[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]

Tom Rini trini at konsulko.com
Mon Apr 19 14:20:46 CEST 2021


Hey all,

Here's the latest report.

----- Forwarded message from scan-admin at coverity.com -----

Date: Mon, 19 Apr 2021 01:18:55 +0000 (UTC)
From: scan-admin at coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.

13 new defect(s) introduced to Das U-Boot found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)


** CID 331158:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()


________________________________________________________________________________________________________
*** CID 331158:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
341     		return PTR_ERR(func);
342     
343     	func->name = fname;
344     	func->npins = 0;
345     	for (n = 0; n < count; n++, pins++) {
346     		offset = fdt32_to_cpu(pins->reg);
>>>     CID 331158:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
347     		if (offset < 0 || offset > pdata->offset) {
348     			dev_dbg(dev, "  invalid register offset 0x%x\n",
349     				offset);
350     			continue;
351     		}
352     

** CID 331157:  Null pointer dereferences  (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()


________________________________________________________________________________________________________
*** CID 331157:  Null pointer dereferences  (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
223     
224     	/* Now read the data */
225     	for (upto = 0; upto < ec->matrix_count; upto++) {
226     		struct ec_keymatrix_entry *matrix = &ec->matrix[upto];
227     		u32 word;
228     
>>>     CID 331157:  Null pointer dereferences  (NULL_RETURNS)
>>>     Incrementing a pointer which might be null: "cell".
229     		word = fdt32_to_cpu(*cell++);
230     		matrix->row = word >> 24;
231     		matrix->col = (word >> 16) & 0xff;
232     		matrix->keycode = word & 0xffff;
233     
234     		/* Hard-code some sanity limits for now */

** CID 331156:  Incorrect expression  (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()


________________________________________________________________________________________________________
*** CID 331156:  Incorrect expression  (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
34     	qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
35     		       le32_to_cpu(setup_size), data_addr);
36     	data_addr += le32_to_cpu(setup_size);
37     
38     	qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
39     		       le32_to_cpu(kernel_size), data_addr);
>>>     CID 331156:  Incorrect expression  (UNUSED_VALUE)
>>>     Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
40     	data_addr += le32_to_cpu(kernel_size);
41     
42     	data_addr = initrd_addr;
43     	qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
44     	if (initrd_size == 0) {
45     		printf("warning: no initrd available\n");

** CID 331155:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 331155:  Insecure data handling  (TAINTED_SCALAR)
/fs/cbfs/cbfs.c: 170 in file_cbfs_next_file()
164     			size -= align;
165     			start += align;
166     			continue;
167     		}
168     
169     		swap_file_header(&header, file_header);
>>>     CID 331155:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "header.offset" to a tainted sink.
170     		ret = fill_node(node, start, &header);
171     		if (ret) {
172     			priv->result = CBFS_BAD_FILE;
173     			return log_msg_ret("fill", ret);
174     		}
175     

** CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()


________________________________________________________________________________________________________
*** CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
467     		return -ENOMEM;
468     	#endif
469     
470     	priv->npins = size / (pdata->width / BITS_PER_BYTE);
471     	if (pdata->bits_per_mux) {
472     		priv->bits_per_pin = fls(pdata->mask);
>>>     CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
>>>     In expression "pdata->width / priv->bits_per_pin", division by expression "priv->bits_per_pin" which may be zero has undefined behavior.
473     		priv->npins *= (pdata->width / priv->bits_per_pin);
474     	}
475     
476     	dev_dbg(dev, "%d pins\n", priv->npins);
477     	return 0;
478     }

** CID 331153:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()


________________________________________________________________________________________________________
*** CID 331153:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
655     	size = 0;
656     	ret = efi_get_variable_int(L"BootOrder", &efi_global_variable_guid,
657     				   NULL, &size, NULL, NULL);
658     	if (ret == EFI_BUFFER_TOO_SMALL) {
659     		boot_order = malloc(size);
660     		if (!boot_order) {
>>>     CID 331153:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "9223372036854775817UL" to "ret" here, but that stored value is overwritten before it can be used.
661     			ret = EFI_OUT_OF_RESOURCES;
662     			goto out;
663     		}
664     
665     		ret = efi_get_variable_int(L"BootOrder",
666     					   &efi_global_variable_guid,

** CID 331152:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()


________________________________________________________________________________________________________
*** CID 331152:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()
174     		response = response_buffer;
175     		response_length = sizeof(response_buffer);
176     	}
177     
178     	size = tpm_command_size(command);
179     	log_debug("TPM request [size:%d]: ", size);
>>>     CID 331152:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "size" as a loop boundary.
180     	for (i = 0; i < size; i++)
181     		log_debug("%02x ", ((u8 *)command)[i]);
182     	log_debug("\n");
183     
184     	err = tpm_xfer(dev, command, size, response, &response_length);
185     

** CID 331151:  Resource leaks  (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()


________________________________________________________________________________________________________
*** CID 331151:  Resource leaks  (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
241     	if (!func)
242     		return ERR_PTR(-ENOMEM);
243     
244     	func->pins = devm_kmalloc(dev, sizeof(unsigned int) * group_pins,
245     				  GFP_KERNEL);
246     	if (!func->pins)
>>>     CID 331151:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "func" going out of scope leaks the storage it points to.
247     		return ERR_PTR(-ENOMEM);
248     
249     	return func;
250     }
251     
252     static int single_pin_compare(const void *s1, const void *s2)

** CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()


________________________________________________________________________________________________________
*** CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()
409     		err = device_bind_driver_to_node(dev, DSA_PORT_CHILD_DRV_NAME,
410     						 name, pnode, &pdev);
411     		if (pdev) {
412     			struct dsa_port_pdata *port_pdata;
413     
414     			port_pdata = dev_get_parent_plat(pdev);
>>>     CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
415     			strncpy(port_pdata->name, name, DSA_PORT_NAME_LENGTH);
416     			pdev->name = port_pdata->name;
417     		}
418     
419     		/* try to bind all ports but keep 1st error */
420     		if (err && !first_err)

** CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()


________________________________________________________________________________________________________
*** CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
218     
219     	port_pdata = dev_get_parent_plat(pdev);
220     	port_pdata->index = index;
221     
222     	label = ofnode_read_string(dev_ofnode(pdev), "label");
223     	if (label)
>>>     CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
224     		strncpy(port_pdata->name, label, DSA_PORT_NAME_LENGTH);
225     
226     	eth_pdata = dev_get_plat(pdev);
227     	eth_pdata->priv_pdata = port_pdata;
228     
229     	dev_dbg(pdev, "port %d node %s\n", port_pdata->index,

** CID 331148:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()


________________________________________________________________________________________________________
*** CID 331148:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
292     		return PTR_ERR(func);
293     
294     	func->name = fname;
295     	func->npins = 0;
296     	for (n = 0; n < count; n++, pins++) {
297     		offset = fdt32_to_cpu(pins->reg);
>>>     CID 331148:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
298     		if (offset < 0 || offset > pdata->offset) {
299     			dev_err(dev, "  invalid register offset 0x%x\n",
300     				offset);
301     			continue;
302     		}
303     

** CID 331147:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()


________________________________________________________________________________________________________
*** CID 331147:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
450     	efi_status_t ret;
451     
452     	EFI_ENTRY("%p, %zu, %llu\n", capsule_header_array, capsule_count,
453     		  scatter_gather_list);
454     
455     	if (!capsule_count) {
>>>     CID 331147:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "9223372036854775810UL" to "ret" here, but that stored value is overwritten before it can be used.
456     		ret = EFI_INVALID_PARAMETER;
457     		goto out;
458     	}
459     
460     	ret = EFI_SUCCESS;
461     	for (i = 0, capsule = *capsule_header_array; i < capsule_count;

** CID 165109:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 165109:  Insecure data handling  (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 81 in state_read_file()
75     	os_close(fd);
76     
77     	return 0;
78     err_read:
79     	os_close(fd);
80     err_open:
>>>     CID 165109:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "state->state_fdt" to a tainted sink.
81     	os_free(state->state_fdt);
82     	state->state_fdt = NULL;
83     
84     	return ret;
85     }
86     




----- End forwarded message -----

-- 
Tom