From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 532E2C7EE25 for ; Mon, 15 May 2023 22:00:01 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 1B65184670; Mon, 15 May 2023 23:59:59 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="WaKSnW6g"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 0DEE98466F; Mon, 15 May 2023 23:59:57 +0200 (CEST) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by phobos.denx.de (Postfix) with ESMTP id 02FB6846BD for ; Mon, 15 May 2023 23:59:54 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=emohandesi@linux.microsoft.com Received: from [192.168.1.15] (cpe-76-184-105-90.tx.res.rr.com [76.184.105.90]) by linux.microsoft.com (Postfix) with ESMTPSA id 2ECE520EBE2D; Mon, 15 May 2023 14:59:52 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 2ECE520EBE2D DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1684187992; bh=BrIif2M6+Ib/y8FMZvVzYsj6Wk7bHq7LX5nPq3+J8l8=; h=Date:From:Subject:To:Cc:References:In-Reply-To:From; b=WaKSnW6g5n9t76zjYSnMFlMNNKof/URcB4wxVNmrTfteOlvh0WWp2FGLShZYgZBJW dvFy1tKD9nKYxySJJlkBV6muRhCAEP4EvYYOO2YozF9rHOzbSstqTwypHTmUQz3IbN Dy1JdWsyMl+C0o5mDRmG3z6KyYugDomUEB6M9+QY= Message-ID: <4ab5e4f6-e99f-cc8b-5fae-a06aeecad2fe@linux.microsoft.com> Date: Mon, 15 May 2023 16:59:46 -0500 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0 From: Ehsan Mohandesi Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot To: Tom Rini , u-boot@lists.denx.de Cc: Sean Edmond References: <20230508202020.GI2398826@bill-the-cat> Content-Language: en-US In-Reply-To: <20230508202020.GI2398826@bill-the-cat> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.39 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean On 5/8/2023 3:20 PM, Tom Rini wrote: > Here's the latest defect report: > > ---------- Forwarded message --------- > From: > Date: Mon, May 8, 2023, 2:29 PM > Subject: New Defects reported by Coverity Scan for Das U-Boot > To: > > > Hi, > > Please find the latest report on new defect(s) introduced to Das U-Boot > found with Coverity Scan. > > 5 new defect(s) introduced to Das U-Boot found with Coverity Scan. > 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the > recent build analyzed by Coverity Scan. > > New defect(s) Reported-by: Coverity Scan > Showing 5 of 5 defect(s) > > > ** CID 450971: Insecure data handling (TAINTED_SCALAR) > /net/ndisc.c: 391 in process_ra() > > > ________________________________________________________________________________________________________ > *** CID 450971: Insecure data handling (TAINTED_SCALAR) > /net/ndisc.c: 391 in process_ra() > 385 /* Ignore the packet if router lifetime is 0. */ > 386 if (!icmp->icmp6_rt_lifetime) > 387 return -EOPNOTSUPP; > 388 > 389 /* Processing the options */ > 390 option = msg->opt; >>>> CID 450971: Insecure data handling (TAINTED_SCALAR) >>>> Using tainted variable "remaining_option_len" as a loop boundary. > 391 while (remaining_option_len > 0) { > 392 /* The 2nd byte of the option is its length. */ > 393 option_len = option[1]; > 394 /* All included options should have a positive > length. */ > 395 if (option_len == 0) > 396 return -EINVAL; The problem here is that although the lower bound of the variable remaining_option_len is checked, the upper bound is not checked. Coverity is complaining that the function's argument len which is read from a packet content is assigned to remaining_option_len and therefore has made it a tainted scalar. I will compare the value of len with ETH_MAX_MTU constant and make sure it is less than that as shown below. if(len > ETH_MAX_MTU) return-EMSGSIZE; > ** CID 450969: Security best practices violations (DC.WEAK_CRYPTO) > /net/ndisc.c: 209 in ip6_send_rs() > > > ________________________________________________________________________________________________________ > *** CID 450969: Security best practices violations (DC.WEAK_CRYPTO) > /net/ndisc.c: 209 in ip6_send_rs() > 203 icmp_len, PROT_ICMPV6, pcsum); > 204 msg->icmph.icmp6_cksum = csum; > 205 pkt += icmp_len; > 206 > 207 /* Wait up to 1 second if it is the first try to get the RA > */ > 208 if (retry_count == 0) >>>> CID 450969: Security best practices violations (DC.WEAK_CRYPTO) >>>> "rand" should not be used for security-related applications, > because linear congruential algorithms are too easy to break. > 209 udelay(((unsigned int)rand() % 1000000) * > MAX_SOLICITATION_DELAY); > 210 > 211 /* send it! */ > 212 net_send_packet(net_tx_packet, (pkt - net_tx_packet)); > 213 > 214 retry_count++; This is a false positive. The function rand() is not used for encryption here. It is used to just make a random delay to avoid collisions on the network. It has nothing to do with encryption.