From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Cc: Vignesh R <vigneshr@ti.com>,
Takahiro Kuwano <Takahiro.Kuwano@infineon.com>,
Tudor Ambarus <tudor.ambarus@linaro.org>,
Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com>,
Pratyush Yadav <p.yadav@ti.com>,
Ashok Reddy Soma <ashok.reddy.soma@amd.com>,
Joakim Tjernlund <joakim.tjernlund@infinera.com>,
Raymond Mao <raymond.mao@linaro.org>,
Ilias Apalodimas <ilias.apalodimas@linaro.org>
Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Tue, 15 Oct 2024 21:47:25 -0600 [thread overview]
Message-ID: <20241016034725.GD6412@bill-the-cat> (raw)
[-- Attachment #1: Type: text/plain, Size: 28517 bytes --]
Hey all, here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Oct 15, 2024 at 5:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
22 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 22 defect(s)
** CID 510813: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()
________________________________________________________________________________________________________
*** CID 510813: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()
1646 goto read_err;
1647 }
1648 if (ret < 0)
1649 goto read_err;
1650
1651 if (is_ofst_odd == true) {
>>> CID 510813: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "memmove(buf, buf + 1, len -...".
1652 memmove(buf, (buf + 1), (len - 1));
1653 *retlen += (ret - 1);
1654 buf += ret - 1;
1655 is_ofst_odd = false;
1656 } else {
1657 *retlen += ret;
** CID 510812: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()
________________________________________________________________________________________________________
*** CID 510812: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
3567 /*
3568 * In parallel-memories the erase operation is
3569 * performed on both the flashes simultaneously
3570 * so, double the erasesize.
3571 */
3572 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3573 mtd->erasesize = 4096 * 2;
3574 else
3575 mtd->erasesize = 4096;
3576 } else if (info->flags & SECT_4K_PMC) {
3577 nor->erase_opcode = SPINOR_OP_BE_4K_PMC;
3578 /*
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
3578 /*
3579 * In parallel-memories the erase operation is
3580 * performed on both the flashes simultaneously
3581 * so, double the erasesize.
3582 */
3583 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3584 mtd->erasesize = 4096 * 2;
3585 else
3586 mtd->erasesize = 4096;
3587 } else
3588 #endif
3589 {
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
3604 /*
3605 * In parallel-memories the erase operation is
3606 * performed on both the flashes simultaneously
3607 * so, double the erasesize.
3608 */
3609 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3610 mtd->erasesize = 4096 * 2;
3611 else
3612 mtd->erasesize = 4096;
3613 }
3614
3615 return 0;
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()
3591 /*
3592 * In parallel-memories the erase operation is
3593 * performed on both the flashes simultaneously
3594 * so, double the erasesize.
3595 */
3596 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = info->sect...".
3597 mtd->erasesize = info->sector_size * 2;
3598 else
3599 mtd->erasesize = info->sector_size;
3600 }
3601
3602 if ((JEDEC_MFR(info) == SNOR_MFR_SST) && info->flags &
SECT_4K) {
** CID 510811: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()
________________________________________________________________________________________________________
*** CID 510811: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
1128 addr_known = false;
1129 ret = -EINTR;
1130 goto erase_err;
1131 }
1132 offset = addr;
1133 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510811: (DEADCODE)
>>> Execution cannot reach this statement: "offset /= 2U;".
1134 offset /= 2;
1135
1136 if (nor->flags & SNOR_F_HAS_STACKED) {
1137 if (offset >= (mtd->size / 2)) {
1138 offset = offset - (mtd->size / 2);
1139 nor->spi->flags |= SPI_XFER_U_PAGE;
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()
1131 }
1132 offset = addr;
1133 if (nor->flags & SNOR_F_HAS_PARALLEL)
1134 offset /= 2;
1135
1136 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510811: (DEADCODE)
>>> Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1137 if (offset >= (mtd->size / 2)) {
1138 offset = offset - (mtd->size / 2);
1139 nor->spi->flags |= SPI_XFER_U_PAGE;
1140 } else {
1141 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142 }
** CID 510810: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
________________________________________________________________________________________________________
*** CID 510810: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550 {
1551 int tmp;
1552 u8 id[SPI_NOR_MAX_ID_LEN];
1553 const struct flash_info *info;
1554
1555 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510810: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "nor->spi->flags |= 0x100;".
1556 nor->spi->flags |= SPI_XFER_LOWER;
1557
1558 tmp = nor->read_reg(nor, SPINOR_OP_RDID, id,
SPI_NOR_MAX_ID_LEN);
1559 if (tmp < 0) {
1560 dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561 return ERR_PTR(tmp);
** CID 510809: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()
________________________________________________________________________________________________________
*** CID 510809: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()
379 signed_info);
380 if (ret)
381 goto out_err_sinfo;
382
383 no_authattrs:
384 *sinfo = signed_info;
>>> CID 510809: Resource leaks (RESOURCE_LEAK)
>>> Variable "mctx" going out of scope leaks the storage it points to.
385 return 0;
386
387 out_err_sinfo:
388 pkcs7_free_sinfo_mbedtls_ctx(mctx);
389 out_no_mctx:
390 public_key_signature_free(s);
** CID 510808: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()
________________________________________________________________________________________________________
*** CID 510808: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()
718 static void spi_nor_set_4byte_opcodes(struct spi_nor *nor,
719 const struct flash_info *info)
720 {
721 bool shift = 0;
722
723 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510808: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "shift = true;".
724 shift = 1;
725
726 /* Do some manufacturer fixups first */
727 switch (JEDEC_MFR(info)) {
728 case SNOR_MFR_SPANSION:
729 /* No small sector erase for 4-byte command set */
** CID 510807: Control flow issues (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()
________________________________________________________________________________________________________
*** CID 510807: Control flow issues (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()
2744 MBEDTLS_PUT_UINT16_BE(group, addr, nonzero_groups);
2745 nonzero_groups++;
2746 if (*p == '\0') {
2747 break;
2748 } else if (*p == '.') {
2749 /* Don't accept IPv4 too early or late */
>>> CID 510807: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "zero_group_start == -1" inside this statement: "if ((nonzero_groups == 0 &&...".
2750 if ((nonzero_groups == 0 && zero_group_start == -1) ||
2751 nonzero_groups >= 7) {
2752 break;
2753 }
2754
2755 /* Walk back to prior ':', then parse as IPv4-mapped */
** CID 510806: Control flow issues (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()
________________________________________________________________________________________________________
*** CID 510806: Control flow issues (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()
203 return -EINVAL;
204 }
205
206 p += seq_len;
207 }
208
>>> CID 510806: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "ret != -96" inside this statement: "if (ret && ret != -96)
re...".
209 if (ret && ret != MBEDTLS_ERR_ASN1_OUT_OF_DATA)
210 return ret;
211
212 msg->have_authattrs = true;
213
214 /*
** CID 510805: Memory - illegal accesses (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()
________________________________________________________________________________________________________
*** CID 510805: Memory - illegal accesses (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()
672 (*prop)->num_bits = (rsa_key.n_sz - i) * 8;
673 (*prop)->modulus = malloc(rsa_key.n_sz - i);
674 if (!(*prop)->modulus) {
675 ret = -ENOMEM;
676 goto out;
677 }
>>> CID 510805: Memory - illegal accesses (OVERRUN)
>>> Overrunning dynamic array "rsa_key.n" at offset corresponding to index variable "i".
678 memcpy((void *)(*prop)->modulus, &rsa_key.n[i],
rsa_key.n_sz - i);
679
680 n = calloc(sizeof(uint32_t), 1 + ((*prop)->num_bits >> 5));
681 rr = calloc(sizeof(uint32_t), 1 + (((*prop)->num_bits
* 2) >> 5));
682 rrtmp = calloc(sizeof(uint32_t), 2 +
(((*prop)->num_bits * 2) >> 5));
683 if (!n || !rr || !rrtmp) {
** CID 510804: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
________________________________________________________________________________________________________
*** CID 510804: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550 {
1551 int tmp;
1552 u8 id[SPI_NOR_MAX_ID_LEN];
1553 const struct flash_info *info;
1554
1555 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510804: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> In "nor->spi->flags |= 256 /* 1 << 8 */", wider "256 /* 1 << 8 */" has high-order bits (0x100) that don't affect the narrower left-hand side.
1556 nor->spi->flags |= SPI_XFER_LOWER;
1557
1558 tmp = nor->read_reg(nor, SPINOR_OP_RDID, id,
SPI_NOR_MAX_ID_LEN);
1559 if (tmp < 0) {
1560 dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561 return ERR_PTR(tmp);
** CID 510803: Code maintainability issues (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()
________________________________________________________________________________________________________
*** CID 510803: Code maintainability issues (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()
1132 offset = addr;
1133 if (nor->flags & SNOR_F_HAS_PARALLEL)
1134 offset /= 2;
1135
1136 if (nor->flags & SNOR_F_HAS_STACKED) {
1137 if (offset >= (mtd->size / 2)) {
>>> CID 510803: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "offset - mtd->size / 2ULL" to "offset" here, but that stored value is overwritten before it can be used.
1138 offset = offset - (mtd->size / 2);
1139 nor->spi->flags |= SPI_XFER_U_PAGE;
1140 } else {
1141 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142 }
1143 }
** CID 510802: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()
________________________________________________________________________________________________________
*** CID 510802: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()
498 * discard the second byte.
499 */
500 if (spi_nor_protocol_is_dtr(nor->reg_proto))
501 op.data.nbytes = 2;
502
503 if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>> CID 510802: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "op.data.nbytes = 2U;".
504 op.data.nbytes = 2;
505 ret = spi_nor_read_write_reg(nor, &op, &val[0]);
506 if (ret < 0) {
507 pr_debug("error %d reading SR\n", (int)ret);
508 return ret;
509 }
** CID 510801: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 510801: Null pointer dereferences (FORWARD_NULL)
/lib/ecdsa/ecdsa-libcrypto.c: 365 in ecdsa_add_verify_data()
359 struct signer ctx;
360 int ret;
361
362 fdt_key_name = info->keyname ? info->keyname : "default-key";
363 ret = prepare_ctx(&ctx, info);
364 if (ret >= 0) {
>>> CID 510801: Null pointer dereferences (FORWARD_NULL)
>>> Passing "info" to "do_add", which dereferences null "info->keyname".
365 ret = do_add(&ctx, fdt, fdt_key_name, info);
366 if (ret < 0)
367 ret = ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
368 }
369
370 free_ctx(&ctx);
371 return ret;
** CID 510800: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()
________________________________________________________________________________________________________
*** CID 510800: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
1614 } else {
1615 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616 }
1617 }
1618
1619 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach this statement: "offset /= 2LL;".
1620 offset /= 2;
1621
1622 if (nor->addr_width == 3) {
1623 #ifdef CONFIG_SPI_FLASH_BAR
1624 ret = write_bar(nor, offset);
1625 if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
1584 u32 rem_bank_len = 0;
1585 u8 bank;
1586 bool is_ofst_odd = false;
1587
1588 dev_dbg(nor->dev, "from 0x%08x, len %zd\n", (u32)from, len);
1589
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach the expression "offset & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1590 if ((nor->flags & SNOR_F_HAS_PARALLEL) && (offset & 1)) {
1591 /* We can hit this case when we use file system
like ubifs */
1592 from--;
1593 len++;
1594 is_ofst_odd = true;
1595 }
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
1605 rem_bank_len = (SZ_16M * (bank
+ 1)) - from;
1606 }
1607 }
1608 offset = from;
1609
1610 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1611 if (offset >= (mtd->size / 2)) {
1612 offset = offset - (mtd->size / 2);
1613 nor->spi->flags |= SPI_XFER_U_PAGE;
1614 } else {
1615 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616 }
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()
1594 is_ofst_odd = true;
1595 }
1596
1597 while (len) {
1598 if (nor->addr_width == 3) {
1599 if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach this statement: "bank = (u32)from / 33554432U;".
1600 bank = (u32)from / (SZ_16M << 0x01);
1601 rem_bank_len = ((SZ_16M << 0x01) *
1602 (bank + 1)) - from;
1603 } else {
1604 bank = (u32)from / SZ_16M;
1605 rem_bank_len = (SZ_16M * (bank
+ 1)) - from;
** CID 510799: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()
________________________________________________________________________________________________________
*** CID 510799: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
1965 return 0;
1966
1967 /*
1968 * Cannot write to odd offset in parallel mode,
1969 * so write 2 bytes first
1970 */
>>> CID 510799: (DEADCODE)
>>> Execution cannot reach the expression "to & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1971 if ((nor->flags & SNOR_F_HAS_PARALLEL) && (to & 1)) {
1972 u8 two[2] = {0xff, buf[0]};
1973 size_t local_retlen;
1974
1975 ret = spi_nor_write(mtd, to & ~1, 2,
&local_retlen, two);
1976 if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
2001 }
2002 offset = (to + i);
2003 if (nor->flags & SNOR_F_HAS_PARALLEL)
2004 offset /= 2;
2005
2006 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510799: (DEADCODE)
>>> Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
2007 if (offset >= (mtd->size / 2)) {
2008 offset = offset - (mtd->size / 2);
2009 nor->spi->flags |= SPI_XFER_U_PAGE;
2010 } else {
2011 nor->spi->flags &= ~SPI_XFER_U_PAGE;
2012 }
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()
1998 u64 aux = addr;
1999
2000 page_offset = do_div(aux, nor->page_size);
2001 }
2002 offset = (to + i);
2003 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510799: (DEADCODE)
>>> Execution cannot reach this statement: "offset /= 2U;".
2004 offset /= 2;
2005
2006 if (nor->flags & SNOR_F_HAS_STACKED) {
2007 if (offset >= (mtd->size / 2)) {
2008 offset = offset - (mtd->size / 2);
2009 nor->spi->flags |= SPI_XFER_U_PAGE;
** CID 510798: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()
________________________________________________________________________________________________________
*** CID 510798: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()
214 }
215
216 ret = hash_calculate(s->hash_algo, ®ion, 1, s->digest);
217 if (!ret)
218 *sig = s;
219
>>> CID 510798: Resource leaks (RESOURCE_LEAK)
>>> Variable "s" going out of scope leaks the storage it points to.
220 return ret;
221
222 error_sig:
223 public_key_signature_free(s);
224 return ret;
225 }
** CID 510797: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()
________________________________________________________________________________________________________
*** CID 510797: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
4622 /* Send all the required SPI flash commands to
initialize device */
4623 ret = spi_nor_init(nor);
4624 if (ret)
4625 return ret;
4626
4627 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510797: (DEADCODE)
>>> Execution cannot reach this statement: "nor->spi->flags |= 0x10UL;".
4628 nor->spi->flags |= SPI_XFER_U_PAGE;
4629 ret = spi_nor_init(nor);
4630 if (ret)
4631 return ret;
4632 nor->spi->flags &= ~SPI_XFER_U_PAGE;
4633 }
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()
4592 nor->addr_width = info->addr_width;
4593 } else {
4594 nor->addr_width = 3;
4595 }
4596
4597 if (nor->flags & (SNOR_F_HAS_PARALLEL | SNOR_F_HAS_STACKED))
>>> CID 510797: (DEADCODE)
>>> Execution cannot reach this statement: "shift = true;".
4598 shift = 1;
4599 if (nor->addr_width == 3 && (mtd->size >> shift) > SZ_16M) {
4600 #ifndef CONFIG_SPI_FLASH_BAR
4601 /* enable 4-byte addressing if the device
exceeds 16MiB */
4602 nor->addr_width = 4;
4603 if (JEDEC_MFR(info) == SNOR_MFR_SPANSION ||
** CID 510796: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 510796: Insecure data handling (TAINTED_SCALAR)
/lib/mbedtls/external/mbedtls/library/rsa.c: 1316 in rsa_prepare_blinding()
1310 }
1311
1312 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf,
ctx->len - 1, f_rng, p_rng));
1313
1314 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from
inv_mod. */
1315 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len
- 1, f_rng, p_rng));
>>> CID 510796: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*ctx->Vf.p" to "mbedtls_mpi_mul_mpi", which uses it as an offset.
1316 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
1317 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi,
&ctx->Vi, &ctx->N));
1318
1319 /* At this point, Vi is invertible mod N if and only
if both Vf and R
1320 * are invertible mod N. If one of them isn't, we
don't need to know
1321 * which one, we just loop and choose new values for
both of them.
** CID 510795: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()
________________________________________________________________________________________________________
*** CID 510795: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()
4265
4266 static int spi_nor_init(struct spi_nor *nor)
4267 {
4268 int err;
4269
4270 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510795: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "nor->spi->flags |= 3UL;".
4271 nor->spi->flags |= SPI_NOR_ENABLE_MULTI_CS;
4272
4273 err = spi_nor_octal_dtr_enable(nor);
4274 if (err) {
4275 dev_dbg(nor->dev, "Octal DTR mode not supported\n");
4276 return err;
** CID 510794: Control flow issues (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()
________________________________________________________________________________________________________
*** CID 510794: Control flow issues (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()
72 do {
73 name_str = kzalloc(len, GFP_KERNEL);
74 if (!name_str)
75 return NULL;
76
77 wb = mbedtls_x509_dn_gets(name_str, len, name);
>>> CID 510794: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "wb < 0UL".
78 if (wb < 0) {
79 pr_err("Get DN string failed, ret:-0x%04x\n",
80 (unsigned int)-wb);
81 kfree(name_str);
82 len = len * 2; /* Try with a bigger buffer */
83 }
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next reply other threads:[~2024-10-16 3:47 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-16 3:47 Tom Rini [this message]
2024-10-16 5:56 ` Fwd: New Defects reported by Coverity Scan for Das U-Boot Tudor Ambarus
2024-10-16 6:12 ` Ilias Apalodimas
2024-10-16 8:20 ` Abbarapu, Venkatesh
2024-10-16 15:23 ` Raymond Mao
-- strict thread matches above, loose matches on Subject: below --
2026-05-11 22:35 Fwd: " Tom Rini
2026-05-08 23:42 Tom Rini
2026-05-14 15:39 ` Lucien.Jheng
2026-04-28 14:04 Tom Rini
2026-04-29 6:31 ` Michal Simek
2026-05-01 22:51 ` Raymond Mao
2026-05-12 8:44 ` Christian Pötzsch
2026-05-12 18:38 ` Tom Rini
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
2026-01-06 20:36 Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-14 23:29 Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-03-11 1:49 Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241016034725.GD6412@bill-the-cat \
--to=trini@konsulko.com \
--cc=Takahiro.Kuwano@infineon.com \
--cc=ashok.reddy.soma@amd.com \
--cc=ilias.apalodimas@linaro.org \
--cc=joakim.tjernlund@infinera.com \
--cc=p.yadav@ti.com \
--cc=raymond.mao@linaro.org \
--cc=tudor.ambarus@linaro.org \
--cc=u-boot@lists.denx.de \
--cc=venkatesh.abbarapu@amd.com \
--cc=vigneshr@ti.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.