From: Sean Edmond <seanedmond@linux.microsoft.com>
To: Tom Rini <trini@konsulko.com>, u-boot@lists.denx.de
Cc: Sean Edmond <seanedmond@microsoft.com>
Subject: Re: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Date: Thu, 18 May 2023 14:04:37 -0700 [thread overview]
Message-ID: <8ed48347-1e66-0f4f-3c7c-28e7b56bd3e4@linux.microsoft.com> (raw)
In-Reply-To: <20230508202020.GI2398826@bill-the-cat>
On 2023-05-08 1:20 p.m., Tom Rini wrote:
> Here's the latest defect report:
>
> ---------- Forwarded message ---------
> From: <scan-admin@coverity.com>
> Date: Mon, May 8, 2023, 2:29 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 5 of 5 defect(s)
>
>
> ** CID 453851: Memory - corruptions (OVERLAPPING_COPY)
> /cmd/net.c: 279 in netboot_update_env()
>
>
> ________________________________________________________________________________________________________
> *** CID 453851: Memory - corruptions (OVERLAPPING_COPY)
> /cmd/net.c: 279 in netboot_update_env()
> 273
> 274 if (IS_ENABLED(CONFIG_IPV6)) {
> 275 if (!ip6_is_unspecified_addr(&net_ip6) ||
> 276 net_prefix_length != 0) {
> 277 sprintf(tmp, "%pI6c", &net_ip6);
> 278 if (net_prefix_length != 0)
>>>> CID 453851: Memory - corruptions (OVERLAPPING_COPY)
>>>> In the call to function "sprintf", the arguments "tmp" and "tmp"
Just submitted a patch to fix 453851.
> may point to the same object.
> 279 sprintf(tmp, "%s/%d", tmp,
> net_prefix_length);
> 280
> 281 env_set("ip6addr", tmp);
> 282 }
> 283
> 284 if (!ip6_is_unspecified_addr(&net_server_ip6)) {
>
> ** CID 450971: Insecure data handling (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
>
>
> ________________________________________________________________________________________________________
> *** CID 450971: Insecure data handling (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
> 385 /* Ignore the packet if router lifetime is 0. */
> 386 if (!icmp->icmp6_rt_lifetime)
> 387 return -EOPNOTSUPP;
> 388
> 389 /* Processing the options */
> 390 option = msg->opt;
>>>> CID 450971: Insecure data handling (TAINTED_SCALAR)
>>>> Using tainted variable "remaining_option_len" as a loop boundary.
> 391 while (remaining_option_len > 0) {
> 392 /* The 2nd byte of the option is its length. */
> 393 option_len = option[1];
> 394 /* All included options should have a positive
> length. */
> 395 if (option_len == 0)
> 396 return -EINVAL;
>
> ** CID 450969: Security best practices violations (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
>
>
> ________________________________________________________________________________________________________
> *** CID 450969: Security best practices violations (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
> 203 icmp_len, PROT_ICMPV6, pcsum);
> 204 msg->icmph.icmp6_cksum = csum;
> 205 pkt += icmp_len;
> 206
> 207 /* Wait up to 1 second if it is the first try to get the RA
> */
> 208 if (retry_count == 0)
>>>> CID 450969: Security best practices violations (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 209 udelay(((unsigned int)rand() % 1000000) *
> MAX_SOLICITATION_DELAY);
> 210
> 211 /* send it! */
> 212 net_send_packet(net_tx_packet, (pkt - net_tx_packet));
> 213
> 214 retry_count++;
>
> ** CID 436282: (DC.WEAK_CRYPTO)
> /net/dhcpv6.c: 621 in dhcp6_state_machine()
> /net/dhcpv6.c: 627 in dhcp6_state_machine()
> /net/dhcpv6.c: 628 in dhcp6_state_machine()
> /net/dhcpv6.c: 662 in dhcp6_state_machine()
> /net/dhcpv6.c: 613 in dhcp6_state_machine()
>
>
> ________________________________________________________________________________________________________
> *** CID 436282: (DC.WEAK_CRYPTO)
> /net/dhcpv6.c: 621 in dhcp6_state_machine()
> 615 /* handle state machine entry conditions */
> 616 if (sm_params.curr_state != sm_params.next_state) {
> 617 sm_params.retry_cnt = 0;
> 618
> 619 if (sm_params.next_state == DHCP6_SOLICIT) {
> 620 /* delay a random ammount (special for
> SOLICIT) */
>>>> CID 436282: (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 621 udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
> 622 /* init timestamp variables after SOLICIT
> delay */
> 623 sm_params.dhcp6_start_ms = get_timer(0);
> 624 sm_params.dhcp6_retry_start_ms =
> sm_params.dhcp6_start_ms;
> 625 sm_params.dhcp6_retry_ms =
> sm_params.dhcp6_start_ms;
> 626 /* init transaction and ia_id */
> /net/dhcpv6.c: 627 in dhcp6_state_machine()
> 621 udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
> 622 /* init timestamp variables after SOLICIT
> delay */
> 623 sm_params.dhcp6_start_ms = get_timer(0);
> 624 sm_params.dhcp6_retry_start_ms =
> sm_params.dhcp6_start_ms;
> 625 sm_params.dhcp6_retry_ms =
> sm_params.dhcp6_start_ms;
> 626 /* init transaction and ia_id */
>>>> CID 436282: (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 627 sm_params.trans_id = rand() & 0xFFFFFF;
> 628 sm_params.ia_id = rand();
> 629 /* initialize retransmission parameters */
> 630 sm_params.irt_ms = SOL_TIMEOUT_MS;
> 631 sm_params.mrt_ms = updated_sol_max_rt_ms;
> 632 /* RFCs default MRC is be 0 (try infinitely)
> /net/dhcpv6.c: 628 in dhcp6_state_machine()
> 622 /* init timestamp variables after SOLICIT
> delay */
> 623 sm_params.dhcp6_start_ms = get_timer(0);
> 624 sm_params.dhcp6_retry_start_ms =
> sm_params.dhcp6_start_ms;
> 625 sm_params.dhcp6_retry_ms =
> sm_params.dhcp6_start_ms;
> 626 /* init transaction and ia_id */
> 627 sm_params.trans_id = rand() & 0xFFFFFF;
>>>> CID 436282: (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 628 sm_params.ia_id = rand();
> 629 /* initialize retransmission parameters */
> 630 sm_params.irt_ms = SOL_TIMEOUT_MS;
> 631 sm_params.mrt_ms = updated_sol_max_rt_ms;
> 632 /* RFCs default MRC is be 0 (try infinitely)
> 633 * give up after CONFIG_NET_RETRY_COUNT
> number of tries (same as DHCPv4)
> /net/dhcpv6.c: 662 in dhcp6_state_machine()
> 656 (sm_params.mrd_ms != 0 &&
> 657 ((sm_params.dhcp6_retry_ms -
> sm_params.dhcp6_retry_start_ms) >= sm_params.mrd_ms))) {
> 658 sm_params.next_state = DHCP6_FAIL;
> 659 }
> 660
> 661 /* calculate retransmission timeout (RT) */
>>>> CID 436282: (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 662 rand_minus_plus_100 = ((rand() % 200) - 100);
> 663 if (sm_params.retry_cnt == 0) {
> 664 sm_params.rt_ms = sm_params.irt_ms +
> 665 ((sm_params.irt_ms *
> rand_minus_plus_100) / 1000);
> 666 } else {
> 667 sm_params.rt_ms = (2 * sm_params.rt_prev_ms) +
> /net/dhcpv6.c: 613 in dhcp6_state_machine()
> 607 * Proceed anyway to proceed DONE/FAIL actions
> 608 */
> 609 debug("Unexpected DHCP6 state : %d\n",
> sm_params.curr_state);
> 610 break;
> 611 }
> 612 /* re-seed the RNG */
>>>> CID 436282: (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
We can ignore 436282. For DHCP6, we seed using srand_mac() to ensure
that rand() will produce enough variation for each device on the
network. The numbers from rand() are used to introduce variation in the
delay between re-transmissions to avoid excessive server congestion if
all clients are started at the same time (such as a power loss). These
values are not used for crypto.
> because linear congruential algorithms are too easy to break.
> 613 srand(get_ticks() + rand());
> 614
> 615 /* handle state machine entry conditions */
> 616 if (sm_params.curr_state != sm_params.next_state) {
> 617 sm_params.retry_cnt = 0;
> 618
>
> ** CID 436278: (TAINTED_SCALAR)
> /net/dhcpv6.c: 321 in dhcp6_parse_options()
>
>
> ________________________________________________________________________________________________________
> *** CID 436278: (TAINTED_SCALAR)
> /net/dhcpv6.c: 376 in dhcp6_parse_options()
> 370 if (sm_params.curr_state ==
> DHCP6_SOLICIT)
> 371 sm_params.mrt_ms =
> updated_sol_max_rt_ms;
> 372 }
> 373 break;
> 374 case DHCP6_OPTION_OPT_BOOTFILE_URL:
> 375 debug("DHCP6_OPTION_OPT_BOOTFILE_URL
> FOUND\n");
>>>> CID 436278: (TAINTED_SCALAR)
>>>> Passing tainted expression "option_len + 1" to "copy_filename",
> which uses it as a loop boundary.
> 376 copy_filename(net_boot_file_name,
> option_ptr, option_len + 1);
> 377 debug("net_boot_file_name: %s\n",
> net_boot_file_name);
> 378
> 379 /* copy server_ip6 (required for PXE) */
> 380 s = strchr(net_boot_file_name, '[');
> 381 e = strchr(net_boot_file_name, ']');
> /net/dhcpv6.c: 321 in dhcp6_parse_options()
> 315 while (option_hdr < (struct dhcp6_option_hdr *)(rx_pkt +
> len)) {
> 316 option_ptr = ((uchar *)option_hdr) + sizeof(struct
> dhcp6_hdr);
> 317 option_len = ntohs(option_hdr->option_len);
> 318
> 319 switch (ntohs(option_hdr->option_id)) {
> 320 case DHCP6_OPTION_CLIENTID:
>>>> CID 436278: (TAINTED_SCALAR)
>>>> Passing tainted expression "option_len" to "memcmp", which uses it
Just submitted a patch to fix 436278.
> as an offset. [Note: The source code implementation of the function has
> been overridden by a builtin model.]
> 321 if (memcmp(option_ptr, sm_params.duid,
> option_len)
> 322 != 0) {
> 323 debug("CLIENT ID DOESN'T MATCH\n");
> 324 } else {
> 325 debug("CLIENT ID FOUND and
> MATCHES\n");
> 326 sm_params.rx_status.client_id_match
> = true;
>
>
next prev parent reply other threads:[~2023-05-18 21:04 UTC|newest]
Thread overview: 105+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 20:20 Fwd: New Defects reported by Coverity Scan for Das U-Boot Tom Rini
2023-05-15 21:59 ` Ehsan Mohandesi
2023-05-18 21:04 ` Sean Edmond [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-04-06 19:12 Tom Rini
2026-03-09 21:23 Tom Rini
2026-03-09 22:05 ` Raphaël Gallais-Pou
2026-03-09 22:13 ` Tom Rini
2026-02-23 19:51 Tom Rini
2026-02-13 22:09 Tom Rini
2026-02-18 23:02 ` Chris Morgan
2026-02-20 16:11 ` Tom Rini
2026-02-20 16:23 ` Chris Morgan
2026-01-16 19:43 Tom Rini
2026-02-09 11:05 ` Guillaume La Roque
2026-02-20 16:11 ` Tom Rini
2026-01-06 20:36 Tom Rini
2026-01-05 23:58 Tom Rini
2026-01-06 9:37 ` Mattijs Korpershoek
2026-01-06 17:15 ` Tom Rini
2026-01-06 10:03 ` Heiko Schocher
2025-12-08 19:38 Tom Rini
2025-11-23 19:03 Tom Rini
2025-11-10 18:55 Tom Rini
2025-10-11 18:06 Tom Rini
2025-10-12 14:22 ` Mikhail Kshevetskiy
2025-10-12 19:07 ` Tom Rini
2025-11-01 6:32 ` Mikhail Kshevetskiy
2025-11-03 15:17 ` Tom Rini
2025-11-03 15:24 ` Michael Nazzareno Trimarchi
2025-08-06 18:35 Tom Rini
2025-08-07 9:17 ` Heiko Schocher
2025-08-08 3:37 ` Maniyam, Dinesh
2025-08-08 4:01 ` Heiko Schocher
2025-07-29 16:32 Tom Rini
2025-07-25 13:26 Tom Rini
2025-07-25 13:34 ` Michal Simek
2025-08-04 9:11 ` Alexander Dahl
2025-07-14 23:29 Tom Rini
2025-07-15 13:45 ` Rasmus Villemoes
2025-07-08 14:10 Tom Rini
2025-04-28 21:59 Tom Rini
2025-04-29 12:07 ` Jerome Forissier
2025-04-30 16:50 ` Marek Vasut
2025-04-30 17:01 ` Tom Rini
2025-04-30 18:23 ` Heinrich Schuchardt
2025-04-30 19:14 ` Tom Rini
2025-03-11 1:49 Tom Rini
2025-02-25 2:39 Tom Rini
2025-02-25 6:06 ` Heiko Schocher
2025-02-25 10:48 ` Quentin Schulz
2025-02-25 10:54 ` Heiko Schocher
2025-02-10 22:26 Tom Rini
2025-02-11 6:14 ` Heiko Schocher
2025-02-11 22:30 ` Tom Rini
2024-12-31 13:55 Tom Rini
2024-12-24 17:14 Tom Rini
2024-11-15 13:27 Tom Rini
2024-11-12 2:11 Tom Rini
2024-10-28 3:11 Tom Rini
2024-10-19 16:16 Tom Rini
2024-10-16 3:47 Tom Rini
2024-10-16 5:56 ` Tudor Ambarus
2024-10-07 17:15 Tom Rini
2024-07-23 14:18 Tom Rini
2024-07-24 9:21 ` Mattijs Korpershoek
2024-07-24 9:45 ` Heinrich Schuchardt
2024-07-24 9:56 ` Mattijs Korpershoek
2024-07-24 10:06 ` Heinrich Schuchardt
2024-07-24 22:40 ` Tom Rini
2024-07-25 8:04 ` Mattijs Korpershoek
2024-07-25 17:16 ` Tom Rini
2024-07-24 9:53 ` Mattijs Korpershoek
2024-04-22 21:48 Tom Rini
2024-01-29 23:55 Tom Rini
2024-01-30 8:14 ` Heinrich Schuchardt
[not found] <20240127154018.GC785631@bill-the-cat>
2024-01-27 20:56 ` Heinrich Schuchardt
2024-01-28 8:51 ` Heinrich Schuchardt
2024-01-22 23:52 Tom Rini
2024-01-22 23:30 Tom Rini
2024-01-23 8:15 ` Hugo Cornelis
[not found] <65a933ab652b3_da12cbd3e77f998728e5@prd-scan-dashboard-0.mail>
2024-01-19 8:47 ` Heinrich Schuchardt
2024-01-18 14:35 Tom Rini
2024-01-08 17:45 Tom Rini
2024-01-09 5:26 ` Sean Anderson
2024-01-09 22:18 ` Tom Rini
2023-08-21 21:09 Tom Rini
2023-08-24 9:27 ` Abdellatif El Khlifi
2023-08-28 16:09 ` Alvaro Fernando García
2023-08-28 16:11 ` Tom Rini
2023-10-20 11:57 ` Abdellatif El Khlifi
2023-10-25 14:57 ` Tom Rini
2023-10-25 15:12 ` Abdellatif El Khlifi
2023-10-25 15:15 ` Tom Rini
2023-10-31 14:21 ` Abdellatif El Khlifi
2023-02-14 14:26 Tom Rini
2022-11-21 19:43 Tom Rini
2022-11-09 15:40 Tom Rini
[not found] <62df3a0cb9fd2_30ed5f2acd4da7b9a431758@prd-scan-dashboard-0.mail>
2022-07-26 4:22 ` Heinrich Schuchardt
[not found] <611aaf735d268_21438d2b07184e399c79439@prd-scan-dashboard-0.mail>
2021-08-17 5:21 ` Heinrich Schuchardt
2021-08-17 15:17 ` Tom Rini
[not found] <6082f7faa423_5762a2b148d4af9a86820@prd-scan-dashboard-0.mail>
2021-04-24 4:52 ` Heinrich Schuchardt
[not found] <5ecd3c8249d1_d6f562acb748daf5820386@appnode-2.mail>
[not found] ` <CA+M6bX=AmT+SyM0Snt2POLy0-vpD__6CD4j6ifqMqh63yYJBLA@mail.gmail.com>
[not found] ` <8ea1ca2f-2826-58f2-4b6b-ed5cfe977467@gmx.de>
[not found] ` <20200526184027.GJ12717@bill-the-cat>
2020-05-26 20:02 ` Heinrich Schuchardt
2020-05-26 20:10 ` Tom Rini
2020-05-26 20:36 ` Heinrich Schuchardt
2020-05-26 20:48 ` Tom Rini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8ed48347-1e66-0f4f-3c7c-28e7b56bd3e4@linux.microsoft.com \
--to=seanedmond@linux.microsoft.com \
--cc=seanedmond@microsoft.com \
--cc=trini@konsulko.com \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox