From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de, "Simon Glass" <sjg@chromium.org>,
"Pali Rohár" <pali@kernel.org>,
"Alexandru Gagniuc" <mr.nuke.me@gmail.com>
Subject: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Date: Mon, 16 Aug 2021 15:57:26 -0400 [thread overview]
Message-ID: <20210816195726.GD858@bill-the-cat> (raw)
[-- Attachment #1: Type: text/plain, Size: 7666 bytes --]
Hey all,
Can people please take a look? I can mark as intentional anything that
really is intentional, thanks.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 16 Aug 2021 18:33:32 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
** CID 338491: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()
________________________________________________________________________________________________________
*** CID 338491: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()
1060 int res;
1061
1062 hashf = fopen("pub_kak_hash.txt", "w");
1063
1064 res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
1065
>>> CID 338491: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
1066 fclose(hashf);
1067
1068 return res < 0 ? 1 : 0;
1069 }
1070
1071 int kwb_sign_csk_with_kak(struct image_tool_params *params,
** CID 338490: Control flow issues (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()
________________________________________________________________________________________________________
*** CID 338490: Control flow issues (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()
28 case FWMP_NV_INDEX:
29 return NV_SEQ_FWMP;
30 case MRC_REC_HASH_NV_INDEX:
31 return NV_SEQ_REC_HASH;
32 case 0:
33 return NV_SEQ_GLOBAL_LOCK;
>>> CID 338490: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "case TPM_NV_INDEX_LOCK:".
34 case TPM_NV_INDEX_LOCK:
35 return NV_SEQ_ENABLE_LOCKING;
36 }
37
38 printf("Invalid nv index %#x\n", index);
39 return -1;
** CID 338489: Control flow issues (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()
________________________________________________________________________________________________________
*** CID 338489: Control flow issues (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()
646
647 for (i = 0; i < SANDBOX_TPM_PCR_NB; i++)
648 if (pcr_map & BIT(i))
649 pcr_index = i;
650
651 if (pcr_index >= SANDBOX_TPM_PCR_NB) {
>>> CID 338489: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "printf("Invalid index %d, s...".
652 printf("Invalid index %d, sandbox TPM handles up to %d PCR(s)\n",
653 pcr_index, SANDBOX_TPM_PCR_NB);
654 rc = TPM2_RC_VALUE;
655 return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
656 }
657
** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
________________________________________________________________________________________________________
*** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
1087 if (export_pub_kak_hash(kak, secure_hdr))
1088 return 1;
1089
1090 if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
1091 return 1;
1092
>>> CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
>>> Using variable "csk_idx" as an index to array "secure_hdr->csk".
1093 if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
1094 return 1;
1095
1096 if (kwb_sign_and_verify(kak, &secure_hdr->csk,
1097 sizeof(secure_hdr->csk) +
1098 sizeof(secure_hdr->csksig),
** CID 338487: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 338487: Null pointer dereferences (FORWARD_NULL)
/test/dm/ecdsa.c: 34 in dm_test_ecdsa_verify()
28 struct image_sign_info info = {
29 .checksum = &algo,
30 };
31
32 ut_assertok(uclass_get(UCLASS_ECDSA, &ucp));
33 ut_assertnonnull(ucp);
>>> CID 338487: Null pointer dereferences (FORWARD_NULL)
>>> Passing "&info" to "ecdsa_verify", which dereferences null "info.fdt_blob".
34 ut_asserteq(-ENODEV, ecdsa_verify(&info, NULL, 0, NULL, 0));
35
36 return 0;
37 }
** CID 338486: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
________________________________________________________________________________________________________
*** CID 338486: Null pointer dereferences (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
830 return 0;
831
832 if (!strcmp(e->name, "a38x")) {
833 FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
834
835 kwb_dump_fuse_cmds_38x(out, sec_hdr);
>>> CID 338486: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
836 fclose(out);
837 goto done;
838 }
839
840 ret = -ENOSYS;
841
** CID 338485: Security best practices violations (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()
________________________________________________________________________________________________________
*** CID 338485: Security best practices violations (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()
120 bool upper)
121 {
122 char out[TEST_STR_SIZE];
123 char *endp;
124 unsigned long long val;
125
>>> CID 338485: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 200-character fixed-size string "out" by copying "str" without checking the length.
126 strcpy(out, str);
127 if (upper)
128 str_to_upper(out, out, -1);
129
130 val = simple_strtoull(out, &endp, base);
131 ut_asserteq(expect_val, val);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3Dpne1_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsGY-2Fdp5hfqC-2B6ss-2FtTgTZdxyWngwdNCSBcWaoglYsMi33qZ6o4IvlPo1NMZ6HKzSbi0k3YdDAC-2BTUaeXbDEnIRwEUtXC7QvseJgqoTO7Dy-2FbiEUFH4xtjfmqCkZmTJb3YVLV9-2Ba99V6cQv2l1vnfXAACur8TFDo8g-2FsXRbmip9nw-3D-3D
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DZz5A_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsGY-2Fdp5hfqC-2B6ss-2FtTgTZdXwxIYMpdS4H155aON0dxh2JciN9BuG3rKCbVzTcBZLXOvfO7Si-2FBGSpoJNCavkeTT3AGnasDLWxyxFydCRuDUJa2tYQzp6QhBJbaTuEIeds3Dm8aBmYjPfgEtJGmGgn084OEX2dKxosO7FhRlH0u8A-3D-3D
----- End forwarded message -----
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next reply other threads:[~2021-08-16 19:57 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-16 19:57 Tom Rini [this message]
2021-08-16 20:15 ` [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot] Pali Rohár
2021-08-16 20:20 ` Tom Rini
-- strict thread matches above, loose matches on Subject: below --
2022-09-06 15:50 Tom Rini
2022-05-09 17:22 Tom Rini
2022-04-25 23:41 Tom Rini
2022-03-05 18:27 Tom Rini
2022-02-15 19:29 Tom Rini
2022-02-01 0:33 Tom Rini
2021-11-15 18:02 Tom Rini
2021-11-02 16:22 Tom Rini
2021-11-01 20:06 Tom Rini
2021-09-15 14:11 Tom Rini
2021-08-30 17:39 Tom Rini
2021-08-31 15:18 ` Oleh Kravchenko
2021-09-06 14:05 ` Oleh Kravchenko
2021-09-06 15:23 ` Tom Rini
2021-07-27 2:52 Tom Rini
2021-07-27 3:26 ` Sean Anderson
2021-07-27 15:04 ` Tom Rini
2021-05-26 16:58 Tom Rini
2021-05-12 22:30 Tom Rini
2021-04-19 12:20 Tom Rini
2021-04-20 0:58 ` Asherah Connor
2021-04-20 1:17 ` Tom Rini
2021-04-20 6:13 ` Dario Binacchi
2021-03-30 19:55 Tom Rini
2021-03-02 14:42 Tom Rini
2021-02-23 16:15 Tom Rini
2021-02-01 19:51 Tom Rini
2021-01-26 16:41 Tom Rini
2021-01-20 19:04 Tom Rini
2021-01-20 20:43 ` Heinrich Schuchardt
2021-01-20 22:33 ` Heinrich Schuchardt
2021-01-21 2:09 ` AKASHI Takahiro
2021-01-26 17:02 ` Tom Rini
2021-01-20 21:03 ` Andre Przywara
2021-01-20 21:34 ` Tom Rini
2021-01-21 11:36 ` Sughosh Ganu
2021-01-21 13:44 ` Heinrich Schuchardt
2021-01-22 8:54 ` Sughosh Ganu
2021-01-22 11:37 ` Heinrich Schuchardt
2020-12-03 17:28 Tom Rini
2020-11-10 21:18 Tom Rini
2020-10-30 19:16 Tom Rini
2020-11-02 11:54 ` Pratyush Yadav
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210816195726.GD858@bill-the-cat \
--to=trini@konsulko.com \
--cc=mr.nuke.me@gmail.com \
--cc=pali@kernel.org \
--cc=sjg@chromium.org \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox