From: Guillaume La Roque <glaroque@baylibre.com>
To: Tom Rini <trini@konsulko.com>, u-boot@lists.denx.de
Cc: Mattijs Korpershoek <mkorpershoek@kernel.org>
Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Mon, 9 Feb 2026 12:05:40 +0100
Message-ID: <80dd375b-e905-46c5-b43d-dd4c87e71c98@baylibre.com>
In-Reply-To: <20260116194323.GP3416603@bill-the-cat>
Hi Tom,
Sorry for the delay, I checked the defects; please see my comments inline.
On 16/01/2026 at 20:43, Tom Rini wrote:
> Hey all,
>
> Here's the latest report from Coverity scan. For the LZMA ones, the
> _pad_ stuff seems to be a false positive (the _pad_ byte is just for
> padding and not referenced) and the flow control one is how that's
> written; for whatever reason the upstream author wanted it like that.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Jan 16, 2026 at 1:06 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 7
> - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 7 of 7 defect(s)
>
> Defect Details
>
> ** CID 641431: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641431: (TAINTED_SCALAR)
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
For CID 641431: for me it's a false positive; malloc was done with the
strlen return value and free was done on the malloc pointer.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
>
> ** CID 641430: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641430: (TAINTED_SCALAR)
> /cmd/abootimg.c: 244 in abootimg_get_ramdisk()
> 238 &rd_data, &rd_len))
> 239 return CMD_RET_FAILURE;
> 240
> 241 if (argc == 0) {
> 242 printf("%lx\n", rd_data);
> 243 } else {
>>>> CID 641430: (TAINTED_SCALAR)
>>>> Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
> 244 env_set_hex(argv[0], rd_data);
> 245 if (argc == 2)
> 246 env_set_hex(argv[1], rd_len);
> 247 }
> 248
> 249 return CMD_RET_SUCCESS;
> /cmd/abootimg.c: 246 in abootimg_get_ramdisk()
> 240
> 241 if (argc == 0) {
> 242 printf("%lx\n", rd_data);
> 243 } else {
> 244 env_set_hex(argv[0], rd_data);
> 245 if (argc == 2)
>>>> CID 641430: (TAINTED_SCALAR)
>>>> Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.
CID 641430: false positive too. env_set_hex converts a value into an env variable, so it converts rd_len and rd_data
into variables.
> 246 env_set_hex(argv[1], rd_len);
> 247 }
> 248
> 249 return CMD_RET_SUCCESS;
> 250 }
> 251
>
> ** CID 641429: Insecure data handling (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641429: Insecure data handling (TAINTED_SCALAR)
> /boot/image-android.c: 307 in android_image_get_data()
> 301 printf("Incorrect vendor boot image header\n");
> 302 unmap_sysmem(vhdr);
> 303 unmap_sysmem(bhdr);
> 304 return false;
> 305 }
> 306 android_boot_image_v3_v4_parse_hdr((const struct andr_boot_img_hdr_v3 *)bhdr, data);
>>>> CID 641429: Insecure data handling (TAINTED_SCALAR)
>>>> Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.
CID 641429: false positive too. "vhdr->bootconfig_size" comes from the Android image, so an external source; it is not possible to validate whether the value is good or not, except when the AVB feature is enabled.
> 307 android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
> 308 unmap_sysmem(vhdr);
> 309 } else {
> 310 android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
> 311 }
> 312
>
> ** CID 641428: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641428: (TAINTED_SCALAR)
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
CID 641428: for me it's a false positive too. img_data.boot_ramdisk_size and vendor_ramdisk_size come from the Android image; they could be corrupted if we corrupt the Android image, but it's an external source, so it is difficult to say whether the value is corrupted or not. That's why on a real device we have the AB features to check it.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
>
> ** CID 332278: Control flow issues (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
>
>
> _____________________________________________________________________________________________
> *** CID 332278: Control flow issues (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
> 714 UInt32 code = p->code;
> 715 const Byte *bufLimit = *bufOut;
> 716 const CLzmaProb *probs = GET_PROBS;
> 717 unsigned state = (unsigned)p->state;
> 718 ELzmaDummy res;
> 719
>>>> CID 332278: Control flow issues (UNREACHABLE)
>>>> Since the loop increment is unreachable, the loop body will never execute more than once.
> 720 for (;;)
> 721 {
> 722 const CLzmaProb *prob;
> 723 UInt32 bound;
> 724 unsigned ttt;
> 725 unsigned posState = CALC_POS_STATE(p->processedPos, ((unsigned)1 << p->prop.pb) - 1);
>
> ** CID 252901: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
>
>
> _____________________________________________________________________________________________
> *** CID 252901: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
> 1289
> 1290 SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAllocPtr alloc)
> 1291 {
> 1292 CLzmaProps propNew;
> 1293 RINOK(LzmaProps_Decode(&propNew, props, propsSize))
> 1294 RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>>> CID 252901: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1295 p->prop = propNew;
> 1296 return SZ_OK;
> 1297 }
> 1298
> 1299 SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAllocPtr alloc)
> 1300 {
>
> ** CID 252579: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
>
>
> _____________________________________________________________________________________________
> *** CID 252579: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
> 1321 {
> 1322 LzmaDec_FreeProbs(p, alloc);
> 1323 return SZ_ERROR_MEM;
> 1324 }
> 1325 }
> 1326 p->dicBufSize = dicBufSize;
>>>> CID 252579: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1327 p->prop = propNew;
> 1328 return SZ_OK;
> 1329 }
> 1330
> 1331 SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen,
> 1332 const Byte *propData, unsigned propSize, ELzmaFinishMode finishMode,
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
Regards,
Guillaume
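Added example, not code from U-Boot or from anyone in this thread: the kind of bounds check Coverity is looking for at a TAINTED_SCALAR sink. Sizes read from an image header (the discussion above names vendor_ramdisk_size, boot_ramdisk_size and bootconfig_size) are validated against the number of bytes actually loaded before any of them is used as an offset or loop bound, so a malformed image is rejected whether or not AVB is enabled; AVB authenticates the image, this check only rejects one whose sizes do not fit. The struct, its field names, the page-aligned section order and the sample values are constructed for the example and are not U-Boot's header definition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the size fields an Android vendor boot header
 * carries. It is not U-Boot's header struct: the names, the order of the
 * sections and the page-aligned layout assumed below are made up for this
 * example. */
struct hdr_sizes {
	uint32_t page_size;
	uint32_t vendor_ramdisk_size;
	uint32_t bootconfig_size;
};

enum hdr_check {
	HDR_OK = 0,
	HDR_BAD_PAGE_SIZE,
	HDR_OVERFLOW,
	HDR_OUT_OF_BOUNDS,
};

/* Round v up to a multiple of page (a power of two), failing instead of
 * wrapping around. */
static bool align_up_checked(uint64_t v, uint64_t page, uint64_t *out)
{
	if (v > UINT64_MAX - (page - 1))
		return false;
	*out = (v + page - 1) & ~(page - 1);
	return true;
}

/* True iff [off, off + len) lies within total_len bytes. off + len is never
 * computed, so a huge len taken from the header cannot wrap the comparison. */
static bool region_fits(uint64_t off, uint64_t len, uint64_t total_len)
{
	return off <= total_len && len <= total_len - off;
}

/* Validate every header-derived size against the bytes actually loaded
 * (total_len) before any of them is used as an offset or loop bound.
 * On success the section offsets are returned through *rd_off and *bc_off. */
enum hdr_check check_vendor_hdr(const struct hdr_sizes *h, uint64_t hdr_len,
				uint64_t total_len, uint64_t *rd_off,
				uint64_t *bc_off)
{
	uint64_t page = h->page_size, off;

	/* Every alignment step below trusts page_size, so pin it down first:
	 * a power of two in a plausible range. */
	if (page < 2048 || page > 65536 || (page & (page - 1)))
		return HDR_BAD_PAGE_SIZE;

	/* Vendor ramdisk: first section after the page-aligned header. */
	if (!align_up_checked(hdr_len, page, &off))
		return HDR_OVERFLOW;
	if (!region_fits(off, h->vendor_ramdisk_size, total_len))
		return HDR_OUT_OF_BOUNDS;
	*rd_off = off;

	/* Bootconfig: next page boundary after the ramdisk. The sum cannot
	 * wrap because region_fits just proved off + size <= total_len. */
	if (!align_up_checked(off + h->vendor_ramdisk_size, page, &off))
		return HDR_OVERFLOW;
	if (!region_fits(off, h->bootconfig_size, total_len))
		return HDR_OUT_OF_BOUNDS;
	*bc_off = off;

	return HDR_OK;
}

/* Convenience wrapper taking the raw header fields as scalars. */
enum hdr_check check_sizes(uint32_t page_size, uint32_t rd_size,
			   uint32_t bc_size, uint64_t hdr_len,
			   uint64_t total_len)
{
	struct hdr_sizes h = { page_size, rd_size, bc_size };
	uint64_t rd_off, bc_off;

	return check_vendor_hdr(&h, hdr_len, total_len, &rd_off, &bc_off);
}

int main(void)
{
	/* Constructed image: 4 KiB header, 8 KiB ramdisk, 100-byte bootconfig
	 * in 16 KiB of loaded data, then the same header claiming a ramdisk
	 * far larger than what was loaded. */
	printf("sane header:       %d\n", check_sizes(4096, 8192, 100, 4096, 16384));
	printf("oversized ramdisk: %d\n", check_sizes(4096, 0xffffffffu, 100, 4096, 16384));
	return 0;
}
```

The point of the two helpers is that neither ever forms `offset + size` from unchecked values: `region_fits` compares against `total_len - off`, and `align_up_checked` refuses to wrap, so the returned offsets are safe to hand to a copy or parse loop. The same shape applies to a length fed into a loop boundary such as the bootconfig parser: check it against the mapped size first, then use it.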