From: Rasmus Villemoes <ravi@prevas.dk>
To: Tom Rini <trini@konsulko.com>
Cc: u-boot@lists.denx.de, Andrew Goodbody <andrew.goodbody@linaro.org>
Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Tue, 15 Jul 2025 15:45:29 +0200 [thread overview]
Message-ID: <87tt3dva86.fsf@prevas.dk> (raw)
In-Reply-To: <20250714232902.GB193579@bill-the-cat> (Tom Rini's message of "Mon, 14 Jul 2025 17:29:02 -0600")
On Mon, Jul 14 2025, Tom Rini <trini@konsulko.com> wrote:
> Here's the latest report from Coverity. Good news is closing 5 existing
> issues (overlap with smatch I think) but 3 new ones. Or maybe it's
> related to Rasmus' cleanup series? I can only run one report a day I
> think so I don't have granular breakdown on which changes today brought
> these up.
>
> From: <scan-admin@coverity.com>
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
> Date: Mon, Jul 14, 2025 at 5:23 PM (1 day, 9 hours, 56 minutes ago)
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 3
> - 5 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 3 of 3 defect(s)
>
> Defect Details
>
> ** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
>
>
> _____________________________________________________________________________________________
> *** CID 573150: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1531 in dm_pci_map_ea_virt()
> 1525 if (ea_entry & PCI_EA_IS_64) {
> 1526 /* MaxOffset 2nd DW */
> 1527 dm_pci_read_config32(dev, ea_off + 16, &ea_entry);
> 1528 sz |= ((u64)ea_entry) << 32;
> 1529 }
> 1530
>>>> CID 573150: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "sz + 1UL", where "sz" is known to be equal to 18446744073709551615, overflows the type of "sz + 1UL", which is type "unsigned long".
> 1531 addr = (pdata->virtid - 1) * (sz + 1);
> 1532 }
> 1533
I don't see how this one could be due to the int limit patches, as I see
no reference to any _MIN/_MAX macro, also not indirectly via the
definition of PCI_EA_FIELD_MASK.
I also have no idea how Coverity can think that sz can be known to be
equal to ~0ULL. Sure, if it phrased it "if sz is equal to ..., then sz+1
overflows", but that's not what it says. Nor would that be very useful,
as just about _any_ arithmetic expression can overflow for _some_ values
of the referenced variables.
Honestly, this sounds like it has been AI-infected.
> 1534 return addr;
> 1535 }
> 1536
>
> ** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
>
>
> _____________________________________________________________________________________________
> *** CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
> /lib/efi_loader/efi_file.c: 594 in efi_file_read_int()
> 588
> 589 bs = *buffer_size;
> 590 if (fh->isdir)
> 591 ret = dir_read(fh, &bs, buffer);
> 592 else
> 593 ret = file_read(fh, &bs, buffer);
>>>> CID 573149: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>>> "bs <= 18446744073709551615ULL /* 9223372036854775807LL * 2ULL + 1ULL */" is always true regardless of the values of its operands. This occurs as the logical operand of "if".
> 594 if (bs <= SIZE_MAX)
> 595 *buffer_size = bs;
> 596 else
> 597 *buffer_size = SIZE_MAX;
> 598
> 599 return ret;
>
So this one might be triggered by the new definition of SIZE_MAX, though
SIZE_MAX was also a compile-time (though not cpp) constant previously. I
think we should define SIZE_MAX properly instead of via that UINTPTR_MAX
indirection, which itself could use some cleanup.
But aside from that, we should be able to silence Coverity by either
just changing the <= to < (because in the == case the other branch of
the if would have the same effect, but it's no longer a tautology). Or
we could maybe do *buffer_size = min_t(u64, bs, SIZE_MAX), though that
might expand to something with the exact same problem.
> ** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
>
>
> _____________________________________________________________________________________________
> *** CID 573148: Integer handling issues (INTEGER_OVERFLOW)
> /drivers/pci/pci-uclass.c: 1581 in dm_pci_map_ea_bar()
> 1575 addr |= ((u64)ea_entry) << 32;
> 1576 }
> 1577
> 1578 if (IS_ENABLED(CONFIG_PCI_SRIOV))
> 1579 addr += dm_pci_map_ea_virt(dev, ea_off, pdata);
> 1580
>>>> CID 573148: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "4294967295U - addr", where "addr" is known to be equal to 4294967292, underflows the type of "4294967295U - addr", which is type "unsigned int".
> 1581 if (~((phys_addr_t)0) - addr < offset)
> 1582 return NULL;
> 1583
Wait, what? Just to be completely sure, I copy-pasted those two numbers:
4294967295
4294967292
I think my 8-year old can see that subtracting the second from the first
does not lead to a negative result.
So from my chair, that's another point added to the AI hypothesis.
Rasmus
next prev parent reply other threads:[~2025-07-15 13:45 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-14 23:29 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
2026-01-06 20:36 Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-03-11 1:49 Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
2023-05-08 20:20 Tom Rini
2023-05-15 21:59 ` Ehsan Mohandesi
2023-05-18 21:04 ` Sean Edmond
2023-02-14 14:26 Tom Rini
2022-11-21 19:43 Tom Rini
2022-11-09 15:40 Tom Rini
[not found] <62df3a0cb9fd2_30ed5f2acd4da7b9a431758@prd-scan-dashboard-0.mail>
2022-07-26 4:22 ` Heinrich Schuchardt
[not found] <611aaf735d268_21438d2b07184e399c79439@prd-scan-dashboard-0.mail>
2021-08-17 5:21 ` Heinrich Schuchardt
2021-08-17 15:17 ` Tom Rini
[not found] <6082f7faa423_5762a2b148d4af9a86820@prd-scan-dashboard-0.mail>
2021-04-24 4:52 ` Heinrich Schuchardt
[not found] <5ecd3c8249d1_d6f562acb748daf5820386@appnode-2.mail>
[not found] ` <CA+M6bX=AmT+SyM0Snt2POLy0-vpD__6CD4j6ifqMqh63yYJBLA@mail.gmail.com>
[not found] ` <8ea1ca2f-2826-58f2-4b6b-ed5cfe977467@gmx.de>
[not found] ` <20200526184027.GJ12717@bill-the-cat>
2020-05-26 20:02 ` Heinrich Schuchardt
2020-05-26 20:10 ` Tom Rini
2020-05-26 20:36 ` Heinrich Schuchardt
2020-05-26 20:48 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87tt3dva86.fsf@prevas.dk \
--to=ravi@prevas.dk \
--cc=andrew.goodbody@linaro.org \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox