannot pack state FDT: %s\n", fdt_strerror(ret));
287 ret = -EINVAL;
288 goto err_create;
289 }
/arch/sandbox/cpu/state.c: 311 in sandbox_write_state()
305 got_err ? " (with errors)" : "");
306
307 return 0;
308 err_write:
309 os_close(fd);
310 err_create:
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "*state->state_fdt" to "os_free", which uses it as an offset.
311 os_free(state->state_fdt);
312
313 return ret;
314 }
315
316 int state_setprop(int node, const char *prop_name, const void *data, int size)
/arch/sandbox/cpu/state.c: 284 in sandbox_write_state()
278
279 if (ret == -EIO) {
280 printf("Could not write sandbox state\n");
281 goto err_create;
282 }
283
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "state->state_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
284 ret = fdt_pack(state->state_fdt);
285 if (ret < 0) {
286 printf("Cannot pack state FDT: %s\n", fdt_strerror(ret));
287 ret = -EINVAL;
288 goto err_create;
289 }
/arch/sandbox/cpu/state.c: 311 in sandbox_write_state()
305 got_err ? " (with errors)" : "");
306
307 return 0;
308 err_write:
309 os_close(fd);
310 err_create:
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "*state->state_fdt" to "os_free", which uses it as an offset.
311 os_free(state->state_fdt);
312
313 return ret;
314 }
315
316 int state_setprop(int node, const char *prop_name, const void *data, int size)
** CID 340909: Uninitialized variables (UNINIT)
/lib/gunzip.c: 226 in gzwrite()
________________________________________________________________________________________________________
*** CID 340909: Uninitialized variables (UNINIT)
/lib/gunzip.c: 226 in gzwrite()
220 unsigned long blocks_written;
221 int numfilled;
222 lbaint_t writeblocks;
223
224 s.avail_out = szwritebuf;
225 s.next_out = writebuf;
>>> CID 340909: Uninitialized variables (UNINIT)
>>> Using uninitialized value "s.total_out" when calling "inflate". [Note: The source code implementation of the function has been overridden by a builtin model.]
226 r = inflate(&s, Z_SYNC_FLUSH);
227 if ((r != Z_OK) &&
228 (r != Z_STREAM_END)) {
229 printf("Error: inflate() returned %d\n", r);
230 goto out;
231 }
** CID 340908: Insecure data handling (TAINTED_SCALAR)
/common/board_f.c: 627 in reloc_fdt()
________________________________________________________________________________________________________
*** CID 340908: Insecure data handling (TAINTED_SCALAR)
/common/board_f.c: 627 in reloc_fdt()
621 static int reloc_fdt(void)
622 {
623 if (!IS_ENABLED(CONFIG_OF_EMBED)) {
624 if (gd->flags & GD_FLG_SKIP_RELOC)
625 return 0;
626 if (gd->new_fdt) {
>>> CID 340908: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "__fswab32((__u32)(__be32)((struct fdt_header const *)gd->fdt_blob)->totalsize)" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
627 memcpy(gd->new_fdt, gd->fdt_blob,
628 fdt_totalsize(gd->fdt_blob));
629 gd->fdt_blob = gd->new_fdt;
630 }
631 }
632
** CID 340907: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340907: Insecure data handling (TAINTED_SCALAR)
/cmd/fdt.c: 59 in fdt_value_env_set()
53 if (is_printable_string(nodep, len))
54 env_set(var, (void *)nodep);
55 else if (len == 4) {
56 char buf[11];
57
58 sprintf(buf, "0x%08X", fdt32_to_cpu(*(fdt32_t *)nodep));
>>> CID 340907: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "buf" to "env_set", which uses it as an offset.
59 env_set(var, buf);
60 } else if (len%4 == 0 && len <= 20) {
61 /* Needed to print things like sha1 hashes. */
62 char buf[41];
63 int i;
64
** CID 340906: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
________________________________________________________________________________________________________
*** CID 340906: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
1053 break;
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
>>> CID 340906: (TAINTED_SCALAR)
>>> Passing tainted expression "dirs->entry->name_size + 1" to "strncpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
>>> CID 340906: (TAINTED_SCALAR)
>>> Using tainted variable "dirs->entry->name_size + 1" as an index into an array "dent->name".
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
1065 /* Decrement size to be read */
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
>>> CID 340906: (TAINTED_SCALAR)
>>> Using tainted variable "dirs->entry->name_size + 1" as an index into an array "dent->name".
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
1065 /* Decrement size to be read */
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
1053 break;
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
>>> CID 340906: (TAINTED_SCALAR)
>>> Passing tainted expression "dirs->entry->name_size + 1" to "strncpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size + 1);
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
** CID 340905: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/checks.c: 1163 in check_property_phandle_args()
________________________________________________________________________________________________________
*** CID 340905: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/checks.c: 1163 in check_property_phandle_args()
1157 FAIL_PROP(c, dti, node, prop,
1158 "property size (%d) is invalid, expected multiple of %zu",
1159 prop->val.len, sizeof(cell_t));
1160 return;
1161 }
1162
>>> CID 340905: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "cell" as a loop boundary.
1163 for (cell = 0; cell < prop->val.len / sizeof(cell_t); cell += cellsize + 1) {
1164 struct node *provider_node;
1165 struct property *cellprop;
1166 int phandle;
1167
1168 phandle = propval_cell_n(prop, cell);
** CID 340904: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340904: (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 580 in update_descriptor_block()
574
575 jdb.h_blocktype = cpu_to_be32(EXT3_JOURNAL_DESCRIPTOR_BLOCK);
576 jdb.h_magic = cpu_to_be32(EXT3_JOURNAL_MAGIC_NUMBER);
577 jdb.h_sequence = jsb->s_sequence;
578 buf = zalloc(fs->blksz);
579 if (!buf) {
>>> CID 340904: (TAINTED_SCALAR)
>>> Passing tainted expression "*temp_buff" to "dlfree", which uses it as an offset.
580 free(temp_buff);
581 return;
582 }
583 temp = buf;
584 memcpy(buf, &jdb, sizeof(struct journal_header_t));
585 temp += sizeof(struct journal_header_t);
/fs/ext4/ext4_journal.c: 603 in update_descriptor_block()
597 tag.block = cpu_to_be32(journal_ptr[--i]->blknr);
598 tag.flags = cpu_to_be32(EXT3_JOURNAL_FLAG_LAST_TAG);
599 memcpy(temp - sizeof(struct ext3_journal_block_tag), &tag,
600 sizeof(struct ext3_journal_block_tag));
601 put_ext4((uint64_t) ((uint64_t)blknr * (uint64_t)fs->blksz), buf, (uint32_t) fs->blksz);
602
>>> CID 340904: (TAINTED_SCALAR)
>>> Passing tainted expression "*temp_buff" to "dlfree", which uses it as an offset.
603 free(temp_buff);
604 free(buf);
605 }
606
607 static void update_commit_block(long int blknr)
608 {
** CID 340903: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340903: Insecure data handling (TAINTED_SCALAR)
/fs/btrfs/disk-io.c: 1036 in open_ctree_fs_info()
1030 fs_info->stripesize = btrfs_super_stripesize(disk_super);
1031
1032 ret = btrfs_check_fs_compatibility(fs_info->super_copy);
1033 if (ret)
1034 goto out_devices;
1035
>>> CID 340903: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "fs_info->nodesize" to "btrfs_setup_chunk_tree_and_device_map", which uses it as an offset.
1036 ret = btrfs_setup_chunk_tree_and_device_map(fs_info);
1037 if (ret)
1038 goto out_chunk;
1039
1040 /* Chunk tree root is unable to read, return directly */
1041 if (!fs_info->chunk_root)
** CID 340902: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340902: (TAINTED_SCALAR)
/common/fdt_support.c: 1784 in fdt_read_range()
1778
1779 /* Jump to the n'th entry */
1780 cell = n * (pacells + acells + scells);
1781
1782 /* Read <child address> */
1783 if (child_addr) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as an offset.
1784 r = fdt_read_prop(ranges, ranges_len, cell, child_addr,
1785 acells);
1786 if (r)
1787 return r;
1788 }
1789 cell += acells;
/common/fdt_support.c: 1784 in fdt_read_range()
1778
1779 /* Jump to the n'th entry */
1780 cell = n * (pacells + acells + scells);
1781
1782 /* Read <child address> */
1783 if (child_addr) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as an offset.
1784 r = fdt_read_prop(ranges, ranges_len, cell, child_addr,
1785 acells);
1786 if (r)
1787 return r;
1788 }
1789 cell += acells;
/common/fdt_support.c: 1798 in fdt_read_range()
1792 if (addr)
1793 *addr = fdt_translate_address(fdt, node, ranges + cell);
1794 cell += pacells;
1795
1796 /* Read <size in child address space> */
1797 if (len) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as an offset.
1798 r = fdt_read_prop(ranges, ranges_len, cell, len, scells);
1799 if (r)
1800 return r;
1801 }
1802
1803 return 0;
** CID 340901: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340901: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_overlay.c: 643 in overlay_merge()
637 return overlay;
638
639 target = overlay_get_target(fdt, fdto, fragment, NULL);
640 if (target < 0)
641 return target;
642
>>> CID 340901: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "target" to "overlay_apply_node", which uses it as a loop boundary.
643 ret = overlay_apply_node(fdt, target, fdto, overlay);
644 if (ret)
645 return ret;
646 }
647
648 return 0;
** CID 340900: Error handling issues (NEGATIVE_RETURNS)
/fs/btrfs/inode.c: 644 in read_and_truncate_page()
________________________________________________________________________________________________________
*** CID 340900: Error handling issues (NEGATIVE_RETURNS)
/fs/btrfs/inode.c: 644 in read_and_truncate_page()
638 if (!buf)
639 return -ENOMEM;
640
641 extent_type = btrfs_file_extent_type(leaf, fi);
642 if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
643 ret = btrfs_read_extent_inline(path, fi, buf);
>>> CID 340900: Error handling issues (NEGATIVE_RETURNS)
>>> "({...; (_min1 < _min2) ? _min1 : _min2;})" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
644 memcpy(dest, buf + page_off, min(page_len, ret));
645 free(buf);
646 return len;
647 }
648
649 ret = btrfs_read_extent_reg(path, fi,
** CID 340899: Insecure data handling (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 219 in print_revoke_blks()
________________________________________________________________________________________________________
*** CID 340899: Insecure data handling (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 219 in print_revoke_blks()
213
214 header = (struct journal_revoke_header_t *) revk_blk;
215 offset = sizeof(struct journal_revoke_header_t);
216 max = be32_to_cpu(header->r_count);
217 printf("total bytes %d\n", max);
218
>>> CID 340899: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "max" as a loop boundary.
219 while (offset < max) {
220 blocknr = be32_to_cpu(*((__be32 *)(revk_blk + offset)));
221 printf("revoke blknr is %ld\n", blocknr);
222 offset += 4;
223 }
224 }
** CID 340898: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2667 in efi_uninstall_multiple_protocol_interfaces()
________________________________________________________________________________________________________
*** CID 340898: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2667 in efi_uninstall_multiple_protocol_interfaces()
2661 efi_status_t r = EFI_SUCCESS;
2662 size_t i = 0;
2663
2664 if (!handle)
2665 return EFI_EXIT(EFI_INVALID_PARAMETER);
2666
>>> CID 340898: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2667 efi_va_start(argptr, handle);
2668 for (;;) {
2669 protocol = efi_va_arg(argptr, efi_guid_t*);
2670 if (!protocol)
2671 break;
2672 protocol_interface = efi_va_arg(argptr, void*);
** CID 340897: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2594 in efi_install_multiple_protocol_interfaces()
________________________________________________________________________________________________________
*** CID 340897: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2594 in efi_install_multiple_protocol_interfaces()
2588 efi_status_t r = EFI_SUCCESS;
2589 int i = 0;
2590
2591 if (!handle)
2592 return EFI_EXIT(EFI_INVALID_PARAMETER);
2593
>>> CID 340897: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2594 efi_va_start(argptr, handle);
2595 for (;;) {
2596 protocol = efi_va_arg(argptr, efi_guid_t*);
2597 if (!protocol)
2598 break;
2599 protocol_interface = efi_va_arg(argptr, void*);
** CID 340896: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340896: Insecure data handling (TAINTED_SCALAR)
/common/image-fdt.c: 510 in boot_get_fdt()
504 ulong fdt_data, fdt_len;
505 u32 fdt_size, dtb_idx;
506 /*
507 * Firstly check if this android boot image has dtb field.
508 */
509 dtb_idx = (u32)env_get_ulong("adtb_idx", 10, 0);
>>> CID 340896: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "hdr" to "android_image_get_dtb_by_index", which uses it as a loop boundary.
510 if (android_image_get_dtb_by_index((ulong)hdr, dtb_idx, &fdt_addr, &fdt_size)) {
511 fdt_blob = (char *)map_sysmem(fdt_addr, 0);
512 if (fdt_check_header(fdt_blob))
513 goto no_fdt;
514
515 debug("## Using FDT in Android image dtb area with idx %u\n", dtb_idx);
** CID 340895: Insecure data handling (TAINTED_SCALAR)
/common/image-android-dt.c: 128 in android_dt_print_contents()
________________________________________________________________________________________________________
*** CID 340895: Insecure data handling (TAINTED_SCALAR)
/common/image-android-dt.c: 128 in android_dt_print_contents()
122 printf(" page_size = %d\n", fdt32_to_cpu(hdr->page_size));
123 printf(" version = %d\n", fdt32_to_cpu(hdr->version));
124
125 unmap_sysmem(hdr);
126
127 /* Print image entries info */
>>> CID 340895: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "entry_count" as a loop boundary.
128 for (i = 0; i < entry_count; ++i) {
129 const ulong e_addr = hdr_addr + entries_offset + i * entry_size;
130 const struct dt_table_entry *e;
131 const struct fdt_header *fdt;
132 u32 dt_offset, dt_size;
133 u32 j;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3D9GGA_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTs3pBU8vxliBOfH1-2FBt0vqbdIx1mP6FC3-2FQe-2Fw-2F-2FDBEhKG26IbQfiRoX0gqXB9Wm6CFQKvUL203el0Uwq3R00CKZgVFh0pACrzKTpfyuRUH7ZMXL834xWtjRvq7oWINAt-2FvvOwfqgX9iTtocxbsR7P736LnIQHB4GthdbQG8xFv4Q-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Dp1U4_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTs3pBU8vxliBOfH1-2FBt0vqbclVGnJdJ2jYQpaLHmC-2BWaiKYUmh5-2BWRNQHXgL0tqPDBr5zJNId2seKKN819S3BkxgDCXMchYRh-2BH6W8WhXwQjsEAGX5MWx-2FVvnCjUsyybd-2FX8yAQGOFpUWS11iICkcOGU8IXKIHrICdOOFVa3O8-2BPw-3D-3D
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next reply other threads:[~2021-11-02 16:22 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-02 16:22 Tom Rini [this message]
-- strict thread matches above, loose matches on Subject: below --
2022-09-06 15:50 [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot] Tom Rini
2022-05-09 17:22 Tom Rini
2022-04-25 23:41 Tom Rini
2022-03-05 18:27 Tom Rini
2022-02-15 19:29 Tom Rini
2022-02-01 0:33 Tom Rini
2021-11-15 18:02 Tom Rini
2021-11-01 20:06 Tom Rini
2021-09-15 14:11 Tom Rini
2021-08-30 17:39 Tom Rini
2021-08-31 15:18 ` Oleh Kravchenko
2021-09-06 14:05 ` Oleh Kravchenko
2021-09-06 15:23 ` Tom Rini
2021-08-16 19:57 Tom Rini
2021-08-16 20:15 ` Pali Rohár
2021-08-16 20:20 ` Tom Rini
2021-07-27 2:52 Tom Rini
2021-07-27 3:26 ` Sean Anderson
2021-07-27 15:04 ` Tom Rini
2021-05-26 16:58 Tom Rini
2021-05-12 22:30 Tom Rini
2021-04-19 12:20 Tom Rini
2021-04-20 0:58 ` Asherah Connor
2021-04-20 1:17 ` Tom Rini
2021-04-20 6:13 ` Dario Binacchi
2021-03-30 19:55 Tom Rini
2021-03-02 14:42 Tom Rini
2021-02-23 16:15 Tom Rini
2021-02-01 19:51 Tom Rini
2021-01-26 16:41 Tom Rini
2021-01-20 19:04 Tom Rini
2021-01-20 20:43 ` Heinrich Schuchardt
2021-01-20 22:33 ` Heinrich Schuchardt
2021-01-21 2:09 ` AKASHI Takahiro
2021-01-26 17:02 ` Tom Rini
2021-01-20 21:03 ` Andre Przywara
2021-01-20 21:34 ` Tom Rini
2021-01-21 11:36 ` Sughosh Ganu
2021-01-21 13:44 ` Heinrich Schuchardt
2021-01-22 8:54 ` Sughosh Ganu
2021-01-22 11:37 ` Heinrich Schuchardt
2020-12-03 17:28 Tom Rini
2020-11-10 21:18 Tom Rini
2020-10-30 19:16 Tom Rini
2020-11-02 11:54 ` Pratyush Yadav
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211102162207.GP24579@bill-the-cat \
--to=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.