From: Rasmus Villemoes <ravi@prevas.dk>
To: Tom Rini <trini@konsulko.com>
Cc: u-boot@lists.denx.de, Andrew Goodbody <andrew.goodbody@linaro.org>
Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Tue, 15 Jul 2025 15:45:29 +0200 [thread overview]
Message-ID: <87tt3dva86.fsf@prevas.dk> (raw)
In-Reply-To: <20250714232902.GB193579@bill-the-cat> (Tom Rini's message of "Mon, 14 Jul 2025 17:29:02 -0600")
On Mon, Jul 14 2025, Tom Rini <trini@konsulko.com> wrote:
> Here's the latest report from Coverity. Good news is closing 5 existing
> issues (overlap with smatch I think) but 3 new ones. Or maybe it's
> related to Rasmus' cleanup series? I can only run one report a day I
> think so I don't have granular breakdown on which changes today brought
> these up.
>
> From: <scan-admin@coverity.com>
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> Date: Mon, Jul 14, 2025 at 5:23 PM (1 day, 9 hours, 56 minutes ago)
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 3
> - 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 3 of 3 defect(s)
>
> Defect Details
>
> ** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
>
>
> _____________________________________________________________________________________________
> *** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
> 1525 if (ea_entry & PCI_EA_IS_64) {
> 1526 /* MaxOffset 2nd DW */
> 1527 dm_pci_read_config32(dev, ea_off + 16, &ea_entry);
> 1528 sz |= ((u64)ea_entry) << 32;
> 1529 }
> 1530
>>>> CID 573150: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "sz + 1UL", where "sz" is known to be equal to 18446744073709551615, overflows the type of "sz + 1UL", which is type "unsigned long".
> 1531 addr = (pdata->virtid - 1) * (sz + 1);
> 1532 }
> 1533
I don't see how this one could be due to the int limit patches, as I see
no reference to any _MIN/_MAX macro, also not indirectly via the
definition of PCI_EA_FIELD_MASK.
I also have no idea how Coverity can think that sz can be known to be
equal to ~0ULL. Sure, if it phrased it "if sz is equal to ..., then sz+1
overflows", but that's not what it says. Nor would that be very useful,
as just about _any_ arithmetic expression can overflow for _some_ values
of the referenced variables.
Honestly, this sounds like it has been AI-infected.
> 1534 return addr;
> 1535 }
> 1536
>
> ** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
>
>
> _____________________________________________________________________________________________
> *** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
> 588
> 589 bs = *buffer_size;
> 590 if (fh->isdir)
> 591 ret = dir_read(fh, &bs, buffer);
> 592 else
> 593 ret = file_read(fh, &bs, buffer);
>>>> CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>>> "bs <= 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */" is always true regardless of the values of its operands. This occurs as the logical operand of "if".
> 594 if (bs <= SIZE_MAX)
> 595 *buffer_size = bs;
> 596 else
> 597 *buffer_size = SIZE_MAX;
> 598
> 599 return ret;
>
So this one might be triggered by the new definition of SIZE_MAX, though
SIZE_MAX was also a compile-time (though not cpp) constant previously. I
think we should define SIZE_MAX properly instead of via that UINTPTR_MAX
indirection, which itself could use some cleanup.
But aside from that, we should be able to silence Coverity by either
just changing the <= to < (because in the == case the other branch of
the if would have the same effect, but it's no longer a tautology). Or
we could maybe do *buffer_size = min_t(u64, bs, SIZE_MAX), though that
might expand to something with the exact same problem.
> ** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
>
>
> _____________________________________________________________________________________________
> *** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
> 1575 addr |= ((u64)ea_entry) << 32;
> 1576 }
> 1577
> 1578 if (IS_ENABLED(CONFIG_PCI_SRIOV))
> 1579 addr += dm_pci_map_ea_virt(dev, ea_off, pdata);
> 1580
>>>> CID 573148: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "4294967295U - addr", where "addr" is known to be equal to 4294967292, underflows the type of "4294967295U - addr", which is type "unsigned int".
> 1581 if (~((phys_addr_t)0) - addr < offset)
> 1582 return NULL;
> 1583
Wait, what? Just to be completely sure, I copy-pasted those two numbers:
4294967295
4294967292
I think my 8-year old can see that subtracting the second from the first
does not lead to a negative result.
So from my chair, that's another point added to the AI hypothesis.
Rasmus
next prev parent reply other threads:[~2025-07-15 13:45 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-14 23:29 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-05-11 22:35 Tom Rini
2026-05-08 23:42 Tom Rini
2026-05-14 15:39 ` Lucien.Jheng
2026-04-28 14:04 Tom Rini
2026-04-29 6:31 ` Michal Simek
2026-05-01 22:51 ` Raymond Mao
2026-05-12 8:44 ` Christian Pötzsch
2026-05-12 18:38 ` Tom Rini
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
2026-01-06 20:36 Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-03-11 1:49 Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tt3dva86.fsf@prevas.dk \
--to=ravi@prevas.dk \
--cc=andrew.goodbody@linaro.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.