Fwd: New Defects reported by Coverity Scan for Das U-Boot

Heinrich Schuchardt xypron.glpk at gmx.de
Sat Apr 24 06:52:33 CEST 2021


On 4/23/21 6:38 PM, scan-admin at coverity.com wrote:
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 3 of 3 defect(s)
>
>
> ** CID 331185:  Insecure data handling  (TAINTED_SCALAR)
> /lib/lz4.c: 143 in LZ4_decompress_generic()
>
>
> ________________________________________________________________________________________________________
> *** CID 331185:  Insecure data handling  (TAINTED_SCALAR)
> /lib/lz4.c: 143 in LZ4_decompress_generic()
> 137                 }
> 138                 else
> 139                 {
> 140                     if ((!endOnInput) && (cpy != oend)) goto _output_error;       /* Error : block decoding must stop exactly there */
> 141                     if ((endOnInput) && ((ip+length != iend) || (cpy > oend))) goto _output_error;   /* Error : input must be consumed */
> 142                 }
>>>>      CID 331185:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Passing tainted variable "length" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 143                 memcpy(op, ip, length);
> 144                 ip += length;
> 145                 op += length;
> 146                 break;     /* Necessarily EOF, due to parsing restrictions */
> 147             }
> 148             LZ4_wildCopy(op, ip, cpy);
>
> ** CID 331184:  Memory - corruptions  (OVERRUN)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
>
>
> ________________________________________________________________________________________________________
> *** CID 331184:  Memory - corruptions  (OVERRUN)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
> 8
> 9     static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc,
> 10     				  char *const argv[])
> 11     {
Hello Tom,

please, mark this finding as intentional in Coverity.

> 12     	char a[128];
> 13
>>>>      CID 331184:  Memory - corruptions  (OVERRUN)
>>>>      Overrunning array "a" of 128 bytes by passing it to a function which accesses it at byte offset 511 using argument "512UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 14     	memset(a, 0xa5, 512);
> 15     	return 0;
> 16     }
> 17
> 18     U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
>
> ** CID 331183:  Memory - corruptions  (BUFFER_SIZE)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
>
>
> ________________________________________________________________________________________________________
> *** CID 331183:  Memory - corruptions  (BUFFER_SIZE)
> /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()

same here

Best regards

Heinrich

> 8
> 9     static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc,
> 10     				  char *const argv[])
> 11     {
> 12     	char a[128];
> 13
>>>>      CID 331183:  Memory - corruptions  (BUFFER_SIZE)
>>>>      You might overrun the 128 byte destination string "a" by writing the maximum 512 bytes from "165".
> 14     	memset(a, 0xa5, 512);
> 15     	return 0;
> 16     }
> 17
> 18     U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DVLO3_N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2X9PIw0aqIVMZlR6cmf9w8prU0ddkFkhQg-2B6p8UvlY-2FM51TBl-2FigNKw0KCrquAEkBb2jC3ZnWBwbVEZhLkDdq-2FMFkIpcluF4NvkPbaQ8l7PMYWmxLPqhtFLo01zbJ6O05zRrW9MzeWZiF82fugYqxJUGlLrQGmeTLuFDr2CDzEGJg-3D-3D
>
>    To manage Coverity Scan email notifications for "xypron.glpk at gmx.de", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXx4Y-2F1WK-2FIlbEOzfoxXLI-2FdwA0wwGn90rGGrBgiHW-2ByLDLbUOEV7XOvtc9zJmj9LPyrT06WSaMnNrm6wfrUN-2BXuWoaHdqOoEyL7CQlGSiE-2BfE-3DtDQo_N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2X9PIw0aqIVMZlR6cmf9w8pA8-2FW82eD6YTWlxlNXjrDSc-2B-2BfgU0QJMdYPvNOg-2Brk8a8VMShB-2FvhmE5GTrUF2ImOx4sRousy5Sh2qX6apgHec8wEC6ZWvhuro1Ua3CVllqnKzeW-2FmUepM3XfZqtYssGH0ujkCtgvKvxZfYpXxJdKdg-3D-3D
>



More information about the U-Boot mailing list