From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Cc: Guillaume La Roque <glaroque@baylibre.com>,
Mattijs Korpershoek <mkorpershoek@kernel.org>
Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Fri, 16 Jan 2026 13:43:23 -0600
Message-ID: <20260116194323.GP3416603@bill-the-cat>
Hey all,
Here's the latest report from Coverity scan. For the LZMA ones, the
_pad_ stuff seems to be a false positive (the _pad_ byte is just for
padding and not referenced), and the flow control one is how that's
written; for whatever reason the upstream author wanted it like that.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Jan 16, 2026 at 1:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 7
- 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 7 of 7 defect(s)
Defect Details
** CID 641431: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641431: (TAINTED_SCALAR)
/boot/image-android.c: 434 in android_image_get_kernel()
428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
433 env_set("bootargs", newbootargs);
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
439 } else {
/boot/image-android.c: 433 in android_image_get_kernel()
427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
429 strcat(newbootargs, " ");
430 strcat(newbootargs, img_data.kcmdline_extra);
431 }
432
>>> CID 641431: (TAINTED_SCALAR)
>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
433 env_set("bootargs", newbootargs);
434 free(newbootargs);
435
436 if (os_data) {
437 if (image_get_magic(ihdr) == IH_MAGIC) {
438 *os_data = image_get_data(ihdr);
** CID 641430: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641430: (TAINTED_SCALAR)
/cmd/abootimg.c: 244 in abootimg_get_ramdisk()
238 &rd_data, &rd_len))
239 return CMD_RET_FAILURE;
240
241 if (argc == 0) {
242 printf("%lx\n", rd_data);
243 } else {
>>> CID 641430: (TAINTED_SCALAR)
>>> Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
244 env_set_hex(argv[0], rd_data);
245 if (argc == 2)
246 env_set_hex(argv[1], rd_len);
247 }
248
249 return CMD_RET_SUCCESS;
/cmd/abootimg.c: 246 in abootimg_get_ramdisk()
240
241 if (argc == 0) {
242 printf("%lx\n", rd_data);
243 } else {
244 env_set_hex(argv[0], rd_data);
245 if (argc == 2)
>>> CID 641430: (TAINTED_SCALAR)
>>> Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.
246 env_set_hex(argv[1], rd_len);
247 }
248
249 return CMD_RET_SUCCESS;
250 }
251
** CID 641429: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641429: Insecure data handling (TAINTED_SCALAR)
/boot/image-android.c: 307 in android_image_get_data()
301 printf("Incorrect vendor boot image header\n");
302 unmap_sysmem(vhdr);
303 unmap_sysmem(bhdr);
304 return false;
305 }
306 android_boot_image_v3_v4_parse_hdr((const struct andr_boot_img_hdr_v3 *)bhdr, data);
>>> CID 641429: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.
307 android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
308 unmap_sysmem(vhdr);
309 } else {
310 android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
311 }
312
** CID 641428: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 641428: (TAINTED_SCALAR)
/boot/image-android.c: 658 in android_image_set_bootconfig()
652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654 /* Map Dest */
655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657 /* Copy data */
>>> CID 641428: (TAINTED_SCALAR)
>>> Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
659 ramdisk_dest);
660
661 unmap_sysmem(ramdisk_dest);
662 free(params);
663 free(new_bootargs);
/boot/image-android.c: 658 in android_image_set_bootconfig()
652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654 /* Map Dest */
655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657 /* Copy data */
>>> CID 641428: (TAINTED_SCALAR)
>>> Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
659 ramdisk_dest);
660
661 unmap_sysmem(ramdisk_dest);
662 free(params);
663 free(new_bootargs);
/boot/image-android.c: 658 in android_image_set_bootconfig()
652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654 /* Map Dest */
655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657 /* Copy data */
>>> CID 641428: (TAINTED_SCALAR)
>>> Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
659 ramdisk_dest);
660
661 unmap_sysmem(ramdisk_dest);
662 free(params);
663 free(new_bootargs);
** CID 332278: Control flow issues (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
_____________________________________________________________________________________________
*** CID 332278: Control flow issues (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
714 UInt32 code = p->code;
715 const Byte *bufLimit = *bufOut;
716 const CLzmaProb *probs = GET_PROBS;
717 unsigned state = (unsigned)p->state;
718 ELzmaDummy res;
719
>>> CID 332278: Control flow issues (UNREACHABLE)
>>> Since the loop increment is unreachable, the loop body will never execute more than once.
720 for (;;)
721 {
722 const CLzmaProb *prob;
723 UInt32 bound;
724 unsigned ttt;
725 unsigned posState = CALC_POS_STATE(p->processedPos, ((unsigned)1 << p->prop.pb) - 1);
** CID 252901: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
_____________________________________________________________________________________________
*** CID 252901: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
1289
1290 SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAllocPtr alloc)
1291 {
1292 CLzmaProps propNew;
1293 RINOK(LzmaProps_Decode(&propNew, props, propsSize))
1294 RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>> CID 252901: Uninitialized variables (UNINIT)
>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1295 p->prop = propNew;
1296 return SZ_OK;
1297 }
1298
1299 SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAllocPtr alloc)
1300 {
** CID 252579: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
_____________________________________________________________________________________________
*** CID 252579: Uninitialized variables (UNINIT)
/lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
1321 {
1322 LzmaDec_FreeProbs(p, alloc);
1323 return SZ_ERROR_MEM;
1324 }
1325 }
1326 p->dicBufSize = dicBufSize;
>>> CID 252579: Uninitialized variables (UNINIT)
>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1327 p->prop = propNew;
1328 return SZ_OK;
1329 }
1330
1331 SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen,
1332 const Byte *propData, unsigned propSize, ELzmaFinishMode finishMode,
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom