From: Guillaume La Roque <glaroque@baylibre.com>
To: Tom Rini <trini@konsulko.com>, u-boot@lists.denx.de
Cc: Mattijs Korpershoek <mkorpershoek@kernel.org>
Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Mon, 9 Feb 2026 12:05:40 +0100 [thread overview]
Message-ID: <80dd375b-e905-46c5-b43d-dd4c87e71c98@baylibre.com> (raw)
In-Reply-To: <20260116194323.GP3416603@bill-the-cat>
Hi Tom,
sorry for delay, i check defects please see my comments inline
Le 16/01/2026 à 20:43, Tom Rini a écrit :
> Hey all,
>
> Here's the latest report from Coverity scan. For the LZMA ones, the
> _pad_ stuff seems to be a false positive (the _pad_ byte is just for
> padding and not refernced) and the flow control one is how that's
> written for whatever reason the upstream author wanted it like that.
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Fri, Jan 16, 2026 at 1:06 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 7
> - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 7 of 7 defect(s)
>
> Defect Details
>
> ** CID 641431: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641431: (TAINTED_SCALAR)
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 433 in android_image_get_kernel()
> 427 if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
> 433 env_set("bootargs", newbootargs);
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> /boot/image-android.c: 434 in android_image_get_kernel()
> 428 if (*newbootargs) /* If there is something in newbootargs, a
> space is needed */
> 429 strcat(newbootargs, " ");
> 430 strcat(newbootargs, img_data.kcmdline_extra);
> 431 }
> 432
> 433 env_set("bootargs", newbootargs);
>>>> CID 641431: (TAINTED_SCALAR)
>>>> Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
For CID 641431 : for me it's a false positives defect, malloc was done
with strlen return and free done on malloc pointer.
> 434 free(newbootargs);
> 435
> 436 if (os_data) {
> 437 if (image_get_magic(ihdr) == IH_MAGIC) {
> 438 *os_data = image_get_data(ihdr);
> 439 } else {
>
> ** CID 641430: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641430: (TAINTED_SCALAR)
> /cmd/abootimg.c: 244 in abootimg_get_ramdisk()
> 238 &rd_data, &rd_len))
> 239 return CMD_RET_FAILURE;
> 240
> 241 if (argc == 0) {
> 242 printf("%lx\n", rd_data);
> 243 } else {
>>>> CID 641430: (TAINTED_SCALAR)
>>>> Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
> 244 env_set_hex(argv[0], rd_data);
> 245 if (argc == 2)
> 246 env_set_hex(argv[1], rd_len);
> 247 }
> 248
> 249 return CMD_RET_SUCCESS;
> /cmd/abootimg.c: 246 in abootimg_get_ramdisk()
> 240
> 241 if (argc == 0) {
> 242 printf("%lx\n", rd_data);
> 243 } else {
> 244 env_set_hex(argv[0], rd_data);
> 245 if (argc == 2)
>>>> CID 641430: (TAINTED_SCALAR)
>>>> Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.
CID 641430: false positive too. env_set_hex convert value on an env variable , so convert rd_len and rd_data
in variable.
> 246 env_set_hex(argv[1], rd_len);
> 247 }
> 248
> 249 return CMD_RET_SUCCESS;
> 250 }
> 251
>
> ** CID 641429: Insecure data handling (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641429: Insecure data handling (TAINTED_SCALAR)
> /boot/image-android.c: 307 in android_image_get_data()
> 301 printf("Incorrect vendor boot image header\n");
> 302 unmap_sysmem(vhdr);
> 303 unmap_sysmem(bhdr);
> 304 return false;
> 305 }
> 306 android_boot_image_v3_v4_parse_hdr((const struct
> andr_boot_img_hdr_v3 *)bhdr, data);
>>>> CID 641429: Insecure data handling (TAINTED_SCALAR)
>>>> Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.
CID 641429: False positive too. "vhdr->bootconfig_size" come from android image so external source , not possible to validate if value is good or not except when AVB feature was enabled
> 307 android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
> 308 unmap_sysmem(vhdr);
> 309 } else {
> 310 android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
> 311 }
> 312
>
> ** CID 641428: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 641428: (TAINTED_SCALAR)
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
> /boot/image-android.c: 658 in android_image_set_bootconfig()
> 652 total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
> 653
> 654 /* Map Dest */
> 655 ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
> 656
> 657 /* Copy data */
>>>> CID 641428: (TAINTED_SCALAR)
>>>> Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
CID 641428: for me it's false positive too. img_data.boot_ramdisk_size and vendor_ramdisk_size come from android image, it could be corrupted if we corrupt android image but it's an external source so difficult to say if value is corrupted or not , it's why on real device we have AB features to check it.
> 658 ret = android_boot_append_bootconfig(&img_data, params, params_len,
> 659 ramdisk_dest);
> 660
> 661 unmap_sysmem(ramdisk_dest);
> 662 free(params);
> 663 free(new_bootargs);
>
> ** CID 332278: Control flow issues (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
>
>
> _____________________________________________________________________________________________
> *** CID 332278: Control flow issues (UNREACHABLE)
> /lib/lzma/LzmaDec.c: 720 in LzmaDec_TryDummy()
> 714 UInt32 code = p->code;
> 715 const Byte *bufLimit = *bufOut;
> 716 const CLzmaProb *probs = GET_PROBS;
> 717 unsigned state = (unsigned)p->state;
> 718 ELzmaDummy res;
> 719
>>>> CID 332278: Control flow issues (UNREACHABLE)
>>>> Since the loop increment is unreachable, the loop body will never execute more than once.
> 720 for (;;)
> 721 {
> 722 const CLzmaProb *prob;
> 723 UInt32 bound;
> 724 unsigned ttt;
> 725 unsigned posState = CALC_POS_STATE(p->processedPos,
> ((unsigned)1 << p->prop.pb) - 1);
>
> ** CID 252901: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
>
>
> _____________________________________________________________________________________________
> *** CID 252901: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1295 in LzmaDec_AllocateProbs()
> 1289
> 1290 SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props,
> unsigned propsSize, ISzAllocPtr alloc)
> 1291 {
> 1292 CLzmaProps propNew;
> 1293 RINOK(LzmaProps_Decode(&propNew, props, propsSize))
> 1294 RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>>> CID 252901: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1295 p->prop = propNew;
> 1296 return SZ_OK;
> 1297 }
> 1298
> 1299 SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props,
> unsigned propsSize, ISzAllocPtr alloc)
> 1300 {
>
> ** CID 252579: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
>
>
> _____________________________________________________________________________________________
> *** CID 252579: Uninitialized variables (UNINIT)
> /lib/lzma/LzmaDec.c: 1327 in LzmaDec_Allocate()
> 1321 {
> 1322 LzmaDec_FreeProbs(p, alloc);
> 1323 return SZ_ERROR_MEM;
> 1324 }
> 1325 }
> 1326 p->dicBufSize = dicBufSize;
>>>> CID 252579: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
> 1327 p->prop = propNew;
> 1328 return SZ_OK;
> 1329 }
> 1330
> 1331 SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src,
> SizeT *srcLen,
> 1332 const Byte *propData, unsigned propSize, ELzmaFinishMode
> finishMode,
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
Regards,
Guillaume
next prev parent reply other threads:[~2026-02-09 11:05 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-16 19:43 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
2026-02-09 11:05 ` Guillaume La Roque [this message]
2026-02-20 16:11 ` Tom Rini
-- strict thread matches above, loose matches on Subject: below --
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-06 20:36 Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-14 23:29 Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-03-11 1:49 Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
2023-05-08 20:20 Tom Rini
2023-05-15 21:59 ` Ehsan Mohandesi
2023-05-18 21:04 ` Sean Edmond
2023-02-14 14:26 Tom Rini
2022-11-21 19:43 Tom Rini
2022-11-09 15:40 Tom Rini
[not found] <62df3a0cb9fd2_30ed5f2acd4da7b9a431758@prd-scan-dashboard-0.mail>
2022-07-26 4:22 ` Heinrich Schuchardt
[not found] <611aaf735d268_21438d2b07184e399c79439@prd-scan-dashboard-0.mail>
2021-08-17 5:21 ` Heinrich Schuchardt
2021-08-17 15:17 ` Tom Rini
[not found] <6082f7faa423_5762a2b148d4af9a86820@prd-scan-dashboard-0.mail>
2021-04-24 4:52 ` Heinrich Schuchardt
[not found] <5ecd3c8249d1_d6f562acb748daf5820386@appnode-2.mail>
[not found] ` <CA+M6bX=AmT+SyM0Snt2POLy0-vpD__6CD4j6ifqMqh63yYJBLA@mail.gmail.com>
[not found] ` <8ea1ca2f-2826-58f2-4b6b-ed5cfe977467@gmx.de>
[not found] ` <20200526184027.GJ12717@bill-the-cat>
2020-05-26 20:02 ` Heinrich Schuchardt
2020-05-26 20:10 ` Tom Rini
2020-05-26 20:36 ` Heinrich Schuchardt
2020-05-26 20:48 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=80dd375b-e905-46c5-b43d-dd4c87e71c98@baylibre.com \
--to=glaroque@baylibre.com \
--cc=mkorpershoek@kernel.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox