From: Tom Rini <trini@konsulko.com>
To: u-boot@lists.denx.de
Cc: Simon Glass <sjg@chromium.org>,
Joao Marcos Costa <jmcosta944@gmail.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
Jerome Forissier <jerome.forissier@linaro.org>,
Sughosh Ganu <sughosh.ganu@linaro.org>,
Caleb Connolly <caleb.connolly@linaro.org>,
Richard Weinberger <richard@nod.at>
Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Mon, 7 Oct 2024 11:15:05 -0600
Message-ID: <20241007171505.GC4737@bill-the-cat>
Now that I've merged next to master, there's a number of issues to
address.
---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Oct 7, 2024 at 10:59 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
24 new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 24 defect(s)
** CID 510469: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
/tools/mkeficapsule.c: 862 in load_dtb()
/tools/mkeficapsule.c: 855 in load_dtb()
/tools/mkeficapsule.c: 870 in load_dtb()
________________________________________________________________________________________________________
*** CID 510469: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
871 }
872
873 if (fread(dtb, dtb_size, 1, f) != 1) {
874 fprintf(stderr, "Can't read %ld bytes from %s\n",
875 dtb_size, path);
876 free(dtb);
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
877 return NULL;
878 }
879
880 fclose(f);
881
882 return dtb;
/tools/mkeficapsule.c: 862 in load_dtb()
856 }
857
858 dtb_size = ftell(f);
859 if (dtb_size < 0) {
860 fprintf(stderr, "Cannot ftell %s: %s\n",
861 path, strerror(errno));
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
862 return NULL;
863 }
864
865 fseek(f, 0, SEEK_SET);
866
867 dtb = malloc(dtb_size);
/tools/mkeficapsule.c: 855 in load_dtb()
849 return NULL;
850 }
851
852 if (fseek(f, 0, SEEK_END)) {
853 fprintf(stderr, "Cannot seek to the end of %s: %s\n",
854 path, strerror(errno));
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
855 return NULL;
856 }
857
858 dtb_size = ftell(f);
859 if (dtb_size < 0) {
860 fprintf(stderr, "Cannot ftell %s: %s\n",
/tools/mkeficapsule.c: 870 in load_dtb()
864
865 fseek(f, 0, SEEK_SET);
866
867 dtb = malloc(dtb_size);
868 if (!dtb) {
869 fprintf(stderr, "Can't allocated %ld\n", dtb_size);
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
870 return NULL;
871 }
872
873 if (fread(dtb, dtb_size, 1, f) != 1) {
874 fprintf(stderr, "Can't read %ld bytes from %s\n",
875 dtb_size, path);
** CID 510468: Integer handling issues (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
________________________________________________________________________________________________________
*** CID 510468: Integer handling issues (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
59 new_data = malloc(lst->obj_size * new_alloc);
60 if (!new_data) {
61 lst->flags |= ALISTF_FAIL;
62 return false;
63 }
64
>>> CID 510468: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "lst->obj_size" with type "u16" (16 bits, unsigned) is promoted in "lst->obj_size * lst->alloc" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lst->obj_size * lst->alloc" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
65 memcpy(new_data, lst->data, lst->obj_size * lst->alloc);
66 free(lst->data);
67
68 memset(new_data + lst->obj_size * lst->alloc, '\0',
69 lst->obj_size * (new_alloc - lst->alloc));
70 lst->alloc = new_alloc;
** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
________________________________________________________________________________________________________
*** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
491 tsopt = (struct tcp_t_opt *)p;
492 rmt_timestamp = tsopt->t_snd;
493 return;
494 }
495
496 /* Process optional NOPs */
>>> CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "p[0] == 16843009" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
497 if (p[0] == TCP_O_NOP)
498 p++;
499 }
500 }
501
502 static u8 tcp_state_machine(u8 tcp_flags, u32 tcp_seq_num, int
payload_len)
** CID 510466: Control flow issues (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
________________________________________________________________________________________________________
*** CID 510466: Control flow issues (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
250 };
251
252 int uuid_guid_get_bin(const char *guid_str, unsigned char *guid_bin)
253 {
254 int i;
255
>>> CID 510466: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
256 for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
257 if (!strcmp(list_guid[i].string, guid_str)) {
258 memcpy(guid_bin, &list_guid[i].guid, 16);
259 return 0;
260 }
261 }
** CID 510465: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 510465: Uninitialized variables (UNINIT)
/cmd/upl.c: 59 in do_upl_write()
53 struct unit_test_state uts;
54 struct abuf buf;
55 oftree tree;
56 ulong addr;
57 int ret;
58
>>> CID 510465: Uninitialized variables (UNINIT)
>>> Using uninitialized value "uts.fail_count" when calling "upl_get_test_data".
59 upl_get_test_data(&uts, upl);
60
61 log_debug("Writing UPL\n");
62 ret = upl_create_handoff_tree(upl, &tree);
63 if (ret) {
64 log_err("Failed to write (err=%dE)\n", ret);
** CID 510464: Error handling issues (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
________________________________________________________________________________________________________
*** CID 510464: Error handling issues (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
253
254 pos = strstr((char *)pkt, content_len);
255 if (!pos) {
256 content_length = -1;
257 } else {
258 pos += sizeof(content_len) + 2;
>>> CID 510464: Error handling issues (CHECKED_RETURN)
>>> Calling "strict_strtoul" without checking return value (as is done elsewhere 8 out of 10 times).
259 strict_strtoul(pos, 10,
&content_length);
260 debug_cond(DEBUG_WGET,
261 "wget: Connected Len %lu\n",
262 content_length);
263 }
264
** CID 510463: Memory - illegal accesses (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
________________________________________________________________________________________________________
*** CID 510463: Memory - illegal accesses (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
31 {
32 u64 bitpos;
33 const char *flag_str[] = { "none", "no-map", "no-overwrite" };
34
35 do {
36 bitpos = flags ? fls(flags) - 1 : 0;
>>> CID 510463: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "flag_str" of 3 8-byte elements at element index 31 (byte offset 255) using index "bitpos" (which evaluates to 31).
37 printf("%s", flag_str[bitpos]);
38 flags &= ~(1ull << bitpos);
39 puts(flags ? ", " : "\n");
40 } while (flags);
41 }
42
** CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
________________________________________________________________________________________________________
*** CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
61 ops.ooblen = mtd->oobsize;
62 ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63 ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65 /* Generate some data and write it */
66 for (i = 0; i < size / sizeof(int); i++)
>>> CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67 gold[i] = rand();
68 ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69 (void *)gold, 0));
70 ut_asserteq(size, length);
71
72 /* Verify */
** CID 510461: Code maintainability issues (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
________________________________________________________________________________________________________
*** CID 510461: Code maintainability issues (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
231 return log_msg_ret("sub", ret);
232
233 ret = write_addr(upl, subnode, UPLP_LOAD, img->load);
234 if (!ret)
235 ret = write_size(upl, subnode,
UPLP_SIZE, img->size);
236 if (!ret && img->offset)
>>> CID 510461: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "ofnode_write_u32(subnode, "offset", img->offset)" to "ret" here, but that stored value is overwritten before it can be used.
237 ret = ofnode_write_u32(subnode, UPLP_OFFSET,
238 img->offset);
239 ret = ofnode_write_string(subnode, UPLP_DESCRIPTION,
240 img->description);
241 if (ret)
242 return log_msg_ret("sim", ret);
** CID 510460: Resource leaks (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
________________________________________________________________________________________________________
*** CID 510460: Resource leaks (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
210 struct ext2fs_node *dirnode = NULL;
211 int filetype;
212
213 if (!filename)
214 return 0;
215
>>> CID 510460: Resource leaks (RESOURCE_LEAK)
>>> Variable "dirnode" going out of scope leaks the storage it points to.
216 return ext4fs_find_file1(filename,
&ext4fs_root->diropen, &dirnode,
217 &filetype);
218 }
219
220 int ext4fs_size(const char *filename, loff_t *size)
221 {
** CID 510459: Incorrect expression (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
________________________________________________________________________________________________________
*** CID 510459: Incorrect expression (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
517 if (!buf) {
518 log_warning("Node '%s': Missing 'reg' property\n",
519 ofnode_get_name(node));
520 return log_msg_ret("reg", -EINVAL);
521 }
522
>>> CID 510459: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "buf" of type "char const *" and argument "8 /* sizeof (buf) */" to function "decode_addr_size" is suspicious.
523 len = decode_addr_size(upl, buf, sizeof(buf), &gra->reg);
524 if (len < 0)
525 return log_msg_ret("buf", len);
526
527 ret = read_uint(node, UPLP_WIDTH, &gra->width);
528 if (!ret)
** CID 510458: Control flow issues (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
________________________________________________________________________________________________________
*** CID 510458: Control flow issues (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
263 }
264
265 const char *uuid_guid_get_str(const unsigned char *guid_bin)
266 {
267 int i;
268
>>> CID 510458: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
269 for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
270 if (!memcmp(list_guid[i].guid.b, guid_bin, 16)) {
271 return list_guid[i].string;
272 }
273 }
274 return NULL;
** CID 510457: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
/tools/mkeficapsule.c: 930 in genguid()
/tools/mkeficapsule.c: 924 in genguid()
/tools/mkeficapsule.c: 944 in genguid()
/tools/mkeficapsule.c: 959 in genguid()
________________________________________________________________________________________________________
*** CID 510457: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
930 return -1;
931 }
932 if (strnlen(compatible, compatlen) >= compatlen) {
933 fprintf(stderr, "Compatible string not
null-terminated\n");
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
934 return -1;
935 }
936
937 printf("Generating GUIDs for %s with namespace %s:\n",
938 compatible, DEFAULT_NAMESPACE_GUID);
939 for (; idx < argc; idx++) {
/tools/mkeficapsule.c: 930 in genguid()
924 return -1;
925 }
926
927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
930 return -1;
931 }
932 if (strnlen(compatible, compatlen) >= compatlen) {
933 fprintf(stderr, "Compatible string not
null-terminated\n");
934 return -1;
935 }
/tools/mkeficapsule.c: 924 in genguid()
918 if (!dtb)
919 return -1;
920
921 ret = fdt_check_header(dtb);
922 if (ret) {
923 fprintf(stderr, "Invalid DTB header: %d\n", ret);
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
924 return -1;
925 }
926
927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
/tools/mkeficapsule.c: 944 in genguid()
938 compatible, DEFAULT_NAMESPACE_GUID);
939 for (; idx < argc; idx++) {
940 memset(fw_image, 0, sizeof(fw_image));
941 namelen = strlen(argv[idx]);
942 if (namelen > MAX_IMAGE_NAME_LEN) {
943 fprintf(stderr, "Image name too long:
%s\n", argv[idx]);
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
944 return -1;
945 }
946
947 for (int i = 0; i < namelen; i++)
948 fw_image[i] = (uint16_t)argv[idx][i];
949
/tools/mkeficapsule.c: 959 in genguid()
953 NULL);
954
955 printf("%s: ", argv[idx]);
956 print_guid(&image_type_id);
957 }
958
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
959 return 0;
960 }
961
962 /**
963 * main - main entry function of mkeficapsule
964 * @argc: Number of arguments
** CID 510456: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 510456: Integer handling issues (NEGATIVE_RETURNS)
/boot/upl_write.c: 432 in add_upl_memres()
426 ret = ofnode_add_subnode(mem_node, name, &node);
427 if (ret)
428 return log_msg_ret("memres", ret);
429
430 len = buffer_addr_size(upl, buf, sizeof(buf),
431 memres->region.count,
&memres->region);
>>> CID 510456: Integer handling issues (NEGATIVE_RETURNS)
>>> "len" is passed to a parameter that cannot be negative.
432 ret = ofnode_write_prop(node, UPLP_REG, buf, len, true);
433 if (!ret && memres->no_map)
434 ret = ofnode_write_bool(node, UPLP_NO_MAP,
435 memres->no_map);
436 if (ret)
437 return log_msg_ret("lst", ret);
** CID 510455: Memory - corruptions (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
________________________________________________________________________________________________________
*** CID 510455: Memory - corruptions (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
965 if (le16_to_cpu(dirs->i_dir.inode_type) == SQFS_DIR_TYPE)
966 dirs->size = le16_to_cpu(dirs->i_dir.file_size);
967 else
968 dirs->size = le32_to_cpu(dirs->i_ldir.file_size);
969
970 /* Setup directory header */
>>> CID 510455: Memory - corruptions (OVERLAPPING_COPY)
>>> Copying 12 bytes from "dirs->table" to "dirs->dir_header", which point to overlapping memory locations.
971 memcpy(dirs->dir_header, dirs->table, SQFS_DIR_HEADER_SIZE);
972 dirs->entry_count = dirs->dir_header->count + 1;
973 dirs->size -= SQFS_DIR_HEADER_SIZE;
974
975 /* Setup entry */
976 dirs->entry = NULL;
** CID 510454: (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
/test/cmd/mbr.c: 421 in mbr_test_run()
/test/cmd/mbr.c: 351 in mbr_test_run()
/test/cmd/mbr.c: 316 in mbr_test_run()
/test/cmd/mbr.c: 386 in mbr_test_run()
________________________________________________________________________________________________________
*** CID 510454: (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
274
275 /* Make sure mmc6 is 12+ MiB in size */
276 ut_assertok(run_commandf("mmc read %lx %lx 1", ra,
277 (ulong)0xbffe00 / BLKSZ));
278
279 /* Test one MBR partition */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
280 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
281 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 1));
282 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
283 memset(rbuf, '\0', BLKSZ);
284 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
285 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 421 in mbr_test_run()
415 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p4[i],
416 "4P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
417 mbr_cmp_start + i,
mbr_parts_ref_p4[i], rbuf[mbr_cmp_start + i]);
418 }
419
420 /* Test five MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
421 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
422 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 5));
423 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
424 memset(rbuf, '\0', BLKSZ);
425 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
426 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 351 in mbr_test_run()
345 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p2[i],
346 "2P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
347 mbr_cmp_start + i,
mbr_parts_ref_p2[i], rbuf[mbr_cmp_start + i]);
348 }
349
350 /* Test three MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
351 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
352 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 3));
353 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
354 memset(rbuf, '\0', BLKSZ);
355 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
356 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 316 in mbr_test_run()
310 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p1[i],
311 "1P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
312 mbr_cmp_start + i,
mbr_parts_ref_p1[i], rbuf[mbr_cmp_start + i]);
313 }
314
315 /* Test two MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
316 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
317 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 2));
318 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
319 memset(rbuf, '\0', BLKSZ);
320 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
321 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 386 in mbr_test_run()
380 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p3[i],
381 "3P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
382 mbr_cmp_start + i,
mbr_parts_ref_p3[i], rbuf[mbr_cmp_start + i]);
383 }
384
385 /* Test four MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
386 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
387 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 4));
388 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
389 memset(rbuf, '\0', BLKSZ);
390 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
391 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
** CID 510453: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
________________________________________________________________________________________________________
*** CID 510453: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
977 dirs->table += SQFS_DIR_HEADER_SIZE;
978
979 *dirsp = (struct fs_dir_stream *)dirs;
980
981 out:
982 for (j = 0; j < token_count; j++)
>>> CID 510453: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "token_list".
983 free(token_list[j]);
984 free(token_list);
985 free(pos_list);
986 free(path);
987 if (ret) {
988 free(inode_table);
** CID 510452: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
________________________________________________________________________________________________________
*** CID 510452: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
1670 printf("File not found.\n");
1671 *size = 0;
1672 ret = -EINVAL;
1673 goto free_strings;
1674 }
1675
>>> CID 510452: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dirs->entry".
1676 i_number = dirs->dir_header->inode_number +
dirs->entry->inode_offset;
1677 ipos = sqfs_find_inode(dirs->inode_table, i_number,
sblk->inodes,
1678 sblk->block_size);
1679
1680 if (!ipos) {
1681 *size = 0;
** CID 510451: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
________________________________________________________________________________________________________
*** CID 510451: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
1610 fragment_block = (void *)fragment + table_offset;
1611
>>> CID 510451: (TAINTED_SCALAR)
>>> Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1612 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1613 *actread = finfo.size;
1614 }
1615
1616 out:
1617 free(fragment);
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
1610 fragment_block = (void *)fragment + table_offset;
1611
>>> CID 510451: (TAINTED_SCALAR)
>>> Passing tainted expression "finfo.size - *actread" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1612 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1613 *actread = finfo.size;
1614 }
1615
1616 out:
1617 free(fragment);
/fs/squashfs/sqfs.c: 1621 in sqfs_read_nest()
1615
1616 out:
1617 free(fragment);
1618 free(datablock);
1619 free(file);
1620 free(dir);
>>> CID 510451: (TAINTED_SCALAR)
>>> Passing tainted expression "*finfo.blk_sizes" to "dlfree", which uses it as an offset.
1621 free(finfo.blk_sizes);
1622 sqfs_closedir(dirsp);
1623
1624 return ret;
1625 }
1626
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
1598 frag_entry.size);
1599 if (ret) {
1600 free(fragment_block);
1601 goto out;
1602 }
1603
>>> CID 510451: (TAINTED_SCALAR)
>>> Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1604 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1605 *actread = finfo.size;
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
** CID 510450: Code maintainability issues (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
________________________________________________________________________________________________________
*** CID 510450: Code maintainability issues (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
1500 n_blks = DIV_ROUND_UP(table_size + table_offset,
1501 ctxt.cur_dev->blksz);
1502
1503 /* Don't load any data for sparse blocks */
1504 if (finfo.blk_sizes[j] == 0) {
1505 n_blks = 0;
>>> CID 510450: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "0ULL" to "table_offset" here, but that stored value is overwritten before it can be used.
1506 table_offset = 0;
1507 data_buffer = NULL;
1508 data = NULL;
1509 } else {
1510 data_buffer =
malloc_cache_aligned(n_blks * ctxt.cur_dev->blksz);
1511
----- End forwarded message -----
--
Tom