public inbox for u-boot@lists.denx.de
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
       [not found]     ` <20200526184027.GJ12717@bill-the-cat>
@ 2020-05-26 20:02       ` Heinrich Schuchardt
  2020-05-26 20:10         ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Heinrich Schuchardt @ 2020-05-26 20:02 UTC (permalink / raw)
  To: u-boot

On 26.05.20 20:40, Tom Rini wrote:
> Ah, I thought you might not have been part of Coverity.
> https://scan.coverity.com/projects/das-u-boot is where to start, it will
> take GitHub credentials and then I can approve you.

Thanks for granting access. In the GUI one can really drill down into
the explanation of the problem. This is very helpful.

> ** CID 303760:    (TAINTED_SCALAR)
>
>
>
> ________________________________________________________________________________________________________
> *** CID 303760:    (TAINTED_SCALAR)
> /cmd/efidebug.c: 938 in show_efi_boot_order()
> 932                     }
> 933                     p = label;
> 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);
> 935                     printf("%2d: %s: %s\n", i + 1, var_name, label);
> 936                     free(label);
> 937
>>>>     CID 303760:    (TAINTED_SCALAR)
>>>>     Passing tainted variable "data" to a tainted sink.
> 938                     free(data);
> 939             }
> 940     out:
> 941             free(bootorder);
> 942
> 943             return ret;
> /cmd/efidebug.c: 929 in show_efi_boot_order()
> 923                     efi_deserialize_load_option(&lo, data);
> 924
> 925                     label_len16 = u16_strlen(lo.label);
> 926                     label_len = utf16_utf8_strnlen(lo.label, label_len16);
> 927                     label = malloc(label_len + 1);
> 928                     if (!label) {
>>>>     CID 303760:    (TAINTED_SCALAR)
>>>>     Passing tainted variable "data" to a tainted sink.
> 929                             free(data);
> 930                             ret = CMD_RET_FAILURE;
> 931                             goto out;
> 932                     }
> 933                     p = label;
> 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);

In CID 303760 the logic is as follows:

In show_efi_boot_order() we malloc() memory. The allocated buffer is
filled via byte swapping (get_unaligned_le16(), get_unaligned_le32()).

Here comes Coverity's logic: "byte_swapping: Performing a byte swapping
operation on ... implies that it came from an external source, and is
therefore tainted."

Now we pass the pointer to free(). Free() looks at 16 bytes preceding
the pointer. Therefore free() is considered a tainted sink and an issue
is raised.

https://community.synopsys.com/s/article/From-Case-Clearing-TAINTED-STRING
suggests to use Coverity specific comments to mark cleansing functions.
This is not what I am inclined to do.

CCing Takahiro as he had a hand in this code.

Best regards

Heinrich

^ permalink raw reply	[flat|nested] 105+ messages in thread
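The point behind CID 303760 is easier to see with the deserializer written out. What follows is an added example, not U-Boot's cmd/efidebug.c or its efi_deserialize_load_option(): a parser for the EFI_LOAD_OPTION layout from the UEFI specification (Attributes, FilePathListLength, a NUL-terminated UTF-16 Description, FilePathList, OptionalData) that treats every length read out of the variable as untrusted and checks it against the variable size before using it. The struct, the function names and the sample Boot0000 bytes are this example's own constructions. The little-endian helpers are the kind of access that makes Coverity call the result tainted; the free() at the end of show_efi_boot_order() is not where that taint matters, the length fields are, and a Boot#### variable can be written by the OS, so the label "tainted" is accurate even where the sink is not.

```c
#include <stdint.h>
#include <string.h>

/* EFI_LOAD_OPTION (UEFI spec, "Load Options"): Attributes (u32 LE), FilePathListLength
 * (u16 LE), Description (NUL-terminated CHAR16), FilePathList (FilePathListLength bytes),
 * then OptionalData up to the end of the variable. */
struct load_option {
	uint32_t attributes;
	uint16_t file_path_list_length;
	const uint8_t *description;	/* raw UTF-16LE bytes inside the caller's buffer */
	size_t description_len16;	/* 16-bit units, terminator excluded */
	const uint8_t *file_path_list;
	const uint8_t *optional_data;
	size_t optional_data_len;
};

/* Same job as U-Boot's get_unaligned_le16()/le32(): the "byte swapping" that makes
 * Coverity mark the result as tainted, which for a Boot#### variable it really is. */
static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | (uint32_t)get_le16(p + 2) << 16; }

/* Parse 'size' bytes of a Boot#### variable. Every length taken from the variable is
 * checked against 'size' before it is used. Returns 0 on success, -1 if malformed. */
int parse_load_option(const uint8_t *data, size_t size, struct load_option *lo)
{
	size_t off = 6, n;
	if (size < off)
		return -1;				/* no room for the fixed header */
	lo->attributes = get_le32(data);
	lo->file_path_list_length = get_le16(data + 4);
	for (n = 0;; n++) {				/* find the description terminator... */
		if (off + 2 * n + 2 > size)
			return -1;			/* ...without reading past the buffer */
		if (get_le16(data + off + 2 * n) == 0)
			break;
	}
	lo->description = data + off;
	lo->description_len16 = n;
	off += 2 * n + 2;
	if (lo->file_path_list_length > size - off)
		return -1;				/* forged FilePathListLength */
	lo->file_path_list = data + off;
	off += lo->file_path_list_length;
	lo->optional_data = data + off;
	lo->optional_data_len = size - off;
	return 0;
}

/* Render the description as ASCII ('?' for non-ASCII units), truncated to outsz - 1. */
static void label_to_ascii(const struct load_option *lo, char *out, size_t outsz)
{
	size_t i;
	for (i = 0; i + 1 < outsz && i < lo->description_len16; i++) {
		uint16_t c = get_le16(lo->description + 2 * i);
		out[i] = c < 0x80 ? (char)c : '?';
	}
	out[i] = '\0';
}

/* Constructed sample Boot0000 payload: active, description "U-Boot", a 4-byte
 * end-of-device-path node as the whole FilePathList, one byte of OptionalData. */
static const uint8_t sample_boot0000[] = {
	0x01, 0x00, 0x00, 0x00,				/* Attributes = LOAD_OPTION_ACTIVE */
	0x04, 0x00,					/* FilePathListLength = 4 */
	'U', 0, '-', 0, 'B', 0, 'o', 0, 'o', 0, 't', 0, 0, 0,	/* "U-Boot" + NUL, UTF-16LE */
	0x7f, 0xff, 0x04, 0x00,				/* end-of-device-path node */
	'x',						/* OptionalData */
};

/* Result of parsing only the first 'size' bytes of the sample (a truncated variable). */
int parse_sample_prefix(size_t size)
{
	struct load_option lo;
	if (size > sizeof(sample_boot0000))
		size = sizeof(sample_boot0000);
	return parse_load_option(sample_boot0000, size, &lo);
}

/* Result of parsing the sample with FilePathListLength overwritten by 'forged'. */
int parse_sample_forged_fpl(uint16_t forged)
{
	uint8_t copy[sizeof(sample_boot0000)];
	struct load_option lo;
	memcpy(copy, sample_boot0000, sizeof(copy));
	copy[4] = (uint8_t)forged, copy[5] = (uint8_t)(forged >> 8);
	return parse_load_option(copy, sizeof(copy), &lo);
}

/* 1 if the intact sample parses and its label, attributes and OptionalData length match. */
int sample_is(const char *label, uint32_t attributes, size_t optional_len)
{
	struct load_option lo;
	char buf[32];
	if (parse_load_option(sample_boot0000, sizeof(sample_boot0000), &lo))
		return 0;
	label_to_ascii(&lo, buf, sizeof(buf));
	return !strcmp(buf, label) && lo.attributes == attributes && lo.optional_data_len == optional_len;
}
```

Building this with -fsanitize=address,undefined and running the truncated and forged cases is the check that actually matters here: the parser must refuse them without reading outside the buffer, regardless of whether a static analyser later flags the free() of the same buffer.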

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2020-05-26 20:02       ` Heinrich Schuchardt
@ 2020-05-26 20:10         ` Tom Rini
  2020-05-26 20:36           ` Heinrich Schuchardt
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2020-05-26 20:10 UTC (permalink / raw)
  To: u-boot

On Tue, May 26, 2020 at 10:02:36PM +0200, Heinrich Schuchardt wrote:
> On 26.05.20 20:40, Tom Rini wrote:
> > Ah, I thought you might not have been part of Coverity.
> > https://scan.coverity.com/projects/das-u-boot is where to start, it will
> > take GitHub credentials and then I can approve you.
> 
> Thanks for granting access. In the GUI one can really drill down into
> the explanation of the problem. This is very helpful.

And thanks for digging more!

> 
> > ** CID 303760:    (TAINTED_SCALAR)
> >
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 303760:    (TAINTED_SCALAR)
> > /cmd/efidebug.c: 938 in show_efi_boot_order()
> > 932                     }
> > 933                     p = label;
> > 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);
> > 935                     printf("%2d: %s: %s\n", i + 1, var_name, label);
> > 936                     free(label);
> > 937
> >>>>     CID 303760:    (TAINTED_SCALAR)
> >>>>     Passing tainted variable "data" to a tainted sink.
> > 938                     free(data);
> > 939             }
> > 940     out:
> > 941             free(bootorder);
> > 942
> > 943             return ret;
> > /cmd/efidebug.c: 929 in show_efi_boot_order()
> > 923                     efi_deserialize_load_option(&lo, data);
> > 924
> > 925                     label_len16 = u16_strlen(lo.label);
> > 926                     label_len = utf16_utf8_strnlen(lo.label, label_len16);
> > 927                     label = malloc(label_len + 1);
> > 928                     if (!label) {
> >>>>     CID 303760:    (TAINTED_SCALAR)
> >>>>     Passing tainted variable "data" to a tainted sink.
> > 929                             free(data);
> > 930                             ret = CMD_RET_FAILURE;
> > 931                             goto out;
> > 932                     }
> > 933                     p = label;
> > 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);
> 
> In CID 303760 the logic is as follows:
> 
> In show_efi_boot_order() we malloc() memory. The allocated buffer is
> filled via byte swapping (get_unaligned_le16(), get_unaligned_le32()).
> 
> Here comes Coverity's logic: "byte_swapping: Performing a byte swapping
> operation on ... implies that it came from an external source, and is
> therefore tainted."
> 
> Now we pass the pointer to free(). Free() looks at 16 bytes preceding
> the pointer. Therefore free() is considered a tainted sink and an issue
> is raised.
> 
> https://community.synopsys.com/s/article/From-Case-Clearing-TAINTED-STRING
> suggests to use Coverity specific comments to mark cleansing functions.
> This is not what I am inclined to do.
> 
> CCing Takahiro as he had a hand in this code.

So, option B on that link is what I was thinking about which is creating
a function in the model file to tell Coverity it's handled.  I was
going to include what ours was already as I thought I had written one,
but there's not one in the dashboard currently.  And frankly a drawback
of Coverity is that you can't iterate on testing those kind of things
easily.

Option C is to just mark this (and the similar ones you can see via the
dashboard) as false positive.

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2020-05-26 20:10         ` Tom Rini
@ 2020-05-26 20:36           ` Heinrich Schuchardt
  2020-05-26 20:48             ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Heinrich Schuchardt @ 2020-05-26 20:36 UTC (permalink / raw)
  To: u-boot

On 26.05.20 22:10, Tom Rini wrote:
> On Tue, May 26, 2020 at 10:02:36PM +0200, Heinrich Schuchardt
> wrote:
>> On 26.05.20 20:40, Tom Rini wrote:
>>> Ah, I thought you might not have been part of Coverity.
>>> https://scan.coverity.com/projects/das-u-boot is where to
>>> start, it will take GitHub credentials and then I can approve
>>> you.
>>
>> Thanks for granting access. In the GUI one can really drill down
>> into the explanation of the problem. This is very helpful.
>
> And thanks for digging more!
>
>>
>>> ** CID 303760:    (TAINTED_SCALAR)
>>>
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 303760:    (TAINTED_SCALAR)
>>> /cmd/efidebug.c: 938 in show_efi_boot_order()
>>> 932                     }
>>> 933                     p = label;
>>> 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);
>>> 935                     printf("%2d: %s: %s\n", i + 1, var_name, label);
>>> 936                     free(label);
>>> 937
>>>>>> CID 303760:    (TAINTED_SCALAR)
>>>>>> Passing tainted variable "data" to a tainted sink.
>>> 938                     free(data);
>>> 939             }
>>> 940     out:
>>> 941             free(bootorder);
>>> 942
>>> 943             return ret;
>>> /cmd/efidebug.c: 929 in show_efi_boot_order()
>>> 923                     efi_deserialize_load_option(&lo, data);
>>> 924
>>> 925                     label_len16 = u16_strlen(lo.label);
>>> 926                     label_len = utf16_utf8_strnlen(lo.label, label_len16);
>>> 927                     label = malloc(label_len + 1);
>>> 928                     if (!label) {
>>>>>> CID 303760:    (TAINTED_SCALAR)
>>>>>> Passing tainted variable "data" to a tainted sink.
>>> 929                             free(data);
>>> 930                             ret = CMD_RET_FAILURE;
>>> 931                             goto out;
>>> 932                     }
>>> 933                     p = label;
>>> 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);
>>
>> In CID 303760 the logic is as follows:
>>
>> In show_efi_boot_order() we malloc() memory. The allocated buffer
>> is filled via byte swapping (get_unaligned_le16(),
>> get_unaligned_le32()).
>>
>> Here comes Coverity's logic: "byte_swapping: Performing a byte
>> swapping operation on ... implies that it came from an external
>> source, and is therefore tainted."
>>
>> Now we pass the pointer to free(). Free() looks at 16 bytes
>> preceding the pointer. Therefore free() is considered a tainted
>> sink and an issue is raised.
>>
>> https://community.synopsys.com/s/article/From-Case-Clearing-TAINTED-STRING
>> suggests to use Coverity specific comments to mark cleansing functions.
>> This is not what I am inclined to do.
>>
>> CCing Takahiro as he had a hand in this code.
>
> So, option B on that link is what I was thinking about which is
> creating a function in the model file to tell Coverity it's
> handled.  I was going to include what ours was already as I thought
> I had written one, but there's not one in the dashboard currently.
> And frankly a drawback of Coverity is that you can't iterate on
> testing those kind of things easily.

Here are example model files for Coverity:

https://github.com/qemu/qemu/blob/master/scripts/coverity-model.c
https://github.com/python/cpython/blob/master/Misc/coverity_model.c

How many functions do you think we will have to maintain in the model
file? Who will take the effort?

Best regards

Heinrich


>
> Option C is to just mark this (and the similar ones you can see via
> the dashboard) as false positive.
>


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2020-05-26 20:36           ` Heinrich Schuchardt
@ 2020-05-26 20:48             ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2020-05-26 20:48 UTC (permalink / raw)
  To: u-boot

On Tue, May 26, 2020 at 10:36:44PM +0200, Heinrich Schuchardt wrote:
> On 26.05.20 22:10, Tom Rini wrote:
> > On Tue, May 26, 2020 at 10:02:36PM +0200, Heinrich Schuchardt
> > wrote:
> >> On 26.05.20 20:40, Tom Rini wrote:
> >>> Ah, I thought you might not have been part of Coverity.
> >>> https://scan.coverity.com/projects/das-u-boot is where to
> >>> start, it will take GitHub credentials and then I can approve
> >>> you.
> >>
> >> Thanks for granting access. In the GUI one can really drill down
> >> into the explanation of the problem. This is very helpful.
> >
> > And thanks for digging more!
> >
> >>
> >>> ** CID 303760:    (TAINTED_SCALAR)
> >>>
> >>>
> >>>
> >>> ________________________________________________________________________________________________________
> >>> *** CID 303760:    (TAINTED_SCALAR)
> >>> /cmd/efidebug.c: 938 in show_efi_boot_order()
> >>> 932                     }
> >>> 933                     p = label;
> >>> 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);
> >>> 935                     printf("%2d: %s: %s\n", i + 1, var_name, label);
> >>> 936                     free(label);
> >>> 937
> >>>>>> CID 303760:    (TAINTED_SCALAR)
> >>>>>> Passing tainted variable "data" to a tainted sink.
> >>> 938                     free(data);
> >>> 939             }
> >>> 940     out:
> >>> 941             free(bootorder);
> >>> 942
> >>> 943             return ret;
> >>> /cmd/efidebug.c: 929 in show_efi_boot_order()
> >>> 923                     efi_deserialize_load_option(&lo, data);
> >>> 924
> >>> 925                     label_len16 = u16_strlen(lo.label);
> >>> 926                     label_len = utf16_utf8_strnlen(lo.label, label_len16);
> >>> 927                     label = malloc(label_len + 1);
> >>> 928                     if (!label) {
> >>>>>> CID 303760:    (TAINTED_SCALAR)
> >>>>>> Passing tainted variable "data" to a tainted sink.
> >>> 929                             free(data);
> >>> 930                             ret = CMD_RET_FAILURE;
> >>> 931                             goto out;
> >>> 932                     }
> >>> 933                     p = label;
> >>> 934                     utf16_utf8_strncpy(&p, lo.label, label_len16);
> >>
> >> In CID 303760 the logic is as follows:
> >>
> >> In show_efi_boot_order() we malloc() memory. The allocated buffer
> >> is filled via byte swapping (get_unaligned_le16(),
> >> get_unaligned_le32()).
> >>
> >> Here comes Coverity's logic: "byte_swapping: Performing a byte
> >> swapping operation on ... implies that it came from an external
> >> source, and is therefore tainted."
> >>
> >> Now we pass the pointer to free(). Free() looks at 16 bytes
> >> preceding the pointer. Therefore free() is considered a tainted
> >> sink and an issue is raised.
> >>
> >> https://community.synopsys.com/s/article/From-Case-Clearing-TAINTED-STRING
> >> suggests to use Coverity specific comments to mark cleansing functions.
> >> This is not what I am inclined to do.
> >>
> >> CCing Takahiro as he had a hand in this code.
> >
> > So, option B on that link is what I was thinking about which is
> > creating a function in the model file to tell Coverity it's
> > handled.  I was going to include what ours was already as I thought
> > I had written one, but there's not one in the dashboard currently.
> > And frankly a drawback of Coverity is that you can't iterate on
> > testing those kind of things easily.
> 
> Here are example model files for Coverity:
> 
> https://github.com/qemu/qemu/blob/master/scripts/coverity-model.c
> https://github.com/python/cpython/blob/master/Misc/coverity_model.c
> 
> How many functions do you think we will have to maintain in the model
> file? Who will take the effort?

Ah yes, I think I looked at those a while ago and didn't come up with
anything that reduced our defects so I set it aside to look harder at
later.  And haven't yet cycled back.

I would say once we have an initial functional skeleton in, any time
someone sees a Coverity defect that's a false positive and wants to
write a model function to cover it rather than just close it out in the
dashboard, we'll get an update to it and I'll push it to Coverity.

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
       [not found] <6082f7faa423_5762a2b148d4af9a86820@prd-scan-dashboard-0.mail>
@ 2021-04-24  4:52 ` Heinrich Schuchardt
  0 siblings, 0 replies; 105+ messages in thread
From: Heinrich Schuchardt @ 2021-04-24  4:52 UTC (permalink / raw)
  To: u-boot

On 4/23/21 6:38 PM, scan-admin at coverity.com wrote:
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 3 of 3 defect(s)
>
>
> ** CID 331185:  Insecure data handling  (TAINTED_SCALAR)
> /lib/lz4.c: 143 in LZ4_decompress_generic()
>
>
> ________________________________________________________________________________________________________
> *** CID 331185:  Insecure data handling  (TAINTED_SCALAR)
> /lib/lz4.c: 143 in LZ4_decompress_generic()
> 137                 }
> 138                 else
> 139                 {
> 140                     if ((!endOnInput) && (cpy != oend)) goto _output_error;       /* Error : block decoding must stop exactly there */
> 141                     if ((endOnInput) && ((ip+length != iend) || (cpy > oend))) goto _output_error;   /* Error : input must be consumed */
> 142                 }
>>>>      CID 331185:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Passing tainted variable "length" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 143                 memcpy(op, ip, length);
> 144                 ip += length;
> 145                 op += length;
> 146                 break;     /* Necessarily EOF, due to parsing restrictions */
> 147             }
> 148             LZ4_wildCopy(op, ip, cpy);
>
> ** CID 331184:  Memory - corruptions  (OVERRUN)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
>
>
> ________________________________________________________________________________________________________
> *** CID 331184:  Memory - corruptions  (OVERRUN)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
> 8
> 9     static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc,
> 10     				  char *const argv[])
> 11     {
Hello Tom,

Please mark this finding as intentional in Coverity.

> 12     	char a[128];
> 13
>>>>      CID 331184:  Memory - corruptions  (OVERRUN)
>>>>      Overrunning array "a" of 128 bytes by passing it to a function which accesses it at byte offset 511 using argument "512UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 14     	memset(a, 0xa5, 512);
> 15     	return 0;
> 16     }
> 17
> 18     U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
>
> ** CID 331183:  Memory - corruptions  (BUFFER_SIZE)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
>
>
> ________________________________________________________________________________________________________
> *** CID 331183:  Memory - corruptions  (BUFFER_SIZE)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()

same here

Best regards

Heinrich

> 8
> 9     static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc,
> 10     				  char *const argv[])
> 11     {
> 12     	char a[128];
> 13
>>>>      CID 331183:  Memory - corruptions  (BUFFER_SIZE)
>>>>      You might overrun the 128 byte destination string "a" by writing the maximum 512 bytes from "165".
> 14     	memset(a, 0xa5, 512);
> 15     	return 0;
> 16     }
> 17
> 18     U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
>
>
> ________________________________________________________________________________________________________


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
       [not found] <611aaf735d268_21438d2b07184e399c79439@prd-scan-dashboard-0.mail>
@ 2021-08-17  5:21 ` Heinrich Schuchardt
  2021-08-17 15:17   ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Heinrich Schuchardt @ 2021-08-17  5:21 UTC (permalink / raw)
  To: Tom Rini; +Cc: Simon Glass, U-Boot Mailing List

Hello Tom,

I suggest marking these as invalid:

CID 338485
CID 338490
CID 338489

Best regards

Heinrich

-------- Forwarded Message --------
Subject: New Defects reported by Coverity Scan for Das U-Boot
Date: Mon, 16 Aug 2021 18:33:23 +0000 (UTC)
From: scan-admin@coverity.com
To: xypron.glpk@gmx.de

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

7 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)


** CID 338491:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()


________________________________________________________________________________________________________
*** CID 338491:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()
1060     	int res;
1061     
1062     	hashf = fopen("pub_kak_hash.txt", "w");
1063     
1064     	res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
1065     
>>>     CID 338491:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
1066     	fclose(hashf);
1067     
1068     	return res < 0 ? 1 : 0;
1069     }
1070     
1071     int kwb_sign_csk_with_kak(struct image_tool_params *params,

** CID 338490:  Control flow issues  (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()


________________________________________________________________________________________________________
*** CID 338490:  Control flow issues  (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()
28     	case FWMP_NV_INDEX:
29     		return NV_SEQ_FWMP;
30     	case MRC_REC_HASH_NV_INDEX:
31     		return NV_SEQ_REC_HASH;
32     	case 0:
33     		return NV_SEQ_GLOBAL_LOCK;
>>>     CID 338490:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "case TPM_NV_INDEX_LOCK:".
34     	case TPM_NV_INDEX_LOCK:
35     		return NV_SEQ_ENABLE_LOCKING;
36     	}
37     
38     	printf("Invalid nv index %#x\n", index);
39     	return -1;

** CID 338489:  Control flow issues  (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()


________________________________________________________________________________________________________
*** CID 338489:  Control flow issues  (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()
646     
647     		for (i = 0; i < SANDBOX_TPM_PCR_NB; i++)
648     			if (pcr_map & BIT(i))
649     				pcr_index = i;
650     
651     		if (pcr_index >= SANDBOX_TPM_PCR_NB) {
>>>     CID 338489:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "printf("Invalid index %d, s...".
652     			printf("Invalid index %d, sandbox TPM handles up to %d PCR(s)\n",
653     			       pcr_index, SANDBOX_TPM_PCR_NB);
654     			rc = TPM2_RC_VALUE;
655     			return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
656     		}
657
** CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()


________________________________________________________________________________________________________
*** CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
1087     	if (export_pub_kak_hash(kak, secure_hdr))
1088     		return 1;
1089     
1090     	if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
1091     		return 1;
1092     
>>>     CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "csk_idx" as an index to array "secure_hdr->csk".
1093     	if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
1094     		return 1;
1095     
1096     	if (kwb_sign_and_verify(kak, &secure_hdr->csk,
1097     				sizeof(secure_hdr->csk) +
1098     				sizeof(secure_hdr->csksig),

** CID 338487:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 338487:  Null pointer dereferences  (FORWARD_NULL)
/test/dm/ecdsa.c: 34 in dm_test_ecdsa_verify()
28     	struct image_sign_info info = {
29     		.checksum = &algo,
30     	};
31     
32     	ut_assertok(uclass_get(UCLASS_ECDSA, &ucp));
33     	ut_assertnonnull(ucp);
>>>     CID 338487:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "&info" to "ecdsa_verify", which dereferences null "info.fdt_blob".
34     	ut_asserteq(-ENODEV, ecdsa_verify(&info, NULL, 0, NULL, 0));
35     36     	return 0;
37     }

** CID 338486:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()


________________________________________________________________________________________________________
*** CID 338486:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
830     		return 0;
831     
832     	if (!strcmp(e->name, "a38x")) {
833     		FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
834     
835     		kwb_dump_fuse_cmds_38x(out, sec_hdr);
>>>     CID 338486:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
836     		fclose(out);
837     		goto done;
838     	}
839     
840     	ret = -ENOSYS;
841
** CID 338485:  Security best practices violations  (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()


________________________________________________________________________________________________________
*** CID 338485:  Security best practices violations  (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()
120     			bool upper)
121     {
122     	char out[TEST_STR_SIZE];
123     	char *endp;
124     	unsigned long long val;
125     
>>>     CID 338485:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 200-character fixed-size string "out" by copying "str" without checking the length.
126     	strcpy(out, str);
127     	if (upper)
128     		str_to_upper(out, out, -1);
129     
130     	val = simple_strtoull(out, &endp, base);
131     	ut_asserteq(expect_val, val);




* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2021-08-17  5:21 ` Heinrich Schuchardt
@ 2021-08-17 15:17   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2021-08-17 15:17 UTC (permalink / raw)
  To: Heinrich Schuchardt; +Cc: Simon Glass, U-Boot Mailing List


On Tue, Aug 17, 2021 at 07:21:43AM +0200, Heinrich Schuchardt wrote:

> Hello Tom,
> 
> I suggest to mark these as invalid:
> 
> CID 338485
> CID 338490
> CID 338489

Done, thanks.

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
       [not found] <62df3a0cb9fd2_30ed5f2acd4da7b9a431758@prd-scan-dashboard-0.mail>
@ 2022-07-26  4:22 ` Heinrich Schuchardt
  0 siblings, 0 replies; 105+ messages in thread
From: Heinrich Schuchardt @ 2022-07-26  4:22 UTC (permalink / raw)
  To: Tom Rini; +Cc: U-Boot Mailing List, Steffen Jaeckel


Hello Tom,

could you, please, have a look at the problems reported by Coverity
concerning code introduced by you into U-Boot.

For SHA256_Update_recycled() I guess you just have to change the
signature of the function to

      SHA256_Update_recycled (SHA256_CTX *ctx,
                              unsigned char *block, size_t len)

Looking at

https://scan8.scan.coverity.com/reports.htm#v40863/p10710/fileInstanceId=59559157&defectInstanceId=12260012&mergedDefectId=355364

https://scan8.scan.coverity.com/reports.htm#v40863/p10710/fileInstanceId=59559157&defectInstanceId=12260012&mergedDefectId=355365

and

https://scan8.scan.coverity.com/reports.htm#v40863/p10710/fileInstanceId=59559157&defectInstanceId=12260012&mergedDefectId=355366

I think the issues are false positives:

Coverity ignores that if sha256_update() is called with length < 64,
sha256_process() will be called with blocks = 0 and will not access the
buffer.

Best regards

Heinrich


-------- Forwarded Message --------
Subject: New Defects reported by Coverity Scan for Das U-Boot
Date: Tue, 26 Jul 2022 00:49:17 +0000 (UTC)
From: scan-admin@coverity.com
To: xypron.glpk@gmx.de

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 355366:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 355366:    (OVERRUN)
/lib/crypt/crypt-sha256.c: 104 in SHA256_Update_recycled()
98     SHA256_Update_recycled (SHA256_CTX *ctx,
99                             unsigned char block[32], size_t len)
100     {
101       size_t cnt;
102       for (cnt = len; cnt >= 32; cnt -= 32)
103         SHA256_Update (ctx, block, 32);
>>>     CID 355366:    (OVERRUN)
>>>     Overrunning buffer pointed to by "(void const *)block" of 32 bytes by passing it to a function which accesses it at byte offset 63.
104       SHA256_Update (ctx, block, cnt);
105     }
106     
107     void
108     crypt_sha256crypt_rn (const char *phrase, size_t phr_size,
109                           const char *setting, size_t ARG_UNUSED (set_size),
/lib/crypt/crypt-sha256.c: 103 in SHA256_Update_recycled()
97     static void
98     SHA256_Update_recycled (SHA256_CTX *ctx,
99                             unsigned char block[32], size_t len)
100     {
101       size_t cnt;
102       for (cnt = len; cnt >= 32; cnt -= 32)
>>>     CID 355366:    (OVERRUN)
>>>     Overrunning buffer pointed to by "(void const *)block" of 32 bytes by passing it to a function which accesses it at byte offset 63.
103         SHA256_Update (ctx, block, 32);
104       SHA256_Update (ctx, block, cnt);
105     }
106     
107     void
108     crypt_sha256crypt_rn (const char *phrase, size_t phr_size,

** CID 355365:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 355365:  Memory - corruptions  (OVERRUN)
/lib/crypt/crypt-sha256.c: 212 in crypt_sha256crypt_rn()
206          characters and it ends at the first `$' character (for
207          compatibility with existing implementations).  */
208       SHA256_Update (ctx, salt, salt_size);
209
210       /* Add for any character in the phrase one byte of the alternate sum.  */
211       for (cnt = phr_size; cnt > 32; cnt -= 32)
>>>     CID 355365:  Memory - corruptions  (OVERRUN)
>>>     Overrunning buffer pointed to by "(void const *)result" of 32 bytes by passing it to a function which accesses it at byte offset 63.
212         SHA256_Update (ctx, result, 32);
213       SHA256_Update (ctx, result, cnt);
214
215       /* Take the binary representation of the length of the phrase and for every
216          1 add the alternate sum, for every 0 the phrase.  */
217       for (cnt = phr_size; cnt > 0; cnt >>= 1)

** CID 355364:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 355364:    (OVERRUN)
/lib/sha256.c: 259 in sha256_finish()
253     	PUT_UINT32_BE(low, msglen, 4);
254
255     	last = ctx->total[0] & 0x3F;
256     	padn = (last < 56) ? (56 - last) : (120 - last);
257
258     	sha256_update(ctx, sha256_padding, padn);
>>>     CID 355364:    (OVERRUN)
>>>     Overrunning array "msglen" of 8 bytes by passing it to a function which accesses it at byte offset 63.
259     	sha256_update(ctx, msglen, 8);
260
261     	PUT_UINT32_BE(ctx->state[0], digest, 0);
262     	PUT_UINT32_BE(ctx->state[1], digest, 4);
263     	PUT_UINT32_BE(ctx->state[2], digest, 8);
264     	PUT_UINT32_BE(ctx->state[3], digest, 12);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3D2T0s_N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2XoD3RFHsuIXMFMppPhcX3i-2BylqPVMQRSkcH-2F8FH0yrtiNsTyqrACwgwKzcFMo110d4rbYxVU-2B6HUewkm6-2BnWaHjEY6qmqSh3JibC9pdT8olo3BdbSy-2BWanWn1DBtOw1z1cdAbywwX9dt2U78a3fVdmOhb2POgsi0MvPp4Pxgp4Cg-3D-3D




* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2022-11-09 15:40 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2022-11-09 15:40 UTC (permalink / raw)
  To: u-boot; +Cc: Simon Glass, Heinrich Schuchardt


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 7, 2022 at 3:41 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

21 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 21 defect(s)


** CID 376213:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in efi_install_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376213:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in efi_install_multiple_protocol_interfaces_int()
2636            int i = 0;
2637            efi_va_list argptr_copy;
2638
2639            if (!handle)
2640                    return EFI_INVALID_PARAMETER;
2641
>>>     CID 376213:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2642            efi_va_copy(argptr_copy, argptr);
2643            for (;;) {
2644                    protocol = efi_va_arg(argptr, efi_guid_t*);
2645                    if (!protocol)
2646                            break;
2647                    protocol_interface = efi_va_arg(argptr, void*);

** CID 376212:  Error handling issues  (CHECKED_RETURN)


________________________________________________________________________________________________________
*** CID 376212:  Error handling issues  (CHECKED_RETURN)
/drivers/usb/emul/sandbox_flash.c: 197 in handle_ufi_command()
191
192             ret = sb_scsi_emul_command(info, req, len);
193             if (!ret) {
194                     setup_response(priv);
195             } else if ((ret == SCSI_EMUL_DO_READ || ret == SCSI_EMUL_DO_WRITE) &&
196                        priv->fd != -1) {
>>>     CID 376212:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
197                     os_lseek(priv->fd, info->seek_block * info->block_size,
198                              OS_SEEK_SET);
199                     setup_response(priv);
200             } else {
201                     setup_fail_response(priv);
202             }

** CID 376211:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 376211:    (TAINTED_SCALAR)
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "initrd_dp->length" to "fill_file_info", which uses it as an offset.
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
1479                    if (size > 0)
1480                            memcpy(bo->optional_data, lo.optional_data, size);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
1540            efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1534 in eficonfig_edit_boot_option()
1528
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->optional_data" to "dlfree", which uses it as an offset.
1534            free(bo->optional_data);
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
1540            efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path" to "efi_dp_from_lo", which uses it as a loop boundary.
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "initrd_dp->str" to "fill_file_info", which uses it as an offset.
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
1479                    if (size > 0)
1480                            memcpy(bo->optional_data, lo.optional_data, size);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path_length" to "efi_dp_from_lo", which uses it as a loop boundary.
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464                            lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466                    u16_strcpy(bo->description, lo.label);
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path->str" to "fill_file_info", which uses it as an offset.
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464                            lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466                    u16_strcpy(bo->description, lo.label);
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path->length" to "fill_file_info", which uses it as an offset.
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);

** CID 376210:    (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()


________________________________________________________________________________________________________
*** CID 376210:    (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
29              struct scsi_inquiry_resp *resp = (void *)info->buff;
30
31              info->alloc_len = req->cmd[4];
32              memset(resp, '\0', sizeof(*resp));
33              resp->data_format = 1;
34              resp->additional_len = 0x1f;
>>>     CID 376210:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 8 bytes on destination array "resp->vendor" of size 8 bytes might leave the destination string unterminated.
35              strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
36              strncpy(resp->product, info->product, sizeof(resp->product));
37              strncpy(resp->revision, "1.0", sizeof(resp->revision));
38              info->buff_used = sizeof(*resp);
39              break;
40      }
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()
30
31              info->alloc_len = req->cmd[4];
32              memset(resp, '\0', sizeof(*resp));
33              resp->data_format = 1;
34              resp->additional_len = 0x1f;
35              strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
>>>     CID 376210:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "resp->product" of size 16 bytes might leave the destination string unterminated.
36              strncpy(resp->product, info->product, sizeof(resp->product));
37              strncpy(resp->revision, "1.0", sizeof(resp->revision));
38              info->buff_used = sizeof(*resp);
39              break;
40      }
41      case SCSI_TST_U_RDY:

** CID 376209:  Null pointer dereferences  (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()


________________________________________________________________________________________________________
*** CID 376209:  Null pointer dereferences  (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()
1243                    }
1244            }
1245
1246            /* We ran out of siblings. Try the next bus */
1247            uclass_next_device(&bus);
1248
>>>     CID 376209:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1249            return bus ? skip_to_next_device(bus, devp) : 0;
1250     }
1251
1252     int pci_find_first_device(struct udevice **devp)
1253     {
1254            struct udevice *bus;

** CID 376208:  Null pointer dereferences  (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()


________________________________________________________________________________________________________
*** CID 376208:  Null pointer dereferences  (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()
25              struct udevice *bus, *child;
26
27              uclass_first_device(UCLASS_VIRTIO, &bus);
28              if (!bus)
29                      return CMD_RET_FAILURE;
30
>>>     CID 376208:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
31              while (bus) {
32                      device_foreach_child_probe(child, bus)
33                              ;
34                      uclass_next_device(&bus);
35              }
36

** CID 376207:  Uninitialized variables  (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()


________________________________________________________________________________________________________
*** CID 376207:  Uninitialized variables  (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()
2319                    }
2320     next:
2321                    free(load_option);
2322            }
2323
2324     out:
>>>     CID 376207:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
2325            return ret;
2326     }
2327
2328     /**
2329      * eficonfig_generate_media_device_boot_option() - generate the media device boot option
2330      *

** CID 376206:    (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
/cmd/eficonfig.c: 134 in eficonfig_print_msg()


________________________________________________________________________________________________________
*** CID 376206:    (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
121      * Return:      status code
122      */
123     void eficonfig_print_msg(char *msg)
124     {
125             /* Flush input */
126             while (tstc())
>>>     CID 376206:    (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
127                     getchar();
128
129             printf(ANSI_CURSOR_HIDE
130                    ANSI_CLEAR_CONSOLE
131                    ANSI_CURSOR_POSITION
132                    "%s\n\n  Press any key to continue", 3, 4, msg);
/cmd/eficonfig.c: 134 in eficonfig_print_msg()
128
129             printf(ANSI_CURSOR_HIDE
130                    ANSI_CLEAR_CONSOLE
131                    ANSI_CURSOR_POSITION
132                    "%s\n\n  Press any key to continue", 3, 4, msg);
133
>>>     CID 376206:    (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
134             getchar();
135     }
136
137     /**
138      * eficonfig_print_entry() - print each menu entry
139      *

** CID 376205:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 376205:    (TAINTED_SCALAR)
/test/test-main.c: 582 in ut_run_list()
576                     printf("Running %d %s tests\n", count, category);
577
578             uts.of_root = gd_of_root();
579             uts.runs_per_test = runs_per_test;
580             if (fdt_action() == FDTCHK_COPY && gd->fdt_blob) {
581                     uts.fdt_size = fdt_totalsize(gd->fdt_blob);
>>>     CID 376205:    (TAINTED_SCALAR)
>>>     Passing tainted expression "uts.fdt_size" to "os_malloc", which uses it as an offset.
582                     uts.fdt_copy = os_malloc(uts.fdt_size);
583                     if (!uts.fdt_copy) {
584                             printf("Out of memory for device tree copy\n");
585                             return -ENOMEM;
586                     }
587                     memcpy(uts.fdt_copy, gd->fdt_blob, uts.fdt_size);
/test/test-main.c: 596 in ut_run_list()
590             ret = ut_run_tests(&uts, prefix, tests, count, select_name);
591
592             /* Best efforts only...ignore errors */
593             if (has_dm_tests)
594                     dm_test_restore(uts.of_root);
595             if (IS_ENABLED(CONFIG_SANDBOX)) {
>>>     CID 376205:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*uts.fdt_copy" to "os_free", which uses it as an offset.
596                     os_free(uts.fdt_copy);
597                     os_free(uts.other_fdt);
598             }
599
600             if (uts.skip_count)
601                     printf("Skipped: %d, ", uts.skip_count);

** CID 376204:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in efi_uninstall_multiple_protocol_interfaces_ext()


________________________________________________________________________________________________________
*** CID 376204:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in efi_uninstall_multiple_protocol_interfaces_ext()
2848     efi_uninstall_multiple_protocol_interfaces_ext(efi_handle_t handle, ...)
2849     {
2850            EFI_ENTRY("%p", handle);
2851            efi_status_t ret;
2852            efi_va_list argptr;
2853
>>>     CID 376204:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2854            efi_va_start(argptr, handle);
2855            ret = efi_uninstall_multiple_protocol_interfaces_int(handle, argptr);
2856            efi_va_end(argptr);
2857            return EFI_EXIT(ret);
2858     }
2859

** CID 376203:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376203:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in efi_uninstall_multiple_protocol_interfaces_int()
2758            size_t i = 0;
2759            efi_va_list argptr_copy;
2760
2761            if (!handle)
2762                    return EFI_INVALID_PARAMETER;
2763
>>>     CID 376203:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2764            efi_va_copy(argptr_copy, argptr);
2765            for (;;) {
2766                    protocol = efi_va_arg(argptr, efi_guid_t*);
2767                    if (!protocol)
2768                            break;
2769                    protocol_interface = efi_va_arg(argptr, void*);

** CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()


________________________________________________________________________________________________________
*** CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()
1524                            goto out;
1525                    p = tmp;
1526                    utf16_utf8_strncpy(&p, bo->optional_data, u16_strlen(bo->optional_data));
1527            }
1528
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
>>>     CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
>>>     The same code is executed when the condition "ret != 0UL" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed?
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
1535            free(bo->description);

** CID 376201:  Error handling issues  (CHECKED_RETURN)


________________________________________________________________________________________________________
*** CID 376201:  Error handling issues  (CHECKED_RETURN)
/drivers/scsi/sandbox_scsi.c: 54 in sandbox_scsi_exec()
48                        ret);
49              return ret;
50      } else if (ret == SCSI_EMUL_DO_READ && priv->fd != -1) {
51              long bytes_read;
52
53              log_debug("read %x %x\n", info->seek_block, info->read_len);
>>>     CID 376201:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
54              os_lseek(priv->fd, info->seek_block * info->block_size,
55                       OS_SEEK_SET);
56              bytes_read = os_read(priv->fd, req->pdata, info->buff_used);
57              if (bytes_read < 0)
58                      return bytes_read;
59              if (bytes_read != info->buff_used)

** CID 376200:  API usage errors  (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376200:  API usage errors  (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in efi_uninstall_multiple_protocol_interfaces_int()
2781                    }
2782                    goto out;
2783            }
2784
2785            /* If an error occurred undo all changes. */
2786            for (; i; --i) {
>>>     CID 376200:  API usage errors  (VARARGS)
>>>     Calling va_arg on va_list "argptr_copy", which has not been prepared with va_start().
2787                    protocol = efi_va_arg(argptr_copy, efi_guid_t*);
2788                    protocol_interface = efi_va_arg(argptr_copy, void*);
2789                    EFI_CALL(efi_install_protocol_interface(&handle, protocol,
2790                                                            EFI_NATIVE_INTERFACE,
2791                                                            protocol_interface));
2792            }

** CID 376199:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in efi_install_multiple_protocol_interfaces_ext()


________________________________________________________________________________________________________
*** CID 376199:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in efi_install_multiple_protocol_interfaces_ext()
2727     efi_install_multiple_protocol_interfaces_ext(efi_handle_t *handle, ...)
2728     {
2729            EFI_ENTRY("%p", handle);
2730            efi_status_t ret;
2731            efi_va_list argptr;
2732
>>>     CID 376199:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2733            efi_va_start(argptr, handle);
2734            ret = efi_install_multiple_protocol_interfaces_int(handle, argptr);
2735            efi_va_end(argptr);
2736            return EFI_EXIT(ret);
2737     }
2738

** CID 376198:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()


________________________________________________________________________________________________________
*** CID 376198:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()
1911
1912            count = fit_conf_get_prop_node_count(fit, noffset, prop_name);
1913            if (count < 0)
1914                    return count;
1915
1916            /* check each image in the list */
>>>     CID 376198:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1917            for (i = 0; i < count; i++) {
1918                    enum image_phase_t phase;
1919                    int ret, node;
1920
1921                    node = fit_conf_get_prop_node_index(fit, noffset, prop_name, i);
1922                    ret = fit_image_get_phase(fit, node, &phase);

** CID 376197:  Incorrect expression  (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()


________________________________________________________________________________________________________
*** CID 376197:  Incorrect expression  (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()
236                     scale = (end - buf) / 100;
237             cmp_buf = memalign(ARCH_DMA_MINALIGN, flash->sector_size);
238             if (cmp_buf) {
239                     ulong last_update = get_timer(0);
240
241                     for (; buf < end && !err_oper; buf += todo, offset += todo) {
>>>     CID 376197:  Incorrect expression  (UNUSED_VALUE)
>>>     Assigning value from "({...; (__min1 < __min2) ? __min1 : __min2;})" to "todo" here, but that stored value is overwritten before it can be used.
242                             todo = min_t(size_t, end - buf, flash->sector_size);
243                             todo = min_t(size_t, end - buf,
244                                          flash->sector_size - (offset % flash->sector_size));
245                             if (get_timer(last_update) > 100) {
246                                     printf("   \rUpdating, %zu%% %lu B/s",
247                                            100 - (end - buf) / scale,

** CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)
/boot/bootdev-uclass.c: 202 in bootdev_list()
196             printf("---  ------  ------  --------  ------------------\n");
197             if (probe)
198                     ret = uclass_first_device_check(UCLASS_BOOTDEV, &dev);
199             else
200                     ret = uclass_find_first_device(UCLASS_BOOTDEV, &dev);
201             for (i = 0; dev; i++) {
>>>     CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     "ret" is passed to a parameter that cannot be negative.
202                     printf("%3x   [ %c ]  %6s  %-9.9s %s\n", dev_seq(dev),
203                            device_active(dev) ? '+' : ' ',
204                            ret ? simple_itoa(ret) : "OK",
205                            dev_get_uclass_name(dev_get_parent(dev)), dev->name);
206                     if (probe)
207                             ret = uclass_next_device_check(&dev);

** CID 376195:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376195:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in efi_uninstall_multiple_protocol_interfaces_int()
2770                    ret = efi_uninstall_protocol(handle, protocol,
2771                                                 protocol_interface);
2772                    if (ret != EFI_SUCCESS)
2773                            break;
2774                    i++;
2775            }
>>>     CID 376195:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
2776            if (ret == EFI_SUCCESS) {
2777                    /* If the last protocol has been removed, delete the handle. */
2778                    if (list_empty(&handle->protocols)) {
2779                            list_del(&handle->link);
2780                            free(handle);
2781                    }

** CID 376194:  Null pointer dereferences  (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()


________________________________________________________________________________________________________
*** CID 376194:  Null pointer dereferences  (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()
620             return -ENODEV;
621     }
622
623     int blk_next_device_err(enum blk_flag_t flags, struct udevice **devp)
624     {
625             for (uclass_next_device(devp);
>>>     CID 376194:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "*devp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
626                  *devp;
627                  uclass_next_device(devp)) {
628                     if (!blk_flags_check(*devp, flags))
629                             return 0;
630             }
631


________________________________________________________________________________________________________

----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2022-11-21 19:43 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2022-11-21 19:43 UTC (permalink / raw)
  To: u-boot; +Cc: Simon Glass

[-- Attachment #1: Type: text/plain, Size: 2708 bytes --]

Here's the latest report

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 21, 2022 at 12:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 376996:  Error handling issues  (CHECKED_RETURN)
/drivers/net/sandbox-raw-bus.c: 40 in eth_raw_bus_post_bind()


________________________________________________________________________________________________________
*** CID 376996:  Error handling issues  (CHECKED_RETURN)
/drivers/net/sandbox-raw-bus.c: 40 in eth_raw_bus_post_bind()
34              if (skip_localhost && local)
35                      continue;
36
37              ub_ifname = calloc(IFNAMSIZ + sizeof(ub_ifname_pfx), 1);
38              strcpy(ub_ifname, ub_ifname_pfx);
39              strncat(ub_ifname, i->if_name, IFNAMSIZ);
>>>     CID 376996:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "device_bind_driver" without checking return value (as is done elsewhere 12 out of 15 times).
40              device_bind_driver(dev, "eth_sandbox_raw", ub_ifname, &child);
41
42              device_set_name_alloced(child);
43              device_probe(child);
44              priv = dev_get_priv(child);
45              if (priv) {

** CID 376995:  Null pointer dereferences  (FORWARD_NULL)
/test/test-main.c: 518 in ut_run_tests()


________________________________________________________________________________________________________
*** CID 376995:  Null pointer dereferences  (FORWARD_NULL)
/test/test-main.c: 518 in ut_run_tests()
512                     pos = dectoul(test_insert, NULL);
513                     p = strchr(test_insert, ':');
514                     if (p)
515                             p++;
516
517                     for (test = tests; test < tests + count; test++) {
>>>     CID 376995:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "p" to "strcmp", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
518                             if (!strcmp(p, test->name))
519                                     one = test;
520                     }
521             }
522
523             for (upto = 0, test = tests; test < tests + count; test++, upto++) {

-- 
Tom



* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2023-02-14 14:26 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2023-02-14 14:26 UTC (permalink / raw)
  To: u-boot


---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 13, 2023, 6:50 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 436073:  Resource leaks  (RESOURCE_LEAK)
/tools/proftool.c: 1853 in make_flamegraph()


________________________________________________________________________________________________________
*** CID 436073:  Resource leaks  (RESOURCE_LEAK)
/tools/proftool.c: 1853 in make_flamegraph()
1847
1848            if (make_flame_tree(out_format, &tree))
1849                    return -1;
1850
1851            *str = '\0';
1852            if (output_tree(fout, out_format, tree, str, sizeof(str), 0))
>>>     CID 436073:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "tree" going out of scope leaks the storage it points to.
1853                    return -1;
1854
1855            return 0;
1856     }
1857
1858     /**

** CID 436072:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 436072:  Insecure data handling  (TAINTED_SCALAR)
/tools/proftool.c: 515 in read_trace()
509                     switch (hdr.type) {
510                     case TRACE_CHUNK_FUNCS:
511                             /* Ignored at present */
512                             break;
513
514                     case TRACE_CHUNK_CALLS:
>>>     CID 436072:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "hdr.rec_count" to "read_calls", which uses it as an allocation size.
515                             if (read_calls(fin, hdr.rec_count))
516                                     return 1;
517                             break;
518                     }
519             }
520             return 0;


-- 
Tom



* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2023-05-08 20:20 Tom Rini
  2023-05-15 21:59 ` Ehsan Mohandesi
  2023-05-18 21:04 ` Sean Edmond
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2023-05-08 20:20 UTC (permalink / raw)
  To: u-boot; +Cc: Sean Edmond


Here's the latest defect report:

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, May 8, 2023, 2:29 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
/cmd/net.c: 279 in netboot_update_env()


________________________________________________________________________________________________________
*** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
/cmd/net.c: 279 in netboot_update_env()
273
274             if (IS_ENABLED(CONFIG_IPV6)) {
275                     if (!ip6_is_unspecified_addr(&net_ip6) ||
276                         net_prefix_length != 0) {
277                             sprintf(tmp, "%pI6c", &net_ip6);
278                             if (net_prefix_length != 0)
>>>     CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
>>>     In the call to function "sprintf", the arguments "tmp" and "tmp" may point to the same object.
279                                     sprintf(tmp, "%s/%d", tmp, net_prefix_length);
280
281                             env_set("ip6addr", tmp);
282                     }
283
284                     if (!ip6_is_unspecified_addr(&net_server_ip6)) {

** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
/net/ndisc.c: 391 in process_ra()


________________________________________________________________________________________________________
*** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
/net/ndisc.c: 391 in process_ra()
385             /* Ignore the packet if router lifetime is 0. */
386             if (!icmp->icmp6_rt_lifetime)
387                     return -EOPNOTSUPP;
388
389             /* Processing the options */
390             option = msg->opt;
>>>     CID 450971:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "remaining_option_len" as a loop boundary.
391             while (remaining_option_len > 0) {
392                     /* The 2nd byte of the option is its length. */
393                     option_len = option[1];
394                     /* All included options should have a positive length. */
395                     if (option_len == 0)
396                             return -EINVAL;

** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
/net/ndisc.c: 209 in ip6_send_rs()


________________________________________________________________________________________________________
*** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
/net/ndisc.c: 209 in ip6_send_rs()
203                                    icmp_len, PROT_ICMPV6, pcsum);
204             msg->icmph.icmp6_cksum = csum;
205             pkt += icmp_len;
206
207             /* Wait up to 1 second if it is the first try to get the RA */
208             if (retry_count == 0)
>>>     CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
209                     udelay(((unsigned int)rand() % 1000000) * MAX_SOLICITATION_DELAY);
210
211             /* send it! */
212             net_send_packet(net_tx_packet, (pkt - net_tx_packet));
213
214             retry_count++;

** CID 436282:    (DC.WEAK_CRYPTO)
/net/dhcpv6.c: 621 in dhcp6_state_machine()
/net/dhcpv6.c: 627 in dhcp6_state_machine()
/net/dhcpv6.c: 628 in dhcp6_state_machine()
/net/dhcpv6.c: 662 in dhcp6_state_machine()
/net/dhcpv6.c: 613 in dhcp6_state_machine()


________________________________________________________________________________________________________
*** CID 436282:    (DC.WEAK_CRYPTO)
/net/dhcpv6.c: 621 in dhcp6_state_machine()
615             /* handle state machine entry conditions */
616             if (sm_params.curr_state != sm_params.next_state) {
617                     sm_params.retry_cnt = 0;
618
619                     if (sm_params.next_state == DHCP6_SOLICIT) {
620                             /* delay a random ammount (special for SOLICIT) */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
622                             /* init timestamp variables after SOLICIT delay */
623                             sm_params.dhcp6_start_ms = get_timer(0);
624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
626                             /* init transaction and ia_id */
/net/dhcpv6.c: 627 in dhcp6_state_machine()
621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
622                             /* init timestamp variables after SOLICIT delay */
623                             sm_params.dhcp6_start_ms = get_timer(0);
624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
626                             /* init transaction and ia_id */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
627                             sm_params.trans_id = rand() & 0xFFFFFF;
628                             sm_params.ia_id = rand();
629                             /* initialize retransmission parameters */
630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
632                             /* RFCs default MRC is be 0 (try infinitely)
/net/dhcpv6.c: 628 in dhcp6_state_machine()
622                             /* init timestamp variables after SOLICIT delay */
623                             sm_params.dhcp6_start_ms = get_timer(0);
624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
626                             /* init transaction and ia_id */
627                             sm_params.trans_id = rand() & 0xFFFFFF;
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
628                             sm_params.ia_id = rand();
629                             /* initialize retransmission parameters */
630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
632                             /* RFCs default MRC is be 0 (try infinitely)
633                              * give up after CONFIG_NET_RETRY_COUNT number of tries (same as DHCPv4)
/net/dhcpv6.c: 662 in dhcp6_state_machine()
656                 (sm_params.mrd_ms != 0 &&
657                  ((sm_params.dhcp6_retry_ms - sm_params.dhcp6_retry_start_ms) >= sm_params.mrd_ms))) {
658                     sm_params.next_state = DHCP6_FAIL;
659             }
660
661             /* calculate retransmission timeout (RT) */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
662             rand_minus_plus_100 = ((rand() % 200) - 100);
663             if (sm_params.retry_cnt == 0) {
664                     sm_params.rt_ms = sm_params.irt_ms +
665                                       ((sm_params.irt_ms * rand_minus_plus_100) / 1000);
666             } else {
667                     sm_params.rt_ms = (2 * sm_params.rt_prev_ms) +
/net/dhcpv6.c: 613 in dhcp6_state_machine()
607                      * Proceed anyway to proceed DONE/FAIL actions
608                      */
609                     debug("Unexpected DHCP6 state : %d\n", sm_params.curr_state);
610                     break;
611             }
612             /* re-seed the RNG */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
613             srand(get_ticks() + rand());
614
615             /* handle state machine entry conditions */
616             if (sm_params.curr_state != sm_params.next_state) {
617                     sm_params.retry_cnt = 0;
618

** CID 436278:    (TAINTED_SCALAR)
/net/dhcpv6.c: 321 in dhcp6_parse_options()


________________________________________________________________________________________________________
*** CID 436278:    (TAINTED_SCALAR)
/net/dhcpv6.c: 376 in dhcp6_parse_options()
370                                     if (sm_params.curr_state == DHCP6_SOLICIT)
371                                             sm_params.mrt_ms = updated_sol_max_rt_ms;
372                             }
373                             break;
374                     case DHCP6_OPTION_OPT_BOOTFILE_URL:
375                             debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
>>>     CID 436278:    (TAINTED_SCALAR)
>>>     Passing tainted expression "option_len + 1" to "copy_filename", which uses it as a loop boundary.
376                             copy_filename(net_boot_file_name, option_ptr, option_len + 1);
377                             debug("net_boot_file_name: %s\n", net_boot_file_name);
378
379                             /* copy server_ip6 (required for PXE) */
380                             s = strchr(net_boot_file_name, '[');
381                             e = strchr(net_boot_file_name, ']');
/net/dhcpv6.c: 321 in dhcp6_parse_options()
315             while (option_hdr < (struct dhcp6_option_hdr *)(rx_pkt + len)) {
316                     option_ptr = ((uchar *)option_hdr) + sizeof(struct dhcp6_hdr);
318
319                     switch (ntohs(option_hdr->option_id)) {
320                     case DHCP6_OPTION_CLIENTID:
>>>     CID 436278:    (TAINTED_SCALAR)
>>>     Passing tainted expression "option_len" to "memcmp", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
321                             if (memcmp(option_ptr, sm_params.duid, option_len)
322                                 != 0) {
323                                     debug("CLIENT ID DOESN'T MATCH\n");
324                             } else {
325                                     debug("CLIENT ID FOUND and MATCHES\n");
326                                     sm_params.rx_status.client_id_match = true;


-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-05-08 20:20 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
@ 2023-05-15 21:59 ` Ehsan Mohandesi
  2023-05-18 21:04 ` Sean Edmond
  1 sibling, 0 replies; 105+ messages in thread
From: Ehsan Mohandesi @ 2023-05-15 21:59 UTC (permalink / raw)
  To: Tom Rini, u-boot; +Cc: Sean Edmond

On 5/8/2023 3:20 PM, Tom Rini wrote:
> Here's the latest defect report:
>
> ---------- Forwarded message ---------
> From:<scan-admin@coverity.com>
> Date: Mon, May 8, 2023, 2:29 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To:<tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 5 of 5 defect(s)
>
>
> ** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
>
>
> ________________________________________________________________________________________________________
> *** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
> 385             /* Ignore the packet if router lifetime is 0. */
> 386             if (!icmp->icmp6_rt_lifetime)
> 387                     return -EOPNOTSUPP;
> 388
> 389             /* Processing the options */
> 390             option = msg->opt;
>>>>      CID 450971:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Using tainted variable "remaining_option_len" as a loop boundary.
> 391             while (remaining_option_len > 0) {
> 392                     /* The 2nd byte of the option is its length. */
> 393                     option_len = option[1];
> 394                     /* All included options should have a positive length. */
> 395                     if (option_len == 0)
> 396                             return -EINVAL;

The problem here is that although the lower bound of the variable 
remaining_option_len is checked, the upper bound is not checked. 
Coverity is complaining that the function's argument len which is read 
from a packet content is assigned to remaining_option_len and therefore 
has made it a tainted scalar.

I will compare the value of len with ETH_MAX_MTU constant and make sure 
it is less than that as shown below.

if (len > ETH_MAX_MTU)
	return -EMSGSIZE;

> ** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
>
>
> ________________________________________________________________________________________________________
> *** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
> 203                                    icmp_len, PROT_ICMPV6, pcsum);
> 204             msg->icmph.icmp6_cksum = csum;
> 205             pkt += icmp_len;
> 206
> 207             /* Wait up to 1 second if it is the first try to get the RA */
> 208             if (retry_count == 0)
>>>>      CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 209                     udelay(((unsigned int)rand() % 1000000) * MAX_SOLICITATION_DELAY);
> 210
> 211             /* send it! */
> 212             net_send_packet(net_tx_packet, (pkt - net_tx_packet));
> 213
> 214             retry_count++;
This is a false positive. The function rand() is not used for encryption 
here. It is used to just make a random delay to avoid collisions on the 
network. It has nothing to do with encryption.

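The bound Ehsan describes, carried through a complete walk of the RA option area, as an added example rather than U-Boot's own process_ra(): MAX_OPTION_AREA_LEN stands in for ETH_MAX_MTU and the option type codes are RFC 4861's, both assumptions of this example. It goes one step further than the snippet above by also rejecting an option whose declared length overruns what is left of the packet.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Bounded walk over RFC 4861 Neighbor Discovery options. Not U-Boot code;
 * the constants below are assumptions standing in for ETH_MAX_MTU and for
 * the ND option type codes.
 */
#define ND_OPT_HDR_LEN        2     /* type octet + length octet */
#define ND_OPT_LEN_UNIT       8     /* RFC 4861: length is in units of 8 octets */
#define MAX_OPTION_AREA_LEN   1500  /* stands in for ETH_MAX_MTU (assumption) */

#define ND_OPT_SOURCE_LLADDR  1     /* RFC 4861 option type codes */
#define ND_OPT_PREFIX_INFO    3
#define ND_OPT_MTU            5

struct nd_option_tally {
	int total;        /* options successfully walked */
	int prefix_info;  /* how many were Prefix Information options */
};

/*
 * Walk the option area that follows an RA header.
 *
 * 'len' comes straight from the received packet, so it is the tainted
 * scalar Coverity flagged. Bound it above before it becomes the loop
 * limit, then check every per-option length against what remains.
 *
 * Returns 0 on success, -EMSGSIZE if the area is larger than a frame can
 * carry, -EINVAL for a malformed option list.
 */
int nd_walk_options(const uint8_t *opt, size_t len, struct nd_option_tally *out)
{
	size_t remaining = len;
	const uint8_t *p = opt;

	out->total = 0;
	out->prefix_info = 0;

	/* Upper bound on the tainted length (the check proposed above). */
	if (len > MAX_OPTION_AREA_LEN)
		return -EMSGSIZE;

	while (remaining > 0) {
		size_t option_len;

		/* Need both header octets before reading the length. */
		if (remaining < ND_OPT_HDR_LEN)
			return -EINVAL;

		/* The 2nd octet is the length in 8-octet units. */
		option_len = (size_t)p[1] * ND_OPT_LEN_UNIT;

		/* A zero length would never advance the cursor. */
		if (option_len == 0)
			return -EINVAL;

		/* An option claiming more than is left overruns the packet. */
		if (option_len > remaining)
			return -EINVAL;

		if (p[0] == ND_OPT_PREFIX_INFO)
			out->prefix_info++;
		out->total++;

		p += option_len;
		remaining -= option_len;
	}
	return 0;
}

/* Return code only, for callers that do not need the tally. */
int nd_walk_rc(const uint8_t *opt, size_t len)
{
	struct nd_option_tally t;

	return nd_walk_options(opt, len, &t);
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t sample_ok[40] = {
	ND_OPT_SOURCE_LLADDR, 1, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, /* 8 octets */
	ND_OPT_PREFIX_INFO, 4, 64, 0xc0,                            /* 32 octets, rest zero */
};
static const uint8_t sample_zero_len[8] = { ND_OPT_MTU, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_overrun[8]  = { ND_OPT_MTU, 2, 0, 0, 0, 0, 0, 0 };
static const uint8_t sample_trailing[9] = { ND_OPT_MTU, 1, 0, 0, 0, 0, 0, 0, 0x7f };
static const uint8_t sample_oversize[MAX_OPTION_AREA_LEN + 1];

/* Returns 1 when every sample produces the expected verdict. */
int nd_walk_selfcheck(void)
{
	struct nd_option_tally t;

	if (nd_walk_options(sample_ok, sizeof(sample_ok), &t) != 0 ||
	    t.total != 2 || t.prefix_info != 1)
		return 0;
	if (nd_walk_rc(sample_zero_len, sizeof(sample_zero_len)) != -EINVAL)
		return 0;
	if (nd_walk_rc(sample_overrun, sizeof(sample_overrun)) != -EINVAL)
		return 0;
	if (nd_walk_rc(sample_trailing, sizeof(sample_trailing)) != -EINVAL)
		return 0;
	if (nd_walk_rc(sample_oversize, sizeof(sample_oversize)) != -EMSGSIZE)
		return 0;
	return 1;
}
```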

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-05-08 20:20 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
  2023-05-15 21:59 ` Ehsan Mohandesi
@ 2023-05-18 21:04 ` Sean Edmond
  1 sibling, 0 replies; 105+ messages in thread
From: Sean Edmond @ 2023-05-18 21:04 UTC (permalink / raw)
  To: Tom Rini, u-boot; +Cc: Sean Edmond


On 2023-05-08 1:20 p.m., Tom Rini wrote:
> Here's the latest defect report:
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, May 8, 2023, 2:29 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 5 of 5 defect(s)
>
>
> ** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
> /cmd/net.c: 279 in netboot_update_env()
>
>
> ________________________________________________________________________________________________________
> *** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
> /cmd/net.c: 279 in netboot_update_env()
> 273
> 274             if (IS_ENABLED(CONFIG_IPV6)) {
> 275                     if (!ip6_is_unspecified_addr(&net_ip6) ||
> 276                         net_prefix_length != 0) {
> 277                             sprintf(tmp, "%pI6c", &net_ip6);
> 278                             if (net_prefix_length != 0)
>>>>      CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
>>>>      In the call to function "sprintf", the arguments "tmp" and "tmp" may point to the same object.
> 279                                     sprintf(tmp, "%s/%d", tmp, net_prefix_length);
> 280
> 281                             env_set("ip6addr", tmp);
> 282                     }
> 283
> 284                     if (!ip6_is_unspecified_addr(&net_server_ip6)) {

Just submitted a patch to fix 453851.

>
> ** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
>
>
> ________________________________________________________________________________________________________
> *** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
> 385             /* Ignore the packet if router lifetime is 0. */
> 386             if (!icmp->icmp6_rt_lifetime)
> 387                     return -EOPNOTSUPP;
> 388
> 389             /* Processing the options */
> 390             option = msg->opt;
>>>>      CID 450971:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Using tainted variable "remaining_option_len" as a loop boundary.
> 391             while (remaining_option_len > 0) {
> 392                     /* The 2nd byte of the option is its length. */
> 393                     option_len = option[1];
> 394                     /* All included options should have a positive length. */
> 395                     if (option_len == 0)
> 396                             return -EINVAL;
>
> ** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
>
>
> ________________________________________________________________________________________________________
> *** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
> 203                                    icmp_len, PROT_ICMPV6, pcsum);
> 204             msg->icmph.icmp6_cksum = csum;
> 205             pkt += icmp_len;
> 206
> 207             /* Wait up to 1 second if it is the first try to get the RA */
> 208             if (retry_count == 0)
>>>>      CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 209                     udelay(((unsigned int)rand() % 1000000) * MAX_SOLICITATION_DELAY);
> 210
> 211             /* send it! */
> 212             net_send_packet(net_tx_packet, (pkt - net_tx_packet));
> 213
> 214             retry_count++;
>
> ** CID 436282:    (DC.WEAK_CRYPTO)
> /net/dhcpv6.c: 621 in dhcp6_state_machine()
> /net/dhcpv6.c: 627 in dhcp6_state_machine()
> /net/dhcpv6.c: 628 in dhcp6_state_machine()
> /net/dhcpv6.c: 662 in dhcp6_state_machine()
> /net/dhcpv6.c: 613 in dhcp6_state_machine()
>
>
> ________________________________________________________________________________________________________
> *** CID 436282:    (DC.WEAK_CRYPTO)
> /net/dhcpv6.c: 621 in dhcp6_state_machine()
> 615             /* handle state machine entry conditions */
> 616             if (sm_params.curr_state != sm_params.next_state) {
> 617                     sm_params.retry_cnt = 0;
> 618
> 619                     if (sm_params.next_state == DHCP6_SOLICIT) {
> 620                             /* delay a random ammount (special for SOLICIT) */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
> 622                             /* init timestamp variables after SOLICIT delay */
> 623                             sm_params.dhcp6_start_ms = get_timer(0);
> 624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
> 625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
> 626                             /* init transaction and ia_id */
> /net/dhcpv6.c: 627 in dhcp6_state_machine()
> 621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
> 622                             /* init timestamp variables after SOLICIT delay */
> 623                             sm_params.dhcp6_start_ms = get_timer(0);
> 624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
> 625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
> 626                             /* init transaction and ia_id */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 627                             sm_params.trans_id = rand() & 0xFFFFFF;
> 628                             sm_params.ia_id = rand();
> 629                             /* initialize retransmission parameters */
> 630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
> 631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
> 632                             /* RFCs default MRC is be 0 (try infinitely)
> /net/dhcpv6.c: 628 in dhcp6_state_machine()
> 622                             /* init timestamp variables after SOLICIT delay */
> 623                             sm_params.dhcp6_start_ms = get_timer(0);
> 624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
> 625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
> 626                             /* init transaction and ia_id */
> 627                             sm_params.trans_id = rand() & 0xFFFFFF;
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 628                             sm_params.ia_id = rand();
> 629                             /* initialize retransmission parameters */
> 630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
> 631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
> 632                             /* RFCs default MRC is be 0 (try infinitely)
> 633                              * give up after CONFIG_NET_RETRY_COUNT
> number of tries (same as DHCPv4)
> /net/dhcpv6.c: 662 in dhcp6_state_machine()
> 656                 (sm_params.mrd_ms != 0 &&
> 657                  ((sm_params.dhcp6_retry_ms -
> sm_params.dhcp6_retry_start_ms) >= sm_params.mrd_ms))) {
> 658                     sm_params.next_state = DHCP6_FAIL;
> 659             }
> 660
> 661             /* calculate retransmission timeout (RT) */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 662             rand_minus_plus_100 = ((rand() % 200) - 100);
> 663             if (sm_params.retry_cnt == 0) {
> 664                     sm_params.rt_ms = sm_params.irt_ms +
> 665                                       ((sm_params.irt_ms *
> rand_minus_plus_100) / 1000);
> 666             } else {
> 667                     sm_params.rt_ms = (2 * sm_params.rt_prev_ms) +
> /net/dhcpv6.c: 613 in dhcp6_state_machine()
> 607                      * Proceed anyway to proceed DONE/FAIL actions
> 608                      */
> 609                     debug("Unexpected DHCP6 state : %d\n",
> sm_params.curr_state);
> 610                     break;
> 611             }
> 612             /* re-seed the RNG */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
We can ignore 436282. For DHCP6, we seed using srand_mac() to ensure 
that rand() will produce enough variation for each device on the 
network.  The numbers from rand() are used to introduce variation in the 
delay between re-transmissions to avoid excessive server congestion if 
all clients are started at the same time (such as a power loss).  These 
values are not used for crypto.
> because linear congruential algorithms are too easy to break.
> 613             srand(get_ticks() + rand());
> 614
> 615             /* handle state machine entry conditions */
> 616             if (sm_params.curr_state != sm_params.next_state) {
> 617                     sm_params.retry_cnt = 0;
> 618
>
> ** CID 436278:    (TAINTED_SCALAR)
> /net/dhcpv6.c: 321 in dhcp6_parse_options()
>
>
> ________________________________________________________________________________________________________
> *** CID 436278:    (TAINTED_SCALAR)
> /net/dhcpv6.c: 376 in dhcp6_parse_options()
> 370                                     if (sm_params.curr_state ==
> DHCP6_SOLICIT)
> 371                                             sm_params.mrt_ms =
> updated_sol_max_rt_ms;
> 372                             }
> 373                             break;
> 374                     case DHCP6_OPTION_OPT_BOOTFILE_URL:
> 375                             debug("DHCP6_OPTION_OPT_BOOTFILE_URL
> FOUND\n");
>>>>      CID 436278:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "option_len + 1" to "copy_filename",
> which uses it as a loop boundary.
> 376                             copy_filename(net_boot_file_name,
> option_ptr, option_len + 1);
> 377                             debug("net_boot_file_name: %s\n",
> net_boot_file_name);
> 378
> 379                             /* copy server_ip6 (required for PXE) */
> 380                             s = strchr(net_boot_file_name, '[');
> 381                             e = strchr(net_boot_file_name, ']');
> /net/dhcpv6.c: 321 in dhcp6_parse_options()
> 315             while (option_hdr < (struct dhcp6_option_hdr *)(rx_pkt +
> len)) {
> 316                     option_ptr = ((uchar *)option_hdr) + sizeof(struct
> dhcp6_hdr);
> 317                     option_len = ntohs(option_hdr->option_len);
> 318
> 319                     switch (ntohs(option_hdr->option_id)) {
> 320                     case DHCP6_OPTION_CLIENTID:
>>>>      CID 436278:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "option_len" to "memcmp", which uses it

Just submitted a patch to fix 436278.

> as an offset. [Note: The source code implementation of the function has
> been overridden by a builtin model.]
> 321                             if (memcmp(option_ptr, sm_params.duid,
> option_len)
> 322                                 != 0) {
> 323                                     debug("CLIENT ID DOESN'T MATCH\n");
> 324                             } else {
> 325                                     debug("CLIENT ID FOUND and
> MATCHES\n");
> 326                                     sm_params.rx_status.client_id_match
> = true;
>
>

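As an added example (not U-Boot code and not from the message above), the following C program shows what the rand() output flagged in CID 436282 actually feeds: the retransmission timeout (RT) of the DHCPv6 state machine. The jitter term is drawn exactly as the excerpt draws it, ((rand() % 200) - 100), and is later divided by 1000, so it scales a delay by roughly plus or minus 10 percent; the MRT cap follows RFC 8415 section 15 rather than the excerpt, which ends before that step. EX_IRT_MS, EX_MRT_MS and the seed are constructed values standing in for U-Boot's SOL_TIMEOUT_MS and updated_sol_max_rt_ms, which the report does not show.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed timing constants for this example only; they stand in for
 * U-Boot's SOL_TIMEOUT_MS and updated_sol_max_rt_ms, which are not shown. */
#define EX_IRT_MS 1000U   /* initial retransmission time */
#define EX_MRT_MS 3600U   /* maximum retransmission time, 0 = no cap */

/* Jitter term drawn the way the flagged code draws it: an integer in
 * [-100, 99] that is later divided by 1000, i.e. about +/-10 %. The
 * value only perturbs a delay; it is never used as key material. */
int dhcp6_jitter(void)
{
	return (rand() % 200) - 100;
}

/* Next retransmission timeout in ms. The jitter is passed in rather than
 * drawn inside, so the arithmetic can be checked deterministically. */
uint32_t dhcp6_next_rt(uint32_t irt_ms, uint32_t mrt_ms, uint32_t rt_prev_ms,
		       unsigned int retry_cnt, int jitter)
{
	/* first try: RT = IRT + RAND*IRT; later tries: RT = 2*RTprev + RAND*RTprev */
	int64_t base = retry_cnt == 0 ? (int64_t)irt_ms : 2 * (int64_t)rt_prev_ms;
	int64_t rt = base + (base * jitter) / 1000;

	/* RFC 8415 cap: if RT > MRT then RT = MRT + RAND*MRT (when MRT != 0) */
	if (mrt_ms != 0 && rt > (int64_t)mrt_ms)
		rt = (int64_t)mrt_ms + ((int64_t)mrt_ms * jitter) / 1000;

	return (uint32_t)rt;
}

/* Check that n draws from dhcp6_jitter() stay inside [-100, 99]. */
int dhcp6_jitter_in_band(unsigned int n)
{
	for (unsigned int i = 0; i < n; i++) {
		int j = dhcp6_jitter();

		if (j < -100 || j > 99)
			return 0;
	}
	return 1;
}

/* Stand-alone demo: print a backoff schedule for a few retries. */
int main(void)
{
	uint32_t rt = 0;

	srand(12345); /* constructed seed; U-Boot seeds via srand_mac() and get_ticks() */
	for (unsigned int retry = 0; retry < 6; retry++) {
		rt = dhcp6_next_rt(EX_IRT_MS, EX_MRT_MS, rt, retry, dhcp6_jitter());
		printf("retry %u: RT = %u ms\n", retry, rt);
	}
	return 0;
}
```

The point the reply makes is visible in the arithmetic: a predictable rand() stream changes only where each client lands inside the +/-10 % band around IRT, 2*RTprev or MRT, which spreads retransmissions after a simultaneous restart but confers nothing on an attacker.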

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2023-08-21 21:09 Tom Rini
  2023-08-24  9:27 ` Abdellatif El Khlifi
  2023-10-20 11:57 ` Abdellatif El Khlifi
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2023-08-21 21:09 UTC (permalink / raw)
  To: u-boot, Alvaro Fernando García, Abdellatif El Khlifi


Here's the latest report

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Aug 21, 2023 at 4:30 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

4 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 464362:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/video/pwm_backlight.c: 68 in set_pwm()


________________________________________________________________________________________________________
*** CID 464362:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/video/pwm_backlight.c: 68 in set_pwm()
62     {
63      u64 width;
64      uint duty_cycle;
65      int ret;
66
67      if (priv->period_ns) {
>>>     CID 464362:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "priv->period_ns * (priv->cur_level - priv->min_level)" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
68              width = priv->period_ns * (priv->cur_level - priv->min_level);
69              duty_cycle = div_u64(width,
70                                   (priv->max_level - priv->min_level));
71              ret = pwm_set_config(priv->pwm, priv->channel, priv->period_ns,
72                                   duty_cycle);
73      } else {

** CID 464361:  Control flow issues  (DEADCODE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()


________________________________________________________________________________________________________
*** CID 464361:  Control flow issues  (DEADCODE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
142
143             if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
144                     return -EINVAL;
145
146             abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
147             if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
>>>     CID 464361:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -22;".
148                     return -EINVAL;
149
150             if (!err_msg_map[abi_idx].err_str[err_idx])
151                     return -EINVAL;
152
153             log_err("%s\n", err_msg_map[abi_idx].err_str[err_idx]);

** CID 464360:  Control flow issues  (NO_EFFECT)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()


________________________________________________________________________________________________________
*** CID 464360:  Control flow issues  (NO_EFFECT)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
201             major = GET_FFA_MAJOR_VERSION(res.a0);
202             minor = GET_FFA_MINOR_VERSION(res.a0);
203
204             log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
205                      FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
206
>>>     CID 464360:  Control flow issues  (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
207             if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
208                     log_debug("FF-A versions are compatible\n");
209
210                     if (dev) {
211                             uc_priv = dev_get_uclass_priv(dev);
212                             if (uc_priv)

** CID 464359:    (PASS_BY_VALUE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
/drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()


________________________________________________________________________________________________________
*** CID 464359:    (PASS_BY_VALUE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
162      * @args: FF-A ABI arguments to be copied to Xn registers
163      * @res: FF-A ABI return data to be copied from Xn registers
164      *
165      * Calls low level SMC implementation.
166      * This function should be implemented by the user driver.
167      */
>>>     CID 464359:    (PASS_BY_VALUE)
>>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
168     void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
169     {
170     }
171
172     /**
173      * ffa_get_version_hdlr() - FFA_VERSION handler function
/drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
667      * invoke_ffa_fn() - SMC wrapper
668      * @args: FF-A ABI arguments to be copied to Xn registers
669      * @res: FF-A ABI return data to be copied from Xn registers
670      *
671      * Calls the emulated SMC call.
672      */
>>>     CID 464359:    (PASS_BY_VALUE)
>>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
673     void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
674     {
675             sandbox_arm_ffa_smccc_smc(&args, res);
676     }
677
678     /**

-- 
Tom


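As an added example, not code from U-Boot or from the report above, the following C program reproduces the arithmetic behind CID 464362 with a constructed struct and constructed values: the driver multiplies two 32-bit unsigned fields and only then stores the product in a u64, so for a 20 ms period (20,000,000 ns) at level 255 the product 5,100,000,000 exceeds 2^32 and wraps before it is widened. width_wide() shows the usual fix of casting one operand to 64 bits before the multiply; struct backlight_priv, duty_cycle_ns() and the level values are assumptions for the example, not the driver's own definitions.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Constructed stand-in for the driver's private data; field widths match
 * what Coverity reports (unsigned int, 32 bits). Not U-Boot's struct. */
struct backlight_priv {
	uint32_t period_ns;   /* PWM period in nanoseconds */
	uint32_t cur_level;   /* requested brightness level */
	uint32_t min_level;
	uint32_t max_level;
};

/* The flagged form: both operands are 32-bit, so the product is computed
 * in 32-bit unsigned arithmetic (wrapping mod 2^32) and only then widened. */
uint64_t width_narrow(const struct backlight_priv *p)
{
	uint64_t width = p->period_ns * (p->cur_level - p->min_level);

	return width;
}

/* Fixed form: promote one operand before the multiply so the whole
 * expression is evaluated in 64 bits. */
uint64_t width_wide(const struct backlight_priv *p)
{
	uint64_t width = (uint64_t)p->period_ns * (p->cur_level - p->min_level);

	return width;
}

/* Duty cycle the way the driver derives it: width / (max_level - min_level).
 * Returns 0 for a degenerate range instead of dividing by zero. */
uint32_t duty_cycle_ns(uint64_t width, const struct backlight_priv *p)
{
	uint32_t span = p->max_level - p->min_level;

	if (span == 0)
		return 0;
	return (uint32_t)(width / span);
}

int main(void)
{
	/* 50 Hz backlight (20 ms period) driven to full brightness. */
	struct backlight_priv priv = { 20000000U, 255U, 0U, 255U };
	uint64_t narrow = width_narrow(&priv);
	uint64_t wide = width_wide(&priv);

	printf("32-bit product: %" PRIu64 " -> duty %u ns\n",
	       narrow, duty_cycle_ns(narrow, &priv));
	printf("64-bit product: %" PRIu64 " -> duty %u ns\n",
	       wide, duty_cycle_ns(wide, &priv));
	return 0;
}
```

With the wrapped product the duty cycle comes out at roughly 3.16 ms instead of the full 20 ms period, a silent brightness error rather than a crash, which is why this class of defect is easy to miss without a tool that tracks operand widths.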

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-08-21 21:09 Tom Rini
@ 2023-08-24  9:27 ` Abdellatif El Khlifi
  2023-08-28 16:09   ` Alvaro Fernando García
  2023-10-20 11:57 ` Abdellatif El Khlifi
  1 sibling, 1 reply; 105+ messages in thread
From: Abdellatif El Khlifi @ 2023-08-24  9:27 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, nd

Hi Tom,

> Here's the latest report
> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Aug 21, 2023 at 4:30 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
> 
> 4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 4 of 4 defect(s)
> 
> 
> ** CID 464361:  Control flow issues  (DEADCODE)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()

Well received, I started working on that.
I'll provide a fix after coming back from holidays (mid September).

Cheers,
Abdellatif



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-08-24  9:27 ` Abdellatif El Khlifi
@ 2023-08-28 16:09   ` Alvaro Fernando García
  2023-08-28 16:11     ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Alvaro Fernando García @ 2023-08-28 16:09 UTC (permalink / raw)
  To: Abdellatif El Khlifi; +Cc: Tom Rini, U-Boot Mailing List, nd

Hello,

On Thu, Aug 24, 2023 at 06:27, Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> wrote:

> Hi Tom,
>
> > Here's the latest report
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Mon, Aug 21, 2023 at 4:30 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das
> > U-Boot found with Coverity Scan.
> >
> > 4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 4 of 4 defect(s)
> >
> >
> > ** CID 464361:  Control flow issues  (DEADCODE)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
>
> Well received, I started working on that.
> I'll provide a fix after coming back from holidays (mid September).
>
> Cheers,
> Abdellatif
>

Is there something I could do to help with this?


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-08-28 16:09   ` Alvaro Fernando García
@ 2023-08-28 16:11     ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2023-08-28 16:11 UTC (permalink / raw)
  To: Alvaro Fernando García; +Cc: Abdellatif El Khlifi, U-Boot Mailing List, nd


On Mon, Aug 28, 2023 at 01:09:17PM -0300, Alvaro Fernando García wrote:
> Hello,
> 
> On Thu, Aug 24, 2023 at 06:27, Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com> wrote:
> 
> > Hi Tom,
> >
> > > Here's the latest report
> > >
> > > ---------- Forwarded message ---------
> > > From: <scan-admin@coverity.com>
> > > Date: Mon, Aug 21, 2023 at 4:30 PM
> > > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > > To: <tom.rini@gmail.com>
> > >
> > >
> > > Hi,
> > >
> > > Please find the latest report on new defect(s) introduced to Das
> > > U-Boot found with Coverity Scan.
> > >
> > > 4 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > >
> > >
> > > New defect(s) Reported-by: Coverity Scan
> > > Showing 4 of 4 defect(s)
> > >
> > >
> > > ** CID 464361:  Control flow issues  (DEADCODE)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> >
> > Well received, I started working on that.
> > I'll provide a fix after coming back from holidays (mid September).
> >
> > Cheers,
> > Abdellatif
> >
> 
> Is there something I could do to help with this?

Everyone is free to work on these issues, yes.

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-08-21 21:09 Tom Rini
  2023-08-24  9:27 ` Abdellatif El Khlifi
@ 2023-10-20 11:57 ` Abdellatif El Khlifi
  2023-10-25 14:57   ` Tom Rini
  1 sibling, 1 reply; 105+ messages in thread
From: Abdellatif El Khlifi @ 2023-10-20 11:57 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, nd, xueliang.zhong

Hi Tom,

> ________________________________________________________________________________________________________
> *** CID 464361:  Control flow issues  (DEADCODE)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> 142
> 143             if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> 144                     return -EINVAL;
> 145
> 146             abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> 147             if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> >>>     CID 464361:  Control flow issues  (DEADCODE)
> >>>     Execution cannot reach this statement: "return -22;".
> 148                     return -EINVAL;

This is a false positive.

abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".

This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80:

	ffa_print_error_log(0x50, ...); /* exceeding lower bound */
	ffa_print_error_log(0x80, ...);  /* exceeding upper bound */

In these cases "return -EINVAL;" is executed.

> ... 
> ________________________________________________________________________________________________________
> *** CID 464360:  Control flow issues  (NO_EFFECT)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
> 201             major = GET_FFA_MAJOR_VERSION(res.a0);
> 202             minor = GET_FFA_MINOR_VERSION(res.a0);
> 203
> 204             log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
> 205                      FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
> 206
> >>>     CID 464360:  Control flow issues  (NO_EFFECT)
> >>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
> 207             if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {

Providing the facts that:

#define FFA_MINOR_VERSION		(0)
u16 minor;

Yes, currently this condition is always true:  minor >= FFA_MINOR_VERSION

However, we might upgrade FFA_MINOR_VERSION in the future. If we remove the "minor >= FFA_MINOR_VERSION",
non-compatible versions could pass, which we don't want.

To keep this code scalable, I think it's better to keep this condition.

> ...
> ________________________________________________________________________________________________________
> *** CID 464359:    (PASS_BY_VALUE)
> /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
> 162      * @args: FF-A ABI arguments to be copied to Xn registers
> 163      * @res: FF-A ABI return data to be copied from Xn registers
> 164      *
> 165      * Calls low level SMC implementation.
> 166      * This function should be implemented by the user driver.
> 167      */
> >>>     CID 464359:    (PASS_BY_VALUE)
> >>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> 168     void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)

We are using invoke_ffa_fn with the same arguments as in Linux. The aim is to use the same interfaces as in the Linux FF-A
driver to make porting code easier.

In Linux, args is passed by value [1].
ffa_value_t is a structure with 18 "unsigned long" fields. So, the size is fixed.

[1]: invoke_ffa_fn arguments in the Linux FF-A driver

https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L115
https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L54
https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/common.h#L15

[2]: include/linux/arm-smccc.h

> 169     {
> 170     }
> 171
> 172     /**
> 173      * ffa_get_version_hdlr() - FFA_VERSION handler function
> /drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
> 667      * invoke_ffa_fn() - SMC wrapper
> 668      * @args: FF-A ABI arguments to be copied to Xn registers
> 669      * @res: FF-A ABI return data to be copied from Xn registers
> 670      *
> 671      * Calls the emulated SMC call.
> 672      */
> >>>     CID 464359:    (PASS_BY_VALUE)
> >>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> 673     void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)

Same feedback as above.

Cheers,
Abdellatif



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-10-20 11:57 ` Abdellatif El Khlifi
@ 2023-10-25 14:57   ` Tom Rini
  2023-10-25 15:12     ` Abdellatif El Khlifi
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2023-10-25 14:57 UTC (permalink / raw)
  To: Abdellatif El Khlifi; +Cc: u-boot, nd, xueliang.zhong


On Fri, Oct 20, 2023 at 12:57:47PM +0100, Abdellatif El Khlifi wrote:
> Hi Tom,
> 
> > ________________________________________________________________________________________________________
> > *** CID 464361:  Control flow issues  (DEADCODE)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > 142
> > 143             if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > 144                     return -EINVAL;
> > 145
> > 146             abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > 147             if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > >>>     CID 464361:  Control flow issues  (DEADCODE)
> > >>>     Execution cannot reach this statement: "return -22;".
> > 148                     return -EINVAL;
> 
> This is a false positive.
> 
> abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
> 
> This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80:
> 
> 	ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> 	ffa_print_error_log(0x80, ...);  /* exceeding upper bound */
> 
> In these cases "return -EINVAL;" is executed.

So those invalid values aren't caught by the previous check that ffa_id
falls within FFA_FIRST_ID to FFA_LAST_ID ?

> > ... 
> > ________________________________________________________________________________________________________
> > *** CID 464360:  Control flow issues  (NO_EFFECT)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
> > 201             major = GET_FFA_MAJOR_VERSION(res.a0);
> > 202             minor = GET_FFA_MINOR_VERSION(res.a0);
> > 203
> > 204             log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
> > 205                      FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
> > 206
> > >>>     CID 464360:  Control flow issues  (NO_EFFECT)
> > >>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
> > 207             if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
> 
> Providing the facts that:
> 
> #define FFA_MINOR_VERSION		(0)
> u16 minor;
> 
> Yes, currently this condition is always true:  minor >= FFA_MINOR_VERSION
> 
> However, we might upgrade FFA_MINOR_VERSION in the future. If we remove the "minor >= FFA_MINOR_VERSION",
> non-compatible versions could pass, which we don't want.
> 
> To keep this code scalable, I think it's better to keep this condition.

OK, thanks, this makes sense as an intentional change for future sanity
checking.

> > ________________________________________________________________________________________________________
> > *** CID 464359:    (PASS_BY_VALUE)
> > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
> > 162      * @args: FF-A ABI arguments to be copied to Xn registers
> > 163      * @res: FF-A ABI return data to be copied from Xn registers
> > 164      *
> > 165      * Calls low level SMC implementation.
> > 166      * This function should be implemented by the user driver.
> > 167      */
> > >>>     CID 464359:    (PASS_BY_VALUE)
> > >>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > 168     void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
> 
> We are using invoke_ffa_fn with the same arguments as in Linux. The aim is to use the same interfaces as in the Linux FF-A
> driver to make porting code easier.
> 
> In Linux, args is passed by value [1].
> ffa_value_t is a structure with 18 "unsigned long" fields. So, the size is fixed.
> 
> [1]: invoke_ffa_fn arguments in the Linux FF-A driver
> 
> https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L115
> https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L54
> https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/common.h#L15
> 
> [2]: include/linux/arm-smccc.h

So this is intentional, OK.

> 
> > 169     {
> > 170     }
> > 171
> > 172     /**
> > 173      * ffa_get_version_hdlr() - FFA_VERSION handler function
> > /drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
> > 667      * invoke_ffa_fn() - SMC wrapper
> > 668      * @args: FF-A ABI arguments to be copied to Xn registers
> > 669      * @res: FF-A ABI return data to be copied from Xn registers
> > 670      *
> > 671      * Calls the emulated SMC call.
> > 672      */
> > >>>     CID 464359:    (PASS_BY_VALUE)
> > >>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > 673     void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
> 
> Same feedback as above.

Thanks.  I'll update the last 3 CIDs shortly.

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-10-25 14:57   ` Tom Rini
@ 2023-10-25 15:12     ` Abdellatif El Khlifi
  2023-10-25 15:15       ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Abdellatif El Khlifi @ 2023-10-25 15:12 UTC (permalink / raw)
  To: Tom Rini; +Cc: nd, trini, u-boot, xueliang.zhong

Hi Tom,

> > > ________________________________________________________________________________________________________
> > > *** CID 464361:  Control flow issues  (DEADCODE)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > > 142
> > > 143             if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > > 144                     return -EINVAL;
> > > 145
> > > 146             abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > > 147             if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > > >>>     CID 464361:  Control flow issues  (DEADCODE)
> > > >>>     Execution cannot reach this statement: "return -22;".
> > > 148                     return -EINVAL;
> > 
> > This is a false positive.
> > 
> > abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
> > 
> > This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80:
> > 
> > 	ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> > 	ffa_print_error_log(0x80, ...);  /* exceeding upper bound */
> > 
> > In these cases "return -EINVAL;" is executed.
> 
> So those invalid values aren't caught by the previous check that ffa_id
> falls within FFA_FIRST_ID to FFA_LAST_ID ?

I had a closer look at that and I agree that the deadcode defect is legitimate.
I already provided a fix [1].

[1]: https://lore.kernel.org/all/20231020131533.239591-1-abdellatif.elkhlifi@arm.com/

> 
> > > ... 
> > > ________________________________________________________________________________________________________
> > > *** CID 464360:  Control flow issues  (NO_EFFECT)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
> > > 201             major = GET_FFA_MAJOR_VERSION(res.a0);
> > > 202             minor = GET_FFA_MINOR_VERSION(res.a0);
> > > 203
> > > 204             log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
> > > 205                      FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
> > > 206
> > > >>>     CID 464360:  Control flow issues  (NO_EFFECT)
> > > >>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
> > > 207             if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
> > 
> > Providing the facts that:
> > 
> > #define FFA_MINOR_VERSION		(0)
> > u16 minor;
> > 
> > Yes, currently this condition is always true:  minor >= FFA_MINOR_VERSION
> > 
> > However, we might upgrade FFA_MINOR_VERSION in the future. If we remove the "minor >= FFA_MINOR_VERSION",
> > non-compatible versions could pass, which we don't want.
> > 
> > To keep this code scalable, I think it's better to keep this condition.
> 
> OK, thanks, this makes sense as an intentional change for future sanity
> checking.
> 
> > > ________________________________________________________________________________________________________
> > > *** CID 464359:    (PASS_BY_VALUE)
> > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
> > > 162      * @args: FF-A ABI arguments to be copied to Xn registers
> > > 163      * @res: FF-A ABI return data to be copied from Xn registers
> > > 164      *
> > > 165      * Calls low level SMC implementation.
> > > 166      * This function should be implemented by the user driver.
> > > 167      */
> > > >>>     CID 464359:    (PASS_BY_VALUE)
> > > >>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > > 168     void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
> > 
> > We are using invoke_ffa_fn with the same arguments as in Linux. The aim is to use the same interfaces as in the Linux FF-A
> > driver to make porting code easier.
> > 
> > In Linux, args is passed by value [1].
> > ffa_value_t is a structure with 18 "unsigned long" fields. So, the size is fixed.
> > 
> > [1]: invoke_ffa_fn arguments in the Linux FF-A driver
> > 
> > https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L115
> > https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/driver.c#L54
> > https://elixir.bootlin.com/linux/v6.6-rc6/source/drivers/firmware/arm_ffa/common.h#L15
> > 
> > [2]: include/linux/arm-smccc.h
> 
> So this is intentional, OK.
> 
> > 
> > > 169     {
> > > 170     }
> > > 171
> > > 172     /**
> > > 173      * ffa_get_version_hdlr() - FFA_VERSION handler function
> > > /drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
> > > 667      * invoke_ffa_fn() - SMC wrapper
> > > 668      * @args: FF-A ABI arguments to be copied to Xn registers
> > > 669      * @res: FF-A ABI return data to be copied from Xn registers
> > > 670      *
> > > 671      * Calls the emulated SMC call.
> > > 672      */
> > > >>>     CID 464359:    (PASS_BY_VALUE)
> > > >>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
> > > 673     void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
> > 
> > Same feedback as above.
> 
> Thanks.  I'll update the last 3 CIDs shortly.

Thanks Tom :)

Cheers,
Abdellatif


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-10-25 15:12     ` Abdellatif El Khlifi
@ 2023-10-25 15:15       ` Tom Rini
  2023-10-31 14:21         ` Abdellatif El Khlifi
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2023-10-25 15:15 UTC (permalink / raw)
  To: Abdellatif El Khlifi; +Cc: nd, u-boot, xueliang.zhong


On Wed, Oct 25, 2023 at 04:12:37PM +0100, Abdellatif El Khlifi wrote:
> Hi Tom,
> 
> > > > ________________________________________________________________________________________________________
> > > > *** CID 464361:  Control flow issues  (DEADCODE)
> > > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > > > 142
> > > > 143             if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > > > 144                     return -EINVAL;
> > > > 145
> > > > 146             abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > > > 147             if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > > > >>>     CID 464361:  Control flow issues  (DEADCODE)
> > > > >>>     Execution cannot reach this statement: "return -22;".
> > > > 148                     return -EINVAL;
> > > 
> > > This is a false positive.
> > > 
> > > abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
> > > 
> > > This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80
> > > 
> > > 	ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> > > 	ffa_print_error_log(0x80, ...); /* exceeding upper bound */
> > > 
> > > In these cases "return -EINVAL;" is executed.
> > 
> > So those invalid values aren't caught by the previous check that ffa_id
> > falls within FFA_FIRST_ID to FFA_LAST_ID ?
> 
> I had a closer look at that and I agree that the deadcode defect is legitimate.
> I already provided a fix [1].
> 
> [1]: https://lore.kernel.org/all/20231020131533.239591-1-abdellatif.elkhlifi@arm.com/

Ah thanks. I had seen that posted but not put that together with this
email and assumed it was addressing something you hadn't talked about
here because you agreed with it being an issue.  I will pick up the
above patch soon then.

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2023-10-25 15:15       ` Tom Rini
@ 2023-10-31 14:21         ` Abdellatif El Khlifi
  0 siblings, 0 replies; 105+ messages in thread
From: Abdellatif El Khlifi @ 2023-10-31 14:21 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, nd

Hi Tom,

> > > > > ________________________________________________________________________________________________________
> > > > > *** CID 464361:  Control flow issues  (DEADCODE)
> > > > > /drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
> > > > > 142
> > > > > 143             if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
> > > > > 144                     return -EINVAL;
> > > > > 145
> > > > > 146             abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
> > > > > 147             if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
> > > > > >>>     CID 464361:  Control flow issues  (DEADCODE)
> > > > > >>>     Execution cannot reach this statement: "return -22;".
> > > > > 148                     return -EINVAL;
> > > > 
> > > > This is a false positive.
> > > > 
> > > > abi_idx value could end up matching this condition "(abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)".
> > > > 
> > > > This happens when ffa_id value is above the allowed bounds. Example: when ffa_id is 0x50 or 0x80
> > > > 
> > > > 	ffa_print_error_log(0x50, ...); /* exceeding lower bound */
> > > > 	ffa_print_error_log(0x80, ...); /* exceeding upper bound */
> > > > 
> > > > In these cases "return -EINVAL;" is executed.
> > > 
> > > So those invalid values aren't caught by the previous check that ffa_id
> > > falls within FFA_FIRST_ID to FFA_LAST_ID ?
> > 
> > I had a closer look at that and I agree that the deadcode defect is legitimate.
> > I already provided a fix [1].
> > 
> > [1]: https://lore.kernel.org/all/20231020131533.239591-1-abdellatif.elkhlifi@arm.com/
> 
> Ah thanks. I had seen that posted but not put that together with this
> email and assumed it was addressing something you hadn't talked about
> here because you agreed with it being an issue.  I will pick up the
> above patch soon then.

Thank you very much.

Cheers,
Abdellatif



* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-08 17:45 Tom Rini
  2024-01-09  5:26 ` Sean Anderson
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-01-08 17:45 UTC (permalink / raw)
  To: u-boot, Francis Laniel, Sean Anderson


Hey all,

Now that I've merged next I've re-run Coverity to get a start on issues
that've been added since last run. The report isn't complete because of
the number of issues, sadly, but if someone is interested in a specific
area contact me off-list and I can provide access to the dashboard.

For the hush related issues, this would be a good chance to work with
upstream and then backport the changes I suspect.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 8, 2024 at 12:24 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

41 new defect(s) introduced to Das U-Boot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 41 defect(s)


** CID 477217:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5518 in parse_dollar()


________________________________________________________________________________________________________
*** CID 477217:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5518 in parse_dollar()
5512                                            break;
5513                                    if (--cnt == 0)
5514                                            goto bad_dollar_syntax;
5515                                    if (len_single_ch != '#' && strchr(VAR_SUBST_OPS, ch))
5516                                            /* ${NN<op>...} is valid */
5517                                            goto eat_until_closing;
>>>     CID 477217:  Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "ch" as an index to array "_ctype".
5518                                    if (!isdigit(ch))
5519                                            goto bad_dollar_syntax;
5520                            }
5521                    } else
5522                    while (1) {
5523                            unsigned pos;

** CID 477216:    (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
/drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()


________________________________________________________________________________________________________
*** CID 477216:    (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
3915
3916            /*
3917             * pages_per_block and blocks_per_lun may not be a power-of-2 size
3918             * (don't ask me who thought of this...). MTD assumes that these
3919             * dimensions will be power-of-2, so just truncate the remaining area.
3920             */
>>>     CID 477216:    (BAD_SHIFT)
>>>     In expression "1 << generic_fls((__u32)(__le32)p->pages_per_block) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_fls((__u32)(__le32)p->pages_per_block) - 1", is -1.
3921            mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
3922            mtd->erasesize *= mtd->writesize;
3923
3924            mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
3925
3926            /* See erasesize comment */
/drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()
3921            mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
3922            mtd->erasesize *= mtd->writesize;
3923
3924            mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
3925
3926            /* See erasesize comment */
>>>     CID 477216:    (BAD_SHIFT)
>>>     In expression "1 << generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", is -1.
3927            chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
3928            chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
3929            chip->bits_per_cell = p->bits_per_cell;
3930
3931            if (onfi_feature(chip) & ONFI_FEATURE_16_BIT_BUS)
3932                    chip->options |= NAND_BUSWIDTH_16;

** CID 477215:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()


________________________________________________________________________________________________________
*** CID 477215:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
4972                            pr_warn("No ECC functions supplied; hardware ECC not possible\n");
4973                            BUG();
4974                    }
4975                    if (!ecc->read_page)
4976                            ecc->read_page = nand_read_page_hwecc_oob_first;
4977
>>>     CID 477215:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "NAND_ECC_HW" is not terminated by a "break" statement.
4978            case NAND_ECC_HW:
4979                    /* Use standard hwecc read page function? */
4980                    if (!ecc->read_page)
4981                            ecc->read_page = nand_read_page_hwecc;
4982                    if (!ecc->write_page)
4983                            ecc->write_page = nand_write_page_hwecc;

** CID 477214:  Integer handling issues  (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()


________________________________________________________________________________________________________
*** CID 477214:  Integer handling issues  (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
4391
4392            nand_decode_bbm_options(mtd, chip);
4393
4394            /* Calculate the address shift from the page size */
4395            chip->page_shift = ffs(mtd->writesize) - 1;
4396            /* Convert chipsize to number of pages per chip -1 */
>>>     CID 477214:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "chip->chipsize >> chip->page_shift", shifting by a negative amount has undefined behavior.  The shift amount, "chip->page_shift", is -1.
4397            chip->pagemask = (chip->chipsize >> chip->page_shift) - 1;
4398
4399            chip->bbt_erase_shift = chip->phys_erase_shift =
4400                    ffs(mtd->erasesize) - 1;
4401            if (chip->chipsize & 0xffffffff)
4402                    chip->chip_shift = ffs((unsigned)chip->chipsize) - 1;

** CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in dm_test_nand()


________________________________________________________________________________________________________
*** CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in dm_test_nand()
61      ops.ooblen = mtd->oobsize;
62      ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63      ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65      /* Generate some data and write it */
66      for (i = 0; i < size / sizeof(int); i++)
>>>     CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67              gold[i] = rand();
68      ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69                                      (void *)gold, 0));
70      ut_asserteq(size, length);
71
72      /* Verify */

** CID 477212:  Incorrect expression  (SIZEOF_MISMATCH)
/lib/smbios.c: 595 in write_smbios_table()


________________________________________________________________________________________________________
*** CID 477212:  Incorrect expression  (SIZEOF_MISMATCH)
/lib/smbios.c: 595 in write_smbios_table()
589              * sandbox's DRAM buffer.
590              */
591             table_addr = (ulong)map_sysmem(tables, 0);
592
593             /* now go back and write the SMBIOS3 header */
594             se = map_sysmem(start_addr, sizeof(struct smbios_entry));
>>>     CID 477212:  Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "se" of type "struct smbios3_entry *" and argument "31UL" ("sizeof (struct smbios_entry)") to function "memset" is suspicious because a multiple of "sizeof (struct smbios3_entry) /*24*/" is expected.
595             memset(se, '\0', sizeof(struct smbios_entry));
596             memcpy(se->anchor, "_SM3_", 5);
597             se->length = sizeof(struct smbios3_entry);
598             se->major_ver = SMBIOS_MAJOR_VER;
599             se->minor_ver = SMBIOS_MINOR_VER;
600             se->doc_rev = 0;

** CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
/drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()


________________________________________________________________________________________________________
*** CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
/drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
1127
1128            /* Prevent the bbt regions from erasing / writing */
1129            mark_bbt_region(mtd, td);
1130            if (md)
1131                    mark_bbt_region(mtd, md);
1132
>>>     CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
>>>     Calling "vfree" frees "buf" using "vfree" but it should have been freed using "kfree". [Note: The source code implementation of the function has been overridden by a builtin model.]
1133            vfree(buf);
1134            return 0;
1135
1136     err:
1137            kfree(this->bbt);
1138            this->bbt = NULL;

** CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
/drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()


________________________________________________________________________________________________________
*** CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
/drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
193             chip->tmp_dirty = true;
194             for (i = 0; i < chip->err_steps; i++) {
195                     u32 bit_errors = chip->err_count;
196                     unsigned int j = chip->err_step_bits + chip->ecc_bits;
197
198                     while (bit_errors) {
>>>     CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
199                             unsigned int u = rand();
200                             float quot = 1ULL << 32;
201
202                             do {
203                                     quot *= j - bit_errors;
204                                     quot /= j;

** CID 477209:  Memory - illegal accesses  (STRING_NULL)


________________________________________________________________________________________________________
*** CID 477209:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 4434 in reserved_word()
4428                            str = old->as_string.data + len;
4429                            if (str > old->as_string.data)
4430                                    str--; /* skip whitespace after keyword */
4431                            while (str > old->as_string.data && isalpha(str[-1]))
4432                                    str--;
4433                            /* Ugh, we're done with this horrid hack */
>>>     CID 477209:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "str" to "sandbox_strdup", which expects a null-terminated string.
4434                            old->command->group_as_string = xstrdup(str);
4435                            debug_printf_parse("pop, remembering as:'%s'\n",
4436                                            old->command->group_as_string);
4437                    }
4438     # endif
4439                    *ctx = *old;   /* physical copy */

** CID 477208:  Memory - illegal accesses  (STRING_NULL)


________________________________________________________________________________________________________
*** CID 477208:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 7660 in expand_variables()
7654            output.o_expflags = expflags;
7655
7656            n = 0;
7657            for (;;) {
7658                    /* go to next list[n] */
7659                    output.ended_in_ifs = 0;
>>>     CID 477208:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "output.data" to "o_save_ptr", which expects a null-terminated string.
7660                    n = o_save_ptr(&output, n);
7661
7662                    if (!*argv)
7663                            break;
7664
7665                    /* expand argv[i] */

** CID 477207:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()


________________________________________________________________________________________________________
*** CID 477207:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
4963            /*
4964             * Check ECC mode, default to software if
3byte/512byte hardware ECC is
4965             * selected and we have 256 byte pagesize fallback to
software ECC
4966             */
4967
4968            switch (ecc->mode) {
>>>     CID 477207:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "NAND_ECC_HW_OOB_FIRST" is not terminated by a "break" statement.
4969            case NAND_ECC_HW_OOB_FIRST:
4970                    /* Similar to NAND_ECC_HW, but a separate read_page handle */
4971                    if (!ecc->calculate || !ecc->correct || !ecc->hwctl) {
4972                            pr_warn("No ECC functions supplied; hardware ECC not possible\n");
4973                            BUG();
4974                    }

** CID 477206:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5544 in parse_dollar()


________________________________________________________________________________________________________
*** CID 477206:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5544 in parse_dollar()
5538                             * So, we need to authorize # to appear inside
5539                             * variable name and then expand this variable.
5540                             * NOTE Having # in variable name is not permitted in
5541                             * upstream hush but expansion will be done (even though
5542                             * the result will be empty).
5543                             */
>>>     CID 477206:  Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "ch" as an index to array "_ctype".
5544                            if (!isalnum(ch) && ch != '_' && ch != '#') {
5545     #endif /* __U_BOOT__ */
5546                                    unsigned end_ch;
5547     #ifndef __U_BOOT__
5548                                    unsigned char last_ch;
5549     #endif /* !__U_BOOT__ */

** CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 88 in mtd_dump_device_buf()


________________________________________________________________________________________________________
*** CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 88 in mtd_dump_device_buf()
82                      printf("\nDump %d data bytes from 0x%08llx:\n",
83                             mtd->writesize, start_off + data_off);
84                      mtd_dump_buf(&buf[data_off],
85                                   mtd->writesize, start_off + data_off);
86
87                      if (woob) {
>>>     CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "page * mtd->oobsize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
88                              u64 oob_off = page * mtd->oobsize;
89
90                              printf("Dump %d OOB bytes from page at 0x%08llx:\n",
91                                     mtd->oobsize, start_off + data_off);
92                              mtd_dump_buf(&buf[len + oob_off],
93                                           mtd->oobsize, 0);

** CID 477204:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 10553 in run_list()


________________________________________________________________________________________________________
*** CID 477204:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 10553 in run_list()
10547                           /* We cannot use xasprintf, so we emulate it. */
10548                           char *full_var;
10549                           char *var = pi->cmds[0].argv[0];
10550                           char *val = *for_lcur++;
10551
10552                           /* + 1 to take into account =. */
>>>     CID 477204:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "val" to "strlen", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
10553                           full_var = xmalloc(strlen(var) + strlen(val) + 1);
10554                           sprintf(full_var, "%s=%s", var, val);
10555
10556                           set_local_var_modern(full_var, /*flag:*/ 0);
10557     #endif /* __U_BOOT__ */
10558                           continue;

** CID 477203:    (UNINIT)
/boot/bootm.c: 705 in bootm_load_os()
/boot/bootm.c: 713 in bootm_load_os()


________________________________________________________________________________________________________
*** CID 477203:    (UNINIT)
/boot/bootm.c: 705 in bootm_load_os()
699                             printf("Failed to prep arm64 kernel (err=%d)\n", ret);
700                             return BOOTM_ERR_RESET;
701                     }
702
703                     /* Handle BOOTM_STATE_LOADOS */
704                     if (relocated_addr != load) {
>>>     CID 477203:    (UNINIT)
>>>     Using uninitialized value "image_size".
705                             printf("Moving Image from 0x%lx to 0x%lx, end=%lx\n",
706                                    load, relocated_addr,
707                                    relocated_addr + image_size);
708                             memmove((void *)relocated_addr, load_buf, image_size);
709                     }
710
/boot/bootm.c: 713 in bootm_load_os()
707                                    relocated_addr + image_size);
708                             memmove((void *)relocated_addr, load_buf, image_size);
709                     }
710
711                     images->ep = relocated_addr;
712                     images->os.start = relocated_addr;
>>>     CID 477203:    (UNINIT)
>>>     Using uninitialized value "image_size".
713                     images->os.end = relocated_addr + image_size;
714             }
715
716             lmb_reserve(&images->lmb, images->os.load, (load_end -
717                                                         images->os.load));
718             return 0;

** CID 477202:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 477202:  Null pointer dereferences  (FORWARD_NULL)
/common/cli_hush_upstream.c: 4425 in reserved_word()
4419                     * with "if " remaining in old->as_string!
4420                     */
4421                    {
4422                            char *str;
4423                            int len = old->as_string.length;
4424                            /* Concatenate halves */
>>>     CID 477202:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "ctx->as_string.data" to "o_addstr", which dereferences it.
4425                            o_addstr(&old->as_string, ctx->as_string.data);
4426                            o_free(&ctx->as_string);
4427                            /* Find where leading keyword starts in first half */
4428                            str = old->as_string.data + len;
4429                            if (str > old->as_string.data)
4430                                    str--; /* skip whitespace after keyword */

** CID 477201:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 80 in mtd_dump_device_buf()


________________________________________________________________________________________________________
*** CID 477201:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 80 in mtd_dump_device_buf()
74              mtd->type == MTD_MLCNANDFLASH;
75      int npages = mtd_len_to_pages(mtd, len);
76      uint page;
77
78      if (has_pages) {
79              for (page = 0; page < npages; page++) {
>>>     CID 477201:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "page * mtd->writesize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
80                      u64 data_off = page * mtd->writesize;
81
82                      printf("\nDump %d data bytes from 0x%08llx:\n",
83                             mtd->writesize, start_off + data_off);
84                      mtd_dump_buf(&buf[data_off],
85                                   mtd->writesize, start_off + data_off);

** CID 477200:  Security best practices violations  (STRING_OVERFLOW)
/boot/bootm.c: 499 in bootm_find_images()


________________________________________________________________________________________________________
*** CID 477200:  Security best practices violations  (STRING_OVERFLOW)
/boot/bootm.c: 499 in bootm_find_images()
493             int ret;
494
495             if (IS_ENABLED(CONFIG_ANDROID_BOOT_IMAGE)) {
496                     /* Look for an Android boot image */
497                     buf = map_sysmem(images.os.start, 0);
498                     if (buf && genimg_get_format(buf) == IMAGE_FORMAT_ANDROID) {
>>>     CID 477200:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 17-character fixed-size string "addr_str" by copying the return value of "simple_xtoa" without checking the length.
499                             strcpy(addr_str, simple_xtoa(img_addr));
500                             select = addr_str;
501                     }
502             }
503
504             if (conf_ramdisk)

** CID 477199:    (STRING_NULL)


________________________________________________________________________________________________________
*** CID 477199:    (STRING_NULL)
/common/cli_hush_upstream.c: 10315 in run_pipe()
10309                   if (cmd_no < pi->num_cmds)
10310                           close(pipefds.wr);
10311                   /* Pass read (output) pipe end to next iteration */
10312                   next_infd = pipefds.rd;
10313     #else /* __U_BOOT__ */
10314                   /* Process the command */
>>>     CID 477199:    (STRING_NULL)
>>>     Passing unterminated string "*command->argv" to "cmd_process", which expects a null-terminated string.
10315                   rcode = cmd_process(G.do_repeat ? CMD_FLAG_REPEAT : 0,
10316                                       command->argc, command->argv,
10317                                       &(G.flag_repeat), NULL);
10318
10319                   if (argv_expanded) {
10320                           /*
/common/cli_hush_upstream.c: 9984 in run_pipe()
9978                                    }
9979     #endif
9980                                    debug_printf_env("set shell var:'%s'->'%s'\n", *argv, p);
9981     #ifndef __U_BOOT__
9982                                    if (set_local_var0(p)) {
9983     #else /* __U_BOOT__ */
>>>     CID 477199:    (STRING_NULL)
>>>     Passing unterminated string "p" to "set_local_var_modern", which expects a null-terminated string.
9984                                    if (set_local_var_modern(p, /*flag:*/ 0)) {
9985     #endif
9986                                            /* assignment to readonly var / putenv error? */
9987                                            rcode = 1;
9988                                    }
9989                                    i++;

** CID 477198:  Control flow issues  (DEADCODE)
/cmd/bootflow.c: 547 in do_bootflow_cmdline()


________________________________________________________________________________________________________
*** CID 477198:  Control flow issues  (DEADCODE)
/cmd/bootflow.c: 547 in do_bootflow_cmdline()
541             }
542
543             op = argv[1];
544             arg = argv[2];
545             if (*op == 's') {
546                     if (argc < 3)
>>>     CID 477198:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return CMD_RET_USAGE;".
547                             return CMD_RET_USAGE;
548                     val = argv[3] ?: (const char *)BOOTFLOWCL_EMPTY;
549             }
550
551             switch (*op) {
552             case 'c':       /* clear */


-- 
Tom


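The two integer-handling classes in the report above (BAD_SHIFT in CID 477216/477214 and OVERFLOW_BEFORE_WIDEN in CID 477201/477205) are worth seeing side by side with a guarded form, because in nand_flash_detect_onfi() the shifted values come from the ONFI parameter page, i.e. from the flash chip itself, and a chip (or a test double such as sand_nand) reporting a zero field turns `1 << (fls(x) - 1)` into a shift by -1. The block below is an added example, not U-Boot code: `fls_local()` is a stand-in for the kernel-style generic_fls(), and the field names follow the report while the functions, their signatures and the sample geometry values are assumptions made for illustration.

```c
/*
 * Added example (not U-Boot code) for the Coverity classes quoted above:
 *
 *  - CID 477216/477214: "1 << (fls(x) - 1)" rounds x down to a power of
 *    two, but fls(0) == 0, so x == 0 shifts by -1 (undefined behaviour).
 *    x is read from the ONFI parameter page, so it is device-controlled
 *    input and a zero field must be rejected, not shifted.
 *  - CID 477201/477205: "u64 off = page * mtd->writesize" multiplies two
 *    32-bit values in 32-bit arithmetic and widens the wrapped result.
 *
 * fls_local() stands in for generic_fls(); all other names are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Find-last-set: 1-based index of the highest set bit, 0 for x == 0. */
int fls_local(uint32_t x)
{
	int r = 0;

	while (x) {
		x >>= 1;
		r++;
	}
	return r;
}

/* The flagged pattern as written: shift count is -1 when x == 0. */
uint32_t pow2_floor_unguarded(uint32_t x)
{
	return 1u << (fls_local(x) - 1);	/* do not call with x == 0 */
}

/* Guarded form: reject zero instead of shifting by a negative amount. */
int pow2_floor(uint32_t x, uint32_t *out)
{
	if (!x)
		return -EINVAL;
	*out = 1u << (fls_local(x) - 1);
	return 0;
}

/*
 * Geometry derivation modelled on nand_flash_detect_onfi()/nand_detect():
 * every input comes from the parameter page, so each is validated first.
 * Fills erasesize/chipsize and returns 0, or returns -EINVAL.
 */
int onfi_geometry(uint32_t pages_per_block, uint32_t blocks_per_lun,
		  uint8_t lun_count, uint32_t writesize,
		  uint32_t *erasesize, uint64_t *chipsize)
{
	uint32_t ppb, bpl;

	if (!writesize || !lun_count)	/* writesize 0 is CID 477214's case */
		return -EINVAL;
	if (pow2_floor(pages_per_block, &ppb) || pow2_floor(blocks_per_lun, &bpl))
		return -EINVAL;

	*erasesize = ppb * writesize;
	*chipsize = (uint64_t)bpl * *erasesize * lun_count;
	return 0;
}

/* CID 477201/477205 as written: the product wraps before it is widened. */
uint64_t page_offset_unguarded(unsigned int page, uint32_t writesize)
{
	uint64_t off = page * writesize;

	return off;
}

/* Fixed: widen one operand first so the multiply happens in 64 bits. */
uint64_t page_offset(unsigned int page, uint32_t writesize)
{
	return (uint64_t)page * writesize;
}

int main(void)
{
	uint32_t es;
	uint64_t cs;

	/* constructed ONFI values: 64 pages/block, 2 KiB pages, 2048 blocks */
	if (!onfi_geometry(64, 2048, 1, 2048, &es, &cs))
		printf("erasesize=%u chipsize=%llu\n", es, (unsigned long long)cs);
	printf("zero pages_per_block -> %d\n",
	       onfi_geometry(0, 2048, 1, 2048, &es, &cs));
	printf("wrapped=%llu widened=%llu\n",
	       (unsigned long long)page_offset_unguarded(0x10000, 0x10000),
	       (unsigned long long)page_offset(0x10000, 0x10000));
	return 0;
}
```

The 64 KiB page times 64 Ki pages case is deliberately the smallest product that no longer fits in 32 bits: the unguarded offset comes back as 0, so a dump would silently re-read the start of the buffer instead of the intended page.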

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-01-08 17:45 Tom Rini
@ 2024-01-09  5:26 ` Sean Anderson
  2024-01-09 22:18   ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Sean Anderson @ 2024-01-09  5:26 UTC (permalink / raw)
  To: Tom Rini, u-boot, Francis Laniel; +Cc: Michael Trimarchi, Dario Binacchi

Comments on NAND stuff only.

On 1/8/24 12:45, Tom Rini wrote:
> ________________________________________________________________________________________________________
> *** CID 477216:    (BAD_SHIFT)
> /drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
> 3915
> 3916            /*
> 3917             * pages_per_block and blocks_per_lun may not be a power-of-2 size
> 3918             * (don't ask me who thought of this...). MTD assumes that these
> 3919             * dimensions will be power-of-2, so just truncate the remaining area.
> 3920             */
>>>>      CID 477216:    (BAD_SHIFT)
>>>>      In expression "1 << generic_fls((__u32)(__le32)p->pages_per_block) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_fls((__u32)(__le32)p->pages_per_block) - 1", is -1.
> 3921            mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
> 3922            mtd->erasesize *= mtd->writesize;
> 3923
> 3924            mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
> 3925
> 3926            /* See erasesize comment */
> /drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()
> 3921            mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
> 3922            mtd->erasesize *= mtd->writesize;
> 3923
> 3924            mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
> 3925
> 3926            /* See erasesize comment */
>>>>      CID 477216:    (BAD_SHIFT)
>>>>      In expression "1 << generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", is -1.
> 3927            chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
> 3928            chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
> 3929            chip->bits_per_cell = p->bits_per_cell;
> 3930
> 3931            if (onfi_feature(chip) & ONFI_FEATURE_16_BIT_BUS)
> 3932                    chip->options |= NAND_BUSWIDTH_16;

Yeah, this looks like a bug.

> ** CID 477215:  Control flow issues  (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 477215:  Control flow issues  (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
> 4972                            pr_warn("No ECC functions supplied; hardware ECC not possible\n");
> 4973                            BUG();
> 4974                    }
> 4975                    if (!ecc->read_page)
> 4976                            ecc->read_page = nand_read_page_hwecc_oob_first;
> 4977
>>>>      CID 477215:  Control flow issues  (MISSING_BREAK)
>>>>      The case for value "NAND_ECC_HW" is not terminated by a "break" statement.
> 4978            case NAND_ECC_HW:
> 4979                    /* Use standard hwecc read page function? */
> 4980                    if (!ecc->read_page)
> 4981                            ecc->read_page = nand_read_page_hwecc;
> 4982                    if (!ecc->write_page)
> 4983                            ecc->write_page = nand_write_page_hwecc;

I think we just need a fallthrough comment here.

> ** CID 477214:  Integer handling issues  (BAD_SHIFT)
> /drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 477214:  Integer handling issues  (BAD_SHIFT)
> /drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
> 4391
> 4392            nand_decode_bbm_options(mtd, chip);
> 4393
> 4394            /* Calculate the address shift from the page size */
> 4395            chip->page_shift = ffs(mtd->writesize) - 1;
> 4396            /* Convert chipsize to number of pages per chip -1 */
>>>>      CID 477214:  Integer handling issues  (BAD_SHIFT)
>>>>      In expression "chip->chipsize >> chip->page_shift", shifting by a negative amount has undefined behavior.  The shift amount, "chip->page_shift", is -1.
> 4397            chip->pagemask = (chip->chipsize >> chip->page_shift) - 1;
> 4398
> 4399            chip->bbt_erase_shift = chip->phys_erase_shift =
> 4400                    ffs(mtd->erasesize) - 1;
> 4401            if (chip->chipsize & 0xffffffff)
> 4402                    chip->chip_shift = ffs((unsigned)chip->chipsize) - 1;

Buggy, but only when writesize is 0 (which is a bigger bug in the nand chip).

> ** CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
> /test/dm/nand.c: 67 in dm_test_nand()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
> /test/dm/nand.c: 67 in dm_test_nand()
> 61      ops.ooblen = mtd->oobsize;
> 62      ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
> 63      ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
> 64
> 65      /* Generate some data and write it */
> 66      for (i = 0; i < size / sizeof(int); i++)
>>>>      CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 67              gold[i] = rand();
> 68      ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
> 69                                      (void *)gold, 0));
> 70      ut_asserteq(size, length);
> 71
> 72      /* Verify */

Not a bug.

> ** CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
> /drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
> /drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
> 1127
> 1128            /* Prevent the bbt regions from erasing / writing */
> 1129            mark_bbt_region(mtd, td);
> 1130            if (md)
> 1131                    mark_bbt_region(mtd, md);
> 1132
>>>>      CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
>>>>      Calling "vfree" frees "buf" using "vfree" but it should have been freed using "kfree". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 1133            vfree(buf);
> 1134            return 0;
> 1135
> 1136     err:
> 1137            kfree(this->bbt);
> 1138            this->bbt = NULL;

Not a bug, since these both call free().

> ** CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
> /drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
> /drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
> 193             chip->tmp_dirty = true;
> 194             for (i = 0; i < chip->err_steps; i++) {
> 195                     u32 bit_errors = chip->err_count;
> 196                     unsigned int j = chip->err_step_bits + chip->ecc_bits;
> 197
> 198                     while (bit_errors) {
>>>>      CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
> 199                             unsigned int u = rand();
> 200                             float quot = 1ULL << 32;
> 201
> 202                             do {
> 203                                     quot *= j - bit_errors;
> 204                                     quot /= j;

Not a bug.

> ** CID 477207:  Control flow issues  (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 477207:  Control flow issues  (MISSING_BREAK)
> /drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
> 4963            /*
> 4964             * Check ECC mode, default to software if
> 3byte/512byte hardware ECC is
> 4965             * selected and we have 256 byte pagesize fallback to
> software ECC
> 4966             */
> 4967
> 4968            switch (ecc->mode) {
>>>>      CID 477207:  Control flow issues  (MISSING_BREAK)
>>>>      The case for value "NAND_ECC_HW_OOB_FIRST" is not terminated by a "break" statement.
> 4969            case NAND_ECC_HW_OOB_FIRST:
> 4970                    /* Similar to NAND_ECC_HW, but a separate
> read_page handle */
> 4971                    if (!ecc->calculate || !ecc->correct || !ecc->hwctl) {
> 4972                            pr_warn("No ECC functions supplied;
> hardware ECC not possible\n");
> 4973                            BUG();
> 4974                    }

need a fallthrough comment

> ** CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /cmd/mtd.c: 88 in mtd_dump_device_buf()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /cmd/mtd.c: 88 in mtd_dump_device_buf()
> 82                      printf("\nDump %d data bytes from 0x%08llx:\n",
> 83                             mtd->writesize, start_off + data_off);
> 84                      mtd_dump_buf(&buf[data_off],
> 85                                   mtd->writesize, start_off + data_off);
> 86
> 87                      if (woob) {
>>>>      CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>>      Potentially overflowing expression "page * mtd->oobsize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
> 88                              u64 oob_off = page * mtd->oobsize;
> 89
> 90                              printf("Dump %d OOB bytes from page at
> 0x%08llx:\n",
> 91                                     mtd->oobsize, start_off + data_off);
> 92                              mtd_dump_buf(&buf[len + oob_off],
> 93                                           mtd->oobsize, 0);

In the Linux MTD list [1], the largest this can be is 0xe0000000 for MT29F512G08CUCAB. That's worryingly
close to overflow, so I'd say this is a bug.

--Sean

[1] http://linux-mtd.infradead.org/nand-data/nanddata.html

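
Both of the reports Sean judged real come down to arithmetic on values read straight from the chip: the fls()-based rounding turns a zero ONFI field into a shift by -1, and the OOB offset is multiplied in 32 bits before it is widened. This added example (not U-Boot code; fls32 and the other function names are stand-ins for the functions named in the report, and the geometry values are constructed) shows each flagged shape next to a guarded form.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;	/* same widths as U-Boot's u32/u64 */
typedef uint64_t u64;

/*
 * Stand-in for the generic fls() Coverity refers to: 1-based index of the
 * highest set bit, and 0 when no bit is set. That 0 is the case both
 * BAD_SHIFT reports are about.
 */
int fls32(u32 x)
{
	int r = 0;

	while (x) {
		r++;
		x >>= 1;
	}
	return r;
}

/*
 * Shape of the flagged lines 3921/3927: round x down to a power of two.
 * For x == 0 the shift amount is fls32(0) - 1 == -1, which is undefined,
 * so this must never be reached with a zero ONFI field.
 */
u32 pow2_floor_unchecked(u32 x)
{
	return 1u << (fls32(x) - 1);
}

/* Guarded variant: a zero field yields 0 so the caller can reject it. */
u32 pow2_floor(u32 x)
{
	return x ? 1u << (fls32(x) - 1) : 0;
}

/*
 * Erase-block size derived the way nand_flash_detect_onfi() does it, with
 * the guard added: a parameter page claiming 0 pages per block (or a 0
 * page size) is reported as 0 instead of feeding an undefined shift.
 */
u64 onfi_erasesize(u32 pages_per_block, u32 writesize)
{
	u32 ppb = pow2_floor(pages_per_block);

	if (!ppb || !writesize)
		return 0;
	return (u64)ppb * writesize;
}

/*
 * OOB offset as mtd_dump_device_buf() line 88 computes it: both operands
 * are 32-bit, so the product wraps before it is widened to u64.
 */
u64 oob_off_narrow(u32 page, u32 oobsize)
{
	u64 oob_off = page * oobsize;	/* modular 32-bit product */

	return oob_off;
}

/* Fixed form: widening one operand first makes the multiply 64-bit. */
u64 oob_off_wide(u32 page, u32 oobsize)
{
	return (u64)page * oobsize;
}

int main(void)
{
	/* Constructed values chosen so the product lands on the 0xe0000000
	 * Sean cites; they are not any real device's geometry. */
	u32 page = 0x1000000, oobsize = 0xe0;

	printf("erasesize(64 pages, 2048 B) = %llu\n",
	       (unsigned long long)onfi_erasesize(64, 2048));
	printf("erasesize(0 pages, 2048 B)  = %llu\n",
	       (unsigned long long)onfi_erasesize(0, 2048));
	printf("narrow 0x%x * 0x%x = 0x%llx\n", page, oobsize,
	       (unsigned long long)oob_off_narrow(page, oobsize));
	/* with 256 OOB bytes per page the 32-bit product wraps to 0 */
	printf("narrow 0x%x * 0x%x = 0x%llx, wide = 0x%llx\n", page, 0x100,
	       (unsigned long long)oob_off_narrow(page, 0x100),
	       (unsigned long long)oob_off_wide(page, 0x100));
	return 0;
}
```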

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-01-09  5:26 ` Sean Anderson
@ 2024-01-09 22:18   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-01-09 22:18 UTC (permalink / raw)
  To: Sean Anderson; +Cc: u-boot, Francis Laniel, Michael Trimarchi, Dario Binacchi


On Tue, Jan 09, 2024 at 12:26:13AM -0500, Sean Anderson wrote:
> Comments on NAND stuff only.
> 
> On 1/8/24 12:45, Tom Rini wrote:
> > ________________________________________________________________________________________________________
> > *** CID 477216:    (BAD_SHIFT)
> > /drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
> > 3915
> > 3916            /*
> > 3917             * pages_per_block and blocks_per_lun may not be a
> > power-of-2 size
> > 3918             * (don't ask me who thought of this...). MTD assumes that these
> > 3919             * dimensions will be power-of-2, so just truncate the
> > remaining area.
> > 3920             */
> [...]

Thanks, I've updated the not a bug ones in the dashboard.

-- 
Tom



* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-18 14:35 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-01-18 14:35 UTC (permalink / raw)
  To: u-boot, Ilias Apalodimas, Heinrich Schuchardt


Here's the current set of new issues since I last ran Coverity.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Jan 18, 2024 at 9:20 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 478334:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 478334:  Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 534 in eficonfig_create_device_path()
528             p += fp_size;
529             *((struct efi_device_path *)p) = END;
530
531             dp = efi_dp_shorten(dp_volume);
532             if (!dp)
533                     dp = dp_volume;
>>>     CID 478334:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type efi_device_path of 4 bytes by passing it to a function which accesses it at byte offset 5 using argument "fp->dp.length" (which evaluates to 6).
534             dp = efi_dp_concat(dp, &fp->dp, false);
535             free(buf);
536
537             return dp;
538     }
539

** CID 478333:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()


________________________________________________________________________________________________________
*** CID 478333:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()
407             /*
408              * GetVariable may fail, EFI_NOT_FOUND is returned if FmpState
409              * variable has not been set yet.
410              * Ignore the error here since the correct FmpState variable
411              * is set later.
412              */
>>>     CID 478333:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "efi_get_variable_int" without checking return value (as is done elsewhere 29 out of 33 times).
413             efi_get_variable_int(varname, image_type_id, NULL,
&size, var_state,
414                                  NULL);
415
416             /*
417              * Only the fw_version is set here.
418              * lowest_supported_version in FmpState variable is
ignored since



-- 
Tom



* Fwd: New Defects reported by Coverity Scan for Das U-Boot
       [not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
@ 2024-01-19  8:47 ` Heinrich Schuchardt
  0 siblings, 0 replies; 105+ messages in thread
From: Heinrich Schuchardt @ 2024-01-19  8:47 UTC (permalink / raw)
  To: Masahisa Kojima; +Cc: U-Boot Mailing List, Ilias Apalodimas



________________________________________________________________________________________________________
*** CID 478333:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()
407     	/*
408     	 * GetVariable may fail, EFI_NOT_FOUND is returned if FmpState
409     	 * variable has not been set yet.
410     	 * Ignore the error here since the correct FmpState variable
411     	 * is set later.
412     	 */
>>>     CID 478333:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "efi_get_variable_int" without checking return value (as is done elsewhere 29 out of 33 times).
413     	efi_get_variable_int(varname, image_type_id, NULL, &size,
var_state,
414     			     NULL);
415
416     	/*
417     	 * Only the fw_version is set here.
418     	 * lowest_supported_version in FmpState variable is ignored since

There are a lot of different return values that may occur when calling
efi_get_variable_int, e.g.

* EFI_BUFFER_TOO_SMALL
* EFI_DEVICE_ERROR

Should we overwrite the variable in these cases with NUL values except
for var_state[update_bank].fw_version?

Best regards

Heinrich


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-22 23:30 Tom Rini
  2024-01-23  8:15 ` Hugo Cornelis
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-01-22 23:30 UTC (permalink / raw)
  To: u-boot, Hugo Cornelis


Hey all,

Here's the latest Coverity scan report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 22, 2024 at 6:26 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 478860:  Code maintainability issues  (UNUSED_VALUE)
/tools/image-host.c: 359 in fit_image_read_key_iv_data()


________________________________________________________________________________________________________
*** CID 478860:  Code maintainability issues  (UNUSED_VALUE)
/tools/image-host.c: 359 in fit_image_read_key_iv_data()
353             if (ret >= sizeof(filename)) {
354                     printf("Can't format the key or IV filename
when setting up the cipher: insufficient buffer space\n");
355                     ret = -1;
356             }
357             if (ret < 0) {
358                     printf("Can't format the key or IV filename
when setting up the cipher: snprintf error\n");
>>>     CID 478860:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "-1" to "ret" here, but that stored value is overwritten before it can be used.
359                     ret = -1;
360             }
361
362             ret = fit_image_read_data(filename, key_iv_data, expected_size);
363
364             return ret;


----- End forwarded message -----

-- 
Tom


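
The UNUSED_VALUE report above is a control-flow problem rather than a cosmetic one: both `ret = -1` stores are overwritten by the fit_image_read_data() call, so a truncated or unformatted filename is still handed to the read. As an added example (not the tools/image-host.c code and not Hugo's patch), fake_read_data() is a hypothetical stand-in that only records the requested path, and the two functions contrast the flagged flow with an early return.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for fit_image_read_data(): records the path it
 * was asked for so the control flow can be checked without any file I/O.
 */
static char last_read_path[64];

int fake_read_data(const char *filename)
{
	snprintf(last_read_path, sizeof(last_read_path), "%s", filename);
	return 0;
}

/*
 * The flow Coverity flagged: both error branches store -1 into ret, then
 * the read overwrites it, so the function proceeds with a truncated name.
 */
int read_key_iv_flagged(const char *dir, const char *name)
{
	char filename[32];
	int ret;

	ret = snprintf(filename, sizeof(filename), "%s/%s", dir, name);
	if (ret >= (int)sizeof(filename))
		ret = -1;		/* dead store */
	if (ret < 0)
		ret = -1;		/* dead store */

	ret = fake_read_data(filename);	/* runs even when formatting failed */

	return ret;
}

/*
 * Fixed flow: each formatting failure returns before anything is read,
 * so a truncated key or IV path is never opened.
 */
int read_key_iv_fixed(const char *dir, const char *name)
{
	char filename[32];
	int ret;

	ret = snprintf(filename, sizeof(filename), "%s/%s", dir, name);
	if (ret < 0) {
		fprintf(stderr, "Can't format the key or IV filename when setting up the cipher: snprintf error\n");
		return -1;
	}
	if ((size_t)ret >= sizeof(filename)) {
		fprintf(stderr, "Can't format the key or IV filename when setting up the cipher: insufficient buffer space\n");
		return -1;
	}

	return fake_read_data(filename);
}

int main(void)
{
	/* constructed name, long enough to overflow the 32-byte buffer */
	const char *longname = "a-very-long-key-name-that-does-not-fit.bin";

	printf("flagged: %d (read \"%s\")\n",
	       read_key_iv_flagged("keys", longname), last_read_path);
	printf("fixed:   %d\n", read_key_iv_fixed("keys", longname));
	return 0;
}
```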

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-22 23:52 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-01-22 23:52 UTC (permalink / raw)
  To: u-boot


I've now updated to the latest Coverity scan tool and that eliminated
some previous defects and found two new ones:

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 22, 2024 at 6:42 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
8 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 478862:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 478862:  Memory - corruptions  (OVERRUN)
/lib/initcall.c: 82 in initcall_run_list()
76      if (ret) {
77              if (CONFIG_IS_ENABLED(EVENT)) {
78                      char buf[60];
79
80                      /* don't worry about buf size as we are dying here */
81                      if (type) {
>>>     CID 478862:  Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 15 by passing argument "type" (which evaluates to 255) in call to "event_type_name".
82                              sprintf(buf, "event %d/%s", type,
83                                      event_type_name(type));
84                      } else {
85                              sprintf(buf, "call %p", func);
86                      }
87

** CID 478861:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 478861:  Memory - corruptions  (OVERRUN)
/cmd/nvedit.c: 356 in print_static_flags()
350     static int print_static_flags(const char *var_name, const char *flags,
351                                   void *priv)
352     {
353             enum env_flags_vartype type = env_flags_parse_vartype(flags);
354             enum env_flags_varaccess access =
env_flags_parse_varaccess(flags);
355
>>>     CID 478861:  Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 4 by passing argument "access" (which evaluates to 4) in call to "env_flags_get_varaccess_name".
356             printf("\t%-20s %-20s %-20s\n", var_name,
357                     env_flags_get_vartype_name(type),
358                     env_flags_get_varaccess_name(access));
359
360             return 0;
361     }

-- 
Tom


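
Both OVERRUN reports share one pattern: a value derived from input (an 8-bit event type, a parsed flags string) is used directly as an index into a fixed name table, and the out-of-range value (255 against 15 entries, 4 against 4) reads past the array. Added example, not U-Boot's tables or parser: sample_access and parse_access() are constructed stand-ins, and only the lookup pattern and its bounds check are the point.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed enum standing in for the access kinds in cmd/nvedit.c; the
 * real values and names differ, only the indexing pattern matters. */
enum sample_access {
	ACCESS_ANY = 0,
	ACCESS_READONLY,
	ACCESS_WRITEONCE,
	ACCESS_CHANGE_DEFAULT,
	ACCESS_UNKNOWN,		/* one past the table: what parsing junk yields */
};

static const char *const access_names[] = {
	[ACCESS_ANY] = "any",
	[ACCESS_READONLY] = "read-only",
	[ACCESS_WRITEONCE] = "write-once",
	[ACCESS_CHANGE_DEFAULT] = "change-default",
};

/* Constructed parser: one access letter per flags string, anything else
 * maps to ACCESS_UNKNOWN, exactly the kind of value Coverity saw (4). */
enum sample_access parse_access(const char *flags)
{
	switch (flags ? flags[0] : '\0') {
	case 'a': return ACCESS_ANY;
	case 'r': return ACCESS_READONLY;
	case 'o': return ACCESS_WRITEONCE;
	case 'c': return ACCESS_CHANGE_DEFAULT;
	default:  return ACCESS_UNKNOWN;
	}
}

/* The flagged shape: the enum value indexes the table with no check, so
 * ACCESS_UNKNOWN (4) reads one slot past a 4-entry array. */
const char *access_name_unchecked(enum sample_access access)
{
	return access_names[access];
}

/* Hardened lookup: accepts any integer, including an 8-bit type of 255 as
 * in the initcall report, and never reads outside the table. */
const char *access_name(int access)
{
	if (access < 0 || (size_t)access >= ARRAY_SIZE(access_names))
		return "(unknown)";
	return access_names[access] ? access_names[access] : "(unnamed)";
}

/* Row printer in the style of print_static_flags(), using the safe lookup. */
int print_flags_row(const char *var_name, const char *flags)
{
	printf("\t%-20s %-20s\n", var_name, access_name(parse_access(flags)));
	return 0;
}

int main(void)
{
	print_flags_row("bootcmd", "r");
	print_flags_row("serial#", "zz");	/* junk flags: prints (unknown) */
	return 0;
}
```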

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-01-22 23:30 Tom Rini
@ 2024-01-23  8:15 ` Hugo Cornelis
  0 siblings, 0 replies; 105+ messages in thread
From: Hugo Cornelis @ 2024-01-23  8:15 UTC (permalink / raw)
  To: u-boot, Tom Rini; +Cc: Hugo Cornelis

Hi Tom, sorry about that.  Please find attached a patch.

Can you please review?

Thanks, Hugo



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
       [not found] <20240127154018.GC785631@bill-the-cat>
@ 2024-01-27 20:56 ` Heinrich Schuchardt
  2024-01-28  8:51   ` Heinrich Schuchardt
  0 siblings, 1 reply; 105+ messages in thread
From: Heinrich Schuchardt @ 2024-01-27 20:56 UTC (permalink / raw)
  To: Tom Rini; +Cc: Ilias Apalodimas, u-boot



On 27 January 2024 16:40:18 CET, Tom Rini <trini@konsulko.com> wrote:
>Hey, I'll just pass this on directly rather than to the list.
>
>---------- Forwarded message ---------
>From: <scan-admin@coverity.com>
>Date: Sat, Jan 27, 2024 at 10:36 AM
>Subject: New Defects reported by Coverity Scan for Das U-Boot
>To: <tom.rini@gmail.com>
>
>
>Hi,
>
>Please find the latest report on new defect(s) introduced to Das
>U-Boot found with Coverity Scan.
>
>1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
>New defect(s) Reported-by: Coverity Scan
>Showing 1 of 1 defect(s)
>
>
>** CID 479279:    (TAINTED_SCALAR)
>
>
>________________________________________________________________________________________________________
>*** CID 479279:    (TAINTED_SCALAR)
>/cmd/smbios.c: 180 in do_smbios()
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180                             smbios_print_generic(pos);
>181                             break;
>182                     }
>183             }
>184
>185             return CMD_RET_SUCCESS;
>/cmd/smbios.c: 154 in do_smbios()
>148                     size = entry2->length;
>149                     max_struct_size = entry2->max_struct_size;
>150             } else {
>151                     log_err("Unknown SMBIOS anchor format\n");
>152                     return CMD_RET_FAILURE;
>153             }
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>154             if (table_compute_checksum(entry, size)) {
>155                     log_err("Invalid anchor checksum\n");
>156                     return CMD_RET_FAILURE;
>157             }
>158             printf("SMBIOS %s present.\n", version);
>159
>/cmd/smbios.c: 174 in do_smbios()
>168                            (unsigned long long)map_to_sysmem(pos));
>169                     switch (pos->type) {
>170                     case 1:
>171                             smbios_print_type1((struct smbios_type1 *)pos);
>172                             break;
>173                     case 2:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>/cmd/smbios.c: 154 in do_smbios()
>148                     size = entry2->length;
>149                     max_struct_size = entry2->max_struct_size;
>150             } else {
>151                     log_err("Unknown SMBIOS anchor format\n");
>152                     return CMD_RET_FAILURE;
>153             }
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>154             if (table_compute_checksum(entry, size)) {
>155                     log_err("Invalid anchor checksum\n");
>156                     return CMD_RET_FAILURE;
>157             }
>158             printf("SMBIOS %s present.\n", version);
>159
>/cmd/smbios.c: 180 in do_smbios()
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180                             smbios_print_generic(pos);
>181                             break;
>182                     }
>183             }
>184
>185             return CMD_RET_SUCCESS;
>/cmd/smbios.c: 174 in do_smbios()
>168                            (unsigned long long)map_to_sysmem(pos));
>169                     switch (pos->type) {
>170                     case 1:
>171                             smbios_print_type1((struct smbios_type1 *)pos);
>172                             break;
>173                     case 2:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>/cmd/smbios.c: 174 in do_smbios()
>168                            (unsigned long long)map_to_sysmem(pos));
>169                     switch (pos->type) {
>170                     case 1:
>171                             smbios_print_type1((struct smbios_type1 *)pos);
>172                             break;
>173                     case 2:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>/cmd/smbios.c: 180 in do_smbios()
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180                             smbios_print_generic(pos);
>181                             break;
>182                     }
>183             }
>184
>185             return CMD_RET_SUCCESS;
>/cmd/smbios.c: 180 in do_smbios()
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180                             smbios_print_generic(pos);
>181                             break;
>182                     }
>183             }
>184
>185             return CMD_RET_SUCCESS;
>/cmd/smbios.c: 174 in do_smbios()
>168                            (unsigned long long)map_to_sysmem(pos));
>169                     switch (pos->type) {
>170                     case 1:
>171                             smbios_print_type1((struct smbios_type1 *)pos);
>172                             break;
>173                     case 2:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>/cmd/smbios.c: 180 in do_smbios()
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>180                             smbios_print_generic(pos);
>181                             break;
>182                     }
>183             }
>184
>185             return CMD_RET_SUCCESS;
>/cmd/smbios.c: 174 in do_smbios()
>168                            (unsigned long long)map_to_sysmem(pos));
>169                     switch (pos->type) {
>170                     case 1:
>171                             smbios_print_type1((struct smbios_type1 *)pos);
>172                             break;
>173                     case 2:
>>>>     CID 479279:    (TAINTED_SCALAR)
>>>>     Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>174                             smbios_print_type2((struct smbios_type2 *)pos);
>175                             break;
>176                     case 127:
>177                             smbios_print_type127((struct
>smbios_type127 *)pos);
>178                             break;
>179                     default:
>

The values may come from QEMU, so may be "tainted". We could check the length of the individual structures against the total size of the SMBIOS table.

Best regards

Heinrich


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-01-27 20:56 ` Heinrich Schuchardt
@ 2024-01-28  8:51   ` Heinrich Schuchardt
  0 siblings, 0 replies; 105+ messages in thread
From: Heinrich Schuchardt @ 2024-01-28  8:51 UTC (permalink / raw)
  To: Tom Rini; +Cc: Ilias Apalodimas, u-boot

On 1/27/24 21:56, Heinrich Schuchardt wrote:
>
>
> On 27 January 2024 16:40:18 CET, Tom Rini <trini@konsulko.com> wrote:
>> Hey, I'll just pass this on directly rather than to the list.
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Sat, Jan 27, 2024 at 10:36 AM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das
>> U-Boot found with Coverity Scan.
>>
>> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 1 of 1 defect(s)
>>
>>
>> ** CID 479279:    (TAINTED_SCALAR)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 479279:    (TAINTED_SCALAR)
>> /cmd/smbios.c: 180 in do_smbios()
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180                             smbios_print_generic(pos);
>> 181                             break;
>> 182                     }
>> 183             }
>> 184
>> 185             return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 154 in do_smbios()
>> 148                     size = entry2->length;
>> 149                     max_struct_size = entry2->max_struct_size;
>> 150             } else {
>> 151                     log_err("Unknown SMBIOS anchor format\n");
>> 152                     return CMD_RET_FAILURE;
>> 153             }
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>> 154             if (table_compute_checksum(entry, size)) {
>> 155                     log_err("Invalid anchor checksum\n");
>> 156                     return CMD_RET_FAILURE;
>> 157             }
>> 158             printf("SMBIOS %s present.\n", version);
>> 159
>> /cmd/smbios.c: 174 in do_smbios()
>> 168                            (unsigned long long)map_to_sysmem(pos));
>> 169                     switch (pos->type) {
>> 170                     case 1:
>> 171                             smbios_print_type1((struct smbios_type1 *)pos);
>> 172                             break;
>> 173                     case 2:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>> /cmd/smbios.c: 154 in do_smbios()
>> 148                     size = entry2->length;
>> 149                     max_struct_size = entry2->max_struct_size;
>> 150             } else {
>> 151                     log_err("Unknown SMBIOS anchor format\n");
>> 152                     return CMD_RET_FAILURE;
>> 153             }
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "size" to "table_compute_checksum", which uses it as a loop boundary.
>> 154             if (table_compute_checksum(entry, size)) {
>> 155                     log_err("Invalid anchor checksum\n");
>> 156                     return CMD_RET_FAILURE;
>> 157             }
>> 158             printf("SMBIOS %s present.\n", version);
>> 159
>> /cmd/smbios.c: 180 in do_smbios()
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180                             smbios_print_generic(pos);
>> 181                             break;
>> 182                     }
>> 183             }
>> 184
>> 185             return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 174 in do_smbios()
>> 168                            (unsigned long long)map_to_sysmem(pos));
>> 169                     switch (pos->type) {
>> 170                     case 1:
>> 171                             smbios_print_type1((struct smbios_type1 *)pos);
>> 172                             break;
>> 173                     case 2:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>> /cmd/smbios.c: 174 in do_smbios()
>> 168                            (unsigned long long)map_to_sysmem(pos));
>> 169                     switch (pos->type) {
>> 170                     case 1:
>> 171                             smbios_print_type1((struct smbios_type1 *)pos);
>> 172                             break;
>> 173                     case 2:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>> /cmd/smbios.c: 180 in do_smbios()
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180                             smbios_print_generic(pos);
>> 181                             break;
>> 182                     }
>> 183             }
>> 184
>> 185             return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 180 in do_smbios()
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180                             smbios_print_generic(pos);
>> 181                             break;
>> 182                     }
>> 183             }
>> 184
>> 185             return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 174 in do_smbios()
>> 168                            (unsigned long long)map_to_sysmem(pos));
>> 169                     switch (pos->type) {
>> 170                     case 1:
>> 171                             smbios_print_type1((struct smbios_type1 *)pos);
>> 172                             break;
>> 173                     case 2:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>> /cmd/smbios.c: 180 in do_smbios()
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "pos->length" to "smbios_print_generic", which uses it as a loop boundary.
>> 180                             smbios_print_generic(pos);
>> 181                             break;
>> 182                     }
>> 183             }
>> 184
>> 185             return CMD_RET_SUCCESS;
>> /cmd/smbios.c: 174 in do_smbios()
>> 168                            (unsigned long long)map_to_sysmem(pos));
>> 169                     switch (pos->type) {
>> 170                     case 1:
>> 171                             smbios_print_type1((struct smbios_type1 *)pos);
>> 172                             break;
>> 173                     case 2:
>>>>>      CID 479279:    (TAINTED_SCALAR)
>>>>>      Passing tainted expression "((struct smbios_type2 *)pos)->number_contained_objects" to "smbios_print_type2", which uses it as a loop boundary.
>> 174                             smbios_print_type2((struct smbios_type2 *)pos);
>> 175                             break;
>> 176                     case 127:
>> 177                             smbios_print_type127((struct
>> smbios_type127 *)pos);
>> 178                             break;
>> 179                     default:
>>
>
> The values may come from QEMU, so may be "tainted". We could check the length of the individual structures against the total size of the SMBIOS table.
>

In Coverity I marked this as false positive with the following comment:

"The only case in which the data is tainted is when copying the smbios
table from a prior firmware state when running as EFI app or from QEMU.
Sanity checks should not be in the smbios command but where we import
the table."

Best regards

Heinrich



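The bounds check proposed above (each structure's length against the total size of the SMBIOS table), which the follow-up places at the point where the table is imported rather than in the smbios command, worked through as an added example. This is not U-Boot code and not Heinrich's; the struct and function names and the constructed sample tables are mine, and the 4-byte structure header layout (type, length, handle) is the one from the DMTF SMBIOS specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not U-Boot code): bounds-checking an SMBIOS structure table
 * before any per-structure field such as "length" is used as a loop bound.
 * Struct and function names here are my own, not U-Boot's.
 */

/* Common 4-byte header of every SMBIOS structure (DMTF SMBIOS spec). */
struct smbios_hdr {
	uint8_t type;
	uint8_t length;	/* length of the formatted area, header included */
	uint16_t handle;
};

#define SMBIOS_TYPE_END_OF_TABLE 127

/*
 * Validate the structure starting at byte offset "off" of a table that is
 * "table_len" bytes long.  Returns the offset of the following structure, or
 * 0 if the structure does not fit.  The checks are:
 *   - the 4-byte header itself lies inside the table,
 *   - length >= sizeof(header), otherwise a walker would never advance,
 *   - the formatted area ends inside the table,
 *   - the string set that follows is terminated by a double NUL that is
 *     still inside the table.
 * Only after these checks is hdr->length safe to use as a loop boundary.
 */
static size_t smbios_next_struct(const uint8_t *table, size_t table_len,
				 size_t off)
{
	const struct smbios_hdr *hdr;
	size_t pos;

	if (off > table_len || table_len - off < sizeof(*hdr))
		return 0;
	hdr = (const struct smbios_hdr *)(table + off);
	if (hdr->length < sizeof(*hdr) || hdr->length > table_len - off)
		return 0;

	/* Unformatted area: NUL-terminated strings, ended by an empty string. */
	pos = off + hdr->length;
	for (;;) {
		if (pos + 1 >= table_len)	/* need table[pos] and table[pos + 1] */
			return 0;
		if (table[pos] == 0 && table[pos + 1] == 0)
			return pos + 2;
		pos++;
	}
}

/*
 * Walk a whole table.  Returns the number of structures up to and including
 * the End-of-Table structure, or -1 if any structure is malformed or the
 * table ends without a type 127 structure.
 */
int smbios_walk(const uint8_t *table, size_t table_len)
{
	size_t off = 0;
	int count = 0;

	while (off < table_len) {
		size_t next = smbios_next_struct(table, table_len, off);
		const struct smbios_hdr *hdr;

		if (!next)
			return -1;
		hdr = (const struct smbios_hdr *)(table + off);
		count++;
		if (hdr->type == SMBIOS_TYPE_END_OF_TABLE)
			return count;
		off = next;
	}
	return -1;
}

/* Constructed sample tables (not captured from real firmware). */
static const uint8_t good_table[] = {
	/* type 1, formatted length 8, handle 0x0100, 4 data bytes */
	0x01, 0x08, 0x00, 0x01, 0x01, 0x02, 0x00, 0x00,
	/* string set: "QEMU" then the terminating empty string */
	'Q', 'E', 'M', 'U', 0x00, 0x00,
	/* type 127 End-of-Table, length 4, handle 0xffff, empty string set */
	0x7f, 0x04, 0xff, 0xff, 0x00, 0x00,
};
/* "length" claims 64 bytes but only 10 are present */
static const uint8_t oversized_length_table[] = {
	0x01, 0x40, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
/* "length" smaller than the header: a naive walker would loop forever */
static const uint8_t undersized_length_table[] = {
	0x01, 0x02, 0x00, 0x01, 0x00, 0x00,
};
/* End-of-Table structure whose string set runs off the end of the table */
static const uint8_t unterminated_table[] = {
	0x7f, 0x04, 0xff, 0xff, 0x00,
};

int main(void)
{
	printf("good table: %d\n", smbios_walk(good_table, sizeof(good_table)));
	printf("oversized length: %d\n",
	       smbios_walk(oversized_length_table, sizeof(oversized_length_table)));
	printf("undersized length: %d\n",
	       smbios_walk(undersized_length_table, sizeof(undersized_length_table)));
	printf("unterminated strings: %d\n",
	       smbios_walk(unterminated_table, sizeof(unterminated_table)));
	return 0;
}
```

Running the walk once, when the table is copied in from QEMU or from a prior firmware stage, means a display command such as do_smbios() can afterwards trust pos->length and the per-type counts without repeating the checks in every printer.
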
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-29 23:55 Tom Rini
  2024-01-30  8:14 ` Heinrich Schuchardt
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-01-29 23:55 UTC (permalink / raw)
  To: u-boot, Heinrich Schuchardt


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 29, 2024 at 6:51 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 480240:  Insecure data handling  (TAINTED_SCALAR)
/cmd/efidebug.c: 192 in do_efi_capsule_esrt()


________________________________________________________________________________________________________
*** CID 480240:  Insecure data handling  (TAINTED_SCALAR)
/cmd/efidebug.c: 192 in do_efi_capsule_esrt()
186
187             printf("========================================\n");
188             printf("ESRT: fw_resource_count=%d\n", esrt->fw_resource_count);
189             printf("ESRT: fw_resource_count_max=%d\n",
esrt->fw_resource_count_max);
190             printf("ESRT: fw_resource_version=%lld\n",
esrt->fw_resource_version);
191
>>>     CID 480240:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "esrt->fw_resource_count" as a loop boundary.
192             for (int idx = 0; idx < esrt->fw_resource_count; idx++) {
193                     printf("[entry
%d]==============================\n", idx);
194                     printf("ESRT: fw_class=%pUL\n",
&esrt->entries[idx].fw_class);
195                     printf("ESRT: fw_type=%s\n",
EFI_FW_TYPE_STR_GET(esrt->entries[idx].fw_type));
196                     printf("ESRT: fw_version=%d\n",
esrt->entries[idx].fw_version);
197                     printf("ESRT: lowest_supported_fw_version=%d\n",

----- End forwarded message -----

-- 
Tom


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-01-29 23:55 Tom Rini
@ 2024-01-30  8:14 ` Heinrich Schuchardt
  0 siblings, 0 replies; 105+ messages in thread
From: Heinrich Schuchardt @ 2024-01-30  8:14 UTC (permalink / raw)
  To: Tom Rini; +Cc: Ilias Apalodimas, u-boot

On 1/30/24 00:55, Tom Rini wrote:
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Jan 29, 2024 at 6:51 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 1 of 1 defect(s)
>
>
> ** CID 480240:  Insecure data handling  (TAINTED_SCALAR)
> /cmd/efidebug.c: 192 in do_efi_capsule_esrt()
>
>
> ________________________________________________________________________________________________________
> *** CID 480240:  Insecure data handling  (TAINTED_SCALAR)
> /cmd/efidebug.c: 192 in do_efi_capsule_esrt()
> 186
> 187             printf("========================================\n");
> 188             printf("ESRT: fw_resource_count=%d\n", esrt->fw_resource_count);
> 189             printf("ESRT: fw_resource_count_max=%d\n",
> esrt->fw_resource_count_max);
> 190             printf("ESRT: fw_resource_version=%lld\n",
> esrt->fw_resource_version);
> 191
>>>>      CID 480240:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Using tainted variable "esrt->fw_resource_count" as a loop boundary.
> 192             for (int idx = 0; idx < esrt->fw_resource_count; idx++) {
> 193                     printf("[entry
> %d]==============================\n", idx);
> 194                     printf("ESRT: fw_class=%pUL\n",
> &esrt->entries[idx].fw_class);
> 195                     printf("ESRT: fw_type=%s\n",
> EFI_FW_TYPE_STR_GET(esrt->entries[idx].fw_type));
> 196                     printf("ESRT: fw_version=%d\n",
> esrt->entries[idx].fw_version);
> 197                     printf("ESRT: lowest_supported_fw_version=%d\n",
>
> ----- End forwarded message -----
>

Coverity sees any conversion from void * as a hint to tainted data. The
ESRT might be manipulated by some EFI app but we want to display it. So
I marked this Coverity issue as intentional.

Best regards

Heinrich


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-04-22 21:48 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-04-22 21:48 UTC (permalink / raw)
  To: u-boot; +Cc: Charles Hardin, Ilias Apalodimas


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 22, 2024 at 3:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 492766:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_var_mem.c: 236 in efi_var_mem_init()


________________________________________________________________________________________________________
*** CID 492766:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_var_mem.c: 236 in efi_var_mem_init()
230             memset(efi_var_buf, 0, EFI_VAR_BUF_SIZE);
231             efi_var_buf->magic = EFI_VAR_FILE_MAGIC;
232             efi_var_buf->length = (uintptr_t)efi_var_buf->var -
233                                   (uintptr_t)efi_var_buf;
234
235             if (ret != EFI_SUCCESS)
>>>     CID 492766:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return ret;".
236                     return ret;
237             ret =
efi_create_event(EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE, TPL_CALLBACK,
238
efi_var_mem_notify_virtual_address_map, NULL,
239                                    NULL, &event);
240             if (ret != EFI_SUCCESS)
241                     return ret;

** CID 492765:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 492765:  Uninitialized variables  (UNINIT)
/net/bootp.c: 888 in dhcp_process_options()
882                             net_root_path[size] = 0;
883                             break;
884                     case 28:        /* Ignore Broadcast Address Option */
885                             break;
886                     case 40:        /* NIS Domain name */
887                             if (net_nis_domain[0] == 0) {
>>>     CID 492765:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "size" when calling "truncate_sz".
888                                     size = truncate_sz("NIS Domain Name",
889                                             sizeof(net_nis_domain), size);
890                                     memcpy(&net_nis_domain, popt + 2, size);
891                                     net_nis_domain[size] = 0;
892                             }
893                             break;


-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-07-23 14:18 Tom Rini
  2024-07-24  9:21 ` Mattijs Korpershoek
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-07-23 14:18 UTC (permalink / raw)
  To: u-boot, Mattijs Korpershoek, Ilias Apalodimas,
	Heinrich Schuchardt, Marek Vasut, Dmitrii Merkurev


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 22, 2024, 8:07 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 8 of 8 defect(s)


** CID 501795:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
/boot/bootmeth_android.c: 96 in scan_boot_part()
90      if (!is_android_boot_image_header(buf)) {
91              free(buf);
92              return log_msg_ret("header", -ENOENT);
93      }
94
95      priv->header_version = ((struct andr_boot_img_hdr_v0
*)buf)->header_version;
>>>     CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*buf" to "dlfree", which uses it as an
offset.
96      free(buf);
97
98      return 0;
99     }
100
101     static int scan_vendor_boot_part(struct udevice *blk, struct
android_priv *priv)

** CID 501794:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 501794:  Memory - corruptions  (OVERRUN)
/lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
634             rc = tcg2_log_prepare_buffer(*dev, elog,
ignore_existing_log);
635             if (rc) {
636                     tcg2_measurement_term(*dev, elog, true);
637                     return rc;
638             }
639
>>>     CID 501794:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "version_string" of 50 bytes by passing it to a
function which accesses it at byte offset 63.
640             rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
641                                     strlen(version_string) + 1,
642                                     (u8 *)version_string);
643             if (rc) {
644                     tcg2_measurement_term(*dev, elog, true);
645                     return rc;

** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 909 in tpm2_allow_extend()


________________________________________________________________________________________________________
*** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 909 in tpm2_allow_extend()
903             int rc;
904
905             rc = tpm2_get_pcr_info(dev, &pcrs);
906             if (rc)
907                     return false;
908
>>>     CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcrs.count" as a loop boundary.
909             for (i = 0; i < pcrs.count; i++) {
910                     if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
911                         !tpm2_algorithm_to_len(pcrs.selection[i].hash))
912                             return false;
913             }
914
915             return true;

** CID 501792:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()


________________________________________________________________________________________________________
*** CID 501792:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
131             if (fdt_dp) {
132                     struct efi_device_path *tmp_dp = *dp;
133
134                     *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
135                     efi_free_pool(tmp_dp);
136                     if (!dp)
>>>     CID 501792:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return
9223372036854775817UL;".
137                             return EFI_OUT_OF_RESOURCES;
138                     *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
139             }
140
141             *dp_size += sizeof(END);
142

** CID 501791:    (DEADCODE)
/drivers/usb/gadget/ether.c: 2219 in eth_bind()
/drivers/usb/gadget/ether.c: 2110 in eth_bind()
/drivers/usb/gadget/ether.c: 2071 in eth_bind()
/drivers/usb/gadget/ether.c: 2089 in eth_bind()


________________________________________________________________________________________________________
*** CID 501791:    (DEADCODE)
/drivers/usb/gadget/ether.c: 2219 in eth_bind()
2213                    out_ep->name, in_ep->name,
2214                    status_ep ? " STATUS " : "",
2215                    status_ep ? status_ep->name : ""
2216                    );
2217            printf("MAC %pM\n", pdata->enetaddr);
2218
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach the expression "rndis" inside this
statement: "if (cdc || rndis)
  printf(...".
2219            if (cdc || rndis)
2220                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
2221                            dev->host_mac[0], dev->host_mac[1],
2222                            dev->host_mac[2], dev->host_mac[3],
2223                            dev->host_mac[4], dev->host_mac[5]);
2224
/drivers/usb/gadget/ether.c: 2110 in eth_bind()
2104                    device_desc.bNumConfigurations = 2;
2105
2106            if (gadget_is_dualspeed(gadget)) {
2107                    if (rndis)
2108                            dev_qualifier.bNumConfigurations = 2;
2109                    else if (!cdc)
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach this statement: "dev_qualifier.bDeviceClass
...".
2110                            dev_qualifier.bDeviceClass =
USB_CLASS_VENDOR_SPEC;
2111
2112                    /* assumes ep0 uses the same value for both speeds
... */
2113                    dev_qualifier.bMaxPacketSize0 =
device_desc.bMaxPacketSize0;
2114
2115                    /* and that all endpoints are dual-speed */
/drivers/usb/gadget/ether.c: 2071 in eth_bind()
2065
2066     #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
2067            /*
2068             * CDC Ethernet control interface doesn't require a status
endpoint.
2069             * Since some hosts expect one, try to allocate one anyway.
2070             */
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach the expression "rndis" inside this
statement: "if (cdc || rndis) {
  statu...".
2071            if (cdc || rndis) {
2072                    status_ep = usb_ep_autoconfig(gadget,
&fs_status_desc);
2073                    if (status_ep) {
2074                            status_ep->driver_data = status_ep;     /*
claim */
2075                    } else if (rndis) {
2076                            pr_err("can't run RNDIS on %s",
gadget->name);
/drivers/usb/gadget/ether.c: 2089 in eth_bind()
2083                    }
2084            }
2085     #endif
2086
2087            /* one config:  cdc, else minimal subset */
2088            if (!cdc) {
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach this statement: "eth_config.bNumInterfaces =
1;".
2089                    eth_config.bNumInterfaces = 1;
2090                    eth_config.iConfiguration = STRING_SUBSET;
2091
2092                    /*
2093                     * use functions to set these up, in case we're
built to work
2094                     * with multiple controllers and must override CDC
Ethernet.

** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
/cmd/bcb.c: 175 in __bcb_initialize()


________________________________________________________________________________________________________
*** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
/cmd/bcb.c: 175 in __bcb_initialize()
169                     }
170             }
171
172             return CMD_RET_SUCCESS;
173
174     err_read_fail:
>>>     CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "block".
175             printf("Error: %d %d:%s read failed (%d)\n",
block->uclass_id,
176                    block->devnum, partition->name, ret);
177             __bcb_reset();
178             return CMD_RET_FAILURE;
179     }
180

** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()


________________________________________________________________________________________________________
*** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
35      memset(response, 0, sizeof(response));
36
37      ret = tpm2_get_pcr_info(dev, &pcrs);
38      if (ret)
39              return ret;
40
>>>     CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcrs.count" as a loop boundary.
41      for (i = 0; i < pcrs.count; i++) {
42              u32 hash_mask =
tcg2_algorithm_to_mask(pcrs.selection[i].hash);
43
44              if (hash_mask) {
45                      *supported_pcr |= hash_mask;
46                      if (tpm2_is_active_pcr(&pcrs.selection[i]))

** CID 501788:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 501788:  Memory - corruptions  (OVERRUN)
/lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
652                                bool error)
653     {
654             u32 event = error ? 0x1 : 0xffffffff;
655             int i;
656
657             for (i = 0; i < 8; ++i)
>>>     CID 501788:  Memory - corruptions  (OVERRUN)
>>>     Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
passing it to a function which accesses it at byte offset 63.
658                     tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
sizeof(event),
659                                        (const u8 *)&event);
660
661             if (elog->log)
662                     unmap_physmem(elog->log, MAP_NOCACHE);
663     }



----- End forwarded message -----

-- 
Tom


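The two TAINTED_SCALAR findings in the report above (CID 501793 in tpm2_allow_extend() and CID 501789 in tcg2_get_pcr_info()) both flag pcrs.count, a value the TPM returns, as a loop bound. The following is an added example, not U-Boot code, of the sanitizing step Coverity is looking for: the count is checked against the capacity of the receiving array while the response is unmarshalled, and the allow-extend policy is then run over the bounded result. The struct layout is modelled on U-Boot's tpml_pcr_selection; TPM2_NUM_PCR_BANKS = 16, the algorithm ids and the response bytes are assumptions and constructed input, not taken from the report.

```c
/*
 * Added example, not U-Boot code: unmarshal a TPML_PCR_SELECTION from a
 * TPM response and bound the device-supplied "count" by the array that
 * receives it before it drives a loop, the check behind TAINTED_SCALAR
 * findings CID 501793 and CID 501789. Assumed: struct layout modelled on
 * U-Boot's tpml_pcr_selection, TPM2_NUM_PCR_BANKS = 16, TCG algorithm ids.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define TPM2_NUM_PCR_BANKS	16u		/* assumed capacity of selection[] */
#define TPM2_ALG_SHA1		0x0004u
#define TPM2_ALG_SHA256		0x000bu

struct tpms_pcr_selection {
	uint16_t hash;
	uint8_t size_of_select;
	uint8_t pcr_select[3];			/* TPM2_PCR_SELECT_MIN */
};

struct tpml_pcr_selection {
	uint32_t count;
	struct tpms_pcr_selection selection[TPM2_NUM_PCR_BANKS];
};

/*
 * Wire format: count (u32), then per bank hash (u16), sizeofSelect (u8) and
 * sizeofSelect bitmap bytes, all big-endian. Every device-supplied size is
 * checked against the buffer and the destination before it is used.
 * Returns 0 on success, -1 on a malformed or hostile response.
 */
int tpm2_parse_pcr_selection(const uint8_t *buf, size_t len,
			     struct tpml_pcr_selection *out)
{
	size_t off = 4;
	uint32_t i, count;

	memset(out, 0, sizeof(*out));
	if (len < off)
		return -1;
	count = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
		((uint32_t)buf[2] << 8) | buf[3];
	/* The sanitizer Coverity looks for: clamp the tainted count to the
	 * array capacity before it indexes selection[] or bounds the loop. */
	if (count > TPM2_NUM_PCR_BANKS)
		return -1;
	out->count = count;
	for (i = 0; i < count; i++) {
		struct tpms_pcr_selection *sel = &out->selection[i];

		if (len - off < 3)
			return -1;
		sel->hash = (uint16_t)((buf[off] << 8) | buf[off + 1]);
		sel->size_of_select = buf[off + 2];
		off += 3;
		if (sel->size_of_select > sizeof(sel->pcr_select) ||
		    len - off < sel->size_of_select)
			return -1;
		memcpy(sel->pcr_select, buf + off, sel->size_of_select);
		off += sel->size_of_select;
	}
	return 0;
}

/* Digest length for algorithms this example knows; 0 means unsupported. */
static int tpm2_algorithm_to_len(uint16_t alg)
{
	return alg == TPM2_ALG_SHA1 ? 20 : alg == TPM2_ALG_SHA256 ? 32 : 0;
}

/* A bank is active when any PCR bit in its selection bitmap is set. */
static bool tpm2_is_active_pcr(const struct tpms_pcr_selection *sel)
{
	for (uint8_t i = 0; i < sel->size_of_select; i++)
		if (sel->pcr_select[i])
			return true;
	return false;
}

/* Same policy as tpm2_allow_extend() in the report: refuse when an active
 * bank uses a digest we cannot compute; the bound is rechecked here too. */
bool tpm2_allow_extend_checked(const struct tpml_pcr_selection *pcrs)
{
	if (pcrs->count > TPM2_NUM_PCR_BANKS)
		return false;
	for (uint32_t i = 0; i < pcrs->count; i++)
		if (tpm2_is_active_pcr(&pcrs->selection[i]) &&
		    !tpm2_algorithm_to_len(pcrs->selection[i].hash))
			return false;
	return true;
}

/* Constructed responses: a sane TPM (SHA-256 bank active, SHA-1 idle), an
 * active bank with made-up algorithm 0x7fff, a hostile count, a truncation. */
const uint8_t resp_two_banks[] = { 0x00, 0x00, 0x00, 0x02, 0x00, 0x0b, 0x03,
	0xff, 0xff, 0xff, 0x00, 0x04, 0x03, 0x00, 0x00, 0x00 };
const uint8_t resp_unknown_alg[] = { 0x00, 0x00, 0x00, 0x01, 0x7f, 0xff, 0x03,
	0x01, 0x00, 0x00 };
const uint8_t resp_hostile_count[] = { 0xff, 0xff, 0xff, 0xff, 0x00, 0x0b, 0x03,
	0xff, 0xff, 0xff };
const uint8_t resp_truncated[] = { 0x00, 0x00, 0x00, 0x03, 0x00, 0x0b, 0x03,
	0xff, 0xff, 0xff };
```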

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-23 14:18 Tom Rini
@ 2024-07-24  9:21 ` Mattijs Korpershoek
  2024-07-24  9:45   ` Heinrich Schuchardt
  2024-07-24  9:53   ` Mattijs Korpershoek
  0 siblings, 2 replies; 105+ messages in thread
From: Mattijs Korpershoek @ 2024-07-24  9:21 UTC (permalink / raw)
  To: Tom Rini, u-boot, Ilias Apalodimas, Heinrich Schuchardt,
	Marek Vasut, Dmitrii Merkurev

Hi Tom,

Thank you for the report.

On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:

> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Jul 22, 2024, 8:07 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 8 of 8 defect(s)
>
>
> ** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
> /boot/bootmeth_android.c: 96 in scan_boot_part()
> 90      if (!is_android_boot_image_header(buf)) {
> 91              free(buf);
> 92              return log_msg_ret("header", -ENOENT);
> 93      }
> 94
> 95      priv->header_version = ((struct andr_boot_img_hdr_v0
> *)buf)->header_version;
>>>>     CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>>     Passing tainted expression "*buf" to "dlfree", which uses it as an
> offset.

scan_boot_part() generates this warning, but scan_vendor_boot_part()
does not.
Both functions follow a similar code flow.

The only reason scan_boot_part() generates this warning is the downcast
into struct andr_boot_img_hdr_v0.

We can't change char* buf into struct andr_boot_img_hdr_v0 because we
need to be block aligned when calling blk_dread().

Per my understanding, tainted data means it comes from user input (which
is true for both scan_boot_part() and scan_vendor_boot_part() because
both read from eMMC, which can be considered "user input").

Since I don't see any particular problem with this code I propose that
we ignore this warning.


> 96      free(buf);
> 97
> 98      return 0;
> 99     }
> 100
> 101     static int scan_vendor_boot_part(struct udevice *blk, struct
> android_priv *priv)
>
> ** CID 501794:  Memory - corruptions  (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 501794:  Memory - corruptions  (OVERRUN)
> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
> 634             rc = tcg2_log_prepare_buffer(*dev, elog,
> ignore_existing_log);
> 635             if (rc) {
> 636                     tcg2_measurement_term(*dev, elog, true);
> 637                     return rc;
> 638             }
> 639
>>>>     CID 501794:  Memory - corruptions  (OVERRUN)
>>>>     Overrunning array "version_string" of 50 bytes by passing it to a
> function which accesses it at byte offset 63.
> 640             rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
> 641                                     strlen(version_string) + 1,
> 642                                     (u8 *)version_string);
> 643             if (rc) {
> 644                     tcg2_measurement_term(*dev, elog, true);
> 645                     return rc;
>
> ** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>
>
> ________________________________________________________________________________________________________
> *** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
> 903             int rc;
> 904
> 905             rc = tpm2_get_pcr_info(dev, &pcrs);
> 906             if (rc)
> 907                     return false;
> 908
>>>>     CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>>     Using tainted variable "pcrs.count" as a loop boundary.
> 909             for (i = 0; i < pcrs.count; i++) {
> 910                     if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
> 911                         !tpm2_algorithm_to_len(pcrs.selection[i].hash))
> 912                             return false;
> 913             }
> 914
> 915             return true;
>
> ** CID 501792:  Control flow issues  (DEADCODE)
> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>
>
> ________________________________________________________________________________________________________
> *** CID 501792:  Control flow issues  (DEADCODE)
> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
> 131             if (fdt_dp) {
> 132                     struct efi_device_path *tmp_dp = *dp;
> 133
> 134                     *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
> 135                     efi_free_pool(tmp_dp);
> 136                     if (!dp)
>>>>     CID 501792:  Control flow issues  (DEADCODE)
>>>>     Execution cannot reach this statement: "return
> 9223372036854775817UL;".
> 137                             return EFI_OUT_OF_RESOURCES;
> 138                     *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
> 139             }
> 140
> 141             *dp_size += sizeof(END);
> 142
>
> ** CID 501791:    (DEADCODE)
> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>
>
> ________________________________________________________________________________________________________
> *** CID 501791:    (DEADCODE)
> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
> 2213                    out_ep->name, in_ep->name,
> 2214                    status_ep ? " STATUS " : "",
> 2215                    status_ep ? status_ep->name : ""
> 2216                    );
> 2217            printf("MAC %pM\n", pdata->enetaddr);
> 2218
>>>>     CID 501791:    (DEADCODE)
>>>>     Execution cannot reach the expression "rndis" inside this
> statement: "if (cdc || rndis)
>   printf(...".
> 2219            if (cdc || rndis)
> 2220                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
> 2221                            dev->host_mac[0], dev->host_mac[1],
> 2222                            dev->host_mac[2], dev->host_mac[3],
> 2223                            dev->host_mac[4], dev->host_mac[5]);
> 2224
> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
> 2104                    device_desc.bNumConfigurations = 2;
> 2105
> 2106            if (gadget_is_dualspeed(gadget)) {
> 2107                    if (rndis)
> 2108                            dev_qualifier.bNumConfigurations = 2;
> 2109                    else if (!cdc)
>>>>     CID 501791:    (DEADCODE)
>>>>     Execution cannot reach this statement: "dev_qualifier.bDeviceClass
> ...".
> 2110                            dev_qualifier.bDeviceClass =
> USB_CLASS_VENDOR_SPEC;
> 2111
> 2112                    /* assumes ep0 uses the same value for both speeds
> ... */
> 2113                    dev_qualifier.bMaxPacketSize0 =
> device_desc.bMaxPacketSize0;
> 2114
> 2115                    /* and that all endpoints are dual-speed */
> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
> 2065
> 2066     #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
> 2067            /*
> 2068             * CDC Ethernet control interface doesn't require a status
> endpoint.
> 2069             * Since some hosts expect one, try to allocate one anyway.
> 2070             */
>>>>     CID 501791:    (DEADCODE)
>>>>     Execution cannot reach the expression "rndis" inside this
> statement: "if (cdc || rndis) {
>   statu...".
> 2071            if (cdc || rndis) {
> 2072                    status_ep = usb_ep_autoconfig(gadget,
> &fs_status_desc);
> 2073                    if (status_ep) {
> 2074                            status_ep->driver_data = status_ep;     /*
> claim */
> 2075                    } else if (rndis) {
> 2076                            pr_err("can't run RNDIS on %s",
> gadget->name);
> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
> 2083                    }
> 2084            }
> 2085     #endif
> 2086
> 2087            /* one config:  cdc, else minimal subset */
> 2088            if (!cdc) {
>>>>     CID 501791:    (DEADCODE)
>>>>     Execution cannot reach this statement: "eth_config.bNumInterfaces =
> 1;".
> 2089                    eth_config.bNumInterfaces = 1;
> 2090                    eth_config.iConfiguration = STRING_SUBSET;
> 2091
> 2092                    /*
> 2093                     * use functions to set these up, in case we're
> built to work
> 2094                     * with multiple controllers and must override CDC
> Ethernet.
>
> ** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
> /cmd/bcb.c: 175 in __bcb_initialize()
>
>
> ________________________________________________________________________________________________________
> *** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
> /cmd/bcb.c: 175 in __bcb_initialize()
> 169                     }
> 170             }
> 171
> 172             return CMD_RET_SUCCESS;
> 173
> 174     err_read_fail:
>>>>     CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>>     Dereferencing null pointer "block".
> 175             printf("Error: %d %d:%s read failed (%d)\n",
> block->uclass_id,
> 176                    block->devnum, partition->name, ret);
> 177             __bcb_reset();
> 178             return CMD_RET_FAILURE;
> 179     }
> 180

This probably deserves to be addressed. I don't know if Dmitrii is actively
watching the list so I'll study this in more detail and send a fix if appropriate.

>
> ** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>
>
> ________________________________________________________________________________________________________
> *** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
> 35      memset(response, 0, sizeof(response));
> 36
> 37      ret = tpm2_get_pcr_info(dev, &pcrs);
> 38      if (ret)
> 39              return ret;
> 40
>>>>     CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>>     Using tainted variable "pcrs.count" as a loop boundary.
> 41      for (i = 0; i < pcrs.count; i++) {
> 42              u32 hash_mask =
> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
> 43
> 44              if (hash_mask) {
> 45                      *supported_pcr |= hash_mask;
> 46                      if (tpm2_is_active_pcr(&pcrs.selection[i]))
>
> ** CID 501788:  Memory - corruptions  (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 501788:  Memory - corruptions  (OVERRUN)
> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
> 652                                bool error)
> 653     {
> 654             u32 event = error ? 0x1 : 0xffffffff;
> 655             int i;
> 656
> 657             for (i = 0; i < 8; ++i)
>>>>     CID 501788:  Memory - corruptions  (OVERRUN)
>>>>     Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
> passing it to a function which accesses it at byte offset 63.
> 658                     tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
> sizeof(event),
> 659                                        (const u8 *)&event);
> 660
> 661             if (elog->log)
> 662                     unmap_physmem(elog->log, MAP_NOCACHE);
> 663     }
>
>
>
> ----- End forwarded message -----
>
> -- 
> Tom


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-24  9:21 ` Mattijs Korpershoek
@ 2024-07-24  9:45   ` Heinrich Schuchardt
  2024-07-24  9:56     ` Mattijs Korpershoek
  2024-07-24  9:53   ` Mattijs Korpershoek
  1 sibling, 1 reply; 105+ messages in thread
From: Heinrich Schuchardt @ 2024-07-24  9:45 UTC (permalink / raw)
  To: Mattijs Korpershoek
  Cc: Tom Rini, u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev

On 24.07.24 11:21, Mattijs Korpershoek wrote:
> Hi Tom,
>
> Thank you for the report.
>
> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>
>> Here's the latest report.
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Jul 22, 2024, 8:07 PM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das U-Boot
>> found with Coverity Scan.
>>
>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 8 of 8 defect(s)
>>
>>
>> ** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>> 90      if (!is_android_boot_image_header(buf)) {
>> 91              free(buf);
>> 92              return log_msg_ret("header", -ENOENT);
>> 93      }
>> 94
>> 95      priv->header_version = ((struct andr_boot_img_hdr_v0
>> *)buf)->header_version;
>>>>>      CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>>>      Passing tainted expression "*buf" to "dlfree", which uses it as an
>> offset.
>
> scan_boot_part() generates this warning, but scan_vendor_boot_part()
> does not.
> Both functions follow a similar code flow.
>
> The only reason scan_boot_part() generates this warning is the downcast
> into struct andr_boot_img_hdr_v0.
>
> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
> need to be block aligned when calling blk_dread().
>
> Per my understanding, tainted data means it comes from user input (which
> is true for both scan_boot_part() and scan_vendor_boot_part() because
> both read from eMMC, which can be considered "user input").
>
> Since I don't see any particular problem with this code I propose that
> we ignore this warning.

The warning is specifically about invoking free for the buffer that we
have allocated via malloc(). Our implementation of malloc() and free()
stores some meta-information about allocated buffers at a negative
offset and we don't overwrite this area via blk_read().

>
>
>> 96      free(buf);
>> 97
>> 98      return 0;
>> 99     }
>> 100
>> 101     static int scan_vendor_boot_part(struct udevice *blk, struct
>> android_priv *priv)
>>
>> ** CID 501794:  Memory - corruptions  (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501794:  Memory - corruptions  (OVERRUN)
>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>> 634             rc = tcg2_log_prepare_buffer(*dev, elog,
>> ignore_existing_log);
>> 635             if (rc) {
>> 636                     tcg2_measurement_term(*dev, elog, true);
>> 637                     return rc;
>> 638             }
>> 639
>>>>>      CID 501794:  Memory - corruptions  (OVERRUN)
>>>>>      Overrunning array "version_string" of 50 bytes by passing it to a
>> function which accesses it at byte offset 63.
>> 640             rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>> 641                                     strlen(version_string) + 1,
>> 642                                     (u8 *)version_string);
>> 643             if (rc) {
>> 644                     tcg2_measurement_term(*dev, elog, true);
>> 645                     return rc;
>>
>> ** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>> 903             int rc;
>> 904
>> 905             rc = tpm2_get_pcr_info(dev, &pcrs);
>> 906             if (rc)
>> 907                     return false;
>> 908
>>>>>      CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>>>      Using tainted variable "pcrs.count" as a loop boundary.
>> 909             for (i = 0; i < pcrs.count; i++) {
>> 910                     if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>> 911                         !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>> 912                             return false;
>> 913             }
>> 914
>> 915             return true;
>>
>> ** CID 501792:  Control flow issues  (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501792:  Control flow issues  (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>> 131             if (fdt_dp) {
>> 132                     struct efi_device_path *tmp_dp = *dp;
>> 133
>> 134                     *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>> 135                     efi_free_pool(tmp_dp);
>> 136                     if (!dp)
>>>>>      CID 501792:  Control flow issues  (DEADCODE)
>>>>>      Execution cannot reach this statement: "return
>> 9223372036854775817UL;".
>> 137                             return EFI_OUT_OF_RESOURCES;
>> 138                     *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>> 139             }
>> 140
>> 141             *dp_size += sizeof(END);
>> 142
>>
>> ** CID 501791:    (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501791:    (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> 2213                    out_ep->name, in_ep->name,
>> 2214                    status_ep ? " STATUS " : "",
>> 2215                    status_ep ? status_ep->name : ""
>> 2216                    );
>> 2217            printf("MAC %pM\n", pdata->enetaddr);
>> 2218
>>>>>      CID 501791:    (DEADCODE)
>>>>>      Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis)
>>    printf(...".
>> 2219            if (cdc || rndis)
>> 2220                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>> 2221                            dev->host_mac[0], dev->host_mac[1],
>> 2222                            dev->host_mac[2], dev->host_mac[3],
>> 2223                            dev->host_mac[4], dev->host_mac[5]);
>> 2224
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> 2104                    device_desc.bNumConfigurations = 2;
>> 2105
>> 2106            if (gadget_is_dualspeed(gadget)) {
>> 2107                    if (rndis)
>> 2108                            dev_qualifier.bNumConfigurations = 2;
>> 2109                    else if (!cdc)
>>>>>      CID 501791:    (DEADCODE)
>>>>>      Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>> ...".
>> 2110                            dev_qualifier.bDeviceClass =
>> USB_CLASS_VENDOR_SPEC;
>> 2111
>> 2112                    /* assumes ep0 uses the same value for both speeds
>> ... */
>> 2113                    dev_qualifier.bMaxPacketSize0 =
>> device_desc.bMaxPacketSize0;
>> 2114
>> 2115                    /* and that all endpoints are dual-speed */
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> 2065
>> 2066     #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>> 2067            /*
>> 2068             * CDC Ethernet control interface doesn't require a status
>> endpoint.
>> 2069             * Since some hosts expect one, try to allocate one anyway.
>> 2070             */
>>>>>      CID 501791:    (DEADCODE)
>>>>>      Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis) {
>>    statu...".
>> 2071            if (cdc || rndis) {
>> 2072                    status_ep = usb_ep_autoconfig(gadget,
>> &fs_status_desc);
>> 2073                    if (status_ep) {
>> 2074                            status_ep->driver_data = status_ep;     /*
>> claim */
>> 2075                    } else if (rndis) {
>> 2076                            pr_err("can't run RNDIS on %s",
>> gadget->name);
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>> 2083                    }
>> 2084            }
>> 2085     #endif
>> 2086
>> 2087            /* one config:  cdc, else minimal subset */
>> 2088            if (!cdc) {
>>>>>      CID 501791:    (DEADCODE)
>>>>>      Execution cannot reach this statement: "eth_config.bNumInterfaces =
>> 1;".
>> 2089                    eth_config.bNumInterfaces = 1;
>> 2090                    eth_config.iConfiguration = STRING_SUBSET;
>> 2091
>> 2092                    /*
>> 2093                     * use functions to set these up, in case we're
>> built to work
>> 2094                     * with multiple controllers and must override CDC
>> Ethernet.
>>
>> ** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>> 169                     }
>> 170             }
>> 171
>> 172             return CMD_RET_SUCCESS;
>> 173
>> 174     err_read_fail:
>>>>>      CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>>>      Dereferencing null pointer "block".
>> 175             printf("Error: %d %d:%s read failed (%d)\n",
>> block->uclass_id,
>> 176                    block->devnum, partition->name, ret);
>> 177             __bcb_reset();
>> 178             return CMD_RET_FAILURE;
>> 179     }
>> 180
>
> This probably deserves to be addressed. I don't know if Dmitrii is actively
> watching the list so I'll study this in more detail and send a fix if appropriate.

If blk_get_dev() returns NULL, we should write a message like "No such
device" and return CMD_RET_FAILURE immediately.

Please, use log_err() for writing error messages. We don't need "Error:"
at the beginning of error messages.

Best regards

Heinrich

>
>>
>> ** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>> 35      memset(response, 0, sizeof(response));
>> 36
>> 37      ret = tpm2_get_pcr_info(dev, &pcrs);
>> 38      if (ret)
>> 39              return ret;
>> 40
>>>>>      CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>>>      Using tainted variable "pcrs.count" as a loop boundary.
>> 41      for (i = 0; i < pcrs.count; i++) {
>> 42              u32 hash_mask =
>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>> 43
>> 44              if (hash_mask) {
>> 45                      *supported_pcr |= hash_mask;
>> 46                      if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>
>> ** CID 501788:  Memory - corruptions  (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501788:  Memory - corruptions  (OVERRUN)
>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>> 652                                bool error)
>> 653     {
>> 654             u32 event = error ? 0x1 : 0xffffffff;
>> 655             int i;
>> 656
>> 657             for (i = 0; i < 8; ++i)
>>>>>      CID 501788:  Memory - corruptions  (OVERRUN)
>>>>>      Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>> passing it to a function which accesses it at byte offset 63.
>> 658                     tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>> sizeof(event),
>> 659                                        (const u8 *)&event);
>> 660
>> 661             if (elog->log)
>> 662                     unmap_physmem(elog->log, MAP_NOCACHE);
>> 663     }
>>
>>
>>
>> ----- End forwarded message -----
>>
>> --
>> Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-24  9:21 ` Mattijs Korpershoek
  2024-07-24  9:45   ` Heinrich Schuchardt
@ 2024-07-24  9:53   ` Mattijs Korpershoek
  1 sibling, 0 replies; 105+ messages in thread
From: Mattijs Korpershoek @ 2024-07-24  9:53 UTC (permalink / raw)
  To: Tom Rini, u-boot, Ilias Apalodimas, Heinrich Schuchardt,
	Marek Vasut, Dmitrii Merkurev

On mer., juil. 24, 2024 at 11:21, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:

> Hi Tom,
>
> Thank you for the report.
>
> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>
>> Here's the latest report.
>>
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Jul 22, 2024, 8:07 PM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das U-Boot
>> found with Coverity Scan.
>>
>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 8 of 8 defect(s)
>>
>>
>> ** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>> 90      if (!is_android_boot_image_header(buf)) {
>> 91              free(buf);
>> 92              return log_msg_ret("header", -ENOENT);
>> 93      }
>> 94
>> 95      priv->header_version = ((struct andr_boot_img_hdr_v0
>> *)buf)->header_version;
>>>>>     CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>>>     Passing tainted expression "*buf" to "dlfree", which uses it as an
>> offset.
>
> scan_boot_part() generates this warning, but scan_vendor_boot_part()
> does not.
> Both functions follow a similar code flow.
>
> The only reason scan_boot_part() generates this warning is the
> downcast into struct andr_boot_img_hdr_v0.
>
> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
> need to be block aligned when calling blk_dread().
>
> Per my understanding, tainted data means it comes from user input (which
> is true for both scan_boot_part() and scan_vendor_boot_part() because
> both read from eMMC, which can be considered "user input").
>
> Since I don't see any particular problem with this code I propose that
> we ignore this warning.
>
>
>> 96      free(buf);
>> 97
>> 98      return 0;
>> 99     }
>> 100
>> 101     static int scan_vendor_boot_part(struct udevice *blk, struct
>> android_priv *priv)
>>
>> ** CID 501794:  Memory - corruptions  (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501794:  Memory - corruptions  (OVERRUN)
>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>> 634             rc = tcg2_log_prepare_buffer(*dev, elog,
>> ignore_existing_log);
>> 635             if (rc) {
>> 636                     tcg2_measurement_term(*dev, elog, true);
>> 637                     return rc;
>> 638             }
>> 639
>>>>>     CID 501794:  Memory - corruptions  (OVERRUN)
>>>>>     Overrunning array "version_string" of 50 bytes by passing it to a
>> function which accesses it at byte offset 63.
>> 640             rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>> 641                                     strlen(version_string) + 1,
>> 642                                     (u8 *)version_string);
>> 643             if (rc) {
>> 644                     tcg2_measurement_term(*dev, elog, true);
>> 645                     return rc;
>>
>> ** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>> 903             int rc;
>> 904
>> 905             rc = tpm2_get_pcr_info(dev, &pcrs);
>> 906             if (rc)
>> 907                     return false;
>> 908
>>>>>     CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>>>     Using tainted variable "pcrs.count" as a loop boundary.
>> 909             for (i = 0; i < pcrs.count; i++) {
>> 910                     if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>> 911                         !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>> 912                             return false;
>> 913             }
>> 914
>> 915             return true;
>>
>> ** CID 501792:  Control flow issues  (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501792:  Control flow issues  (DEADCODE)
>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>> 131             if (fdt_dp) {
>> 132                     struct efi_device_path *tmp_dp = *dp;
>> 133
>> 134                     *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>> 135                     efi_free_pool(tmp_dp);
>> 136                     if (!dp)
>>>>>     CID 501792:  Control flow issues  (DEADCODE)
>>>>>     Execution cannot reach this statement: "return
>> 9223372036854775817UL;".
>> 137                             return EFI_OUT_OF_RESOURCES;
>> 138                     *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>> 139             }
>> 140
>> 141             *dp_size += sizeof(END);
>> 142
>>
>> ** CID 501791:    (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501791:    (DEADCODE)
>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>> 2213                    out_ep->name, in_ep->name,
>> 2214                    status_ep ? " STATUS " : "",
>> 2215                    status_ep ? status_ep->name : ""
>> 2216                    );
>> 2217            printf("MAC %pM\n", pdata->enetaddr);
>> 2218
>>>>>     CID 501791:    (DEADCODE)
>>>>>     Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis)
>>   printf(...".
>> 2219            if (cdc || rndis)
>> 2220                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>> 2221                            dev->host_mac[0], dev->host_mac[1],
>> 2222                            dev->host_mac[2], dev->host_mac[3],
>> 2223                            dev->host_mac[4], dev->host_mac[5]);
>> 2224
>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>> 2104                    device_desc.bNumConfigurations = 2;
>> 2105
>> 2106            if (gadget_is_dualspeed(gadget)) {
>> 2107                    if (rndis)
>> 2108                            dev_qualifier.bNumConfigurations = 2;
>> 2109                    else if (!cdc)
>>>>>     CID 501791:    (DEADCODE)
>>>>>     Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>> ...".
>> 2110                            dev_qualifier.bDeviceClass =
>> USB_CLASS_VENDOR_SPEC;
>> 2111
>> 2112                    /* assumes ep0 uses the same value for both speeds
>> ... */
>> 2113                    dev_qualifier.bMaxPacketSize0 =
>> device_desc.bMaxPacketSize0;
>> 2114
>> 2115                    /* and that all endpoints are dual-speed */
>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>> 2065
>> 2066     #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>> 2067            /*
>> 2068             * CDC Ethernet control interface doesn't require a status
>> endpoint.
>> 2069             * Since some hosts expect one, try to allocate one anyway.
>> 2070             */
>>>>>     CID 501791:    (DEADCODE)
>>>>>     Execution cannot reach the expression "rndis" inside this
>> statement: "if (cdc || rndis) {
>>   statu...".
>> 2071            if (cdc || rndis) {
>> 2072                    status_ep = usb_ep_autoconfig(gadget,
>> &fs_status_desc);
>> 2073                    if (status_ep) {
>> 2074                            status_ep->driver_data = status_ep;     /*
>> claim */
>> 2075                    } else if (rndis) {
>> 2076                            pr_err("can't run RNDIS on %s",
>> gadget->name);
>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>> 2083                    }
>> 2084            }
>> 2085     #endif
>> 2086
>> 2087            /* one config:  cdc, else minimal subset */
>> 2088            if (!cdc) {
>>>>>     CID 501791:    (DEADCODE)
>>>>>     Execution cannot reach this statement: "eth_config.bNumInterfaces =
>> 1;".
>> 2089                    eth_config.bNumInterfaces = 1;
>> 2090                    eth_config.iConfiguration = STRING_SUBSET;
>> 2091
>> 2092                    /*
>> 2093                     * use functions to set these up, in case we're
>> built to work
>> 2094                     * with multiple controllers and must override CDC
>> Ethernet.
>>
>> ** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>> /cmd/bcb.c: 175 in __bcb_initialize()
>> 169                     }
>> 170             }
>> 171
>> 172             return CMD_RET_SUCCESS;
>> 173
>> 174     err_read_fail:
>>>>>     CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>>>     Dereferencing null pointer "block".
>> 175             printf("Error: %d %d:%s read failed (%d)\n",
>> block->uclass_id,
>> 176                    block->devnum, partition->name, ret);
>> 177             __bcb_reset();
>> 178             return CMD_RET_FAILURE;
>> 179     }
>> 180
>
> This probably deserves to be addressed. I don't know if Dmitrii is actively
> watching the list so I'll study this in more detail and send a fix if appropriate.

Fix submitted here:

https://lore.kernel.org/all/20240724-bcb-crash-v1-1-44caff15bce4@baylibre.com/

>
>>
>> ** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>> 35      memset(response, 0, sizeof(response));
>> 36
>> 37      ret = tpm2_get_pcr_info(dev, &pcrs);
>> 38      if (ret)
>> 39              return ret;
>> 40
>>>>>     CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>>>     Using tainted variable "pcrs.count" as a loop boundary.
>> 41      for (i = 0; i < pcrs.count; i++) {
>> 42              u32 hash_mask =
>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>> 43
>> 44              if (hash_mask) {
>> 45                      *supported_pcr |= hash_mask;
>> 46                      if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>
>> ** CID 501788:  Memory - corruptions  (OVERRUN)
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 501788:  Memory - corruptions  (OVERRUN)
>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>> 652                                bool error)
>> 653     {
>> 654             u32 event = error ? 0x1 : 0xffffffff;
>> 655             int i;
>> 656
>> 657             for (i = 0; i < 8; ++i)
>>>>>     CID 501788:  Memory - corruptions  (OVERRUN)
>>>>>     Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>> passing it to a function which accesses it at byte offset 63.
>> 658                     tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>> sizeof(event),
>> 659                                        (const u8 *)&event);
>> 660
>> 661             if (elog->log)
>> 662                     unmap_physmem(elog->log, MAP_NOCACHE);
>> 663     }
>>
>>
>>
>> ----- End forwarded message -----
>>
>> -- 
>> Tom


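The FORWARD_NULL report on __bcb_initialize() above (CID 501790) is the classic shared-error-label shape: a failed device lookup and a failed read both jump to one label, and that label dereferences the device pointer for its message. The following is an added, self-contained example, not code from cmd/bcb.c or the submitted fix; demo_blk_get_dev(), demo_part_read(), struct demo_blk and the device table are hypothetical stand-ins for U-Boot's blk_get_dev() and partition read. It shows the buggy shape beside the hardened one, where the lookup failure returns before anything can touch a NULL pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_RET_SUCCESS 0
#define CMD_RET_FAILURE 1
#define DEMO_EIO 5
#define DEMO_ENODEV 19

/* Minimal stand-in for U-Boot's block device descriptor (hypothetical). */
struct demo_blk {
	int uclass_id;
	int devnum;
	const char *ifname;
};

/* Constructed device table: only the "mmc" interface exists. */
static struct demo_blk demo_devs[] = {
	{ .uclass_id = 7, .devnum = 0, .ifname = "mmc" },
};

/* Stand-in for blk_get_dev(): NULL when no such interface is present. */
static struct demo_blk *demo_blk_get_dev(const char *ifname)
{
	size_t i;

	for (i = 0; i < sizeof(demo_devs) / sizeof(demo_devs[0]); i++)
		if (!strcmp(demo_devs[i].ifname, ifname))
			return &demo_devs[i];
	return NULL;
}

/* Stand-in for the partition read: only a partition named "misc" reads OK. */
static int demo_part_read(const struct demo_blk *dev, const char *part)
{
	(void)dev;
	return strcmp(part, "misc") == 0 ? 0 : -DEMO_EIO;
}

/*
 * The shape Coverity flagged: lookup failure and read failure share one
 * label, and the label dereferences "block" for its message. When the
 * lookup failed, block is NULL there. Only safe to call for an existing
 * device; kept here as the "before" of the fix.
 */
static int demo_bcb_init_buggy(const char *ifname, const char *part)
{
	struct demo_blk *block;
	int ret = -DEMO_ENODEV;

	block = demo_blk_get_dev(ifname);
	if (!block)
		goto err_read_fail;	/* block == NULL at the label */
	ret = demo_part_read(block, part);
	if (ret)
		goto err_read_fail;
	return CMD_RET_SUCCESS;

err_read_fail:
	printf("Error: %d %d:%s read failed (%d)\n", block->uclass_id,
	       block->devnum, part, ret);
	return CMD_RET_FAILURE;
}

/* Hardened: a failed lookup returns immediately, before block is used. */
static int demo_bcb_init_fixed(const char *ifname, const char *part)
{
	struct demo_blk *block;
	int ret;

	block = demo_blk_get_dev(ifname);
	if (!block) {
		printf("block device %s not found\n", ifname);
		return CMD_RET_FAILURE;
	}
	ret = demo_part_read(block, part);
	if (ret) {
		printf("%d %d:%s read failed (%d)\n", block->uclass_id,
		       block->devnum, part, ret);
		return CMD_RET_FAILURE;
	}
	return CMD_RET_SUCCESS;
}

int main(void)
{
	printf("fixed mmc/misc: %d\n", demo_bcb_init_fixed("mmc", "misc"));
	printf("fixed mmc/boot: %d\n", demo_bcb_init_fixed("mmc", "boot"));
	printf("fixed usb/misc: %d\n", demo_bcb_init_fixed("usb", "misc"));
	return 0;
}
```

The detection heuristic is the same one Coverity applies: any label reached by a goto must be valid for every pointer state at every jump site, so a pointer that may be NULL at one of the jumps must not be dereferenced after the label.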
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-24  9:45   ` Heinrich Schuchardt
@ 2024-07-24  9:56     ` Mattijs Korpershoek
  2024-07-24 10:06       ` Heinrich Schuchardt
  0 siblings, 1 reply; 105+ messages in thread
From: Mattijs Korpershoek @ 2024-07-24  9:56 UTC (permalink / raw)
  To: Heinrich Schuchardt
  Cc: Tom Rini, u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev

Hi Heinrich,

On mer., juil. 24, 2024 at 11:45, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:

> On 24.07.24 11:21, Mattijs Korpershoek wrote:
>> Hi Tom,
>>
>> Thank you for the report.
>>
>> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>>
>>> Here's the latest report.
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Jul 22, 2024, 8:07 PM
>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>> To: <tom.rini@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to Das U-Boot
>>> found with Coverity Scan.
>>>
>>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 8 of 8 defect(s)
>>>
>>>
>>> ** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>>> 90      if (!is_android_boot_image_header(buf)) {
>>> 91              free(buf);
>>> 92              return log_msg_ret("header", -ENOENT);
>>> 93      }
>>> 94
>>> 95      priv->header_version = ((struct andr_boot_img_hdr_v0
>>> *)buf)->header_version;
>>>>>>      CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>>>>      Passing tainted expression "*buf" to "dlfree", which uses it as an
>>> offset.
>>
>> scan_boot_part() generates this warning, but scan_vendor_boot_part()
>> does not.
>> Both functions follow a similar code flow.
>>
>> The only reason scan_boot_part() generates this warning is the
>> downcast into struct andr_boot_img_hdr_v0.
>>
>> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
>> need to be block aligned when calling blk_dread().
>>
>> Per my understanding, tainted data means it comes from user input (which
>> is true for both scan_boot_part() and scan_vendor_boot_part() because
>> both read from eMMC, which can be considered "user input").
>>
>> Since I don't see any particular problem with this code I propose that
>> we ignore this warning.
>
> The warning is specifically about invoking free for the buffer that we
> have allocated via malloc(). Our implementation of malloc() and free()
> stores some meta-information about allocated buffers at a negative
> offset and we don't overwrite this area via blk_read().

Ok, so does that mean that you agree that this code is safe and we don't
need any further action to fix it?

>
>>
>>
>>> 96      free(buf);
>>> 97
>>> 98      return 0;
>>> 99     }
>>> 100
>>> 101     static int scan_vendor_boot_part(struct udevice *blk, struct
>>> android_priv *priv)
>>>
>>> ** CID 501794:  Memory - corruptions  (OVERRUN)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501794:  Memory - corruptions  (OVERRUN)
>>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>>> 634             rc = tcg2_log_prepare_buffer(*dev, elog,
>>> ignore_existing_log);
>>> 635             if (rc) {
>>> 636                     tcg2_measurement_term(*dev, elog, true);
>>> 637                     return rc;
>>> 638             }
>>> 639
>>>>>>      CID 501794:  Memory - corruptions  (OVERRUN)
>>>>>>      Overrunning array "version_string" of 50 bytes by passing it to a
>>> function which accesses it at byte offset 63.
>>> 640             rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>>> 641                                     strlen(version_string) + 1,
>>> 642                                     (u8 *)version_string);
>>> 643             if (rc) {
>>> 644                     tcg2_measurement_term(*dev, elog, true);
>>> 645                     return rc;
>>>
>>> ** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>> 903             int rc;
>>> 904
>>> 905             rc = tpm2_get_pcr_info(dev, &pcrs);
>>> 906             if (rc)
>>> 907                     return false;
>>> 908
>>>>>>      CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>>>>      Using tainted variable "pcrs.count" as a loop boundary.
>>> 909             for (i = 0; i < pcrs.count; i++) {
>>> 910                     if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>>> 911                         !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>>> 912                             return false;
>>> 913             }
>>> 914
>>> 915             return true;
>>>
>>> ** CID 501792:  Control flow issues  (DEADCODE)
>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501792:  Control flow issues  (DEADCODE)
>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>> 131             if (fdt_dp) {
>>> 132                     struct efi_device_path *tmp_dp = *dp;
>>> 133
>>> 134                     *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>>> 135                     efi_free_pool(tmp_dp);
>>> 136                     if (!dp)
>>>>>>      CID 501792:  Control flow issues  (DEADCODE)
>>>>>>      Execution cannot reach this statement: "return
>>> 9223372036854775817UL;".
>>> 137                             return EFI_OUT_OF_RESOURCES;
>>> 138                     *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>>> 139             }
>>> 140
>>> 141             *dp_size += sizeof(END);
>>> 142
>>>
>>> ** CID 501791:    (DEADCODE)
>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501791:    (DEADCODE)
>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>> 2213                    out_ep->name, in_ep->name,
>>> 2214                    status_ep ? " STATUS " : "",
>>> 2215                    status_ep ? status_ep->name : ""
>>> 2216                    );
>>> 2217            printf("MAC %pM\n", pdata->enetaddr);
>>> 2218
>>>>>>      CID 501791:    (DEADCODE)
>>>>>>      Execution cannot reach the expression "rndis" inside this
>>> statement: "if (cdc || rndis)
>>>    printf(...".
>>> 2219            if (cdc || rndis)
>>> 2220                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>>> 2221                            dev->host_mac[0], dev->host_mac[1],
>>> 2222                            dev->host_mac[2], dev->host_mac[3],
>>> 2223                            dev->host_mac[4], dev->host_mac[5]);
>>> 2224
>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>> 2104                    device_desc.bNumConfigurations = 2;
>>> 2105
>>> 2106            if (gadget_is_dualspeed(gadget)) {
>>> 2107                    if (rndis)
>>> 2108                            dev_qualifier.bNumConfigurations = 2;
>>> 2109                    else if (!cdc)
>>>>>>      CID 501791:    (DEADCODE)
>>>>>>      Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>>> ...".
>>> 2110                            dev_qualifier.bDeviceClass =
>>> USB_CLASS_VENDOR_SPEC;
>>> 2111
>>> 2112                    /* assumes ep0 uses the same value for both speeds
>>> ... */
>>> 2113                    dev_qualifier.bMaxPacketSize0 =
>>> device_desc.bMaxPacketSize0;
>>> 2114
>>> 2115                    /* and that all endpoints are dual-speed */
>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>> 2065
>>> 2066     #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>>> 2067            /*
>>> 2068             * CDC Ethernet control interface doesn't require a status
>>> endpoint.
>>> 2069             * Since some hosts expect one, try to allocate one anyway.
>>> 2070             */
>>>>>>      CID 501791:    (DEADCODE)
>>>>>>      Execution cannot reach the expression "rndis" inside this
>>> statement: "if (cdc || rndis) {
>>>    statu...".
>>> 2071            if (cdc || rndis) {
>>> 2072                    status_ep = usb_ep_autoconfig(gadget,
>>> &fs_status_desc);
>>> 2073                    if (status_ep) {
>>> 2074                            status_ep->driver_data = status_ep;     /*
>>> claim */
>>> 2075                    } else if (rndis) {
>>> 2076                            pr_err("can't run RNDIS on %s",
>>> gadget->name);
>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>> 2083                    }
>>> 2084            }
>>> 2085     #endif
>>> 2086
>>> 2087            /* one config:  cdc, else minimal subset */
>>> 2088            if (!cdc) {
>>>>>>      CID 501791:    (DEADCODE)
>>>>>>      Execution cannot reach this statement: "eth_config.bNumInterfaces =
>>> 1;".
>>> 2089                    eth_config.bNumInterfaces = 1;
>>> 2090                    eth_config.iConfiguration = STRING_SUBSET;
>>> 2091
>>> 2092                    /*
>>> 2093                     * use functions to set these up, in case we're
>>> built to work
>>> 2094                     * with multiple controllers and must override CDC
>>> Ethernet.
>>>
>>> ** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>> 169                     }
>>> 170             }
>>> 171
>>> 172             return CMD_RET_SUCCESS;
>>> 173
>>> 174     err_read_fail:
>>>>>>      CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>>>>      Dereferencing null pointer "block".
>>> 175             printf("Error: %d %d:%s read failed (%d)\n",
>>> block->uclass_id,
>>> 176                    block->devnum, partition->name, ret);
>>> 177             __bcb_reset();
>>> 178             return CMD_RET_FAILURE;
>>> 179     }
>>> 180
>>
>> This probably deserves to be addressed. I don't know if Dmitrii is actively
>> watching the list so I'll study this in more detail and send a fix if appropriate.
>
> If blk_get_dev() returns NULL, we should write a message like "No such
> device" and return CMD_RET_FAILURE immediately.

Yes, thank you, I've submitted a fix:

https://lore.kernel.org/all/20240724-bcb-crash-v1-1-44caff15bce4@baylibre.com/


>
> Please, use log_err() for writing error messages. We don't need "Error:"
> at the beginning of error messages.

Is log_err() also the preferred way for commands? Since they are
interactive, it seems odd to have an "optional" message.

If it is, I'll convert the whole file in a separate, future patch.

>
> Best regards
>
> Heinrich
>
>>
>>>
>>> ** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>> 35      memset(response, 0, sizeof(response));
>>> 36
>>> 37      ret = tpm2_get_pcr_info(dev, &pcrs);
>>> 38      if (ret)
>>> 39              return ret;
>>> 40
>>>>>>      CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>>>>      Using tainted variable "pcrs.count" as a loop boundary.
>>> 41      for (i = 0; i < pcrs.count; i++) {
>>> 42              u32 hash_mask =
>>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>>> 43
>>> 44              if (hash_mask) {
>>> 45                      *supported_pcr |= hash_mask;
>>> 46                      if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>>
>>> ** CID 501788:  Memory - corruptions  (OVERRUN)
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 501788:  Memory - corruptions  (OVERRUN)
>>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>>> 652                                bool error)
>>> 653     {
>>> 654             u32 event = error ? 0x1 : 0xffffffff;
>>> 655             int i;
>>> 656
>>> 657             for (i = 0; i < 8; ++i)
>>>>>>      CID 501788:  Memory - corruptions  (OVERRUN)
>>>>>>      Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>>> passing it to a function which accesses it at byte offset 63.
>>> 658                     tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>>> sizeof(event),
>>> 659                                        (const u8 *)&event);
>>> 660
>>> 661             if (elog->log)
>>> 662                     unmap_physmem(elog->log, MAP_NOCACHE);
>>> 663     }
>>>
>>>
>>>
>>> ----- End forwarded message -----
>>>
>>> --
>>> Tom


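Heinrich's point about CID 501795 is that free() only consults allocator metadata stored at a negative offset from the pointer handed out, and a block read fills bytes at offsets zero and upward, so device data cannot reach that header. The following added example (not U-Boot code; demo_malloc(), demo_free(), demo_blk_dread(), demo_scan() and the arena layout are hypothetical, a deliberately tiny model of a dlmalloc-style chunk header) makes the layout concrete, and goes one step beyond the thread by also showing the condition that actually matters: a read bounded by the allocation size leaves every header intact, while an unbounded one walks into the next chunk's header.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BLKSZ 512UL
#define DEMO_MAGIC 0xC0FFEE5AUL

/* Chunk header the toy allocator keeps immediately below the user pointer. */
struct demo_hdr {
	unsigned long magic;
	size_t size;
};

/* Bump allocator over a static arena, so an overrun stays observable. */
static _Alignas(16) uint8_t demo_arena[4096];
static size_t demo_top;

static void demo_reset(void)
{
	memset(demo_arena, 0, sizeof(demo_arena));
	demo_top = 0;
}

static void *demo_malloc(size_t size)
{
	size_t need = (sizeof(struct demo_hdr) + size + 15) & ~(size_t)15;
	struct demo_hdr *h;

	if (demo_top + need > sizeof(demo_arena))
		return NULL;
	h = (struct demo_hdr *)(demo_arena + demo_top);
	demo_top += need;
	h->magic = DEMO_MAGIC;
	h->size = size;
	return h + 1;		/* user pointer; the header sits at a negative offset */
}

/* Like free(): reads the header below ptr. Returns false if it was corrupted. */
static bool demo_free(void *ptr)
{
	struct demo_hdr *h = (struct demo_hdr *)ptr - 1;

	return h->magic == DEMO_MAGIC;
}

/* Stand-in for blk_dread(): fills blkcnt blocks from buf upward. */
static unsigned long demo_blk_dread(unsigned long blkcnt, void *buf)
{
	memset(buf, 0xA5, blkcnt * DEMO_BLKSZ);	/* constructed device contents */
	return blkcnt;
}

/*
 * Mimic scan_boot_part(): allocate, read, look at a field, free.
 * Returns 0 when both allocator headers survive, 1 when the read ran into
 * the neighbouring chunk's header, 2 when the size check refused the read,
 * 3 when the arena is exhausted, 4 if the header below buf was damaged
 * (which a forward read cannot do).
 */
static int demo_scan(unsigned long blkcnt, size_t alloc_size, bool check_size)
{
	uint8_t *buf, *next;
	uint8_t first;

	demo_reset();
	buf = demo_malloc(alloc_size);
	next = demo_malloc(64);		/* its header follows buf's data directly */
	if (!buf || !next)
		return 3;
	if (check_size && blkcnt * DEMO_BLKSZ > alloc_size)
		return 2;		/* the invariant that keeps free() safe */
	demo_blk_dread(blkcnt, buf);
	first = buf[0];			/* "tainted" byte from the device */
	(void)first;
	if (!demo_free(buf))
		return 4;
	return demo_free(next) ? 0 : 1;
}

int main(void)
{
	printf("bounded read:   %d\n", demo_scan(1, 512, true));
	printf("refused read:   %d\n", demo_scan(2, 512, true));
	printf("unbounded read: %d\n", demo_scan(2, 512, false));
	return 0;
}
```

The byte the scanner calls tainted is buf[0], read from the device; free() never looks at it, only at the header below buf, which no forward write can touch. What a reviewer should verify instead is that the number of blocks read is derived from the allocation size and not from on-disk data.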
* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-24  9:56     ` Mattijs Korpershoek
@ 2024-07-24 10:06       ` Heinrich Schuchardt
  2024-07-24 22:40         ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Heinrich Schuchardt @ 2024-07-24 10:06 UTC (permalink / raw)
  To: Mattijs Korpershoek
  Cc: Tom Rini, u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev
Am 24. Juli 2024 11:56:17 MESZ schrieb Mattijs Korpershoek <mkorpershoek@baylibre.com>:
>Hi Heinrich,
>
>On mer., juil. 24, 2024 at 11:45, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
>> On 24.07.24 11:21, Mattijs Korpershoek wrote:
>>> Hi Tom,
>>>
>>> Thank you for the report.
>>>
>>> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
>>>
>>>> Here's the latest report.
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: <scan-admin@coverity.com>
>>>> Date: Mon, Jul 22, 2024, 8:07 PM
>>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>>> To: <tom.rini@gmail.com>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> Please find the latest report on new defect(s) introduced to Das U-Boot
>>>> found with Coverity Scan.
>>>>
>>>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>>> recent build analyzed by Coverity Scan.
>>>>
>>>> New defect(s) Reported-by: Coverity Scan
>>>> Showing 8 of 8 defect(s)
>>>>
>>>>
>>>> ** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>> /boot/bootmeth_android.c: 96 in scan_boot_part()
>>>> 90      if (!is_android_boot_image_header(buf)) {
>>>> 91              free(buf);
>>>> 92              return log_msg_ret("header", -ENOENT);
>>>> 93      }
>>>> 94
>>>> 95      priv->header_version = ((struct andr_boot_img_hdr_v0
>>>> *)buf)->header_version;
>>>>>>>      CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>>>>>      Passing tainted expression "*buf" to "dlfree", which uses it as an
>>>> offset.
>>>
>>> scan_boot_part() generates this warning, but scan_vendor_boot_part()
>>> does not.
>>> Both functions follow a similar code flow.
>>>
>>> The only reason scan_boot_part() generates this warning is the
>>> downcast into struct andr_boot_img_hdr_v0.
>>>
>>> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
>>> need to be block aligned when calling blk_dread().
>>>
>>> Per my understanding, tainted data means it comes from user input (which
>>> is true for both scan_boot_part() and scan_vendor_boot_part() because
>>> both read from eMMC, which can be considered "user input").
>>>
>>> Since I don't see any particular problem with this code I propose that
>>> we ignore this warning.
>>
>> The warning is specifically about invoking free for the buffer that we
>> have allocated via malloc(). Our implementation of malloc() and free()
>> stores some meta-information about allocated buffers at a negative
>> offset and we don't overwrite this area via blk_read().
>
>Ok, so does that mean that you agree that this code is safe and we don't
>need any further action to fix it?

No fix needed.

Tom just needs to mark it in Coverity as "intended".

>
>>
>>>
>>>
>>>> 96      free(buf);
>>>> 97
>>>> 98      return 0;
>>>> 99     }
>>>> 100
>>>> 101     static int scan_vendor_boot_part(struct udevice *blk, struct
>>>> android_priv *priv)
>>>>
>>>> ** CID 501794:  Memory - corruptions  (OVERRUN)
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501794:  Memory - corruptions  (OVERRUN)
>>>> /lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
>>>> 634             rc = tcg2_log_prepare_buffer(*dev, elog,
>>>> ignore_existing_log);
>>>> 635             if (rc) {
>>>> 636                     tcg2_measurement_term(*dev, elog, true);
>>>> 637                     return rc;
>>>> 638             }
>>>> 639
>>>>>>>      CID 501794:  Memory - corruptions  (OVERRUN)
>>>>>>>      Overrunning array "version_string" of 50 bytes by passing it to a
>>>> function which accesses it at byte offset 63.
>>>> 640             rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
>>>> 641                                     strlen(version_string) + 1,
>>>> 642                                     (u8 *)version_string);
>>>> 643             if (rc) {
>>>> 644                     tcg2_measurement_term(*dev, elog, true);
>>>> 645                     return rc;
>>>>
>>>> ** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>> /lib/tpm-v2.c: 909 in tpm2_allow_extend()
>>>> 903             int rc;
>>>> 904
>>>> 905             rc = tpm2_get_pcr_info(dev, &pcrs);
>>>> 906             if (rc)
>>>> 907                     return false;
>>>> 908
>>>>>>>      CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>>>>>      Using tainted variable "pcrs.count" as a loop boundary.
>>>> 909             for (i = 0; i < pcrs.count; i++) {
>>>> 910                     if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
>>>> 911                         !tpm2_algorithm_to_len(pcrs.selection[i].hash))
>>>> 912                             return false;
>>>> 913             }
>>>> 914
>>>> 915             return true;
>>>>
>>>> ** CID 501792:  Control flow issues  (DEADCODE)
>>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501792:  Control flow issues  (DEADCODE)
>>>> /lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
>>>> 131             if (fdt_dp) {
>>>> 132                     struct efi_device_path *tmp_dp = *dp;
>>>> 133
>>>> 134                     *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
>>>> 135                     efi_free_pool(tmp_dp);
>>>> 136                     if (!dp)
>>>>>>>      CID 501792:  Control flow issues  (DEADCODE)
>>>>>>>      Execution cannot reach this statement: "return
>>>> 9223372036854775817UL;".
>>>> 137                             return EFI_OUT_OF_RESOURCES;
>>>> 138                     *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
>>>> 139             }
>>>> 140
>>>> 141             *dp_size += sizeof(END);
>>>> 142
>>>>
>>>> ** CID 501791:    (DEADCODE)
>>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501791:    (DEADCODE)
>>>> /drivers/usb/gadget/ether.c: 2219 in eth_bind()
>>>> 2213                    out_ep->name, in_ep->name,
>>>> 2214                    status_ep ? " STATUS " : "",
>>>> 2215                    status_ep ? status_ep->name : ""
>>>> 2216                    );
>>>> 2217            printf("MAC %pM\n", pdata->enetaddr);
>>>> 2218
>>>>>>>      CID 501791:    (DEADCODE)
>>>>>>>      Execution cannot reach the expression "rndis" inside this
>>>> statement: "if (cdc || rndis)
>>>>    printf(...".
>>>> 2219            if (cdc || rndis)
>>>> 2220                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
>>>> 2221                            dev->host_mac[0], dev->host_mac[1],
>>>> 2222                            dev->host_mac[2], dev->host_mac[3],
>>>> 2223                            dev->host_mac[4], dev->host_mac[5]);
>>>> 2224
>>>> /drivers/usb/gadget/ether.c: 2110 in eth_bind()
>>>> 2104                    device_desc.bNumConfigurations = 2;
>>>> 2105
>>>> 2106            if (gadget_is_dualspeed(gadget)) {
>>>> 2107                    if (rndis)
>>>> 2108                            dev_qualifier.bNumConfigurations = 2;
>>>> 2109                    else if (!cdc)
>>>>>>>      CID 501791:    (DEADCODE)
>>>>>>>      Execution cannot reach this statement: "dev_qualifier.bDeviceClass
>>>> ...".
>>>> 2110                            dev_qualifier.bDeviceClass =
>>>> USB_CLASS_VENDOR_SPEC;
>>>> 2111
>>>> 2112                    /* assumes ep0 uses the same value for both speeds
>>>> ... */
>>>> 2113                    dev_qualifier.bMaxPacketSize0 =
>>>> device_desc.bMaxPacketSize0;
>>>> 2114
>>>> 2115                    /* and that all endpoints are dual-speed */
>>>> /drivers/usb/gadget/ether.c: 2071 in eth_bind()
>>>> 2065
>>>> 2066     #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
>>>> 2067            /*
>>>> 2068             * CDC Ethernet control interface doesn't require a status
>>>> endpoint.
>>>> 2069             * Since some hosts expect one, try to allocate one anyway.
>>>> 2070             */
>>>>>>>      CID 501791:    (DEADCODE)
>>>>>>>      Execution cannot reach the expression "rndis" inside this
>>>> statement: "if (cdc || rndis) {
>>>>    statu...".
>>>> 2071            if (cdc || rndis) {
>>>> 2072                    status_ep = usb_ep_autoconfig(gadget,
>>>> &fs_status_desc);
>>>> 2073                    if (status_ep) {
>>>> 2074                            status_ep->driver_data = status_ep;     /*
>>>> claim */
>>>> 2075                    } else if (rndis) {
>>>> 2076                            pr_err("can't run RNDIS on %s",
>>>> gadget->name);
>>>> /drivers/usb/gadget/ether.c: 2089 in eth_bind()
>>>> 2083                    }
>>>> 2084            }
>>>> 2085     #endif
>>>> 2086
>>>> 2087            /* one config:  cdc, else minimal subset */
>>>> 2088            if (!cdc) {
>>>>>>>      CID 501791:    (DEADCODE)
>>>>>>>      Execution cannot reach this statement: "eth_config.bNumInterfaces =
>>>> 1;".
>>>> 2089                    eth_config.bNumInterfaces = 1;
>>>> 2090                    eth_config.iConfiguration = STRING_SUBSET;
>>>> 2091
>>>> 2092                    /*
>>>> 2093                     * use functions to set these up, in case we're
>>>> built to work
>>>> 2094                     * with multiple controllers and must override CDC
>>>> Ethernet.
>>>>
>>>> ** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>> /cmd/bcb.c: 175 in __bcb_initialize()
>>>> 169                     }
>>>> 170             }
>>>> 171
>>>> 172             return CMD_RET_SUCCESS;
>>>> 173
>>>> 174     err_read_fail:
>>>>>>>      CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>>>>>      Dereferencing null pointer "block".
>>>> 175             printf("Error: %d %d:%s read failed (%d)\n",
>>>> block->uclass_id,
>>>> 176                    block->devnum, partition->name, ret);
>>>> 177             __bcb_reset();
>>>> 178             return CMD_RET_FAILURE;
>>>> 179     }
>>>> 180
>>>
>>> This probably deserves to be addressed. I don't know if Dmitrii is actively
>>> watching the list, so I'll study this in more detail and send a fix if appropriate.
>>
>> If blk_get_dev() returns NULL, we should write a message like "No such
>> device" and return CMD_RET_FAILURE immediately.
>
>Yes, thank you, I've submitted a fix:
>
>https://lore.kernel.org/all/20240724-bcb-crash-v1-1-44caff15bce4@baylibre.com/
>
>
>>
>> Please, use log_err() for writing error messages. We don't need "Error:"
>> at the beginning of error messages.
>
>Is log_err() also the preferred way for commands? Since they are
>interactive, it seems odd to have an "optional" message.
>
>If it is, I'll convert the whole file in a separate, future patch.

Messages written with the log functions can be written to a syslog server. Remote message logging may be of interest for commands executed in scripts.

Best regards

Heinrich



>
>>
>> Best regards
>>
>> Heinrich
>>
>>>
>>>>
>>>> ** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>> /lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
>>>> 35      memset(response, 0, sizeof(response));
>>>> 36
>>>> 37      ret = tpm2_get_pcr_info(dev, &pcrs);
>>>> 38      if (ret)
>>>> 39              return ret;
>>>> 40
>>>>>>>      CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>>>>>      Using tainted variable "pcrs.count" as a loop boundary.
>>>> 41      for (i = 0; i < pcrs.count; i++) {
>>>> 42              u32 hash_mask =
>>>> tcg2_algorithm_to_mask(pcrs.selection[i].hash);
>>>> 43
>>>> 44              if (hash_mask) {
>>>> 45                      *supported_pcr |= hash_mask;
>>>> 46                      if (tpm2_is_active_pcr(&pcrs.selection[i]))
>>>>
>>>> ** CID 501788:  Memory - corruptions  (OVERRUN)
>>>>
>>>>
>>>> ________________________________________________________________________________________________________
>>>> *** CID 501788:  Memory - corruptions  (OVERRUN)
>>>> /lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
>>>> 652                                bool error)
>>>> 653     {
>>>> 654             u32 event = error ? 0x1 : 0xffffffff;
>>>> 655             int i;
>>>> 656
>>>> 657             for (i = 0; i < 8; ++i)
>>>>>>>      CID 501788:  Memory - corruptions  (OVERRUN)
>>>>>>>      Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by
>>>> passing it to a function which accesses it at byte offset 63.
>>>> 658                     tcg2_measure_event(dev, elog, i, EV_SEPARATOR,
>>>> sizeof(event),
>>>> 659                                        (const u8 *)&event);
>>>> 660
>>>> 661             if (elog->log)
>>>> 662                     unmap_physmem(elog->log, MAP_NOCACHE);
>>>> 663     }
>>>>
>>>>
>>>>
>>>> ----- End forwarded message -----
>>>>
>>>> --
>>>> Tom

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-24 10:06       ` Heinrich Schuchardt
@ 2024-07-24 22:40         ` Tom Rini
  2024-07-25  8:04           ` Mattijs Korpershoek
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-07-24 22:40 UTC (permalink / raw)
  To: Heinrich Schuchardt
  Cc: Mattijs Korpershoek, u-boot, Ilias Apalodimas, Marek Vasut,
	Dmitrii Merkurev

On Wed, Jul 24, 2024 at 12:06:46PM +0200, Heinrich Schuchardt wrote:
> 
> 
> Am 24. Juli 2024 11:56:17 MESZ schrieb Mattijs Korpershoek <mkorpershoek@baylibre.com>:
> >Hi Heinrich,
> >
> >On mer., juil. 24, 2024 at 11:45, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
> >
> >> On 24.07.24 11:21, Mattijs Korpershoek wrote:
> >>> Hi Tom,
> >>>
> >>> Thank you for the report.
> >>>
> >>> On mar., juil. 23, 2024 at 08:18, Tom Rini <trini@konsulko.com> wrote:
> >>>
> >>>> Here's the latest report.
> >>>>
> >>>> ---------- Forwarded message ---------
> >>>> From: <scan-admin@coverity.com>
> >>>> Date: Mon, Jul 22, 2024, 8:07 PM
> >>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
> >>>> To: <tom.rini@gmail.com>
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> Please find the latest report on new defect(s) introduced to Das U-Boot
> >>>> found with Coverity Scan.
> >>>>
> >>>> 8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >>>> 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> >>>> recent build analyzed by Coverity Scan.
> >>>>
> >>>> New defect(s) Reported-by: Coverity Scan
> >>>> Showing 8 of 8 defect(s)
> >>>>
> >>>>
> >>>> ** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
> >>>>
> >>>>
> >>>> ________________________________________________________________________________________________________
> >>>> *** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
> >>>> /boot/bootmeth_android.c: 96 in scan_boot_part()
> >>>> 90      if (!is_android_boot_image_header(buf)) {
> >>>> 91              free(buf);
> >>>> 92              return log_msg_ret("header", -ENOENT);
> >>>> 93      }
> >>>> 94
> >>>> 95      priv->header_version = ((struct andr_boot_img_hdr_v0
> >>>> *)buf)->header_version;
> >>>>>>>      CID 501795:  Insecure data handling  (TAINTED_SCALAR)
> >>>>>>>      Passing tainted expression "*buf" to "dlfree", which uses it as an
> >>>> offset.
> >>>
> >>> scan_boot_part() generates this warning, but scan_vendor_boot_part()
> >>> does not.
> >>> Both functions follow a similar code flow.
> >>>
> >>> The only reason scan_boot_part() generates this warning is because of
> >>> the downcast into struct andr_boot_img_hdr_v0.
> >>>
> >>> We can't change char* buf into struct andr_boot_img_hdr_v0 because we
> >>> need to be block aligned when calling blk_dread().
> >>>
> >>> Per my understanding, tainted data means it comes from user input (which
> >>> is true for both scan_boot_part() and scan_vendor_boot_part(), because
> >>> both read from eMMC, which can be considered "user input").
> >>>
> >>> Since I don't see any particular problem with this code, I propose that
> >>> we ignore this warning.
> >>
> >> The warning is specifically about invoking free for the buffer that we
> >> have allocated via malloc(). Our implementation of malloc() and free()
> >> stores some meta-information about allocated buffers at a negative
> >> offset and we don't overwrite this area via blk_read().
> >
> >Ok, so does that mean that you agree that this code is safe and we don't
> >need any further action to fix it?
> 
> No fix needed.
> 
> Tom just needs to mark it in Coverity as "intended".

Thanks. I'll copy/paste the explanation in and close it next time I'm
over there.

-- 
Tom

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-24 22:40         ` Tom Rini
@ 2024-07-25  8:04           ` Mattijs Korpershoek
  2024-07-25 17:16             ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Mattijs Korpershoek @ 2024-07-25  8:04 UTC (permalink / raw)
  To: Tom Rini, Heinrich Schuchardt
  Cc: u-boot, Ilias Apalodimas, Marek Vasut, Dmitrii Merkurev

On mer., juil. 24, 2024 at 16:40, Tom Rini <trini@konsulko.com> wrote:

[...]

>> >
>> >Ok, so does that mean that you agree that this code is safe and we don't
>> >need any further action to fix it?
>> 
>> No fix needed.
>> 
>> Tom just needs to mark it in Coverity as "intended".
>
> Thanks. I'll copy/paste the explanation in and close it next time I'm
> over there.

I've done it already, added a lore link to this thread as justification.

>
> -- 
> Tom

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-07-25  8:04           ` Mattijs Korpershoek
@ 2024-07-25 17:16             ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-07-25 17:16 UTC (permalink / raw)
  To: Mattijs Korpershoek
  Cc: Heinrich Schuchardt, u-boot, Ilias Apalodimas, Marek Vasut,
	Dmitrii Merkurev

On Thu, Jul 25, 2024 at 10:04:33AM +0200, Mattijs Korpershoek wrote:
> On mer., juil. 24, 2024 at 16:40, Tom Rini <trini@konsulko.com> wrote:
> 
> [...]
> 
> >> >
> >> >Ok, so does that mean that you agree that this code is safe and we don't
> >> >need any further action to fix it?
> >> 
> >> No fix needed.
> >> 
> >> Tom just needs to mark it in Coverity as "intended".
> >
> > Thanks. I'll copy/paste the explanation in and close it next time I'm
> > over there.
> 
> I've done it already, added a lore link to this thread as justification.

Thanks!

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-07 17:15 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-10-07 17:15 UTC (permalink / raw)
  To: u-boot
  Cc: Simon Glass, Joao Marcos Costa, Thomas Petazzoni,
	Jerome Forissier, Sughosh Ganu, Caleb Connolly,
	Richard Weinberger

Now that I've merged next to master, there's a number of issues to
address.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Oct 7, 2024 at 10:59 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

24 new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 24 defect(s)


** CID 510469:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
/tools/mkeficapsule.c: 862 in load_dtb()
/tools/mkeficapsule.c: 855 in load_dtb()
/tools/mkeficapsule.c: 870 in load_dtb()


________________________________________________________________________________________________________
*** CID 510469:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
871             }
872
873             if (fread(dtb, dtb_size, 1, f) != 1) {
874                     fprintf(stderr, "Can't read %ld bytes from %s\n",
875                             dtb_size, path);
876                     free(dtb);
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
877                     return NULL;
878             }
879
880             fclose(f);
881
882             return dtb;
/tools/mkeficapsule.c: 862 in load_dtb()
856             }
857
858             dtb_size = ftell(f);
859             if (dtb_size < 0) {
860                     fprintf(stderr, "Cannot ftell %s: %s\n",
861                             path, strerror(errno));
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
862                     return NULL;
863             }
864
865             fseek(f, 0, SEEK_SET);
866
867             dtb = malloc(dtb_size);
/tools/mkeficapsule.c: 855 in load_dtb()
849                     return NULL;
850             }
851
852             if (fseek(f, 0, SEEK_END)) {
853                     fprintf(stderr, "Cannot seek to the end of %s: %s\n",
854                             path, strerror(errno));
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
855                     return NULL;
856             }
857
858             dtb_size = ftell(f);
859             if (dtb_size < 0) {
860                     fprintf(stderr, "Cannot ftell %s: %s\n",
/tools/mkeficapsule.c: 870 in load_dtb()
864
865             fseek(f, 0, SEEK_SET);
866
867             dtb = malloc(dtb_size);
868             if (!dtb) {
869                     fprintf(stderr, "Can't allocated %ld\n", dtb_size);
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
870                     return NULL;
871             }
872
873             if (fread(dtb, dtb_size, 1, f) != 1) {
874                     fprintf(stderr, "Can't read %ld bytes from %s\n",
875                             dtb_size, path);

** CID 510468:  Integer handling issues  (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()


________________________________________________________________________________________________________
*** CID 510468:  Integer handling issues  (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
59      new_data = malloc(lst->obj_size * new_alloc);
60      if (!new_data) {
61              lst->flags |= ALISTF_FAIL;
62              return false;
63      }
64
>>>     CID 510468:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "lst->obj_size" with type "u16" (16 bits, unsigned) is promoted in "lst->obj_size * lst->alloc" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lst->obj_size * lst->alloc" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
65      memcpy(new_data, lst->data, lst->obj_size * lst->alloc);
66      free(lst->data);
67
68      memset(new_data + lst->obj_size * lst->alloc, '\0',
69             lst->obj_size * (new_alloc - lst->alloc));
70      lst->alloc = new_alloc;

** CID 510467:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()


________________________________________________________________________________________________________
*** CID 510467:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
491                             tsopt = (struct tcp_t_opt *)p;
492                             rmt_timestamp = tsopt->t_snd;
493                             return;
494                     }
495
496                     /* Process optional NOPs */
>>>     CID 510467:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "p[0] == 16843009" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
497                     if (p[0] == TCP_O_NOP)
498                             p++;
499             }
500     }
501
502     static u8 tcp_state_machine(u8 tcp_flags, u32 tcp_seq_num, int
payload_len)

** CID 510466:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()


________________________________________________________________________________________________________
*** CID 510466:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
250     };
251
252     int uuid_guid_get_bin(const char *guid_str, unsigned char *guid_bin)
253     {
254             int i;
255
>>>     CID 510466:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
256             for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
257                     if (!strcmp(list_guid[i].string, guid_str)) {
258                             memcpy(guid_bin, &list_guid[i].guid, 16);
259                             return 0;
260                     }
261             }

** CID 510465:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 510465:  Uninitialized variables  (UNINIT)
/cmd/upl.c: 59 in do_upl_write()
53      struct unit_test_state uts;
54      struct abuf buf;
55      oftree tree;
56      ulong addr;
57      int ret;
58
>>>     CID 510465:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "uts.fail_count" when calling "upl_get_test_data".
59      upl_get_test_data(&uts, upl);
60
61      log_debug("Writing UPL\n");
62      ret = upl_create_handoff_tree(upl, &tree);
63      if (ret) {
64              log_err("Failed to write (err=%dE)\n", ret);

** CID 510464:  Error handling issues  (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()


________________________________________________________________________________________________________
*** CID 510464:  Error handling issues  (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
253
254                             pos = strstr((char *)pkt, content_len);
255                             if (!pos) {
256                                     content_length = -1;
257                             } else {
258                                     pos += sizeof(content_len) + 2;
>>>     CID 510464:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "strict_strtoul" without checking return value (as is done elsewhere 8 out of 10 times).
259                                     strict_strtoul(pos, 10,
&content_length);
260                                     debug_cond(DEBUG_WGET,
261                                                "wget: Connected Len %lu\n",
262                                                content_length);
263                             }
264

** CID 510463:  Memory - illegal accesses  (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()


________________________________________________________________________________________________________
*** CID 510463:  Memory - illegal accesses  (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
31     {
32      u64 bitpos;
33      const char *flag_str[] = { "none", "no-map", "no-overwrite" };
34
35      do {
36              bitpos = flags ? fls(flags) - 1 : 0;
>>>     CID 510463:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "flag_str" of 3 8-byte elements at element index 31 (byte offset 255) using index "bitpos" (which evaluates to 31).
37              printf("%s", flag_str[bitpos]);
38              flags &= ~(1ull << bitpos);
39              puts(flags ? ", " : "\n");
40      } while (flags);
41     }
42

** CID 510462:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()


________________________________________________________________________________________________________
*** CID 510462:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
61      ops.ooblen = mtd->oobsize;
62      ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63      ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65      /* Generate some data and write it */
66      for (i = 0; i < size / sizeof(int); i++)
>>>     CID 510462:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67              gold[i] = rand();
68      ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69                                      (void *)gold, 0));
70      ut_asserteq(size, length);
71
72      /* Verify */

** CID 510461:  Code maintainability issues  (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()


________________________________________________________________________________________________________
*** CID 510461:  Code maintainability issues  (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
231                             return log_msg_ret("sub", ret);
232
233                     ret = write_addr(upl, subnode, UPLP_LOAD, img->load);
234                     if (!ret)
235                             ret = write_size(upl, subnode,
UPLP_SIZE, img->size);
236                     if (!ret && img->offset)
>>>     CID 510461:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "ofnode_write_u32(subnode, "offset", img->offset)" to "ret" here, but that stored value is overwritten before it can be used.
237                             ret = ofnode_write_u32(subnode, UPLP_OFFSET,
238                                                    img->offset);
239                     ret = ofnode_write_string(subnode, UPLP_DESCRIPTION,
240                                               img->description);
241                     if (ret)
242                             return log_msg_ret("sim", ret);

** CID 510460:  Resource leaks  (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()


________________________________________________________________________________________________________
*** CID 510460:  Resource leaks  (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
210             struct ext2fs_node *dirnode = NULL;
211             int filetype;
212
213             if (!filename)
214                     return 0;
215
>>>     CID 510460:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "dirnode" going out of scope leaks the storage it points to.
216             return ext4fs_find_file1(filename,
&ext4fs_root->diropen, &dirnode,
217                                      &filetype);
218     }
219
220     int ext4fs_size(const char *filename, loff_t *size)
221     {

** CID 510459:  Incorrect expression  (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()


________________________________________________________________________________________________________
*** CID 510459:  Incorrect expression  (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
517             if (!buf) {
518                     log_warning("Node '%s': Missing 'reg' property\n",
519                                 ofnode_get_name(node));
520                     return log_msg_ret("reg", -EINVAL);
521             }
522
>>>     CID 510459:  Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "buf" of type "char const *" and argument "8 /* sizeof (buf) */" to function "decode_addr_size" is suspicious.
523             len = decode_addr_size(upl, buf, sizeof(buf), &gra->reg);
524             if (len < 0)
525                     return log_msg_ret("buf", len);
526
527             ret = read_uint(node, UPLP_WIDTH, &gra->width);
528             if (!ret)

** CID 510458:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()


________________________________________________________________________________________________________
*** CID 510458:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
263     }
264
265     const char *uuid_guid_get_str(const unsigned char *guid_bin)
266     {
267             int i;
268
>>>     CID 510458:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
269             for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
270                     if (!memcmp(list_guid[i].guid.b, guid_bin, 16)) {
271                             return list_guid[i].string;
272                     }
273             }
274             return NULL;

** CID 510457:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
/tools/mkeficapsule.c: 930 in genguid()
/tools/mkeficapsule.c: 924 in genguid()
/tools/mkeficapsule.c: 944 in genguid()
/tools/mkeficapsule.c: 959 in genguid()


________________________________________________________________________________________________________
*** CID 510457:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
928             if (!compatible) {
929                     fprintf(stderr, "No compatible string found in DTB\n");
930                     return -1;
931             }
932             if (strnlen(compatible, compatlen) >= compatlen) {
933                     fprintf(stderr, "Compatible string not
null-terminated\n");
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
934                     return -1;
935             }
936
937             printf("Generating GUIDs for %s with namespace %s:\n",
938                    compatible, DEFAULT_NAMESPACE_GUID);
939             for (; idx < argc; idx++) {
/tools/mkeficapsule.c: 930 in genguid()
924                     return -1;
925             }
926
927             compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928             if (!compatible) {
929                     fprintf(stderr, "No compatible string found in DTB\n");
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
930                     return -1;
931             }
932             if (strnlen(compatible, compatlen) >= compatlen) {
933                     fprintf(stderr, "Compatible string not
null-terminated\n");
934                     return -1;
935             }
/tools/mkeficapsule.c: 924 in genguid()
918             if (!dtb)
919                     return -1;
920
921             ret = fdt_check_header(dtb);
922             if (ret) {
923                     fprintf(stderr, "Invalid DTB header: %d\n", ret);
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
924                     return -1;
925             }
926
927             compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928             if (!compatible) {
929                     fprintf(stderr, "No compatible string found in DTB\n");
/tools/mkeficapsule.c: 944 in genguid()
938                    compatible, DEFAULT_NAMESPACE_GUID);
939             for (; idx < argc; idx++) {
940                     memset(fw_image, 0, sizeof(fw_image));
941                     namelen = strlen(argv[idx]);
942                     if (namelen > MAX_IMAGE_NAME_LEN) {
943                             fprintf(stderr, "Image name too long:
%s\n", argv[idx]);
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
944                             return -1;
945                     }
946
947                     for (int i = 0; i < namelen; i++)
948                             fw_image[i] = (uint16_t)argv[idx][i];
949
/tools/mkeficapsule.c: 959 in genguid()
953                                 NULL);
954
955                     printf("%s: ", argv[idx]);
956                     print_guid(&image_type_id);
957             }
958
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
959             return 0;
960     }
961
962     /**
963      * main - main entry function of mkeficapsule
964      * @argc:       Number of arguments

** CID 510456:  Integer handling issues  (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 510456:  Integer handling issues  (NEGATIVE_RETURNS)
/boot/upl_write.c: 432 in add_upl_memres()
426                     ret = ofnode_add_subnode(mem_node, name, &node);
427                     if (ret)
428                             return log_msg_ret("memres", ret);
429
430                     len = buffer_addr_size(upl, buf, sizeof(buf),
431                                            memres->region.count,
&memres->region);
>>>     CID 510456:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     "len" is passed to a parameter that cannot be negative.
432                     ret = ofnode_write_prop(node, UPLP_REG, buf, len, true);
433                     if (!ret && memres->no_map)
434                             ret = ofnode_write_bool(node, UPLP_NO_MAP,
435                                                     memres->no_map);
436                     if (ret)
437                             return log_msg_ret("lst", ret);

** CID 510455:  Memory - corruptions  (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()


________________________________________________________________________________________________________
*** CID 510455:  Memory - corruptions  (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
965             if (le16_to_cpu(dirs->i_dir.inode_type) == SQFS_DIR_TYPE)
966                     dirs->size = le16_to_cpu(dirs->i_dir.file_size);
967             else
968                     dirs->size = le32_to_cpu(dirs->i_ldir.file_size);
969
970             /* Setup directory header */
>>>     CID 510455:  Memory - corruptions  (OVERLAPPING_COPY)
>>>     Copying 12 bytes from "dirs->table" to "dirs->dir_header", which point to overlapping memory locations.
971             memcpy(dirs->dir_header, dirs->table, SQFS_DIR_HEADER_SIZE);
972             dirs->entry_count = dirs->dir_header->count + 1;
973             dirs->size -= SQFS_DIR_HEADER_SIZE;
974
975             /* Setup entry */
976             dirs->entry = NULL;

** CID 510454:    (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
/test/cmd/mbr.c: 421 in mbr_test_run()
/test/cmd/mbr.c: 351 in mbr_test_run()
/test/cmd/mbr.c: 316 in mbr_test_run()
/test/cmd/mbr.c: 386 in mbr_test_run()


________________________________________________________________________________________________________
*** CID 510454:    (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
274
275             /* Make sure mmc6 is 12+ MiB in size */
276             ut_assertok(run_commandf("mmc read %lx %lx 1", ra,
277                                      (ulong)0xbffe00 / BLKSZ));
278
279             /* Test one MBR partition */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
280             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
281             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 1));
282             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
283             memset(rbuf, '\0', BLKSZ);
284             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
285             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 421 in mbr_test_run()
415                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p4[i],
416                             "4P MBR+0x%04X: expected %#02X, actual: %#02X\n",
417                             mbr_cmp_start + i, mbr_parts_ref_p4[i], rbuf[mbr_cmp_start + i]);
418             }
419
420             /* Test five MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
421             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
422             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 5));
423             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
424             memset(rbuf, '\0', BLKSZ);
425             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
426             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 351 in mbr_test_run()
345                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p2[i],
346                             "2P MBR+0x%04X: expected %#02X, actual: %#02X\n",
347                             mbr_cmp_start + i, mbr_parts_ref_p2[i], rbuf[mbr_cmp_start + i]);
348             }
349
350             /* Test three MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
351             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
352             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 3));
353             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
354             memset(rbuf, '\0', BLKSZ);
355             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
356             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 316 in mbr_test_run()
310                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p1[i],
311                             "1P MBR+0x%04X: expected %#02X, actual: %#02X\n",
312                             mbr_cmp_start + i, mbr_parts_ref_p1[i], rbuf[mbr_cmp_start + i]);
313             }
314
315             /* Test two MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
316             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
317             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 2));
318             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
319             memset(rbuf, '\0', BLKSZ);
320             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
321             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 386 in mbr_test_run()
380                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p3[i],
381                             "3P MBR+0x%04X: expected %#02X, actual: %#02X\n",
382                             mbr_cmp_start + i, mbr_parts_ref_p3[i], rbuf[mbr_cmp_start + i]);
383             }
384
385             /* Test four MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
386             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
387             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 4));
388             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
389             memset(rbuf, '\0', BLKSZ);
390             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
391             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));

** CID 510453:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()


________________________________________________________________________________________________________
*** CID 510453:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
977             dirs->table += SQFS_DIR_HEADER_SIZE;
978
979             *dirsp = (struct fs_dir_stream *)dirs;
980
981     out:
982             for (j = 0; j < token_count; j++)
>>>     CID 510453:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "token_list".
983                     free(token_list[j]);
984             free(token_list);
985             free(pos_list);
986             free(path);
987             if (ret) {
988                     free(inode_table);

** CID 510452:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()


________________________________________________________________________________________________________
*** CID 510452:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
1670                    printf("File not found.\n");
1671                    *size = 0;
1672                    ret = -EINVAL;
1673                    goto free_strings;
1674            }
1675
>>>     CID 510452:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "dirs->entry".
1676            i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset;
1677            ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes,
1678                                   sblk->block_size);
1679
1680            if (!ipos) {
1681                    *size = 0;

** CID 510451:    (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()


________________________________________________________________________________________________________
*** CID 510451:    (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607                    free(fragment_block);
1608
1609            } else if (finfo.frag && !finfo.comp) {
1610                    fragment_block = (void *)fragment + table_offset;
1611
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1612                    memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread);
1613                    *actread = finfo.size;
1614            }
1615
1616     out:
1617            free(fragment);
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607                    free(fragment_block);
1608
1609            } else if (finfo.frag && !finfo.comp) {
1610                    fragment_block = (void *)fragment + table_offset;
1611
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Passing tainted expression "finfo.size - *actread" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1612                    memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread);
1613                    *actread = finfo.size;
1614            }
1615
1616     out:
1617            free(fragment);
/fs/squashfs/sqfs.c: 1621 in sqfs_read_nest()
1615
1616     out:
1617            free(fragment);
1618            free(datablock);
1619            free(file);
1620            free(dir);
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*finfo.blk_sizes" to "dlfree", which uses it as an offset.
1621            free(finfo.blk_sizes);
1622            sqfs_closedir(dirsp);
1623
1624            return ret;
1625     }
1626
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
1598                                          frag_entry.size);
1599                    if (ret) {
1600                            free(fragment_block);
1601                            goto out;
1602                    }
1603
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1604                    memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread);
1605                    *actread = finfo.size;
1606
1607                    free(fragment_block);
1608
1609            } else if (finfo.frag && !finfo.comp) {

** CID 510450:  Code maintainability issues  (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()


________________________________________________________________________________________________________
*** CID 510450:  Code maintainability issues  (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
1500                    n_blks = DIV_ROUND_UP(table_size + table_offset,
1501                                          ctxt.cur_dev->blksz);
1502
1503                    /* Don't load any data for sparse blocks */
1504                    if (finfo.blk_sizes[j] == 0) {
1505                            n_blks = 0;
>>>     CID 510450:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "0ULL" to "table_offset" here, but that stored value is overwritten before it can be used.
1506                            table_offset = 0;
1507                            data_buffer = NULL;
1508                            data = NULL;
1509                    } else {
1510                            data_buffer = malloc_cache_aligned(n_blks * ctxt.cur_dev->blksz);
1511

----- End forwarded message -----

-- 
Tom


^ permalink raw reply	[flat|nested] 105+ messages in thread
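
The TAINTED_SCALAR finding above (CID 510451, sqfs_read_nest) is the security-relevant one in this batch: finfo.offset and finfo.size come straight out of the filesystem image, and a crafted image can make memcpy read past the end of fragment_block or write past the end of the caller's buffer. The following is an added example, not U-Boot code and not the fix the project applied; it shows the kind of bounds check the checker is asking for. struct frag_info, copy_fragment_checked and demo_fragment_checks are hypothetical names chosen for the illustration, and the fragment block contents are constructed sample data rather than anything read from a real squashfs image.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not U-Boot code. struct frag_info is a hypothetical
 * stand-in for fragment metadata parsed from an untrusted filesystem
 * image: both fields are attacker-controlled ("tainted" in Coverity's
 * terms) and must be validated before they reach memcpy.
 */
struct frag_info {
	uint32_t offset;	/* start of this file's tail inside the fragment block */
	uint32_t size;		/* total file size; the first already_read bytes came from data blocks */
};

/*
 * Copy the file's tail (size - already_read bytes, starting at
 * fragment_block + offset) into buf + already_read, after checking every
 * tainted quantity against the real buffer lengths. Returns 0 on success,
 * -EINVAL if the metadata is inconsistent or points outside the fragment
 * block, -ENOSPC if the tail does not fit in the caller's buffer.
 */
int copy_fragment_checked(uint8_t *buf, size_t buf_len, size_t already_read,
			  const uint8_t *fragment_block, size_t block_len,
			  const struct frag_info *finfo)
{
	size_t off = finfo->offset;
	size_t total = finfo->size;
	size_t tail;

	/* More bytes cannot have been read than the file contains. */
	if (already_read > total)
		return -EINVAL;
	tail = total - already_read;

	/*
	 * Source range [off, off + tail) must lie inside the fragment block.
	 * Written as subtractions so the comparison itself cannot wrap.
	 */
	if (off > block_len || tail > block_len - off)
		return -EINVAL;

	/* Destination range [already_read, already_read + tail) must fit buf. */
	if (already_read > buf_len || tail > buf_len - already_read)
		return -ENOSPC;

	memcpy(buf + already_read, fragment_block + off, tail);
	return 0;
}

/*
 * Runs the check on constructed data: a 16-byte "fragment block" and a
 * file whose first 4 bytes already came from a data block. Returns the
 * number of malformed metadata variants that were rejected (3 when the
 * checks work), or -1 if the well-formed case did not copy correctly.
 */
int demo_fragment_checks(void)
{
	const uint8_t block[16] = "AAAAAAAAhello!!";	/* constructed sample */
	uint8_t buf[12];
	int rejected = 0;

	/* Well-formed: 10-byte file, 4 bytes already read, tail at offset 8. */
	const struct frag_info good = { .offset = 8, .size = 10 };
	memcpy(buf, "abcd", 4);
	if (copy_fragment_checked(buf, sizeof(buf), 4, block, sizeof(block), &good) ||
	    memcmp(buf, "abcdhello!", 10))
		return -1;

	/* Offset past the end of the fragment block. */
	const struct frag_info bad_off = { .offset = 17, .size = 10 };
	rejected += copy_fragment_checked(buf, sizeof(buf), 4, block, sizeof(block), &bad_off) == -EINVAL;

	/* Valid offset, but a size that runs off the end of the block. */
	const struct frag_info bad_size = { .offset = 8, .size = 100 };
	rejected += copy_fragment_checked(buf, sizeof(buf), 4, block, sizeof(block), &bad_size) == -EINVAL;

	/* Fits the block but not the caller's 12-byte buffer. */
	const struct frag_info too_big = { .offset = 0, .size = 20 };
	rejected += copy_fragment_checked(buf, sizeof(buf), 4, block, sizeof(block), &too_big) == -ENOSPC;

	return rejected;
}

int main(void)
{
	int rejected = demo_fragment_checks();

	printf("rejected %d of 3 malformed fragment descriptors\n", rejected);
	return rejected == 3 ? 0 : 1;
}
```

The two comparisons are written as subtractions against the known buffer length rather than as `off + tail <= block_len`, because with 32-bit fields widened to size_t the additive form can still wrap on 32-bit targets, which is exactly the class of bug a bootloader parsing an untrusted image must not have. Checking the destination separately matters too: the file size in the metadata, not the caller's buffer, was driving the copy length in the flagged code.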

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-16  3:47 Tom Rini
  2024-10-16  5:56 ` Tudor Ambarus
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-10-16  3:47 UTC (permalink / raw)
  To: u-boot
  Cc: Vignesh R, Takahiro Kuwano, Tudor Ambarus,
	Venkatesh Yadav Abbarapu, Pratyush Yadav, Ashok Reddy Soma,
	Joakim Tjernlund, Raymond Mao, Ilias Apalodimas


Hey all, here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Oct 15, 2024 at 5:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

22 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 20 of 22 defect(s)


** CID 510813:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 510813:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()
1646                            goto read_err;
1647                    }
1648                    if (ret < 0)
1649                            goto read_err;
1650
1651                    if (is_ofst_odd == true) {
>>>     CID 510813:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "memmove(buf, buf + 1, len -...".
1652                            memmove(buf, (buf + 1), (len - 1));
1653                            *retlen += (ret - 1);
1654                            buf += ret - 1;
1655                            is_ofst_odd = false;
1656                    } else {
1657                            *retlen += ret;

** CID 510812:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()


________________________________________________________________________________________________________
*** CID 510812:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
3567                    /*
3568                     * In parallel-memories the erase operation is
3569                     * performed on both the flashes simultaneously
3570                     * so, double the erasesize.
3571                     */
3572                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3573                            mtd->erasesize = 4096 * 2;
3574                    else
3575                            mtd->erasesize = 4096;
3576            } else if (info->flags & SECT_4K_PMC) {
3577                    nor->erase_opcode = SPINOR_OP_BE_4K_PMC;
3578                    /*
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
3578                    /*
3579                     * In parallel-memories the erase operation is
3580                     * performed on both the flashes simultaneously
3581                     * so, double the erasesize.
3582                     */
3583                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3584                            mtd->erasesize = 4096 * 2;
3585                    else
3586                            mtd->erasesize = 4096;
3587            } else
3588     #endif
3589            {
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
3604                    /*
3605                     * In parallel-memories the erase operation is
3606                     * performed on both the flashes simultaneously
3607                     * so, double the erasesize.
3608                     */
3609                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3610                            mtd->erasesize = 4096 * 2;
3611                    else
3612                            mtd->erasesize = 4096;
3613            }
3614
3615            return 0;
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()
3591                    /*
3592                     * In parallel-memories the erase operation is
3593                     * performed on both the flashes simultaneously
3594                     * so, double the erasesize.
3595                     */
3596                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = info->sect...".
3597                            mtd->erasesize = info->sector_size * 2;
3598                    else
3599                            mtd->erasesize = info->sector_size;
3600            }
3601
3602            if ((JEDEC_MFR(info) == SNOR_MFR_SST) && info->flags & SECT_4K) {

** CID 510811:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()


________________________________________________________________________________________________________
*** CID 510811:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
1128                            addr_known = false;
1129                            ret = -EINTR;
1130                            goto erase_err;
1131                    }
1132                    offset = addr;
1133                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510811:    (DEADCODE)
>>>     Execution cannot reach this statement: "offset /= 2U;".
1134                            offset /= 2;
1135
1136                    if (nor->flags & SNOR_F_HAS_STACKED) {
1137                            if (offset >= (mtd->size / 2)) {
1138                                    offset = offset - (mtd->size / 2);
1139                                    nor->spi->flags |= SPI_XFER_U_PAGE;
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()
1131                    }
1132                    offset = addr;
1133                    if (nor->flags & SNOR_F_HAS_PARALLEL)
1134                            offset /= 2;
1135
1136                    if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510811:    (DEADCODE)
>>>     Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1137                            if (offset >= (mtd->size / 2)) {
1138                                    offset = offset - (mtd->size / 2);
1139                                    nor->spi->flags |= SPI_XFER_U_PAGE;
1140                            } else {
1141                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142                            }

** CID 510810:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()


________________________________________________________________________________________________________
*** CID 510810:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550     {
1551            int                     tmp;
1552            u8                      id[SPI_NOR_MAX_ID_LEN];
1553            const struct flash_info *info;
1554
1555            if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510810:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "nor->spi->flags |= 0x100;".
1556                    nor->spi->flags |= SPI_XFER_LOWER;
1557
1558            tmp = nor->read_reg(nor, SPINOR_OP_RDID, id, SPI_NOR_MAX_ID_LEN);
1559            if (tmp < 0) {
1560                    dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561                    return ERR_PTR(tmp);

** CID 510809:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()


________________________________________________________________________________________________________
*** CID 510809:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()
379                                   signed_info);
380             if (ret)
381                     goto out_err_sinfo;
382
383     no_authattrs:
384             *sinfo = signed_info;
>>>     CID 510809:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "mctx" going out of scope leaks the storage it points to.
385             return 0;
386
387     out_err_sinfo:
388             pkcs7_free_sinfo_mbedtls_ctx(mctx);
389     out_no_mctx:
390             public_key_signature_free(s);

** CID 510808:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()


________________________________________________________________________________________________________
*** CID 510808:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()
718     static void spi_nor_set_4byte_opcodes(struct spi_nor *nor,
719                                           const struct flash_info *info)
720     {
721             bool shift = 0;
722
723             if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510808:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "shift = true;".
724                     shift = 1;
725
726             /* Do some manufacturer fixups first */
727             switch (JEDEC_MFR(info)) {
728             case SNOR_MFR_SPANSION:
729                     /* No small sector erase for 4-byte command set */

** CID 510807:  Control flow issues  (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()


________________________________________________________________________________________________________
*** CID 510807:  Control flow issues  (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()
2744                 MBEDTLS_PUT_UINT16_BE(group, addr, nonzero_groups);
2745                 nonzero_groups++;
2746                 if (*p == '\0') {
2747                     break;
2748                 } else if (*p == '.') {
2749                     /* Don't accept IPv4 too early or late */
>>>     CID 510807:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "zero_group_start == -1" inside this statement: "if ((nonzero_groups == 0 &&...".
2750                     if ((nonzero_groups == 0 && zero_group_start == -1) ||
2751                         nonzero_groups >= 7) {
2752                         break;
2753                     }
2754
2755                     /* Walk back to prior ':', then parse as IPv4-mapped */

** CID 510806:  Control flow issues  (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()


________________________________________________________________________________________________________
*** CID 510806:  Control flow issues  (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()
203                                     return -EINVAL;
204                     }
205
206                     p += seq_len;
207             }
208
>>>     CID 510806:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "ret != -96" inside this statement: "if (ret && ret != -96) re...".
209             if (ret && ret !=  MBEDTLS_ERR_ASN1_OUT_OF_DATA)
210                     return ret;
211
212             msg->have_authattrs = true;
213
214             /*

** CID 510805:  Memory - illegal accesses  (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()


________________________________________________________________________________________________________
*** CID 510805:  Memory - illegal accesses  (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()
672             (*prop)->num_bits = (rsa_key.n_sz - i) * 8;
673             (*prop)->modulus = malloc(rsa_key.n_sz - i);
674             if (!(*prop)->modulus) {
675                     ret = -ENOMEM;
676                     goto out;
677             }
>>>     CID 510805:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning dynamic array "rsa_key.n" at offset corresponding to index variable "i".
678             memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
679
680             n = calloc(sizeof(uint32_t), 1 + ((*prop)->num_bits >> 5));
681             rr = calloc(sizeof(uint32_t), 1 + (((*prop)->num_bits * 2) >> 5));
682             rrtmp = calloc(sizeof(uint32_t), 2 + (((*prop)->num_bits * 2) >> 5));
683             if (!n || !rr || !rrtmp) {

** CID 510804:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()


________________________________________________________________________________________________________
*** CID 510804:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550     {
1551            int                     tmp;
1552            u8                      id[SPI_NOR_MAX_ID_LEN];
1553            const struct flash_info *info;
1554
1555            if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510804:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     In "nor->spi->flags |= 256 /* 1 << 8 */", wider "256 /* 1 << 8 */" has high-order bits (0x100) that don't affect the narrower left-hand side.
1556                    nor->spi->flags |= SPI_XFER_LOWER;
1557
1558            tmp = nor->read_reg(nor, SPINOR_OP_RDID, id, SPI_NOR_MAX_ID_LEN);
1559            if (tmp < 0) {
1560                    dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561                    return ERR_PTR(tmp);

** CID 510803:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()


________________________________________________________________________________________________________
*** CID 510803:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()
1132                    offset = addr;
1133                    if (nor->flags & SNOR_F_HAS_PARALLEL)
1134                            offset /= 2;
1135
1136                    if (nor->flags & SNOR_F_HAS_STACKED) {
1137                            if (offset >= (mtd->size / 2)) {
>>>     CID 510803:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "offset - mtd->size / 2ULL" to "offset" here, but that stored value is overwritten before it can be used.
1138                                    offset = offset - (mtd->size / 2);
1139                                    nor->spi->flags |= SPI_XFER_U_PAGE;
1140                            } else {
1141                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142                            }
1143                    }

** CID 510802:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()


________________________________________________________________________________________________________
*** CID 510802:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()
498              * discard the second byte.
499              */
500             if (spi_nor_protocol_is_dtr(nor->reg_proto))
501                     op.data.nbytes = 2;
502
503             if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>>     CID 510802:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "op.data.nbytes = 2U;".
504                     op.data.nbytes = 2;
505                     ret = spi_nor_read_write_reg(nor, &op, &val[0]);
506                     if (ret < 0) {
507                             pr_debug("error %d reading SR\n", (int)ret);
508                             return ret;
509                     }

** CID 510801:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 510801:  Null pointer dereferences  (FORWARD_NULL)
/lib/ecdsa/ecdsa-libcrypto.c: 365 in ecdsa_add_verify_data()
359             struct signer ctx;
360             int ret;
361
362             fdt_key_name = info->keyname ? info->keyname : "default-key";
363             ret = prepare_ctx(&ctx, info);
364             if (ret >= 0) {
>>>     CID 510801:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "info" to "do_add", which dereferences null "info->keyname".
365                     ret = do_add(&ctx, fdt, fdt_key_name, info);
366                     if (ret < 0)
367                             ret = ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
368             }
369
370             free_ctx(&ctx);
371             return ret;

** CID 510800:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 510800:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
1614                            } else {
1615                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616                            }
1617                    }
1618
1619                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach this statement: "offset /= 2LL;".
1620                            offset /= 2;
1621
1622                    if (nor->addr_width == 3) {
1623     #ifdef CONFIG_SPI_FLASH_BAR
1624                            ret = write_bar(nor, offset);
1625                            if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
1584            u32 rem_bank_len = 0;
1585            u8 bank;
1586            bool is_ofst_odd = false;
1587
1588            dev_dbg(nor->dev, "from 0x%08x, len %zd\n", (u32)from, len);
1589
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach the expression "offset & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1590            if ((nor->flags & SNOR_F_HAS_PARALLEL) && (offset & 1)) {
1591                /* We can hit this case when we use file system like ubifs */
1592                    from--;
1593                    len++;
1594                    is_ofst_odd = true;
1595            }
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
1605                                    rem_bank_len = (SZ_16M * (bank + 1)) - from;
1606                            }
1607                    }
1608                    offset = from;
1609
1610                    if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1611                            if (offset >= (mtd->size / 2)) {
1612                                    offset = offset - (mtd->size / 2);
1613                                    nor->spi->flags |= SPI_XFER_U_PAGE;
1614                            } else {
1615                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616                            }
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()
1594                    is_ofst_odd = true;
1595            }
1596
1597            while (len) {
1598                    if (nor->addr_width == 3) {
1599                            if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach this statement: "bank = (u32)from / 33554432U;".
1600                                    bank = (u32)from / (SZ_16M << 0x01);
1601                                    rem_bank_len = ((SZ_16M << 0x01) *
1602                                            (bank + 1)) - from;
1603                            } else {
1604                                    bank = (u32)from / SZ_16M;
1605                                    rem_bank_len = (SZ_16M * (bank + 1)) - from;

** CID 510799:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()


________________________________________________________________________________________________________
*** CID 510799:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
1965                    return 0;
1966
1967            /*
1968             * Cannot write to odd offset in parallel mode,
1969             * so write 2 bytes first
1970             */
>>>     CID 510799:    (DEADCODE)
>>>     Execution cannot reach the expression "to & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1971            if ((nor->flags & SNOR_F_HAS_PARALLEL) && (to & 1)) {
1972                    u8 two[2] = {0xff, buf[0]};
1973                    size_t local_retlen;
1974
1975                    ret = spi_nor_write(mtd, to & ~1, 2, &local_retlen, two);
1976                    if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
2001                    }
2002                    offset = (to + i);
2003                    if (nor->flags & SNOR_F_HAS_PARALLEL)
2004                            offset /= 2;
2005
2006                    if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510799:    (DEADCODE)
>>>     Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
2007                            if (offset >= (mtd->size / 2)) {
2008                                    offset = offset - (mtd->size / 2);
2009                                    nor->spi->flags |= SPI_XFER_U_PAGE;
2010                            } else {
2011                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
2012                            }
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()
1998                            u64 aux = addr;
1999
2000                            page_offset = do_div(aux, nor->page_size);
2001                    }
2002                    offset = (to + i);
2003                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510799:    (DEADCODE)
>>>     Execution cannot reach this statement: "offset /= 2U;".
2004                            offset /= 2;
2005
2006                    if (nor->flags & SNOR_F_HAS_STACKED) {
2007                            if (offset >= (mtd->size / 2)) {
2008                                    offset = offset - (mtd->size / 2);
2009                                    nor->spi->flags |= SPI_XFER_U_PAGE;

** CID 510798:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()


________________________________________________________________________________________________________
*** CID 510798:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()
214             }
215
216             ret = hash_calculate(s->hash_algo, &region, 1, s->digest);
217             if (!ret)
218                     *sig = s;
219
>>>     CID 510798:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "s" going out of scope leaks the storage it points to.
220             return ret;
221
222     error_sig:
223             public_key_signature_free(s);
224             return ret;
225     }

** CID 510797:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()


________________________________________________________________________________________________________
*** CID 510797:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
4622            /* Send all the required SPI flash commands to initialize device */
4623            ret = spi_nor_init(nor);
4624            if (ret)
4625                    return ret;
4626
4627            if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510797:    (DEADCODE)
>>>     Execution cannot reach this statement: "nor->spi->flags |= 0x10UL;".
4628                    nor->spi->flags |= SPI_XFER_U_PAGE;
4629                    ret = spi_nor_init(nor);
4630                    if (ret)
4631                            return ret;
4632                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
4633            }
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()
4592                    nor->addr_width = info->addr_width;
4593            } else {
4594                    nor->addr_width = 3;
4595            }
4596
4597            if (nor->flags & (SNOR_F_HAS_PARALLEL | SNOR_F_HAS_STACKED))
>>>     CID 510797:    (DEADCODE)
>>>     Execution cannot reach this statement: "shift = true;".
4598                    shift = 1;
4599            if (nor->addr_width == 3 && (mtd->size >> shift) > SZ_16M) {
4600     #ifndef CONFIG_SPI_FLASH_BAR
4601                    /* enable 4-byte addressing if the device exceeds 16MiB */
4602                    nor->addr_width = 4;
4603                    if (JEDEC_MFR(info) == SNOR_MFR_SPANSION ||

** CID 510796:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 510796:  Insecure data handling  (TAINTED_SCALAR)
/lib/mbedtls/external/mbedtls/library/rsa.c: 1316 in rsa_prepare_blinding()
1310             }
1311
1312             MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
1313
1314             /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
1315             MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
>>>     CID 510796:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*ctx->Vf.p" to "mbedtls_mpi_mul_mpi", which uses it as an offset.
1316             MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
1317             MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi,
&ctx->Vi, &ctx->N));
1318
1319             /* At this point, Vi is invertible mod N if and only if both Vf and R
1320              * are invertible mod N. If one of them isn't, we don't need to know
1321              * which one, we just loop and choose new values for both of them.

** CID 510795:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()


________________________________________________________________________________________________________
*** CID 510795:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()
4265
4266     static int spi_nor_init(struct spi_nor *nor)
4267     {
4268            int err;
4269
4270            if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510795:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "nor->spi->flags |= 3UL;".
4271                    nor->spi->flags |= SPI_NOR_ENABLE_MULTI_CS;
4272
4273            err = spi_nor_octal_dtr_enable(nor);
4274            if (err) {
4275                    dev_dbg(nor->dev, "Octal DTR mode not supported\n");
4276                    return err;

** CID 510794:  Control flow issues  (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()


________________________________________________________________________________________________________
*** CID 510794:  Control flow issues  (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()
72      do {
73              name_str = kzalloc(len, GFP_KERNEL);
74              if (!name_str)
75                      return NULL;
76
77              wb = mbedtls_x509_dn_gets(name_str, len, name);
>>>     CID 510794:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "wb < 0UL".
78              if (wb < 0) {
79                      pr_err("Get DN string failed, ret:-0x%04x\n",
80                             (unsigned int)-wb);
81                      kfree(name_str);
82                      len = len * 2; /* Try with a bigger buffer */
83              }

----- End forwarded message -----

-- 
Tom


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2024-10-16  3:47 Tom Rini
@ 2024-10-16  5:56 ` Tudor Ambarus
  0 siblings, 0 replies; 105+ messages in thread
From: Tudor Ambarus @ 2024-10-16  5:56 UTC (permalink / raw)
  To: Tom Rini, u-boot, Amit Kumar Mahapatra
  Cc: Vignesh R, Takahiro Kuwano, Venkatesh Yadav Abbarapu,
	Pratyush Yadav, Ashok Reddy Soma, Joakim Tjernlund, Raymond Mao,
	Ilias Apalodimas

+ Amit

Ugh, the parallel/stacked SPI NOR thingy was applied in U-Boot. We
rejected it in Linux; this support shall be above SPI NOR. How about
reverting the support until we have an agreement in Linux?

Or, if we want to still keep it until we come with a better approach, it
would be good if Amit (now in To:) fixes all the bugs introduced.


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-19 16:16 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-10-19 16:16 UTC (permalink / raw)
  To: u-boot, Simon Glass


Here's a short update.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sat, Oct 19, 2024, 8:35 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 510857:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 510857:  Memory - corruptions  (OVERRUN)
/test/boot/bootdev.c: 160 in bootdev_test_any()
154              */
155             if (CONFIG_IS_ENABLED(DSA_SANDBOX))
156                     seq = "8";
157             else
158                     seq = "6";
159
>>>     CID 510857:  Memory - corruptions  (OVERRUN)
>>>     Overrunning buffer pointed to by "seq" of 2 bytes by passing it to a function which accesses it at byte offset 2.
160             ut_assertok(bootdev_find_by_any(seq, &dev, &mflags));
161             ut_asserteq(UCLASS_BOOTDEV, device_get_uclass_id(dev));
162             ut_asserteq(BOOTFLOW_METHF_SINGLE_DEV, mflags);
163             media = dev_get_parent(dev);
164             ut_asserteq(UCLASS_MMC, device_get_uclass_id(media));
165             ut_asserteq_str("mmc2", media->name);

** CID 510856:  Control flow issues  (UNREACHABLE)
/lib/binman.c: 142 in binman_init()


________________________________________________________________________________________________________
*** CID 510856:  Control flow issues  (UNREACHABLE)
/lib/binman.c: 142 in binman_init()
136     int binman_init(void)
137     {
138             int ret;
139
140             return 0;
141             binman = malloc(sizeof(struct binman_info));
>>>     CID 510856:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "if (!binman)
  return ((voi...".
142             if (!binman)
143                     return log_msg_ret("space for binman", -ENOMEM);
144             ret = find_image_node(&binman->image);
145             if (ret)
146                     return log_msg_ret("node", -ENOENT);
147             binman_set_rom_offset(ROM_OFFSET_NONE);


----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-28  3:11 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-10-28  3:11 UTC (permalink / raw)
  To: u-boot, Patrick Rudolph


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sun, Oct 27, 2024 at 9:05 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 511435:  Integer handling issues  (SIGN_EXTENSION)
/lib/acpi/acpi_table.c: 476 in acpi_write_spcr()


________________________________________________________________________________________________________
*** CID 511435:  Integer handling issues  (SIGN_EXTENSION)
/lib/acpi/acpi_table.c: 476 in acpi_write_spcr()
470             default:
471                     space_id = ACPI_ADDRESS_SPACE_IO;
472                     break;
473             }
474
475             serial_width = serial_info.reg_width * 8;
>>>     CID 511435:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "serial_info.reg_offset" with type "u8" (8 bits, unsigned) is promoted in "serial_info.reg_offset << serial_info.reg_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "serial_info.reg_offset << serial_info.reg_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
476             serial_offset = serial_info.reg_offset << serial_info.reg_shift;
477             serial_address = serial_info.addr + serial_offset;
478
479             /* Encode register access size */
480             switch (serial_info.reg_shift) {
481             case 0:

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-11-12  2:11 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-11-12  2:11 UTC (permalink / raw)
  To: u-boot, Heiko Schocher


Here's the latest Coverity report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 11, 2024 at 10:24 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 514648:  Control flow issues  (MISSING_BREAK)
/tools/imx8image.c: 93 in parse_cfg_cmd()


________________________________________________________________________________________________________
*** CID 514648:  Control flow issues  (MISSING_BREAK)
/tools/imx8image.c: 93 in parse_cfg_cmd()
87              sector_size = get_table_entry_id(imx8image_sector_size,
88                                               "imximage boot option",
89                                               token);
90              if (!strncmp("emmc_fastboot", token, 13))
91                      emmc_fastboot = true;
92              break;
>>>     CID 514648:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "CMD_DCD_SKIP" is not terminated by a "break" statement.
93      case CMD_DCD_SKIP:
94              if (!strncmp("true", token, 4))
95                      dcd_skip = true;
96      case CMD_FUSE_VERSION:
97              fuse_version = (uint8_t)(strtoll(token, NULL, 0) & 0xFF);
98              break;


________________________________________________________________________________________________________

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-11-15 13:27 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-11-15 13:27 UTC (permalink / raw)
  To: u-boot, Heinrich Schuchardt


Hey all,

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Nov 14, 2024, 10:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 514958:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 80 in dm_test_cmd_hash_sha256()


________________________________________________________________________________________________________
*** CID 514958:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 80 in dm_test_cmd_hash_sha256()
74      ut_assertok(run_command("hash sha256 $loadaddr 0 foo; echo $foo", 0));
75      console_record_readline(uts->actual_str, sizeof(uts->actual_str));
76      ut_asserteq_ptr(uts->actual_str,
77                      strstr(uts->actual_str, "sha256 for "));
78      ut_assert(strstr(uts->actual_str,
79                       "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
>>>     CID 514958:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "ut_check_console_line" without checking return value (as is done elsewhere 683 out of 690 times).
80      ut_check_console_line(uts,
81                            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
82
83      if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
84              ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
85              ut_check_console_line(uts, "hash - compute hash message digest");

** CID 514957:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 36 in dm_test_cmd_hash_md5()


________________________________________________________________________________________________________
*** CID 514957:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 36 in dm_test_cmd_hash_md5()
30      ut_assertok(run_command("hash md5 $loadaddr 0 foo; echo $foo", 0));
31      console_record_readline(uts->actual_str, sizeof(uts->actual_str));
32      ut_asserteq_ptr(uts->actual_str,
33                      strstr(uts->actual_str, "md5 for "));
34      ut_assert(strstr(uts->actual_str,
35                       "d41d8cd98f00b204e9800998ecf8427e"));
>>>     CID 514957:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "ut_check_console_line" without checking return value (as is done elsewhere 683 out of 690 times).
36      ut_check_console_line(uts, "d41d8cd98f00b204e9800998ecf8427e");
37
38      if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
39              ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
40              ut_check_console_line(uts, "hash - compute hash message digest");
41


----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-12-24 17:14 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-12-24 17:14 UTC (permalink / raw)
  To: u-boot, Nicolas Belin


Hey all,

Unfortunately Coverity went a bit weird for a bit and stopped doing
emails, so there are a few other defects missing from this.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Dec 24, 2024 at 11:05 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 516463:  Null pointer dereferences  (FORWARD_NULL)
/boot/image-android.c: 300 in android_image_get_kernel()


________________________________________________________________________________________________________
*** CID 516463:  Null pointer dereferences  (FORWARD_NULL)
/boot/image-android.c: 300 in android_image_get_kernel()
294
295             if (*img_data.kcmdline) {
296                     printf("Kernel command line: %s\n", img_data.kcmdline);
297                     len += strlen(img_data.kcmdline) + (len ? 1 : 0); /* +1 for extra space */
298             }
299
>>>     CID 516463:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "img_data.kcmdline_extra".
300             if (*img_data.kcmdline_extra) {
301                     printf("Kernel extra command line: %s\n", img_data.kcmdline_extra);
302                     len += strlen(img_data.kcmdline_extra) + (len ? 1 : 0); /* +1 for extra space */
303             }
304
305             char *newbootargs = malloc(len + 1); /* +1 for the '\0' */


----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-12-31 13:55 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-12-31 13:55 UTC (permalink / raw)
  To: u-boot, Venkatesh Yadav Abbarapu


Hey all, here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Dec 30, 2024, 10:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 528528:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1644 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 528528:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1644 in spi_nor_read()
1638                            read_len = len;
1639                    else
1640                            read_len = rem_bank_len;
1641     #endif
1642
1643                    if (read_len == 0)
>>>     CID 528528:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -5;".
1644                            return -EIO;
1645
1646                    ret = nor->read(nor, offset, read_len, buf);
1647                    if (ret == 0) {
1648                            /* We shouldn't see 0-length reads */
1649                            ret = -EIO;

** CID 528527:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1613 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 528527:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1613 in spi_nor_read()
1607                            }
1608                            rem_bank_len = SZ_16M * (bank + 1);
1609                            if (CONFIG_IS_ENABLED(SPI_STACKED_PARALLEL)) {
1610                                    if (nor->flags & SNOR_F_HAS_PARALLEL)
1611                                            rem_bank_len *= 2;
1612                            }
>>>     CID 528527:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "rem_bank_len - from" to "rem_bank_len" here, but that stored value is overwritten before it can be used.
1613                            rem_bank_len -= from;
1614                    }
1615
1616                    if (CONFIG_IS_ENABLED(SPI_STACKED_PARALLEL)) {
1617                            if (nor->flags & SNOR_F_HAS_STACKED) {
1618                                    stack_shift = 1;


----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-02-10 22:26 Tom Rini
  2025-02-11  6:14 ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-02-10 22:26 UTC (permalink / raw)
  To: u-boot, Heiko Schocher, Raymond Mao, Ilias Apalodimas


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 10, 2025 at 4:12 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

3 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 77 in tpm2_scan_masks()


________________________________________________________________________________________________________
*** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 77 in tpm2_scan_masks()
71      *mask = 0;
72
73      rc = tpm2_get_pcr_info(dev, &pcrs);
74      if (rc)
75              return rc;
76
>>>     CID 541281:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcrs.count" as a loop boundary.
77      for (i = 0; i < pcrs.count; i++) {
78              struct tpms_pcr_selection *sel = &pcrs.selection[i];
79              size_t j;
80              u32 hash_mask = 0;
81
82              for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {

** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()


________________________________________________________________________________________________________
*** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
301                      * first call
302                      */
303                     ret = tpm2_get_pcr_info(dev, &pcr);
304                     if (ret)
305                             return ret;
306
>>>     CID 541280:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcr.count" as a loop boundary.
307                     for (i = 0; i < pcr.count; i++) {
308                             struct tpms_pcr_selection *sel = &pcr.selection[i];
309                             const char *name;
310
311                             if (!tpm2_is_active_bank(sel))
312                                     continue;

** CID 541279:    (TAINTED_SCALAR)
/drivers/led/led-uclass.c: 284 in led_get_function_name()
/drivers/led/led-uclass.c: 279 in led_get_function_name()


________________________________________________________________________________________________________
*** CID 541279:    (TAINTED_SCALAR)
/drivers/led/led-uclass.c: 284 in led_get_function_name()
278                     if (!ret) {
279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
280                                      "%s:%s-%d",
281                                      cp ? "" : led_colors[color],
282                                      func ? func : "", enumerator);
283                     } else {
>>>     CID 541279:    (TAINTED_SCALAR)
>>>     Using tainted variable "color" as an index into an array "led_colors".
284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
285                                      "%s:%s",
286                                      cp ? "" : led_colors[color],
287                                      func ? func : "");
288                     }
289                     uc_plat->label = uc_plat->name;
/drivers/led/led-uclass.c: 279 in led_get_function_name()
273             /* Now try to detect function label name */
274             func = dev_read_string(dev, "function");
275             cp = dev_read_u32(dev, "color", &color);
276             if (cp == 0 || func) {
277                     ret = dev_read_u32(dev, "function-enumerator", &enumerator);
278                     if (!ret) {
>>>     CID 541279:    (TAINTED_SCALAR)
>>>     Using tainted variable "color" as an index into an array "led_colors".
279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
280                                      "%s:%s-%d",
281                                      cp ? "" : led_colors[color],
282                                      func ? func : "", enumerator);
283                     } else {
284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,


----- End forwarded message -----

-- 
Tom


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-02-10 22:26 Tom Rini
@ 2025-02-11  6:14 ` Heiko Schocher
  2025-02-11 22:30   ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Heiko Schocher @ 2025-02-11  6:14 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Raymond Mao, Ilias Apalodimas

Hello Tom,

On 10.02.25 23:26, Tom Rini wrote:
> Here's the latest report.
> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Feb 10, 2025 at 4:12 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
> 
> 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 3 of 3 defect(s)
> 
> 
> ** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> 71      *mask = 0;
> 72
> 73      rc = tpm2_get_pcr_info(dev, &pcrs);
> 74      if (rc)
> 75              return rc;
> 76
>>>>      CID 541281:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Using tainted variable "pcrs.count" as a loop boundary.
> 77      for (i = 0; i < pcrs.count; i++) {
> 78              struct tpms_pcr_selection *sel = &pcrs.selection[i];
> 79              size_t j;
> 80              u32 hash_mask = 0;
> 81
> 82              for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {
> 
> ** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
> /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
> /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> 301                      * first call
> 302                      */
> 303                     ret = tpm2_get_pcr_info(dev, &pcr);
> 304                     if (ret)
> 305                             return ret;
> 306
>>>>      CID 541280:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Using tainted variable "pcr.count" as a loop boundary.
> 307                     for (i = 0; i < pcr.count; i++) {
> 308                             struct tpms_pcr_selection *sel =
> &pcr.selection[i];
> 309                             const char *name;
> 310
> 311                             if (!tpm2_is_active_bank(sel))
> 312                                     continue;
> 
> ** CID 541279:    (TAINTED_SCALAR)
> /drivers/led/led-uclass.c: 284 in led_get_function_name()
> /drivers/led/led-uclass.c: 279 in led_get_function_name()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 541279:    (TAINTED_SCALAR)
> /drivers/led/led-uclass.c: 284 in led_get_function_name()
> 278                     if (!ret) {
> 279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 280                                      "%s:%s-%d",
> 281                                      cp ? "" : led_colors[color],
> 282                                      func ? func : "", enumerator);
> 283                     } else {
>>>>      CID 541279:    (TAINTED_SCALAR)
>>>>      Using tainted variable "color" as an index into an array
> "led_colors".
> 284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 285                                      "%s:%s",
> 286                                      cp ? "" : led_colors[color],
> 287                                      func ? func : "");
> 288                     }
> 289                     uc_plat->label = uc_plat->name;
> /drivers/led/led-uclass.c: 279 in led_get_function_name()
> 273             /* Now try to detect function label name */
> 274             func = dev_read_string(dev, "function");
> 275             cp = dev_read_u32(dev, "color", &color);
> 276             if (cp == 0 || func) {
> 277                     ret = dev_read_u32(dev, "function-enumerator",
> &enumerator);
> 278                     if (!ret) {
>>>>      CID 541279:    (TAINTED_SCALAR)
>>>>      Using tainted variable "color" as an index into an array
> "led_colors".
> 279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 280                                      "%s:%s-%d",
> 281                                      cp ? "" : led_colors[color],
> 282                                      func ? func : "", enumerator);
> 283                     } else {
> 284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 
> 
> ----- End forwarded message -----
> 

Just a fast idea:

diff --git a/drivers/led/led-uclass.c b/drivers/led/led-uclass.c
index 27ef890ed0a..fc15a0811e0 100644
--- a/drivers/led/led-uclass.c
+++ b/drivers/led/led-uclass.c
@@ -273,6 +273,10 @@ static const char *led_get_function_name(struct udevice *dev)
         /* Now try to detect function label name */
         func = dev_read_string(dev, "function");
         cp = dev_read_u32(dev, "color", &color);
+       // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
+       if ((color < LED_COLOR_ID_WHITE) || (color >= LED_COLOR_ID_MAX))
+               cp = -EINVAL;
+
         if (cp == 0 || func) {
                 ret = dev_read_u32(dev, "function-enumerator", &enumerator);
                 if (!ret) {
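Review bot: the lower-bound half of the new check, `color < LED_COLOR_ID_WHITE`, can never be true when `color` is a u32 and LED_COLOR_ID_WHITE is 0, so only `color >= LED_COLOR_ID_MAX` does any work and a static analyser will flag the dead comparison. The check also runs when dev_read_u32() failed (`cp != 0`), i.e. when no "color" property exists and `color` holds whatever it was initialised to (its declaration is not in this hunk), so it should be gated on the read having succeeded, for example `if (!cp && color >= LED_COLOR_ID_MAX) cp = -EINVAL;`. The comment would be more useful stating the invariant being enforced (color is an index into led_colors) than naming a Coverity CID, and the rest of this function uses `/* */` comments (line 273) rather than `//`.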

If okay, I can send a patch for this.

Or maybe better, we move this check into a new function:

int dev_read_min_max_u32(const struct udevice *dev, u32 min, u32 max, const char *propname, u32 *outp)

which returns -EINVAL if the read value is not in the [min, max] range?

So maybe this function can be used in other places too?

Thanks!

bye,
Heiko
-- 
DENX Software Engineering GmbH,      Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52   Fax: +49-8142-66989-80   Email: hs@denx.de

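The two TPM findings quoted above (CID 541281 and CID 541280, `pcrs.count` / `pcr.count` used as a loop bound) are the same defect: the count comes back from the TPM and is trusted to stay within the fixed-size `selection[]` array. The following is an added example, not U-Boot code and not part of this thread. It parses a constructed response in the shape of TPM 2.0's TPML_PCR_SELECTION into a fixed-capacity structure and rejects the count before any loop or copy uses it. The capacity `PCR_BANKS_MAX`, the struct layout, the `scan_response()` wrapper and the byte strings are assumptions made for the example; the responses are constructed, not captured from a device.

```c
/*
 * Added example, not U-Boot code: parse a TPM response shaped like a TPM 2.0
 * TPML_PCR_SELECTION and validate the device-supplied count before it is
 * used as a loop bound over a fixed-size selection[] array. PCR_BANKS_MAX,
 * the struct layout and the response bytes are assumptions for this example.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCR_BANKS_MAX		4	/* assumed capacity of selection[] */
#define PCR_SELECT_BYTES	3	/* assumed max sizeofSelect (24 PCRs) */

struct pcr_selection {
	uint16_t hash;				/* TPM_ALG_ID, 0x000B = SHA-256 */
	uint8_t size_of_select;
	uint8_t pcr_select[PCR_SELECT_BYTES];	/* PCR bitmap */
};

struct pcr_info {
	uint32_t count;				/* from the device: tainted */
	struct pcr_selection selection[PCR_BANKS_MAX];
};

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

/*
 * Wire format: u32 count, then count entries of
 * { u16 hash, u8 sizeofSelect, u8 pcrSelect[sizeofSelect] }.
 * Every length taken from the buffer is checked against the remaining input
 * and against the receiving array before it drives a loop or a copy.
 */
static int pcr_info_parse(const uint8_t *buf, size_t len, struct pcr_info *out)
{
	size_t off = 4;
	uint32_t count;

	memset(out, 0, sizeof(*out));
	if (len < off)
		return -EINVAL;
	count = get_be32(buf);
	if (count > PCR_BANKS_MAX)
		return -E2BIG;	/* bound the tainted count before the loop */

	for (uint32_t i = 0; i < count; i++) {
		struct pcr_selection *sel = &out->selection[i];

		if (len - off < 3)
			return -EINVAL;
		sel->hash = (uint16_t)((buf[off] << 8) | buf[off + 1]);
		sel->size_of_select = buf[off + 2];
		off += 3;
		if (sel->size_of_select > PCR_SELECT_BYTES ||
		    len - off < sel->size_of_select)
			return -EINVAL;
		memcpy(sel->pcr_select, buf + off, sel->size_of_select);
		off += sel->size_of_select;
	}
	out->count = count;
	return 0;
}

/* Banks with at least one PCR selected; count is already bounded here. */
static int active_bank_count(const struct pcr_info *p)
{
	int n = 0;

	for (uint32_t i = 0; i < p->count; i++) {
		const struct pcr_selection *sel = &p->selection[i];

		for (uint8_t j = 0; j < sel->size_of_select; j++) {
			if (sel->pcr_select[j]) {
				n++;
				break;
			}
		}
	}
	return n;
}

/* Constructed responses, not real TPM output. */
static const uint8_t resp_ok[] = {
	0x00, 0x00, 0x00, 0x02,			/* count = 2 */
	0x00, 0x0B, 0x03, 0xFF, 0xFF, 0xFF,	/* SHA-256 bank, all 24 PCRs */
	0x00, 0x04, 0x03, 0x00, 0x00, 0x00,	/* SHA-1 bank, none selected */
};
static const uint8_t resp_huge_count[] = {
	0xFF, 0xFF, 0xFF, 0xFF,			/* count = 4294967295 */
	0x00, 0x0B, 0x03, 0xFF, 0xFF, 0xFF,
};
static const uint8_t resp_truncated[] = {
	0x00, 0x00, 0x00, 0x01, 0x00, 0x0B, 0x03, 0xFF,	/* bitmap cut short */
};

/* Active bank count on success, negative errno when the response is rejected. */
int scan_response(const uint8_t *buf, size_t len)
{
	struct pcr_info info;
	int rc = pcr_info_parse(buf, len, &info);

	return rc ? rc : active_bank_count(&info);
}

int main(void)
{
	printf("ok: %d\n", scan_response(resp_ok, sizeof(resp_ok)));
	printf("huge count: %d\n", scan_response(resp_huge_count, sizeof(resp_huge_count)));
	printf("truncated: %d\n", scan_response(resp_truncated, sizeof(resp_truncated)));
	return 0;
}
```

The point is where the check sits: once `count` is compared against `PCR_BANKS_MAX` inside the parser, every later consumer (here `active_bank_count()`, in U-Boot `tpm2_scan_masks()` and `do_tpm2_pcrallocate()`) can loop on `count` without repeating the test, and the analyser sees the scalar as sanitised at its single entry point.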

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-02-11  6:14 ` Heiko Schocher
@ 2025-02-11 22:30   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-02-11 22:30 UTC (permalink / raw)
  To: Heiko Schocher; +Cc: u-boot, Raymond Mao, Ilias Apalodimas

On Tue, Feb 11, 2025 at 07:14:19AM +0100, Heiko Schocher wrote:
> Hello Tom,
> 
> On 10.02.25 23:26, Tom Rini wrote:
> > Here's the latest report.
> > 
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Mon, Feb 10, 2025 at 4:12 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> > 
> > 
> > Hi,
> > 
> > Please find the latest report on new defect(s) introduced to Das U-Boot
> > found with Coverity Scan.
> > 
> > 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > 
> > 
> > New defect(s) Reported-by: Coverity Scan
> > Showing 3 of 3 defect(s)
> > 
> > 
> > ** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
> > /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> > 
> > 
> > ________________________________________________________________________________________________________
> > *** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
> > /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> > 71      *mask = 0;
> > 72
> > 73      rc = tpm2_get_pcr_info(dev, &pcrs);
> > 74      if (rc)
> > 75              return rc;
> > 76
> > > > >      CID 541281:  Insecure data handling  (TAINTED_SCALAR)
> > > > >      Using tainted variable "pcrs.count" as a loop boundary.
> > 77      for (i = 0; i < pcrs.count; i++) {
> > 78              struct tpms_pcr_selection *sel = &pcrs.selection[i];
> > 79              size_t j;
> > 80              u32 hash_mask = 0;
> > 81
> > 82              for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {
> > 
> > ** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
> > /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> > 
> > 
> > ________________________________________________________________________________________________________
> > *** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
> > /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> > 301                      * first call
> > 302                      */
> > 303                     ret = tpm2_get_pcr_info(dev, &pcr);
> > 304                     if (ret)
> > 305                             return ret;
> > 306
> > > > >      CID 541280:  Insecure data handling  (TAINTED_SCALAR)
> > > > >      Using tainted variable "pcr.count" as a loop boundary.
> > 307                     for (i = 0; i < pcr.count; i++) {
> > 308                             struct tpms_pcr_selection *sel =
> > &pcr.selection[i];
> > 309                             const char *name;
> > 310
> > 311                             if (!tpm2_is_active_bank(sel))
> > 312                                     continue;
> > 
> > ** CID 541279:    (TAINTED_SCALAR)
> > /drivers/led/led-uclass.c: 284 in led_get_function_name()
> > /drivers/led/led-uclass.c: 279 in led_get_function_name()
> > 
> > 
> > ________________________________________________________________________________________________________
> > *** CID 541279:    (TAINTED_SCALAR)
> > /drivers/led/led-uclass.c: 284 in led_get_function_name()
> > 278                     if (!ret) {
> > 279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> > 280                                      "%s:%s-%d",
> > 281                                      cp ? "" : led_colors[color],
> > 282                                      func ? func : "", enumerator);
> > 283                     } else {
> > > > >      CID 541279:    (TAINTED_SCALAR)
> > > > >      Using tainted variable "color" as an index into an array
> > "led_colors".
> > 284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> > 285                                      "%s:%s",
> > 286                                      cp ? "" : led_colors[color],
> > 287                                      func ? func : "");
> > 288                     }
> > 289                     uc_plat->label = uc_plat->name;
> > /drivers/led/led-uclass.c: 279 in led_get_function_name()
> > 273             /* Now try to detect function label name */
> > 274             func = dev_read_string(dev, "function");
> > 275             cp = dev_read_u32(dev, "color", &color);
> > 276             if (cp == 0 || func) {
> > 277                     ret = dev_read_u32(dev, "function-enumerator",
> > &enumerator);
> > 278                     if (!ret) {
> > > > >      CID 541279:    (TAINTED_SCALAR)
> > > > >      Using tainted variable "color" as an index into an array
> > "led_colors".
> > 279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> > 280                                      "%s:%s-%d",
> > 281                                      cp ? "" : led_colors[color],
> > 282                                      func ? func : "", enumerator);
> > 283                     } else {
> > 284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> > 
> > 
> > ----- End forwarded message -----
> > 
> 
> Just a fast idea:
> 
> diff --git a/drivers/led/led-uclass.c b/drivers/led/led-uclass.c
> index 27ef890ed0a..fc15a0811e0 100644
> --- a/drivers/led/led-uclass.c
> +++ b/drivers/led/led-uclass.c
> @@ -273,6 +273,10 @@ static const char *led_get_function_name(struct udevice *dev)
>         /* Now try to detect function label name */
>         func = dev_read_string(dev, "function");
>         cp = dev_read_u32(dev, "color", &color);
> +       // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
> +       if ((color < LED_COLOR_ID_WHITE) || (color >= LED_COLOR_ID_MAX))
> +               cp = -EINVAL;
> +
>         if (cp == 0 || func) {
>                 ret = dev_read_u32(dev, "function-enumerator", &enumerator);
>                 if (!ret) {
> 
> If okay, I can send a patch for this.

This is probably fine, thanks.

> Or maybe better, we move this check into a new function:
> 
> int dev_read_min_max_u32(const struct udevice *dev, u32 min, u32 max, const char *propname, u32 *outp)
> 
> which returns -EINVAL if the read value is not in the [min, max] range?
> 
> So maybe this function can be used in other places too?

It would be good to spend some time looking at the codebase to see what
sort of generic wrapper may or may not help first I think.

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-02-25  2:39 Tom Rini
  2025-02-25  6:06 ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-02-25  2:39 UTC (permalink / raw)
  To: u-boot, Heiko Schocher

Here's the latest report. Getting closer with the led change. I do wish
it was easier to test fixes here.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 24, 2025, 5:05 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 542488:  Control flow issues  (NO_EFFECT)
/drivers/led/led-uclass.c: 277 in led_get_function_name()


________________________________________________________________________________________________________
*** CID 542488:  Control flow issues  (NO_EFFECT)
/drivers/led/led-uclass.c: 277 in led_get_function_name()
271                     return uc_plat->label;
272
273             /* Now try to detect function label name */
274             func = dev_read_string(dev, "function");
275             cp = dev_read_u32(dev, "color", &color);
276             // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>>     CID 542488:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true.
"color < 0U".
277             if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
278                     cp = -EINVAL;
279
280             if (cp == 0 || func) {
281                     ret = dev_read_u32(dev, "function-enumerator",
&enumerator);
282                     if (!ret) {


----- End forwarded message -----

-- 
Tom


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-02-25  2:39 Tom Rini
@ 2025-02-25  6:06 ` Heiko Schocher
  2025-02-25 10:48   ` Quentin Schulz
  0 siblings, 1 reply; 105+ messages in thread
From: Heiko Schocher @ 2025-02-25  6:06 UTC (permalink / raw)
  To: Tom Rini, u-boot

Hello Tom,

On 25.02.25 03:39, Tom Rini wrote:
> Here's the latest report. Getting closer with the led change. I do wish
> it was easier to test fixes here.

Yes...

> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Feb 24, 2025, 5:05 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
> 
> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 1 of 1 defect(s)
> 
> 
> ** CID 542488:  Control flow issues  (NO_EFFECT)
> /drivers/led/led-uclass.c: 277 in led_get_function_name()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 542488:  Control flow issues  (NO_EFFECT)
> /drivers/led/led-uclass.c: 277 in led_get_function_name()
> 271                     return uc_plat->label;
> 272
> 273             /* Now try to detect function label name */
> 274             func = dev_read_string(dev, "function");
> 275             cp = dev_read_u32(dev, "color", &color);
> 276             // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>>>      CID 542488:  Control flow issues  (NO_EFFECT)
>>>>      This less-than-zero comparison of an unsigned value is never true.
> "color < 0U".
> 277             if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
> 278                     cp = -EINVAL;

So I simply remove this check ... and add a comment that LED_COLOR_ID_WHITE
must be 0...

> 279
> 280             if (cp == 0 || func) {
> 281                     ret = dev_read_u32(dev, "function-enumerator",
> &enumerator);
> 282                     if (!ret) {
> 
> 
> ----- End forwarded message -----

Will send the fix when CI succeeds:
https://dev.azure.com/hs0298/hs/_build/results?buildId=171&view=results

Thanks for the report.

bye,
Heiko

-- 
DENX Software Engineering GmbH,      Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52   Fax: +49-8142-66989-80   Email: hs@denx.de


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-02-25  6:06 ` Heiko Schocher
@ 2025-02-25 10:48   ` Quentin Schulz
  2025-02-25 10:54     ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Quentin Schulz @ 2025-02-25 10:48 UTC (permalink / raw)
  To: hs, Tom Rini, u-boot

Hi Heiko,

On 2/25/25 7:06 AM, Heiko Schocher wrote:
> Hello Tom,
> 
> On 25.02.25 03:39, Tom Rini wrote:
>> Here's the latest report. Getting closer with the led change. I do wish
>> it was easier to test fixes here.
> 
> Yes...
> 
>> ---------- Forwarded message ---------
>> From: <scan-admin@coverity.com>
>> Date: Mon, Feb 24, 2025, 5:05 PM
>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>> To: <tom.rini@gmail.com>
>>
>>
>> Hi,
>>
>> Please find the latest report on new defect(s) introduced to Das U-Boot
>> found with Coverity Scan.
>>
>> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>> recent build analyzed by Coverity Scan.
>>
>> New defect(s) Reported-by: Coverity Scan
>> Showing 1 of 1 defect(s)
>>
>>
>> ** CID 542488:  Control flow issues  (NO_EFFECT)
>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>>
>>
>> ________________________________________________________________________________________________________
>> *** CID 542488:  Control flow issues  (NO_EFFECT)
>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>> 271                     return uc_plat->label;
>> 272
>> 273             /* Now try to detect function label name */
>> 274             func = dev_read_string(dev, "function");
>> 275             cp = dev_read_u32(dev, "color", &color);
>> 276             // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>>>>      CID 542488:  Control flow issues  (NO_EFFECT)
>>>>>      This less-than-zero comparison of an unsigned value is never true.
>> "color < 0U".
>> 277             if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
>> 278                     cp = -EINVAL;
> 
> So I simply remove this check ... and add a comment that LED_COLOR_ID_WHITE
> must be 0...
> 

It's part of the binding from the kernel; I assume it's safe to assume
it'll be 0?

Also, this is guaranteed by the fact color is a u32 in 
led_get_function_name, so it cannot be < 0.

Cheers,
Quentin


* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-02-25 10:48   ` Quentin Schulz
@ 2025-02-25 10:54     ` Heiko Schocher
  0 siblings, 0 replies; 105+ messages in thread
From: Heiko Schocher @ 2025-02-25 10:54 UTC (permalink / raw)
  To: Quentin Schulz, Tom Rini, u-boot

Hello Quentin,

On 25.02.25 11:48, Quentin Schulz wrote:
> Hi Heiko,
> 
> On 2/25/25 7:06 AM, Heiko Schocher wrote:
>> Hello Tom,
>>
>> On 25.02.25 03:39, Tom Rini wrote:
>>> Here's the latest report. Getting closer with the led change. I do wish
>>> it was easier to test fixes here.
>>
>> Yes...
>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Mon, Feb 24, 2025, 5:05 PM
>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>> To: <tom.rini@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to Das U-Boot
>>> found with Coverity Scan.
>>>
>>> 1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>>> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
>>> recent build analyzed by Coverity Scan.
>>>
>>> New defect(s) Reported-by: Coverity Scan
>>> Showing 1 of 1 defect(s)
>>>
>>>
>>> ** CID 542488:  Control flow issues  (NO_EFFECT)
>>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>>>
>>>
>>> ________________________________________________________________________________________________________
>>> *** CID 542488:  Control flow issues  (NO_EFFECT)
>>> /drivers/led/led-uclass.c: 277 in led_get_function_name()
>>> 271                     return uc_plat->label;
>>> 272
>>> 273             /* Now try to detect function label name */
>>> 274             func = dev_read_string(dev, "function");
>>> 275             cp = dev_read_u32(dev, "color", &color);
>>> 276             // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>>>>>      CID 542488:  Control flow issues  (NO_EFFECT)
>>>>>>      This less-than-zero comparison of an unsigned value is never true.
>>> "color < 0U".
>>> 277             if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
>>> 278                     cp = -EINVAL;
>>
>> So I simply remove this check ... and add a comment that LED_COLOR_ID_WHITE
>> must be 0...
>>
> 
> It's part of the binding from the kernel; I assume it's safe to assume it'll be 0?

Yes it is.

> Also, this is guaranteed by the fact color is a u32 in led_get_function_name, so it cannot be < 0.

Posted a fix, see:

http://patchwork.ozlabs.org/project/uboot/patch/20250225094923.71364-1-hs@denx.de/

Added a comment at the LED_COLOR_ID_WHITE definition, so in case someone wants
to move LED_COLOR_ID_WHITE to another value... maybe it helps.

Thanks!

bye,
Heiko
-- 
DENX Software Engineering GmbH,      Managing Director: Erika Unter
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-52   Fax: +49-8142-66989-80   Email: hs@denx.de

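Two passages in this thread call for the same illustration: Heiko's proposal of a `dev_read_min_max_u32(dev, min, max, propname, outp)` helper that returns -EINVAL for a value outside [min, max], and the CID 542488 NO_EFFECT report that `color < LED_COLOR_ID_WHITE` can never be true for a u32. The following is an added example, not U-Boot code and not the patch posted above. It implements the proposed helper over a stand-in `dev_read_u32()` backed by an in-memory property list (an assumption; U-Boot's real `dev_read_u32()` reads the device tree), uses it to index a colour table that follows the kernel LED binding with LED_COLOR_ID_WHITE at 0, and shows the dead lower-bound comparison next to a case where a lower bound above 0 actually matters. The property lists, `read_enumerator()` and the device names are constructed for the example.

```c
/*
 * Added example, not U-Boot code. Sketches the dev_read_min_max_u32() helper
 * proposed in this thread over a constructed in-memory "device", and shows
 * why "color < LED_COLOR_ID_WHITE" is dead for a u32 (CID 542488). The
 * stand-in dev_read_u32(), the property lists and the colour table are
 * assumptions for the example; the table follows the kernel LED binding,
 * where LED_COLOR_ID_WHITE is 0.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

enum {
	LED_COLOR_ID_WHITE = 0,	/* must stay 0 for the range check below */
	LED_COLOR_ID_RED,
	LED_COLOR_ID_GREEN,
	LED_COLOR_ID_BLUE,
	LED_COLOR_ID_MAX,
};

static const char *const led_colors[LED_COLOR_ID_MAX] = {
	"white", "red", "green", "blue",
};

struct fake_prop { const char *name; u32 value; };
struct fake_dev  { const struct fake_prop *props; size_t nprops; };

/* Stand-in for dev_read_u32(): 0 on success, -ENOENT when absent (assumed). */
static int dev_read_u32(const struct fake_dev *dev, const char *name, u32 *outp)
{
	for (size_t i = 0; i < dev->nprops; i++) {
		if (!strcmp(dev->props[i].name, name)) {
			*outp = dev->props[i].value;
			return 0;
		}
	}
	return -ENOENT;
}

/* The proposed helper: read a u32 property, reject values outside [min, max]. */
int dev_read_min_max_u32(const struct fake_dev *dev, u32 min, u32 max,
			 const char *propname, u32 *outp)
{
	u32 val;
	int ret = dev_read_u32(dev, propname, &val);

	if (ret)
		return ret;
	if (val < min || val > max)
		return -EINVAL;
	*outp = val;
	return 0;
}

/*
 * Colour name for the device's "color" property, or "" when the property is
 * absent or out of range. The helper proves the index is in range, so the
 * array access itself needs no further check.
 */
const char *led_color_name(const struct fake_dev *dev)
{
	u32 color;

	if (dev_read_min_max_u32(dev, LED_COLOR_ID_WHITE, LED_COLOR_ID_MAX - 1,
				 "color", &color))
		return "";
	return led_colors[color];
}

/*
 * The NO_EFFECT finding: with color a u32 and LED_COLOR_ID_WHITE == 0 this is
 * false for every input, so only the upper bound in the posted patch did any
 * work. A lower bound is only meaningful when min > 0, as in read_enumerator().
 */
int lower_bound_rejects(u32 color)
{
	return color < LED_COLOR_ID_WHITE;
}

/* "function-enumerator" restricted to [1, 99]; value on success, -errno otherwise. */
int read_enumerator(const struct fake_dev *dev)
{
	u32 e;
	int ret = dev_read_min_max_u32(dev, 1, 99, "function-enumerator", &e);

	return ret ? ret : (int)e;
}

/* Constructed device nodes, not real device-tree data. */
static const struct fake_prop green_props[] = {
	{ "color", LED_COLOR_ID_GREEN }, { "function-enumerator", 2 },
};
static const struct fake_prop bogus_props[] = { { "color", 0xFFFFFFFFu } };
static const struct fake_prop zero_enum_props[] = { { "function-enumerator", 0 } };

const struct fake_dev green_dev = { green_props, 2 };
const struct fake_dev bogus_dev = { bogus_props, 1 };
const struct fake_dev zero_enum_dev = { zero_enum_props, 1 };

int main(void)
{
	printf("green_dev colour: \"%s\"\n", led_color_name(&green_dev));
	printf("bogus_dev colour: \"%s\"\n", led_color_name(&bogus_dev));
	printf("zero_enum_dev enumerator: %d\n", read_enumerator(&zero_enum_dev));
	return 0;
}
```

The helper makes the range part of the read rather than a separate fix-up after it, which avoids the two weaknesses of the posted patch: the comparison against 0 that the analyser reports as dead, and a check that runs on `color` even when the property was never read.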

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-03-11  1:49 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-03-11  1:49 UTC (permalink / raw)
  To: u-boot, Adriano Cordova

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Mar 10, 2025 at 5:43 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 544194:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1084 in efi_net_set_dp()


________________________________________________________________________________________________________
*** CID 544194:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1084 in efi_net_set_dp()
1078            // If netobj is not started yet, end here.
1079            if (!netobj) {
1080                    goto exit;
1081            }
1082
1083            phandler = NULL;
>>>     CID 544194:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "efi_search_protocol" without checking return value (as is
done elsewhere 39 out of 43 times).
1084            efi_search_protocol(&netobj->header, &efi_guid_device_path,
&phandler);
1085
1086            // If the device path protocol is not yet installed,
install it
1087            if (!phandler)
1088                    goto add;
1089


----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-04-28 21:59 Tom Rini
  2025-04-29 12:07 ` Jerome Forissier
                   ` (2 more replies)
  0 siblings, 3 replies; 105+ messages in thread
From: Tom Rini @ 2025-04-28 21:59 UTC (permalink / raw)
  To: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
	Marek Vasut, Heinrich Schuchardt, Patrick Rudolph,
	Adriano Cordova, Paul HENRYS, Daniel Golle, Simon Glass

Hey all,

Here's the latest set of Coverity defects. Please let me know if some of
these are false positives for example, thanks.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 28, 2025 at 3:52 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 33 defect(s)


** CID 550306:  Control flow issues  (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()


________________________________________________________________________________________________________
*** CID 550306:  Control flow issues  (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()
541             int rc;
542             cluster_t cluster;
543             const char* bufp = buffer;
544             off_t lsize, loffset, remainder;
545
546             if (offset < 0)
>>>     CID 550306:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -22L;".
547                     return -EINVAL;
548             if (uoffset > node->size)
549             {
550                     rc = exfat_truncate(ef, node, uoffset, true);
551                     if (rc != 0)
552                             return rc;

** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()


________________________________________________________________________________________________________
*** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()
733                     return err;
734
735             dirs = calloc(1, sizeof(*dirs));
736             if (!dirs)
737                     return -ENOMEM;
738
>>>     CID 550305:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 1024-character fixed-size string
"dirs->dirname" by copying "filename" without checking the length.
739             strcpy(dirs->dirname, filename);
740             dirs->offset = -1;
741
742             *dirsp = &dirs->fs_dirs;
743
744             return 0;

** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()


________________________________________________________________________________________________________
*** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()
92      (void) munmap((void *)fit_blob, fsbuf.st_size);
93
94      if (key_blob)
95              (void)munmap((void *)key_blob, ksbuf.st_size);
96
97      close(ffd);
>>>     CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "kfd" is passed to a parameter that cannot be negative.
98      close(kfd);
99      exit(ret);

** CID 550303:  Control flow issues  (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()


________________________________________________________________________________________________________
*** CID 550303:  Control flow issues  (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()
126
127             info.algo_name = algo;
128             info.padding_name = padding;
129             info.key = (uint8_t *)pkey;
130             info.mandatory = 1;
131             info.sig_size = EVP_PKEY_size(pkey);
>>>     CID 550303:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true.
"info.sig_size < 0U".
132             if (info.sig_size < 0) {
133                     fprintf(stderr, "Fail to retrieve the signature
size: %s\n",
134                             ERR_error_string(ERR_get_error(), NULL));
135                     ret = EXIT_FAILURE;
136                     goto out;
137             }

** CID 550302:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 550302:    (TAINTED_SCALAR)
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt
*)hdr)->firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt *)hdr)->x_dsdt" to
"list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt *)hdr)->dsdt" to
"list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {
/cmd/acpi.c: 116 in list_rsdt()
110                             entry = xsdt->entry[i];
111                     else
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "hdr->length" to "dump_hdr", which uses
it as a loop boundary.
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
/cmd/acpi.c: 95 in list_rsdt()
89      if (rsdp->rsdt_address) {
90              rsdt = nomap_sysmem(rsdp->rsdt_address, 0);
91              dump_hdr(&rsdt->header, chksums);
92      }
93      if (rsdp->xsdt_address) {
94              xsdt = nomap_sysmem(rsdp->xsdt_address, 0);
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "xsdt->header.length" to "dump_hdr",
which uses it as a loop boundary.
95              dump_hdr(&xsdt->header, chksums);
96              len = xsdt->header.length - sizeof(xsdt->header);
97              count = len / sizeof(u64);
98      } else if (rsdp->rsdt_address) {
99              len = rsdt->header.length - sizeof(rsdt->header);
100                     count = len / sizeof(u32);
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt
*)hdr)->x_firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {

** CID 550301:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 550301:    (OVERRUN)
/lib/acpi/acpi_table.c: 199 in acpi_add_table()
193
194                     /* Fix RSDT length or the kernel will assume
invalid entries */
195                     rsdt->header.length = sizeof(struct
acpi_table_header) +
196                                             (sizeof(u32) * (i + 1));
197
198                     /* Re-calculate checksum */
>>>     CID 550301:    (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 39 using argument
"rsdt->header.length" (which evaluates to 40).
199                     acpi_update_checksum(&rsdt->header);
200             }
201
202             if (ctx->xsdt) {
203                     /*
204                      * And now the same thing for the XSDT. We use the
same index as for
/lib/acpi/acpi_table.c: 230 in acpi_add_table()
224
225                     /* Fix XSDT length */
226                     xsdt->header.length = sizeof(struct
acpi_table_header) +
227                                             (sizeof(u64) * (i + 1));
228
229                     /* Re-calculate checksum */
>>>     CID 550301:    (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 43 using argument
"xsdt->header.length" (which evaluates to 44).
230                     acpi_update_checksum(&xsdt->header);
231             }
232
233             return 0;
234     }
235

** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()


________________________________________________________________________________________________________
*** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()
140             /* 16 EB (minus 1 byte) is the largest size that can be
represented by
141                uint64_t */
142             const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
"PB", "EB"};
143             uint64_t divisor = 1;
144             uint64_t temp = 0;
145
>>>     CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "divisor", overflows the type of "divisor", which is
type "uint64_t".
146             for (i = 0; ; i++, divisor *= 1024)
147             {
148                     temp = (value + divisor / 2) / divisor;
149
150                     if (temp == 0)
151                             break;

** CID 550299:  Null pointer dereferences  (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()


________________________________________________________________________________________________________
*** CID 550299:  Null pointer dereferences  (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()
245                     strcpy(fh->path, "");
246             }
247
248             return &fh->base;
249
250     error:
>>>     CID 550299:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "fh".
251             free(fh->path);
252             free(fh);
253             return NULL;
254     }
255
256     efi_status_t efi_file_open_int(struct efi_file_handle *this,

** CID 550298:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()


________________________________________________________________________________________________________
*** CID 550298:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
1048            struct efi_handler *phandler;
1049
1050            if (!efi_netobj_is_active(netobj))
1051                    return NULL;
1052
1053            phandler = NULL;
>>>     CID 550298:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "efi_search_protocol" without checking return value (as is
done elsewhere 37 out of 42 times).
1054            efi_search_protocol(&netobj->header, &efi_guid_device_path,
&phandler);
1055
1056            if (phandler && phandler->protocol_interface)
1057                    return efi_dp_dup(phandler->protocol_interface);
1058
1059            return NULL;

** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()


________________________________________________________________________________________________________
*** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()
168                                     ret = wait_job(i);
169             } else {
170                     for (i = 1; i < argc; i++) {
171                             id = dectoul(argv[i], NULL);
172                             if (id < 0 || id >
CONFIG_CMD_SPAWN_NUM_JOBS)
173                                     return CMD_RET_USAGE;
>>>     CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "idx", where "(int)id - 1" is known to be equal to -1,
overflows the type of "idx", which is type "unsigned int".
174                             idx = (int)id - 1;
175                             ret = wait_job(idx);
176                     }
177             }
178
179             return ret;

** CID 550296:  Control flow issues  (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()


________________________________________________________________________________________________________
*** CID 550296:  Control flow issues  (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()
166                     for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
167                             if (job[i])
168                                     ret = wait_job(i);
169             } else {
170                     for (i = 1; i < argc; i++) {
171                             id = dectoul(argv[i], NULL);
>>>     CID 550296:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true.
"id < 0UL".
172                             if (id < 0 || id >
CONFIG_CMD_SPAWN_NUM_JOBS)
173                                     return CMD_RET_USAGE;
174                             idx = (int)id - 1;
175                             ret = wait_job(idx);
176                     }
177             }

** CID 550295:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 550295:  Insecure data handling  (TAINTED_SCALAR)
/test/lib/membuf.c: 235 in lib_test_membuf_readline()
229                             *ptr = '\n';
230                     } else {
231                             ut_assert(membuf_free(&mb));
232                     }
233             }
234             membuf_dispose(&mb);
>>>     CID 550295:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*buf" to "os_free", which uses it as an
offset.
235             os_free(buf);
236
237             return 0;
238     }

** CID 550294:  Code maintainability issues  (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()


________________________________________________________________________________________________________
*** CID 550294:  Code maintainability issues  (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()
62              ut_assertok(membuf_check(uts, &mb, i));
63
64              ret = membuf_get(&mb, out, 0);
65              ret = membuf_get(&mb, out, size);
66              ut_asserteq(size, ret);
67
>>>     CID 550294:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "membuf_get(&mb, out, 0)" to "ret" here, but
that stored value is overwritten before it can be used.
68              ret = membuf_get(&mb, out, 0);
69              ut_assertok(membuf_check(uts, &mb, i));
70
71              ut_asserteq_mem(in, out, size);
72      }
73

** CID 550293:  Memory - illegal accesses  (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()


________________________________________________________________________________________________________
*** CID 550293:  Memory - illegal accesses  (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()
218                     ret = membuf_readline(&mb, str, 256, 0, true);
219                     ut_assertok(membuf_check(uts, &mb, i));
220                     if (ret) {
221                             char *ptr;
222
223                             s = &buf[cmpptr];
>>>     CID 550293:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "s" to "strchr", which expects a
null-terminated string. [Note: The source code implementation of the
function has been overridden by a builtin model.]
224                             ptr = strchr(s, '\n');
225                             *ptr = '\0';
226
227                             ut_asserteq_str(s, str);
228                             cmpptr += strlen(s) + 1;
229                             *ptr = '\n';

** CID 550292:    (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()


________________________________________________________________________________________________________
*** CID 550292:    (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159             param[10] = 0x0;
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
>>>     CID 550292:    (BAD_SHIFT)
>>>     In expression "blocks >> 24", right shifting "blocks" by more than
15 bits always yields zero.  The shift amount is 24.
165             param[16] = (blocks >> 24) & 0xff;
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
165             param[16] = (blocks >> 24) & 0xff;
>>>     CID 550292:    (BAD_SHIFT)
>>>     In expression "blocks >> 16", right shifting "blocks" by more than
15 bits always yields zero.  The shift amount is 16.
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
171             pccb->cmd[0] = SCSI_UNMAP;

** CID 550291:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 550291:  Memory - corruptions  (OVERRUN)
/lib/acpi/acpi_table.c: 549 in acpi_write_spcr()
543              * to touch the configuration of the serial device.
544              */
545             if (serial_info.clock != SERIAL_DEFAULT_CLOCK)
546                     spcr->baud_rate = 0;
547
548             /* Fix checksum */
>>>     CID 550291:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 79 using argument
"header->length" (which evaluates to 80).
549             acpi_update_checksum(header);
550
551             acpi_add_table(ctx, spcr);
552             acpi_inc(ctx, spcr->header.length);
553
554             return 0;

** CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()


________________________________________________________________________________________________________
*** CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()
48      }
49
50      test_size = TEST_SIZE;
51
52      for (i = 1; i < TEST_COUNT; i++) {
53              membuf_zero(&mb);
>>>     CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
54              size = rand() % test_size;
55
56              // now write patterns and check they come back OK
57              ret = membuf_put(&mb, in, 0);
58              ret = membuf_put(&mb, in, size);
59              ut_asserteq(size, ret);

** CID 550289:    (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()


________________________________________________________________________________________________________
*** CID 550289:    (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
165             param[16] = (blocks >> 24) & 0xff;
>>>     CID 550289:    (CONSTANT_EXPRESSION_RESULT)
>>>     "blocks >> 16" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
171             pccb->cmd[0] = SCSI_UNMAP;
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159             param[10] = 0x0;
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
>>>     CID 550289:    (CONSTANT_EXPRESSION_RESULT)
>>>     "blocks >> 24" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
165             param[16] = (blocks >> 24) & 0xff;
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));

** CID 550288:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 550288:  Memory - corruptions  (OVERRUN)
/lib/acpi/base.c: 53 in acpi_write_rsdt()
47      header->length = sizeof(struct acpi_rsdt);
48      header->revision = 1;
49
50      /* Entries are filled in later, we come with an empty set */
51
52      /* Fix checksum */
>>>     CID 550288:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 163 using argument
"header->length" (which evaluates to 164).
53      acpi_update_checksum(header);
54     }
55
56     static void acpi_write_xsdt(struct acpi_xsdt *xsdt)
57     {
58      struct acpi_table_header *header = &xsdt->header;

** CID 550287:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 550287:  Memory - corruptions  (OVERRUN)
/lib/acpi/acpi_table.c: 268 in acpi_write_fadt()
262                     fadt->dsdt = fadt->x_dsdt;
263
264             fadt->preferred_pm_profile = ACPI_PM_UNSPECIFIED;
265
266             acpi_fill_fadt(fadt);
267
>>>     CID 550287:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 275 using argument
"header->length" (which evaluates to 276).
268             acpi_update_checksum(header);
269
270             return acpi_add_fadt(ctx, fadt);
271     }
272
273     #ifndef CONFIG_QFW_ACPI


----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-04-28 21:59 Tom Rini
@ 2025-04-29 12:07 ` Jerome Forissier
  2025-04-30 16:50 ` Marek Vasut
  2025-04-30 18:23 ` Heinrich Schuchardt
  2 siblings, 0 replies; 105+ messages in thread
From: Jerome Forissier @ 2025-04-29 12:07 UTC (permalink / raw)
  To: Tom Rini, u-boot, Varadarajan Narayanan, Casey Connolly,
	Marek Vasut, Heinrich Schuchardt, Patrick Rudolph,
	Adriano Cordova, Paul HENRYS, Daniel Golle, Simon Glass

Hi Tom,

On 4/28/25 23:59, Tom Rini wrote:
> Hey all,
> 
> Here's the latest set of Coverity defects. Please let me know if some of
> these are false positives for example, thanks.
> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Apr 28, 2025 at 3:52 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
> 
> 33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 33 defect(s)
> 

[...]
 
> ** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
> 168                                     ret = wait_job(i);
> 169             } else {
> 170                     for (i = 1; i < argc; i++) {
> 171                             id = dectoul(argv[i], NULL);
> 172                             if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173                                     return CMD_RET_USAGE;
>>>>     CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
>>>>     Expression "idx", where "(int)id - 1" is known to be equal to -1,
> overflows the type of "idx", which is type "unsigned int".
> 174                             idx = (int)id - 1;
> 175                             ret = wait_job(idx);
> 176                     }
> 177             }
> 178
> 179             return ret;
> 
> ** CID 550296:  Control flow issues  (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550296:  Control flow issues  (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
> 166                     for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
> 167                             if (job[i])
> 168                                     ret = wait_job(i);
> 169             } else {
> 170                     for (i = 1; i < argc; i++) {
> 171                             id = dectoul(argv[i], NULL);
>>>>     CID 550296:  Control flow issues  (NO_EFFECT)
>>>>     This less-than-zero comparison of an unsigned value is never true.
> "id < 0UL".
> 172                             if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173                                     return CMD_RET_USAGE;
> 174                             idx = (int)id - 1;
> 175                             ret = wait_job(idx);
> 176                     }
> 177             }


These two are real issues and should be fixed by [1].

[1] https://lists.denx.de/pipermail/u-boot/2025-April/588272.html

Thanks,
-- 
Jerome

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-04-28 21:59 Tom Rini
  2025-04-29 12:07 ` Jerome Forissier
@ 2025-04-30 16:50 ` Marek Vasut
  2025-04-30 17:01   ` Tom Rini
  2025-04-30 18:23 ` Heinrich Schuchardt
  2 siblings, 1 reply; 105+ messages in thread
From: Marek Vasut @ 2025-04-30 16:50 UTC (permalink / raw)
  To: Tom Rini, u-boot, Jerome Forissier, Varadarajan Narayanan,
	Casey Connolly, Heinrich Schuchardt, Patrick Rudolph,
	Adriano Cordova, Paul HENRYS, Daniel Golle, Simon Glass

On 4/28/25 11:59 PM, Tom Rini wrote:
> 
> ________________________________________________________________________________________________________
> *** CID 550306:  Control flow issues  (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> 541             int rc;
> 542             cluster_t cluster;
> 543             const char* bufp = buffer;
> 544             off_t lsize, loffset, remainder;
> 545
> 546             if (offset < 0)
>>>>      CID 550306:  Control flow issues  (DEADCODE)
>>>>      Execution cannot reach this statement: "return -22L;".
> 547                     return -EINVAL;
> 548             if (uoffset > node->size)
> 549             {
> 550                     rc = exfat_truncate(ef, node, uoffset, true);
> 551                     if (rc != 0)
> 552                             return rc;

This one is, I think, a false positive: off_t can be a signed integer, so the 
check should be in place.

> ** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
> 733                     return err;
> 734
> 735             dirs = calloc(1, sizeof(*dirs));
> 736             if (!dirs)
> 737                     return -ENOMEM;
> 738
>>>>      CID 550305:  Security best practices violations  (STRING_OVERFLOW)
>>>>      You might overrun the 1024-character fixed-size string
> "dirs->dirname" by copying "filename" without checking the length.
> 739             strcpy(dirs->dirname, filename);
> 740             dirs->offset = -1;
> 741
> 742             *dirsp = &dirs->fs_dirs;
> 743
> 744             return 0;
> 
> ** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()

Fixed:

https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-1-marex@denx.de/

> ________________________________________________________________________________________________________
> *** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> 140             /* 16 EB (minus 1 byte) is the largest size that can be
> represented by
> 141                uint64_t */
> 142             const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
> "PB", "EB"};
> 143             uint64_t divisor = 1;
> 144             uint64_t temp = 0;
> 145
>>>>      CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
>>>>      Expression "divisor", overflows the type of "divisor", which is
> type "uint64_t".
> 146             for (i = 0; ; i++, divisor *= 1024)
> 147             {
> 148                     temp = (value + divisor / 2) / divisor;
> 149
> 150                     if (temp == 0)
> 151                             break;

Fixed:

https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-2-marex@denx.de/

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-04-30 16:50 ` Marek Vasut
@ 2025-04-30 17:01   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-04-30 17:01 UTC (permalink / raw)
  To: Marek Vasut
  Cc: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
	Heinrich Schuchardt, Patrick Rudolph, Adriano Cordova,
	Paul HENRYS, Daniel Golle, Simon Glass

On Wed, Apr 30, 2025 at 06:50:50PM +0200, Marek Vasut wrote:
> On 4/28/25 11:59 PM, Tom Rini wrote:
>  > ________________________________________________________________________________________________________
> > *** CID 550306:  Control flow issues  (DEADCODE)
> > /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> > 541             int rc;
> > 542             cluster_t cluster;
> > 543             const char* bufp = buffer;
> > 544             off_t lsize, loffset, remainder;
> > 545
> > 546             if (offset < 0)
> > > > >      CID 550306:  Control flow issues  (DEADCODE)
> > > > >      Execution cannot reach this statement: "return -22L;".
> > 547                     return -EINVAL;
> > 548             if (uoffset > node->size)
> > 549             {
> > 550                     rc = exfat_truncate(ef, node, uoffset, true);
> > 551                     if (rc != 0)
> > 552                             return rc;
> 
> This one is, I think, a false positive: off_t can be a signed integer, so the
> check should be in place.

I've updated Coverity with this comment.

> > ** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
> > /fs/exfat/io.c: 739 in exfat_fs_opendir()
> > 
> > 
> > ________________________________________________________________________________________________________
> > *** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
> > /fs/exfat/io.c: 739 in exfat_fs_opendir()
> > 733                     return err;
> > 734
> > 735             dirs = calloc(1, sizeof(*dirs));
> > 736             if (!dirs)
> > 737                     return -ENOMEM;
> > 738
> > > > >      CID 550305:  Security best practices violations  (STRING_OVERFLOW)
> > > > >      You might overrun the 1024-character fixed-size string
> > "dirs->dirname" by copying "filename" without checking the length.
> > 739             strcpy(dirs->dirname, filename);
> > 740             dirs->offset = -1;
> > 741
> > 742             *dirsp = &dirs->fs_dirs;
> > 743
> > 744             return 0;
> > 
> > ** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
> > /tools/fit_check_sign.c: 98 in main()
> 
> Fixed:
> 
> https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-1-marex@denx.de/
> 
> > ________________________________________________________________________________________________________
> > *** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
> > /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> > 140             /* 16 EB (minus 1 byte) is the largest size that can be
> > represented by
> > 141                uint64_t */
> > 142             const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
> > "PB", "EB"};
> > 143             uint64_t divisor = 1;
> > 144             uint64_t temp = 0;
> > 145
> > > > >      CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
> > > > >      Expression "divisor", overflows the type of "divisor", which is
> > type "uint64_t".
> > 146             for (i = 0; ; i++, divisor *= 1024)
> > 147             {
> > 148                     temp = (value + divisor / 2) / divisor;
> > 149
> > 150                     if (temp == 0)
> > 151                             break;
> Fixed:
> 
> https://patchwork.ozlabs.org/project/uboot/patch/20250430164559.27095-2-marex@denx.de/

Thanks!

-- 
Tom

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-04-28 21:59 Tom Rini
  2025-04-29 12:07 ` Jerome Forissier
  2025-04-30 16:50 ` Marek Vasut
@ 2025-04-30 18:23 ` Heinrich Schuchardt
  2025-04-30 19:14   ` Tom Rini
  2 siblings, 1 reply; 105+ messages in thread
From: Heinrich Schuchardt @ 2025-04-30 18:23 UTC (permalink / raw)
  To: Tom Rini
  Cc: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
	Marek Vasut, Patrick Rudolph, Adriano Cordova, Paul HENRYS,
	Daniel Golle, Simon Glass

On 28.04.25 23:59, Tom Rini wrote:
> Hey all,
> 
> Here's the latest set of Coverity defects. Please let me know if some of
> these are false positives for example, thanks.

Hello Tom,

I have marked the acpi_update_header() items as "intentional" in Coverity:

550301
550291
550288
550287

We could change the parameter of acpi_update_checksum() to const void * 
to make Coverity happy, but we would lose the type checking.

Best regards

Heinrich

> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Apr 28, 2025 at 3:52 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
> 
> 33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 33 defect(s)
> 
> 
> ** CID 550306:  Control flow issues  (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550306:  Control flow issues  (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> 541             int rc;
> 542             cluster_t cluster;
> 543             const char* bufp = buffer;
> 544             off_t lsize, loffset, remainder;
> 545
> 546             if (offset < 0)
>>>>      CID 550306:  Control flow issues  (DEADCODE)
>>>>      Execution cannot reach this statement: "return -22L;".
> 547                     return -EINVAL;
> 548             if (uoffset > node->size)
> 549             {
> 550                     rc = exfat_truncate(ef, node, uoffset, true);
> 551                     if (rc != 0)
> 552                             return rc;
> 
> ** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
> 733                     return err;
> 734
> 735             dirs = calloc(1, sizeof(*dirs));
> 736             if (!dirs)
> 737                     return -ENOMEM;
> 738
>>>>      CID 550305:  Security best practices violations  (STRING_OVERFLOW)
>>>>      You might overrun the 1024-character fixed-size string
> "dirs->dirname" by copying "filename" without checking the length.
> 739             strcpy(dirs->dirname, filename);
> 740             dirs->offset = -1;
> 741
> 742             *dirsp = &dirs->fs_dirs;
> 743
> 744             return 0;
> 
> ** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()
> 92      (void) munmap((void *)fit_blob, fsbuf.st_size);
> 93
> 94      if (key_blob)
> 95              (void)munmap((void *)key_blob, ksbuf.st_size);
> 96
> 97      close(ffd);
>>>>      CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
>>>>      "kfd" is passed to a parameter that cannot be negative.
> 98      close(kfd);
> 99      exit(ret);
> 
> ** CID 550303:  Control flow issues  (NO_EFFECT)
> /tools/preload_check_sign.c: 132 in main()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550303:  Control flow issues  (NO_EFFECT)
> /tools/preload_check_sign.c: 132 in main()
> 126
> 127             info.algo_name = algo;
> 128             info.padding_name = padding;
> 129             info.key = (uint8_t *)pkey;
> 130             info.mandatory = 1;
> 131             info.sig_size = EVP_PKEY_size(pkey);
>>>>      CID 550303:  Control flow issues  (NO_EFFECT)
>>>>      This less-than-zero comparison of an unsigned value is never true.
> "info.sig_size < 0U".
> 132             if (info.sig_size < 0) {
> 133                     fprintf(stderr, "Fail to retrieve the signature
> size: %s\n",
> 134                             ERR_error_string(ERR_get_error(), NULL));
> 135                     ret = EXIT_FAILURE;
> 136                     goto out;
> 137             }
> 
> ** CID 550302:    (TAINTED_SCALAR)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550302:    (TAINTED_SCALAR)
> /cmd/acpi.c: 118 in list_rsdt()
> 112                             entry = rsdt->entry[i];
> 113                     if (!entry)
> 114                             break;
> 115                     hdr = nomap_sysmem(entry, 0);
> 116                     dump_hdr(hdr, chksums);
> 117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>>      CID 550302:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "((struct acpi_fadt
> *)hdr)->firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
> 118                             list_fadt((struct acpi_fadt *)hdr, chksums);
> 119             }
> 120     }
> 121
> 122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123     {
> /cmd/acpi.c: 118 in list_rsdt()
> 112                             entry = rsdt->entry[i];
> 113                     if (!entry)
> 114                             break;
> 115                     hdr = nomap_sysmem(entry, 0);
> 116                     dump_hdr(hdr, chksums);
> 117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>>      CID 550302:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "((struct acpi_fadt *)hdr)->x_dsdt" to
> "list_fadt", which uses it as a loop boundary.
> 118                             list_fadt((struct acpi_fadt *)hdr, chksums);
> 119             }
> 120     }
> 121
> 122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123     {
> /cmd/acpi.c: 118 in list_rsdt()
> 112                             entry = rsdt->entry[i];
> 113                     if (!entry)
> 114                             break;
> 115                     hdr = nomap_sysmem(entry, 0);
> 116                     dump_hdr(hdr, chksums);
> 117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>>      CID 550302:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "((struct acpi_fadt *)hdr)->dsdt" to
> "list_fadt", which uses it as a loop boundary.
> 118                             list_fadt((struct acpi_fadt *)hdr, chksums);
> 119             }
> 120     }
> 121
> 122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123     {
> /cmd/acpi.c: 116 in list_rsdt()
> 110                             entry = xsdt->entry[i];
> 111                     else
> 112                             entry = rsdt->entry[i];
> 113                     if (!entry)
> 114                             break;
> 115                     hdr = nomap_sysmem(entry, 0);
>>>>      CID 550302:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "hdr->length" to "dump_hdr", which uses
> it as a loop boundary.
> 116                     dump_hdr(hdr, chksums);
> 117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
> 118                             list_fadt((struct acpi_fadt *)hdr, chksums);
> 119             }
> 120     }
> 121
> /cmd/acpi.c: 95 in list_rsdt()
> 89      if (rsdp->rsdt_address) {
> 90              rsdt = nomap_sysmem(rsdp->rsdt_address, 0);
> 91              dump_hdr(&rsdt->header, chksums);
> 92      }
> 93      if (rsdp->xsdt_address) {
> 94              xsdt = nomap_sysmem(rsdp->xsdt_address, 0);
>>>>      CID 550302:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "xsdt->header.length" to "dump_hdr",
> which uses it as a loop boundary.
> 95              dump_hdr(&xsdt->header, chksums);
> 96              len = xsdt->header.length - sizeof(xsdt->header);
> 97              count = len / sizeof(u64);
> 98      } else if (rsdp->rsdt_address) {
> 99              len = rsdt->header.length - sizeof(rsdt->header);
> 100                     count = len / sizeof(u32);
> /cmd/acpi.c: 118 in list_rsdt()
> 112                             entry = rsdt->entry[i];
> 113                     if (!entry)
> 114                             break;
> 115                     hdr = nomap_sysmem(entry, 0);
> 116                     dump_hdr(hdr, chksums);
> 117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>>      CID 550302:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "((struct acpi_fadt
> *)hdr)->x_firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
> 118                             list_fadt((struct acpi_fadt *)hdr, chksums);
> 119             }
> 120     }
> 121
> 122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123     {
> 
> ** CID 550301:    (OVERRUN)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550301:    (OVERRUN)
> /lib/acpi/acpi_table.c: 199 in acpi_add_table()
> 193
> 194                     /* Fix RSDT length or the kernel will assume
> invalid entries */
> 195                     rsdt->header.length = sizeof(struct
> acpi_table_header) +
> 196                                             (sizeof(u32) * (i + 1));
> 197
> 198                     /* Re-calculate checksum */
>>>>      CID 550301:    (OVERRUN)
>>>>      Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 39 using argument
> "rsdt->header.length" (which evaluates to 40).
> 199                     acpi_update_checksum(&rsdt->header);
> 200             }
> 201
> 202             if (ctx->xsdt) {
> 203                     /*
> 204                      * And now the same thing for the XSDT. We use the
> same index as for
> /lib/acpi/acpi_table.c: 230 in acpi_add_table()
> 224
> 225                     /* Fix XSDT length */
> 226                     xsdt->header.length = sizeof(struct
> acpi_table_header) +
> 227                                             (sizeof(u64) * (i + 1));
> 228
> 229                     /* Re-calculate checksum */
>>>>      CID 550301:    (OVERRUN)
>>>>      Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 43 using argument
> "xsdt->header.length" (which evaluates to 44).
> 230                     acpi_update_checksum(&xsdt->header);
> 231             }
> 232
> 233             return 0;
> 234     }
> 235
> 
> ** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> 140             /* 16 EB (minus 1 byte) is the largest size that can be
> represented by
> 141                uint64_t */
> 142             const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
> "PB", "EB"};
> 143             uint64_t divisor = 1;
> 144             uint64_t temp = 0;
> 145
>>>>      CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
>>>>      Expression "divisor", overflows the type of "divisor", which is
> type "uint64_t".
> 146             for (i = 0; ; i++, divisor *= 1024)
> 147             {
> 148                     temp = (value + divisor / 2) / divisor;
> 149
> 150                     if (temp == 0)
> 151                             break;
> 
> ** CID 550299:  Null pointer dereferences  (FORWARD_NULL)
> /lib/efi_loader/efi_file.c: 251 in file_open()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550299:  Null pointer dereferences  (FORWARD_NULL)
> /lib/efi_loader/efi_file.c: 251 in file_open()
> 245                     strcpy(fh->path, "");
> 246             }
> 247
> 248             return &fh->base;
> 249
> 250     error:
>>>>      CID 550299:  Null pointer dereferences  (FORWARD_NULL)
>>>>      Dereferencing null pointer "fh".
> 251             free(fh->path);
> 252             free(fh);
> 253             return NULL;
> 254     }
> 255
> 256     efi_status_t efi_file_open_int(struct efi_file_handle *this,
> 
> ** CID 550298:  Error handling issues  (CHECKED_RETURN)
> /lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550298:  Error handling issues  (CHECKED_RETURN)
> /lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
> 1048            struct efi_handler *phandler;
> 1049
> 1050            if (!efi_netobj_is_active(netobj))
> 1051                    return NULL;
> 1052
> 1053            phandler = NULL;
>>>>      CID 550298:  Error handling issues  (CHECKED_RETURN)
>>>>      Calling "efi_search_protocol" without checking return value (as is
> done elsewhere 37 out of 42 times).
> 1054            efi_search_protocol(&netobj->header, &efi_guid_device_path,
> &phandler);
> 1055
> 1056            if (phandler && phandler->protocol_interface)
> 1057                    return efi_dp_dup(phandler->protocol_interface);
> 1058
> 1059            return NULL;
> 
> ** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
> 168                                     ret = wait_job(i);
> 169             } else {
> 170                     for (i = 1; i < argc; i++) {
> 171                             id = dectoul(argv[i], NULL);
> 172                             if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173                                     return CMD_RET_USAGE;
>>>>      CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
>>>>      Expression "idx", where "(int)id - 1" is known to be equal to -1,
> overflows the type of "idx", which is type "unsigned int".
> 174                             idx = (int)id - 1;
> 175                             ret = wait_job(idx);
> 176                     }
> 177             }
> 178
> 179             return ret;
> 
> ** CID 550296:  Control flow issues  (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550296:  Control flow issues  (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
> 166                     for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
> 167                             if (job[i])
> 168                                     ret = wait_job(i);
> 169             } else {
> 170                     for (i = 1; i < argc; i++) {
> 171                             id = dectoul(argv[i], NULL);
>>>>      CID 550296:  Control flow issues  (NO_EFFECT)
>>>>      This less-than-zero comparison of an unsigned value is never true.
> "id < 0UL".
> 172                             if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173                                     return CMD_RET_USAGE;
> 174                             idx = (int)id - 1;
> 175                             ret = wait_job(idx);
> 176                     }
> 177             }
> 
> ** CID 550295:  Insecure data handling  (TAINTED_SCALAR)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550295:  Insecure data handling  (TAINTED_SCALAR)
> /test/lib/membuf.c: 235 in lib_test_membuf_readline()
> 229                             *ptr = '\n';
> 230                     } else {
> 231                             ut_assert(membuf_free(&mb));
> 232                     }
> 233             }
> 234             membuf_dispose(&mb);
>>>>      CID 550295:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Passing tainted expression "*buf" to "os_free", which uses it as an
> offset.
> 235             os_free(buf);
> 236
> 237             return 0;
> 238     }
> 
> ** CID 550294:  Code maintainability issues  (UNUSED_VALUE)
> /test/lib/membuf.c: 68 in lib_test_membuf_one()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550294:  Code maintainability issues  (UNUSED_VALUE)
> /test/lib/membuf.c: 68 in lib_test_membuf_one()
> 62              ut_assertok(membuf_check(uts, &mb, i));
> 63
> 64              ret = membuf_get(&mb, out, 0);
> 65              ret = membuf_get(&mb, out, size);
> 66              ut_asserteq(size, ret);
> 67
>>>>      CID 550294:  Code maintainability issues  (UNUSED_VALUE)
>>>>      Assigning value from "membuf_get(&mb, out, 0)" to "ret" here, but
> that stored value is overwritten before it can be used.
> 68              ret = membuf_get(&mb, out, 0);
> 69              ut_assertok(membuf_check(uts, &mb, i));
> 70
> 71              ut_asserteq_mem(in, out, size);
> 72      }
> 73
> 
> ** CID 550293:  Memory - illegal accesses  (STRING_NULL)
> /test/lib/membuf.c: 224 in lib_test_membuf_readline()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550293:  Memory - illegal accesses  (STRING_NULL)
> /test/lib/membuf.c: 224 in lib_test_membuf_readline()
> 218                     ret = membuf_readline(&mb, str, 256, 0, true);
> 219                     ut_assertok(membuf_check(uts, &mb, i));
> 220                     if (ret) {
> 221                             char *ptr;
> 222
> 223                             s = &buf[cmpptr];
>>>>      CID 550293:  Memory - illegal accesses  (STRING_NULL)
>>>>      Passing unterminated string "s" to "strchr", which expects a
> null-terminated string. [Note: The source code implementation of the
> function has been overridden by a builtin model.]
> 224                             ptr = strchr(s, '\n');
> 225                             *ptr = '\0';
> 226
> 227                             ut_asserteq_str(s, str);
> 228                             cmpptr += strlen(s) + 1;
> 229                             *ptr = '\n';
> 
> ** CID 550292:    (BAD_SHIFT)
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550292:    (BAD_SHIFT)
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> 159             param[10] = 0x0;
> 160             param[11] = 0x0;
> 161             param[12] = (start >> 24) & 0xff;
> 162             param[13] = (start >> 16) & 0xff;
> 163             param[14] = (start >> 8) & 0xff;
> 164             param[15] = (start) & 0xff;
>>>>      CID 550292:    (BAD_SHIFT)
>>>>      In expression "blocks >> 24", right shifting "blocks" by more than
> 15 bits always yields zero.  The shift amount is 24.
> 165             param[16] = (blocks >> 24) & 0xff;
> 166             param[17] = (blocks >> 16) & 0xff;
> 167             param[18] = (blocks >> 8) & 0xff;
> 168             param[19] = (blocks) & 0xff;
> 169
> 170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> 160             param[11] = 0x0;
> 161             param[12] = (start >> 24) & 0xff;
> 162             param[13] = (start >> 16) & 0xff;
> 163             param[14] = (start >> 8) & 0xff;
> 164             param[15] = (start) & 0xff;
> 165             param[16] = (blocks >> 24) & 0xff;
>>>>      CID 550292:    (BAD_SHIFT)
>>>>      In expression "blocks >> 16", right shifting "blocks" by more than
> 15 bits always yields zero.  The shift amount is 16.
> 166             param[17] = (blocks >> 16) & 0xff;
> 167             param[18] = (blocks >> 8) & 0xff;
> 168             param[19] = (blocks) & 0xff;
> 169
> 170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
> 171             pccb->cmd[0] = SCSI_UNMAP;
> 
> ** CID 550291:  Memory - corruptions  (OVERRUN)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550291:  Memory - corruptions  (OVERRUN)
> /lib/acpi/acpi_table.c: 549 in acpi_write_spcr()
> 543              * to touch the configuration of the serial device.
> 544              */
> 545             if (serial_info.clock != SERIAL_DEFAULT_CLOCK)
> 546                     spcr->baud_rate = 0;
> 547
> 548             /* Fix checksum */
>>>>      CID 550291:  Memory - corruptions  (OVERRUN)
>>>>      Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 79 using argument
> "header->length" (which evaluates to 80).
> 549             acpi_update_checksum(header);
> 550
> 551             acpi_add_table(ctx, spcr);
> 552             acpi_inc(ctx, spcr->header.length);
> 553
> 554             return 0;
> 
> ** CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
> /test/lib/membuf.c: 54 in lib_test_membuf_one()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
> /test/lib/membuf.c: 54 in lib_test_membuf_one()
> 48      }
> 49
> 50      test_size = TEST_SIZE;
> 51
> 52      for (i = 1; i < TEST_COUNT; i++) {
> 53              membuf_zero(&mb);
>>>>      CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 54              size = rand() % test_size;
> 55
> 56              // now write patterns and check they come back OK
> 57              ret = membuf_put(&mb, in, 0);
> 58              ret = membuf_put(&mb, in, size);
> 59              ut_asserteq(size, ret);
> 
> ** CID 550289:    (CONSTANT_EXPRESSION_RESULT)
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550289:    (CONSTANT_EXPRESSION_RESULT)
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> 160             param[11] = 0x0;
> 161             param[12] = (start >> 24) & 0xff;
> 162             param[13] = (start >> 16) & 0xff;
> 163             param[14] = (start >> 8) & 0xff;
> 164             param[15] = (start) & 0xff;
> 165             param[16] = (blocks >> 24) & 0xff;
>>>>      CID 550289:    (CONSTANT_EXPRESSION_RESULT)
>>>>      "blocks >> 16" is 0 regardless of the values of its operands. This
> occurs as the bitwise first operand of "&".
> 166             param[17] = (blocks >> 16) & 0xff;
> 167             param[18] = (blocks >> 8) & 0xff;
> 168             param[19] = (blocks) & 0xff;
> 169
> 170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
> 171             pccb->cmd[0] = SCSI_UNMAP;
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> 159             param[10] = 0x0;
> 160             param[11] = 0x0;
> 161             param[12] = (start >> 24) & 0xff;
> 162             param[13] = (start >> 16) & 0xff;
> 163             param[14] = (start >> 8) & 0xff;
> 164             param[15] = (start) & 0xff;
>>>>      CID 550289:    (CONSTANT_EXPRESSION_RESULT)
>>>>      "blocks >> 24" is 0 regardless of the values of its operands. This
> occurs as the bitwise first operand of "&".
> 165             param[16] = (blocks >> 24) & 0xff;
> 166             param[17] = (blocks >> 16) & 0xff;
> 167             param[18] = (blocks >> 8) & 0xff;
> 168             param[19] = (blocks) & 0xff;
> 169
> 170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
> 
> ** CID 550288:  Memory - corruptions  (OVERRUN)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550288:  Memory - corruptions  (OVERRUN)
> /lib/acpi/base.c: 53 in acpi_write_rsdt()
> 47      header->length = sizeof(struct acpi_rsdt);
> 48      header->revision = 1;
> 49
> 50      /* Entries are filled in later, we come with an empty set */
> 51
> 52      /* Fix checksum */
>>>>      CID 550288:  Memory - corruptions  (OVERRUN)
>>>>      Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 163 using argument
> "header->length" (which evaluates to 164).
> 53      acpi_update_checksum(header);
> 54     }
> 55
> 56     static void acpi_write_xsdt(struct acpi_xsdt *xsdt)
> 57     {
> 58      struct acpi_table_header *header = &xsdt->header;
> 
> ** CID 550287:  Memory - corruptions  (OVERRUN)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 550287:  Memory - corruptions  (OVERRUN)
> /lib/acpi/acpi_table.c: 268 in acpi_write_fadt()
> 262                     fadt->dsdt = fadt->x_dsdt;
> 263
> 264             fadt->preferred_pm_profile = ACPI_PM_UNSPECIFIED;
> 265
> 266             acpi_fill_fadt(fadt);
> 267
>>>>      CID 550287:  Memory - corruptions  (OVERRUN)
>>>>      Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 275 using argument
> "header->length" (which evaluates to 276).
> 268             acpi_update_checksum(header);
> 269
> 270             return acpi_add_fadt(ctx, fadt);
> 271     }
> 272
> 273     #ifndef CONFIG_QFW_ACPI
> 
> 
> ----- End forwarded message -----
> 


^ permalink raw reply	[flat|nested] 105+ messages in thread
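The spawn job-id pattern Coverity flags above (CID 550296 and 550297) is worth seeing beside a version that rejects what the flagged check lets through. The following is an added example, not code from U-Boot or from the report: `NUM_JOBS`, the function names, the `job_waited[]` table and the sentinel values are assumptions for the illustration, not U-Boot identifiers.

```c
/*
 * Added example, not U-Boot code. Mirrors the job-id handling Coverity
 * flags in cmd/spawn.c (CID 550296, CID 550297) beside a version that
 * rejects what the flagged check lets through. NUM_JOBS, the function
 * names and the sentinel values are assumptions for this illustration.
 */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_JOBS 4u   /* stands in for CONFIG_CMD_SPAWN_NUM_JOBS */

/* One flag per job slot; set when a job has been "waited for". */
static bool job_waited[NUM_JOBS];

/*
 * As flagged: id is unsigned, so the original's "id < 0" clause is dead
 * (Coverity: "never true") and is omitted here; the remaining bound lets
 * id == 0 through, and "(int)id - 1" then yields -1, which wraps to
 * UINT_MAX when stored in an unsigned index. Returns NUM_JOBS as the
 * usage-error sentinel so the wrap stays visible to the caller.
 */
static unsigned int job_index_as_flagged(const char *arg)
{
	unsigned long id = strtoul(arg, NULL, 10);
	unsigned int idx;

	if (id > NUM_JOBS)
		return NUM_JOBS;
	idx = (int)id - 1;
	return idx;
}

/*
 * Checked: parse with error detection, reject a leading sign, trailing
 * characters, zero and anything above NUM_JOBS, and return a signed
 * index that is either in 0..NUM_JOBS-1 or -EINVAL.
 */
static int job_index_checked(const char *arg)
{
	unsigned long id;
	char *end;

	if (!arg || *arg == '\0' || *arg == '-' || *arg == '+')
		return -EINVAL;
	errno = 0;
	id = strtoul(arg, &end, 10);
	if (errno || *end != '\0' || id == 0 || id > NUM_JOBS)
		return -EINVAL;
	return (int)(id - 1);
}

/*
 * Driver in the shape of do_wait(): no arguments waits for every job,
 * otherwise each argument names one job (1-based). Returns the number of
 * jobs waited for, or -EINVAL on a bad argument; every id is validated
 * before any is used, so a bad id never indexes job_waited[].
 */
static int wait_jobs(int argc, const char *const argv[])
{
	int waited = 0;

	if (argc < 2) {
		for (unsigned int i = 0; i < NUM_JOBS; i++) {
			job_waited[i] = true;
			waited++;
		}
		return waited;
	}
	for (int i = 1; i < argc; i++)
		if (job_index_checked(argv[i]) < 0)
			return -EINVAL;
	for (int i = 1; i < argc; i++) {
		job_waited[job_index_checked(argv[i])] = true;
		waited++;
	}
	return waited;
}

int main(void)
{
	const char *const args[] = { "wait", "1", "3" };

	printf("as flagged, \"0\" -> index %u\n", job_index_as_flagged("0"));
	printf("checked,    \"0\" -> %d\n", job_index_checked("0"));
	printf("wait 1 3    -> %d jobs\n", wait_jobs(3, args));
	return 0;
}
```

The two-pass shape of `wait_jobs()` is deliberate: a command that acts on argument N before validating argument N+1 leaves jobs half-waited when a later argument is bad, and a single validate-then-act split avoids that without a second parser.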

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-04-30 18:23 ` Heinrich Schuchardt
@ 2025-04-30 19:14   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-04-30 19:14 UTC (permalink / raw)
  To: Heinrich Schuchardt
  Cc: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
	Marek Vasut, Patrick Rudolph, Adriano Cordova, Paul HENRYS,
	Daniel Golle, Simon Glass

[-- Attachment #1: Type: text/plain, Size: 581 bytes --]

On Wed, Apr 30, 2025 at 08:23:29PM +0200, Heinrich Schuchardt wrote:
> On 28.04.25 23:59, Tom Rini wrote:
> > Hey all,
> > 
> > Here's the latest set of Coverity defects. Please let me know if some of
> > these are false positives for example, thanks.
> 
> Hello Tom,
> 
> I have marked the acpi_update_header() items as "intentional" in Coverity:
> 
> 550301
> 550291
> 550288
> 550287
> 
> We could change the parameter of acpi_update_checksum() to const void * to
> make Coverity happy but we would lose the type checking.

Sounds good, thanks!

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread
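The OVERRUN findings marked intentional above all share one shape: a function receives a pointer to the 36-byte `struct acpi_table_header` but sums `header->length` bytes, because the header is the first member of a whole table. The same `length` field, when it comes from firmware-provided tables, is what Coverity treats as tainted in CID 550302. The following is an added example, not U-Boot code: it keeps the typed header parameter the reply discusses, and puts beside it the bound check a reader needs before it lets that length drive a loop. The header layout follows the ACPI specification; the sample table bytes are constructed here, and the function and error names are assumptions for the illustration.

```c
/*
 * Added example, not U-Boot code. An ACPI table checksum in the shape
 * of the flagged acpi_update_checksum() calls (header pointer in, but
 * header->length bytes summed), beside the bound check a reader of
 * firmware-provided tables needs before it uses that length as a loop
 * limit. Layout follows the ACPI table header; the sample table is
 * constructed below. Function and error names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACPI_NAME_LEN 4

/* Standard 36-byte ACPI table header; every table begins with one. */
struct acpi_table_header {
	char signature[ACPI_NAME_LEN];
	uint32_t length;          /* whole table, header included */
	uint8_t revision;
	uint8_t checksum;         /* makes the byte sum of the table 0 */
	char oem_id[6];
	char oem_table_id[8];
	uint32_t oem_revision;
	char creator_id[4];
	uint32_t creator_revision;
} __attribute__((packed));

enum { ACPI_OK = 0, ACPI_ERR_SHORT = -1, ACPI_ERR_LENGTH = -2, ACPI_ERR_SUM = -3 };

/*
 * Byte sum over header->length bytes. The parameter is a header, but the
 * object it points to is the whole table, which is why a static analyser
 * sees a 36-byte struct being read past byte 35.
 */
static uint8_t acpi_table_sum(const struct acpi_table_header *hdr)
{
	const uint8_t *p = (const uint8_t *)hdr;
	uint8_t sum = 0;

	for (uint32_t i = 0; i < hdr->length; i++)
		sum += p[i];
	return sum;
}

/*
 * Writer side: only meaningful when hdr really starts a table that is
 * hdr->length bytes long, so callers set length before calling this.
 */
static void acpi_set_checksum(struct acpi_table_header *hdr)
{
	hdr->checksum = 0;
	hdr->checksum = (uint8_t)(0u - acpi_table_sum(hdr));
}

/*
 * Reader side: avail is how many bytes are really mapped at buf. The
 * length field is checked against it before any loop is bounded by it.
 */
static int acpi_validate_table(const void *buf, size_t avail)
{
	const struct acpi_table_header *hdr = buf;

	if (avail < sizeof(*hdr))
		return ACPI_ERR_SHORT;
	if (hdr->length < sizeof(*hdr) || hdr->length > avail)
		return ACPI_ERR_LENGTH;
	if (acpi_table_sum(hdr) != 0)
		return ACPI_ERR_SUM;
	return ACPI_OK;
}

/*
 * Constructed sample: an RSDT-shaped table, header plus two 32-bit
 * entries (44 bytes). Returns the table length, or 0 if buf is too small.
 */
static size_t build_sample_table(uint8_t *buf, size_t bufsz)
{
	struct acpi_table_header hdr;
	const uint32_t entries[2] = { 0x7fff0000u, 0x7fff1000u };
	const size_t total = sizeof(hdr) + sizeof(entries);

	if (bufsz < total)
		return 0;
	memset(&hdr, 0, sizeof(hdr));
	memcpy(hdr.signature, "RSDT", ACPI_NAME_LEN);
	hdr.length = (uint32_t)total;
	hdr.revision = 1;
	memcpy(hdr.oem_id, "EXAMPL", 6);
	memcpy(hdr.oem_table_id, "SAMPLE  ", 8);
	memcpy(buf, &hdr, sizeof(hdr));
	memcpy(buf + sizeof(hdr), entries, sizeof(entries));
	acpi_set_checksum((struct acpi_table_header *)buf);
	return total;
}

int main(void)
{
	uint8_t buf[64];
	size_t n = build_sample_table(buf, sizeof(buf));

	printf("table of %zu bytes: validate -> %d\n", n, acpi_validate_table(buf, n));
	printf("only 40 bytes mapped: validate -> %d\n", acpi_validate_table(buf, 40));
	buf[40] ^= 1;
	printf("entry byte flipped: validate -> %d\n", acpi_validate_table(buf, n));
	return 0;
}
```

The point of `acpi_validate_table()` is the order of its checks: `length` is compared with what is mapped before `acpi_table_sum()` runs, so a table that claims more bytes than are present is rejected without ever being walked. Switching the checksum routine to `const void *` would silence the analyser on the writer side, as the reply notes, but it does nothing for the reader side, where the bound check is what matters.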

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-08 14:10 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-07-08 14:10 UTC (permalink / raw)
  To: u-boot
  Cc: Simon Glass, Heinrich Schuchardt, Ilias Apalodimas, Marek Vasut,
	Sughosh Ganu, Ying-Chun Liu (PaulLiu), Aristo Chen,
	Rasmus Villemoes, Sean Edmond, Miquel Raynal

[-- Attachment #1: Type: text/plain, Size: 21343 bytes --]

Hey all,

Good news, Coverity Scan resumed putting information in the email
report. Bad news, 20 new issues now that next has been merged.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 7, 2025 at 5:39 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 20
   - 6 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 20 of 20 defect(s)

Defect Details

** CID 569500:       Incorrect expression  (UNUSED_VALUE)
/boot/bootflow_menu.c: 158           in bootflow_menu_add()


_____________________________________________________________________________________________
*** CID 569500:         Incorrect expression  (UNUSED_VALUE)
/boot/bootflow_menu.c: 158             in bootflow_menu_add()
152
153     	if (!label) {
154     		free(key);
155     		return log_msg_ret("nam", -ENOMEM);
156     	}
157
>>>     CID 569500:         Incorrect expression  (UNUSED_VALUE)
>>>     Assigning value from "priv->last_bootdev != bflow->dev" to "add_gap" here, but that stored value is overwritten before it can be used.
158     	add_gap = priv->last_bootdev != bflow->dev;
159
160     	/* disable this gap for now, since it looks a little ugly */
161     	add_gap = false;
162     	priv->last_bootdev = bflow->dev;
163

** CID 569499:       Null pointer dereferences  (NULL_RETURNS)
/lib/efi_loader/efi_memory.c: 719           in efi_realloc()


_____________________________________________________________________________________________
*** CID 569499:         Null pointer dereferences  (NULL_RETURNS)
/lib/efi_loader/efi_memory.c: 719             in efi_realloc()
713     	old_size = alloc->num_pages * EFI_PAGE_SIZE -
714     		sizeof(struct efi_pool_allocation);
715
716     	new_ptr = efi_alloc(size);
717
718     	/* copy old data to new alloced buffer */
>>>     CID 569499:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "new_ptr" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
719     	memcpy(new_ptr, *ptr, min(size, old_size));
720
721     	/* free the old buffer */
722     	efi_free_pool(*ptr);
723
724     	*ptr = new_ptr;

** CID 569498:       Code maintainability issues  (SIZEOF_MISMATCH)
/lib/efi_loader/efi_debug_support.c: 163           in
efi_core_remove_debug_image_info_entry()


_____________________________________________________________________________________________
*** CID 569498:         Code maintainability issues  (SIZEOF_MISMATCH)
/lib/efi_loader/efi_debug_support.c: 163             in
efi_core_remove_debug_image_info_entry()
157     		    table[index].normal_image->image_handle == image_handle) {
158     			/* Found a match. Free up the table entry.
159     			 * Move the tail of the table one slot to the front.
160     			 */
161     			efi_free_pool(table[index].normal_image);
162
>>>     CID 569498:         Code maintainability issues  (SIZEOF_MISMATCH)
>>>     Passing argument "&table[index]" of type "union efi_debug_image_info *" and argument "(efi_m_debug_info_table_header.table_size - index - 1) * 8UL /* sizeof (union efi_debug_image_info *) */" to function "memmove" is suspicious. In this case, "sizeof (union efi_debug_image_info *)" is equal to "sizeof (union efi_debug_image_info)", but this is not a portable assumption.
163     			memmove(&table[index],
164     				&table[index + 1],
165     				(efi_m_debug_info_table_header.table_size -
166     				 index - 1) * EFI_DEBUG_TABLE_ENTRY_SIZE);
167
168     			/* Decrease the number of EFI_DEBUG_IMAGE_INFO

** CID 569497:       Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73           in
efi_test_fmp_get_image_info()


_____________________________________________________________________________________________
*** CID 569497:         Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73             in
efi_test_fmp_get_image_info()
67     	if (package_version)
68     		*package_version = 0xffffffff;
69     	if (package_version_name)
70     		*package_version_name = NULL;
71
72     	if (*image_info_size < sizeof(*image_info)) {
>>>     CID 569497:         Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "descriptor_count".
73     		*image_info_size = *descriptor_size * *descriptor_count;
74     		return EFI_BUFFER_TOO_SMALL;
75     	}
76
77     	for (int idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
78     		image_info[idx] = static_img_info[idx];

** CID 569496:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/usb/emul/sandbox_hub.c: 298           in sandbox_child_post_bind()


_____________________________________________________________________________________________
*** CID 569496:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/usb/emul/sandbox_hub.c: 298             in sandbox_child_post_bind()
292     static int sandbox_child_post_bind(struct udevice *dev)
293     {
294     	struct sandbox_hub_plat *plat = dev_get_parent_plat(dev);
295     	struct usb_emul_plat *emul = dev_get_uclass_plat(dev);
296
297     	plat->port = dev_read_u32_default(dev, "reg", -1);
>>>     CID 569496:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "plat->port + 1", where "plat->port" is known to be equal to -1, overflows the type of "plat->port + 1", which is type "int".
298     	emul->port1 = plat->port + 1;
299
300     	return 0;
301     }
302
303     static const struct dm_usb_ops sandbox_usb_hub_ops = {

** CID 569495:       Integer handling issues  (NEGATIVE_RETURNS)


_____________________________________________________________________________________________
*** CID 569495:         Integer handling issues  (NEGATIVE_RETURNS)
/tools/fit_image.c: 921             in fit_handle_file()
915     	do {
916     		if (copyfile(bakfile, tmpfile) < 0) {
917     			printf("Can't copy %s to %s\n", bakfile, tmpfile);
918     			ret = -EIO;
919     			break;
920     		}
>>>     CID 569495:         Integer handling issues  (NEGATIVE_RETURNS)
>>>     "size_inc" is passed to a parameter that cannot be negative.
921     		ret = fit_add_file_data(params, size_inc, tmpfile);
922     		if (!ret || ret != -ENOSPC)
923     			break;
924     		size_inc += 1024;
925     	} while (size_inc < 64 * 1024);
926

** CID 569494:       Control flow issues  (DEADCODE)
/lib/efi_selftest/efi_selftest_config_table.c: 129           in execute()


_____________________________________________________________________________________________
*** CID 569494:         Control flow issues  (DEADCODE)
/lib/efi_selftest/efi_selftest_config_table.c: 129             in execute()
123     		return EFI_ST_FAILURE;
124     	}
125     	if (counter != 1) {
126     		efi_st_error("Notification function was not called.\n");
127     		return EFI_ST_FAILURE;
128     	}
>>>     CID 569494:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "if (table_count != sys_tabl...".
129     	if (table_count != sys_table->nr_tables) {
130     		efi_st_error("Incorrect table count %u, expected %u\n",
131     			     (unsigned int)sys_table->nr_tables,
132     			     (unsigned int)table_count);
133     		return EFI_ST_FAILURE;
134     	}

** CID 569493:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 569493:         Insecure data handling  (TAINTED_SCALAR)
/lib/efi_selftest/efi_selftest_esrt.c: 276             in execute()
270     		efi_st_error("ESRT mismatch in new entry count (%d),
expected (%d).\n",
271     			     entry_delta, TEST_ESRT_NUM_ENTRIES);
272     		return EFI_ST_FAILURE;
273     	}
274
275     	for (u32 idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
>>>     CID 569493:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "esrt->fw_resource_count" to "lib_test_check_uuid_entry", which uses it as a loop boundary.
276     		if (!lib_test_check_uuid_entry(esrt, &static_img_info[idx])) {
277     			efi_st_error("ESRT entry mismatch\n");
278     			return EFI_ST_FAILURE;
279     		}
280
281     	return EFI_ST_SUCCESS;

** CID 569492:         (DC.WEAK_CRYPTO)
/net/bootp.c: 442           in bootp_timeout_handler()
/net/bootp.c: 441           in bootp_timeout_handler()


_____________________________________________________________________________________________
*** CID 569492:           (DC.WEAK_CRYPTO)
/net/bootp.c: 442             in bootp_timeout_handler()
436     			bootp_timeout = retransmit_period_max_ms;
437
438     		/* Randomize by adding bootp_timeout*RAND, where RAND
439     		 * is a randomization factor between -0.1..+0.1
440     		 */
441     		srand(get_ticks() + rand());
>>>     CID 569492:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
442     		rand_minus_plus_100 = ((rand() % 200) - 100);
443     		bootp_timeout = bootp_timeout +
444     				(((int)bootp_timeout * rand_minus_plus_100) / 1000);
445
446     		net_set_timeout_handler(bootp_timeout, bootp_timeout_handler);
447     		bootp_request();
/net/bootp.c: 441             in bootp_timeout_handler()
435     		if (bootp_timeout > retransmit_period_max_ms)
436     			bootp_timeout = retransmit_period_max_ms;
437
438     		/* Randomize by adding bootp_timeout*RAND, where RAND
439     		 * is a randomization factor between -0.1..+0.1
440     		 */
>>>     CID 569492:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
441     		srand(get_ticks() + rand());
442     		rand_minus_plus_100 = ((rand() % 200) - 100);
443     		bootp_timeout = bootp_timeout +
444     				(((int)bootp_timeout * rand_minus_plus_100) / 1000);
445
446     		net_set_timeout_handler(bootp_timeout, bootp_timeout_handler);

** CID 569491:       Error handling issues  (NEGATIVE_RETURNS)
/tools/file2include.c: 56           in main()


_____________________________________________________________________________________________
*** CID 569491:         Error handling issues  (NEGATIVE_RETURNS)
/tools/file2include.c: 56             in main()
50     	if (!count) {
51     		fprintf(stderr, "File %s has length 0\n", argv[1]);
52     		return EXIT_FAILURE;
53     	}
54     	rewind(file);
55     	/* Read file */
>>>     CID 569491:         Error handling issues  (NEGATIVE_RETURNS)
>>>     "count" is passed to a parameter that cannot be negative.
56     	buf = malloc(count);
57     	if (!buf) {
58     		perror("calloc");
59     		return EXIT_FAILURE;
60     	}
61     	count = fread(buf, 1, count, file);

** CID 569490:       Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73           in efi_test_fmp_get_image_info()


_____________________________________________________________________________________________
*** CID 569490:         Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73             in efi_test_fmp_get_image_info()
67     	if (package_version)
68     		*package_version = 0xffffffff;
69     	if (package_version_name)
70     		*package_version_name = NULL;
71
72     	if (*image_info_size < sizeof(*image_info)) {
>>>     CID 569490:         Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "descriptor_size".
73     		*image_info_size = *descriptor_size * *descriptor_count;
74     		return EFI_BUFFER_TOO_SMALL;
75     	}
76
77     	for (int idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
78     		image_info[idx] = static_img_info[idx];

** CID 569489:       Integer handling issues  (INTEGER_OVERFLOW)
/lib/efi_selftest/efi_selftest_bitblt.c: 83           in notify()


_____________________________________________________________________________________________
*** CID 569489:         Integer handling issues  (INTEGER_OVERFLOW)
/lib/efi_selftest/efi_selftest_bitblt.c: 83             in notify()
77     	/* Increment position */
78     	pos->x += 5;
79     	if (pos->x >= WIDTH + gop->mode->info->width)
80     		pos->x = 0;
81
82     	width = WIDTH;
>>>     CID 569489:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "pos->x - 200UL", where "pos->x" is known to be equal to 0, underflows the type of "pos->x - 200UL", which is type "unsigned long".
83     	dx = pos->x - WIDTH;
84     	sx = 0;
85     	if (pos->x >= gop->mode->info->width) {
86     		width = WIDTH +  gop->mode->info->width - pos->x;
87     	} else if (pos->x < WIDTH) {
88     		dx = 0;

** CID 569488:       Control flow issues  (NO_EFFECT)
/tools/fit_image.c: 913           in fit_handle_file()


_____________________________________________________________________________________________
*** CID 569488:         Control flow issues  (NO_EFFECT)
/tools/fit_image.c: 913             in fit_handle_file()
907     	 * signatures. We do an attempt at estimating the expected
908     	 * extra size, but just in case that is not sufficient, keep
909     	 * trying adding 1K, with a reasonable upper bound of 64K
910     	 * total, until we succeed.
911     	 */
912     	size_inc = fit_estimate_hash_sig_size(params, bakfile);
>>>     CID 569488:         Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "size_inc < 0UL".
913     	if (size_inc < 0)
914     		goto err_system;
915     	do {
916     		if (copyfile(bakfile, tmpfile) < 0) {
917     			printf("Can't copy %s to %s\n", bakfile, tmpfile);
918     			ret = -EIO;

** CID 569487:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 569487:         Insecure data handling  (TAINTED_SCALAR)
/boot/cedit.c: 474             in cedit_write_settings()
468     	}
469
470     	ret = fdt_end_node(fdt);
471     	if (!ret)
472     		ret = fdt_end_node(fdt);
473     	if (!ret)
>>>     CID 569487:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt->size_dt_strings" to "fdt_finish", which uses it as an offset.
474     		ret = fdt_finish(fdt);
475     	if (ret) {
476     		log_debug("Failed to finish FDT (err=%d)\n", ret);
477     		return log_msg_ret("fin", -EINVAL);
478     	}
479

** CID 569486:       Incorrect expression  (SIZEOF_MISMATCH)
/lib/efi_selftest/efi_selftest_console.c: 242           in efi_st_printc()


_____________________________________________________________________________________________
*** CID 569486:         Incorrect expression  (SIZEOF_MISMATCH)
/lib/efi_selftest/efi_selftest_console.c: 242             in efi_st_printc()
236     					break;
237     				case 'U':
238     					print_uuid(va_arg(args, void*), &pos);
239     					break;
240     				default:
241     					--c;
>>>     CID 569486:         Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "va_arg (args, void *)" of type "void *" and argument "16 /* 2 * sizeof (void *) */" to function "printx" is suspicious.
242     					printx((uintptr_t)va_arg(args, void *),
243     					       2 * sizeof(void *), &pos);
244     					break;
245     				}
246     				break;
247     			case 's':

** CID 569485:         (DC.WEAK_CRYPTO)
/net/bootp.c: 837           in bootp_request()
/net/bootp.c: 838           in bootp_request()


_____________________________________________________________________________________________
*** CID 569485:           (DC.WEAK_CRYPTO)
/net/bootp.c: 837             in bootp_request()
831     	extlen = bootp_extended((u8 *)bp->bp_vend);
832     #endif
833
834     	/* Only generate a new transaction ID for each new BOOTP request */
835     	if (bootp_try == 1) {
836     		if (IS_ENABLED(CONFIG_BOOTP_RANDOM_XID)) {
>>>     CID 569485:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
837     			srand(get_ticks() + rand());
838     			bootp_id = rand();
839     		} else {
840     			/*
841     			 *	Bootp ID is the lower 4 bytes of our ethernet address
842     			 *	plus the current time in ms.
/net/bootp.c: 838             in bootp_request()
832     #endif
833
834     	/* Only generate a new transaction ID for each new BOOTP request */
835     	if (bootp_try == 1) {
836     		if (IS_ENABLED(CONFIG_BOOTP_RANDOM_XID)) {
837     			srand(get_ticks() + rand());
>>>     CID 569485:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
838     			bootp_id = rand();
839     		} else {
840     			/*
841     			 *	Bootp ID is the lower 4 bytes of our ethernet address
842     			 *	plus the current time in ms.
843     			 */

** CID 569484:       Insecure data handling  (INTEGER_OVERFLOW)
/drivers/core/uclass.c: 339           in uclass_find_next_free_seq()


_____________________________________________________________________________________________
*** CID 569484:         Insecure data handling  (INTEGER_OVERFLOW)
/drivers/core/uclass.c: 339             in uclass_find_next_free_seq()
333     	}
334     	/*
335     	 * At this point, max will be -1 if there are no existing aliases or
336     	 * devices
337     	 */
338
>>>     CID 569484:         Insecure data handling  (INTEGER_OVERFLOW)
>>>     "max + 1", which might have overflowed, is returned from the function.
339     	return max + 1;
340     }
341
342     int uclass_find_device_by_seq(enum uclass_id id, int seq, struct udevice **devp)
343     {
344     	struct uclass *uc;

** CID 569483:       Control flow issues  (DEADCODE)
/boot/bootflow_menu.c: 178           in bootflow_menu_add()


_____________________________________________________________________________________________
*** CID 569483:         Control flow issues  (DEADCODE)
/boot/bootflow_menu.c: 178             in bootflow_menu_add()
172     	preview_id = 0;
173     	if (bflow->logo) {
174     		preview_id = ITEM_PREVIEW + seq;
175     		ret |= scene_img(scn, "preview", preview_id,
176     				     bflow->logo, NULL);
177     	}
>>>     CID 569483:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "SCENEMIF_GAP_BEFORE" inside this statement: "ret |= scene_menuitem(scn, ...".
178     	ret |= scene_menuitem(scn, OBJ_MENU, "item", ITEM + seq,
179     				  ITEM_KEY + seq, ITEM_LABEL + seq,
180     				  ITEM_DESC + seq, preview_id,
181     				  add_gap ? SCENEMIF_GAP_BEFORE : 0,
182     				  NULL);
183

** CID 569482:       Control flow issues  (DEADCODE)
/tools/fit_image.c: 914           in fit_handle_file()


_____________________________________________________________________________________________
*** CID 569482:         Control flow issues  (DEADCODE)
/tools/fit_image.c: 914             in fit_handle_file()
908     	 * extra size, but just in case that is not sufficient, keep
909     	 * trying adding 1K, with a reasonable upper bound of 64K
910     	 * total, until we succeed.
911     	 */
912     	size_inc = fit_estimate_hash_sig_size(params, bakfile);
913     	if (size_inc < 0)
>>>     CID 569482:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto err_system;".
914     		goto err_system;
915     	do {
916     		if (copyfile(bakfile, tmpfile) < 0) {
917     			printf("Can't copy %s to %s\n", bakfile, tmpfile);
918     			ret = -EIO;
919     			break;

** CID 569481:       Control flow issues  (MISSING_BREAK)
/lib/lmb.c: 763           in lmb_alloc_mem()


_____________________________________________________________________________________________
*** CID 569481:         Control flow issues  (MISSING_BREAK)
/lib/lmb.c: 763             in lmb_alloc_mem()
757     		return 0;
758
759     	if (!addr)
760     		return -EINVAL;
761
762     	switch (type) {
>>>     CID 569481:         Control flow issues  (MISSING_BREAK)
>>>     The case for value "LMB_MEM_ALLOC_ANY" is not terminated by a "break" statement.
763     	case LMB_MEM_ALLOC_ANY:
764     		*addr = LMB_ALLOC_ANYWHERE;
765     	case LMB_MEM_ALLOC_MAX:
766     		ret = _lmb_alloc_base(size, align, addr, flags);
767     		break;
768     	case LMB_MEM_ALLOC_ADDR:



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom



* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-14 23:29 Tom Rini
  2025-07-15 13:45 ` Rasmus Villemoes
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-07-14 23:29 UTC (permalink / raw)
  To: u-boot, Andrew Goodbody, Rasmus Villemoes


Here's the latest report from Coverity. Good news is closing 5 existing
issues (overlap with smatch, I think) but 3 new ones. Or maybe it's
related to Rasmus' cleanup series? I can only run one report a day, I
think, so I don't have a granular breakdown on which changes today brought
these up.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 14, 2025 at 5:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 3
   - 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 573150:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1531           in dm_pci_map_ea_virt()


_____________________________________________________________________________________________
*** CID 573150:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1531             in dm_pci_map_ea_virt()
1525     		if (ea_entry & PCI_EA_IS_64) {
1526     			/* MaxOffset 2nd DW */
1527     			dm_pci_read_config32(dev, ea_off + 16, &ea_entry);
1528     			sz |= ((u64)ea_entry) << 32;
1529     		}
1530
>>>     CID 573150:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "sz + 1UL", where "sz" is known to be equal to 18446744073709551615, overflows the type of "sz + 1UL", which is type "unsigned long".
1531     		addr = (pdata->virtid - 1) * (sz + 1);
1532     	}
1533
1534     	return addr;
1535     }
1536

** CID 573149:       Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/lib/efi_loader/efi_file.c: 594           in efi_file_read_int()


_____________________________________________________________________________________________
*** CID 573149:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/lib/efi_loader/efi_file.c: 594             in efi_file_read_int()
588
589     	bs = *buffer_size;
590     	if (fh->isdir)
591     		ret = dir_read(fh, &bs, buffer);
592     	else
593     		ret = file_read(fh, &bs, buffer);
>>>     CID 573149:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "bs <= 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */" is always true regardless of the values of its operands. This occurs as the logical operand of "if".
594     	if (bs <= SIZE_MAX)
595     		*buffer_size = bs;
596     	else
597     		*buffer_size = SIZE_MAX;
598
599     	return ret;

** CID 573148:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1581           in dm_pci_map_ea_bar()


_____________________________________________________________________________________________
*** CID 573148:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1581             in dm_pci_map_ea_bar()
1575     			addr |= ((u64)ea_entry) << 32;
1576     		}
1577
1578     		if (IS_ENABLED(CONFIG_PCI_SRIOV))
1579     			addr += dm_pci_map_ea_virt(dev, ea_off, pdata);
1580
>>>     CID 573148:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "4294967295U - addr", where "addr" is known to be equal to 4294967292, underflows the type of "4294967295U - addr", which is type "unsigned int".
1581     		if (~((phys_addr_t)0) - addr < offset)
1582     			return NULL;
1583
1584     		/* size ignored for now */
1585     		return map_physmem(addr + offset, len, MAP_NOCACHE);
1586     	}



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-07-14 23:29 Tom Rini
@ 2025-07-15 13:45 ` Rasmus Villemoes
  0 siblings, 0 replies; 105+ messages in thread
From: Rasmus Villemoes @ 2025-07-15 13:45 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Andrew Goodbody

On Mon, Jul 14 2025, Tom Rini <trini@konsulko.com> wrote:

> Here's the latest report from Coverity. Good news is closing 5 existing
> issues (overlap with smatch, I think) but 3 new ones. Or maybe it's
> related to Rasmus' cleanup series? I can only run one report a day, I
> think, so I don't have a granular breakdown on which changes today brought
> these up.
>
> From: <scan-admin@coverity.com>
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> Date: Mon, Jul 14, 2025 at 5:23 PM (1 day, 9 hours, 56 minutes ago)
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
>    - *New Defects Found:* 3
>    - 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
>    the recent build analyzed by Coverity Scan.
>    - *Defects Shown:* Showing 3 of 3 defect(s)
>
> Defect Details
>
> ** CID 573150:       Integer handling issues  (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531           in dm_pci_map_ea_virt()
>
>
> _____________________________________________________________________________________________
> *** CID 573150:         Integer handling issues  (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531             in dm_pci_map_ea_virt()
> 1525     		if (ea_entry & PCI_EA_IS_64) {
> 1526     			/* MaxOffset 2nd DW */
> 1527     			dm_pci_read_config32(dev, ea_off + 16, &ea_entry);
> 1528     			sz |= ((u64)ea_entry) << 32;
> 1529     		}
> 1530
>>>>     CID 573150:         Integer handling issues  (INTEGER_OVERFLOW)
>>>>     Expression "sz + 1UL", where "sz" is known to be equal to 18446744073709551615, overflows the type of "sz + 1UL", which is type "unsigned long".
> 1531     		addr = (pdata->virtid - 1) * (sz + 1);
> 1532     	}
> 1533

I don't see how this one could be due to the int limit patches, as I see
no reference to any _MIN/_MAX macro, also not indirectly via the
definition of PCI_EA_FIELD_MASK.

I also have no idea how Coverity can think that sz can be known to be
equal to ~0ULL. Sure, if it phrased it "if sz is equal to ..., then sz+1
overflows", but that's not what it says. Nor would that be very useful,
as just about _any_ arithmetic expression can overflow for _some_ values
of the referenced variables.

Honestly, this sounds like it has been AI-infected.

> 1534     	return addr;
> 1535     }
> 1536
>
> ** CID 573149:       Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594           in efi_file_read_int()
>
>
> _____________________________________________________________________________________________
> *** CID 573149:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594             in efi_file_read_int()
> 588
> 589     	bs = *buffer_size;
> 590     	if (fh->isdir)
> 591     		ret = dir_read(fh, &bs, buffer);
> 592     	else
> 593     		ret = file_read(fh, &bs, buffer);
>>>>     CID 573149:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>>     "bs <= 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */" is always true regardless of the values of its operands. This occurs as the logical operand of "if".
> 594     	if (bs <= SIZE_MAX)
> 595     		*buffer_size = bs;
> 596     	else
> 597     		*buffer_size = SIZE_MAX;
> 598
> 599     	return ret;
>

So this one might be triggered by the new definition of SIZE_MAX, though
SIZE_MAX was also a compile-time (though not cpp) constant previously. I
think we should define SIZE_MAX properly instead of via that UINTPTR_MAX
indirection, which itself could use some cleanup.

But aside from that, we should be able to silence Coverity by either
just changing the <= to < (because in the == case the other branch of
the if would have the same effect, but it's no longer a tautology). Or
we could maybe do *buffer_size = min_t(u64, bs, SIZE_MAX), though that
might expand to something with the exact same problem.


> ** CID 573148:       Integer handling issues  (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581           in dm_pci_map_ea_bar()
>
>
> _____________________________________________________________________________________________
> *** CID 573148:         Integer handling issues  (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581             in dm_pci_map_ea_bar()
> 1575     			addr |= ((u64)ea_entry) << 32;
> 1576     		}
> 1577
> 1578     		if (IS_ENABLED(CONFIG_PCI_SRIOV))
> 1579     			addr += dm_pci_map_ea_virt(dev, ea_off, pdata);
> 1580
>>>>     CID 573148:         Integer handling issues  (INTEGER_OVERFLOW)
>>>>     Expression "4294967295U - addr", where "addr" is known to be equal to 4294967292, underflows the type of "4294967295U - addr", which is type "unsigned int".
> 1581     		if (~((phys_addr_t)0) - addr < offset)
> 1582     			return NULL;
> 1583

Wait, what? Just to be completely sure, I copy-pasted those two numbers:

4294967295
4294967292

I think my 8-year-old can see that subtracting the second from the first
does not lead to a negative result.

So from my chair, that's another point added to the AI hypothesis.

Rasmus


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-25 13:26 Tom Rini
  2025-07-25 13:34 ` Michal Simek
  2025-08-04  9:11 ` Alexander Dahl
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2025-07-25 13:26 UTC (permalink / raw)
  To: u-boot, Michal Simek


Here's the latest report. These aren't new issues as much as they are
Coverity now looking at FPGA code issues.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Jul 24, 2025 at 8:03 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 8
   - 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 8 of 8 defect(s)

Defect Details

** CID 583150:       Null pointer dereferences  (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54           in fpga_loadbitstream()


_____________________________________________________________________________________________
*** CID 583150:         Null pointer dereferences  (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54             in fpga_loadbitstream()
48     	xilinx_desc *xdesc;
49
50     	dataptr = (unsigned char *)fpgadata;
51     	/* Find out fpga_description */
52     	desc = fpga_validate(devnum, dataptr, 0);
53     	/* Assign xilinx device description */
>>>     CID 583150:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing "desc", which is known to be "NULL".
54     	xdesc = desc->devdesc;
55
56     	/* skip the first bytes of the bitsteam, their meaning is unknown */
57     	length = (*dataptr << 8) + *(dataptr + 1);
58     	dataptr += 2;
59     	dataptr += length;

** CID 583149:       Control flow issues  (DEADCODE)
/drivers/fpga/ACEX1K.c: 226           in ACEX1K_ps_load()


_____________________________________________________________________________________________
*** CID 583149:         Control flow issues  (DEADCODE)
/drivers/fpga/ACEX1K.c: 226             in ACEX1K_ps_load()
220
221     #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
222     		if (ret_val == FPGA_SUCCESS) {
223     			puts ("Done.\n");
224     		}
225     		else {
>>>     CID 583149:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "puts("Fail.\n");".
226     			puts ("Fail.\n");
227     		}
228     #endif
229     	(*fn->post) (cookie);
230
231     	} else {

** CID 583148:       Control flow issues  (DEADCODE)
/drivers/fpga/cyclon2.c: 180           in CYC2_ps_load()


_____________________________________________________________________________________________
*** CID 583148:         Control flow issues  (DEADCODE)
/drivers/fpga/cyclon2.c: 180             in CYC2_ps_load()
174     		ret_val = FPGA_SUCCESS;
175
176     #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
177     		if (ret_val == FPGA_SUCCESS)
178     			puts("Done.\n");
179     		else
>>>     CID 583148:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "puts("Fail.\n");".
180     			puts("Fail.\n");
181     #endif
182
183     		/*
184     		 * Run the post configuration function if there is one.
185     		 */

** CID 583147:       Integer handling issues  (NEGATIVE_RETURNS)


_____________________________________________________________________________________________
*** CID 583147:         Integer handling issues  (NEGATIVE_RETURNS)
/cmd/fpga.c: 305             in do_fpga_loadmk()
299     #if defined(CONFIG_GZIP)
300     			ulong image_buf = image_get_data(hdr);
301     			ulong image_size = ~0UL;
302
303     			data = image_get_load(hdr);
304
>>>     CID 583147:         Integer handling issues  (NEGATIVE_RETURNS)
>>>     A negative constant "-1" is passed as an argument to a parameter that cannot be negative.
305     			if (gunzip((void *)data, ~0U, (void *)image_buf,
306     				   &image_size) != 0) {
307     				log_err("Gunzip error\n");
308     				return CMD_RET_FAILURE;
309     			}
310     			data_size = image_size;

** CID 583146:       Control flow issues  (DEADCODE)
/drivers/fpga/ivm_core.c: 1306           in ispVMDataCode()


_____________________________________________________________________________________________
*** CID 583146:         Control flow issues  (DEADCODE)
/drivers/fpga/ivm_core.c: 1306             in ispVMDataCode()
1300     		/*
1301     		 * Encountered invalid opcode.
1302     		 */
1303
1304     		return VME_INVALID_FILE;
1305     	} else {
>>>     CID 583146:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return 0;".
1306     		return 0;
1307     	}
1308     }
1309
1310     /*
1311      *

** CID 583145:         (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959           in ispVMBitShift()
/drivers/fpga/ivm_core.c: 1974           in ispVMBitShift()


_____________________________________________________________________________________________
*** CID 583145:           (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959             in ispVMBitShift()
1953     		for (i = 0; i < size; i++) {
1954     			if (g_pucInData[i] != 0) {
1955     				tmpbits = bits;
1956     				while (tmpbits > 0) {
1957     					g_pucInData[i] <<= 1;
1958     					if (g_pucInData[i] == 0) {
>>>     CID 583145:           (INTEGER_OVERFLOW)
>>>     Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1959     						i--;
1960     						g_pucInData[i] = 1;
1961     					}
1962     					tmpbits--;
1963     				}
1964     			}
/drivers/fpga/ivm_core.c: 1974             in ispVMBitShift()
1968     		for (i = 0; i < size; i++) {
1969     			if (g_pucInData[i] != 0) {
1970     				tmpbits = bits;
1971     				while (tmpbits > 0) {
1972     					g_pucInData[i] >>= 1;
1973     					if (g_pucInData[i] == 0) {
>>>     CID 583145:           (INTEGER_OVERFLOW)
>>>     Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1974     						i--;
1975     						g_pucInData[i] = 8;
1976     					}
1977     					tmpbits--;
1978     				}
1979     			}

** CID 583144:       Null pointer dereferences  (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406           in ispVMBypass()


_____________________________________________________________________________________________
*** CID 583144:         Null pointer dereferences  (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406             in ispVMBypass()
2400
2401     	iSourceIndex = 0;
2402     	cBitState = 0;
2403     	for (iIndex = 0; iIndex < Bits - 1; iIndex++) {
2404     		/* Scan instruction or bypass register */
2405     		if (iIndex % 8 == 0) {
>>>     CID 583144:         Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "pcSource".
2406     			cCurByte = pcSource[iSourceIndex++];
2407     		}
2408     		cBitState = (unsigned char) (((cCurByte << iIndex % 8) & 0x80)
2409     			? 0x01 : 0x00);
2410     		writePort(g_ucPinTDI, cBitState);
2411     		sclock();

** CID 583143:         (OVERRUN)
/drivers/fpga/ivm_core.c: 2455           in ispVMStateMachine()
/drivers/fpga/ivm_core.c: 2458           in ispVMStateMachine()


_____________________________________________________________________________________________
*** CID 583143:           (OVERRUN)
/drivers/fpga/ivm_core.c: 2455             in ispVMStateMachine()
2449     				 g_JTAGTransistions[cStateIndex].NextState)) {
2450     			break;
2451     		}
2452     	}
2453
2454     	g_cCurrentJTAGState = cNextJTAGState;
>>>     CID 583143:           (OVERRUN)
>>>     Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2455     	for (cPathIndex = 0;
2456     		cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457     		cPathIndex++) {
2458     		if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459     			& 0x80) {
2460     			writePort(g_ucPinTMS, (unsigned char) 0x01);
/drivers/fpga/ivm_core.c: 2458             in ispVMStateMachine()
2452     	}
2453
2454     	g_cCurrentJTAGState = cNextJTAGState;
2455     	for (cPathIndex = 0;
2456     		cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457     		cPathIndex++) {
>>>     CID 583143:           (OVERRUN)
>>>     Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2458     		if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459     			& 0x80) {
2460     			writePort(g_ucPinTMS, (unsigned char) 0x01);
2461     		} else {
2462     			writePort(g_ucPinTMS, (unsigned char) 0x00);
2463     		}



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-07-25 13:26 Tom Rini
@ 2025-07-25 13:34 ` Michal Simek
  2025-08-04  9:11 ` Alexander Dahl
  1 sibling, 0 replies; 105+ messages in thread
From: Michal Simek @ 2025-07-25 13:34 UTC (permalink / raw)
  To: Tom Rini, u-boot

Hi Tom,

On 7/25/25 15:26, Tom Rini wrote:
> Here's the latest report. These aren't new issues as much as they are
> Coverity now looking at FPGA code issues.

I have sent
https://lore.kernel.org/all/cover.1753442748.git.michal.simek@amd.com/

to address some of them.

Thanks,
Michal




* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-29 16:32 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-07-29 16:32 UTC (permalink / raw)
  To: u-boot; +Cc: Heiko Schocher, Heinrich Schuchardt


So I ran Coverity with the newest scan version and this is good news.
Only a few newly found issues in existing code.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Jul 29, 2025 at 10:04 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 3
   - 12 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 583415:       Integer handling issues  (INTEGER_OVERFLOW)
/cmd/i2c.c: 369           in do_i2c_write()


_____________________________________________________________________________________________
*** CID 583415:         Integer handling issues  (INTEGER_OVERFLOW)
/cmd/i2c.c: 369             in do_i2c_write()
363     			return i2c_report_err(ret, I2C_ERR_WRITE);
364     	} else {
365     		/*
366     		 * Repeated addressing - perform <length> separate
367     		 * write transactions of one byte each
368     		 */
>>>     CID 583415:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "length--", where "length" is known to be equal to 0, underflows the type of "length--", which is type "uint".
369     		while (length-- > 0) {
370     #if CONFIG_IS_ENABLED(DM_I2C)
371     			i2c_chip->flags |= DM_I2C_CHIP_WR_ADDRESS;
372     			ret = dm_i2c_write(dev, devaddr++, memaddr++, 1);
373     #else
374     			ret = i2c_write(chip, devaddr++, alen, memaddr++, 1);

** CID 583414:       Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 334           in eficonfig_append_menu_entry()


_____________________________________________________________________________________________
*** CID 583414:         Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 334             in eficonfig_append_menu_entry()
328
329     	entry = calloc(1, sizeof(struct eficonfig_entry));
330     	if (!entry)
331     		return EFI_OUT_OF_RESOURCES;
332
333     	entry->title = title;
>>>     CID 583414:         Memory - corruptions  (OVERRUN)
>>>     "sprintf" will overrun its first argument "entry->key" which can accommodate 3 bytes.  The number of bytes written may be 11 bytes, including the terminating null.
334     	sprintf(entry->key, "%d", efi_menu->count);
335     	entry->efi_menu = efi_menu;
336     	entry->func = func;
337     	entry->data = data;
338     	entry->num = efi_menu->count++;
339     	list_add_tail(&entry->list, &efi_menu->list);

** CID 583357:         (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714           in deflate_slow()
/lib/zlib/deflate.c: 1706           in deflate_slow()


_____________________________________________________________________________________________
*** CID 583357:           (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714             in deflate_slow()
1708
1709                 /* Insert in hash table all strings up to the end of the match.
1710                  * strstart-1 and strstart are already inserted. If there is not
1711                  * enough lookahead, the last two strings are not inserted in
1712                  * the hash table.
1713                  */
>>>     CID 583357:           (INTEGER_OVERFLOW)
>>>     Expression "s->lookahead", where "s->prev_length - 1U" is known to be equal to 4294967270, underflows the type of "s->lookahead", which is type "uInt".
1714                 s->lookahead -= s->prev_length-1;
1715                 s->prev_length -= 2;
1716                 do {
1717                     if (++s->strstart <= max_insert) {
1718                         INSERT_STRING(s, s->strstart, hash_head);
1719                     }
/lib/zlib/deflate.c: 1706             in deflate_slow()
1700             if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
1701                 uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
1702                 /* Do not insert strings in hash table beyond this. */
1703
1704                 check_match(s, s->strstart-1, s->prev_match, s->prev_length);
1705
>>>     CID 583357:           (INTEGER_OVERFLOW)
>>>     Expression "len", where "s->prev_length - 3U" is known to be equal to 4294967267, overflows the type of "len", which is type "uch".
1706                 _tr_tally_dist(s, s->strstart -1 - s->prev_match,
1707                                s->prev_length - MIN_MATCH, bflush);
1708
1709                 /* Insert in hash table all strings up to the end of the match.
1710                  * strstart-1 and strstart are already inserted. If there is not
1711                  * enough lookahead, the last two strings are not inserted in



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-07-25 13:26 Tom Rini
  2025-07-25 13:34 ` Michal Simek
@ 2025-08-04  9:11 ` Alexander Dahl
  1 sibling, 0 replies; 105+ messages in thread
From: Alexander Dahl @ 2025-08-04  9:11 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Michal Simek

Hello,

On Fri, Jul 25, 2025 at 07:26:45AM -0600, Tom Rini wrote:
> Here's the latest report. These aren't new issues as much as they are
> Coverity now looking at FPGA code issues.
> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Thu, Jul 24, 2025 at 8:03 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
> 
>    - *New Defects Found:* 8
>    - 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
>    the recent build analyzed by Coverity Scan.
>    - *Defects Shown:* Showing 8 of 8 defect(s)
> 
> Defect Details
> 

[…]

> ** CID 583148:       Control flow issues  (DEADCODE)
> /drivers/fpga/cyclon2.c: 180           in CYC2_ps_load()
> 
> 
> _____________________________________________________________________________________________
> *** CID 583148:         Control flow issues  (DEADCODE)
> /drivers/fpga/cyclon2.c: 180             in CYC2_ps_load()
> 174     		ret_val = FPGA_SUCCESS;
> 175
> 176     #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
> 177     		if (ret_val == FPGA_SUCCESS)
> 178     			puts("Done.\n");
> 179     		else
> >>>     CID 583148:         Control flow issues  (DEADCODE)
> >>>     Execution cannot reach this statement: "puts("Fail.\n");".
> 180     			puts("Fail.\n");
> 181     #endif
> 182
> 183     		/*
> 184     		 * Run the post configuration function if there is one.
> 185     		 */

See
https://lore.kernel.org/u-boot/20250804090816.42603-1-ada@thorsis.com/T/#u
for a fix of the cyclon2 driver.

Greets
Alex



* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-08-06 18:35 Tom Rini
  2025-08-07  9:17 ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-08-06 18:35 UTC (permalink / raw)
  To: u-boot, Heiko Schocher, Dinesh Maniyam


Here's the latest report. Let's get these new issues addressed ASAP
please, thanks.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Wed, Aug 6, 2025 at 12:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 8
   - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 8 of 8 defect(s)

Defect Details

** CID 583812:       Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001           in dw_i3c_probe()


_____________________________________________________________________________________________
*** CID 583812:         Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001             in dw_i3c_probe()
995     	ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
996     	master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
997
998     	ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
999     	master->datstartaddr = ret;
1000     	master->maxdevs = ret >> 16;
>>>     CID 583812:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior.  The shift amount, "63 - (master->maxdevs - 1)", is 64.
1001     	master->free_pos = GENMASK(master->maxdevs - 1, 0);
1002
1003     	ret = i3c_master_register(&master->base, dev,
1004     				  &dw_mipi_i3c_ops, false);
1005     	if (ret)
1006     		goto err_assert_rst;

** CID 583811:         (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1586           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1591           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1598           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1603           in of_i3c_master_add_i3c_boardinfo()


_____________________________________________________________________________________________
*** CID 583811:           (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610             in of_i3c_master_add_i3c_boardinfo()
1604     	}
1605
1606     	boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608     	if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
1609     	    I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1610     		return -EINVAL;
1611
1612     	boardinfo->init_dyn_addr = init_dyn_addr;
1613     	boardinfo->of_node = node;
1614     	list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
1615
/drivers/i3c/master.c: 1586             in of_i3c_master_add_i3c_boardinfo()
1580     	boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
1581     	if (!boardinfo)
1582     		return -ENOMEM;
1583
1584     	if (reg[0]) {
1585     		if (reg[0] > I3C_MAX_ADDR)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1586     			return -EINVAL;
1587
1588     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589     							  reg[0]);
1590     		if (addrstatus != I3C_ADDR_SLOT_FREE)
1591     			return -EINVAL;
/drivers/i3c/master.c: 1591             in of_i3c_master_add_i3c_boardinfo()
1585     		if (reg[0] > I3C_MAX_ADDR)
1586     			return -EINVAL;
1587
1588     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589     							  reg[0]);
1590     		if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1591     			return -EINVAL;
1592     	}
1593
1594     	boardinfo->static_addr = reg[0];
1595
1596     	if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
/drivers/i3c/master.c: 1598             in of_i3c_master_add_i3c_boardinfo()
1592     	}
1593
1594     	boardinfo->static_addr = reg[0];
1595
1596     	if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
1597     		if (init_dyn_addr > I3C_MAX_ADDR)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1598     			return -EINVAL;
1599
1600     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601     							  init_dyn_addr);
1602     		if (addrstatus != I3C_ADDR_SLOT_FREE)
1603     			return -EINVAL;
/drivers/i3c/master.c: 1603             in of_i3c_master_add_i3c_boardinfo()
1597     		if (init_dyn_addr > I3C_MAX_ADDR)
1598     			return -EINVAL;
1599
1600     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601     							  init_dyn_addr);
1602     		if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1603     			return -EINVAL;
1604     	}
1605
1606     	boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608     	if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||

** CID 298388:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579           in dw_i3c_ccc_get()


_____________________________________________________________________________________________
*** CID 298388:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579             in dw_i3c_ccc_get()
573     		return -ENOMEM;
574
575     	cmd = xfer->cmds;
576     	cmd->rx_buf = ccc->dests[0].payload.data;
577     	cmd->rx_len = ccc->dests[0].payload.len;
578
>>>     CID 298388:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
579     	cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
580     		      COMMAND_PORT_TRANSFER_ARG;
581
582     	cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
583     		      COMMAND_PORT_CP |
584     		      COMMAND_PORT_DEV_INDEX(pos) |

** CID 298037:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375           in dw_i3c_clk_cfg()


_____________________________________________________________________________________________
*** CID 298037:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375             in dw_i3c_clk_cfg()
369     	scl_timing = SCL_EXT_LCNT_1(lcnt);
370     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
371     	scl_timing |= SCL_EXT_LCNT_2(lcnt);
372     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
373     	scl_timing |= SCL_EXT_LCNT_3(lcnt);
374     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>>     CID 298037:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
375     	scl_timing |= SCL_EXT_LCNT_4(lcnt);
376     	writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
377
378     	return 0;
379     }
380

** CID 296053:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535           in dw_i3c_ccc_set()


_____________________________________________________________________________________________
*** CID 296053:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535             in dw_i3c_ccc_set()
529     		return -ENOMEM;
530
531     	cmd = xfer->cmds;
532     	cmd->tx_buf = ccc->dests[0].payload.data;
533     	cmd->tx_len = ccc->dests[0].payload.len;
534
>>>     CID 296053:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
535     	cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
536     		      COMMAND_PORT_TRANSFER_ARG;
537
538     	cmd->cmd_lo = COMMAND_PORT_CP |
539     		      COMMAND_PORT_DEV_INDEX(pos) |
540     		      COMMAND_PORT_CMD(ccc->id) |

** CID 295976:         (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395           in dw_i2c_clk_cfg()
/drivers/i3c/master/dw-i3c-master.c: 401           in dw_i2c_clk_cfg()


_____________________________________________________________________________________________
*** CID 295976:           (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395             in dw_i2c_clk_cfg()
389     		return -EINVAL;
390
391     	core_period = DIV_ROUND_UP(1000000000, core_rate);
392
393     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
394     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>>     CID 295976:           (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
395     	scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396     		     SCL_I2C_FMP_TIMING_LCNT(lcnt);
397     	writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
/drivers/i3c/master/dw-i3c-master.c: 401             in dw_i2c_clk_cfg()
395     	scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396     		     SCL_I2C_FMP_TIMING_LCNT(lcnt);
397     	writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
>>>     CID 295976:           (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
401     	scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
402     		     SCL_I2C_FM_TIMING_LCNT(lcnt);
403     	writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
404
405     	writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
406     	writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,

** CID 294913:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724           in dw_i3c_master_priv_xfers()


_____________________________________________________________________________________________
*** CID 294913:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724             in dw_i3c_master_priv_xfers()
718     	if (!xfer)
719     		return -ENOMEM;
720
721     	for (i = 0; i < i3c_nxfers; i++) {
722     		struct dw_i3c_cmd *cmd = &xfer->cmds[i];
723
>>>     CID 294913:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
724     		cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
725     			COMMAND_PORT_TRANSFER_ARG;
726
727     		if (i3c_xfers[i].rnw) {
728     			cmd->rx_buf = i3c_xfers[i].data.in;
729     			cmd->rx_len = i3c_xfers[i].len;

** CID 294627:       Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master.c: 181           in i3c_bus_get_addr_slot_status()


_____________________________________________________________________________________________
*** CID 294627:         Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master.c: 181             in i3c_bus_get_addr_slot_status()
175     	int status, bitpos = addr * 2;
176
177     	if (addr > I2C_MAX_ADDR)
178     		return I3C_ADDR_SLOT_RSVD;
179
180     	status = bus->addrslots[bitpos / BITS_PER_LONG];
>>>     CID 294627:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior.  The shift amount, "bitpos % 64", is as much as 63.
181     	status >>= bitpos % BITS_PER_LONG;
182
183     	return status & I3C_ADDR_SLOT_STATUS_MASK;
184     }
185
186     static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-08-06 18:35 Tom Rini
@ 2025-08-07  9:17 ` Heiko Schocher
  2025-08-08  3:37   ` Maniyam, Dinesh
  0 siblings, 1 reply; 105+ messages in thread
From: Heiko Schocher @ 2025-08-07  9:17 UTC (permalink / raw)
  To: u-boot, Dinesh Maniyam; +Cc: Tom Rini, Heiko Schocher

Hello Dinesh,

On 06.08.25 20:35, Tom Rini wrote:
> Here's the latest report. Let's get these new issues addressed ASAP
> please, thanks.
> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Wed, Aug 6, 2025 at 12:23 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
> 
>     - *New Defects Found:* 8
>     - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
>     the recent build analyzed by Coverity Scan.
>     - *Defects Shown:* Showing 8 of 8 defect(s)
> 
> Defect Details
> 
> ** CID 583812:       Integer handling issues  (BAD_SHIFT)
> /drivers/i3c/master/dw-i3c-master.c: 1001           in dw_i3c_probe()

Could you please look at the issues on i3c parts, as I go on
vacation, thanks!

@Tom: Feel free to pick up fixes, thanks!

bye,
Heiko
> 
> 
> _____________________________________________________________________________________________
> *** CID 583812:         Integer handling issues  (BAD_SHIFT)
> /drivers/i3c/master/dw-i3c-master.c: 1001             in dw_i3c_probe()
> 995     	ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> 996     	master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> 997
> 998     	ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> 999     	master->datstartaddr = ret;
> 1000     	master->maxdevs = ret >> 16;
>>>>      CID 583812:         Integer handling issues  (BAD_SHIFT)
>>>>      In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior.  The shift amount, "63 - (master->maxdevs - 1)", is 64.
> 1001     	master->free_pos = GENMASK(master->maxdevs - 1, 0);
> 1002
> 1003     	ret = i3c_master_register(&master->base, dev,
> 1004     				  &dw_mipi_i3c_ops, false);
> 1005     	if (ret)
> 1006     		goto err_assert_rst;
> 
> ** CID 583811:         (RESOURCE_LEAK)
> /drivers/i3c/master.c: 1610           in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1586           in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1591           in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1598           in of_i3c_master_add_i3c_boardinfo()
> /drivers/i3c/master.c: 1603           in of_i3c_master_add_i3c_boardinfo()
> 
> 
> _____________________________________________________________________________________________
> *** CID 583811:           (RESOURCE_LEAK)
> /drivers/i3c/master.c: 1610             in of_i3c_master_add_i3c_boardinfo()
> 1604     	}
> 1605
> 1606     	boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> 1607
> 1608     	if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> 1609     	    I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>>>      CID 583811:           (RESOURCE_LEAK)
>>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> 1610     		return -EINVAL;
> 1611
> 1612     	boardinfo->init_dyn_addr = init_dyn_addr;
> 1613     	boardinfo->of_node = node;
> 1614     	list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
> 1615
> /drivers/i3c/master.c: 1586             in of_i3c_master_add_i3c_boardinfo()
> 1580     	boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
> 1581     	if (!boardinfo)
> 1582     		return -ENOMEM;
> 1583
> 1584     	if (reg[0]) {
> 1585     		if (reg[0] > I3C_MAX_ADDR)
>>>>      CID 583811:           (RESOURCE_LEAK)
>>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> 1586     			return -EINVAL;
> 1587
> 1588     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1589     							  reg[0]);
> 1590     		if (addrstatus != I3C_ADDR_SLOT_FREE)
> 1591     			return -EINVAL;
> /drivers/i3c/master.c: 1591             in of_i3c_master_add_i3c_boardinfo()
> 1585     		if (reg[0] > I3C_MAX_ADDR)
> 1586     			return -EINVAL;
> 1587
> 1588     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1589     							  reg[0]);
> 1590     		if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>>      CID 583811:           (RESOURCE_LEAK)
>>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> 1591     			return -EINVAL;
> 1592     	}
> 1593
> 1594     	boardinfo->static_addr = reg[0];
> 1595
> 1596     	if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> /drivers/i3c/master.c: 1598             in of_i3c_master_add_i3c_boardinfo()
> 1592     	}
> 1593
> 1594     	boardinfo->static_addr = reg[0];
> 1595
> 1596     	if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> 1597     		if (init_dyn_addr > I3C_MAX_ADDR)
>>>>      CID 583811:           (RESOURCE_LEAK)
>>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> 1598     			return -EINVAL;
> 1599
> 1600     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1601     							  init_dyn_addr);
> 1602     		if (addrstatus != I3C_ADDR_SLOT_FREE)
> 1603     			return -EINVAL;
> /drivers/i3c/master.c: 1603             in of_i3c_master_add_i3c_boardinfo()
> 1597     		if (init_dyn_addr > I3C_MAX_ADDR)
> 1598     			return -EINVAL;
> 1599
> 1600     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> 1601     							  init_dyn_addr);
> 1602     		if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>>      CID 583811:           (RESOURCE_LEAK)
>>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> 1603     			return -EINVAL;
> 1604     	}
> 1605
> 1606     	boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> 1607
> 1608     	if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> 
> ** CID 298388:       Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 579           in dw_i3c_ccc_get()
> 
> 
> _____________________________________________________________________________________________
> *** CID 298388:         Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 579             in dw_i3c_ccc_get()
> 573     		return -ENOMEM;
> 574
> 575     	cmd = xfer->cmds;
> 576     	cmd->rx_buf = ccc->dests[0].payload.data;
> 577     	cmd->rx_len = ccc->dests[0].payload.len;
> 578
>>>>      CID 298388:         Integer handling issues  (SIGN_EXTENSION)
>>>>      Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 579     	cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> 580     		      COMMAND_PORT_TRANSFER_ARG;
> 581
> 582     	cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
> 583     		      COMMAND_PORT_CP |
> 584     		      COMMAND_PORT_DEV_INDEX(pos) |
> 
> ** CID 298037:       Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 375           in dw_i3c_clk_cfg()
> 
> 
> _____________________________________________________________________________________________
> *** CID 298037:         Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 375             in dw_i3c_clk_cfg()
> 369     	scl_timing = SCL_EXT_LCNT_1(lcnt);
> 370     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
> 371     	scl_timing |= SCL_EXT_LCNT_2(lcnt);
> 372     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
> 373     	scl_timing |= SCL_EXT_LCNT_3(lcnt);
> 374     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>>>      CID 298037:         Integer handling issues  (SIGN_EXTENSION)
>>>>      Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 375     	scl_timing |= SCL_EXT_LCNT_4(lcnt);
> 376     	writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
> 377
> 378     	return 0;
> 379     }
> 380
> 
> ** CID 296053:       Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 535           in dw_i3c_ccc_set()
> 
> 
> _____________________________________________________________________________________________
> *** CID 296053:         Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 535             in dw_i3c_ccc_set()
> 529     		return -ENOMEM;
> 530
> 531     	cmd = xfer->cmds;
> 532     	cmd->tx_buf = ccc->dests[0].payload.data;
> 533     	cmd->tx_len = ccc->dests[0].payload.len;
> 534
>>>>      CID 296053:         Integer handling issues  (SIGN_EXTENSION)
>>>>      Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 535     	cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> 536     		      COMMAND_PORT_TRANSFER_ARG;
> 537
> 538     	cmd->cmd_lo = COMMAND_PORT_CP |
> 539     		      COMMAND_PORT_DEV_INDEX(pos) |
> 540     		      COMMAND_PORT_CMD(ccc->id) |
> 
> ** CID 295976:         (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 395           in dw_i2c_clk_cfg()
> /drivers/i3c/master/dw-i3c-master.c: 401           in dw_i2c_clk_cfg()
> 
> 
> _____________________________________________________________________________________________
> *** CID 295976:           (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 395             in dw_i2c_clk_cfg()
> 389     		return -EINVAL;
> 390
> 391     	core_period = DIV_ROUND_UP(1000000000, core_rate);
> 392
> 393     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
> 394     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>>>      CID 295976:           (SIGN_EXTENSION)
>>>>      Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 395     	scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> 396     		     SCL_I2C_FMP_TIMING_LCNT(lcnt);
> 397     	writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> 398
> 399     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> 400     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> /drivers/i3c/master/dw-i3c-master.c: 401             in dw_i2c_clk_cfg()
> 395     	scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> 396     		     SCL_I2C_FMP_TIMING_LCNT(lcnt);
> 397     	writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> 398
> 399     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> 400     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
>>>>      CID 295976:           (SIGN_EXTENSION)
>>>>      Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 401     	scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
> 402     		     SCL_I2C_FM_TIMING_LCNT(lcnt);
> 403     	writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
> 404
> 405     	writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
> 406     	writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,
> 
> ** CID 294913:       Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 724           in dw_i3c_master_priv_xfers()
> 
> 
> _____________________________________________________________________________________________
> *** CID 294913:         Integer handling issues  (SIGN_EXTENSION)
> /drivers/i3c/master/dw-i3c-master.c: 724             in
> dw_i3c_master_priv_xfers()
> 718     	if (!xfer)
> 719     		return -ENOMEM;
> 720
> 721     	for (i = 0; i < i3c_nxfers; i++) {
> 722     		struct dw_i3c_cmd *cmd = &xfer->cmds[i];
> 723
>>>>      CID 294913:         Integer handling issues  (SIGN_EXTENSION)
>>>>      Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 724     		cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
> 725     			COMMAND_PORT_TRANSFER_ARG;
> 726
> 727     		if (i3c_xfers[i].rnw) {
> 728     			cmd->rx_buf = i3c_xfers[i].data.in;
> 729     			cmd->rx_len = i3c_xfers[i].len;
> 
> ** CID 294627:       Integer handling issues  (BAD_SHIFT)
> /drivers/i3c/master.c: 181           in i3c_bus_get_addr_slot_status()
> 
> 
> _____________________________________________________________________________________________
> *** CID 294627:         Integer handling issues  (BAD_SHIFT)
> /drivers/i3c/master.c: 181             in i3c_bus_get_addr_slot_status()
> 175     	int status, bitpos = addr * 2;
> 176
> 177     	if (addr > I2C_MAX_ADDR)
> 178     		return I3C_ADDR_SLOT_RSVD;
> 179
> 180     	status = bus->addrslots[bitpos / BITS_PER_LONG];
>>>>      CID 294627:         Integer handling issues  (BAD_SHIFT)
>>>>      In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior.  The shift amount, "bitpos % 64", is as much as 63.
> 181     	status >>= bitpos % BITS_PER_LONG;
> 182
> 183     	return status & I3C_ADDR_SLOT_STATUS_MASK;
> 184     }
> 185
> 186     static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
> 
> 
> 
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> 
> Best regards,
> 
> The Coverity Scan Admin Team
> 
> ----- End forwarded message -----
> 

-- 
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Managing Director: Stefano Babic

^ permalink raw reply	[flat|nested] 105+ messages in thread

* RE: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-08-07  9:17 ` Heiko Schocher
@ 2025-08-08  3:37   ` Maniyam, Dinesh
  2025-08-08  4:01     ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Maniyam, Dinesh @ 2025-08-08  3:37 UTC (permalink / raw)
  To: Heiko Schocher, u-boot@lists.denx.de; +Cc: Tom Rini, Heiko Schocher

Hi

> -----Original Message-----
> From: Heiko Schocher <hs@nabladev.com>
> Sent: Thursday, 7 August 2025 5:17 pm
> To: u-boot@lists.denx.de; Maniyam, Dinesh <dinesh.maniyam@altera.com>
> Cc: Tom Rini <trini@konsulko.com>; Heiko Schocher <hs@denx.de>
> Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
> 
> Hello Dinesh,
> 
> On 06.08.25 20:35, Tom Rini wrote:
> > Here's the latest report. Let's get these new issues addressed ASAP
> > please, thanks.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Wed, Aug 6, 2025 at 12:23 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das
> > U-Boot* found with Coverity Scan.
> >
> >     - *New Defects Found:* 8
> >     - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
> >     the recent build analyzed by Coverity Scan.
> >     - *Defects Shown:* Showing 8 of 8 defect(s)
> >
> > Defect Details
> >
> > ** CID 583812:       Integer handling issues  (BAD_SHIFT)
> > /drivers/i3c/master/dw-i3c-master.c: 1001           in dw_i3c_probe()
> 
> Could you please look at the issues on i3c parts, as I go on vacation, thanks!
> 

Yes, I am working on it, give me just a couple of days!

Thanks
Dinesh

> @Tom: Feel free to pick up fixes, thanks!
> 
> bye,
> Heiko
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 583812:         Integer handling issues  (BAD_SHIFT)
> > /drivers/i3c/master/dw-i3c-master.c: 1001             in dw_i3c_probe()
> > 995           ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
> > 996           master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
> > 997
> > 998           ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
> > 999           master->datstartaddr = ret;
> > 1000          master->maxdevs = ret >> 16;
> >>>>      CID 583812:         Integer handling issues  (BAD_SHIFT)
> >>>>      In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior.  The shift amount, "63 - (master->maxdevs - 1)", is 64.
> > 1001          master->free_pos = GENMASK(master->maxdevs - 1, 0);
> > 1002
> > 1003          ret = i3c_master_register(&master->base, dev,
> > 1004                                    &dw_mipi_i3c_ops, false);
> > 1005          if (ret)
> > 1006                  goto err_assert_rst;
> >
> > ** CID 583811:         (RESOURCE_LEAK)
> > /drivers/i3c/master.c: 1610           in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1586           in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1591           in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1598           in of_i3c_master_add_i3c_boardinfo()
> > /drivers/i3c/master.c: 1603           in of_i3c_master_add_i3c_boardinfo()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 583811:           (RESOURCE_LEAK)
> > /drivers/i3c/master.c: 1610             in of_i3c_master_add_i3c_boardinfo()
> > 1604          }
> > 1605
> > 1606          boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> > 1607
> > 1608          if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> > 1609              I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
> >>>>      CID 583811:           (RESOURCE_LEAK)
> >>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1610                  return -EINVAL;
> > 1611
> > 1612          boardinfo->init_dyn_addr = init_dyn_addr;
> > 1613          boardinfo->of_node = node;
> > 1614          list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
> > 1615
> > /drivers/i3c/master.c: 1586             in of_i3c_master_add_i3c_boardinfo()
> > 1580          boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
> > 1581          if (!boardinfo)
> > 1582                  return -ENOMEM;
> > 1583
> > 1584          if (reg[0]) {
> > 1585                  if (reg[0] > I3C_MAX_ADDR)
> >>>>      CID 583811:           (RESOURCE_LEAK)
> >>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1586                          return -EINVAL;
> > 1587
> > 1588                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1589                                                            reg[0]);
> > 1590                  if (addrstatus != I3C_ADDR_SLOT_FREE)
> > 1591                          return -EINVAL;
> > /drivers/i3c/master.c: 1591             in of_i3c_master_add_i3c_boardinfo()
> > 1585                  if (reg[0] > I3C_MAX_ADDR)
> > 1586                          return -EINVAL;
> > 1587
> > 1588                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1589                                                            reg[0]);
> > 1590                  if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>>>      CID 583811:           (RESOURCE_LEAK)
> >>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1591                          return -EINVAL;
> > 1592          }
> > 1593
> > 1594          boardinfo->static_addr = reg[0];
> > 1595
> > 1596          if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> > /drivers/i3c/master.c: 1598             in of_i3c_master_add_i3c_boardinfo()
> > 1592          }
> > 1593
> > 1594          boardinfo->static_addr = reg[0];
> > 1595
> > 1596          if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
> > 1597                  if (init_dyn_addr > I3C_MAX_ADDR)
> >>>>      CID 583811:           (RESOURCE_LEAK)
> >>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1598                          return -EINVAL;
> > 1599
> > 1600                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1601                                                            init_dyn_addr);
> > 1602                  if (addrstatus != I3C_ADDR_SLOT_FREE)
> > 1603                          return -EINVAL;
> > /drivers/i3c/master.c: 1603             in of_i3c_master_add_i3c_boardinfo()
> > 1597                  if (init_dyn_addr > I3C_MAX_ADDR)
> > 1598                          return -EINVAL;
> > 1599
> > 1600                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
> > 1601                                                            init_dyn_addr);
> > 1602                  if (addrstatus != I3C_ADDR_SLOT_FREE)
> >>>>      CID 583811:           (RESOURCE_LEAK)
> >>>>      Variable "boardinfo" going out of scope leaks the storage it points to.
> > 1603                          return -EINVAL;
> > 1604          }
> > 1605
> > 1606          boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
> > 1607
> > 1608          if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
> >
> > ** CID 298388:       Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 579           in dw_i3c_ccc_get()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 298388:         Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 579             in dw_i3c_ccc_get()
> > 573                   return -ENOMEM;
> > 574
> > 575           cmd = xfer->cmds;
> > 576           cmd->rx_buf = ccc->dests[0].payload.data;
> > 577           cmd->rx_len = ccc->dests[0].payload.len;
> > 578
> >>>>      CID 298388:         Integer handling issues  (SIGN_EXTENSION)
> >>>>      Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 579           cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> > 580                         COMMAND_PORT_TRANSFER_ARG;
> > 581
> > 582           cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
> > 583                         COMMAND_PORT_CP |
> > 584                         COMMAND_PORT_DEV_INDEX(pos) |
> >
> > ** CID 298037:       Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 375           in dw_i3c_clk_cfg()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 298037:         Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 375             in dw_i3c_clk_cfg()
> > 369           scl_timing = SCL_EXT_LCNT_1(lcnt);
> > 370           lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
> > 371           scl_timing |= SCL_EXT_LCNT_2(lcnt);
> > 372           lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
> > 373           scl_timing |= SCL_EXT_LCNT_3(lcnt);
> > 374           lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
> >>>>      CID 298037:         Integer handling issues  (SIGN_EXTENSION)
> >>>>      Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 375           scl_timing |= SCL_EXT_LCNT_4(lcnt);
> > 376           writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
> > 377
> > 378           return 0;
> > 379     }
> > 380
> >
> > ** CID 296053:       Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 535           in dw_i3c_ccc_set()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 296053:         Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 535             in dw_i3c_ccc_set()
> > 529                   return -ENOMEM;
> > 530
> > 531           cmd = xfer->cmds;
> > 532           cmd->tx_buf = ccc->dests[0].payload.data;
> > 533           cmd->tx_len = ccc->dests[0].payload.len;
> > 534
> >>>>      CID 296053:         Integer handling issues  (SIGN_EXTENSION)
> >>>>      Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 535           cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
> > 536                         COMMAND_PORT_TRANSFER_ARG;
> > 537
> > 538           cmd->cmd_lo = COMMAND_PORT_CP |
> > 539                         COMMAND_PORT_DEV_INDEX(pos) |
> > 540                         COMMAND_PORT_CMD(ccc->id) |
> >
> > ** CID 295976:         (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 395           in dw_i2c_clk_cfg()
> > /drivers/i3c/master/dw-i3c-master.c: 401           in dw_i2c_clk_cfg()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 295976:           (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 395             in dw_i2c_clk_cfg()
> > 389                   return -EINVAL;
> > 390
> > 391           core_period = DIV_ROUND_UP(1000000000, core_rate);
> > 392
> > 393           lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
> > 394           hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
> >>>>      CID 295976:           (SIGN_EXTENSION)
> >>>>      Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 395           scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> > 396                        SCL_I2C_FMP_TIMING_LCNT(lcnt);
> > 397           writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> > 398
> > 399           lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> > 400           hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> > /drivers/i3c/master/dw-i3c-master.c: 401             in dw_i2c_clk_cfg()
> > 395           scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
> > 396                        SCL_I2C_FMP_TIMING_LCNT(lcnt);
> > 397           writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
> > 398
> > 399           lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
> > 400           hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
> >>>>      CID 295976:           (SIGN_EXTENSION)
> >>>>      Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 401           scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
> > 402                        SCL_I2C_FM_TIMING_LCNT(lcnt);
> > 403           writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
> > 404
> > 405           writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
> > 406           writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,
> >
> > ** CID 294913:       Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 724           in dw_i3c_master_priv_xfers()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 294913:         Integer handling issues  (SIGN_EXTENSION)
> > /drivers/i3c/master/dw-i3c-master.c: 724             in
> > dw_i3c_master_priv_xfers()
> > 718           if (!xfer)
> > 719                   return -ENOMEM;
> > 720
> > 721           for (i = 0; i < i3c_nxfers; i++) {
> > 722                   struct dw_i3c_cmd *cmd = &xfer->cmds[i];
> > 723
> >>>>      CID 294913:         Integer handling issues  (SIGN_EXTENSION)
> >>>>      Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> > 724                   cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
> > 725                           COMMAND_PORT_TRANSFER_ARG;
> > 726
> > 727                   if (i3c_xfers[i].rnw) {
> > 728                           cmd->rx_buf = i3c_xfers[i].data.in;
> > 729                           cmd->rx_len = i3c_xfers[i].len;
> >
> > ** CID 294627:       Integer handling issues  (BAD_SHIFT)
> > /drivers/i3c/master.c: 181           in i3c_bus_get_addr_slot_status()
> >
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 294627:         Integer handling issues  (BAD_SHIFT)
> > /drivers/i3c/master.c: 181             in i3c_bus_get_addr_slot_status()
> > 175           int status, bitpos = addr * 2;
> > 176
> > 177           if (addr > I2C_MAX_ADDR)
> > 178                   return I3C_ADDR_SLOT_RSVD;
> > 179
> > 180           status = bus->addrslots[bitpos / BITS_PER_LONG];
> >>>>      CID 294627:         Integer handling issues  (BAD_SHIFT)
> >>>>      In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior.  The shift amount, "bitpos % 64", is as much as 63.
> > 181           status >>= bitpos % BITS_PER_LONG;
> > 182
> > 183           return status & I3C_ADDR_SLOT_STATUS_MASK;
> > 184     }
> > 185
> > 186     static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
> >
> >
> >
> > View Defects in Coverity Scan
> > <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> >
> > Best regards,
> >
> > The Coverity Scan Admin Team
> >
> > ----- End forwarded message -----
> >

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-08-08  3:37   ` Maniyam, Dinesh
@ 2025-08-08  4:01     ` Heiko Schocher
  0 siblings, 0 replies; 105+ messages in thread
From: Heiko Schocher @ 2025-08-08  4:01 UTC (permalink / raw)
  To: Maniyam, Dinesh, u-boot@lists.denx.de; +Cc: Tom Rini, Heiko Schocher

Hello Dinesh,

On 08.08.25 05:37, Maniyam, Dinesh wrote:
> Hi
> 
>> -----Original Message-----
>> From: Heiko Schocher <hs@nabladev.com>
>> Sent: Thursday, 7 August 2025 5:17 pm
>> To: u-boot@lists.denx.de; Maniyam, Dinesh <dinesh.maniyam@altera.com>
>> Cc: Tom Rini <trini@konsulko.com>; Heiko Schocher <hs@denx.de>
>> Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
>>
>> Hello Dinesh,
>>
>> On 06.08.25 20:35, Tom Rini wrote:
>>> Here's the latest report. Let's get these new issues addressed ASAP
>>> please, thanks.
>>>
>>> ---------- Forwarded message ---------
>>> From: <scan-admin@coverity.com>
>>> Date: Wed, Aug 6, 2025 at 12:23 PM
>>> Subject: New Defects reported by Coverity Scan for Das U-Boot
>>> To: <tom.rini@gmail.com>
>>>
>>>
>>> Hi,
>>>
>>> Please find the latest report on new defect(s) introduced to *Das
>>> U-Boot* found with Coverity Scan.
>>>
>>>      - *New Defects Found:* 8
>>>      - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
>>>      the recent build analyzed by Coverity Scan.
>>>      - *Defects Shown:* Showing 8 of 8 defect(s)
>>>
>>> Defect Details
>>>
>>> ** CID 583812:       Integer handling issues  (BAD_SHIFT)
>>> /drivers/i3c/master/dw-i3c-master.c: 1001           in dw_i3c_probe()
>>
>> Could you please look at the issues on i3c parts, as I go on vacation, thanks!
>>
> 
> Yes, I am working on it, give me just a couple of days!

Of course, thanks for your time!

bye,
Heiko
> 
> Thanks
> Dinesh
> 
>> @Tom: Feel free to pick up fixes, thanks!
>>
>> bye,
>> Heiko
>>>
>>>
>>>
>>> _____________________________________________________________________________________________
>>> *** CID 583812:         Integer handling issues  (BAD_SHIFT)
>>> /drivers/i3c/master/dw-i3c-master.c: 1001             in dw_i3c_probe()
>>> 995           ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
>>> 996           master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
>>> 997
>>> 998           ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
>>> 999           master->datstartaddr = ret;
>>> 1000          master->maxdevs = ret >> 16;
>>>>>>       CID 583812:         Integer handling issues  (BAD_SHIFT)
>>>>>>       In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior.  The shift amount, "63 - (master->maxdevs - 1)", is 64.
>>> 1001          master->free_pos = GENMASK(master->maxdevs - 1, 0);
>>> 1002
>>> 1003          ret = i3c_master_register(&master->base, dev,
>>> 1004                                    &dw_mipi_i3c_ops, false);
>>> 1005          if (ret)
>>> 1006                  goto err_assert_rst;
>>>
>>> ** CID 583811:         (RESOURCE_LEAK)
>>> /drivers/i3c/master.c: 1610           in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1586           in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1591           in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1598           in of_i3c_master_add_i3c_boardinfo()
>>> /drivers/i3c/master.c: 1603           in of_i3c_master_add_i3c_boardinfo()
>>>
>>>
>>>
>>> _____________________________________________________________________________________________
>>> *** CID 583811:           (RESOURCE_LEAK)
>>> /drivers/i3c/master.c: 1610             in of_i3c_master_add_i3c_boardinfo()
>>> 1604          }
>>> 1605
>>> 1606          boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
>>> 1607
>>> 1608          if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
>>> 1609              I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>>>>>       CID 583811:           (RESOURCE_LEAK)
>>>>>>       Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1610                  return -EINVAL;
>>> 1611
>>> 1612          boardinfo->init_dyn_addr = init_dyn_addr;
>>> 1613          boardinfo->of_node = node;
>>> 1614          list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
>>> 1615
>>> /drivers/i3c/master.c: 1586             in of_i3c_master_add_i3c_boardinfo()
>>> 1580          boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
>>> 1581          if (!boardinfo)
>>> 1582                  return -ENOMEM;
>>> 1583
>>> 1584          if (reg[0]) {
>>> 1585                  if (reg[0] > I3C_MAX_ADDR)
>>>>>>       CID 583811:           (RESOURCE_LEAK)
>>>>>>       Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1586                          return -EINVAL;
>>> 1587
>>> 1588                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1589                                                            reg[0]);
>>> 1590                  if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> 1591                          return -EINVAL;
>>> /drivers/i3c/master.c: 1591             in of_i3c_master_add_i3c_boardinfo()
>>> 1585                  if (reg[0] > I3C_MAX_ADDR)
>>> 1586                          return -EINVAL;
>>> 1587
>>> 1588                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1589                                                            reg[0]);
>>> 1590                  if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>>>>       CID 583811:           (RESOURCE_LEAK)
>>>>>>       Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1591                          return -EINVAL;
>>> 1592          }
>>> 1593
>>> 1594          boardinfo->static_addr = reg[0];
>>> 1595
>>> 1596          if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
>>> /drivers/i3c/master.c: 1598             in of_i3c_master_add_i3c_boardinfo()
>>> 1592          }
>>> 1593
>>> 1594          boardinfo->static_addr = reg[0];
>>> 1595
>>> 1596          if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
>>> 1597                  if (init_dyn_addr > I3C_MAX_ADDR)
>>>>>>       CID 583811:           (RESOURCE_LEAK)
>>>>>>       Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1598                          return -EINVAL;
>>> 1599
>>> 1600                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1601                                                            init_dyn_addr);
>>> 1602                  if (addrstatus != I3C_ADDR_SLOT_FREE)
>>> 1603                          return -EINVAL;
>>> /drivers/i3c/master.c: 1603             in of_i3c_master_add_i3c_boardinfo()
>>> 1597                  if (init_dyn_addr > I3C_MAX_ADDR)
>>> 1598                          return -EINVAL;
>>> 1599
>>> 1600                  addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
>>> 1601                                                            init_dyn_addr);
>>> 1602                  if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>>>>       CID 583811:           (RESOURCE_LEAK)
>>>>>>       Variable "boardinfo" going out of scope leaks the storage it points to.
>>> 1603                          return -EINVAL;
>>> 1604          }
>>> 1605
>>> 1606          boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
>>> 1607
>>> 1608          if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
>>>
>>> ** CID 298388:       Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 579           in dw_i3c_ccc_get()
>>>
>>>
>>>
>>> _____________________________________________________________________________________________
>>> *** CID 298388:         Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 579             in dw_i3c_ccc_get()
>>> 573                   return -ENOMEM;
>>> 574
>>> 575           cmd = xfer->cmds;
>>> 576           cmd->rx_buf = ccc->dests[0].payload.data;
>>> 577           cmd->rx_len = ccc->dests[0].payload.len;
>>> 578
>>>>>>       CID 298388:         Integer handling issues  (SIGN_EXTENSION)
>>>>>>       Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> 579           cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
>>> 580                         COMMAND_PORT_TRANSFER_ARG;
>>> 581
>>> 582           cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
>>> 583                         COMMAND_PORT_CP |
>>> 584                         COMMAND_PORT_DEV_INDEX(pos) |
>>>
>>> ** CID 298037:       Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 375           in dw_i3c_clk_cfg()
>>>
>>>
>>>
>>> _____________________________________________________________________________________________
>>> *** CID 298037:         Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 375             in dw_i3c_clk_cfg()
>>> 369           scl_timing = SCL_EXT_LCNT_1(lcnt);
>>> 370           lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
>>> 371           scl_timing |= SCL_EXT_LCNT_2(lcnt);
>>> 372           lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
>>> 373           scl_timing |= SCL_EXT_LCNT_3(lcnt);
>>> 374           lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>>>>>       CID 298037:         Integer handling issues  (SIGN_EXTENSION)
>>>>>>       Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> 375           scl_timing |= SCL_EXT_LCNT_4(lcnt);
>>> 376           writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
>>> 377
>>> 378           return 0;
>>> 379     }
>>> 380
>>>
>>> ** CID 296053:       Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 535           in dw_i3c_ccc_set()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 296053:         Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 535             in dw_i3c_ccc_set()
>>> 529                   return -ENOMEM;
>>> 530
>>> 531           cmd = xfer->cmds;
>>> 532           cmd->tx_buf = ccc->dests[0].payload.data;
>>> 533           cmd->tx_len = ccc->dests[0].payload.len;
>>> 534
>>>>>>       CID 296053:         Integer handling issues  (SIGN_EXTENSION)
>>>>>>       Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type
>> "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type
>> "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits,
>> unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the
>> upper bits of the result will all be 1.
>>> 535           cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
>>> 536                         COMMAND_PORT_TRANSFER_ARG;
>>> 537
>>> 538           cmd->cmd_lo = COMMAND_PORT_CP |
>>> 539                         COMMAND_PORT_DEV_INDEX(pos) |
>>> 540                         COMMAND_PORT_CMD(ccc->id) |
>>>
>>> ** CID 295976:         (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 395           in dw_i2c_clk_cfg()
>>> /drivers/i3c/master/dw-i3c-master.c: 401           in dw_i2c_clk_cfg()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 295976:           (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 395             in dw_i2c_clk_cfg()
>>> 389                   return -EINVAL;
>>> 390
>>> 391           core_period = DIV_ROUND_UP(1000000000, core_rate);
>>> 392
>>> 393           lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS,
>> core_period);
>>> 394           hcnt = DIV_ROUND_UP(core_rate,
>> I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>>>>>       CID 295976:           (SIGN_EXTENSION)
>>>>>>       Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
>> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
>> extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater
>> than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> 395           scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
>>> 396                        SCL_I2C_FMP_TIMING_LCNT(lcnt);
>>> 397           writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
>>> 398
>>> 399           lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS,
>> core_period);
>>> 400           hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) -
>> lcnt;
>>> /drivers/i3c/master/dw-i3c-master.c: 401             in dw_i2c_clk_cfg()
>>> 395           scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
>>> 396                        SCL_I2C_FMP_TIMING_LCNT(lcnt);
>>> 397           writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
>>> 398
>>> 399           lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS,
>> core_period);
>>> 400           hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) -
>> lcnt;
>>>>>>       CID 295976:           (SIGN_EXTENSION)
>>>>>>       Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits,
>> unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-
>> extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater
>> than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> 401           scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
>>> 402                        SCL_I2C_FM_TIMING_LCNT(lcnt);
>>> 403           writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
>>> 404
>>> 405           writel(BUS_I3C_MST_FREE(lcnt), master->regs +
>> BUS_FREE_TIMING);
>>> 406           writel(readl(master->regs + DEVICE_CTRL) |
>> DEV_CTRL_I2C_SLAVE_PRESENT,
>>>
>>> ** CID 294913:       Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 724           in dw_i3c_master_priv_xfers()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 294913:         Integer handling issues  (SIGN_EXTENSION)
>>> /drivers/i3c/master/dw-i3c-master.c: 724             in
>>> dw_i3c_master_priv_xfers()
>>> 718           if (!xfer)
>>> 719                   return -ENOMEM;
>>> 720
>>> 721           for (i = 0; i < i3c_nxfers; i++) {
>>> 722                   struct dw_i3c_cmd *cmd = &xfer->cmds[i];
>>> 723
>>>>>>       CID 294913:         Integer handling issues  (SIGN_EXTENSION)
>>>>>>       Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16
>> bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits,
>> signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If
>> "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will
>> all be 1.
>>> 724                   cmd->cmd_hi =
>> COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
>>> 725                           COMMAND_PORT_TRANSFER_ARG;
>>> 726
>>> 727                   if (i3c_xfers[i].rnw) {
>>> 728                           cmd->rx_buf = i3c_xfers[i].data.in;
>>> 729                           cmd->rx_len = i3c_xfers[i].len;
>>>
>>> ** CID 294627:       Integer handling issues  (BAD_SHIFT)
>>> /drivers/i3c/master.c: 181           in i3c_bus_get_addr_slot_status()
>>>
>>>
>>>
>> _________________________________________________________________
>> ____________________________
>>> *** CID 294627:         Integer handling issues  (BAD_SHIFT)
>>> /drivers/i3c/master.c: 181             in i3c_bus_get_addr_slot_status()
>>> 175           int status, bitpos = addr * 2;
>>> 176
>>> 177           if (addr > I2C_MAX_ADDR)
>>> 178                   return I3C_ADDR_SLOT_RSVD;
>>> 179
>>> 180           status = bus->addrslots[bitpos / BITS_PER_LONG];
>>>>>>       CID 294627:         Integer handling issues  (BAD_SHIFT)
>>>>>>       In expression "status >>= bitpos % 64", right shifting by more than 31 bits
>> has undefined behavior.  The shift amount, "bitpos % 64", is as much as 63.
>>> 181           status >>= bitpos % BITS_PER_LONG;
>>> 182
>>> 183           return status & I3C_ADDR_SLOT_STATUS_MASK;
>>> 184     }
>>> 185
>>> 186     static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,
>>>
>>>
>>>
>>> View Defects in Coverity Scan
>>> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>>>
>>> Best regards,
>>>
>>> The Coverity Scan Admin Team
>>>
>>> ----- End forwarded message -----
>>>

-- 
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic

^ permalink raw reply	[flat|nested] 105+ messages in thread
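
The two integer-handling classes Coverity flags in the report above, the u16 (or u8) operand that is promoted to int before a shift and then sign-extended into a 64-bit unsigned long, and the int that is shifted by bitpos % 64, reduced to a runnable C example. This is added illustration, not the dw-i3c-master.c or i3c/master.c code: the macro names follow the report, but the bit layout of the command word, the COMMAND_PORT_TRANSFER_ARG value and the address-slot encoding are assumed for the example.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
typedef uint64_t u64;

/* Assumed layout: the data length occupies bits 16..31 of the 64-bit command word. */
#define COMMAND_PORT_TRANSFER_ARG	0x1ULL

/*
 * Flagged shape: the u16 operand is promoted to int before '<<', so for
 * len >= 0x8000 bit 31 is set and the value is negative when it is widened.
 * Going through int32_t explicitly reproduces what a two's complement compiler
 * produces, so the effect is visible here without relying on undefined behaviour.
 * SCL_EXT_LCNT_4(lcnt), a u8 shifted by 24, is the same class of bug.
 */
static u64 cmd_hi_promoted(u16 len)
{
	int32_t promoted = (int32_t)((u32)len << 16);

	return (u64)promoted | COMMAND_PORT_TRANSFER_ARG;	/* sign-extends into bits 32..63 */
}

/* Hardened form: widen to the destination type first, then shift. */
static u64 cmd_hi_widened(u16 len)
{
	return ((u64)len << 16) | COMMAND_PORT_TRANSFER_ARG;
}

/*
 * Address-slot table as in i3c_bus_get_addr_slot_status(): two bits per
 * address packed into 64-bit words. Loading a word into an int and shifting
 * it by bitpos % 64 is the BAD_SHIFT; keeping the u64 type makes a shift by
 * up to 63 well defined. The slot encoding is assumed for the example.
 */
enum addr_slot_status {
	ADDR_SLOT_FREE = 0,
	ADDR_SLOT_RSVD = 1,
	ADDR_SLOT_I2C_DEV = 2,
	ADDR_SLOT_I3C_DEV = 3,
	ADDR_SLOT_STATUS_MASK = 3,
};

#define I2C_MAX_ADDR	0x7f
#define SLOT_WORD_BITS	64
#define SLOT_WORDS	(((I2C_MAX_ADDR + 1) * 2 + SLOT_WORD_BITS - 1) / SLOT_WORD_BITS)

struct addr_slots {
	u64 words[SLOT_WORDS];
};

static enum addr_slot_status addr_slot_get(const struct addr_slots *s, u16 addr)
{
	unsigned int bitpos = addr * 2;
	u64 status;

	if (addr > I2C_MAX_ADDR)
		return ADDR_SLOT_RSVD;

	status = s->words[bitpos / SLOT_WORD_BITS];
	status >>= bitpos % SLOT_WORD_BITS;	/* u64 operand: a shift of 0..63 is legal */

	return (enum addr_slot_status)(status & ADDR_SLOT_STATUS_MASK);
}

static void addr_slot_set(struct addr_slots *s, u16 addr, enum addr_slot_status st)
{
	unsigned int bitpos = addr * 2;
	u64 *word;

	if (addr > I2C_MAX_ADDR)
		return;

	word = &s->words[bitpos / SLOT_WORD_BITS];
	*word &= ~((u64)ADDR_SLOT_STATUS_MASK << (bitpos % SLOT_WORD_BITS));
	*word |= (u64)(st & ADDR_SLOT_STATUS_MASK) << (bitpos % SLOT_WORD_BITS);
}

/* Round trip through the last word (addr 0x7f: bitpos 254, word 3, shift 62). */
static int addr_slot_selftest(void)
{
	struct addr_slots s = { { 0 } };

	addr_slot_set(&s, 0x7f, ADDR_SLOT_I3C_DEV);
	addr_slot_set(&s, 0x20, ADDR_SLOT_I2C_DEV);	/* bitpos 64: word 1, shift 0 */

	return addr_slot_get(&s, 0x7f) == ADDR_SLOT_I3C_DEV &&
	       addr_slot_get(&s, 0x20) == ADDR_SLOT_I2C_DEV &&
	       addr_slot_get(&s, 0x21) == ADDR_SLOT_FREE &&
	       addr_slot_get(&s, 0x80) == ADDR_SLOT_RSVD &&
	       s.words[3] == (3ULL << 62);
}

int main(void)
{
	printf("promoted: %#llx\n", (unsigned long long)cmd_hi_promoted(0x8000));
	printf("widened : %#llx\n", (unsigned long long)cmd_hi_widened(0x8000));
	printf("addr slot round trip: %s\n", addr_slot_selftest() ? "ok" : "FAIL");
	return 0;
}
```

Two caveats worth keeping in mind when triaging these: the sign extension only shows up where unsigned long is 64 bits (on a 32-bit target the promoted int and the destination have the same width, so the bug is latent until the driver is built for a 64-bit SoC), and for a length of 0x8000 or more the stale upper 32 bits land in whatever the hardware decodes from the high half of cmd_hi. Building with -fsanitize=shift catches both the oversized shift count and the signed left shift that overflows at run time.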

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-10-11 18:06 Tom Rini
  2025-10-12 14:22 ` Mikhail Kshevetskiy
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-10-11 18:06 UTC (permalink / raw)
  To: u-boot; +Cc: Mikhail Kshevetskiy, Dario Binacchi, Michael Trimarchi

[-- Attachment #1: Type: text/plain, Size: 1964 bytes --]

I think unfortunately the report email for when I merged in -next was
lost somewhere / wasn't sent. I may be able to get the details out the
dashboard.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Oct 10, 2025 at 7:08 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 1
   - *Defects Shown:* Showing 1 of 1 defect(s)

Defect Details

** CID 537478:       Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/spi/spi-mem.c: 528           in spi_mem_calc_op_duration()


_____________________________________________________________________________________________
*** CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/spi/spi-mem.c: 528             in spi_mem_calc_op_duration()
522     	ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) /
(op->addr.dtr ? 2 : 1);
523
524     	/* Dummy bytes are optional for some SPI flash memory operations */
525     	if (op->dummy.nbytes)
526     		ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) /
(op->dummy.dtr ? 2 : 1);
527
>>>     CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
528     	ncycles += ((op->data.nbytes * 8) / op->data.buswidth) /
(op->data.dtr ? 2 : 1);
529
530     	return ncycles;
531     }
532     EXPORT_SYMBOL_GPL(spi_mem_calc_op_duration);
533

View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-10-11 18:06 Tom Rini
@ 2025-10-12 14:22 ` Mikhail Kshevetskiy
  2025-10-12 19:07   ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Mikhail Kshevetskiy @ 2025-10-12 14:22 UTC (permalink / raw)
  To: Tom Rini, u-boot; +Cc: Dario Binacchi, Michael Trimarchi


On 11.10.2025 21:06, Tom Rini wrote:
> I think unfortunately the report email for when I merged in -next was
> lost somewhere / wasn't sent. I may be able to get the details out the
> dashboard.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Oct 10, 2025 at 7:08 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
>    - *New Defects Found:* 1
>    - *Defects Shown:* Showing 1 of 1 defect(s)
>
> Defect Details
>
> ** CID 537478:       Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /drivers/spi/spi-mem.c: 528           in spi_mem_calc_op_duration()
>
>
> _____________________________________________________________________________________________
> *** CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
> /drivers/spi/spi-mem.c: 528             in spi_mem_calc_op_duration()
> 522     	ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) /
> (op->addr.dtr ? 2 : 1);
> 523
> 524     	/* Dummy bytes are optional for some SPI flash memory operations */
> 525     	if (op->dummy.nbytes)
> 526     		ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) /
> (op->dummy.dtr ? 2 : 1);
> 527
>>>>     CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>>     Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
> 528     	ncycles += ((op->data.nbytes * 8) / op->data.buswidth) /
> (op->data.dtr ? 2 : 1);


op->data.nbytes comes from file drivers/mtd/nand/spi/core.c, function
spinand_select_op_variant().
According to the code, the max value of op->data.nbytes is

        nanddev_per_page_oobsize(nand) + nanddev_page_size(nand)

thus it's slightly more than 4 KB (I have never seen flashes with a page
size larger than 4 KB). According to this estimation the overflow will
never happen.

If it makes sense, I can try to do something with it.

Regards,
Mikhail Kshevetskiy

^ permalink raw reply	[flat|nested] 105+ messages in thread
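
Mikhail's bound above (page size plus OOB, so a few KiB) is what makes the 32-bit product harmless today. The example below, added here and not U-Boot's spi-mem.c, puts the flagged form and the widened form side by side, computes a page-read duration the way the function does, and encodes that bound as a check a reviewer can run. The struct is a reduced model of struct spi_mem_op and the phase sizes of the page read are assumed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Reduced model of one phase of struct spi_mem_op (assumed shape). */
struct spi_mem_phase {
	unsigned int nbytes;
	uint8_t buswidth;	/* I/O lines used: 1, 2, 4 or 8; 0 when the phase is unused */
	bool dtr;		/* double transfer rate: two bits per line per clock */
};

struct spi_mem_op {
	struct spi_mem_phase cmd, addr, dummy, data;
};

/*
 * Flagged form: nbytes * 8 is evaluated as 32-bit unsigned int and only then
 * widened to u64, so for nbytes >= 2^29 the product wraps silently.
 */
static uint64_t phase_cycles_narrow(unsigned int nbytes, uint8_t buswidth, bool dtr)
{
	if (!nbytes || !buswidth)
		return 0;
	return ((nbytes * 8) / buswidth) / (dtr ? 2 : 1);
}

/* Widened form: the multiplication happens in 64 bits. */
static uint64_t phase_cycles_wide(unsigned int nbytes, uint8_t buswidth, bool dtr)
{
	if (!nbytes || !buswidth)
		return 0;
	return (((uint64_t)nbytes * 8) / buswidth) / (dtr ? 2 : 1);
}

static uint64_t phase_cycles(const struct spi_mem_phase *p)
{
	return phase_cycles_wide(p->nbytes, p->buswidth, p->dtr);
}

static uint64_t calc_op_duration_cycles(const struct spi_mem_op *op)
{
	return phase_cycles(&op->cmd) + phase_cycles(&op->addr) +
	       phase_cycles(&op->dummy) + phase_cycles(&op->data);
}

/*
 * A SPI-NAND page read modelled as: 1 command byte, 2 column-address bytes,
 * 1 dummy byte, then page + OOB bytes on data_width lines (sizes assumed).
 */
static uint64_t spinand_page_read_cycles(unsigned int page_size, unsigned int oob_size,
					 uint8_t data_width)
{
	struct spi_mem_op op = {
		.cmd = { 1, 1, false },
		.addr = { 2, 1, false },
		.dummy = { 1, 1, false },
		.data = { page_size + oob_size, data_width, false },
	};

	return calc_op_duration_cycles(&op);
}

/*
 * The bound from the thread: nbytes never exceeds page size + OOB size, so the
 * 32-bit product is safe while that sum stays at or below UINT_MAX / 8.
 */
static bool narrow_product_safe(unsigned int page_size, unsigned int oob_size)
{
	if (page_size > UINT_MAX - oob_size)
		return false;	/* the sum itself would wrap */
	return page_size + oob_size <= UINT_MAX / 8;
}

int main(void)
{
	unsigned int big = 1u << 29;	/* 512 MiB: constructed to trigger the wrap */

	printf("narrow: %llu  wide: %llu\n",
	       (unsigned long long)phase_cycles_narrow(big, 1, false),
	       (unsigned long long)phase_cycles_wide(big, 1, false));
	printf("4 KiB page + 256 B OOB on x4: %llu cycles, narrow form safe: %d\n",
	       (unsigned long long)spinand_page_read_cycles(4096, 256, 4),
	       narrow_product_safe(4096, 256));
	return 0;
}
```

The widened form costs nothing on the hot path and removes the reliance on a caller-side invariant, which is the usual argument for fixing OVERFLOW_BEFORE_WIDEN findings even when, as here, no current caller can reach the wrap.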

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-10-12 14:22 ` Mikhail Kshevetskiy
@ 2025-10-12 19:07   ` Tom Rini
  2025-11-01  6:32     ` Mikhail Kshevetskiy
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-10-12 19:07 UTC (permalink / raw)
  To: Mikhail Kshevetskiy; +Cc: u-boot, Dario Binacchi, Michael Trimarchi

[-- Attachment #1: Type: text/plain, Size: 2531 bytes --]

On Sun, Oct 12, 2025 at 05:22:15PM +0300, Mikhail Kshevetskiy wrote:
> 
> op->data.nbytes comes from file drivers/mtd/nand/spi/core.c, function
> spinand_select_op_variant().
> According to the code, the max value of op->data.nbytes is
> 
>         nanddev_per_page_oobsize(nand) + nanddev_page_size(nand)
> 
> thus it's slightly more than 4 KB (I have never seen flashes with a page
> size larger than 4 KB). According to this estimation the overflow will
> never happen.
> 
> If it makes sense, I can try to do something with it.

Yes, please see what you can do about it and thanks for explaining that
it shouldn't be an actual problem.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-10-12 19:07   ` Tom Rini
@ 2025-11-01  6:32     ` Mikhail Kshevetskiy
  2025-11-03 15:17       ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Mikhail Kshevetskiy @ 2025-11-01  6:32 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Dario Binacchi, Michael Trimarchi

Hello Tom,

I just sent a fix for the issue in my "coverity and 64-bit division
fixes" series.
If needed, I can split the series and send the patches separately.

Regards,
Mikhail Kshevetskiy

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-11-01  6:32     ` Mikhail Kshevetskiy
@ 2025-11-03 15:17       ` Tom Rini
  2025-11-03 15:24         ` Michael Nazzareno Trimarchi
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-11-03 15:17 UTC (permalink / raw)
  To: Mikhail Kshevetskiy; +Cc: u-boot, Dario Binacchi, Michael Trimarchi

[-- Attachment #1: Type: text/plain, Size: 307 bytes --]

On Sat, Nov 01, 2025 at 09:32:35AM +0300, Mikhail Kshevetskiy wrote:
> Hello Tom,
> 
> I just sent a fix for the issue in my "coverity and 64-bit division
> fixes" series.
> If needed, I can split the series and send the patches separately.

Thanks, that series looks fine to me.

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2025-11-03 15:17       ` Tom Rini
@ 2025-11-03 15:24         ` Michael Nazzareno Trimarchi
  0 siblings, 0 replies; 105+ messages in thread
From: Michael Nazzareno Trimarchi @ 2025-11-03 15:24 UTC (permalink / raw)
  To: Tom Rini; +Cc: Mikhail Kshevetskiy, u-boot, Dario Binacchi

Hi Tom

On Mon, Nov 3, 2025 at 4:17 PM Tom Rini <trini@konsulko.com> wrote:
>
> On Sat, Nov 01, 2025 at 09:32:35AM +0300, Mikhail Kshevetskiy wrote:
> > Hello Tom,
> >
> > I just sent a fix for the issue in my "coverity and 64-bit division
> > fixes" series.
> > If needed, I can split the series and send the patches separately.
>
> Thanks, that series looks fine to me.
>

I will pick it up with the other series.

Michael

-- 
Michael Nazzareno Trimarchi
Co-Founder & Chief Executive Officer
M. +39 347 913 2170
michael@amarulasolutions.com
__________________________________

Amarula Solutions BV
Joop Geesinkweg 125, 1114 AB, Amsterdam, NL
T. +31 (0)85 111 9172
info@amarulasolutions.com
www.amarulasolutions.com

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-11-10 18:55 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-11-10 18:55 UTC (permalink / raw)
  To: u-boot, Kory Maincent

[-- Attachment #1: Type: text/plain, Size: 2627 bytes --]

Here's the latest report. Just 2 new issues, both from the extensions
series. Can we please address these shortly? Thanks!

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 10, 2025 at 12:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 2
   - 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 2 of 2 defect(s)

Defect Details

** CID 638558:       Memory - illegal accesses  (UNINIT)
/boot/pxe_utils.c: 485           in label_boot_extension()


_____________________________________________________________________________________________
*** CID 638558:         Memory - illegal accesses  (UNINIT)
/boot/pxe_utils.c: 485             in label_boot_extension()
479     			return;
480
481     		snprintf(overlay_dir, dir_len, "%s%s", label->fdtdir,
482     			 slash);
483     	} else {
484     		dir_len = 2;
>>>     CID 638558:         Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "overlay_dir" when calling "snprintf". [Note: The source code implementation of the function has been overridden by a builtin model.]
485     		snprintf(overlay_dir, dir_len, "/");
486     	}
487
488     	alist_for_each(extension, extension_list) {
489     		char *overlay_file;
490     		ulong size;

** CID 638557:       Null pointer dereferences  (NULL_RETURNS)


_____________________________________________________________________________________________
*** CID 638557:         Null pointer dereferences  (NULL_RETURNS)
/cmd/extension_board.c: 102             in do_extension_list()
96     {
97     	struct alist *extension_list;
98     	struct extension *extension;
99     	int i = 0;
100
101     	extension_list = extension_get_list();
>>>     CID 638557:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "extension_list" when calling "alist_get_ptr".
102     	if (!alist_get_ptr(extension_list, 0)) {
103     		printf("No extension registered - Please run \"extension scan\"\n");
104     		return CMD_RET_SUCCESS;
105     	}
106
107     	alist_for_each(extension, extension_list) {



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-11-23 19:03 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-11-23 19:03 UTC (permalink / raw)
  To: u-boot; +Cc: Marek Vasut, Heinrich Schuchardt

[-- Attachment #1: Type: text/plain, Size: 5351 bytes --]

Hey all,

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sun, Nov 23, 2025 at 12:28 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 3
   - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 639130:         (CHECKED_RETURN)
/test/cmd/bdinfo.c: 166           in bdinfo_test_all()
/test/cmd/bdinfo.c: 164           in bdinfo_test_all()
/test/cmd/bdinfo.c: 165           in bdinfo_test_all()


_____________________________________________________________________________________________
*** CID 639130:           (CHECKED_RETURN)
/test/cmd/bdinfo.c: 166             in bdinfo_test_all()
160
161     	ut_assertok(bdinfo_check_mem(uts));
162
163     	/* CONFIG_SYS_HAS_SRAM testing not supported */
164     	ut_check_console_linen(uts, "flashstart");
165     	ut_check_console_linen(uts, "flashsize");
>>>     CID 639130:           (CHECKED_RETURN)
>>>     Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
166     	ut_check_console_linen(uts, "flashoffset");
167     	ut_assert_nextline("baudrate    = %lu bps",
168     			   env_get_ulong("baudrate", 10, 1234));
169     	ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
170     	ut_assertok(test_num_l(uts, "reloc off", gd->reloc_off));
171     	ut_assert_nextline("%-12s= %u-bit", "Build", (uint)sizeof(void *) * 8);
/test/cmd/bdinfo.c: 164             in bdinfo_test_all()
158     {
159     	ut_assertok(test_num_l(uts, "boot_params", 0));
160
161     	ut_assertok(bdinfo_check_mem(uts));
162
163     	/* CONFIG_SYS_HAS_SRAM testing not supported */
>>>     CID 639130:           (CHECKED_RETURN)
>>>     Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
164     	ut_check_console_linen(uts, "flashstart");
165     	ut_check_console_linen(uts, "flashsize");
166     	ut_check_console_linen(uts, "flashoffset");
167     	ut_assert_nextline("baudrate    = %lu bps",
168     			   env_get_ulong("baudrate", 10, 1234));
169     	ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
/test/cmd/bdinfo.c: 165             in bdinfo_test_all()
159     	ut_assertok(test_num_l(uts, "boot_params", 0));
160
161     	ut_assertok(bdinfo_check_mem(uts));
162
163     	/* CONFIG_SYS_HAS_SRAM testing not supported */
164     	ut_check_console_linen(uts, "flashstart");
>>>     CID 639130:           (CHECKED_RETURN)
>>>     Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
165     	ut_check_console_linen(uts, "flashsize");
166     	ut_check_console_linen(uts, "flashoffset");
167     	ut_assert_nextline("baudrate    = %lu bps",
168     			   env_get_ulong("baudrate", 10, 1234));
169     	ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
170     	ut_assertok(test_num_l(uts, "reloc off", gd->reloc_off));

** CID 639129:       Memory - illegal accesses  (BUFFER_SIZE)
/drivers/clk/clk_scmi.c: 191           in scmi_clk_get_ctrl_flags()


_____________________________________________________________________________________________
*** CID 639129:         Memory - illegal accesses  (BUFFER_SIZE)
/drivers/clk/clk_scmi.c: 191             in scmi_clk_get_ctrl_flags()
185     		char name[SCMI_CLOCK_NAME_LENGTH_MAX];
186     		ret = scmi_clk_get_attibute(dev, clk->id & CLK_ID_MSK,
187     					    name, &attributes);
188     		if (ret)
189     			return ret;
190
>>>     CID 639129:         Memory - illegal accesses  (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "clkscmi->name" of size 16 bytes might leave the destination string unterminated.
191     		strncpy(clkscmi->name, name, SCMI_CLOCK_NAME_LENGTH_MAX);
192     		if (CLK_HAS_RESTRICTIONS(attributes)) {
193     			u32 perm;
194
195     			ret = scmi_clk_get_permissions(dev, clk->id & CLK_ID_MSK, &perm);
196     			if (ret < 0)

** CID 639128:       Resource leaks  (RESOURCE_LEAK)
/drivers/clk/clk_scmi.c: 373           in scmi_clk_probe()


_____________________________________________________________________________________________
*** CID 639128:         Resource leaks  (RESOURCE_LEAK)
/drivers/clk/clk_scmi.c: 373             in scmi_clk_probe()
367     			return ret;
368
369     		dev_clk_dm(dev, i, &clk_scmi->clk);
370     		dev_set_parent_priv(clk_scmi->clk.dev, priv);
371     	}
372
>>>     CID 639128:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "clk_scmi_bulk" going out of scope leaks the storage it points to.
373     	return 0;
374     }
375
376     static int __scmi_clk_set_parent(struct clk *clk, struct clk *parent)
377     {
378     	struct scmi_clk_parent_set_in in = {



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread
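
For CID 639129 above, what strncpy() leaves behind when the source fills the whole 16-byte destination, next to a bounded copy that always terminates. This is an added example, not clk_scmi.c; the 16-character name is constructed input standing in for a name filled in by the SCMI attribute query shown in the report, and the helper names are the example's own.

```c
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define SCMI_CLOCK_NAME_LENGTH_MAX	16

/*
 * Flagged form: when name has 16 or more characters strncpy() fills every
 * byte of dst and writes no terminator. The next strlen()/printf("%s") on
 * dst then reads past the array into whatever follows it in the struct.
 */
static void copy_name_strncpy(char *dst, const char *name)
{
	strncpy(dst, name, SCMI_CLOCK_NAME_LENGTH_MAX);
}

/* Hardened form: copy at most size - 1 bytes and always terminate (strlcpy-style). */
static size_t copy_name_bounded(char *dst, size_t size, const char *name)
{
	size_t len = strlen(name);

	if (size == 0)
		return len;
	if (len >= size)
		len = size - 1;	/* truncate, keep room for the terminator */
	memcpy(dst, name, len);
	dst[len] = '\0';
	return len;
}

/* True if a terminator exists inside the array bounds. */
static bool name_terminated(const char *buf, size_t size)
{
	return memchr(buf, '\0', size) != NULL;
}

/* Constructed 16-character name: exactly the destination size, no room for NUL. */
static const char long_name[] = "sixteen_chars_xx";

static bool strncpy_leaves_unterminated(void)
{
	char dst[SCMI_CLOCK_NAME_LENGTH_MAX];

	copy_name_strncpy(dst, long_name);
	return !name_terminated(dst, sizeof(dst));
}

static bool bounded_copy_terminates(void)
{
	char dst[SCMI_CLOCK_NAME_LENGTH_MAX];

	copy_name_bounded(dst, sizeof(dst), long_name);
	return name_terminated(dst, sizeof(dst)) && strcmp(dst, "sixteen_chars_x") == 0;
}

int main(void)
{
	printf("strncpy unterminated: %d\n", strncpy_leaves_unterminated());
	printf("bounded copy terminated: %d\n", bounded_copy_terminates());
	return 0;
}
```

The name arrives from the SCMI platform side of the channel, so its length is not under the driver's control; truncating to 15 characters plus NUL is the safe choice, and U-Boot's own strlcpy() gives the same behaviour without a local helper.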

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-12-08 19:38 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-12-08 19:38 UTC (permalink / raw)
  To: u-boot, Adriana Nicolae

[-- Attachment #1: Type: text/plain, Size: 4279 bytes --]

Here's the latest Coverity scan report. I think the test/dm/clk_ccf.c
report is just a "works as intended" but I'm not sure off-hand about the
fdtdec.c test. Might be the case the previous test in the file also has
this problem, and since it's just test code, might also be fine enough.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Dec 8, 2025 at 1:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 2
   - 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 2 of 2 defect(s)

Defect Details

** CID 639831:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 639831:           (TAINTED_SCALAR)
/test/dm/fdtdec.c: 153             in dm_test_fdt_chosen_smbios()
147
148     	blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149     	blob = memalign(8, blob_sz);
150     	ut_assertnonnull(blob);
151
152     	/* Make a writable copy of the fdt blob */
>>>     CID 639831:           (TAINTED_SCALAR)
>>>     Passing tainted expression "gd->fdt_blob->totalsize" to "fdt_open_into", which uses it as an offset.
153     	ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155     	/* Mock SMBIOS table */
156     	entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
smbios3_entry));
157     	memcpy(entry->anchor, "_SM3_", 5);
158     	entry->length = sizeof(struct smbios3_entry);
/test/dm/fdtdec.c: 153             in dm_test_fdt_chosen_smbios()
147
148     	blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149     	blob = memalign(8, blob_sz);
150     	ut_assertnonnull(blob);
151
152     	/* Make a writable copy of the fdt blob */
>>>     CID 639831:           (TAINTED_SCALAR)
>>>     Passing tainted expression "gd->fdt_blob->size_dt_strings" to "fdt_open_into", which uses it as an offset.
153     	ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155     	/* Mock SMBIOS table */
156     	entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
smbios3_entry));
157     	memcpy(entry->anchor, "_SM3_", 5);
158     	entry->length = sizeof(struct smbios3_entry);
/test/dm/fdtdec.c: 153             in dm_test_fdt_chosen_smbios()
147
148     	blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149     	blob = memalign(8, blob_sz);
150     	ut_assertnonnull(blob);
151
152     	/* Make a writable copy of the fdt blob */
>>>     CID 639831:           (TAINTED_SCALAR)
>>>     Passing tainted expression "gd->fdt_blob->size_dt_struct" to "fdt_open_into", which uses it as an offset.
153     	ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155     	/* Mock SMBIOS table */
156     	entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
smbios3_entry));
157     	memcpy(entry->anchor, "_SM3_", 5);
158     	entry->length = sizeof(struct smbios3_entry);

** CID 639830:       Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/clk_ccf.c: 68           in dm_test_clk_ccf()


_____________________________________________________________________________________________
*** CID 639830:         Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/clk_ccf.c: 68             in dm_test_clk_ccf()
62     	ut_asserteq(CLK_SET_RATE_NO_REPARENT, clk->flags);
63
64     	rate = clk_get_parent_rate(clk);
65     	ut_asserteq(rate, 60000000);
66
67     	rate = clk_set_rate(clk, 60000000);
>>>     CID 639830:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "_val1", where "rate" is known to be equal to -38, overflows the type of "_val1", which is type "unsigned int".
68     	ut_asserteq(rate, -ENOSYS);
69
70     	rate = clk_get_rate(clk);
71     	ut_asserteq(rate, 60000000);
72
73     	ret = clk_get_by_id(CLK_ID(dev, SANDBOX_CLK_PLL3_80M), &pclk);



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-05 23:58 Tom Rini
  2026-01-06  9:37 ` Mattijs Korpershoek
  2026-01-06 10:03 ` Heiko Schocher
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2026-01-05 23:58 UTC (permalink / raw)
  To: u-boot
  Cc: Dmitrii Merkurev, Mattijs Korpershoek, Neil Armstrong,
	Heiko Schocher, Ilias Apalodimas

[-- Attachment #1: Type: text/plain, Size: 15754 bytes --]

Hey all,

Here's the latest report, now that next has been merged to master. A few
of these are oddly showing up now, despite being in older code that
hasn't been touched and was being built before.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 5, 2026 at 3:24 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 15
   - 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 15 of 15 defect(s)

Defect Details

** CID 640423:       Control flow issues  (DEADCODE)
/drivers/fastboot/fb_common.c: 112           in fastboot_set_reboot_flag()


_____________________________________________________________________________________________
*** CID 640423:         Control flow issues  (DEADCODE)
/drivers/fastboot/fb_common.c: 112             in fastboot_set_reboot_flag()
106     	}
107     	const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
108     						   CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
109     						   "mmc");
110
111     	if (device == -1)
>>>     CID 640423:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -22;".
112     		return -EINVAL;
113
114     	if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
115     		return -EINVAL;
116
117     	ret = bcb_find_partition_and_load(bcb_iface, device, "misc");

** CID 640422:       Error handling issues  (CHECKED_RETURN)
/boot/fdt_region.c: 330           in fdt_include_supernodes()


_____________________________________________________________________________________________
*** CID 640422:         Error handling issues  (CHECKED_RETURN)
/boot/fdt_region.c: 330             in fdt_include_supernodes()
324     	 */
325     	for (i = 0; i <= depth; i++) {
326     		if (!info->stack[i].included) {
327     			start = info->stack[i].offset;
328
329     			/* Add the FDT_BEGIN_NODE tag of this supernode */
>>>     CID 640422:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "fdt_next_tag" without checking return value (as is done elsewhere 12 out of 15 times).
330     			fdt_next_tag(info->fdt, start, &stop_at);
331     			if (fdt_add_region(info, base + start, stop_at - start))
332     				return -1;
333
334     			/* Remember that this supernode is now included */
335     			info->stack[i].included = 1;

** CID 640421:       Possible Control flow issues  (DEADCODE)
/drivers/fastboot/fb_block.c: 138           in fastboot_block_get_part_info()


_____________________________________________________________________________________________
*** CID 640421:         Possible Control flow issues  (DEADCODE)
/drivers/fastboot/fb_block.c: 138             in fastboot_block_get_part_info()
132     					      CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
133
134     	if (!part_name || !strcmp(part_name, "")) {
135     		fastboot_fail("partition not given", response);
136     		return -ENOENT;
137     	}
>>>     CID 640421:         Possible Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
138     	if (!interface || !strcmp(interface, "")) {
139     		fastboot_fail("block interface isn't provided", response);
140     		return -EINVAL;
141     	}
142
143     	*dev_desc = blk_get_dev(interface, device);

** CID 640420:       Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49           in env_fat_get_dev_part()


_____________________________________________________________________________________________
*** CID 640420:         Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49             in env_fat_get_dev_part()
43     __weak char *env_fat_get_dev_part(void)
44     {
45     #ifdef CONFIG_MMC
46     	/* reserve one more char for the manipulation below */
47     	static char part_str[] = CONFIG_ENV_FAT_DEVICE_AND_PART "\0";
48
>>>     CID 640420:         Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
>>>     "strcmp("mmc", "mmc")" is always 0 because ""mmc"" is compared against itself.
49     	if (!strcmp(CONFIG_ENV_FAT_INTERFACE, "mmc") && part_str[0] == ':') {
50     		part_str[0] = '0' + mmc_get_env_dev();
51     		strcpy(&part_str[1], CONFIG_ENV_FAT_DEVICE_AND_PART);
52     	}
53
54     	return part_str;

** CID 640419:       Null pointer dereferences  (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144           in fastboot_block_get_part_info()


_____________________________________________________________________________________________
*** CID 640419:         Null pointer dereferences  (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144             in fastboot_block_get_part_info()
138     	if (!interface || !strcmp(interface, "")) {
139     		fastboot_fail("block interface isn't provided", response);
140     		return -EINVAL;
141     	}
142
143     	*dev_desc = blk_get_dev(interface, device);
>>>     CID 640419:         Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
144     	if (!dev_desc) {
145     		fastboot_fail("no such device", response);
146     		return -ENODEV;
147     	}
148
149     	ret = part_get_info_by_name(*dev_desc, part_name, part_info);

** CID 640418:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640418:         Insecure data handling  (TAINTED_SCALAR)
/drivers/core/ofnode.c: 2098             in ofnode_copy_props()
2092
2093     		val = ofprop_get_property(&prop, &name, &len);
2094     		if (!val) {
2095     			log_debug("Cannot read prop (err=%d)\n", len);
2096     			return log_msg_ret("get", -EINVAL);
2097     		}
>>>     CID 640418:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "len" to "ofnode_write_prop", which uses it as an offset.
2098     		ret = ofnode_write_prop(dst, name, val, len, true);
2099     		if (ret) {
2100     			log_debug("Cannot write prop (err=%d)\n", ret);
2101     			return log_msg_ret("wr", -EINVAL);
2102     		}
2103     	}

** CID 640417:       Insecure data handling  (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546           in fdt_get_alias_namelen()


_____________________________________________________________________________________________
*** CID 640417:         Insecure data handling  (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546             in fdt_get_alias_namelen()
540     {
541     	int len;
542     	const char *alias;
543
544     	alias = fdt_path_getprop_namelen(fdt, "/aliases", name, namelen, &len);
545
>>>     CID 640417:         Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "len - 1" as an index to pointer "alias".
546     	if (!can_assume(VALID_DTB) &&
547     	    !(alias && len > 0 && alias[len - 1] == '\0' && *alias == '/'))
548     		return NULL;
549
550     	return alias;
551     }

** CID 640416:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640416:         Insecure data handling  (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_overlay.c: 739             in
overlay_prevent_phandle_overwrite()
733     			 * will be overwritten.
734     			 */
735     			continue;
736     		else if (target < 0)
737     			return target;
738
>>>     CID 640416:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "target" to "overlay_prevent_phandle_overwrite_node", which uses it as a loop boundary.
739     		ret = overlay_prevent_phandle_overwrite_node(fdt, target,
740     							     fdto, overlay);
741     		if (ret)
742     			return ret;
743     	}
744

** CID 640415:       Control flow issues  (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728           in
_wrap_fdt_get_property_by_offset_w()


_____________________________________________________________________________________________
*** CID 640415:         Control flow issues  (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728             in
_wrap_fdt_get_property_by_offset_w()
6722           resultobj = SWIG_Python_AppendOutput(resultobj, buff);
6723         }
6724       }
6725       if (SWIG_IsTmpObj(res3)) {
6726         resultobj = SWIG_Python_AppendOutput(resultobj,
SWIG_From_int((*arg3)));
6727       } else {
>>>     CID 640415:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res3 >= 0 && ...".
6728         int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN |
 0 ) :  0 ;
6729         resultobj = SWIG_Python_AppendOutput(resultobj,
SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags));
6730       }
6731       return resultobj;
6732     fail:
6733       return NULL;

** CID 640414:       Resource leaks  (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320           in icc_path_init()


_____________________________________________________________________________________________
*** CID 640414:         Resource leaks  (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320             in icc_path_init()
314     		path->reqs[i].node = node;
315     		path->reqs[i].enabled = true;
316
317     		/* Probe this node since used in an active path */
318     		ret = uclass_get_device_tail(node->dev, 0, &node_dev);
319     		if (ret)
>>>     CID 640414:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "path" going out of scope leaks the storage it points to.
320     			return ERR_PTR(ret);
321
322     		node->users++;
323
324     		/* reference to previous node was saved during path traversal */
325     		node = node->reverse;

** CID 536550:       Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57           in read_fstree()


_____________________________________________________________________________________________
*** CID 536550:         Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57             in read_fstree()
51     				fclose(pfile);
52     			}
53     		} else if (S_ISDIR(st.st_mode)) {
54     			struct node *newchild;
55
56     			newchild = read_fstree(tmpname);
>>>     CID 536550:         Resource leaks  (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "xstrdup(de->d_name)" leaks it.
57     			newchild = name_node(newchild, xstrdup(de->d_name));
58     			add_child(tree, newchild);
59     		}
60
61     		free(tmpname);
62     	}

** CID 536369:       Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681           in flat_read_property()


_____________________________________________________________________________________________
*** CID 536369:         Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681             in flat_read_property()
675
676     	if ((flags & FTF_VARALIGN) && (proplen >= 8))
677     		flat_realign(dtbuf, 8);
678
679     	val = flat_read_data(dtbuf, proplen);
680
>>>     CID 536369:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "name" going out of scope leaks the storage it points to.
681     	return build_property(name, val, NULL);
682     }
683
684     static struct reserve_info *flat_read_mem_reserve(struct inbuf *inb)
685     {
686     	struct reserve_info *reservelist = NULL;

** CID 449815:       Memory - illegal accesses  (OVERRUN)
/lib/sm3.c: 252           in sm3_final()


_____________________________________________________________________________________________
*** CID 449815:         Memory - illegal accesses  (OVERRUN)
/lib/sm3.c: 252             in sm3_final()
246     	unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
247     	u32 W[16];
248     	int i;
249
250     	sctx->buffer[partial++] = 0x80;
251     	if (partial > bit_offset) {
>>>     CID 449815:         Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer "sctx->buffer + partial". [Note: The source code implementation of the function has been overridden by a builtin model.]
252     		memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial);
253     		partial = 0;
254
255     		sm3_block(sctx, sctx->buffer, 1, W);
256     	}
257

** CID 432237:       Null pointer dereferences  (NULL_RETURNS)


_____________________________________________________________________________________________
*** CID 432237:         Null pointer dereferences  (NULL_RETURNS)
/scripts/dtc/checks.c: 1618             in check_interrupt_map()
1612     	if (node->addr_cells < 0) {
1613     		FAIL(c, dti, node,
1614     		     "Missing '#address-cells' in interrupt-map provider");
1615     		return;
1616     	}
1617     	cellsize = node_addr_cells(node);
>>>     CID 432237:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "get_property(node, "#interrupt-cells")" when calling "propval_cell".
1618     	cellsize += propval_cell(get_property(node, "#interrupt-cells"));
1619
1620     	prop = get_property(node, "interrupt-map-mask");
1621     	if (prop && (prop->val.len != (cellsize * sizeof(cell_t))))
1622     		FAIL_PROP(c, dti, node, prop,
1623     			  "property size (%d) is invalid, expected %zu",

** CID 328724:         (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55           in apply_one()
/scripts/dtc/fdtoverlay.c: 69           in apply_one()


_____________________________________________________________________________________________
*** CID 328724:           (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55             in apply_one()
49     	bool has_symbols;
50
51     	/*
52     	 * We take copies first, because a failed apply can trash
53     	 * both the base blob and the overlay
54     	 */
>>>     CID 328724:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "xmalloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
55     	tmpo = xmalloc(fdt_totalsize(overlay));
56
57     	do {
58     		tmp = xrealloc(tmp, *buf_len);
59     		ret = fdt_open_into(base, tmp, *buf_len);
60     		if (ret) {
/scripts/dtc/fdtoverlay.c: 69             in apply_one()
63     				fdt_strerror(ret));
64     			goto fail;
65     		}
66     		ret = fdt_path_offset(tmp, "/__symbols__");
67     		has_symbols = ret >= 0;
68
>>>     CID 328724:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
69     		memcpy(tmpo, overlay, fdt_totalsize(overlay));
70
71     		ret = fdt_overlay_apply(tmp, tmpo);
72     		if (ret == -FDT_ERR_NOSPACE) {
73     			*buf_len += BUF_INCREMENT;
74     		}



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

^ permalink raw reply	[flat|nested] 105+ messages in thread
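The TAINTED_SCALAR findings in the two reports above (fdt_open_into() fed gd->fdt_blob->totalsize and the size_dt_* words in the fdtdec.c test; xmalloc() and memcpy() driven by fdt_totalsize(overlay) in fdtoverlay.c) share one root: sizes and offsets read out of the DTB header are used as bounds before anyone has checked them against the buffer that actually holds the blob. libfdt's fdt_check_header() does that check; the block below spells it out so the field-to-bound mapping is visible. It is an added example, not U-Boot's or libfdt's code: the header layout is the standard v17 one, while fdt_check_bounds, fdt_copy_checked, build_min_dtb, check_tampered, the error codes and the constructed minimal blob are this example's own assumptions.

```c
/*
 * Added example, not code from U-Boot or libfdt: bounds-check a flattened
 * device tree header against the buffer that really holds it before any of
 * its fields is used as a copy length, allocation size or offset. Each field
 * checked here is read from the blob itself, which is why Coverity calls it
 * tainted.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FDT_MAGIC   0xd00dfeedU
#define FDT_HDR_LEN 40U  /* v17 header: ten big-endian 32-bit words */

/* Header word indices, in on-disk order. */
enum { H_MAGIC, H_TOTALSIZE, H_OFF_STRUCT, H_OFF_STRINGS, H_OFF_RSVMAP,
       H_VERSION, H_LAST_COMP, H_BOOT_CPU, H_SIZE_STRINGS, H_SIZE_STRUCT, H_WORDS };
enum fdt_check { FDT_OK = 0, FDT_E_SHORT, FDT_E_MAGIC, FDT_E_TOTALSIZE,
		 FDT_E_RSVMAP, FDT_E_STRUCT, FDT_E_STRINGS };

uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
	p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Reject a header whose blocks do not fit in the buf_len bytes we hold.
 * "offset + size" is computed in 64 bits so it cannot wrap back below total.
 */
int fdt_check_bounds(const uint8_t *buf, size_t buf_len)
{
	uint32_t w[H_WORDS];
	uint64_t total;

	if (buf_len < FDT_HDR_LEN)
		return FDT_E_SHORT;
	for (int i = 0; i < H_WORDS; i++)
		w[i] = get_be32(buf + 4 * i);
	if (w[H_MAGIC] != FDT_MAGIC)
		return FDT_E_MAGIC;
	total = w[H_TOTALSIZE];
	if (total < FDT_HDR_LEN || total > buf_len)
		return FDT_E_TOTALSIZE;
	/* Reservation map: 8-byte aligned, with room for its 16-byte terminator. */
	if (w[H_OFF_RSVMAP] < FDT_HDR_LEN || w[H_OFF_RSVMAP] % 8 ||
	    (uint64_t)w[H_OFF_RSVMAP] + 16 > total)
		return FDT_E_RSVMAP;
	if (w[H_OFF_STRUCT] < FDT_HDR_LEN || w[H_OFF_STRUCT] % 4 ||
	    (uint64_t)w[H_OFF_STRUCT] + w[H_SIZE_STRUCT] > total)
		return FDT_E_STRUCT;
	if (w[H_OFF_STRINGS] < FDT_HDR_LEN ||
	    (uint64_t)w[H_OFF_STRINGS] + w[H_SIZE_STRINGS] > total)
		return FDT_E_STRINGS;
	return FDT_OK;
}

/* Copy a blob by its own totalsize, but only after that size was validated. */
int fdt_copy_checked(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_len)
{
	int err = fdt_check_bounds(src, src_len);

	if (err)
		return err;
	if (get_be32(src + 4 * H_TOTALSIZE) > dst_len)
		return FDT_E_TOTALSIZE;
	memcpy(dst, src, get_be32(src + 4 * H_TOTALSIZE));
	return FDT_OK;
}

/*
 * Constructed sample: the smallest well-formed blob (one empty root node).
 * Layout: header [0,40), rsvmap [40,56), struct [56,72), strings [72,72).
 */
size_t build_min_dtb(uint8_t out[72])
{
	static const uint32_t hdr[H_WORDS] = { FDT_MAGIC, 72, 56, 72, 40, 17, 16, 0, 0, 16 };
	static const uint32_t tree[4] = { 1, 0, 2, 9 }; /* BEGIN_NODE, "", END_NODE, END */

	memset(out, 0, 72);
	for (int i = 0; i < H_WORDS; i++)
		put_be32(out + 4 * i, hdr[i]);
	for (int i = 0; i < 4; i++)
		put_be32(out + 56 + 4 * i, tree[i]);
	return 72;
}

/*
 * Build the sample, overwrite one header word with a hostile value and try
 * to copy it, as fdt_open_into() would if it trusted the header blindly.
 */
int check_tampered(int word, uint32_t value)
{
	uint8_t blob[72], copy[72];
	size_t n = build_min_dtb(blob);

	put_be32(blob + 4 * word, value);
	return fdt_copy_checked(blob, n, copy, sizeof(copy));
}
```

check_tampered(H_VERSION, 17) leaves the sample intact and copies cleanly; check_tampered(H_TOTALSIZE, 0xffffffff) is the "allocate or copy whatever the blob asks for" case, and check_tampered(H_OFF_STRUCT, 0xfffffff0) shows why the sums are 64-bit: in 32-bit arithmetic 0xfffffff0 plus the 16-byte struct block wraps to 0 and would pass a naive `off + size <= total` test.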

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-01-05 23:58 Tom Rini
@ 2026-01-06  9:37 ` Mattijs Korpershoek
  2026-01-06 17:15   ` Tom Rini
  2026-01-06 10:03 ` Heiko Schocher
  1 sibling, 1 reply; 105+ messages in thread
From: Mattijs Korpershoek @ 2026-01-06  9:37 UTC (permalink / raw)
  To: Tom Rini, u-boot
  Cc: Dmitrii Merkurev, Mattijs Korpershoek, Neil Armstrong,
	Heiko Schocher, Ilias Apalodimas

Hi Tom,

On Mon, Jan 05, 2026 at 17:58, Tom Rini <trini@konsulko.com> wrote:

> Hey all,
>
> Here's the latest report, now that next has been merged to master. A few
> of these are oddly showing up now, despite being in older code that
> hasn't been touched and was being built before.

For fastboot, some code has been moved from mmc-only support to
fb_block.c, which might explain the new errors.

See: https://lore.kernel.org/all/20251121-topic-fastboot-blk-v7-0-9589d902fc91@linaro.org/

>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Jan 5, 2026 at 3:24 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
>    - *New Defects Found:* 15
>    - 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
>    the recent build analyzed by Coverity Scan.
>    - *Defects Shown:* Showing 15 of 15 defect(s)
>
> Defect Details
>
> ** CID 640423:       Control flow issues  (DEADCODE)
> /drivers/fastboot/fb_common.c: 112           in fastboot_set_reboot_flag()
>
>
> _____________________________________________________________________________________________
> *** CID 640423:         Control flow issues  (DEADCODE)
> /drivers/fastboot/fb_common.c: 112             in fastboot_set_reboot_flag()
> 106     	}
> 107     	const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
> 108     						   CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
> 109     						   "mmc");
> 110
> 111     	if (device == -1)
>>>>     CID 640423:         Control flow issues  (DEADCODE)
>>>>     Execution cannot reach this statement: "return -22;".

I believe Coverity is wrong here.
We call config_opt_enabled(), which by default returns -1, so it's
possible to have device == -1.

This can happen when both CONFIG_FASTBOOT_FLASH_BLOCK and
CONFIG_FASTBOOT_FLASH_MMC are unset.
(for example when we use CONFIG_FASTBOOT_FLASH_SPI)

> 112     		return -EINVAL;
> 113
> 114     	if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
> 115     		return -EINVAL;
> 116
> 117     	ret = bcb_find_partition_and_load(bcb_iface, device, "misc");
>

[...]

>
> ** CID 640421:       Possible Control flow issues  (DEADCODE)
> /drivers/fastboot/fb_block.c: 138           in fastboot_block_get_part_info()
>
>
> _____________________________________________________________________________________________
> *** CID 640421:         Possible Control flow issues  (DEADCODE)
> /drivers/fastboot/fb_block.c: 138             in fastboot_block_get_part_info()
> 132     					      CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
> 133
> 134     	if (!part_name || !strcmp(part_name, "")) {
> 135     		fastboot_fail("partition not given", response);
> 136     		return -ENOENT;
> 137     	}
>>>>     CID 640421:         Possible Control flow issues  (DEADCODE)
>>>>     Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
> 138     	if (!interface || !strcmp(interface, "")) {
> 139     		fastboot_fail("block interface isn't provided", response);
> 140     		return -EINVAL;

I believe Coverity is wrong here as well.
We call config_opt_enabled(), which by default returns NULL for interface.

And when we enable CONFIG_FASTBOOT_FLASH_BLOCK,
CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME will be set to "" by default:

$ rg 'FASTBOOT_FLASH_BLOCK_INTERFACE_NAME' .config
1097:CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME=""


> 141     	}
> 142
> 143     	*dev_desc = blk_get_dev(interface, device);
>

[...]

>
> ** CID 640419:       Null pointer dereferences  (REVERSE_INULL)
> /drivers/fastboot/fb_block.c: 144           in fastboot_block_get_part_info()
>
>
> _____________________________________________________________________________________________
> *** CID 640419:         Null pointer dereferences  (REVERSE_INULL)
> /drivers/fastboot/fb_block.c: 144             in fastboot_block_get_part_info()
> 138     	if (!interface || !strcmp(interface, "")) {
> 139     		fastboot_fail("block interface isn't provided", response);
> 140     		return -EINVAL;
> 141     	}
> 142
> 143     	*dev_desc = blk_get_dev(interface, device);
>>>>     CID 640419:         Null pointer dereferences  (REVERSE_INULL)
>>>>     Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 144     	if (!dev_desc) {
> 145     		fastboot_fail("no such device", response);
> 146     		return -ENODEV;
> 147     	}

Fair enough for this one. We can check that dev_desc is not NULL to make
sure that the caller cannot call fastboot_block_get_part_info() with
NULL as the second argument.

I'll submit a patch for this once I've cleared out my review queue.

> 148
> 149     	ret = part_get_info_by_name(*dev_desc, part_name, part_info);
>
>

[...]

For the first two, do you want me to update the Coverity database online
with these explanations?
It has been a while, but I think I can do that myself.

^ permalink raw reply	[flat|nested] 105+ messages in thread
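To make the REVERSE_INULL point concrete: the check Coverity flags tests the caller's pointer, dev_desc, only after `*dev_desc = blk_get_dev(...)` has already written through it, so it can neither reject a NULL out-parameter nor notice that the lookup returned NULL. The block below is an added example, not fb_block.c: blk_get_dev() is replaced by a constructed three-entry table (lookup_dev), and get_dev_as_reported, get_dev_checked and the small driver functions are this example's own names. The first function keeps the reported shape; the second validates the out-parameter before use and the lookup result after it.

```c
/*
 * Added example, not U-Boot's fb_block.c: the two NULL conditions a lookup
 * through an out-parameter has to tell apart. CID 640419 is about a check
 * of the caller's pointer placed after "*dev_desc = ..." has already written
 * through it, which catches neither a NULL out-parameter nor a failed lookup.
 */
#include <errno.h>
#include <stddef.h>
#include <string.h>

struct blk_desc { const char *ifname; int devnum; };

/* Stand-in for blk_get_dev(): a constructed table of three block devices. */
static struct blk_desc *lookup_dev(const char *interface, int device)
{
	static struct blk_desc table[] = { { "mmc", 0 }, { "mmc", 1 }, { "usb", 0 } };

	for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
		if (!strcmp(table[i].ifname, interface) && table[i].devnum == device)
			return &table[i];
	return NULL;
}

/* Shape of the reported code: the wrong pointer level is tested, and too late. */
int get_dev_as_reported(const char *interface, int device, struct blk_desc **dev_desc)
{
	if (!interface || !strcmp(interface, ""))
		return -EINVAL;
	*dev_desc = lookup_dev(interface, device);  /* dereferences dev_desc */
	if (!dev_desc)                               /* never true at this point */
		return -ENODEV;
	return 0;
}

/* Hardened form: validate the out-parameter before use, then the result. */
int get_dev_checked(const char *interface, int device, struct blk_desc **dev_desc)
{
	if (!dev_desc)
		return -EINVAL;
	*dev_desc = NULL;
	if (!interface || !strcmp(interface, ""))
		return -EINVAL;
	*dev_desc = lookup_dev(interface, device);
	if (!*dev_desc)
		return -ENODEV;
	return 0;
}

/* Ask either variant for a device that is not in the table; report the return code. */
int missing_device_rc(int hardened)
{
	struct blk_desc *desc = NULL;

	return hardened ? get_dev_checked("mmc", 7, &desc)
			: get_dev_as_reported("mmc", 7, &desc);
}

/* 1 if the variant reports success while handing the caller a NULL descriptor. */
int missing_device_silent_failure(int hardened)
{
	struct blk_desc *desc = NULL;
	int rc = hardened ? get_dev_checked("mmc", 7, &desc)
			  : get_dev_as_reported("mmc", 7, &desc);

	return rc == 0 && desc == NULL;
}

/* Only the hardened form may be called with a NULL out-parameter. */
int null_out_param_rc(void)
{
	return get_dev_checked("mmc", 1, NULL);
}

/* Normal path: an existing device is found and returned through the out-parameter. */
int existing_device_rc(void)
{
	struct blk_desc *desc = NULL;
	int rc = get_dev_checked("mmc", 1, &desc);

	return rc == 0 && desc && desc->devnum == 1 ? 0 : -1;
}
```

The reported shape returns 0 for a device that does not exist and leaves *dev_desc NULL, so the next line in the caller (`part_get_info_by_name(*dev_desc, ...)`) is where the fault would surface; the hardened form returns -ENODEV there and -EINVAL for a NULL out-parameter.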

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-01-05 23:58 Tom Rini
  2026-01-06  9:37 ` Mattijs Korpershoek
@ 2026-01-06 10:03 ` Heiko Schocher
  1 sibling, 0 replies; 105+ messages in thread
From: Heiko Schocher @ 2026-01-06 10:03 UTC (permalink / raw)
  To: Tom Rini, u-boot
  Cc: Dmitrii Merkurev, Mattijs Korpershoek, Neil Armstrong,
	Ilias Apalodimas

Hello Tom,

On 06.01.26 00:58, Tom Rini wrote:
> ** CID 449815:       Memory - illegal accesses  (OVERRUN)
> /lib/sm3.c: 252           in sm3_final()
> 
> 
> _____________________________________________________________________________________________
> *** CID 449815:         Memory - illegal accesses  (OVERRUN)
> /lib/sm3.c: 252             in sm3_final()
> 246     	unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
> 247     	u32 W[16];
> 248     	int i;
> 249
> 250     	sctx->buffer[partial++] = 0x80;
> 251     	if (partial > bit_offset) {
>>>>      CID 449815:         Memory - illegal accesses  (OVERRUN)
>>>>      Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer "sctx->buffer + partial". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 252     		memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial);
> 253     		partial = 0;
> 254
> 255     		sm3_block(sctx, sctx->buffer, 1, W);
> 256     	}
> 257
> 
> ** CID 432237:       Null pointer dereferences  (NULL_RETURNS)

Good catch, as this part is completely from Linux [1]
(nowadays this code is gone at HEAD).

Prepared a patch; an Azure run has been started for it:

https://dev.azure.com/hs0298/hs/_build/results?buildId=197&view=results

If no problems are found, I'll send it.

bye,
Heiko

[1] https://elixir.bootlin.com/linux/v6.14/source/include/crypto/sm3_base.h#L86
-- 
Nabla Software Engineering
HRB 40522 Augsburg
Phone: +49 821 45592596
E-Mail: office@nabladev.com
Geschäftsführer : Stefano Babic

^ permalink raw reply	[flat|nested] 105+ messages in thread
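What CID 449815 is reacting to: when the message length leaves 63 buffered bytes, `sctx->buffer[partial++] = 0x80` makes partial equal to 64, so the memset is asked to zero 0 bytes starting at `sctx->buffer + 64`, one past the end of the 64-byte array. The block below is an added example, not the U-Boot or Linux sm3 code: a generic finalization padder for a 64-byte-block Merkle-Damgard hash (SM3 and SHA-256 pad identically) that keeps the structure of sm3_final() but guards the memset, plus a checker that verifies the padding invariant for every residue, including 63. pad_ctx, emit_block, pad_finalize, pad_message and padding_ok are this example's own names, and the compression function is replaced by a recorder that appends each block to an output buffer.

```c
/*
 * Added example, not the U-Boot or Linux sm3 code: finalization padding for
 * a 64-byte-block Merkle-Damgard hash (SM3, SHA-256). It keeps the shape of
 * sm3_final() but guards the memset, so the residue-63 case, where partial
 * becomes 64 after the 0x80 byte, never forms the pointer buffer + 64.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLOCK_SIZE 64U
#define BIT_OFFSET (BLOCK_SIZE - 8U)  /* the 64-bit length lives at [56,64) */

struct pad_ctx {
	uint8_t  buffer[BLOCK_SIZE];  /* unprocessed tail of the message */
	uint64_t count;               /* bytes hashed so far */
	unsigned nblocks;             /* blocks emitted by finalization */
};

/* Stand-in for sm3_block(): append the block to 'out' instead of compressing it. */
static void emit_block(struct pad_ctx *ctx, uint8_t *out)
{
	memcpy(out + (size_t)ctx->nblocks * BLOCK_SIZE, ctx->buffer, BLOCK_SIZE);
	ctx->nblocks++;
}

/*
 * Append 0x80, zero-fill up to the length field, store the bit count
 * big-endian. Writes one or two blocks to 'out' and returns how many.
 */
unsigned pad_finalize(struct pad_ctx *ctx, uint8_t out[2 * BLOCK_SIZE])
{
	unsigned partial = (unsigned)(ctx->count % BLOCK_SIZE);
	uint64_t bits = ctx->count << 3;

	ctx->nblocks = 0;
	ctx->buffer[partial++] = 0x80;
	if (partial > BIT_OFFSET) {
		/*
		 * No room left for the length: flush this block first. When
		 * partial == BLOCK_SIZE there is nothing to zero, and skipping
		 * the call is what avoids memset(buffer + 64, 0, 0).
		 */
		if (partial < BLOCK_SIZE)
			memset(ctx->buffer + partial, 0, BLOCK_SIZE - partial);
		emit_block(ctx, out);
		partial = 0;
	}
	memset(ctx->buffer + partial, 0, BIT_OFFSET - partial);
	for (unsigned i = 0; i < 8; i++)
		ctx->buffer[BIT_OFFSET + i] = (uint8_t)(bits >> (56 - 8 * i));
	emit_block(ctx, out);
	return ctx->nblocks;
}

/* Constructed input: 'len' bytes of 0x41; only the tail past the last full block is buffered. */
unsigned pad_message(size_t len, uint8_t out[2 * BLOCK_SIZE])
{
	struct pad_ctx ctx;

	memset(&ctx, 0, sizeof(ctx));
	ctx.count = len;
	memset(ctx.buffer, 0x41, len % BLOCK_SIZE);
	return pad_finalize(&ctx, out);
}

/*
 * Check the padding invariant for 'len': message tail, then 0x80, then zeros,
 * then the bit length big-endian in the last 8 bytes, in one block when the
 * residue is below 56 and two otherwise. Returns 1 if it holds.
 */
int padding_ok(size_t len)
{
	uint8_t out[2 * BLOCK_SIZE];
	unsigned n = pad_message(len, out), end = n * BLOCK_SIZE, i;
	size_t r = len % BLOCK_SIZE;
	uint64_t bits = 0;

	for (i = 0; i < r; i++)
		if (out[i] != 0x41)
			return 0;
	if (out[r] != 0x80)
		return 0;
	for (i = (unsigned)r + 1; i < end - 8; i++)
		if (out[i] != 0)
			return 0;
	for (i = end - 8; i < end; i++)
		bits = (bits << 8) | out[i];
	return bits == (uint64_t)len * 8 && n == (r < BIT_OFFSET ? 1U : 2U);
}

/* Run padding_ok() across two block periods, which covers residues 0..63 twice. */
int padding_ok_all(void)
{
	for (size_t len = 0; len < 2 * BLOCK_SIZE + 8; len++)
		if (!padding_ok(len))
			return 0;
	return 1;
}
```

The guard changes nothing about the bytes produced: for residue 63 the first block is the 63 message bytes followed by 0x80, and the second block is 56 zero bytes followed by the length, exactly as before. What changes is that the code no longer computes a pointer to offset 64 of a 64-byte array, which is both what Coverity models as an overrun and what an out-of-bounds sanitizer would trap on.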

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-01-06  9:37 ` Mattijs Korpershoek
@ 2026-01-06 17:15   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-01-06 17:15 UTC (permalink / raw)
  To: Mattijs Korpershoek
  Cc: u-boot, Dmitrii Merkurev, Neil Armstrong, Heiko Schocher,
	Ilias Apalodimas

On Tue, Jan 06, 2026 at 10:37:48AM +0100, Mattijs Korpershoek wrote:
> Hi Tom,
> 
> On Mon, Jan 05, 2026 at 17:58, Tom Rini <trini@konsulko.com> wrote:
> 
> > Hey all,
> >
> > Here's the latest report, now that next has been merged to master. A few
> > of these are oddly showing up now, despite being in older code that
> > hasn't been touched and was being built before.
> 
> For fastboot, some code has been moved from mmc-only support to
> fb_block.c, which might explain the new errors.
> 
> See: https://lore.kernel.org/all/20251121-topic-fastboot-blk-v7-0-9589d902fc91@linaro.org/
> 
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Mon, Jan 5, 2026 at 3:24 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > found with Coverity Scan.
> >
> >    - *New Defects Found:* 15
> >    - 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
> >    the recent build analyzed by Coverity Scan.
> >    - *Defects Shown:* Showing 15 of 15 defect(s)
> >
> > Defect Details
> >
> > ** CID 640423:       Control flow issues  (DEADCODE)
> > /drivers/fastboot/fb_common.c: 112           in fastboot_set_reboot_flag()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 640423:         Control flow issues  (DEADCODE)
> > /drivers/fastboot/fb_common.c: 112             in fastboot_set_reboot_flag()
> > 106     	}
> > 107     	const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
> > 108     						   CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
> > 109     						   "mmc");
> > 110
> > 111     	if (device == -1)
> >>>>     CID 640423:         Control flow issues  (DEADCODE)
> >>>>     Execution cannot reach this statement: "return -22;".
> 
> I believe Coverity is wrong here.
> We call config_opt_enabled(), which by default returns -1, so it's
> possible to have device == -1.
> 
> This can happen when both CONFIG_FASTBOOT_FLASH_BLOCK and
> CONFIG_FASTBOOT_FLASH_MMC are unset.
> (for example when we use CONFIG_FASTBOOT_FLASH_SPI)
> 
> > 112     		return -EINVAL;
> > 113
> > 114     	if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
> > 115     		return -EINVAL;
> > 116
> > 117     	ret = bcb_find_partition_and_load(bcb_iface, device, "misc");
> >
> 
> [...]
> 
> >
> > ** CID 640421:       Possible Control flow issues  (DEADCODE)
> > /drivers/fastboot/fb_block.c: 138           in fastboot_block_get_part_info()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 640421:         Possible Control flow issues  (DEADCODE)
> > /drivers/fastboot/fb_block.c: 138             in fastboot_block_get_part_info()
> > 132     					      CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
> > 133
> > 134     	if (!part_name || !strcmp(part_name, "")) {
> > 135     		fastboot_fail("partition not given", response);
> > 136     		return -ENOENT;
> > 137     	}
> >>>>     CID 640421:         Possible Control flow issues  (DEADCODE)
> >>>>     Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
> > 138     	if (!interface || !strcmp(interface, "")) {
> > 139     		fastboot_fail("block interface isn't provided", response);
> > 140     		return -EINVAL;
> 
> I believe Coverity is wrong here as well.
> We call config_opt_enabled(), which by default returns NULL for interface.
> 
> And when we enable CONFIG_FASTBOOT_FLASH_BLOCK,
> CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME will be set to "" by default:
> 
> $ rg 'FASTBOOT_FLASH_BLOCK_INTERFACE_NAME' .config
> 1097:CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME=""
> 
> 
> > 141     	}
> > 142
> > 143     	*dev_desc = blk_get_dev(interface, device);
> >
> 
> [...]
> 
> >
> > ** CID 640419:       Null pointer dereferences  (REVERSE_INULL)
> > /drivers/fastboot/fb_block.c: 144           in fastboot_block_get_part_info()
> >
> >
> > _____________________________________________________________________________________________
> > *** CID 640419:         Null pointer dereferences  (REVERSE_INULL)
> > /drivers/fastboot/fb_block.c: 144             in fastboot_block_get_part_info()
> > 138     	if (!interface || !strcmp(interface, "")) {
> > 139     		fastboot_fail("block interface isn't provided", response);
> > 140     		return -EINVAL;
> > 141     	}
> > 142
> > 143     	*dev_desc = blk_get_dev(interface, device);
> >>>>     CID 640419:         Null pointer dereferences  (REVERSE_INULL)
> >>>>     Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> > 144     	if (!dev_desc) {
> > 145     		fastboot_fail("no such device", response);
> > 146     		return -ENODEV;
> > 147     	}
> 
> Fair enough for this one. We can check that dev_desc is not NULL to make
> sure that the caller cannot call fastboot_block_get_part_info() with
> NULL as the second argument.
> 
> I'll submit a patch for this once I've cleared out my review queue.
> 
> > 148
> > 149     	ret = part_get_info_by_name(*dev_desc, part_name, part_info);
> >
> >
> 
> [...]
> 
> For the first two, do you want me to update the Coverity database online
> with these explanations?
> It has been a while, but I think I can do that myself.

Thanks for looking into all of these. I've gone ahead and updated
Coverity, but in the future, if you'd like to go in and do that while
composing the emails, please feel free.

-- 
Tom

^ permalink raw reply	[flat|nested] 105+ messages in thread

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-06 20:36 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-01-06 20:36 UTC (permalink / raw)
  To: u-boot


Hey all,

This is really just to say that I've now been able to switch Coverity
scan over from "sandbox_defconfig" to "allyesconfig" (which is now also
in CI), so we have a lot more code being scanned. If you have access to
the dashboard already, and areas of interest, it's worth looking again
now. If you're already a project contributor and want to look for things
to work on, please let me know before asking for access to the
dashboard.

I am hopeful this will inspire people to make sure their code builds on
sandbox (and so allyesconfig) so that it can get further static checking
done to it, regularly.

And as a final funny to me note, while this email says 278 issues, the
other email (which just has high level info and I don't bother
forwarding) says 442 issues found.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Jan 6, 2026 at 2:18 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 278
   - 49 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 20 of 278 defect(s)

Defect Details

** CID 640717:       Control flow issues  (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125           in _read_sysinfo_variant_data()


_____________________________________________________________________________________________
*** CID 640717:         Control flow issues  (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125             in _read_sysinfo_variant_data()
119     		      dev->name, con);
120     		return con;
121     	}
122
123     	priv->variant = con ? VAR_CON : VAR_CPU;
124
>>>     CID 640717:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "0" inside this statement: "priv->multichannel = (mc4 ?...".
125     	priv->multichannel = mc4 ? 4 : (mc2 ? 2 : (sc ? 1 : 0));
126
127     	return 0;
128     }
129
130     /**

** CID 640716:       Incorrect expression  (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158           in iproc_rng200_of_to_plat()


_____________________________________________________________________________________________
*** CID 640716:         Incorrect expression  (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158             in iproc_rng200_of_to_plat()
152     }
153
154     static int iproc_rng200_of_to_plat(struct udevice *dev)
155     {
156     	struct iproc_rng200_plat *pdata = dev_get_plat(dev);
157
>>>     CID 640716:         Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "8UL /* sizeof (void *) */" to function "devfdt_map_physmem" which returns a value of type "void *" is suspicious.
158     	pdata->base = devfdt_map_physmem(dev, sizeof(void *));
159     	if (!pdata->base)
160     		return -ENODEV;
161
162     	return 0;
163     }

** CID 640715:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640715:           (TAINTED_SCALAR)
/drivers/gpio/74x164_gpio.c: 145             in gen_74x164_probe()
139
140     	/*
141     	 * See Linux kernel:
142     	 * Documentation/devicetree/bindings/gpio/gpio-74x164.txt
143     	 */
144     	priv->nregs = fdtdec_get_int(fdt, node, "registers-number", 1);
>>>     CID 640715:           (TAINTED_SCALAR)
>>>     Passing tainted expression "priv->nregs" to "dlcalloc", which uses it as an offset.
145     	priv->buffer = calloc(priv->nregs, sizeof(u8));
146     	if (!priv->buffer) {
147     		ret = -ENOMEM;
148     		goto free_str;
149     	}
150
/drivers/gpio/74x164_gpio.c: 151             in gen_74x164_probe()
145     	priv->buffer = calloc(priv->nregs, sizeof(u8));
146     	if (!priv->buffer) {
147     		ret = -ENOMEM;
148     		goto free_str;
149     	}
150
>>>     CID 640715:           (TAINTED_SCALAR)
>>>     Passing tainted expression "priv->nregs" to "fdtdec_get_byte_array", which uses it as an offset.
151     	ret = fdtdec_get_byte_array(fdt, node, "registers-default",
152     				    priv->buffer, priv->nregs);
153     	if (ret)
154     		dev_dbg(dev, "No registers-default property\n");
155
156     	ret = gpio_request_by_name(dev, "oe-gpios", 0, &priv->oe,

** CID 640714:       Control flow issues  (DEADCODE)
/drivers/net/ftgmac100.c: 400           in ftgmac100_start()


_____________________________________________________________________________________________
*** CID 640714:         Control flow issues  (DEADCODE)
/drivers/net/ftgmac100.c: 400             in ftgmac100_start()
394     	/* Configure TX/RX decsriptor size
395     	 * This size is calculated based on cache line.
396     	 */
397     	desc_size = ARCH_DMA_MINALIGN / FTGMAC100_DESC_UNIT;
398     	/* The descriptor size is at least 2 descriptor units. */
399     	if (desc_size < 2)
>>>     CID 640714:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "desc_size = 2U;".
400     		desc_size = 2;
401     	dblac = readl(&ftgmac100->dblac) & ~GENMASK(19, 12);
402     	dblac |= FTGMAC100_DBLAC_RXDES_SIZE(desc_size) | FTGMAC100_DBLAC_TXDES_SIZE(desc_size);
403     	writel(dblac, &ftgmac100->dblac);
404
405     	/* poll receive descriptor automatically */

** CID 640713:       Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121           in sifive_serial_setbrg()


_____________________________________________________________________________________________
*** CID 640713:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121             in sifive_serial_setbrg()
115     		if (IS_ERR_VALUE(ret)) {
116     			debug("SiFive UART clock not defined\n");
117     			return 0;
118     		}
119     	} else {
120     		clock = clk_get_rate(&clk);
>>>     CID 640713:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "clock >= 18446744073709547521UL /* (unsigned long)-4095 */" is always false regardless of the values of its operands. This occurs as the logical operand of "!".
121     		if (IS_ERR_VALUE(clock)) {
122     			debug("SiFive UART clock get rate failed\n");
123     			return 0;
124     		}
125     	}
126     	plat->clock = clock;

** CID 640712:         (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 585           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 577           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 578           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 581           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()


_____________________________________________________________________________________________
*** CID 640712:           (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582             in pcie_cdns_ti_bar_ib_config()
576     		if (!(flags & IORESOURCE_PREFETCH))
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
584
585     	value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
/drivers/pci/pcie_cdns_ti.c: 585             in pcie_cdns_ti_bar_ib_config()
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
584
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "aperture - 2U << bar * 8", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8", is as little as -8.
585     	value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
588     	return 0;
589     }
590
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "bar_aperture_mask[bar] + 2 - 2 << bar * 8", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8", is as little as -8.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 577             in pcie_cdns_ti_bar_ib_config()
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
576     		if (!(flags & IORESOURCE_PREFETCH))
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 578             in pcie_cdns_ti_bar_ib_config()
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
576     		if (!(flags & IORESOURCE_PREFETCH))
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
/drivers/pci/pcie_cdns_ti.c: 581             in pcie_cdns_ti_bar_ib_config()
575     	if (size + cpu_addr >= SZ_4G) {
576     		if (!(flags & IORESOURCE_PREFETCH))
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
584
585     	value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {

** CID 640711:       Memory - corruptions  (OVERRUN)


_____________________________________________________________________________________________
*** CID 640711:         Memory - corruptions  (OVERRUN)
/cmd/ubi.c: 806             in do_ubi()
800     		if (!size) {
801     			size = (int64_t)ubi->avail_pebs * ubi->leb_size;
802     			printf("No size specified -> Using max size (%lld)\n", size);
803     		}
804     		/* E.g., create volume */
805     		if (argc == 3) {
>>>     CID 640711:         Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 129 by passing argument "id" (which evaluates to 256) in call to "ubi_create_vol".
806     			return ubi_create_vol(argv[2], size, dynamic, id,
807     					      skipcheck);
808     		}
809     	}
810
811     	if (strncmp(argv[1], "remove", 6) == 0) {

** CID 640710:       Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641           in do_tpm_list()


_____________________________________________________________________________________________
*** CID 640710:         Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641             in do_tpm_list()
635     	ptr = buf + 2;
636
637     	printf("Resources of type %s (%02x):\n", argv[1], type);
638     	if (!res_count) {
639     		puts("None\n");
640     	} else {
>>>     CID 640710:         Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "res_count" as a loop boundary.
641     		for (i = 0; i < res_count; ++i, ptr += 4)
642     			printf("Index %d: %08x\n", i, get_unaligned_be32(ptr));
643     	}
644
645     	return 0;
646     }

** CID 640709:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156           in atmel_smc_cs_conf_set_setup()


_____________________________________________________________________________________________
*** CID 640709:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156             in atmel_smc_cs_conf_set_setup()
150     	 * The formula described in atmel datasheets (section "SMC Setup
151     	 * Register"):
152     	 *
153     	 * ncycles = (128 * xx_SETUP[5]) + xx_SETUP[4:0]
154     	 */
155     	ret = atmel_smc_cs_encode_ncycles(ncycles, 5, 1, 128, &val);
>>>     CID 640709:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "0xffffffffffffffffUL << shift", where "shift" is known to be equal to 24, overflows the type of "0xffffffffffffffffUL << shift", which is type "unsigned long".
156     	conf->setup &= ~GENMASK(shift + 7, shift);
157     	conf->setup |= val << shift;
158
159     	return ret;
160     }
161     EXPORT_SYMBOL_GPL(atmel_smc_cs_conf_set_setup);

** CID 640708:       Code maintainability issues  (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192           in get_parent_dss_vp()


_____________________________________________________________________________________________
*** CID 640708:         Code maintainability issues  (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192             in get_parent_dss_vp()
186     	int ret;
187
188     	ep = ofnode_graph_get_endpoint_by_regs(oldi_tx, 0, -1);
189     	if (ofnode_valid(ep)) {
190     		dss_port = ofnode_graph_get_remote_port(ep);
191     		if (!ofnode_valid(dss_port))
>>>     CID 640708:         Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "-19" to "ret" here, but that stored value is overwritten before it can be used.
192     			ret = -ENODEV;
193
194     		ret = ofnode_read_u32(dss_port, "reg", parent_vp);
195     		if (ret)
196     			return -ENODEV;
197     		return 0;

** CID 640707:       Control flow issues  (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302           in max77663_ldo_val()


_____________________________________________________________________________________________
*** CID 640707:         Control flow issues  (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302             in
max77663_ldo_val()
296
297     	if (op == PMIC_OP_GET) {
298     		*uV = 0;
299
300     		ret = max77663_ldo_hex2volt(idx, val & LDO_VOLT_MASK);
301     		if (ret < 0)
>>>     CID 640707:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return ret;".
302     			return ret;
303
304     		*uV = ret;
305     		return 0;
306     	}
307

** CID 640706:         (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277           in aspeed_gpio_probe()
/drivers/gpio/gpio-aspeed-g7.c: 133           in aspeed_gpio_probe()


_____________________________________________________________________________________________
*** CID 640706:           (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277             in aspeed_gpio_probe()
271     static int aspeed_gpio_probe(struct udevice *dev)
272     {
273     	struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
274     	struct aspeed_gpio_priv *priv = dev_get_priv(dev);
275
276     	uc_priv->bank_name = dev->name;
>>>     CID 640706:           (CHECKED_RETURN)
>>>     Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
277     	ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
278     	priv->regs = devfdt_get_addr_ptr(dev);
279
280     	return 0;
281     }
282
/drivers/gpio/gpio-aspeed-g7.c: 133             in aspeed_gpio_probe()
127     static int aspeed_gpio_probe(struct udevice *dev)
128     {
129     	struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
130     	struct aspeed_gpio_priv *priv = dev_get_priv(dev);
131
132     	uc_priv->bank_name = dev->name;
>>>     CID 640706:           (CHECKED_RETURN)
>>>     Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
133     	ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
134     	priv->regs = devfdt_get_addr_ptr(dev);
135
136     	return 0;
137     }
138

** CID 640705:       Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v1.c: 863           in tpm1_find_key_sha1()


_____________________________________________________________________________________________
*** CID 640705:         Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v1.c: 863             in tpm1_find_key_sha1()
857     	err = tpm1_get_capability(dev, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
858     				 sizeof(buf));
859     	if (err)
860     		return -1;
861     	key_count = get_unaligned_be16(buf);
862     	ptr = buf + 2;
>>>     CID 640705:         Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "key_count" as a loop boundary.
863     	for (i = 0; i < key_count; ++i, ptr += 4)
864     		key_handles[i] = get_unaligned_be32(ptr);
865
866     	/* now search a(/ the) key which we can access with the given auth */
867     	for (i = 0; i < key_count; ++i) {
868     		buf_len = sizeof(buf);

** CID 640704:       Uninitialized variables  (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199           in sdhci_cdns6_reset_phy_dll()


_____________________________________________________________________________________________
*** CID 640704:         Uninitialized variables  (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199             in sdhci_cdns6_reset_phy_dll()
193     	/* After reset, wait until HRS09.PHY_INIT_COMPLETE is set to 1 within 3000us*/
194     	if (!reset) {
195     		ret = readl_poll_timeout(reg, tmp, (tmp & SDHCI_CDNS_HRS09_PHY_INIT_COMPLETE),
196     					 3000);
197     	}
198
>>>     CID 640704:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
199     	return ret;
200     }
201
202     int sdhci_cdns6_phy_adj(struct udevice *dev, struct sdhci_cdns_plat *plat, u32 mode)
203     {
204     	struct sdhci_cdns6_phy_cfg *sdhci_cdns6_phy_cfgs;

** CID 640703:       Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667           in dm_test_fdt_remap_addr_index_flat()


_____________________________________________________________________________________________
*** CID 640703:         Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667             in dm_test_fdt_remap_addr_index_flat()
661     	fdt_size_t size;
662     	void *paddr;
663
664     	ut_assertok(uclass_find_device_by_seq(UCLASS_TEST_DUMMY, 0, &dev));
665
666     	addr = devfdt_get_addr_size_index(dev, 0, &size);
>>>     CID 640703:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "_val2", where "addr" is known to be equal to 18446744073709551615, overflows the type of "_val2", which is type "unsigned int".
667     	ut_asserteq(0x8000, addr);
668     	ut_asserteq(0x1000, size);
669
670     	paddr = map_physmem(addr, 0, MAP_NOCACHE);
671     	ut_assertnonnull(paddr);
672     	ut_asserteq_ptr(paddr, devfdt_remap_addr_index(dev, 0));

** CID 640702:       Uninitialized variables  (UNINIT)
/drivers/video/imx/ldb.c: 85           in imx_ldb_of_to_plat()


_____________________________________________________________________________________________
*** CID 640702:         Uninitialized variables  (UNINIT)
/drivers/video/imx/ldb.c: 85             in imx_ldb_of_to_plat()
79
80     	uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 1, -1, &priv->lvds1);
81     	uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 2, -1, &priv->lvds2);
82     	if (!priv->lvds1 && !priv->lvds2) {
83     		debug("ldb: No remote panel for '%s' (ret=%d)\n",
84     		      dev_read_name(dev), ret);
>>>     CID 640702:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
85     		return ret;
86     	}
87
88     	return 0;
89     }
90

** CID 640701:       Uninitialized variables  (UNINIT)
/drivers/spi/xilinx_spi.c: 377           in xilinx_spi_mem_exec_op()


_____________________________________________________________________________________________
*** CID 640701:         Uninitialized variables  (UNINIT)
/drivers/spi/xilinx_spi.c: 377             in xilinx_spi_mem_exec_op()
371     		if (ret)
372     			goto done;
373     	}
374     done:
375     	spi_cs_deactivate(spi->dev);
376
>>>     CID 640701:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
377     	return ret;
378     }
379
380     static int xilinx_qspi_check_buswidth(struct spi_slave *slave, u8 width)
381     {
382     	u32 mode = slave->mode;

** CID 640700:       Integer handling issues  (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43           in xilinxgmiitorgmii_config()


_____________________________________________________________________________________________
*** CID 640700:         Integer handling issues  (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43             in xilinxgmiitorgmii_config()
37     	ret = ofnode_parse_phandle_with_args(node, "phy-handle",
38     					     NULL, 0, 0, &phandle);
39     	if (ret)
40     		return ret;
41
42     	ext_phyaddr = ofnode_read_u32_default(phandle.node, "reg", -1);
>>>     CID 640700:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "1 << ext_phyaddr", shifting by a negative amount has undefined behavior.  The shift amount, "ext_phyaddr", is -1.
43     	ext_phydev = phy_find_by_mask(phydev->bus,
44     				      1 << ext_phyaddr);
45     	if (!ext_phydev) {
46     		printf("%s, No external phy device found\n", __func__);
47     		return -EINVAL;
48     	}

** CID 640699:       Control flow issues  (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262           in __atcspi200_spi_xfer()


_____________________________________________________________________________________________
*** CID 640699:         Control flow issues  (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262             in __atcspi200_spi_xfer()
256
257     				if ((event & RXFVE_MASK) && (data_in)) {
258     					rf_cnt = ((event & RXFVE_MASK)>> RXFVE_OFFSET);
259     					if (rf_cnt >= CHUNK_SIZE)
260     						rx_bytes = CHUNK_SIZE;
261     					else if (num_blks == 1 && rf_cnt == num_bytes)
>>>     CID 640699:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "rx_bytes = num_bytes;".
262     						rx_bytes = num_bytes;
263     					else
264     						continue;
265
266     					if (__nspi_espi_rx(ns, din, rx_bytes) == rx_bytes) {
267     						num_blks -= CHUNK_SIZE;

** CID 640698:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640698:         Insecure data handling  (TAINTED_SCALAR)
/drivers/net/bnxt/bnxt.c: 446             in bnxt_hwrm_ver_get()
440     	req = (struct hwrm_ver_get_input *)bp->hwrm_addr_req;
441     	resp = (struct hwrm_ver_get_output *)bp->hwrm_addr_resp;
442     	hwrm_init(bp, (void *)req, (u16)HWRM_VER_GET, cmd_len);
443     	req->hwrm_intf_maj = HWRM_VERSION_MAJOR;
444     	req->hwrm_intf_min = HWRM_VERSION_MINOR;
445     	req->hwrm_intf_upd = HWRM_VERSION_UPDATE;
>>>     CID 640698:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*bp->hwrm_addr_resp" to "wait_resp", which uses it as an offset.
446     	rc = wait_resp(bp, HWRM_CMD_DEFAULT_TIMEOUT, cmd_len, __func__);
447     	if (rc)
448     		return STATUS_FAILURE;
449
450     	bp->hwrm_spec_code =
451     		resp->hwrm_intf_maj_8b << 16 |



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-16 19:43 Tom Rini
  2026-02-09 11:05 ` Guillaume La Roque
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2026-01-16 19:43 UTC (permalink / raw)
  To: u-boot; +Cc: Guillaume La Roque, Mattijs Korpershoek


Hey all,

Here's the latest report from Coverity scan. For the LZMA ones, the
_pad_ stuff seems to be a false positive (the _pad_ byte is just for
padding and not referenced) and the flow control one is how that's
written for whatever reason the upstream author wanted it like that.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Jan 16, 2026 at 1:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 7
   - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 7 of 7 defect(s)

Defect Details

** CID 641431:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641431:           (TAINTED_SCALAR)
/boot/image-android.c: 434             in android_image_get_kernel()
428     		if (*newbootargs) /* If there is something in newbootargs, a space is needed */
429     			strcat(newbootargs, " ");
430     		strcat(newbootargs, img_data.kcmdline_extra);
431     	}
432
433     	env_set("bootargs", newbootargs);
>>>     CID 641431:           (TAINTED_SCALAR)
>>>     Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
434     	free(newbootargs);
435
436     	if (os_data) {
437     		if (image_get_magic(ihdr) == IH_MAGIC) {
438     			*os_data = image_get_data(ihdr);
439     		} else {
/boot/image-android.c: 433             in android_image_get_kernel()
427     	if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
428     		if (*newbootargs) /* If there is something in newbootargs, a space is needed */
429     			strcat(newbootargs, " ");
430     		strcat(newbootargs, img_data.kcmdline_extra);
431     	}
432
>>>     CID 641431:           (TAINTED_SCALAR)
>>>     Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
433     	env_set("bootargs", newbootargs);
434     	free(newbootargs);
435
436     	if (os_data) {
437     		if (image_get_magic(ihdr) == IH_MAGIC) {
438     			*os_data = image_get_data(ihdr);

** CID 641430:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641430:           (TAINTED_SCALAR)
/cmd/abootimg.c: 244             in abootimg_get_ramdisk()
238     				      &rd_data, &rd_len))
239     		return CMD_RET_FAILURE;
240
241     	if (argc == 0) {
242     		printf("%lx\n", rd_data);
243     	} else {
>>>     CID 641430:           (TAINTED_SCALAR)
>>>     Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
244     		env_set_hex(argv[0], rd_data);
245     		if (argc == 2)
246     			env_set_hex(argv[1], rd_len);
247     	}
248
249     	return CMD_RET_SUCCESS;
/cmd/abootimg.c: 246             in abootimg_get_ramdisk()
240
241     	if (argc == 0) {
242     		printf("%lx\n", rd_data);
243     	} else {
244     		env_set_hex(argv[0], rd_data);
245     		if (argc == 2)
>>>     CID 641430:           (TAINTED_SCALAR)
>>>     Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.
246     			env_set_hex(argv[1], rd_len);
247     	}
248
249     	return CMD_RET_SUCCESS;
250     }
251

** CID 641429:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641429:         Insecure data handling  (TAINTED_SCALAR)
/boot/image-android.c: 307             in android_image_get_data()
301     			printf("Incorrect vendor boot image header\n");
302     			unmap_sysmem(vhdr);
303     			unmap_sysmem(bhdr);
304     			return false;
305     		}
306     		android_boot_image_v3_v4_parse_hdr((const struct
andr_boot_img_hdr_v3 *)bhdr, data);
>>>     CID 641429:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.
307     		android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
308     		unmap_sysmem(vhdr);
309     	} else {
310     		android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
311     	}
312

** CID 641428:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641428:           (TAINTED_SCALAR)
/boot/image-android.c: 658             in android_image_set_bootconfig()
652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654     	/* Map Dest */
655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657     	/* Copy data */
>>>     CID 641428:           (TAINTED_SCALAR)
>>>     Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
659     					     ramdisk_dest);
660
661     	unmap_sysmem(ramdisk_dest);
662     	free(params);
663     	free(new_bootargs);
/boot/image-android.c: 658             in android_image_set_bootconfig()
652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654     	/* Map Dest */
655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657     	/* Copy data */
>>>     CID 641428:           (TAINTED_SCALAR)
>>>     Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
659     					     ramdisk_dest);
660
661     	unmap_sysmem(ramdisk_dest);
662     	free(params);
663     	free(new_bootargs);
/boot/image-android.c: 658             in android_image_set_bootconfig()
652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654     	/* Map Dest */
655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657     	/* Copy data */
>>>     CID 641428:           (TAINTED_SCALAR)
>>>     Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
659     					     ramdisk_dest);
660
661     	unmap_sysmem(ramdisk_dest);
662     	free(params);
663     	free(new_bootargs);

** CID 332278:       Control flow issues  (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720           in LzmaDec_TryDummy()


_____________________________________________________________________________________________
*** CID 332278:         Control flow issues  (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720             in LzmaDec_TryDummy()
714       UInt32 code = p->code;
715       const Byte *bufLimit = *bufOut;
716       const CLzmaProb *probs = GET_PROBS;
717       unsigned state = (unsigned)p->state;
718       ELzmaDummy res;
719
>>>     CID 332278:         Control flow issues  (UNREACHABLE)
>>>     Since the loop increment is unreachable, the loop body will never execute more than once.
720       for (;;)
721       {
722         const CLzmaProb *prob;
723         UInt32 bound;
724         unsigned ttt;
725         unsigned posState = CALC_POS_STATE(p->processedPos,
((unsigned)1 << p->prop.pb) - 1);

** CID 252901:       Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1295           in LzmaDec_AllocateProbs()


_____________________________________________________________________________________________
*** CID 252901:         Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1295             in LzmaDec_AllocateProbs()
1289
1290     SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props,
unsigned propsSize, ISzAllocPtr alloc)
1291     {
1292       CLzmaProps propNew;
1293       RINOK(LzmaProps_Decode(&propNew, props, propsSize))
1294       RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>>     CID 252901:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1295       p->prop = propNew;
1296       return SZ_OK;
1297     }
1298
1299     SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props,
unsigned propsSize, ISzAllocPtr alloc)
1300     {

** CID 252579:       Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1327           in LzmaDec_Allocate()


_____________________________________________________________________________________________
*** CID 252579:         Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1327             in LzmaDec_Allocate()
1321         {
1322           LzmaDec_FreeProbs(p, alloc);
1323           return SZ_ERROR_MEM;
1324         }
1325       }
1326       p->dicBufSize = dicBufSize;
>>>     CID 252579:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1327       p->prop = propNew;
1328       return SZ_OK;
1329     }
1330
1331     SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src,
SizeT *srcLen,
1332         const Byte *propData, unsigned propSize, ELzmaFinishMode
finishMode,



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


^ permalink raw reply	[flat|nested] 105+ messages in thread

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-01-16 19:43 Tom Rini
@ 2026-02-09 11:05 ` Guillaume La Roque
  2026-02-20 16:11   ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Guillaume La Roque @ 2026-02-09 11:05 UTC (permalink / raw)
  To: Tom Rini, u-boot; +Cc: Mattijs Korpershoek

Hi Tom,


Sorry for the delay, I checked the defects, please see my comments inline.

Le 16/01/2026 à 20:43, Tom Rini a écrit :
> Hey all,
>
> Here's the latest report from Coverity scan. For the LZMA ones, the
> _pad_ stuff seems to be a false positive (the _pad_ byte is just for
> padding and not refernced) and the flow control one is how that's
> written for whatever reason the upstream author wanted it like that.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Jan 16, 2026 at 1:06 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
>     - *New Defects Found:* 7
>     - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
>     the recent build analyzed by Coverity Scan.
>     - *Defects Shown:* Showing 7 of 7 defect(s)
>
> Defect Details
>
> ** CID 641431:         (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641431:           (TAINTED_SCALAR)
> /boot/image-android.c: 434             in android_image_get_kernel()
> 428     		if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429     			strcat(newbootargs, " ");
> 430     		strcat(newbootargs, img_data.kcmdline_extra);
> 431     	}
> 432
> 433     	env_set("bootargs", newbootargs);
>>>>      CID 641431:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434     	free(newbootargs);
> 435
> 436     	if (os_data) {
> 437     		if (image_get_magic(ihdr) == IH_MAGIC) {
> 438     			*os_data = image_get_data(ihdr);
> 439     		} else {
> /boot/image-android.c: 433             in android_image_get_kernel()
> 427     	if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428     		if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429     			strcat(newbootargs, " ");
> 430     		strcat(newbootargs, img_data.kcmdline_extra);
> 431     	}
> 432
>>>>      CID 641431:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433     	env_set("bootargs", newbootargs);
> 434     	free(newbootargs);
> 435
> 436     	if (os_data) {
> 437     		if (image_get_magic(ihdr) == IH_MAGIC) {
> 438     			*os_data = image_get_data(ihdr);
> /boot/image-android.c: 434             in android_image_get_kernel()
> 428     		if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429     			strcat(newbootargs, " ");
> 430     		strcat(newbootargs, img_data.kcmdline_extra);
> 431     	}
> 432
> 433     	env_set("bootargs", newbootargs);
>>>>      CID 641431:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434     	free(newbootargs);
> 435
> 436     	if (os_data) {
> 437     		if (image_get_magic(ihdr) == IH_MAGIC) {
> 438     			*os_data = image_get_data(ihdr);
> 439     		} else {
> /boot/image-android.c: 433             in android_image_get_kernel()
> 427     	if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428     		if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429     			strcat(newbootargs, " ");
> 430     		strcat(newbootargs, img_data.kcmdline_extra);
> 431     	}
> 432
>>>>      CID 641431:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433     	env_set("bootargs", newbootargs);
> 434     	free(newbootargs);
> 435
> 436     	if (os_data) {
> 437     		if (image_get_magic(ihdr) == IH_MAGIC) {
> 438     			*os_data = image_get_data(ihdr);
> /boot/image-android.c: 433             in android_image_get_kernel()
> 427     	if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428     		if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429     			strcat(newbootargs, " ");
> 430     		strcat(newbootargs, img_data.kcmdline_extra);
> 431     	}
> 432
>>>>      CID 641431:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433     	env_set("bootargs", newbootargs);
> 434     	free(newbootargs);
> 435
> 436     	if (os_data) {
> 437     		if (image_get_magic(ihdr) == IH_MAGIC) {
> 438     			*os_data = image_get_data(ihdr);
> /boot/image-android.c: 434             in android_image_get_kernel()
> 428     		if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429     			strcat(newbootargs, " ");
> 430     		strcat(newbootargs, img_data.kcmdline_extra);
> 431     	}
> 432
> 433     	env_set("bootargs", newbootargs);
>>>>      CID 641431:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.

For CID 641431: for me it's a false positive defect; malloc was done
with the strlen return value and free was done on the malloc pointer.

> 434     	free(newbootargs);
> 435
> 436     	if (os_data) {
> 437     		if (image_get_magic(ihdr) == IH_MAGIC) {
> 438     			*os_data = image_get_data(ihdr);
> 439     		} else {
>
> ** CID 641430:         (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641430:           (TAINTED_SCALAR)
> /cmd/abootimg.c: 244             in abootimg_get_ramdisk()
> 238     				      &rd_data, &rd_len))
> 239     		return CMD_RET_FAILURE;
> 240
> 241     	if (argc == 0) {
> 242     		printf("%lx\n", rd_data);
> 243     	} else {
>>>>      CID 641430:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
> 244     		env_set_hex(argv[0], rd_data);
> 245     		if (argc == 2)
> 246     			env_set_hex(argv[1], rd_len);
> 247     	}
> 248
> 249     	return CMD_RET_SUCCESS;
> /cmd/abootimg.c: 246             in abootimg_get_ramdisk()
> 240
> 241     	if (argc == 0) {
> 242     		printf("%lx\n", rd_data);
> 243     	} else {
> 244     		env_set_hex(argv[0], rd_data);
> 245     		if (argc == 2)
>>>>      CID 641430:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.

CID 641430: false positive too. env_set_hex converts the value into an env variable, so it converts rd_len and rd_data
into variables.

> 246     			env_set_hex(argv[1], rd_len);
> 247     	}
> 248
> 249     	return CMD_RET_SUCCESS;
> 250     }
> 251
>
> ** CID 641429:       Insecure data handling  (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641429:         Insecure data handling  (TAINTED_SCALAR)
> /boot/image-android.c: 307             in android_image_get_data()
> 301     			printf("Incorrect vendor boot image header\n");
> 302     			unmap_sysmem(vhdr);
> 303     			unmap_sysmem(bhdr);
> 304     			return false;
> 305     		}
> 306     		android_boot_image_v3_v4_parse_hdr((const struct
> andr_boot_img_hdr_v3 *)bhdr, data);
>>>>      CID 641429:         Insecure data handling  (TAINTED_SCALAR)
>>>>      Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.

CID 641429: false positive too. "vhdr->bootconfig_size" comes from the Android image, so it is an external source; it is not possible to validate whether the value is good or not, except when the AVB feature is enabled.

> 307     		android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
> 308     		unmap_sysmem(vhdr);
> 309     	} else {
> 310     		android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
> 311     	}
> 312
>
> ** CID 641428:         (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641428:           (TAINTED_SCALAR)
> /boot/image-android.c: 658             in android_image_set_bootconfig()
> 652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654     	/* Map Dest */
> 655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657     	/* Copy data */
>>>>      CID 641428:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659     					     ramdisk_dest);
> 660
> 661     	unmap_sysmem(ramdisk_dest);
> 662     	free(params);
> 663     	free(new_bootargs);
> /boot/image-android.c: 658             in android_image_set_bootconfig()
> 652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654     	/* Map Dest */
> 655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657     	/* Copy data */
>>>>      CID 641428:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659     					     ramdisk_dest);
> 660
> 661     	unmap_sysmem(ramdisk_dest);
> 662     	free(params);
> 663     	free(new_bootargs);
> /boot/image-android.c: 658             in android_image_set_bootconfig()
> 652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654     	/* Map Dest */
> 655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657     	/* Copy data */
>>>>      CID 641428:           (TAINTED_SCALAR)
>>>>      Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.

CID 641428: for me it's a false positive too. img_data.boot_ramdisk_size and vendor_ramdisk_size come from the Android image; they could be corrupted if we corrupt the Android image, but it's an external source, so it is difficult to say whether the value is corrupted or not. That's why on a real device we have the AB features to check it.

> 658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659     					     ramdisk_dest);
> 660
> 661     	unmap_sysmem(ramdisk_dest);
> 662     	free(params);
> 663     	free(new_bootargs);
>
> ** CID 332278:       Control flow issues  (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720           in LzmaDec_TryDummy()
>
>
> _____________________________________________________________________________________________
> *** CID 332278:         Control flow issues  (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720             in LzmaDec_TryDummy()
> 714       UInt32 code = p->code;
> 715       const Byte *bufLimit = *bufOut;
> 716       const CLzmaProb *probs = GET_PROBS;
> 717       unsigned state = (unsigned)p->state;
> 718       ELzmaDummy res;
> 719
>>>>      CID 332278:         Control flow issues  (UNREACHABLE)
>>>>      Since the loop increment is unreachable, the loop body will never execute more than once.
> 720       for (;;)
> 721       {
> 722         const CLzmaProb *prob;
> 723         UInt32 bound;
> 724         unsigned ttt;
> 725         unsigned posState = CALC_POS_STATE(p->processedPos,
> ((unsigned)1 << p->prop.pb) - 1);
>
> ** CID 252901:       Uninitialized variables  (UNINIT)
> /lib/lzma/LzmaDec.c: 1295           in LzmaDec_AllocateProbs()
>
>
> _____________________________________________________________________________________________
> *** CID 252901:         Uninitialized variables  (UNINIT)
> /lib/lzma/LzmaDec.c: 1295             in LzmaDec_AllocateProbs()
> 1289
> 1290     SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props,
> unsigned propsSize, ISzAllocPtr alloc)
> 1291     {
> 1292       CLzmaProps propNew;
> 1293       RINOK(LzmaProps_Decode(&propNew, props, propsSize))
> 1294       RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>>>      CID 252901:         Uninitialized variables  (UNINIT)
>>>>      Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1295       p->prop = propNew;
> 1296       return SZ_OK;
> 1297     }
> 1298
> 1299     SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props,
> unsigned propsSize, ISzAllocPtr alloc)
> 1300     {
>
> ** CID 252579:       Uninitialized variables  (UNINIT)
> /lib/lzma/LzmaDec.c: 1327           in LzmaDec_Allocate()
>
>
> _____________________________________________________________________________________________
> *** CID 252579:         Uninitialized variables  (UNINIT)
> /lib/lzma/LzmaDec.c: 1327             in LzmaDec_Allocate()
> 1321         {
> 1322           LzmaDec_FreeProbs(p, alloc);
> 1323           return SZ_ERROR_MEM;
> 1324         }
> 1325       }
> 1326       p->dicBufSize = dicBufSize;
>>>>      CID 252579:         Uninitialized variables  (UNINIT)
>>>>      Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1327       p->prop = propNew;
> 1328       return SZ_OK;
> 1329     }
> 1330
> 1331     SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src,
> SizeT *srcLen,
> 1332         const Byte *propData, unsigned propSize, ELzmaFinishMode
> finishMode,
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
Regards,
Guillaume



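The header-supplied sizes discussed in the reply above (CID 641428 and CID 641429, and the ramdisk address and length that CID 641430 writes into the environment) are what Coverity means by a tainted scalar: they are read from the image and then used as offsets and loop bounds. The following is an added example, not code from U-Boot or from anyone in this thread. It bounds every section of a v4-style vendor boot header against the number of bytes actually loaded, using overflow-safe page alignment. The struct, the 2112-byte header constant and the 64 KiB page-size cap are assumptions made for the example; the section order follows the documented vendor boot layout (header, vendor ramdisk, dtb, vendor ramdisk table, bootconfig). A check like this complements AVB rather than replacing it: AVB proves the image is the one that was signed, while the size check keeps a malformed image from driving a copy past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Stand-in for the Android vendor boot header (v4 field names).  The
 * struct and the two constants below are assumptions for this example,
 * not U-Boot's definitions; magic/version checks are assumed done already.
 */
struct vendor_boot_hdr {
	uint32_t page_size;
	uint32_t vendor_ramdisk_size;
	uint32_t dtb_size;
	uint32_t vendor_ramdisk_table_size;
	uint32_t bootconfig_size;
};

#define VENDOR_BOOT_HDR_BYTES	2112u		/* header bytes before page padding */
#define MAX_PAGE_SIZE		(64u * 1024u)	/* cap on the header-controlled page_size */

/* Round len up to a multiple of page_size; fail instead of wrapping. */
static bool page_align(size_t len, size_t page_size, size_t *out)
{
	size_t rem = len % page_size;
	size_t pad = rem ? page_size - rem : 0;

	if (len > SIZE_MAX - pad)
		return false;
	*out = len + pad;
	return true;
}

/* Append one section to *off; requires *off <= image_len (kept by earlier calls). */
static bool add_section(size_t *off, size_t len, size_t page_size, size_t image_len)
{
	size_t aligned;

	if (!page_align(len, page_size, &aligned))
		return false;
	if (aligned > image_len - *off)		/* would run past the loaded bytes */
		return false;
	*off += aligned;
	return true;
}

/*
 * True iff every section the header describes fits inside image_len, the
 * byte count really read from storage (never a value from the header).
 * Sizes are widened to size_t before any arithmetic so 0xffffffff cannot
 * wrap.  On success *bootconfig_off is the offset of the bootconfig section.
 */
bool vendor_boot_sizes_ok(const struct vendor_boot_hdr *h, size_t image_len,
			  size_t *bootconfig_off)
{
	size_t ps = h->page_size;
	size_t off = 0;

	/* page_size is tainted too: reject 0, non-powers of two and absurd values */
	if (ps == 0 || (ps & (ps - 1)) != 0 || ps > MAX_PAGE_SIZE)
		return false;
	/* Layout order: header, vendor ramdisk, dtb, ramdisk table, bootconfig */
	if (!add_section(&off, VENDOR_BOOT_HDR_BYTES, ps, image_len) ||
	    !add_section(&off, h->vendor_ramdisk_size, ps, image_len) ||
	    !add_section(&off, h->dtb_size, ps, image_len) ||
	    !add_section(&off, h->vendor_ramdisk_table_size, ps, image_len))
		return false;
	*bootconfig_off = off;
	return add_section(&off, h->bootconfig_size, ps, image_len);
}

/* Plain-integer wrappers so scenarios run without building an image. */
bool hdr_fits(uint32_t page, uint32_t rd, uint32_t dtb, uint32_t tbl,
	      uint32_t bc, size_t image_len)
{
	struct vendor_boot_hdr h = { page, rd, dtb, tbl, bc };
	size_t off = 0;

	return vendor_boot_sizes_ok(&h, image_len, &off);
}

size_t bootconfig_offset(uint32_t page, uint32_t rd, uint32_t dtb,
			 uint32_t tbl, uint32_t bc, size_t image_len)
{
	struct vendor_boot_hdr h = { page, rd, dtb, tbl, bc };
	size_t off = 0;

	return vendor_boot_sizes_ok(&h, image_len, &off) ? off : 0;
}

int main(void)
{
	size_t len = 4 * 4096;	/* constructed: 16 KiB image, 4 KiB pages */

	printf("well-formed: %d, bootconfig at %zu\n",
	       hdr_fits(4096, 4000, 100, 0, 10, len),
	       bootconfig_offset(4096, 4000, 100, 0, 10, len));
	printf("bootconfig a page too big: %d\n", hdr_fits(4096, 4000, 100, 0, 4097, len));
	printf("vendor_ramdisk_size 0xffffffff: %d\n", hdr_fits(4096, 0xffffffffu, 0, 0, 0, len));
	return 0;
}
```

The wrappers take the fields as plain integers so the scenarios can be exercised without constructing an image; in a loader, the struct would be read from the mapped image and image_len would be the size actually read from the partition, which is the one quantity the image cannot influence.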

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-02-13 22:09 Tom Rini
  2026-02-18 23:02 ` Chris Morgan
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2026-02-13 22:09 UTC (permalink / raw)
  To: u-boot, Chris Morgan, Mattijs Korpershoek


Latest Coverity Scan report, now that it's back up and so a little out
of sync with the usual schedule.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Feb 13, 2026 at 4:03 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 1
   - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 1 of 1 defect(s)

Defect Details

** CID 328330:       Integer handling issues  (NO_EFFECT)
/drivers/usb/dwc3/core.c: 106           in dwc3_core_soft_reset()


_____________________________________________________________________________________________
*** CID 328330:         Integer handling issues  (NO_EFFECT)
/drivers/usb/dwc3/core.c: 106             in dwc3_core_soft_reset()
100     done:
101     	/*
102     	 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
103     	 * is cleared, we must wait at least 50ms before accessing the PHY
104     	 * domain (synchronization delay).
105     	 */
>>>     CID 328330:         Integer handling issues  (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
106     	if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
107     		mdelay(50);
108
109     	return 0;
110     }
111


View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-02-13 22:09 Tom Rini
@ 2026-02-18 23:02 ` Chris Morgan
  2026-02-20 16:11   ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Chris Morgan @ 2026-02-18 23:02 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Mattijs Korpershoek

On Fri, Feb 13, 2026 at 04:09:27PM -0600, Tom Rini wrote:
> Latest Coverity Scan report, now that it's back up and so a little out
> of sync with the usual schedule.
> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Feb 13, 2026 at 4:03 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
> 
>    - *New Defects Found:* 1
>    - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
>    the recent build analyzed by Coverity Scan.
>    - *Defects Shown:* Showing 1 of 1 defect(s)
> 
> Defect Details
> 
> ** CID 328330:       Integer handling issues  (NO_EFFECT)
> /drivers/usb/dwc3/core.c: 106           in dwc3_core_soft_reset()
> 
> 
> _____________________________________________________________________________________________
> *** CID 328330:         Integer handling issues  (NO_EFFECT)
> /drivers/usb/dwc3/core.c: 106             in dwc3_core_soft_reset()
> 100     done:
> 101     	/*
> 102     	 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
> 103     	 * is cleared, we must wait at least 50ms before accessing the PHY
> 104     	 * domain (synchronization delay).
> 105     	 */
> >>>     CID 328330:         Integer handling issues  (NO_EFFECT)
> >>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
> 106     	if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
> 107     		mdelay(50);
> 108
> 109     	return 0;
> 110     }
> 111
> 
> 
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> 
> Best regards,
> 
> The Coverity Scan Admin Team
> 
> ----- End forwarded message -----
> 
> -- 
> Tom

I'm not *entirely* sure what to do to fix this issue, but it looks
like maybe the issue is that all we're trying to do here is make sure
that the version is DWC31_REVISION_180A or earlier, and this is done in
mainline by checking between revisions _ANY and revisions _180A
(instead of creating a new macro). Since the DWC31_REVISION_ANY is set
as 0 this means that condition will always evaluate as true. In this
case though that's fine, because all we really care about is if the
second condition of the macro is true (whether or not we are equal to
or less than revision _180A).

I copied this stuff directly out of the mainline Linux driver so as to
maintain some semblance of parity (and because I needed the stuff that
used this specific macro for gadget mode), however it looks like to stop
this Coverity error I need to create a new macro, possibly a
DWC3_VER_IS_AFTER() macro. Or is it simply fine to say that I
acknowledge the issue, but given the context don't think it's an issue
if the comparison to zero always returns true because it's just a reused
macro with two conditions and we only care about the second condition?

Thank you,
Chris

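The always-true comparison described in the message above is easy to reproduce stand-alone. The following is an added example, not U-Boot's or Linux's driver code: the IP and revision constants and the DWC3_VER_IS_WITHIN shape are modelled on the Linux dwc3 core.h naming and should be read as assumptions, and DWC3_VER_IS_AT_MOST is a hypothetical name for the upper-bound-only form the message considers adding. macros_agree() walks both IP types and a set of revisions to confirm the two forms never disagree, which is the evidence needed either to mark the finding intentional or to swap the macro call without changing behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constants and macro shape modelled on the Linux dwc3 core.h naming;
 * they are assumptions for this example, not U-Boot's header.
 */
#define DWC3_IP			0x5533
#define DWC31_IP		0x3331
#define DWC31_REVISION_ANY	0x0
#define DWC31_REVISION_170A	0x3137302a
#define DWC31_REVISION_180A	0x3138302a
#define DWC31_REVISION_190A	0x3139302a

struct dwc3 {
	uint32_t ip;
	uint32_t revision;
};

/*
 * Range check in the shape Coverity flagged.  With _from == ANY the middle
 * term becomes "revision >= 0U", a tautology on an unsigned field; with
 * _to == ANY the upper bound is disabled instead.
 */
#define DWC3_VER_IS_WITHIN(dwc, _ip, _from, _to)			\
	((dwc)->ip == _ip##_IP &&					\
	 (dwc)->revision >= _ip##_REVISION_##_from &&			\
	 (!(_ip##_REVISION_##_to) ||					\
	  (dwc)->revision <= _ip##_REVISION_##_to))

/* Upper-bound-only form (hypothetical name) with no vacuous lower bound. */
#define DWC3_VER_IS_AT_MOST(dwc, _ip, _to)				\
	((dwc)->ip == _ip##_IP && (dwc)->revision <= _ip##_REVISION_##_to)

/* Two spellings of "DWC_usb31 1.80a or earlier". */
bool needs_phy_delay_within(uint32_t ip, uint32_t revision)
{
	struct dwc3 dwc = { ip, revision };

	return DWC3_VER_IS_WITHIN(&dwc, DWC31, ANY, 180A);
}

bool needs_phy_delay_at_most(uint32_t ip, uint32_t revision)
{
	struct dwc3 dwc = { ip, revision };

	return DWC3_VER_IS_AT_MOST(&dwc, DWC31, 180A);
}

/* Check that dropping the lower bound changes no result for either IP type. */
bool macros_agree(void)
{
	const uint32_t ips[] = { DWC3_IP, DWC31_IP, 0 };
	const uint32_t revs[] = { DWC31_REVISION_ANY, DWC31_REVISION_170A,
				  DWC31_REVISION_180A, DWC31_REVISION_190A,
				  UINT32_MAX };

	for (size_t i = 0; i < sizeof(ips) / sizeof(ips[0]); i++)
		for (size_t j = 0; j < sizeof(revs) / sizeof(revs[0]); j++)
			if (needs_phy_delay_within(ips[i], revs[j]) !=
			    needs_phy_delay_at_most(ips[i], revs[j]))
				return false;
	return true;
}

int main(void)
{
	printf("DWC31 1.70a needs delay: %d\n",
	       needs_phy_delay_within(DWC31_IP, DWC31_REVISION_170A));
	printf("DWC31 1.90a needs delay: %d\n",
	       needs_phy_delay_within(DWC31_IP, DWC31_REVISION_190A));
	printf("within and at-most agree: %d\n", macros_agree());
	return 0;
}
```

Note that the revision constants compare as plain integers, so the "at most" form is only correct because the constants for one IP type are monotonically ordered; the ip check in both macros is what keeps a DWC_usb3 revision value from being compared against the DWC_usb31 table.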

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-02-09 11:05 ` Guillaume La Roque
@ 2026-02-20 16:11   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-02-20 16:11 UTC (permalink / raw)
  To: Guillaume La Roque; +Cc: u-boot, Mattijs Korpershoek


On Mon, Feb 09, 2026 at 12:05:40PM +0100, Guillaume La Roque wrote:
> Hi Tom,
> 
> 
> sorry for delay, i check defects please see my comments inline

Thanks for the details, I've updated the dashboard with them.

-- 
Tom



* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-02-18 23:02 ` Chris Morgan
@ 2026-02-20 16:11   ` Tom Rini
  2026-02-20 16:23     ` Chris Morgan
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2026-02-20 16:11 UTC (permalink / raw)
  To: Chris Morgan; +Cc: u-boot, Mattijs Korpershoek


On Wed, Feb 18, 2026 at 05:02:27PM -0600, Chris Morgan wrote:
> On Fri, Feb 13, 2026 at 04:09:27PM -0600, Tom Rini wrote:
> > Latest Coverity Scan report, now that it's back up and so a little out
> > of sync with the usual schedule.
> > 
> > ---------- Forwarded message ---------
> > From: <scan-admin@coverity.com>
> > Date: Fri, Feb 13, 2026 at 4:03 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini@gmail.com>
> > 
> > 
> > Hi,
> > 
> > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > found with Coverity Scan.
> > 
> >    - *New Defects Found:* 1
> >    - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> >    the recent build analyzed by Coverity Scan.
> >    - *Defects Shown:* Showing 1 of 1 defect(s)
> > 
> > Defect Details
> > 
> > ** CID 328330:       Integer handling issues  (NO_EFFECT)
> > /drivers/usb/dwc3/core.c: 106           in dwc3_core_soft_reset()
> > 
> > 
> > _____________________________________________________________________________________________
> > *** CID 328330:         Integer handling issues  (NO_EFFECT)
> > /drivers/usb/dwc3/core.c: 106             in dwc3_core_soft_reset()
> > 100     done:
> > 101     	/*
> > 102     	 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
> > 103     	 * is cleared, we must wait at least 50ms before accessing the PHY
> > 104     	 * domain (synchronization delay).
> > 105     	 */
> > >>>     CID 328330:         Integer handling issues  (NO_EFFECT)
> > >>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
> > 106     	if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
> > 107     		mdelay(50);
> > 108
> > 109     	return 0;
> > 110     }
> > 111
> > 
> > 
> > View Defects in Coverity Scan
> > <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> > 
> > Best regards,
> > 
> > The Coverity Scan Admin Team
> > 
> > ----- End forwarded message -----
> > 
> > -- 
> > Tom
> 
> I'm not *entirely* sure what to do to fix this issue, but it looks
> like maybe the issue is that all we're trying to do here is make sure
> that the version is DWC31_REVISION_180A or earlier, and this is done in
> mainline by checking between revisions _ANY and revisions _180A
> (instead of creating a new macro). Since the DWC31_REVISION_ANY is set
> as 0 this means that condition will always evaluate as true. In this
> case though that's fine, because all we really care about is if the
> second condition of the macro is true (whether or not we are equal to
> or less than revision _180A).
> 
> I copied this stuff directly out of the mainline Linux driver so as to
> maintain some semblance of parity (and because I needed the stuff that
> used this specific macro for gadget mode), however it looks like to stop
> this Coverity error I need to create a new macro, possibly a
> DWC3_VER_IS_AFTER() macro. Or is it simply fine to say that I
> acknowledge the issue, but given the context don't think it's an issue
> if the comparison to zero always returns true because it's just a reused
> macro with two conditions and we only care about the second condition?

So, looking at the Coverity Scan dashboard for the kernel, there's just
nothing on drivers/usb/dwc3/core.c (at all, even closed), which I think
is odd, but I also think I've updated the filter correctly. I'll put
your comments in the dashboard here for the issue and mark as
intentional, thanks!

-- 
Tom

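The reasoning in the quoted message above can be checked directly: when the lower bound of a "within" range is the catch-all revision 0, the unsigned comparison against it is constant-true and the whole check collapses to the upper bound. The C below is an added example written for this page, not code from U-Boot or the mainline Linux dwc3 driver; it models the two-clause macro shape the author describes with its own simplified definitions (the IP and revision values, the `struct dwc3` fields and the single-bound macro name `DWC3_VER_IS_AT_OR_BEFORE` are this example's assumptions) and confirms that the two forms agree on every sample controller.

```c
/*
 * Added example, not U-Boot or Linux code. Models the dwc3 version
 * check with a lower bound of "ANY" (0) that Coverity flags as a
 * NO_EFFECT comparison, and the equivalent single-bound form.
 * Constants and macro shapes are this example's own assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DWC3_IP   0x5533u
#define DWC31_IP  0x3331u

/* Assumption: revision words encode ASCII, e.g. "180*", and ANY is 0. */
#define DWC31_REVISION_ANY   0x0u
#define DWC31_REVISION_170A  0x3137302au
#define DWC31_REVISION_180A  0x3138302au
#define DWC31_REVISION_190A  0x3139302au

struct dwc3 {
	uint32_t ip;
	uint32_t revision;
};

/*
 * Two-clause range check (simplified model of the mainline macro).
 * With _from == ANY the middle clause reads "revision >= 0U", which is
 * always true for an unsigned value: that is the warning, and it is
 * harmless because the clause was never meant to exclude anything.
 */
#define DWC3_VER_IS_WITHIN(dwc, _ip, _from, _to) \
	((dwc)->ip == _ip##_IP && \
	 (dwc)->revision >= _ip##_REVISION_##_from && \
	 (dwc)->revision <= _ip##_REVISION_##_to)

/* Hypothetical single-bound form: "this IP, at or before _rev". */
#define DWC3_VER_IS_AT_OR_BEFORE(dwc, _ip, _rev) \
	((dwc)->ip == _ip##_IP && (dwc)->revision <= _ip##_REVISION_##_rev)

bool needs_phy_delay_within(const struct dwc3 *dwc)
{
	return DWC3_VER_IS_WITHIN(dwc, DWC31, ANY, 180A);
}

bool needs_phy_delay_bounded(const struct dwc3 *dwc)
{
	return DWC3_VER_IS_AT_OR_BEFORE(dwc, DWC31, 180A);
}

/* True when both forms give the same answer for every constructed sample. */
bool checks_agree(void)
{
	const struct dwc3 samples[] = {
		{ DWC31_IP, DWC31_REVISION_ANY },  /* revision 0 itself */
		{ DWC31_IP, DWC31_REVISION_170A }, /* before 1.80a */
		{ DWC31_IP, DWC31_REVISION_180A }, /* exactly 1.80a */
		{ DWC31_IP, DWC31_REVISION_190A }, /* after 1.80a */
		{ DWC3_IP,  DWC31_REVISION_170A }, /* other IP, same number */
	};
	size_t n = sizeof(samples) / sizeof(samples[0]);

	for (size_t i = 0; i < n; i++)
		if (needs_phy_delay_within(&samples[i]) !=
		    needs_phy_delay_bounded(&samples[i]))
			return false;
	return true;
}

int main(void)
{
	printf("two-clause and single-bound checks agree: %s\n",
	       checks_agree() ? "yes" : "no");
	return checks_agree() ? 0 : 1;
}
```

The single-bound macro is what the author's proposed new macro would amount to; the only behavioural difference between the two forms is that the second never emits the constant-true comparison, so the static analyzer has nothing to flag.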

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-02-20 16:11   ` Tom Rini
@ 2026-02-20 16:23     ` Chris Morgan
  0 siblings, 0 replies; 105+ messages in thread
From: Chris Morgan @ 2026-02-20 16:23 UTC (permalink / raw)
  To: Tom Rini; +Cc: u-boot, Mattijs Korpershoek

On Fri, Feb 20, 2026 at 10:11:56AM -0600, Tom Rini wrote:
> On Wed, Feb 18, 2026 at 05:02:27PM -0600, Chris Morgan wrote:
> > On Fri, Feb 13, 2026 at 04:09:27PM -0600, Tom Rini wrote:
> > > Latest Coverity Scan report, now that it's back up and so a little out
> > > of sync with the usual schedule.
> > > 
> > > ---------- Forwarded message ---------
> > > From: <scan-admin@coverity.com>
> > > Date: Fri, Feb 13, 2026 at 4:03 PM
> > > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > > To: <tom.rini@gmail.com>
> > > 
> > > 
> > > Hi,
> > > 
> > > Please find the latest report on new defect(s) introduced to *Das U-Boot*
> > > found with Coverity Scan.
> > > 
> > >    - *New Defects Found:* 1
> > >    - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> > >    the recent build analyzed by Coverity Scan.
> > >    - *Defects Shown:* Showing 1 of 1 defect(s)
> > > 
> > > Defect Details
> > > 
> > > ** CID 328330:       Integer handling issues  (NO_EFFECT)
> > > /drivers/usb/dwc3/core.c: 106           in dwc3_core_soft_reset()
> > > 
> > > 
> > > _____________________________________________________________________________________________
> > > *** CID 328330:         Integer handling issues  (NO_EFFECT)
> > > /drivers/usb/dwc3/core.c: 106             in dwc3_core_soft_reset()
> > > 100     done:
> > > 101     	/*
> > > 102     	 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
> > > 103     	 * is cleared, we must wait at least 50ms before accessing the PHY
> > > 104     	 * domain (synchronization delay).
> > > 105     	 */
> > > >>>     CID 328330:         Integer handling issues  (NO_EFFECT)
> > > >>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
> > > 106     	if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
> > > 107     		mdelay(50);
> > > 108
> > > 109     	return 0;
> > > 110     }
> > > 111
> > > 
> > > 
> > > View Defects in Coverity Scan
> > > <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> > > 
> > > Best regards,
> > > 
> > > The Coverity Scan Admin Team
> > > 
> > > ----- End forwarded message -----
> > > 
> > > -- 
> > > Tom
> > 
> > I'm not *entirely* sure what to do to fix this issue, but it looks
> > like maybe the issue is that all we're trying to do here is make sure
> > that the version is DWC31_REVISION_180A or earlier, and this is done in
> > mainline by checking between revisions _ANY and revisions _180A
> > (instead of creating a new macro). Since the DWC31_REVISION_ANY is set
> > as 0 this means that condition will always evaluate as true. In this
> > case though that's fine, because all we really care about is if the
> > second condition of the macro is true (whether or not we are equal to
> > or less than revision _180A).
> > 
> > I copied this stuff directly out of the mainline Linux driver so as to
> > maintain some semblance of parity (and because I needed the stuff that
> > used this specific macro for gadget mode), however it looks like to stop
> > this Coverity error I need to create a new macro, possibly a
> > DWC3_VER_IS_AFTER() macro. Or is it simply fine to say that I
> > acknowledge the issue, but given the context don't think it's an issue
> > if the comparison to zero always returns true because it's just a reused
> > macro with two conditions and we only care about the second condition?
> 
> So, looking at the Coverity Scan dashboard for the kernel, there's just
> nothing on drivers/usb/dwc3/core.c (at all, even closed), which I think
> is odd, but I also think I've updated the filter correctly. I'll put
> your comments in the dashboard here for the issue and mark as
> intentional, thanks!
> 
> -- 
> Tom

Perfect, thank you.

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-02-23 19:51 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-02-23 19:51 UTC (permalink / raw)
  To: u-boot; +Cc: James Hilliard, Marek Vasut

Hey all,

Looks like Coverity is a little unhappy about the FIT alignment fixes,
but I'm not sure yet if we can just mark them as intentional and already
safety checked inputs or not.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 23, 2026 at 1:34 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 1
   - 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 1 of 1 defect(s)

Defect Details

** CID 644638:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 644638:           (TAINTED_SCALAR)
/boot/image-fit.c: 2410             in boot_get_fdt_fit_into_buffer()
2404     	 */
2405     	if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406     		goto out;
2407
2408     	/* Try to reuse existing destination buffer if it is large enough. */
2409     	if (dstbuf && dstlen >= newdstlen) {
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_strings" to "fdt_open_into", which uses it as an offset.
2410     		err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411     		goto out;
2412     	}
2413
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
/boot/image-fit.c: 2420             in boot_get_fdt_fit_into_buffer()
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
2416     		err = -ENOMEM;
2417     		goto out;
2418     	}
2419
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_struct" to "fdt_open_into", which uses it as an offset.
2420     	err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421     	if (err < 0)
2422     		goto out;
2423
2424     	free(dstbuf);
2425     	*fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2420             in boot_get_fdt_fit_into_buffer()
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
2416     		err = -ENOMEM;
2417     		goto out;
2418     	}
2419
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_strings" to "fdt_open_into", which uses it as an offset.
2420     	err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421     	if (err < 0)
2422     		goto out;
2423
2424     	free(dstbuf);
2425     	*fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2420             in boot_get_fdt_fit_into_buffer()
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
2416     		err = -ENOMEM;
2417     		goto out;
2418     	}
2419
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->totalsize" to "fdt_open_into", which uses it as an offset.
2420     	err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421     	if (err < 0)
2422     		goto out;
2423
2424     	free(dstbuf);
2425     	*fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2410             in boot_get_fdt_fit_into_buffer()
2404     	 */
2405     	if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406     		goto out;
2407
2408     	/* Try to reuse existing destination buffer if it is large enough. */
2409     	if (dstbuf && dstlen >= newdstlen) {
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->totalsize" to "fdt_open_into", which uses it as an offset.
2410     		err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411     		goto out;
2412     	}
2413
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
/boot/image-fit.c: 2410             in boot_get_fdt_fit_into_buffer()
2404     	 */
2405     	if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406     		goto out;
2407
2408     	/* Try to reuse existing destination buffer if it is large enough. */
2409     	if (dstbuf && dstlen >= newdstlen) {
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_struct" to "fdt_open_into", which uses it as an offset.
2410     		err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411     		goto out;
2412     	}
2413
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

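The message above leaves open whether the header fields Coverity names (`totalsize`, `size_dt_struct`, `size_dt_strings`) have already been validated before `fdt_open_into` uses them as offsets. The C below is an added example for this page, not U-Boot or libfdt code, showing what that validation looks like on a raw blob: every offset/size pair is bounds-checked against `totalsize` without integer overflow, and `totalsize` itself is checked against the buffer actually held. The header layout (ten big-endian u32 fields, magic `0xd00dfeed`, `size_dt_struct` present from version 17) follows the flattened device tree format; the function names, error codes and the 64-byte sample blob are this example's own constructions. In real code a caller would normally use libfdt's `fdt_check_header()`, which performs checks of this kind.

```c
/*
 * Added example, not U-Boot or libfdt code. Sanity-checks a flattened
 * device tree header before any of its offsets/sizes are trusted.
 * Error codes, function names and the sample blob are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FDT_MAGIC    0xd00dfeedu
#define FDT_HDR_SIZE 40u   /* ten big-endian u32 fields */
#define FDT_END      0x9u

enum fdt_hdr_err {
	FDT_HDR_OK = 0,
	FDT_HDR_ERR_TRUNCATED = -1, /* buffer shorter than the header */
	FDT_HDR_ERR_MAGIC = -2,
	FDT_HDR_ERR_VERSION = -3,   /* size_dt_struct only exists from v17 */
	FDT_HDR_ERR_TOTALSIZE = -4, /* totalsize larger than what we hold */
	FDT_HDR_ERR_STRUCT = -5,    /* struct block outside blob or misaligned */
	FDT_HDR_ERR_STRINGS = -6,   /* strings block outside blob */
	FDT_HDR_ERR_RSVMAP = -7,    /* reservation map outside blob or misaligned */
};

struct fdt_hdr {
	uint32_t magic, totalsize, off_dt_struct, off_dt_strings, off_mem_rsvmap;
	uint32_t version, last_comp_version, boot_cpuid_phys;
	uint32_t size_dt_strings, size_dt_struct;
};

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

/* [off, off + size) must lie inside total; written to avoid overflow. */
static int block_fits(uint32_t off, uint32_t size, uint32_t total)
{
	return off >= FDT_HDR_SIZE && off <= total && size <= total - off;
}

/* Returns FDT_HDR_OK or the first failed check; trusts nothing in buf. */
int fdt_header_check(const uint8_t *buf, size_t buflen)
{
	struct fdt_hdr h;

	if (buflen < FDT_HDR_SIZE)
		return FDT_HDR_ERR_TRUNCATED;
	h.magic = be32(buf);               h.totalsize = be32(buf + 4);
	h.off_dt_struct = be32(buf + 8);   h.off_dt_strings = be32(buf + 12);
	h.off_mem_rsvmap = be32(buf + 16); h.version = be32(buf + 20);
	h.last_comp_version = be32(buf + 24); h.boot_cpuid_phys = be32(buf + 28);
	h.size_dt_strings = be32(buf + 32); h.size_dt_struct = be32(buf + 36);

	if (h.magic != FDT_MAGIC)
		return FDT_HDR_ERR_MAGIC;
	if (h.version < 17 || h.last_comp_version > h.version)
		return FDT_HDR_ERR_VERSION;
	/* totalsize is the attacker-controlled field everything else keys off. */
	if (h.totalsize < FDT_HDR_SIZE || h.totalsize > buflen)
		return FDT_HDR_ERR_TOTALSIZE;
	if ((h.off_dt_struct & 3) ||
	    !block_fits(h.off_dt_struct, h.size_dt_struct, h.totalsize))
		return FDT_HDR_ERR_STRUCT;
	if (!block_fits(h.off_dt_strings, h.size_dt_strings, h.totalsize))
		return FDT_HDR_ERR_STRINGS;
	/* Reservation map needs room for at least its 16-byte terminator. */
	if ((h.off_mem_rsvmap & 7) ||
	    !block_fits(h.off_mem_rsvmap, 16, h.totalsize))
		return FDT_HDR_ERR_RSVMAP;
	return FDT_HDR_OK;
}

static void put32(uint8_t *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Constructed 64-byte blob: header, empty reservation map, one FDT_END
 * token, four bytes of strings. Minimal on purpose, not a real tree. */
size_t make_sample_blob(uint8_t *out, size_t outlen)
{
	if (outlen < 64)
		return 0;
	memset(out, 0, 64);
	put32(out + 0, FDT_MAGIC); put32(out + 4, 64);  /* totalsize */
	put32(out + 8, 56);        put32(out + 12, 60); /* struct / strings */
	put32(out + 16, 40);       put32(out + 20, 17); /* rsvmap / version */
	put32(out + 24, 16);       put32(out + 28, 0);  /* last_comp / cpuid */
	put32(out + 32, 4);        put32(out + 36, 4);  /* size strings/struct */
	put32(out + 56, FDT_END);
	return 64;
}

int main(void)
{
	uint8_t blob[64];

	make_sample_blob(blob, sizeof blob);
	printf("valid blob: %d\n", fdt_header_check(blob, sizeof blob));
	blob[36] = blob[37] = blob[38] = blob[39] = 0xff; /* huge size_dt_struct */
	printf("oversized struct block: %d\n", fdt_header_check(blob, sizeof blob));
	return 0;
}
```

Once a check like this has passed, the three fields Coverity marks as tainted are bounded by `totalsize`, which is itself bounded by the buffer length, so their later use as offsets inside `fdt_open_into` can no longer reach outside the source blob; that is the condition under which marking the report as "intentional, inputs already checked" is justified.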

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-03-09 21:23 Tom Rini
  2026-03-09 22:05 ` Raphaël Gallais-Pou
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2026-03-09 21:23 UTC (permalink / raw)
  To: u-boot, Simon Glass, Raphael Gallais-Pou, Patrick Delaunay,
	Patrice Chotard

Hey all,

Unfortunately for such a small set of changes (rc3 to rc4) a lot of new
Coverity scan issues have popped up. Please let me know if these appear
to be real issues or something that we can mark as intentional / false
positive. Thanks!

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Mar 9, 2026, 2:11 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 4
   - *Defects Shown:* Showing 4 of 4 defect(s)

Defect Details


** CID 644836:       Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 497           in stm32_dsi_probe()


_____________________________________________________________________________________________
*** CID 644836:         Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 497             in stm32_dsi_probe()
491     	priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
492     	if (priv->hw_version != HWVER_130 &&
493     	    priv->hw_version != HWVER_131) {
494     		dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
495     		dev_dbg(dev, "remove and unbind all DSI child\n");
496     		device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
>>>     CID 644836:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "device_chld_unbind" without checking return value (as is done elsewhere 6 out of 7 times).
497     		device_chld_unbind(dev, NULL);
498     		ret = -ENODEV;
499     		goto err_clk;
500     	}
501
502     	return 0;

** CID 644835:         (TAINTED_SCALAR)
/common/menu.c: 589           in bootmenu_loop()
/common/menu.c: 589           in bootmenu_loop()


_____________________________________________________________________________________________
*** CID 644835:           (TAINTED_SCALAR)
/common/menu.c: 589             in bootmenu_loop()
583     			c = cli_ch_process(cch, c);
584     		}
585     	}
586
587     	key = bootmenu_conv_key(c);
588
>>>     CID 644835:           (TAINTED_SCALAR)
>>>     Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
589     	if (key == BKEY_NONE && isalnum(c)) {
590     		key = BKEY_SHORTCUT;
591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592     	}
593
594     	return key;
/common/menu.c: 589             in bootmenu_loop()
583     			c = cli_ch_process(cch, c);
584     		}
585     	}
586
587     	key = bootmenu_conv_key(c);
588
>>>     CID 644835:           (TAINTED_SCALAR)
>>>     Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
589     	if (key == BKEY_NONE && isalnum(c)) {
590     		key = BKEY_SHORTCUT;
591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592     	}
593
594     	return key;

** CID 644834:       Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 496           in stm32_dsi_probe()


_____________________________________________________________________________________________
*** CID 644834:         Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 496             in stm32_dsi_probe()
490     	/* check hardware version */
491     	priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
492     	if (priv->hw_version != HWVER_130 &&
493     	    priv->hw_version != HWVER_131) {
494     		dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
495     		dev_dbg(dev, "remove and unbind all DSI child\n");
>>>     CID 644834:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "device_chld_remove" without checking return value (as is done elsewhere 4 out of 5 times).
496     		device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
497     		device_chld_unbind(dev, NULL);
498     		ret = -ENODEV;
499     		goto err_clk;
500     	}
501

** CID 644833:       Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/menu.c: 589           in bootmenu_loop()


_____________________________________________________________________________________________
*** CID 644833:         Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/menu.c: 589             in bootmenu_loop()
583     			c = cli_ch_process(cch, c);
584     		}
585     	}
586
587     	key = bootmenu_conv_key(c);
588
>>>     CID 644833:         Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "c" as an index to array "_ctype".
589     	if (key == BKEY_NONE && isalnum(c)) {
590     		key = BKEY_SHORTCUT;
591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592     	}
593
594     	return key;



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-03-09 21:23 Tom Rini
@ 2026-03-09 22:05 ` Raphaël Gallais-Pou
  2026-03-09 22:13   ` Tom Rini
  0 siblings, 1 reply; 105+ messages in thread
From: Raphaël Gallais-Pou @ 2026-03-09 22:05 UTC (permalink / raw)
  To: Tom Rini, u-boot, Simon Glass, Patrick Delaunay, Patrice Chotard
  Cc: Raphael Gallais-Pou

Hi Tom,

Regarding both stm32_dsi errors:

It seems those errors are not linked to the patch you merged recently, 
because it does not change the lines mentioned by Coverity.

Calls to device_chld_{remove, unbind} are introduced by commit 
a6d047c0a86b ("video: stm32: remove all child of DSI bridge when its 
probe failed").

My guess is that since my patch changed the file, it triggered the 
Coverity Scan for the whole file.

Regardless, ret is overwritten right after the calls, so I don't think 
checking the return value matters here except if there is log information.

Tell me if you want me to provide a fix, but in this case I'm not sure 
I see the point.

Best regards,
Raphaël

On 3/9/26 22:23, Tom Rini wrote:
> Hey all,
> 
> Unfortunately for such a small set of changes (rc3 to rc4) a lot of new
> Coverity scan issues have popped up. Please let me know if these appear
> to be real issues or something that we can mark as intentional / false
> positive. Thanks!
> 
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, Mar 9, 2026, 2:11 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> 
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
> 
>     - *New Defects Found:* 4
>     - *Defects Shown:* Showing 4 of 4 defect(s)
> 
> Defect Details
> 
> 
> ** CID 644836:       Error handling issues  (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 497           in stm32_dsi_probe()
> 
> 
> _____________________________________________________________________________________________
> *** CID 644836:         Error handling issues  (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 497             in stm32_dsi_probe()
> 491     	priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
> 492     	if (priv->hw_version != HWVER_130 &&
> 493     	    priv->hw_version != HWVER_131) {
> 494     		dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
> 495     		dev_dbg(dev, "remove and unbind all DSI child\n");
> 496     		device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
>>>>      CID 644836:         Error handling issues  (CHECKED_RETURN)
>>>>      Calling "device_chld_unbind" without checking return value (as is done elsewhere 6 out of 7 times).
> 497     		device_chld_unbind(dev, NULL);
> 498     		ret = -ENODEV;
> 499     		goto err_clk;
> 500     	}
> 501
> 502     	return 0;
> 
> ** CID 644835:         (TAINTED_SCALAR)
> /common/menu.c: 589           in bootmenu_loop()
> /common/menu.c: 589           in bootmenu_loop()
> 
> 
> _____________________________________________________________________________________________
> *** CID 644835:           (TAINTED_SCALAR)
> /common/menu.c: 589             in bootmenu_loop()
> 583     			c = cli_ch_process(cch, c);
> 584     		}
> 585     	}
> 586
> 587     	key = bootmenu_conv_key(c);
> 588
>>>>      CID 644835:           (TAINTED_SCALAR)
>>>>      Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
> 589     	if (key == BKEY_NONE && isalnum(c)) {
> 590     		key = BKEY_SHORTCUT;
> 591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
> 592     	}
> 593
> 594     	return key;
> /common/menu.c: 589             in bootmenu_loop()
> 583     			c = cli_ch_process(cch, c);
> 584     		}
> 585     	}
> 586
> 587     	key = bootmenu_conv_key(c);
> 588
>>>>      CID 644835:           (TAINTED_SCALAR)
>>>>      Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
> 589     	if (key == BKEY_NONE && isalnum(c)) {
> 590     		key = BKEY_SHORTCUT;
> 591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
> 592     	}
> 593
> 594     	return key;
> 
> ** CID 644834:       Error handling issues  (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 496           in stm32_dsi_probe()
> 
> 
> _____________________________________________________________________________________________
> *** CID 644834:         Error handling issues  (CHECKED_RETURN)
> /drivers/video/stm32/stm32_dsi.c: 496             in stm32_dsi_probe()
> 490     	/* check hardware version */
> 491     	priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
> 492     	if (priv->hw_version != HWVER_130 &&
> 493     	    priv->hw_version != HWVER_131) {
> 494     		dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
> 495     		dev_dbg(dev, "remove and unbind all DSI child\n");
>>>>      CID 644834:         Error handling issues  (CHECKED_RETURN)
>>>>      Calling "device_chld_remove" without checking return value (as is done elsewhere 4 out of 5 times).
> 496     		device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
> 497     		device_chld_unbind(dev, NULL);
> 498     		ret = -ENODEV;
> 499     		goto err_clk;
> 500     	}
> 501
> 
> ** CID 644833:       Memory - illegal accesses  (NEGATIVE_RETURNS)
> /common/menu.c: 589           in bootmenu_loop()
> 
> 
> _____________________________________________________________________________________________
> *** CID 644833:         Memory - illegal accesses  (NEGATIVE_RETURNS)
> /common/menu.c: 589             in bootmenu_loop()
> 583     			c = cli_ch_process(cch, c);
> 584     		}
> 585     	}
> 586
> 587     	key = bootmenu_conv_key(c);
> 588
>>>>      CID 644833:         Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>>      Using variable "c" as an index to array "_ctype".
> 589     	if (key == BKEY_NONE && isalnum(c)) {
> 590     		key = BKEY_SHORTCUT;
> 591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
> 592     	}
> 593
> 594     	return key;
> 
> 
> 
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
> 
> Best regards,
> 
> The Coverity Scan Admin Team
> 
> ----- End forwarded message -----
> 

* Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
  2026-03-09 22:05 ` Raphaël Gallais-Pou
@ 2026-03-09 22:13   ` Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-03-09 22:13 UTC (permalink / raw)
  To: Raphaël Gallais-Pou
  Cc: u-boot, Simon Glass, Patrick Delaunay, Patrice Chotard,
	Raphael Gallais-Pou

On Mon, Mar 09, 2026 at 11:05:27PM +0100, Raphaël Gallais-Pou wrote:
> Hi Tom,
> 
> Regarding both stm32_dsi errors:
> 
> It seems those errors are not linked to the patch you merged recently,
> because it does not change the lines mentioned by Coverity.

Ah, likely so, yes.

> Calls to device_chld_{remove, unbind} are introduced by commit a6d047c0a86b
> ("video: stm32: remove all child of DSI bridge when its probe failed").
> 
> My guess is that since my patch changed the file, it triggered the Coverity
> Scan for the whole file.
> 
> Regardless, ret is overwritten right after the calls, so I don't think
> checking the return value matters here except if there is log information.
> 
> Tell me if you want me to provide a fix, but in this case I'm not sure I
> see the point.

It would be good to match the usual pattern (drivers/scsi/scsi.c and
drivers/ata/sata.c) even if it's an unlikely chain of events. Please send
a patch, thanks!

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-04-06 19:12 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-04-06 19:12 UTC (permalink / raw)
  To: u-boot
  Cc: Kory Maincent, Dan Carpenter, Varadarajan Narayanan, Bo-Chen Chen,
	David Lechner, Raymond Mao, Ilias Apalodimas

Here's the latest report, now that I've merged next to master, locally
at least.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 6, 2026 at 12:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 11
   - 15 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 11 of 11 defect(s)

Defect Details

** CID 645496:         (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94           in parse_config()
/tools/fwumdata_src/fwumdata.c: 101           in parse_config()


_____________________________________________________________________________________________
*** CID 645496:           (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94             in parse_config()
88     			    &devname,
89     			    &devices[i].devoff,
90     			    &devices[i].mdata_size,
91     			    &devices[i].erase_size);
92
93     		if (rc < 3) {
>>>     CID 645496:           (USE_AFTER_FREE)
>>>     Calling "free" frees pointer "devname" which has already been freed.
94     			free(devname);
95     			continue;
96     		}
97
98     		if (rc < 4)
99     			devices[i].erase_size = devices[i].mdata_size;
/tools/fwumdata_src/fwumdata.c: 101             in parse_config()
95     			continue;
96     		}
97
98     		if (rc < 4)
99     			devices[i].erase_size = devices[i].mdata_size;
100
>>>     CID 645496:           (USE_AFTER_FREE)
>>>     Using freed pointer "devname".
101     		devices[i].devname = devname;
102     		i++;
103     	}
104
105     	free(line);
106     	fclose(fp);

** CID 645495:       Uninitialized variables  (UNINIT)
/fs/fat/fat.c: 175           in disk_rw()


_____________________________________________________________________________________________
*** CID 645495:         Uninitialized variables  (UNINIT)
/fs/fat/fat.c: 175             in disk_rw()
169     		}
170     	}
171     exit:
172     	if (block)
173     		free(block);
174
>>>     CID 645495:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
175     	return (ret == -1) ? -1 : nr_sect;
176     }
177
178     static int disk_read(__u32 sect, __u32 nr_sect, void *buf)
179     {
180     	return disk_rw(sect, nr_sect, buf, true);

** CID 645494:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287           in
mt6359_get_voltage_sel()


_____________________________________________________________________________________________
*** CID 645494:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287             in
mt6359_get_voltage_sel()
281
282     	selector = pmic_reg_read(dev->parent, info->desc.vsel_reg);
283     	if (selector < 0)
284     		return selector;
285
286     	selector &= info->desc.vsel_mask;
>>>     CID 645494:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
287     	selector >>= ffs(info->desc.vsel_mask) - 1;
288
289     	return selector;
290     }
291
292     static int mt6359p_vemc_get_voltage_sel(struct udevice *dev,
struct mt6359_regulator_info *info)

** CID 645493:       Control flow issues  (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206           in
scmi_pinctrl_settings_get_one()


_____________________________________________________________________________________________
*** CID 645493:         Control flow issues  (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206             in
scmi_pinctrl_settings_get_one()
200
201     	msg.out_msg = (u8 *)out;
202     	msg.out_msg_sz = out_sz;
203     	in.id = selector;
204     	in.attr = 0;
205     	if (config_type == SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
>>>     CID 645493:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "in.attr" inside this statement: "in.attr = ({
  ({
    do  {...".
206     		in.attr = FIELD_PREP(GENMASK(19, 18), 2);
207     	in.attr |= FIELD_PREP(GENMASK(17, 16), select_type);
208     	if (config_type != SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
209     		in.attr |= FIELD_PREP(GENMASK(7, 0), config_type);
210
211     	ret = devm_scmi_process_msg(dev, &msg);

** CID 645492:         (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173           in get_fwu_mdata_dev()
/drivers/fwu-mdata/raw_mtd.c: 183           in get_fwu_mdata_dev()


_____________________________________________________________________________________________
*** CID 645492:           (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173             in get_fwu_mdata_dev()
167     	}
168
169     	/* Get the offset of primary and secondary mdata */
170     	ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 0, &label);
171     	if (ret)
172     		return ret;
>>>     CID 645492:           (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->pri_label" of size 50 bytes might leave the destination string unterminated.
173     	strncpy(mtd_priv->pri_label, label, 50);
174
175     	ret = flash_partition_offset(mtd_dev, mtd_priv->pri_label, &offset);
176     	if (ret <= 0)
177     		return ret;
178     	mtd_priv->pri_offset = offset;
/drivers/fwu-mdata/raw_mtd.c: 183             in get_fwu_mdata_dev()
177     		return ret;
178     	mtd_priv->pri_offset = offset;
179
180     	ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 1, &label);
181     	if (ret)
182     		return ret;
>>>     CID 645492:           (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->sec_label" of size 50 bytes might leave the destination string unterminated.
183     	strncpy(mtd_priv->sec_label, label, 50);
184
185     	ret = flash_partition_offset(mtd_dev, mtd_priv->sec_label, &offset);
186     	if (ret <= 0)
187     		return ret;
188     	mtd_priv->sec_offset = offset;

** CID 645491:       Security best practices violations  (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244           in fwu_mtd_image_info_populate()


_____________________________________________________________________________________________
*** CID 645491:         Security best practices violations  (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244             in fwu_mtd_image_info_populate()
238     			ofnode_read_u32(image, "size", &image_size);
239
240     			mtd_images[off_img].start = bank_offset + image_offset;
241     			mtd_images[off_img].size = image_size;
242     			mtd_images[off_img].bank_num = bank_num;
243     			mtd_images[off_img].image_num = image_num;
>>>     CID 645491:         Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 37-character fixed-size string "mtd_images[off_img].uuidbuf" by copying "uuid" without checking the length.
244     			strcpy(mtd_images[off_img].uuidbuf, uuid);
245     			log_debug("\tImage%d: %s @0x%x\n\n",
246     				  image_num, uuid, bank_offset + image_offset);
247     			off_img++;
248     		}
249     	}

** CID 645490:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245           in
mt6359p_vemc_set_voltage_sel()


_____________________________________________________________________________________________
*** CID 645490:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245             in
mt6359p_vemc_set_voltage_sel()
239
240     static int mt6359p_vemc_set_voltage_sel(struct udevice *dev,
241     					struct mt6359_regulator_info *info, unsigned int sel)
242     {
243     	int ret;
244
>>>     CID 645490:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
245     	sel <<= ffs(info->desc.vsel_mask) - 1;
246     	ret = pmic_reg_write(dev->parent, MT6359P_TMA_KEY_ADDR, MT6359P_TMA_KEY);
247     	if (ret)
248     		return ret;
249
250     	ret = pmic_reg_read(dev->parent, MT6359P_VM_MODE_ADDR);

** CID 645489:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234           in mt6359_set_voltage_sel_regmap()


_____________________________________________________________________________________________
*** CID 645489:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234             in mt6359_set_voltage_sel_regmap()
228     };
229
230     static int mt6359_set_voltage_sel_regmap(struct udevice *dev,
231     					 struct mt6359_regulator_info *info,
232     					 unsigned int sel)
233     {
>>>     CID 645489:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
234     	sel <<= ffs(info->desc.vsel_mask) - 1;
235
236     	return pmic_clrsetbits(dev->parent, info->desc.vsel_reg,
237     			       info->desc.vsel_mask, sel);
238     }
239

** CID 645488:       Error handling issues  (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189           in read_device()


_____________________________________________________________________________________________
*** CID 645488:         Error handling issues  (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189             in read_device()
183     {
184     	if (lseek(dev->fd, dev->devoff, SEEK_SET) < 0) {
185     		fprintf(stderr, "Seek failed: %s\n", strerror(errno));
186     		return -errno;
187     	}
188
>>>     CID 645488:         Error handling issues  (CHECKED_RETURN)
>>>     "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
189     	if (read(dev->fd, buf, count) < 0) {
190     		fprintf(stderr, "Read failed: %s\n", strerror(errno));
191     		return -errno;
192     	}
193
194     	return 0;

** CID 645487:       Insecure data handling  (TAINTED_SCALAR)
/lib/smbios.c: 1099           in smbios_write_type9_1slot()


_____________________________________________________________________________________________
*** CID 645487:         Insecure data handling  (TAINTED_SCALAR)
/lib/smbios.c: 1099             in smbios_write_type9_1slot()
1093     	 * TODO:
1094     	 * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
1095     	 */
1096     	len += pgroups_size;
1097
1098     	t = map_sysmem(*current, len);
>>>     CID 645487:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1099     	memset(t, 0, len);
1100
1101     	fill_smbios_header(t, SMBIOS_SYSTEM_SLOTS, len, handle);
1102
1103     	/* eos is at the end of the structure */
1104     	eos_addr = (u8 *)t + len - sizeof(t->eos);

** CID 645486:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312           in mt6359p_vemc_get_voltage_sel()


_____________________________________________________________________________________________
*** CID 645486:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312             in mt6359p_vemc_get_voltage_sel()
306     		return -EINVAL;
307     	}
308     	if (selector < 0)
309     		return selector;
310
311     	selector &= info->desc.vsel_mask;
>>>     CID 645486:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
312     	selector >>= ffs(info->desc.vsel_mask) - 1;
313
314     	return selector;
315     }
316
317     static int mt6359_get_enable(struct udevice *dev)



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom
