Fwd: New Defects reported by Coverity Scan for Das U-Boot
Heinrich Schuchardt
xypron.glpk at gmx.de
Sat Apr 24 06:52:33 CEST 2021
On 4/23/21 6:38 PM, scan-admin at coverity.com wrote:
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 3 of 3 defect(s)
>
>
> ** CID 331185: Insecure data handling (TAINTED_SCALAR)
> /lib/lz4.c: 143 in LZ4_decompress_generic()
>
>
> ________________________________________________________________________________________________________
> *** CID 331185: Insecure data handling (TAINTED_SCALAR)
> /lib/lz4.c: 143 in LZ4_decompress_generic()
> 137 }
> 138 else
> 139 {
> 140 if ((!endOnInput) && (cpy != oend)) goto _output_error; /* Error : block decoding must stop exactly there */
> 141 if ((endOnInput) && ((ip+length != iend) || (cpy > oend))) goto _output_error; /* Error : input must be consumed */
> 142 }
>>>> CID 331185: Insecure data handling (TAINTED_SCALAR)
>>>> Passing tainted variable "length" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 143 memcpy(op, ip, length);
> 144 ip += length;
> 145 op += length;
> 146 break; /* Necessarily EOF, due to parsing restrictions */
> 147 }
> 148 LZ4_wildCopy(op, ip, cpy);
>
> ** CID 331184: Memory - corruptions (OVERRUN)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
>
>
> ________________________________________________________________________________________________________
> *** CID 331184: Memory - corruptions (OVERRUN)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
> 8
> 9 static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc,
> 10 char *const argv[])
> 11 {
Hello Tom,
please, mark this finding as intentional in Coverity.
> 12 char a[128];
> 13
>>>> CID 331184: Memory - corruptions (OVERRUN)
>>>> Overrunning array "a" of 128 bytes by passing it to a function which accesses it at byte offset 511 using argument "512UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 14 memset(a, 0xa5, 512);
> 15 return 0;
> 16 }
> 17
> 18 U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
>
> ** CID 331183: Memory - corruptions (BUFFER_SIZE)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
>
>
> ________________________________________________________________________________________________________
> *** CID 331183: Memory - corruptions (BUFFER_SIZE)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
same here
Best regards
Heinrich
> 8
> 9 static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc,
> 10 char *const argv[])
> 11 {
> 12 char a[128];
> 13
>>>> CID 331183: Memory - corruptions (BUFFER_SIZE)
>>>> You might overrun the 128 byte destination string "a" by writing the maximum 512 bytes from "165".
> 14 memset(a, 0xa5, 512);
> 15 return 0;
> 16 }
> 17
> 18 U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DVLO3_N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2X9PIw0aqIVMZlR6cmf9w8prU0ddkFkhQg-2B6p8UvlY-2FM51TBl-2FigNKw0KCrquAEkBb2jC3ZnWBwbVEZhLkDdq-2FMFkIpcluF4NvkPbaQ8l7PMYWmxLPqhtFLo01zbJ6O05zRrW9MzeWZiF82fugYqxJUGlLrQGmeTLuFDr2CDzEGJg-3D-3D
>
> To manage Coverity Scan email notifications for "xypron.glpk at gmx.de", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXx4Y-2F1WK-2FIlbEOzfoxXLI-2FdwA0wwGn90rGGrBgiHW-2ByLDLbUOEV7XOvtc9zJmj9LPyrT06WSaMnNrm6wfrUN-2BXuWoaHdqOoEyL7CQlGSiE-2BfE-3DtDQo_N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2X9PIw0aqIVMZlR6cmf9w8pA8-2FW82eD6YTWlxlNXjrDSc-2B-2BfgU0QJMdYPvNOg-2Brk8a8VMShB-2FvhmE5GTrUF2ImOx4sRousy5Sh2qX6apgHec8wEC6ZWvhuro1Ua3CVllqnKzeW-2FmUepM3XfZqtYssGH0ujkCtgvKvxZfYpXxJdKdg-3D-3D
>
More information about the U-Boot
mailing list