[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]

Dario Binacchi dariobin at libero.it
Tue Apr 20 08:13:07 CEST 2021


Hi Tom,

> Il 19/04/2021 14:20 Tom Rini <trini at konsulko.com> ha scritto:
> 
>  
> Hey all,
> 
> Here's the latest report.
> 
> ----- Forwarded message from scan-admin at coverity.com -----
> 
> Date: Mon, 19 Apr 2021 01:18:55 +0000 (UTC)
> From: scan-admin at coverity.com
> To: tom.rini at gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> 
> Hi,
> 
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 
> 13 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
> 
> New defect(s) Reported-by: Coverity Scan
> Showing 13 of 13 defect(s)
> 
> 
> ** CID 331158:  Control flow issues  (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331158:  Control flow issues  (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
> 341     		return PTR_ERR(func);
> 342     
> 343     	func->name = fname;
> 344     	func->npins = 0;
> 345     	for (n = 0; n < count; n++, pins++) {
> 346     		offset = fdt32_to_cpu(pins->reg);
> >>>     CID 331158:  Control flow issues  (NO_EFFECT)
> >>>     This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
> 347     		if (offset < 0 || offset > pdata->offset) {
> 348     			dev_dbg(dev, "  invalid register offset 0x%x\n",
> 349     				offset);
> 350     			continue;
> 351     		}
> 352     
> 
> ** CID 331157:  Null pointer dereferences  (NULL_RETURNS)
> /drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331157:  Null pointer dereferences  (NULL_RETURNS)
> /drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
> 223     
> 224     	/* Now read the data */
> 225     	for (upto = 0; upto < ec->matrix_count; upto++) {
> 226     		struct ec_keymatrix_entry *matrix = &ec->matrix[upto];
> 227     		u32 word;
> 228     
> >>>     CID 331157:  Null pointer dereferences  (NULL_RETURNS)
> >>>     Incrementing a pointer which might be null: "cell".
> 229     		word = fdt32_to_cpu(*cell++);
> 230     		matrix->row = word >> 24;
> 231     		matrix->col = (word >> 16) & 0xff;
> 232     		matrix->keycode = word & 0xffff;
> 233     
> 234     		/* Hard-code some sanity limits for now */
> 
> ** CID 331156:  Incorrect expression  (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331156:  Incorrect expression  (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> 34     	qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
> 35     		       le32_to_cpu(setup_size), data_addr);
> 36     	data_addr += le32_to_cpu(setup_size);
> 37     
> 38     	qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
> 39     		       le32_to_cpu(kernel_size), data_addr);
> >>>     CID 331156:  Incorrect expression  (UNUSED_VALUE)
> >>>     Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
> 40     	data_addr += le32_to_cpu(kernel_size);
> 41     
> 42     	data_addr = initrd_addr;
> 43     	qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
> 44     	if (initrd_size == 0) {
> 45     		printf("warning: no initrd available\n");
> 
> ** CID 331155:  Insecure data handling  (TAINTED_SCALAR)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331155:  Insecure data handling  (TAINTED_SCALAR)
> /fs/cbfs/cbfs.c: 170 in file_cbfs_next_file()
> 164     			size -= align;
> 165     			start += align;
> 166     			continue;
> 167     		}
> 168     
> 169     		swap_file_header(&header, file_header);
> >>>     CID 331155:  Insecure data handling  (TAINTED_SCALAR)
> >>>     Passing tainted variable "header.offset" to a tainted sink.
> 170     		ret = fill_node(node, start, &header);
> 171     		if (ret) {
> 172     			priv->result = CBFS_BAD_FILE;
> 173     			return log_msg_ret("fill", ret);
> 174     		}
> 175     
> 
> ** CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
> /drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
> /drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
> 467     		return -ENOMEM;
> 468     	#endif
> 469     
> 470     	priv->npins = size / (pdata->width / BITS_PER_BYTE);
> 471     	if (pdata->bits_per_mux) {
> 472     		priv->bits_per_pin = fls(pdata->mask);
> >>>     CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
> >>>     In expression "pdata->width / priv->bits_per_pin", division by expression "priv->bits_per_pin" which may be zero has undefined behavior.
> 473     		priv->npins *= (pdata->width / priv->bits_per_pin);
> 474     	}
> 475     
> 476     	dev_dbg(dev, "%d pins\n", priv->npins);
> 477     	return 0;
> 478     }
> 
> ** CID 331153:  Code maintainability issues  (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331153:  Code maintainability issues  (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
> 655     	size = 0;
> 656     	ret = efi_get_variable_int(L"BootOrder", &efi_global_variable_guid,
> 657     				   NULL, &size, NULL, NULL);
> 658     	if (ret == EFI_BUFFER_TOO_SMALL) {
> 659     		boot_order = malloc(size);
> 660     		if (!boot_order) {
> >>>     CID 331153:  Code maintainability issues  (UNUSED_VALUE)
> >>>     Assigning value "9223372036854775817UL" to "ret" here, but that stored value is overwritten before it can be used.
> 661     			ret = EFI_OUT_OF_RESOURCES;
> 662     			goto out;
> 663     		}
> 664     
> 665     		ret = efi_get_variable_int(L"BootOrder",
> 666     					   &efi_global_variable_guid,
> 
> ** CID 331152:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm-common.c: 180 in tpm_sendrecv_command()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331152:  Insecure data handling  (TAINTED_SCALAR)
> /lib/tpm-common.c: 180 in tpm_sendrecv_command()
> 174     		response = response_buffer;
> 175     		response_length = sizeof(response_buffer);
> 176     	}
> 177     
> 178     	size = tpm_command_size(command);
> 179     	log_debug("TPM request [size:%d]: ", size);
> >>>     CID 331152:  Insecure data handling  (TAINTED_SCALAR)
> >>>     Using tainted variable "size" as a loop boundary.
> 180     	for (i = 0; i < size; i++)
> 181     		log_debug("%02x ", ((u8 *)command)[i]);
> 182     	log_debug("\n");
> 183     
> 184     	err = tpm_xfer(dev, command, size, response, &response_length);
> 185     
> 
> ** CID 331151:  Resource leaks  (RESOURCE_LEAK)
> /drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331151:  Resource leaks  (RESOURCE_LEAK)
> /drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
> 241     	if (!func)
> 242     		return ERR_PTR(-ENOMEM);
> 243     
> 244     	func->pins = devm_kmalloc(dev, sizeof(unsigned int) * group_pins,
> 245     				  GFP_KERNEL);
> 246     	if (!func->pins)
> >>>     CID 331151:  Resource leaks  (RESOURCE_LEAK)
> >>>     Variable "func" going out of scope leaks the storage it points to.
> 247     		return ERR_PTR(-ENOMEM);

Is this really a memory leak? I used devm_kmalloc() to not have to  manually free 
the allocated memory but delegating it to the device.

Thanks and regards,
Dario

> 248     
> 249     	return func;
> 250     }
> 251     
> 252     static int single_pin_compare(const void *s1, const void *s2)
> 
> ** CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 415 in dsa_post_bind()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 415 in dsa_post_bind()
> 409     		err = device_bind_driver_to_node(dev, DSA_PORT_CHILD_DRV_NAME,
> 410     						 name, pnode, &pdev);
> 411     		if (pdev) {
> 412     			struct dsa_port_pdata *port_pdata;
> 413     
> 414     			port_pdata = dev_get_parent_plat(pdev);
> >>>     CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> >>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
> 415     			strncpy(port_pdata->name, name, DSA_PORT_NAME_LENGTH);
> 416     			pdev->name = port_pdata->name;
> 417     		}
> 418     
> 419     		/* try to bind all ports but keep 1st error */
> 420     		if (err && !first_err)
> 
> ** CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> /net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
> 218     
> 219     	port_pdata = dev_get_parent_plat(pdev);
> 220     	port_pdata->index = index;
> 221     
> 222     	label = ofnode_read_string(dev_ofnode(pdev), "label");
> 223     	if (label)
> >>>     CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> >>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
> 224     		strncpy(port_pdata->name, label, DSA_PORT_NAME_LENGTH);
> 225     
> 226     	eth_pdata = dev_get_plat(pdev);
> 227     	eth_pdata->priv_pdata = port_pdata;
> 228     
> 229     	dev_dbg(pdev, "port %d node %s\n", port_pdata->index,
> 
> ** CID 331148:  Control flow issues  (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331148:  Control flow issues  (NO_EFFECT)
> /drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
> 292     		return PTR_ERR(func);
> 293     
> 294     	func->name = fname;
> 295     	func->npins = 0;
> 296     	for (n = 0; n < count; n++, pins++) {
> 297     		offset = fdt32_to_cpu(pins->reg);
> >>>     CID 331148:  Control flow issues  (NO_EFFECT)
> >>>     This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
> 298     		if (offset < 0 || offset > pdata->offset) {
> 299     			dev_err(dev, "  invalid register offset 0x%x\n",
> 300     				offset);
> 301     			continue;
> 302     		}
> 303     
> 
> ** CID 331147:  Code maintainability issues  (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
> 
> 
> ________________________________________________________________________________________________________
> *** CID 331147:  Code maintainability issues  (UNUSED_VALUE)
> /lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
> 450     	efi_status_t ret;
> 451     
> 452     	EFI_ENTRY("%p, %zu, %llu\n", capsule_header_array, capsule_count,
> 453     		  scatter_gather_list);
> 454     
> 455     	if (!capsule_count) {
> >>>     CID 331147:  Code maintainability issues  (UNUSED_VALUE)
> >>>     Assigning value "9223372036854775810UL" to "ret" here, but that stored value is overwritten before it can be used.
> 456     		ret = EFI_INVALID_PARAMETER;
> 457     		goto out;
> 458     	}
> 459     
> 460     	ret = EFI_SUCCESS;
> 461     	for (i = 0, capsule = *capsule_header_array; i < capsule_count;
> 
> ** CID 165109:  Insecure data handling  (TAINTED_SCALAR)
> 
> 
> ________________________________________________________________________________________________________
> *** CID 165109:  Insecure data handling  (TAINTED_SCALAR)
> /arch/sandbox/cpu/state.c: 81 in state_read_file()
> 75     	os_close(fd);
> 76     
> 77     	return 0;
> 78     err_read:
> 79     	os_close(fd);
> 80     err_open:
> >>>     CID 165109:  Insecure data handling  (TAINTED_SCALAR)
> >>>     Passing tainted variable "state->state_fdt" to a tainted sink.
> 81     	os_free(state->state_fdt);
> 82     	state->state_fdt = NULL;
> 83     
> 84     	return ret;
> 85     }
> 86     
> 
> 
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DZZ5O_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtGHJmPef5TSDjCzuFmDLHCcVLNpHIs0AqBsXJPs2SOVhTXup007yHbqhSGIK1hyqPpz1vYe-2BN9550EDGrhLxMxHlBpTdungq17k4ECpA3No35lrqehPZZCZ5BAHvEzJczmieHTM7FI63-2BfXLhs4wtMUoPRU5sgDVix9YwcWKeyJg-3D-3D
> 
>   To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3D7Yww_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtGHJmPef5TSDjCzuFmDLHCW8SwWH4xnbrtsvKIl7wSRW1TJ0hCM5LxXTBnJTFVzTPqGPjtEf73gX6pVG3GrWXNEgT0Oc3HyLVVXgFxESdYpPKxcdJpqRbkjikARwdrSNj3JcSFiRd69dOJds-2BH2aqoLVHmnb03BoAwP5b1o0enAw-3D-3D
> 
> 
> ----- End forwarded message -----
> 
> -- 
> Tom


More information about the U-Boot mailing list