Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]

public inbox for u-boot@lists.denx.de
 help / color / mirror / Atom feed

From: Tom Rini <trini@konsulko.com>
To: "Pali Rohár" <pali@kernel.org>
Cc: u-boot@lists.denx.de, "Simon Glass" <sjg@chromium.org>,
	"Alexandru Gagniuc" <mr.nuke.me@gmail.com>,
	"Stefan Roese" <sr@denx.de>, "Marek Behún" <marek.behun@nic.cz>
Subject: Re: [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Date: Mon, 16 Aug 2021 16:20:27 -0400	[thread overview]
Message-ID: <20210816202027.GE858@bill-the-cat> (raw)
In-Reply-To: <20210816201549.kzjonaqei2rwpefq@pali>

[-- Attachment #1: Type: text/plain, Size: 4009 bytes --]

On Mon, Aug 16, 2021 at 10:15:49PM +0200, Pali Rohár wrote:
> + Stefan and Marek
> 
> On Monday 16 August 2021 15:57:26 Tom Rini wrote:
> > Hey all,
> > 
> > Can people please take a look?  I can mark as intentional anything that
> > really is intentional, thanks.
> 
> Hello Tom!
> 
> These kwbimage issues look to be a real issues. But I do not think that
> anybody touched these parts of kwbimage code recently. So looks like
> that Coverity must have run some more tests this time...

Yeah, that happens from time to time.

> 
> > ** CID 338491:  Null pointer dereferences  (NULL_RETURNS)
> > /tools/kwbimage.c: 1066 in export_pub_kak_hash()
> > 
> > 
> > ________________________________________________________________________________________________________
> > *** CID 338491:  Null pointer dereferences  (NULL_RETURNS)
> > /tools/kwbimage.c: 1066 in export_pub_kak_hash()
> > 1060     	int res;
> > 1061     
> > 1062     	hashf = fopen("pub_kak_hash.txt", "w");
> > 1063     
> > 1064     	res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
> > 1065     
> > >>>     CID 338491:  Null pointer dereferences  (NULL_RETURNS)
> > >>>     Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
> > 1066     	fclose(hashf);
> > 1067     
> > 1068     	return res < 0 ? 1 : 0;
> > 1069     }
> > 1070     
> > 1071     int kwb_sign_csk_with_kak(struct image_tool_params *params,
> 
> There is really missing check that fopen() succeeded.
> 
> > ** CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
> > /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
> > 
> > 
> > ________________________________________________________________________________________________________
> > *** CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
> > /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
> > 1087     	if (export_pub_kak_hash(kak, secure_hdr))
> > 1088     		return 1;
> > 1089     
> > 1090     	if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
> > 1091     		return 1;
> > 1092     
> > >>>     CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
> > >>>     Using variable "csk_idx" as an index to array "secure_hdr->csk".
> > 1093     	if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
> > 1094     		return 1;
> > 1095     
> > 1096     	if (kwb_sign_and_verify(kak, &secure_hdr->csk,
> > 1097     				sizeof(secure_hdr->csk) +
> > 1098     				sizeof(secure_hdr->csksig),
> 
> There is code:
> 
>   int csk_idx = image_get_csk_index();
>   ...
>   if (csk_idx >= 16) {
>     ...
>     return 1;
>   }
>   ... &secure_hdr->csk[csk_idx] ...
> 
> And ->csk is defined as:
> 
>   struct secure_hdr_v1 {
>     ..
>     struct pubkey_der_v1 csk[16]
>     ..
>   };
> 
> image_get_csk_index() returns int and it may returns also negative value
> on error. So there is really possible illegal memory access.
> 
> > ** CID 338486:  Null pointer dereferences  (NULL_RETURNS)
> > /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
> > 
> > 
> > ________________________________________________________________________________________________________
> > *** CID 338486:  Null pointer dereferences  (NULL_RETURNS)
> > /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
> > 830     		return 0;
> > 831     
> > 832     	if (!strcmp(e->name, "a38x")) {
> > 833     		FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
> > 834     
> > 835     		kwb_dump_fuse_cmds_38x(out, sec_hdr);
> > >>>     CID 338486:  Null pointer dereferences  (NULL_RETURNS)
> > >>>     Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
> > 836     		fclose(out);
> > 837     		goto done;
> > 838     	}
> > 839     
> > 840     	ret = -ENOSYS;
> > 841     
> 
> And there is also missing check that fopen() succeeded.

Since you've been in here and analyzed things (thanks!) can you make a
few patches for things?

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

next prev parent reply	other threads:[~2021-08-16 20:20 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-16 19:57 [scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot] Tom Rini
2021-08-16 20:15 ` Pali Rohár
2021-08-16 20:20   ` Tom Rini [this message]
  -- strict thread matches above, loose matches on Subject: below --
2022-09-06 15:50 Tom Rini
2022-05-09 17:22 Tom Rini
2022-04-25 23:41 Tom Rini
2022-03-05 18:27 Tom Rini
2022-02-15 19:29 Tom Rini
2022-02-01  0:33 Tom Rini
2021-11-15 18:02 Tom Rini
2021-11-02 16:22 Tom Rini
2021-11-01 20:06 Tom Rini
2021-09-15 14:11 Tom Rini
2021-08-30 17:39 Tom Rini
2021-08-31 15:18 ` Oleh Kravchenko
2021-09-06 14:05 ` Oleh Kravchenko
2021-09-06 15:23   ` Tom Rini
2021-07-27  2:52 Tom Rini
2021-07-27  3:26 ` Sean Anderson
2021-07-27 15:04   ` Tom Rini
2021-05-26 16:58 Tom Rini
2021-05-12 22:30 Tom Rini
2021-04-19 12:20 Tom Rini
2021-04-20  0:58 ` Asherah Connor
2021-04-20  1:17   ` Tom Rini
2021-04-20  6:13 ` Dario Binacchi
2021-03-30 19:55 Tom Rini
2021-03-02 14:42 Tom Rini
2021-02-23 16:15 Tom Rini
2021-02-01 19:51 Tom Rini
2021-01-26 16:41 Tom Rini
2021-01-20 19:04 Tom Rini
2021-01-20 20:43 ` Heinrich Schuchardt
2021-01-20 22:33   ` Heinrich Schuchardt
2021-01-21  2:09   ` AKASHI Takahiro
2021-01-26 17:02     ` Tom Rini
2021-01-20 21:03 ` Andre Przywara
2021-01-20 21:34   ` Tom Rini
2021-01-21 11:36 ` Sughosh Ganu
2021-01-21 13:44   ` Heinrich Schuchardt
2021-01-22  8:54     ` Sughosh Ganu
2021-01-22 11:37       ` Heinrich Schuchardt
2020-12-03 17:28 Tom Rini
2020-11-10 21:18 Tom Rini
2020-10-30 19:16 Tom Rini
2020-11-02 11:54 ` Pratyush Yadav

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210816202027.GE858@bill-the-cat \
    --to=trini@konsulko.com \
    --cc=marek.behun@nic.cz \
    --cc=mr.nuke.me@gmail.com \
    --cc=pali@kernel.org \
    --cc=sjg@chromium.org \
    --cc=sr@denx.de \
    --cc=u-boot@lists.denx.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox