From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Subject: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Date: Wed, 20 Jan 2021 14:04:18 -0500
Message-ID: <20210120190418.GA9782@bill-the-cat>
I decided to run Coverity part-way through the merge window this time
and here's what's been found so far.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 23 defect(s)
** CID 316365: Memory - corruptions (STRING_OVERFLOW)
/tools/sunxi_egon.c: 96 in egon_set_header()
________________________________________________________________________________________________________
*** CID 316365: Memory - corruptions (STRING_OVERFLOW)
/tools/sunxi_egon.c: 96 in egon_set_header()
90
91 /* If an image name has been provided, use it as the DT name. */
92 if (params->imagename && params->imagename[0]) {
93 if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
94 printf("WARNING: DT name too long for SPL header!\n");
95 else {
>>> CID 316365: Memory - corruptions (STRING_OVERFLOW)
>>> You might overrun the 13-character destination string "header->string_pool" by writing 51 characters from "params->imagename".
96 strcpy((char *)header->string_pool, params->imagename);
97 value = offsetof(struct boot_file_head, string_pool);
98 header->dt_name_offset = cpu_to_le32(value);
99 header->spl_signature[3] = SPL_DT_HEADER_VERSION;
100 }
101 }
** CID 316364: Null pointer dereferences (FORWARD_NULL)
/cmd/efidebug.c: 202 in do_efi_capsule_res()
________________________________________________________________________________________________________
*** CID 316364: Null pointer dereferences (FORWARD_NULL)
/cmd/efidebug.c: 202 in do_efi_capsule_res()
196 printf("Failed to get %ls\n", var_name16);
197
198 return CMD_RET_FAILURE;
199 }
200 }
201
>>> CID 316364: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "result".
202 printf("Result total size: 0x%x\n", result->variable_total_size);
203 printf("Capsule guid: %pUl\n", &result->capsule_guid);
204 printf("Time processed: %04d-%02d-%02d %02d:%02d:%02d\n",
205 result->capsule_processed.year, result->capsule_processed.month,
206 result->capsule_processed.day, result->capsule_processed.hour,
207 result->capsule_processed.minute,
** CID 316363: Null pointer dereferences (REVERSE_INULL)
/lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
________________________________________________________________________________________________________
*** CID 316363: Null pointer dereferences (REVERSE_INULL)
/lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
1987 ret = EFI_CALL(load_file_protocol->load_file(
1988 load_file_protocol, dp, boot_policy,
1989 &buffer_size, (void *)(uintptr_t)addr));
1990 if (ret != EFI_SUCCESS)
1991 efi_free_pages(addr, pages);
1992 out:
>>> CID 316363: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "load_file_protocol" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1993 if (load_file_protocol)
1994 EFI_CALL(efi_close_protocol(device,
1995 &efi_guid_load_file2_protocol,
1996 efi_root, NULL));
1997 if (ret == EFI_SUCCESS) {
1998 *buffer = (void *)(uintptr_t)addr;
** CID 316362: Error handling issues (CHECKED_RETURN)
/fs/fat/fat_write.c: 422 in fill_dir_slot()
________________________________________________________________________________________________________
*** CID 316362: Error handling issues (CHECKED_RETURN)
/fs/fat/fat_write.c: 422 in fill_dir_slot()
416 while (counter >= 1) {
417 memcpy(itr->dent, slotptr, sizeof(dir_slot));
418 slotptr--;
419 counter--;
420
421 if (itr->remaining == 0)
>>> CID 316362: Error handling issues (CHECKED_RETURN)
>>> Calling "flush_dir" without checking return value (as is done elsewhere 5 out of 6 times).
422 flush_dir(itr);
423
424 next_dent(itr);
425 if (!itr->dent)
426 return -EIO;
427 }
** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
/lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
________________________________________________________________________________________________________
*** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
/lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
761
762 ret = EFI_CALL((*dirh->setpos)(dirh, 0));
763 if (ret != EFI_SUCCESS)
764 goto err;
765
766 /* make a list */
>>> CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
>>> Passing argument "count * 8UL /* sizeof (*files) */" to function "dlmalloc" and then casting the return value to "u16 **" is suspicious. In this particular case "sizeof (u16 **)" happens to be equal to "sizeof (u16 *)", but this is not a portable assumption.
767 tmp_files = malloc(count * sizeof(*files));
768 if (!tmp_files) {
769 ret = EFI_OUT_OF_RESOURCES;
770 goto err;
771 }
772
** CID 316360: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 298 in create_fwbin()
________________________________________________________________________________________________________
*** CID 316360: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 298 in create_fwbin()
292 goto err_3;
293 }
294
295 capsule.version = 0x00000001;
296 capsule.embedded_driver_count = 0;
297 capsule.payload_item_count = 1;
>>> CID 316360: Uninitialized variables (UNINIT)
>>> Using uninitialized value "capsule". Field "capsule.item_offset_list" is uninitialized when calling "fwrite".
298 size = fwrite(&capsule, 1, sizeof(capsule), f);
299 if (size < (sizeof(capsule))) {
300 printf("write failed (%lx)\n", size);
301 goto err_3;
302 }
303 offset = sizeof(capsule) + sizeof(u64);
** CID 316359: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 316359: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
374 ret = EFI_UNSUPPORTED;
375 goto out;
376 }
377
378 /* find a device for update firmware */
379 /* TODO: should we pass index as well, or nothing but type? */
>>> CID 316359: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "handles" to "efi_fmp_find", which dereferences it.
380 fmp = efi_fmp_find(&image->update_image_type_id,
381 image->update_hardware_instance,
382 handles, no_handles);
383 if (!fmp) {
384 log_err("EFI Capsule: driver not found for firmware type: %pUl, hardware instance: %lld\n",
385 &image->update_image_type_id,
** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
________________________________________________________________________________________________________
*** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
157 int ret;
158
159 pdata->iobase = dev_read_addr(dev);
160
161 ifname = dev_read_string(dev, "host-raw-interface");
162 if (ifname) {
>>> CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "priv->host_ifname" of size 16 bytes might leave the destination string unterminated.
163 strncpy(priv->host_ifname, ifname, IFNAMSIZ);
164 printf(": Using %s from DT\n", priv->host_ifname);
165 }
166 if (dev_read_u32(dev, "host-raw-interface-idx",
167 &priv->host_ifindex) < 0) {
168 priv->host_ifindex = 0;
** CID 316357: Memory - corruptions (BUFFER_SIZE)
/fs/fat/fat_write.c: 1154 in fill_dentry()
________________________________________________________________________________________________________
*** CID 316357: Memory - corruptions (BUFFER_SIZE)
/fs/fat/fat_write.c: 1154 in fill_dentry()
1148
1149 set_start_cluster(mydata, dentptr, start_cluster);
1150 dentptr->size = cpu_to_le32(size);
1151
1152 dentptr->attr = attr;
1153
>>> CID 316357: Memory - corruptions (BUFFER_SIZE)
>>> You might overrun the 8 byte destination string "dentptr->name" by writing the maximum 11 bytes from "shortname".
1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
1155 }
1156
1157 /**
1158 * find_directory_entry() - find a directory entry by filename
1159 *
** CID 316356: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
________________________________________________________________________________________________________
*** CID 316356: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219 if (ret < 0) {
220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221 __func__);
222 goto err;
223 }
224
>>> CID 316356: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "srcfd" going out of scope leaks the handle.
225 return 0;
226
227 err:
228 if (sptr)
229 munmap(sptr, src_size);
230
** CID 316355: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
________________________________________________________________________________________________________
*** CID 316355: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
842 }
843 ret = EFI_CALL((*fh->getinfo)(fh, &efi_file_info_guid,
844 &size, file_info));
845 }
846 if (ret != EFI_SUCCESS)
847 goto err;
>>> CID 316355: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "file_info".
848 size = file_info->file_size;
849 free(file_info);
850 buf = malloc(size);
851 if (!buf) {
852 ret = EFI_OUT_OF_RESOURCES;
853 goto err;
** CID 316354: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 318 in create_fwbin()
________________________________________________________________________________________________________
*** CID 316354: Uninitialized variables (UNINIT)
/tools/mkeficapsule.c: 318 in create_fwbin()
312 image.update_image_index = index;
313 image.update_image_size = bin_stat.st_size;
314 image.update_vendor_code_size = 0; /* none */
315 image.update_hardware_instance = instance;
316 image.image_capsule_support = 0;
317
>>> CID 316354: Uninitialized variables (UNINIT)
>>> Using uninitialized value "image". Field "image.reserved" is uninitialized when calling "fwrite".
318 size = fwrite(&image, 1, sizeof(image), f);
319 if (size < sizeof(image)) {
320 printf("write failed (%lx)\n", size);
321 goto err_3;
322 }
323 size = fread(data, 1, bin_stat.st_size, g);
** CID 316353: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
________________________________________________________________________________________________________
*** CID 316353: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219 if (ret < 0) {
220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221 __func__);
222 goto err;
223 }
224
>>> CID 316353: Resource leaks (RESOURCE_LEAK)
>>> Variable "sptr" going out of scope leaks the storage it points to.
225 return 0;
226
227 err:
228 if (sptr)
229 munmap(sptr, src_size);
230
** CID 316352: Security best practices violations (STRING_OVERFLOW)
/drivers/dfu/dfu.c: 490 in dfu_fill_entity()
________________________________________________________________________________________________________
*** CID 316352: Security best practices violations (STRING_OVERFLOW)
/drivers/dfu/dfu.c: 490 in dfu_fill_entity()
484 char *interface, char *devstr)
485 {
486 char *st;
487
488 debug("%s: %s interface: %s dev: %s\n", __func__, s, interface, devstr);
489 st = strsep(&s, " ");
>>> CID 316352: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 32-character fixed-size string "dfu->name" by copying "st" without checking the length.
490 strcpy(dfu->name, st);
491
492 dfu->alt = alt;
493 dfu->max_buf_size = 0;
494 dfu->free_entity = NULL;
495
** CID 316351: Error handling issues (CHECKED_RETURN)
/drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
________________________________________________________________________________________________________
*** CID 316351: Error handling issues (CHECKED_RETURN)
/drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
224 cell = dev_read_prop(dev, "brightness-levels", &len);
225 count = len / sizeof(u32);
226 if (cell && count > index) {
227 priv->levels = malloc(len);
228 if (!priv->levels)
229 return log_ret(-ENOMEM);
>>> CID 316351: Error handling issues (CHECKED_RETURN)
>>> Calling "dev_read_u32_array" without checking return value (as is done elsewhere 8 out of 9 times).
230 dev_read_u32_array(dev, "brightness-levels", priv->levels,
231 count);
232 priv->num_levels = count;
233 priv->default_level = priv->levels[index];
234 priv->max_level = priv->levels[count - 1];
235 } else {
** CID 316350: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 1154 in fill_dentry()
________________________________________________________________________________________________________
*** CID 316350: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 1154 in fill_dentry()
1148
1149 set_start_cluster(mydata, dentptr, start_cluster);
1150 dentptr->size = cpu_to_le32(size);
1151
1152 dentptr->attr = attr;
1153
>>> CID 316350: Memory - corruptions (OVERRUN)
>>> Overrunning array "dentptr->name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
1155 }
1156
1157 /**
1158 * find_directory_entry() - find a directory entry by filename
1159 *
** CID 316349: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
________________________________________________________________________________________________________
*** CID 316349: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219 if (ret < 0) {
220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221 __func__);
222 goto err;
223 }
224
>>> CID 316349: Resource leaks (RESOURCE_LEAK)
>>> Handle variable "destfd" going out of scope leaks the handle.
225 return 0;
226
227 err:
228 if (sptr)
229 munmap(sptr, src_size);
230
** CID 316348: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 188 in set_name()
________________________________________________________________________________________________________
*** CID 316348: Memory - corruptions (OVERRUN)
/fs/fat/fat_write.c: 188 in set_name()
182 /* Each long name directory entry takes 13 characters. */
183 ret = (strlen(filename) + 25) / 13;
184 goto out;
185 }
186 return -EIO;
187 out:
>>> CID 316348: Memory - corruptions (OVERRUN)
>>> Overrunning array "dirent.name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
188 memcpy(shortname, dirent.name, SHORT_NAME_SIZE);
189 return ret;
190 }
191
192 static int total_sector;
193 static int disk_write(__u32 block, __u32 nr_blocks, void *buf)
** CID 316347: Null pointer dereferences (FORWARD_NULL)
/cmd/sandbox/exception.c: 16 in do_sigsegv()
________________________________________________________________________________________________________
*** CID 316347: Null pointer dereferences (FORWARD_NULL)
/cmd/sandbox/exception.c: 16 in do_sigsegv()
10
11 static int do_sigsegv(struct cmd_tbl *cmdtp, int flag, int argc,
12 char *const argv[])
13 {
14 u8 *ptr = NULL;
15
>>> CID 316347: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "ptr".
16 *ptr = 0;
17 return CMD_RET_FAILURE;
18 }
19
20 static int do_undefined(struct cmd_tbl *cmdtp, int flag, int argc,
21 char *const argv[])
** CID 316346: Control flow issues (UNREACHABLE)
/test/cmd/setexpr.c: 275 in setexpr_test_backref()
________________________________________________________________________________________________________
*** CID 316346: Control flow issues (UNREACHABLE)
/test/cmd/setexpr.c: 275 in setexpr_test_backref()
269 "us \\1 \\2 \\3!", true));
270 ut_asserteq_str("us this is surely! a test is it? yes us this is indeed! a test",
271 buf);
272
273 /* The following checks fail at present due to a bug in setexpr */
274 return 0;
>>> CID 316346: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "i = 256;".
275 for (i = BUF_SIZE; i < 0x1000; i++) {
276 ut_assertf(buf[i] == (char)i,
277 "buf byte at %x should be %02x, got %02x)\n",
278 i, i & 0xff, (u8)buf[i]);
279 ut_assertf(nbuf[i] == (char)i,
280 "nbuf byte at %x should be %02x, got %02x)\n",
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzXLV_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFlP-2B70lLxg94OYlINE3kVz2K7-2BaNONHtJP8TbjZRniVWbxuTUQjTtQl1N-2FQyFOjCv8gPw5EPU0ENb3p98VX92ve7SRBWt1r1v-2F-2F6AWroTa-2Bh7rN2QA2fbSgDcYmJ9RJ86TD6dhAH88KDOiq3Saai3zTbA9TSu9jcthFTuvEyi5KBE-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DBleN_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFl83Kn4j1MsEeVR-2BhiT4TgLlRMzBzziPEpnjhf5UW-2FNLxwPg-2FlX4hM5uoZCyOPlCN-2BiReYf6wkiLt6iKknc3lnJUyqsWnyxIFGwSu2OUxAVy5vnsIFdRuglO4-2B9vJx2XrTM801x6AhuO0Zb5xr5hI9qgs9dwug2dbKvAt0T-2F-2Bv9VI-3D
----- End forwarded message -----
--
Tom
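Added example, not part of the message above and not U-Boot code: the defect classes that recur in the forwarded report, each written next to a form Coverity would not flag. IFNAMSIZ_DEMO, struct demo_hdr, struct demo_dentry and all function names are assumptions made for illustration; the 8-byte name plus 3-byte extension is the on-disk FAT 8.3 directory entry layout, and U-Boot's real struct definitions do not appear on this page.

```c
/*
 * Added example, not U-Boot code: the recurring defect classes in the
 * Coverity report above, each beside a form the scanner would not flag.
 * Sizes and struct layouts are illustrative assumptions, not U-Boot's.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IFNAMSIZ_DEMO 16	/* assumed: the 16-byte host_ifname of CID 316358 */

/* CID 316358: strncpy(dst, src, sizeof(dst)) writes no NUL when
 * strlen(src) >= sizeof(dst). Returns 1 if dst ends up unterminated. */
int strncpy_unterminated(const char *src)
{
	char dst[IFNAMSIZ_DEMO];

	memset(dst, 'X', sizeof(dst));
	strncpy(dst, src, sizeof(dst));
	return memchr(dst, '\0', sizeof(dst)) == NULL;
}

/* Fix for the STRING_OVERFLOW/BUFFER_SIZE_WARNING findings (CIDs 316365,
 * 316352, 316358): bound the length check by the destination, refuse
 * over-long input instead of truncating it silently, always terminate.
 * Returns 0 on success, -1 if src does not fit (dst is then ""). */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
	size_t n;

	if (dstsz == 0)
		return -1;
	for (n = 0; n < dstsz && src[n] != '\0'; n++)	/* bounded strlen */
		;
	if (n >= dstsz) {
		dst[0] = '\0';
		return -1;
	}
	memcpy(dst, src, n + 1);	/* n bytes plus the terminator */
	return 0;
}

/* CIDs 316360/316354: a header assigned field by field and then fwrite()n
 * carries stack contents into the file through every field or padding byte
 * nobody set. Zero the whole object first. Layout is an assumption. */
struct demo_hdr {
	uint32_t version;
	uint16_t embedded_driver_count;
	uint16_t payload_item_count;
	uint64_t item_offset_list[2];
};

size_t serialize_hdr(uint8_t *out, size_t outsz, uint64_t payload_off)
{
	struct demo_hdr h;

	if (outsz < sizeof(h))
		return 0;
	memset(&h, 0, sizeof(h));	/* padding included; "= {0}" does not promise that */
	h.version = 1;
	h.embedded_driver_count = 0;
	h.payload_item_count = 1;
	h.item_offset_list[0] = payload_off;	/* [1] is now a known zero */
	memcpy(out, &h, sizeof(h));
	return sizeof(h);
}

/* Non-zero bytes in buf[from, to), so a test can prove the tail is clean. */
size_t count_nonzero(const uint8_t *buf, size_t from, size_t to)
{
	size_t n = 0;

	for (; from < to; from++)
		n += buf[from] != 0;
	return n;
}

/* CIDs 316357/316350/316348: memcpy(dentptr->name, shortname, 11) into an
 * 8-byte name[] relies on the 3-byte ext[] sitting directly behind it (the
 * on-disk 8.3 layout) but is still a write past the object Coverity sees.
 * A union names the 11-byte view so the copy is bounded by a real object. */
struct demo_dentry {
	union {
		struct { char name[8]; char ext[3]; } part;	/* assumed layout */
		char nameext[11];
	} u;
	uint8_t attr;
};

/* Returns 1 if the packed 8.3 name reads back correctly through both views. */
int set_short_name(struct demo_dentry *d, const char shortname[11])
{
	memcpy(d->u.nameext, shortname, sizeof(d->u.nameext));
	return memcmp(d->u.part.name, shortname, 8) == 0 &&
	       memcmp(d->u.part.ext, shortname + 8, 3) == 0;
}
```

Of the findings above, the sandbox-raw one is the one to treat as a real bug rather than a style nit: the unterminated copy is followed on the next line by printf("%s", priv->host_ifname), which reads past the 16-byte array until it happens to hit a zero. The FAT memcpy findings describe a copy that is correct for the on-disk 8.3 layout; the union above makes that intent explicit without changing a single byte that reaches the medium. The mkeficapsule UNINIT findings matter because the struct goes straight into a file that will be distributed, so whatever was on the tool's stack ships with the capsule.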
Thread overview: 46+ messages
2021-01-20 19:04 Tom Rini [this message]
2021-01-20 20:43 ` [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot] Heinrich Schuchardt
2021-01-20 22:33 ` Heinrich Schuchardt
2021-01-21 2:09 ` AKASHI Takahiro
2021-01-26 17:02 ` Tom Rini
2021-01-20 21:03 ` Andre Przywara
2021-01-20 21:34 ` Tom Rini
2021-01-21 11:36 ` Sughosh Ganu
2021-01-21 13:44 ` Heinrich Schuchardt
2021-01-22 8:54 ` Sughosh Ganu
2021-01-22 11:37 ` Heinrich Schuchardt