* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-10-20 11:57 ` Abdellatif El Khlifi
0 siblings, 2 replies; 99+ messages in thread
From: Tom Rini @ 2023-08-21 21:09 UTC (permalink / raw)
To: u-boot, Alvaro Fernando García, Abdellatif El Khlifi
[-- Attachment #1: Type: text/plain, Size: 5339 bytes --]
Here's the latest report
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Aug 21, 2023 at 4:30 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)
** CID 464362: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/video/pwm_backlight.c: 68 in set_pwm()
________________________________________________________________________________________________________
*** CID 464362: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/video/pwm_backlight.c: 68 in set_pwm()
62 {
63 u64 width;
64 uint duty_cycle;
65 int ret;
66
67 if (priv->period_ns) {
>>> CID 464362: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "priv->period_ns * (priv->cur_level - priv->min_level)" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
68 width = priv->period_ns * (priv->cur_level - priv->min_level);
69 duty_cycle = div_u64(width,
70 (priv->max_level - priv->min_level));
71 ret = pwm_set_config(priv->pwm, priv->channel, priv->period_ns,
72 duty_cycle);
73 } else {
** CID 464361: Control flow issues (DEADCODE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
________________________________________________________________________________________________________
*** CID 464361: Control flow issues (DEADCODE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
142
143 if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
144 return -EINVAL;
145
146 abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
147 if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
>>> CID 464361: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -22;".
148 return -EINVAL;
149
150 if (!err_msg_map[abi_idx].err_str[err_idx])
151 return -EINVAL;
152
153 log_err("%s\n", err_msg_map[abi_idx].err_str[err_idx]);
** CID 464360: Control flow issues (NO_EFFECT)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
________________________________________________________________________________________________________
*** CID 464360: Control flow issues (NO_EFFECT)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
201 major = GET_FFA_MAJOR_VERSION(res.a0);
202 minor = GET_FFA_MINOR_VERSION(res.a0);
203
204 log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
205 FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
206
>>> CID 464360: Control flow issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
207 if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
208 log_debug("FF-A versions are compatible\n");
209
210 if (dev) {
211 uc_priv = dev_get_uclass_priv(dev);
212 if (uc_priv)
** CID 464359: (PASS_BY_VALUE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
/drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
________________________________________________________________________________________________________
*** CID 464359: (PASS_BY_VALUE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
162 * @args: FF-A ABI arguments to be copied to Xn registers
163 * @res: FF-A ABI return data to be copied from Xn registers
164 *
165 * Calls low level SMC implementation.
166 * This function should be implemented by the user driver.
167 */
>>> CID 464359: (PASS_BY_VALUE)
>>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
168 void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
169 {
170 }
171
172 /**
173 * ffa_get_version_hdlr() - FFA_VERSION handler function
/drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
667 * invoke_ffa_fn() - SMC wrapper
668 * @args: FF-A ABI arguments to be copied to Xn registers
669 * @res: FF-A ABI return data to be copied from Xn registers
670 *
671 * Calls the emulated SMC call.
672 */
>>> CID 464359: (PASS_BY_VALUE)
>>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
673 void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
674 {
675 sandbox_arm_ffa_smccc_smc(&args, res);
676 }
677
678 /**
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-08-21 21:09 Tom Rini
@ 2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-10-20 11:57 ` Abdellatif El Khlifi
1 sibling, 1 reply; 99+ messages in thread
From: Abdellatif El Khlifi @ 2023-08-24 9:27 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, nd
Hi Tom,
> Here's the latest report
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Aug 21, 2023 at 4:30 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 4 of 4 defect(s)
>
>
> ** CID 464361: Control flow issues (DEADCODE)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
Well received, I started working on that.
I'll provide a fix after coming back fom holidays (mid September)
Cheers,
Abdellatif
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-08-24 9:27 ` Abdellatif El Khlifi
@ 2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Alvaro Fernando García @ 2023-08-28 16:09 UTC (permalink / raw)
To: Abdellatif El Khlifi; +Cc: Tom Rini, U-Boot Mailing List, nd
Hello,
El jue, 24 ago. 2023 06:27, Abdellatif El Khlifi <
abdellatif.elkhlifi@arm.com> escribió:
> Hi Tom,
>
> > Here's the latest report
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Mon, Aug 21, 2023 at 4:30 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das
> > U-Boot found with Coverity Scan.
> >
> > 4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 4 of 4 defect(s)
> >
> >
> > ** CID 464361: Control flow issues (DEADCODE)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
>
> Well received, I started working on that.
> I'll provide a fix after coming back fom holidays (mid September)
>
> Cheers,
> Abdellatif
>
Is there something I could do to help with this?
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-08-28 16:09 ` Alvaro Fernando García
@ 2023-08-28 16:11 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2023-08-28 16:11 UTC (permalink / raw)
To: Alvaro Fernando García; +Cc: Abdellatif El Khlifi, U-Boot Mailing List, nd
[-- Attachment #1: Type: text/plain, Size: 1225 bytes --]
On Mon, Aug 28, 2023 at 01:09:17PM -0300, Alvaro Fernando García wrote:
> Hello,
>
> El jue, 24 ago. 2023 06:27, Abdellatif El Khlifi <
> abdellatif.elkhlifi@arm.com> escribió:
>
> > Hi Tom,
> >
> > > Here's the latest report
> > >
> > > ---------- Forwarded message ---------
> > > From: <scan-admin@coverity.com>
> > > Date: Mon, Aug 21, 2023 at 4:30 PM
> > > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > > To: <tom.rini@gmail.com>
> > >
> > >
> > > Hi,
> > >
> > > Please find the latest report on new defect(s) introduced to Das
> > > U-Boot found with Coverity Scan.
> > >
> > > 4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > >
> > >
> > > New defect(s) Reported-by: Coverity Scan
> > > Showing 4 of 4 defect(s)
> > >
> > >
> > > ** CID 464361: Control flow issues (DEADCODE)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> >
> > Well received, I started working on that.
> > I'll provide a fix after coming back fom holidays (mid September)
> >
> > Cheers,
> > Abdellatif
> >
>
> Is there something I could do to help with this?
Everyone is free to work on these issues, yes.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
@ 2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
1 sibling, 1 reply; 99+ messages in thread
From: Abdellatif El Khlifi @ 2023-10-20 11:57 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, nd, xueliang.zhong
Hi Tom,
> ________________________________________________________________________________________________________
> *** CID 464361: Control flow issues (DEADCODE)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> 142
> 143 if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> 144 return -EINVAL;
> 145
> 146 abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> 147 if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> >>> CID 464361: Control flow issues (DEADCODE)
> >>> Execution cannot reach this statement: "return -22;".
> 148 return -EINVAL;
This is a false positive.
abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80
ffa_print_error_log(0x50, ...); /* exceeding lower bound */
ffa_print_error_log(0x80, ...); /* exceeding upper bound */
In these cases "return -EINVAL;" is executed.
> ...
> ________________________________________________________________________________________________________
> *** CID 464360: Control flow issues (NO_EFFECT)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
> 201 major = GET_FFA_MAJOR_VERSION(res.a0);
> 202 minor = GET_FFA_MINOR_VERSION(res.a0);
> 203
> 204 log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
> 205 FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
> 206
> >>> CID 464360: Control flow issues (NO_EFFECT)
> >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
> 207 if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
Providing the facts that:
#define FFA_MINOR_VERSION (0)
u16 minor;
Yes, currently this condition is always true: minor >= FFA_MINOR_VERSION
However, we might upgrade FFA_MINOR_VERSION in the future. If we remove the "minor >= FFA_MINOR_VERSION" ,
non compatible versions could pass which we don't want.
To keep this code scalable, I think it's better to keep this condition.
> ...
> ________________________________________________________________________________________________________
> *** CID 464359: (PASS_BY_VALUE)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
> 162 * @args: FF-A ABI arguments to be copied to Xn registers
> 163 * @res: FF-A ABI return data to be copied from Xn registers
> 164 *
> 165 * Calls low level SMC implementation.
> 166 * This function should be implemented by the user driver.
> 167 */
> >>> CID 464359: (PASS_BY_VALUE)
> >>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> 168 void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
We are using invoke_ffa_fn with the same arguments as in linux. The aim is to use the same interfaces as in the Linux FF-A
driver to make porting code easier.
In Linux, args is passed by value [1].
ffa_value_t is a structure with 18 "unsigned long" fields. So, the size is fixed.
[1]: invoke_ffa_fn arguments in the Linux FF-A driver
https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L115
https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L54
https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/common.h#L15
[2]: include/linux/arm-smccc.h
> 169 {
> 170 }
> 171
> 172 /**
> 173 * ffa_get_version_hdlr() - FFA_VERSION handler function
> /drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
> 667 * invoke_ffa_fn() - SMC wrapper
> 668 * @args: FF-A ABI arguments to be copied to Xn registers
> 669 * @res: FF-A ABI return data to be copied from Xn registers
> 670 *
> 671 * Calls the emulated SMC call.
> 672 */
> >>> CID 464359: (PASS_BY_VALUE)
> >>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> 673 void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
Same feedback as above.
Cheers,
Abdellatif
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-10-20 11:57 ` Abdellatif El Khlifi
@ 2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2023-10-25 14:57 UTC (permalink / raw)
To: Abdellatif El Khlifi; +Cc: u-boot, nd, xueliang.zhong
[-- Attachment #1: Type: text/plain, Size: 4911 bytes --]
On Fri, Oct 20, 2023 at 12:57:47PM +0100, Abdellatif El Khlifi wrote:
> Hi Tom,
>
> > ________________________________________________________________________________________________________
> > *** CID 464361: Control flow issues (DEADCODE)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > 142
> > 143 if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > 144 return -EINVAL;
> > 145
> > 146 abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > 147 if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > >>> CID 464361: Control flow issues (DEADCODE)
> > >>> Execution cannot reach this statement: "return -22;".
> > 148 return -EINVAL;
>
> This is a false positive.
>
> abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
>
> This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80
>
> ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> ffa_print_error_log(0x80, ...); /* exceeding upper bound */
>
> In these cases "return -EINVAL;" is executed.
So those invalid values aren't caught by the previous check that ffa_id
falls within FFA_FIRST_ID to FFA_LAST_ID ?
> > ...
> > ________________________________________________________________________________________________________
> > *** CID 464360: Control flow issues (NO_EFFECT)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
> > 201 major = GET_FFA_MAJOR_VERSION(res.a0);
> > 202 minor = GET_FFA_MINOR_VERSION(res.a0);
> > 203
> > 204 log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
> > 205 FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
> > 206
> > >>> CID 464360: Control flow issues (NO_EFFECT)
> > >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
> > 207 if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
>
> Providing the facts that:
>
> #define FFA_MINOR_VERSION (0)
> u16 minor;
>
> Yes, currently this condition is always true: minor >= FFA_MINOR_VERSION
>
> However, we might upgrade FFA_MINOR_VERSION in the future. If we remove the "minor >= FFA_MINOR_VERSION" ,
> non compatible versions could pass which we don't want.
>
> To keep this code scalable, I think it's better to keep this condition.
OK, thanks this makes sense as an intentional change for future sanity
checking.
> > ________________________________________________________________________________________________________
> > *** CID 464359: (PASS_BY_VALUE)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
> > 162 * @args: FF-A ABI arguments to be copied to Xn registers
> > 163 * @res: FF-A ABI return data to be copied from Xn registers
> > 164 *
> > 165 * Calls low level SMC implementation.
> > 166 * This function should be implemented by the user driver.
> > 167 */
> > >>> CID 464359: (PASS_BY_VALUE)
> > >>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > 168 void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
>
> We are using invoke_ffa_fn with the same arguments as in linux. The aim is to use the same interfaces as in the Linux FF-A
> driver to make porting code easier.
>
> In Linux, args is passed by value [1].
> ffa_value_t is a structure with 18 "unsigned long" fields. So, the size is fixed.
>
> [1]: invoke_ffa_fn arguments in the Linux FF-A driver
>
> https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L115
> https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L54
> https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/common.h#L15
>
> [2]: include/linux/arm-smccc.h
So this is intentional, OK.
>
> > 169 {
> > 170 }
> > 171
> > 172 /**
> > 173 * ffa_get_version_hdlr() - FFA_VERSION handler function
> > /drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
> > 667 * invoke_ffa_fn() - SMC wrapper
> > 668 * @args: FF-A ABI arguments to be copied to Xn registers
> > 669 * @res: FF-A ABI return data to be copied from Xn registers
> > 670 *
> > 671 * Calls the emulated SMC call.
> > 672 */
> > >>> CID 464359: (PASS_BY_VALUE)
> > >>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > 673 void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
>
> Same feedback as above.
Thanks. I'll update the last 3 CIDs shortly.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-10-25 14:57 ` Tom Rini
@ 2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Abdellatif El Khlifi @ 2023-10-25 15:12 UTC (permalink / raw)
To: Tom Rini; +Cc: nd, trini, u-boot, xueliang.zhong
Hi Tom,
> > > ________________________________________________________________________________________________________
> > > *** CID 464361: Control flow issues (DEADCODE)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > > 142
> > > 143 if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > > 144 return -EINVAL;
> > > 145
> > > 146 abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > > 147 if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > > >>> CID 464361: Control flow issues (DEADCODE)
> > > >>> Execution cannot reach this statement: "return -22;".
> > > 148 return -EINVAL;
> >
> > This is a false positive.
> >
> > abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
> >
> > This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80
> >
> > ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> > ffa_print_error_log(0x80, ...); /* exceeding upper bound */
> >
> > In these cases "return -EINVAL;" is executed.
>
> So those invalid values aren't caught by the previous check that ffa_id
> falls within FFA_FIRST_ID to FFA_LAST_ID ?
I had a closer look at that and I agree that the deadcode defect is legitimate.
I already provided a fix [1].
[1]: https://lore.kernel.org/all/20231020131533.239591-1-abdellatif.elkhlifi@arm.com/
>
> > > ...
> > > ________________________________________________________________________________________________________
> > > *** CID 464360: Control flow issues (NO_EFFECT)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
> > > 201 major = GET_FFA_MAJOR_VERSION(res.a0);
> > > 202 minor = GET_FFA_MINOR_VERSION(res.a0);
> > > 203
> > > 204 log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
> > > 205 FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
> > > 206
> > > >>> CID 464360: Control flow issues (NO_EFFECT)
> > > >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
> > > 207 if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
> >
> > Providing the facts that:
> >
> > #define FFA_MINOR_VERSION (0)
> > u16 minor;
> >
> > Yes, currently this condition is always true: minor >= FFA_MINOR_VERSION
> >
> > However, we might upgrade FFA_MINOR_VERSION in the future. If we remove the "minor >= FFA_MINOR_VERSION" ,
> > non compatible versions could pass which we don't want.
> >
> > To keep this code scalable, I think it's better to keep this condition.
>
> OK, thanks this makes sense as an intentional change for future sanity
> checking.
>
> > > ________________________________________________________________________________________________________
> > > *** CID 464359: (PASS_BY_VALUE)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
> > > 162 * @args: FF-A ABI arguments to be copied to Xn registers
> > > 163 * @res: FF-A ABI return data to be copied from Xn registers
> > > 164 *
> > > 165 * Calls low level SMC implementation.
> > > 166 * This function should be implemented by the user driver.
> > > 167 */
> > > >>> CID 464359: (PASS_BY_VALUE)
> > > >>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > > 168 void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
> >
> > We are using invoke_ffa_fn with the same arguments as in linux. The aim is to use the same interfaces as in the Linux FF-A
> > driver to make porting code easier.
> >
> > In Linux, args is passed by value [1].
> > ffa_value_t is a structure with 18 "unsigned long" fields. So, the size is fixed.
> >
> > [1]: invoke_ffa_fn arguments in the Linux FF-A driver
> >
> > https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L115
> > https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L54
> > https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/common.h#L15
> >
> > [2]: include/linux/arm-smccc.h
>
> So this is intentional, OK.
>
> >
> > > 169 {
> > > 170 }
> > > 171
> > > 172 /**
> > > 173 * ffa_get_version_hdlr() - FFA_VERSION handler function
> > > /drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
> > > 667 * invoke_ffa_fn() - SMC wrapper
> > > 668 * @args: FF-A ABI arguments to be copied to Xn registers
> > > 669 * @res: FF-A ABI return data to be copied from Xn registers
> > > 670 *
> > > 671 * Calls the emulated SMC call.
> > > 672 */
> > > >>> CID 464359: (PASS_BY_VALUE)
> > > >>> Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > > 673 void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
> >
> > Same feedback as above.
>
> Thanks. I'll update the last 3 CIDs shortly.
Thanks Tom :)
Cheers,
Abdellatif
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-10-25 15:12 ` Abdellatif El Khlifi
@ 2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2023-10-25 15:15 UTC (permalink / raw)
To: Abdellatif El Khlifi; +Cc: nd, u-boot, xueliang.zhong
[-- Attachment #1: Type: text/plain, Size: 1877 bytes --]
On Wed, Oct 25, 2023 at 04:12:37PM +0100, Abdellatif El Khlifi wrote:
> Hi Tom,
>
> > > > ________________________________________________________________________________________________________
> > > > *** CID 464361: Control flow issues (DEADCODE)
> > > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > > > 142
> > > > 143 if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > > > 144 return -EINVAL;
> > > > 145
> > > > 146 abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > > > 147 if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > > > >>> CID 464361: Control flow issues (DEADCODE)
> > > > >>> Execution cannot reach this statement: "return -22;".
> > > > 148 return -EINVAL;
> > >
> > > This is a false positive.
> > >
> > > abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
> > >
> > > This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80
> > >
> > > ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> > > ffa_print_error_log(0x80, ...); /* exceeding upper bound */
> > >
> > > In these cases "return -EINVAL;" is executed.
> >
> > So those invalid values aren't caught by the previous check that ffa_id
> > falls within FFA_FIRST_ID to FFA_LAST_ID ?
>
> I had a closer look at that and I agree that the deadcode defect is legitimate.
> I already provided a fix [1].
>
> [1]: https://lore.kernel.org/all/20231020131533.239591-1-abdellatif.elkhlifi@arm.com/
Ah thanks. I had seen that posted but not put that together with this
email and assumed it was addressing something you hadn't talked about
here because you agreed with it being an issue. I will pick up the
above patch soon then.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2023-10-25 15:15 ` Tom Rini
@ 2023-10-31 14:21 ` Abdellatif El Khlifi
0 siblings, 0 replies; 99+ messages in thread
From: Abdellatif El Khlifi @ 2023-10-31 14:21 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, nd
Hi Tom,
> > > > > ________________________________________________________________________________________________________
> > > > > *** CID 464361: Control flow issues (DEADCODE)
> > > > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > > > > 142
> > > > > 143 if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > > > > 144 return -EINVAL;
> > > > > 145
> > > > > 146 abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > > > > 147 if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > > > > >>> CID 464361: Control flow issues (DEADCODE)
> > > > > >>> Execution cannot reach this statement: "return -22;".
> > > > > 148 return -EINVAL;
> > > >
> > > > This is a false positive.
> > > >
> > > > abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
> > > >
> > > > This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80
> > > >
> > > > ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> > > > ffa_print_error_log(0x80, ...); /* exceeding upper bound */
> > > >
> > > > In these cases "return -EINVAL;" is executed.
> > >
> > > So those invalid values aren't caught by the previous check that ffa_id
> > > falls within FFA_FIRST_ID to FFA_LAST_ID ?
> >
> > I had a closer look at that and I agree that the deadcode defect is legitimate.
> > I already provided a fix [1].
> >
> > [1]: https://lore.kernel.org/all/20231020131533.239591-1-abdellatif.elkhlifi@arm.com/
>
> Ah thanks. I had seen that posted but not put that together with this
> email and assumed it was addressing something you hadn't talked about
> here because you agreed with it being an issue. I will pick up the
> above patch soon then.
Thank you very much.
Cheers,
Abdellatif
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2024-01-08 17:45 UTC (permalink / raw)
To: u-boot, Francis Laniel, Sean Anderson
[-- Attachment #1: Type: text/plain, Size: 25689 bytes --]
Hey all,
Now that I've merged next I've re-run Coverity to get a start on issues
that've been added since last run. The report isn't complete because of
the number of issues, sadly, but if someone is interested in a specific
area contact me off-list and I can provide access to the dashboard.
For the hush related issues, this would be a good chance to work with
upstream and then backport the changes I suspect.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 8, 2024 at 12:24 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
41 new defect(s) introduced to Das U-Boot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 41 defect(s)
** CID 477217: Memory - illegal accesses (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5518 in parse_dollar()
________________________________________________________________________________________________________
*** CID 477217: Memory - illegal accesses (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5518 in parse_dollar()
5512 break;
5513 if (--cnt == 0)
5514 goto bad_dollar_syntax;
5515 if (len_single_ch != '#' &&
strchr(VAR_SUBST_OPS, ch))
5516 /* ${NN<op>...} is valid */
5517 goto eat_until_closing;
>>> CID 477217: Memory - illegal accesses (NEGATIVE_RETURNS)
>>> Using variable "ch" as an index to array "_ctype".
5518 if (!isdigit(ch))
5519 goto bad_dollar_syntax;
5520 }
5521 } else
5522 while (1) {
5523 unsigned pos;
** CID 477216: (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
/drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()
________________________________________________________________________________________________________
*** CID 477216: (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
3915
3916 /*
3917 * pages_per_block and blocks_per_lun may not be a
power-of-2 size
3918 * (don't ask me who thought of this...). MTD assumes that these
3919 * dimensions will be power-of-2, so just truncate the
remaining area.
3920 */
>>> CID 477216: (BAD_SHIFT)
>>> In expression "1 << generic_fls((__u32)(__le32)p->pages_per_block) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_fls((__u32)(__le32)p->pages_per_block) - 1", is -1.
3921 mtd->erasesize = 1 <<
(fls(le32_to_cpu(p->pages_per_block)) - 1);
3922 mtd->erasesize *= mtd->writesize;
3923
3924 mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
3925
3926 /* See erasesize comment */
/drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()
3921 mtd->erasesize = 1 <<
(fls(le32_to_cpu(p->pages_per_block)) - 1);
3922 mtd->erasesize *= mtd->writesize;
3923
3924 mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
3925
3926 /* See erasesize comment */
>>> CID 477216: (BAD_SHIFT)
>>> In expression "1 << generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", is -1.
3927 chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
3928 chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
3929 chip->bits_per_cell = p->bits_per_cell;
3930
3931 if (onfi_feature(chip) & ONFI_FEATURE_16_BIT_BUS)
3932 chip->options |= NAND_BUSWIDTH_16;
** CID 477215: Control flow issues (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
________________________________________________________________________________________________________
*** CID 477215: Control flow issues (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
4972 pr_warn("No ECC functions supplied;
hardware ECC not possible\n");
4973 BUG();
4974 }
4975 if (!ecc->read_page)
4976 ecc->read_page = nand_read_page_hwecc_oob_first;
4977
>>> CID 477215: Control flow issues (MISSING_BREAK)
>>> The case for value "NAND_ECC_HW" is not terminated by a "break" statement.
4978 case NAND_ECC_HW:
4979 /* Use standard hwecc read page function? */
4980 if (!ecc->read_page)
4981 ecc->read_page = nand_read_page_hwecc;
4982 if (!ecc->write_page)
4983 ecc->write_page = nand_write_page_hwecc;
** CID 477214: Integer handling issues (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
________________________________________________________________________________________________________
*** CID 477214: Integer handling issues (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
4391
4392 nand_decode_bbm_options(mtd, chip);
4393
4394 /* Calculate the address shift from the page size */
4395 chip->page_shift = ffs(mtd->writesize) - 1;
4396 /* Convert chipsize to number of pages per chip -1 */
>>> CID 477214: Integer handling issues (BAD_SHIFT)
>>> In expression "chip->chipsize >> chip->page_shift", shifting by a negative amount has undefined behavior. The shift amount, "chip->page_shift", is -1.
4397 chip->pagemask = (chip->chipsize >> chip->page_shift) - 1;
4398
4399 chip->bbt_erase_shift = chip->phys_erase_shift =
4400 ffs(mtd->erasesize) - 1;
4401 if (chip->chipsize & 0xffffffff)
4402 chip->chip_shift = ffs((unsigned)chip->chipsize) - 1;
** CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in dm_test_nand()
________________________________________________________________________________________________________
*** CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in dm_test_nand()
61 ops.ooblen = mtd->oobsize;
62 ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63 ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65 /* Generate some data and write it */
66 for (i = 0; i < size / sizeof(int); i++)
>>> CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67 gold[i] = rand();
68 ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69 (void *)gold, 0));
70 ut_asserteq(size, length);
71
72 /* Verify */
** CID 477212: Incorrect expression (SIZEOF_MISMATCH)
/lib/smbios.c: 595 in write_smbios_table()
________________________________________________________________________________________________________
*** CID 477212: Incorrect expression (SIZEOF_MISMATCH)
/lib/smbios.c: 595 in write_smbios_table()
589 * sandbox's DRAM buffer.
590 */
591 table_addr = (ulong)map_sysmem(tables, 0);
592
593 /* now go back and write the SMBIOS3 header */
594 se = map_sysmem(start_addr, sizeof(struct smbios_entry));
>>> CID 477212: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "se" of type "struct smbios3_entry *" and argument "31UL" ("sizeof (struct smbios_entry)") to function "memset" is suspicious because a multiple of "sizeof (struct smbios3_entry) /*24*/" is expected.
595 memset(se, '\0', sizeof(struct smbios_entry));
596 memcpy(se->anchor, "_SM3_", 5);
597 se->length = sizeof(struct smbios3_entry);
598 se->major_ver = SMBIOS_MAJOR_VER;
599 se->minor_ver = SMBIOS_MINOR_VER;
600 se->doc_rev = 0;
** CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
/drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
________________________________________________________________________________________________________
*** CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
/drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
1127
1128 /* Prevent the bbt regions from erasing / writing */
1129 mark_bbt_region(mtd, td);
1130 if (md)
1131 mark_bbt_region(mtd, md);
1132
>>> CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
>>> Calling "vfree" frees "buf" using "vfree" but it should have been freed using "kfree". [Note: The source code implementation of the function has been overridden by a builtin model.]
1133 vfree(buf);
1134 return 0;
1135
1136 err:
1137 kfree(this->bbt);
1138 this->bbt = NULL;
** CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
/drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
________________________________________________________________________________________________________
*** CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
/drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
193 chip->tmp_dirty = true;
194 for (i = 0; i < chip->err_steps; i++) {
195 u32 bit_errors = chip->err_count;
196 unsigned int j = chip->err_step_bits + chip->ecc_bits;
197
198 while (bit_errors) {
>>> CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
199 unsigned int u = rand();
200 float quot = 1ULL << 32;
201
202 do {
203 quot *= j - bit_errors;
204 quot /= j;
** CID 477209: Memory - illegal accesses (STRING_NULL)
________________________________________________________________________________________________________
*** CID 477209: Memory - illegal accesses (STRING_NULL)
/common/cli_hush_upstream.c: 4434 in reserved_word()
4428 str = old->as_string.data + len;
4429 if (str > old->as_string.data)
4430 str--; /* skip whitespace
after keyword */
4431 while (str > old->as_string.data &&
isalpha(str[-1]))
4432 str--;
4433 /* Ugh, we're done with this horrid hack */
>>> CID 477209: Memory - illegal accesses (STRING_NULL)
>>> Passing unterminated string "str" to "sandbox_strdup", which expects a null-terminated string.
4434 old->command->group_as_string = xstrdup(str);
4435 debug_printf_parse("pop, remembering as:'%s'\n",
4436 old->command->group_as_string);
4437 }
4438 # endif
4439 *ctx = *old; /* physical copy */
** CID 477208: Memory - illegal accesses (STRING_NULL)
________________________________________________________________________________________________________
*** CID 477208: Memory - illegal accesses (STRING_NULL)
/common/cli_hush_upstream.c: 7660 in expand_variables()
7654 output.o_expflags = expflags;
7655
7656 n = 0;
7657 for (;;) {
7658 /* go to next list[n] */
7659 output.ended_in_ifs = 0;
>>> CID 477208: Memory - illegal accesses (STRING_NULL)
>>> Passing unterminated string "output.data" to "o_save_ptr", which expects a null-terminated string.
7660 n = o_save_ptr(&output, n);
7661
7662 if (!*argv)
7663 break;
7664
7665 /* expand argv[i] */
** CID 477207: Control flow issues (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
________________________________________________________________________________________________________
*** CID 477207: Control flow issues (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
4963 /*
4964 * Check ECC mode, default to software if
3byte/512byte hardware ECC is
4965 * selected and we have 256 byte pagesize fallback to
software ECC
4966 */
4967
4968 switch (ecc->mode) {
>>> CID 477207: Control flow issues (MISSING_BREAK)
>>> The case for value "NAND_ECC_HW_OOB_FIRST" is not terminated by a "break" statement.
4969 case NAND_ECC_HW_OOB_FIRST:
4970 /* Similar to NAND_ECC_HW, but a separate
read_page handle */
4971 if (!ecc->calculate || !ecc->correct || !ecc->hwctl) {
4972 pr_warn("No ECC functions supplied;
hardware ECC not possible\n");
4973 BUG();
4974 }
** CID 477206: Memory - illegal accesses (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5544 in parse_dollar()
________________________________________________________________________________________________________
*** CID 477206: Memory - illegal accesses (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5544 in parse_dollar()
5538 * So, we need to authorize # to appear inside
5539 * variable name and then expand this variable.
5540 * NOTE Having # in variable name is
not permitted in
5541 * upstream hush but expansion will be
done (even though
5542 * the result will be empty).
5543 */
>>> CID 477206: Memory - illegal accesses (NEGATIVE_RETURNS)
>>> Using variable "ch" as an index to array "_ctype".
5544 if (!isalnum(ch) && ch != '_' && ch != '#') {
5545 #endif /* __U_BOOT__ */
5546 unsigned end_ch;
5547 #ifndef __U_BOOT__
5548 unsigned char last_ch;
5549 #endif /* !__U_BOOT__ */
** CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 88 in mtd_dump_device_buf()
________________________________________________________________________________________________________
*** CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 88 in mtd_dump_device_buf()
82 printf("\nDump %d data bytes from 0x%08llx:\n",
83 mtd->writesize, start_off + data_off);
84 mtd_dump_buf(&buf[data_off],
85 mtd->writesize, start_off + data_off);
86
87 if (woob) {
>>> CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "page * mtd->oobsize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
88 u64 oob_off = page * mtd->oobsize;
89
90 printf("Dump %d OOB bytes from page at
0x%08llx:\n",
91 mtd->oobsize, start_off + data_off);
92 mtd_dump_buf(&buf[len + oob_off],
93 mtd->oobsize, 0);
** CID 477204: Memory - illegal accesses (STRING_NULL)
/common/cli_hush_upstream.c: 10553 in run_list()
________________________________________________________________________________________________________
*** CID 477204: Memory - illegal accesses (STRING_NULL)
/common/cli_hush_upstream.c: 10553 in run_list()
10547 /* We cannot use xasprintf, so we emulate it. */
10548 char *full_var;
10549 char *var = pi->cmds[0].argv[0];
10550 char *val = *for_lcur++;
10551
10552 /* + 1 to take into account =. */
>>> CID 477204: Memory - illegal accesses (STRING_NULL)
>>> Passing unterminated string "val" to "strlen", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
10553 full_var = xmalloc(strlen(var) +
strlen(val) + 1);
10554 sprintf(full_var, "%s=%s", var, val);
10555
10556 set_local_var_modern(full_var, /*flag:*/ 0);
10557 #endif /* __U_BOOT__ */
10558 continue;
** CID 477203: (UNINIT)
/boot/bootm.c: 705 in bootm_load_os()
/boot/bootm.c: 713 in bootm_load_os()
________________________________________________________________________________________________________
*** CID 477203: (UNINIT)
/boot/bootm.c: 705 in bootm_load_os()
699 printf("Failed to prep arm64 kernel
(err=%d)\n", ret);
700 return BOOTM_ERR_RESET;
701 }
702
703 /* Handle BOOTM_STATE_LOADOS */
704 if (relocated_addr != load) {
>>> CID 477203: (UNINIT)
>>> Using uninitialized value "image_size".
705 printf("Moving Image from 0x%lx to
0x%lx, end=%lx\n",
706 load, relocated_addr,
707 relocated_addr + image_size);
708 memmove((void *)relocated_addr,
load_buf, image_size);
709 }
710
/boot/bootm.c: 713 in bootm_load_os()
707 relocated_addr + image_size);
708 memmove((void *)relocated_addr,
load_buf, image_size);
709 }
710
711 images->ep = relocated_addr;
712 images->os.start = relocated_addr;
>>> CID 477203: (UNINIT)
>>> Using uninitialized value "image_size".
713 images->os.end = relocated_addr + image_size;
714 }
715
716 lmb_reserve(&images->lmb, images->os.load, (load_end -
717 images->os.load));
718 return 0;
** CID 477202: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 477202: Null pointer dereferences (FORWARD_NULL)
/common/cli_hush_upstream.c: 4425 in reserved_word()
4419 * with "if " remaining in old->as_string!
4420 */
4421 {
4422 char *str;
4423 int len = old->as_string.length;
4424 /* Concatenate halves */
>>> CID 477202: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "ctx->as_string.data" to "o_addstr", which dereferences it.
4425 o_addstr(&old->as_string, ctx->as_string.data);
4426 o_free(&ctx->as_string);
4427 /* Find where leading keyword starts
in first half */
4428 str = old->as_string.data + len;
4429 if (str > old->as_string.data)
4430 str--; /* skip whitespace
after keyword */
** CID 477201: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 80 in mtd_dump_device_buf()
________________________________________________________________________________________________________
*** CID 477201: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 80 in mtd_dump_device_buf()
74 mtd->type == MTD_MLCNANDFLASH;
75 int npages = mtd_len_to_pages(mtd, len);
76 uint page;
77
78 if (has_pages) {
79 for (page = 0; page < npages; page++) {
>>> CID 477201: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "page * mtd->writesize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
80 u64 data_off = page * mtd->writesize;
81
82 printf("\nDump %d data bytes from 0x%08llx:\n",
83 mtd->writesize, start_off + data_off);
84 mtd_dump_buf(&buf[data_off],
85 mtd->writesize, start_off + data_off);
** CID 477200: Security best practices violations (STRING_OVERFLOW)
/boot/bootm.c: 499 in bootm_find_images()
________________________________________________________________________________________________________
*** CID 477200: Security best practices violations (STRING_OVERFLOW)
/boot/bootm.c: 499 in bootm_find_images()
493 int ret;
494
495 if (IS_ENABLED(CONFIG_ANDROID_BOOT_IMAGE)) {
496 /* Look for an Android boot image */
497 buf = map_sysmem(images.os.start, 0);
498 if (buf && genimg_get_format(buf) ==
IMAGE_FORMAT_ANDROID) {
>>> CID 477200: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 17-character fixed-size string "addr_str" by copying the return value of "simple_xtoa" without checking the length.
499 strcpy(addr_str, simple_xtoa(img_addr));
500 select = addr_str;
501 }
502 }
503
504 if (conf_ramdisk)
** CID 477199: (STRING_NULL)
________________________________________________________________________________________________________
*** CID 477199: (STRING_NULL)
/common/cli_hush_upstream.c: 10315 in run_pipe()
10309 if (cmd_no < pi->num_cmds)
10310 close(pipefds.wr);
10311 /* Pass read (output) pipe end to next iteration */
10312 next_infd = pipefds.rd;
10313 #else /* __U_BOOT__ */
10314 /* Process the command */
>>> CID 477199: (STRING_NULL)
>>> Passing unterminated string "*command->argv" to "cmd_process", which expects a null-terminated string.
10315 rcode = cmd_process(G.do_repeat ? CMD_FLAG_REPEAT : 0,
10316 command->argc, command->argv,
10317 &(G.flag_repeat), NULL);
10318
10319 if (argv_expanded) {
10320 /*
/common/cli_hush_upstream.c: 9984 in run_pipe()
9978 }
9979 #endif
9980 debug_printf_env("set shell
var:'%s'->'%s'\n", *argv, p);
9981 #ifndef __U_BOOT__
9982 if (set_local_var0(p)) {
9983 #else /* __U_BOOT__ */
>>> CID 477199: (STRING_NULL)
>>> Passing unterminated string "p" to "set_local_var_modern", which expects a null-terminated string.
9984 if (set_local_var_modern(p,
/*flag:*/ 0)) {
9985 #endif
9986 /* assignment to
readonly var / putenv error? */
9987 rcode = 1;
9988 }
9989 i++;
** CID 477198: Control flow issues (DEADCODE)
/cmd/bootflow.c: 547 in do_bootflow_cmdline()
________________________________________________________________________________________________________
*** CID 477198: Control flow issues (DEADCODE)
/cmd/bootflow.c: 547 in do_bootflow_cmdline()
541 }
542
543 op = argv[1];
544 arg = argv[2];
545 if (*op == 's') {
546 if (argc < 3)
>>> CID 477198: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return CMD_RET_USAGE;".
547 return CMD_RET_USAGE;
548 val = argv[3] ?: (const char *)BOOTFLOWCL_EMPTY;
549 }
550
551 switch (*op) {
552 case 'c': /* clear */
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-01-08 17:45 Tom Rini
@ 2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Sean Anderson @ 2024-01-09 5:26 UTC (permalink / raw)
To: Tom Rini, u-boot, Francis Laniel; +Cc: Michael Trimarchi, Dario Binacchi
Comments on NAND stuff only.
On 1/8/24 12:45, Tom Rini wrote:
> ________________________________________________________________________________________________________
> *** CID 477216: (BAD_SHIFT)
> /drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
> 3915
> 3916 /*
> 3917 * pages_per_block and blocks_per_lun may not be a
> power-of-2 size
> 3918 * (don't ask me who thought of this...). MTD assumes that these
> 3919 * dimensions will be power-of-2, so just truncate the
> remaining area.
> 3920 */
>>>> CID 477216: (BAD_SHIFT)
>>>> In expression "1 << generic_fls((__u32)(__le32)p->pages_per_block) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_fls((__u32)(__le32)p->pages_per_block) - 1", is -1.
> 3921 mtd->erasesize = 1 <<
> (fls(le32_to_cpu(p->pages_per_block)) - 1);
> 3922 mtd->erasesize *= mtd->writesize;
> 3923
> 3924 mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
> 3925
> 3926 /* See erasesize comment */
> /drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()
> 3921 mtd->erasesize = 1 <<
> (fls(le32_to_cpu(p->pages_per_block)) - 1);
> 3922 mtd->erasesize *= mtd->writesize;
> 3923
> 3924 mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
> 3925
> 3926 /* See erasesize comment */
>>>> CID 477216: (BAD_SHIFT)
>>>> In expression "1 << generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", is -1.
> 3927 chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
> 3928 chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
> 3929 chip->bits_per_cell = p->bits_per_cell;
> 3930
> 3931 if (onfi_feature(chip) & ONFI_FEATURE_16_BIT_BUS)
> 3932 chip->options |= NAND_BUSWIDTH_16;
Yeah, this looks like a bug.
> ** CID 477215: Control flow issues (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
>
>
> ________________________________________________________________________________________________________
> *** CID 477215: Control flow issues (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
> 4972 pr_warn("No ECC functions supplied;
> hardware ECC not possible\n");
> 4973 BUG();
> 4974 }
> 4975 if (!ecc->read_page)
> 4976 ecc->read_page = nand_read_page_hwecc_oob_first;
> 4977
>>>> CID 477215: Control flow issues (MISSING_BREAK)
>>>> The case for value "NAND_ECC_HW" is not terminated by a "break" statement.
> 4978 case NAND_ECC_HW:
> 4979 /* Use standard hwecc read page function? */
> 4980 if (!ecc->read_page)
> 4981 ecc->read_page = nand_read_page_hwecc;
> 4982 if (!ecc->write_page)
> 4983 ecc->write_page = nand_write_page_hwecc;
I think we just need a fallthrough comment here.
> ** CID 477214: Integer handling issues (BAD_SHIFT)
> /drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
>
>
> ________________________________________________________________________________________________________
> *** CID 477214: Integer handling issues (BAD_SHIFT)
> /drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
> 4391
> 4392 nand_decode_bbm_options(mtd, chip);
> 4393
> 4394 /* Calculate the address shift from the page size */
> 4395 chip->page_shift = ffs(mtd->writesize) - 1;
> 4396 /* Convert chipsize to number of pages per chip -1 */
>>>> CID 477214: Integer handling issues (BAD_SHIFT)
>>>> In expression "chip->chipsize >> chip->page_shift", shifting by a negative amount has undefined behavior. The shift amount, "chip->page_shift", is -1.
> 4397 chip->pagemask = (chip->chipsize >> chip->page_shift) - 1;
> 4398
> 4399 chip->bbt_erase_shift = chip->phys_erase_shift =
> 4400 ffs(mtd->erasesize) - 1;
> 4401 if (chip->chipsize & 0xffffffff)
> 4402 chip->chip_shift = ffs((unsigned)chip->chipsize) - 1;
Buggy, but only when writesize is 0 (which is a bigger bug in the nand chip).
> ** CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
> /test/dm/nand.c: 67 in dm_test_nand()
>
>
> ________________________________________________________________________________________________________
> *** CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
> /test/dm/nand.c: 67 in dm_test_nand()
> 61 ops.ooblen = mtd->oobsize;
> 62 ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
> 63 ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
> 64
> 65 /* Generate some data and write it */
> 66 for (i = 0; i < size / sizeof(int); i++)
>>>> CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 67 gold[i] = rand();
> 68 ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
> 69 (void *)gold, 0));
> 70 ut_asserteq(size, length);
> 71
> 72 /* Verify */
Not a bug.
> ** CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
> /drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
>
>
> ________________________________________________________________________________________________________
> *** CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
> /drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
> 1127
> 1128 /* Prevent the bbt regions from erasing / writing */
> 1129 mark_bbt_region(mtd, td);
> 1130 if (md)
> 1131 mark_bbt_region(mtd, md);
> 1132
>>>> CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
>>>> Calling "vfree" frees "buf" using "vfree" but it should have been freed using "kfree". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 1133 vfree(buf);
> 1134 return 0;
> 1135
> 1136 err:
> 1137 kfree(this->bbt);
> 1138 this->bbt = NULL;
Not a bug, since these both call free().
> ** CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
> /drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
>
>
> ________________________________________________________________________________________________________
> *** CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
> /drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
> 193 chip->tmp_dirty = true;
> 194 for (i = 0; i < chip->err_steps; i++) {
> 195 u32 bit_errors = chip->err_count;
> 196 unsigned int j = chip->err_step_bits + chip->ecc_bits;
> 197
> 198 while (bit_errors) {
>>>> CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 199 unsigned int u = rand();
> 200 float quot = 1ULL << 32;
> 201
> 202 do {
> 203 quot *= j - bit_errors;
> 204 quot /= j;
Not a bug.
> ** CID 477207: Control flow issues (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
>
>
> ________________________________________________________________________________________________________
> *** CID 477207: Control flow issues (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
> 4963 /*
> 4964 * Check ECC mode, default to software if
> 3byte/512byte hardware ECC is
> 4965 * selected and we have 256 byte pagesize fallback to
> software ECC
> 4966 */
> 4967
> 4968 switch (ecc->mode) {
>>>> CID 477207: Control flow issues (MISSING_BREAK)
>>>> The case for value "NAND_ECC_HW_OOB_FIRST" is not terminated by a "break" statement.
> 4969 case NAND_ECC_HW_OOB_FIRST:
> 4970 /* Similar to NAND_ECC_HW, but a separate
> read_page handle */
> 4971 if (!ecc->calculate || !ecc->correct || !ecc->hwctl) {
> 4972 pr_warn("No ECC functions supplied;
> hardware ECC not possible\n");
> 4973 BUG();
> 4974 }
need a fallthrough comment
> ** CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> /cmd/mtd.c: 88 in mtd_dump_device_buf()
>
>
> ________________________________________________________________________________________________________
> *** CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> /cmd/mtd.c: 88 in mtd_dump_device_buf()
> 82 printf("\nDump %d data bytes from 0x%08llx:\n",
> 83 mtd->writesize, start_off + data_off);
> 84 mtd_dump_buf(&buf[data_off],
> 85 mtd->writesize, start_off + data_off);
> 86
> 87 if (woob) {
>>>> CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>>> Potentially overflowing expression "page * mtd->oobsize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
> 88 u64 oob_off = page * mtd->oobsize;
> 89
> 90 printf("Dump %d OOB bytes from page at
> 0x%08llx:\n",
> 91 mtd->oobsize, start_off + data_off);
> 92 mtd_dump_buf(&buf[len + oob_off],
> 93 mtd->oobsize, 0);
In the Linux MTD list [1], the largest this can be is 0xe0000000 for MT29F512G08CUCAB. That's worryingly
close to overflow, so I'd say this is a bug.
--Sean
[1] http://linux-mtd.infradead.org/nand-data/nanddata.html
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-01-09 5:26 ` Sean Anderson
@ 2024-01-09 22:18 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-01-09 22:18 UTC (permalink / raw)
To: Sean Anderson; +Cc: u-boot, Francis Laniel, Michael Trimarchi, Dario Binacchi
[-- Attachment #1: Type: text/plain, Size: 11301 bytes --]
On Tue, Jan 09, 2024 at 12:26:13AM -0500, Sean Anderson wrote:
> Comments on NAND stuff only.
>
> On 1/8/24 12:45, Tom Rini wrote:
> > ________________________________________________________________________________________________________
> > *** CID 477216: (BAD_SHIFT)
> > /drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
> > 3915
> > 3916 /*
> > 3917 * pages_per_block and blocks_per_lun may not be a
> > power-of-2 size
> > 3918 * (don't ask me who thought of this...). MTD assumes that these
> > 3919 * dimensions will be power-of-2, so just truncate the
> > remaining area.
> > 3920 */
> > > > > CID 477216: (BAD_SHIFT)
> > > > > In expression "1 << generic_fls((__u32)(__le32)p->pages_per_block) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_fls((__u32)(__le32)p->pages_per_block) - 1", is -1.
> > 3921 mtd->erasesize = 1 <<
> > (fls(le32_to_cpu(p->pages_per_block)) - 1);
> > 3922 mtd->erasesize *= mtd->writesize;
> > 3923
> > 3924 mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
> > 3925
> > 3926 /* See erasesize comment */
> > /drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()
> > 3921 mtd->erasesize = 1 <<
> > (fls(le32_to_cpu(p->pages_per_block)) - 1);
> > 3922 mtd->erasesize *= mtd->writesize;
> > 3923
> > 3924 mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
> > 3925
> > 3926 /* See erasesize comment */
> > > > > CID 477216: (BAD_SHIFT)
> > > > > In expression "1 << generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", is -1.
> > 3927 chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
> > 3928 chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
> > 3929 chip->bits_per_cell = p->bits_per_cell;
> > 3930
> > 3931 if (onfi_feature(chip) & ONFI_FEATURE_16_BIT_BUS)
> > 3932 chip->options |= NAND_BUSWIDTH_16;
>
> Yeah, this looks like a bug.
>
> > ** CID 477215: Control flow issues (MISSING_BREAK)
> > /drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 477215: Control flow issues (MISSING_BREAK)
> > /drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
> > 4972 pr_warn("No ECC functions supplied;
> > hardware ECC not possible\n");
> > 4973 BUG();
> > 4974 }
> > 4975 if (!ecc->read_page)
> > 4976 ecc->read_page = nand_read_page_hwecc_oob_first;
> > 4977
> > > > > CID 477215: Control flow issues (MISSING_BREAK)
> > > > > The case for value "NAND_ECC_HW" is not terminated by a "break" statement.
> > 4978 case NAND_ECC_HW:
> > 4979 /* Use standard hwecc read page function? */
> > 4980 if (!ecc->read_page)
> > 4981 ecc->read_page = nand_read_page_hwecc;
> > 4982 if (!ecc->write_page)
> > 4983 ecc->write_page = nand_write_page_hwecc;
>
> I think we just need a fallthrough comment here.
>
> > ** CID 477214: Integer handling issues (BAD_SHIFT)
> > /drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 477214: Integer handling issues (BAD_SHIFT)
> > /drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
> > 4391
> > 4392 nand_decode_bbm_options(mtd, chip);
> > 4393
> > 4394 /* Calculate the address shift from the page size */
> > 4395 chip->page_shift = ffs(mtd->writesize) - 1;
> > 4396 /* Convert chipsize to number of pages per chip -1 */
> > > > > CID 477214: Integer handling issues (BAD_SHIFT)
> > > > > In expression "chip->chipsize >> chip->page_shift", shifting by a negative amount has undefined behavior. The shift amount, "chip->page_shift", is -1.
> > 4397 chip->pagemask = (chip->chipsize >> chip->page_shift) - 1;
> > 4398
> > 4399 chip->bbt_erase_shift = chip->phys_erase_shift =
> > 4400 ffs(mtd->erasesize) - 1;
> > 4401 if (chip->chipsize & 0xffffffff)
> > 4402 chip->chip_shift = ffs((unsigned)chip->chipsize) - 1;
>
> Buggy, but only when writesize is 0 (which is a bigger bug in the nand chip).
>
> > ** CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
> > /test/dm/nand.c: 67 in dm_test_nand()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
> > /test/dm/nand.c: 67 in dm_test_nand()
> > 61 ops.ooblen = mtd->oobsize;
> > 62 ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
> > 63 ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
> > 64
> > 65 /* Generate some data and write it */
> > 66 for (i = 0; i < size / sizeof(int); i++)
> > > > > CID 477213: Security best practices violations (DC.WEAK_CRYPTO)
> > > > > "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> > 67 gold[i] = rand();
> > 68 ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
> > 69 (void *)gold, 0));
> > 70 ut_asserteq(size, length);
> > 71
> > 72 /* Verify */
>
> Not a bug.
>
> > ** CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
> > /drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
> > /drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
> > 1127
> > 1128 /* Prevent the bbt regions from erasing / writing */
> > 1129 mark_bbt_region(mtd, td);
> > 1130 if (md)
> > 1131 mark_bbt_region(mtd, md);
> > 1132
> > > > > CID 477211: API usage errors (ALLOC_FREE_MISMATCH)
> > > > > Calling "vfree" frees "buf" using "vfree" but it should have been freed using "kfree". [Note: The source code implementation of the function has been overridden by a builtin model.]
> > 1133 vfree(buf);
> > 1134 return 0;
> > 1135
> > 1136 err:
> > 1137 kfree(this->bbt);
> > 1138 this->bbt = NULL;
>
> Not a bug, since these both call free().
>
> > ** CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
> > /drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
> > /drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
> > 193 chip->tmp_dirty = true;
> > 194 for (i = 0; i < chip->err_steps; i++) {
> > 195 u32 bit_errors = chip->err_count;
> > 196 unsigned int j = chip->err_step_bits + chip->ecc_bits;
> > 197
> > 198 while (bit_errors) {
> > > > > CID 477210: Security best practices violations (DC.WEAK_CRYPTO)
> > > > > "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> > 199 unsigned int u = rand();
> > 200 float quot = 1ULL << 32;
> > 201
> > 202 do {
> > 203 quot *= j - bit_errors;
> > 204 quot /= j;
>
> Not a bug.
>
> > ** CID 477207: Control flow issues (MISSING_BREAK)
> > /drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 477207: Control flow issues (MISSING_BREAK)
> > /drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
> > 4963 /*
> > 4964 * Check ECC mode, default to software if
> > 3byte/512byte hardware ECC is
> > 4965 * selected and we have 256 byte pagesize fallback to
> > software ECC
> > 4966 */
> > 4967
> > 4968 switch (ecc->mode) {
> > > > > CID 477207: Control flow issues (MISSING_BREAK)
> > > > > The case for value "NAND_ECC_HW_OOB_FIRST" is not terminated by a "break" statement.
> > 4969 case NAND_ECC_HW_OOB_FIRST:
> > 4970 /* Similar to NAND_ECC_HW, but a separate
> > read_page handle */
> > 4971 if (!ecc->calculate || !ecc->correct || !ecc->hwctl) {
> > 4972 pr_warn("No ECC functions supplied;
> > hardware ECC not possible\n");
> > 4973 BUG();
> > 4974 }
>
> need a fallthrough comment
>
> > ** CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> > /cmd/mtd.c: 88 in mtd_dump_device_buf()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> > /cmd/mtd.c: 88 in mtd_dump_device_buf()
> > 82 printf("\nDump %d data bytes from 0x%08llx:\n",
> > 83 mtd->writesize, start_off + data_off);
> > 84 mtd_dump_buf(&buf[data_off],
> > 85 mtd->writesize, start_off + data_off);
> > 86
> > 87 if (woob) {
> > > > > CID 477205: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> > > > > Potentially overflowing expression "page * mtd->oobsize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
> > 88 u64 oob_off = page * mtd->oobsize;
> > 89
> > 90 printf("Dump %d OOB bytes from page at
> > 0x%08llx:\n",
> > 91 mtd->oobsize, start_off + data_off);
> > 92 mtd_dump_buf(&buf[len + oob_off],
> > 93 mtd->oobsize, 0);
>
> In the Linux MTD list [1], the largest this can be is 0xe0000000 for MT29F512G08CUCAB. That's worryingly
> close to overflow, so I'd say this is a bug.
Thanks, I've updated the not a bug ones in the dashboard.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-18 14:35 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-01-18 14:35 UTC (permalink / raw)
To: u-boot, Ilias Apalodimas, Heinrich Schuchardt
[-- Attachment #1: Type: text/plain, Size: 2619 bytes --]
Here's the current set of new issues since I last ran Coverity.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Jan 18, 2024 at 9:20 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 478334: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 478334: Memory - corruptions (OVERRUN)
/cmd/eficonfig.c: 534 in eficonfig_create_device_path()
528 p += fp_size;
529 *((struct efi_device_path *)p) = END;
530
531 dp = efi_dp_shorten(dp_volume);
532 if (!dp)
533 dp = dp_volume;
>>> CID 478334: Memory - corruptions (OVERRUN)
>>> Overrunning struct type efi_device_path of 4 bytes by passing it to a function which accesses it at byte offset 5 using argument "fp->dp.length" (which evaluates to 6).
534 dp = efi_dp_concat(dp, &fp->dp, false);
535 free(buf);
536
537 return dp;
538 }
539
** CID 478333: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()
________________________________________________________________________________________________________
*** CID 478333: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()
407 /*
408 * GetVariable may fail, EFI_NOT_FOUND is returned if FmpState
409 * variable has not been set yet.
410 * Ignore the error here since the correct FmpState variable
411 * is set later.
412 */
>>> CID 478333: Error handling issues (CHECKED_RETURN)
>>> Calling "efi_get_variable_int" without checking return value (as is done elsewhere 29 out of 33 times).
413 efi_get_variable_int(varname, image_type_id, NULL,
&size, var_state,
414 NULL);
415
416 /*
417 * Only the fw_version is set here.
418 * lowest_supported_version in FmpState variable is
ignored since
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
@ 2024-01-19 8:47 ` Heinrich Schuchardt
0 siblings, 0 replies; 99+ messages in thread
From: Heinrich Schuchardt @ 2024-01-19 8:47 UTC (permalink / raw)
To: Masahisa Kojima; +Cc: U-Boot Mailing List, Ilias Apalodimas
________________________________________________________________________________________________________
*** CID 478333: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()
407 /*
408 * GetVariable may fail, EFI_NOT_FOUND is returned if FmpState
409 * variable has not been set yet.
410 * Ignore the error here since the correct FmpState variable
411 * is set later.
412 */
>>> CID 478333: Error handling issues (CHECKED_RETURN)
>>> Calling "efi_get_variable_int" without checking return value (as is done elsewhere 29 out of 33 times).
413 efi_get_variable_int(varname, image_type_id, NULL, &size,
var_state,
414 NULL);
415 416 /*
417 * Only the fw_version is set here.
418 * lowest_supported_version in FmpState variable is ignored since
There are a lot of different return values that may occur when calling
efi_get_variable_int, e.g.
* EFI_BUFFER_TOO_SMALL
* EFI_DEVICE_ERROR
Should we overwrite the variable in these cases with NUL values except
for var_state[update_bank].fw_version?
Best regards
Heinrich
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2024-01-22 23:30 UTC (permalink / raw)
To: u-boot, Hugo Cornelis
[-- Attachment #1: Type: text/plain, Size: 1752 bytes --]
Hey all,
Here's the latest Coverity scan report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 22, 2024 at 6:26 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 478860: Code maintainability issues (UNUSED_VALUE)
/tools/image-host.c: 359 in fit_image_read_key_iv_data()
________________________________________________________________________________________________________
*** CID 478860: Code maintainability issues (UNUSED_VALUE)
/tools/image-host.c: 359 in fit_image_read_key_iv_data()
353 if (ret >= sizeof(filename)) {
354 printf("Can't format the key or IV filename
when setting up the cipher: insufficient buffer space\n");
355 ret = -1;
356 }
357 if (ret < 0) {
358 printf("Can't format the key or IV filename
when setting up the cipher: snprintf error\n");
>>> CID 478860: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "-1" to "ret" here, but that stored value is overwritten before it can be used.
359 ret = -1;
360 }
361
362 ret = fit_image_read_data(filename, key_iv_data, expected_size);
363
364 return ret;
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-22 23:52 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-01-22 23:52 UTC (permalink / raw)
To: u-boot
[-- Attachment #1: Type: text/plain, Size: 2614 bytes --]
I've now updated to the latest Coverity scan tool and that eliminated
some previous defects and found two new ones:
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 22, 2024 at 6:42 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
8 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 478862: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 478862: Memory - corruptions (OVERRUN)
/lib/initcall.c: 82 in initcall_run_list()
76 if (ret) {
77 if (CONFIG_IS_ENABLED(EVENT)) {
78 char buf[60];
79
80 /* don't worry about buf size as we are dying here */
81 if (type) {
>>> CID 478862: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 15 by passing argument "type" (which evaluates to 255) in call to "event_type_name".
82 sprintf(buf, "event %d/%s", type,
83 event_type_name(type));
84 } else {
85 sprintf(buf, "call %p", func);
86 }
87
** CID 478861: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 478861: Memory - corruptions (OVERRUN)
/cmd/nvedit.c: 356 in print_static_flags()
350 static int print_static_flags(const char *var_name, const char *flags,
351 void *priv)
352 {
353 enum env_flags_vartype type = env_flags_parse_vartype(flags);
354 enum env_flags_varaccess access =
env_flags_parse_varaccess(flags);
355
>>> CID 478861: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 4 by passing argument "access" (which evaluates to 4) in call to "env_flags_get_varaccess_name".
356 printf("\t%-20s %-20s %-20s\n", var_name,
357 env_flags_get_vartype_name(type),
358 env_flags_get_varaccess_name(access));
359
360 return 0;
361 }
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-01-22 23:30 Tom Rini
@ 2024-01-23 8:15 ` Hugo Cornelis
0 siblings, 0 replies; 99+ messages in thread
From: Hugo Cornelis @ 2024-01-23 8:15 UTC (permalink / raw)
To: u-boot, Tom Rini; +Cc: Hugo Cornelis
Hi Tom, sorry about that. Please find attached a patch.
Can you please review?
Thanks, Hugo
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
[not found] <20240127154018.GC785631@bill-the-cat>
@ 2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
0 siblings, 1 reply; 99+ messages in thread
From: Heinrich Schuchardt @ 2024-01-27 20:56 UTC (permalink / raw)
To: Tom Rini; +Cc: Ilias Apalodimas, u-boot
Am 27. Januar 2024 16:40:18 MEZ schrieb Tom Rini <trini@konsulko.com>:
>Hey, I'll just pass this on directly rather than to the list.
>
>---------- Forwarded message ---------
>From: <scan-admin@coverity.com>
>Date: Sat, Jan 27, 2024 at 10:36 AM
>Subject: New Defects reported by Coverity Scan for Das U-Boot
>To: <tom.rini@gmail.com>
>
>
>Hi,
>
>Please find the latest report on new defect(s) introduced to Das
>U-Boot found with Coverity Scan.
>
>1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
>New defect(s) Reported-by: Coverity Scan
>Showing 1 of 1 defect(s)
>
>
>** CID 479279: (TAINTED_SCALAR)
>
>
>________________________________________________________________________________________________________
>*** CID 479279: (TAINTED_SCALAR)
>/cmd/smbios.c: 180 in do_smbios()
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180 smbios_print_generic(pos);
>181 break;
>182 }
>183 }
>184
>185 return CMD_RET_SUCCESS;
>/cmd/smbios.c: 154 in do_smbios()
>148 size = entry2->length;
>149 max_struct_size = entry2->max_struct_size;
>150 } else {
>151 log_err("Unknown SMBIOS anchor format\n");
>152 return CMD_RET_FAILURE;
>153 }
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>154 if (table_compute_checksum(entry, size)) {
>155 log_err("Invalid anchor checksum\n");
>156 return CMD_RET_FAILURE;
>157 }
>158 printf("SMBIOS %s present.\n", version);
>159
>/cmd/smbios.c: 174 in do_smbios()
>168 (unsigned long long)map_to_sysmem(pos));
>169 switch (pos->type) {
>170 case 1:
>171 smbios_print_type1((struct smbios_type1 *)pos);
>172 break;
>173 case 2:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>/cmd/smbios.c: 154 in do_smbios()
>148 size = entry2->length;
>149 max_struct_size = entry2->max_struct_size;
>150 } else {
>151 log_err("Unknown SMBIOS anchor format\n");
>152 return CMD_RET_FAILURE;
>153 }
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>154 if (table_compute_checksum(entry, size)) {
>155 log_err("Invalid anchor checksum\n");
>156 return CMD_RET_FAILURE;
>157 }
>158 printf("SMBIOS %s present.\n", version);
>159
>/cmd/smbios.c: 180 in do_smbios()
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180 smbios_print_generic(pos);
>181 break;
>182 }
>183 }
>184
>185 return CMD_RET_SUCCESS;
>/cmd/smbios.c: 174 in do_smbios()
>168 (unsigned long long)map_to_sysmem(pos));
>169 switch (pos->type) {
>170 case 1:
>171 smbios_print_type1((struct smbios_type1 *)pos);
>172 break;
>173 case 2:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>/cmd/smbios.c: 174 in do_smbios()
>168 (unsigned long long)map_to_sysmem(pos));
>169 switch (pos->type) {
>170 case 1:
>171 smbios_print_type1((struct smbios_type1 *)pos);
>172 break;
>173 case 2:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>/cmd/smbios.c: 180 in do_smbios()
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180 smbios_print_generic(pos);
>181 break;
>182 }
>183 }
>184
>185 return CMD_RET_SUCCESS;
>/cmd/smbios.c: 180 in do_smbios()
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180 smbios_print_generic(pos);
>181 break;
>182 }
>183 }
>184
>185 return CMD_RET_SUCCESS;
>/cmd/smbios.c: 174 in do_smbios()
>168 (unsigned long long)map_to_sysmem(pos));
>169 switch (pos->type) {
>170 case 1:
>171 smbios_print_type1((struct smbios_type1 *)pos);
>172 break;
>173 case 2:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>/cmd/smbios.c: 180 in do_smbios()
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180 smbios_print_generic(pos);
>181 break;
>182 }
>183 }
>184
>185 return CMD_RET_SUCCESS;
>/cmd/smbios.c: 174 in do_smbios()
>168 (unsigned long long)map_to_sysmem(pos));
>169 switch (pos->type) {
>170 case 1:
>171 smbios_print_type1((struct smbios_type1 *)pos);
>172 break;
>173 case 2:
>>>> CID 479279: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174 smbios_print_type2((struct smbios_type2 *)pos);
>175 break;
>176 case 127:
>177 smbios_print_type127((struct
>smbios_type127 *)pos);
>178 break;
>179 default:
>
The values may come from QEMU, so may be "tainted". We could check the length of the individual structures against the total size of the SMBIOS table.
Best regards
Heinrich
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-01-27 20:56 ` Heinrich Schuchardt
@ 2024-01-28 8:51 ` Heinrich Schuchardt
0 siblings, 0 replies; 99+ messages in thread
From: Heinrich Schuchardt @ 2024-01-28 8:51 UTC (permalink / raw)
To: Tom Rini; +Cc: Ilias Apalodimas, u-boot
On 1/27/24 21:56, Heinrich Schuchardt wrote:
>
>
> Am 27. Januar 2024 16:40:18 MEZ schrieb Tom Rini <trini@konsulko.com>:
>> Hey, I'll just pass this on directly rather than to the list.
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Sat, Jan 27, 2024 at 10:36 AM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das
>> U-Boot found with Coverity Scan.
>>
>> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 1 of 1 defect(s)
>>
>>
>> ** CID 479279: (TAINTED_SCALAR)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 479279: (TAINTED_SCALAR)
>> /cmd/smbios.c: 180 in do_smbios()
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180 smbios_print_generic(pos);
>> 181 break;
>> 182 }
>> 183 }
>> 184
>> 185 return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 154 in do_smbios()
>> 148 size = entry2->length;
>> 149 max_struct_size = entry2->max_struct_size;
>> 150 } else {
>> 151 log_err("Unknown SMBIOS anchor format\n");
>> 152 return CMD_RET_FAILURE;
>> 153 }
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>> 154 if (table_compute_checksum(entry, size)) {
>> 155 log_err("Invalid anchor checksum\n");
>> 156 return CMD_RET_FAILURE;
>> 157 }
>> 158 printf("SMBIOS %s present.\n", version);
>> 159
>> /cmd/smbios.c: 174 in do_smbios()
>> 168 (unsigned long long)map_to_sysmem(pos));
>> 169 switch (pos->type) {
>> 170 case 1:
>> 171 smbios_print_type1((struct smbios_type1 *)pos);
>> 172 break;
>> 173 case 2:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>> /cmd/smbios.c: 154 in do_smbios()
>> 148 size = entry2->length;
>> 149 max_struct_size = entry2->max_struct_size;
>> 150 } else {
>> 151 log_err("Unknown SMBIOS anchor format\n");
>> 152 return CMD_RET_FAILURE;
>> 153 }
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>> 154 if (table_compute_checksum(entry, size)) {
>> 155 log_err("Invalid anchor checksum\n");
>> 156 return CMD_RET_FAILURE;
>> 157 }
>> 158 printf("SMBIOS %s present.\n", version);
>> 159
>> /cmd/smbios.c: 180 in do_smbios()
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180 smbios_print_generic(pos);
>> 181 break;
>> 182 }
>> 183 }
>> 184
>> 185 return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 174 in do_smbios()
>> 168 (unsigned long long)map_to_sysmem(pos));
>> 169 switch (pos->type) {
>> 170 case 1:
>> 171 smbios_print_type1((struct smbios_type1 *)pos);
>> 172 break;
>> 173 case 2:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>> /cmd/smbios.c: 174 in do_smbios()
>> 168 (unsigned long long)map_to_sysmem(pos));
>> 169 switch (pos->type) {
>> 170 case 1:
>> 171 smbios_print_type1((struct smbios_type1 *)pos);
>> 172 break;
>> 173 case 2:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>> /cmd/smbios.c: 180 in do_smbios()
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180 smbios_print_generic(pos);
>> 181 break;
>> 182 }
>> 183 }
>> 184
>> 185 return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 180 in do_smbios()
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180 smbios_print_generic(pos);
>> 181 break;
>> 182 }
>> 183 }
>> 184
>> 185 return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 174 in do_smbios()
>> 168 (unsigned long long)map_to_sysmem(pos));
>> 169 switch (pos->type) {
>> 170 case 1:
>> 171 smbios_print_type1((struct smbios_type1 *)pos);
>> 172 break;
>> 173 case 2:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>> /cmd/smbios.c: 180 in do_smbios()
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180 smbios_print_generic(pos);
>> 181 break;
>> 182 }
>> 183 }
>> 184
>> 185 return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 174 in do_smbios()
>> 168 (unsigned long long)map_to_sysmem(pos));
>> 169 switch (pos->type) {
>> 170 case 1:
>> 171 smbios_print_type1((struct smbios_type1 *)pos);
>> 172 break;
>> 173 case 2:
>>>>> CID 479279: (TAINTED_SCALAR)
>>>>> Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174 smbios_print_type2((struct smbios_type2 *)pos);
>> 175 break;
>> 176 case 127:
>> 177 smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178 break;
>> 179 default:
>>
>
> The values may come from QEMU, so may be "tainted". We could check the length of the individual structures against the total size of the SMBIOS table.
>
In Coverity I marked this as false positive with the following comment:
"The only case in which the data is tainted is when copying the smbios
table from a prior firmware state when running as EFI app or from QEMU.
Sanity checks should not be in the smbios command but where we import
the table."
Best regards
Heinrich
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2024-01-29 23:55 UTC (permalink / raw)
To: u-boot, Heinrich Schuchardt
[-- Attachment #1: Type: text/plain, Size: 1971 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 29, 2024 at 6:51 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 480240: Insecure data handling (TAINTED_SCALAR)
/cmd/efidebug.c: 192 in do_efi_capsule_esrt()
________________________________________________________________________________________________________
*** CID 480240: Insecure data handling (TAINTED_SCALAR)
/cmd/efidebug.c: 192 in do_efi_capsule_esrt()
186
187 printf("========================================\n");
188 printf("ESRT: fw_resource_count=%d\n", esrt->fw_resource_count);
189 printf("ESRT: fw_resource_count_max=%d\n",
esrt->fw_resource_count_max);
190 printf("ESRT: fw_resource_version=%lld\n",
esrt->fw_resource_version);
191
>>> CID 480240: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "esrt->fw_resource_count" as a loop boundary.
192 for (int idx = 0; idx < esrt->fw_resource_count; idx++) {
193 printf("[entry
%d]==============================\n", idx);
194 printf("ESRT: fw_class=%pUL\n",
&esrt->entries[idx].fw_class);
195 printf("ESRT: fw_type=%s\n",
EFI_FW_TYPE_STR_GET(esrt->entries[idx].fw_type));
196 printf("ESRT: fw_version=%d\n",
esrt->entries[idx].fw_version);
197 printf("ESRT: lowest_supported_fw_version=%d\n",
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-01-29 23:55 Tom Rini
@ 2024-01-30 8:14 ` Heinrich Schuchardt
0 siblings, 0 replies; 99+ messages in thread
From: Heinrich Schuchardt @ 2024-01-30 8:14 UTC (permalink / raw)
To: Tom Rini; +Cc: Ilias Apalodimas, u-boot
On 1/30/24 00:55, Tom Rini wrote:
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Jan 29, 2024 at 6:51 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 1 of 1 defect(s)
>
>
> ** CID 480240: Insecure data handling (TAINTED_SCALAR)
> /cmd/efidebug.c: 192 in do_efi_capsule_esrt()
>
>
> ________________________________________________________________________________________________________
> *** CID 480240: Insecure data handling (TAINTED_SCALAR)
> /cmd/efidebug.c: 192 in do_efi_capsule_esrt()
> 186
> 187 printf("========================================\n");
> 188 printf("ESRT: fw_resource_count=%d\n", esrt->fw_resource_count);
> 189 printf("ESRT: fw_resource_count_max=%d\n",
> esrt->fw_resource_count_max);
> 190 printf("ESRT: fw_resource_version=%lld\n",
> esrt->fw_resource_version);
> 191
>>>> CID 480240: Insecure data handling (TAINTED_SCALAR)
>>>> Using tainted variable "esrt->fw_resource_count" as a loop boundary.
> 192 for (int idx = 0; idx < esrt->fw_resource_count; idx++) {
> 193 printf("[entry
> %d]==============================\n", idx);
> 194 printf("ESRT: fw_class=%pUL\n",
> &esrt->entries[idx].fw_class);
> 195 printf("ESRT: fw_type=%s\n",
> EFI_FW_TYPE_STR_GET(esrt->entries[idx].fw_type));
> 196 printf("ESRT: fw_version=%d\n",
> esrt->entries[idx].fw_version);
> 197 printf("ESRT: lowest_supported_fw_version=%d\n",
>
> ----- End forwarded message -----
>
Coverity sees any conversion from void * as a hint to tainted data. The
ESRT might be manipulated by some EFI app but we want to display it. So
I marked this Coverity issue as intentional.
Best regards
Heinrich
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-04-22 21:48 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-04-22 21:48 UTC (permalink / raw)
To: u-boot; +Cc: Charles Hardin, Ilias Apalodimas
[-- Attachment #1: Type: text/plain, Size: 2774 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 22, 2024 at 3:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 492766: Control flow issues (DEADCODE)
/lib/efi_loader/efi_var_mem.c: 236 in efi_var_mem_init()
________________________________________________________________________________________________________
*** CID 492766: Control flow issues (DEADCODE)
/lib/efi_loader/efi_var_mem.c: 236 in efi_var_mem_init()
230 memset(efi_var_buf, 0, EFI_VAR_BUF_SIZE);
231 efi_var_buf->magic = EFI_VAR_FILE_MAGIC;
232 efi_var_buf->length = (uintptr_t)efi_var_buf->var -
233 (uintptr_t)efi_var_buf;
234
235 if (ret != EFI_SUCCESS)
>>> CID 492766: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return ret;".
236 return ret;
237 ret =
efi_create_event(EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE, TPL_CALLBACK,
238
efi_var_mem_notify_virtual_address_map, NULL,
239 NULL, &event);
240 if (ret != EFI_SUCCESS)
241 return ret;
** CID 492765: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 492765: Uninitialized variables (UNINIT)
/net/bootp.c: 888 in dhcp_process_options()
882 net_root_path[size] = 0;
883 break;
884 case 28: /* Ignore Broadcast Address Option */
885 break;
886 case 40: /* NIS Domain name */
887 if (net_nis_domain[0] == 0) {
>>> CID 492765: Uninitialized variables (UNINIT)
>>> Using uninitialized value "size" when calling "truncate_sz".
888 size = truncate_sz("NIS Domain Name",
889 sizeof(net_nis_domain), size);
890 memcpy(&net_nis_domain, popt + 2, size);
891 net_nis_domain[size] = 0;
892 }
893 break;
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2024-07-23 14:18 UTC (permalink / raw)
To: u-boot, Mattijs Korpershoek, Ilias Apalodimas,
Heinrich Schuchardt, Marek Vasut, Dmitrii Merkurev
[-- Attachment #1: Type: text/plain, Size: 10282 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 22, 2024, 8:07 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 8 of 8 defect(s)
** CID 501795: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 501795: Insecure data handling (TAINTED_SCALAR)
/boot/bootmeth_android.c: 96 in scan_boot_part()
90 if (!is_android_boot_image_header(buf)) {
91 free(buf);
92 return log_msg_ret("header", -ENOENT);
93 }
94
95 priv->header_version = ((struct andr_boot_img_hdr_v0
*)buf)->header_version;
>>> CID 501795: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*buf" to "dlfree", which uses it as an
offset.
96 free(buf);
97
98 return 0;
99 }
100
101 static int scan_vendor_boot_part(struct udevice *blk, struct
android_priv *priv)
** CID 501794: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 501794: Memory - corruptions (OVERRUN)
/lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
634 rc = tcg2_log_prepare_buffer(*dev, elog,
ignore_existing_log);
635 if (rc) {
636 tcg2_measurement_term(*dev, elog, true);
637 return rc;
638 }
639
>>> CID 501794: Memory - corruptions (OVERRUN)
>>> Overrunning array "version_string" of 50 bytes by passing it to a
function which accesses it at byte offset 63.
640 rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
641 strlen(version_string) + 1,
642 (u8 *)version_string);
643 if (rc) {
644 tcg2_measurement_term(*dev, elog, true);
645 return rc;
** CID 501793: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v2.c: 909 in tpm2_allow_extend()
________________________________________________________________________________________________________
*** CID 501793: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v2.c: 909 in tpm2_allow_extend()
903 int rc;
904
905 rc = tpm2_get_pcr_info(dev, &pcrs);
906 if (rc)
907 return false;
908
>>> CID 501793: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "pcrs.count" as a loop boundary.
909 for (i = 0; i < pcrs.count; i++) {
910 if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
911 !tpm2_algorithm_to_len(pcrs.selection[i].hash))
912 return false;
913 }
914
915 return true;
** CID 501792: Control flow issues (DEADCODE)
/lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
________________________________________________________________________________________________________
*** CID 501792: Control flow issues (DEADCODE)
/lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
131 if (fdt_dp) {
132 struct efi_device_path *tmp_dp = *dp;
133
134 *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
135 efi_free_pool(tmp_dp);
136 if (!dp)
>>> CID 501792: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return
9223372036854775817UL;".
137 return EFI_OUT_OF_RESOURCES;
138 *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
139 }
140
141 *dp_size += sizeof(END);
142
** CID 501791: (DEADCODE)
/drivers/usb/gadget/ether.c: 2219 in eth_bind()
/drivers/usb/gadget/ether.c: 2110 in eth_bind()
/drivers/usb/gadget/ether.c: 2071 in eth_bind()
/drivers/usb/gadget/ether.c: 2089 in eth_bind()
________________________________________________________________________________________________________
*** CID 501791: (DEADCODE)
/drivers/usb/gadget/ether.c: 2219 in eth_bind()
2213 out_ep->name, in_ep->name,
2214 status_ep ? " STATUS " : "",
2215 status_ep ? status_ep->name : ""
2216 );
2217 printf("MAC %pM\n", pdata->enetaddr);
2218
>>> CID 501791: (DEADCODE)
>>> Execution cannot reach the expression "rndis" inside this
statement: "if (cdc || rndis)
printf(...".
2219 if (cdc || rndis)
2220 printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
2221 dev->host_mac[0], dev->host_mac[1],
2222 dev->host_mac[2], dev->host_mac[3],
2223 dev->host_mac[4], dev->host_mac[5]);
2224
/drivers/usb/gadget/ether.c: 2110 in eth_bind()
2104 device_desc.bNumConfigurations = 2;
2105
2106 if (gadget_is_dualspeed(gadget)) {
2107 if (rndis)
2108 dev_qualifier.bNumConfigurations = 2;
2109 else if (!cdc)
>>> CID 501791: (DEADCODE)
>>> Execution cannot reach this statement: "dev_qualifier.bDeviceClass
...".
2110 dev_qualifier.bDeviceClass =
USB_CLASS_VENDOR_SPEC;
2111
2112 /* assumes ep0 uses the same value for both speeds
... */
2113 dev_qualifier.bMaxPacketSize0 =
device_desc.bMaxPacketSize0;
2114
2115 /* and that all endpoints are dual-speed */
/drivers/usb/gadget/ether.c: 2071 in eth_bind()
2065
2066 #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
2067 /*
2068 * CDC Ethernet control interface doesn't require a status
endpoint.
2069 * Since some hosts expect one, try to allocate one anyway.
2070 */
>>> CID 501791: (DEADCODE)
>>> Execution cannot reach the expression "rndis" inside this
statement: "if (cdc || rndis) {
statu...".
2071 if (cdc || rndis) {
2072 status_ep = usb_ep_autoconfig(gadget,
&fs_status_desc);
2073 if (status_ep) {
2074 status_ep->driver_data = status_ep; /*
claim */
2075 } else if (rndis) {
2076 pr_err("can't run RNDIS on %s",
gadget->name);
/drivers/usb/gadget/ether.c: 2089 in eth_bind()
2083 }
2084 }
2085 #endif
2086
2087 /* one config: cdc, else minimal subset */
2088 if (!cdc) {
>>> CID 501791: (DEADCODE)
>>> Execution cannot reach this statement: "eth_config.bNumInterfaces =
1;".
2089 eth_config.bNumInterfaces = 1;
2090 eth_config.iConfiguration = STRING_SUBSET;
2091
2092 /*
2093 * use functions to set these up, in case we're
built to work
2094 * with multiple controllers and must override CDC
Ethernet.
** CID 501790: Null pointer dereferences (FORWARD_NULL)
/cmd/bcb.c: 175 in __bcb_initialize()
________________________________________________________________________________________________________
*** CID 501790: Null pointer dereferences (FORWARD_NULL)
/cmd/bcb.c: 175 in __bcb_initialize()
169 }
170 }
171
172 return CMD_RET_SUCCESS;
173
174 err_read_fail:
>>> CID 501790: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "block".
175 printf("Error: %d %d:%s read failed (%d)\n",
block->uclass_id,
176 block->devnum, partition->name, ret);
177 __bcb_reset();
178 return CMD_RET_FAILURE;
179 }
180
** CID 501789: Insecure data handling (TAINTED_SCALAR)
/lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
________________________________________________________________________________________________________
*** CID 501789: Insecure data handling (TAINTED_SCALAR)
/lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
35 memset(response, 0, sizeof(response));
36
37 ret = tpm2_get_pcr_info(dev, &pcrs);
38 if (ret)
39 return ret;
40
>>> CID 501789: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "pcrs.count" as a loop boundary.
41 for (i = 0; i < pcrs.count; i++) {
42 u32 hash_mask =
tcg2_algorithm_to_mask(pcrs.selection[i].hash);
43
44 if (hash_mask) {
45 *supported_pcr |= hash_mask;
46 if (tpm2_is_active_pcr(&pcrs.selection[i]))
** CID 501788: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 501788: Memory - corruptions (OVERRUN)
/lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
652 bool error)
653 {
654 u32 event = error ? 0x1 : 0xffffffff;
655 int i;
656
657 for (i = 0; i < 8; ++i)
>>> CID 501788: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
passing it to a function which accesses it at byte offset 63.
658 tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
sizeof(event),
659 (const u8 *)&event);
660
661 if (elog->log)
662 unmap_physmem(elog->log, MAP_NOCACHE);
663 }
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-23 14:18 Tom Rini
@ 2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:53 ` Mattijs Korpershoek
0 siblings, 2 replies; 99+ messages in thread
From: Mattijs Korpershoek @ 2024-07-24 9:21 UTC (permalink / raw)
To: Tom Rini, u-boot, Ilias Apalodimas, Heinrich Schuchardt,
Marek Vasut, Dmitrii Merkurev
Hi Tom,
Thank you for the report.
On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Jul 22, 2024, 8:07 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 8 of 8 defect(s)
>
>
> ** CID 501795: Insecure data handling (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 501795: Insecure data handling (TAINTED_SCALAR)
> /boot/bootmeth_android.c: 96 in scan_boot_part()
> 90 if (!is_android_boot_image_header(buf)) {
> 91 free(buf);
> 92 return log_msg_ret("header", -ENOENT);
> 93 }
> 94
> 95 priv->header_version = ((struct andr_boot_img_hdr_v0
> *)buf)->header_version;
>>>> CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>> Passing tainted expression "*buf" to "dlfree", which uses it as an
> offset.
scan_boot_part() generates this warning, but scan_vendor_boot_part()
does not.
Both functions follow a similar code flow.
The only reason scan_boot_part() generates this warning, is because of
the downcast into struct andr_boot_img_hdr_v0.
We can't change char* buf into struct andr_boot_img_hdr_v0 because we
need to be block aligned when calling blk_dread().
Per my understanding tainted data means it comes from user input (which
is true for both scan_boot_part() and scan_vendor_boot_part() because
both read from eMMC, which can be consider "user input".
Since I don't see any particular problem with this code I propose that
we ignore this warning.
> 96 free(buf);
> 97
> 98 return 0;
> 99 }
> 100
> 101 static int scan_vendor_boot_part(struct udevice *blk, struct
> android_priv *priv)
>
> ** CID 501794: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 501794: Memory - corruptions (OVERRUN)
> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
> 634 rc = tcg2_log_prepare_buffer(*dev, elog,
> ignore_existing_log);
> 635 if (rc) {
> 636 tcg2_measurement_term(*dev, elog, true);
> 637 return rc;
> 638 }
> 639
>>>> CID 501794: Memory - corruptions (OVERRUN)
>>>> Overrunning array "version_string" of 50 bytes by passing it to a
> function which accesses it at byte offset 63.
> 640 rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
> 641 strlen(version_string) + 1,
> 642 (u8 *)version_string);
> 643 if (rc) {
> 644 tcg2_measurement_term(*dev, elog, true);
> 645 return rc;
>
> ** CID 501793: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>
>
> ________________________________________________________________________________________________________
> *** CID 501793: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
> 903 int rc;
> 904
> 905 rc = tpm2_get_pcr_info(dev, &pcrs);
> 906 if (rc)
> 907 return false;
> 908
>>>> CID 501793: Insecure data handling (TAINTED_SCALAR)
>>>> Using tainted variable "pcrs.count" as a loop boundary.
> 909 for (i = 0; i < pcrs.count; i++) {
> 910 if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
> 911 !tpm2_algorithm_to_len(pcrs.selection[i].hash))
> 912 return false;
> 913 }
> 914
> 915 return true;
>
> ** CID 501792: Control flow issues (DEADCODE)
> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>
>
> ________________________________________________________________________________________________________
> *** CID 501792: Control flow issues (DEADCODE)
> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
> 131 if (fdt_dp) {
> 132 struct efi_device_path *tmp_dp = *dp;
> 133
> 134 *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
> 135 efi_free_pool(tmp_dp);
> 136 if (!dp)
>>>> CID 501792: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "return
> 9223372036854775817UL;".
> 137 return EFI_OUT_OF_RESOURCES;
> 138 *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
> 139 }
> 140
> 141 *dp_size += sizeof(END);
> 142
>
> ** CID 501791: (DEADCODE)
> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>
>
> ________________________________________________________________________________________________________
> *** CID 501791: (DEADCODE)
> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
> 2213 out_ep->name, in_ep->name,
> 2214 status_ep ? " STATUS " : "",
> 2215 status_ep ? status_ep->name : ""
> 2216 );
> 2217 printf("MAC %pM\n", pdata->enetaddr);
> 2218
>>>> CID 501791: (DEADCODE)
>>>> Execution cannot reach the expression "rndis" inside this
> statement: "if (cdc || rndis)
> printf(...".
> 2219 if (cdc || rndis)
> 2220 printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
> 2221 dev->host_mac[0], dev->host_mac[1],
> 2222 dev->host_mac[2], dev->host_mac[3],
> 2223 dev->host_mac[4], dev->host_mac[5]);
> 2224
> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
> 2104 device_desc.bNumConfigurations = 2;
> 2105
> 2106 if (gadget_is_dualspeed(gadget)) {
> 2107 if (rndis)
> 2108 dev_qualifier.bNumConfigurations = 2;
> 2109 else if (!cdc)
>>>> CID 501791: (DEADCODE)
>>>> Execution cannot reach this statement: "dev_qualifier.bDeviceClass
> ...".
> 2110 dev_qualifier.bDeviceClass =
> USB_CLASS_VENDOR_SPEC;
> 2111
> 2112 /* assumes ep0 uses the same value for both speeds
> ... */
> 2113 dev_qualifier.bMaxPacketSize0 =
> device_desc.bMaxPacketSize0;
> 2114
> 2115 /* and that all endpoints are dual-speed */
> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
> 2065
> 2066 #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
> 2067 /*
> 2068 * CDC Ethernet control interface doesn't require a status
> endpoint.
> 2069 * Since some hosts expect one, try to allocate one anyway.
> 2070 */
>>>> CID 501791: (DEADCODE)
>>>> Execution cannot reach the expression "rndis" inside this
> statement: "if (cdc || rndis) {
> statu...".
> 2071 if (cdc || rndis) {
> 2072 status_ep = usb_ep_autoconfig(gadget,
> &fs_status_desc);
> 2073 if (status_ep) {
> 2074 status_ep->driver_data = status_ep; /*
> claim */
> 2075 } else if (rndis) {
> 2076 pr_err("can't run RNDIS on %s",
> gadget->name);
> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
> 2083 }
> 2084 }
> 2085 #endif
> 2086
> 2087 /* one config: cdc, else minimal subset */
> 2088 if (!cdc) {
>>>> CID 501791: (DEADCODE)
>>>> Execution cannot reach this statement: "eth_config.bNumInterfaces =
> 1;".
> 2089 eth_config.bNumInterfaces = 1;
> 2090 eth_config.iConfiguration = STRING_SUBSET;
> 2091
> 2092 /*
> 2093 * use functions to set these up, in case we're
> built to work
> 2094 * with multiple controllers and must override CDC
> Ethernet.
>
> ** CID 501790: Null pointer dereferences (FORWARD_NULL)
> /cmd/bcb.c: 175 in __bcb_initialize()
>
>
> ________________________________________________________________________________________________________
> *** CID 501790: Null pointer dereferences (FORWARD_NULL)
> /cmd/bcb.c: 175 in __bcb_initialize()
> 169 }
> 170 }
> 171
> 172 return CMD_RET_SUCCESS;
> 173
> 174 err_read_fail:
>>>> CID 501790: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "block".
> 175 printf("Error: %d %d:%s read failed (%d)\n",
> block->uclass_id,
> 176 block->devnum, partition->name, ret);
> 177 __bcb_reset();
> 178 return CMD_RET_FAILURE;
> 179 }
> 180
This probably deserves to be addressed. I don't know if Dmitrii is actively
watching the list so I'll study this in more detail and send a fix if appropriate.
>
> ** CID 501789: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>
>
> ________________________________________________________________________________________________________
> *** CID 501789: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
> 35 memset(response, 0, sizeof(response));
> 36
> 37 ret = tpm2_get_pcr_info(dev, &pcrs);
> 38 if (ret)
> 39 return ret;
> 40
>>>> CID 501789: Insecure data handling (TAINTED_SCALAR)
>>>> Using tainted variable "pcrs.count" as a loop boundary.
> 41 for (i = 0; i < pcrs.count; i++) {
> 42 u32 hash_mask =
> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
> 43
> 44 if (hash_mask) {
> 45 *supported_pcr |= hash_mask;
> 46 if (tpm2_is_active_pcr(&pcrs.selection[i]))
>
> ** CID 501788: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 501788: Memory - corruptions (OVERRUN)
> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
> 652 bool error)
> 653 {
> 654 u32 event = error ? 0x1 : 0xffffffff;
> 655 int i;
> 656
> 657 for (i = 0; i < 8; ++i)
>>>> CID 501788: Memory - corruptions (OVERRUN)
>>>> Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
> passing it to a function which accesses it at byte offset 63.
> 658 tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
> sizeof(event),
> 659 (const u8 *)&event);
> 660
> 661 if (elog->log)
> 662 unmap_physmem(elog->log, MAP_NOCACHE);
> 663 }
>
>
>
> ----- End forwarded message -----
>
> --
> Tom
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-24 9:21 ` Mattijs Korpershoek
@ 2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 9:53 ` Mattijs Korpershoek
1 sibling, 1 reply; 99+ messages in thread
From: Heinrich Schuchardt @ 2024-07-24 9:45 UTC (permalink / raw)
To: Mattijs Korpershoek
Cc: Tom Rini, u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev
On 24.07.24 11:21, Mattijs Korpershoek wrote:
> Hi Tom,
>
> Thank you for the report.
>
> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>
>> Here's the latest report.
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Jul 22, 2024, 8:07 PM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das U-Boot
>> found with Coverity Scan.
>>
>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 8 of 8 defect(s)
>>
>>
>> ** CID 501795: Insecure data handling (TAINTED_SCALAR)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501795: Insecure data handling (TAINTED_SCALAR)
>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>> 90 if (!is_android_boot_image_header(buf)) {
>> 91 free(buf);
>> 92 return log_msg_ret("header", -ENOENT);
>> 93 }
>> 94
>> 95 priv->header_version = ((struct andr_boot_img_hdr_v0
>> *)buf)->header_version;
>>>>> CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>>> Passing tainted expression "*buf" to "dlfree", which uses it as an
>> offset.
>
> scan_boot_part() generates this warning, but scan_vendor_boot_part()
> does not.
> Both functions follow a similar code flow.
>
> The only reason scan_boot_part() generates this warning, is because of
> the downcast into struct andr_boot_img_hdr_v0.
>
> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
> need to be block aligned when calling blk_dread().
>
> Per my understanding tainted data means it comes from user input (which
> is true for both scan_boot_part() and scan_vendor_boot_part() because
> both read from eMMC, which can be consider "user input".
>
> Since I don't see any particular problem with this code I propose that
> we ignore this warning.
The warning is specifically about invoking free for the buffer that we
have allocated via malloc(). Our implementation of malloc() and free()
stores some meta-information about allocated buffers at a negative
offset and we don't overwrite this area via blk_read().
>
>
>> 96 free(buf);
>> 97
>> 98 return 0;
>> 99 }
>> 100
>> 101 static int scan_vendor_boot_part(struct udevice *blk, struct
>> android_priv *priv)
>>
>> ** CID 501794: Memory - corruptions (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501794: Memory - corruptions (OVERRUN)
>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>> 634 rc = tcg2_log_prepare_buffer(*dev, elog,
>> ignore_existing_log);
>> 635 if (rc) {
>> 636 tcg2_measurement_term(*dev, elog, true);
>> 637 return rc;
>> 638 }
>> 639
>>>>> CID 501794: Memory - corruptions (OVERRUN)
>>>>> Overrunning array "version_string" of 50 bytes by passing it to a
>> function which accesses it at byte offset 63.
>> 640 rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>> 641 strlen(version_string) + 1,
>> 642 (u8 *)version_string);
>> 643 if (rc) {
>> 644 tcg2_measurement_term(*dev, elog, true);
>> 645 return rc;
>>
>> ** CID 501793: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501793: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>> 903 int rc;
>> 904
>> 905 rc = tpm2_get_pcr_info(dev, &pcrs);
>> 906 if (rc)
>> 907 return false;
>> 908
>>>>> CID 501793: Insecure data handling (TAINTED_SCALAR)
>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>> 909 for (i = 0; i < pcrs.count; i++) {
>> 910 if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>> 911 !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>> 912 return false;
>> 913 }
>> 914
>> 915 return true;
>>
>> ** CID 501792: Control flow issues (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501792: Control flow issues (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>> 131 if (fdt_dp) {
>> 132 struct efi_device_path *tmp_dp = *dp;
>> 133
>> 134 *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>> 135 efi_free_pool(tmp_dp);
>> 136 if (!dp)
>>>>> CID 501792: Control flow issues (DEADCODE)
>>>>> Execution cannot reach this statement: "return
>> 9223372036854775817UL;".
>> 137 return EFI_OUT_OF_RESOURCES;
>> 138 *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>> 139 }
>> 140
>> 141 *dp_size += sizeof(END);
>> 142
>>
>> ** CID 501791: (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501791: (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> 2213 out_ep->name, in_ep->name,
>> 2214 status_ep ? " STATUS " : "",
>> 2215 status_ep ? status_ep->name : ""
>> 2216 );
>> 2217 printf("MAC %pM\n", pdata->enetaddr);
>> 2218
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis)
>> printf(...".
>> 2219 if (cdc || rndis)
>> 2220 printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>> 2221 dev->host_mac[0], dev->host_mac[1],
>> 2222 dev->host_mac[2], dev->host_mac[3],
>> 2223 dev->host_mac[4], dev->host_mac[5]);
>> 2224
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> 2104 device_desc.bNumConfigurations = 2;
>> 2105
>> 2106 if (gadget_is_dualspeed(gadget)) {
>> 2107 if (rndis)
>> 2108 dev_qualifier.bNumConfigurations = 2;
>> 2109 else if (!cdc)
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>> ...".
>> 2110 dev_qualifier.bDeviceClass =
>> USB_CLASS_VENDOR_SPEC;
>> 2111
>> 2112 /* assumes ep0 uses the same value for both speeds
>> ... */
>> 2113 dev_qualifier.bMaxPacketSize0 =
>> device_desc.bMaxPacketSize0;
>> 2114
>> 2115 /* and that all endpoints are dual-speed */
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> 2065
>> 2066 #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>> 2067 /*
>> 2068 * CDC Ethernet control interface doesn't require a status
>> endpoint.
>> 2069 * Since some hosts expect one, try to allocate one anyway.
>> 2070 */
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis) {
>> statu...".
>> 2071 if (cdc || rndis) {
>> 2072 status_ep = usb_ep_autoconfig(gadget,
>> &fs_status_desc);
>> 2073 if (status_ep) {
>> 2074 status_ep->driver_data = status_ep; /*
>> claim */
>> 2075 } else if (rndis) {
>> 2076 pr_err("can't run RNDIS on %s",
>> gadget->name);
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>> 2083 }
>> 2084 }
>> 2085 #endif
>> 2086
>> 2087 /* one config: cdc, else minimal subset */
>> 2088 if (!cdc) {
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach this statement: "eth_config.bNumInterfaces =
>> 1;".
>> 2089 eth_config.bNumInterfaces = 1;
>> 2090 eth_config.iConfiguration = STRING_SUBSET;
>> 2091
>> 2092 /*
>> 2093 * use functions to set these up, in case we're
>> built to work
>> 2094 * with multiple controllers and must override CDC
>> Ethernet.
>>
>> ** CID 501790: Null pointer dereferences (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501790: Null pointer dereferences (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>> 169 }
>> 170 }
>> 171
>> 172 return CMD_RET_SUCCESS;
>> 173
>> 174 err_read_fail:
>>>>> CID 501790: Null pointer dereferences (FORWARD_NULL)
>>>>> Dereferencing null pointer "block".
>> 175 printf("Error: %d %d:%s read failed (%d)\n",
>> block->uclass_id,
>> 176 block->devnum, partition->name, ret);
>> 177 __bcb_reset();
>> 178 return CMD_RET_FAILURE;
>> 179 }
>> 180
>
> This probably deserves to be addressed. I don't know if Dmitrii is actively
> watching the list so I'll study this in more detail and send a fix if appropriate.
If blk_get_dev() returns NULL, we should write a message like "No such
device" and return CMD_RET_FAILURE immediately.
Please, use log_err() for writing error messages. We don't need "Error:"
at the beginning of error messages.
Best regards
Heinrich
>
>>
>> ** CID 501789: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501789: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>> 35 memset(response, 0, sizeof(response));
>> 36
>> 37 ret = tpm2_get_pcr_info(dev, &pcrs);
>> 38 if (ret)
>> 39 return ret;
>> 40
>>>>> CID 501789: Insecure data handling (TAINTED_SCALAR)
>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>> 41 for (i = 0; i < pcrs.count; i++) {
>> 42 u32 hash_mask =
>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>> 43
>> 44 if (hash_mask) {
>> 45 *supported_pcr |= hash_mask;
>> 46 if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>
>> ** CID 501788: Memory - corruptions (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501788: Memory - corruptions (OVERRUN)
>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>> 652 bool error)
>> 653 {
>> 654 u32 event = error ? 0x1 : 0xffffffff;
>> 655 int i;
>> 656
>> 657 for (i = 0; i < 8; ++i)
>>>>> CID 501788: Memory - corruptions (OVERRUN)
>>>>> Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>> passing it to a function which accesses it at byte offset 63.
>> 658 tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>> sizeof(event),
>> 659 (const u8 *)&event);
>> 660
>> 661 if (elog->log)
>> 662 unmap_physmem(elog->log, MAP_NOCACHE);
>> 663 }
>>
>>
>>
>> ----- End forwarded message -----
>>
>> --
>> Tom
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
@ 2024-07-24 9:53 ` Mattijs Korpershoek
1 sibling, 0 replies; 99+ messages in thread
From: Mattijs Korpershoek @ 2024-07-24 9:53 UTC (permalink / raw)
To: Tom Rini, u-boot, Ilias Apalodimas, Heinrich Schuchardt,
Marek Vasut, Dmitrii Merkurev
On mer., juil. 24, 2024 at 11:21, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:
> Hi Tom,
>
> Thank you for the report.
>
> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>
>> Here's the latest report.
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Jul 22, 2024, 8:07 PM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das U-Boot
>> found with Coverity Scan.
>>
>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 8 of 8 defect(s)
>>
>>
>> ** CID 501795: Insecure data handling (TAINTED_SCALAR)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501795: Insecure data handling (TAINTED_SCALAR)
>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>> 90 if (!is_android_boot_image_header(buf)) {
>> 91 free(buf);
>> 92 return log_msg_ret("header", -ENOENT);
>> 93 }
>> 94
>> 95 priv->header_version = ((struct andr_boot_img_hdr_v0
>> *)buf)->header_version;
>>>>> CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>>> Passing tainted expression "*buf" to "dlfree", which uses it as an
>> offset.
>
> scan_boot_part() generates this warning, but scan_vendor_boot_part()
> does not.
> Both functions follow a similar code flow.
>
> The only reason scan_boot_part() generates this warning, is because of
> the downcast into struct andr_boot_img_hdr_v0.
>
> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
> need to be block aligned when calling blk_dread().
>
> Per my understanding tainted data means it comes from user input (which
> is true for both scan_boot_part() and scan_vendor_boot_part() because
> both read from eMMC, which can be consider "user input".
>
> Since I don't see any particular problem with this code I propose that
> we ignore this warning.
>
>
>> 96 free(buf);
>> 97
>> 98 return 0;
>> 99 }
>> 100
>> 101 static int scan_vendor_boot_part(struct udevice *blk, struct
>> android_priv *priv)
>>
>> ** CID 501794: Memory - corruptions (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501794: Memory - corruptions (OVERRUN)
>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>> 634 rc = tcg2_log_prepare_buffer(*dev, elog,
>> ignore_existing_log);
>> 635 if (rc) {
>> 636 tcg2_measurement_term(*dev, elog, true);
>> 637 return rc;
>> 638 }
>> 639
>>>>> CID 501794: Memory - corruptions (OVERRUN)
>>>>> Overrunning array "version_string" of 50 bytes by passing it to a
>> function which accesses it at byte offset 63.
>> 640 rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>> 641 strlen(version_string) + 1,
>> 642 (u8 *)version_string);
>> 643 if (rc) {
>> 644 tcg2_measurement_term(*dev, elog, true);
>> 645 return rc;
>>
>> ** CID 501793: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501793: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>> 903 int rc;
>> 904
>> 905 rc = tpm2_get_pcr_info(dev, &pcrs);
>> 906 if (rc)
>> 907 return false;
>> 908
>>>>> CID 501793: Insecure data handling (TAINTED_SCALAR)
>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>> 909 for (i = 0; i < pcrs.count; i++) {
>> 910 if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>> 911 !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>> 912 return false;
>> 913 }
>> 914
>> 915 return true;
>>
>> ** CID 501792: Control flow issues (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501792: Control flow issues (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>> 131 if (fdt_dp) {
>> 132 struct efi_device_path *tmp_dp = *dp;
>> 133
>> 134 *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>> 135 efi_free_pool(tmp_dp);
>> 136 if (!dp)
>>>>> CID 501792: Control flow issues (DEADCODE)
>>>>> Execution cannot reach this statement: "return
>> 9223372036854775817UL;".
>> 137 return EFI_OUT_OF_RESOURCES;
>> 138 *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>> 139 }
>> 140
>> 141 *dp_size += sizeof(END);
>> 142
>>
>> ** CID 501791: (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501791: (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> 2213 out_ep->name, in_ep->name,
>> 2214 status_ep ? " STATUS " : "",
>> 2215 status_ep ? status_ep->name : ""
>> 2216 );
>> 2217 printf("MAC %pM\n", pdata->enetaddr);
>> 2218
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis)
>> printf(...".
>> 2219 if (cdc || rndis)
>> 2220 printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>> 2221 dev->host_mac[0], dev->host_mac[1],
>> 2222 dev->host_mac[2], dev->host_mac[3],
>> 2223 dev->host_mac[4], dev->host_mac[5]);
>> 2224
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> 2104 device_desc.bNumConfigurations = 2;
>> 2105
>> 2106 if (gadget_is_dualspeed(gadget)) {
>> 2107 if (rndis)
>> 2108 dev_qualifier.bNumConfigurations = 2;
>> 2109 else if (!cdc)
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>> ...".
>> 2110 dev_qualifier.bDeviceClass =
>> USB_CLASS_VENDOR_SPEC;
>> 2111
>> 2112 /* assumes ep0 uses the same value for both speeds
>> ... */
>> 2113 dev_qualifier.bMaxPacketSize0 =
>> device_desc.bMaxPacketSize0;
>> 2114
>> 2115 /* and that all endpoints are dual-speed */
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> 2065
>> 2066 #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>> 2067 /*
>> 2068 * CDC Ethernet control interface doesn't require a status
>> endpoint.
>> 2069 * Since some hosts expect one, try to allocate one anyway.
>> 2070 */
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis) {
>> statu...".
>> 2071 if (cdc || rndis) {
>> 2072 status_ep = usb_ep_autoconfig(gadget,
>> &fs_status_desc);
>> 2073 if (status_ep) {
>> 2074 status_ep->driver_data = status_ep; /*
>> claim */
>> 2075 } else if (rndis) {
>> 2076 pr_err("can't run RNDIS on %s",
>> gadget->name);
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>> 2083 }
>> 2084 }
>> 2085 #endif
>> 2086
>> 2087 /* one config: cdc, else minimal subset */
>> 2088 if (!cdc) {
>>>>> CID 501791: (DEADCODE)
>>>>> Execution cannot reach this statement: "eth_config.bNumInterfaces =
>> 1;".
>> 2089 eth_config.bNumInterfaces = 1;
>> 2090 eth_config.iConfiguration = STRING_SUBSET;
>> 2091
>> 2092 /*
>> 2093 * use functions to set these up, in case we're
>> built to work
>> 2094 * with multiple controllers and must override CDC
>> Ethernet.
>>
>> ** CID 501790: Null pointer dereferences (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501790: Null pointer dereferences (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>> 169 }
>> 170 }
>> 171
>> 172 return CMD_RET_SUCCESS;
>> 173
>> 174 err_read_fail:
>>>>> CID 501790: Null pointer dereferences (FORWARD_NULL)
>>>>> Dereferencing null pointer "block".
>> 175 printf("Error: %d %d:%s read failed (%d)\n",
>> block->uclass_id,
>> 176 block->devnum, partition->name, ret);
>> 177 __bcb_reset();
>> 178 return CMD_RET_FAILURE;
>> 179 }
>> 180
>
> This probably deserves to be addressed. I don't know if Dmitrii is actively
> watching the list so I'll study this in more detail and send a fix if appropriate.
Fix submitted here:
https://lore.kernel.org/all/20240724-bcb-crash-v1-1-44caff15bce4@baylibre.com/
>
>>
>> ** CID 501789: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501789: Insecure data handling (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>> 35 memset(response, 0, sizeof(response));
>> 36
>> 37 ret = tpm2_get_pcr_info(dev, &pcrs);
>> 38 if (ret)
>> 39 return ret;
>> 40
>>>>> CID 501789: Insecure data handling (TAINTED_SCALAR)
>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>> 41 for (i = 0; i < pcrs.count; i++) {
>> 42 u32 hash_mask =
>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>> 43
>> 44 if (hash_mask) {
>> 45 *supported_pcr |= hash_mask;
>> 46 if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>
>> ** CID 501788: Memory - corruptions (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501788: Memory - corruptions (OVERRUN)
>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>> 652 bool error)
>> 653 {
>> 654 u32 event = error ? 0x1 : 0xffffffff;
>> 655 int i;
>> 656
>> 657 for (i = 0; i < 8; ++i)
>>>>> CID 501788: Memory - corruptions (OVERRUN)
>>>>> Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>> passing it to a function which accesses it at byte offset 63.
>> 658 tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>> sizeof(event),
>> 659 (const u8 *)&event);
>> 660
>> 661 if (elog->log)
>> 662 unmap_physmem(elog->log, MAP_NOCACHE);
>> 663 }
>>
>>
>>
>> ----- End forwarded message -----
>>
>> --
>> Tom
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-24 9:45 ` Heinrich Schuchardt
@ 2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
0 siblings, 1 reply; 99+ messages in thread
From: Mattijs Korpershoek @ 2024-07-24 9:56 UTC (permalink / raw)
To: Heinrich Schuchardt
Cc: Tom Rini, u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev
Hi Heinrich,
On mer., juil. 24, 2024 at 11:45, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
> On 24.07.24 11:21, Mattijs Korpershoek wrote:
>> Hi Tom,
>>
>> Thank you for the report.
>>
>> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>>
>>> Here's the latest report.
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Jul 22, 2024, 8:07 PM
>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>> To: <tom.rini@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to Das U-Boot
>>> found with Coverity Scan.
>>>
>>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 8 of 8 defect(s)
>>>
>>>
>>> ** CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501795: Insecure data handling (TAINTED_SCALAR)
>>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>>> 90 if (!is_android_boot_image_header(buf)) {
>>> 91 free(buf);
>>> 92 return log_msg_ret("header", -ENOENT);
>>> 93 }
>>> 94
>>> 95 priv->header_version = ((struct andr_boot_img_hdr_v0
>>> *)buf)->header_version;
>>>>>> CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>>>> Passing tainted expression "*buf" to "dlfree", which uses it as an
>>> offset.
>>
>> scan_boot_part() generates this warning, but scan_vendor_boot_part()
>> does not.
>> Both functions follow a similar code flow.
>>
>> The only reason scan_boot_part() generates this warning, is because of
>> the downcast into struct andr_boot_img_hdr_v0.
>>
>> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
>> need to be block aligned when calling blk_dread().
>>
>> Per my understanding tainted data means it comes from user input (which
>> is true for both scan_boot_part() and scan_vendor_boot_part() because
>> both read from eMMC, which can be consider "user input".
>>
>> Since I don't see any particular problem with this code I propose that
>> we ignore this warning.
>
> The warning is specifically about invoking free for the buffer that we
> have allocated via malloc(). Our implementation of malloc() and free()
> stores some meta-information about allocated buffers at a negative
> offset and we don't overwrite this area via blk_read().
Ok, so does that mean that you agree that this code is safe and we don't
need any further action to fix it?
>
>>
>>
>>> 96 free(buf);
>>> 97
>>> 98 return 0;
>>> 99 }
>>> 100
>>> 101 static int scan_vendor_boot_part(struct udevice *blk, struct
>>> android_priv *priv)
>>>
>>> ** CID 501794: Memory - corruptions (OVERRUN)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501794: Memory - corruptions (OVERRUN)
>>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>>> 634 rc = tcg2_log_prepare_buffer(*dev, elog,
>>> ignore_existing_log);
>>> 635 if (rc) {
>>> 636 tcg2_measurement_term(*dev, elog, true);
>>> 637 return rc;
>>> 638 }
>>> 639
>>>>>> CID 501794: Memory - corruptions (OVERRUN)
>>>>>> Overrunning array "version_string" of 50 bytes by passing it to a
>>> function which accesses it at byte offset 63.
>>> 640 rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>>> 641 strlen(version_string) + 1,
>>> 642 (u8 *)version_string);
>>> 643 if (rc) {
>>> 644 tcg2_measurement_term(*dev, elog, true);
>>> 645 return rc;
>>>
>>> ** CID 501793: Insecure data handling (TAINTED_SCALAR)
>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501793: Insecure data handling (TAINTED_SCALAR)
>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>> 903 int rc;
>>> 904
>>> 905 rc = tpm2_get_pcr_info(dev, &pcrs);
>>> 906 if (rc)
>>> 907 return false;
>>> 908
>>>>>> CID 501793: Insecure data handling (TAINTED_SCALAR)
>>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>>> 909 for (i = 0; i < pcrs.count; i++) {
>>> 910 if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>>> 911 !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>>> 912 return false;
>>> 913 }
>>> 914
>>> 915 return true;
>>>
>>> ** CID 501792: Control flow issues (DEADCODE)
>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501792: Control flow issues (DEADCODE)
>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>> 131 if (fdt_dp) {
>>> 132 struct efi_device_path *tmp_dp = *dp;
>>> 133
>>> 134 *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>>> 135 efi_free_pool(tmp_dp);
>>> 136 if (!dp)
>>>>>> CID 501792: Control flow issues (DEADCODE)
>>>>>> Execution cannot reach this statement: "return
>>> 9223372036854775817UL;".
>>> 137 return EFI_OUT_OF_RESOURCES;
>>> 138 *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>>> 139 }
>>> 140
>>> 141 *dp_size += sizeof(END);
>>> 142
>>>
>>> ** CID 501791: (DEADCODE)
>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501791: (DEADCODE)
>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>> 2213 out_ep->name, in_ep->name,
>>> 2214 status_ep ? " STATUS " : "",
>>> 2215 status_ep ? status_ep->name : ""
>>> 2216 );
>>> 2217 printf("MAC %pM\n", pdata->enetaddr);
>>> 2218
>>>>>> CID 501791: (DEADCODE)
>>>>>> Execution cannot reach the expression "rndis" inside this
>>> statement: "if (cdc || rndis)
>>> printf(...".
>>> 2219 if (cdc || rndis)
>>> 2220 printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>>> 2221 dev->host_mac[0], dev->host_mac[1],
>>> 2222 dev->host_mac[2], dev->host_mac[3],
>>> 2223 dev->host_mac[4], dev->host_mac[5]);
>>> 2224
>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>> 2104 device_desc.bNumConfigurations = 2;
>>> 2105
>>> 2106 if (gadget_is_dualspeed(gadget)) {
>>> 2107 if (rndis)
>>> 2108 dev_qualifier.bNumConfigurations = 2;
>>> 2109 else if (!cdc)
>>>>>> CID 501791: (DEADCODE)
>>>>>> Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>>> ...".
>>> 2110 dev_qualifier.bDeviceClass =
>>> USB_CLASS_VENDOR_SPEC;
>>> 2111
>>> 2112 /* assumes ep0 uses the same value for both speeds
>>> ... */
>>> 2113 dev_qualifier.bMaxPacketSize0 =
>>> device_desc.bMaxPacketSize0;
>>> 2114
>>> 2115 /* and that all endpoints are dual-speed */
>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>> 2065
>>> 2066 #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>>> 2067 /*
>>> 2068 * CDC Ethernet control interface doesn't require a status
>>> endpoint.
>>> 2069 * Since some hosts expect one, try to allocate one anyway.
>>> 2070 */
>>>>>> CID 501791: (DEADCODE)
>>>>>> Execution cannot reach the expression "rndis" inside this
>>> statement: "if (cdc || rndis) {
>>> statu...".
>>> 2071 if (cdc || rndis) {
>>> 2072 status_ep = usb_ep_autoconfig(gadget,
>>> &fs_status_desc);
>>> 2073 if (status_ep) {
>>> 2074 status_ep->driver_data = status_ep; /*
>>> claim */
>>> 2075 } else if (rndis) {
>>> 2076 pr_err("can't run RNDIS on %s",
>>> gadget->name);
>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>> 2083 }
>>> 2084 }
>>> 2085 #endif
>>> 2086
>>> 2087 /* one config: cdc, else minimal subset */
>>> 2088 if (!cdc) {
>>>>>> CID 501791: (DEADCODE)
>>>>>> Execution cannot reach this statement: "eth_config.bNumInterfaces =
>>> 1;".
>>> 2089 eth_config.bNumInterfaces = 1;
>>> 2090 eth_config.iConfiguration = STRING_SUBSET;
>>> 2091
>>> 2092 /*
>>> 2093 * use functions to set these up, in case we're
>>> built to work
>>> 2094 * with multiple controllers and must override CDC
>>> Ethernet.
>>>
>>> ** CID 501790: Null pointer dereferences (FORWARD_NULL)
>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501790: Null pointer dereferences (FORWARD_NULL)
>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>> 169 }
>>> 170 }
>>> 171
>>> 172 return CMD_RET_SUCCESS;
>>> 173
>>> 174 err_read_fail:
>>>>>> CID 501790: Null pointer dereferences (FORWARD_NULL)
>>>>>> Dereferencing null pointer "block".
>>> 175 printf("Error: %d %d:%s read failed (%d)\n",
>>> block->uclass_id,
>>> 176 block->devnum, partition->name, ret);
>>> 177 __bcb_reset();
>>> 178 return CMD_RET_FAILURE;
>>> 179 }
>>> 180
>>
>> This probably deserves to be addressed. I don't know if Dmitrii is actively
>> watching the list so I'll study this in more detail and send a fix if appropriate.
>
> If blk_get_dev() returns NULL, we should write a message like "No such
> device" and return CMD_RET_FAILURE immediately.
Yes, thank you, I've submitted a fix:
https://lore.kernel.org/all/20240724-bcb-crash-v1-1-44caff15bce4@baylibre.com/
>
> Please, use log_err() for writing error messages. We don't need "Error:"
> at the beginning of error messages.
Is log_err() also the preferred way for commands? Since they are
interactive, it seems odd to have an "optional" message.
If it is, I'll convert the whole file in a separate, future patch.
>
> Best regards
>
> Heinrich
>
>>
>>>
>>> ** CID 501789: Insecure data handling (TAINTED_SCALAR)
>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501789: Insecure data handling (TAINTED_SCALAR)
>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>> 35 memset(response, 0, sizeof(response));
>>> 36
>>> 37 ret = tpm2_get_pcr_info(dev, &pcrs);
>>> 38 if (ret)
>>> 39 return ret;
>>> 40
>>>>>> CID 501789: Insecure data handling (TAINTED_SCALAR)
>>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>>> 41 for (i = 0; i < pcrs.count; i++) {
>>> 42 u32 hash_mask =
>>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>>> 43
>>> 44 if (hash_mask) {
>>> 45 *supported_pcr |= hash_mask;
>>> 46 if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>>
>>> ** CID 501788: Memory - corruptions (OVERRUN)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501788: Memory - corruptions (OVERRUN)
>>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>>> 652 bool error)
>>> 653 {
>>> 654 u32 event = error ? 0x1 : 0xffffffff;
>>> 655 int i;
>>> 656
>>> 657 for (i = 0; i < 8; ++i)
>>>>>> CID 501788: Memory - corruptions (OVERRUN)
>>>>>> Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>>> passing it to a function which accesses it at byte offset 63.
>>> 658 tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>>> sizeof(event),
>>> 659 (const u8 *)&event);
>>> 660
>>> 661 if (elog->log)
>>> 662 unmap_physmem(elog->log, MAP_NOCACHE);
>>> 663 }
>>>
>>>
>>>
>>> ----- End forwarded message -----
>>>
>>> --
>>> Tom
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-24 9:56 ` Mattijs Korpershoek
@ 2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Heinrich Schuchardt @ 2024-07-24 10:06 UTC (permalink / raw)
To: Mattijs Korpershoek
Cc: Tom Rini, u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev
Am 24. Juli 2024 11:56:17 MESZ schrieb Mattijs Korpershoek <mkorpershoek@baylibre.com>:
>Hi Heinrich,
>
>On mer., juil. 24, 2024 at 11:45, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
>> On 24.07.24 11:21, Mattijs Korpershoek wrote:
>>> Hi Tom,
>>>
>>> Thank you for the report.
>>>
>>> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>>>
>>>> Here's the latest report.
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: <scan-admin@coverity.com>
>>>> Date: Mon, Jul 22, 2024, 8:07 PM
>>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>>> To: <tom.rini@gmail.com>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Please find the latest report on new defect(s) introduced to Das U-Boot
>>>> found with Coverity Scan.
>>>>
>>>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>>> recent build analyzed by Coverity Scan.
>>>>
>>>> New defect(s) Reported-by: Coverity Scan
>>>> Showing 8 of 8 defect(s)
>>>>
>>>>
>>>> ** CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>>>> 90 if (!is_android_boot_image_header(buf)) {
>>>> 91 free(buf);
>>>> 92 return log_msg_ret("header", -ENOENT);
>>>> 93 }
>>>> 94
>>>> 95 priv->header_version = ((struct andr_boot_img_hdr_v0
>>>> *)buf)->header_version;
>>>>>>> CID 501795: Insecure data handling (TAINTED_SCALAR)
>>>>>>> Passing tainted expression "*buf" to "dlfree", which uses it as an
>>>> offset.
>>>
>>> scan_boot_part() generates this warning, but scan_vendor_boot_part()
>>> does not.
>>> Both functions follow a similar code flow.
>>>
>>> The only reason scan_boot_part() generates this warning, is because of
>>> the downcast into struct andr_boot_img_hdr_v0.
>>>
>>> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
>>> need to be block aligned when calling blk_dread().
>>>
>>> Per my understanding tainted data means it comes from user input (which
>>> is true for both scan_boot_part() and scan_vendor_boot_part() because
>>> both read from eMMC, which can be consider "user input".
>>>
>>> Since I don't see any particular problem with this code I propose that
>>> we ignore this warning.
>>
>> The warning is specifically about invoking free for the buffer that we
>> have allocated via malloc(). Our implementation of malloc() and free()
>> stores some meta-information about allocated buffers at a negative
>> offset and we don't overwrite this area via blk_read().
>
>Ok, so does that mean that you agree that this code is safe and we don't
>need any further action to fix it?
No fix needed.
Tom just needs to nark it in Coverity as "intended".
>
>>
>>>
>>>
>>>> 96 free(buf);
>>>> 97
>>>> 98 return 0;
>>>> 99 }
>>>> 100
>>>> 101 static int scan_vendor_boot_part(struct udevice *blk, struct
>>>> android_priv *priv)
>>>>
>>>> ** CID 501794: Memory - corruptions (OVERRUN)
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501794: Memory - corruptions (OVERRUN)
>>>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>>>> 634 rc = tcg2_log_prepare_buffer(*dev, elog,
>>>> ignore_existing_log);
>>>> 635 if (rc) {
>>>> 636 tcg2_measurement_term(*dev, elog, true);
>>>> 637 return rc;
>>>> 638 }
>>>> 639
>>>>>>> CID 501794: Memory - corruptions (OVERRUN)
>>>>>>> Overrunning array "version_string" of 50 bytes by passing it to a
>>>> function which accesses it at byte offset 63.
>>>> 640 rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>>>> 641 strlen(version_string) + 1,
>>>> 642 (u8 *)version_string);
>>>> 643 if (rc) {
>>>> 644 tcg2_measurement_term(*dev, elog, true);
>>>> 645 return rc;
>>>>
>>>> ** CID 501793: Insecure data handling (TAINTED_SCALAR)
>>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501793: Insecure data handling (TAINTED_SCALAR)
>>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>>> 903 int rc;
>>>> 904
>>>> 905 rc = tpm2_get_pcr_info(dev, &pcrs);
>>>> 906 if (rc)
>>>> 907 return false;
>>>> 908
>>>>>>> CID 501793: Insecure data handling (TAINTED_SCALAR)
>>>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>>>> 909 for (i = 0; i < pcrs.count; i++) {
>>>> 910 if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>>>> 911 !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>>>> 912 return false;
>>>> 913 }
>>>> 914
>>>> 915 return true;
>>>>
>>>> ** CID 501792: Control flow issues (DEADCODE)
>>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501792: Control flow issues (DEADCODE)
>>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>>> 131 if (fdt_dp) {
>>>> 132 struct efi_device_path *tmp_dp = *dp;
>>>> 133
>>>> 134 *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>>>> 135 efi_free_pool(tmp_dp);
>>>> 136 if (!dp)
>>>>>>> CID 501792: Control flow issues (DEADCODE)
>>>>>>> Execution cannot reach this statement: "return
>>>> 9223372036854775817UL;".
>>>> 137 return EFI_OUT_OF_RESOURCES;
>>>> 138 *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>>>> 139 }
>>>> 140
>>>> 141 *dp_size += sizeof(END);
>>>> 142
>>>>
>>>> ** CID 501791: (DEADCODE)
>>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501791: (DEADCODE)
>>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>>> 2213 out_ep->name, in_ep->name,
>>>> 2214 status_ep ? " STATUS " : "",
>>>> 2215 status_ep ? status_ep->name : ""
>>>> 2216 );
>>>> 2217 printf("MAC %pM\n", pdata->enetaddr);
>>>> 2218
>>>>>>> CID 501791: (DEADCODE)
>>>>>>> Execution cannot reach the expression "rndis" inside this
>>>> statement: "if (cdc || rndis)
>>>> printf(...".
>>>> 2219 if (cdc || rndis)
>>>> 2220 printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>>>> 2221 dev->host_mac[0], dev->host_mac[1],
>>>> 2222 dev->host_mac[2], dev->host_mac[3],
>>>> 2223 dev->host_mac[4], dev->host_mac[5]);
>>>> 2224
>>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>>> 2104 device_desc.bNumConfigurations = 2;
>>>> 2105
>>>> 2106 if (gadget_is_dualspeed(gadget)) {
>>>> 2107 if (rndis)
>>>> 2108 dev_qualifier.bNumConfigurations = 2;
>>>> 2109 else if (!cdc)
>>>>>>> CID 501791: (DEADCODE)
>>>>>>> Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>>>> ...".
>>>> 2110 dev_qualifier.bDeviceClass =
>>>> USB_CLASS_VENDOR_SPEC;
>>>> 2111
>>>> 2112 /* assumes ep0 uses the same value for both speeds
>>>> ... */
>>>> 2113 dev_qualifier.bMaxPacketSize0 =
>>>> device_desc.bMaxPacketSize0;
>>>> 2114
>>>> 2115 /* and that all endpoints are dual-speed */
>>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>>> 2065
>>>> 2066 #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>>>> 2067 /*
>>>> 2068 * CDC Ethernet control interface doesn't require a status
>>>> endpoint.
>>>> 2069 * Since some hosts expect one, try to allocate one anyway.
>>>> 2070 */
>>>>>>> CID 501791: (DEADCODE)
>>>>>>> Execution cannot reach the expression "rndis" inside this
>>>> statement: "if (cdc || rndis) {
>>>> statu...".
>>>> 2071 if (cdc || rndis) {
>>>> 2072 status_ep = usb_ep_autoconfig(gadget,
>>>> &fs_status_desc);
>>>> 2073 if (status_ep) {
>>>> 2074 status_ep->driver_data = status_ep; /*
>>>> claim */
>>>> 2075 } else if (rndis) {
>>>> 2076 pr_err("can't run RNDIS on %s",
>>>> gadget->name);
>>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>>> 2083 }
>>>> 2084 }
>>>> 2085 #endif
>>>> 2086
>>>> 2087 /* one config: cdc, else minimal subset */
>>>> 2088 if (!cdc) {
>>>>>>> CID 501791: (DEADCODE)
>>>>>>> Execution cannot reach this statement: "eth_config.bNumInterfaces =
>>>> 1;".
>>>> 2089 eth_config.bNumInterfaces = 1;
>>>> 2090 eth_config.iConfiguration = STRING_SUBSET;
>>>> 2091
>>>> 2092 /*
>>>> 2093 * use functions to set these up, in case we're
>>>> built to work
>>>> 2094 * with multiple controllers and must override CDC
>>>> Ethernet.
>>>>
>>>> ** CID 501790: Null pointer dereferences (FORWARD_NULL)
>>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501790: Null pointer dereferences (FORWARD_NULL)
>>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>>> 169 }
>>>> 170 }
>>>> 171
>>>> 172 return CMD_RET_SUCCESS;
>>>> 173
>>>> 174 err_read_fail:
>>>>>>> CID 501790: Null pointer dereferences (FORWARD_NULL)
>>>>>>> Dereferencing null pointer "block".
>>>> 175 printf("Error: %d %d:%s read failed (%d)\n",
>>>> block->uclass_id,
>>>> 176 block->devnum, partition->name, ret);
>>>> 177 __bcb_reset();
>>>> 178 return CMD_RET_FAILURE;
>>>> 179 }
>>>> 180
>>>
>>> This probably deserves to be addressed. I don't know if Dmitrii is actively
>>> watching the list so I'll study this in more detail and send a fix if appropriate.
>>
>> If blk_get_dev() returns NULL, we should write a message like "No such
>> device" and return CMD_RET_FAILURE immediately.
>
>Yes, thank you, I've submitted a fix:
>
>https://lore.kernel.org/all/20240724-bcb-crash-v1-1-44caff15bce4@baylibre.com/
>
>
>>
>> Please, use log_err() for writing error messages. We don't need "Error:"
>> at the beginning of error messages.
>
>Is log_err() also the preferred way for commands? Since they are
>interactive, it seems odd to have an "optional" message.
>
>If it is, I'll convert the whole file in a separate, future patch.
Messages written with the log functions can be written to a syslog server. Remote message logging may be of interest for commands executed in scripts.
Best regards
Heinrich
>
>>
>> Best regards
>>
>> Heinrich
>>
>>>
>>>>
>>>> ** CID 501789: Insecure data handling (TAINTED_SCALAR)
>>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501789: Insecure data handling (TAINTED_SCALAR)
>>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>>> 35 memset(response, 0, sizeof(response));
>>>> 36
>>>> 37 ret = tpm2_get_pcr_info(dev, &pcrs);
>>>> 38 if (ret)
>>>> 39 return ret;
>>>> 40
>>>>>>> CID 501789: Insecure data handling (TAINTED_SCALAR)
>>>>>>> Using tainted variable "pcrs.count" as a loop boundary.
>>>> 41 for (i = 0; i < pcrs.count; i++) {
>>>> 42 u32 hash_mask =
>>>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>>>> 43
>>>> 44 if (hash_mask) {
>>>> 45 *supported_pcr |= hash_mask;
>>>> 46 if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>>>
>>>> ** CID 501788: Memory - corruptions (OVERRUN)
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501788: Memory - corruptions (OVERRUN)
>>>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>>>> 652 bool error)
>>>> 653 {
>>>> 654 u32 event = error ? 0x1 : 0xffffffff;
>>>> 655 int i;
>>>> 656
>>>> 657 for (i = 0; i < 8; ++i)
>>>>>>> CID 501788: Memory - corruptions (OVERRUN)
>>>>>>> Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>>>> passing it to a function which accesses it at byte offset 63.
>>>> 658 tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>>>> sizeof(event),
>>>> 659 (const u8 *)&event);
>>>> 660
>>>> 661 if (elog->log)
>>>> 662 unmap_physmem(elog->log, MAP_NOCACHE);
>>>> 663 }
>>>>
>>>>
>>>>
>>>> ----- End forwarded message -----
>>>>
>>>> --
>>>> Tom
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-24 10:06 ` Heinrich Schuchardt
@ 2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2024-07-24 22:40 UTC (permalink / raw)
To: Heinrich Schuchardt
Cc: Mattijs Korpershoek, u-boot, Ilias Apalodimas, Marek Vasut,
Dmitrii Merkurev
[-- Attachment #1: Type: text/plain, Size: 3364 bytes --]
On Wed, Jul 24, 2024 at 12:06:46PM +0200, Heinrich Schuchardt wrote:
>
>
> Am 24. Juli 2024 11:56:17 MESZ schrieb Mattijs Korpershoek <mkorpershoek@baylibre.com>:
> >Hi Heinrich,
> >
> >On mer., juil. 24, 2024 at 11:45, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
> >
> >> On 24.07.24 11:21, Mattijs Korpershoek wrote:
> >>> Hi Tom,
> >>>
> >>> Thank you for the report.
> >>>
> >>> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
> >>>
> >>>> Here's the latest report.
> >>>>
> >>>> ---------- Forwarded message ---------
> >>>> From: <scan-admin@coverity.com>
> >>>> Date: Mon, Jul 22, 2024, 8:07 PM
> >>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
> >>>> To: <tom.rini@gmail.com>
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> Please find the latest report on new defect(s) introduced to Das U-Boot
> >>>> found with Coverity Scan.
> >>>>
> >>>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >>>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> >>>> recent build analyzed by Coverity Scan.
> >>>>
> >>>> New defect(s) Reported-by: Coverity Scan
> >>>> Showing 8 of 8 defect(s)
> >>>>
> >>>>
> >>>> ** CID 501795: Insecure data handling (TAINTED_SCALAR)
> >>>>
> >>>>
> >>>> ________________________________________________________________________________________________________
> >>>> *** CID 501795: Insecure data handling (TAINTED_SCALAR)
> >>>> /boot/bootmeth_android.c: 96 in scan_boot_part()
> >>>> 90 if (!is_android_boot_image_header(buf)) {
> >>>> 91 free(buf);
> >>>> 92 return log_msg_ret("header", -ENOENT);
> >>>> 93 }
> >>>> 94
> >>>> 95 priv->header_version = ((struct andr_boot_img_hdr_v0
> >>>> *)buf)->header_version;
> >>>>>>> CID 501795: Insecure data handling (TAINTED_SCALAR)
> >>>>>>> Passing tainted expression "*buf" to "dlfree", which uses it as an
> >>>> offset.
> >>>
> >>> scan_boot_part() generates this warning, but scan_vendor_boot_part()
> >>> does not.
> >>> Both functions follow a similar code flow.
> >>>
> >>> The only reason scan_boot_part() generates this warning, is because of
> >>> the downcast into struct andr_boot_img_hdr_v0.
> >>>
> >>> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
> >>> need to be block aligned when calling blk_dread().
> >>>
> >>> Per my understanding tainted data means it comes from user input (which
> >>> is true for both scan_boot_part() and scan_vendor_boot_part() because
> >>> both read from eMMC, which can be consider "user input".
> >>>
> >>> Since I don't see any particular problem with this code I propose that
> >>> we ignore this warning.
> >>
> >> The warning is specifically about invoking free for the buffer that we
> >> have allocated via malloc(). Our implementation of malloc() and free()
> >> stores some meta-information about allocated buffers at a negative
> >> offset and we don't overwrite this area via blk_read().
> >
> >Ok, so does that mean that you agree that this code is safe and we don't
> >need any further action to fix it?
>
> No fix needed.
>
> Tom just needs to nark it in Coverity as "intended".
Thanks. I'll copy/paste the explanation in and close it next time I'm
over there.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-24 22:40 ` Tom Rini
@ 2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Mattijs Korpershoek @ 2024-07-25 8:04 UTC (permalink / raw)
To: Tom Rini, Heinrich Schuchardt
Cc: u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev
On mer., juil. 24, 2024 at 16:40, Tom Rini <trini@konsulko.com> wrote:
[...]
>> >
>> >Ok, so does that mean that you agree that this code is safe and we don't
>> >need any further action to fix it?
>>
>> No fix needed.
>>
>> Tom just needs to nark it in Coverity as "intended".
>
> Thanks. I'll copy/paste the explanation in and close it next time I'm
> over there.
I've done it already, added a lore link to this thread as justification.
>
> --
> Tom
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-07-25 8:04 ` Mattijs Korpershoek
@ 2024-07-25 17:16 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-07-25 17:16 UTC (permalink / raw)
To: Mattijs Korpershoek
Cc: Heinrich Schuchardt, u-boot, Ilias Apalodimas, Marek Vasut,
Dmitrii Merkurev
[-- Attachment #1: Type: text/plain, Size: 585 bytes --]
On Thu, Jul 25, 2024 at 10:04:33AM +0200, Mattijs Korpershoek wrote:
> On mer., juil. 24, 2024 at 16:40, Tom Rini <trini@konsulko.com> wrote:
>
> [...]
>
> >> >
> >> >Ok, so does that mean that you agree that this code is safe and we don't
> >> >need any further action to fix it?
> >>
> >> No fix needed.
> >>
> >> Tom just needs to nark it in Coverity as "intended".
> >
> > Thanks. I'll copy/paste the explanation in and close it next time I'm
> > over there.
>
> I've done it already, added a lore link to this thread as justification.
Thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-07 17:15 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-10-07 17:15 UTC (permalink / raw)
To: u-boot
Cc: Simon Glass, Joao Marcos Costa, Thomas Petazzoni,
Jerome Forissier, Sughosh Ganu, Caleb Connolly,
Richard Weinberger
[-- Attachment #1: Type: text/plain, Size: 30928 bytes --]
Now that I've merged next to master, there's a number of issues to
address.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Oct 7, 2024 at 10:59 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
24 new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 24 defect(s)
** CID 510469: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
/tools/mkeficapsule.c: 862 in load_dtb()
/tools/mkeficapsule.c: 855 in load_dtb()
/tools/mkeficapsule.c: 870 in load_dtb()
________________________________________________________________________________________________________
*** CID 510469: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
871 }
872
873 if (fread(dtb, dtb_size, 1, f) != 1) {
874 fprintf(stderr, "Can't read %ld bytes from %s\n",
875 dtb_size, path);
876 free(dtb);
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
877 return NULL;
878 }
879
880 fclose(f);
881
882 return dtb;
/tools/mkeficapsule.c: 862 in load_dtb()
856 }
857
858 dtb_size = ftell(f);
859 if (dtb_size < 0) {
860 fprintf(stderr, "Cannot ftell %s: %s\n",
861 path, strerror(errno));
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
862 return NULL;
863 }
864
865 fseek(f, 0, SEEK_SET);
866
867 dtb = malloc(dtb_size);
/tools/mkeficapsule.c: 855 in load_dtb()
849 return NULL;
850 }
851
852 if (fseek(f, 0, SEEK_END)) {
853 fprintf(stderr, "Cannot seek to the end of %s: %s\n",
854 path, strerror(errno));
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
855 return NULL;
856 }
857
858 dtb_size = ftell(f);
859 if (dtb_size < 0) {
860 fprintf(stderr, "Cannot ftell %s: %s\n",
/tools/mkeficapsule.c: 870 in load_dtb()
864
865 fseek(f, 0, SEEK_SET);
866
867 dtb = malloc(dtb_size);
868 if (!dtb) {
869 fprintf(stderr, "Can't allocated %ld\n", dtb_size);
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
870 return NULL;
871 }
872
873 if (fread(dtb, dtb_size, 1, f) != 1) {
874 fprintf(stderr, "Can't read %ld bytes from %s\n",
875 dtb_size, path);
** CID 510468: Integer handling issues (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
________________________________________________________________________________________________________
*** CID 510468: Integer handling issues (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
59 new_data = malloc(lst->obj_size * new_alloc);
60 if (!new_data) {
61 lst->flags |= ALISTF_FAIL;
62 return false;
63 }
64
>>> CID 510468: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "lst->obj_size" with type "u16" (16 bits, unsigned) is promoted in "lst->obj_size * lst->alloc" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lst->obj_size * lst->alloc" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
65 memcpy(new_data, lst->data, lst->obj_size * lst->alloc);
66 free(lst->data);
67
68 memset(new_data + lst->obj_size * lst->alloc, '\0',
69 lst->obj_size * (new_alloc - lst->alloc));
70 lst->alloc = new_alloc;
** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
________________________________________________________________________________________________________
*** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
491 tsopt = (struct tcp_t_opt *)p;
492 rmt_timestamp = tsopt->t_snd;
493 return;
494 }
495
496 /* Process optional NOPs */
>>> CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "p[0] == 16843009" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
497 if (p[0] == TCP_O_NOP)
498 p++;
499 }
500 }
501
502 static u8 tcp_state_machine(u8 tcp_flags, u32 tcp_seq_num, int
payload_len)
** CID 510466: Control flow issues (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
________________________________________________________________________________________________________
*** CID 510466: Control flow issues (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
250 };
251
252 int uuid_guid_get_bin(const char *guid_str, unsigned char *guid_bin)
253 {
254 int i;
255
>>> CID 510466: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
256 for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
257 if (!strcmp(list_guid[i].string, guid_str)) {
258 memcpy(guid_bin, &list_guid[i].guid, 16);
259 return 0;
260 }
261 }
** CID 510465: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 510465: Uninitialized variables (UNINIT)
/cmd/upl.c: 59 in do_upl_write()
53 struct unit_test_state uts;
54 struct abuf buf;
55 oftree tree;
56 ulong addr;
57 int ret;
58
>>> CID 510465: Uninitialized variables (UNINIT)
>>> Using uninitialized value "uts.fail_count" when calling "upl_get_test_data".
59 upl_get_test_data(&uts, upl);
60
61 log_debug("Writing UPL\n");
62 ret = upl_create_handoff_tree(upl, &tree);
63 if (ret) {
64 log_err("Failed to write (err=%dE)\n", ret);
** CID 510464: Error handling issues (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
________________________________________________________________________________________________________
*** CID 510464: Error handling issues (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
253
254 pos = strstr((char *)pkt, content_len);
255 if (!pos) {
256 content_length = -1;
257 } else {
258 pos += sizeof(content_len) + 2;
>>> CID 510464: Error handling issues (CHECKED_RETURN)
>>> Calling "strict_strtoul" without checking return value (as is done elsewhere 8 out of 10 times).
259 strict_strtoul(pos, 10,
&content_length);
260 debug_cond(DEBUG_WGET,
261 "wget: Connected Len %lu\n",
262 content_length);
263 }
264
** CID 510463: Memory - illegal accesses (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
________________________________________________________________________________________________________
*** CID 510463: Memory - illegal accesses (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
31 {
32 u64 bitpos;
33 const char *flag_str[] = { "none", "no-map", "no-overwrite" };
34
35 do {
36 bitpos = flags ? fls(flags) - 1 : 0;
>>> CID 510463: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "flag_str" of 3 8-byte elements at element index 31 (byte offset 255) using index "bitpos" (which evaluates to 31).
37 printf("%s", flag_str[bitpos]);
38 flags &= ~(1ull << bitpos);
39 puts(flags ? ", " : "\n");
40 } while (flags);
41 }
42
** CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
________________________________________________________________________________________________________
*** CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
61 ops.ooblen = mtd->oobsize;
62 ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63 ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65 /* Generate some data and write it */
66 for (i = 0; i < size / sizeof(int); i++)
>>> CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67 gold[i] = rand();
68 ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69 (void *)gold, 0));
70 ut_asserteq(size, length);
71
72 /* Verify */
** CID 510461: Code maintainability issues (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
________________________________________________________________________________________________________
*** CID 510461: Code maintainability issues (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
231 return log_msg_ret("sub", ret);
232
233 ret = write_addr(upl, subnode, UPLP_LOAD, img->load);
234 if (!ret)
235 ret = write_size(upl, subnode,
UPLP_SIZE, img->size);
236 if (!ret && img->offset)
>>> CID 510461: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "ofnode_write_u32(subnode, "offset", img->offset)" to "ret" here, but that stored value is overwritten before it can be used.
237 ret = ofnode_write_u32(subnode, UPLP_OFFSET,
238 img->offset);
239 ret = ofnode_write_string(subnode, UPLP_DESCRIPTION,
240 img->description);
241 if (ret)
242 return log_msg_ret("sim", ret);
** CID 510460: Resource leaks (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
________________________________________________________________________________________________________
*** CID 510460: Resource leaks (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
210 struct ext2fs_node *dirnode = NULL;
211 int filetype;
212
213 if (!filename)
214 return 0;
215
>>> CID 510460: Resource leaks (RESOURCE_LEAK)
>>> Variable "dirnode" going out of scope leaks the storage it points to.
216 return ext4fs_find_file1(filename,
&ext4fs_root->diropen, &dirnode,
217 &filetype);
218 }
219
220 int ext4fs_size(const char *filename, loff_t *size)
221 {
** CID 510459: Incorrect expression (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
________________________________________________________________________________________________________
*** CID 510459: Incorrect expression (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
517 if (!buf) {
518 log_warning("Node '%s': Missing 'reg' property\n",
519 ofnode_get_name(node));
520 return log_msg_ret("reg", -EINVAL);
521 }
522
>>> CID 510459: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "buf" of type "char const *" and argument "8 /* sizeof (buf) */" to function "decode_addr_size" is suspicious.
523 len = decode_addr_size(upl, buf, sizeof(buf), &gra->reg);
524 if (len < 0)
525 return log_msg_ret("buf", len);
526
527 ret = read_uint(node, UPLP_WIDTH, &gra->width);
528 if (!ret)
** CID 510458: Control flow issues (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
________________________________________________________________________________________________________
*** CID 510458: Control flow issues (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
263 }
264
265 const char *uuid_guid_get_str(const unsigned char *guid_bin)
266 {
267 int i;
268
>>> CID 510458: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
269 for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
270 if (!memcmp(list_guid[i].guid.b, guid_bin, 16)) {
271 return list_guid[i].string;
272 }
273 }
274 return NULL;
** CID 510457: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
/tools/mkeficapsule.c: 930 in genguid()
/tools/mkeficapsule.c: 924 in genguid()
/tools/mkeficapsule.c: 944 in genguid()
/tools/mkeficapsule.c: 959 in genguid()
________________________________________________________________________________________________________
*** CID 510457: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
930 return -1;
931 }
932 if (strnlen(compatible, compatlen) >= compatlen) {
933 fprintf(stderr, "Compatible string not
null-terminated\n");
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
934 return -1;
935 }
936
937 printf("Generating GUIDs for %s with namespace %s:\n",
938 compatible, DEFAULT_NAMESPACE_GUID);
939 for (; idx < argc; idx++) {
/tools/mkeficapsule.c: 930 in genguid()
924 return -1;
925 }
926
927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
930 return -1;
931 }
932 if (strnlen(compatible, compatlen) >= compatlen) {
933 fprintf(stderr, "Compatible string not
null-terminated\n");
934 return -1;
935 }
/tools/mkeficapsule.c: 924 in genguid()
918 if (!dtb)
919 return -1;
920
921 ret = fdt_check_header(dtb);
922 if (ret) {
923 fprintf(stderr, "Invalid DTB header: %d\n", ret);
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
924 return -1;
925 }
926
927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
/tools/mkeficapsule.c: 944 in genguid()
938 compatible, DEFAULT_NAMESPACE_GUID);
939 for (; idx < argc; idx++) {
940 memset(fw_image, 0, sizeof(fw_image));
941 namelen = strlen(argv[idx]);
942 if (namelen > MAX_IMAGE_NAME_LEN) {
943 fprintf(stderr, "Image name too long:
%s\n", argv[idx]);
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
944 return -1;
945 }
946
947 for (int i = 0; i < namelen; i++)
948 fw_image[i] = (uint16_t)argv[idx][i];
949
/tools/mkeficapsule.c: 959 in genguid()
953 NULL);
954
955 printf("%s: ", argv[idx]);
956 print_guid(&image_type_id);
957 }
958
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
959 return 0;
960 }
961
962 /**
963 * main - main entry function of mkeficapsule
964 * @argc: Number of arguments
** CID 510456: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 510456: Integer handling issues (NEGATIVE_RETURNS)
/boot/upl_write.c: 432 in add_upl_memres()
426 ret = ofnode_add_subnode(mem_node, name, &node);
427 if (ret)
428 return log_msg_ret("memres", ret);
429
430 len = buffer_addr_size(upl, buf, sizeof(buf),
431 memres->region.count,
&memres->region);
>>> CID 510456: Integer handling issues (NEGATIVE_RETURNS)
>>> "len" is passed to a parameter that cannot be negative.
432 ret = ofnode_write_prop(node, UPLP_REG, buf, len, true);
433 if (!ret && memres->no_map)
434 ret = ofnode_write_bool(node, UPLP_NO_MAP,
435 memres->no_map);
436 if (ret)
437 return log_msg_ret("lst", ret);
** CID 510455: Memory - corruptions (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
________________________________________________________________________________________________________
*** CID 510455: Memory - corruptions (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
965 if (le16_to_cpu(dirs->i_dir.inode_type) == SQFS_DIR_TYPE)
966 dirs->size = le16_to_cpu(dirs->i_dir.file_size);
967 else
968 dirs->size = le32_to_cpu(dirs->i_ldir.file_size);
969
970 /* Setup directory header */
>>> CID 510455: Memory - corruptions (OVERLAPPING_COPY)
>>> Copying 12 bytes from "dirs->table" to "dirs->dir_header", which point to overlapping memory locations.
971 memcpy(dirs->dir_header, dirs->table, SQFS_DIR_HEADER_SIZE);
972 dirs->entry_count = dirs->dir_header->count + 1;
973 dirs->size -= SQFS_DIR_HEADER_SIZE;
974
975 /* Setup entry */
976 dirs->entry = NULL;
** CID 510454: (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
/test/cmd/mbr.c: 421 in mbr_test_run()
/test/cmd/mbr.c: 351 in mbr_test_run()
/test/cmd/mbr.c: 316 in mbr_test_run()
/test/cmd/mbr.c: 386 in mbr_test_run()
________________________________________________________________________________________________________
*** CID 510454: (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
274
275 /* Make sure mmc6 is 12+ MiB in size */
276 ut_assertok(run_commandf("mmc read %lx %lx 1", ra,
277 (ulong)0xbffe00 / BLKSZ));
278
279 /* Test one MBR partition */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
280 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
281 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 1));
282 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
283 memset(rbuf, '\0', BLKSZ);
284 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
285 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 421 in mbr_test_run()
415 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p4[i],
416 "4P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
417 mbr_cmp_start + i,
mbr_parts_ref_p4[i], rbuf[mbr_cmp_start + i]);
418 }
419
420 /* Test five MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
421 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
422 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 5));
423 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
424 memset(rbuf, '\0', BLKSZ);
425 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
426 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 351 in mbr_test_run()
345 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p2[i],
346 "2P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
347 mbr_cmp_start + i,
mbr_parts_ref_p2[i], rbuf[mbr_cmp_start + i]);
348 }
349
350 /* Test three MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
351 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
352 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 3));
353 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
354 memset(rbuf, '\0', BLKSZ);
355 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
356 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 316 in mbr_test_run()
310 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p1[i],
311 "1P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
312 mbr_cmp_start + i,
mbr_parts_ref_p1[i], rbuf[mbr_cmp_start + i]);
313 }
314
315 /* Test two MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
316 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
317 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 2));
318 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
319 memset(rbuf, '\0', BLKSZ);
320 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
321 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 386 in mbr_test_run()
380 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p3[i],
381 "3P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
382 mbr_cmp_start + i,
mbr_parts_ref_p3[i], rbuf[mbr_cmp_start + i]);
383 }
384
385 /* Test four MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
386 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
387 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 4));
388 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
389 memset(rbuf, '\0', BLKSZ);
390 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
391 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
** CID 510453: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
________________________________________________________________________________________________________
*** CID 510453: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
977 dirs->table += SQFS_DIR_HEADER_SIZE;
978
979 *dirsp = (struct fs_dir_stream *)dirs;
980
981 out:
982 for (j = 0; j < token_count; j++)
>>> CID 510453: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "token_list".
983 free(token_list[j]);
984 free(token_list);
985 free(pos_list);
986 free(path);
987 if (ret) {
988 free(inode_table);
** CID 510452: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
________________________________________________________________________________________________________
*** CID 510452: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
1670 printf("File not found.\n");
1671 *size = 0;
1672 ret = -EINVAL;
1673 goto free_strings;
1674 }
1675
>>> CID 510452: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dirs->entry".
1676 i_number = dirs->dir_header->inode_number +
dirs->entry->inode_offset;
1677 ipos = sqfs_find_inode(dirs->inode_table, i_number,
sblk->inodes,
1678 sblk->block_size);
1679
1680 if (!ipos) {
1681 *size = 0;
** CID 510451: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
________________________________________________________________________________________________________
*** CID 510451: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
1610 fragment_block = (void *)fragment + table_offset;
1611
>>> CID 510451: (TAINTED_SCALAR)
>>> Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1612 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1613 *actread = finfo.size;
1614 }
1615
1616 out:
1617 free(fragment);
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
1610 fragment_block = (void *)fragment + table_offset;
1611
>>> CID 510451: (TAINTED_SCALAR)
>>> Passing tainted expression "finfo.size - *actread" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1612 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1613 *actread = finfo.size;
1614 }
1615
1616 out:
1617 free(fragment);
/fs/squashfs/sqfs.c: 1621 in sqfs_read_nest()
1615
1616 out:
1617 free(fragment);
1618 free(datablock);
1619 free(file);
1620 free(dir);
>>> CID 510451: (TAINTED_SCALAR)
>>> Passing tainted expression "*finfo.blk_sizes" to "dlfree", which uses it as an offset.
1621 free(finfo.blk_sizes);
1622 sqfs_closedir(dirsp);
1623
1624 return ret;
1625 }
1626
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
1598 frag_entry.size);
1599 if (ret) {
1600 free(fragment_block);
1601 goto out;
1602 }
1603
>>> CID 510451: (TAINTED_SCALAR)
>>> Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1604 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1605 *actread = finfo.size;
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
** CID 510450: Code maintainability issues (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
________________________________________________________________________________________________________
*** CID 510450: Code maintainability issues (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
1500 n_blks = DIV_ROUND_UP(table_size + table_offset,
1501 ctxt.cur_dev->blksz);
1502
1503 /* Don't load any data for sparse blocks */
1504 if (finfo.blk_sizes[j] == 0) {
1505 n_blks = 0;
>>> CID 510450: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "0ULL" to "table_offset" here, but that stored value is overwritten before it can be used.
1506 table_offset = 0;
1507 data_buffer = NULL;
1508 data = NULL;
1509 } else {
1510 data_buffer =
malloc_cache_aligned(n_blks * ctxt.cur_dev->blksz);
1511
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2024-10-16 3:47 UTC (permalink / raw)
To: u-boot
Cc: Vignesh R, Takahiro Kuwano, Tudor Ambarus,
Venkatesh Yadav Abbarapu, Pratyush Yadav, Ashok Reddy Soma,
Joakim Tjernlund, Raymond Mao, Ilias Apalodimas
[-- Attachment #1: Type: text/plain, Size: 28517 bytes --]
Hey all, here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Oct 15, 2024 at 5:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
22 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 22 defect(s)
** CID 510813: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()
________________________________________________________________________________________________________
*** CID 510813: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()
1646 goto read_err;
1647 }
1648 if (ret < 0)
1649 goto read_err;
1650
1651 if (is_ofst_odd == true) {
>>> CID 510813: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "memmove(buf, buf + 1, len -...".
1652 memmove(buf, (buf + 1), (len - 1));
1653 *retlen += (ret - 1);
1654 buf += ret - 1;
1655 is_ofst_odd = false;
1656 } else {
1657 *retlen += ret;
** CID 510812: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()
________________________________________________________________________________________________________
*** CID 510812: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
3567 /*
3568 * In parallel-memories the erase operation is
3569 * performed on both the flashes simultaneously
3570 * so, double the erasesize.
3571 */
3572 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3573 mtd->erasesize = 4096 * 2;
3574 else
3575 mtd->erasesize = 4096;
3576 } else if (info->flags & SECT_4K_PMC) {
3577 nor->erase_opcode = SPINOR_OP_BE_4K_PMC;
3578 /*
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
3578 /*
3579 * In parallel-memories the erase operation is
3580 * performed on both the flashes simultaneously
3581 * so, double the erasesize.
3582 */
3583 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3584 mtd->erasesize = 4096 * 2;
3585 else
3586 mtd->erasesize = 4096;
3587 } else
3588 #endif
3589 {
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
3604 /*
3605 * In parallel-memories the erase operation is
3606 * performed on both the flashes simultaneously
3607 * so, double the erasesize.
3608 */
3609 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3610 mtd->erasesize = 4096 * 2;
3611 else
3612 mtd->erasesize = 4096;
3613 }
3614
3615 return 0;
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()
3591 /*
3592 * In parallel-memories the erase operation is
3593 * performed on both the flashes simultaneously
3594 * so, double the erasesize.
3595 */
3596 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510812: (DEADCODE)
>>> Execution cannot reach this statement: "mtd->erasesize = info->sect...".
3597 mtd->erasesize = info->sector_size * 2;
3598 else
3599 mtd->erasesize = info->sector_size;
3600 }
3601
3602 if ((JEDEC_MFR(info) == SNOR_MFR_SST) && info->flags &
SECT_4K) {
** CID 510811: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()
________________________________________________________________________________________________________
*** CID 510811: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
1128 addr_known = false;
1129 ret = -EINTR;
1130 goto erase_err;
1131 }
1132 offset = addr;
1133 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510811: (DEADCODE)
>>> Execution cannot reach this statement: "offset /= 2U;".
1134 offset /= 2;
1135
1136 if (nor->flags & SNOR_F_HAS_STACKED) {
1137 if (offset >= (mtd->size / 2)) {
1138 offset = offset - (mtd->size / 2);
1139 nor->spi->flags |= SPI_XFER_U_PAGE;
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()
1131 }
1132 offset = addr;
1133 if (nor->flags & SNOR_F_HAS_PARALLEL)
1134 offset /= 2;
1135
1136 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510811: (DEADCODE)
>>> Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1137 if (offset >= (mtd->size / 2)) {
1138 offset = offset - (mtd->size / 2);
1139 nor->spi->flags |= SPI_XFER_U_PAGE;
1140 } else {
1141 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142 }
** CID 510810: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
________________________________________________________________________________________________________
*** CID 510810: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550 {
1551 int tmp;
1552 u8 id[SPI_NOR_MAX_ID_LEN];
1553 const struct flash_info *info;
1554
1555 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510810: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "nor->spi->flags |= 0x100;".
1556 nor->spi->flags |= SPI_XFER_LOWER;
1557
1558 tmp = nor->read_reg(nor, SPINOR_OP_RDID, id,
SPI_NOR_MAX_ID_LEN);
1559 if (tmp < 0) {
1560 dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561 return ERR_PTR(tmp);
** CID 510809: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()
________________________________________________________________________________________________________
*** CID 510809: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()
379 signed_info);
380 if (ret)
381 goto out_err_sinfo;
382
383 no_authattrs:
384 *sinfo = signed_info;
>>> CID 510809: Resource leaks (RESOURCE_LEAK)
>>> Variable "mctx" going out of scope leaks the storage it points to.
385 return 0;
386
387 out_err_sinfo:
388 pkcs7_free_sinfo_mbedtls_ctx(mctx);
389 out_no_mctx:
390 public_key_signature_free(s);
** CID 510808: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()
________________________________________________________________________________________________________
*** CID 510808: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()
718 static void spi_nor_set_4byte_opcodes(struct spi_nor *nor,
719 const struct flash_info *info)
720 {
721 bool shift = 0;
722
723 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510808: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "shift = true;".
724 shift = 1;
725
726 /* Do some manufacturer fixups first */
727 switch (JEDEC_MFR(info)) {
728 case SNOR_MFR_SPANSION:
729 /* No small sector erase for 4-byte command set */
** CID 510807: Control flow issues (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()
________________________________________________________________________________________________________
*** CID 510807: Control flow issues (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()
2744 MBEDTLS_PUT_UINT16_BE(group, addr, nonzero_groups);
2745 nonzero_groups++;
2746 if (*p == '\0') {
2747 break;
2748 } else if (*p == '.') {
2749 /* Don't accept IPv4 too early or late */
>>> CID 510807: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "zero_group_start == -1" inside this statement: "if ((nonzero_groups == 0 &&...".
2750 if ((nonzero_groups == 0 && zero_group_start == -1) ||
2751 nonzero_groups >= 7) {
2752 break;
2753 }
2754
2755 /* Walk back to prior ':', then parse as IPv4-mapped */
** CID 510806: Control flow issues (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()
________________________________________________________________________________________________________
*** CID 510806: Control flow issues (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()
203 return -EINVAL;
204 }
205
206 p += seq_len;
207 }
208
>>> CID 510806: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "ret != -96" inside this statement: "if (ret && ret != -96)
re...".
209 if (ret && ret != MBEDTLS_ERR_ASN1_OUT_OF_DATA)
210 return ret;
211
212 msg->have_authattrs = true;
213
214 /*
** CID 510805: Memory - illegal accesses (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()
________________________________________________________________________________________________________
*** CID 510805: Memory - illegal accesses (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()
672 (*prop)->num_bits = (rsa_key.n_sz - i) * 8;
673 (*prop)->modulus = malloc(rsa_key.n_sz - i);
674 if (!(*prop)->modulus) {
675 ret = -ENOMEM;
676 goto out;
677 }
>>> CID 510805: Memory - illegal accesses (OVERRUN)
>>> Overrunning dynamic array "rsa_key.n" at offset corresponding to index variable "i".
678 memcpy((void *)(*prop)->modulus, &rsa_key.n[i],
rsa_key.n_sz - i);
679
680 n = calloc(sizeof(uint32_t), 1 + ((*prop)->num_bits >> 5));
681 rr = calloc(sizeof(uint32_t), 1 + (((*prop)->num_bits
* 2) >> 5));
682 rrtmp = calloc(sizeof(uint32_t), 2 +
(((*prop)->num_bits * 2) >> 5));
683 if (!n || !rr || !rrtmp) {
** CID 510804: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
________________________________________________________________________________________________________
*** CID 510804: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550 {
1551 int tmp;
1552 u8 id[SPI_NOR_MAX_ID_LEN];
1553 const struct flash_info *info;
1554
1555 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510804: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> In "nor->spi->flags |= 256 /* 1 << 8 */", wider "256 /* 1 << 8 */" has high-order bits (0x100) that don't affect the narrower left-hand side.
1556 nor->spi->flags |= SPI_XFER_LOWER;
1557
1558 tmp = nor->read_reg(nor, SPINOR_OP_RDID, id,
SPI_NOR_MAX_ID_LEN);
1559 if (tmp < 0) {
1560 dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561 return ERR_PTR(tmp);
** CID 510803: Code maintainability issues (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()
________________________________________________________________________________________________________
*** CID 510803: Code maintainability issues (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()
1132 offset = addr;
1133 if (nor->flags & SNOR_F_HAS_PARALLEL)
1134 offset /= 2;
1135
1136 if (nor->flags & SNOR_F_HAS_STACKED) {
1137 if (offset >= (mtd->size / 2)) {
>>> CID 510803: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "offset - mtd->size / 2ULL" to "offset" here, but that stored value is overwritten before it can be used.
1138 offset = offset - (mtd->size / 2);
1139 nor->spi->flags |= SPI_XFER_U_PAGE;
1140 } else {
1141 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142 }
1143 }
** CID 510802: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()
________________________________________________________________________________________________________
*** CID 510802: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()
498 * discard the second byte.
499 */
500 if (spi_nor_protocol_is_dtr(nor->reg_proto))
501 op.data.nbytes = 2;
502
503 if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>> CID 510802: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "op.data.nbytes = 2U;".
504 op.data.nbytes = 2;
505 ret = spi_nor_read_write_reg(nor, &op, &val[0]);
506 if (ret < 0) {
507 pr_debug("error %d reading SR\n", (int)ret);
508 return ret;
509 }
** CID 510801: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 510801: Null pointer dereferences (FORWARD_NULL)
/lib/ecdsa/ecdsa-libcrypto.c: 365 in ecdsa_add_verify_data()
359 struct signer ctx;
360 int ret;
361
362 fdt_key_name = info->keyname ? info->keyname : "default-key";
363 ret = prepare_ctx(&ctx, info);
364 if (ret >= 0) {
>>> CID 510801: Null pointer dereferences (FORWARD_NULL)
>>> Passing "info" to "do_add", which dereferences null "info->keyname".
365 ret = do_add(&ctx, fdt, fdt_key_name, info);
366 if (ret < 0)
367 ret = ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
368 }
369
370 free_ctx(&ctx);
371 return ret;
** CID 510800: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()
________________________________________________________________________________________________________
*** CID 510800: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
1614 } else {
1615 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616 }
1617 }
1618
1619 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach this statement: "offset /= 2LL;".
1620 offset /= 2;
1621
1622 if (nor->addr_width == 3) {
1623 #ifdef CONFIG_SPI_FLASH_BAR
1624 ret = write_bar(nor, offset);
1625 if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
1584 u32 rem_bank_len = 0;
1585 u8 bank;
1586 bool is_ofst_odd = false;
1587
1588 dev_dbg(nor->dev, "from 0x%08x, len %zd\n", (u32)from, len);
1589
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach the expression "offset & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1590 if ((nor->flags & SNOR_F_HAS_PARALLEL) && (offset & 1)) {
1591 /* We can hit this case when we use file system
like ubifs */
1592 from--;
1593 len++;
1594 is_ofst_odd = true;
1595 }
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
1605 rem_bank_len = (SZ_16M * (bank
+ 1)) - from;
1606 }
1607 }
1608 offset = from;
1609
1610 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1611 if (offset >= (mtd->size / 2)) {
1612 offset = offset - (mtd->size / 2);
1613 nor->spi->flags |= SPI_XFER_U_PAGE;
1614 } else {
1615 nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616 }
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()
1594 is_ofst_odd = true;
1595 }
1596
1597 while (len) {
1598 if (nor->addr_width == 3) {
1599 if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>> CID 510800: (DEADCODE)
>>> Execution cannot reach this statement: "bank = (u32)from / 33554432U;".
1600 bank = (u32)from / (SZ_16M << 0x01);
1601 rem_bank_len = ((SZ_16M << 0x01) *
1602 (bank + 1)) - from;
1603 } else {
1604 bank = (u32)from / SZ_16M;
1605 rem_bank_len = (SZ_16M * (bank
+ 1)) - from;
** CID 510799: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()
________________________________________________________________________________________________________
*** CID 510799: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
1965 return 0;
1966
1967 /*
1968 * Cannot write to odd offset in parallel mode,
1969 * so write 2 bytes first
1970 */
>>> CID 510799: (DEADCODE)
>>> Execution cannot reach the expression "to & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1971 if ((nor->flags & SNOR_F_HAS_PARALLEL) && (to & 1)) {
1972 u8 two[2] = {0xff, buf[0]};
1973 size_t local_retlen;
1974
1975 ret = spi_nor_write(mtd, to & ~1, 2,
&local_retlen, two);
1976 if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
2001 }
2002 offset = (to + i);
2003 if (nor->flags & SNOR_F_HAS_PARALLEL)
2004 offset /= 2;
2005
2006 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510799: (DEADCODE)
>>> Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
2007 if (offset >= (mtd->size / 2)) {
2008 offset = offset - (mtd->size / 2);
2009 nor->spi->flags |= SPI_XFER_U_PAGE;
2010 } else {
2011 nor->spi->flags &= ~SPI_XFER_U_PAGE;
2012 }
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()
1998 u64 aux = addr;
1999
2000 page_offset = do_div(aux, nor->page_size);
2001 }
2002 offset = (to + i);
2003 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510799: (DEADCODE)
>>> Execution cannot reach this statement: "offset /= 2U;".
2004 offset /= 2;
2005
2006 if (nor->flags & SNOR_F_HAS_STACKED) {
2007 if (offset >= (mtd->size / 2)) {
2008 offset = offset - (mtd->size / 2);
2009 nor->spi->flags |= SPI_XFER_U_PAGE;
** CID 510798: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()
________________________________________________________________________________________________________
*** CID 510798: Resource leaks (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()
214 }
215
216 ret = hash_calculate(s->hash_algo, ®ion, 1, s->digest);
217 if (!ret)
218 *sig = s;
219
>>> CID 510798: Resource leaks (RESOURCE_LEAK)
>>> Variable "s" going out of scope leaks the storage it points to.
220 return ret;
221
222 error_sig:
223 public_key_signature_free(s);
224 return ret;
225 }
** CID 510797: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()
________________________________________________________________________________________________________
*** CID 510797: (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
4622 /* Send all the required SPI flash commands to
initialize device */
4623 ret = spi_nor_init(nor);
4624 if (ret)
4625 return ret;
4626
4627 if (nor->flags & SNOR_F_HAS_STACKED) {
>>> CID 510797: (DEADCODE)
>>> Execution cannot reach this statement: "nor->spi->flags |= 0x10UL;".
4628 nor->spi->flags |= SPI_XFER_U_PAGE;
4629 ret = spi_nor_init(nor);
4630 if (ret)
4631 return ret;
4632 nor->spi->flags &= ~SPI_XFER_U_PAGE;
4633 }
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()
4592 nor->addr_width = info->addr_width;
4593 } else {
4594 nor->addr_width = 3;
4595 }
4596
4597 if (nor->flags & (SNOR_F_HAS_PARALLEL | SNOR_F_HAS_STACKED))
>>> CID 510797: (DEADCODE)
>>> Execution cannot reach this statement: "shift = true;".
4598 shift = 1;
4599 if (nor->addr_width == 3 && (mtd->size >> shift) > SZ_16M) {
4600 #ifndef CONFIG_SPI_FLASH_BAR
4601 /* enable 4-byte addressing if the device
exceeds 16MiB */
4602 nor->addr_width = 4;
4603 if (JEDEC_MFR(info) == SNOR_MFR_SPANSION ||
** CID 510796: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 510796: Insecure data handling (TAINTED_SCALAR)
/lib/mbedtls/external/mbedtls/library/rsa.c: 1316 in rsa_prepare_blinding()
1310 }
1311
1312 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf,
ctx->len - 1, f_rng, p_rng));
1313
1314 /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from
inv_mod. */
1315 MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len
- 1, f_rng, p_rng));
>>> CID 510796: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*ctx->Vf.p" to "mbedtls_mpi_mul_mpi", which uses it as an offset.
1316 MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
1317 MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi,
&ctx->Vi, &ctx->N));
1318
1319 /* At this point, Vi is invertible mod N if and only
if both Vf and R
1320 * are invertible mod N. If one of them isn't, we
don't need to know
1321 * which one, we just loop and choose new values for
both of them.
** CID 510795: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()
________________________________________________________________________________________________________
*** CID 510795: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()
4265
4266 static int spi_nor_init(struct spi_nor *nor)
4267 {
4268 int err;
4269
4270 if (nor->flags & SNOR_F_HAS_PARALLEL)
>>> CID 510795: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "nor->spi->flags |= 3UL;".
4271 nor->spi->flags |= SPI_NOR_ENABLE_MULTI_CS;
4272
4273 err = spi_nor_octal_dtr_enable(nor);
4274 if (err) {
4275 dev_dbg(nor->dev, "Octal DTR mode not supported\n");
4276 return err;
** CID 510794: Control flow issues (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()
________________________________________________________________________________________________________
*** CID 510794: Control flow issues (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()
72 do {
73 name_str = kzalloc(len, GFP_KERNEL);
74 if (!name_str)
75 return NULL;
76
77 wb = mbedtls_x509_dn_gets(name_str, len, name);
>>> CID 510794: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "wb < 0UL".
78 if (wb < 0) {
79 pr_err("Get DN string failed, ret:-0x%04x\n",
80 (unsigned int)-wb);
81 kfree(name_str);
82 len = len * 2; /* Try with a bigger buffer */
83 }
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2024-10-16 3:47 Tom Rini
@ 2024-10-16 5:56 ` Tudor Ambarus
0 siblings, 0 replies; 99+ messages in thread
From: Tudor Ambarus @ 2024-10-16 5:56 UTC (permalink / raw)
To: Tom Rini, u-boot, Amit Kumar Mahapatra
Cc: Vignesh R, Takahiro Kuwano, Venkatesh Yadav Abbarapu,
Pratyush Yadav, Ashok Reddy Soma, Joakim Tjernlund, Raymond Mao,
Ilias Apalodimas
+ Amit
ugh, the parallel/stacked SPI NOR thingy was applied in u-boot. We
rejected it in linux, this support shall be above SPI NOR. How about
reverting the support until we have an agreement in linux?
Or, if we want to still keep it until we come with a better approach, it
would be good if Amit (now in To:) fixes all the bugs introduced.
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-19 16:16 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-10-19 16:16 UTC (permalink / raw)
To: u-boot, Simon Glass
[-- Attachment #1: Type: text/plain, Size: 2521 bytes --]
Here's a short update.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sat, Oct 19, 2024, 8:35 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 510857: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 510857: Memory - corruptions (OVERRUN)
/test/boot/bootdev.c: 160 in bootdev_test_any()
154 */
155 if (CONFIG_IS_ENABLED(DSA_SANDBOX))
156 seq = "8";
157 else
158 seq = "6";
159
>>> CID 510857: Memory - corruptions (OVERRUN)
>>> Overrunning buffer pointed to by "seq" of 2 bytes by passing it to
a function which accesses it at byte offset 2.
160 ut_assertok(bootdev_find_by_any(seq, &dev, &mflags));
161 ut_asserteq(UCLASS_BOOTDEV, device_get_uclass_id(dev));
162 ut_asserteq(BOOTFLOW_METHF_SINGLE_DEV, mflags);
163 media = dev_get_parent(dev);
164 ut_asserteq(UCLASS_MMC, device_get_uclass_id(media));
165 ut_asserteq_str("mmc2", media->name);
** CID 510856: Control flow issues (UNREACHABLE)
/lib/binman.c: 142 in binman_init()
________________________________________________________________________________________________________
*** CID 510856: Control flow issues (UNREACHABLE)
/lib/binman.c: 142 in binman_init()
136 int binman_init(void)
137 {
138 int ret;
139
140 return 0;
141 binman = malloc(sizeof(struct binman_info));
>>> CID 510856: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "if (!binman)
return ((voi...".
142 if (!binman)
143 return log_msg_ret("space for binman", -ENOMEM);
144 ret = find_image_node(&binman->image);
145 if (ret)
146 return log_msg_ret("node", -ENOENT);
147 binman_set_rom_offset(ROM_OFFSET_NONE);
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-28 3:11 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-10-28 3:11 UTC (permalink / raw)
To: u-boot, Patrick Rudolph
[-- Attachment #1: Type: text/plain, Size: 1801 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sun, Oct 27, 2024 at 9:05 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 511435: Integer handling issues (SIGN_EXTENSION)
/lib/acpi/acpi_table.c: 476 in acpi_write_spcr()
________________________________________________________________________________________________________
*** CID 511435: Integer handling issues (SIGN_EXTENSION)
/lib/acpi/acpi_table.c: 476 in acpi_write_spcr()
470 default:
471 space_id = ACPI_ADDRESS_SPACE_IO;
472 break;
473 }
474
475 serial_width = serial_info.reg_width * 8;
>>> CID 511435: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "serial_info.reg_offset" with type "u8" (8 bits, unsigned) is promoted in "serial_info.reg_offset << serial_info.reg_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "serial_info.reg_offset << serial_info.reg_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
476 serial_offset = serial_info.reg_offset << serial_info.reg_shift;
477 serial_address = serial_info.addr + serial_offset;
478
479 /* Encode register access size */
480 switch (serial_info.reg_shift) {
481 case 0:
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-11-12 2:11 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-11-12 2:11 UTC (permalink / raw)
To: u-boot, Heiko Schocher
[-- Attachment #1: Type: text/plain, Size: 1765 bytes --]
Here's the latest Coverity report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 11, 2024 at 10:24 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 514648: Control flow issues (MISSING_BREAK)
/tools/imx8image.c: 93 in parse_cfg_cmd()
________________________________________________________________________________________________________
*** CID 514648: Control flow issues (MISSING_BREAK)
/tools/imx8image.c: 93 in parse_cfg_cmd()
87 sector_size = get_table_entry_id(imx8image_sector_size,
88 "imximage boot option",
89 token);
90 if (!strncmp("emmc_fastboot", token, 13))
91 emmc_fastboot = true;
92 break;
>>> CID 514648: Control flow issues (MISSING_BREAK)
>>> The case for value "CMD_DCD_SKIP" is not terminated by a "break" statement.
93 case CMD_DCD_SKIP:
94 if (!strncmp("true", token, 4))
95 dcd_skip = true;
96 case CMD_FUSE_VERSION:
97 fuse_version = (uint8_t)(strtoll(token, NULL, 0) & 0xFF);
98 break;
________________________________________________________________________________________________________
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-11-15 13:27 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-11-15 13:27 UTC (permalink / raw)
To: u-boot, Heinrich Schuchardt
[-- Attachment #1: Type: text/plain, Size: 3031 bytes --]
Hey all,
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Nov 14, 2024, 10:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 514958: Error handling issues (CHECKED_RETURN)
/test/cmd/hash.c: 80 in dm_test_cmd_hash_sha256()
________________________________________________________________________________________________________
*** CID 514958: Error handling issues (CHECKED_RETURN)
/test/cmd/hash.c: 80 in dm_test_cmd_hash_sha256()
74 ut_assertok(run_command("hash sha256 $loadaddr 0 foo; echo $foo",
0));
75 console_record_readline(uts->actual_str, sizeof(uts->actual_str));
76 ut_asserteq_ptr(uts->actual_str,
77 strstr(uts->actual_str, "sha256 for "));
78 ut_assert(strstr(uts->actual_str,
79
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
>>> CID 514958: Error handling issues (CHECKED_RETURN)
>>> Calling "ut_check_console_line" without checking return value (as
is done elsewhere 683 out of 690 times).
80 ut_check_console_line(uts,
81
"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
82
83 if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
84 ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
85 ut_check_console_line(uts, "hash - compute hash message
digest");
** CID 514957: Error handling issues (CHECKED_RETURN)
/test/cmd/hash.c: 36 in dm_test_cmd_hash_md5()
________________________________________________________________________________________________________
*** CID 514957: Error handling issues (CHECKED_RETURN)
/test/cmd/hash.c: 36 in dm_test_cmd_hash_md5()
30 ut_assertok(run_command("hash md5 $loadaddr 0 foo; echo $foo", 0));
31 console_record_readline(uts->actual_str, sizeof(uts->actual_str));
32 ut_asserteq_ptr(uts->actual_str,
33 strstr(uts->actual_str, "md5 for "));
34 ut_assert(strstr(uts->actual_str,
35 "d41d8cd98f00b204e9800998ecf8427e"));
>>> CID 514957: Error handling issues (CHECKED_RETURN)
>>> Calling "ut_check_console_line" without checking return value (as
is done elsewhere 683 out of 690 times).
36 ut_check_console_line(uts, "d41d8cd98f00b204e9800998ecf8427e");
37
38 if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
39 ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
40 ut_check_console_line(uts, "hash - compute hash message
digest");
41
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-12-24 17:14 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-12-24 17:14 UTC (permalink / raw)
To: u-boot, Nicolas Belin
[-- Attachment #1: Type: text/plain, Size: 1728 bytes --]
Hey all,
Unfortunately Coverity went a bit weird for a bit and stopped doing
emails, so there's a few other defects missing from this.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Dec 24, 2024 at 11:05 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 516463: Null pointer dereferences (FORWARD_NULL)
/boot/image-android.c: 300 in android_image_get_kernel()
________________________________________________________________________________________________________
*** CID 516463: Null pointer dereferences (FORWARD_NULL)
/boot/image-android.c: 300 in android_image_get_kernel()
294
295 if (*img_data.kcmdline) {
296 printf("Kernel command line: %s\n",
img_data.kcmdline);
297 len += strlen(img_data.kcmdline) + (len ? 1 : 0);
/* +1 for extra space */
298 }
299
>>> CID 516463: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "img_data.kcmdline_extra".
300 if (*img_data.kcmdline_extra) {
301 printf("Kernel extra command line: %s\n",
img_data.kcmdline_extra);
302 len += strlen(img_data.kcmdline_extra) + (len ? 1 :
0); /* +1 for extra space */
303 }
304
305 char *newbootargs = malloc(len + 1); /* +1 for the '\0' */
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-12-31 13:55 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2024-12-31 13:55 UTC (permalink / raw)
To: u-boot, Venkatesh Yadav Abbarapu
[-- Attachment #1: Type: text/plain, Size: 2788 bytes --]
Hey all, here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Dec 30, 2024, 10:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 528528: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1644 in spi_nor_read()
________________________________________________________________________________________________________
*** CID 528528: Control flow issues (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1644 in spi_nor_read()
1638 read_len = len;
1639 else
1640 read_len = rem_bank_len;
1641 #endif
1642
1643 if (read_len == 0)
>>> CID 528528: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -5;".
1644 return -EIO;
1645
1646 ret = nor->read(nor, offset, read_len, buf);
1647 if (ret == 0) {
1648 /* We shouldn't see 0-length reads */
1649 ret = -EIO;
** CID 528527: Code maintainability issues (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1613 in spi_nor_read()
________________________________________________________________________________________________________
*** CID 528527: Code maintainability issues (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1613 in spi_nor_read()
1607 }
1608 rem_bank_len = SZ_16M * (bank + 1);
1609 if
(CONFIG_IS_ENABLED(SPI_STACKED_PARALLEL)) {
1610 if (nor->flags &
SNOR_F_HAS_PARALLEL)
1611 rem_bank_len *= 2;
1612 }
>>> CID 528527: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "rem_bank_len - from" to "rem_bank_len" here,
but that stored value is overwritten before it can be used.
1613 rem_bank_len -= from;
1614 }
1615
1616 if (CONFIG_IS_ENABLED(SPI_STACKED_PARALLEL)) {
1617 if (nor->flags & SNOR_F_HAS_STACKED) {
1618 stack_shift = 1;
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2025-02-10 22:26 UTC (permalink / raw)
To: u-boot, Heiko Schocher, Raymond Mao, Ilias Apalodimas
[-- Attachment #1: Type: text/plain, Size: 4392 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 10, 2025 at 4:12 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)
** CID 541281: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v2.c: 77 in tpm2_scan_masks()
________________________________________________________________________________________________________
*** CID 541281: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v2.c: 77 in tpm2_scan_masks()
71 *mask = 0;
72
73 rc = tpm2_get_pcr_info(dev, &pcrs);
74 if (rc)
75 return rc;
76
>>> CID 541281: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "pcrs.count" as a loop boundary.
77 for (i = 0; i < pcrs.count; i++) {
78 struct tpms_pcr_selection *sel = &pcrs.selection[i];
79 size_t j;
80 u32 hash_mask = 0;
81
82 for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {
** CID 541280: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
________________________________________________________________________________________________________
*** CID 541280: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
301 * first call
302 */
303 ret = tpm2_get_pcr_info(dev, &pcr);
304 if (ret)
305 return ret;
306
>>> CID 541280: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "pcr.count" as a loop boundary.
307 for (i = 0; i < pcr.count; i++) {
308 struct tpms_pcr_selection *sel =
&pcr.selection[i];
309 const char *name;
310
311 if (!tpm2_is_active_bank(sel))
312 continue;
** CID 541279: (TAINTED_SCALAR)
/drivers/led/led-uclass.c: 284 in led_get_function_name()
/drivers/led/led-uclass.c: 279 in led_get_function_name()
________________________________________________________________________________________________________
*** CID 541279: (TAINTED_SCALAR)
/drivers/led/led-uclass.c: 284 in led_get_function_name()
278 if (!ret) {
279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
280 "%s:%s-%d",
281 cp ? "" : led_colors[color],
282 func ? func : "", enumerator);
283 } else {
>>> CID 541279: (TAINTED_SCALAR)
>>> Using tainted variable "color" as an index into an array
"led_colors".
284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
285 "%s:%s",
286 cp ? "" : led_colors[color],
287 func ? func : "");
288 }
289 uc_plat->label = uc_plat->name;
/drivers/led/led-uclass.c: 279 in led_get_function_name()
273 /* Now try to detect function label name */
274 func = dev_read_string(dev, "function");
275 cp = dev_read_u32(dev, "color", &color);
276 if (cp == 0 || func) {
277 ret = dev_read_u32(dev, "function-enumerator",
&enumerator);
278 if (!ret) {
>>> CID 541279: (TAINTED_SCALAR)
>>> Using tainted variable "color" as an index into an array
"led_colors".
279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
280 "%s:%s-%d",
281 cp ? "" : led_colors[color],
282 func ? func : "", enumerator);
283 } else {
284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-02-10 22:26 Tom Rini
@ 2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Heiko Schocher @ 2025-02-11 6:14 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, Raymond Mao, Ilias Apalodimas
Hello Tom,
On 10.02.25 23:26, Tom Rini wrote:
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Feb 10, 2025 at 4:12 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 3 of 3 defect(s)
>
>
> ** CID 541281: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-v2.c: 77 in tpm2_scan_masks()
>
>
> ________________________________________________________________________________________________________
> *** CID 541281: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> 71 *mask = 0;
> 72
> 73 rc = tpm2_get_pcr_info(dev, &pcrs);
> 74 if (rc)
> 75 return rc;
> 76
>>>> CID 541281: Insecure data handling (TAINTED_SCALAR)
>>>> Using tainted variable "pcrs.count" as a loop boundary.
> 77 for (i = 0; i < pcrs.count; i++) {
> 78 struct tpms_pcr_selection *sel = &pcrs.selection[i];
> 79 size_t j;
> 80 u32 hash_mask = 0;
> 81
> 82 for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {
>
> ** CID 541280: Insecure data handling (TAINTED_SCALAR)
> /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
>
>
> ________________________________________________________________________________________________________
> *** CID 541280: Insecure data handling (TAINTED_SCALAR)
> /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> 301 * first call
> 302 */
> 303 ret = tpm2_get_pcr_info(dev, &pcr);
> 304 if (ret)
> 305 return ret;
> 306
>>>> CID 541280: Insecure data handling (TAINTED_SCALAR)
>>>> Using tainted variable "pcr.count" as a loop boundary.
> 307 for (i = 0; i < pcr.count; i++) {
> 308 struct tpms_pcr_selection *sel =
> &pcr.selection[i];
> 309 const char *name;
> 310
> 311 if (!tpm2_is_active_bank(sel))
> 312 continue;
>
> ** CID 541279: (TAINTED_SCALAR)
> /drivers/led/led-uclass.c: 284 in led_get_function_name()
> /drivers/led/led-uclass.c: 279 in led_get_function_name()
>
>
> ________________________________________________________________________________________________________
> *** CID 541279: (TAINTED_SCALAR)
> /drivers/led/led-uclass.c: 284 in led_get_function_name()
> 278 if (!ret) {
> 279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 280 "%s:%s-%d",
> 281 cp ? "" : led_colors[color],
> 282 func ? func : "", enumerator);
> 283 } else {
>>>> CID 541279: (TAINTED_SCALAR)
>>>> Using tainted variable "color" as an index into an array
> "led_colors".
> 284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 285 "%s:%s",
> 286 cp ? "" : led_colors[color],
> 287 func ? func : "");
> 288 }
> 289 uc_plat->label = uc_plat->name;
> /drivers/led/led-uclass.c: 279 in led_get_function_name()
> 273 /* Now try to detect function label name */
> 274 func = dev_read_string(dev, "function");
> 275 cp = dev_read_u32(dev, "color", &color);
> 276 if (cp == 0 || func) {
> 277 ret = dev_read_u32(dev, "function-enumerator",
> &enumerator);
> 278 if (!ret) {
>>>> CID 541279: (TAINTED_SCALAR)
>>>> Using tainted variable "color" as an index into an array
> "led_colors".
> 279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 280 "%s:%s-%d",
> 281 cp ? "" : led_colors[color],
> 282 func ? func : "", enumerator);
> 283 } else {
> 284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
>
>
> ----- End forwarded message -----
>
Just a fast idea:
diff --git a/drivers/led/led-uclass.c b/drivers/led/led-uclass.c
index 27ef890ed0a..fc15a0811e0 100644
--- a/drivers/led/led-uclass.c
+++ b/drivers/led/led-uclass.c
@@ -273,6 +273,10 @@ static const char *led_get_function_name(struct udevice *dev)
/* Now try to detect function label name */
func = dev_read_string(dev, "function");
cp = dev_read_u32(dev, "color", &color);
+ // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
+ if ((color < LED_COLOR_ID_WHITE) || (color >= LED_COLOR_ID_MAX))
+ cp = -EINVAL;
+
if (cp == 0 || func) {
ret = dev_read_u32(dev, "function-enumerator", &enumerator);
if (!ret) {
If okay, I can send a patch for this.
Or may better, we move this check into a new function:
int dev_read_min_max_u32(const struct udevice *dev, u32 min, u32 max, const char *propname, u32 *outp)
which returns -EINVAL, if readden value is not in [min, max] range?
So may this function can be used at other places too?
Thanks!
bye,
Heiko
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52 Fax: +49-8142-66989-80 Email: hs@denx.de
^ permalink raw reply related [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-02-11 6:14 ` Heiko Schocher
@ 2025-02-11 22:30 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-02-11 22:30 UTC (permalink / raw)
To: Heiko Schocher; +Cc: u-boot, Raymond Mao, Ilias Apalodimas
[-- Attachment #1: Type: text/plain, Size: 6280 bytes --]
On Tue, Feb 11, 2025 at 07:14:19AM +0100, Heiko Schocher wrote:
> Hello Tom,
>
> On 10.02.25 23:26, Tom Rini wrote:
> > Here's the latest report.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Mon, Feb 10, 2025 at 4:12 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das U-Boot
> > found with Coverity Scan.
> >
> > 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 3 of 3 defect(s)
> >
> >
> > ** CID 541281: Insecure data handling (TAINTED_SCALAR)
> > /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 541281: Insecure data handling (TAINTED_SCALAR)
> > /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> > 71 *mask = 0;
> > 72
> > 73 rc = tpm2_get_pcr_info(dev, &pcrs);
> > 74 if (rc)
> > 75 return rc;
> > 76
> > > > > CID 541281: Insecure data handling (TAINTED_SCALAR)
> > > > > Using tainted variable "pcrs.count" as a loop boundary.
> > 77 for (i = 0; i < pcrs.count; i++) {
> > 78 struct tpms_pcr_selection *sel = &pcrs.selection[i];
> > 79 size_t j;
> > 80 u32 hash_mask = 0;
> > 81
> > 82 for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {
> >
> > ** CID 541280: Insecure data handling (TAINTED_SCALAR)
> > /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 541280: Insecure data handling (TAINTED_SCALAR)
> > /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> > 301 * first call
> > 302 */
> > 303 ret = tpm2_get_pcr_info(dev, &pcr);
> > 304 if (ret)
> > 305 return ret;
> > 306
> > > > > CID 541280: Insecure data handling (TAINTED_SCALAR)
> > > > > Using tainted variable "pcr.count" as a loop boundary.
> > 307 for (i = 0; i < pcr.count; i++) {
> > 308 struct tpms_pcr_selection *sel =
> > &pcr.selection[i];
> > 309 const char *name;
> > 310
> > 311 if (!tpm2_is_active_bank(sel))
> > 312 continue;
> >
> > ** CID 541279: (TAINTED_SCALAR)
> > /drivers/led/led-uclass.c: 284 in led_get_function_name()
> > /drivers/led/led-uclass.c: 279 in led_get_function_name()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 541279: (TAINTED_SCALAR)
> > /drivers/led/led-uclass.c: 284 in led_get_function_name()
> > 278 if (!ret) {
> > 279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> > 280 "%s:%s-%d",
> > 281 cp ? "" : led_colors[color],
> > 282 func ? func : "", enumerator);
> > 283 } else {
> > > > > CID 541279: (TAINTED_SCALAR)
> > > > > Using tainted variable "color" as an index into an array
> > "led_colors".
> > 284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> > 285 "%s:%s",
> > 286 cp ? "" : led_colors[color],
> > 287 func ? func : "");
> > 288 }
> > 289 uc_plat->label = uc_plat->name;
> > /drivers/led/led-uclass.c: 279 in led_get_function_name()
> > 273 /* Now try to detect function label name */
> > 274 func = dev_read_string(dev, "function");
> > 275 cp = dev_read_u32(dev, "color", &color);
> > 276 if (cp == 0 || func) {
> > 277 ret = dev_read_u32(dev, "function-enumerator",
> > &enumerator);
> > 278 if (!ret) {
> > > > > CID 541279: (TAINTED_SCALAR)
> > > > > Using tainted variable "color" as an index into an array
> > "led_colors".
> > 279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> > 280 "%s:%s-%d",
> > 281 cp ? "" : led_colors[color],
> > 282 func ? func : "", enumerator);
> > 283 } else {
> > 284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> >
> >
> > ----- End forwarded message -----
> >
>
> Just a fast idea:
>
> diff --git a/drivers/led/led-uclass.c b/drivers/led/led-uclass.c
> index 27ef890ed0a..fc15a0811e0 100644
> --- a/drivers/led/led-uclass.c
> +++ b/drivers/led/led-uclass.c
> @@ -273,6 +273,10 @@ static const char *led_get_function_name(struct udevice *dev)
> /* Now try to detect function label name */
> func = dev_read_string(dev, "function");
> cp = dev_read_u32(dev, "color", &color);
> + // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
> + if ((color < LED_COLOR_ID_WHITE) || (color >= LED_COLOR_ID_MAX))
> + cp = -EINVAL;
> +
> if (cp == 0 || func) {
> ret = dev_read_u32(dev, "function-enumerator", &enumerator);
> if (!ret) {
>
> If okay, I can send a patch for this.
This is probably fine, thanks.
> Or may better, we move this check into a new function:
>
> int dev_read_min_max_u32(const struct udevice *dev, u32 min, u32 max, const char *propname, u32 *outp)
>
> which returns -EINVAL, if readden value is not in [min, max] range?
>
> So may this function can be used at other places too?
It would be good to spend some time looking at the codebase to see what
sort of generic wrapper may or may not help first I think.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2025-02-25 2:39 UTC (permalink / raw)
To: u-boot, Heiko Schocher
[-- Attachment #1: Type: text/plain, Size: 1795 bytes --]
Here's the latest report. Getting closer with the led change. I do wish
it was easier to test fixes here.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 24, 2025, 5:05 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 542488: Control flow issues (NO_EFFECT)
/drivers/led/led-uclass.c: 277 in led_get_function_name()
________________________________________________________________________________________________________
*** CID 542488: Control flow issues (NO_EFFECT)
/drivers/led/led-uclass.c: 277 in led_get_function_name()
271 return uc_plat->label;
272
273 /* Now try to detect function label name */
274 func = dev_read_string(dev, "function");
275 cp = dev_read_u32(dev, "color", &color);
276 // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>> CID 542488: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true.
"color < 0U".
277 if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
278 cp = -EINVAL;
279
280 if (cp == 0 || func) {
281 ret = dev_read_u32(dev, "function-enumerator",
&enumerator);
282 if (!ret) {
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-02-25 2:39 Tom Rini
@ 2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
0 siblings, 1 reply; 99+ messages in thread
From: Heiko Schocher @ 2025-02-25 6:06 UTC (permalink / raw)
To: Tom Rini, u-boot
Hello Tom,
On 25.02.25 03:39, Tom Rini wrote:
> Here's the latest report. Getting closer with the led change. I do wish
> it was easier to test fixes here.
Yes...
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Feb 24, 2025, 5:05 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 1 of 1 defect(s)
>
>
> ** CID 542488: Control flow issues (NO_EFFECT)
> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>
>
> ________________________________________________________________________________________________________
> *** CID 542488: Control flow issues (NO_EFFECT)
> /drivers/led/led-uclass.c: 277 in led_get_function_name()
> 271 return uc_plat->label;
> 272
> 273 /* Now try to detect function label name */
> 274 func = dev_read_string(dev, "function");
> 275 cp = dev_read_u32(dev, "color", &color);
> 276 // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>>> CID 542488: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true.
> "color < 0U".
> 277 if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
> 278 cp = -EINVAL;
So I simply remove this check ... and add a comment that LED_COLOR_ID_WHITE
must be 0...
> 279
> 280 if (cp == 0 || func) {
> 281 ret = dev_read_u32(dev, "function-enumerator",
> &enumerator);
> 282 if (!ret) {
>
>
> ----- End forwarded message -----
Send the fix, when CI succeeds:
https://dev.azure.com/hs0298/hs/_build/results?buildId=171&view=results
Thanks for the report.
bye,
Heiko
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52 Fax: +49-8142-66989-80 Email: hs@denx.de
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-02-25 6:06 ` Heiko Schocher
@ 2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
0 siblings, 1 reply; 99+ messages in thread
From: Quentin Schulz @ 2025-02-25 10:48 UTC (permalink / raw)
To: hs, Tom Rini, u-boot
Hi Heiko,
On 2/25/25 7:06 AM, Heiko Schocher wrote:
> Hello Tom,
>
> On 25.02.25 03:39, Tom Rini wrote:
>> Here's the latest report. Getting closer with the led change. I do wish
>> it was easier to test fixes here.
>
> Yes...
>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Feb 24, 2025, 5:05 PM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das U-Boot
>> found with Coverity Scan.
>>
>> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 1 of 1 defect(s)
>>
>>
>> ** CID 542488: Control flow issues (NO_EFFECT)
>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 542488: Control flow issues (NO_EFFECT)
>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>> 271 return uc_plat->label;
>> 272
>> 273 /* Now try to detect function label name */
>> 274 func = dev_read_string(dev, "function");
>> 275 cp = dev_read_u32(dev, "color", &color);
>> 276 // prevent coverity scan error CID 541279:
>> (TAINTED_SCALAR)
>>>>> CID 542488: Control flow issues (NO_EFFECT)
>>>>> This less-than-zero comparison of an unsigned value is never
>>>>> true.
>> "color < 0U".
>> 277 if (color < LED_COLOR_ID_WHITE || color >=
>> LED_COLOR_ID_MAX)
>> 278 cp = -EINVAL;
>
> So I simply remove this check ... and add a comment that LED_COLOR_ID_WHITE
> must be 0...
>
It's part of the binding from the kernel, I assume it's safe to assume
it'll be 0?
Also, this is guaranteed by the fact color is a u32 in
led_get_function_name, so it cannot be < 0.
Cheers,
Quentin
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-02-25 10:48 ` Quentin Schulz
@ 2025-02-25 10:54 ` Heiko Schocher
0 siblings, 0 replies; 99+ messages in thread
From: Heiko Schocher @ 2025-02-25 10:54 UTC (permalink / raw)
To: Quentin Schulz, Tom Rini, u-boot
Hello Quentin,
On 25.02.25 11:48, Quentin Schulz wrote:
> Hi Heiko,
>
> On 2/25/25 7:06 AM, Heiko Schocher wrote:
>> Hello Tom,
>>
>> On 25.02.25 03:39, Tom Rini wrote:
>>> Here's the latest report. Getting closer with the led change. I do wish
>>> it was easier to test fixes here.
>>
>> Yes...
>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Feb 24, 2025, 5:05 PM
>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>> To: <tom.rini@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to Das U-Boot
>>> found with Coverity Scan.
>>>
>>> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 1 of 1 defect(s)
>>>
>>>
>>> ** CID 542488: Control flow issues (NO_EFFECT)
>>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>>
>>> *** CID 542488: Control flow issues (NO_EFFECT)
>>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>>> 271 return uc_plat->label;
>>> 272
>>> 273 /* Now try to detect function label name */
>>> 274 func = dev_read_string(dev, "function");
>>> 275 cp = dev_read_u32(dev, "color", &color);
>>> 276 // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>>>>> CID 542488: Control flow issues (NO_EFFECT)
>>>>>> This less-than-zero comparison of an unsigned value is never true.
>>> "color < 0U".
>>> 277 if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
>>> 278 cp = -EINVAL;
>>
>> So I simply remove this check ... and add a comment that LED_COLOR_ID_WHITE
>> must be 0...
>>
>
> It's part of the binding from the kernel, I assume it's safe to assume it'll be 0?
Yes it is.
> Also, this is guaranteed by the fact color is a u32 in led_get_function_name, so it cannot be < 0.
Posted a fix, see:
http://patchwork.ozlabs.org/project/uboot/patch/20250225094923.71364-1-hs@denx.de/
added a comment @LED_COLOR_ID_WHITE definition, so in case someone wants
to move LED_COLOR_ID_WHITE to another value... may it helps.
Thanks!
bye,
Heiko
--
DENX Software Engineering GmbH, Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52 Fax: +49-8142-66989-80 Email: hs@denx.de
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-03-11 1:49 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-03-11 1:49 UTC (permalink / raw)
To: u-boot, Adriano Cordova
[-- Attachment #1: Type: text/plain, Size: 1594 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Mar 10, 2025 at 5:43 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)
** CID 544194: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1084 in efi_net_set_dp()
________________________________________________________________________________________________________
*** CID 544194: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1084 in efi_net_set_dp()
1078 // If netobj is not started yet, end here.
1079 if (!netobj) {
1080 goto exit;
1081 }
1082
1083 phandler = NULL;
>>> CID 544194: Error handling issues (CHECKED_RETURN)
>>> Calling "efi_search_protocol" without checking return value (as is
done elsewhere 39 out of 43 times).
1084 efi_search_protocol(&netobj->header, &efi_guid_device_path,
&phandler);
1085
1086 // If the device path protocol is not yet installed,
install it
1087 if (!phandler)
1088 goto add;
1089
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
` (2 more replies)
0 siblings, 3 replies; 99+ messages in thread
From: Tom Rini @ 2025-04-28 21:59 UTC (permalink / raw)
To: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
Marek Vasut, Heinrich Schuchardt, Patrick Rudolph,
Adriano Cordova, Paul HENRYS, Daniel Golle, Simon Glass
[-- Attachment #1: Type: text/plain, Size: 25013 bytes --]
Hey all,
Here's the latest set of Coverity defects. Please let me know if some of
these are false positives for example, thanks.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 28, 2025 at 3:52 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 33 defect(s)
** CID 550306: Control flow issues (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()
________________________________________________________________________________________________________
*** CID 550306: Control flow issues (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()
541 int rc;
542 cluster_t cluster;
543 const char* bufp = buffer;
544 off_t lsize, loffset, remainder;
545
546 if (offset < 0)
>>> CID 550306: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -22L;".
547 return -EINVAL;
548 if (uoffset > node->size)
549 {
550 rc = exfat_truncate(ef, node, uoffset, true);
551 if (rc != 0)
552 return rc;
** CID 550305: Security best practices violations (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()
________________________________________________________________________________________________________
*** CID 550305: Security best practices violations (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()
733 return err;
734
735 dirs = calloc(1, sizeof(*dirs));
736 if (!dirs)
737 return -ENOMEM;
738
>>> CID 550305: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 1024-character fixed-size string
"dirs->dirname" by copying "filename" without checking the length.
739 strcpy(dirs->dirname, filename);
740 dirs->offset = -1;
741
742 *dirsp = &dirs->fs_dirs;
743
744 return 0;
** CID 550304: Error handling issues (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()
________________________________________________________________________________________________________
*** CID 550304: Error handling issues (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()
92 (void) munmap((void *)fit_blob, fsbuf.st_size);
93
94 if (key_blob)
95 (void)munmap((void *)key_blob, ksbuf.st_size);
96
97 close(ffd);
>>> CID 550304: Error handling issues (NEGATIVE_RETURNS)
>>> "kfd" is passed to a parameter that cannot be negative.
98 close(kfd);
99 exit(ret);
** CID 550303: Control flow issues (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()
________________________________________________________________________________________________________
*** CID 550303: Control flow issues (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()
126
127 info.algo_name = algo;
128 info.padding_name = padding;
129 info.key = (uint8_t *)pkey;
130 info.mandatory = 1;
131 info.sig_size = EVP_PKEY_size(pkey);
>>> CID 550303: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true.
"info.sig_size < 0U".
132 if (info.sig_size < 0) {
133 fprintf(stderr, "Fail to retrieve the signature
size: %s\n",
134 ERR_error_string(ERR_get_error(), NULL));
135 ret = EXIT_FAILURE;
136 goto out;
137 }
** CID 550302: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 550302: (TAINTED_SCALAR)
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt
*)hdr)->firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt *)hdr)->x_dsdt" to
"list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt *)hdr)->dsdt" to
"list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
/cmd/acpi.c: 116 in list_rsdt()
110 entry = xsdt->entry[i];
111 else
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "hdr->length" to "dump_hdr", which uses
it as a loop boundary.
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
/cmd/acpi.c: 95 in list_rsdt()
89 if (rsdp->rsdt_address) {
90 rsdt = nomap_sysmem(rsdp->rsdt_address, 0);
91 dump_hdr(&rsdt->header, chksums);
92 }
93 if (rsdp->xsdt_address) {
94 xsdt = nomap_sysmem(rsdp->xsdt_address, 0);
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "xsdt->header.length" to "dump_hdr",
which uses it as a loop boundary.
95 dump_hdr(&xsdt->header, chksums);
96 len = xsdt->header.length - sizeof(xsdt->header);
97 count = len / sizeof(u64);
98 } else if (rsdp->rsdt_address) {
99 len = rsdt->header.length - sizeof(rsdt->header);
100 count = len / sizeof(u32);
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt
*)hdr)->x_firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
** CID 550301: (OVERRUN)
________________________________________________________________________________________________________
*** CID 550301: (OVERRUN)
/lib/acpi/acpi_table.c: 199 in acpi_add_table()
193
194 /* Fix RSDT length or the kernel will assume
invalid entries */
195 rsdt->header.length = sizeof(struct
acpi_table_header) +
196 (sizeof(u32) * (i + 1));
197
198 /* Re-calculate checksum */
>>> CID 550301: (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 39 using argument
"rsdt->header.length" (which evaluates to 40).
199 acpi_update_checksum(&rsdt->header);
200 }
201
202 if (ctx->xsdt) {
203 /*
204 * And now the same thing for the XSDT. We use the
same index as for
/lib/acpi/acpi_table.c: 230 in acpi_add_table()
224
225 /* Fix XSDT length */
226 xsdt->header.length = sizeof(struct
acpi_table_header) +
227 (sizeof(u64) * (i + 1));
228
229 /* Re-calculate checksum */
>>> CID 550301: (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 43 using argument
"xsdt->header.length" (which evaluates to 44).
230 acpi_update_checksum(&xsdt->header);
231 }
232
233 return 0;
234 }
235
** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()
________________________________________________________________________________________________________
*** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()
140 /* 16 EB (minus 1 byte) is the largest size that can be
represented by
141 uint64_t */
142 const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
"PB", "EB"};
143 uint64_t divisor = 1;
144 uint64_t temp = 0;
145
>>> CID 550300: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "divisor", overflows the type of "divisor", which is
type "uint64_t".
146 for (i = 0; ; i++, divisor *= 1024)
147 {
148 temp = (value + divisor / 2) / divisor;
149
150 if (temp == 0)
151 break;
** CID 550299: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()
________________________________________________________________________________________________________
*** CID 550299: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()
245 strcpy(fh->path, "");
246 }
247
248 return &fh->base;
249
250 error:
>>> CID 550299: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "fh".
251 free(fh->path);
252 free(fh);
253 return NULL;
254 }
255
256 efi_status_t efi_file_open_int(struct efi_file_handle *this,
** CID 550298: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
________________________________________________________________________________________________________
*** CID 550298: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
1048 struct efi_handler *phandler;
1049
1050 if (!efi_netobj_is_active(netobj))
1051 return NULL;
1052
1053 phandler = NULL;
>>> CID 550298: Error handling issues (CHECKED_RETURN)
>>> Calling "efi_search_protocol" without checking return value (as is
done elsewhere 37 out of 42 times).
1054 efi_search_protocol(&netobj->header, &efi_guid_device_path,
&phandler);
1055
1056 if (phandler && phandler->protocol_interface)
1057 return efi_dp_dup(phandler->protocol_interface);
1058
1059 return NULL;
** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()
________________________________________________________________________________________________________
*** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()
168 ret = wait_job(i);
169 } else {
170 for (i = 1; i < argc; i++) {
171 id = dectoul(argv[i], NULL);
172 if (id < 0 || id >
CONFIG_CMD_SPAWN_NUM_JOBS)
173 return CMD_RET_USAGE;
>>> CID 550297: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "idx", where "(int)id - 1" is known to be equal to -1,
overflows the type of "idx", which is type "unsigned int".
174 idx = (int)id - 1;
175 ret = wait_job(idx);
176 }
177 }
178
179 return ret;
** CID 550296: Control flow issues (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()
________________________________________________________________________________________________________
*** CID 550296: Control flow issues (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()
166 for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
167 if (job[i])
168 ret = wait_job(i);
169 } else {
170 for (i = 1; i < argc; i++) {
171 id = dectoul(argv[i], NULL);
>>> CID 550296: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true.
"id < 0UL".
172 if (id < 0 || id >
CONFIG_CMD_SPAWN_NUM_JOBS)
173 return CMD_RET_USAGE;
174 idx = (int)id - 1;
175 ret = wait_job(idx);
176 }
177 }
** CID 550295: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 550295: Insecure data handling (TAINTED_SCALAR)
/test/lib/membuf.c: 235 in lib_test_membuf_readline()
229 *ptr = '\n';
230 } else {
231 ut_assert(membuf_free(&mb));
232 }
233 }
234 membuf_dispose(&mb);
>>> CID 550295: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*buf" to "os_free", which uses it as an
offset.
235 os_free(buf);
236
237 return 0;
238 }
** CID 550294: Code maintainability issues (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()
________________________________________________________________________________________________________
*** CID 550294: Code maintainability issues (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()
62 ut_assertok(membuf_check(uts, &mb, i));
63
64 ret = membuf_get(&mb, out, 0);
65 ret = membuf_get(&mb, out, size);
66 ut_asserteq(size, ret);
67
>>> CID 550294: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "membuf_get(&mb, out, 0)" to "ret" here, but
that stored value is overwritten before it can be used.
68 ret = membuf_get(&mb, out, 0);
69 ut_assertok(membuf_check(uts, &mb, i));
70
71 ut_asserteq_mem(in, out, size);
72 }
73
** CID 550293: Memory - illegal accesses (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()
________________________________________________________________________________________________________
*** CID 550293: Memory - illegal accesses (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()
218 ret = membuf_readline(&mb, str, 256, 0, true);
219 ut_assertok(membuf_check(uts, &mb, i));
220 if (ret) {
221 char *ptr;
222
223 s = &buf[cmpptr];
>>> CID 550293: Memory - illegal accesses (STRING_NULL)
>>> Passing unterminated string "s" to "strchr", which expects a
null-terminated string. [Note: The source code implementation of the
function has been overridden by a builtin model.]
224 ptr = strchr(s, '\n');
225 *ptr = '\0';
226
227 ut_asserteq_str(s, str);
228 cmpptr += strlen(s) + 1;
229 *ptr = '\n';
** CID 550292: (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
________________________________________________________________________________________________________
*** CID 550292: (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159 param[10] = 0x0;
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
>>> CID 550292: (BAD_SHIFT)
>>> In expression "blocks >> 24", right shifting "blocks" by more than
15 bits always yields zero. The shift amount is 24.
165 param[16] = (blocks >> 24) & 0xff;
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
165 param[16] = (blocks >> 24) & 0xff;
>>> CID 550292: (BAD_SHIFT)
>>> In expression "blocks >> 16", right shifting "blocks" by more than
15 bits always yields zero. The shift amount is 16.
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
171 pccb->cmd[0] = SCSI_UNMAP;
** CID 550291: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 550291: Memory - corruptions (OVERRUN)
/lib/acpi/acpi_table.c: 549 in acpi_write_spcr()
543 * to touch the configuration of the serial device.
544 */
545 if (serial_info.clock != SERIAL_DEFAULT_CLOCK)
546 spcr->baud_rate = 0;
547
548 /* Fix checksum */
>>> CID 550291: Memory - corruptions (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 79 using argument
"header->length" (which evaluates to 80).
549 acpi_update_checksum(header);
550
551 acpi_add_table(ctx, spcr);
552 acpi_inc(ctx, spcr->header.length);
553
554 return 0;
** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()
________________________________________________________________________________________________________
*** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()
48 }
49
50 test_size = TEST_SIZE;
51
52 for (i = 1; i < TEST_COUNT; i++) {
53 membuf_zero(&mb);
>>> CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
54 size = rand() % test_size;
55
56 // now write patterns and check they come back OK
57 ret = membuf_put(&mb, in, 0);
58 ret = membuf_put(&mb, in, size);
59 ut_asserteq(size, ret);
** CID 550289: (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
________________________________________________________________________________________________________
*** CID 550289: (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
165 param[16] = (blocks >> 24) & 0xff;
>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>> "blocks >> 16" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
171 pccb->cmd[0] = SCSI_UNMAP;
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159 param[10] = 0x0;
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>> "blocks >> 24" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
165 param[16] = (blocks >> 24) & 0xff;
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
** CID 550288: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 550288: Memory - corruptions (OVERRUN)
/lib/acpi/base.c: 53 in acpi_write_rsdt()
47 header->length = sizeof(struct acpi_rsdt);
48 header->revision = 1;
49
50 /* Entries are filled in later, we come with an empty set */
51
52 /* Fix checksum */
>>> CID 550288: Memory - corruptions (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 163 using argument
"header->length" (which evaluates to 164).
53 acpi_update_checksum(header);
54 }
55
56 static void acpi_write_xsdt(struct acpi_xsdt *xsdt)
57 {
58 struct acpi_table_header *header = &xsdt->header;
** CID 550287: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 550287: Memory - corruptions (OVERRUN)
/lib/acpi/acpi_table.c: 268 in acpi_write_fadt()
262 fadt->dsdt = fadt->x_dsdt;
263
264 fadt->preferred_pm_profile = ACPI_PM_UNSPECIFIED;
265
266 acpi_fill_fadt(fadt);
267
>>> CID 550287: Memory - corruptions (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 275 using argument
"header->length" (which evaluates to 276).
268 acpi_update_checksum(header);
269
270 return acpi_add_fadt(ctx, fadt);
271 }
272
273 #ifndef CONFIG_QFW_ACPI
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-04-28 21:59 Tom Rini
@ 2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 18:23 ` Heinrich Schuchardt
2 siblings, 0 replies; 99+ messages in thread
From: Jerome Forissier @ 2025-04-29 12:07 UTC (permalink / raw)
To: Tom Rini, u-boot, Varadarajan Narayanan, Casey Connolly,
Marek Vasut, Heinrich Schuchardt, Patrick Rudolph,
Adriano Cordova, Paul HENRYS, Daniel Golle, Simon Glass
Hi Tom,
On 4/28/25 23:59, Tom Rini wrote:
> Hey all,
>
> Here's the latest set of Coverity defects. Please let me know if some of
> these are false positives for example, thanks.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Apr 28, 2025 at 3:52 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 33 defect(s)
>
[...]
> ** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
>
>
> ________________________________________________________________________________________________________
> *** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
> 168 ret = wait_job(i);
> 169 } else {
> 170 for (i = 1; i < argc; i++) {
> 171 id = dectoul(argv[i], NULL);
> 172 if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173 return CMD_RET_USAGE;
>>>> CID 550297: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "idx", where "(int)id - 1" is known to be equal to -1,
> overflows the type of "idx", which is type "unsigned int".
> 174 idx = (int)id - 1;
> 175 ret = wait_job(idx);
> 176 }
> 177 }
> 178
> 179 return ret;
>
> ** CID 550296: Control flow issues (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
>
>
> ________________________________________________________________________________________________________
> *** CID 550296: Control flow issues (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
> 166 for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
> 167 if (job[i])
> 168 ret = wait_job(i);
> 169 } else {
> 170 for (i = 1; i < argc; i++) {
> 171 id = dectoul(argv[i], NULL);
>>>> CID 550296: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true.
> "id < 0UL".
> 172 if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173 return CMD_RET_USAGE;
> 174 idx = (int)id - 1;
> 175 ret = wait_job(idx);
> 176 }
> 177 }
These two are real issues and should be fixed by [1].
[1] https://lists.denx.de/pipermail/u-boot/2025-April/588272.html
Thanks,
--
Jerome
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
@ 2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2 siblings, 1 reply; 99+ messages in thread
From: Marek Vasut @ 2025-04-30 16:50 UTC (permalink / raw)
To: Tom Rini, u-boot, Jerome Forissier, Varadarajan Narayanan,
Casey Connolly, Heinrich Schuchardt, Patrick Rudolph,
Adriano Cordova, Paul HENRYS, Daniel Golle, Simon Glass
On 4/28/25 11:59 PM, Tom Rini wrote:
>
________________________________________________________________________________________________________
> *** CID 550306: Control flow issues (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> 541 int rc;
> 542 cluster_t cluster;
> 543 const char* bufp = buffer;
> 544 off_t lsize, loffset, remainder;
> 545
> 546 if (offset < 0)
>>>> CID 550306: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "return -22L;".
> 547 return -EINVAL;
> 548 if (uoffset > node->size)
> 549 {
> 550 rc = exfat_truncate(ef, node, uoffset, true);
> 551 if (rc != 0)
> 552 return rc;
This one is I think false positive, off_t can be signed integer, so the
check should be in place.
> ** CID 550305: Security best practices violations (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
>
>
> ________________________________________________________________________________________________________
> *** CID 550305: Security best practices violations (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
> 733 return err;
> 734
> 735 dirs = calloc(1, sizeof(*dirs));
> 736 if (!dirs)
> 737 return -ENOMEM;
> 738
>>>> CID 550305: Security best practices violations (STRING_OVERFLOW)
>>>> You might overrun the 1024-character fixed-size string
> "dirs->dirname" by copying "filename" without checking the length.
> 739 strcpy(dirs->dirname, filename);
> 740 dirs->offset = -1;
> 741
> 742 *dirsp = &dirs->fs_dirs;
> 743
> 744 return 0;
>
> ** CID 550304: Error handling issues (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()
Fixed:
https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-1-marex@denx.de/
> ________________________________________________________________________________________________________
> *** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> 140 /* 16 EB (minus 1 byte) is the largest size that can be
> represented by
> 141 uint64_t */
> 142 const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
> "PB", "EB"};
> 143 uint64_t divisor = 1;
> 144 uint64_t temp = 0;
> 145
>>>> CID 550300: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "divisor", overflows the type of "divisor", which is
> type "uint64_t".
> 146 for (i = 0; ; i++, divisor *= 1024)
> 147 {
> 148 temp = (value + divisor / 2) / divisor;
> 149
> 150 if (temp == 0)
> 151 break;
Fixed:
https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-2-marex@denx.de/
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-04-30 16:50 ` Marek Vasut
@ 2025-04-30 17:01 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-04-30 17:01 UTC (permalink / raw)
To: Marek Vasut
Cc: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
Heinrich Schuchardt, Patrick Rudolph, Adriano Cordova,
Paul HENRYS, Daniel Golle, Simon Glass
[-- Attachment #1: Type: text/plain, Size: 3395 bytes --]
On Wed, Apr 30, 2025 at 06:50:50PM +0200, Marek Vasut wrote:
> On 4/28/25 11:59 PM, Tom Rini wrote:
> > ________________________________________________________________________________________________________
> > *** CID 550306: Control flow issues (DEADCODE)
> > /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> > 541 int rc;
> > 542 cluster_t cluster;
> > 543 const char* bufp = buffer;
> > 544 off_t lsize, loffset, remainder;
> > 545
> > 546 if (offset < 0)
> > > > > CID 550306: Control flow issues (DEADCODE)
> > > > > Execution cannot reach this statement: "return -22L;".
> > 547 return -EINVAL;
> > 548 if (uoffset > node->size)
> > 549 {
> > 550 rc = exfat_truncate(ef, node, uoffset, true);
> > 551 if (rc != 0)
> > 552 return rc;
>
> This one is I think false positive, off_t can be signed integer, so the
> check should be in place.
I've updated Coverity with this comment.
> > ** CID 550305: Security best practices violations (STRING_OVERFLOW)
> > /fs/exfat/io.c: 739 in exfat_fs_opendir()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 550305: Security best practices violations (STRING_OVERFLOW)
> > /fs/exfat/io.c: 739 in exfat_fs_opendir()
> > 733 return err;
> > 734
> > 735 dirs = calloc(1, sizeof(*dirs));
> > 736 if (!dirs)
> > 737 return -ENOMEM;
> > 738
> > > > > CID 550305: Security best practices violations (STRING_OVERFLOW)
> > > > > You might overrun the 1024-character fixed-size string
> > "dirs->dirname" by copying "filename" without checking the length.
> > 739 strcpy(dirs->dirname, filename);
> > 740 dirs->offset = -1;
> > 741
> > 742 *dirsp = &dirs->fs_dirs;
> > 743
> > 744 return 0;
> >
> > ** CID 550304: Error handling issues (NEGATIVE_RETURNS)
> > /tools/fit_check_sign.c: 98 in main()
>
> Fixed:
>
> https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-1-marex@denx.de/
>
> > ________________________________________________________________________________________________________
> > *** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
> > /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> > 140 /* 16 EB (minus 1 byte) is the largest size that can be
> > represented by
> > 141 uint64_t */
> > 142 const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
> > "PB", "EB"};
> > 143 uint64_t divisor = 1;
> > 144 uint64_t temp = 0;
> > 145
> > > > > CID 550300: Integer handling issues (INTEGER_OVERFLOW)
> > > > > Expression "divisor", overflows the type of "divisor", which is
> > type "uint64_t".
> > 146 for (i = 0; ; i++, divisor *= 1024)
> > 147 {
> > 148 temp = (value + divisor / 2) / divisor;
> > 149
> > 150 if (temp == 0)
> > 151 break;
> Fixed:
>
> https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-2-marex@denx.de/
Thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
@ 2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2 siblings, 1 reply; 99+ messages in thread
From: Heinrich Schuchardt @ 2025-04-30 18:23 UTC (permalink / raw)
To: Tom Rini
Cc: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
Marek Vasut, Patrick Rudolph, Adriano Cordova, Paul HENRYS,
Daniel Golle, Simon Glass
On 28.04.25 23:59, Tom Rini wrote:
> Hey all,
>
> Here's the latest set of Coverity defects. Please let me know if some of
> these are false positives for example, thanks.
Hello Tom,
I have marked the acpi_update_header() items as "intentional" in Coverity:
550301
550291
550288
550287
We could change the parameter of acpi_update_checksum() to const void *
to make Coverity happy but we would loose the type checking.
Best regards
Heinrich
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Apr 28, 2025 at 3:52 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 33 defect(s)
>
>
> ** CID 550306: Control flow issues (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
>
>
> ________________________________________________________________________________________________________
> *** CID 550306: Control flow issues (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> 541 int rc;
> 542 cluster_t cluster;
> 543 const char* bufp = buffer;
> 544 off_t lsize, loffset, remainder;
> 545
> 546 if (offset < 0)
>>>> CID 550306: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "return -22L;".
> 547 return -EINVAL;
> 548 if (uoffset > node->size)
> 549 {
> 550 rc = exfat_truncate(ef, node, uoffset, true);
> 551 if (rc != 0)
> 552 return rc;
>
> ** CID 550305: Security best practices violations (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
>
>
> ________________________________________________________________________________________________________
> *** CID 550305: Security best practices violations (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
> 733 return err;
> 734
> 735 dirs = calloc(1, sizeof(*dirs));
> 736 if (!dirs)
> 737 return -ENOMEM;
> 738
>>>> CID 550305: Security best practices violations (STRING_OVERFLOW)
>>>> You might overrun the 1024-character fixed-size string
> "dirs->dirname" by copying "filename" without checking the length.
> 739 strcpy(dirs->dirname, filename);
> 740 dirs->offset = -1;
> 741
> 742 *dirsp = &dirs->fs_dirs;
> 743
> 744 return 0;
>
> ** CID 550304: Error handling issues (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()
>
>
> ________________________________________________________________________________________________________
> *** CID 550304: Error handling issues (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()
> 92 (void) munmap((void *)fit_blob, fsbuf.st_size);
> 93
> 94 if (key_blob)
> 95 (void)munmap((void *)key_blob, ksbuf.st_size);
> 96
> 97 close(ffd);
>>>> CID 550304: Error handling issues (NEGATIVE_RETURNS)
>>>> "kfd" is passed to a parameter that cannot be negative.
> 98 close(kfd);
> 99 exit(ret);
>
> ** CID 550303: Control flow issues (NO_EFFECT)
> /tools/preload_check_sign.c: 132 in main()
>
>
> ________________________________________________________________________________________________________
> *** CID 550303: Control flow issues (NO_EFFECT)
> /tools/preload_check_sign.c: 132 in main()
> 126
> 127 info.algo_name = algo;
> 128 info.padding_name = padding;
> 129 info.key = (uint8_t *)pkey;
> 130 info.mandatory = 1;
> 131 info.sig_size = EVP_PKEY_size(pkey);
>>>> CID 550303: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true.
> "info.sig_size < 0U".
> 132 if (info.sig_size < 0) {
> 133 fprintf(stderr, "Fail to retrieve the signature
> size: %s\n",
> 134 ERR_error_string(ERR_get_error(), NULL));
> 135 ret = EXIT_FAILURE;
> 136 goto out;
> 137 }
>
> ** CID 550302: (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 550302: (TAINTED_SCALAR)
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt
> *)hdr)->firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt *)hdr)->x_dsdt" to
> "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt *)hdr)->dsdt" to
> "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
> /cmd/acpi.c: 116 in list_rsdt()
> 110 entry = xsdt->entry[i];
> 111 else
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "hdr->length" to "dump_hdr", which uses
> it as a loop boundary.
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> /cmd/acpi.c: 95 in list_rsdt()
> 89 if (rsdp->rsdt_address) {
> 90 rsdt = nomap_sysmem(rsdp->rsdt_address, 0);
> 91 dump_hdr(&rsdt->header, chksums);
> 92 }
> 93 if (rsdp->xsdt_address) {
> 94 xsdt = nomap_sysmem(rsdp->xsdt_address, 0);
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "xsdt->header.length" to "dump_hdr",
> which uses it as a loop boundary.
> 95 dump_hdr(&xsdt->header, chksums);
> 96 len = xsdt->header.length - sizeof(xsdt->header);
> 97 count = len / sizeof(u64);
> 98 } else if (rsdp->rsdt_address) {
> 99 len = rsdt->header.length - sizeof(rsdt->header);
> 100 count = len / sizeof(u32);
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt
> *)hdr)->x_firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
>
> ** CID 550301: (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550301: (OVERRUN)
> /lib/acpi/acpi_table.c: 199 in acpi_add_table()
> 193
> 194 /* Fix RSDT length or the kernel will assume
> invalid entries */
> 195 rsdt->header.length = sizeof(struct
> acpi_table_header) +
> 196 (sizeof(u32) * (i + 1));
> 197
> 198 /* Re-calculate checksum */
>>>> CID 550301: (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 39 using argument
> "rsdt->header.length" (which evaluates to 40).
> 199 acpi_update_checksum(&rsdt->header);
> 200 }
> 201
> 202 if (ctx->xsdt) {
> 203 /*
> 204 * And now the same thing for the XSDT. We use the
> same index as for
> /lib/acpi/acpi_table.c: 230 in acpi_add_table()
> 224
> 225 /* Fix XSDT length */
> 226 xsdt->header.length = sizeof(struct
> acpi_table_header) +
> 227 (sizeof(u64) * (i + 1));
> 228
> 229 /* Re-calculate checksum */
>>>> CID 550301: (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 43 using argument
> "xsdt->header.length" (which evaluates to 44).
> 230 acpi_update_checksum(&xsdt->header);
> 231 }
> 232
> 233 return 0;
> 234 }
> 235
>
> ** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
>
>
> ________________________________________________________________________________________________________
> *** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> 140 /* 16 EB (minus 1 byte) is the largest size that can be
> represented by
> 141 uint64_t */
> 142 const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
> "PB", "EB"};
> 143 uint64_t divisor = 1;
> 144 uint64_t temp = 0;
> 145
>>>> CID 550300: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "divisor", overflows the type of "divisor", which is
> type "uint64_t".
> 146 for (i = 0; ; i++, divisor *= 1024)
> 147 {
> 148 temp = (value + divisor / 2) / divisor;
> 149
> 150 if (temp == 0)
> 151 break;
>
> ** CID 550299: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_file.c: 251 in file_open()
>
>
> ________________________________________________________________________________________________________
> *** CID 550299: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_file.c: 251 in file_open()
> 245 strcpy(fh->path, "");
> 246 }
> 247
> 248 return &fh->base;
> 249
> 250 error:
>>>> CID 550299: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "fh".
> 251 free(fh->path);
> 252 free(fh);
> 253 return NULL;
> 254 }
> 255
> 256 efi_status_t efi_file_open_int(struct efi_file_handle *this,
>
> ** CID 550298: Error handling issues (CHECKED_RETURN)
> /lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
>
>
> ________________________________________________________________________________________________________
> *** CID 550298: Error handling issues (CHECKED_RETURN)
> /lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
> 1048 struct efi_handler *phandler;
> 1049
> 1050 if (!efi_netobj_is_active(netobj))
> 1051 return NULL;
> 1052
> 1053 phandler = NULL;
>>>> CID 550298: Error handling issues (CHECKED_RETURN)
>>>> Calling "efi_search_protocol" without checking return value (as is
> done elsewhere 37 out of 42 times).
> 1054 efi_search_protocol(&netobj->header, &efi_guid_device_path,
> &phandler);
> 1055
> 1056 if (phandler && phandler->protocol_interface)
> 1057 return efi_dp_dup(phandler->protocol_interface);
> 1058
> 1059 return NULL;
>
> ** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
>
>
> ________________________________________________________________________________________________________
> *** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
> 168 ret = wait_job(i);
> 169 } else {
> 170 for (i = 1; i < argc; i++) {
> 171 id = dectoul(argv[i], NULL);
> 172 if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173 return CMD_RET_USAGE;
>>>> CID 550297: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "idx", where "(int)id - 1" is known to be equal to -1,
> overflows the type of "idx", which is type "unsigned int".
> 174 idx = (int)id - 1;
> 175 ret = wait_job(idx);
> 176 }
> 177 }
> 178
> 179 return ret;
>
> ** CID 550296: Control flow issues (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
>
>
> ________________________________________________________________________________________________________
> *** CID 550296: Control flow issues (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
> 166 for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
> 167 if (job[i])
> 168 ret = wait_job(i);
> 169 } else {
> 170 for (i = 1; i < argc; i++) {
> 171 id = dectoul(argv[i], NULL);
>>>> CID 550296: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true.
> "id < 0UL".
> 172 if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173 return CMD_RET_USAGE;
> 174 idx = (int)id - 1;
> 175 ret = wait_job(idx);
> 176 }
> 177 }
>
> ** CID 550295: Insecure data handling (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 550295: Insecure data handling (TAINTED_SCALAR)
> /test/lib/membuf.c: 235 in lib_test_membuf_readline()
> 229 *ptr = '\n';
> 230 } else {
> 231 ut_assert(membuf_free(&mb));
> 232 }
> 233 }
> 234 membuf_dispose(&mb);
>>>> CID 550295: Insecure data handling (TAINTED_SCALAR)
>>>> Passing tainted expression "*buf" to "os_free", which uses it as an
> offset.
> 235 os_free(buf);
> 236
> 237 return 0;
> 238 }
>
> ** CID 550294: Code maintainability issues (UNUSED_VALUE)
> /test/lib/membuf.c: 68 in lib_test_membuf_one()
>
>
> ________________________________________________________________________________________________________
> *** CID 550294: Code maintainability issues (UNUSED_VALUE)
> /test/lib/membuf.c: 68 in lib_test_membuf_one()
> 62 ut_assertok(membuf_check(uts, &mb, i));
> 63
> 64 ret = membuf_get(&mb, out, 0);
> 65 ret = membuf_get(&mb, out, size);
> 66 ut_asserteq(size, ret);
> 67
>>>> CID 550294: Code maintainability issues (UNUSED_VALUE)
>>>> Assigning value from "membuf_get(&mb, out, 0)" to "ret" here, but
> that stored value is overwritten before it can be used.
> 68 ret = membuf_get(&mb, out, 0);
> 69 ut_assertok(membuf_check(uts, &mb, i));
> 70
> 71 ut_asserteq_mem(in, out, size);
> 72 }
> 73
>
> ** CID 550293: Memory - illegal accesses (STRING_NULL)
> /test/lib/membuf.c: 224 in lib_test_membuf_readline()
>
>
> ________________________________________________________________________________________________________
> *** CID 550293: Memory - illegal accesses (STRING_NULL)
> /test/lib/membuf.c: 224 in lib_test_membuf_readline()
> 218 ret = membuf_readline(&mb, str, 256, 0, true);
> 219 ut_assertok(membuf_check(uts, &mb, i));
> 220 if (ret) {
> 221 char *ptr;
> 222
> 223 s = &buf[cmpptr];
>>>> CID 550293: Memory - illegal accesses (STRING_NULL)
>>>> Passing unterminated string "s" to "strchr", which expects a
> null-terminated string. [Note: The source code implementation of the
> function has been overridden by a builtin model.]
> 224 ptr = strchr(s, '\n');
> 225 *ptr = '\0';
> 226
> 227 ut_asserteq_str(s, str);
> 228 cmpptr += strlen(s) + 1;
> 229 *ptr = '\n';
>
> ** CID 550292: (BAD_SHIFT)
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
>
>
> ________________________________________________________________________________________________________
> *** CID 550292: (BAD_SHIFT)
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> 159 param[10] = 0x0;
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
>>>> CID 550292: (BAD_SHIFT)
>>>> In expression "blocks >> 24", right shifting "blocks" by more than
> 15 bits always yields zero. The shift amount is 24.
> 165 param[16] = (blocks >> 24) & 0xff;
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
> 165 param[16] = (blocks >> 24) & 0xff;
>>>> CID 550292: (BAD_SHIFT)
>>>> In expression "blocks >> 16", right shifting "blocks" by more than
> 15 bits always yields zero. The shift amount is 16.
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
> 171 pccb->cmd[0] = SCSI_UNMAP;
>
> ** CID 550291: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550291: Memory - corruptions (OVERRUN)
> /lib/acpi/acpi_table.c: 549 in acpi_write_spcr()
> 543 * to touch the configuration of the serial device.
> 544 */
> 545 if (serial_info.clock != SERIAL_DEFAULT_CLOCK)
> 546 spcr->baud_rate = 0;
> 547
> 548 /* Fix checksum */
>>>> CID 550291: Memory - corruptions (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 79 using argument
> "header->length" (which evaluates to 80).
> 549 acpi_update_checksum(header);
> 550
> 551 acpi_add_table(ctx, spcr);
> 552 acpi_inc(ctx, spcr->header.length);
> 553
> 554 return 0;
>
> ** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
> /test/lib/membuf.c: 54 in lib_test_membuf_one()
>
>
> ________________________________________________________________________________________________________
> *** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
> /test/lib/membuf.c: 54 in lib_test_membuf_one()
> 48 }
> 49
> 50 test_size = TEST_SIZE;
> 51
> 52 for (i = 1; i < TEST_COUNT; i++) {
> 53 membuf_zero(&mb);
>>>> CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 54 size = rand() % test_size;
> 55
> 56 // now write patterns and check they come back OK
> 57 ret = membuf_put(&mb, in, 0);
> 58 ret = membuf_put(&mb, in, size);
> 59 ut_asserteq(size, ret);
>
> ** CID 550289: (CONSTANT_EXPRESSION_RESULT)
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
>
>
> ________________________________________________________________________________________________________
> *** CID 550289: (CONSTANT_EXPRESSION_RESULT)
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
> 165 param[16] = (blocks >> 24) & 0xff;
>>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>>> "blocks >> 16" is 0 regardless of the values of its operands. This
> occurs as the bitwise first operand of "&".
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
> 171 pccb->cmd[0] = SCSI_UNMAP;
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> 159 param[10] = 0x0;
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
>>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>>> "blocks >> 24" is 0 regardless of the values of its operands. This
> occurs as the bitwise first operand of "&".
> 165 param[16] = (blocks >> 24) & 0xff;
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
>
> ** CID 550288: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550288: Memory - corruptions (OVERRUN)
> /lib/acpi/base.c: 53 in acpi_write_rsdt()
> 47 header->length = sizeof(struct acpi_rsdt);
> 48 header->revision = 1;
> 49
> 50 /* Entries are filled in later, we come with an empty set */
> 51
> 52 /* Fix checksum */
>>>> CID 550288: Memory - corruptions (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 163 using argument
> "header->length" (which evaluates to 164).
> 53 acpi_update_checksum(header);
> 54 }
> 55
> 56 static void acpi_write_xsdt(struct acpi_xsdt *xsdt)
> 57 {
> 58 struct acpi_table_header *header = &xsdt->header;
>
> ** CID 550287: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550287: Memory - corruptions (OVERRUN)
> /lib/acpi/acpi_table.c: 268 in acpi_write_fadt()
> 262 fadt->dsdt = fadt->x_dsdt;
> 263
> 264 fadt->preferred_pm_profile = ACPI_PM_UNSPECIFIED;
> 265
> 266 acpi_fill_fadt(fadt);
> 267
>>>> CID 550287: Memory - corruptions (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 275 using argument
> "header->length" (which evaluates to 276).
> 268 acpi_update_checksum(header);
> 269
> 270 return acpi_add_fadt(ctx, fadt);
> 271 }
> 272
> 273 #ifndef CONFIG_QFW_ACPI
>
>
> ----- End forwarded message -----
>
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-04-30 18:23 ` Heinrich Schuchardt
@ 2025-04-30 19:14 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-04-30 19:14 UTC (permalink / raw)
To: Heinrich Schuchardt
Cc: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
Marek Vasut, Patrick Rudolph, Adriano Cordova, Paul HENRYS,
Daniel Golle, Simon Glass
[-- Attachment #1: Type: text/plain, Size: 581 bytes --]
On Wed, Apr 30, 2025 at 08:23:29PM +0200, Heinrich Schuchardt wrote:
> On 28.04.25 23:59, Tom Rini wrote:
> > Hey all,
> >
> > Here's the latest set of Coverity defects. Please let me know if some of
> > these are false positives for example, thanks.
>
> Hello Tom,
>
> I have marked the acpi_update_header() items as "intentional" in Coverity:
>
> 550301
> 550291
> 550288
> 550287
>
> We could change the parameter of acpi_update_checksum() to const void * to
> make Coverity happy but we would loose the type checking.
Sounds good, thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-08 14:10 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-07-08 14:10 UTC (permalink / raw)
To: u-boot
Cc: Simon Glass, Heinrich Schuchardt, Ilias Apalodimas, Marek Vasut,
Sughosh Ganu, Ying-Chun Liu (PaulLiu), Aristo Chen,
Rasmus Villemoes, Sean Edmond, Miquel Raynal
[-- Attachment #1: Type: text/plain, Size: 21343 bytes --]
Hey all,
Good news, Coverity Scan resumed putting information in the email
report. Bad news, 20 new issues now that next has been merged.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 7, 2025 at 5:39 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 20
- 6 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 20 of 20 defect(s)
Defect Details
** CID 569500: Incorrect expression (UNUSED_VALUE)
/boot/bootflow_menu.c: 158 in bootflow_menu_add()
_____________________________________________________________________________________________
*** CID 569500: Incorrect expression (UNUSED_VALUE)
/boot/bootflow_menu.c: 158 in bootflow_menu_add()
152
153 if (!label) {
154 free(key);
155 return log_msg_ret("nam", -ENOMEM);
156 }
157
>>> CID 569500: Incorrect expression (UNUSED_VALUE)
>>> Assigning value from "priv->last_bootdev != bflow->dev" to "add_gap" here, but that stored value is overwritten before it can be used.
158 add_gap = priv->last_bootdev != bflow->dev;
159
160 /* disable this gap for now, since it looks a little ugly */
161 add_gap = false;
162 priv->last_bootdev = bflow->dev;
163
** CID 569499: Null pointer dereferences (NULL_RETURNS)
/lib/efi_loader/efi_memory.c: 719 in efi_realloc()
_____________________________________________________________________________________________
*** CID 569499: Null pointer dereferences (NULL_RETURNS)
/lib/efi_loader/efi_memory.c: 719 in efi_realloc()
713 old_size = alloc->num_pages * EFI_PAGE_SIZE -
714 sizeof(struct efi_pool_allocation);
715
716 new_ptr = efi_alloc(size);
717
718 /* copy old data to new alloced buffer */
>>> CID 569499: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "new_ptr" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
719 memcpy(new_ptr, *ptr, min(size, old_size));
720
721 /* free the old buffer */
722 efi_free_pool(*ptr);
723
724 *ptr = new_ptr;
** CID 569498: Code maintainability issues (SIZEOF_MISMATCH)
/lib/efi_loader/efi_debug_support.c: 163 in
efi_core_remove_debug_image_info_entry()
_____________________________________________________________________________________________
*** CID 569498: Code maintainability issues (SIZEOF_MISMATCH)
/lib/efi_loader/efi_debug_support.c: 163 in
efi_core_remove_debug_image_info_entry()
157 table[index].normal_image->image_handle == image_handle) {
158 /* Found a match. Free up the table entry.
159 * Move the tail of the table one slot to the front.
160 */
161 efi_free_pool(table[index].normal_image);
162
>>> CID 569498: Code maintainability issues (SIZEOF_MISMATCH)
>>> Passing argument "&table[index]" of type "union efi_debug_image_info *" and argument "(efi_m_debug_info_table_header.table_size - index - 1) * 8UL /* sizeof (union efi_debug_image_info *) */" to function "memmove" is suspicious. In this case, "sizeof (union efi_debug_image_info *)" is equal to "sizeof (union efi_debug_image_info)", but this is not a portable assumption.
163 memmove(&table[index],
164 &table[index + 1],
165 (efi_m_debug_info_table_header.table_size -
166 index - 1) * EFI_DEBUG_TABLE_ENTRY_SIZE);
167
168 /* Decrease the number of EFI_DEBUG_IMAGE_INFO
** CID 569497: Null pointer dereferences (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73 in
efi_test_fmp_get_image_info()
_____________________________________________________________________________________________
*** CID 569497: Null pointer dereferences (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73 in
efi_test_fmp_get_image_info()
67 if (package_version)
68 *package_version = 0xffffffff;
69 if (package_version_name)
70 *package_version_name = NULL;
71
72 if (*image_info_size < sizeof(*image_info)) {
>>> CID 569497: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "descriptor_count".
73 *image_info_size = *descriptor_size * *descriptor_count;
74 return EFI_BUFFER_TOO_SMALL;
75 }
76
77 for (int idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
78 image_info[idx] = static_img_info[idx];
** CID 569496: Integer handling issues (INTEGER_OVERFLOW)
/drivers/usb/emul/sandbox_hub.c: 298 in sandbox_child_post_bind()
_____________________________________________________________________________________________
*** CID 569496: Integer handling issues (INTEGER_OVERFLOW)
/drivers/usb/emul/sandbox_hub.c: 298 in sandbox_child_post_bind()
292 static int sandbox_child_post_bind(struct udevice *dev)
293 {
294 struct sandbox_hub_plat *plat = dev_get_parent_plat(dev);
295 struct usb_emul_plat *emul = dev_get_uclass_plat(dev);
296
297 plat->port = dev_read_u32_default(dev, "reg", -1);
>>> CID 569496: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "plat->port + 1", where "plat->port" is known to be equal to -1, overflows the type of "plat->port + 1", which is type "int".
298 emul->port1 = plat->port + 1;
299
300 return 0;
301 }
302
303 static const struct dm_usb_ops sandbox_usb_hub_ops = {
** CID 569495: Integer handling issues (NEGATIVE_RETURNS)
_____________________________________________________________________________________________
*** CID 569495: Integer handling issues (NEGATIVE_RETURNS)
/tools/fit_image.c: 921 in fit_handle_file()
915 do {
916 if (copyfile(bakfile, tmpfile) < 0) {
917 printf("Can't copy %s to %s\n", bakfile, tmpfile);
918 ret = -EIO;
919 break;
920 }
>>> CID 569495: Integer handling issues (NEGATIVE_RETURNS)
>>> "size_inc" is passed to a parameter that cannot be negative.
921 ret = fit_add_file_data(params, size_inc, tmpfile);
922 if (!ret || ret != -ENOSPC)
923 break;
924 size_inc += 1024;
925 } while (size_inc < 64 * 1024);
926
** CID 569494: Control flow issues (DEADCODE)
/lib/efi_selftest/efi_selftest_config_table.c: 129 in execute()
_____________________________________________________________________________________________
*** CID 569494: Control flow issues (DEADCODE)
/lib/efi_selftest/efi_selftest_config_table.c: 129 in execute()
123 return EFI_ST_FAILURE;
124 }
125 if (counter != 1) {
126 efi_st_error("Notification function was not called.\n");
127 return EFI_ST_FAILURE;
128 }
>>> CID 569494: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "if (table_count != sys_tabl...".
129 if (table_count != sys_table->nr_tables) {
130 efi_st_error("Incorrect table count %u, expected %u\n",
131 (unsigned int)sys_table->nr_tables,
132 (unsigned int)table_count);
133 return EFI_ST_FAILURE;
134 }
** CID 569493: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 569493: Insecure data handling (TAINTED_SCALAR)
/lib/efi_selftest/efi_selftest_esrt.c: 276 in execute()
270 efi_st_error("ESRT mismatch in new entry count (%d),
expected (%d).\n",
271 entry_delta, TEST_ESRT_NUM_ENTRIES);
272 return EFI_ST_FAILURE;
273 }
274
275 for (u32 idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
>>> CID 569493: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "esrt->fw_resource_count" to "lib_test_check_uuid_entry", which uses it as a loop boundary.
276 if (!lib_test_check_uuid_entry(esrt, &static_img_info[idx])) {
277 efi_st_error("ESRT entry mismatch\n");
278 return EFI_ST_FAILURE;
279 }
280
281 return EFI_ST_SUCCESS;
** CID 569492: (DC.WEAK_CRYPTO)
/net/bootp.c: 442 in bootp_timeout_handler()
/net/bootp.c: 441 in bootp_timeout_handler()
_____________________________________________________________________________________________
*** CID 569492: (DC.WEAK_CRYPTO)
/net/bootp.c: 442 in bootp_timeout_handler()
436 bootp_timeout = retransmit_period_max_ms;
437
438 /* Randomize by adding bootp_timeout*RAND, where RAND
439 * is a randomization factor between -0.1..+0.1
440 */
441 srand(get_ticks() + rand());
>>> CID 569492: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
442 rand_minus_plus_100 = ((rand() % 200) - 100);
443 bootp_timeout = bootp_timeout +
444 (((int)bootp_timeout * rand_minus_plus_100) / 1000);
445
446 net_set_timeout_handler(bootp_timeout, bootp_timeout_handler);
447 bootp_request();
/net/bootp.c: 441 in bootp_timeout_handler()
435 if (bootp_timeout > retransmit_period_max_ms)
436 bootp_timeout = retransmit_period_max_ms;
437
438 /* Randomize by adding bootp_timeout*RAND, where RAND
439 * is a randomization factor between -0.1..+0.1
440 */
>>> CID 569492: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
441 srand(get_ticks() + rand());
442 rand_minus_plus_100 = ((rand() % 200) - 100);
443 bootp_timeout = bootp_timeout +
444 (((int)bootp_timeout * rand_minus_plus_100) / 1000);
445
446 net_set_timeout_handler(bootp_timeout, bootp_timeout_handler);
** CID 569491: Error handling issues (NEGATIVE_RETURNS)
/tools/file2include.c: 56 in main()
_____________________________________________________________________________________________
*** CID 569491: Error handling issues (NEGATIVE_RETURNS)
/tools/file2include.c: 56 in main()
50 if (!count) {
51 fprintf(stderr, "File %s has length 0\n", argv[1]);
52 return EXIT_FAILURE;
53 }
54 rewind(file);
55 /* Read file */
>>> CID 569491: Error handling issues (NEGATIVE_RETURNS)
>>> "count" is passed to a parameter that cannot be negative.
56 buf = malloc(count);
57 if (!buf) {
58 perror("calloc");
59 return EXIT_FAILURE;
60 }
61 count = fread(buf, 1, count, file);
** CID 569490: Null pointer dereferences (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73 in
efi_test_fmp_get_image_info()
_____________________________________________________________________________________________
*** CID 569490: Null pointer dereferences (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73 in
efi_test_fmp_get_image_info()
67 if (package_version)
68 *package_version = 0xffffffff;
69 if (package_version_name)
70 *package_version_name = NULL;
71
72 if (*image_info_size < sizeof(*image_info)) {
>>> CID 569490: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "descriptor_size".
73 *image_info_size = *descriptor_size * *descriptor_count;
74 return EFI_BUFFER_TOO_SMALL;
75 }
76
77 for (int idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
78 image_info[idx] = static_img_info[idx];
** CID 569489: Integer handling issues (INTEGER_OVERFLOW)
/lib/efi_selftest/efi_selftest_bitblt.c: 83 in notify()
_____________________________________________________________________________________________
*** CID 569489: Integer handling issues (INTEGER_OVERFLOW)
/lib/efi_selftest/efi_selftest_bitblt.c: 83 in notify()
77 /* Increment position */
78 pos->x += 5;
79 if (pos->x >= WIDTH + gop->mode->info->width)
80 pos->x = 0;
81
82 width = WIDTH;
>>> CID 569489: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "pos->x - 200UL", where "pos->x" is known to be equal to 0, underflows the type of "pos->x - 200UL", which is type "unsigned long".
83 dx = pos->x - WIDTH;
84 sx = 0;
85 if (pos->x >= gop->mode->info->width) {
86 width = WIDTH + gop->mode->info->width - pos->x;
87 } else if (pos->x < WIDTH) {
88 dx = 0;
** CID 569488: Control flow issues (NO_EFFECT)
/tools/fit_image.c: 913 in fit_handle_file()
_____________________________________________________________________________________________
*** CID 569488: Control flow issues (NO_EFFECT)
/tools/fit_image.c: 913 in fit_handle_file()
907 * signatures. We do an attempt at estimating the expected
908 * extra size, but just in case that is not sufficient, keep
909 * trying adding 1K, with a reasonable upper bound of 64K
910 * total, until we succeed.
911 */
912 size_inc = fit_estimate_hash_sig_size(params, bakfile);
>>> CID 569488: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "size_inc < 0UL".
913 if (size_inc < 0)
914 goto err_system;
915 do {
916 if (copyfile(bakfile, tmpfile) < 0) {
917 printf("Can't copy %s to %s\n", bakfile, tmpfile);
918 ret = -EIO;
** CID 569487: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 569487: Insecure data handling (TAINTED_SCALAR)
/boot/cedit.c: 474 in cedit_write_settings()
468 }
469
470 ret = fdt_end_node(fdt);
471 if (!ret)
472 ret = fdt_end_node(fdt);
473 if (!ret)
>>> CID 569487: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "fdt->size_dt_strings" to "fdt_finish", which uses it as an offset.
474 ret = fdt_finish(fdt);
475 if (ret) {
476 log_debug("Failed to finish FDT (err=%d)\n", ret);
477 return log_msg_ret("fin", -EINVAL);
478 }
479
** CID 569486: Incorrect expression (SIZEOF_MISMATCH)
/lib/efi_selftest/efi_selftest_console.c: 242 in efi_st_printc()
_____________________________________________________________________________________________
*** CID 569486: Incorrect expression (SIZEOF_MISMATCH)
/lib/efi_selftest/efi_selftest_console.c: 242 in efi_st_printc()
236 break;
237 case 'U':
238 print_uuid(va_arg(args, void*), &pos);
239 break;
240 default:
241 --c;
>>> CID 569486: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "va_arg (args, void *)" of type "void *" and argument "16 /* 2 * sizeof (void *) */" to function "printx" is suspicious.
242 printx((uintptr_t)va_arg(args, void *),
243 2 * sizeof(void *), &pos);
244 break;
245 }
246 break;
247 case 's':
** CID 569485: (DC.WEAK_CRYPTO)
/net/bootp.c: 837 in bootp_request()
/net/bootp.c: 838 in bootp_request()
_____________________________________________________________________________________________
*** CID 569485: (DC.WEAK_CRYPTO)
/net/bootp.c: 837 in bootp_request()
831 extlen = bootp_extended((u8 *)bp->bp_vend);
832 #endif
833
834 /* Only generate a new transaction ID for each new BOOTP request */
835 if (bootp_try == 1) {
836 if (IS_ENABLED(CONFIG_BOOTP_RANDOM_XID)) {
>>> CID 569485: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
837 srand(get_ticks() + rand());
838 bootp_id = rand();
839 } else {
840 /*
841 * Bootp ID is the lower 4 bytes of our ethernet address
842 * plus the current time in ms.
/net/bootp.c: 838 in bootp_request()
832 #endif
833
834 /* Only generate a new transaction ID for each new BOOTP request */
835 if (bootp_try == 1) {
836 if (IS_ENABLED(CONFIG_BOOTP_RANDOM_XID)) {
837 srand(get_ticks() + rand());
>>> CID 569485: (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
838 bootp_id = rand();
839 } else {
840 /*
841 * Bootp ID is the lower 4 bytes of our ethernet address
842 * plus the current time in ms.
843 */
** CID 569484: Insecure data handling (INTEGER_OVERFLOW)
/drivers/core/uclass.c: 339 in uclass_find_next_free_seq()
_____________________________________________________________________________________________
*** CID 569484: Insecure data handling (INTEGER_OVERFLOW)
/drivers/core/uclass.c: 339 in uclass_find_next_free_seq()
333 }
334 /*
335 * At this point, max will be -1 if there are no existing aliases or
336 * devices
337 */
338
>>> CID 569484: Insecure data handling (INTEGER_OVERFLOW)
>>> "max + 1", which might have overflowed, is returned from the function.
339 return max + 1;
340 }
341
342 int uclass_find_device_by_seq(enum uclass_id id, int seq,
struct udevice **devp)
343 {
344 struct uclass *uc;
** CID 569483: Control flow issues (DEADCODE)
/boot/bootflow_menu.c: 178 in bootflow_menu_add()
_____________________________________________________________________________________________
*** CID 569483: Control flow issues (DEADCODE)
/boot/bootflow_menu.c: 178 in bootflow_menu_add()
172 preview_id = 0;
173 if (bflow->logo) {
174 preview_id = ITEM_PREVIEW + seq;
175 ret |= scene_img(scn, "preview", preview_id,
176 bflow->logo, NULL);
177 }
>>> CID 569483: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "SCENEMIF_GAP_BEFORE" inside this statement: "ret |= scene_menuitem(scn, ...".
178 ret |= scene_menuitem(scn, OBJ_MENU, "item", ITEM + seq,
179 ITEM_KEY + seq, ITEM_LABEL + seq,
180 ITEM_DESC + seq, preview_id,
181 add_gap ? SCENEMIF_GAP_BEFORE : 0,
182 NULL);
183
** CID 569482: Control flow issues (DEADCODE)
/tools/fit_image.c: 914 in fit_handle_file()
_____________________________________________________________________________________________
*** CID 569482: Control flow issues (DEADCODE)
/tools/fit_image.c: 914 in fit_handle_file()
908 * extra size, but just in case that is not sufficient, keep
909 * trying adding 1K, with a reasonable upper bound of 64K
910 * total, until we succeed.
911 */
912 size_inc = fit_estimate_hash_sig_size(params, bakfile);
913 if (size_inc < 0)
>>> CID 569482: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "goto err_system;".
914 goto err_system;
915 do {
916 if (copyfile(bakfile, tmpfile) < 0) {
917 printf("Can't copy %s to %s\n", bakfile, tmpfile);
918 ret = -EIO;
919 break;
** CID 569481: Control flow issues (MISSING_BREAK)
/lib/lmb.c: 763 in lmb_alloc_mem()
_____________________________________________________________________________________________
*** CID 569481: Control flow issues (MISSING_BREAK)
/lib/lmb.c: 763 in lmb_alloc_mem()
757 return 0;
758
759 if (!addr)
760 return -EINVAL;
761
762 switch (type) {
>>> CID 569481: Control flow issues (MISSING_BREAK)
>>> The case for value "LMB_MEM_ALLOC_ANY" is not terminated by a "break" statement.
763 case LMB_MEM_ALLOC_ANY:
764 *addr = LMB_ALLOC_ANYWHERE;
765 case LMB_MEM_ALLOC_MAX:
766 ret = _lmb_alloc_base(size, align, addr, flags);
767 break;
768 case LMB_MEM_ALLOC_ADDR:
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-14 23:29 Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2025-07-14 23:29 UTC (permalink / raw)
To: u-boot, Andrew Goodbody, Rasmus Villemoes
[-- Attachment #1: Type: text/plain, Size: 3887 bytes --]
Here's the latest report from Coverity. Good news is closing 5 existing
issues (overlap with smatch I think) but 3 new ones. Or maybe it's
related to Rasmus' cleanup series? I can only run one report a day I
think so I don't have granular breakdown on which changes today brought
these up.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 14, 2025 at 5:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 3
- 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 3 of 3 defect(s)
Defect Details
** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
_____________________________________________________________________________________________
*** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
1525 if (ea_entry & PCI_EA_IS_64) {
1526 /* MaxOffset 2nd DW */
1527 dm_pci_read_config32(dev, ea_off + 16, &ea_entry);
1528 sz |= ((u64)ea_entry) << 32;
1529 }
1530
>>> CID 573150: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "sz + 1UL", where "sz" is known to be equal to 18446744073709551615, overflows the type of "sz + 1UL", which is type "unsigned long".
1531 addr = (pdata->virtid - 1) * (sz + 1);
1532 }
1533
1534 return addr;
1535 }
1536
** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
_____________________________________________________________________________________________
*** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
588
589 bs = *buffer_size;
590 if (fh->isdir)
591 ret = dir_read(fh, &bs, buffer);
592 else
593 ret = file_read(fh, &bs, buffer);
>>> CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "bs <= 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */" is always true regardless of the values of its operands. This occurs as the logical operand of "if".
594 if (bs <= SIZE_MAX)
595 *buffer_size = bs;
596 else
597 *buffer_size = SIZE_MAX;
598
599 return ret;
** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
_____________________________________________________________________________________________
*** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
1575 addr |= ((u64)ea_entry) << 32;
1576 }
1577
1578 if (IS_ENABLED(CONFIG_PCI_SRIOV))
1579 addr += dm_pci_map_ea_virt(dev, ea_off, pdata);
1580
>>> CID 573148: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "4294967295U - addr", where "addr" is known to be equal to 4294967292, underflows the type of "4294967295U - addr", which is type "unsigned int".
1581 if (~((phys_addr_t)0) - addr < offset)
1582 return NULL;
1583
1584 /* size ignored for now */
1585 return map_physmem(addr + offset, len, MAP_NOCACHE);
1586 }
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-07-14 23:29 Tom Rini
@ 2025-07-15 13:45 ` Rasmus Villemoes
0 siblings, 0 replies; 99+ messages in thread
From: Rasmus Villemoes @ 2025-07-15 13:45 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, Andrew Goodbody
On Mon, Jul 14 2025, Tom Rini <trini@konsulko.com> wrote:
> Here's the latest report from Coverity. Good news is closing 5 existing
> issues (overlap with smatch I think) but 3 new ones. Or maybe it's
> related to Rasmus' cleanup series? I can only run one report a day I
> think so I don't have granular breakdown on which changes today brought
> these up.
>
> From: <scan-admin@coverity.com>
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> Date: Mon, Jul 14, 2025 at 5:23 PM (1 day, 9 hours, 56 minutes ago)
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 3
> - 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 3 of 3 defect(s)
>
> Defect Details
>
> ** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
>
>
> _____________________________________________________________________________________________
> *** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
> 1525 if (ea_entry & PCI_EA_IS_64) {
> 1526 /* MaxOffset 2nd DW */
> 1527 dm_pci_read_config32(dev, ea_off + 16, &ea_entry);
> 1528 sz |= ((u64)ea_entry) << 32;
> 1529 }
> 1530
>>>> CID 573150: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "sz + 1UL", where "sz" is known to be equal to 18446744073709551615, overflows the type of "sz + 1UL", which is type "unsigned long".
> 1531 addr = (pdata->virtid - 1) * (sz + 1);
> 1532 }
> 1533
I don't see how this one could be due to the int limit patches, as I see
no reference to any _MIN/_MAX macro, also not indirectly via the
definition of PCI_EA_FIELD_MASK.
I also have no idea how Coverity can think that sz can be known to be
equal to ~0ULL. Sure, if it phrased it "if sz is equal to ..., then sz+1
overflows", but that's not what it says. Nor would that be very useful,
as just about _any_ arithmetic expression can overflow for _some_ values
of the referenced variables.
Honestly, this sounds like it has been AI-infected.
> 1534 return addr;
> 1535 }
> 1536
>
> ** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
>
>
> _____________________________________________________________________________________________
> *** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
> 588
> 589 bs = *buffer_size;
> 590 if (fh->isdir)
> 591 ret = dir_read(fh, &bs, buffer);
> 592 else
> 593 ret = file_read(fh, &bs, buffer);
>>>> CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>>> "bs <= 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */" is always true regardless of the values of its operands. This occurs as the logical operand of "if".
> 594 if (bs <= SIZE_MAX)
> 595 *buffer_size = bs;
> 596 else
> 597 *buffer_size = SIZE_MAX;
> 598
> 599 return ret;
>
So this one might be triggered by the new definition of SIZE_MAX, though
SIZE_MAX was also a compile-time (though not cpp) constant previously. I
think we should define SIZE_MAX properly instead of via that UINTPTR_MAX
indirection, which itself could use some cleanup.
But aside from that, we should be able to silence Coverity by either
just changing the <= to < (because in the == case the other branch of
the if would have the same effect, but it's no longer a tautology). Or
we could maybe do *buffer_size = min_t(u64, bs, SIZE_MAX), though that
might expand to something with the exact same problem.
> ** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
>
>
> _____________________________________________________________________________________________
> *** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
> 1575 addr |= ((u64)ea_entry) << 32;
> 1576 }
> 1577
> 1578 if (IS_ENABLED(CONFIG_PCI_SRIOV))
> 1579 addr += dm_pci_map_ea_virt(dev, ea_off, pdata);
> 1580
>>>> CID 573148: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "4294967295U - addr", where "addr" is known to be equal to 4294967292, underflows the type of "4294967295U - addr", which is type "unsigned int".
> 1581 if (~((phys_addr_t)0) - addr < offset)
> 1582 return NULL;
> 1583
Wait, what? Just to be completely sure, I copy-pasted those two numbers:
4294967295
4294967292
I think my 8-year old can see that subtracting the second from the first
does not lead to a negative result.
So from my chair, that's another point added to the AI hypothesis.
Rasmus
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
0 siblings, 2 replies; 99+ messages in thread
From: Tom Rini @ 2025-07-25 13:26 UTC (permalink / raw)
To: u-boot, Michal Simek
[-- Attachment #1: Type: text/plain, Size: 8942 bytes --]
Here's the latest report. These aren't new issues as much as they are
Coverity now looking at FPGA code issues.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Jul 24, 2025 at 8:03 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 8
- 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 8 of 8 defect(s)
Defect Details
** CID 583150: Null pointer dereferences (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54 in fpga_loadbitstream()
_____________________________________________________________________________________________
*** CID 583150: Null pointer dereferences (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54 in fpga_loadbitstream()
48 xilinx_desc *xdesc;
49
50 dataptr = (unsigned char *)fpgadata;
51 /* Find out fpga_description */
52 desc = fpga_validate(devnum, dataptr, 0);
53 /* Assign xilinx device description */
>>> CID 583150: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "desc", which is known to be "NULL".
54 xdesc = desc->devdesc;
55
56 /* skip the first bytes of the bitsteam, their meaning is unknown */
57 length = (*dataptr << 8) + *(dataptr + 1);
58 dataptr += 2;
59 dataptr += length;
** CID 583149: Control flow issues (DEADCODE)
/drivers/fpga/ACEX1K.c: 226 in ACEX1K_ps_load()
_____________________________________________________________________________________________
*** CID 583149: Control flow issues (DEADCODE)
/drivers/fpga/ACEX1K.c: 226 in ACEX1K_ps_load()
220
221 #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
222 if (ret_val == FPGA_SUCCESS) {
223 puts ("Done.\n");
224 }
225 else {
>>> CID 583149: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "puts("Fail.\n");".
226 puts ("Fail.\n");
227 }
228 #endif
229 (*fn->post) (cookie);
230
231 } else {
** CID 583148: Control flow issues (DEADCODE)
/drivers/fpga/cyclon2.c: 180 in CYC2_ps_load()
_____________________________________________________________________________________________
*** CID 583148: Control flow issues (DEADCODE)
/drivers/fpga/cyclon2.c: 180 in CYC2_ps_load()
174 ret_val = FPGA_SUCCESS;
175
176 #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
177 if (ret_val == FPGA_SUCCESS)
178 puts("Done.\n");
179 else
>>> CID 583148: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "puts("Fail.\n");".
180 puts("Fail.\n");
181 #endif
182
183 /*
184 * Run the post configuration function if there is one.
185 */
** CID 583147: Integer handling issues (NEGATIVE_RETURNS)
_____________________________________________________________________________________________
*** CID 583147: Integer handling issues (NEGATIVE_RETURNS)
/cmd/fpga.c: 305 in do_fpga_loadmk()
299 #if defined(CONFIG_GZIP)
300 ulong image_buf = image_get_data(hdr);
301 ulong image_size = ~0UL;
302
303 data = image_get_load(hdr);
304
>>> CID 583147: Integer handling issues (NEGATIVE_RETURNS)
>>> A negative constant "-1" is passed as an argument to a parameter that cannot be negative.
305 if (gunzip((void *)data, ~0U, (void *)image_buf,
306 &image_size) != 0) {
307 log_err("Gunzip error\n");
308 return CMD_RET_FAILURE;
309 }
310 data_size = image_size;
** CID 583146: Control flow issues (DEADCODE)
/drivers/fpga/ivm_core.c: 1306 in ispVMDataCode()
_____________________________________________________________________________________________
*** CID 583146: Control flow issues (DEADCODE)
/drivers/fpga/ivm_core.c: 1306 in ispVMDataCode()
1300 /*
1301 * Encountered invalid opcode.
1302 */
1303
1304 return VME_INVALID_FILE;
1305 } else {
>>> CID 583146: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 0;".
1306 return 0;
1307 }
1308 }
1309
1310 /*
1311 *
** CID 583145: (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959 in ispVMBitShift()
/drivers/fpga/ivm_core.c: 1974 in ispVMBitShift()
_____________________________________________________________________________________________
*** CID 583145: (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959 in ispVMBitShift()
1953 for (i = 0; i < size; i++) {
1954 if (g_pucInData[i] != 0) {
1955 tmpbits = bits;
1956 while (tmpbits > 0) {
1957 g_pucInData[i] <<= 1;
1958 if (g_pucInData[i] == 0) {
>>> CID 583145: (INTEGER_OVERFLOW)
>>> Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1959 i--;
1960 g_pucInData[i] = 1;
1961 }
1962 tmpbits--;
1963 }
1964 }
/drivers/fpga/ivm_core.c: 1974 in ispVMBitShift()
1968 for (i = 0; i < size; i++) {
1969 if (g_pucInData[i] != 0) {
1970 tmpbits = bits;
1971 while (tmpbits > 0) {
1972 g_pucInData[i] >>= 1;
1973 if (g_pucInData[i] == 0) {
>>> CID 583145: (INTEGER_OVERFLOW)
>>> Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1974 i--;
1975 g_pucInData[i] = 8;
1976 }
1977 tmpbits--;
1978 }
1979 }
** CID 583144: Null pointer dereferences (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406 in ispVMBypass()
_____________________________________________________________________________________________
*** CID 583144: Null pointer dereferences (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406 in ispVMBypass()
2400
2401 iSourceIndex = 0;
2402 cBitState = 0;
2403 for (iIndex = 0; iIndex < Bits - 1; iIndex++) {
2404 /* Scan instruction or bypass register */
2405 if (iIndex % 8 == 0) {
>>> CID 583144: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "pcSource".
2406 cCurByte = pcSource[iSourceIndex++];
2407 }
2408 cBitState = (unsigned char) (((cCurByte << iIndex % 8) & 0x80)
2409 ? 0x01 : 0x00);
2410 writePort(g_ucPinTDI, cBitState);
2411 sclock();
** CID 583143: (OVERRUN)
/drivers/fpga/ivm_core.c: 2455 in ispVMStateMachine()
/drivers/fpga/ivm_core.c: 2458 in ispVMStateMachine()
_____________________________________________________________________________________________
*** CID 583143: (OVERRUN)
/drivers/fpga/ivm_core.c: 2455 in ispVMStateMachine()
2449 g_JTAGTransistions[cStateIndex].NextState)) {
2450 break;
2451 }
2452 }
2453
2454 g_cCurrentJTAGState = cNextJTAGState;
>>> CID 583143: (OVERRUN)
>>> Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2455 for (cPathIndex = 0;
2456 cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457 cPathIndex++) {
2458 if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459 & 0x80) {
2460 writePort(g_ucPinTMS, (unsigned char) 0x01);
/drivers/fpga/ivm_core.c: 2458 in ispVMStateMachine()
2452 }
2453
2454 g_cCurrentJTAGState = cNextJTAGState;
2455 for (cPathIndex = 0;
2456 cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457 cPathIndex++) {
>>> CID 583143: (OVERRUN)
>>> Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2458 if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459 & 0x80) {
2460 writePort(g_ucPinTMS, (unsigned char) 0x01);
2461 } else {
2462 writePort(g_ucPinTMS, (unsigned char) 0x00);
2463 }
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-07-25 13:26 Tom Rini
@ 2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
1 sibling, 0 replies; 99+ messages in thread
From: Michal Simek @ 2025-07-25 13:34 UTC (permalink / raw)
To: Tom Rini, u-boot
Hi Tom,
On 7/25/25 15:26, Tom Rini wrote:
> Here's the latest report. These aren't new issues as much as they are
> Coverity now looking at FPGA code issues.
I have sent
https://lore.kernel.org/all/cover.1753442748.git.michal.simek@amd.com/
to address some of them.
Thanks,
Michal
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-29 16:32 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-07-29 16:32 UTC (permalink / raw)
To: u-boot; +Cc: Heiko Schocher, Heinrich Schuchardt
[-- Attachment #1: Type: text/plain, Size: 5060 bytes --]
So I ran Coverity with the newest scan version and this is good news.
Only a few newly found issues in existing code.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Jul 29, 2025 at 10:04 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 3
- 12 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 3 of 3 defect(s)
Defect Details
** CID 583415: Integer handling issues (INTEGER_OVERFLOW)
/cmd/i2c.c: 369 in do_i2c_write()
_____________________________________________________________________________________________
*** CID 583415: Integer handling issues (INTEGER_OVERFLOW)
/cmd/i2c.c: 369 in do_i2c_write()
363 return i2c_report_err(ret, I2C_ERR_WRITE);
364 } else {
365 /*
366 * Repeated addressing - perform <length> separate
367 * write transactions of one byte each
368 */
>>> CID 583415: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "length--", where "length" is known to be equal to 0, underflows the type of "length--", which is type "uint".
369 while (length-- > 0) {
370 #if CONFIG_IS_ENABLED(DM_I2C)
371 i2c_chip->flags |= DM_I2C_CHIP_WR_ADDRESS;
372 ret = dm_i2c_write(dev, devaddr++, memaddr++, 1);
373 #else
374 ret = i2c_write(chip, devaddr++, alen, memaddr++, 1);
** CID 583414: Memory - corruptions (OVERRUN)
/cmd/eficonfig.c: 334 in eficonfig_append_menu_entry()
_____________________________________________________________________________________________
*** CID 583414: Memory - corruptions (OVERRUN)
/cmd/eficonfig.c: 334 in eficonfig_append_menu_entry()
328
329 entry = calloc(1, sizeof(struct eficonfig_entry));
330 if (!entry)
331 return EFI_OUT_OF_RESOURCES;
332
333 entry->title = title;
>>> CID 583414: Memory - corruptions (OVERRUN)
>>> "sprintf" will overrun its first argument "entry->key" which can accommodate 3 bytes. The number of bytes written may be 11 bytes, including the terminating null.
334 sprintf(entry->key, "%d", efi_menu->count);
335 entry->efi_menu = efi_menu;
336 entry->func = func;
337 entry->data = data;
338 entry->num = efi_menu->count++;
339 list_add_tail(&entry->list, &efi_menu->list);
** CID 583357: (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714 in deflate_slow()
/lib/zlib/deflate.c: 1706 in deflate_slow()
_____________________________________________________________________________________________
*** CID 583357: (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714 in deflate_slow()
1708
1709 /* Insert in hash table all strings up to the end
of the match.
1710 * strstart-1 and strstart are already inserted.
If there is not
1711 * enough lookahead, the last two strings are not
inserted in
1712 * the hash table.
1713 */
>>> CID 583357: (INTEGER_OVERFLOW)
>>> Expression "s->lookahead", where "s->prev_length - 1U" is known to be equal to 4294967270, underflows the type of "s->lookahead", which is type "uInt".
1714 s->lookahead -= s->prev_length-1;
1715 s->prev_length -= 2;
1716 do {
1717 if (++s->strstart <= max_insert) {
1718 INSERT_STRING(s, s->strstart, hash_head);
1719 }
/lib/zlib/deflate.c: 1706 in deflate_slow()
1700 if (s->prev_length >= MIN_MATCH && s->match_length <=
s->prev_length) {
1701 uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
1702 /* Do not insert strings in hash table beyond this. */
1703
1704 check_match(s, s->strstart-1, s->prev_match,
s->prev_length);
1705
>>> CID 583357: (INTEGER_OVERFLOW)
>>> Expression "len", where "s->prev_length - 3U" is known to be equal to 4294967267, overflows the type of "len", which is type "uch".
1706 _tr_tally_dist(s, s->strstart -1 - s->prev_match,
1707 s->prev_length - MIN_MATCH, bflush);
1708
1709 /* Insert in hash table all strings up to the end
of the match.
1710 * strstart-1 and strstart are already inserted.
If there is not
1711 * enough lookahead, the last two strings are not
inserted in
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
@ 2025-08-04 9:11 ` Alexander Dahl
1 sibling, 0 replies; 99+ messages in thread
From: Alexander Dahl @ 2025-08-04 9:11 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, Michal Simek
Hello,
Am Fri, Jul 25, 2025 at 07:26:45AM -0600 schrieb Tom Rini:
> Here's the latest report. These aren't new issues as much as they are
> Coverity now looking at FPGA code issues.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Thu, Jul 24, 2025 at 8:03 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 8
> - 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 8 of 8 defect(s)
>
> Defect Details
>
[…]
> ** CID 583148: Control flow issues (DEADCODE)
> /drivers/fpga/cyclon2.c: 180 in CYC2_ps_load()
>
>
> _____________________________________________________________________________________________
> *** CID 583148: Control flow issues (DEADCODE)
> /drivers/fpga/cyclon2.c: 180 in CYC2_ps_load()
> 174 ret_val = FPGA_SUCCESS;
> 175
> 176 #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
> 177 if (ret_val == FPGA_SUCCESS)
> 178 puts("Done.\n");
> 179 else
> >>> CID 583148: Control flow issues (DEADCODE)
> >>> Execution cannot reach this statement: "puts("Fail.\n");".
> 180 puts("Fail.\n");
> 181 #endif
> 182
> 183 /*
> 184 * Run the post configuration function if there is one.
> 185 */
See
https://lore.kernel.org/u-boot/20250804090816.42603-1-ada@thorsis.com/T/#u
for a fix of the cyclon2 driver.
Greets
Alex
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2025-08-06 18:35 UTC (permalink / raw)
To: u-boot, Heiko Schocher, Dinesh Maniyam
[-- Attachment #1: Type: text/plain, Size: 13861 bytes --]
Here's the latest report. Lets get these new issues addressed ASAP
please, thanks.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Wed, Aug 6, 2025 at 12:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 8
- 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 8 of 8 defect(s)
Defect Details
** CID 583812: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
_____________________________________________________________________________________________
*** CID 583812: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
997
998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
999 master->datstartaddr = ret;
1000 master->maxdevs = ret >> 16;
>>> CID 583812: Integer handling issues (BAD_SHIFT)
>>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior. The shift amount, "63 - (master->maxdevs - 1)", is 64.
1001 master->free_pos = GENMASK(master->maxdevs - 1, 0);
1002
1003 ret = i3c_master_register(&master->base, dev,
1004 &dw_mipi_i3c_ops, false);
1005 if (ret)
1006 goto err_assert_rst;
** CID 583811: (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
_____________________________________________________________________________________________
*** CID 583811: (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
1604 }
1605
1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1610 return -EINVAL;
1611
1612 boardinfo->init_dyn_addr = init_dyn_addr;
1613 boardinfo->of_node = node;
1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
1615
/drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
1581 if (!boardinfo)
1582 return -ENOMEM;
1583
1584 if (reg[0]) {
1585 if (reg[0] > I3C_MAX_ADDR)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1586 return -EINVAL;
1587
1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589 reg[0]);
1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
1591 return -EINVAL;
/drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
1585 if (reg[0] > I3C_MAX_ADDR)
1586 return -EINVAL;
1587
1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589 reg[0]);
1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1591 return -EINVAL;
1592 }
1593
1594 boardinfo->static_addr = reg[0];
1595
1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
/drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
1592 }
1593
1594 boardinfo->static_addr = reg[0];
1595
1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
1597 if (init_dyn_addr > I3C_MAX_ADDR)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1598 return -EINVAL;
1599
1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601 init_dyn_addr);
1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
1603 return -EINVAL;
/drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
1597 if (init_dyn_addr > I3C_MAX_ADDR)
1598 return -EINVAL;
1599
1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601 init_dyn_addr);
1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> CID 583811: (RESOURCE_LEAK)
>>> Variable "boardinfo" going out of scope leaks the storage it points to.
1603 return -EINVAL;
1604 }
1605
1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
** CID 298388: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
_____________________________________________________________________________________________
*** CID 298388: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
573 return -ENOMEM;
574
575 cmd = xfer->cmds;
576 cmd->rx_buf = ccc->dests[0].payload.data;
577 cmd->rx_len = ccc->dests[0].payload.len;
578
>>> CID 298388: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
580 COMMAND_PORT_TRANSFER_ARG;
581
582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
583 COMMAND_PORT_CP |
584 COMMAND_PORT_DEV_INDEX(pos) |
** CID 298037: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
_____________________________________________________________________________________________
*** CID 298037: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
369 scl_timing = SCL_EXT_LCNT_1(lcnt);
370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
371 scl_timing |= SCL_EXT_LCNT_2(lcnt);
372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
373 scl_timing |= SCL_EXT_LCNT_3(lcnt);
374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>> CID 298037: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
375 scl_timing |= SCL_EXT_LCNT_4(lcnt);
376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
377
378 return 0;
379 }
380
** CID 296053: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
_____________________________________________________________________________________________
*** CID 296053: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
529 return -ENOMEM;
530
531 cmd = xfer->cmds;
532 cmd->tx_buf = ccc->dests[0].payload.data;
533 cmd->tx_len = ccc->dests[0].payload.len;
534
>>> CID 296053: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
536 COMMAND_PORT_TRANSFER_ARG;
537
538 cmd->cmd_lo = COMMAND_PORT_CP |
539 COMMAND_PORT_DEV_INDEX(pos) |
540 COMMAND_PORT_CMD(ccc->id) |
** CID 295976: (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
/drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
_____________________________________________________________________________________________
*** CID 295976: (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
389 return -EINVAL;
390
391 core_period = DIV_ROUND_UP(1000000000, core_rate);
392
393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
394 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>> CID 295976: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
/drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
>>> CID 295976: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
402 SCL_I2C_FM_TIMING_LCNT(lcnt);
403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
404
405 writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
406 writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,
** CID 294913: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
_____________________________________________________________________________________________
*** CID 294913: Integer handling issues (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724 in
dw_i3c_master_priv_xfers()
718 if (!xfer)
719 return -ENOMEM;
720
721 for (i = 0; i < i3c_nxfers; i++) {
722 struct dw_i3c_cmd *cmd = &xfer->cmds[i];
723
>>> CID 294913: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
724 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
725 COMMAND_PORT_TRANSFER_ARG;
726
727 if (i3c_xfers[i].rnw) {
728 cmd->rx_buf = i3c_xfers[i].data.in;
729 cmd->rx_len = i3c_xfers[i].len;
** CID 294627: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
_____________________________________________________________________________________________
*** CID 294627: Integer handling issues (BAD_SHIFT)
/drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
175 int status, bitpos = addr * 2;
176
177 if (addr > I2C_MAX_ADDR)
178 return I3C_ADDR_SLOT_RSVD;
179
180 status = bus->addrslots[bitpos / BITS_PER_LONG];
>>> CID 294627: Integer handling issues (BAD_SHIFT)
>>> In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior. The shift amount, "bitpos % 64", is as much as 63.
181 status >>= bitpos % BITS_PER_LONG;
182
183 return status & I3C_ADDR_SLOT_STATUS_MASK;
184 }
185
186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-08-06 18:35 Tom Rini
@ 2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
0 siblings, 1 reply; 99+ messages in thread
From: Heiko Schocher @ 2025-08-07 9:17 UTC (permalink / raw)
To: u-boot, Dinesh Maniyam; +Cc: Tom Rini, Heiko Schocher
Hello Dinesh,
On 06.08.25 20:35, Tom Rini wrote:
> Here's the latest report. Lets get these new issues addressed ASAP
> please, thanks.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Wed, Aug 6, 2025 at 12:23 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 8
> - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 8 of 8 defect(s)
>
> Defect Details
>
> ** CID 583812: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
Could you please look at the issues on i3c parts, as I go on
vacation, thanks!
@Tom: Feel free to pick up fixes, thanks!
bye,
Heiko
>
>
> _____________________________________________________________________________________________
> *** CID 583812: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
> 995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> 996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> 997
> 998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> 999 master->datstartaddr = ret;
> 1000 master->maxdevs = ret >> 16;
>>>> CID 583812: Integer handling issues (BAD_SHIFT)
>>>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior. The shift amount, "63 - (master->maxdevs - 1)", is 64.
> 1001 master->free_pos = GENMASK(master->maxdevs - 1, 0);
> 1002
> 1003 ret = i3c_master_register(&master->base, dev,
> 1004 &dw_mipi_i3c_ops, false);
> 1005 if (ret)
> 1006 goto err_assert_rst;
>
> ** CID 583811: (RESOURCE_LEAK)
> /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
>
>
> _____________________________________________________________________________________________
> *** CID 583811: (RESOURCE_LEAK)
> /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> 1604 }
> 1605
> 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> 1607
> 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> 1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>>> CID 583811: (RESOURCE_LEAK)
>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1610 return -EINVAL;
> 1611
> 1612 boardinfo->init_dyn_addr = init_dyn_addr;
> 1613 boardinfo->of_node = node;
> 1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
> 1615
> /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> 1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
> 1581 if (!boardinfo)
> 1582 return -ENOMEM;
> 1583
> 1584 if (reg[0]) {
> 1585 if (reg[0] > I3C_MAX_ADDR)
>>>> CID 583811: (RESOURCE_LEAK)
>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1586 return -EINVAL;
> 1587
> 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1589 reg[0]);
> 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
> 1591 return -EINVAL;
> /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> 1585 if (reg[0] > I3C_MAX_ADDR)
> 1586 return -EINVAL;
> 1587
> 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1589 reg[0]);
> 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>> CID 583811: (RESOURCE_LEAK)
>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1591 return -EINVAL;
> 1592 }
> 1593
> 1594 boardinfo->static_addr = reg[0];
> 1595
> 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> 1592 }
> 1593
> 1594 boardinfo->static_addr = reg[0];
> 1595
> 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> 1597 if (init_dyn_addr > I3C_MAX_ADDR)
>>>> CID 583811: (RESOURCE_LEAK)
>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1598 return -EINVAL;
> 1599
> 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1601 init_dyn_addr);
> 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
> 1603 return -EINVAL;
> /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
> 1597 if (init_dyn_addr > I3C_MAX_ADDR)
> 1598 return -EINVAL;
> 1599
> 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1601 init_dyn_addr);
> 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>> CID 583811: (RESOURCE_LEAK)
>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> 1603 return -EINVAL;
> 1604 }
> 1605
> 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> 1607
> 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
>
> ** CID 298388: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
>
>
> _____________________________________________________________________________________________
> *** CID 298388: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
> 573 return -ENOMEM;
> 574
> 575 cmd = xfer->cmds;
> 576 cmd->rx_buf = ccc->dests[0].payload.data;
> 577 cmd->rx_len = ccc->dests[0].payload.len;
> 578
>>>> CID 298388: Integer handling issues (SIGN_EXTENSION)
>>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> 580 COMMAND_PORT_TRANSFER_ARG;
> 581
> 582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
> 583 COMMAND_PORT_CP |
> 584 COMMAND_PORT_DEV_INDEX(pos) |
>
> ** CID 298037: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
>
>
> _____________________________________________________________________________________________
> *** CID 298037: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
> 369 scl_timing = SCL_EXT_LCNT_1(lcnt);
> 370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
> 371 scl_timing |= SCL_EXT_LCNT_2(lcnt);
> 372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
> 373 scl_timing |= SCL_EXT_LCNT_3(lcnt);
> 374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>>> CID 298037: Integer handling issues (SIGN_EXTENSION)
>>>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 375 scl_timing |= SCL_EXT_LCNT_4(lcnt);
> 376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
> 377
> 378 return 0;
> 379 }
> 380
>
> ** CID 296053: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
>
>
> _____________________________________________________________________________________________
> *** CID 296053: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
> 529 return -ENOMEM;
> 530
> 531 cmd = xfer->cmds;
> 532 cmd->tx_buf = ccc->dests[0].payload.data;
> 533 cmd->tx_len = ccc->dests[0].payload.len;
> 534
>>>> CID 296053: Integer handling issues (SIGN_EXTENSION)
>>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> 536 COMMAND_PORT_TRANSFER_ARG;
> 537
> 538 cmd->cmd_lo = COMMAND_PORT_CP |
> 539 COMMAND_PORT_DEV_INDEX(pos) |
> 540 COMMAND_PORT_CMD(ccc->id) |
>
> ** CID 295976: (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
>
>
> _____________________________________________________________________________________________
> *** CID 295976: (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> 389 return -EINVAL;
> 390
> 391 core_period = DIV_ROUND_UP(1000000000, core_rate);
> 392
> 393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
> 394 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>>> CID 295976: (SIGN_EXTENSION)
>>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> 398
> 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
> 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> 398
> 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
>>>> CID 295976: (SIGN_EXTENSION)
>>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
> 402 SCL_I2C_FM_TIMING_LCNT(lcnt);
> 403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
> 404
> 405 writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
> 406 writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,
>
> ** CID 294913: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
>
>
> _____________________________________________________________________________________________
> *** CID 294913: Integer handling issues (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 724 in
> dw_i3c_master_priv_xfers()
> 718 if (!xfer)
> 719 return -ENOMEM;
> 720
> 721 for (i = 0; i < i3c_nxfers; i++) {
> 722 struct dw_i3c_cmd *cmd = &xfer->cmds[i];
> 723
>>>> CID 294913: Integer handling issues (SIGN_EXTENSION)
>>>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 724 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
> 725 COMMAND_PORT_TRANSFER_ARG;
> 726
> 727 if (i3c_xfers[i].rnw) {
> 728 cmd->rx_buf = i3c_xfers[i].data.in;
> 729 cmd->rx_len = i3c_xfers[i].len;
>
> ** CID 294627: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
>
>
> _____________________________________________________________________________________________
> *** CID 294627: Integer handling issues (BAD_SHIFT)
> /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
> 175 int status, bitpos = addr * 2;
> 176
> 177 if (addr > I2C_MAX_ADDR)
> 178 return I3C_ADDR_SLOT_RSVD;
> 179
> 180 status = bus->addrslots[bitpos / BITS_PER_LONG];
>>>> CID 294627: Integer handling issues (BAD_SHIFT)
>>>> In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior. The shift amount, "bitpos % 64", is as much as 63.
> 181 status >>= bitpos % BITS_PER_LONG;
> 182
> 183 return status & I3C_ADDR_SLOT_STATUS_MASK;
> 184 }
> 185
> 186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
--
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic
^ permalink raw reply [flat|nested] 99+ messages in thread
* RE: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-08-07 9:17 ` Heiko Schocher
@ 2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
0 siblings, 1 reply; 99+ messages in thread
From: Maniyam, Dinesh @ 2025-08-08 3:37 UTC (permalink / raw)
To: Heiko Schocher, u-boot@lists.denx.de; +Cc: Tom Rini, Heiko Schocher
Hi
> -----Original Message-----
> From: Heiko Schocher <hs@nabladev.com>
> Sent: Thursday, 7 August 2025 5:17 pm
> To: u-boot@lists.denx.de; Maniyam, Dinesh <dinesh.maniyam@altera.com>
> Cc: Tom Rini <trini@konsulko.com>; Heiko Schocher <hs@denx.de>
> Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
>
> [CAUTION: This email is from outside your organization. Unless you trust the
> sender, do not click on links or open attachments as it may be a fraudulent email
> attempting to steal your information and/or compromise your computer.]
>
> Hello Dinesh,
>
> On 06.08.25 20:35, Tom Rini wrote:
> > Here's the latest report. Lets get these new issues addressed ASAP
> > please, thanks.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Wed, Aug 6, 2025 at 12:23 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das
> > U-Boot* found with Coverity Scan.
> >
> > - *New Defects Found:* 8
> > - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > the recent build analyzed by Coverity Scan.
> > - *Defects Shown:* Showing 8 of 8 defect(s)
> >
> > Defect Details
> >
> > ** CID 583812: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
>
> Could you please look at the issues on i3c parts, as I go on vacation, thanks!
>
Yes, I am working on it, give me just a couple of days!
Thanks
Dinesh
> @Tom: Feel free to pick up fixes, thanks!
>
> bye,
> Heiko
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 583812: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
> > 995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> > 996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> > 997
> > 998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > 999 master->datstartaddr = ret;
> > 1000 master->maxdevs = ret >> 16;
> >>>> CID 583812: Integer handling issues (BAD_SHIFT)
> >>>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right
> shifting by more than 63 bits has undefined behavior. The shift amount, "63 -
> (master->maxdevs - 1)", is 64.
> > 1001 master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > 1002
> > 1003 ret = i3c_master_register(&master->base, dev,
> > 1004 &dw_mipi_i3c_ops, false);
> > 1005 if (ret)
> > 1006 goto err_assert_rst;
> >
> > ** CID 583811: (RESOURCE_LEAK)
> > /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 583811: (RESOURCE_LEAK)
> > /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
> > 1604 }
> > 1605
> > 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> > 1607
> > 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> > 1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1610 return -EINVAL;
> > 1611
> > 1612 boardinfo->init_dyn_addr = init_dyn_addr;
> > 1613 boardinfo->of_node = node;
> > 1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
> > 1615
> > /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
> > 1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
> > 1581 if (!boardinfo)
> > 1582 return -ENOMEM;
> > 1583
> > 1584 if (reg[0]) {
> > 1585 if (reg[0] > I3C_MAX_ADDR)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1586 return -EINVAL;
> > 1587
> > 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1589 reg[0]);
> > 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
> > 1591 return -EINVAL;
> > /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
> > 1585 if (reg[0] > I3C_MAX_ADDR)
> > 1586 return -EINVAL;
> > 1587
> > 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1589 reg[0]);
> > 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1591 return -EINVAL;
> > 1592 }
> > 1593
> > 1594 boardinfo->static_addr = reg[0];
> > 1595
> > 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> > /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
> > 1592 }
> > 1593
> > 1594 boardinfo->static_addr = reg[0];
> > 1595
> > 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> > 1597 if (init_dyn_addr > I3C_MAX_ADDR)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1598 return -EINVAL;
> > 1599
> > 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1601 init_dyn_addr);
> > 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
> > 1603 return -EINVAL;
> > /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
> > 1597 if (init_dyn_addr > I3C_MAX_ADDR)
> > 1598 return -EINVAL;
> > 1599
> > 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1601 init_dyn_addr);
> > 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>>> CID 583811: (RESOURCE_LEAK)
> >>>> Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1603 return -EINVAL;
> > 1604 }
> > 1605
> > 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> > 1607
> > 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> >
> > ** CID 298388: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 298388: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
> > 573 return -ENOMEM;
> > 574
> > 575 cmd = xfer->cmds;
> > 576 cmd->rx_buf = ccc->dests[0].payload.data;
> > 577 cmd->rx_len = ccc->dests[0].payload.len;
> > 578
> >>>> CID 298388: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type
> "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type
> "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits,
> unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the
> upper bits of the result will all be 1.
> > 579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc-
> >dests[0].payload.len) |
> > 580 COMMAND_PORT_TRANSFER_ARG;
> > 581
> > 582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
> > 583 COMMAND_PORT_CP |
> > 584 COMMAND_PORT_DEV_INDEX(pos) |
> >
> > ** CID 298037: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 298037: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
> > 369 scl_timing = SCL_EXT_LCNT_1(lcnt);
> > 370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
> > 371 scl_timing |= SCL_EXT_LCNT_2(lcnt);
> > 372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
> > 373 scl_timing |= SCL_EXT_LCNT_3(lcnt);
> > 374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
> >>>> CID 298037: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned)
> is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to
> type "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than
> 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 375 scl_timing |= SCL_EXT_LCNT_4(lcnt);
> > 376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
> > 377
> > 378 return 0;
> > 379 }
> > 380
> >
> > ** CID 296053: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 296053: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
> > 529 return -ENOMEM;
> > 530
> > 531 cmd = xfer->cmds;
> > 532 cmd->tx_buf = ccc->dests[0].payload.data;
> > 533 cmd->tx_len = ccc->dests[0].payload.len;
> > 534
> >>>> CID 296053: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type
> "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type
> "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits,
> unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the
> upper bits of the result will all be 1.
> > 535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc-
> >dests[0].payload.len) |
> > 536 COMMAND_PORT_TRANSFER_ARG;
> > 537
> > 538 cmd->cmd_lo = COMMAND_PORT_CP |
> > 539 COMMAND_PORT_DEV_INDEX(pos) |
> > 540 COMMAND_PORT_CMD(ccc->id) |
> >
> > ** CID 295976: (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> > /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 295976: (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
> > 389 return -EINVAL;
> > 390
> > 391 core_period = DIV_ROUND_UP(1000000000, core_rate);
> > 392
> > 393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS,
> core_period);
> > 394 hcnt = DIV_ROUND_UP(core_rate,
> I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
> >>>> CID 295976: (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
> extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater
> than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> > 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> > 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> > 398
> > 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS,
> core_period);
> > 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) -
> lcnt;
> > /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
> > 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> > 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
> > 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> > 398
> > 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS,
> core_period);
> > 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) -
> lcnt;
> >>>> CID 295976: (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
> extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater
> than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
> > 402 SCL_I2C_FM_TIMING_LCNT(lcnt);
> > 403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
> > 404
> > 405 writel(BUS_I3C_MST_FREE(lcnt), master->regs +
> BUS_FREE_TIMING);
> > 406 writel(readl(master->regs + DEVICE_CTRL) |
> DEV_CTRL_I2C_SLAVE_PRESENT,
> >
> > ** CID 294913: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 294913: Integer handling issues (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 724 in
> > dw_i3c_master_priv_xfers()
> > 718 if (!xfer)
> > 719 return -ENOMEM;
> > 720
> > 721 for (i = 0; i < i3c_nxfers; i++) {
> > 722 struct dw_i3c_cmd *cmd = &xfer->cmds[i];
> > 723
> >>>> CID 294913: Integer handling issues (SIGN_EXTENSION)
> >>>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16
> bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits,
> signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If
> "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will
> all be 1.
> > 724 cmd->cmd_hi =
> COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
> > 725 COMMAND_PORT_TRANSFER_ARG;
> > 726
> > 727 if (i3c_xfers[i].rnw) {
> > 728 cmd->rx_buf = i3c_xfers[i].data.in;
> > 729 cmd->rx_len = i3c_xfers[i].len;
> >
> > ** CID 294627: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
> >
> >
> >
> _________________________________________________________________
> ____________________________
> > *** CID 294627: Integer handling issues (BAD_SHIFT)
> > /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
> > 175 int status, bitpos = addr * 2;
> > 176
> > 177 if (addr > I2C_MAX_ADDR)
> > 178 return I3C_ADDR_SLOT_RSVD;
> > 179
> > 180 status = bus->addrslots[bitpos / BITS_PER_LONG];
> >>>> CID 294627: Integer handling issues (BAD_SHIFT)
> >>>> In expression "status >>= bitpos % 64", right shifting by more than 31 bits
> has undefined behavior. The shift amount, "bitpos % 64", is as much as 63.
> > 181 status >>= bitpos % BITS_PER_LONG;
> > 182
> > 183 return status & I3C_ADDR_SLOT_STATUS_MASK;
> > 184 }
> > 185
> > 186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
> >
> >
> >
> > View Defects in Coverity Scan
> > <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> >
> > Best regards,
> >
> > The Coverity Scan Admin Team
> >
> > ----- End forwarded message -----
> >
>
> --
> Nabla Software Engineering
> HRB 40522 Augsburg
> Phone: +49 821 45592596
> E-Mail: office@nabladev.com
> Geschäftsführer : Stefano Babic
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-08-08 3:37 ` Maniyam, Dinesh
@ 2025-08-08 4:01 ` Heiko Schocher
0 siblings, 0 replies; 99+ messages in thread
From: Heiko Schocher @ 2025-08-08 4:01 UTC (permalink / raw)
To: Maniyam, Dinesh, u-boot@lists.denx.de; +Cc: Tom Rini, Heiko Schocher
Hello Dinesh,
On 08.08.25 05:37, Maniyam, Dinesh wrote:
> Hi
>
>> -----Original Message-----
>> From: Heiko Schocher <hs@nabladev.com>
>> Sent: Thursday, 7 August 2025 5:17 pm
>> To: u-boot@lists.denx.de; Maniyam, Dinesh <dinesh.maniyam@altera.com>
>> Cc: Tom Rini <trini@konsulko.com>; Heiko Schocher <hs@denx.de>
>> Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
>>
>> [CAUTION: This email is from outside your organization. Unless you trust the
>> sender, do not click on links or open attachments as it may be a fraudulent email
>> attempting to steal your information and/or compromise your computer.]
>>
>> Hello Dinesh,
>>
>> On 06.08.25 20:35, Tom Rini wrote:
>>> Here's the latest report. Lets get these new issues addressed ASAP
>>> please, thanks.
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Wed, Aug 6, 2025 at 12:23 PM
>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>> To: <tom.rini@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to *Das
>>> U-Boot* found with Coverity Scan.
>>>
>>> - *New Defects Found:* 8
>>> - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
>>> the recent build analyzed by Coverity Scan.
>>> - *Defects Shown:* Showing 8 of 8 defect(s)
>>>
>>> Defect Details
>>>
>>> ** CID 583812: Integer handling issues (BAD_SHIFT)
>>> /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
>>
>> Could you please look at the issues on i3c parts, as I go on vacation, thanks!
>>
>
> Yes, I am working on it, give me just a couple of days!
Of course, Thanks for your time!
bye,
Heiko
>
> Thanks
> Dinesh
>
>> @Tom: Feel free to pick up fixes, thanks!
>>
>> bye,
>> Heiko
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 583812: Integer handling issues (BAD_SHIFT)
>>> /drivers/i3c/master/dw-i3c-master.c: 1001 in dw_i3c_probe()
>>> 995 ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
>>> 996 master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
>>> 997
>>> 998 ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>> 999 master->datstartaddr = ret;
>>> 1000 master->maxdevs = ret >> 16;
>>>>>> CID 583812: Integer handling issues (BAD_SHIFT)
>>>>>> In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right
>> shifting by more than 63 bits has undefined behavior. The shift amount, "63 -
>> (master->maxdevs - 1)", is 64.
>>> 1001 master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>> 1002
>>> 1003 ret = i3c_master_register(&master->base, dev,
>>> 1004 &dw_mipi_i3c_ops, false);
>>> 1005 if (ret)
>>> 1006 goto err_assert_rst;
>>>
>>> ** CID 583811: (RESOURCE_LEAK)
>>> /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 583811: (RESOURCE_LEAK)
>>> /drivers/i3c/master.c: 1610 in of_i3c_master_add_i3c_boardinfo()
>>> 1604 }
>>> 1605
>>> 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
>>> 1607
>>> 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
>>> 1609 I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>>>>> CID 583811: (RESOURCE_LEAK)
>>>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1610 return -EINVAL;
>>> 1611
>>> 1612 boardinfo->init_dyn_addr = init_dyn_addr;
>>> 1613 boardinfo->of_node = node;
>>> 1614 list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
>>> 1615
>>> /drivers/i3c/master.c: 1586 in of_i3c_master_add_i3c_boardinfo()
>>> 1580 boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
>>> 1581 if (!boardinfo)
>>> 1582 return -ENOMEM;
>>> 1583
>>> 1584 if (reg[0]) {
>>> 1585 if (reg[0] > I3C_MAX_ADDR)
>>>>>> CID 583811: (RESOURCE_LEAK)
>>>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1586 return -EINVAL;
>>> 1587
>>> 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1589 reg[0]);
>>> 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> 1591 return -EINVAL;
>>> /drivers/i3c/master.c: 1591 in of_i3c_master_add_i3c_boardinfo()
>>> 1585 if (reg[0] > I3C_MAX_ADDR)
>>> 1586 return -EINVAL;
>>> 1587
>>> 1588 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1589 reg[0]);
>>> 1590 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>>>> CID 583811: (RESOURCE_LEAK)
>>>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1591 return -EINVAL;
>>> 1592 }
>>> 1593
>>> 1594 boardinfo->static_addr = reg[0];
>>> 1595
>>> 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
>>> /drivers/i3c/master.c: 1598 in of_i3c_master_add_i3c_boardinfo()
>>> 1592 }
>>> 1593
>>> 1594 boardinfo->static_addr = reg[0];
>>> 1595
>>> 1596 if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
>>> 1597 if (init_dyn_addr > I3C_MAX_ADDR)
>>>>>> CID 583811: (RESOURCE_LEAK)
>>>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1598 return -EINVAL;
>>> 1599
>>> 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1601 init_dyn_addr);
>>> 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> 1603 return -EINVAL;
>>> /drivers/i3c/master.c: 1603 in of_i3c_master_add_i3c_boardinfo()
>>> 1597 if (init_dyn_addr > I3C_MAX_ADDR)
>>> 1598 return -EINVAL;
>>> 1599
>>> 1600 addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1601 init_dyn_addr);
>>> 1602 if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>>>> CID 583811: (RESOURCE_LEAK)
>>>>>> Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1603 return -EINVAL;
>>> 1604 }
>>> 1605
>>> 1606 boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
>>> 1607
>>> 1608 if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
>>>
>>> ** CID 298388: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 298388: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 579 in dw_i3c_ccc_get()
>>> 573 return -ENOMEM;
>>> 574
>>> 575 cmd = xfer->cmds;
>>> 576 cmd->rx_buf = ccc->dests[0].payload.data;
>>> 577 cmd->rx_len = ccc->dests[0].payload.len;
>>> 578
>>>>>> CID 298388: Integer handling issues (SIGN_EXTENSION)
>>>>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type
>> "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type
>> "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits,
>> unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the
>> upper bits of the result will all be 1.
>>> 579 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc-
>>> dests[0].payload.len) |
>>> 580 COMMAND_PORT_TRANSFER_ARG;
>>> 581
>>> 582 cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
>>> 583 COMMAND_PORT_CP |
>>> 584 COMMAND_PORT_DEV_INDEX(pos) |
>>>
>>> ** CID 298037: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 298037: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 375 in dw_i3c_clk_cfg()
>>> 369 scl_timing = SCL_EXT_LCNT_1(lcnt);
>>> 370 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
>>> 371 scl_timing |= SCL_EXT_LCNT_2(lcnt);
>>> 372 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
>>> 373 scl_timing |= SCL_EXT_LCNT_3(lcnt);
>>> 374 lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>>>>> CID 298037: Integer handling issues (SIGN_EXTENSION)
>>>>>> Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned)
>> is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to
>> type "unsigned long" (64 bits, unsigned). If "lcnt << 24" is greater than
>> 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> 375 scl_timing |= SCL_EXT_LCNT_4(lcnt);
>>> 376 writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
>>> 377
>>> 378 return 0;
>>> 379 }
>>> 380
>>>
>>> ** CID 296053: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 296053: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 535 in dw_i3c_ccc_set()
>>> 529 return -ENOMEM;
>>> 530
>>> 531 cmd = xfer->cmds;
>>> 532 cmd->tx_buf = ccc->dests[0].payload.data;
>>> 533 cmd->tx_len = ccc->dests[0].payload.len;
>>> 534
>>>>>> CID 296053: Integer handling issues (SIGN_EXTENSION)
>>>>>> Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type
>> "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type
>> "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits,
>> unsigned). If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the
>> upper bits of the result will all be 1.
>>> 535 cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc-
>>> dests[0].payload.len) |
>>> 536 COMMAND_PORT_TRANSFER_ARG;
>>> 537
>>> 538 cmd->cmd_lo = COMMAND_PORT_CP |
>>> 539 COMMAND_PORT_DEV_INDEX(pos) |
>>> 540 COMMAND_PORT_CMD(ccc->id) |
>>>
>>> ** CID 295976: (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
>>> /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 295976: (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 395 in dw_i2c_clk_cfg()
>>> 389 return -EINVAL;
>>> 390
>>> 391 core_period = DIV_ROUND_UP(1000000000, core_rate);
>>> 392
>>> 393 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS,
>> core_period);
>>> 394 hcnt = DIV_ROUND_UP(core_rate,
>> I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>>>>> CID 295976: (SIGN_EXTENSION)
>>>>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
>> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
>> extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater
>> than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
>>> 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
>>> 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
>>> 398
>>> 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS,
>> core_period);
>>> 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) -
>> lcnt;
>>> /drivers/i3c/master/dw-i3c-master.c: 401 in dw_i2c_clk_cfg()
>>> 395 scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
>>> 396 SCL_I2C_FMP_TIMING_LCNT(lcnt);
>>> 397 writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
>>> 398
>>> 399 lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS,
>> core_period);
>>> 400 hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) -
>> lcnt;
>>>>>> CID 295976: (SIGN_EXTENSION)
>>>>>> Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
>> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
>> extended to type "unsigned long" (64 bits, unsigned). If "hcnt << 16" is greater
>> than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> 401 scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
>>> 402 SCL_I2C_FM_TIMING_LCNT(lcnt);
>>> 403 writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
>>> 404
>>> 405 writel(BUS_I3C_MST_FREE(lcnt), master->regs +
>> BUS_FREE_TIMING);
>>> 406 writel(readl(master->regs + DEVICE_CTRL) |
>> DEV_CTRL_I2C_SLAVE_PRESENT,
>>>
>>> ** CID 294913: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 724 in dw_i3c_master_priv_xfers()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 294913: Integer handling issues (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 724 in
>>> dw_i3c_master_priv_xfers()
>>> 718 if (!xfer)
>>> 719 return -ENOMEM;
>>> 720
>>> 721 for (i = 0; i < i3c_nxfers; i++) {
>>> 722 struct dw_i3c_cmd *cmd = &xfer->cmds[i];
>>> 723
>>>>>> CID 294913: Integer handling issues (SIGN_EXTENSION)
>>>>>> Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16
>> bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits,
>> signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If
>> "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will
>> all be 1.
>>> 724 cmd->cmd_hi =
>> COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
>>> 725 COMMAND_PORT_TRANSFER_ARG;
>>> 726
>>> 727 if (i3c_xfers[i].rnw) {
>>> 728 cmd->rx_buf = i3c_xfers[i].data.in;
>>> 729 cmd->rx_len = i3c_xfers[i].len;
>>>
>>> ** CID 294627: Integer handling issues (BAD_SHIFT)
>>> /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 294627: Integer handling issues (BAD_SHIFT)
>>> /drivers/i3c/master.c: 181 in i3c_bus_get_addr_slot_status()
>>> 175 int status, bitpos = addr * 2;
>>> 176
>>> 177 if (addr > I2C_MAX_ADDR)
>>> 178 return I3C_ADDR_SLOT_RSVD;
>>> 179
>>> 180 status = bus->addrslots[bitpos / BITS_PER_LONG];
>>>>>> CID 294627: Integer handling issues (BAD_SHIFT)
>>>>>> In expression "status >>= bitpos % 64", right shifting by more than 31 bits
>> has undefined behavior. The shift amount, "bitpos % 64", is as much as 63.
>>> 181 status >>= bitpos % BITS_PER_LONG;
>>> 182
>>> 183 return status & I3C_ADDR_SLOT_STATUS_MASK;
>>> 184 }
>>> 185
>>> 186 static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
>>>
>>>
>>>
>>> View Defects in Coverity Scan
>>> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>>>
>>> Best regards,
>>>
>>> The Coverity Scan Admin Team
>>>
>>> ----- End forwarded message -----
>>>
>>
>> --
>> Nabla Software Engineering
>> HRB 40522 Augsburg
>> Phone: +49 821 45592596
>> E-Mail: office@nabladev.com
>> Geschäftsführer : Stefano Babic
--
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2025-10-11 18:06 UTC (permalink / raw)
To: u-boot; +Cc: Mikhail Kshevetskiy, Dario Binacchi, Michael Trimarchi
[-- Attachment #1: Type: text/plain, Size: 1964 bytes --]
I think unfortunately the report email for when I merged in -next was
lost somewhere / wasn't sent. I may be able to get the details out the
dashboard.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Oct 10, 2025 at 7:08 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 1
- *Defects Shown:* Showing 1 of 1 defect(s)
Defect Details
** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
_____________________________________________________________________________________________
*** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
522 ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) /
(op->addr.dtr ? 2 : 1);
523
524 /* Dummy bytes are optional for some SPI flash memory operations */
525 if (op->dummy.nbytes)
526 ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) /
(op->dummy.dtr ? 2 : 1);
527
>>> CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
528 ncycles += ((op->data.nbytes * 8) / op->data.buswidth) /
(op->data.dtr ? 2 : 1);
529
530 return ncycles;
531 }
532 EXPORT_SYMBOL_GPL(spi_mem_calc_op_duration);
533
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-10-11 18:06 Tom Rini
@ 2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Mikhail Kshevetskiy @ 2025-10-12 14:22 UTC (permalink / raw)
To: Tom Rini, u-boot; +Cc: Dario Binacchi, Michael Trimarchi
On 11.10.2025 21:06, Tom Rini wrote:
> I think unfortunately the report email for when I merged in -next was
> lost somewhere / wasn't sent. I may be able to get the details out the
> dashboard.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Oct 10, 2025 at 7:08 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 1
> - *Defects Shown:* Showing 1 of 1 defect(s)
>
> Defect Details
>
> ** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> /drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
>
>
> _____________________________________________________________________________________________
> *** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> /drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
> 522 ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) /
> (op->addr.dtr ? 2 : 1);
> 523
> 524 /* Dummy bytes are optional for some SPI flash memory operations */
> 525 if (op->dummy.nbytes)
> 526 ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) /
> (op->dummy.dtr ? 2 : 1);
> 527
>>>> CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>>> Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
> 528 ncycles += ((op->data.nbytes * 8) / op->data.buswidth) /
> (op->data.dtr ? 2 : 1);
op->data.nbytes comes from file drivers/mtd/nand/spi/core.c, function
spinand_select_op_variant().
According to the code the max value of op->data.nbytes is
nanddev_per_page_oobsize(nand) + nanddev_page_size(nand)
thus it's slightly more than 4Kb (I never seen flashes with page size
large than 4Kb). According to this estimation the overflow will never
happen.
If it make sense, I can try to do something with it
Regards,
Mikhail Kshevetskiy
> 529
> 530 return ncycles;
> 531 }
> 532 EXPORT_SYMBOL_GPL(spi_mem_calc_op_duration);
> 533
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-10-12 14:22 ` Mikhail Kshevetskiy
@ 2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2025-10-12 19:07 UTC (permalink / raw)
To: Mikhail Kshevetskiy; +Cc: u-boot, Dario Binacchi, Michael Trimarchi
[-- Attachment #1: Type: text/plain, Size: 2531 bytes --]
On Sun, Oct 12, 2025 at 05:22:15PM +0300, Mikhail Kshevetskiy wrote:
>
> On 11.10.2025 21:06, Tom Rini wrote:
> > I think unfortunately the report email for when I merged in -next was
> > lost somewhere / wasn't sent. I may be able to get the details out the
> > dashboard.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Fri, Oct 10, 2025 at 7:08 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > found with Coverity Scan.
> >
> > - *New Defects Found:* 1
> > - *Defects Shown:* Showing 1 of 1 defect(s)
> >
> > Defect Details
> >
> > ** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> > /drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> > /drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
> > 522 ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) /
> > (op->addr.dtr ? 2 : 1);
> > 523
> > 524 /* Dummy bytes are optional for some SPI flash memory operations */
> > 525 if (op->dummy.nbytes)
> > 526 ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) /
> > (op->dummy.dtr ? 2 : 1);
> > 527
> >>>> CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
> >>>> Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
> > 528 ncycles += ((op->data.nbytes * 8) / op->data.buswidth) /
> > (op->data.dtr ? 2 : 1);
>
>
> op->data.nbytes comes from file drivers/mtd/nand/spi/core.c, function
> spinand_select_op_variant().
> According to the code the max value of op->data.nbytes is
>
> nanddev_per_page_oobsize(nand) + nanddev_page_size(nand)
>
> thus it's slightly more than 4Kb (I never seen flashes with page size
> large than 4Kb). According to this estimation the overflow will never
> happen.
>
> If it make sense, I can try to do something with it
Yes, please see what you can do about it and thanks for explaining that
it shouldn't be an actual problem.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-10-12 19:07 ` Tom Rini
@ 2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Mikhail Kshevetskiy @ 2025-11-01 6:32 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, Dario Binacchi, Michael Trimarchi
Hello Tom,
I just sent a fix for the issue in the my "coverity and 64-bit division
fixes" series.
If it's needed I can split the series and send patches separately.
Regards,
Mikhail Kshevetskiy
On 10/12/25 22:07, Tom Rini wrote:
> On Sun, Oct 12, 2025 at 05:22:15PM +0300, Mikhail Kshevetskiy wrote:
>> On 11.10.2025 21:06, Tom Rini wrote:
>>> I think unfortunately the report email for when I merged in -next was
>>> lost somewhere / wasn't sent. I may be able to get the details out the
>>> dashboard.
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Fri, Oct 10, 2025 at 7:08 PM
>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>> To: <tom.rini@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to *Das U-Boot*
>>> found with Coverity Scan.
>>>
>>> - *New Defects Found:* 1
>>> - *Defects Shown:* Showing 1 of 1 defect(s)
>>>
>>> Defect Details
>>>
>>> ** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> /drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
>>>
>>>
>>> _____________________________________________________________________________________________
>>> *** CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> /drivers/spi/spi-mem.c: 528 in spi_mem_calc_op_duration()
>>> 522 ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) /
>>> (op->addr.dtr ? 2 : 1);
>>> 523
>>> 524 /* Dummy bytes are optional for some SPI flash memory operations */
>>> 525 if (op->dummy.nbytes)
>>> 526 ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) /
>>> (op->dummy.dtr ? 2 : 1);
>>> 527
>>>>>> CID 537478: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>>>>> Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
>>> 528 ncycles += ((op->data.nbytes * 8) / op->data.buswidth) /
>>> (op->data.dtr ? 2 : 1);
>>
>> op->data.nbytes comes from file drivers/mtd/nand/spi/core.c, function
>> spinand_select_op_variant().
>> According to the code the max value of op->data.nbytes is
>>
>> nanddev_per_page_oobsize(nand) + nanddev_page_size(nand)
>>
>> thus it's slightly more than 4Kb (I never seen flashes with page size
>> large than 4Kb). According to this estimation the overflow will never
>> happen.
>>
>> If it make sense, I can try to do something with it
> Yes, please see what you can do about it and thanks for explaining that
> it shouldn't be an actual problem.
>
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-11-01 6:32 ` Mikhail Kshevetskiy
@ 2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2025-11-03 15:17 UTC (permalink / raw)
To: Mikhail Kshevetskiy; +Cc: u-boot, Dario Binacchi, Michael Trimarchi
[-- Attachment #1: Type: text/plain, Size: 307 bytes --]
On Sat, Nov 01, 2025 at 09:32:35AM +0300, Mikhail Kshevetskiy wrote:
p
> Hello Tom,
>
> I just sent a fix for the issue in the my "coverity and 64-bit division
> fixes" series.
> If it's needed I can split the series and send patches separately.
Thanks, that series looks fine to me.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2025-11-03 15:17 ` Tom Rini
@ 2025-11-03 15:24 ` Michael Nazzareno Trimarchi
0 siblings, 0 replies; 99+ messages in thread
From: Michael Nazzareno Trimarchi @ 2025-11-03 15:24 UTC (permalink / raw)
To: Tom Rini; +Cc: Mikhail Kshevetskiy, u-boot, Dario Binacchi
Hi Tom
On Mon, Nov 3, 2025 at 4:17 PM Tom Rini <trini@konsulko.com> wrote:
>
> On Sat, Nov 01, 2025 at 09:32:35AM +0300, Mikhail Kshevetskiy wrote:
> p
> > Hello Tom,
> >
> > I just sent a fix for the issue in the my "coverity and 64-bit division
> > fixes" series.
> > If it's needed I can split the series and send patches separately.
>
> Thanks, that series looks fine to me.
>
> --
I will pick with other series
Michael
> Tom
--
Michael Nazzareno Trimarchi
Co-Founder & Chief Executive Officer
M. +39 347 913 2170
michael@amarulasolutions.com
__________________________________
Amarula Solutions BV
Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
T. +31 (0)85 111 9172
info@amarulasolutions.com
www.amarulasolutions.com
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-11-10 18:55 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-11-10 18:55 UTC (permalink / raw)
To: u-boot, Kory Maincent
[-- Attachment #1: Type: text/plain, Size: 2627 bytes --]
Here's the latest report. Just 2 new issues, both from the extensions
series. Can we please address these shortly? Thanks!
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 10, 2025 at 12:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 2
- 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 2 of 2 defect(s)
Defect Details
** CID 638558: Memory - illegal accesses (UNINIT)
/boot/pxe_utils.c: 485 in label_boot_extension()
_____________________________________________________________________________________________
*** CID 638558: Memory - illegal accesses (UNINIT)
/boot/pxe_utils.c: 485 in label_boot_extension()
479 return;
480
481 snprintf(overlay_dir, dir_len, "%s%s", label->fdtdir,
482 slash);
483 } else {
484 dir_len = 2;
>>> CID 638558: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "overlay_dir" when calling "snprintf". [Note: The source code implementation of the function has been overridden by a builtin model.]
485 snprintf(overlay_dir, dir_len, "/");
486 }
487
488 alist_for_each(extension, extension_list) {
489 char *overlay_file;
490 ulong size;
** CID 638557: Null pointer dereferences (NULL_RETURNS)
_____________________________________________________________________________________________
*** CID 638557: Null pointer dereferences (NULL_RETURNS)
/cmd/extension_board.c: 102 in do_extension_list()
96 {
97 struct alist *extension_list;
98 struct extension *extension;
99 int i = 0;
100
101 extension_list = extension_get_list();
>>> CID 638557: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "extension_list" when calling "alist_get_ptr".
102 if (!alist_get_ptr(extension_list, 0)) {
103 printf("No extension registered - Please run \"extension scan\"\n");
104 return CMD_RET_SUCCESS;
105 }
106
107 alist_for_each(extension, extension_list) {
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-11-23 19:03 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-11-23 19:03 UTC (permalink / raw)
To: u-boot; +Cc: Marek Vasut, Heinrich Schuchardt
[-- Attachment #1: Type: text/plain, Size: 5351 bytes --]
Hey all,
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sun, Nov 23, 2025 at 12:28 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 3
- 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 3 of 3 defect(s)
Defect Details
** CID 639130: (CHECKED_RETURN)
/test/cmd/bdinfo.c: 166 in bdinfo_test_all()
/test/cmd/bdinfo.c: 164 in bdinfo_test_all()
/test/cmd/bdinfo.c: 165 in bdinfo_test_all()
_____________________________________________________________________________________________
*** CID 639130: (CHECKED_RETURN)
/test/cmd/bdinfo.c: 166 in bdinfo_test_all()
160
161 ut_assertok(bdinfo_check_mem(uts));
162
163 /* CONFIG_SYS_HAS_SRAM testing not supported */
164 ut_check_console_linen(uts, "flashstart");
165 ut_check_console_linen(uts, "flashsize");
>>> CID 639130: (CHECKED_RETURN)
>>> Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
166 ut_check_console_linen(uts, "flashoffset");
167 ut_assert_nextline("baudrate = %lu bps",
168 env_get_ulong("baudrate", 10, 1234));
169 ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
170 ut_assertok(test_num_l(uts, "reloc off", gd->reloc_off));
171 ut_assert_nextline("%-12s= %u-bit", "Build", (uint)sizeof(void *) * 8);
/test/cmd/bdinfo.c: 164 in bdinfo_test_all()
158 {
159 ut_assertok(test_num_l(uts, "boot_params", 0));
160
161 ut_assertok(bdinfo_check_mem(uts));
162
163 /* CONFIG_SYS_HAS_SRAM testing not supported */
>>> CID 639130: (CHECKED_RETURN)
>>> Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
164 ut_check_console_linen(uts, "flashstart");
165 ut_check_console_linen(uts, "flashsize");
166 ut_check_console_linen(uts, "flashoffset");
167 ut_assert_nextline("baudrate = %lu bps",
168 env_get_ulong("baudrate", 10, 1234));
169 ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
/test/cmd/bdinfo.c: 165 in bdinfo_test_all()
159 ut_assertok(test_num_l(uts, "boot_params", 0));
160
161 ut_assertok(bdinfo_check_mem(uts));
162
163 /* CONFIG_SYS_HAS_SRAM testing not supported */
164 ut_check_console_linen(uts, "flashstart");
>>> CID 639130: (CHECKED_RETURN)
>>> Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
165 ut_check_console_linen(uts, "flashsize");
166 ut_check_console_linen(uts, "flashoffset");
167 ut_assert_nextline("baudrate = %lu bps",
168 env_get_ulong("baudrate", 10, 1234));
169 ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
170 ut_assertok(test_num_l(uts, "reloc off", gd->reloc_off));
** CID 639129: Memory - illegal accesses (BUFFER_SIZE)
/drivers/clk/clk_scmi.c: 191 in scmi_clk_get_ctrl_flags()
_____________________________________________________________________________________________
*** CID 639129: Memory - illegal accesses (BUFFER_SIZE)
/drivers/clk/clk_scmi.c: 191 in scmi_clk_get_ctrl_flags()
185 char name[SCMI_CLOCK_NAME_LENGTH_MAX];
186 ret = scmi_clk_get_attibute(dev, clk->id & CLK_ID_MSK,
187 name, &attributes);
188 if (ret)
189 return ret;
190
>>> CID 639129: Memory - illegal accesses (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "clkscmi->name" of size 16 bytes might leave the destination string unterminated.
191 strncpy(clkscmi->name, name, SCMI_CLOCK_NAME_LENGTH_MAX);
192 if (CLK_HAS_RESTRICTIONS(attributes)) {
193 u32 perm;
194
195 ret = scmi_clk_get_permissions(dev, clk->id & CLK_ID_MSK, &perm);
196 if (ret < 0)
** CID 639128: Resource leaks (RESOURCE_LEAK)
/drivers/clk/clk_scmi.c: 373 in scmi_clk_probe()
_____________________________________________________________________________________________
*** CID 639128: Resource leaks (RESOURCE_LEAK)
/drivers/clk/clk_scmi.c: 373 in scmi_clk_probe()
367 return ret;
368
369 dev_clk_dm(dev, i, &clk_scmi->clk);
370 dev_set_parent_priv(clk_scmi->clk.dev, priv);
371 }
372
>>> CID 639128: Resource leaks (RESOURCE_LEAK)
>>> Variable "clk_scmi_bulk" going out of scope leaks the storage it points to.
373 return 0;
374 }
375
376 static int __scmi_clk_set_parent(struct clk *clk, struct clk *parent)
377 {
378 struct scmi_clk_parent_set_in in = {
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-12-08 19:38 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2025-12-08 19:38 UTC (permalink / raw)
To: u-boot, Adriana Nicolae
[-- Attachment #1: Type: text/plain, Size: 4279 bytes --]
Here's the latest Coverity scan report. I think the test/dm/clk_ccf.c
report is just a "works as intended" but I'm not sure off-hand about the
fdtdec.c test. Might be the case the previous test in the file also has
this problem, and since it's just test code, might also be fine enough.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Dec 8, 2025 at 1:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 2
- 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 2 of 2 defect(s)
Defect Details
** CID 639831: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 639831: (TAINTED_SCALAR)
/test/dm/fdtdec.c: 153 in dm_test_fdt_chosen_smbios()
147
148 blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149 blob = memalign(8, blob_sz);
150 ut_assertnonnull(blob);
151
152 /* Make a writable copy of the fdt blob */
>>> CID 639831: (TAINTED_SCALAR)
>>> Passing tainted expression "gd->fdt_blob->totalsize" to "fdt_open_into", which uses it as an offset.
153 ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155 /* Mock SMBIOS table */
156 entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
smbios3_entry));
157 memcpy(entry->anchor, "_SM3_", 5);
158 entry->length = sizeof(struct smbios3_entry);
/test/dm/fdtdec.c: 153 in dm_test_fdt_chosen_smbios()
147
148 blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149 blob = memalign(8, blob_sz);
150 ut_assertnonnull(blob);
151
152 /* Make a writable copy of the fdt blob */
>>> CID 639831: (TAINTED_SCALAR)
>>> Passing tainted expression "gd->fdt_blob->size_dt_strings" to "fdt_open_into", which uses it as an offset.
153 ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155 /* Mock SMBIOS table */
156 entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
smbios3_entry));
157 memcpy(entry->anchor, "_SM3_", 5);
158 entry->length = sizeof(struct smbios3_entry);
/test/dm/fdtdec.c: 153 in dm_test_fdt_chosen_smbios()
147
148 blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149 blob = memalign(8, blob_sz);
150 ut_assertnonnull(blob);
151
152 /* Make a writable copy of the fdt blob */
>>> CID 639831: (TAINTED_SCALAR)
>>> Passing tainted expression "gd->fdt_blob->size_dt_struct" to "fdt_open_into", which uses it as an offset.
153 ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155 /* Mock SMBIOS table */
156 entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
smbios3_entry));
157 memcpy(entry->anchor, "_SM3_", 5);
158 entry->length = sizeof(struct smbios3_entry);
** CID 639830: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/clk_ccf.c: 68 in dm_test_clk_ccf()
_____________________________________________________________________________________________
*** CID 639830: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/clk_ccf.c: 68 in dm_test_clk_ccf()
62 ut_asserteq(CLK_SET_RATE_NO_REPARENT, clk->flags);
63
64 rate = clk_get_parent_rate(clk);
65 ut_asserteq(rate, 60000000);
66
67 rate = clk_set_rate(clk, 60000000);
>>> CID 639830: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val1", where "rate" is known to be equal to -38, overflows the type of "_val1", which is type "unsigned int".
68 ut_asserteq(rate, -ENOSYS);
69
70 rate = clk_get_rate(clk);
71 ut_asserteq(rate, 60000000);
72
73 ret = clk_get_by_id(CLK_ID(dev, SANDBOX_CLK_PLL3_80M), &pclk);
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 10:03 ` Heiko Schocher
0 siblings, 2 replies; 99+ messages in thread
From: Tom Rini @ 2026-01-05 23:58 UTC (permalink / raw)
To: u-boot
Cc: Dmitrii Merkurev, Mattijs Korpershoek, Neil Armstrong,
Heiko Schocher, Ilias Apalodimas
[-- Attachment #1: Type: text/plain, Size: 15754 bytes --]
Hey all,
Here's the latest report, now that next has been merged to master. A few
of these are oddly showing up now, despite being in older code that
hasn't been touched and was being built before.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 5, 2026 at 3:24 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 15
- 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 15 of 15 defect(s)
Defect Details
** CID 640423: Control flow issues (DEADCODE)
/drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
_____________________________________________________________________________________________
*** CID 640423: Control flow issues (DEADCODE)
/drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
106 }
107 const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
108 CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
109 "mmc");
110
111 if (device == -1)
>>> CID 640423: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -22;".
112 return -EINVAL;
113
114 if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
115 return -EINVAL;
116
117 ret = bcb_find_partition_and_load(bcb_iface, device, "misc");
** CID 640422: Error handling issues (CHECKED_RETURN)
/boot/fdt_region.c: 330 in fdt_include_supernodes()
_____________________________________________________________________________________________
*** CID 640422: Error handling issues (CHECKED_RETURN)
/boot/fdt_region.c: 330 in fdt_include_supernodes()
324 */
325 for (i = 0; i <= depth; i++) {
326 if (!info->stack[i].included) {
327 start = info->stack[i].offset;
328
329 /* Add the FDT_BEGIN_NODE tag of this supernode */
>>> CID 640422: Error handling issues (CHECKED_RETURN)
>>> Calling "fdt_next_tag" without checking return value (as is done elsewhere 12 out of 15 times).
330 fdt_next_tag(info->fdt, start, &stop_at);
331 if (fdt_add_region(info, base + start, stop_at - start))
332 return -1;
333
334 /* Remember that this supernode is now included */
335 info->stack[i].included = 1;
** CID 640421: Possible Control flow issues (DEADCODE)
/drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
_____________________________________________________________________________________________
*** CID 640421: Possible Control flow issues (DEADCODE)
/drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
132 CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
133
134 if (!part_name || !strcmp(part_name, "")) {
135 fastboot_fail("partition not given", response);
136 return -ENOENT;
137 }
>>> CID 640421: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
138 if (!interface || !strcmp(interface, "")) {
139 fastboot_fail("block interface isn't provided", response);
140 return -EINVAL;
141 }
142
143 *dev_desc = blk_get_dev(interface, device);
** CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49 in env_fat_get_dev_part()
_____________________________________________________________________________________________
*** CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49 in env_fat_get_dev_part()
43 __weak char *env_fat_get_dev_part(void)
44 {
45 #ifdef CONFIG_MMC
46 /* reserve one more char for the manipulation below */
47 static char part_str[] = CONFIG_ENV_FAT_DEVICE_AND_PART "\0";
48
>>> CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT)
>>> "strcmp("mmc", "mmc")" is always 0 because ""mmc"" is compared against itself.
49 if (!strcmp(CONFIG_ENV_FAT_INTERFACE, "mmc") && part_str[0] == ':') {
50 part_str[0] = '0' + mmc_get_env_dev();
51 strcpy(&part_str[1], CONFIG_ENV_FAT_DEVICE_AND_PART);
52 }
53
54 return part_str;
** CID 640419: Null pointer dereferences (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
_____________________________________________________________________________________________
*** CID 640419: Null pointer dereferences (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
138 if (!interface || !strcmp(interface, "")) {
139 fastboot_fail("block interface isn't provided", response);
140 return -EINVAL;
141 }
142
143 *dev_desc = blk_get_dev(interface, device);
>>> CID 640419: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
144 if (!dev_desc) {
145 fastboot_fail("no such device", response);
146 return -ENODEV;
147 }
148
149 ret = part_get_info_by_name(*dev_desc, part_name, part_info);
** CID 640418: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640418: Insecure data handling (TAINTED_SCALAR)
/drivers/core/ofnode.c: 2098 in ofnode_copy_props()
2092
2093 val = ofprop_get_property(&prop, &name, &len);
2094 if (!val) {
2095 log_debug("Cannot read prop (err=%d)\n", len);
2096 return log_msg_ret("get", -EINVAL);
2097 }
>>> CID 640418: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "len" to "ofnode_write_prop", which uses it as an offset.
2098 ret = ofnode_write_prop(dst, name, val, len, true);
2099 if (ret) {
2100 log_debug("Cannot write prop (err=%d)\n", ret);
2101 return log_msg_ret("wr", -EINVAL);
2102 }
2103 }
** CID 640417: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546 in fdt_get_alias_namelen()
_____________________________________________________________________________________________
*** CID 640417: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546 in fdt_get_alias_namelen()
540 {
541 int len;
542 const char *alias;
543
544 alias = fdt_path_getprop_namelen(fdt, "/aliases", name, namelen, &len);
545
>>> CID 640417: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "len - 1" as an index to pointer "alias".
546 if (!can_assume(VALID_DTB) &&
547 !(alias && len > 0 && alias[len - 1] == '\0' && *alias == '/'))
548 return NULL;
549
550 return alias;
551 }
** CID 640416: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640416: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_overlay.c: 739 in
overlay_prevent_phandle_overwrite()
733 * will be overwritten.
734 */
735 continue;
736 else if (target < 0)
737 return target;
738
>>> CID 640416: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "target" to "overlay_prevent_phandle_overwrite_node", which uses it as a loop boundary.
739 ret = overlay_prevent_phandle_overwrite_node(fdt, target,
740 fdto, overlay);
741 if (ret)
742 return ret;
743 }
744
** CID 640415: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728 in
_wrap_fdt_get_property_by_offset_w()
_____________________________________________________________________________________________
*** CID 640415: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728 in
_wrap_fdt_get_property_by_offset_w()
6722 resultobj = SWIG_Python_AppendOutput(resultobj, buff);
6723 }
6724 }
6725 if (SWIG_IsTmpObj(res3)) {
6726 resultobj = SWIG_Python_AppendOutput(resultobj,
SWIG_From_int((*arg3)));
6727 } else {
>>> CID 640415: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res3 >= 0 && ...".
6728 int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN |
0 ) : 0 ;
6729 resultobj = SWIG_Python_AppendOutput(resultobj,
SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags));
6730 }
6731 return resultobj;
6732 fail:
6733 return NULL;
** CID 640414: Resource leaks (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320 in icc_path_init()
_____________________________________________________________________________________________
*** CID 640414: Resource leaks (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320 in icc_path_init()
314 path->reqs[i].node = node;
315 path->reqs[i].enabled = true;
316
317 /* Probe this node since used in an active path */
318 ret = uclass_get_device_tail(node->dev, 0, &node_dev);
319 if (ret)
>>> CID 640414: Resource leaks (RESOURCE_LEAK)
>>> Variable "path" going out of scope leaks the storage it points to.
320 return ERR_PTR(ret);
321
322 node->users++;
323
324 /* reference to previous node was saved during path traversal */
325 node = node->reverse;
** CID 536550: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57 in read_fstree()
_____________________________________________________________________________________________
*** CID 536550: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57 in read_fstree()
51 fclose(pfile);
52 }
53 } else if (S_ISDIR(st.st_mode)) {
54 struct node *newchild;
55
56 newchild = read_fstree(tmpname);
>>> CID 536550: Resource leaks (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "xstrdup(de->d_name)" leaks it.
57 newchild = name_node(newchild, xstrdup(de->d_name));
58 add_child(tree, newchild);
59 }
60
61 free(tmpname);
62 }
** CID 536369: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681 in flat_read_property()
_____________________________________________________________________________________________
*** CID 536369: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681 in flat_read_property()
675
676 if ((flags & FTF_VARALIGN) && (proplen >= 8))
677 flat_realign(dtbuf, 8);
678
679 val = flat_read_data(dtbuf, proplen);
680
>>> CID 536369: Resource leaks (RESOURCE_LEAK)
>>> Variable "name" going out of scope leaks the storage it points to.
681 return build_property(name, val, NULL);
682 }
683
684 static struct reserve_info *flat_read_mem_reserve(struct inbuf *inb)
685 {
686 struct reserve_info *reservelist = NULL;
** CID 449815: Memory - illegal accesses (OVERRUN)
/lib/sm3.c: 252 in sm3_final()
_____________________________________________________________________________________________
*** CID 449815: Memory - illegal accesses (OVERRUN)
/lib/sm3.c: 252 in sm3_final()
246 unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
247 u32 W[16];
248 int i;
249
250 sctx->buffer[partial++] = 0x80;
251 if (partial > bit_offset) {
>>> CID 449815: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer "sctx->buffer + partial". [Note: The source code implementation of the function has been overridden by a builtin model.]
252 memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial);
253 partial = 0;
254
255 sm3_block(sctx, sctx->buffer, 1, W);
256 }
257
** CID 432237: Null pointer dereferences (NULL_RETURNS)
_____________________________________________________________________________________________
*** CID 432237: Null pointer dereferences (NULL_RETURNS)
/scripts/dtc/checks.c: 1618 in check_interrupt_map()
1612 if (node->addr_cells < 0) {
1613 FAIL(c, dti, node,
1614 "Missing '#address-cells' in interrupt-map provider");
1615 return;
1616 }
1617 cellsize = node_addr_cells(node);
>>> CID 432237: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "get_property(node, "#interrupt-cells")" when calling "propval_cell".
1618 cellsize += propval_cell(get_property(node, "#interrupt-cells"));
1619
1620 prop = get_property(node, "interrupt-map-mask");
1621 if (prop && (prop->val.len != (cellsize * sizeof(cell_t))))
1622 FAIL_PROP(c, dti, node, prop,
1623 "property size (%d) is invalid, expected %zu",
** CID 328724: (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55 in apply_one()
/scripts/dtc/fdtoverlay.c: 69 in apply_one()
_____________________________________________________________________________________________
*** CID 328724: (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55 in apply_one()
49 bool has_symbols;
50
51 /*
52 * We take copies first, because a failed apply can trash
53 * both the base blob and the overlay
54 */
>>> CID 328724: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "xmalloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
55 tmpo = xmalloc(fdt_totalsize(overlay));
56
57 do {
58 tmp = xrealloc(tmp, *buf_len);
59 ret = fdt_open_into(base, tmp, *buf_len);
60 if (ret) {
/scripts/dtc/fdtoverlay.c: 69 in apply_one()
63 fdt_strerror(ret));
64 goto fail;
65 }
66 ret = fdt_path_offset(tmp, "/__symbols__");
67 has_symbols = ret >= 0;
68
>>> CID 328724: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
69 memcpy(tmpo, overlay, fdt_totalsize(overlay));
70
71 ret = fdt_overlay_apply(tmp, tmpo);
72 if (ret == -FDT_ERR_NOSPACE) {
73 *buf_len += BUF_INCREMENT;
74 }
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-01-05 23:58 Tom Rini
@ 2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
1 sibling, 1 reply; 99+ messages in thread
From: Mattijs Korpershoek @ 2026-01-06 9:37 UTC (permalink / raw)
To: Tom Rini, u-boot
Cc: Dmitrii Merkurev, Mattijs Korpershoek, Neil Armstrong,
Heiko Schocher, Ilias Apalodimas
Hi Tom,
On Mon, Jan 05, 2026 at 17:58, Tom Rini <trini@konsulko.com> wrote:
> Hey all,
>
> Here's the latest report, now that next has been merged to master. A few
> of these are oddly showing up now, despite being in older code that
> hasn't been touched and was being built before.
For fastboot, some code has been moved from mmc only support to
fb_block.c, which might explain the new errors.
See: https://lore.kernel.org/all/20251121-topic-fastboot-blk-v7-0-9589d902fc91@linaro.org/
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Jan 5, 2026 at 3:24 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 15
> - 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 15 of 15 defect(s)
>
> Defect Details
>
> ** CID 640423: Control flow issues (DEADCODE)
> /drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
>
>
> _____________________________________________________________________________________________
> *** CID 640423: Control flow issues (DEADCODE)
> /drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
> 106 }
> 107 const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
> 108 CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
> 109 "mmc");
> 110
> 111 if (device == -1)
>>>> CID 640423: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "return -22;".
I believe coverity is wrong here.
we call config_opt_enabled() which by default returns -1 so it's
possible to have device == -1
This can happen when both CONFIG_FASTBOOT_FLASH_BLOCK and
CONFIG_FASTBOOT_FLASH_MMC are unset.
(for example when we use CONFIG_FASTBOOT_FLASH_SPI)
> 112 return -EINVAL;
> 113
> 114 if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
> 115 return -EINVAL;
> 116
> 117 ret = bcb_find_partition_and_load(bcb_iface, device, "misc");
>
[...]
>
> ** CID 640421: Possible Control flow issues (DEADCODE)
> /drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
>
>
> _____________________________________________________________________________________________
> *** CID 640421: Possible Control flow issues (DEADCODE)
> /drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
> 132 CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
> 133
> 134 if (!part_name || !strcmp(part_name, "")) {
> 135 fastboot_fail("partition not given", response);
> 136 return -ENOENT;
> 137 }
>>>> CID 640421: Possible Control flow issues (DEADCODE)
>>>> Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
> 138 if (!interface || !strcmp(interface, "")) {
> 139 fastboot_fail("block interface isn't provided", response);
> 140 return -EINVAL;
I believe coverity is wrong here as well.
we call config_opt_enabled() which by default returns NULL for interface.
And when we enable CONFIG_FASTBOOT_FLASH_BLOCK,
CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME will be set to "" by default:
$ rg 'FASTBOOT_FLASH_BLOCK_INTERFACE_NAME' .config
1097:CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME=""
> 141 }
> 142
> 143 *dev_desc = blk_get_dev(interface, device);
>
[...]
>
> ** CID 640419: Null pointer dereferences (REVERSE_INULL)
> /drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
>
>
> _____________________________________________________________________________________________
> *** CID 640419: Null pointer dereferences (REVERSE_INULL)
> /drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
> 138 if (!interface || !strcmp(interface, "")) {
> 139 fastboot_fail("block interface isn't provided", response);
> 140 return -EINVAL;
> 141 }
> 142
> 143 *dev_desc = blk_get_dev(interface, device);
>>>> CID 640419: Null pointer dereferences (REVERSE_INULL)
>>>> Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 144 if (!dev_desc) {
> 145 fastboot_fail("no such device", response);
> 146 return -ENODEV;
> 147 }
Fair enough for this one. We can check that dev_desc is not NULL to make
sure that the caller cannot call fastboot_block_get_part_info() with
NULL as second argument.
I'll submit a patch for this once I've cleared out my review queue.
> 148
> 149 ret = part_get_info_by_name(*dev_desc, part_name, part_info);
>
>
[...]
For the first 2, do you want me to update the coverity database online
with these explanations?
It has been a while but I think I can do that myself.
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
@ 2026-01-06 10:03 ` Heiko Schocher
1 sibling, 0 replies; 99+ messages in thread
From: Heiko Schocher @ 2026-01-06 10:03 UTC (permalink / raw)
To: Tom Rini, u-boot
Cc: Dmitrii Merkurev, Mattijs Korpershoek, Neil Armstrong,
Ilias Apalodimas
Hello Tom,
On 06.01.26 00:58, Tom Rini wrote:
> ** CID 449815: Memory - illegal accesses (OVERRUN)
> /lib/sm3.c: 252 in sm3_final()
>
>
> _____________________________________________________________________________________________
> *** CID 449815: Memory - illegal accesses (OVERRUN)
> /lib/sm3.c: 252 in sm3_final()
> 246 unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
> 247 u32 W[16];
> 248 int i;
> 249
> 250 sctx->buffer[partial++] = 0x80;
> 251 if (partial > bit_offset) {
>>>> CID 449815: Memory - illegal accesses (OVERRUN)
>>>> Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer "sctx->buffer + partial". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 252 memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial);
> 253 partial = 0;
> 254
> 255 sm3_block(sctx, sctx->buffer, 1, W);
> 256 }
> 257
>
> ** CID 432237: Null pointer dereferences (NULL_RETURNS)
Good catch, as this part is completly from linux [1]
(nowaydays this code is gone at HEAD)
prepared patch, azure run started for it:
https://dev.azure.com/hs0298/hs/_build/results?buildId=197&view=results
if no problems found, I send it.
bye,
Heiko
[1] https://elixir.bootlin.com/linux/v6.14/source/include/crypto/sm3_base.h#L86
--
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-01-06 9:37 ` Mattijs Korpershoek
@ 2026-01-06 17:15 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-01-06 17:15 UTC (permalink / raw)
To: Mattijs Korpershoek
Cc: u-boot, Dmitrii Merkurev, Neil Armstrong, Heiko Schocher,
Ilias Apalodimas
[-- Attachment #1: Type: text/plain, Size: 5777 bytes --]
On Tue, Jan 06, 2026 at 10:37:48AM +0100, Mattijs Korpershoek wrote:
> Hi Tom,
>
> On Mon, Jan 05, 2026 at 17:58, Tom Rini <trini@konsulko.com> wrote:
>
> > Hey all,
> >
> > Here's the latest report, now that next has been merged to master. A few
> > of these are oddly showing up now, despite being in older code that
> > hasn't been touched and was being built before.
>
> For fastboot, some code has been moved from mmc only support to
> fb_block.c, which might explain the new errors.
>
> See: https://lore.kernel.org/all/20251121-topic-fastboot-blk-v7-0-9589d902fc91@linaro.org/
>
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Mon, Jan 5, 2026 at 3:24 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > found with Coverity Scan.
> >
> > - *New Defects Found:* 15
> > - 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > the recent build analyzed by Coverity Scan.
> > - *Defects Shown:* Showing 15 of 15 defect(s)
> >
> > Defect Details
> >
> > ** CID 640423: Control flow issues (DEADCODE)
> > /drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 640423: Control flow issues (DEADCODE)
> > /drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
> > 106 }
> > 107 const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
> > 108 CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
> > 109 "mmc");
> > 110
> > 111 if (device == -1)
> >>>> CID 640423: Control flow issues (DEADCODE)
> >>>> Execution cannot reach this statement: "return -22;".
>
> I believe coverity is wrong here.
> we call config_opt_enabled() which by default returns -1 so it's
> possible to have device == -1
>
> This can happen when both CONFIG_FASTBOOT_FLASH_BLOCK and
> CONFIG_FASTBOOT_FLASH_MMC are unset.
> (for example when we use CONFIG_FASTBOOT_FLASH_SPI)
>
> > 112 return -EINVAL;
> > 113
> > 114 if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
> > 115 return -EINVAL;
> > 116
> > 117 ret = bcb_find_partition_and_load(bcb_iface, device, "misc");
> >
>
> [...]
>
> >
> > ** CID 640421: Possible Control flow issues (DEADCODE)
> > /drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 640421: Possible Control flow issues (DEADCODE)
> > /drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
> > 132 CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
> > 133
> > 134 if (!part_name || !strcmp(part_name, "")) {
> > 135 fastboot_fail("partition not given", response);
> > 136 return -ENOENT;
> > 137 }
> >>>> CID 640421: Possible Control flow issues (DEADCODE)
> >>>> Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
> > 138 if (!interface || !strcmp(interface, "")) {
> > 139 fastboot_fail("block interface isn't provided", response);
> > 140 return -EINVAL;
>
> I believe coverity is wrong here as well.
> we call config_opt_enabled() which by default returns NULL for interface.
>
> And when we enable CONFIG_FASTBOOT_FLASH_BLOCK,
> CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME will be set to "" by default:
>
> $ rg 'FASTBOOT_FLASH_BLOCK_INTERFACE_NAME' .config
> 1097:CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME=""
>
>
> > 141 }
> > 142
> > 143 *dev_desc = blk_get_dev(interface, device);
> >
>
> [...]
>
> >
> > ** CID 640419: Null pointer dereferences (REVERSE_INULL)
> > /drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 640419: Null pointer dereferences (REVERSE_INULL)
> > /drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
> > 138 if (!interface || !strcmp(interface, "")) {
> > 139 fastboot_fail("block interface isn't provided", response);
> > 140 return -EINVAL;
> > 141 }
> > 142
> > 143 *dev_desc = blk_get_dev(interface, device);
> >>>> CID 640419: Null pointer dereferences (REVERSE_INULL)
> >>>> Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> > 144 if (!dev_desc) {
> > 145 fastboot_fail("no such device", response);
> > 146 return -ENODEV;
> > 147 }
>
> Fair enough for this one. We can check that dev_desc is not NULL to make
> sure that the caller cannot call fastboot_block_get_part_info() with
> NULL as second argument.
>
> I'll submit a patch for this once I've cleared out my review queue.
>
> > 148
> > 149 ret = part_get_info_by_name(*dev_desc, part_name, part_info);
> >
> >
>
> [...]
>
> For the first 2, do you want me to update the coverity database online
> with these explanations?
> It has been a while but I think I can do that myself.
Thanks for looking in to all of these. I've gone ahead and updated
Coverity, but in the future if you'd like to go in and do that while
composing the emails, please feel free.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-06 20:36 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-01-06 20:36 UTC (permalink / raw)
To: u-boot
[-- Attachment #1: Type: text/plain, Size: 29243 bytes --]
Hey all,
This is really just to say that I've now been able to switch Coverity
scan over from "sandbox_defconfig" to "allyesconfig" (which is now also
in CI), so we have a lot more code being scanned. If you have access to
the dashboard already, and areas of interest, it's worth looking again
now. If you're already a project contributor and want to look for things
to work on, please let me know before asking for access to the
dashboard.
I am hopeful this will inspire people to make sure their code builds on
sandbox (and so allyesconfig) so that it can get further static checking
done to it, regularly.
And as a final funny to me note, while this email says 278 issues, the
other email (which just has high level info and I don't bother
forwarding) says 442 issues found.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Jan 6, 2026 at 2:18 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 278
- 49 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 20 of 278 defect(s)
Defect Details
** CID 640717: Control flow issues (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data()
_____________________________________________________________________________________________
*** CID 640717: Control flow issues (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125 in _read_sysinfo_variant_data()
119 dev->name, con);
120 return con;
121 }
122
123 priv->variant = con ? VAR_CON : VAR_CPU;
124
>>> CID 640717: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "0" inside this statement: "priv->multichannel = (mc4 ?...".
125 priv->multichannel = mc4 ? 4 : (mc2 ? 2 : (sc ? 1 : 0));
126
127 return 0;
128 }
129
130 /**
** CID 640716: Incorrect expression (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat()
_____________________________________________________________________________________________
*** CID 640716: Incorrect expression (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158 in iproc_rng200_of_to_plat()
152 }
153
154 static int iproc_rng200_of_to_plat(struct udevice *dev)
155 {
156 struct iproc_rng200_plat *pdata = dev_get_plat(dev);
157
>>> CID 640716: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "8UL /* sizeof (void *) */" to function "devfdt_map_physmem" which returns a value of type "void *" is suspicious.
158 pdata->base = devfdt_map_physmem(dev, sizeof(void *));
159 if (!pdata->base)
160 return -ENODEV;
161
162 return 0;
163 }
** CID 640715: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640715: (TAINTED_SCALAR)
/drivers/gpio/74x164_gpio.c: 145 in gen_74x164_probe()
139
140 /*
141 * See Linux kernel:
142 * Documentation/devicetree/bindings/gpio/gpio-74x164.txt
143 */
144 priv->nregs = fdtdec_get_int(fdt, node, "registers-number", 1);
>>> CID 640715: (TAINTED_SCALAR)
>>> Passing tainted expression "priv->nregs" to "dlcalloc", which uses it as an offset.
145 priv->buffer = calloc(priv->nregs, sizeof(u8));
146 if (!priv->buffer) {
147 ret = -ENOMEM;
148 goto free_str;
149 }
150
/drivers/gpio/74x164_gpio.c: 151 in gen_74x164_probe()
145 priv->buffer = calloc(priv->nregs, sizeof(u8));
146 if (!priv->buffer) {
147 ret = -ENOMEM;
148 goto free_str;
149 }
150
>>> CID 640715: (TAINTED_SCALAR)
>>> Passing tainted expression "priv->nregs" to "fdtdec_get_byte_array", which uses it as an offset.
151 ret = fdtdec_get_byte_array(fdt, node, "registers-default",
152 priv->buffer, priv->nregs);
153 if (ret)
154 dev_dbg(dev, "No registers-default property\n");
155
156 ret = gpio_request_by_name(dev, "oe-gpios", 0, &priv->oe,
** CID 640714: Control flow issues (DEADCODE)
/drivers/net/ftgmac100.c: 400 in ftgmac100_start()
_____________________________________________________________________________________________
*** CID 640714: Control flow issues (DEADCODE)
/drivers/net/ftgmac100.c: 400 in ftgmac100_start()
394 /* Configure TX/RX decsriptor size
395 * This size is calculated based on cache line.
396 */
397 desc_size = ARCH_DMA_MINALIGN / FTGMAC100_DESC_UNIT;
398 /* The descriptor size is at least 2 descriptor units. */
399 if (desc_size < 2)
>>> CID 640714: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "desc_size = 2U;".
400 desc_size = 2;
401 dblac = readl(&ftgmac100->dblac) & ~GENMASK(19, 12);
402 dblac |= FTGMAC100_DBLAC_RXDES_SIZE(desc_size) |
FTGMAC100_DBLAC_TXDES_SIZE(desc_size);
403 writel(dblac, &ftgmac100->dblac);
404
405 /* poll receive descriptor automatically */
** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg()
_____________________________________________________________________________________________
*** CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121 in sifive_serial_setbrg()
115 if (IS_ERR_VALUE(ret)) {
116 debug("SiFive UART clock not defined\n");
117 return 0;
118 }
119 } else {
120 clock = clk_get_rate(&clk);
>>> CID 640713: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "clock >= 18446744073709547521UL /* (unsigned long)-4095 */" is always false regardless of the values of its operands. This occurs as the logical operand of "!".
121 if (IS_ERR_VALUE(clock)) {
122 debug("SiFive UART clock get rate failed\n");
123 return 0;
124 }
125 }
126 plat->clock = clock;
** CID 640712: (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
_____________________________________________________________________________________________
*** CID 640712: (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582 in pcie_cdns_ti_bar_ib_config()
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
/drivers/pci/pcie_cdns_ti.c: 585 in pcie_cdns_ti_bar_ib_config()
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
>>> CID 640712: (BAD_SHIFT)
>>> In expression "aperture - 2U << bar * 8", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8", is as little as -8.
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
588 return 0;
589 }
590
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "bar_aperture_mask[bar] + 2 - 2 << bar * 8", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8", is as little as -8.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 577 in pcie_cdns_ti_bar_ib_config()
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
>>> CID 640712: (BAD_SHIFT)
>>> In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 578 in pcie_cdns_ti_bar_ib_config()
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
/drivers/pci/pcie_cdns_ti.c: 581 in pcie_cdns_ti_bar_ib_config()
575 if (size + cpu_addr >= SZ_4G) {
576 if (!(flags & IORESOURCE_PREFETCH))
577 value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579 } else {
580 if (!(flags & IORESOURCE_PREFETCH))
>>> CID 640712: (BAD_SHIFT)
>>> In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
581 value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582 value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583 }
584
585 value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586 pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570 in pcie_cdns_ti_bar_ib_config()
564 pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566 if (bar == RP_NO_BAR)
567 return 0;
568
569 value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>> CID 640712: (BAD_SHIFT)
>>> In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior. The shift amount, "bar * 8 + 6", is as little as -2.
570 value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571 LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572 LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573 LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574 LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575 if (size + cpu_addr >= SZ_4G) {
** CID 640711: Memory - corruptions (OVERRUN)
_____________________________________________________________________________________________
*** CID 640711: Memory - corruptions (OVERRUN)
/cmd/ubi.c: 806 in do_ubi()
800 if (!size) {
801 size = (int64_t)ubi->avail_pebs * ubi->leb_size;
802 printf("No size specified -> Using max size (%lld)\n", size);
803 }
804 /* E.g., create volume */
805 if (argc == 3) {
>>> CID 640711: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 129 by passing argument "id" (which evaluates to 256) in call to "ubi_create_vol".
806 return ubi_create_vol(argv[2], size, dynamic, id,
807 skipcheck);
808 }
809 }
810
811 if (strncmp(argv[1], "remove", 6) == 0) {
** CID 640710: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641 in do_tpm_list()
_____________________________________________________________________________________________
*** CID 640710: Insecure data handling (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641 in do_tpm_list()
635 ptr = buf + 2;
636
637 printf("Resources of type %s (%02x):\n", argv[1], type);
638 if (!res_count) {
639 puts("None\n");
640 } else {
>>> CID 640710: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "res_count" as a loop boundary.
641 for (i = 0; i < res_count; ++i, ptr += 4)
642 printf("Index %d: %08x\n", i, get_unaligned_be32(ptr));
643 }
644
645 return 0;
646 }
** CID 640709: Integer handling issues (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup()
_____________________________________________________________________________________________
*** CID 640709: Integer handling issues (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156 in atmel_smc_cs_conf_set_setup()
150 * The formula described in atmel datasheets (section "SMC Setup
151 * Register"):
152 *
153 * ncycles = (128 * xx_SETUP[5]) + xx_SETUP[4:0]
154 */
155 ret = atmel_smc_cs_encode_ncycles(ncycles, 5, 1, 128, &val);
>>> CID 640709: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "0xffffffffffffffffUL << shift", where "shift" is known to be equal to 24, overflows the type of "0xffffffffffffffffUL << shift", which is type "unsigned long".
156 conf->setup &= ~GENMASK(shift + 7, shift);
157 conf->setup |= val << shift;
158
159 return ret;
160 }
161 EXPORT_SYMBOL_GPL(atmel_smc_cs_conf_set_setup);
** CID 640708: Code maintainability issues (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp()
_____________________________________________________________________________________________
*** CID 640708: Code maintainability issues (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192 in get_parent_dss_vp()
186 int ret;
187
188 ep = ofnode_graph_get_endpoint_by_regs(oldi_tx, 0, -1);
189 if (ofnode_valid(ep)) {
190 dss_port = ofnode_graph_get_remote_port(ep);
191 if (!ofnode_valid(dss_port))
>>> CID 640708: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "-19" to "ret" here, but that stored value is overwritten before it can be used.
192 ret = -ENODEV;
193
194 ret = ofnode_read_u32(dss_port, "reg", parent_vp);
195 if (ret)
196 return -ENODEV;
197 return 0;
** CID 640707: Control flow issues (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302 in
max77663_ldo_val()
_____________________________________________________________________________________________
*** CID 640707: Control flow issues (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302 in
max77663_ldo_val()
296
297 if (op == PMIC_OP_GET) {
298 *uV = 0;
299
300 ret = max77663_ldo_hex2volt(idx, val & LDO_VOLT_MASK);
301 if (ret < 0)
>>> CID 640707: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return ret;".
302 return ret;
303
304 *uV = ret;
305 return 0;
306 }
307
** CID 640706: (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe()
/drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe()
_____________________________________________________________________________________________
*** CID 640706: (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277 in aspeed_gpio_probe()
271 static int aspeed_gpio_probe(struct udevice *dev)
272 {
273 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
274 struct aspeed_gpio_priv *priv = dev_get_priv(dev);
275
276 uc_priv->bank_name = dev->name;
>>> CID 640706: (CHECKED_RETURN)
>>> Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
277 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
278 priv->regs = devfdt_get_addr_ptr(dev);
279
280 return 0;
281 }
282
/drivers/gpio/gpio-aspeed-g7.c: 133 in aspeed_gpio_probe()
127 static int aspeed_gpio_probe(struct udevice *dev)
128 {
129 struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
130 struct aspeed_gpio_priv *priv = dev_get_priv(dev);
131
132 uc_priv->bank_name = dev->name;
>>> CID 640706: (CHECKED_RETURN)
>>> Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
133 ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
134 priv->regs = devfdt_get_addr_ptr(dev);
135
136 return 0;
137 }
138
** CID 640705: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v1.c: 863 in tpm1_find_key_sha1()
_____________________________________________________________________________________________
*** CID 640705: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-v1.c: 863 in tpm1_find_key_sha1()
857 err = tpm1_get_capability(dev, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
858 sizeof(buf));
859 if (err)
860 return -1;
861 key_count = get_unaligned_be16(buf);
862 ptr = buf + 2;
>>> CID 640705: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "key_count" as a loop boundary.
863 for (i = 0; i < key_count; ++i, ptr += 4)
864 key_handles[i] = get_unaligned_be32(ptr);
865
866 /* now search a(/ the) key which we can access with the given auth */
867 for (i = 0; i < key_count; ++i) {
868 buf_len = sizeof(buf);
** CID 640704: Uninitialized variables (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll()
_____________________________________________________________________________________________
*** CID 640704: Uninitialized variables (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199 in sdhci_cdns6_reset_phy_dll()
193 /* After reset, wait until HRS09.PHY_INIT_COMPLETE is set to
1 within 3000us*/
194 if (!reset) {
195 ret = readl_poll_timeout(reg, tmp, (tmp &
SDHCI_CDNS_HRS09_PHY_INIT_COMPLETE),
196 3000);
197 }
198
>>> CID 640704: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
199 return ret;
200 }
201
202 int sdhci_cdns6_phy_adj(struct udevice *dev, struct
sdhci_cdns_plat *plat, u32 mode)
203 {
204 struct sdhci_cdns6_phy_cfg *sdhci_cdns6_phy_cfgs;
** CID 640703: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat()
_____________________________________________________________________________________________
*** CID 640703: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667 in dm_test_fdt_remap_addr_index_flat()
661 fdt_size_t size;
662 void *paddr;
663
664 ut_assertok(uclass_find_device_by_seq(UCLASS_TEST_DUMMY, 0, &dev));
665
666 addr = devfdt_get_addr_size_index(dev, 0, &size);
>>> CID 640703: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "addr" is known to be equal to 18446744073709551615, overflows the type of "_val2", which is type "unsigned int".
667 ut_asserteq(0x8000, addr);
668 ut_asserteq(0x1000, size);
669
670 paddr = map_physmem(addr, 0, MAP_NOCACHE);
671 ut_assertnonnull(paddr);
672 ut_asserteq_ptr(paddr, devfdt_remap_addr_index(dev, 0));
** CID 640702: Uninitialized variables (UNINIT)
/drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat()
_____________________________________________________________________________________________
*** CID 640702: Uninitialized variables (UNINIT)
/drivers/video/imx/ldb.c: 85 in imx_ldb_of_to_plat()
79
80 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 1, -1, &priv->lvds1);
81 uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 2, -1, &priv->lvds2);
82 if (!priv->lvds1 && !priv->lvds2) {
83 debug("ldb: No remote panel for '%s' (ret=%d)\n",
84 dev_read_name(dev), ret);
>>> CID 640702: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
85 return ret;
86 }
87
88 return 0;
89 }
90
** CID 640701: Uninitialized variables (UNINIT)
/drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op()
_____________________________________________________________________________________________
*** CID 640701: Uninitialized variables (UNINIT)
/drivers/spi/xilinx_spi.c: 377 in xilinx_spi_mem_exec_op()
371 if (ret)
372 goto done;
373 }
374 done:
375 spi_cs_deactivate(spi->dev);
376
>>> CID 640701: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
377 return ret;
378 }
379
380 static int xilinx_qspi_check_buswidth(struct spi_slave *slave, u8 width)
381 {
382 u32 mode = slave->mode;
** CID 640700: Integer handling issues (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43 in xilinxgmiitorgmii_config()
_____________________________________________________________________________________________
*** CID 640700: Integer handling issues (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43 in
xilinxgmiitorgmii_config()
37 ret = ofnode_parse_phandle_with_args(node, "phy-handle",
38 NULL, 0, 0, &phandle);
39 if (ret)
40 return ret;
41
42 ext_phyaddr = ofnode_read_u32_default(phandle.node, "reg", -1);
>>> CID 640700: Integer handling issues (BAD_SHIFT)
>>> In expression "1 << ext_phyaddr", shifting by a negative amount has undefined behavior. The shift amount, "ext_phyaddr", is -1.
43 ext_phydev = phy_find_by_mask(phydev->bus,
44 1 << ext_phyaddr);
45 if (!ext_phydev) {
46 printf("%s, No external phy device found\n", __func__);
47 return -EINVAL;
48 }
** CID 640699: Control flow issues (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer()
_____________________________________________________________________________________________
*** CID 640699: Control flow issues (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262 in __atcspi200_spi_xfer()
256
257 if ((event & RXFVE_MASK) && (data_in)) {
258 rf_cnt = ((event & RXFVE_MASK)>> RXFVE_OFFSET);
259 if (rf_cnt >= CHUNK_SIZE)
260 rx_bytes = CHUNK_SIZE;
261 else if (num_blks == 1 && rf_cnt == num_bytes)
>>> CID 640699: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "rx_bytes = num_bytes;".
262 rx_bytes = num_bytes;
263 else
264 continue;
265
266 if (__nspi_espi_rx(ns, din, rx_bytes) == rx_bytes) {
267 num_blks -= CHUNK_SIZE;
** CID 640698: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640698: Insecure data handling (TAINTED_SCALAR)
/drivers/net/bnxt/bnxt.c: 446 in bnxt_hwrm_ver_get()
440 req = (struct hwrm_ver_get_input *)bp->hwrm_addr_req;
441 resp = (struct hwrm_ver_get_output *)bp->hwrm_addr_resp;
442 hwrm_init(bp, (void *)req, (u16)HWRM_VER_GET, cmd_len);
443 req->hwrm_intf_maj = HWRM_VERSION_MAJOR;
444 req->hwrm_intf_min = HWRM_VERSION_MINOR;
445 req->hwrm_intf_upd = HWRM_VERSION_UPDATE;
>>> CID 640698: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*bp->hwrm_addr_resp" to "wait_resp", which uses it as an offset.
446 rc = wait_resp(bp, HWRM_CMD_DEFAULT_TIMEOUT, cmd_len, __func__);
447 if (rc)
448 return STATUS_FAILURE;
449
450 bp->hwrm_spec_code =
451 resp->hwrm_intf_maj_8b << 16 |
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2026-01-16 19:43 UTC (permalink / raw)
To: u-boot; +Cc: Guillaume La Roque, Mattijs Korpershoek
[-- Attachment #1: Type: text/plain, Size: 12221 bytes --]
Hey all,
Here's the latest report from Coverity scan. For the LZMA ones, the
_pad_ stuff seems to be a false positive (the _pad_ byte is just for
padding and not refernced) and the flow control one is how that's
written for whatever reason the upstream author wanted it like that.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Jan 16, 2026 at 1:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 7
- 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 7 of 7 defect(s)
Defect Details
** CID 641431: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641431: (TAINTED_SCALAR)
/boot/image-android.c: 434 in android_image_get_kernel()
428 if (*newbootargs) /* If there is something in newbootargs, a
space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
433 env_set("bootargs", newbootargs);
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
439 } else {
/boot/image-android.c: 433 in android_image_get_kernel()
427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
428 if (*newbootargs) /* If there is something in newbootargs, a
space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
433 env_set("bootargs", newbootargs);
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
/boot/image-android.c: 434 in android_image_get_kernel()
428 if (*newbootargs) /* If there is something in newbootargs, a
space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
433 env_set("bootargs", newbootargs);
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
439 } else {
/boot/image-android.c: 433 in android_image_get_kernel()
427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
428 if (*newbootargs) /* If there is something in newbootargs, a
space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
433 env_set("bootargs", newbootargs);
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
/boot/image-android.c: 433 in android_image_get_kernel()
427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
428 if (*newbootargs) /* If there is something in newbootargs, a
space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
433 env_set("bootargs", newbootargs);
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
/boot/image-android.c: 434 in android_image_get_kernel()
428 if (*newbootargs) /* If there is something in newbootargs, a
space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
433 env_set("bootargs", newbootargs);
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
439 } else {
** CID 641430: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641430: (TAINTED_SCALAR)
/cmd/abootimg.c: 244 in abootimg_get_ramdisk()
238 &rd_data, &rd_len))
239 return CMD_RET_FAILURE;
240
241 if (argc == 0) {
242 printf("%lx\n", rd_data);
243 } else {
>>> CID 641430: (TAINTED_SCALAR)
>>> Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
244 env_set_hex(argv[0], rd_data);
245 if (argc == 2)
246 env_set_hex(argv[1], rd_len);
247 }
248
249 return CMD_RET_SUCCESS;
/cmd/abootimg.c: 246 in abootimg_get_ramdisk()
240
241 if (argc == 0) {
242 printf("%lx\n", rd_data);
243 } else {
244 env_set_hex(argv[0], rd_data);
245 if (argc == 2)
>>> CID 641430: (TAINTED_SCALAR)
>>> Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.
246 env_set_hex(argv[1], rd_len);
247 }
248
249 return CMD_RET_SUCCESS;
250 }
251
** CID 641429: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641429: Insecure data handling (TAINTED_SCALAR)
/boot/image-android.c: 307 in android_image_get_data()
301 printf("Incorrect vendor boot image header\n");
302 unmap_sysmem(vhdr);
303 unmap_sysmem(bhdr);
304 return false;
305 }
306 android_boot_image_v3_v4_parse_hdr((const struct
andr_boot_img_hdr_v3 *)bhdr, data);
>>> CID 641429: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.
307 android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
308 unmap_sysmem(vhdr);
309 } else {
310 android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
311 }
312
** CID 641428: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641428: (TAINTED_SCALAR)
/boot/image-android.c: 658 in android_image_set_bootconfig()
652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654 /* Map Dest */
655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657 /* Copy data */
>>> CID 641428: (TAINTED_SCALAR)
>>> Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
659 ramdisk_dest);
660
661 unmap_sysmem(ramdisk_dest);
662 free(params);
663 free(new_bootargs);
/boot/image-android.c: 658 in android_image_set_bootconfig()
652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654 /* Map Dest */
655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657 /* Copy data */
>>> CID 641428: (TAINTED_SCALAR)
>>> Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
659 ramdisk_dest);
660
661 unmap_sysmem(ramdisk_dest);
662 free(params);
663 free(new_bootargs);
/boot/image-android.c: 658 in android_image_set_bootconfig()
652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654 /* Map Dest */
655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657 /* Copy data */
>>> CID 641428: (TAINTED_SCALAR)
>>> Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
659 ramdisk_dest);
660
661 unmap_sysmem(ramdisk_dest);
662 free(params);
663 free(new_bootargs);
** CID 332278: Control flow issues (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
_____________________________________________________________________________________________
*** CID 332278: Control flow issues (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
714 UInt32 code = p->code;
715 const Byte *bufLimit = *bufOut;
716 const CLzmaProb *probs = GET_PROBS;
717 unsigned state = (unsigned)p->state;
718 ELzmaDummy res;
719
>>> CID 332278: Control flow issues (UNREACHABLE)
>>> Since the loop increment is unreachable, the loop body will never execute more than once.
720 for (;;)
721 {
722 const CLzmaProb *prob;
723 UInt32 bound;
724 unsigned ttt;
725 unsigned posState = CALC_POS_STATE(p->processedPos,
((unsigned)1 << p->prop.pb) - 1);
** CID 252901: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
_____________________________________________________________________________________________
*** CID 252901: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
1289
1290 SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props,
unsigned propsSize, ISzAllocPtr alloc)
1291 {
1292 CLzmaProps propNew;
1293 RINOK(LzmaProps_Decode(&propNew, props, propsSize))
1294 RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>> CID 252901: Uninitialized variables (UNINIT)
>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1295 p->prop = propNew;
1296 return SZ_OK;
1297 }
1298
1299 SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props,
unsigned propsSize, ISzAllocPtr alloc)
1300 {
** CID 252579: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
_____________________________________________________________________________________________
*** CID 252579: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
1321 {
1322 LzmaDec_FreeProbs(p, alloc);
1323 return SZ_ERROR_MEM;
1324 }
1325 }
1326 p->dicBufSize = dicBufSize;
>>> CID 252579: Uninitialized variables (UNINIT)
>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1327 p->prop = propNew;
1328 return SZ_OK;
1329 }
1330
1331 SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src,
SizeT *srcLen,
1332 const Byte *propData, unsigned propSize, ELzmaFinishMode
finishMode,
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-01-16 19:43 Tom Rini
@ 2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Guillaume La Roque @ 2026-02-09 11:05 UTC (permalink / raw)
To: Tom Rini, u-boot; +Cc: Mattijs Korpershoek
Hi Tom,
sorry for delay, i check defects please see my comments inline
Le 16/01/2026 à 20:43, Tom Rini a écrit :
> Hey all,
>
> Here's the latest report from Coverity scan. For the LZMA ones, the
> _pad_ stuff seems to be a false positive (the _pad_ byte is just for
> padding and not refernced) and the flow control one is how that's
> written for whatever reason the upstream author wanted it like that.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Jan 16, 2026 at 1:06 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 7
> - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 7 of 7 defect(s)
>
> Defect Details
>
> ** CID 641431: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641431: (TAINTED_SCALAR)
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
For CID 641431 : for me it's a false positives defect, malloc was done
with strlen return and free done on malloc pointer.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
>
> ** CID 641430: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641430: (TAINTED_SCALAR)
> /cmd/abootimg.c: 244 in abootimg_get_ramdisk()
> 238 &rd_data, &rd_len))
> 239 return CMD_RET_FAILURE;
> 240
> 241 if (argc == 0) {
> 242 printf("%lx\n", rd_data);
> 243 } else {
>>>> CID 641430: (TAINTED_SCALAR)
>>>> Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
> 244 env_set_hex(argv[0], rd_data);
> 245 if (argc == 2)
> 246 env_set_hex(argv[1], rd_len);
> 247 }
> 248
> 249 return CMD_RET_SUCCESS;
> /cmd/abootimg.c: 246 in abootimg_get_ramdisk()
> 240
> 241 if (argc == 0) {
> 242 printf("%lx\n", rd_data);
> 243 } else {
> 244 env_set_hex(argv[0], rd_data);
> 245 if (argc == 2)
>>>> CID 641430: (TAINTED_SCALAR)
>>>> Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.
CID 641430: false positive too. env_set_hex convert value on an env variable , so convert rd_len and rd_data
in variable.
> 246 env_set_hex(argv[1], rd_len);
> 247 }
> 248
> 249 return CMD_RET_SUCCESS;
> 250 }
> 251
>
> ** CID 641429: Insecure data handling (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641429: Insecure data handling (TAINTED_SCALAR)
> /boot/image-android.c: 307 in android_image_get_data()
> 301 printf("Incorrect vendor boot image header\n");
> 302 unmap_sysmem(vhdr);
> 303 unmap_sysmem(bhdr);
> 304 return false;
> 305 }
> 306 android_boot_image_v3_v4_parse_hdr((const struct
> andr_boot_img_hdr_v3 *)bhdr, data);
>>>> CID 641429: Insecure data handling (TAINTED_SCALAR)
>>>> Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.
CID 641429: False positive too. "vhdr->bootconfig_size" come from android image so external source , not possible to validate if value is good or not except when AVB feature was enabled
> 307 android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
> 308 unmap_sysmem(vhdr);
> 309 } else {
> 310 android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
> 311 }
> 312
>
> ** CID 641428: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641428: (TAINTED_SCALAR)
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
CID 641428: for me it's false positive too. img_data.boot_ramdisk_size and vendor_ramdisk_size come from android image, it could be corrupted if we corrupt android image but it's an external source so difficult to say if value is corrupted or not , it's why on real device we have AB features to check it.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
>
> ** CID 332278: Control flow issues (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
>
>
> _____________________________________________________________________________________________
> *** CID 332278: Control flow issues (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
> 714 UInt32 code = p->code;
> 715 const Byte *bufLimit = *bufOut;
> 716 const CLzmaProb *probs = GET_PROBS;
> 717 unsigned state = (unsigned)p->state;
> 718 ELzmaDummy res;
> 719
>>>> CID 332278: Control flow issues (UNREACHABLE)
>>>> Since the loop increment is unreachable, the loop body will never execute more than once.
> 720 for (;;)
> 721 {
> 722 const CLzmaProb *prob;
> 723 UInt32 bound;
> 724 unsigned ttt;
> 725 unsigned posState = CALC_POS_STATE(p->processedPos,
> ((unsigned)1 << p->prop.pb) - 1);
>
> ** CID 252901: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
>
>
> _____________________________________________________________________________________________
> *** CID 252901: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
> 1289
> 1290 SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props,
> unsigned propsSize, ISzAllocPtr alloc)
> 1291 {
> 1292 CLzmaProps propNew;
> 1293 RINOK(LzmaProps_Decode(&propNew, props, propsSize))
> 1294 RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>>> CID 252901: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1295 p->prop = propNew;
> 1296 return SZ_OK;
> 1297 }
> 1298
> 1299 SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props,
> unsigned propsSize, ISzAllocPtr alloc)
> 1300 {
>
> ** CID 252579: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
>
>
> _____________________________________________________________________________________________
> *** CID 252579: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
> 1321 {
> 1322 LzmaDec_FreeProbs(p, alloc);
> 1323 return SZ_ERROR_MEM;
> 1324 }
> 1325 }
> 1326 p->dicBufSize = dicBufSize;
>>>> CID 252579: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1327 p->prop = propNew;
> 1328 return SZ_OK;
> 1329 }
> 1330
> 1331 SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src,
> SizeT *srcLen,
> 1332 const Byte *propData, unsigned propSize, ELzmaFinishMode
> finishMode,
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
Regards,
Guillaume
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2026-02-13 22:09 UTC (permalink / raw)
To: u-boot, Chris Morgan, Mattijs Korpershoek
[-- Attachment #1: Type: text/plain, Size: 1731 bytes --]
Latest Coverity Scan report, now that it's back up and so a little out
of sync with the usual schedule.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Feb 13, 2026 at 4:03 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 1
- 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 1 of 1 defect(s)
Defect Details
** CID 328330: Integer handling issues (NO_EFFECT)
/drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
_____________________________________________________________________________________________
*** CID 328330: Integer handling issues (NO_EFFECT)
/drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
100 done:
101 /*
102 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
103 * is cleared, we must wait at least 50ms before accessing the PHY
104 * domain (synchronization delay).
105 */
>>> CID 328330: Integer handling issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
106 if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
107 mdelay(50);
108
109 return 0;
110 }
111
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-02-13 22:09 Tom Rini
@ 2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Chris Morgan @ 2026-02-18 23:02 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, Mattijs Korpershoek
On Fri, Feb 13, 2026 at 04:09:27PM -0600, Tom Rini wrote:
> Latest Coverity Scan report, now that it's back up and so a little out
> of sync with the usual schedule.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Feb 13, 2026 at 4:03 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 1
> - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 1 of 1 defect(s)
>
> Defect Details
>
> ** CID 328330: Integer handling issues (NO_EFFECT)
> /drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
>
>
> _____________________________________________________________________________________________
> *** CID 328330: Integer handling issues (NO_EFFECT)
> /drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
> 100 done:
> 101 /*
> 102 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
> 103 * is cleared, we must wait at least 50ms before accessing the PHY
> 104 * domain (synchronization delay).
> 105 */
> >>> CID 328330: Integer handling issues (NO_EFFECT)
> >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
> 106 if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
> 107 mdelay(50);
> 108
> 109 return 0;
> 110 }
> 111
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
> --
> Tom
I'm not *entirely* sure what to do to fix this issue, but it looks
like maybe the issue is that all we're trying to do here is make sure
that the version is DWC31_REVISION_180A or earlier, and this is done in
mainline by checking between revisions _ANY and revisions _180A
(instead of creating a new macro). Since the DWC31_REVISION_ANY is set
as 0 this means that condition will always evaluate as true. In this
case though that's fine, because all we really care about is if the
second condition of the macro is true (whether or not we are equal to
or less than revision _180A).
I copied this stuff directly out of the mainline Linux driver so as to
maintain some semblance of parity (and because I needed the stuff that
used this specific macro for gadget mode), however it looks like to stop
this Coverity error I need to create a new macro, possibly a
DWC3_VER_IS_AFTER() macro. Or is it simply fine to say that I
acknowledge the issue, but given the context don't think it's an issue
if the comparison to zero always returns true because it's just a reused
macro with two conditions and we only care about the second condition?
Thank you,
Chris
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-02-09 11:05 ` Guillaume La Roque
@ 2026-02-20 16:11 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-02-20 16:11 UTC (permalink / raw)
To: Guillaume La Roque; +Cc: u-boot, Mattijs Korpershoek
[-- Attachment #1: Type: text/plain, Size: 231 bytes --]
On Mon, Feb 09, 2026 at 12:05:40PM +0100, Guillaume La Roque wrote:
> Hi Tom,
>
>
> sorry for delay, i check defects please see my comments inline
Thanks for the details, I've updated the dashboard with them.
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-02-18 23:02 ` Chris Morgan
@ 2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2026-02-20 16:11 UTC (permalink / raw)
To: Chris Morgan; +Cc: u-boot, Mattijs Korpershoek
[-- Attachment #1: Type: text/plain, Size: 3587 bytes --]
On Wed, Feb 18, 2026 at 05:02:27PM -0600, Chris Morgan wrote:
> On Fri, Feb 13, 2026 at 04:09:27PM -0600, Tom Rini wrote:
> > Latest Coverity Scan report, now that it's back up and so a little out
> > of sync with the usual schedule.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Fri, Feb 13, 2026 at 4:03 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > found with Coverity Scan.
> >
> > - *New Defects Found:* 1
> > - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > the recent build analyzed by Coverity Scan.
> > - *Defects Shown:* Showing 1 of 1 defect(s)
> >
> > Defect Details
> >
> > ** CID 328330: Integer handling issues (NO_EFFECT)
> > /drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 328330: Integer handling issues (NO_EFFECT)
> > /drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
> > 100 done:
> > 101 /*
> > 102 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
> > 103 * is cleared, we must wait at least 50ms before accessing the PHY
> > 104 * domain (synchronization delay).
> > 105 */
> > >>> CID 328330: Integer handling issues (NO_EFFECT)
> > >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
> > 106 if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
> > 107 mdelay(50);
> > 108
> > 109 return 0;
> > 110 }
> > 111
> >
> >
> > View Defects in Coverity Scan
> > <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> >
> > Best regards,
> >
> > The Coverity Scan Admin Team
> >
> > ----- End forwarded message -----
> >
> > --
> > Tom
>
> I'm not *entirely* sure what to do to fix this issue, but it looks
> like maybe the issue is that all we're trying to do here is make sure
> that the version is DWC31_REVISION_180A or earlier, and this is done in
> mainline by checking between revisions _ANY and revisions _180A
> (instead of creating a new macro). Since the DWC31_REVISION_ANY is set
> as 0 this means that condition will always evaluate as true. In this
> case though that's fine, because all we really care about is if the
> second condition of the macro is true (whether or not we are equal to
> or less than revision _180A).
>
> I copied this stuff directly out of the mainline Linux driver so as to
> maintain some semblance of parity (and because I needed the stuff that
> used this specific macro for gadget mode), however it looks like to stop
> this Coverity error I need to create a new macro, possibly a
> DWC3_VER_IS_AFTER() macro. Or is it simply fine to say that I
> acknowledge the issue, but given the context don't think it's an issue
> if the comparison to zero always returns true because it's just a reused
> macro with two conditions and we only care about the second condition?
So, looking at the Coverity Scan dashboard for the kernel, there's just
nothing on drivers/usb/dwc3/core.c (at all, even closed), which I think
is odd, but I also think I've updated the filter correctly. I'll put
your comments in the dashboard here for the issue and mark as
intentional, thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-02-20 16:11 ` Tom Rini
@ 2026-02-20 16:23 ` Chris Morgan
0 siblings, 0 replies; 99+ messages in thread
From: Chris Morgan @ 2026-02-20 16:23 UTC (permalink / raw)
To: Tom Rini; +Cc: u-boot, Mattijs Korpershoek
On Fri, Feb 20, 2026 at 10:11:56AM -0600, Tom Rini wrote:
> On Wed, Feb 18, 2026 at 05:02:27PM -0600, Chris Morgan wrote:
> > On Fri, Feb 13, 2026 at 04:09:27PM -0600, Tom Rini wrote:
> > > Latest Coverity Scan report, now that it's back up and so a little out
> > > of sync with the usual schedule.
> > >
> > > ---------- Forwarded message ---------
> > > From: <scan-admin@coverity.com>
> > > Date: Fri, Feb 13, 2026 at 4:03 PM
> > > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > > To: <tom.rini@gmail.com>
> > >
> > >
> > > Hi,
> > >
> > > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > > found with Coverity Scan.
> > >
> > > - *New Defects Found:* 1
> > > - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > > the recent build analyzed by Coverity Scan.
> > > - *Defects Shown:* Showing 1 of 1 defect(s)
> > >
> > > Defect Details
> > >
> > > ** CID 328330: Integer handling issues (NO_EFFECT)
> > > /drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
> > >
> > >
> > > _____________________________________________________________________________________________
> > > *** CID 328330: Integer handling issues (NO_EFFECT)
> > > /drivers/usb/dwc3/core.c: 106 in dwc3_core_soft_reset()
> > > 100 done:
> > > 101 /*
> > > 102 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
> > > 103 * is cleared, we must wait at least 50ms before accessing the PHY
> > > 104 * domain (synchronization delay).
> > > 105 */
> > > >>> CID 328330: Integer handling issues (NO_EFFECT)
> > > >>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
> > > 106 if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
> > > 107 mdelay(50);
> > > 108
> > > 109 return 0;
> > > 110 }
> > > 111
> > >
> > >
> > > View Defects in Coverity Scan
> > > <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> > >
> > > Best regards,
> > >
> > > The Coverity Scan Admin Team
> > >
> > > ----- End forwarded message -----
> > >
> > > --
> > > Tom
> >
> > I'm not *entirely* sure what to do to fix this issue, but it looks
> > like maybe the issue is that all we're trying to do here is make sure
> > that the version is DWC31_REVISION_180A or earlier, and this is done in
> > mainline by checking between revisions _ANY and revisions _180A
> > (instead of creating a new macro). Since the DWC31_REVISION_ANY is set
> > as 0 this means that condition will always evaluate as true. In this
> > case though that's fine, because all we really care about is if the
> > second condition of the macro is true (whether or not we are equal to
> > or less than revision _180A).
> >
> > I copied this stuff directly out of the mainline Linux driver so as to
> > maintain some semblance of parity (and because I needed the stuff that
> > used this specific macro for gadget mode), however it looks like to stop
> > this Coverity error I need to create a new macro, possibly a
> > DWC3_VER_IS_AFTER() macro. Or is it simply fine to say that I
> > acknowledge the issue, but given the context don't think it's an issue
> > if the comparison to zero always returns true because it's just a reused
> > macro with two conditions and we only care about the second condition?
>
> So, looking at the Coverity Scan dashboard for the kernel, there's just
> nothing on drivers/usb/dwc3/core.c (at all, even closed), which I think
> is odd, but I also think I've updated the filter correctly. I'll put
> your comments in the dashboard here for the issue and mark as
> intentional, thanks!
>
> --
> Tom
Perfect, thank you.
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-02-23 19:51 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-02-23 19:51 UTC (permalink / raw)
To: u-boot; +Cc: James Hilliard, Marek Vasut
[-- Attachment #1: Type: text/plain, Size: 4672 bytes --]
Hey all,
Looks like Coverity is a little unhappy about the FIT alignment fixes,
but I'm not sure yet if we can just mark them as intentional and already
safety checked inputs or not.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 23, 2026 at 1:34 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 1
- 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 1 of 1 defect(s)
Defect Details
** CID 644638: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 644638: (TAINTED_SCALAR)
/boot/image-fit.c: 2410 in boot_get_fdt_fit_into_buffer()
2404 */
2405 if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406 goto out;
2407
2408 /* Try to reuse existing destination buffer if it is large enough. */
2409 if (dstbuf && dstlen >= newdstlen) {
>>> CID 644638: (TAINTED_SCALAR)
>>> Passing tainted expression "fdtsrcbuf->size_dt_strings" to "fdt_open_into", which uses it as an offset.
2410 err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411 goto out;
2412 }
2413
2414 newdstbuf = memalign(8, newdstlen);
2415 if (!newdstbuf) {
/boot/image-fit.c: 2420 in boot_get_fdt_fit_into_buffer()
2414 newdstbuf = memalign(8, newdstlen);
2415 if (!newdstbuf) {
2416 err = -ENOMEM;
2417 goto out;
2418 }
2419
>>> CID 644638: (TAINTED_SCALAR)
>>> Passing tainted expression "fdtsrcbuf->size_dt_struct" to "fdt_open_into", which uses it as an offset.
2420 err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421 if (err < 0)
2422 goto out;
2423
2424 free(dstbuf);
2425 *fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2420 in boot_get_fdt_fit_into_buffer()
2414 newdstbuf = memalign(8, newdstlen);
2415 if (!newdstbuf) {
2416 err = -ENOMEM;
2417 goto out;
2418 }
2419
>>> CID 644638: (TAINTED_SCALAR)
>>> Passing tainted expression "fdtsrcbuf->size_dt_strings" to "fdt_open_into", which uses it as an offset.
2420 err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421 if (err < 0)
2422 goto out;
2423
2424 free(dstbuf);
2425 *fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2420 in boot_get_fdt_fit_into_buffer()
2414 newdstbuf = memalign(8, newdstlen);
2415 if (!newdstbuf) {
2416 err = -ENOMEM;
2417 goto out;
2418 }
2419
>>> CID 644638: (TAINTED_SCALAR)
>>> Passing tainted expression "fdtsrcbuf->totalsize" to "fdt_open_into", which uses it as an offset.
2420 err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421 if (err < 0)
2422 goto out;
2423
2424 free(dstbuf);
2425 *fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2410 in boot_get_fdt_fit_into_buffer()
2404 */
2405 if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406 goto out;
2407
2408 /* Try to reuse existing destination buffer if it is large enough. */
2409 if (dstbuf && dstlen >= newdstlen) {
>>> CID 644638: (TAINTED_SCALAR)
>>> Passing tainted expression "fdtsrcbuf->totalsize" to "fdt_open_into", which uses it as an offset.
2410 err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411 goto out;
2412 }
2413
2414 newdstbuf = memalign(8, newdstlen);
2415 if (!newdstbuf) {
/boot/image-fit.c: 2410 in boot_get_fdt_fit_into_buffer()
2404 */
2405 if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406 goto out;
2407
2408 /* Try to reuse existing destination buffer if it is large enough. */
2409 if (dstbuf && dstlen >= newdstlen) {
>>> CID 644638: (TAINTED_SCALAR)
>>> Passing tainted expression "fdtsrcbuf->size_dt_struct" to "fdt_open_into", which uses it as an offset.
2410 err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411 goto out;
2412 }
2413
2414 newdstbuf = memalign(8, newdstlen);
2415 if (!newdstbuf) {
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2026-03-09 21:23 UTC (permalink / raw)
To: u-boot, Simon Glass, Raphael Gallais-Pou, Patrick Delaunay,
Patrice Chotard
[-- Attachment #1: Type: text/plain, Size: 5016 bytes --]
Hey all,
Unfortunately for such a small set of changes (rc3 to rc4) a lot of new
Coverity scan issues have popped up. Please let me know if these appear
to be real issues or something that we can mark as intentional / false
positive. Thanks!
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Mar 9, 2026, 2:11 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 4
- *Defects Shown:* Showing 4 of 4 defect(s)
Defect Details
** CID 644836: Error handling issues (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 497 in stm32_dsi_probe()
_____________________________________________________________________________________________
*** CID 644836: Error handling issues (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 497 in stm32_dsi_probe()
491 priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
492 if (priv->hw_version != HWVER_130 &&
493 priv->hw_version != HWVER_131) {
494 dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
495 dev_dbg(dev, "remove and unbind all DSI child\n");
496 device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
>>> CID 644836: Error handling issues (CHECKED_RETURN)
>>> Calling "device_chld_unbind" without checking return value (as is done elsewhere 6 out of 7 times).
497 device_chld_unbind(dev, NULL);
498 ret = -ENODEV;
499 goto err_clk;
500 }
501
502 return 0;
** CID 644835: (TAINTED_SCALAR)
/common/menu.c: 589 in bootmenu_loop()
/common/menu.c: 589 in bootmenu_loop()
_____________________________________________________________________________________________
*** CID 644835: (TAINTED_SCALAR)
/common/menu.c: 589 in bootmenu_loop()
583 c = cli_ch_process(cch, c);
584 }
585 }
586
587 key = bootmenu_conv_key(c);
588
>>> CID 644835: (TAINTED_SCALAR)
>>> Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
589 if (key == BKEY_NONE && isalnum(c)) {
590 key = BKEY_SHORTCUT;
591 cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592 }
593
594 return key;
/common/menu.c: 589 in bootmenu_loop()
583 c = cli_ch_process(cch, c);
584 }
585 }
586
587 key = bootmenu_conv_key(c);
588
>>> CID 644835: (TAINTED_SCALAR)
>>> Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
589 if (key == BKEY_NONE && isalnum(c)) {
590 key = BKEY_SHORTCUT;
591 cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592 }
593
594 return key;
** CID 644834: Error handling issues (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 496 in stm32_dsi_probe()
_____________________________________________________________________________________________
*** CID 644834: Error handling issues (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 496 in stm32_dsi_probe()
490 /* check hardware version */
491 priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
492 if (priv->hw_version != HWVER_130 &&
493 priv->hw_version != HWVER_131) {
494 dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
495 dev_dbg(dev, "remove and unbind all DSI child\n");
>>> CID 644834: Error handling issues (CHECKED_RETURN)
>>> Calling "device_chld_remove" without checking return value (as is done elsewhere 4 out of 5 times).
496 device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
497 device_chld_unbind(dev, NULL);
498 ret = -ENODEV;
499 goto err_clk;
500 }
501
** CID 644833: Memory - illegal accesses (NEGATIVE_RETURNS)
/common/menu.c: 589 in bootmenu_loop()
_____________________________________________________________________________________________
*** CID 644833: Memory - illegal accesses (NEGATIVE_RETURNS)
/common/menu.c: 589 in bootmenu_loop()
583 c = cli_ch_process(cch, c);
584 }
585 }
586
587 key = bootmenu_conv_key(c);
588
>>> CID 644833: Memory - illegal accesses (NEGATIVE_RETURNS)
>>> Using variable "c" as an index to array "_ctype".
589 if (key == BKEY_NONE && isalnum(c)) {
590 key = BKEY_SHORTCUT;
591 cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592 }
593
594 return key;
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-03-09 21:23 Tom Rini
@ 2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
0 siblings, 1 reply; 99+ messages in thread
From: Raphaël Gallais-Pou @ 2026-03-09 22:05 UTC (permalink / raw)
To: Tom Rini, u-boot, Simon Glass, Patrick Delaunay, Patrice Chotard
Cc: Raphael Gallais-Pou
Hi Tom,
Regarding both stm32_dsi errors:
It seems those errors are not linked to the patch you merged recently,
because it does not change the lines mentioned by Coverity.
Calls to device_chld_{remove, unbind} are introduced by commit
a6d047c0a86b ("video: stm32: remove all child of DSI bridge when its
probe failed").
My guess is that since my patch changed the file, it triggered the
Coverity Scan for the whole file.
Regardless, ret is overwritten right after the calls, so I don't think
checking the return value matters here except if there is a log information.
Tell me if you want me to provide a fix, but in this case I'm not sure
to see the point.
Best regards,
Raphaël
On 3/9/26 22:23, Tom Rini wrote:
> Hey all,
>
> Unfortunately for such a small set of changes (rc3 to rc4) a lot of new
> Coverity scan issues have popped up. Please let me know if these appear
> to be real issues or something that we can mark as intentional / false
> positive. Thanks!
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Mar 9, 2026, 2:11 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 4
> - *Defects Shown:* Showing 4 of 4 defect(s)
>
> Defect Details
>
>
> ** CID 644836: Error handling issues (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 497 in stm32_dsi_probe()
>
>
> _____________________________________________________________________________________________
> *** CID 644836: Error handling issues (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 497 in stm32_dsi_probe()
> 491 priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
> 492 if (priv->hw_version != HWVER_130 &&
> 493 priv->hw_version != HWVER_131) {
> 494 dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
> 495 dev_dbg(dev, "remove and unbind all DSI child\n");
> 496 device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
>>>> CID 644836: Error handling issues (CHECKED_RETURN)
>>>> Calling "device_chld_unbind" without checking return value (as is done elsewhere 6 out of 7 times).
> 497 device_chld_unbind(dev, NULL);
> 498 ret = -ENODEV;
> 499 goto err_clk;
> 500 }
> 501
> 502 return 0;
>
> ** CID 644835: (TAINTED_SCALAR)
> /common/menu.c: 589 in bootmenu_loop()
> /common/menu.c: 589 in bootmenu_loop()
>
>
> _____________________________________________________________________________________________
> *** CID 644835: (TAINTED_SCALAR)
> /common/menu.c: 589 in bootmenu_loop()
> 583 c = cli_ch_process(cch, c);
> 584 }
> 585 }
> 586
> 587 key = bootmenu_conv_key(c);
> 588
>>>> CID 644835: (TAINTED_SCALAR)
>>>> Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
> 589 if (key == BKEY_NONE && isalnum(c)) {
> 590 key = BKEY_SHORTCUT;
> 591 cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
> 592 }
> 593
> 594 return key;
> /common/menu.c: 589 in bootmenu_loop()
> 583 c = cli_ch_process(cch, c);
> 584 }
> 585 }
> 586
> 587 key = bootmenu_conv_key(c);
> 588
>>>> CID 644835: (TAINTED_SCALAR)
>>>> Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
> 589 if (key == BKEY_NONE && isalnum(c)) {
> 590 key = BKEY_SHORTCUT;
> 591 cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
> 592 }
> 593
> 594 return key;
>
> ** CID 644834: Error handling issues (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 496 in stm32_dsi_probe()
>
>
> _____________________________________________________________________________________________
> *** CID 644834: Error handling issues (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 496 in stm32_dsi_probe()
> 490 /* check hardware version */
> 491 priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
> 492 if (priv->hw_version != HWVER_130 &&
> 493 priv->hw_version != HWVER_131) {
> 494 dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
> 495 dev_dbg(dev, "remove and unbind all DSI child\n");
>>>> CID 644834: Error handling issues (CHECKED_RETURN)
>>>> Calling "device_chld_remove" without checking return value (as is done elsewhere 4 out of 5 times).
> 496 device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
> 497 device_chld_unbind(dev, NULL);
> 498 ret = -ENODEV;
> 499 goto err_clk;
> 500 }
> 501
>
> ** CID 644833: Memory - illegal accesses (NEGATIVE_RETURNS)
> /common/menu.c: 589 in bootmenu_loop()
>
>
> _____________________________________________________________________________________________
> *** CID 644833: Memory - illegal accesses (NEGATIVE_RETURNS)
> /common/menu.c: 589 in bootmenu_loop()
> 583 c = cli_ch_process(cch, c);
> 584 }
> 585 }
> 586
> 587 key = bootmenu_conv_key(c);
> 588
>>>> CID 644833: Memory - illegal accesses (NEGATIVE_RETURNS)
>>>> Using variable "c" as an index to array "_ctype".
> 589 if (key == BKEY_NONE && isalnum(c)) {
> 590 key = BKEY_SHORTCUT;
> 591 cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
> 592 }
> 593
> 594 return key;
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-03-09 22:05 ` Raphaël Gallais-Pou
@ 2026-03-09 22:13 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-03-09 22:13 UTC (permalink / raw)
To: Raphaël Gallais-Pou
Cc: u-boot, Simon Glass, Patrick Delaunay, Patrice Chotard,
Raphael Gallais-Pou
[-- Attachment #1: Type: text/plain, Size: 985 bytes --]
On Mon, Mar 09, 2026 at 11:05:27PM +0100, Raphaël Gallais-Pou wrote:
> Hi Tom,
>
> Regarding both stm32_dsi errors:
>
> It seems those errors are not linked to the patch you merged recently,
> because it does not change the lines mentioned by Coverity.
Ah, likely so, yes.
> Calls to device_chld_{remove, unbind} are introduced by commit a6d047c0a86b
> ("video: stm32: remove all child of DSI bridge when its probe failed").
>
> My guess is that since my patch changed the file, it triggered the Coverity
> Scan for the whole file.
>
> Regardless, ret is overwritten right after the calls, so I don't think
> checking the return value matters here except if there is a log information.
>
> Tell me if you want me to provide a fix, but in this case I'm not sure to
> see the point.
It would be good to match the usual pattern (drivers/scsi/scsi.c and
drivers/ata/sata.c) even if it's an unlikey chain of events. Please send
a patch, thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-04-06 19:12 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-04-06 19:12 UTC (permalink / raw)
To: u-boot
Cc: Kory Maincent, Dan Carpenter, Varadarajan Narayanan, Bo-Chen Chen,
David Lechner, Raymond Mao, Ilias Apalodimas
[-- Attachment #1: Type: text/plain, Size: 12726 bytes --]
Here's the latest report, now that I've merged next to master, locally
at least.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 6, 2026 at 12:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 11
- 15 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 11 of 11 defect(s)
Defect Details
** CID 645496: (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94 in parse_config()
/tools/fwumdata_src/fwumdata.c: 101 in parse_config()
_____________________________________________________________________________________________
*** CID 645496: (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94 in parse_config()
88 &devname,
89 &devices[i].devoff,
90 &devices[i].mdata_size,
91 &devices[i].erase_size);
92
93 if (rc < 3) {
>>> CID 645496: (USE_AFTER_FREE)
>>> Calling "free" frees pointer "devname" which has already been freed.
94 free(devname);
95 continue;
96 }
97
98 if (rc < 4)
99 devices[i].erase_size = devices[i].mdata_size;
/tools/fwumdata_src/fwumdata.c: 101 in parse_config()
95 continue;
96 }
97
98 if (rc < 4)
99 devices[i].erase_size = devices[i].mdata_size;
100
>>> CID 645496: (USE_AFTER_FREE)
>>> Using freed pointer "devname".
101 devices[i].devname = devname;
102 i++;
103 }
104
105 free(line);
106 fclose(fp);
** CID 645495: Uninitialized variables (UNINIT)
/fs/fat/fat.c: 175 in disk_rw()
_____________________________________________________________________________________________
*** CID 645495: Uninitialized variables (UNINIT)
/fs/fat/fat.c: 175 in disk_rw()
169 }
170 }
171 exit:
172 if (block)
173 free(block);
174
>>> CID 645495: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
175 return (ret == -1) ? -1 : nr_sect;
176 }
177
178 static int disk_read(__u32 sect, __u32 nr_sect, void *buf)
179 {
180 return disk_rw(sect, nr_sect, buf, true);
** CID 645494: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287 in
mt6359_get_voltage_sel()
_____________________________________________________________________________________________
*** CID 645494: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287 in
mt6359_get_voltage_sel()
281
282 selector = pmic_reg_read(dev->parent, info->desc.vsel_reg);
283 if (selector < 0)
284 return selector;
285
286 selector &= info->desc.vsel_mask;
>>> CID 645494: Integer handling issues (BAD_SHIFT)
>>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
287 selector >>= ffs(info->desc.vsel_mask) - 1;
288
289 return selector;
290 }
291
292 static int mt6359p_vemc_get_voltage_sel(struct udevice *dev,
struct mt6359_regulator_info *info)
** CID 645493: Control flow issues (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206 in
scmi_pinctrl_settings_get_one()
_____________________________________________________________________________________________
*** CID 645493: Control flow issues (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206 in
scmi_pinctrl_settings_get_one()
200
201 msg.out_msg = (u8 *)out;
202 msg.out_msg_sz = out_sz;
203 in.id = selector;
204 in.attr = 0;
205 if (config_type == SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
>>> CID 645493: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "in.attr" inside this statement: "in.attr = ({
({
do {...".
206 in.attr = FIELD_PREP(GENMASK(19, 18), 2);
207 in.attr |= FIELD_PREP(GENMASK(17, 16), select_type);
208 if (config_type != SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
209 in.attr |= FIELD_PREP(GENMASK(7, 0), config_type);
210
211 ret = devm_scmi_process_msg(dev, &msg);
** CID 645492: (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
/drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
_____________________________________________________________________________________________
*** CID 645492: (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
167 }
168
169 /* Get the offset of primary and secondary mdata */
170 ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 0, &label);
171 if (ret)
172 return ret;
>>> CID 645492: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->pri_label" of size 50 bytes might leave the destination string unterminated.
173 strncpy(mtd_priv->pri_label, label, 50);
174
175 ret = flash_partition_offset(mtd_dev, mtd_priv->pri_label, &offset);
176 if (ret <= 0)
177 return ret;
178 mtd_priv->pri_offset = offset;
/drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
177 return ret;
178 mtd_priv->pri_offset = offset;
179
180 ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 1, &label);
181 if (ret)
182 return ret;
>>> CID 645492: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->sec_label" of size 50 bytes might leave the destination string unterminated.
183 strncpy(mtd_priv->sec_label, label, 50);
184
185 ret = flash_partition_offset(mtd_dev, mtd_priv->sec_label, &offset);
186 if (ret <= 0)
187 return ret;
188 mtd_priv->sec_offset = offset;
** CID 645491: Security best practices violations (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
_____________________________________________________________________________________________
*** CID 645491: Security best practices violations (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
238 ofnode_read_u32(image, "size", &image_size);
239
240 mtd_images[off_img].start = bank_offset + image_offset;
241 mtd_images[off_img].size = image_size;
242 mtd_images[off_img].bank_num = bank_num;
243 mtd_images[off_img].image_num = image_num;
>>> CID 645491: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 37-character fixed-size string "mtd_images[off_img].uuidbuf" by copying "uuid" without checking the length.
244 strcpy(mtd_images[off_img].uuidbuf, uuid);
245 log_debug("\tImage%d: %s @0x%x\n\n",
246 image_num, uuid, bank_offset + image_offset);
247 off_img++;
248 }
249 }
** CID 645490: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245 in
mt6359p_vemc_set_voltage_sel()
_____________________________________________________________________________________________
*** CID 645490: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245 in
mt6359p_vemc_set_voltage_sel()
239
240 static int mt6359p_vemc_set_voltage_sel(struct udevice *dev,
241 struct mt6359_regulator_info *info, unsigned int sel)
242 {
243 int ret;
244
>>> CID 645490: Integer handling issues (BAD_SHIFT)
>>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
245 sel <<= ffs(info->desc.vsel_mask) - 1;
246 ret = pmic_reg_write(dev->parent, MT6359P_TMA_KEY_ADDR,
MT6359P_TMA_KEY);
247 if (ret)
248 return ret;
249
250 ret = pmic_reg_read(dev->parent, MT6359P_VM_MODE_ADDR);
** CID 645489: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234 in
mt6359_set_voltage_sel_regmap()
_____________________________________________________________________________________________
*** CID 645489: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234 in
mt6359_set_voltage_sel_regmap()
228 };
229
230 static int mt6359_set_voltage_sel_regmap(struct udevice *dev,
231 struct mt6359_regulator_info *info,
232 unsigned int sel)
233 {
>>> CID 645489: Integer handling issues (BAD_SHIFT)
>>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
234 sel <<= ffs(info->desc.vsel_mask) - 1;
235
236 return pmic_clrsetbits(dev->parent, info->desc.vsel_reg,
237 info->desc.vsel_mask, sel);
238 }
239
** CID 645488: Error handling issues (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189 in read_device()
_____________________________________________________________________________________________
*** CID 645488: Error handling issues (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189 in read_device()
183 {
184 if (lseek(dev->fd, dev->devoff, SEEK_SET) < 0) {
185 fprintf(stderr, "Seek failed: %s\n", strerror(errno));
186 return -errno;
187 }
188
>>> CID 645488: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
189 if (read(dev->fd, buf, count) < 0) {
190 fprintf(stderr, "Read failed: %s\n", strerror(errno));
191 return -errno;
192 }
193
194 return 0;
** CID 645487: Insecure data handling (TAINTED_SCALAR)
/lib/smbios.c: 1099 in smbios_write_type9_1slot()
_____________________________________________________________________________________________
*** CID 645487: Insecure data handling (TAINTED_SCALAR)
/lib/smbios.c: 1099 in smbios_write_type9_1slot()
1093 * TODO:
1094 * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
1095 */
1096 len += pgroups_size;
1097
1098 t = map_sysmem(*current, len);
>>> CID 645487: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1099 memset(t, 0, len);
1100
1101 fill_smbios_header(t, SMBIOS_SYSTEM_SLOTS, len, handle);
1102
1103 /* eos is at the end of the structure */
1104 eos_addr = (u8 *)t + len - sizeof(t->eos);
** CID 645486: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312 in
mt6359p_vemc_get_voltage_sel()
_____________________________________________________________________________________________
*** CID 645486: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312 in
mt6359p_vemc_get_voltage_sel()
306 return -EINVAL;
307 }
308 if (selector < 0)
309 return selector;
310
311 selector &= info->desc.vsel_mask;
>>> CID 645486: Integer handling issues (BAD_SHIFT)
>>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
312 selector >>= ffs(info->desc.vsel_mask) - 1;
313
314 return selector;
315 }
316
317 static int mt6359_get_enable(struct udevice *dev)
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-04-28 14:04 Tom Rini
2026-04-29 6:31 ` Michal Simek
2026-05-12 8:44 ` Christian Pötzsch
0 siblings, 2 replies; 99+ messages in thread
From: Tom Rini @ 2026-04-28 14:04 UTC (permalink / raw)
To: u-boot
Cc: Raymond Mao, Ilias Apalodimas, Michal Simek,
Christian Pötzsch, Marek Vasut
[-- Attachment #1: Type: text/plain, Size: 16974 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 27, 2026, 5:41 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 9
- 77 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 9 of 9 defect(s)
Defect Details
** CID 645841: Incorrect expression (BAD_COMPARE)
/common/bloblist.c: 303 in bloblist_apply_blobs()
_____________________________________________________________________________________________
*** CID 645841: Incorrect expression (BAD_COMPARE)
/common/bloblist.c: 303 in bloblist_apply_blobs()
297 log_err("Failed to apply blob with tag %d\n",
298 tag);
299 return ret;
300 }
301
302 rec = rec_from_blob(blob - dat_off);
>>> CID 645841: Incorrect expression (BAD_COMPARE)
>>> Comparing pointer "rec" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
303 if (rec <= 0) {
304 log_err("Blob corrupted\n");
305 return -ENOENT;
306 }
307
308 /* Mark applied blob record as void */
** CID 645840: Uninitialized variables (UNINIT)
_____________________________________________________________________________________________
*** CID 645840: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
961 if ((server && strlen("http://") + strlen(server) + 1 >
sizeof(tmp)) ||
962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
963 return NULL;
964
965 efi_net_get_addr(&ip, &mask, NULL, dev);
966
>>> CID 645840: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ip" when calling "efi_dp_from_ipv4".
967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
968 if (!dp1)
969 return NULL;
970
971
972 strcpy(tmp, "http://");
** CID 645839: Error handling issues (CHECKED_RETURN)
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
_____________________________________________________________________________________________
*** CID 645839: Error handling issues (CHECKED_RETURN)
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645839: Error handling issues (CHECKED_RETURN)
>>> Calling "fdt_pack" without checking return value (as is done elsewhere 5 out of 6 times).
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
** CID 645838: Uninitialized variables (UNINIT)
_____________________________________________________________________________________________
*** CID 645838: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
961 if ((server && strlen("http://") + strlen(server) + 1 >
sizeof(tmp)) ||
962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
963 return NULL;
964
965 efi_net_get_addr(&ip, &mask, NULL, dev);
966
>>> CID 645838: Uninitialized variables (UNINIT)
>>> Using uninitialized value "mask" when calling "efi_dp_from_ipv4".
967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
968 if (!dp1)
969 return NULL;
970
971
972 strcpy(tmp, "http://");
** CID 645837: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 645837: (TAINTED_SCALAR)
/lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
1769 /* Resize if the current space is not sufficient */
1770 if (blob_size < padded_size) {
1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
1772 if (ret)
1773 return ret;
1774
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_open_into", which uses it as an offset.
1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
1776 if (ret)
1777 return ret;
1778 }
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
1769 /* Resize if the current space is not sufficient */
1770 if (blob_size < padded_size) {
1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
1772 if (ret)
1773 return ret;
1774
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->totalsize" to "fdt_open_into", which uses it as an offset.
1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
1776 if (ret)
1777 return ret;
1778 }
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
1769 /* Resize if the current space is not sufficient */
1770 if (blob_size < padded_size) {
1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
1772 if (ret)
1773 return ret;
1774
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_open_into", which uses it as an offset.
1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
1776 if (ret)
1777 return ret;
1778 }
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
** CID 645836: Resource leaks (RESOURCE_LEAK)
/drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
_____________________________________________________________________________________________
*** CID 645836: Resource leaks (RESOURCE_LEAK)
/drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
195 return -ENOMEM;
196
197 range->base = args.args[0];
198 if (range->base != priv->num_pins) {
199 dev_err(dev, "no gaps allowed in between pins %d vs %d\n",
200 priv->num_pins, range->base);
>>> CID 645836: Resource leaks (RESOURCE_LEAK)
>>> Variable "range" going out of scope leaks the storage it points to.
201 return -EINVAL;
202 }
203 range->offset = args.args[1];
204 range->npins = args.args[2];
205 priv->num_pins += args.args[2];
206 list_add_tail(&range->list, &priv->gpio_ranges);
** CID 645835: Memory - corruptions (OVERRUN)
/lib/gunzip.c: 248 in gzwrite()
_____________________________________________________________________________________________
*** CID 645835: Memory - corruptions (OVERRUN)
/lib/gunzip.c: 248 in gzwrite()
242 s.avail_out = szwritebuf - numfilled;
243 s.next_out = writebuf + numfilled;
244 } else {
245 s.avail_out = szwritebuf;
246 s.next_out = writebuf;
247 }
>>> CID 645835: Memory - corruptions (OVERRUN)
>>> Calling "inflate" with "s.next_in" and "s.avail_in" is suspicious because of the very large index, 4294966272. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.]
248 r = inflate(&s, Z_SYNC_FLUSH);
249 if ((r != Z_OK) &&
250 (r != Z_STREAM_END)) {
251 printf("Error: inflate() returned %d\n", r);
252 goto out;
253 }
** CID 645834: Control flow issues (NO_EFFECT)
/drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
_____________________________________________________________________________________________
*** CID 645834: Control flow issues (NO_EFFECT)
/drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
178 */
179 while (i < blkcnt) {
180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
181
182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
183 buffer + i * 512, type);
>>> CID 645834: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "ret < 0UL".
184 if (ret < 0)
185 return ret;
186 i += blk_per_sg;
187 }
188
189 return blkcnt >> priv->blksz_shift;
** CID 645833: Control flow issues (DEADCODE)
/drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
_____________________________________________________________________________________________
*** CID 645833: Control flow issues (DEADCODE)
/drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
179 while (i < blkcnt) {
180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
181
182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
183 buffer + i * 512, type);
184 if (ret < 0)
>>> CID 645833: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return ret;".
185 return ret;
186 i += blk_per_sg;
187 }
188
189 return blkcnt >> priv->blksz_shift;
190 }
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-04-28 14:04 Tom Rini
@ 2026-04-29 6:31 ` Michal Simek
2026-05-01 22:51 ` Raymond Mao
2026-05-12 8:44 ` Christian Pötzsch
1 sibling, 1 reply; 99+ messages in thread
From: Michal Simek @ 2026-04-29 6:31 UTC (permalink / raw)
To: Tom Rini, u-boot
Cc: Raymond Mao, Ilias Apalodimas, Christian Pötzsch,
Marek Vasut
On 4/28/26 16:04, Tom Rini wrote:
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Apr 27, 2026, 5:41 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 9
> - 77 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 9 of 9 defect(s)
>
> Defect Details
>
>
> ** CID 645841: Incorrect expression (BAD_COMPARE)
> /common/bloblist.c: 303 in bloblist_apply_blobs()
>
>
> _____________________________________________________________________________________________
> *** CID 645841: Incorrect expression (BAD_COMPARE)
> /common/bloblist.c: 303 in bloblist_apply_blobs()
> 297 log_err("Failed to apply blob with tag %d\n",
> 298 tag);
> 299 return ret;
> 300 }
> 301
> 302 rec = rec_from_blob(blob - dat_off);
>>>> CID 645841: Incorrect expression (BAD_COMPARE)
>>>> Comparing pointer "rec" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
> 303 if (rec <= 0) {
> 304 log_err("Blob corrupted\n");
> 305 return -ENOENT;
> 306 }
> 307
> 308 /* Mark applied blob record as void */
>
I sent a patch for this one.
> ** CID 645839: Error handling issues (CHECKED_RETURN)
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
>
>
> _____________________________________________________________________________________________
> *** CID 645839: Error handling issues (CHECKED_RETURN)
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645839: Error handling issues (CHECKED_RETURN)
>>>> Calling "fdt_pack" without checking return value (as is done elsewhere 5 out of 6 times).
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
>
And this one.
M
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-04-29 6:31 ` Michal Simek
@ 2026-05-01 22:51 ` Raymond Mao
0 siblings, 0 replies; 99+ messages in thread
From: Raymond Mao @ 2026-05-01 22:51 UTC (permalink / raw)
To: Michal Simek
Cc: Tom Rini, u-boot, Ilias Apalodimas, Christian Pötzsch,
Marek Vasut
Hi Michal,
On Wed, Apr 29, 2026 at 2:31 AM Michal Simek <michal.simek@amd.com> wrote:
>
>
>
> On 4/28/26 16:04, Tom Rini wrote:
> > Here's the latest report.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Mon, Apr 27, 2026, 5:41 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > found with Coverity Scan.
> >
> > - *New Defects Found:* 9
> > - 77 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > the recent build analyzed by Coverity Scan.
> > - *Defects Shown:* Showing 9 of 9 defect(s)
> >
> > Defect Details
> >
> >
> > ** CID 645841: Incorrect expression (BAD_COMPARE)
> > /common/bloblist.c: 303 in bloblist_apply_blobs()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 645841: Incorrect expression (BAD_COMPARE)
> > /common/bloblist.c: 303 in bloblist_apply_blobs()
> > 297 log_err("Failed to apply blob with tag %d\n",
> > 298 tag);
> > 299 return ret;
> > 300 }
> > 301
> > 302 rec = rec_from_blob(blob - dat_off);
> >>>> CID 645841: Incorrect expression (BAD_COMPARE)
> >>>> Comparing pointer "rec" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
> > 303 if (rec <= 0) {
> > 304 log_err("Blob corrupted\n");
> > 305 return -ENOENT;
> > 306 }
> > 307
> > 308 /* Mark applied blob record as void */
> >
>
> I sent a patch for this one.
>
>
> > ** CID 645839: Error handling issues (CHECKED_RETURN)
> > /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 645839: Error handling issues (CHECKED_RETURN)
> > /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> > 1779
> > 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> > fdtdec_apply_dto_blob);
> > 1781 if (ret)
> > 1782 return ret;
> > 1783
> > 1784 /* Shink the blob to the actual FDT size */
> >>>> CID 645839: Error handling issues (CHECKED_RETURN)
> >>>> Calling "fdt_pack" without checking return value (as is done elsewhere 5 out of 6 times).
> > 1785 fdt_pack(live_fdt);
> > 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> > fdt_totalsize(live_fdt));
> > 1787 }
> > 1788
> > 1789 int fdtdec_setup(void)
> > 1790 {
> >
>
> And this one.
>
Thanks for solving these two.
Raymond
> M
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-05-08 23:42 Tom Rini
2026-05-14 15:39 ` Lucien.Jheng
0 siblings, 1 reply; 99+ messages in thread
From: Tom Rini @ 2026-05-08 23:42 UTC (permalink / raw)
To: u-boot; +Cc: Lucien.Jheng
[-- Attachment #1: Type: text/plain, Size: 20108 bytes --]
Here's the latest report. I think test code matters because it sets bad
examples, or might not really end up testing things the way we want them
to, and so should be fixed. Thanks!
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, May 8, 2026 at 5:31 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 17
- 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 17 of 17 defect(s)
Defect Details
** CID 646011: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 164 in
dm_test_phy_common_props_rx_unsupported()
_____________________________________________________________________________________________
*** CID 646011: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 164 in
dm_test_phy_common_props_rx_unsupported()
158 unsigned int val;
159 int ret;
160
161 ut_assert(ofnode_valid(node));
162
163 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 646011: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
164 ut_asserteq(-EOPNOTSUPP, ret);
165
166 return 0;
167 }
168
169 DM_TEST(dm_test_phy_common_props_rx_unsupported, UTF_SCAN_FDT);
** CID 646010: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 236 in
dm_test_phy_common_props_tx_more_names()
_____________________________________________________________________________________________
*** CID 646010: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 236 in
dm_test_phy_common_props_tx_more_names()
230 unsigned int val;
231 int ret;
232
233 ut_assert(ofnode_valid(node));
234
235 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 646010: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
236 ut_asserteq(-EINVAL, ret);
237
238 return 0;
239 }
240
241 DM_TEST(dm_test_phy_common_props_tx_more_names, UTF_SCAN_FDT);
** CID 646009: (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 253 in
dm_test_phy_common_props_tx_find_by_name()
/test/dm/phy_common_props.c: 257 in
dm_test_phy_common_props_tx_find_by_name()
/test/dm/phy_common_props.c: 261 in
dm_test_phy_common_props_tx_find_by_name()
_____________________________________________________________________________________________
*** CID 646009: (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 253 in
dm_test_phy_common_props_tx_find_by_name()
247 unsigned int val;
248 int ret;
249
250 ut_assert(ofnode_valid(node));
251
252 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 646009: (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
253 ut_asserteq(0, ret);
254 ut_asserteq(PHY_POL_NORMAL, val);
255
256 ret = phy_get_manual_tx_polarity(node, "2500base-x", &val);
257 ut_asserteq(0, ret);
258 ut_asserteq(PHY_POL_INVERT, val);
/test/dm/phy_common_props.c: 257 in
dm_test_phy_common_props_tx_find_by_name()
251
252 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
253 ut_asserteq(0, ret);
254 ut_asserteq(PHY_POL_NORMAL, val);
255
256 ret = phy_get_manual_tx_polarity(node, "2500base-x", &val);
>>> CID 646009: (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
257 ut_asserteq(0, ret);
258 ut_asserteq(PHY_POL_INVERT, val);
259
260 ret = phy_get_manual_tx_polarity(node, "1000base-x", &val);
261 ut_asserteq(0, ret);
262 ut_asserteq(PHY_POL_NORMAL, val);
/test/dm/phy_common_props.c: 261 in
dm_test_phy_common_props_tx_find_by_name()
255
256 ret = phy_get_manual_tx_polarity(node, "2500base-x", &val);
257 ut_asserteq(0, ret);
258 ut_asserteq(PHY_POL_INVERT, val);
259
260 ret = phy_get_manual_tx_polarity(node, "1000base-x", &val);
>>> CID 646009: (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
261 ut_asserteq(0, ret);
262 ut_asserteq(PHY_POL_NORMAL, val);
263
264 return 0;
265 }
266
** CID 646008: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 31 in
dm_test_phy_common_props_rx_missing()
_____________________________________________________________________________________________
*** CID 646008: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 31 in
dm_test_phy_common_props_rx_missing()
25 unsigned int val;
26 int ret;
27
28 ut_assert(ofnode_valid(node));
29
30 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 646008: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
31 ut_asserteq(0, ret);
32 ut_asserteq(PHY_POL_NORMAL, val);
33
34 return 0;
35 }
36
** CID 646007: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 296 in
dm_test_phy_common_props_tx_with_default()
_____________________________________________________________________________________________
*** CID 646007: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 296 in
dm_test_phy_common_props_tx_with_default()
290 unsigned int val;
291 int ret;
292
293 ut_assert(ofnode_valid(node));
294
295 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 646007: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
296 ut_asserteq(0, ret);
297 ut_asserteq(PHY_POL_INVERT, val);
298
299 return 0;
300 }
301
** CID 646006: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 314 in
dm_test_phy_common_props_tx_unsupported()
_____________________________________________________________________________________________
*** CID 646006: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 314 in
dm_test_phy_common_props_tx_unsupported()
308 unsigned int val;
309 int ret;
310
311 ut_assert(ofnode_valid(node));
312
313 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 646006: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
314 ut_asserteq(-EOPNOTSUPP, ret);
315
316 return 0;
317 }
318
** CID 646005: (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 111 in
dm_test_phy_common_props_rx_find_by_name()
/test/dm/phy_common_props.c: 105 in
dm_test_phy_common_props_rx_find_by_name()
/test/dm/phy_common_props.c: 101 in
dm_test_phy_common_props_rx_find_by_name()
_____________________________________________________________________________________________
*** CID 646005: (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 111 in
dm_test_phy_common_props_rx_find_by_name()
105 ut_asserteq(0, ret);
106 ut_asserteq(PHY_POL_INVERT, val);
107
108 /* "usb-ss" has PHY_POL_AUTO; auto is supported here */
109 ret = phy_get_rx_polarity(node, "usb-ss", BIT(PHY_POL_AUTO),
110 PHY_POL_AUTO, &val);
>>> CID 646005: (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
111 ut_asserteq(0, ret);
112 ut_asserteq(PHY_POL_AUTO, val);
113
114 return 0;
115 }
116
/test/dm/phy_common_props.c: 105 in
dm_test_phy_common_props_rx_find_by_name()
99
100 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
101 ut_asserteq(0, ret);
102 ut_asserteq(PHY_POL_NORMAL, val);
103
104 ret = phy_get_manual_rx_polarity(node, "2500base-x", &val);
>>> CID 646005: (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
105 ut_asserteq(0, ret);
106 ut_asserteq(PHY_POL_INVERT, val);
107
108 /* "usb-ss" has PHY_POL_AUTO; auto is supported here */
109 ret = phy_get_rx_polarity(node, "usb-ss", BIT(PHY_POL_AUTO),
110 PHY_POL_AUTO, &val);
/test/dm/phy_common_props.c: 101 in
dm_test_phy_common_props_rx_find_by_name()
95 unsigned int val;
96 int ret;
97
98 ut_assert(ofnode_valid(node));
99
100 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 646005: (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
101 ut_asserteq(0, ret);
102 ut_asserteq(PHY_POL_NORMAL, val);
103
104 ret = phy_get_manual_rx_polarity(node, "2500base-x", &val);
105 ut_asserteq(0, ret);
106 ut_asserteq(PHY_POL_INVERT, val);
** CID 646004: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 183 in
dm_test_phy_common_props_tx_missing()
_____________________________________________________________________________________________
*** CID 646004: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 183 in
dm_test_phy_common_props_tx_missing()
177 unsigned int val;
178 int ret;
179
180 ut_assert(ofnode_valid(node));
181
182 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 646004: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
183 ut_asserteq(0, ret);
184 ut_asserteq(PHY_POL_NORMAL, val);
185
186 return 0;
187 }
188
** CID 646003: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 49 in
dm_test_phy_common_props_rx_more_values()
_____________________________________________________________________________________________
*** CID 646003: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 49 in
dm_test_phy_common_props_rx_more_values()
43 unsigned int val;
44 int ret;
45
46 ut_assert(ofnode_valid(node));
47
48 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 646003: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
49 ut_asserteq(-EINVAL, ret);
50
51 return 0;
52 }
53
54 DM_TEST(dm_test_phy_common_props_rx_more_values, UTF_SCAN_FDT);
** CID 646002: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 146 in
dm_test_phy_common_props_rx_with_default()
_____________________________________________________________________________________________
*** CID 646002: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 146 in
dm_test_phy_common_props_rx_with_default()
140 unsigned int val;
141 int ret;
142
143 ut_assert(ofnode_valid(node));
144
145 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 646002: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
146 ut_asserteq(0, ret);
147 ut_asserteq(PHY_POL_INVERT, val);
148
149 return 0;
150 }
151
** CID 646001: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 66 in
dm_test_phy_common_props_rx_single_value()
_____________________________________________________________________________________________
*** CID 646001: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 66 in
dm_test_phy_common_props_rx_single_value()
60 unsigned int val;
61 int ret;
62
63 ut_assert(ofnode_valid(node));
64
65 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 646001: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
66 ut_asserteq(0, ret);
67 ut_asserteq(PHY_POL_INVERT, val);
68
69 return 0;
70 }
71
** CID 646000: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 129 in
dm_test_phy_common_props_rx_no_default()
_____________________________________________________________________________________________
*** CID 646000: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 129 in
dm_test_phy_common_props_rx_no_default()
123 unsigned int val;
124 int ret;
125
126 ut_assert(ofnode_valid(node));
127
128 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 646000: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
129 ut_asserteq(-EINVAL, ret);
130
131 return 0;
132 }
133
134 DM_TEST(dm_test_phy_common_props_rx_no_default, UTF_SCAN_FDT);
** CID 645999: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 84 in
dm_test_phy_common_props_rx_more_names()
_____________________________________________________________________________________________
*** CID 645999: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 84 in
dm_test_phy_common_props_rx_more_names()
78 unsigned int val;
79 int ret;
80
81 ut_assert(ofnode_valid(node));
82
83 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>> CID 645999: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
84 ut_asserteq(-EINVAL, ret);
85
86 return 0;
87 }
88
89 DM_TEST(dm_test_phy_common_props_rx_more_names, UTF_SCAN_FDT);
** CID 645998: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 218 in
dm_test_phy_common_props_tx_single_value()
_____________________________________________________________________________________________
*** CID 645998: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 218 in
dm_test_phy_common_props_tx_single_value()
212 unsigned int val;
213 int ret;
214
215 ut_assert(ofnode_valid(node));
216
217 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 645998: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
218 ut_asserteq(0, ret);
219 ut_asserteq(PHY_POL_INVERT, val);
220
221 return 0;
222 }
223
** CID 646014: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 201 in
dm_test_phy_common_props_tx_more_values()
_____________________________________________________________________________________________
*** CID 646014: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 201 in
dm_test_phy_common_props_tx_more_values()
195 unsigned int val;
196 int ret;
197
198 ut_assert(ofnode_valid(node));
199
200 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 646014: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
201 ut_asserteq(-EINVAL, ret);
202
203 return 0;
204 }
205
206 DM_TEST(dm_test_phy_common_props_tx_more_values, UTF_SCAN_FDT);
** CID 646013: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 279 in
dm_test_phy_common_props_tx_no_default()
_____________________________________________________________________________________________
*** CID 646013: Integer handling issues (INTEGER_OVERFLOW)
/test/dm/phy_common_props.c: 279 in
dm_test_phy_common_props_tx_no_default()
273 unsigned int val;
274 int ret;
275
276 ut_assert(ofnode_valid(node));
277
278 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>> CID 646013: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
279 ut_asserteq(-EINVAL, ret);
280
281 return 0;
282 }
283
284 DM_TEST(dm_test_phy_common_props_tx_no_default, UTF_SCAN_FDT);
** CID 646012: (TAINTED_SCALAR)
/drivers/phy/phy-common-props.c: 156 in ofnode_get_u32_prop_for_name()
_____________________________________________________________________________________________
*** CID 646012: (TAINTED_SCALAR)
/drivers/phy/phy-common-props.c: 156 in
ofnode_get_u32_prop_for_name()
150 props = calloc(n_props, sizeof(*props));
151 if (!props)
152 return -ENOMEM;
153
154 err = ofnode_read_u32_array(node, props_title, props, n_props);
155 if (err >= 0) {
>>> CID 646012: (TAINTED_SCALAR)
>>> Using tainted variable "idx" as an index to pointer "props".
156 *val = props[idx];
157 pr_debug("%s: resolved value %u at index %d for name '%s'
from '%s'\n",
158 __func__, *val, idx, name, props_title);
159 } else {
160 pr_debug("%s: failed to read u32 array '%s' (err=%d)\n",
161 __func__, props_title, err);
/drivers/phy/phy-common-props.c: 164 in
ofnode_get_u32_prop_for_name()
158 __func__, *val, idx, name, props_title);
159 } else {
160 pr_debug("%s: failed to read u32 array '%s' (err=%d)\n",
161 __func__, props_title, err);
162 }
163
>>> CID 646012: (TAINTED_SCALAR)
>>> Passing tainted expression "*props" to "dlfree", which uses it as an offset.
164 free(props);
165
166 return err;
167 }
168
169 /**
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-05-11 22:35 Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-05-11 22:35 UTC (permalink / raw)
To: u-boot, Peter Collingbourne
[-- Attachment #1: Type: text/plain, Size: 1445 bytes --]
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, May 11, 2026 at 4:22 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 1
- 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 1 of 1 defect(s)
Defect Details
** CID 646039: Control flow issues (UNREACHABLE)
/fs/ubifs/ubifs.c: 612 in ubifs_findfile()
_____________________________________________________________________________________________
*** CID 646039: Control flow issues (UNREACHABLE)
/fs/ubifs/ubifs.c: 612 in ubifs_findfile()
606 }
607
608 root_inum = inum;
609 name = next;
610 }
611
>>> CID 646039: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "kfree(buf);".
612 kfree(buf);
613 return 0;
614 }
615
616 int ubifs_set_blk_dev(struct blk_desc *rbdd, struct
disk_partition *info)
617 {
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-04-28 14:04 Tom Rini
2026-04-29 6:31 ` Michal Simek
@ 2026-05-12 8:44 ` Christian Pötzsch
2026-05-12 18:38 ` Tom Rini
1 sibling, 1 reply; 99+ messages in thread
From: Christian Pötzsch @ 2026-05-12 8:44 UTC (permalink / raw)
To: Tom Rini, u-boot; +Cc: Raymond Mao, Ilias Apalodimas, Michal Simek, Marek Vasut
Hi Tom,
On 4/28/26 4:04 PM, Tom Rini wrote:
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Apr 27, 2026, 5:41 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 9
> - 77 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 9 of 9 defect(s)
>
> Defect Details
>
>
> ** CID 645841: Incorrect expression (BAD_COMPARE)
> /common/bloblist.c: 303 in bloblist_apply_blobs()
>
>
> _____________________________________________________________________________________________
> *** CID 645841: Incorrect expression (BAD_COMPARE)
> /common/bloblist.c: 303 in bloblist_apply_blobs()
> 297 log_err("Failed to apply blob with tag %d\n",
> 298 tag);
> 299 return ret;
> 300 }
> 301
> 302 rec = rec_from_blob(blob - dat_off);
>>>> CID 645841: Incorrect expression (BAD_COMPARE)
>>>> Comparing pointer "rec" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
> 303 if (rec <= 0) {
> 304 log_err("Blob corrupted\n");
> 305 return -ENOENT;
> 306 }
> 307
> 308 /* Mark applied blob record as void */
>
> ** CID 645840: Uninitialized variables (UNINIT)
>
>
> _____________________________________________________________________________________________
> *** CID 645840: Uninitialized variables (UNINIT)
> /lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
> 961 if ((server && strlen("http://") + strlen(server) + 1 >
> sizeof(tmp)) ||
> 962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
> 963 return NULL;
> 964
> 965 efi_net_get_addr(&ip, &mask, NULL, dev);
> 966
>>>> CID 645840: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "ip" when calling "efi_dp_from_ipv4".
> 967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
> 968 if (!dp1)
> 969 return NULL;
> 970
> 971
> 972 strcpy(tmp, "http://");
>
> ** CID 645839: Error handling issues (CHECKED_RETURN)
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
>
>
> _____________________________________________________________________________________________
> *** CID 645839: Error handling issues (CHECKED_RETURN)
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645839: Error handling issues (CHECKED_RETURN)
>>>> Calling "fdt_pack" without checking return value (as is done elsewhere 5 out of 6 times).
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
>
> ** CID 645838: Uninitialized variables (UNINIT)
>
>
> _____________________________________________________________________________________________
> *** CID 645838: Uninitialized variables (UNINIT)
> /lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
> 961 if ((server && strlen("http://") + strlen(server) + 1 >
> sizeof(tmp)) ||
> 962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
> 963 return NULL;
> 964
> 965 efi_net_get_addr(&ip, &mask, NULL, dev);
> 966
>>>> CID 645838: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "mask" when calling "efi_dp_from_ipv4".
> 967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
> 968 if (!dp1)
> 969 return NULL;
> 970
> 971
> 972 strcpy(tmp, "http://");
>
> ** CID 645837: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 645837: (TAINTED_SCALAR)
> /lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
> 1769 /* Resize if the current space is not sufficient */
> 1770 if (blob_size < padded_size) {
> 1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
> 1772 if (ret)
> 1773 return ret;
> 1774
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_open_into", which uses it as an offset.
> 1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
> 1776 if (ret)
> 1777 return ret;
> 1778 }
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
> 1769 /* Resize if the current space is not sufficient */
> 1770 if (blob_size < padded_size) {
> 1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
> 1772 if (ret)
> 1773 return ret;
> 1774
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->totalsize" to "fdt_open_into", which uses it as an offset.
> 1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
> 1776 if (ret)
> 1777 return ret;
> 1778 }
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
> 1769 /* Resize if the current space is not sufficient */
> 1770 if (blob_size < padded_size) {
> 1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
> 1772 if (ret)
> 1773 return ret;
> 1774
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_open_into", which uses it as an offset.
> 1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
> 1776 if (ret)
> 1777 return ret;
> 1778 }
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
>
> ** CID 645836: Resource leaks (RESOURCE_LEAK)
> /drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
>
>
> _____________________________________________________________________________________________
> *** CID 645836: Resource leaks (RESOURCE_LEAK)
> /drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
> 195 return -ENOMEM;
> 196
> 197 range->base = args.args[0];
> 198 if (range->base != priv->num_pins) {
> 199 dev_err(dev, "no gaps allowed in between pins %d vs %d\n",
> 200 priv->num_pins, range->base);
>>>> CID 645836: Resource leaks (RESOURCE_LEAK)
>>>> Variable "range" going out of scope leaks the storage it points to.
> 201 return -EINVAL;
> 202 }
> 203 range->offset = args.args[1];
> 204 range->npins = args.args[2];
> 205 priv->num_pins += args.args[2];
> 206 list_add_tail(&range->list, &priv->gpio_ranges);
>
> ** CID 645835: Memory - corruptions (OVERRUN)
> /lib/gunzip.c: 248 in gzwrite()
>
>
> _____________________________________________________________________________________________
> *** CID 645835: Memory - corruptions (OVERRUN)
> /lib/gunzip.c: 248 in gzwrite()
> 242 s.avail_out = szwritebuf - numfilled;
> 243 s.next_out = writebuf + numfilled;
> 244 } else {
> 245 s.avail_out = szwritebuf;
> 246 s.next_out = writebuf;
> 247 }
>>>> CID 645835: Memory - corruptions (OVERRUN)
>>>> Calling "inflate" with "s.next_in" and "s.avail_in" is suspicious because of the very large index, 4294966272. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 248 r = inflate(&s, Z_SYNC_FLUSH);
> 249 if ((r != Z_OK) &&
> 250 (r != Z_STREAM_END)) {
> 251 printf("Error: inflate() returned %d\n", r);
> 252 goto out;
> 253 }
>
> ** CID 645834: Control flow issues (NO_EFFECT)
> /drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
>
>
> _____________________________________________________________________________________________
> *** CID 645834: Control flow issues (NO_EFFECT)
> /drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
> 178 */
> 179 while (i < blkcnt) {
> 180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
> 181
> 182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
> 183 buffer + i * 512, type);
>>>> CID 645834: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true. "ret < 0UL".
> 184 if (ret < 0)
> 185 return ret;
> 186 i += blk_per_sg;
> 187 }
> 188
> 189 return blkcnt >> priv->blksz_shift;
>
> ** CID 645833: Control flow issues (DEADCODE)
> /drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
>
>
> _____________________________________________________________________________________________
> *** CID 645833: Control flow issues (DEADCODE)
> /drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
> 179 while (i < blkcnt) {
> 180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
> 181
> 182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
> 183 buffer + i * 512, type);
> 184 if (ret < 0)
>>>> CID 645833: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "return ret;".
> 185 return ret;
> 186 i += blk_per_sg;
> 187 }
> 188
> 189 return blkcnt >> priv->blksz_shift;
> 190 }
The last two errors should hopefully be fixed by https://patchwork.ozlabs.org/project/uboot/patch/20260512083949.3493010-1-christian.poetzsch@kernkonzept.com/
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
--
http://www.kernkonzept.com
Kernkonzept GmbH. Sitz: Dresden. Amtsgericht Dresden, HRB 31129.
Geschäftsführer: Dr.-Ing. Michael Hohmuth
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-05-12 8:44 ` Christian Pötzsch
@ 2026-05-12 18:38 ` Tom Rini
0 siblings, 0 replies; 99+ messages in thread
From: Tom Rini @ 2026-05-12 18:38 UTC (permalink / raw)
To: Christian Pötzsch
Cc: u-boot, Raymond Mao, Ilias Apalodimas, Michal Simek, Marek Vasut
[-- Attachment #1: Type: text/plain, Size: 2261 bytes --]
On Tue, May 12, 2026 at 10:44:46AM +0200, Christian Pötzsch wrote:
> Hi Tom,
>
> On 4/28/26 4:04 PM, Tom Rini wrote:
> > Here's the latest report.
[snip]
> > ** CID 645834: Control flow issues (NO_EFFECT)
> > /drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 645834: Control flow issues (NO_EFFECT)
> > /drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
> > 178 */
> > 179 while (i < blkcnt) {
> > 180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
> > 181
> > 182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
> > 183 buffer + i * 512, type);
> > > > > CID 645834: Control flow issues (NO_EFFECT)
> > > > > This less-than-zero comparison of an unsigned value is never true. "ret < 0UL".
> > 184 if (ret < 0)
> > 185 return ret;
> > 186 i += blk_per_sg;
> > 187 }
> > 188
> > 189 return blkcnt >> priv->blksz_shift;
> >
> > ** CID 645833: Control flow issues (DEADCODE)
> > /drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 645833: Control flow issues (DEADCODE)
> > /drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
> > 179 while (i < blkcnt) {
> > 180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
> > 181
> > 182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
> > 183 buffer + i * 512, type);
> > 184 if (ret < 0)
> > > > > CID 645833: Control flow issues (DEADCODE)
> > > > > Execution cannot reach this statement: "return ret;".
> > 185 return ret;
> > 186 i += blk_per_sg;
> > 187 }
> > 188
> > 189 return blkcnt >> priv->blksz_shift;
> > 190 }
> The last two errors should hopefully be fixed by https://patchwork.ozlabs.org/project/uboot/patch/20260512083949.3493010-1-christian.poetzsch@kernkonzept.com/
Thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 99+ messages in thread
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
2026-05-08 23:42 Tom Rini
@ 2026-05-14 15:39 ` Lucien.Jheng
0 siblings, 0 replies; 99+ messages in thread
From: Lucien.Jheng @ 2026-05-14 15:39 UTC (permalink / raw)
To: Tom Rini, u-boot
Hi Tom
I will fix coverity issue in the next patch.
Tom Rini 於 2026/5/9 上午 07:42 寫道:
> Here's the latest report. I think test code matters because it sets bad
> examples, or might not really end up testing things the way we want them
> to, and so should be fixed. Thanks!
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, May 8, 2026 at 5:31 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 17
> - 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 17 of 17 defect(s)
>
> Defect Details
>
> ** CID 646011: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 164 in
> dm_test_phy_common_props_rx_unsupported()
>
>
> _____________________________________________________________________________________________
> *** CID 646011: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 164 in
> dm_test_phy_common_props_rx_unsupported()
> 158 unsigned int val;
> 159 int ret;
> 160
> 161 ut_assert(ofnode_valid(node));
> 162
> 163 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 646011: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 164 ut_asserteq(-EOPNOTSUPP, ret);
> 165
> 166 return 0;
> 167 }
> 168
> 169 DM_TEST(dm_test_phy_common_props_rx_unsupported, UTF_SCAN_FDT);
>
> ** CID 646010: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 236 in
> dm_test_phy_common_props_tx_more_names()
>
>
> _____________________________________________________________________________________________
> *** CID 646010: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 236 in
> dm_test_phy_common_props_tx_more_names()
> 230 unsigned int val;
> 231 int ret;
> 232
> 233 ut_assert(ofnode_valid(node));
> 234
> 235 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 646010: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 236 ut_asserteq(-EINVAL, ret);
> 237
> 238 return 0;
> 239 }
> 240
> 241 DM_TEST(dm_test_phy_common_props_tx_more_names, UTF_SCAN_FDT);
>
> ** CID 646009: (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 253 in
> dm_test_phy_common_props_tx_find_by_name()
> /test/dm/phy_common_props.c: 257 in
> dm_test_phy_common_props_tx_find_by_name()
> /test/dm/phy_common_props.c: 261 in
> dm_test_phy_common_props_tx_find_by_name()
>
>
> _____________________________________________________________________________________________
> *** CID 646009: (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 253 in
> dm_test_phy_common_props_tx_find_by_name()
> 247 unsigned int val;
> 248 int ret;
> 249
> 250 ut_assert(ofnode_valid(node));
> 251
> 252 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 646009: (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 253 ut_asserteq(0, ret);
> 254 ut_asserteq(PHY_POL_NORMAL, val);
> 255
> 256 ret = phy_get_manual_tx_polarity(node, "2500base-x", &val);
> 257 ut_asserteq(0, ret);
> 258 ut_asserteq(PHY_POL_INVERT, val);
> /test/dm/phy_common_props.c: 257 in
> dm_test_phy_common_props_tx_find_by_name()
> 251
> 252 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
> 253 ut_asserteq(0, ret);
> 254 ut_asserteq(PHY_POL_NORMAL, val);
> 255
> 256 ret = phy_get_manual_tx_polarity(node, "2500base-x", &val);
>>>> CID 646009: (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 257 ut_asserteq(0, ret);
> 258 ut_asserteq(PHY_POL_INVERT, val);
> 259
> 260 ret = phy_get_manual_tx_polarity(node, "1000base-x", &val);
> 261 ut_asserteq(0, ret);
> 262 ut_asserteq(PHY_POL_NORMAL, val);
> /test/dm/phy_common_props.c: 261 in
> dm_test_phy_common_props_tx_find_by_name()
> 255
> 256 ret = phy_get_manual_tx_polarity(node, "2500base-x", &val);
> 257 ut_asserteq(0, ret);
> 258 ut_asserteq(PHY_POL_INVERT, val);
> 259
> 260 ret = phy_get_manual_tx_polarity(node, "1000base-x", &val);
>>>> CID 646009: (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 261 ut_asserteq(0, ret);
> 262 ut_asserteq(PHY_POL_NORMAL, val);
> 263
> 264 return 0;
> 265 }
> 266
>
> ** CID 646008: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 31 in
> dm_test_phy_common_props_rx_missing()
>
>
> _____________________________________________________________________________________________
> *** CID 646008: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 31 in
> dm_test_phy_common_props_rx_missing()
> 25 unsigned int val;
> 26 int ret;
> 27
> 28 ut_assert(ofnode_valid(node));
> 29
> 30 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 646008: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 31 ut_asserteq(0, ret);
> 32 ut_asserteq(PHY_POL_NORMAL, val);
> 33
> 34 return 0;
> 35 }
> 36
>
> ** CID 646007: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 296 in
> dm_test_phy_common_props_tx_with_default()
>
>
> _____________________________________________________________________________________________
> *** CID 646007: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 296 in
> dm_test_phy_common_props_tx_with_default()
> 290 unsigned int val;
> 291 int ret;
> 292
> 293 ut_assert(ofnode_valid(node));
> 294
> 295 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 646007: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 296 ut_asserteq(0, ret);
> 297 ut_asserteq(PHY_POL_INVERT, val);
> 298
> 299 return 0;
> 300 }
> 301
>
> ** CID 646006: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 314 in
> dm_test_phy_common_props_tx_unsupported()
>
>
> _____________________________________________________________________________________________
> *** CID 646006: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 314 in
> dm_test_phy_common_props_tx_unsupported()
> 308 unsigned int val;
> 309 int ret;
> 310
> 311 ut_assert(ofnode_valid(node));
> 312
> 313 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 646006: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 314 ut_asserteq(-EOPNOTSUPP, ret);
> 315
> 316 return 0;
> 317 }
> 318
>
> ** CID 646005: (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 111 in
> dm_test_phy_common_props_rx_find_by_name()
> /test/dm/phy_common_props.c: 105 in
> dm_test_phy_common_props_rx_find_by_name()
> /test/dm/phy_common_props.c: 101 in
> dm_test_phy_common_props_rx_find_by_name()
>
>
> _____________________________________________________________________________________________
> *** CID 646005: (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 111 in
> dm_test_phy_common_props_rx_find_by_name()
> 105 ut_asserteq(0, ret);
> 106 ut_asserteq(PHY_POL_INVERT, val);
> 107
> 108 /* "usb-ss" has PHY_POL_AUTO; auto is supported here */
> 109 ret = phy_get_rx_polarity(node, "usb-ss", BIT(PHY_POL_AUTO),
> 110 PHY_POL_AUTO, &val);
>>>> CID 646005: (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 111 ut_asserteq(0, ret);
> 112 ut_asserteq(PHY_POL_AUTO, val);
> 113
> 114 return 0;
> 115 }
> 116
> /test/dm/phy_common_props.c: 105 in
> dm_test_phy_common_props_rx_find_by_name()
> 99
> 100 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
> 101 ut_asserteq(0, ret);
> 102 ut_asserteq(PHY_POL_NORMAL, val);
> 103
> 104 ret = phy_get_manual_rx_polarity(node, "2500base-x", &val);
>>>> CID 646005: (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 105 ut_asserteq(0, ret);
> 106 ut_asserteq(PHY_POL_INVERT, val);
> 107
> 108 /* "usb-ss" has PHY_POL_AUTO; auto is supported here */
> 109 ret = phy_get_rx_polarity(node, "usb-ss", BIT(PHY_POL_AUTO),
> 110 PHY_POL_AUTO, &val);
> /test/dm/phy_common_props.c: 101 in
> dm_test_phy_common_props_rx_find_by_name()
> 95 unsigned int val;
> 96 int ret;
> 97
> 98 ut_assert(ofnode_valid(node));
> 99
> 100 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 646005: (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 101 ut_asserteq(0, ret);
> 102 ut_asserteq(PHY_POL_NORMAL, val);
> 103
> 104 ret = phy_get_manual_rx_polarity(node, "2500base-x", &val);
> 105 ut_asserteq(0, ret);
> 106 ut_asserteq(PHY_POL_INVERT, val);
>
> ** CID 646004: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 183 in
> dm_test_phy_common_props_tx_missing()
>
>
> _____________________________________________________________________________________________
> *** CID 646004: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 183 in
> dm_test_phy_common_props_tx_missing()
> 177 unsigned int val;
> 178 int ret;
> 179
> 180 ut_assert(ofnode_valid(node));
> 181
> 182 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 646004: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 183 ut_asserteq(0, ret);
> 184 ut_asserteq(PHY_POL_NORMAL, val);
> 185
> 186 return 0;
> 187 }
> 188
>
> ** CID 646003: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 49 in
> dm_test_phy_common_props_rx_more_values()
>
>
> _____________________________________________________________________________________________
> *** CID 646003: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 49 in
> dm_test_phy_common_props_rx_more_values()
> 43 unsigned int val;
> 44 int ret;
> 45
> 46 ut_assert(ofnode_valid(node));
> 47
> 48 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 646003: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 49 ut_asserteq(-EINVAL, ret);
> 50
> 51 return 0;
> 52 }
> 53
> 54 DM_TEST(dm_test_phy_common_props_rx_more_values, UTF_SCAN_FDT);
>
> ** CID 646002: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 146 in
> dm_test_phy_common_props_rx_with_default()
>
>
> _____________________________________________________________________________________________
> *** CID 646002: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 146 in
> dm_test_phy_common_props_rx_with_default()
> 140 unsigned int val;
> 141 int ret;
> 142
> 143 ut_assert(ofnode_valid(node));
> 144
> 145 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 646002: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 146 ut_asserteq(0, ret);
> 147 ut_asserteq(PHY_POL_INVERT, val);
> 148
> 149 return 0;
> 150 }
> 151
>
> ** CID 646001: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 66 in
> dm_test_phy_common_props_rx_single_value()
>
>
> _____________________________________________________________________________________________
> *** CID 646001: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 66 in
> dm_test_phy_common_props_rx_single_value()
> 60 unsigned int val;
> 61 int ret;
> 62
> 63 ut_assert(ofnode_valid(node));
> 64
> 65 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 646001: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 66 ut_asserteq(0, ret);
> 67 ut_asserteq(PHY_POL_INVERT, val);
> 68
> 69 return 0;
> 70 }
> 71
>
> ** CID 646000: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 129 in
> dm_test_phy_common_props_rx_no_default()
>
>
> _____________________________________________________________________________________________
> *** CID 646000: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 129 in
> dm_test_phy_common_props_rx_no_default()
> 123 unsigned int val;
> 124 int ret;
> 125
> 126 ut_assert(ofnode_valid(node));
> 127
> 128 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 646000: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 129 ut_asserteq(-EINVAL, ret);
> 130
> 131 return 0;
> 132 }
> 133
> 134 DM_TEST(dm_test_phy_common_props_rx_no_default, UTF_SCAN_FDT);
>
> ** CID 645999: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 84 in
> dm_test_phy_common_props_rx_more_names()
>
>
> _____________________________________________________________________________________________
> *** CID 645999: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 84 in
> dm_test_phy_common_props_rx_more_names()
> 78 unsigned int val;
> 79 int ret;
> 80
> 81 ut_assert(ofnode_valid(node));
> 82
> 83 ret = phy_get_manual_rx_polarity(node, "sgmii", &val);
>>>> CID 645999: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 84 ut_asserteq(-EINVAL, ret);
> 85
> 86 return 0;
> 87 }
> 88
> 89 DM_TEST(dm_test_phy_common_props_rx_more_names, UTF_SCAN_FDT);
>
> ** CID 645998: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 218 in
> dm_test_phy_common_props_tx_single_value()
>
>
> _____________________________________________________________________________________________
> *** CID 645998: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 218 in
> dm_test_phy_common_props_tx_single_value()
> 212 unsigned int val;
> 213 int ret;
> 214
> 215 ut_assert(ofnode_valid(node));
> 216
> 217 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 645998: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 218 ut_asserteq(0, ret);
> 219 ut_asserteq(PHY_POL_INVERT, val);
> 220
> 221 return 0;
> 222 }
> 223
>
> ** CID 646014: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 201 in
> dm_test_phy_common_props_tx_more_values()
>
>
> _____________________________________________________________________________________________
> *** CID 646014: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 201 in
> dm_test_phy_common_props_tx_more_values()
> 195 unsigned int val;
> 196 int ret;
> 197
> 198 ut_assert(ofnode_valid(node));
> 199
> 200 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 646014: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 201 ut_asserteq(-EINVAL, ret);
> 202
> 203 return 0;
> 204 }
> 205
> 206 DM_TEST(dm_test_phy_common_props_tx_more_values, UTF_SCAN_FDT);
>
> ** CID 646013: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 279 in
> dm_test_phy_common_props_tx_no_default()
>
>
> _____________________________________________________________________________________________
> *** CID 646013: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/phy_common_props.c: 279 in
> dm_test_phy_common_props_tx_no_default()
> 273 unsigned int val;
> 274 int ret;
> 275
> 276 ut_assert(ofnode_valid(node));
> 277
> 278 ret = phy_get_manual_tx_polarity(node, "sgmii", &val);
>>>> CID 646013: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "_val2", where "ret" is known to be equal to -95, overflows the type of "_val2", which is type "unsigned int".
> 279 ut_asserteq(-EINVAL, ret);
> 280
> 281 return 0;
> 282 }
> 283
> 284 DM_TEST(dm_test_phy_common_props_tx_no_default, UTF_SCAN_FDT);
>
> ** CID 646012: (TAINTED_SCALAR)
> /drivers/phy/phy-common-props.c: 156 in ofnode_get_u32_prop_for_name()
>
>
> _____________________________________________________________________________________________
> *** CID 646012: (TAINTED_SCALAR)
> /drivers/phy/phy-common-props.c: 156 in
> ofnode_get_u32_prop_for_name()
> 150 props = calloc(n_props, sizeof(*props));
> 151 if (!props)
> 152 return -ENOMEM;
> 153
> 154 err = ofnode_read_u32_array(node, props_title, props, n_props);
> 155 if (err >= 0) {
>>>> CID 646012: (TAINTED_SCALAR)
>>>> Using tainted variable "idx" as an index to pointer "props".
> 156 *val = props[idx];
> 157 pr_debug("%s: resolved value %u at index %d for name '%s'
> from '%s'\n",
> 158 __func__, *val, idx, name, props_title);
> 159 } else {
> 160 pr_debug("%s: failed to read u32 array '%s' (err=%d)\n",
> 161 __func__, props_title, err);
> /drivers/phy/phy-common-props.c: 164 in
> ofnode_get_u32_prop_for_name()
> 158 __func__, *val, idx, name, props_title);
> 159 } else {
> 160 pr_debug("%s: failed to read u32 array '%s' (err=%d)\n",
> 161 __func__, props_title, err);
> 162 }
> 163
>>>> CID 646012: (TAINTED_SCALAR)
>>>> Passing tainted expression "*props" to "dlfree", which uses it as an offset.
> 164 free(props);
> 165
> 166 return err;
> 167 }
> 168
> 169 /**
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
^ permalink raw reply [flat|nested] 99+ messages in thread
end of thread, other threads:[~2026-05-14 17:13 UTC | newest]
Thread overview: 99+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-11 1:49 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
-- strict thread matches above, loose matches on Subject: below --
2026-05-11 22:35 Tom Rini
2026-05-08 23:42 Tom Rini
2026-05-14 15:39 ` Lucien.Jheng
2026-04-28 14:04 Tom Rini
2026-04-29 6:31 ` Michal Simek
2026-05-01 22:51 ` Raymond Mao
2026-05-12 8:44 ` Christian Pötzsch
2026-05-12 18:38 ` Tom Rini
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
2026-01-06 20:36 Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-14 23:29 Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.