public inbox for u-boot@lists.denx.de
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-05 23:58 Tom Rini
  2026-01-06  9:37 ` Mattijs Korpershoek
  2026-01-06 10:03 ` Heiko Schocher
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2026-01-05 23:58 UTC (permalink / raw)
  To: u-boot
  Cc: Dmitrii Merkurev, Mattijs Korpershoek, Neil Armstrong,
	Heiko Schocher, Ilias Apalodimas


Hey all,

Here's the latest report, now that next has been merged to master. A few
of these are oddly showing up now, despite being in older code that
hasn't been touched and was being built before.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 5, 2026 at 3:24 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 15
   - 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 15 of 15 defect(s)

Defect Details

** CID 640423:       Control flow issues  (DEADCODE)
/drivers/fastboot/fb_common.c: 112           in fastboot_set_reboot_flag()


_____________________________________________________________________________________________
*** CID 640423:         Control flow issues  (DEADCODE)
/drivers/fastboot/fb_common.c: 112             in fastboot_set_reboot_flag()
106     	}
107     	const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
108     						   CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
109     						   "mmc");
110
111     	if (device == -1)
>>>     CID 640423:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -22;".
112     		return -EINVAL;
113
114     	if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
115     		return -EINVAL;
116
117     	ret = bcb_find_partition_and_load(bcb_iface, device, "misc");

** CID 640422:       Error handling issues  (CHECKED_RETURN)
/boot/fdt_region.c: 330           in fdt_include_supernodes()


_____________________________________________________________________________________________
*** CID 640422:         Error handling issues  (CHECKED_RETURN)
/boot/fdt_region.c: 330             in fdt_include_supernodes()
324     	 */
325     	for (i = 0; i <= depth; i++) {
326     		if (!info->stack[i].included) {
327     			start = info->stack[i].offset;
328
329     			/* Add the FDT_BEGIN_NODE tag of this supernode */
>>>     CID 640422:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "fdt_next_tag" without checking return value (as is done elsewhere 12 out of 15 times).
330     			fdt_next_tag(info->fdt, start, &stop_at);
331     			if (fdt_add_region(info, base + start, stop_at - start))
332     				return -1;
333
334     			/* Remember that this supernode is now included */
335     			info->stack[i].included = 1;

** CID 640421:       Possible Control flow issues  (DEADCODE)
/drivers/fastboot/fb_block.c: 138           in fastboot_block_get_part_info()


_____________________________________________________________________________________________
*** CID 640421:         Possible Control flow issues  (DEADCODE)
/drivers/fastboot/fb_block.c: 138             in fastboot_block_get_part_info()
132     					      CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
133
134     	if (!part_name || !strcmp(part_name, "")) {
135     		fastboot_fail("partition not given", response);
136     		return -ENOENT;
137     	}
>>>     CID 640421:         Possible Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
138     	if (!interface || !strcmp(interface, "")) {
139     		fastboot_fail("block interface isn't provided", response);
140     		return -EINVAL;
141     	}
142
143     	*dev_desc = blk_get_dev(interface, device);

** CID 640420:       Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49           in env_fat_get_dev_part()


_____________________________________________________________________________________________
*** CID 640420:         Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49             in env_fat_get_dev_part()
43     __weak char *env_fat_get_dev_part(void)
44     {
45     #ifdef CONFIG_MMC
46     	/* reserve one more char for the manipulation below */
47     	static char part_str[] = CONFIG_ENV_FAT_DEVICE_AND_PART "\0";
48
>>>     CID 640420:         Incorrect expression  (CONSTANT_EXPRESSION_RESULT)
>>>     "strcmp("mmc", "mmc")" is always 0 because ""mmc"" is compared against itself.
49     	if (!strcmp(CONFIG_ENV_FAT_INTERFACE, "mmc") && part_str[0] == ':') {
50     		part_str[0] = '0' + mmc_get_env_dev();
51     		strcpy(&part_str[1], CONFIG_ENV_FAT_DEVICE_AND_PART);
52     	}
53
54     	return part_str;

** CID 640419:       Null pointer dereferences  (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144           in fastboot_block_get_part_info()


_____________________________________________________________________________________________
*** CID 640419:         Null pointer dereferences  (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144             in fastboot_block_get_part_info()
138     	if (!interface || !strcmp(interface, "")) {
139     		fastboot_fail("block interface isn't provided", response);
140     		return -EINVAL;
141     	}
142
143     	*dev_desc = blk_get_dev(interface, device);
>>>     CID 640419:         Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
144     	if (!dev_desc) {
145     		fastboot_fail("no such device", response);
146     		return -ENODEV;
147     	}
148
149     	ret = part_get_info_by_name(*dev_desc, part_name, part_info);

** CID 640418:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640418:         Insecure data handling  (TAINTED_SCALAR)
/drivers/core/ofnode.c: 2098             in ofnode_copy_props()
2092
2093     		val = ofprop_get_property(&prop, &name, &len);
2094     		if (!val) {
2095     			log_debug("Cannot read prop (err=%d)\n", len);
2096     			return log_msg_ret("get", -EINVAL);
2097     		}
>>>     CID 640418:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "len" to "ofnode_write_prop", which uses it as an offset.
2098     		ret = ofnode_write_prop(dst, name, val, len, true);
2099     		if (ret) {
2100     			log_debug("Cannot write prop (err=%d)\n", ret);
2101     			return log_msg_ret("wr", -EINVAL);
2102     		}
2103     	}

** CID 640417:       Insecure data handling  (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546           in fdt_get_alias_namelen()


_____________________________________________________________________________________________
*** CID 640417:         Insecure data handling  (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546             in fdt_get_alias_namelen()
540     {
541     	int len;
542     	const char *alias;
543
544     	alias = fdt_path_getprop_namelen(fdt, "/aliases", name, namelen, &len);
545
>>>     CID 640417:         Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "len - 1" as an index to pointer "alias".
546     	if (!can_assume(VALID_DTB) &&
547     	    !(alias && len > 0 && alias[len - 1] == '\0' && *alias == '/'))
548     		return NULL;
549
550     	return alias;
551     }

** CID 640416:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640416:         Insecure data handling  (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_overlay.c: 739             in
overlay_prevent_phandle_overwrite()
733     			 * will be overwritten.
734     			 */
735     			continue;
736     		else if (target < 0)
737     			return target;
738
>>>     CID 640416:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "target" to "overlay_prevent_phandle_overwrite_node", which uses it as a loop boundary.
739     		ret = overlay_prevent_phandle_overwrite_node(fdt, target,
740     							     fdto, overlay);
741     		if (ret)
742     			return ret;
743     	}
744

** CID 640415:       Control flow issues  (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728           in
_wrap_fdt_get_property_by_offset_w()


_____________________________________________________________________________________________
*** CID 640415:         Control flow issues  (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728             in
_wrap_fdt_get_property_by_offset_w()
6722           resultobj = SWIG_Python_AppendOutput(resultobj, buff);
6723         }
6724       }
6725       if (SWIG_IsTmpObj(res3)) {
6726         resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg3)));
6727       } else {
>>>     CID 640415:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res3 >= 0 && ...".
6728         int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN | 0 ) : 0 ;
6729         resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags));
6730       }
6731       return resultobj;
6732     fail:
6733       return NULL;

** CID 640414:       Resource leaks  (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320           in icc_path_init()


_____________________________________________________________________________________________
*** CID 640414:         Resource leaks  (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320             in icc_path_init()
314     		path->reqs[i].node = node;
315     		path->reqs[i].enabled = true;
316
317     		/* Probe this node since used in an active path */
318     		ret = uclass_get_device_tail(node->dev, 0, &node_dev);
319     		if (ret)
>>>     CID 640414:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "path" going out of scope leaks the storage it points to.
320     			return ERR_PTR(ret);
321
322     		node->users++;
323
324     		/* reference to previous node was saved during path traversal */
325     		node = node->reverse;

** CID 536550:       Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57           in read_fstree()


_____________________________________________________________________________________________
*** CID 536550:         Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57             in read_fstree()
51     				fclose(pfile);
52     			}
53     		} else if (S_ISDIR(st.st_mode)) {
54     			struct node *newchild;
55
56     			newchild = read_fstree(tmpname);
>>>     CID 536550:         Resource leaks  (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "xstrdup(de->d_name)" leaks it.
57     			newchild = name_node(newchild, xstrdup(de->d_name));
58     			add_child(tree, newchild);
59     		}
60
61     		free(tmpname);
62     	}

** CID 536369:       Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681           in flat_read_property()


_____________________________________________________________________________________________
*** CID 536369:         Resource leaks  (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681             in flat_read_property()
675
676     	if ((flags & FTF_VARALIGN) && (proplen >= 8))
677     		flat_realign(dtbuf, 8);
678
679     	val = flat_read_data(dtbuf, proplen);
680
>>>     CID 536369:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "name" going out of scope leaks the storage it points to.
681     	return build_property(name, val, NULL);
682     }
683
684     static struct reserve_info *flat_read_mem_reserve(struct inbuf *inb)
685     {
686     	struct reserve_info *reservelist = NULL;

** CID 449815:       Memory - illegal accesses  (OVERRUN)
/lib/sm3.c: 252           in sm3_final()


_____________________________________________________________________________________________
*** CID 449815:         Memory - illegal accesses  (OVERRUN)
/lib/sm3.c: 252             in sm3_final()
246     	unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
247     	u32 W[16];
248     	int i;
249
250     	sctx->buffer[partial++] = 0x80;
251     	if (partial > bit_offset) {
>>>     CID 449815:         Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer "sctx->buffer + partial". [Note: The source code implementation of the function has been overridden by a builtin model.]
252     		memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial);
253     		partial = 0;
254
255     		sm3_block(sctx, sctx->buffer, 1, W);
256     	}
257

** CID 432237:       Null pointer dereferences  (NULL_RETURNS)


_____________________________________________________________________________________________
*** CID 432237:         Null pointer dereferences  (NULL_RETURNS)
/scripts/dtc/checks.c: 1618             in check_interrupt_map()
1612     	if (node->addr_cells < 0) {
1613     		FAIL(c, dti, node,
1614     		     "Missing '#address-cells' in interrupt-map provider");
1615     		return;
1616     	}
1617     	cellsize = node_addr_cells(node);
>>>     CID 432237:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "get_property(node, "#interrupt-cells")" when calling "propval_cell".
1618     	cellsize += propval_cell(get_property(node, "#interrupt-cells"));
1619
1620     	prop = get_property(node, "interrupt-map-mask");
1621     	if (prop && (prop->val.len != (cellsize * sizeof(cell_t))))
1622     		FAIL_PROP(c, dti, node, prop,
1623     			  "property size (%d) is invalid, expected %zu",

** CID 328724:         (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55           in apply_one()
/scripts/dtc/fdtoverlay.c: 69           in apply_one()


_____________________________________________________________________________________________
*** CID 328724:           (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55             in apply_one()
49     	bool has_symbols;
50
51     	/*
52     	 * We take copies first, because a failed apply can trash
53     	 * both the base blob and the overlay
54     	 */
>>>     CID 328724:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "xmalloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
55     	tmpo = xmalloc(fdt_totalsize(overlay));
56
57     	do {
58     		tmp = xrealloc(tmp, *buf_len);
59     		ret = fdt_open_into(base, tmp, *buf_len);
60     		if (ret) {
/scripts/dtc/fdtoverlay.c: 69             in apply_one()
63     				fdt_strerror(ret));
64     			goto fail;
65     		}
66     		ret = fdt_path_offset(tmp, "/__symbols__");
67     		has_symbols = ret >= 0;
68
>>>     CID 328724:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
69     		memcpy(tmpo, overlay, fdt_totalsize(overlay));
70
71     		ret = fdt_overlay_apply(tmp, tmpo);
72     		if (ret == -FDT_ERR_NOSPACE) {
73     			*buf_len += BUF_INCREMENT;
74     		}



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-04-06 19:12 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-04-06 19:12 UTC (permalink / raw)
  To: u-boot
  Cc: Kory Maincent, Dan Carpenter, Varadarajan Narayanan, Bo-Chen Chen,
	David Lechner, Raymond Mao, Ilias Apalodimas


Here's the latest report, now that I've merged next to master, locally
at least.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 6, 2026 at 12:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 11
   - 15 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 11 of 11 defect(s)

Defect Details

** CID 645496:         (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94           in parse_config()
/tools/fwumdata_src/fwumdata.c: 101           in parse_config()


_____________________________________________________________________________________________
*** CID 645496:           (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94             in parse_config()
88     			    &devname,
89     			    &devices[i].devoff,
90     			    &devices[i].mdata_size,
91     			    &devices[i].erase_size);
92
93     		if (rc < 3) {
>>>     CID 645496:           (USE_AFTER_FREE)
>>>     Calling "free" frees pointer "devname" which has already been freed.
94     			free(devname);
95     			continue;
96     		}
97
98     		if (rc < 4)
99     			devices[i].erase_size = devices[i].mdata_size;
/tools/fwumdata_src/fwumdata.c: 101             in parse_config()
95     			continue;
96     		}
97
98     		if (rc < 4)
99     			devices[i].erase_size = devices[i].mdata_size;
100
>>>     CID 645496:           (USE_AFTER_FREE)
>>>     Using freed pointer "devname".
101     		devices[i].devname = devname;
102     		i++;
103     	}
104
105     	free(line);
106     	fclose(fp);

** CID 645495:       Uninitialized variables  (UNINIT)
/fs/fat/fat.c: 175           in disk_rw()


_____________________________________________________________________________________________
*** CID 645495:         Uninitialized variables  (UNINIT)
/fs/fat/fat.c: 175             in disk_rw()
169     		}
170     	}
171     exit:
172     	if (block)
173     		free(block);
174
>>>     CID 645495:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
175     	return (ret == -1) ? -1 : nr_sect;
176     }
177
178     static int disk_read(__u32 sect, __u32 nr_sect, void *buf)
179     {
180     	return disk_rw(sect, nr_sect, buf, true);

** CID 645494:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287           in
mt6359_get_voltage_sel()


_____________________________________________________________________________________________
*** CID 645494:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287             in
mt6359_get_voltage_sel()
281
282     	selector = pmic_reg_read(dev->parent, info->desc.vsel_reg);
283     	if (selector < 0)
284     		return selector;
285
286     	selector &= info->desc.vsel_mask;
>>>     CID 645494:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
287     	selector >>= ffs(info->desc.vsel_mask) - 1;
288
289     	return selector;
290     }
291
292     static int mt6359p_vemc_get_voltage_sel(struct udevice *dev, struct mt6359_regulator_info *info)

** CID 645493:       Control flow issues  (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206           in
scmi_pinctrl_settings_get_one()


_____________________________________________________________________________________________
*** CID 645493:         Control flow issues  (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206             in
scmi_pinctrl_settings_get_one()
200
201     	msg.out_msg = (u8 *)out;
202     	msg.out_msg_sz = out_sz;
203     	in.id = selector;
204     	in.attr = 0;
205     	if (config_type == SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
>>>     CID 645493:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "in.attr" inside this statement: "in.attr = ({
  ({
    do  {...".
206     		in.attr = FIELD_PREP(GENMASK(19, 18), 2);
207     	in.attr |= FIELD_PREP(GENMASK(17, 16), select_type);
208     	if (config_type != SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
209     		in.attr |= FIELD_PREP(GENMASK(7, 0), config_type);
210
211     	ret = devm_scmi_process_msg(dev, &msg);

** CID 645492:         (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173           in get_fwu_mdata_dev()
/drivers/fwu-mdata/raw_mtd.c: 183           in get_fwu_mdata_dev()


_____________________________________________________________________________________________
*** CID 645492:           (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173             in get_fwu_mdata_dev()
167     	}
168
169     	/* Get the offset of primary and secondary mdata */
170     	ret = ofnode_read_string_index(dev_ofnode(dev), "mdata-parts", 0, &label);
171     	if (ret)
172     		return ret;
>>>     CID 645492:           (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->pri_label" of size 50 bytes might leave the destination string unterminated.
173     	strncpy(mtd_priv->pri_label, label, 50);
174
175     	ret = flash_partition_offset(mtd_dev, mtd_priv->pri_label, &offset);
176     	if (ret <= 0)
177     		return ret;
178     	mtd_priv->pri_offset = offset;
/drivers/fwu-mdata/raw_mtd.c: 183             in get_fwu_mdata_dev()
177     		return ret;
178     	mtd_priv->pri_offset = offset;
179
180     	ret = ofnode_read_string_index(dev_ofnode(dev), "mdata-parts", 1, &label);
181     	if (ret)
182     		return ret;
>>>     CID 645492:           (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->sec_label" of size 50 bytes might leave the destination string unterminated.
183     	strncpy(mtd_priv->sec_label, label, 50);
184
185     	ret = flash_partition_offset(mtd_dev, mtd_priv->sec_label, &offset);
186     	if (ret <= 0)
187     		return ret;
188     	mtd_priv->sec_offset = offset;

** CID 645491:       Security best practices violations  (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244           in fwu_mtd_image_info_populate()


_____________________________________________________________________________________________
*** CID 645491:         Security best practices violations  (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244             in fwu_mtd_image_info_populate()
238     			ofnode_read_u32(image, "size", &image_size);
239
240     			mtd_images[off_img].start = bank_offset + image_offset;
241     			mtd_images[off_img].size = image_size;
242     			mtd_images[off_img].bank_num = bank_num;
243     			mtd_images[off_img].image_num = image_num;
>>>     CID 645491:         Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 37-character fixed-size string "mtd_images[off_img].uuidbuf" by copying "uuid" without checking the length.
244     			strcpy(mtd_images[off_img].uuidbuf, uuid);
245     			log_debug("\tImage%d: %s @0x%x\n\n",
246     				  image_num, uuid, bank_offset + image_offset);
247     			off_img++;
248     		}
249     	}

** CID 645490:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245           in
mt6359p_vemc_set_voltage_sel()


_____________________________________________________________________________________________
*** CID 645490:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245             in
mt6359p_vemc_set_voltage_sel()
239
240     static int mt6359p_vemc_set_voltage_sel(struct udevice *dev,
241     					struct mt6359_regulator_info *info, unsigned int sel)
242     {
243     	int ret;
244
>>>     CID 645490:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
245     	sel <<= ffs(info->desc.vsel_mask) - 1;
246     	ret = pmic_reg_write(dev->parent, MT6359P_TMA_KEY_ADDR, MT6359P_TMA_KEY);
247     	if (ret)
248     		return ret;
249
250     	ret = pmic_reg_read(dev->parent, MT6359P_VM_MODE_ADDR);

** CID 645489:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234           in
mt6359_set_voltage_sel_regmap()


_____________________________________________________________________________________________
*** CID 645489:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234             in
mt6359_set_voltage_sel_regmap()
228     };
229
230     static int mt6359_set_voltage_sel_regmap(struct udevice *dev,
231     					 struct mt6359_regulator_info *info,
232     					 unsigned int sel)
233     {
>>>     CID 645489:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
234     	sel <<= ffs(info->desc.vsel_mask) - 1;
235
236     	return pmic_clrsetbits(dev->parent, info->desc.vsel_reg,
237     			       info->desc.vsel_mask, sel);
238     }
239

** CID 645488:       Error handling issues  (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189           in read_device()


_____________________________________________________________________________________________
*** CID 645488:         Error handling issues  (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189             in read_device()
183     {
184     	if (lseek(dev->fd, dev->devoff, SEEK_SET) < 0) {
185     		fprintf(stderr, "Seek failed: %s\n", strerror(errno));
186     		return -errno;
187     	}
188
>>>     CID 645488:         Error handling issues  (CHECKED_RETURN)
>>>     "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
189     	if (read(dev->fd, buf, count) < 0) {
190     		fprintf(stderr, "Read failed: %s\n", strerror(errno));
191     		return -errno;
192     	}
193
194     	return 0;

** CID 645487:       Insecure data handling  (TAINTED_SCALAR)
/lib/smbios.c: 1099           in smbios_write_type9_1slot()


_____________________________________________________________________________________________
*** CID 645487:         Insecure data handling  (TAINTED_SCALAR)
/lib/smbios.c: 1099             in smbios_write_type9_1slot()
1093     	 * TODO:
1094     	 * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
1095     	 */
1096     	len += pgroups_size;
1097
1098     	t = map_sysmem(*current, len);
>>>     CID 645487:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1099     	memset(t, 0, len);
1100
1101     	fill_smbios_header(t, SMBIOS_SYSTEM_SLOTS, len, handle);
1102
1103     	/* eos is at the end of the structure */
1104     	eos_addr = (u8 *)t + len - sizeof(t->eos);

** CID 645486:       Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312           in
mt6359p_vemc_get_voltage_sel()


_____________________________________________________________________________________________
*** CID 645486:         Integer handling issues  (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312             in
mt6359p_vemc_get_voltage_sel()
306     		return -EINVAL;
307     	}
308     	if (selector < 0)
309     		return selector;
310
311     	selector &= info->desc.vsel_mask;
>>>     CID 645486:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
312     	selector >>= ffs(info->desc.vsel_mask) - 1;
313
314     	return selector;
315     }
316
317     static int mt6359_get_enable(struct udevice *dev)



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-03-09 21:23 Tom Rini
  2026-03-09 22:05 ` Raphaël Gallais-Pou
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2026-03-09 21:23 UTC (permalink / raw)
  To: u-boot, Simon Glass, Raphael Gallais-Pou, Patrick Delaunay,
	Patrice Chotard


Hey all,

Unfortunately for such a small set of changes (rc3 to rc4) a lot of new
Coverity scan issues have popped up. Please let me know if these appear
to be real issues or something that we can mark as intentional / false
positive. Thanks!

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Mar 9, 2026, 2:11 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 4
   - *Defects Shown:* Showing 4 of 4 defect(s)

Defect Details


** CID 644836:       Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 497           in stm32_dsi_probe()


_____________________________________________________________________________________________
*** CID 644836:         Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 497             in stm32_dsi_probe()
491     	priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
492     	if (priv->hw_version != HWVER_130 &&
493     	    priv->hw_version != HWVER_131) {
494     		dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
495     		dev_dbg(dev, "remove and unbind all DSI child\n");
496     		device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
>>>     CID 644836:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "device_chld_unbind" without checking return value (as is done elsewhere 6 out of 7 times).
497     		device_chld_unbind(dev, NULL);
498     		ret = -ENODEV;
499     		goto err_clk;
500     	}
501
502     	return 0;

** CID 644835:         (TAINTED_SCALAR)
/common/menu.c: 589           in bootmenu_loop()
/common/menu.c: 589           in bootmenu_loop()


_____________________________________________________________________________________________
*** CID 644835:           (TAINTED_SCALAR)
/common/menu.c: 589             in bootmenu_loop()
583     			c = cli_ch_process(cch, c);
584     		}
585     	}
586
587     	key = bootmenu_conv_key(c);
588
>>>     CID 644835:           (TAINTED_SCALAR)
>>>     Using tainted variable "(int)(unsigned char)c" as an index into an array "_ctype".
589     	if (key == BKEY_NONE && isalnum(c)) {
590     		key = BKEY_SHORTCUT;
591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592     	}
593
594     	return key;

** CID 644834:       Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 496           in stm32_dsi_probe()


_____________________________________________________________________________________________
*** CID 644834:         Error handling issues  (CHECKED_RETURN)
/drivers/video/stm32/stm32_dsi.c: 496             in stm32_dsi_probe()
490     	/* check hardware version */
491     	priv->hw_version = dsi_read(plat->base, DSI_VERSION) & VERSION;
492     	if (priv->hw_version != HWVER_130 &&
493     	    priv->hw_version != HWVER_131) {
494     		dev_err(dev, "DSI version 0x%x not supported\n", priv->hw_version);
495     		dev_dbg(dev, "remove and unbind all DSI child\n");
>>>     CID 644834:         Error handling issues  (CHECKED_RETURN)
>>>     Calling "device_chld_remove" without checking return value (as is done elsewhere 4 out of 5 times).
496     		device_chld_remove(dev, NULL, DM_REMOVE_NORMAL);
497     		device_chld_unbind(dev, NULL);
498     		ret = -ENODEV;
499     		goto err_clk;
500     	}
501

** CID 644833:       Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/menu.c: 589           in bootmenu_loop()


_____________________________________________________________________________________________
*** CID 644833:         Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/menu.c: 589             in bootmenu_loop()
583     			c = cli_ch_process(cch, c);
584     		}
585     	}
586
587     	key = bootmenu_conv_key(c);
588
>>>     CID 644833:         Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "c" as an index to array "_ctype".
589     	if (key == BKEY_NONE && isalnum(c)) {
590     		key = BKEY_SHORTCUT;
591     		cch->shortcut_key = bootmenu_conv_shortcut_key(menu, c);
592     	}
593
594     	return key;



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-02-23 19:51 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-02-23 19:51 UTC (permalink / raw)
  To: u-boot; +Cc: James Hilliard, Marek Vasut


Hey all,

Looks like Coverity is a little unhappy about the FIT alignment fixes,
but I'm not sure yet if we can just mark them as intentional and already
safety checked inputs or not.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 23, 2026 at 1:34 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 1
   - 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 1 of 1 defect(s)

Defect Details

** CID 644638:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 644638:           (TAINTED_SCALAR)
/boot/image-fit.c: 2410             in boot_get_fdt_fit_into_buffer()
2404     	 */
2405     	if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406     		goto out;
2407
2408     	/* Try to reuse existing destination buffer if it is large enough. */
2409     	if (dstbuf && dstlen >= newdstlen) {
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_strings" to "fdt_open_into", which uses it as an offset.
2410     		err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411     		goto out;
2412     	}
2413
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
/boot/image-fit.c: 2420             in boot_get_fdt_fit_into_buffer()
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
2416     		err = -ENOMEM;
2417     		goto out;
2418     	}
2419
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_struct" to "fdt_open_into", which uses it as an offset.
2420     	err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421     	if (err < 0)
2422     		goto out;
2423
2424     	free(dstbuf);
2425     	*fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2420             in boot_get_fdt_fit_into_buffer()
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
2416     		err = -ENOMEM;
2417     		goto out;
2418     	}
2419
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_strings" to "fdt_open_into", which uses it as an offset.
2420     	err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421     	if (err < 0)
2422     		goto out;
2423
2424     	free(dstbuf);
2425     	*fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2420             in boot_get_fdt_fit_into_buffer()
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
2416     		err = -ENOMEM;
2417     		goto out;
2418     	}
2419
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->totalsize" to "fdt_open_into", which uses it as an offset.
2420     	err = fdt_open_into(fdtsrcbuf, newdstbuf, newdstlen);
2421     	if (err < 0)
2422     		goto out;
2423
2424     	free(dstbuf);
2425     	*fdtdstbuf = newdstbuf;
/boot/image-fit.c: 2410             in boot_get_fdt_fit_into_buffer()
2404     	 */
2405     	if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406     		goto out;
2407
2408     	/* Try to reuse existing destination buffer if it is large enough. */
2409     	if (dstbuf && dstlen >= newdstlen) {
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->totalsize" to "fdt_open_into", which uses it as an offset.
2410     		err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411     		goto out;
2412     	}
2413
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {
/boot/image-fit.c: 2410             in boot_get_fdt_fit_into_buffer()
2404     	 */
2405     	if (dstlen >= newdstlen && dstbuf == fdtsrcbuf)
2406     		goto out;
2407
2408     	/* Try to reuse existing destination buffer if it is large enough. */
2409     	if (dstbuf && dstlen >= newdstlen) {
>>>     CID 644638:           (TAINTED_SCALAR)
>>>     Passing tainted expression "fdtsrcbuf->size_dt_struct" to "fdt_open_into", which uses it as an offset.
2410     		err = fdt_open_into(fdtsrcbuf, dstbuf, dstlen);
2411     		goto out;
2412     	}
2413
2414     	newdstbuf = memalign(8, newdstlen);
2415     	if (!newdstbuf) {



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-02-13 22:09 Tom Rini
  2026-02-18 23:02 ` Chris Morgan
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2026-02-13 22:09 UTC (permalink / raw)
  To: u-boot, Chris Morgan, Mattijs Korpershoek


Latest Coverity Scan report, now that it's back up and so a little out
of sync with the usual schedule.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Feb 13, 2026 at 4:03 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 1
   - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 1 of 1 defect(s)

Defect Details

** CID 328330:       Integer handling issues  (NO_EFFECT)
/drivers/usb/dwc3/core.c: 106           in dwc3_core_soft_reset()


_____________________________________________________________________________________________
*** CID 328330:         Integer handling issues  (NO_EFFECT)
/drivers/usb/dwc3/core.c: 106             in dwc3_core_soft_reset()
100     done:
101     	/*
102     	 * For DWC_usb31 controller 1.80a and prior, once DCTL.CSFRST bit
103     	 * is cleared, we must wait at least 50ms before accessing the PHY
104     	 * domain (synchronization delay).
105     	 */
>>>     CID 328330:         Integer handling issues  (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "dwc->revision >= 0U".
106     	if (DWC3_VER_IS_WITHIN(DWC31, ANY, 180A))
107     		mdelay(50);
108
109     	return 0;
110     }
111


View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-16 19:43 Tom Rini
  2026-02-09 11:05 ` Guillaume La Roque
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2026-01-16 19:43 UTC (permalink / raw)
  To: u-boot; +Cc: Guillaume La Roque, Mattijs Korpershoek


Hey all,

Here's the latest report from Coverity scan. For the LZMA ones, the
_pad_ stuff seems to be a false positive (the _pad_ byte is just for
padding and not referenced), and the flow control one is how that's
written; for whatever reason the upstream author wanted it like that.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Jan 16, 2026 at 1:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 7
   - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 7 of 7 defect(s)

Defect Details

** CID 641431:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641431:           (TAINTED_SCALAR)
/boot/image-android.c: 434             in android_image_get_kernel()
428     		if (*newbootargs) /* If there is something in newbootargs, a space is needed */
429     			strcat(newbootargs, " ");
430     		strcat(newbootargs, img_data.kcmdline_extra);
431     	}
432
433     	env_set("bootargs", newbootargs);
>>>     CID 641431:           (TAINTED_SCALAR)
>>>     Passing tainted expression "*newbootargs" to "dlfree", which uses it as an offset.
434     	free(newbootargs);
435
436     	if (os_data) {
437     		if (image_get_magic(ihdr) == IH_MAGIC) {
438     			*os_data = image_get_data(ihdr);
439     		} else {
/boot/image-android.c: 433             in android_image_get_kernel()
427     	if (img_data.kcmdline_extra && *img_data.kcmdline_extra) {
428     		if (*newbootargs) /* If there is something in newbootargs, a space is needed */
429     			strcat(newbootargs, " ");
430     		strcat(newbootargs, img_data.kcmdline_extra);
431     	}
432
>>>     CID 641431:           (TAINTED_SCALAR)
>>>     Passing tainted expression "newbootargs" to "env_set", which uses it as an offset.
433     	env_set("bootargs", newbootargs);
434     	free(newbootargs);
435
436     	if (os_data) {
437     		if (image_get_magic(ihdr) == IH_MAGIC) {
438     			*os_data = image_get_data(ihdr);

** CID 641430:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641430:           (TAINTED_SCALAR)
/cmd/abootimg.c: 244             in abootimg_get_ramdisk()
238     				      &rd_data, &rd_len))
239     		return CMD_RET_FAILURE;
240
241     	if (argc == 0) {
242     		printf("%lx\n", rd_data);
243     	} else {
>>>     CID 641430:           (TAINTED_SCALAR)
>>>     Passing tainted expression "rd_data" to "env_set_hex", which uses it as an offset.
244     		env_set_hex(argv[0], rd_data);
245     		if (argc == 2)
246     			env_set_hex(argv[1], rd_len);
247     	}
248
249     	return CMD_RET_SUCCESS;
/cmd/abootimg.c: 246             in abootimg_get_ramdisk()
240
241     	if (argc == 0) {
242     		printf("%lx\n", rd_data);
243     	} else {
244     		env_set_hex(argv[0], rd_data);
245     		if (argc == 2)
>>>     CID 641430:           (TAINTED_SCALAR)
>>>     Passing tainted expression "rd_len" to "env_set_hex", which uses it as an offset.
246     			env_set_hex(argv[1], rd_len);
247     	}
248
249     	return CMD_RET_SUCCESS;
250     }
251

** CID 641429:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641429:         Insecure data handling  (TAINTED_SCALAR)
/boot/image-android.c: 307             in android_image_get_data()
301     			printf("Incorrect vendor boot image header\n");
302     			unmap_sysmem(vhdr);
303     			unmap_sysmem(bhdr);
304     			return false;
305     		}
306     		android_boot_image_v3_v4_parse_hdr((const struct andr_boot_img_hdr_v3 *)bhdr, data);
>>>     CID 641429:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "vhdr->bootconfig_size" to "android_vendor_boot_image_v3_v4_parse_hdr", which uses it as a loop boundary.
307     		android_vendor_boot_image_v3_v4_parse_hdr(vhdr, data);
308     		unmap_sysmem(vhdr);
309     	} else {
310     		android_boot_image_v0_v1_v2_parse_hdr(bhdr, data);
311     	}
312

** CID 641428:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 641428:           (TAINTED_SCALAR)
/boot/image-android.c: 658             in android_image_set_bootconfig()
652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654     	/* Map Dest */
655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657     	/* Copy data */
>>>     CID 641428:           (TAINTED_SCALAR)
>>>     Passing tainted expression "img_data.vendor_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
659     					     ramdisk_dest);
660
661     	unmap_sysmem(ramdisk_dest);
662     	free(params);
663     	free(new_bootargs);
/boot/image-android.c: 658             in android_image_set_bootconfig()
652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654     	/* Map Dest */
655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657     	/* Copy data */
>>>     CID 641428:           (TAINTED_SCALAR)
>>>     Passing tainted expression "img_data.bootconfig_size" to "android_boot_append_bootconfig", which uses it as an offset.
658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
659     					     ramdisk_dest);
660
661     	unmap_sysmem(ramdisk_dest);
662     	free(params);
663     	free(new_bootargs);
/boot/image-android.c: 658             in android_image_set_bootconfig()
652     		total_size += params_len + BOOTCONFIG_TRAILER_SIZE;
653
654     	/* Map Dest */
655     	ramdisk_dest = map_sysmem(ramdisk_addr, total_size);
656
657     	/* Copy data */
>>>     CID 641428:           (TAINTED_SCALAR)
>>>     Passing tainted expression "img_data.boot_ramdisk_size" to "android_boot_append_bootconfig", which uses it as an offset.
658     	ret = android_boot_append_bootconfig(&img_data, params, params_len,
659     					     ramdisk_dest);
660
661     	unmap_sysmem(ramdisk_dest);
662     	free(params);
663     	free(new_bootargs);

** CID 332278:       Control flow issues  (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720           in LzmaDec_TryDummy()


_____________________________________________________________________________________________
*** CID 332278:         Control flow issues  (UNREACHABLE)
/lib/lzma/LzmaDec.c: 720             in LzmaDec_TryDummy()
714       UInt32 code = p->code;
715       const Byte *bufLimit = *bufOut;
716       const CLzmaProb *probs = GET_PROBS;
717       unsigned state = (unsigned)p->state;
718       ELzmaDummy res;
719
>>>     CID 332278:         Control flow issues  (UNREACHABLE)
>>>     Since the loop increment is unreachable, the loop body will never execute more than once.
720       for (;;)
721       {
722         const CLzmaProb *prob;
723         UInt32 bound;
724         unsigned ttt;
725         unsigned posState = CALC_POS_STATE(p->processedPos, ((unsigned)1 << p->prop.pb) - 1);

** CID 252901:       Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1295           in LzmaDec_AllocateProbs()


_____________________________________________________________________________________________
*** CID 252901:         Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1295             in LzmaDec_AllocateProbs()
1289
1290     SRes LzmaDec_AllocateProbs(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAllocPtr alloc)
1291     {
1292       CLzmaProps propNew;
1293       RINOK(LzmaProps_Decode(&propNew, props, propsSize))
1294       RINOK(LzmaDec_AllocateProbs2(p, &propNew, alloc))
>>>     CID 252901:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1295       p->prop = propNew;
1296       return SZ_OK;
1297     }
1298
1299     SRes LzmaDec_Allocate(CLzmaDec *p, const Byte *props, unsigned propsSize, ISzAllocPtr alloc)
1300     {

** CID 252579:       Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1327           in LzmaDec_Allocate()


_____________________________________________________________________________________________
*** CID 252579:         Uninitialized variables  (UNINIT)
/lib/lzma/LzmaDec.c: 1327             in LzmaDec_Allocate()
1321         {
1322           LzmaDec_FreeProbs(p, alloc);
1323           return SZ_ERROR_MEM;
1324         }
1325       }
1326       p->dicBufSize = dicBufSize;
>>>     CID 252579:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "propNew". Field "propNew._pad_" is uninitialized.
1327       p->prop = propNew;
1328       return SZ_OK;
1329     }
1330
1331     SRes LzmaDecode(Byte *dest, SizeT *destLen, const Byte *src, SizeT *srcLen,
1332         const Byte *propData, unsigned propSize, ELzmaFinishMode finishMode,



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2026-01-06 20:36 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2026-01-06 20:36 UTC (permalink / raw)
  To: u-boot


Hey all,

This is really just to say that I've now been able to switch Coverity
scan over from "sandbox_defconfig" to "allyesconfig" (which is now also
in CI), so we have a lot more code being scanned. If you have access to
the dashboard already, and areas of interest, it's worth looking again
now. If you're already a project contributor and want to look for things
to work on, please let me know before asking for access to the
dashboard.

I am hopeful this will inspire people to make sure their code builds on
sandbox (and so allyesconfig) so that it can get further static checking
done to it, regularly.

And, as a final funny-to-me note, while this email says 278 issues, the
other email (which just has high-level info and I don't bother
forwarding) says 442 issues found.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Jan 6, 2026 at 2:18 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 278
   - 49 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 20 of 278 defect(s)

Defect Details

** CID 640717:       Control flow issues  (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125           in _read_sysinfo_variant_data()


_____________________________________________________________________________________________
*** CID 640717:         Control flow issues  (DEADCODE)
/drivers/sysinfo/gazerbeam.c: 125             in _read_sysinfo_variant_data()
119     		      dev->name, con);
120     		return con;
121     	}
122
123     	priv->variant = con ? VAR_CON : VAR_CPU;
124
>>>     CID 640717:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "0" inside this statement: "priv->multichannel = (mc4 ?...".
125     	priv->multichannel = mc4 ? 4 : (mc2 ? 2 : (sc ? 1 : 0));
126
127     	return 0;
128     }
129
130     /**

** CID 640716:       Incorrect expression  (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158           in iproc_rng200_of_to_plat()


_____________________________________________________________________________________________
*** CID 640716:         Incorrect expression  (SIZEOF_MISMATCH)
/drivers/rng/iproc_rng200.c: 158             in iproc_rng200_of_to_plat()
152     }
153
154     static int iproc_rng200_of_to_plat(struct udevice *dev)
155     {
156     	struct iproc_rng200_plat *pdata = dev_get_plat(dev);
157
>>>     CID 640716:         Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "8UL /* sizeof (void *) */" to function "devfdt_map_physmem" which returns a value of type "void *" is suspicious.
158     	pdata->base = devfdt_map_physmem(dev, sizeof(void *));
159     	if (!pdata->base)
160     		return -ENODEV;
161
162     	return 0;
163     }

** CID 640715:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640715:           (TAINTED_SCALAR)
/drivers/gpio/74x164_gpio.c: 145             in gen_74x164_probe()
139
140     	/*
141     	 * See Linux kernel:
142     	 * Documentation/devicetree/bindings/gpio/gpio-74x164.txt
143     	 */
144     	priv->nregs = fdtdec_get_int(fdt, node, "registers-number", 1);
>>>     CID 640715:           (TAINTED_SCALAR)
>>>     Passing tainted expression "priv->nregs" to "dlcalloc", which uses it as an offset.
145     	priv->buffer = calloc(priv->nregs, sizeof(u8));
146     	if (!priv->buffer) {
147     		ret = -ENOMEM;
148     		goto free_str;
149     	}
150
/drivers/gpio/74x164_gpio.c: 151             in gen_74x164_probe()
145     	priv->buffer = calloc(priv->nregs, sizeof(u8));
146     	if (!priv->buffer) {
147     		ret = -ENOMEM;
148     		goto free_str;
149     	}
150
>>>     CID 640715:           (TAINTED_SCALAR)
>>>     Passing tainted expression "priv->nregs" to "fdtdec_get_byte_array", which uses it as an offset.
151     	ret = fdtdec_get_byte_array(fdt, node, "registers-default",
152     				    priv->buffer, priv->nregs);
153     	if (ret)
154     		dev_dbg(dev, "No registers-default property\n");
155
156     	ret = gpio_request_by_name(dev, "oe-gpios", 0, &priv->oe,

** CID 640714:       Control flow issues  (DEADCODE)
/drivers/net/ftgmac100.c: 400           in ftgmac100_start()


_____________________________________________________________________________________________
*** CID 640714:         Control flow issues  (DEADCODE)
/drivers/net/ftgmac100.c: 400             in ftgmac100_start()
394     	/* Configure TX/RX decsriptor size
395     	 * This size is calculated based on cache line.
396     	 */
397     	desc_size = ARCH_DMA_MINALIGN / FTGMAC100_DESC_UNIT;
398     	/* The descriptor size is at least 2 descriptor units. */
399     	if (desc_size < 2)
>>>     CID 640714:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "desc_size = 2U;".
400     		desc_size = 2;
401     	dblac = readl(&ftgmac100->dblac) & ~GENMASK(19, 12);
402     	dblac |= FTGMAC100_DBLAC_RXDES_SIZE(desc_size) | FTGMAC100_DBLAC_TXDES_SIZE(desc_size);
403     	writel(dblac, &ftgmac100->dblac);
404
405     	/* poll receive descriptor automatically */

** CID 640713:       Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121           in sifive_serial_setbrg()


_____________________________________________________________________________________________
*** CID 640713:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/serial/serial_sifive.c: 121             in sifive_serial_setbrg()
115     		if (IS_ERR_VALUE(ret)) {
116     			debug("SiFive UART clock not defined\n");
117     			return 0;
118     		}
119     	} else {
120     		clock = clk_get_rate(&clk);
>>>     CID 640713:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "clock >= 18446744073709547521UL /* (unsigned long)-4095 */" is always false regardless of the values of its operands. This occurs as the logical operand of "!".
121     		if (IS_ERR_VALUE(clock)) {
122     			debug("SiFive UART clock get rate failed\n");
123     			return 0;
124     		}
125     	}
126     	plat->clock = clock;

** CID 640712:         (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 585           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 577           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 578           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 581           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()
/drivers/pci/pcie_cdns_ti.c: 570           in pcie_cdns_ti_bar_ib_config()


_____________________________________________________________________________________________
*** CID 640712:           (BAD_SHIFT)
/drivers/pci/pcie_cdns_ti.c: 582             in pcie_cdns_ti_bar_ib_config()
576     		if (!(flags & IORESOURCE_PREFETCH))
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
584
585     	value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
/drivers/pci/pcie_cdns_ti.c: 585             in pcie_cdns_ti_bar_ib_config()
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
584
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "aperture - 2U << bar * 8", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8", is as little as -8.
585     	value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
587
588     	return 0;
589     }
590
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "bar_aperture_mask[bar] + 2 - 2 << bar * 8", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8", is as little as -8.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 577             in pcie_cdns_ti_bar_ib_config()
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
576     		if (!(flags & IORESOURCE_PREFETCH))
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 578             in pcie_cdns_ti_bar_ib_config()
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
576     		if (!(flags & IORESOURCE_PREFETCH))
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "7 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
/drivers/pci/pcie_cdns_ti.c: 581             in pcie_cdns_ti_bar_ib_config()
575     	if (size + cpu_addr >= SZ_4G) {
576     		if (!(flags & IORESOURCE_PREFETCH))
577     			value |= LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar);
578     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar);
579     	} else {
580     		if (!(flags & IORESOURCE_PREFETCH))
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
581     			value |= LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar);
582     		value |= LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar);
583     	}
584
585     	value |= LM_RC_BAR_CFG_APERTURE(bar, aperture);
586     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_LM_RC_BAR_CFG, value);
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "5 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "4 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {
/drivers/pci/pcie_cdns_ti.c: 570             in pcie_cdns_ti_bar_ib_config()
564     	pcie_cdns_ti_writel(pcie, CDNS_PCIE_AT_IB_RP_BAR_ADDR1(bar), addr1);
565
566     	if (bar == RP_NO_BAR)
567     		return 0;
568
569     	value = pcie_cdns_ti_readl(pcie, CDNS_PCIE_LM_RC_BAR_CFG);
>>>     CID 640712:           (BAD_SHIFT)
>>>     In expression "6 << bar * 8 + 6", shifting by a negative amount has undefined behavior.  The shift amount, "bar * 8 + 6", is as little as -2.
570     	value &= ~(LM_RC_BAR_CFG_CTRL_MEM_64BITS(bar) |
571     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_64BITS(bar) |
572     		   LM_RC_BAR_CFG_CTRL_MEM_32BITS(bar) |
573     		   LM_RC_BAR_CFG_CTRL_PREF_MEM_32BITS(bar) |
574     		   LM_RC_BAR_CFG_APERTURE(bar, bar_aperture_mask[bar] + 2));
575     	if (size + cpu_addr >= SZ_4G) {

** CID 640711:       Memory - corruptions  (OVERRUN)


_____________________________________________________________________________________________
*** CID 640711:         Memory - corruptions  (OVERRUN)
/cmd/ubi.c: 806             in do_ubi()
800     		if (!size) {
801     			size = (int64_t)ubi->avail_pebs * ubi->leb_size;
802     			printf("No size specified -> Using max size (%lld)\n", size);
803     		}
804     		/* E.g., create volume */
805     		if (argc == 3) {
>>>     CID 640711:         Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 129 by passing argument "id" (which evaluates to 256) in call to "ubi_create_vol".
806     			return ubi_create_vol(argv[2], size, dynamic, id,
807     					      skipcheck);
808     		}
809     	}
810
811     	if (strncmp(argv[1], "remove", 6) == 0) {

** CID 640710:       Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641           in do_tpm_list()


_____________________________________________________________________________________________
*** CID 640710:         Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v1.c: 641             in do_tpm_list()
635     	ptr = buf + 2;
636
637     	printf("Resources of type %s (%02x):\n", argv[1], type);
638     	if (!res_count) {
639     		puts("None\n");
640     	} else {
>>>     CID 640710:         Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "res_count" as a loop boundary.
641     		for (i = 0; i < res_count; ++i, ptr += 4)
642     			printf("Index %d: %08x\n", i, get_unaligned_be32(ptr));
643     	}
644
645     	return 0;
646     }

** CID 640709:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156           in atmel_smc_cs_conf_set_setup()


_____________________________________________________________________________________________
*** CID 640709:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/mfd/atmel-smc.c: 156             in atmel_smc_cs_conf_set_setup()
150     	 * The formula described in atmel datasheets (section "SMC Setup
151     	 * Register"):
152     	 *
153     	 * ncycles = (128 * xx_SETUP[5]) + xx_SETUP[4:0]
154     	 */
155     	ret = atmel_smc_cs_encode_ncycles(ncycles, 5, 1, 128, &val);
>>>     CID 640709:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "0xffffffffffffffffUL << shift", where "shift" is known to be equal to 24, overflows the type of "0xffffffffffffffffUL << shift", which is type "unsigned long".
156     	conf->setup &= ~GENMASK(shift + 7, shift);
157     	conf->setup |= val << shift;
158
159     	return ret;
160     }
161     EXPORT_SYMBOL_GPL(atmel_smc_cs_conf_set_setup);

** CID 640708:       Code maintainability issues  (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192           in get_parent_dss_vp()


_____________________________________________________________________________________________
*** CID 640708:         Code maintainability issues  (UNUSED_VALUE)
/drivers/video/tidss/tidss_oldi.c: 192             in get_parent_dss_vp()
186     	int ret;
187
188     	ep = ofnode_graph_get_endpoint_by_regs(oldi_tx, 0, -1);
189     	if (ofnode_valid(ep)) {
190     		dss_port = ofnode_graph_get_remote_port(ep);
191     		if (!ofnode_valid(dss_port))
>>>     CID 640708:         Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "-19" to "ret" here, but that stored value is overwritten before it can be used.
192     			ret = -ENODEV;
193
194     		ret = ofnode_read_u32(dss_port, "reg", parent_vp);
195     		if (ret)
196     			return -ENODEV;
197     		return 0;

** CID 640707:       Control flow issues  (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302           in max77663_ldo_val()


_____________________________________________________________________________________________
*** CID 640707:         Control flow issues  (DEADCODE)
/drivers/power/regulator/max77663_regulator.c: 302             in max77663_ldo_val()
296
297     	if (op == PMIC_OP_GET) {
298     		*uV = 0;
299
300     		ret = max77663_ldo_hex2volt(idx, val & LDO_VOLT_MASK);
301     		if (ret < 0)
>>>     CID 640707:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return ret;".
302     			return ret;
303
304     		*uV = ret;
305     		return 0;
306     	}
307

** CID 640706:         (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277           in aspeed_gpio_probe()
/drivers/gpio/gpio-aspeed-g7.c: 133           in aspeed_gpio_probe()


_____________________________________________________________________________________________
*** CID 640706:           (CHECKED_RETURN)
/drivers/gpio/gpio-aspeed.c: 277             in aspeed_gpio_probe()
271     static int aspeed_gpio_probe(struct udevice *dev)
272     {
273     	struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
274     	struct aspeed_gpio_priv *priv = dev_get_priv(dev);
275
276     	uc_priv->bank_name = dev->name;
>>>     CID 640706:           (CHECKED_RETURN)
>>>     Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
277     	ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
278     	priv->regs = devfdt_get_addr_ptr(dev);
279
280     	return 0;
281     }
282
/drivers/gpio/gpio-aspeed-g7.c: 133             in aspeed_gpio_probe()
127     static int aspeed_gpio_probe(struct udevice *dev)
128     {
129     	struct gpio_dev_priv *uc_priv = dev_get_uclass_priv(dev);
130     	struct aspeed_gpio_priv *priv = dev_get_priv(dev);
131
132     	uc_priv->bank_name = dev->name;
>>>     CID 640706:           (CHECKED_RETURN)
>>>     Calling "ofnode_read_u32" without checking return value (as is done elsewhere 101 out of 125 times).
133     	ofnode_read_u32(dev_ofnode(dev), "ngpios", &uc_priv->gpio_count);
134     	priv->regs = devfdt_get_addr_ptr(dev);
135
136     	return 0;
137     }
138

** CID 640705:       Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v1.c: 863           in tpm1_find_key_sha1()


_____________________________________________________________________________________________
*** CID 640705:         Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v1.c: 863             in tpm1_find_key_sha1()
857     	err = tpm1_get_capability(dev, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
858     				 sizeof(buf));
859     	if (err)
860     		return -1;
861     	key_count = get_unaligned_be16(buf);
862     	ptr = buf + 2;
>>>     CID 640705:         Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "key_count" as a loop boundary.
863     	for (i = 0; i < key_count; ++i, ptr += 4)
864     		key_handles[i] = get_unaligned_be32(ptr);
865
866     	/* now search a(/ the) key which we can access with the given auth */
867     	for (i = 0; i < key_count; ++i) {
868     		buf_len = sizeof(buf);

** CID 640704:       Uninitialized variables  (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199           in sdhci_cdns6_reset_phy_dll()


_____________________________________________________________________________________________
*** CID 640704:         Uninitialized variables  (UNINIT)
/drivers/mmc/sdhci-cadence6.c: 199             in sdhci_cdns6_reset_phy_dll()
193     	/* After reset, wait until HRS09.PHY_INIT_COMPLETE is set to 1 within 3000us*/
194     	if (!reset) {
195     		ret = readl_poll_timeout(reg, tmp, (tmp & SDHCI_CDNS_HRS09_PHY_INIT_COMPLETE),
196     					 3000);
197     	}
198
>>>     CID 640704:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
199     	return ret;
200     }
201
202     int sdhci_cdns6_phy_adj(struct udevice *dev, struct sdhci_cdns_plat *plat, u32 mode)
203     {
204     	struct sdhci_cdns6_phy_cfg *sdhci_cdns6_phy_cfgs;

** CID 640703:       Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667           in dm_test_fdt_remap_addr_index_flat()


_____________________________________________________________________________________________
*** CID 640703:         Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/test-fdt.c: 667             in dm_test_fdt_remap_addr_index_flat()
661     	fdt_size_t size;
662     	void *paddr;
663
664     	ut_assertok(uclass_find_device_by_seq(UCLASS_TEST_DUMMY, 0, &dev));
665
666     	addr = devfdt_get_addr_size_index(dev, 0, &size);
>>>     CID 640703:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "_val2", where "addr" is known to be equal to 18446744073709551615, overflows the type of "_val2", which is type "unsigned int".
667     	ut_asserteq(0x8000, addr);
668     	ut_asserteq(0x1000, size);
669
670     	paddr = map_physmem(addr, 0, MAP_NOCACHE);
671     	ut_assertnonnull(paddr);
672     	ut_asserteq_ptr(paddr, devfdt_remap_addr_index(dev, 0));

** CID 640702:       Uninitialized variables  (UNINIT)
/drivers/video/imx/ldb.c: 85           in imx_ldb_of_to_plat()


_____________________________________________________________________________________________
*** CID 640702:         Uninitialized variables  (UNINIT)
/drivers/video/imx/ldb.c: 85             in imx_ldb_of_to_plat()
79
80     	uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 1, -1, &priv->lvds1);
81     	uclass_get_device_by_endpoint(UCLASS_PANEL, dev, 2, -1, &priv->lvds2);
82     	if (!priv->lvds1 && !priv->lvds2) {
83     		debug("ldb: No remote panel for '%s' (ret=%d)\n",
84     		      dev_read_name(dev), ret);
>>>     CID 640702:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
85     		return ret;
86     	}
87
88     	return 0;
89     }
90

** CID 640701:       Uninitialized variables  (UNINIT)
/drivers/spi/xilinx_spi.c: 377           in xilinx_spi_mem_exec_op()


_____________________________________________________________________________________________
*** CID 640701:         Uninitialized variables  (UNINIT)
/drivers/spi/xilinx_spi.c: 377             in xilinx_spi_mem_exec_op()
371     		if (ret)
372     			goto done;
373     	}
374     done:
375     	spi_cs_deactivate(spi->dev);
376
>>>     CID 640701:         Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
377     	return ret;
378     }
379
380     static int xilinx_qspi_check_buswidth(struct spi_slave *slave, u8 width)
381     {
382     	u32 mode = slave->mode;

** CID 640700:       Integer handling issues  (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43           in xilinxgmiitorgmii_config()


_____________________________________________________________________________________________
*** CID 640700:         Integer handling issues  (BAD_SHIFT)
/drivers/net/phy/xilinx_gmii2rgmii.c: 43             in xilinxgmiitorgmii_config()
37     	ret = ofnode_parse_phandle_with_args(node, "phy-handle",
38     					     NULL, 0, 0, &phandle);
39     	if (ret)
40     		return ret;
41
42     	ext_phyaddr = ofnode_read_u32_default(phandle.node, "reg", -1);
>>>     CID 640700:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "1 << ext_phyaddr", shifting by a negative amount has undefined behavior.  The shift amount, "ext_phyaddr", is -1.
43     	ext_phydev = phy_find_by_mask(phydev->bus,
44     				      1 << ext_phyaddr);
45     	if (!ext_phydev) {
46     		printf("%s, No external phy device found\n", __func__);
47     		return -EINVAL;
48     	}

** CID 640699:       Control flow issues  (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262           in __atcspi200_spi_xfer()


_____________________________________________________________________________________________
*** CID 640699:         Control flow issues  (DEADCODE)
/drivers/spi/atcspi200_spi.c: 262             in __atcspi200_spi_xfer()
256
257     				if ((event & RXFVE_MASK) && (data_in)) {
258     					rf_cnt = ((event & RXFVE_MASK)>> RXFVE_OFFSET);
259     					if (rf_cnt >= CHUNK_SIZE)
260     						rx_bytes = CHUNK_SIZE;
261     					else if (num_blks == 1 && rf_cnt == num_bytes)
>>>     CID 640699:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "rx_bytes = num_bytes;".
262     						rx_bytes = num_bytes;
263     					else
264     						continue;
265
266     					if (__nspi_espi_rx(ns, din, rx_bytes) == rx_bytes) {
267     						num_blks -= CHUNK_SIZE;

** CID 640698:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 640698:         Insecure data handling  (TAINTED_SCALAR)
/drivers/net/bnxt/bnxt.c: 446             in bnxt_hwrm_ver_get()
440     	req = (struct hwrm_ver_get_input *)bp->hwrm_addr_req;
441     	resp = (struct hwrm_ver_get_output *)bp->hwrm_addr_resp;
442     	hwrm_init(bp, (void *)req, (u16)HWRM_VER_GET, cmd_len);
443     	req->hwrm_intf_maj = HWRM_VERSION_MAJOR;
444     	req->hwrm_intf_min = HWRM_VERSION_MINOR;
445     	req->hwrm_intf_upd = HWRM_VERSION_UPDATE;
>>>     CID 640698:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*bp->hwrm_addr_resp" to "wait_resp", which uses it as an offset.
446     	rc = wait_resp(bp, HWRM_CMD_DEFAULT_TIMEOUT, cmd_len, __func__);
447     	if (rc)
448     		return STATUS_FAILURE;
449
450     	bp->hwrm_spec_code =
451     		resp->hwrm_intf_maj_8b << 16 |



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-12-08 19:38 Tom Rini
From: Tom Rini @ 2025-12-08 19:38 UTC
  To: u-boot, Adriana Nicolae


Here's the latest Coverity scan report. I think the test/dm/clk_ccf.c
report is just a "works as intended" but I'm not sure off-hand about the
fdtdec.c test. Might be the case the previous test in the file also has
this problem, and since it's just test code, might also be fine enough.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Dec 8, 2025 at 1:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 2
   - 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 2 of 2 defect(s)

Defect Details

** CID 639831:         (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 639831:           (TAINTED_SCALAR)
/test/dm/fdtdec.c: 153             in dm_test_fdt_chosen_smbios()
147
148     	blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149     	blob = memalign(8, blob_sz);
150     	ut_assertnonnull(blob);
151
152     	/* Make a writable copy of the fdt blob */
>>>     CID 639831:           (TAINTED_SCALAR)
>>>     Passing tainted expression "gd->fdt_blob->totalsize" to "fdt_open_into", which uses it as an offset.
153     	ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155     	/* Mock SMBIOS table */
156     	entry = map_sysmem(gd->arch.smbios_start, sizeof(struct smbios3_entry));
157     	memcpy(entry->anchor, "_SM3_", 5);
158     	entry->length = sizeof(struct smbios3_entry);
/test/dm/fdtdec.c: 153             in dm_test_fdt_chosen_smbios()
147
148     	blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149     	blob = memalign(8, blob_sz);
150     	ut_assertnonnull(blob);
151
152     	/* Make a writable copy of the fdt blob */
>>>     CID 639831:           (TAINTED_SCALAR)
>>>     Passing tainted expression "gd->fdt_blob->size_dt_strings" to "fdt_open_into", which uses it as an offset.
153     	ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155     	/* Mock SMBIOS table */
156     	entry = map_sysmem(gd->arch.smbios_start, sizeof(struct smbios3_entry));
157     	memcpy(entry->anchor, "_SM3_", 5);
158     	entry->length = sizeof(struct smbios3_entry);
/test/dm/fdtdec.c: 153             in dm_test_fdt_chosen_smbios()
147
148     	blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
149     	blob = memalign(8, blob_sz);
150     	ut_assertnonnull(blob);
151
152     	/* Make a writable copy of the fdt blob */
>>>     CID 639831:           (TAINTED_SCALAR)
>>>     Passing tainted expression "gd->fdt_blob->size_dt_struct" to "fdt_open_into", which uses it as an offset.
153     	ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
154
155     	/* Mock SMBIOS table */
156     	entry = map_sysmem(gd->arch.smbios_start, sizeof(struct smbios3_entry));
157     	memcpy(entry->anchor, "_SM3_", 5);
158     	entry->length = sizeof(struct smbios3_entry);

** CID 639830:       Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/clk_ccf.c: 68           in dm_test_clk_ccf()


_____________________________________________________________________________________________
*** CID 639830:         Integer handling issues  (INTEGER_OVERFLOW)
/test/dm/clk_ccf.c: 68             in dm_test_clk_ccf()
62     	ut_asserteq(CLK_SET_RATE_NO_REPARENT, clk->flags);
63
64     	rate = clk_get_parent_rate(clk);
65     	ut_asserteq(rate, 60000000);
66
67     	rate = clk_set_rate(clk, 60000000);
>>>     CID 639830:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "_val1", where "rate" is known to be equal to -38, overflows the type of "_val1", which is type "unsigned int".
68     	ut_asserteq(rate, -ENOSYS);
69
70     	rate = clk_get_rate(clk);
71     	ut_asserteq(rate, 60000000);
72
73     	ret = clk_get_by_id(CLK_ID(dev, SANDBOX_CLK_PLL3_80M), &pclk);



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-11-23 19:03 Tom Rini
From: Tom Rini @ 2025-11-23 19:03 UTC
  To: u-boot; +Cc: Marek Vasut, Heinrich Schuchardt


Hey all,

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sun, Nov 23, 2025 at 12:28 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 3
   - 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 639130:         (CHECKED_RETURN)
/test/cmd/bdinfo.c: 166           in bdinfo_test_all()
/test/cmd/bdinfo.c: 164           in bdinfo_test_all()
/test/cmd/bdinfo.c: 165           in bdinfo_test_all()


_____________________________________________________________________________________________
*** CID 639130:           (CHECKED_RETURN)
/test/cmd/bdinfo.c: 166             in bdinfo_test_all()
160
161     	ut_assertok(bdinfo_check_mem(uts));
162
163     	/* CONFIG_SYS_HAS_SRAM testing not supported */
164     	ut_check_console_linen(uts, "flashstart");
165     	ut_check_console_linen(uts, "flashsize");
>>>     CID 639130:           (CHECKED_RETURN)
>>>     Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
166     	ut_check_console_linen(uts, "flashoffset");
167     	ut_assert_nextline("baudrate    = %lu bps",
168     			   env_get_ulong("baudrate", 10, 1234));
169     	ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
170     	ut_assertok(test_num_l(uts, "reloc off", gd->reloc_off));
171     	ut_assert_nextline("%-12s= %u-bit", "Build", (uint)sizeof(void *) * 8);
/test/cmd/bdinfo.c: 164             in bdinfo_test_all()
158     {
159     	ut_assertok(test_num_l(uts, "boot_params", 0));
160
161     	ut_assertok(bdinfo_check_mem(uts));
162
163     	/* CONFIG_SYS_HAS_SRAM testing not supported */
>>>     CID 639130:           (CHECKED_RETURN)
>>>     Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
164     	ut_check_console_linen(uts, "flashstart");
165     	ut_check_console_linen(uts, "flashsize");
166     	ut_check_console_linen(uts, "flashoffset");
167     	ut_assert_nextline("baudrate    = %lu bps",
168     			   env_get_ulong("baudrate", 10, 1234));
169     	ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
/test/cmd/bdinfo.c: 165             in bdinfo_test_all()
159     	ut_assertok(test_num_l(uts, "boot_params", 0));
160
161     	ut_assertok(bdinfo_check_mem(uts));
162
163     	/* CONFIG_SYS_HAS_SRAM testing not supported */
164     	ut_check_console_linen(uts, "flashstart");
>>>     CID 639130:           (CHECKED_RETURN)
>>>     Calling "ut_check_console_linen" without checking return value (as is done elsewhere 166 out of 169 times).
165     	ut_check_console_linen(uts, "flashsize");
166     	ut_check_console_linen(uts, "flashoffset");
167     	ut_assert_nextline("baudrate    = %lu bps",
168     			   env_get_ulong("baudrate", 10, 1234));
169     	ut_assertok(test_num_l(uts, "relocaddr", gd->relocaddr));
170     	ut_assertok(test_num_l(uts, "reloc off", gd->reloc_off));

** CID 639129:       Memory - illegal accesses  (BUFFER_SIZE)
/drivers/clk/clk_scmi.c: 191           in scmi_clk_get_ctrl_flags()


_____________________________________________________________________________________________
*** CID 639129:         Memory - illegal accesses  (BUFFER_SIZE)
/drivers/clk/clk_scmi.c: 191             in scmi_clk_get_ctrl_flags()
185     		char name[SCMI_CLOCK_NAME_LENGTH_MAX];
186     		ret = scmi_clk_get_attibute(dev, clk->id & CLK_ID_MSK,
187     					    name, &attributes);
188     		if (ret)
189     			return ret;
190
>>>     CID 639129:         Memory - illegal accesses  (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "clkscmi->name" of size 16 bytes might leave the destination string unterminated.
191     		strncpy(clkscmi->name, name, SCMI_CLOCK_NAME_LENGTH_MAX);
192     		if (CLK_HAS_RESTRICTIONS(attributes)) {
193     			u32 perm;
194
195     			ret = scmi_clk_get_permissions(dev, clk->id & CLK_ID_MSK, &perm);
196     			if (ret < 0)

** CID 639128:       Resource leaks  (RESOURCE_LEAK)
/drivers/clk/clk_scmi.c: 373           in scmi_clk_probe()


_____________________________________________________________________________________________
*** CID 639128:         Resource leaks  (RESOURCE_LEAK)
/drivers/clk/clk_scmi.c: 373             in scmi_clk_probe()
367     			return ret;
368
369     		dev_clk_dm(dev, i, &clk_scmi->clk);
370     		dev_set_parent_priv(clk_scmi->clk.dev, priv);
371     	}
372
>>>     CID 639128:         Resource leaks  (RESOURCE_LEAK)
>>>     Variable "clk_scmi_bulk" going out of scope leaks the storage it points to.
373     	return 0;
374     }
375
376     static int __scmi_clk_set_parent(struct clk *clk, struct clk *parent)
377     {
378     	struct scmi_clk_parent_set_in in = {



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-11-10 18:55 Tom Rini
From: Tom Rini @ 2025-11-10 18:55 UTC
  To: u-boot, Kory Maincent


Here's the latest report. Just 2 new issues, both from the extensions
series. Can we please address these shortly? Thanks!

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 10, 2025 at 12:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 2
   - 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 2 of 2 defect(s)

Defect Details

** CID 638558:       Memory - illegal accesses  (UNINIT)
/boot/pxe_utils.c: 485           in label_boot_extension()


_____________________________________________________________________________________________
*** CID 638558:         Memory - illegal accesses  (UNINIT)
/boot/pxe_utils.c: 485             in label_boot_extension()
479     			return;
480
481     		snprintf(overlay_dir, dir_len, "%s%s", label->fdtdir,
482     			 slash);
483     	} else {
484     		dir_len = 2;
>>>     CID 638558:         Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "overlay_dir" when calling "snprintf". [Note: The source code implementation of the function has been overridden by a builtin model.]
485     		snprintf(overlay_dir, dir_len, "/");
486     	}
487
488     	alist_for_each(extension, extension_list) {
489     		char *overlay_file;
490     		ulong size;

** CID 638557:       Null pointer dereferences  (NULL_RETURNS)


_____________________________________________________________________________________________
*** CID 638557:         Null pointer dereferences  (NULL_RETURNS)
/cmd/extension_board.c: 102             in do_extension_list()
96     {
97     	struct alist *extension_list;
98     	struct extension *extension;
99     	int i = 0;
100
101     	extension_list = extension_get_list();
>>>     CID 638557:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "extension_list" when calling "alist_get_ptr".
102     	if (!alist_get_ptr(extension_list, 0)) {
103     		printf("No extension registered - Please run \"extension scan\"\n");
104     		return CMD_RET_SUCCESS;
105     	}
106
107     	alist_for_each(extension, extension_list) {



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom


^ permalink raw reply	[flat|nested] 105+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-10-11 18:06 Tom Rini
  2025-10-12 14:22 ` Mikhail Kshevetskiy
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-10-11 18:06 UTC (permalink / raw)
  To: u-boot; +Cc: Mikhail Kshevetskiy, Dario Binacchi, Michael Trimarchi

[-- Attachment #1: Type: text/plain, Size: 1964 bytes --]

I think unfortunately the report email for when I merged in -next was
lost somewhere / wasn't sent. I may be able to get the details out of the
dashboard.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Fri, Oct 10, 2025 at 7:08 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 1
   - *Defects Shown:* Showing 1 of 1 defect(s)

Defect Details

** CID 537478:       Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/spi/spi-mem.c: 528           in spi_mem_calc_op_duration()


_____________________________________________________________________________________________
*** CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/spi/spi-mem.c: 528             in spi_mem_calc_op_duration()
522     	ncycles += ((op->addr.nbytes * 8) / op->addr.buswidth) / (op->addr.dtr ? 2 : 1);
523
524     	/* Dummy bytes are optional for some SPI flash memory operations */
525     	if (op->dummy.nbytes)
526     		ncycles += ((op->dummy.nbytes * 8) / op->dummy.buswidth) / (op->dummy.dtr ? 2 : 1);
527
>>>     CID 537478:         Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "op->data.nbytes * 8U" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
528     	ncycles += ((op->data.nbytes * 8) / op->data.buswidth) / (op->data.dtr ? 2 : 1);
529
530     	return ncycles;
531     }
532     EXPORT_SYMBOL_GPL(spi_mem_calc_op_duration);
533

----- End forwarded message -----

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-08-06 18:35 Tom Rini
  2025-08-07  9:17 ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-08-06 18:35 UTC (permalink / raw)
  To: u-boot, Heiko Schocher, Dinesh Maniyam

[-- Attachment #1: Type: text/plain, Size: 13861 bytes --]

Here's the latest report. Let's get these new issues addressed ASAP
please, thanks.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Wed, Aug 6, 2025 at 12:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 8
   - 4 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 8 of 8 defect(s)

Defect Details

** CID 583812:       Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001           in dw_i3c_probe()


_____________________________________________________________________________________________
*** CID 583812:         Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master/dw-i3c-master.c: 1001             in dw_i3c_probe()
995     	ret = readl(master->regs + DATA_BUFFER_STATUS_LEVEL);
996     	master->caps.datafifodepth = DATA_BUFFER_STATUS_LEVEL_TX(ret);
997
998     	ret = readl(master->regs + DEVICE_ADDR_TABLE_POINTER);
999     	master->datstartaddr = ret;
1000     	master->maxdevs = ret >> 16;
>>>     CID 583812:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "0xffffffffffffffffUL >> 63 - (master->maxdevs - 1)", right shifting by more than 63 bits has undefined behavior.  The shift amount, "63 - (master->maxdevs - 1)", is 64.
1001     	master->free_pos = GENMASK(master->maxdevs - 1, 0);
1002
1003     	ret = i3c_master_register(&master->base, dev,
1004     				  &dw_mipi_i3c_ops, false);
1005     	if (ret)
1006     		goto err_assert_rst;

** CID 583811:         (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1586           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1591           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1598           in of_i3c_master_add_i3c_boardinfo()
/drivers/i3c/master.c: 1603           in of_i3c_master_add_i3c_boardinfo()


_____________________________________________________________________________________________
*** CID 583811:           (RESOURCE_LEAK)
/drivers/i3c/master.c: 1610             in of_i3c_master_add_i3c_boardinfo()
1604     	}
1605
1606     	boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608     	if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||
1609     	    I3C_PID_RND_LOWER_32BITS(boardinfo->pid))
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1610     		return -EINVAL;
1611
1612     	boardinfo->init_dyn_addr = init_dyn_addr;
1613     	boardinfo->of_node = node;
1614     	list_add_tail(&boardinfo->node, &master->boardinfo.i3c);
1615
/drivers/i3c/master.c: 1586             in of_i3c_master_add_i3c_boardinfo()
1580     	boardinfo = devm_kzalloc(dev, sizeof(*boardinfo), GFP_KERNEL);
1581     	if (!boardinfo)
1582     		return -ENOMEM;
1583
1584     	if (reg[0]) {
1585     		if (reg[0] > I3C_MAX_ADDR)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1586     			return -EINVAL;
1587
1588     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589     							  reg[0]);
1590     		if (addrstatus != I3C_ADDR_SLOT_FREE)
1591     			return -EINVAL;
/drivers/i3c/master.c: 1591             in of_i3c_master_add_i3c_boardinfo()
1585     		if (reg[0] > I3C_MAX_ADDR)
1586     			return -EINVAL;
1587
1588     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1589     							  reg[0]);
1590     		if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1591     			return -EINVAL;
1592     	}
1593
1594     	boardinfo->static_addr = reg[0];
1595
1596     	if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
/drivers/i3c/master.c: 1598             in of_i3c_master_add_i3c_boardinfo()
1592     	}
1593
1594     	boardinfo->static_addr = reg[0];
1595
1596     	if (!dev_read_u32(dev, "assigned-address", &init_dyn_addr)) {
1597     		if (init_dyn_addr > I3C_MAX_ADDR)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1598     			return -EINVAL;
1599
1600     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601     							  init_dyn_addr);
1602     		if (addrstatus != I3C_ADDR_SLOT_FREE)
1603     			return -EINVAL;
/drivers/i3c/master.c: 1603             in of_i3c_master_add_i3c_boardinfo()
1597     		if (init_dyn_addr > I3C_MAX_ADDR)
1598     			return -EINVAL;
1599
1600     		addrstatus = i3c_bus_get_addr_slot_status(&master->bus,
1601     							  init_dyn_addr);
1602     		if (addrstatus != I3C_ADDR_SLOT_FREE)
>>>     CID 583811:           (RESOURCE_LEAK)
>>>     Variable "boardinfo" going out of scope leaks the storage it points to.
1603     			return -EINVAL;
1604     	}
1605
1606     	boardinfo->pid = ((u64)reg[1] << 32) | reg[2];
1607
1608     	if ((boardinfo->pid & GENMASK_ULL(63, 48)) ||

** CID 298388:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579           in dw_i3c_ccc_get()


_____________________________________________________________________________________________
*** CID 298388:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 579             in dw_i3c_ccc_get()
573     		return -ENOMEM;
574
575     	cmd = xfer->cmds;
576     	cmd->rx_buf = ccc->dests[0].payload.data;
577     	cmd->rx_len = ccc->dests[0].payload.len;
578
>>>     CID 298388:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
579     	cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
580     		      COMMAND_PORT_TRANSFER_ARG;
581
582     	cmd->cmd_lo = COMMAND_PORT_READ_TRANSFER |
583     		      COMMAND_PORT_CP |
584     		      COMMAND_PORT_DEV_INDEX(pos) |

** CID 298037:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375           in dw_i3c_clk_cfg()


_____________________________________________________________________________________________
*** CID 298037:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 375             in dw_i3c_clk_cfg()
369     	scl_timing = SCL_EXT_LCNT_1(lcnt);
370     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR2_SCL_RATE) - hcnt;
371     	scl_timing |= SCL_EXT_LCNT_2(lcnt);
372     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR3_SCL_RATE) - hcnt;
373     	scl_timing |= SCL_EXT_LCNT_3(lcnt);
374     	lcnt = DIV_ROUND_UP(core_rate, I3C_BUS_SDR4_SCL_RATE) - hcnt;
>>>     CID 298037:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "lcnt" with type "u8" (8 bits, unsigned) is promoted in "lcnt << 24" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lcnt << 24" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
375     	scl_timing |= SCL_EXT_LCNT_4(lcnt);
376     	writel(scl_timing, master->regs + SCL_EXT_LCNT_TIMING);
377
378     	return 0;
379     }
380

** CID 296053:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535           in dw_i3c_ccc_set()


_____________________________________________________________________________________________
*** CID 296053:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 535             in dw_i3c_ccc_set()
529     		return -ENOMEM;
530
531     	cmd = xfer->cmds;
532     	cmd->tx_buf = ccc->dests[0].payload.data;
533     	cmd->tx_len = ccc->dests[0].payload.len;
534
>>>     CID 296053:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ccc->dests[0].payload.len" with type "u16" (16 bits, unsigned) is promoted in "ccc->dests[0].payload.len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ccc->dests[0].payload.len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
535     	cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(ccc->dests[0].payload.len) |
536     		      COMMAND_PORT_TRANSFER_ARG;
537
538     	cmd->cmd_lo = COMMAND_PORT_CP |
539     		      COMMAND_PORT_DEV_INDEX(pos) |
540     		      COMMAND_PORT_CMD(ccc->id) |

** CID 295976:         (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395           in dw_i2c_clk_cfg()
/drivers/i3c/master/dw-i3c-master.c: 401           in dw_i2c_clk_cfg()


_____________________________________________________________________________________________
*** CID 295976:           (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 395             in dw_i2c_clk_cfg()
389     		return -EINVAL;
390
391     	core_period = DIV_ROUND_UP(1000000000, core_rate);
392
393     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FMP_TLOW_MIN_NS, core_period);
394     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_PLUS_SCL_RATE) - lcnt;
>>>     CID 295976:           (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
395     	scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396     		     SCL_I2C_FMP_TIMING_LCNT(lcnt);
397     	writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
/drivers/i3c/master/dw-i3c-master.c: 401             in dw_i2c_clk_cfg()
395     	scl_timing = SCL_I2C_FMP_TIMING_HCNT(hcnt) |
396     		     SCL_I2C_FMP_TIMING_LCNT(lcnt);
397     	writel(scl_timing, master->regs + SCL_I2C_FMP_TIMING);
398
399     	lcnt = DIV_ROUND_UP(I3C_BUS_I2C_FM_TLOW_MIN_NS, core_period);
400     	hcnt = DIV_ROUND_UP(core_rate, I3C_BUS_I2C_FM_SCL_RATE) - lcnt;
>>>     CID 295976:           (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "hcnt" with type "u16" (16 bits, unsigned) is promoted in "hcnt << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "hcnt << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
401     	scl_timing = SCL_I2C_FM_TIMING_HCNT(hcnt) |
402     		     SCL_I2C_FM_TIMING_LCNT(lcnt);
403     	writel(scl_timing, master->regs + SCL_I2C_FM_TIMING);
404
405     	writel(BUS_I3C_MST_FREE(lcnt), master->regs + BUS_FREE_TIMING);
406     	writel(readl(master->regs + DEVICE_CTRL) | DEV_CTRL_I2C_SLAVE_PRESENT,

** CID 294913:       Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724           in dw_i3c_master_priv_xfers()


_____________________________________________________________________________________________
*** CID 294913:         Integer handling issues  (SIGN_EXTENSION)
/drivers/i3c/master/dw-i3c-master.c: 724             in dw_i3c_master_priv_xfers()
718     	if (!xfer)
719     		return -ENOMEM;
720
721     	for (i = 0; i < i3c_nxfers; i++) {
722     		struct dw_i3c_cmd *cmd = &xfer->cmds[i];
723
>>>     CID 294913:         Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "i3c_xfers[i].len" with type "u16" (16 bits, unsigned) is promoted in "i3c_xfers[i].len << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "i3c_xfers[i].len << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
724     		cmd->cmd_hi = COMMAND_PORT_ARG_DATA_LEN(i3c_xfers[i].len) |
725     			COMMAND_PORT_TRANSFER_ARG;
726
727     		if (i3c_xfers[i].rnw) {
728     			cmd->rx_buf = i3c_xfers[i].data.in;
729     			cmd->rx_len = i3c_xfers[i].len;

** CID 294627:       Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master.c: 181           in i3c_bus_get_addr_slot_status()


_____________________________________________________________________________________________
*** CID 294627:         Integer handling issues  (BAD_SHIFT)
/drivers/i3c/master.c: 181             in i3c_bus_get_addr_slot_status()
175     	int status, bitpos = addr * 2;
176
177     	if (addr > I2C_MAX_ADDR)
178     		return I3C_ADDR_SLOT_RSVD;
179
180     	status = bus->addrslots[bitpos / BITS_PER_LONG];
>>>     CID 294627:         Integer handling issues  (BAD_SHIFT)
>>>     In expression "status >>= bitpos % 64", right shifting by more than 31 bits has undefined behavior.  The shift amount, "bitpos % 64", is as much as 63.
181     	status >>= bitpos % BITS_PER_LONG;
182
183     	return status & I3C_ADDR_SLOT_STATUS_MASK;
184     }
185
186     static void i3c_bus_set_addr_slot_status(struct i3c_bus *bus, u16 addr,



----- End forwarded message -----

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-29 16:32 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-07-29 16:32 UTC (permalink / raw)
  To: u-boot; +Cc: Heiko Schocher, Heinrich Schuchardt

[-- Attachment #1: Type: text/plain, Size: 5060 bytes --]

So I ran Coverity with the newest scan version and this is good news.
Only a few newly found issues in existing code.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Jul 29, 2025 at 10:04 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 3
   - 12 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 583415:       Integer handling issues  (INTEGER_OVERFLOW)
/cmd/i2c.c: 369           in do_i2c_write()


_____________________________________________________________________________________________
*** CID 583415:         Integer handling issues  (INTEGER_OVERFLOW)
/cmd/i2c.c: 369             in do_i2c_write()
363     			return i2c_report_err(ret, I2C_ERR_WRITE);
364     	} else {
365     		/*
366     		 * Repeated addressing - perform <length> separate
367     		 * write transactions of one byte each
368     		 */
>>>     CID 583415:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "length--", where "length" is known to be equal to 0, underflows the type of "length--", which is type "uint".
369     		while (length-- > 0) {
370     #if CONFIG_IS_ENABLED(DM_I2C)
371     			i2c_chip->flags |= DM_I2C_CHIP_WR_ADDRESS;
372     			ret = dm_i2c_write(dev, devaddr++, memaddr++, 1);
373     #else
374     			ret = i2c_write(chip, devaddr++, alen, memaddr++, 1);

** CID 583414:       Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 334           in eficonfig_append_menu_entry()


_____________________________________________________________________________________________
*** CID 583414:         Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 334             in eficonfig_append_menu_entry()
328
329     	entry = calloc(1, sizeof(struct eficonfig_entry));
330     	if (!entry)
331     		return EFI_OUT_OF_RESOURCES;
332
333     	entry->title = title;
>>>     CID 583414:         Memory - corruptions  (OVERRUN)
>>>     "sprintf" will overrun its first argument "entry->key" which can accommodate 3 bytes.  The number of bytes written may be 11 bytes, including the terminating null.
334     	sprintf(entry->key, "%d", efi_menu->count);
335     	entry->efi_menu = efi_menu;
336     	entry->func = func;
337     	entry->data = data;
338     	entry->num = efi_menu->count++;
339     	list_add_tail(&entry->list, &efi_menu->list);

** CID 583357:         (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714           in deflate_slow()
/lib/zlib/deflate.c: 1706           in deflate_slow()


_____________________________________________________________________________________________
*** CID 583357:           (INTEGER_OVERFLOW)
/lib/zlib/deflate.c: 1714             in deflate_slow()
1708
1709                 /* Insert in hash table all strings up to the end of the match.
1710                  * strstart-1 and strstart are already inserted. If there is not
1711                  * enough lookahead, the last two strings are not inserted in
1712                  * the hash table.
1713                  */
>>>     CID 583357:           (INTEGER_OVERFLOW)
>>>     Expression "s->lookahead", where "s->prev_length - 1U" is known to be equal to 4294967270, underflows the type of "s->lookahead", which is type "uInt".
1714                 s->lookahead -= s->prev_length-1;
1715                 s->prev_length -= 2;
1716                 do {
1717                     if (++s->strstart <= max_insert) {
1718                         INSERT_STRING(s, s->strstart, hash_head);
1719                     }
/lib/zlib/deflate.c: 1706             in deflate_slow()
1700             if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {
1701                 uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
1702                 /* Do not insert strings in hash table beyond this. */
1703
1704                 check_match(s, s->strstart-1, s->prev_match, s->prev_length);
1705
>>>     CID 583357:           (INTEGER_OVERFLOW)
>>>     Expression "len", where "s->prev_length - 3U" is known to be equal to 4294967267, overflows the type of "len", which is type "uch".
1706                 _tr_tally_dist(s, s->strstart -1 - s->prev_match,
1707                                s->prev_length - MIN_MATCH, bflush);
1708
1709                 /* Insert in hash table all strings up to the end of the match.
1710                  * strstart-1 and strstart are already inserted. If there is not
1711                  * enough lookahead, the last two strings are not inserted in



----- End forwarded message -----

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-25 13:26 Tom Rini
  2025-07-25 13:34 ` Michal Simek
  2025-08-04  9:11 ` Alexander Dahl
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2025-07-25 13:26 UTC (permalink / raw)
  To: u-boot, Michal Simek

[-- Attachment #1: Type: text/plain, Size: 8942 bytes --]

Here's the latest report. These aren't new issues as much as they are
Coverity now looking at FPGA code issues.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Jul 24, 2025 at 8:03 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 8
   - 3 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 8 of 8 defect(s)

Defect Details

** CID 583150:       Null pointer dereferences  (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54           in fpga_loadbitstream()


_____________________________________________________________________________________________
*** CID 583150:         Null pointer dereferences  (NULL_RETURNS)
/drivers/fpga/xilinx.c: 54             in fpga_loadbitstream()
48     	xilinx_desc *xdesc;
49
50     	dataptr = (unsigned char *)fpgadata;
51     	/* Find out fpga_description */
52     	desc = fpga_validate(devnum, dataptr, 0);
53     	/* Assign xilinx device description */
>>>     CID 583150:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing "desc", which is known to be "NULL".
54     	xdesc = desc->devdesc;
55
56     	/* skip the first bytes of the bitsteam, their meaning is unknown */
57     	length = (*dataptr << 8) + *(dataptr + 1);
58     	dataptr += 2;
59     	dataptr += length;

** CID 583149:       Control flow issues  (DEADCODE)
/drivers/fpga/ACEX1K.c: 226           in ACEX1K_ps_load()


_____________________________________________________________________________________________
*** CID 583149:         Control flow issues  (DEADCODE)
/drivers/fpga/ACEX1K.c: 226             in ACEX1K_ps_load()
220
221     #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
222     		if (ret_val == FPGA_SUCCESS) {
223     			puts ("Done.\n");
224     		}
225     		else {
>>>     CID 583149:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "puts("Fail.\n");".
226     			puts ("Fail.\n");
227     		}
228     #endif
229     	(*fn->post) (cookie);
230
231     	} else {

** CID 583148:       Control flow issues  (DEADCODE)
/drivers/fpga/cyclon2.c: 180           in CYC2_ps_load()


_____________________________________________________________________________________________
*** CID 583148:         Control flow issues  (DEADCODE)
/drivers/fpga/cyclon2.c: 180             in CYC2_ps_load()
174     		ret_val = FPGA_SUCCESS;
175
176     #ifdef CONFIG_SYS_FPGA_PROG_FEEDBACK
177     		if (ret_val == FPGA_SUCCESS)
178     			puts("Done.\n");
179     		else
>>>     CID 583148:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "puts("Fail.\n");".
180     			puts("Fail.\n");
181     #endif
182
183     		/*
184     		 * Run the post configuration function if there is one.
185     		 */

** CID 583147:       Integer handling issues  (NEGATIVE_RETURNS)


_____________________________________________________________________________________________
*** CID 583147:         Integer handling issues  (NEGATIVE_RETURNS)
/cmd/fpga.c: 305             in do_fpga_loadmk()
299     #if defined(CONFIG_GZIP)
300     			ulong image_buf = image_get_data(hdr);
301     			ulong image_size = ~0UL;
302
303     			data = image_get_load(hdr);
304
>>>     CID 583147:         Integer handling issues  (NEGATIVE_RETURNS)
>>>     A negative constant "-1" is passed as an argument to a parameter that cannot be negative.
305     			if (gunzip((void *)data, ~0U, (void *)image_buf,
306     				   &image_size) != 0) {
307     				log_err("Gunzip error\n");
308     				return CMD_RET_FAILURE;
309     			}
310     			data_size = image_size;

** CID 583146:       Control flow issues  (DEADCODE)
/drivers/fpga/ivm_core.c: 1306           in ispVMDataCode()


_____________________________________________________________________________________________
*** CID 583146:         Control flow issues  (DEADCODE)
/drivers/fpga/ivm_core.c: 1306             in ispVMDataCode()
1300     		/*
1301     		 * Encountered invalid opcode.
1302     		 */
1303
1304     		return VME_INVALID_FILE;
1305     	} else {
>>>     CID 583146:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return 0;".
1306     		return 0;
1307     	}
1308     }
1309
1310     /*
1311      *

** CID 583145:         (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959           in ispVMBitShift()
/drivers/fpga/ivm_core.c: 1974           in ispVMBitShift()


_____________________________________________________________________________________________
*** CID 583145:           (INTEGER_OVERFLOW)
/drivers/fpga/ivm_core.c: 1959             in ispVMBitShift()
1953     		for (i = 0; i < size; i++) {
1954     			if (g_pucInData[i] != 0) {
1955     				tmpbits = bits;
1956     				while (tmpbits > 0) {
1957     					g_pucInData[i] <<= 1;
1958     					if (g_pucInData[i] == 0) {
>>>     CID 583145:           (INTEGER_OVERFLOW)
>>>     Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1959     						i--;
1960     						g_pucInData[i] = 1;
1961     					}
1962     					tmpbits--;
1963     				}
1964     			}
/drivers/fpga/ivm_core.c: 1974             in ispVMBitShift()
1968     		for (i = 0; i < size; i++) {
1969     			if (g_pucInData[i] != 0) {
1970     				tmpbits = bits;
1971     				while (tmpbits > 0) {
1972     					g_pucInData[i] >>= 1;
1973     					if (g_pucInData[i] == 0) {
>>>     CID 583145:           (INTEGER_OVERFLOW)
>>>     Expression "i--", where "i" is known to be equal to 0, underflows the type of "i--", which is type "unsigned short".
1974     						i--;
1975     						g_pucInData[i] = 8;
1976     					}
1977     					tmpbits--;
1978     				}
1979     			}

** CID 583144:       Null pointer dereferences  (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406           in ispVMBypass()


_____________________________________________________________________________________________
*** CID 583144:         Null pointer dereferences  (FORWARD_NULL)
/drivers/fpga/ivm_core.c: 2406             in ispVMBypass()
2400
2401     	iSourceIndex = 0;
2402     	cBitState = 0;
2403     	for (iIndex = 0; iIndex < Bits - 1; iIndex++) {
2404     		/* Scan instruction or bypass register */
2405     		if (iIndex % 8 == 0) {
>>>     CID 583144:         Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "pcSource".
2406     			cCurByte = pcSource[iSourceIndex++];
2407     		}
2408     		cBitState = (unsigned char) (((cCurByte << iIndex % 8) & 0x80)
2409     			? 0x01 : 0x00);
2410     		writePort(g_ucPinTDI, cBitState);
2411     		sclock();

** CID 583143:         (OVERRUN)
/drivers/fpga/ivm_core.c: 2455           in ispVMStateMachine()
/drivers/fpga/ivm_core.c: 2458           in ispVMStateMachine()


_____________________________________________________________________________________________
*** CID 583143:           (OVERRUN)
/drivers/fpga/ivm_core.c: 2455             in ispVMStateMachine()
2449     				 g_JTAGTransistions[cStateIndex].NextState)) {
2450     			break;
2451     		}
2452     	}
2453
2454     	g_cCurrentJTAGState = cNextJTAGState;
>>>     CID 583143:           (OVERRUN)
>>>     Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2455     	for (cPathIndex = 0;
2456     		cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457     		cPathIndex++) {
2458     		if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459     			& 0x80) {
2460     			writePort(g_ucPinTMS, (unsigned char) 0x01);
/drivers/fpga/ivm_core.c: 2458             in ispVMStateMachine()
2452     	}
2453
2454     	g_cCurrentJTAGState = cNextJTAGState;
2455     	for (cPathIndex = 0;
2456     		cPathIndex < g_JTAGTransistions[cStateIndex].Pulses;
2457     		cPathIndex++) {
>>>     CID 583143:           (OVERRUN)
>>>     Overrunning array "g_JTAGTransistions" of 25 4-byte elements at element index 25 (byte offset 103) using index "cStateIndex" (which evaluates to 25).
2458     		if ((g_JTAGTransistions[cStateIndex].Pattern << cPathIndex)
2459     			& 0x80) {
2460     			writePort(g_ucPinTMS, (unsigned char) 0x01);
2461     		} else {
2462     			writePort(g_ucPinTMS, (unsigned char) 0x00);
2463     		}



----- End forwarded message -----

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-14 23:29 Tom Rini
  2025-07-15 13:45 ` Rasmus Villemoes
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-07-14 23:29 UTC (permalink / raw)
  To: u-boot, Andrew Goodbody, Rasmus Villemoes

[-- Attachment #1: Type: text/plain, Size: 3887 bytes --]

Here's the latest report from Coverity. Good news is closing 5 existing
issues (overlap with smatch I think) but 3 new ones. Or maybe it's
related to Rasmus' cleanup series? I can only run one report a day, I
think, so I don't have a granular breakdown on which changes today brought
these up.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 14, 2025 at 5:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 3
   - 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 3 of 3 defect(s)

Defect Details

** CID 573150:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1531           in dm_pci_map_ea_virt()


_____________________________________________________________________________________________
*** CID 573150:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1531             in dm_pci_map_ea_virt()
1525     		if (ea_entry & PCI_EA_IS_64) {
1526     			/* MaxOffset 2nd DW */
1527     			dm_pci_read_config32(dev, ea_off + 16, &ea_entry);
1528     			sz |= ((u64)ea_entry) << 32;
1529     		}
1530
>>>     CID 573150:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "sz + 1UL", where "sz" is known to be equal to 18446744073709551615, overflows the type of "sz + 1UL", which is type "unsigned long".
1531     		addr = (pdata->virtid - 1) * (sz + 1);
1532     	}
1533
1534     	return addr;
1535     }
1536

** CID 573149:       Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/lib/efi_loader/efi_file.c: 594           in efi_file_read_int()


_____________________________________________________________________________________________
*** CID 573149:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/lib/efi_loader/efi_file.c: 594             in efi_file_read_int()
588
589     	bs = *buffer_size;
590     	if (fh->isdir)
591     		ret = dir_read(fh, &bs, buffer);
592     	else
593     		ret = file_read(fh, &bs, buffer);
>>>     CID 573149:         Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "bs <= 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */" is always true regardless of the values of its operands. This occurs as the logical operand of "if".
594     	if (bs <= SIZE_MAX)
595     		*buffer_size = bs;
596     	else
597     		*buffer_size = SIZE_MAX;
598
599     	return ret;

** CID 573148:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1581           in dm_pci_map_ea_bar()


_____________________________________________________________________________________________
*** CID 573148:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/pci/pci-uclass.c: 1581             in dm_pci_map_ea_bar()
1575     			addr |= ((u64)ea_entry) << 32;
1576     		}
1577
1578     		if (IS_ENABLED(CONFIG_PCI_SRIOV))
1579     			addr += dm_pci_map_ea_virt(dev, ea_off, pdata);
1580
>>>     CID 573148:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "4294967295U - addr", where "addr" is known to be equal to 4294967292, underflows the type of "4294967295U - addr", which is type "unsigned int".
1581     		if (~((phys_addr_t)0) - addr < offset)
1582     			return NULL;
1583
1584     		/* size ignored for now */
1585     		return map_physmem(addr + offset, len, MAP_NOCACHE);
1586     	}



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-07-08 14:10 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-07-08 14:10 UTC (permalink / raw)
  To: u-boot
  Cc: Simon Glass, Heinrich Schuchardt, Ilias Apalodimas, Marek Vasut,
	Sughosh Ganu, Ying-Chun Liu (PaulLiu), Aristo Chen,
	Rasmus Villemoes, Sean Edmond, Miquel Raynal

Hey all,

Good news, Coverity Scan resumed putting information in the email
report. Bad news, 20 new issues now that next has been merged.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 7, 2025 at 5:39 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.

   - *New Defects Found:* 20
   - 6 defect(s), reported by Coverity Scan earlier, were marked fixed in
   the recent build analyzed by Coverity Scan.
   - *Defects Shown:* Showing 20 of 20 defect(s)

Defect Details

** CID 569500:       Incorrect expression  (UNUSED_VALUE)
/boot/bootflow_menu.c: 158           in bootflow_menu_add()


_____________________________________________________________________________________________
*** CID 569500:         Incorrect expression  (UNUSED_VALUE)
/boot/bootflow_menu.c: 158             in bootflow_menu_add()
152
153     	if (!label) {
154     		free(key);
155     		return log_msg_ret("nam", -ENOMEM);
156     	}
157
>>>     CID 569500:         Incorrect expression  (UNUSED_VALUE)
>>>     Assigning value from "priv->last_bootdev != bflow->dev" to "add_gap" here, but that stored value is overwritten before it can be used.
158     	add_gap = priv->last_bootdev != bflow->dev;
159
160     	/* disable this gap for now, since it looks a little ugly */
161     	add_gap = false;
162     	priv->last_bootdev = bflow->dev;
163

** CID 569499:       Null pointer dereferences  (NULL_RETURNS)
/lib/efi_loader/efi_memory.c: 719           in efi_realloc()


_____________________________________________________________________________________________
*** CID 569499:         Null pointer dereferences  (NULL_RETURNS)
/lib/efi_loader/efi_memory.c: 719             in efi_realloc()
713     	old_size = alloc->num_pages * EFI_PAGE_SIZE -
714     		sizeof(struct efi_pool_allocation);
715
716     	new_ptr = efi_alloc(size);
717
718     	/* copy old data to new alloced buffer */
>>>     CID 569499:         Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "new_ptr" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
719     	memcpy(new_ptr, *ptr, min(size, old_size));
720
721     	/* free the old buffer */
722     	efi_free_pool(*ptr);
723
724     	*ptr = new_ptr;

** CID 569498:       Code maintainability issues  (SIZEOF_MISMATCH)
/lib/efi_loader/efi_debug_support.c: 163           in efi_core_remove_debug_image_info_entry()


_____________________________________________________________________________________________
*** CID 569498:         Code maintainability issues  (SIZEOF_MISMATCH)
/lib/efi_loader/efi_debug_support.c: 163             in efi_core_remove_debug_image_info_entry()
157     		    table[index].normal_image->image_handle == image_handle) {
158     			/* Found a match. Free up the table entry.
159     			 * Move the tail of the table one slot to the front.
160     			 */
161     			efi_free_pool(table[index].normal_image);
162
>>>     CID 569498:         Code maintainability issues  (SIZEOF_MISMATCH)
>>>     Passing argument "&table[index]" of type "union efi_debug_image_info *" and argument "(efi_m_debug_info_table_header.table_size - index - 1) * 8UL /* sizeof (union efi_debug_image_info *) */" to function "memmove" is suspicious. In this case, "sizeof (union efi_debug_image_info *)" is equal to "sizeof (union efi_debug_image_info)", but this is not a portable assumption.
163     			memmove(&table[index],
164     				&table[index + 1],
165     				(efi_m_debug_info_table_header.table_size -
166     				 index - 1) * EFI_DEBUG_TABLE_ENTRY_SIZE);
167
168     			/* Decrease the number of EFI_DEBUG_IMAGE_INFO

** CID 569497:       Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73           in efi_test_fmp_get_image_info()


_____________________________________________________________________________________________
*** CID 569497:         Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73             in efi_test_fmp_get_image_info()
67     	if (package_version)
68     		*package_version = 0xffffffff;
69     	if (package_version_name)
70     		*package_version_name = NULL;
71
72     	if (*image_info_size < sizeof(*image_info)) {
>>>     CID 569497:         Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "descriptor_count".
73     		*image_info_size = *descriptor_size * *descriptor_count;
74     		return EFI_BUFFER_TOO_SMALL;
75     	}
76
77     	for (int idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
78     		image_info[idx] = static_img_info[idx];

** CID 569496:       Integer handling issues  (INTEGER_OVERFLOW)
/drivers/usb/emul/sandbox_hub.c: 298           in sandbox_child_post_bind()


_____________________________________________________________________________________________
*** CID 569496:         Integer handling issues  (INTEGER_OVERFLOW)
/drivers/usb/emul/sandbox_hub.c: 298             in sandbox_child_post_bind()
292     static int sandbox_child_post_bind(struct udevice *dev)
293     {
294     	struct sandbox_hub_plat *plat = dev_get_parent_plat(dev);
295     	struct usb_emul_plat *emul = dev_get_uclass_plat(dev);
296
297     	plat->port = dev_read_u32_default(dev, "reg", -1);
>>>     CID 569496:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "plat->port + 1", where "plat->port" is known to be equal to -1, overflows the type of "plat->port + 1", which is type "int".
298     	emul->port1 = plat->port + 1;
299
300     	return 0;
301     }
302
303     static const struct dm_usb_ops sandbox_usb_hub_ops = {

** CID 569495:       Integer handling issues  (NEGATIVE_RETURNS)


_____________________________________________________________________________________________
*** CID 569495:         Integer handling issues  (NEGATIVE_RETURNS)
/tools/fit_image.c: 921             in fit_handle_file()
915     	do {
916     		if (copyfile(bakfile, tmpfile) < 0) {
917     			printf("Can't copy %s to %s\n", bakfile, tmpfile);
918     			ret = -EIO;
919     			break;
920     		}
>>>     CID 569495:         Integer handling issues  (NEGATIVE_RETURNS)
>>>     "size_inc" is passed to a parameter that cannot be negative.
921     		ret = fit_add_file_data(params, size_inc, tmpfile);
922     		if (!ret || ret != -ENOSPC)
923     			break;
924     		size_inc += 1024;
925     	} while (size_inc < 64 * 1024);
926

** CID 569494:       Control flow issues  (DEADCODE)
/lib/efi_selftest/efi_selftest_config_table.c: 129           in execute()


_____________________________________________________________________________________________
*** CID 569494:         Control flow issues  (DEADCODE)
/lib/efi_selftest/efi_selftest_config_table.c: 129             in execute()
123     		return EFI_ST_FAILURE;
124     	}
125     	if (counter != 1) {
126     		efi_st_error("Notification function was not called.\n");
127     		return EFI_ST_FAILURE;
128     	}
>>>     CID 569494:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "if (table_count != sys_tabl...".
129     	if (table_count != sys_table->nr_tables) {
130     		efi_st_error("Incorrect table count %u, expected %u\n",
131     			     (unsigned int)sys_table->nr_tables,
132     			     (unsigned int)table_count);
133     		return EFI_ST_FAILURE;
134     	}

** CID 569493:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 569493:         Insecure data handling  (TAINTED_SCALAR)
/lib/efi_selftest/efi_selftest_esrt.c: 276             in execute()
270     		efi_st_error("ESRT mismatch in new entry count (%d), expected (%d).\n",
271     			     entry_delta, TEST_ESRT_NUM_ENTRIES);
272     		return EFI_ST_FAILURE;
273     	}
274
275     	for (u32 idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
>>>     CID 569493:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "esrt->fw_resource_count" to "lib_test_check_uuid_entry", which uses it as a loop boundary.
276     		if (!lib_test_check_uuid_entry(esrt, &static_img_info[idx])) {
277     			efi_st_error("ESRT entry mismatch\n");
278     			return EFI_ST_FAILURE;
279     		}
280
281     	return EFI_ST_SUCCESS;

** CID 569492:         (DC.WEAK_CRYPTO)
/net/bootp.c: 442           in bootp_timeout_handler()
/net/bootp.c: 441           in bootp_timeout_handler()


_____________________________________________________________________________________________
*** CID 569492:           (DC.WEAK_CRYPTO)
/net/bootp.c: 442             in bootp_timeout_handler()
436     			bootp_timeout = retransmit_period_max_ms;
437
438     		/* Randomize by adding bootp_timeout*RAND, where RAND
439     		 * is a randomization factor between -0.1..+0.1
440     		 */
441     		srand(get_ticks() + rand());
>>>     CID 569492:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
442     		rand_minus_plus_100 = ((rand() % 200) - 100);
443     		bootp_timeout = bootp_timeout +
444     				(((int)bootp_timeout * rand_minus_plus_100) / 1000);
445
446     		net_set_timeout_handler(bootp_timeout, bootp_timeout_handler);
447     		bootp_request();
/net/bootp.c: 441             in bootp_timeout_handler()
435     		if (bootp_timeout > retransmit_period_max_ms)
436     			bootp_timeout = retransmit_period_max_ms;
437
438     		/* Randomize by adding bootp_timeout*RAND, where RAND
439     		 * is a randomization factor between -0.1..+0.1
440     		 */
>>>     CID 569492:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
441     		srand(get_ticks() + rand());
442     		rand_minus_plus_100 = ((rand() % 200) - 100);
443     		bootp_timeout = bootp_timeout +
444     				(((int)bootp_timeout * rand_minus_plus_100) / 1000);
445
446     		net_set_timeout_handler(bootp_timeout, bootp_timeout_handler);

** CID 569491:       Error handling issues  (NEGATIVE_RETURNS)
/tools/file2include.c: 56           in main()


_____________________________________________________________________________________________
*** CID 569491:         Error handling issues  (NEGATIVE_RETURNS)
/tools/file2include.c: 56             in main()
50     	if (!count) {
51     		fprintf(stderr, "File %s has length 0\n", argv[1]);
52     		return EXIT_FAILURE;
53     	}
54     	rewind(file);
55     	/* Read file */
>>>     CID 569491:         Error handling issues  (NEGATIVE_RETURNS)
>>>     "count" is passed to a parameter that cannot be negative.
56     	buf = malloc(count);
57     	if (!buf) {
58     		perror("calloc");
59     		return EXIT_FAILURE;
60     	}
61     	count = fread(buf, 1, count, file);

** CID 569490:       Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73           in efi_test_fmp_get_image_info()


_____________________________________________________________________________________________
*** CID 569490:         Null pointer dereferences  (FORWARD_NULL)
/lib/efi_selftest/efi_selftest_esrt.c: 73             in efi_test_fmp_get_image_info()
67     	if (package_version)
68     		*package_version = 0xffffffff;
69     	if (package_version_name)
70     		*package_version_name = NULL;
71
72     	if (*image_info_size < sizeof(*image_info)) {
>>>     CID 569490:         Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "descriptor_size".
73     		*image_info_size = *descriptor_size * *descriptor_count;
74     		return EFI_BUFFER_TOO_SMALL;
75     	}
76
77     	for (int idx = 0; idx < TEST_ESRT_NUM_ENTRIES; idx++)
78     		image_info[idx] = static_img_info[idx];

** CID 569489:       Integer handling issues  (INTEGER_OVERFLOW)
/lib/efi_selftest/efi_selftest_bitblt.c: 83           in notify()


_____________________________________________________________________________________________
*** CID 569489:         Integer handling issues  (INTEGER_OVERFLOW)
/lib/efi_selftest/efi_selftest_bitblt.c: 83             in notify()
77     	/* Increment position */
78     	pos->x += 5;
79     	if (pos->x >= WIDTH + gop->mode->info->width)
80     		pos->x = 0;
81
82     	width = WIDTH;
>>>     CID 569489:         Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "pos->x - 200UL", where "pos->x" is known to be equal to 0, underflows the type of "pos->x - 200UL", which is type "unsigned long".
83     	dx = pos->x - WIDTH;
84     	sx = 0;
85     	if (pos->x >= gop->mode->info->width) {
86     		width = WIDTH +  gop->mode->info->width - pos->x;
87     	} else if (pos->x < WIDTH) {
88     		dx = 0;

** CID 569488:       Control flow issues  (NO_EFFECT)
/tools/fit_image.c: 913           in fit_handle_file()


_____________________________________________________________________________________________
*** CID 569488:         Control flow issues  (NO_EFFECT)
/tools/fit_image.c: 913             in fit_handle_file()
907     	 * signatures. We do an attempt at estimating the expected
908     	 * extra size, but just in case that is not sufficient, keep
909     	 * trying adding 1K, with a reasonable upper bound of 64K
910     	 * total, until we succeed.
911     	 */
912     	size_inc = fit_estimate_hash_sig_size(params, bakfile);
>>>     CID 569488:         Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "size_inc < 0UL".
913     	if (size_inc < 0)
914     		goto err_system;
915     	do {
916     		if (copyfile(bakfile, tmpfile) < 0) {
917     			printf("Can't copy %s to %s\n", bakfile, tmpfile);
918     			ret = -EIO;

** CID 569487:       Insecure data handling  (TAINTED_SCALAR)


_____________________________________________________________________________________________
*** CID 569487:         Insecure data handling  (TAINTED_SCALAR)
/boot/cedit.c: 474             in cedit_write_settings()
468     	}
469
470     	ret = fdt_end_node(fdt);
471     	if (!ret)
472     		ret = fdt_end_node(fdt);
473     	if (!ret)
>>>     CID 569487:         Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "fdt->size_dt_strings" to "fdt_finish", which uses it as an offset.
474     		ret = fdt_finish(fdt);
475     	if (ret) {
476     		log_debug("Failed to finish FDT (err=%d)\n", ret);
477     		return log_msg_ret("fin", -EINVAL);
478     	}
479

** CID 569486:       Incorrect expression  (SIZEOF_MISMATCH)
/lib/efi_selftest/efi_selftest_console.c: 242           in efi_st_printc()


_____________________________________________________________________________________________
*** CID 569486:         Incorrect expression  (SIZEOF_MISMATCH)
/lib/efi_selftest/efi_selftest_console.c: 242             in efi_st_printc()
236     					break;
237     				case 'U':
238     					print_uuid(va_arg(args, void*), &pos);
239     					break;
240     				default:
241     					--c;
>>>     CID 569486:         Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "va_arg (args, void *)" of type "void *" and argument "16 /* 2 * sizeof (void *) */" to function "printx" is suspicious.
242     					printx((uintptr_t)va_arg(args, void *),
243     					       2 * sizeof(void *), &pos);
244     					break;
245     				}
246     				break;
247     			case 's':

** CID 569485:         (DC.WEAK_CRYPTO)
/net/bootp.c: 837           in bootp_request()
/net/bootp.c: 838           in bootp_request()


_____________________________________________________________________________________________
*** CID 569485:           (DC.WEAK_CRYPTO)
/net/bootp.c: 837             in bootp_request()
831     	extlen = bootp_extended((u8 *)bp->bp_vend);
832     #endif
833
834     	/* Only generate a new transaction ID for each new BOOTP request */
835     	if (bootp_try == 1) {
836     		if (IS_ENABLED(CONFIG_BOOTP_RANDOM_XID)) {
>>>     CID 569485:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
837     			srand(get_ticks() + rand());
838     			bootp_id = rand();
839     		} else {
840     			/*
841     			 *	Bootp ID is the lower 4 bytes of our ethernet address
842     			 *	plus the current time in ms.
/net/bootp.c: 838             in bootp_request()
832     #endif
833
834     	/* Only generate a new transaction ID for each new BOOTP request */
835     	if (bootp_try == 1) {
836     		if (IS_ENABLED(CONFIG_BOOTP_RANDOM_XID)) {
837     			srand(get_ticks() + rand());
>>>     CID 569485:           (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
838     			bootp_id = rand();
839     		} else {
840     			/*
841     			 *	Bootp ID is the lower 4 bytes of our ethernet address
842     			 *	plus the current time in ms.
843     			 */

** CID 569484:       Insecure data handling  (INTEGER_OVERFLOW)
/drivers/core/uclass.c: 339           in uclass_find_next_free_seq()


_____________________________________________________________________________________________
*** CID 569484:         Insecure data handling  (INTEGER_OVERFLOW)
/drivers/core/uclass.c: 339             in uclass_find_next_free_seq()
333     	}
334     	/*
335     	 * At this point, max will be -1 if there are no existing aliases or
336     	 * devices
337     	 */
338
>>>     CID 569484:         Insecure data handling  (INTEGER_OVERFLOW)
>>>     "max + 1", which might have overflowed, is returned from the function.
339     	return max + 1;
340     }
341
342     int uclass_find_device_by_seq(enum uclass_id id, int seq, struct udevice **devp)
343     {
344     	struct uclass *uc;

** CID 569483:       Control flow issues  (DEADCODE)
/boot/bootflow_menu.c: 178           in bootflow_menu_add()


_____________________________________________________________________________________________
*** CID 569483:         Control flow issues  (DEADCODE)
/boot/bootflow_menu.c: 178             in bootflow_menu_add()
172     	preview_id = 0;
173     	if (bflow->logo) {
174     		preview_id = ITEM_PREVIEW + seq;
175     		ret |= scene_img(scn, "preview", preview_id,
176     				     bflow->logo, NULL);
177     	}
>>>     CID 569483:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "SCENEMIF_GAP_BEFORE" inside this statement: "ret |= scene_menuitem(scn, ...".
178     	ret |= scene_menuitem(scn, OBJ_MENU, "item", ITEM + seq,
179     				  ITEM_KEY + seq, ITEM_LABEL + seq,
180     				  ITEM_DESC + seq, preview_id,
181     				  add_gap ? SCENEMIF_GAP_BEFORE : 0,
182     				  NULL);
183

** CID 569482:       Control flow issues  (DEADCODE)
/tools/fit_image.c: 914           in fit_handle_file()


_____________________________________________________________________________________________
*** CID 569482:         Control flow issues  (DEADCODE)
/tools/fit_image.c: 914             in fit_handle_file()
908     	 * extra size, but just in case that is not sufficient, keep
909     	 * trying adding 1K, with a reasonable upper bound of 64K
910     	 * total, until we succeed.
911     	 */
912     	size_inc = fit_estimate_hash_sig_size(params, bakfile);
913     	if (size_inc < 0)
>>>     CID 569482:         Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "goto err_system;".
914     		goto err_system;
915     	do {
916     		if (copyfile(bakfile, tmpfile) < 0) {
917     			printf("Can't copy %s to %s\n", bakfile, tmpfile);
918     			ret = -EIO;
919     			break;

** CID 569481:       Control flow issues  (MISSING_BREAK)
/lib/lmb.c: 763           in lmb_alloc_mem()


_____________________________________________________________________________________________
*** CID 569481:         Control flow issues  (MISSING_BREAK)
/lib/lmb.c: 763             in lmb_alloc_mem()
757     		return 0;
758
759     	if (!addr)
760     		return -EINVAL;
761
762     	switch (type) {
>>>     CID 569481:         Control flow issues  (MISSING_BREAK)
>>>     The case for value "LMB_MEM_ALLOC_ANY" is not terminated by a "break" statement.
763     	case LMB_MEM_ALLOC_ANY:
764     		*addr = LMB_ALLOC_ANYWHERE;
765     	case LMB_MEM_ALLOC_MAX:
766     		ret = _lmb_alloc_base(size, align, addr, flags);
767     		break;
768     	case LMB_MEM_ALLOC_ADDR:



View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>

Best regards,

The Coverity Scan Admin Team

----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-04-28 21:59 Tom Rini
  2025-04-29 12:07 ` Jerome Forissier
                   ` (2 more replies)
  0 siblings, 3 replies; 105+ messages in thread
From: Tom Rini @ 2025-04-28 21:59 UTC (permalink / raw)
  To: u-boot, Jerome Forissier, Varadarajan Narayanan, Casey Connolly,
	Marek Vasut, Heinrich Schuchardt, Patrick Rudolph,
	Adriano Cordova, Paul HENRYS, Daniel Golle, Simon Glass

Hey all,

Here's the latest set of Coverity defects. Please let me know if some of
these are false positives for example, thanks.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 28, 2025 at 3:52 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 33 defect(s)


** CID 550306:  Control flow issues  (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()


________________________________________________________________________________________________________
*** CID 550306:  Control flow issues  (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()
541             int rc;
542             cluster_t cluster;
543             const char* bufp = buffer;
544             off_t lsize, loffset, remainder;
545
546             if (offset < 0)
>>>     CID 550306:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -22L;".
547                     return -EINVAL;
548             if (uoffset > node->size)
549             {
550                     rc = exfat_truncate(ef, node, uoffset, true);
551                     if (rc != 0)
552                             return rc;

** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()


________________________________________________________________________________________________________
*** CID 550305:  Security best practices violations  (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()
733                     return err;
734
735             dirs = calloc(1, sizeof(*dirs));
736             if (!dirs)
737                     return -ENOMEM;
738
>>>     CID 550305:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 1024-character fixed-size string "dirs->dirname" by copying "filename" without checking the length.
739             strcpy(dirs->dirname, filename);
740             dirs->offset = -1;
741
742             *dirsp = &dirs->fs_dirs;
743
744             return 0;

** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()


________________________________________________________________________________________________________
*** CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()
92      (void) munmap((void *)fit_blob, fsbuf.st_size);
93
94      if (key_blob)
95              (void)munmap((void *)key_blob, ksbuf.st_size);
96
97      close(ffd);
>>>     CID 550304:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "kfd" is passed to a parameter that cannot be negative.
98      close(kfd);
99      exit(ret);

** CID 550303:  Control flow issues  (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()


________________________________________________________________________________________________________
*** CID 550303:  Control flow issues  (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()
126
127             info.algo_name = algo;
128             info.padding_name = padding;
129             info.key = (uint8_t *)pkey;
130             info.mandatory = 1;
131             info.sig_size = EVP_PKEY_size(pkey);
>>>     CID 550303:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "info.sig_size < 0U".
132             if (info.sig_size < 0) {
133                     fprintf(stderr, "Fail to retrieve the signature size: %s\n",
134                             ERR_error_string(ERR_get_error(), NULL));
135                     ret = EXIT_FAILURE;
136                     goto out;
137             }

** CID 550302:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 550302:    (TAINTED_SCALAR)
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt *)hdr)->firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt *)hdr)->x_dsdt" to "list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt *)hdr)->dsdt" to "list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {
/cmd/acpi.c: 116 in list_rsdt()
110                             entry = xsdt->entry[i];
111                     else
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "hdr->length" to "dump_hdr", which uses it as a loop boundary.
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
/cmd/acpi.c: 95 in list_rsdt()
89      if (rsdp->rsdt_address) {
90              rsdt = nomap_sysmem(rsdp->rsdt_address, 0);
91              dump_hdr(&rsdt->header, chksums);
92      }
93      if (rsdp->xsdt_address) {
94              xsdt = nomap_sysmem(rsdp->xsdt_address, 0);
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "xsdt->header.length" to "dump_hdr",
which uses it as a loop boundary.
95              dump_hdr(&xsdt->header, chksums);
96              len = xsdt->header.length - sizeof(xsdt->header);
97              count = len / sizeof(u64);
98      } else if (rsdp->rsdt_address) {
99              len = rsdt->header.length - sizeof(rsdt->header);
100                     count = len / sizeof(u32);
/cmd/acpi.c: 118 in list_rsdt()
112                             entry = rsdt->entry[i];
113                     if (!entry)
114                             break;
115                     hdr = nomap_sysmem(entry, 0);
116                     dump_hdr(hdr, chksums);
117                     if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>     CID 550302:    (TAINTED_SCALAR)
>>>     Passing tainted expression "((struct acpi_fadt
*)hdr)->x_firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118                             list_fadt((struct acpi_fadt *)hdr, chksums);
119             }
120     }
121
122     static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123     {

** CID 550301:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 550301:    (OVERRUN)
/lib/acpi/acpi_table.c: 199 in acpi_add_table()
193
194                     /* Fix RSDT length or the kernel will assume invalid entries */
195                     rsdt->header.length = sizeof(struct acpi_table_header) +
196                                             (sizeof(u32) * (i + 1));
197
198                     /* Re-calculate checksum */
>>>     CID 550301:    (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 39 using argument
"rsdt->header.length" (which evaluates to 40).
199                     acpi_update_checksum(&rsdt->header);
200             }
201
202             if (ctx->xsdt) {
203                     /*
204                      * And now the same thing for the XSDT. We use the same index as for
/lib/acpi/acpi_table.c: 230 in acpi_add_table()
224
225                     /* Fix XSDT length */
226                     xsdt->header.length = sizeof(struct acpi_table_header) +
227                                             (sizeof(u64) * (i + 1));
228
229                     /* Re-calculate checksum */
>>>     CID 550301:    (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 43 using argument
"xsdt->header.length" (which evaluates to 44).
230                     acpi_update_checksum(&xsdt->header);
231             }
232
233             return 0;
234     }
235

** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()


________________________________________________________________________________________________________
*** CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()
140             /* 16 EB (minus 1 byte) is the largest size that can be represented by
141                uint64_t */
142             const char* units[] = {"bytes", "KB", "MB", "GB", "TB", "PB", "EB"};
143             uint64_t divisor = 1;
144             uint64_t temp = 0;
145
>>>     CID 550300:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "divisor", overflows the type of "divisor", which is
type "uint64_t".
146             for (i = 0; ; i++, divisor *= 1024)
147             {
148                     temp = (value + divisor / 2) / divisor;
149
150                     if (temp == 0)
151                             break;

** CID 550299:  Null pointer dereferences  (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()


________________________________________________________________________________________________________
*** CID 550299:  Null pointer dereferences  (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()
245                     strcpy(fh->path, "");
246             }
247
248             return &fh->base;
249
250     error:
>>>     CID 550299:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "fh".
251             free(fh->path);
252             free(fh);
253             return NULL;
254     }
255
256     efi_status_t efi_file_open_int(struct efi_file_handle *this,

** CID 550298:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()


________________________________________________________________________________________________________
*** CID 550298:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
1048            struct efi_handler *phandler;
1049
1050            if (!efi_netobj_is_active(netobj))
1051                    return NULL;
1052
1053            phandler = NULL;
>>>     CID 550298:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "efi_search_protocol" without checking return value (as is
done elsewhere 37 out of 42 times).
1054            efi_search_protocol(&netobj->header, &efi_guid_device_path, &phandler);
1055
1056            if (phandler && phandler->protocol_interface)
1057                    return efi_dp_dup(phandler->protocol_interface);
1058
1059            return NULL;

** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()


________________________________________________________________________________________________________
*** CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()
168                                     ret = wait_job(i);
169             } else {
170                     for (i = 1; i < argc; i++) {
171                             id = dectoul(argv[i], NULL);
172                             if (id < 0 || id > CONFIG_CMD_SPAWN_NUM_JOBS)
173                                     return CMD_RET_USAGE;
>>>     CID 550297:  Integer handling issues  (INTEGER_OVERFLOW)
>>>     Expression "idx", where "(int)id - 1" is known to be equal to -1,
overflows the type of "idx", which is type "unsigned int".
174                             idx = (int)id - 1;
175                             ret = wait_job(idx);
176                     }
177             }
178
179             return ret;

** CID 550296:  Control flow issues  (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()


________________________________________________________________________________________________________
*** CID 550296:  Control flow issues  (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()
166                     for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
167                             if (job[i])
168                                     ret = wait_job(i);
169             } else {
170                     for (i = 1; i < argc; i++) {
171                             id = dectoul(argv[i], NULL);
>>>     CID 550296:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true.
"id < 0UL".
172                             if (id < 0 || id > CONFIG_CMD_SPAWN_NUM_JOBS)
173                                     return CMD_RET_USAGE;
174                             idx = (int)id - 1;
175                             ret = wait_job(idx);
176                     }
177             }

** CID 550295:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 550295:  Insecure data handling  (TAINTED_SCALAR)
/test/lib/membuf.c: 235 in lib_test_membuf_readline()
229                             *ptr = '\n';
230                     } else {
231                             ut_assert(membuf_free(&mb));
232                     }
233             }
234             membuf_dispose(&mb);
>>>     CID 550295:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*buf" to "os_free", which uses it as an
offset.
235             os_free(buf);
236
237             return 0;
238     }

** CID 550294:  Code maintainability issues  (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()


________________________________________________________________________________________________________
*** CID 550294:  Code maintainability issues  (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()
62              ut_assertok(membuf_check(uts, &mb, i));
63
64              ret = membuf_get(&mb, out, 0);
65              ret = membuf_get(&mb, out, size);
66              ut_asserteq(size, ret);
67
>>>     CID 550294:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "membuf_get(&mb, out, 0)" to "ret" here, but
that stored value is overwritten before it can be used.
68              ret = membuf_get(&mb, out, 0);
69              ut_assertok(membuf_check(uts, &mb, i));
70
71              ut_asserteq_mem(in, out, size);
72      }
73

** CID 550293:  Memory - illegal accesses  (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()


________________________________________________________________________________________________________
*** CID 550293:  Memory - illegal accesses  (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()
218                     ret = membuf_readline(&mb, str, 256, 0, true);
219                     ut_assertok(membuf_check(uts, &mb, i));
220                     if (ret) {
221                             char *ptr;
222
223                             s = &buf[cmpptr];
>>>     CID 550293:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "s" to "strchr", which expects a
null-terminated string. [Note: The source code implementation of the
function has been overridden by a builtin model.]
224                             ptr = strchr(s, '\n');
225                             *ptr = '\0';
226
227                             ut_asserteq_str(s, str);
228                             cmpptr += strlen(s) + 1;
229                             *ptr = '\n';

** CID 550292:    (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()


________________________________________________________________________________________________________
*** CID 550292:    (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159             param[10] = 0x0;
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
>>>     CID 550292:    (BAD_SHIFT)
>>>     In expression "blocks >> 24", right shifting "blocks" by more than
15 bits always yields zero.  The shift amount is 24.
165             param[16] = (blocks >> 24) & 0xff;
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
165             param[16] = (blocks >> 24) & 0xff;
>>>     CID 550292:    (BAD_SHIFT)
>>>     In expression "blocks >> 16", right shifting "blocks" by more than
15 bits always yields zero.  The shift amount is 16.
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
171             pccb->cmd[0] = SCSI_UNMAP;

** CID 550291:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 550291:  Memory - corruptions  (OVERRUN)
/lib/acpi/acpi_table.c: 549 in acpi_write_spcr()
543              * to touch the configuration of the serial device.
544              */
545             if (serial_info.clock != SERIAL_DEFAULT_CLOCK)
546                     spcr->baud_rate = 0;
547
548             /* Fix checksum */
>>>     CID 550291:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 79 using argument
"header->length" (which evaluates to 80).
549             acpi_update_checksum(header);
550
551             acpi_add_table(ctx, spcr);
552             acpi_inc(ctx, spcr->header.length);
553
554             return 0;

** CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()


________________________________________________________________________________________________________
*** CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()
48      }
49
50      test_size = TEST_SIZE;
51
52      for (i = 1; i < TEST_COUNT; i++) {
53              membuf_zero(&mb);
>>>     CID 550290:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
54              size = rand() % test_size;
55
56              // now write patterns and check they come back OK
57              ret = membuf_put(&mb, in, 0);
58              ret = membuf_put(&mb, in, size);
59              ut_asserteq(size, ret);

** CID 550289:    (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()


________________________________________________________________________________________________________
*** CID 550289:    (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
165             param[16] = (blocks >> 24) & 0xff;
>>>     CID 550289:    (CONSTANT_EXPRESSION_RESULT)
>>>     "blocks >> 16" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));
171             pccb->cmd[0] = SCSI_UNMAP;
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159             param[10] = 0x0;
160             param[11] = 0x0;
161             param[12] = (start >> 24) & 0xff;
162             param[13] = (start >> 16) & 0xff;
163             param[14] = (start >> 8) & 0xff;
164             param[15] = (start) & 0xff;
>>>     CID 550289:    (CONSTANT_EXPRESSION_RESULT)
>>>     "blocks >> 24" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
165             param[16] = (blocks >> 24) & 0xff;
166             param[17] = (blocks >> 16) & 0xff;
167             param[18] = (blocks >> 8) & 0xff;
168             param[19] = (blocks) & 0xff;
169
170             memset(pccb->cmd, 0, sizeof(pccb->cmd));

** CID 550288:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 550288:  Memory - corruptions  (OVERRUN)
/lib/acpi/base.c: 53 in acpi_write_rsdt()
47      header->length = sizeof(struct acpi_rsdt);
48      header->revision = 1;
49
50      /* Entries are filled in later, we come with an empty set */
51
52      /* Fix checksum */
>>>     CID 550288:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 163 using argument
"header->length" (which evaluates to 164).
53      acpi_update_checksum(header);
54     }
55
56     static void acpi_write_xsdt(struct acpi_xsdt *xsdt)
57     {
58      struct acpi_table_header *header = &xsdt->header;

** CID 550287:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 550287:  Memory - corruptions  (OVERRUN)
/lib/acpi/acpi_table.c: 268 in acpi_write_fadt()
262                     fadt->dsdt = fadt->x_dsdt;
263
264             fadt->preferred_pm_profile = ACPI_PM_UNSPECIFIED;
265
266             acpi_fill_fadt(fadt);
267
>>>     CID 550287:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 275 using argument
"header->length" (which evaluates to 276).
268             acpi_update_checksum(header);
269
270             return acpi_add_fadt(ctx, fadt);
271     }
272
273     #ifndef CONFIG_QFW_ACPI


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-03-11  1:49 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2025-03-11  1:49 UTC (permalink / raw)
  To: u-boot, Adriano Cordova

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Mar 10, 2025 at 5:43 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 544194:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1084 in efi_net_set_dp()


________________________________________________________________________________________________________
*** CID 544194:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1084 in efi_net_set_dp()
1078            // If netobj is not started yet, end here.
1079            if (!netobj) {
1080                    goto exit;
1081            }
1082
1083            phandler = NULL;
>>>     CID 544194:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "efi_search_protocol" without checking return value (as is
done elsewhere 39 out of 43 times).
1084            efi_search_protocol(&netobj->header, &efi_guid_device_path, &phandler);
1085
1086            // If the device path protocol is not yet installed, install it
1087            if (!phandler)
1088                    goto add;
1089


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-02-25  2:39 Tom Rini
  2025-02-25  6:06 ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-02-25  2:39 UTC (permalink / raw)
  To: u-boot, Heiko Schocher

Here's the latest report. Getting closer with the led change. I do wish
it was easier to test fixes here.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 24, 2025, 5:05 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 542488:  Control flow issues  (NO_EFFECT)
/drivers/led/led-uclass.c: 277 in led_get_function_name()


________________________________________________________________________________________________________
*** CID 542488:  Control flow issues  (NO_EFFECT)
/drivers/led/led-uclass.c: 277 in led_get_function_name()
271                     return uc_plat->label;
272
273             /* Now try to detect function label name */
274             func = dev_read_string(dev, "function");
275             cp = dev_read_u32(dev, "color", &color);
276             // prevent coverity scan error CID 541279: (TAINTED_SCALAR)
>>>     CID 542488:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true.
"color < 0U".
277             if (color < LED_COLOR_ID_WHITE || color >= LED_COLOR_ID_MAX)
278                     cp = -EINVAL;
279
280             if (cp == 0 || func) {
281                     ret = dev_read_u32(dev, "function-enumerator", &enumerator);
282                     if (!ret) {


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2025-02-10 22:26 Tom Rini
  2025-02-11  6:14 ` Heiko Schocher
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2025-02-10 22:26 UTC (permalink / raw)
  To: u-boot, Heiko Schocher, Raymond Mao, Ilias Apalodimas

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 10, 2025 at 4:12 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

3 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 3 of 3 defect(s)


** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 77 in tpm2_scan_masks()


________________________________________________________________________________________________________
*** CID 541281:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 77 in tpm2_scan_masks()
71      *mask = 0;
72
73      rc = tpm2_get_pcr_info(dev, &pcrs);
74      if (rc)
75              return rc;
76
>>>     CID 541281:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcrs.count" as a loop boundary.
77      for (i = 0; i < pcrs.count; i++) {
78              struct tpms_pcr_selection *sel = &pcrs.selection[i];
79              size_t j;
80              u32 hash_mask = 0;
81
82              for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {

** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()


________________________________________________________________________________________________________
*** CID 541280:  Insecure data handling  (TAINTED_SCALAR)
/cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
301                      * first call
302                      */
303                     ret = tpm2_get_pcr_info(dev, &pcr);
304                     if (ret)
305                             return ret;
306
>>>     CID 541280:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcr.count" as a loop boundary.
307                     for (i = 0; i < pcr.count; i++) {
308                             struct tpms_pcr_selection *sel = &pcr.selection[i];
309                             const char *name;
310
311                             if (!tpm2_is_active_bank(sel))
312                                     continue;

** CID 541279:    (TAINTED_SCALAR)
/drivers/led/led-uclass.c: 284 in led_get_function_name()
/drivers/led/led-uclass.c: 279 in led_get_function_name()


________________________________________________________________________________________________________
*** CID 541279:    (TAINTED_SCALAR)
/drivers/led/led-uclass.c: 284 in led_get_function_name()
278                     if (!ret) {
279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
280                                      "%s:%s-%d",
281                                      cp ? "" : led_colors[color],
282                                      func ? func : "", enumerator);
283                     } else {
>>>     CID 541279:    (TAINTED_SCALAR)
>>>     Using tainted variable "color" as an index into an array
"led_colors".
284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
285                                      "%s:%s",
286                                      cp ? "" : led_colors[color],
287                                      func ? func : "");
288                     }
289                     uc_plat->label = uc_plat->name;
/drivers/led/led-uclass.c: 279 in led_get_function_name()
273             /* Now try to detect function label name */
274             func = dev_read_string(dev, "function");
275             cp = dev_read_u32(dev, "color", &color);
276             if (cp == 0 || func) {
277                     ret = dev_read_u32(dev, "function-enumerator", &enumerator);
278                     if (!ret) {
>>>     CID 541279:    (TAINTED_SCALAR)
>>>     Using tainted variable "color" as an index into an array
"led_colors".
279                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
280                                      "%s:%s-%d",
281                                      cp ? "" : led_colors[color],
282                                      func ? func : "", enumerator);
283                     } else {
284                             snprintf(uc_plat->name, LED_MAX_NAME_SIZE,


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-12-31 13:55 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-12-31 13:55 UTC (permalink / raw)
  To: u-boot, Venkatesh Yadav Abbarapu

Hey all, here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Dec 30, 2024, 10:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 528528:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1644 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 528528:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1644 in spi_nor_read()
1638                            read_len = len;
1639                    else
1640                            read_len = rem_bank_len;
1641     #endif
1642
1643                    if (read_len == 0)
>>>     CID 528528:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -5;".
1644                            return -EIO;
1645
1646                    ret = nor->read(nor, offset, read_len, buf);
1647                    if (ret == 0) {
1648                            /* We shouldn't see 0-length reads */
1649                            ret = -EIO;

** CID 528527:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1613 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 528527:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1613 in spi_nor_read()
1607                            }
1608                            rem_bank_len = SZ_16M * (bank + 1);
1609                            if (CONFIG_IS_ENABLED(SPI_STACKED_PARALLEL)) {
1610                                    if (nor->flags & SNOR_F_HAS_PARALLEL)
1611                                            rem_bank_len *= 2;
1612                            }
>>>     CID 528527:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "rem_bank_len - from" to "rem_bank_len" here,
but that stored value is overwritten before it can be used.
1613                            rem_bank_len -= from;
1614                    }
1615
1616                    if (CONFIG_IS_ENABLED(SPI_STACKED_PARALLEL)) {
1617                            if (nor->flags & SNOR_F_HAS_STACKED) {
1618                                    stack_shift = 1;


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-12-24 17:14 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-12-24 17:14 UTC (permalink / raw)
  To: u-boot, Nicolas Belin

Hey all,

Unfortunately Coverity went a bit weird for a bit and stopped doing
emails, so there's a few other defects missing from this.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Dec 24, 2024 at 11:05 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 516463:  Null pointer dereferences  (FORWARD_NULL)
/boot/image-android.c: 300 in android_image_get_kernel()


________________________________________________________________________________________________________
*** CID 516463:  Null pointer dereferences  (FORWARD_NULL)
/boot/image-android.c: 300 in android_image_get_kernel()
294
295             if (*img_data.kcmdline) {
296                     printf("Kernel command line: %s\n", img_data.kcmdline);
297                     len += strlen(img_data.kcmdline) + (len ? 1 : 0); /* +1 for extra space */
298             }
299
>>>     CID 516463:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "img_data.kcmdline_extra".
300             if (*img_data.kcmdline_extra) {
301                     printf("Kernel extra command line: %s\n", img_data.kcmdline_extra);
302                     len += strlen(img_data.kcmdline_extra) + (len ? 1 : 0); /* +1 for extra space */
303             }
304
305             char *newbootargs = malloc(len + 1); /* +1 for the '\0' */


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-11-15 13:27 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-11-15 13:27 UTC (permalink / raw)
  To: u-boot, Heinrich Schuchardt


Hey all,

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Nov 14, 2024, 10:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 514958:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 80 in dm_test_cmd_hash_sha256()


________________________________________________________________________________________________________
*** CID 514958:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 80 in dm_test_cmd_hash_sha256()
74      ut_assertok(run_command("hash sha256 $loadaddr 0 foo; echo $foo", 0));
75      console_record_readline(uts->actual_str, sizeof(uts->actual_str));
76      ut_asserteq_ptr(uts->actual_str,
77                      strstr(uts->actual_str, "sha256 for "));
78      ut_assert(strstr(uts->actual_str,
79                       "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
>>>     CID 514958:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "ut_check_console_line" without checking return value (as
is done elsewhere 683 out of 690 times).
80      ut_check_console_line(uts,
81                            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
82
83      if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
84              ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
85              ut_check_console_line(uts, "hash - compute hash message digest");

** CID 514957:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 36 in dm_test_cmd_hash_md5()


________________________________________________________________________________________________________
*** CID 514957:  Error handling issues  (CHECKED_RETURN)
/test/cmd/hash.c: 36 in dm_test_cmd_hash_md5()
30      ut_assertok(run_command("hash md5 $loadaddr 0 foo; echo $foo", 0));
31      console_record_readline(uts->actual_str, sizeof(uts->actual_str));
32      ut_asserteq_ptr(uts->actual_str,
33                      strstr(uts->actual_str, "md5 for "));
34      ut_assert(strstr(uts->actual_str,
35                       "d41d8cd98f00b204e9800998ecf8427e"));
>>>     CID 514957:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "ut_check_console_line" without checking return value (as
is done elsewhere 683 out of 690 times).
36      ut_check_console_line(uts, "d41d8cd98f00b204e9800998ecf8427e");
37
38      if (!CONFIG_IS_ENABLED(HASH_VERIFY)) {
39              ut_assert(run_command("hash -v sha256 $loadaddr 0 foo", 0));
40              ut_check_console_line(uts, "hash - compute hash message
digest");
41


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-11-12  2:11 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-11-12  2:11 UTC (permalink / raw)
  To: u-boot, Heiko Schocher


Here's the latest Coverity report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 11, 2024 at 10:24 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 514648:  Control flow issues  (MISSING_BREAK)
/tools/imx8image.c: 93 in parse_cfg_cmd()


________________________________________________________________________________________________________
*** CID 514648:  Control flow issues  (MISSING_BREAK)
/tools/imx8image.c: 93 in parse_cfg_cmd()
87              sector_size = get_table_entry_id(imx8image_sector_size,
88                                               "imximage boot option",
89                                               token);
90              if (!strncmp("emmc_fastboot", token, 13))
91                      emmc_fastboot = true;
92              break;
>>>     CID 514648:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "CMD_DCD_SKIP" is not terminated by a "break" statement.
93      case CMD_DCD_SKIP:
94              if (!strncmp("true", token, 4))
95                      dcd_skip = true;
96      case CMD_FUSE_VERSION:
97              fuse_version = (uint8_t)(strtoll(token, NULL, 0) & 0xFF);
98              break;


________________________________________________________________________________________________________

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-28  3:11 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-10-28  3:11 UTC (permalink / raw)
  To: u-boot, Patrick Rudolph


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sun, Oct 27, 2024 at 9:05 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 511435:  Integer handling issues  (SIGN_EXTENSION)
/lib/acpi/acpi_table.c: 476 in acpi_write_spcr()


________________________________________________________________________________________________________
*** CID 511435:  Integer handling issues  (SIGN_EXTENSION)
/lib/acpi/acpi_table.c: 476 in acpi_write_spcr()
470             default:
471                     space_id = ACPI_ADDRESS_SPACE_IO;
472                     break;
473             }
474
475             serial_width = serial_info.reg_width * 8;
>>>     CID 511435:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "serial_info.reg_offset" with type "u8" (8 bits, unsigned) is promoted in "serial_info.reg_offset << serial_info.reg_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "serial_info.reg_offset << serial_info.reg_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
476             serial_offset = serial_info.reg_offset << serial_info.reg_shift;
477             serial_address = serial_info.addr + serial_offset;
478
479             /* Encode register access size */
480             switch (serial_info.reg_shift) {
481             case 0:

----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-19 16:16 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-10-19 16:16 UTC (permalink / raw)
  To: u-boot, Simon Glass


Here's a short update.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Sat, Oct 19, 2024, 8:35 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 510857:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 510857:  Memory - corruptions  (OVERRUN)
/test/boot/bootdev.c: 160 in bootdev_test_any()
154              */
155             if (CONFIG_IS_ENABLED(DSA_SANDBOX))
156                     seq = "8";
157             else
158                     seq = "6";
159
>>>     CID 510857:  Memory - corruptions  (OVERRUN)
>>>     Overrunning buffer pointed to by "seq" of 2 bytes by passing it to
a function which accesses it at byte offset 2.
160             ut_assertok(bootdev_find_by_any(seq, &dev, &mflags));
161             ut_asserteq(UCLASS_BOOTDEV, device_get_uclass_id(dev));
162             ut_asserteq(BOOTFLOW_METHF_SINGLE_DEV, mflags);
163             media = dev_get_parent(dev);
164             ut_asserteq(UCLASS_MMC, device_get_uclass_id(media));
165             ut_asserteq_str("mmc2", media->name);

** CID 510856:  Control flow issues  (UNREACHABLE)
/lib/binman.c: 142 in binman_init()


________________________________________________________________________________________________________
*** CID 510856:  Control flow issues  (UNREACHABLE)
/lib/binman.c: 142 in binman_init()
136     int binman_init(void)
137     {
138             int ret;
139
140             return 0;
141             binman = malloc(sizeof(struct binman_info));
>>>     CID 510856:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "if (!binman)
  return ((voi...".
142             if (!binman)
143                     return log_msg_ret("space for binman", -ENOMEM);
144             ret = find_image_node(&binman->image);
145             if (ret)
146                     return log_msg_ret("node", -ENOENT);
147             binman_set_rom_offset(ROM_OFFSET_NONE);


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-16  3:47 Tom Rini
  2024-10-16  5:56 ` Tudor Ambarus
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-10-16  3:47 UTC (permalink / raw)
  To: u-boot
  Cc: Vignesh R, Takahiro Kuwano, Tudor Ambarus,
	Venkatesh Yadav Abbarapu, Pratyush Yadav, Ashok Reddy Soma,
	Joakim Tjernlund, Raymond Mao, Ilias Apalodimas


Hey all, here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Tue, Oct 15, 2024 at 5:06 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

22 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 20 of 22 defect(s)


** CID 510813:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 510813:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1652 in spi_nor_read()
1646                            goto read_err;
1647                    }
1648                    if (ret < 0)
1649                            goto read_err;
1650
1651                    if (is_ofst_odd == true) {
>>>     CID 510813:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "memmove(buf, buf + 1, len -...".
1652                            memmove(buf, (buf + 1), (len - 1));
1653                            *retlen += (ret - 1);
1654                            buf += ret - 1;
1655                            is_ofst_odd = false;
1656                    } else {
1657                            *retlen += ret;

** CID 510812:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()


________________________________________________________________________________________________________
*** CID 510812:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 3573 in spi_nor_select_erase()
3567                    /*
3568                     * In parallel-memories the erase operation is
3569                     * performed on both the flashes simultaneously
3570                     * so, double the erasesize.
3571                     */
3572                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3573                            mtd->erasesize = 4096 * 2;
3574                    else
3575                            mtd->erasesize = 4096;
3576            } else if (info->flags & SECT_4K_PMC) {
3577                    nor->erase_opcode = SPINOR_OP_BE_4K_PMC;
3578                    /*
/drivers/mtd/spi/spi-nor-core.c: 3584 in spi_nor_select_erase()
3578                    /*
3579                     * In parallel-memories the erase operation is
3580                     * performed on both the flashes simultaneously
3581                     * so, double the erasesize.
3582                     */
3583                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3584                            mtd->erasesize = 4096 * 2;
3585                    else
3586                            mtd->erasesize = 4096;
3587            } else
3588     #endif
3589            {
/drivers/mtd/spi/spi-nor-core.c: 3610 in spi_nor_select_erase()
3604                    /*
3605                     * In parallel-memories the erase operation is
3606                     * performed on both the flashes simultaneously
3607                     * so, double the erasesize.
3608                     */
3609                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = 8192U;".
3610                            mtd->erasesize = 4096 * 2;
3611                    else
3612                            mtd->erasesize = 4096;
3613            }
3614
3615            return 0;
/drivers/mtd/spi/spi-nor-core.c: 3597 in spi_nor_select_erase()
3591                    /*
3592                     * In parallel-memories the erase operation is
3593                     * performed on both the flashes simultaneously
3594                     * so, double the erasesize.
3595                     */
3596                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510812:    (DEADCODE)
>>>     Execution cannot reach this statement: "mtd->erasesize = info->sect...".
3597                            mtd->erasesize = info->sector_size * 2;
3598                    else
3599                            mtd->erasesize = info->sector_size;
3600            }
3601
3602            if ((JEDEC_MFR(info) == SNOR_MFR_SST) && info->flags & SECT_4K) {

** CID 510811:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()


________________________________________________________________________________________________________
*** CID 510811:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1134 in spi_nor_erase()
1128                            addr_known = false;
1129                            ret = -EINTR;
1130                            goto erase_err;
1131                    }
1132                    offset = addr;
1133                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510811:    (DEADCODE)
>>>     Execution cannot reach this statement: "offset /= 2U;".
1134                            offset /= 2;
1135
1136                    if (nor->flags & SNOR_F_HAS_STACKED) {
1137                            if (offset >= (mtd->size / 2)) {
1138                                    offset = offset - (mtd->size / 2);
1139                                    nor->spi->flags |= SPI_XFER_U_PAGE;
/drivers/mtd/spi/spi-nor-core.c: 1137 in spi_nor_erase()
1131                    }
1132                    offset = addr;
1133                    if (nor->flags & SNOR_F_HAS_PARALLEL)
1134                            offset /= 2;
1135
1136                    if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510811:    (DEADCODE)
>>>     Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1137                            if (offset >= (mtd->size / 2)) {
1138                                    offset = offset - (mtd->size / 2);
1139                                    nor->spi->flags |= SPI_XFER_U_PAGE;
1140                            } else {
1141                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142                            }

** CID 510810:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()


________________________________________________________________________________________________________
*** CID 510810:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550     {
1551            int                     tmp;
1552            u8                      id[SPI_NOR_MAX_ID_LEN];
1553            const struct flash_info *info;
1554
1555            if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510810:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "nor->spi->flags |= 0x100;".
1556                    nor->spi->flags |= SPI_XFER_LOWER;
1557
1558            tmp = nor->read_reg(nor, SPINOR_OP_RDID, id, SPI_NOR_MAX_ID_LEN);
1559            if (tmp < 0) {
1560                    dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561                    return ERR_PTR(tmp);

** CID 510809:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()


________________________________________________________________________________________________________
*** CID 510809:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/pkcs7_parser.c: 385 in x509_populate_sinfo()
379                                   signed_info);
380             if (ret)
381                     goto out_err_sinfo;
382
383     no_authattrs:
384             *sinfo = signed_info;
>>>     CID 510809:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "mctx" going out of scope leaks the storage it points to.
385             return 0;
386
387     out_err_sinfo:
388             pkcs7_free_sinfo_mbedtls_ctx(mctx);
389     out_no_mctx:
390             public_key_signature_free(s);

** CID 510808:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()


________________________________________________________________________________________________________
*** CID 510808:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 724 in spi_nor_set_4byte_opcodes()
718     static void spi_nor_set_4byte_opcodes(struct spi_nor *nor,
719                                           const struct flash_info *info)
720     {
721             bool shift = 0;
722
723             if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510808:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "shift = true;".
724                     shift = 1;
725
726             /* Do some manufacturer fixups first */
727             switch (JEDEC_MFR(info)) {
728             case SNOR_MFR_SPANSION:
729                     /* No small sector erase for 4-byte command set */

** CID 510807:  Control flow issues  (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()


________________________________________________________________________________________________________
*** CID 510807:  Control flow issues  (DEADCODE)
/lib/mbedtls/external/mbedtls/library/x509_crt.c: 2750 in x509_inet_pton_ipv6()
2744                 MBEDTLS_PUT_UINT16_BE(group, addr, nonzero_groups);
2745                 nonzero_groups++;
2746                 if (*p == '\0') {
2747                     break;
2748                 } else if (*p == '.') {
2749                     /* Don't accept IPv4 too early or late */
>>>     CID 510807:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "zero_group_start == -1" inside this statement: "if ((nonzero_groups == 0 &&...".
2750                     if ((nonzero_groups == 0 && zero_group_start == -1) ||
2751                         nonzero_groups >= 7) {
2752                         break;
2753                     }
2754
2755                     /* Walk back to prior ':', then parse as IPv4-mapped */

** CID 510806:  Control flow issues  (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()


________________________________________________________________________________________________________
*** CID 510806:  Control flow issues  (DEADCODE)
/lib/mbedtls/pkcs7_parser.c: 209 in authattrs_parse()
203                                     return -EINVAL;
204                     }
205
206                     p += seq_len;
207             }
208
>>>     CID 510806:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "ret != -96" inside this statement: "if (ret && ret != -96)
  re...".
209             if (ret && ret !=  MBEDTLS_ERR_ASN1_OUT_OF_DATA)
210                     return ret;
211
212             msg->have_authattrs = true;
213
214             /*

** CID 510805:  Memory - illegal accesses  (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()


________________________________________________________________________________________________________
*** CID 510805:  Memory - illegal accesses  (OVERRUN)
/lib/rsa/rsa-keyprop.c: 678 in rsa_gen_key_prop()
672             (*prop)->num_bits = (rsa_key.n_sz - i) * 8;
673             (*prop)->modulus = malloc(rsa_key.n_sz - i);
674             if (!(*prop)->modulus) {
675                     ret = -ENOMEM;
676                     goto out;
677             }
>>>     CID 510805:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning dynamic array "rsa_key.n" at offset corresponding to index variable "i".
678             memcpy((void *)(*prop)->modulus, &rsa_key.n[i], rsa_key.n_sz - i);
679
680             n = calloc(sizeof(uint32_t), 1 + ((*prop)->num_bits >> 5));
681             rr = calloc(sizeof(uint32_t), 1 + (((*prop)->num_bits * 2) >> 5));
682             rrtmp = calloc(sizeof(uint32_t), 2 + (((*prop)->num_bits * 2) >> 5));
683             if (!n || !rr || !rrtmp) {

** CID 510804:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()


________________________________________________________________________________________________________
*** CID 510804:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/drivers/mtd/spi/spi-nor-core.c: 1556 in spi_nor_read_id()
1550     {
1551            int                     tmp;
1552            u8                      id[SPI_NOR_MAX_ID_LEN];
1553            const struct flash_info *info;
1554
1555            if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510804:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     In "nor->spi->flags |= 256 /* 1 << 8 */", wider "256 /* 1 << 8 */" has high-order bits (0x100) that don't affect the narrower left-hand side.
1556                    nor->spi->flags |= SPI_XFER_LOWER;
1557
1558            tmp = nor->read_reg(nor, SPINOR_OP_RDID, id, SPI_NOR_MAX_ID_LEN);
1559            if (tmp < 0) {
1560                    dev_dbg(nor->dev, "error %d reading JEDEC ID\n", tmp);
1561                    return ERR_PTR(tmp);

** CID 510803:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()


________________________________________________________________________________________________________
*** CID 510803:  Code maintainability issues  (UNUSED_VALUE)
/drivers/mtd/spi/spi-nor-core.c: 1138 in spi_nor_erase()
1132                    offset = addr;
1133                    if (nor->flags & SNOR_F_HAS_PARALLEL)
1134                            offset /= 2;
1135
1136                    if (nor->flags & SNOR_F_HAS_STACKED) {
1137                            if (offset >= (mtd->size / 2)) {
>>>     CID 510803:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "offset - mtd->size / 2ULL" to "offset" here, but that stored value is overwritten before it can be used.
1138                                    offset = offset - (mtd->size / 2);
1139                                    nor->spi->flags |= SPI_XFER_U_PAGE;
1140                            } else {
1141                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1142                            }
1143                    }

** CID 510802:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()


________________________________________________________________________________________________________
*** CID 510802:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 504 in read_sr()
498              * discard the second byte.
499              */
500             if (spi_nor_protocol_is_dtr(nor->reg_proto))
501                     op.data.nbytes = 2;
502
503             if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>>     CID 510802:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "op.data.nbytes = 2U;".
504                     op.data.nbytes = 2;
505                     ret = spi_nor_read_write_reg(nor, &op, &val[0]);
506                     if (ret < 0) {
507                             pr_debug("error %d reading SR\n", (int)ret);
508                             return ret;
509                     }

** CID 510801:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 510801:  Null pointer dereferences  (FORWARD_NULL)
/lib/ecdsa/ecdsa-libcrypto.c: 365 in ecdsa_add_verify_data()
359             struct signer ctx;
360             int ret;
361
362             fdt_key_name = info->keyname ? info->keyname : "default-key";
363             ret = prepare_ctx(&ctx, info);
364             if (ret >= 0) {
>>>     CID 510801:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "info" to "do_add", which dereferences null "info->keyname".
365                     ret = do_add(&ctx, fdt, fdt_key_name, info);
366                     if (ret < 0)
367                             ret = ret == -FDT_ERR_NOSPACE ? -ENOSPC : -EIO;
368             }
369
370             free_ctx(&ctx);
371             return ret;

** CID 510800:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()


________________________________________________________________________________________________________
*** CID 510800:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1620 in spi_nor_read()
1614                            } else {
1615                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616                            }
1617                    }
1618
1619                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach this statement: "offset /= 2LL;".
1620                            offset /= 2;
1621
1622                    if (nor->addr_width == 3) {
1623     #ifdef CONFIG_SPI_FLASH_BAR
1624                            ret = write_bar(nor, offset);
1625                            if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 1590 in spi_nor_read()
1584            u32 rem_bank_len = 0;
1585            u8 bank;
1586            bool is_ofst_odd = false;
1587
1588            dev_dbg(nor->dev, "from 0x%08x, len %zd\n", (u32)from, len);
1589
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach the expression "offset & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1590            if ((nor->flags & SNOR_F_HAS_PARALLEL) && (offset & 1)) {
1591                    /* We can hit this case when we use file system like ubifs */
1592                    from--;
1593                    len++;
1594                    is_ofst_odd = true;
1595            }
/drivers/mtd/spi/spi-nor-core.c: 1611 in spi_nor_read()
1605                                    rem_bank_len = (SZ_16M * (bank + 1)) - from;
1606                            }
1607                    }
1608                    offset = from;
1609
1610                    if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
1611                            if (offset >= (mtd->size / 2)) {
1612                                    offset = offset - (mtd->size / 2);
1613                                    nor->spi->flags |= SPI_XFER_U_PAGE;
1614                            } else {
1615                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
1616                            }
/drivers/mtd/spi/spi-nor-core.c: 1600 in spi_nor_read()
1594                    is_ofst_odd = true;
1595            }
1596
1597            while (len) {
1598                    if (nor->addr_width == 3) {
1599                            if (nor->flags & SNOR_F_HAS_PARALLEL) {
>>>     CID 510800:    (DEADCODE)
>>>     Execution cannot reach this statement: "bank = (u32)from / 33554432U;".
1600                                    bank = (u32)from / (SZ_16M << 0x01);
1601                                    rem_bank_len = ((SZ_16M << 0x01) *
1602                                            (bank + 1)) - from;
1603                            } else {
1604                                    bank = (u32)from / SZ_16M;
1605                                    rem_bank_len = (SZ_16M * (bank + 1)) - from;

** CID 510799:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()


________________________________________________________________________________________________________
*** CID 510799:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 1971 in spi_nor_write()
1965                    return 0;
1966
1967            /*
1968             * Cannot write to odd offset in parallel mode,
1969             * so write 2 bytes first
1970             */
>>>     CID 510799:    (DEADCODE)
>>>     Execution cannot reach the expression "to & 1LL" inside this statement: "if (nor->flags & SNOR_F_HAS...".
1971            if ((nor->flags & SNOR_F_HAS_PARALLEL) && (to & 1)) {
1972                    u8 two[2] = {0xff, buf[0]};
1973                    size_t local_retlen;
1974
1975                    ret = spi_nor_write(mtd, to & ~1, 2, &local_retlen, two);
1976                    if (ret < 0)
/drivers/mtd/spi/spi-nor-core.c: 2007 in spi_nor_write()
2001                    }
2002                    offset = (to + i);
2003                    if (nor->flags & SNOR_F_HAS_PARALLEL)
2004                            offset /= 2;
2005
2006                    if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510799:    (DEADCODE)
>>>     Execution cannot reach this statement: "if (offset >= mtd->size / 2...".
2007                            if (offset >= (mtd->size / 2)) {
2008                                    offset = offset - (mtd->size / 2);
2009                                    nor->spi->flags |= SPI_XFER_U_PAGE;
2010                            } else {
2011                                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
2012                            }
/drivers/mtd/spi/spi-nor-core.c: 2004 in spi_nor_write()
1998                            u64 aux = addr;
1999
2000                            page_offset = do_div(aux, nor->page_size);
2001                    }
2002                    offset = (to + i);
2003                    if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510799:    (DEADCODE)
>>>     Execution cannot reach this statement: "offset /= 2U;".
2004                            offset /= 2;
2005
2006                    if (nor->flags & SNOR_F_HAS_STACKED) {
2007                            if (offset >= (mtd->size / 2)) {
2008                                    offset = offset - (mtd->size / 2);
2009                                    nor->spi->flags |= SPI_XFER_U_PAGE;

** CID 510798:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()


________________________________________________________________________________________________________
*** CID 510798:  Resource leaks  (RESOURCE_LEAK)
/lib/mbedtls/x509_cert_parser.c: 220 in x509_populate_signature_params()
214             }
215
216             ret = hash_calculate(s->hash_algo, &region, 1, s->digest);
217             if (!ret)
218                     *sig = s;
219
>>>     CID 510798:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "s" going out of scope leaks the storage it points to.
220             return ret;
221
222     error_sig:
223             public_key_signature_free(s);
224             return ret;
225     }

** CID 510797:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()


________________________________________________________________________________________________________
*** CID 510797:    (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4628 in spi_nor_scan()
4622            /* Send all the required SPI flash commands to initialize device */
4623            ret = spi_nor_init(nor);
4624            if (ret)
4625                    return ret;
4626
4627            if (nor->flags & SNOR_F_HAS_STACKED) {
>>>     CID 510797:    (DEADCODE)
>>>     Execution cannot reach this statement: "nor->spi->flags |= 0x10UL;".
4628                    nor->spi->flags |= SPI_XFER_U_PAGE;
4629                    ret = spi_nor_init(nor);
4630                    if (ret)
4631                            return ret;
4632                    nor->spi->flags &= ~SPI_XFER_U_PAGE;
4633            }
/drivers/mtd/spi/spi-nor-core.c: 4598 in spi_nor_scan()
4592                    nor->addr_width = info->addr_width;
4593            } else {
4594                    nor->addr_width = 3;
4595            }
4596
4597            if (nor->flags & (SNOR_F_HAS_PARALLEL | SNOR_F_HAS_STACKED))
>>>     CID 510797:    (DEADCODE)
>>>     Execution cannot reach this statement: "shift = true;".
4598                    shift = 1;
4599            if (nor->addr_width == 3 && (mtd->size >> shift) > SZ_16M) {
4600     #ifndef CONFIG_SPI_FLASH_BAR
4601                    /* enable 4-byte addressing if the device exceeds 16MiB */
4602                    nor->addr_width = 4;
4603                    if (JEDEC_MFR(info) == SNOR_MFR_SPANSION ||

** CID 510796:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 510796:  Insecure data handling  (TAINTED_SCALAR)
/lib/mbedtls/external/mbedtls/library/rsa.c: 1316 in rsa_prepare_blinding()
1310             }
1311
1312             MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&ctx->Vf, ctx->len - 1, f_rng, p_rng));
1313
1314             /* Compute Vf^-1 as R * (R Vf)^-1 to avoid leaks from inv_mod. */
1315             MBEDTLS_MPI_CHK(mbedtls_mpi_fill_random(&R, ctx->len - 1, f_rng, p_rng));
>>>     CID 510796:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*ctx->Vf.p" to "mbedtls_mpi_mul_mpi", which uses it as an offset.
1316             MBEDTLS_MPI_CHK(mbedtls_mpi_mul_mpi(&ctx->Vi, &ctx->Vf, &R));
1317             MBEDTLS_MPI_CHK(mbedtls_mpi_mod_mpi(&ctx->Vi, &ctx->Vi, &ctx->N));
1318
1319             /* At this point, Vi is invertible mod N if and only if both Vf and R
1320              * are invertible mod N. If one of them isn't, we don't need to know
1321              * which one, we just loop and choose new values for both of them.

** CID 510795:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()


________________________________________________________________________________________________________
*** CID 510795:  Control flow issues  (DEADCODE)
/drivers/mtd/spi/spi-nor-core.c: 4271 in spi_nor_init()
4265
4266     static int spi_nor_init(struct spi_nor *nor)
4267     {
4268            int err;
4269
4270            if (nor->flags & SNOR_F_HAS_PARALLEL)
>>>     CID 510795:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "nor->spi->flags |= 3UL;".
4271                    nor->spi->flags |= SPI_NOR_ENABLE_MULTI_CS;
4272
4273            err = spi_nor_octal_dtr_enable(nor);
4274            if (err) {
4275                    dev_dbg(nor->dev, "Octal DTR mode not supported\n");
4276                    return err;

** CID 510794:  Control flow issues  (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()


________________________________________________________________________________________________________
*** CID 510794:  Control flow issues  (NO_EFFECT)
/lib/mbedtls/x509_cert_parser.c: 78 in x509_populate_dn_name_string()
72      do {
73              name_str = kzalloc(len, GFP_KERNEL);
74              if (!name_str)
75                      return NULL;
76
77              wb = mbedtls_x509_dn_gets(name_str, len, name);
>>>     CID 510794:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "wb < 0UL".
78              if (wb < 0) {
79                      pr_err("Get DN string failed, ret:-0x%04x\n",
80                             (unsigned int)-wb);
81                      kfree(name_str);
82                      len = len * 2; /* Try with a bigger buffer */
83              }

----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-10-07 17:15 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-10-07 17:15 UTC (permalink / raw)
  To: u-boot
  Cc: Simon Glass, Joao Marcos Costa, Thomas Petazzoni,
	Jerome Forissier, Sughosh Ganu, Caleb Connolly,
	Richard Weinberger


Now that I've merged next to master, there's a number of issues to
address.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Oct 7, 2024 at 10:59 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

24 new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 24 defect(s)


** CID 510469:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
/tools/mkeficapsule.c: 862 in load_dtb()
/tools/mkeficapsule.c: 855 in load_dtb()
/tools/mkeficapsule.c: 870 in load_dtb()


________________________________________________________________________________________________________
*** CID 510469:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
871             }
872
873             if (fread(dtb, dtb_size, 1, f) != 1) {
874                     fprintf(stderr, "Can't read %ld bytes from %s\n",
875                             dtb_size, path);
876                     free(dtb);
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
877                     return NULL;
878             }
879
880             fclose(f);
881
882             return dtb;
/tools/mkeficapsule.c: 862 in load_dtb()
856             }
857
858             dtb_size = ftell(f);
859             if (dtb_size < 0) {
860                     fprintf(stderr, "Cannot ftell %s: %s\n",
861                             path, strerror(errno));
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
862                     return NULL;
863             }
864
865             fseek(f, 0, SEEK_SET);
866
867             dtb = malloc(dtb_size);
/tools/mkeficapsule.c: 855 in load_dtb()
849                     return NULL;
850             }
851
852             if (fseek(f, 0, SEEK_END)) {
853                     fprintf(stderr, "Cannot seek to the end of %s: %s\n",
854                             path, strerror(errno));
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
855                     return NULL;
856             }
857
858             dtb_size = ftell(f);
859             if (dtb_size < 0) {
860                     fprintf(stderr, "Cannot ftell %s: %s\n",
/tools/mkeficapsule.c: 870 in load_dtb()
864
865             fseek(f, 0, SEEK_SET);
866
867             dtb = malloc(dtb_size);
868             if (!dtb) {
869                     fprintf(stderr, "Can't allocated %ld\n", dtb_size);
>>>     CID 510469:    (RESOURCE_LEAK)
>>>     Variable "f" going out of scope leaks the storage it points to.
870                     return NULL;
871             }
872
873             if (fread(dtb, dtb_size, 1, f) != 1) {
874                     fprintf(stderr, "Can't read %ld bytes from %s\n",
875                             dtb_size, path);

** CID 510468:  Integer handling issues  (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()


________________________________________________________________________________________________________
*** CID 510468:  Integer handling issues  (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
59      new_data = malloc(lst->obj_size * new_alloc);
60      if (!new_data) {
61              lst->flags |= ALISTF_FAIL;
62              return false;
63      }
64
>>>     CID 510468:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "lst->obj_size" with type "u16" (16 bits, unsigned) is promoted in "lst->obj_size * lst->alloc" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lst->obj_size * lst->alloc" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
65      memcpy(new_data, lst->data, lst->obj_size * lst->alloc);
66      free(lst->data);
67
68      memset(new_data + lst->obj_size * lst->alloc, '\0',
69             lst->obj_size * (new_alloc - lst->alloc));
70      lst->alloc = new_alloc;

** CID 510467:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()


________________________________________________________________________________________________________
*** CID 510467:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
491                             tsopt = (struct tcp_t_opt *)p;
492                             rmt_timestamp = tsopt->t_snd;
493                             return;
494                     }
495
496                     /* Process optional NOPs */
>>>     CID 510467:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "p[0] == 16843009" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
497                     if (p[0] == TCP_O_NOP)
498                             p++;
499             }
500     }
501
502     static u8 tcp_state_machine(u8 tcp_flags, u32 tcp_seq_num, int payload_len)

** CID 510466:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()


________________________________________________________________________________________________________
*** CID 510466:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
250     };
251
252     int uuid_guid_get_bin(const char *guid_str, unsigned char *guid_bin)
253     {
254             int i;
255
>>>     CID 510466:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
256             for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
257                     if (!strcmp(list_guid[i].string, guid_str)) {
258                             memcpy(guid_bin, &list_guid[i].guid, 16);
259                             return 0;
260                     }
261             }

** CID 510465:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 510465:  Uninitialized variables  (UNINIT)
/cmd/upl.c: 59 in do_upl_write()
53      struct unit_test_state uts;
54      struct abuf buf;
55      oftree tree;
56      ulong addr;
57      int ret;
58
>>>     CID 510465:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "uts.fail_count" when calling "upl_get_test_data".
59      upl_get_test_data(&uts, upl);
60
61      log_debug("Writing UPL\n");
62      ret = upl_create_handoff_tree(upl, &tree);
63      if (ret) {
64              log_err("Failed to write (err=%dE)\n", ret);

** CID 510464:  Error handling issues  (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()


________________________________________________________________________________________________________
*** CID 510464:  Error handling issues  (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
253
254                             pos = strstr((char *)pkt, content_len);
255                             if (!pos) {
256                                     content_length = -1;
257                             } else {
258                                     pos += sizeof(content_len) + 2;
>>>     CID 510464:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "strict_strtoul" without checking return value (as is done elsewhere 8 out of 10 times).
259                                     strict_strtoul(pos, 10, &content_length);
260                                     debug_cond(DEBUG_WGET,
261                                                "wget: Connected Len %lu\n",
262                                                content_length);
263                             }
264

** CID 510463:  Memory - illegal accesses  (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()


________________________________________________________________________________________________________
*** CID 510463:  Memory - illegal accesses  (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
31     {
32      u64 bitpos;
33      const char *flag_str[] = { "none", "no-map", "no-overwrite" };
34
35      do {
36              bitpos = flags ? fls(flags) - 1 : 0;
>>>     CID 510463:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "flag_str" of 3 8-byte elements at element index 31 (byte offset 255) using index "bitpos" (which evaluates to 31).
37              printf("%s", flag_str[bitpos]);
38              flags &= ~(1ull << bitpos);
39              puts(flags ? ", " : "\n");
40      } while (flags);
41     }
42

** CID 510462:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()


________________________________________________________________________________________________________
*** CID 510462:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
61      ops.ooblen = mtd->oobsize;
62      ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63      ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65      /* Generate some data and write it */
66      for (i = 0; i < size / sizeof(int); i++)
>>>     CID 510462:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67              gold[i] = rand();
68      ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69                                      (void *)gold, 0));
70      ut_asserteq(size, length);
71
72      /* Verify */

** CID 510461:  Code maintainability issues  (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()


________________________________________________________________________________________________________
*** CID 510461:  Code maintainability issues  (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
231                             return log_msg_ret("sub", ret);
232
233                     ret = write_addr(upl, subnode, UPLP_LOAD, img->load);
234                     if (!ret)
235                             ret = write_size(upl, subnode, UPLP_SIZE, img->size);
236                     if (!ret && img->offset)
>>>     CID 510461:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "ofnode_write_u32(subnode, "offset", img->offset)" to "ret" here, but that stored value is overwritten before it can be used.
237                             ret = ofnode_write_u32(subnode, UPLP_OFFSET,
238                                                    img->offset);
239                     ret = ofnode_write_string(subnode, UPLP_DESCRIPTION,
240                                               img->description);
241                     if (ret)
242                             return log_msg_ret("sim", ret);

** CID 510460:  Resource leaks  (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()


________________________________________________________________________________________________________
*** CID 510460:  Resource leaks  (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
210             struct ext2fs_node *dirnode = NULL;
211             int filetype;
212
213             if (!filename)
214                     return 0;
215
>>>     CID 510460:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "dirnode" going out of scope leaks the storage it points to.
216             return ext4fs_find_file1(filename, &ext4fs_root->diropen, &dirnode,
217                                      &filetype);
218     }
219
220     int ext4fs_size(const char *filename, loff_t *size)
221     {

** CID 510459:  Incorrect expression  (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()


________________________________________________________________________________________________________
*** CID 510459:  Incorrect expression  (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
517             if (!buf) {
518                     log_warning("Node '%s': Missing 'reg' property\n",
519                                 ofnode_get_name(node));
520                     return log_msg_ret("reg", -EINVAL);
521             }
522
>>>     CID 510459:  Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "buf" of type "char const *" and argument "8 /* sizeof (buf) */" to function "decode_addr_size" is suspicious.
523             len = decode_addr_size(upl, buf, sizeof(buf), &gra->reg);
524             if (len < 0)
525                     return log_msg_ret("buf", len);
526
527             ret = read_uint(node, UPLP_WIDTH, &gra->width);
528             if (!ret)

** CID 510458:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()


________________________________________________________________________________________________________
*** CID 510458:  Control flow issues  (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
263     }
264
265     const char *uuid_guid_get_str(const unsigned char *guid_bin)
266     {
267             int i;
268
>>>     CID 510458:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
269             for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
270                     if (!memcmp(list_guid[i].guid.b, guid_bin, 16)) {
271                             return list_guid[i].string;
272                     }
273             }
274             return NULL;

** CID 510457:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
/tools/mkeficapsule.c: 930 in genguid()
/tools/mkeficapsule.c: 924 in genguid()
/tools/mkeficapsule.c: 944 in genguid()
/tools/mkeficapsule.c: 959 in genguid()


________________________________________________________________________________________________________
*** CID 510457:    (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
928             if (!compatible) {
929                     fprintf(stderr, "No compatible string found in DTB\n");
930                     return -1;
931             }
932             if (strnlen(compatible, compatlen) >= compatlen) {
933                     fprintf(stderr, "Compatible string not null-terminated\n");
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
934                     return -1;
935             }
936
937             printf("Generating GUIDs for %s with namespace %s:\n",
938                    compatible, DEFAULT_NAMESPACE_GUID);
939             for (; idx < argc; idx++) {
/tools/mkeficapsule.c: 930 in genguid()
924                     return -1;
925             }
926
927             compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928             if (!compatible) {
929                     fprintf(stderr, "No compatible string found in DTB\n");
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
930                     return -1;
931             }
932             if (strnlen(compatible, compatlen) >= compatlen) {
933                     fprintf(stderr, "Compatible string not null-terminated\n");
934                     return -1;
935             }
/tools/mkeficapsule.c: 924 in genguid()
918             if (!dtb)
919                     return -1;
920
921             ret = fdt_check_header(dtb);
922             if (ret) {
923                     fprintf(stderr, "Invalid DTB header: %d\n", ret);
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
924                     return -1;
925             }
926
927             compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928             if (!compatible) {
929                     fprintf(stderr, "No compatible string found in DTB\n");
/tools/mkeficapsule.c: 944 in genguid()
938                    compatible, DEFAULT_NAMESPACE_GUID);
939             for (; idx < argc; idx++) {
940                     memset(fw_image, 0, sizeof(fw_image));
941                     namelen = strlen(argv[idx]);
942                     if (namelen > MAX_IMAGE_NAME_LEN) {
943                             fprintf(stderr, "Image name too long: %s\n", argv[idx]);
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
944                             return -1;
945                     }
946
947                     for (int i = 0; i < namelen; i++)
948                             fw_image[i] = (uint16_t)argv[idx][i];
949
/tools/mkeficapsule.c: 959 in genguid()
953                                 NULL);
954
955                     printf("%s: ", argv[idx]);
956                     print_guid(&image_type_id);
957             }
958
>>>     CID 510457:    (RESOURCE_LEAK)
>>>     Variable "dtb" going out of scope leaks the storage it points to.
959             return 0;
960     }
961
962     /**
963      * main - main entry function of mkeficapsule
964      * @argc:       Number of arguments

** CID 510456:  Integer handling issues  (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 510456:  Integer handling issues  (NEGATIVE_RETURNS)
/boot/upl_write.c: 432 in add_upl_memres()
426                     ret = ofnode_add_subnode(mem_node, name, &node);
427                     if (ret)
428                             return log_msg_ret("memres", ret);
429
430                     len = buffer_addr_size(upl, buf, sizeof(buf),
431                                            memres->region.count, &memres->region);
>>>     CID 510456:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     "len" is passed to a parameter that cannot be negative.
432                     ret = ofnode_write_prop(node, UPLP_REG, buf, len, true);
433                     if (!ret && memres->no_map)
434                             ret = ofnode_write_bool(node, UPLP_NO_MAP,
435                                                     memres->no_map);
436                     if (ret)
437                             return log_msg_ret("lst", ret);

** CID 510455:  Memory - corruptions  (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()


________________________________________________________________________________________________________
*** CID 510455:  Memory - corruptions  (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
965             if (le16_to_cpu(dirs->i_dir.inode_type) == SQFS_DIR_TYPE)
966                     dirs->size = le16_to_cpu(dirs->i_dir.file_size);
967             else
968                     dirs->size = le32_to_cpu(dirs->i_ldir.file_size);
969
970             /* Setup directory header */
>>>     CID 510455:  Memory - corruptions  (OVERLAPPING_COPY)
>>>     Copying 12 bytes from "dirs->table" to "dirs->dir_header", which point to overlapping memory locations.
971             memcpy(dirs->dir_header, dirs->table, SQFS_DIR_HEADER_SIZE);
972             dirs->entry_count = dirs->dir_header->count + 1;
973             dirs->size -= SQFS_DIR_HEADER_SIZE;
974
975             /* Setup entry */
976             dirs->entry = NULL;

** CID 510454:    (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
/test/cmd/mbr.c: 421 in mbr_test_run()
/test/cmd/mbr.c: 351 in mbr_test_run()
/test/cmd/mbr.c: 316 in mbr_test_run()
/test/cmd/mbr.c: 386 in mbr_test_run()


________________________________________________________________________________________________________
*** CID 510454:    (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
274
275             /* Make sure mmc6 is 12+ MiB in size */
276             ut_assertok(run_commandf("mmc read %lx %lx 1", ra,
277                                      (ulong)0xbffe00 / BLKSZ));
278
279             /* Test one MBR partition */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
280             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
281             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 1));
282             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
283             memset(rbuf, '\0', BLKSZ);
284             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
285             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 421 in mbr_test_run()
415                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p4[i],
416                             "4P MBR+0x%04X: expected %#02X, actual: %#02X\n",
417                             mbr_cmp_start + i, mbr_parts_ref_p4[i], rbuf[mbr_cmp_start + i]);
418             }
419
420             /* Test five MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
421             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
422             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 5));
423             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
424             memset(rbuf, '\0', BLKSZ);
425             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
426             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 351 in mbr_test_run()
345                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p2[i],
346                             "2P MBR+0x%04X: expected %#02X, actual: %#02X\n",
347                             mbr_cmp_start + i, mbr_parts_ref_p2[i], rbuf[mbr_cmp_start + i]);
348             }
349
350             /* Test three MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
351             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
352             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 3));
353             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
354             memset(rbuf, '\0', BLKSZ);
355             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
356             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 316 in mbr_test_run()
310                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p1[i],
311                             "1P MBR+0x%04X: expected %#02X, actual: %#02X\n",
312                             mbr_cmp_start + i, mbr_parts_ref_p1[i], rbuf[mbr_cmp_start + i]);
313             }
314
315             /* Test two MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
316             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
317             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 2));
318             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
319             memset(rbuf, '\0', BLKSZ);
320             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
321             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 386 in mbr_test_run()
380                     ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p3[i],
381                             "3P MBR+0x%04X: expected %#02X, actual: %#02X\n",
382                             mbr_cmp_start + i, mbr_parts_ref_p3[i], rbuf[mbr_cmp_start + i]);
383             }
384
385             /* Test four MBR partitions */
>>>     CID 510454:    (SIZEOF_MISMATCH)
>>>     Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
386             init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
387             ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 4));
388             ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
389             memset(rbuf, '\0', BLKSZ);
390             ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
391             ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));

** CID 510453:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()


________________________________________________________________________________________________________
*** CID 510453:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
977             dirs->table += SQFS_DIR_HEADER_SIZE;
978
979             *dirsp = (struct fs_dir_stream *)dirs;
980
981     out:
982             for (j = 0; j < token_count; j++)
>>>     CID 510453:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "token_list".
983                     free(token_list[j]);
984             free(token_list);
985             free(pos_list);
986             free(path);
987             if (ret) {
988                     free(inode_table);

** CID 510452:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()


________________________________________________________________________________________________________
*** CID 510452:  Null pointer dereferences  (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
1670                    printf("File not found.\n");
1671                    *size = 0;
1672                    ret = -EINVAL;
1673                    goto free_strings;
1674            }
1675
>>>     CID 510452:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "dirs->entry".
1676            i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset;
1677            ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes,
1678                                   sblk->block_size);
1679
1680            if (!ipos) {
1681                    *size = 0;

** CID 510451:    (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()


________________________________________________________________________________________________________
*** CID 510451:    (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607                    free(fragment_block);
1608
1609            } else if (finfo.frag && !finfo.comp) {
1610                    fragment_block = (void *)fragment + table_offset;
1611
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1612                    memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread);
1613                    *actread = finfo.size;
1614            }
1615
1616     out:
1617            free(fragment);
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607                    free(fragment_block);
1608
1609            } else if (finfo.frag && !finfo.comp) {
1610                    fragment_block = (void *)fragment + table_offset;
1611
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Passing tainted expression "finfo.size - *actread" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1612                    memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread);
1613                    *actread = finfo.size;
1614            }
1615
1616     out:
1617            free(fragment);
/fs/squashfs/sqfs.c: 1621 in sqfs_read_nest()
1615
1616     out:
1617            free(fragment);
1618            free(datablock);
1619            free(file);
1620            free(dir);
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*finfo.blk_sizes" to "dlfree", which uses it as an offset.
1621            free(finfo.blk_sizes);
1622            sqfs_closedir(dirsp);
1623
1624            return ret;
1625     }
1626
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
1598                                          frag_entry.size);
1599                    if (ret) {
1600                            free(fragment_block);
1601                            goto out;
1602                    }
1603
>>>     CID 510451:    (TAINTED_SCALAR)
>>>     Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1604                    memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread);
1605                    *actread = finfo.size;
1606
1607                    free(fragment_block);
1608
1609            } else if (finfo.frag && !finfo.comp) {

** CID 510450:  Code maintainability issues  (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()


________________________________________________________________________________________________________
*** CID 510450:  Code maintainability issues  (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
1500                    n_blks = DIV_ROUND_UP(table_size + table_offset,
1501                                          ctxt.cur_dev->blksz);
1502
1503                    /* Don't load any data for sparse blocks */
1504                    if (finfo.blk_sizes[j] == 0) {
1505                            n_blks = 0;
>>>     CID 510450:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "0ULL" to "table_offset" here, but that stored value is overwritten before it can be used.
1506                            table_offset = 0;
1507                            data_buffer = NULL;
1508                            data = NULL;
1509                    } else {
1510                            data_buffer = malloc_cache_aligned(n_blks * ctxt.cur_dev->blksz);
1511

----- End forwarded message -----

-- 
Tom

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 105+ messages in thread
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-07-23 14:18 Tom Rini
  2024-07-24  9:21 ` Mattijs Korpershoek
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-07-23 14:18 UTC (permalink / raw)
  To: u-boot, Mattijs Korpershoek, Ilias Apalodimas,
	Heinrich Schuchardt, Marek Vasut, Dmitrii Merkurev

[-- Attachment #1: Type: text/plain, Size: 10282 bytes --]

Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jul 22, 2024, 8:07 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

8 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 8 of 8 defect(s)


** CID 501795:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 501795:  Insecure data handling  (TAINTED_SCALAR)
/boot/bootmeth_android.c: 96 in scan_boot_part()
90      if (!is_android_boot_image_header(buf)) {
91              free(buf);
92              return log_msg_ret("header", -ENOENT);
93      }
94
95      priv->header_version = ((struct andr_boot_img_hdr_v0 *)buf)->header_version;
>>>     CID 501795:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*buf" to "dlfree", which uses it as an offset.
96      free(buf);
97
98      return 0;
99     }
100
101     static int scan_vendor_boot_part(struct udevice *blk, struct android_priv *priv)

** CID 501794:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 501794:  Memory - corruptions  (OVERRUN)
/lib/tpm_tcg2.c: 640 in tcg2_measurement_init()
634             rc = tcg2_log_prepare_buffer(*dev, elog, ignore_existing_log);
635             if (rc) {
636                     tcg2_measurement_term(*dev, elog, true);
637                     return rc;
638             }
639
>>>     CID 501794:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "version_string" of 50 bytes by passing it to a function which accesses it at byte offset 63.
640             rc = tcg2_measure_event(*dev, elog, 0, EV_S_CRTM_VERSION,
641                                     strlen(version_string) + 1,
642                                     (u8 *)version_string);
643             if (rc) {
644                     tcg2_measurement_term(*dev, elog, true);
645                     return rc;

** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 909 in tpm2_allow_extend()


________________________________________________________________________________________________________
*** CID 501793:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-v2.c: 909 in tpm2_allow_extend()
903             int rc;
904
905             rc = tpm2_get_pcr_info(dev, &pcrs);
906             if (rc)
907                     return false;
908
>>>     CID 501793:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcrs.count" as a loop boundary.
909             for (i = 0; i < pcrs.count; i++) {
910                     if (tpm2_is_active_pcr(&pcrs.selection[i]) &&
911                         !tpm2_algorithm_to_len(pcrs.selection[i].hash))
912                             return false;
913             }
914
915             return true;

** CID 501792:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()


________________________________________________________________________________________________________
*** CID 501792:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_helper.c: 137 in efi_load_option_dp_join()
131             if (fdt_dp) {
132                     struct efi_device_path *tmp_dp = *dp;
133
134                     *dp = efi_dp_concat(tmp_dp, fdt_dp, *dp_size);
135                     efi_free_pool(tmp_dp);
136                     if (!dp)
>>>     CID 501792:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return 9223372036854775817UL;".
137                             return EFI_OUT_OF_RESOURCES;
138                     *dp_size += efi_dp_size(fdt_dp) + sizeof(END);
139             }
140
141             *dp_size += sizeof(END);
142

** CID 501791:    (DEADCODE)
/drivers/usb/gadget/ether.c: 2219 in eth_bind()
/drivers/usb/gadget/ether.c: 2110 in eth_bind()
/drivers/usb/gadget/ether.c: 2071 in eth_bind()
/drivers/usb/gadget/ether.c: 2089 in eth_bind()


________________________________________________________________________________________________________
*** CID 501791:    (DEADCODE)
/drivers/usb/gadget/ether.c: 2219 in eth_bind()
2213                    out_ep->name, in_ep->name,
2214                    status_ep ? " STATUS " : "",
2215                    status_ep ? status_ep->name : ""
2216                    );
2217            printf("MAC %pM\n", pdata->enetaddr);
2218
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach the expression "rndis" inside this statement: "if (cdc || rndis)
  printf(...".
2219            if (cdc || rndis)
2220                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
2221                            dev->host_mac[0], dev->host_mac[1],
2222                            dev->host_mac[2], dev->host_mac[3],
2223                            dev->host_mac[4], dev->host_mac[5]);
2224
/drivers/usb/gadget/ether.c: 2110 in eth_bind()
2104                    device_desc.bNumConfigurations = 2;
2105
2106            if (gadget_is_dualspeed(gadget)) {
2107                    if (rndis)
2108                            dev_qualifier.bNumConfigurations = 2;
2109                    else if (!cdc)
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach this statement: "dev_qualifier.bDeviceClass ...".
2110                            dev_qualifier.bDeviceClass = USB_CLASS_VENDOR_SPEC;
2111
2112                    /* assumes ep0 uses the same value for both speeds ... */
2113                    dev_qualifier.bMaxPacketSize0 = device_desc.bMaxPacketSize0;
2114
2115                    /* and that all endpoints are dual-speed */
/drivers/usb/gadget/ether.c: 2071 in eth_bind()
2065
2066     #if defined(CONFIG_USB_ETH_CDC) || defined(CONFIG_USB_ETH_RNDIS)
2067            /*
2068             * CDC Ethernet control interface doesn't require a status endpoint.
2069             * Since some hosts expect one, try to allocate one anyway.
2070             */
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach the expression "rndis" inside this statement: "if (cdc || rndis) {
  statu...".
2071            if (cdc || rndis) {
2072                    status_ep = usb_ep_autoconfig(gadget, &fs_status_desc);
2073                    if (status_ep) {
2074                            status_ep->driver_data = status_ep;     /* claim */
2075                    } else if (rndis) {
2076                            pr_err("can't run RNDIS on %s", gadget->name);
/drivers/usb/gadget/ether.c: 2089 in eth_bind()
2083                    }
2084            }
2085     #endif
2086
2087            /* one config:  cdc, else minimal subset */
2088            if (!cdc) {
>>>     CID 501791:    (DEADCODE)
>>>     Execution cannot reach this statement: "eth_config.bNumInterfaces = 1;".
2089                    eth_config.bNumInterfaces = 1;
2090                    eth_config.iConfiguration = STRING_SUBSET;
2091
2092                    /*
2093                     * use functions to set these up, in case we're built to work
2094                     * with multiple controllers and must override CDC Ethernet.

** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
/cmd/bcb.c: 175 in __bcb_initialize()


________________________________________________________________________________________________________
*** CID 501790:  Null pointer dereferences  (FORWARD_NULL)
/cmd/bcb.c: 175 in __bcb_initialize()
169                     }
170             }
171
172             return CMD_RET_SUCCESS;
173
174     err_read_fail:
>>>     CID 501790:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "block".
175             printf("Error: %d %d:%s read failed (%d)\n", block->uclass_id,
176                    block->devnum, partition->name, ret);
177             __bcb_reset();
178             return CMD_RET_FAILURE;
179     }
180

** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()


________________________________________________________________________________________________________
*** CID 501789:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm_tcg2.c: 41 in tcg2_get_pcr_info()
35      memset(response, 0, sizeof(response));
36
37      ret = tpm2_get_pcr_info(dev, &pcrs);
38      if (ret)
39              return ret;
40
>>>     CID 501789:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "pcrs.count" as a loop boundary.
41      for (i = 0; i < pcrs.count; i++) {
42              u32 hash_mask = tcg2_algorithm_to_mask(pcrs.selection[i].hash);
43
44              if (hash_mask) {
45                      *supported_pcr |= hash_mask;
46                      if (tpm2_is_active_pcr(&pcrs.selection[i]))

** CID 501788:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 501788:  Memory - corruptions  (OVERRUN)
/lib/tpm_tcg2.c: 658 in tcg2_measurement_term()
652                                bool error)
653     {
654             u32 event = error ? 0x1 : 0xffffffff;
655             int i;
656
657             for (i = 0; i < 8; ++i)
>>>     CID 501788:  Memory - corruptions  (OVERRUN)
>>>     Overrunning buffer pointed to by "(u8 const *)&event" of 4 bytes by passing it to a function which accesses it at byte offset 63.
658                     tcg2_measure_event(dev, elog, i, EV_SEPARATOR, sizeof(event),
659                                        (const u8 *)&event);
660
661             if (elog->log)
662                     unmap_physmem(elog->log, MAP_NOCACHE);
663     }



----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-04-22 21:48 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-04-22 21:48 UTC (permalink / raw)
  To: u-boot; +Cc: Charles Hardin, Ilias Apalodimas


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Apr 22, 2024 at 3:23 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 492766:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_var_mem.c: 236 in efi_var_mem_init()


________________________________________________________________________________________________________
*** CID 492766:  Control flow issues  (DEADCODE)
/lib/efi_loader/efi_var_mem.c: 236 in efi_var_mem_init()
230             memset(efi_var_buf, 0, EFI_VAR_BUF_SIZE);
231             efi_var_buf->magic = EFI_VAR_FILE_MAGIC;
232             efi_var_buf->length = (uintptr_t)efi_var_buf->var -
233                                   (uintptr_t)efi_var_buf;
234
235             if (ret != EFI_SUCCESS)
>>>     CID 492766:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return ret;".
236                     return ret;
237             ret = efi_create_event(EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE, TPL_CALLBACK,
238                                    efi_var_mem_notify_virtual_address_map, NULL,
239                                    NULL, &event);
240             if (ret != EFI_SUCCESS)
241                     return ret;

** CID 492765:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 492765:  Uninitialized variables  (UNINIT)
/net/bootp.c: 888 in dhcp_process_options()
882                             net_root_path[size] = 0;
883                             break;
884                     case 28:        /* Ignore Broadcast Address Option */
885                             break;
886                     case 40:        /* NIS Domain name */
887                             if (net_nis_domain[0] == 0) {
>>>     CID 492765:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "size" when calling "truncate_sz".
888                                     size = truncate_sz("NIS Domain Name",
889                                             sizeof(net_nis_domain), size);
890                                     memcpy(&net_nis_domain, popt + 2, size);
891                                     net_nis_domain[size] = 0;
892                             }
893                             break;


-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-29 23:55 Tom Rini
  2024-01-30  8:14 ` Heinrich Schuchardt
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-01-29 23:55 UTC (permalink / raw)
  To: u-boot, Heinrich Schuchardt


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 29, 2024 at 6:51 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 480240:  Insecure data handling  (TAINTED_SCALAR)
/cmd/efidebug.c: 192 in do_efi_capsule_esrt()


________________________________________________________________________________________________________
*** CID 480240:  Insecure data handling  (TAINTED_SCALAR)
/cmd/efidebug.c: 192 in do_efi_capsule_esrt()
186
187             printf("========================================\n");
188             printf("ESRT: fw_resource_count=%d\n", esrt->fw_resource_count);
189             printf("ESRT: fw_resource_count_max=%d\n", esrt->fw_resource_count_max);
190             printf("ESRT: fw_resource_version=%lld\n", esrt->fw_resource_version);
191
>>>     CID 480240:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "esrt->fw_resource_count" as a loop boundary.
192             for (int idx = 0; idx < esrt->fw_resource_count; idx++) {
193                     printf("[entry %d]==============================\n", idx);
194                     printf("ESRT: fw_class=%pUL\n", &esrt->entries[idx].fw_class);
195                     printf("ESRT: fw_type=%s\n", EFI_FW_TYPE_STR_GET(esrt->entries[idx].fw_type));
196                     printf("ESRT: fw_version=%d\n", esrt->entries[idx].fw_version);
197                     printf("ESRT: lowest_supported_fw_version=%d\n",

----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-22 23:52 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-01-22 23:52 UTC (permalink / raw)
  To: u-boot


I've now updated to the latest Coverity scan tool and that eliminated
some previous defects and found two new ones:

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 22, 2024 at 6:42 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
8 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 478862:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 478862:  Memory - corruptions  (OVERRUN)
/lib/initcall.c: 82 in initcall_run_list()
76      if (ret) {
77              if (CONFIG_IS_ENABLED(EVENT)) {
78                      char buf[60];
79
80                      /* don't worry about buf size as we are dying here */
81                      if (type) {
>>>     CID 478862:  Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 15 by passing argument "type" (which evaluates to 255) in call to "event_type_name".
82                              sprintf(buf, "event %d/%s", type,
83                                      event_type_name(type));
84                      } else {
85                              sprintf(buf, "call %p", func);
86                      }
87

** CID 478861:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 478861:  Memory - corruptions  (OVERRUN)
/cmd/nvedit.c: 356 in print_static_flags()
350     static int print_static_flags(const char *var_name, const char *flags,
351                                   void *priv)
352     {
353             enum env_flags_vartype type = env_flags_parse_vartype(flags);
354             enum env_flags_varaccess access = env_flags_parse_varaccess(flags);
355
>>>     CID 478861:  Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 4 by passing argument "access" (which evaluates to 4) in call to "env_flags_get_varaccess_name".
356             printf("\t%-20s %-20s %-20s\n", var_name,
357                     env_flags_get_vartype_name(type),
358                     env_flags_get_varaccess_name(access));
359
360             return 0;
361     }

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-22 23:30 Tom Rini
  2024-01-23  8:15 ` Hugo Cornelis
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-01-22 23:30 UTC (permalink / raw)
  To: u-boot, Hugo Cornelis


Hey all,

Here's the latest Coverity scan report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 22, 2024 at 6:26 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

1 new defect(s) introduced to Das U-Boot found with Coverity Scan.
7 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 478860:  Code maintainability issues  (UNUSED_VALUE)
/tools/image-host.c: 359 in fit_image_read_key_iv_data()


________________________________________________________________________________________________________
*** CID 478860:  Code maintainability issues  (UNUSED_VALUE)
/tools/image-host.c: 359 in fit_image_read_key_iv_data()
353             if (ret >= sizeof(filename)) {
354                     printf("Can't format the key or IV filename when setting up the cipher: insufficient buffer space\n");
355                     ret = -1;
356             }
357             if (ret < 0) {
358                     printf("Can't format the key or IV filename when setting up the cipher: snprintf error\n");
>>>     CID 478860:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "-1" to "ret" here, but that stored value is overwritten before it can be used.
359                     ret = -1;
360             }
361
362             ret = fit_image_read_data(filename, key_iv_data, expected_size);
363
364             return ret;


----- End forwarded message -----

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-18 14:35 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2024-01-18 14:35 UTC (permalink / raw)
  To: u-boot, Ilias Apalodimas, Heinrich Schuchardt


Here's the current set of new issues since I last ran Coverity.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Thu, Jan 18, 2024 at 9:20 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 478334:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 478334:  Memory - corruptions  (OVERRUN)
/cmd/eficonfig.c: 534 in eficonfig_create_device_path()
528             p += fp_size;
529             *((struct efi_device_path *)p) = END;
530
531             dp = efi_dp_shorten(dp_volume);
532             if (!dp)
533                     dp = dp_volume;
>>>     CID 478334:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type efi_device_path of 4 bytes by passing it to a function which accesses it at byte offset 5 using argument "fp->dp.length" (which evaluates to 6).
534             dp = efi_dp_concat(dp, &fp->dp, false);
535             free(buf);
536
537             return dp;
538     }
539

** CID 478333:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()


________________________________________________________________________________________________________
*** CID 478333:  Error handling issues  (CHECKED_RETURN)
/lib/efi_loader/efi_firmware.c: 413 in efi_firmware_set_fmp_state_var()
407             /*
408              * GetVariable may fail, EFI_NOT_FOUND is returned if FmpState
409              * variable has not been set yet.
410              * Ignore the error here since the correct FmpState variable
411              * is set later.
412              */
>>>     CID 478333:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "efi_get_variable_int" without checking return value (as is done elsewhere 29 out of 33 times).
413             efi_get_variable_int(varname, image_type_id, NULL, &size, var_state,
414                                  NULL);
415
416             /*
417              * Only the fw_version is set here.
418              * lowest_supported_version in FmpState variable is ignored since



-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2024-01-08 17:45 Tom Rini
  2024-01-09  5:26 ` Sean Anderson
  0 siblings, 1 reply; 105+ messages in thread
From: Tom Rini @ 2024-01-08 17:45 UTC (permalink / raw)
  To: u-boot, Francis Laniel, Sean Anderson


Hey all,

Now that I've merged next I've re-run Coverity to get a start on issues
that've been added since last run. The report isn't complete because of
the number of issues, sadly, but if someone is interested in a specific
area contact me off-list and I can provide access to the dashboard.

For the hush-related issues, this would be a good chance to work with
upstream and then backport the changes, I suspect.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Jan 8, 2024 at 12:24 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

41 new defect(s) introduced to Das U-Boot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 41 defect(s)


** CID 477217:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5518 in parse_dollar()


________________________________________________________________________________________________________
*** CID 477217:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5518 in parse_dollar()
5512                                            break;
5513                                    if (--cnt == 0)
5514                                            goto bad_dollar_syntax;
5515                                    if (len_single_ch != '#' && strchr(VAR_SUBST_OPS, ch))
5516                                            /* ${NN<op>...} is valid */
5517                                            goto eat_until_closing;
>>>     CID 477217:  Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "ch" as an index to array "_ctype".
5518                                    if (!isdigit(ch))
5519                                            goto bad_dollar_syntax;
5520                            }
5521                    } else
5522                    while (1) {
5523                            unsigned pos;

** CID 477216:    (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
/drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()


________________________________________________________________________________________________________
*** CID 477216:    (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 3921 in nand_flash_detect_onfi()
3915
3916            /*
3917             * pages_per_block and blocks_per_lun may not be a power-of-2 size
3918             * (don't ask me who thought of this...). MTD assumes that these
3919             * dimensions will be power-of-2, so just truncate the remaining area.
3920             */
>>>     CID 477216:    (BAD_SHIFT)
>>>     In expression "1 << generic_fls((__u32)(__le32)p->pages_per_block) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_fls((__u32)(__le32)p->pages_per_block) - 1", is -1.
3921            mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
3922            mtd->erasesize *= mtd->writesize;
3923
3924            mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
3925
3926            /* See erasesize comment */
/drivers/mtd/nand/raw/nand_base.c: 3927 in nand_flash_detect_onfi()
3921            mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1);
3922            mtd->erasesize *= mtd->writesize;
3923
3924            mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page);
3925
3926            /* See erasesize comment */
>>>     CID 477216:    (BAD_SHIFT)
>>>     In expression "1 << generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", shifting by a negative amount has undefined behavior.  The shift amount, "generic_fls((__u32)(__le32)p->blocks_per_lun) - 1", is -1.
3927            chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1);
3928            chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count;
3929            chip->bits_per_cell = p->bits_per_cell;
3930
3931            if (onfi_feature(chip) & ONFI_FEATURE_16_BIT_BUS)
3932                    chip->options |= NAND_BUSWIDTH_16;

** CID 477215:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()


________________________________________________________________________________________________________
*** CID 477215:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4978 in nand_scan_tail()
4972                            pr_warn("No ECC functions supplied; hardware ECC not possible\n");
4973                            BUG();
4974                    }
4975                    if (!ecc->read_page)
4976                            ecc->read_page = nand_read_page_hwecc_oob_first;
4977
>>>     CID 477215:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "NAND_ECC_HW" is not terminated by a "break" statement.
4978            case NAND_ECC_HW:
4979                    /* Use standard hwecc read page function? */
4980                    if (!ecc->read_page)
4981                            ecc->read_page = nand_read_page_hwecc;
4982                    if (!ecc->write_page)
4983                            ecc->write_page = nand_write_page_hwecc;

** CID 477214:  Integer handling issues  (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()


________________________________________________________________________________________________________
*** CID 477214:  Integer handling issues  (BAD_SHIFT)
/drivers/mtd/nand/raw/nand_base.c: 4397 in nand_detect()
4391
4392            nand_decode_bbm_options(mtd, chip);
4393
4394            /* Calculate the address shift from the page size */
4395            chip->page_shift = ffs(mtd->writesize) - 1;
4396            /* Convert chipsize to number of pages per chip -1 */
>>>     CID 477214:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "chip->chipsize >> chip->page_shift", shifting by a negative amount has undefined behavior.  The shift amount, "chip->page_shift", is -1.
4397            chip->pagemask = (chip->chipsize >> chip->page_shift) - 1;
4398
4399            chip->bbt_erase_shift = chip->phys_erase_shift =
4400                    ffs(mtd->erasesize) - 1;
4401            if (chip->chipsize & 0xffffffff)
4402                    chip->chip_shift = ffs((unsigned)chip->chipsize) - 1;

** CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in dm_test_nand()


________________________________________________________________________________________________________
*** CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in dm_test_nand()
61      ops.ooblen = mtd->oobsize;
62      ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63      ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65      /* Generate some data and write it */
66      for (i = 0; i < size / sizeof(int); i++)
>>>     CID 477213:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67              gold[i] = rand();
68      ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69                                      (void *)gold, 0));
70      ut_asserteq(size, length);
71
72      /* Verify */

** CID 477212:  Incorrect expression  (SIZEOF_MISMATCH)
/lib/smbios.c: 595 in write_smbios_table()


________________________________________________________________________________________________________
*** CID 477212:  Incorrect expression  (SIZEOF_MISMATCH)
/lib/smbios.c: 595 in write_smbios_table()
589              * sandbox's DRAM buffer.
590              */
591             table_addr = (ulong)map_sysmem(tables, 0);
592
593             /* now go back and write the SMBIOS3 header */
594             se = map_sysmem(start_addr, sizeof(struct smbios_entry));
>>>     CID 477212:  Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "se" of type "struct smbios3_entry *" and argument "31UL" ("sizeof (struct smbios_entry)") to function "memset" is suspicious because a multiple of "sizeof (struct smbios3_entry) /*24*/" is expected.
595             memset(se, '\0', sizeof(struct smbios_entry));
596             memcpy(se->anchor, "_SM3_", 5);
597             se->length = sizeof(struct smbios3_entry);
598             se->major_ver = SMBIOS_MAJOR_VER;
599             se->minor_ver = SMBIOS_MINOR_VER;
600             se->doc_rev = 0;

** CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
/drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()


________________________________________________________________________________________________________
*** CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
/drivers/mtd/nand/raw/nand_bbt.c: 1133 in nand_scan_bbt()
1127
1128            /* Prevent the bbt regions from erasing / writing */
1129            mark_bbt_region(mtd, td);
1130            if (md)
1131                    mark_bbt_region(mtd, md);
1132
>>>     CID 477211:  API usage errors  (ALLOC_FREE_MISMATCH)
>>>     Calling "vfree" frees "buf" using "vfree" but it should have been freed using "kfree". [Note: The source code implementation of the function has been overridden by a builtin model.]
1133            vfree(buf);
1134            return 0;
1135
1136     err:
1137            kfree(this->bbt);
1138            this->bbt = NULL;

** CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
/drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()


________________________________________________________________________________________________________
*** CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
/drivers/mtd/nand/raw/sand_nand.c: 199 in sand_nand_read()
193             chip->tmp_dirty = true;
194             for (i = 0; i < chip->err_steps; i++) {
195                     u32 bit_errors = chip->err_count;
196                     unsigned int j = chip->err_step_bits + chip->ecc_bits;
197
198                     while (bit_errors) {
>>>     CID 477210:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
199                             unsigned int u = rand();
200                             float quot = 1ULL << 32;
201
202                             do {
203                                     quot *= j - bit_errors;
204                                     quot /= j;

** CID 477209:  Memory - illegal accesses  (STRING_NULL)


________________________________________________________________________________________________________
*** CID 477209:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 4434 in reserved_word()
4428                            str = old->as_string.data + len;
4429                            if (str > old->as_string.data)
4430                                    str--; /* skip whitespace after keyword */
4431                            while (str > old->as_string.data && isalpha(str[-1]))
4432                                    str--;
4433                            /* Ugh, we're done with this horrid hack */
>>>     CID 477209:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "str" to "sandbox_strdup", which expects a null-terminated string.
4434                            old->command->group_as_string = xstrdup(str);
4435                            debug_printf_parse("pop, remembering as:'%s'\n",
4436                                            old->command->group_as_string);
4437                    }
4438     # endif
4439                    *ctx = *old;   /* physical copy */

** CID 477208:  Memory - illegal accesses  (STRING_NULL)


________________________________________________________________________________________________________
*** CID 477208:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 7660 in expand_variables()
7654            output.o_expflags = expflags;
7655
7656            n = 0;
7657            for (;;) {
7658                    /* go to next list[n] */
7659                    output.ended_in_ifs = 0;
>>>     CID 477208:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "output.data" to "o_save_ptr", which expects a null-terminated string.
7660                    n = o_save_ptr(&output, n);
7661
7662                    if (!*argv)
7663                            break;
7664
7665                    /* expand argv[i] */

** CID 477207:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()


________________________________________________________________________________________________________
*** CID 477207:  Control flow issues  (MISSING_BREAK)
/drivers/mtd/nand/raw/nand_base.c: 4969 in nand_scan_tail()
4963            /*
4964             * Check ECC mode, default to software if 3byte/512byte hardware ECC is
4965             * selected and we have 256 byte pagesize fallback to software ECC
4966             */
4967
4968            switch (ecc->mode) {
>>>     CID 477207:  Control flow issues  (MISSING_BREAK)
>>>     The case for value "NAND_ECC_HW_OOB_FIRST" is not terminated by a "break" statement.
4969            case NAND_ECC_HW_OOB_FIRST:
4970                    /* Similar to NAND_ECC_HW, but a separate read_page handle */
4971                    if (!ecc->calculate || !ecc->correct || !ecc->hwctl) {
4972                            pr_warn("No ECC functions supplied; hardware ECC not possible\n");
4973                            BUG();
4974                    }

** CID 477206:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5544 in parse_dollar()


________________________________________________________________________________________________________
*** CID 477206:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/common/cli_hush_upstream.c: 5544 in parse_dollar()
5538                             * So, we need to authorize # to appear inside
5539                             * variable name and then expand this variable.
5540                             * NOTE Having # in variable name is not permitted in
5541                             * upstream hush but expansion will be done (even though
5542                             * the result will be empty).
5543                             */
>>>     CID 477206:  Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "ch" as an index to array "_ctype".
5544                            if (!isalnum(ch) && ch != '_' && ch != '#') {
5545     #endif /* __U_BOOT__ */
5546                                    unsigned end_ch;
5547     #ifndef __U_BOOT__
5548                                    unsigned char last_ch;
5549     #endif /* !__U_BOOT__ */

** CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 88 in mtd_dump_device_buf()


________________________________________________________________________________________________________
*** CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 88 in mtd_dump_device_buf()
82                      printf("\nDump %d data bytes from 0x%08llx:\n",
83                             mtd->writesize, start_off + data_off);
84                      mtd_dump_buf(&buf[data_off],
85                                   mtd->writesize, start_off + data_off);
86
87                      if (woob) {
>>>     CID 477205:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "page * mtd->oobsize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
88                              u64 oob_off = page * mtd->oobsize;
89
90                              printf("Dump %d OOB bytes from page at 0x%08llx:\n",
91                                     mtd->oobsize, start_off + data_off);
92                              mtd_dump_buf(&buf[len + oob_off],
93                                           mtd->oobsize, 0);

** CID 477204:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 10553 in run_list()


________________________________________________________________________________________________________
*** CID 477204:  Memory - illegal accesses  (STRING_NULL)
/common/cli_hush_upstream.c: 10553 in run_list()
10547                           /* We cannot use xasprintf, so we emulate it. */
10548                           char *full_var;
10549                           char *var = pi->cmds[0].argv[0];
10550                           char *val = *for_lcur++;
10551
10552                           /* + 1 to take into account =. */
>>>     CID 477204:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "val" to "strlen", which expects a null-terminated string. [Note: The source code implementation of the function has been overridden by a builtin model.]
10553                           full_var = xmalloc(strlen(var) + strlen(val) + 1);
10554                           sprintf(full_var, "%s=%s", var, val);
10555
10556                           set_local_var_modern(full_var, /*flag:*/ 0);
10557     #endif /* __U_BOOT__ */
10558                           continue;

** CID 477203:    (UNINIT)
/boot/bootm.c: 705 in bootm_load_os()
/boot/bootm.c: 713 in bootm_load_os()


________________________________________________________________________________________________________
*** CID 477203:    (UNINIT)
/boot/bootm.c: 705 in bootm_load_os()
699                             printf("Failed to prep arm64 kernel (err=%d)\n", ret);
700                             return BOOTM_ERR_RESET;
701                     }
702
703                     /* Handle BOOTM_STATE_LOADOS */
704                     if (relocated_addr != load) {
>>>     CID 477203:    (UNINIT)
>>>     Using uninitialized value "image_size".
705                             printf("Moving Image from 0x%lx to 0x%lx, end=%lx\n",
706                                    load, relocated_addr,
707                                    relocated_addr + image_size);
708                             memmove((void *)relocated_addr, load_buf, image_size);
709                     }
710
/boot/bootm.c: 713 in bootm_load_os()
707                                    relocated_addr + image_size);
708                             memmove((void *)relocated_addr, load_buf, image_size);
709                     }
710
711                     images->ep = relocated_addr;
712                     images->os.start = relocated_addr;
>>>     CID 477203:    (UNINIT)
>>>     Using uninitialized value "image_size".
713                     images->os.end = relocated_addr + image_size;
714             }
715
716             lmb_reserve(&images->lmb, images->os.load, (load_end -
717                                                         images->os.load));
718             return 0;

** CID 477202:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 477202:  Null pointer dereferences  (FORWARD_NULL)
/common/cli_hush_upstream.c: 4425 in reserved_word()
4419                     * with "if " remaining in old->as_string!
4420                     */
4421                    {
4422                            char *str;
4423                            int len = old->as_string.length;
4424                            /* Concatenate halves */
>>>     CID 477202:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "ctx->as_string.data" to "o_addstr", which dereferences it.
4425                            o_addstr(&old->as_string, ctx->as_string.data);
4426                            o_free(&ctx->as_string);
4427                            /* Find where leading keyword starts in first half */
4428                            str = old->as_string.data + len;
4429                            if (str > old->as_string.data)
4430                                    str--; /* skip whitespace after keyword */

** CID 477201:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 80 in mtd_dump_device_buf()


________________________________________________________________________________________________________
*** CID 477201:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/cmd/mtd.c: 80 in mtd_dump_device_buf()
74              mtd->type == MTD_MLCNANDFLASH;
75      int npages = mtd_len_to_pages(mtd, len);
76      uint page;
77
78      if (has_pages) {
79              for (page = 0; page < npages; page++) {
>>>     CID 477201:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "page * mtd->writesize" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
80                      u64 data_off = page * mtd->writesize;
81
82                      printf("\nDump %d data bytes from 0x%08llx:\n",
83                             mtd->writesize, start_off + data_off);
84                      mtd_dump_buf(&buf[data_off],
85                                   mtd->writesize, start_off + data_off);

** CID 477200:  Security best practices violations  (STRING_OVERFLOW)
/boot/bootm.c: 499 in bootm_find_images()


________________________________________________________________________________________________________
*** CID 477200:  Security best practices violations  (STRING_OVERFLOW)
/boot/bootm.c: 499 in bootm_find_images()
493             int ret;
494
495             if (IS_ENABLED(CONFIG_ANDROID_BOOT_IMAGE)) {
496                     /* Look for an Android boot image */
497                     buf = map_sysmem(images.os.start, 0);
498                     if (buf && genimg_get_format(buf) == IMAGE_FORMAT_ANDROID) {
>>>     CID 477200:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 17-character fixed-size string "addr_str" by copying the return value of "simple_xtoa" without checking the length.
499                             strcpy(addr_str, simple_xtoa(img_addr));
500                             select = addr_str;
501                     }
502             }
503
504             if (conf_ramdisk)

** CID 477199:    (STRING_NULL)


________________________________________________________________________________________________________
*** CID 477199:    (STRING_NULL)
/common/cli_hush_upstream.c: 10315 in run_pipe()
10309                   if (cmd_no < pi->num_cmds)
10310                           close(pipefds.wr);
10311                   /* Pass read (output) pipe end to next iteration */
10312                   next_infd = pipefds.rd;
10313     #else /* __U_BOOT__ */
10314                   /* Process the command */
>>>     CID 477199:    (STRING_NULL)
>>>     Passing unterminated string "*command->argv" to "cmd_process", which expects a null-terminated string.
10315                   rcode = cmd_process(G.do_repeat ? CMD_FLAG_REPEAT : 0,
10316                                       command->argc, command->argv,
10317                                       &(G.flag_repeat), NULL);
10318
10319                   if (argv_expanded) {
10320                           /*
/common/cli_hush_upstream.c: 9984 in run_pipe()
9978                                    }
9979     #endif
9980                                    debug_printf_env("set shell var:'%s'->'%s'\n", *argv, p);
9981     #ifndef __U_BOOT__
9982                                    if (set_local_var0(p)) {
9983     #else /* __U_BOOT__ */
>>>     CID 477199:    (STRING_NULL)
>>>     Passing unterminated string "p" to "set_local_var_modern", which expects a null-terminated string.
9984                                    if (set_local_var_modern(p, /*flag:*/ 0)) {
9985     #endif
9986                                            /* assignment to readonly var / putenv error? */
9987                                            rcode = 1;
9988                                    }
9989                                    i++;

** CID 477198:  Control flow issues  (DEADCODE)
/cmd/bootflow.c: 547 in do_bootflow_cmdline()


________________________________________________________________________________________________________
*** CID 477198:  Control flow issues  (DEADCODE)
/cmd/bootflow.c: 547 in do_bootflow_cmdline()
541             }
542
543             op = argv[1];
544             arg = argv[2];
545             if (*op == 's') {
546                     if (argc < 3)
>>>     CID 477198:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return CMD_RET_USAGE;".
547                             return CMD_RET_USAGE;
548                     val = argv[3] ?: (const char *)BOOTFLOWCL_EMPTY;
549             }
550
551             switch (*op) {
552             case 'c':       /* clear */


-- 
Tom

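The two BAD_SHIFT findings in this report (CID 477216 in nand_flash_detect_onfi() and CID 477214 in nand_detect()) share one root cause: the "1 << (fls(x) - 1)" and "ffs(x) - 1" idioms are applied to fields read from the chip's ONFI parameter page, and fls(0) and ffs(0) both return 0, so a zeroed field turns the shift count into -1. The block below is an added example, not U-Boot code: it reproduces the geometry maths on a reduced stand-in for the parameter page (struct onfi_params, struct nand_geom, onfi_geometry() and the helper names are assumptions made for this example), rejects zero fields before any shift happens, and does the erasesize multiply in 64 bits so a large page count cannot wrap. Constructed sample values are used throughout.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/*
 * Reduced stand-in for the ONFI parameter page (names are assumptions,
 * not U-Boot's struct). Values are taken to be already converted to host
 * byte order; on real hardware they come straight from the flash chip,
 * so none of them may be trusted.
 */
struct onfi_params {
	uint32_t pages_per_block;
	uint32_t blocks_per_lun;
	uint32_t writesize;	/* bytes per page */
	uint8_t  lun_count;
};

struct nand_geom {
	uint32_t erasesize;	/* bytes per block */
	uint64_t chipsize;	/* bytes per chip */
	int      page_shift;
	uint64_t pagemask;
};

/* Linux-style fls(): 1-based index of the highest set bit; fls(0) == 0. */
static int fls32(uint32_t x)
{
	int r = 0;

	while (x) {
		r++;
		x >>= 1;
	}
	return r;
}

/* Linux-style ffs(): 1-based index of the lowest set bit; ffs(0) == 0. */
static int ffs32(uint32_t x)
{
	int r = 1;

	if (!x)
		return 0;
	while (!(x & 1)) {
		x >>= 1;
		r++;
	}
	return r;
}

/*
 * Largest power of two not above x: the "1 << (fls(x) - 1)" idiom from
 * the report. With x == 0 the shift count would be -1 (undefined
 * behaviour), so callers must reject zero first; the unsigned 1u also
 * keeps x >= 2^31 from overflowing a signed int.
 */
static uint32_t pow2_floor(uint32_t x)
{
	return 1u << (fls32(x) - 1);
}

/*
 * Derive the geometry the way the flagged code does, with the checks
 * Coverity is asking for. Returns 0 on success or -EINVAL when the
 * parameter page cannot describe a real chip.
 */
int onfi_geometry(const struct onfi_params *p, struct nand_geom *g)
{
	uint64_t pages, blocks, erasesize;

	/* Every field that would otherwise reach fls()/ffs() as 0. */
	if (!p->pages_per_block || !p->blocks_per_lun ||
	    !p->writesize || !p->lun_count)
		return -EINVAL;

	/* Non power-of-two dimensions are truncated, as MTD expects. */
	pages = pow2_floor(p->pages_per_block);
	blocks = pow2_floor(p->blocks_per_lun);

	/* Multiply in 64 bits; a page count near 2^32 must not wrap. */
	erasesize = pages * p->writesize;
	if (erasesize > UINT32_MAX)
		return -EINVAL;

	g->erasesize = (uint32_t)erasesize;
	g->chipsize = blocks * erasesize * p->lun_count;
	/* writesize is non-zero here, so ffs() - 1 is a valid shift count. */
	g->page_shift = ffs32(p->writesize) - 1;
	g->pagemask = (g->chipsize >> g->page_shift) - 1;
	return 0;
}

int main(void)
{
	/* Constructed: a 128 MiB chip, 2 KiB pages, 64 pages per block. */
	struct onfi_params ok = { 64, 1024, 2048, 1 };
	/* Constructed: a parameter page whose block size field is zero. */
	struct onfi_params bad = { 0, 1024, 2048, 1 };
	struct nand_geom g;

	if (onfi_geometry(&ok, &g) == 0)
		printf("erasesize=%u chipsize=%llu page_shift=%d pagemask=%llu\n",
		       g.erasesize, (unsigned long long)g.chipsize,
		       g.page_shift, (unsigned long long)g.pagemask);
	printf("zero pages_per_block -> %d\n", onfi_geometry(&bad, &g));
	return 0;
}
```

The point of the zero check is that the parameter page is device-supplied input: a blank or corrupted page must produce a clean -EINVAL rather than a shift by -1 whose result the compiler is free to treat as anything.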
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2023-08-21 21:09 Tom Rini
  2023-08-24  9:27 ` Abdellatif El Khlifi
  2023-10-20 11:57 ` Abdellatif El Khlifi
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2023-08-21 21:09 UTC (permalink / raw)
  To: u-boot, Alvaro Fernando García, Abdellatif El Khlifi

Here's the latest report

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Aug 21, 2023 at 4:30 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

4 new defect(s) introduced to Das U-Boot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 464362:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/video/pwm_backlight.c: 68 in set_pwm()


________________________________________________________________________________________________________
*** CID 464362:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/video/pwm_backlight.c: 68 in set_pwm()
62     {
63      u64 width;
64      uint duty_cycle;
65      int ret;
66
67      if (priv->period_ns) {
>>>     CID 464362:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "priv->period_ns * (priv->cur_level - priv->min_level)" with type "unsigned int" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
68              width = priv->period_ns * (priv->cur_level - priv->min_level);
69              duty_cycle = div_u64(width,
70                                   (priv->max_level - priv->min_level));
71              ret = pwm_set_config(priv->pwm, priv->channel, priv->period_ns,
72                                   duty_cycle);
73      } else {

** CID 464361:  Control flow issues  (DEADCODE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()


________________________________________________________________________________________________________
*** CID 464361:  Control flow issues  (DEADCODE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 148 in ffa_print_error_log()
142
143             if (ffa_id < FFA_FIRST_ID || ffa_id > FFA_LAST_ID)
144                     return -EINVAL;
145
146             abi_idx = FFA_ID_TO_ERRMAP_ID(ffa_id);
147             if (abi_idx < 0 || abi_idx >= FFA_ERRMAP_COUNT)
>>>     CID 464361:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return -22;".
148                     return -EINVAL;
149
150             if (!err_msg_map[abi_idx].err_str[err_idx])
151                     return -EINVAL;
152
153             log_err("%s\n", err_msg_map[abi_idx].err_str[err_idx]);

** CID 464360:  Control flow issues  (NO_EFFECT)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()


________________________________________________________________________________________________________
*** CID 464360:  Control flow issues  (NO_EFFECT)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 207 in ffa_get_version_hdlr()
201             major = GET_FFA_MAJOR_VERSION(res.a0);
202             minor = GET_FFA_MINOR_VERSION(res.a0);
203
204             log_debug("FF-A driver %d.%d\nFF-A framework %d.%d\n",
205                      FFA_MAJOR_VERSION, FFA_MINOR_VERSION, major, minor);
206
>>>     CID 464360:  Control flow issues  (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "minor >= 0".
207             if (major == FFA_MAJOR_VERSION && minor >= FFA_MINOR_VERSION) {
208                     log_debug("FF-A versions are compatible\n");
209
210                     if (dev) {
211                             uc_priv = dev_get_uclass_priv(dev);
212                             if (uc_priv)

** CID 464359:    (PASS_BY_VALUE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
/drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()


________________________________________________________________________________________________________
*** CID 464359:    (PASS_BY_VALUE)
/drivers/firmware/arm-ffa/arm-ffa-uclass.c: 168 in invoke_ffa_fn()
162      * @args: FF-A ABI arguments to be copied to Xn registers
163      * @res: FF-A ABI return data to be copied from Xn registers
164      *
165      * Calls low level SMC implementation.
166      * This function should be implemented by the user driver.
167      */
>>>     CID 464359:    (PASS_BY_VALUE)
>>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
168     void __weak invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
169     {
170     }
171
172     /**
173      * ffa_get_version_hdlr() - FFA_VERSION handler function
/drivers/firmware/arm-ffa/ffa-emul-uclass.c: 673 in invoke_ffa_fn()
667      * invoke_ffa_fn() - SMC wrapper
668      * @args: FF-A ABI arguments to be copied to Xn registers
669      * @res: FF-A ABI return data to be copied from Xn registers
670      *
671      * Calls the emulated SMC call.
672      */
>>>     CID 464359:    (PASS_BY_VALUE)
>>>     Passing parameter args of type "ffa_value_t" (size 144 bytes) by value, which exceeds the low threshold of 128 bytes.
673     void invoke_ffa_fn(ffa_value_t args, ffa_value_t *res)
674     {
675             sandbox_arm_ffa_smccc_smc(&args, res);
676     }
677
678     /**

-- 
Tom

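CID 464362 above (pwm_backlight.c) and CID 477205 / CID 477201 in the January 2024 report (cmd/mtd.c) are the same OVERFLOW_BEFORE_WIDEN pattern: a product of two 32-bit values is evaluated in 32-bit arithmetic and only the already-wrapped result is stored in a u64. In the mtd case the wrapped value then feeds a buffer index of the form &buf[len + oob_off]. The block below is an added example, not U-Boot code, that puts the narrow and the correctly widened computation side by side on constructed values and adds a bounds check to that style of indexing; page_offset_narrow(), page_offset_wide(), pwm_duty_narrow(), pwm_duty_wide() and oob_region() are names made up for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * What "u64 data_off = page * mtd->writesize" computes: both operands are
 * 32-bit, so the product wraps modulo 2^32 (unsigned, so defined but
 * wrong) and only the wrapped value is widened to 64 bits.
 */
uint64_t page_offset_narrow(uint32_t page, uint32_t writesize)
{
	uint64_t off = page * writesize;	/* 32-bit multiply, then widen */

	return off;
}

/* The fix: widen one operand first so the multiply happens in 64 bits. */
uint64_t page_offset_wide(uint32_t page, uint32_t writesize)
{
	return (uint64_t)page * writesize;
}

/*
 * Same pattern as the backlight driver: period_ns and the level range are
 * 32-bit and the product is stored in a u64. A 1 ms period times a few
 * thousand levels already exceeds 2^32, so the duty cycle comes out wrong.
 */
uint32_t pwm_duty_narrow(uint32_t period_ns, uint32_t cur_level,
			 uint32_t min_level, uint32_t max_level)
{
	uint64_t width = period_ns * (cur_level - min_level);

	return (uint32_t)(width / (max_level - min_level));
}

uint32_t pwm_duty_wide(uint32_t period_ns, uint32_t cur_level,
		       uint32_t min_level, uint32_t max_level)
{
	uint64_t width = (uint64_t)period_ns * (cur_level - min_level);

	return (uint32_t)(width / (max_level - min_level));
}

/*
 * Bounds-checked form of the "&buf[len + oob_off]" indexing. @len is the
 * size of the data area that precedes the per-page OOB copies in @buf.
 * Returns the start of page @page's OOB bytes, or NULL when the correctly
 * widened offset (plus one OOB area) does not fit inside @buflen.
 */
const uint8_t *oob_region(const uint8_t *buf, size_t buflen, uint64_t len,
			  uint32_t page, uint32_t oobsize)
{
	uint64_t oob_off = (uint64_t)page * oobsize;
	uint64_t start = len + oob_off;

	if (start < len)			/* 64-bit wrap */
		return NULL;
	if (start > buflen || buflen - start < oobsize)
		return NULL;
	return buf + start;
}

int main(void)
{
	/* Constructed: page 2^21 + 1 of a 4 KiB-page device, i.e. 8 GiB in. */
	uint32_t page = 0x200001, writesize = 4096;
	/* Constructed: two 4 KiB pages of data followed by two 64-byte OOBs. */
	static uint8_t buf[2 * 4096 + 2 * 64];

	printf("offset narrow: %llu  wide: %llu\n",
	       (unsigned long long)page_offset_narrow(page, writesize),
	       (unsigned long long)page_offset_wide(page, writesize));
	printf("duty narrow: %u  wide: %u\n",
	       pwm_duty_narrow(1000000, 5000, 0, 10000),
	       pwm_duty_wide(1000000, 5000, 0, 10000));
	printf("oob page 1 in range: %d  page 2 rejected: %d\n",
	       oob_region(buf, sizeof(buf), 2 * 4096, 1, 64) != NULL,
	       oob_region(buf, sizeof(buf), 2 * 4096, 2, 64) == NULL);
	return 0;
}
```

The cast on the first operand is the whole fix for the arithmetic; the extra range check in oob_region() is what turns a page number the caller got wrong into a NULL instead of a read past the end of the buffer.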
* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2023-05-08 20:20 Tom Rini
  2023-05-15 21:59 ` Ehsan Mohandesi
  2023-05-18 21:04 ` Sean Edmond
  0 siblings, 2 replies; 105+ messages in thread
From: Tom Rini @ 2023-05-08 20:20 UTC (permalink / raw)
  To: u-boot; +Cc: Sean Edmond

Here's the latest defect report:

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, May 8, 2023, 2:29 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
/cmd/net.c: 279 in netboot_update_env()


________________________________________________________________________________________________________
*** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
/cmd/net.c: 279 in netboot_update_env()
273
274             if (IS_ENABLED(CONFIG_IPV6)) {
275                     if (!ip6_is_unspecified_addr(&net_ip6) ||
276                         net_prefix_length != 0) {
277                             sprintf(tmp, "%pI6c", &net_ip6);
278                             if (net_prefix_length != 0)
>>>     CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
>>>     In the call to function "sprintf", the arguments "tmp" and "tmp" may point to the same object.
279                                     sprintf(tmp, "%s/%d", tmp, net_prefix_length);
280
281                             env_set("ip6addr", tmp);
282                     }
283
284                     if (!ip6_is_unspecified_addr(&net_server_ip6)) {

** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
/net/ndisc.c: 391 in process_ra()


________________________________________________________________________________________________________
*** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
/net/ndisc.c: 391 in process_ra()
385             /* Ignore the packet if router lifetime is 0. */
386             if (!icmp->icmp6_rt_lifetime)
387                     return -EOPNOTSUPP;
388
389             /* Processing the options */
390             option = msg->opt;
>>>     CID 450971:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "remaining_option_len" as a loop boundary.
391             while (remaining_option_len > 0) {
392                     /* The 2nd byte of the option is its length. */
393                     option_len = option[1];
394                     /* All included options should have a positive length. */
395                     if (option_len == 0)
396                             return -EINVAL;

** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
/net/ndisc.c: 209 in ip6_send_rs()


________________________________________________________________________________________________________
*** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
/net/ndisc.c: 209 in ip6_send_rs()
203                                    icmp_len, PROT_ICMPV6, pcsum);
204             msg->icmph.icmp6_cksum = csum;
205             pkt += icmp_len;
206
207             /* Wait up to 1 second if it is the first try to get the RA */
208             if (retry_count == 0)
>>>     CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
209                     udelay(((unsigned int)rand() % 1000000) * MAX_SOLICITATION_DELAY);
210
211             /* send it! */
212             net_send_packet(net_tx_packet, (pkt - net_tx_packet));
213
214             retry_count++;

** CID 436282:    (DC.WEAK_CRYPTO)
/net/dhcpv6.c: 621 in dhcp6_state_machine()
/net/dhcpv6.c: 627 in dhcp6_state_machine()
/net/dhcpv6.c: 628 in dhcp6_state_machine()
/net/dhcpv6.c: 662 in dhcp6_state_machine()
/net/dhcpv6.c: 613 in dhcp6_state_machine()


________________________________________________________________________________________________________
*** CID 436282:    (DC.WEAK_CRYPTO)
/net/dhcpv6.c: 621 in dhcp6_state_machine()
615             /* handle state machine entry conditions */
616             if (sm_params.curr_state != sm_params.next_state) {
617                     sm_params.retry_cnt = 0;
618
619                     if (sm_params.next_state == DHCP6_SOLICIT) {
620                             /* delay a random ammount (special for SOLICIT) */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
622                             /* init timestamp variables after SOLICIT delay */
623                             sm_params.dhcp6_start_ms = get_timer(0);
624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
626                             /* init transaction and ia_id */
/net/dhcpv6.c: 627 in dhcp6_state_machine()
621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
622                             /* init timestamp variables after SOLICIT delay */
623                             sm_params.dhcp6_start_ms = get_timer(0);
624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
626                             /* init transaction and ia_id */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
627                             sm_params.trans_id = rand() & 0xFFFFFF;
628                             sm_params.ia_id = rand();
629                             /* initialize retransmission parameters */
630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
632                             /* RFCs default MRC is be 0 (try infinitely)
/net/dhcpv6.c: 628 in dhcp6_state_machine()
622                             /* init timestamp variables after SOLICIT delay */
623                             sm_params.dhcp6_start_ms = get_timer(0);
624                             sm_params.dhcp6_retry_start_ms = sm_params.dhcp6_start_ms;
625                             sm_params.dhcp6_retry_ms = sm_params.dhcp6_start_ms;
626                             /* init transaction and ia_id */
627                             sm_params.trans_id = rand() & 0xFFFFFF;
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
628                             sm_params.ia_id = rand();
629                             /* initialize retransmission parameters */
630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
632                             /* RFCs default MRC is be 0 (try infinitely)
633                              * give up after CONFIG_NET_RETRY_COUNT number of tries (same as DHCPv4)
/net/dhcpv6.c: 662 in dhcp6_state_machine()
656                 (sm_params.mrd_ms != 0 &&
657                  ((sm_params.dhcp6_retry_ms - sm_params.dhcp6_retry_start_ms) >= sm_params.mrd_ms))) {
658                     sm_params.next_state = DHCP6_FAIL;
659             }
660
661             /* calculate retransmission timeout (RT) */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
662             rand_minus_plus_100 = ((rand() % 200) - 100);
663             if (sm_params.retry_cnt == 0) {
664                     sm_params.rt_ms = sm_params.irt_ms +
665                                       ((sm_params.irt_ms * rand_minus_plus_100) / 1000);
666             } else {
667                     sm_params.rt_ms = (2 * sm_params.rt_prev_ms) +
/net/dhcpv6.c: 613 in dhcp6_state_machine()
607                      * Proceed anyway to proceed DONE/FAIL actions
608                      */
609                     debug("Unexpected DHCP6 state : %d\n", sm_params.curr_state);
610                     break;
611             }
612             /* re-seed the RNG */
>>>     CID 436282:    (DC.WEAK_CRYPTO)
>>>     "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
613             srand(get_ticks() + rand());
614
615             /* handle state machine entry conditions */
616             if (sm_params.curr_state != sm_params.next_state) {
617                     sm_params.retry_cnt = 0;
618

** CID 436278:    (TAINTED_SCALAR)
/net/dhcpv6.c: 321 in dhcp6_parse_options()


________________________________________________________________________________________________________
*** CID 436278:    (TAINTED_SCALAR)
/net/dhcpv6.c: 376 in dhcp6_parse_options()
370                                     if (sm_params.curr_state == DHCP6_SOLICIT)
371                                             sm_params.mrt_ms = updated_sol_max_rt_ms;
372                             }
373                             break;
374                     case DHCP6_OPTION_OPT_BOOTFILE_URL:
375                             debug("DHCP6_OPTION_OPT_BOOTFILE_URL FOUND\n");
>>>     CID 436278:    (TAINTED_SCALAR)
>>>     Passing tainted expression "option_len + 1" to "copy_filename", which uses it as a loop boundary.
376                             copy_filename(net_boot_file_name, option_ptr, option_len + 1);
377                             debug("net_boot_file_name: %s\n", net_boot_file_name);
378
379                             /* copy server_ip6 (required for PXE) */
380                             s = strchr(net_boot_file_name, '[');
381                             e = strchr(net_boot_file_name, ']');
/net/dhcpv6.c: 321 in dhcp6_parse_options()
315             while (option_hdr < (struct dhcp6_option_hdr *)(rx_pkt + len)) {
316                     option_ptr = ((uchar *)option_hdr) + sizeof(struct dhcp6_hdr);
317                     option_len = ntohs(option_hdr->option_len);
318
319                     switch (ntohs(option_hdr->option_id)) {
320                     case DHCP6_OPTION_CLIENTID:
>>>     CID 436278:    (TAINTED_SCALAR)
>>>     Passing tainted expression "option_len" to "memcmp", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
321                             if (memcmp(option_ptr, sm_params.duid, option_len)
322                                 != 0) {
323                                     debug("CLIENT ID DOESN'T MATCH\n");
324                             } else {
325                                     debug("CLIENT ID FOUND and MATCHES\n");
326                                     sm_params.rx_status.client_id_match = true;


-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2023-02-14 14:26 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2023-02-14 14:26 UTC (permalink / raw)
  To: u-boot


---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Feb 13, 2023, 6:50 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 436073:  Resource leaks  (RESOURCE_LEAK)
/tools/proftool.c: 1853 in make_flamegraph()


________________________________________________________________________________________________________
*** CID 436073:  Resource leaks  (RESOURCE_LEAK)
/tools/proftool.c: 1853 in make_flamegraph()
1847
1848            if (make_flame_tree(out_format, &tree))
1849                    return -1;
1850
1851            *str = '\0';
1852            if (output_tree(fout, out_format, tree, str, sizeof(str), 0))
>>>     CID 436073:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "tree" going out of scope leaks the storage it points to.
1853                    return -1;
1854
1855            return 0;
1856     }
1857
1858     /**

** CID 436072:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 436072:  Insecure data handling  (TAINTED_SCALAR)
/tools/proftool.c: 515 in read_trace()
509                     switch (hdr.type) {
510                     case TRACE_CHUNK_FUNCS:
511                             /* Ignored at present */
512                             break;
513
514                     case TRACE_CHUNK_CALLS:
>>>     CID 436072:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "hdr.rec_count" to "read_calls", which
uses it as an allocation size.
515                             if (read_calls(fin, hdr.rec_count))
516                                     return 1;
517                             break;
518                     }
519             }
520             return 0;


-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2022-11-21 19:43 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2022-11-21 19:43 UTC (permalink / raw)
  To: u-boot; +Cc: Simon Glass


Here's the latest report

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 21, 2022 at 12:44 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)


** CID 376996:  Error handling issues  (CHECKED_RETURN)
/drivers/net/sandbox-raw-bus.c: 40 in eth_raw_bus_post_bind()


________________________________________________________________________________________________________
*** CID 376996:  Error handling issues  (CHECKED_RETURN)
/drivers/net/sandbox-raw-bus.c: 40 in eth_raw_bus_post_bind()
34              if (skip_localhost && local)
35                      continue;
36
37              ub_ifname = calloc(IFNAMSIZ + sizeof(ub_ifname_pfx), 1);
38              strcpy(ub_ifname, ub_ifname_pfx);
39              strncat(ub_ifname, i->if_name, IFNAMSIZ);
>>>     CID 376996:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "device_bind_driver" without checking return value (as is done elsewhere 12 out of 15 times).
40              device_bind_driver(dev, "eth_sandbox_raw", ub_ifname, &child);
41
42              device_set_name_alloced(child);
43              device_probe(child);
44              priv = dev_get_priv(child);
45              if (priv) {

** CID 376995:  Null pointer dereferences  (FORWARD_NULL)
/test/test-main.c: 518 in ut_run_tests()


________________________________________________________________________________________________________
*** CID 376995:  Null pointer dereferences  (FORWARD_NULL)
/test/test-main.c: 518 in ut_run_tests()
512                     pos = dectoul(test_insert, NULL);
513                     p = strchr(test_insert, ':');
514                     if (p)
515                             p++;
516
517                     for (test = tests; test < tests + count; test++) {
>>>     CID 376995:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "p" to "strcmp", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
518                             if (!strcmp(p, test->name))
519                                     one = test;
520                     }
521             }
522
523             for (upto = 0, test = tests; test < tests + count; test++, upto++) {

-- 
Tom

* Fwd: New Defects reported by Coverity Scan for Das U-Boot
@ 2022-11-09 15:40 Tom Rini
  0 siblings, 0 replies; 105+ messages in thread
From: Tom Rini @ 2022-11-09 15:40 UTC (permalink / raw)
  To: u-boot; +Cc: Simon Glass, Heinrich Schuchardt


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin@coverity.com>
Date: Mon, Nov 7, 2022 at 3:41 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini@gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

21 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 21 defect(s)


** CID 376213:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in efi_install_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376213:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in efi_install_multiple_protocol_interfaces_int()
2636            int i = 0;
2637            efi_va_list argptr_copy;
2638
2639            if (!handle)
2640                    return EFI_INVALID_PARAMETER;
2641
>>>     CID 376213:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2642            efi_va_copy(argptr_copy, argptr);
2643            for (;;) {
2644                    protocol = efi_va_arg(argptr, efi_guid_t*);
2645                    if (!protocol)
2646                            break;
2647                    protocol_interface = efi_va_arg(argptr, void*);

** CID 376212:  Error handling issues  (CHECKED_RETURN)


________________________________________________________________________________________________________
*** CID 376212:  Error handling issues  (CHECKED_RETURN)
/drivers/usb/emul/sandbox_flash.c: 197 in handle_ufi_command()
191
192             ret = sb_scsi_emul_command(info, req, len);
193             if (!ret) {
194                     setup_response(priv);
195             } else if ((ret == SCSI_EMUL_DO_READ || ret == SCSI_EMUL_DO_WRITE) &&
196                        priv->fd != -1) {
>>>     CID 376212:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
197                     os_lseek(priv->fd, info->seek_block * info->block_size,
198                              OS_SEEK_SET);
199                     setup_response(priv);
200             } else {
201                     setup_fail_response(priv);
202             }

** CID 376211:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 376211:    (TAINTED_SCALAR)
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "initrd_dp->length" to "fill_file_info", which uses it as an offset.
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
1479                    if (size > 0)
1480                            memcpy(bo->optional_data, lo.optional_data, size);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
1540            efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1534 in eficonfig_edit_boot_option()
1528
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->optional_data" to "dlfree", which uses it as an offset.
1534            free(bo->optional_data);
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
/cmd/eficonfig.c: 1534 in eficonfig_edit_boot_option()
1528
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->optional_data" to "dlfree", which uses it as an offset.
1534            free(bo->optional_data);
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
1540            efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
1540            efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path" to "efi_dp_from_lo", which uses it as a loop boundary.
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "initrd_dp->str" to "fill_file_info", which uses it as an offset.
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
1479                    if (size > 0)
1480                            memcpy(bo->optional_data, lo.optional_data, size);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path_length" to "efi_dp_from_lo", which uses it as a loop boundary.
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464                            lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466                    u16_strcpy(bo->description, lo.label);
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path->str" to "fill_file_info", which uses it as an offset.
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464                            lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466                    u16_strcpy(bo->description, lo.label);
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path->length" to "fill_file_info", which uses it as an offset.
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path_length" to "efi_dp_from_lo", which uses it as a loop boundary.
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478

** CID 376210:    (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()


________________________________________________________________________________________________________
*** CID 376210:    (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
29              struct scsi_inquiry_resp *resp = (void *)info->buff;
30
31              info->alloc_len = req->cmd[4];
32              memset(resp, '\0', sizeof(*resp));
33              resp->data_format = 1;
34              resp->additional_len = 0x1f;
>>>     CID 376210:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 8 bytes on destination array "resp->vendor" of size 8 bytes might leave the destination string unterminated.
35              strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
36              strncpy(resp->product, info->product, sizeof(resp->product));
37              strncpy(resp->revision, "1.0", sizeof(resp->revision));
38              info->buff_used = sizeof(*resp);
39              break;
40      }
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()
30
31              info->alloc_len = req->cmd[4];
32              memset(resp, '\0', sizeof(*resp));
33              resp->data_format = 1;
34              resp->additional_len = 0x1f;
35              strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
>>>     CID 376210:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "resp->product" of size 16 bytes might leave the destination string unterminated.
36              strncpy(resp->product, info->product, sizeof(resp->product));
37              strncpy(resp->revision, "1.0", sizeof(resp->revision));
38              info->buff_used = sizeof(*resp);
39              break;
40      }
41      case SCSI_TST_U_RDY:

** CID 376209:  Null pointer dereferences  (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()


________________________________________________________________________________________________________
*** CID 376209:  Null pointer dereferences  (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()
1243                    }
1244            }
1245
1246            /* We ran out of siblings. Try the next bus */
1247            uclass_next_device(&bus);
1248
>>>     CID 376209:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1249            return bus ? skip_to_next_device(bus, devp) : 0;
1250     }
1251
1252     int pci_find_first_device(struct udevice **devp)
1253     {
1254            struct udevice *bus;

** CID 376208:  Null pointer dereferences  (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()


________________________________________________________________________________________________________
*** CID 376208:  Null pointer dereferences  (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()
25              struct udevice *bus, *child;
26
27              uclass_first_device(UCLASS_VIRTIO, &bus);
28              if (!bus)
29                      return CMD_RET_FAILURE;
30
>>>     CID 376208:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
31              while (bus) {
32                      device_foreach_child_probe(child, bus)
33                              ;
34                      uclass_next_device(&bus);
35              }
36

** CID 376207:  Uninitialized variables  (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()


________________________________________________________________________________________________________
*** CID 376207:  Uninitialized variables  (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()
2319                    }
2320     next:
2321                    free(load_option);
2322            }
2323
2324     out:
>>>     CID 376207:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
2325            return ret;
2326     }
2327
2328     /**
2329      * eficonfig_generate_media_device_boot_option() - generate the media device boot option
2330      *

** CID 376206:    (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
/cmd/eficonfig.c: 134 in eficonfig_print_msg()


________________________________________________________________________________________________________
*** CID 376206:    (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
121      * Return:      status code
122      */
123     void eficonfig_print_msg(char *msg)
124     {
125             /* Flush input */
126             while (tstc())
>>>     CID 376206:    (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
127                     getchar();
128
129             printf(ANSI_CURSOR_HIDE
130                    ANSI_CLEAR_CONSOLE
131                    ANSI_CURSOR_POSITION
132                    "%s\n\n  Press any key to continue", 3, 4, msg);
/cmd/eficonfig.c: 134 in eficonfig_print_msg()
128
129             printf(ANSI_CURSOR_HIDE
130                    ANSI_CLEAR_CONSOLE
131                    ANSI_CURSOR_POSITION
132                    "%s\n\n  Press any key to continue", 3, 4, msg);
133
>>>     CID 376206:    (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
134             getchar();
135     }
136
137     /**
138      * eficonfig_print_entry() - print each menu entry
139      *

** CID 376205:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 376205:    (TAINTED_SCALAR)
/test/test-main.c: 582 in ut_run_list()
576                     printf("Running %d %s tests\n", count, category);
577
578             uts.of_root = gd_of_root();
579             uts.runs_per_test = runs_per_test;
580             if (fdt_action() == FDTCHK_COPY && gd->fdt_blob) {
581                     uts.fdt_size = fdt_totalsize(gd->fdt_blob);
>>>     CID 376205:    (TAINTED_SCALAR)
>>>     Passing tainted expression "uts.fdt_size" to "os_malloc", which uses it as an offset.
582                     uts.fdt_copy = os_malloc(uts.fdt_size);
583                     if (!uts.fdt_copy) {
584                             printf("Out of memory for device tree copy\n");
585                             return -ENOMEM;
586                     }
587                     memcpy(uts.fdt_copy, gd->fdt_blob, uts.fdt_size);
/test/test-main.c: 596 in ut_run_list()
590             ret = ut_run_tests(&uts, prefix, tests, count, select_name);
591
592             /* Best efforts only...ignore errors */
593             if (has_dm_tests)
594                     dm_test_restore(uts.of_root);
595             if (IS_ENABLED(CONFIG_SANDBOX)) {
>>>     CID 376205:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*uts.fdt_copy" to "os_free", which uses it as an offset.
596                     os_free(uts.fdt_copy);
597                     os_free(uts.other_fdt);
598             }
599
600             if (uts.skip_count)
601                     printf("Skipped: %d, ", uts.skip_count);

** CID 376204:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in efi_uninstall_multiple_protocol_interfaces_ext()


________________________________________________________________________________________________________
*** CID 376204:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in efi_uninstall_multiple_protocol_interfaces_ext()
2848     efi_uninstall_multiple_protocol_interfaces_ext(efi_handle_t handle, ...)
2849     {
2850            EFI_ENTRY("%p", handle);
2851            efi_status_t ret;
2852            efi_va_list argptr;
2853
>>>     CID 376204:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2854            efi_va_start(argptr, handle);
2855            ret = efi_uninstall_multiple_protocol_interfaces_int(handle, argptr);
2856            efi_va_end(argptr);
2857            return EFI_EXIT(ret);
2858     }
2859

** CID 376203:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376203:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in efi_uninstall_multiple_protocol_interfaces_int()
2758            size_t i = 0;
2759            efi_va_list argptr_copy;
2760
2761            if (!handle)
2762                    return EFI_INVALID_PARAMETER;
2763
>>>     CID 376203:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2764            efi_va_copy(argptr_copy, argptr);
2765            for (;;) {
2766                    protocol = efi_va_arg(argptr, efi_guid_t*);
2767                    if (!protocol)
2768                            break;
2769                    protocol_interface = efi_va_arg(argptr, void*);

** CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()


________________________________________________________________________________________________________
*** CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()
1524                            goto out;
1525                    p = tmp;
1526                    utf16_utf8_strncpy(&p, bo->optional_data, u16_strlen(bo->optional_data));
1527            }
1528
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
>>>     CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
>>>     The same code is executed when the condition "ret != 0UL" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed?
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
1535            free(bo->description);

** CID 376201:  Error handling issues  (CHECKED_RETURN)


________________________________________________________________________________________________________
*** CID 376201:  Error handling issues  (CHECKED_RETURN)
/drivers/scsi/sandbox_scsi.c: 54 in sandbox_scsi_exec()
48                        ret);
49              return ret;
50      } else if (ret == SCSI_EMUL_DO_READ && priv->fd != -1) {
51              long bytes_read;
52
53              log_debug("read %x %x\n", info->seek_block, info->read_len);
>>>     CID 376201:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
54              os_lseek(priv->fd, info->seek_block * info->block_size,
55                       OS_SEEK_SET);
56              bytes_read = os_read(priv->fd, req->pdata, info->buff_used);
57              if (bytes_read < 0)
58                      return bytes_read;
59              if (bytes_read != info->buff_used)

** CID 376200:  API usage errors  (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376200:  API usage errors  (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in efi_uninstall_multiple_protocol_interfaces_int()
2781                    }
2782                    goto out;
2783            }
2784
2785            /* If an error occurred undo all changes. */
2786            for (; i; --i) {
>>>     CID 376200:  API usage errors  (VARARGS)
>>>     Calling va_arg on va_list "argptr_copy", which has not been prepared with va_start().
2787                    protocol = efi_va_arg(argptr_copy, efi_guid_t*);
2788                    protocol_interface = efi_va_arg(argptr_copy, void*);
2789                    EFI_CALL(efi_install_protocol_interface(&handle, protocol,
2790                                                            EFI_NATIVE_INTERFACE,
2791                                                            protocol_interface));
2792            }

** CID 376199:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in efi_install_multiple_protocol_interfaces_ext()


________________________________________________________________________________________________________
*** CID 376199:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in efi_install_multiple_protocol_interfaces_ext()
2727     efi_install_multiple_protocol_interfaces_ext(efi_handle_t *handle, ...)
2728     {
2729            EFI_ENTRY("%p", handle);
2730            efi_status_t ret;
2731            efi_va_list argptr;
2732
>>>     CID 376199:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2733            efi_va_start(argptr, handle);
2734            ret = efi_install_multiple_protocol_interfaces_int(handle, argptr);
2735            efi_va_end(argptr);
2736            return EFI_EXIT(ret);
2737     }
2738

** CID 376198:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()


________________________________________________________________________________________________________
*** CID 376198:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()
1911
1912            count = fit_conf_get_prop_node_count(fit, noffset, prop_name);
1913            if (count < 0)
1914                    return count;
1915
1916            /* check each image in the list */
>>>     CID 376198:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1917            for (i = 0; i < count; i++) {
1918                    enum image_phase_t phase;
1919                    int ret, node;
1920
1921                    node = fit_conf_get_prop_node_index(fit, noffset, prop_name, i);
1922                    ret = fit_image_get_phase(fit, node, &phase);

** CID 376197:  Incorrect expression  (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()


________________________________________________________________________________________________________
*** CID 376197:  Incorrect expression  (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()
236                     scale = (end - buf) / 100;
237             cmp_buf = memalign(ARCH_DMA_MINALIGN, flash->sector_size);
238             if (cmp_buf) {
239                     ulong last_update = get_timer(0);
240
241                     for (; buf < end && !err_oper; buf += todo, offset += todo) {
>>>     CID 376197:  Incorrect expression  (UNUSED_VALUE)
>>>     Assigning value from "({...; (__min1 < __min2) ? __min1 : __min2;})" to "todo" here, but that stored value is overwritten before it can be used.
242                             todo = min_t(size_t, end - buf, flash->sector_size);
243                             todo = min_t(size_t, end - buf,
244                                          flash->sector_size - (offset % flash->sector_size));
245                             if (get_timer(last_update) > 100) {
246                                     printf("   \rUpdating, %zu%% %lu B/s",
247                                            100 - (end - buf) / scale,

** CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)
/boot/bootdev-uclass.c: 202 in bootdev_list()
196             printf("---  ------  ------  --------  ------------------\n");
197             if (probe)
198                     ret = uclass_first_device_check(UCLASS_BOOTDEV, &dev);
199             else
200                     ret = uclass_find_first_device(UCLASS_BOOTDEV, &dev);
201             for (i = 0; dev; i++) {
>>>     CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     "ret" is passed to a parameter that cannot be negative.
202                     printf("%3x   [ %c ]  %6s  %-9.9s %s\n", dev_seq(dev),
203                            device_active(dev) ? '+' : ' ',
204                            ret ? simple_itoa(ret) : "OK",
205                            dev_get_uclass_name(dev_get_parent(dev)), dev->name);
206                     if (probe)
207                             ret = uclass_next_device_check(&dev);

** CID 376195:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376195:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in efi_uninstall_multiple_protocol_interfaces_int()
2770                    ret = efi_uninstall_protocol(handle, protocol,
2771                                                 protocol_interface);
2772                    if (ret != EFI_SUCCESS)
2773                            break;
2774                    i++;
2775            }
>>>     CID 376195:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
2776            if (ret == EFI_SUCCESS) {
2777                    /* If the last protocol has been removed, delete the handle. */
2778                    if (list_empty(&handle->protocols)) {
2779                            list_del(&handle->link);
2780                            free(handle);
2781                    }

** CID 376194:  Null pointer dereferences  (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()


________________________________________________________________________________________________________
*** CID 376194:  Null pointer dereferences  (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()
620             return -ENODEV;
621     }
622
623     int blk_next_device_err(enum blk_flag_t flags, struct udevice **devp)
624     {
625             for (uclass_next_device(devp);
>>>     CID 376194:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "*devp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
626                  *devp;
627                  uclass_next_device(devp)) {
628                     if (!blk_flags_check(*devp, flags))
629                             return 0;
630             }
631


________________________________________________________________________________________________________

----- End forwarded message -----

-- 
Tom
