[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]

Tom Rini trini at konsulko.com
Mon Aug 16 21:57:26 CEST 2021 

Hey all,

Can people please take a look?  I can mark as intentional anything that
really is intentional, thanks.

----- Forwarded message from scan-admin at coverity.com -----

Date: Mon, 16 Aug 2021 18:33:32 +0000 (UTC)
From: scan-admin at coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.

7 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)


** CID 338491:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()


________________________________________________________________________________________________________
*** CID 338491:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 1066 in export_pub_kak_hash()
1060     	int res;
1061     
1062     	hashf = fopen("pub_kak_hash.txt", "w");
1063     
1064     	res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
1065     
>>>     CID 338491:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
1066     	fclose(hashf);
1067     
1068     	return res < 0 ? 1 : 0;
1069     }
1070     
1071     int kwb_sign_csk_with_kak(struct image_tool_params *params,

** CID 338490:  Control flow issues  (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()


________________________________________________________________________________________________________
*** CID 338490:  Control flow issues  (DEADCODE)
/drivers/tpm/sandbox_common.c: 34 in sb_tpm_index_to_seq()
28     	case FWMP_NV_INDEX:
29     		return NV_SEQ_FWMP;
30     	case MRC_REC_HASH_NV_INDEX:
31     		return NV_SEQ_REC_HASH;
32     	case 0:
33     		return NV_SEQ_GLOBAL_LOCK;
>>>     CID 338490:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "case TPM_NV_INDEX_LOCK:".
34     	case TPM_NV_INDEX_LOCK:
35     		return NV_SEQ_ENABLE_LOCKING;
36     	}
37     
38     	printf("Invalid nv index %#x\n", index);
39     	return -1;

** CID 338489:  Control flow issues  (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()


________________________________________________________________________________________________________
*** CID 338489:  Control flow issues  (DEADCODE)
/drivers/tpm/tpm2_tis_sandbox.c: 652 in sandbox_tpm2_xfer()
646     
647     		for (i = 0; i < SANDBOX_TPM_PCR_NB; i++)
648     			if (pcr_map & BIT(i))
649     				pcr_index = i;
650     
651     		if (pcr_index >= SANDBOX_TPM_PCR_NB) {
>>>     CID 338489:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "printf("Invalid index %d, s...".
652     			printf("Invalid index %d, sandbox TPM handles up to %d PCR(s)\n",
653     			       pcr_index, SANDBOX_TPM_PCR_NB);
654     			rc = TPM2_RC_VALUE;
655     			return sandbox_tpm2_fill_buf(recv, recv_len, tag, rc);
656     		}
657     

** CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()


________________________________________________________________________________________________________
*** CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
/tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
1087     	if (export_pub_kak_hash(kak, secure_hdr))
1088     		return 1;
1089     
1090     	if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
1091     		return 1;
1092     
>>>     CID 338488:  Memory - illegal accesses  (NEGATIVE_RETURNS)
>>>     Using variable "csk_idx" as an index to array "secure_hdr->csk".
1093     	if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
1094     		return 1;
1095     
1096     	if (kwb_sign_and_verify(kak, &secure_hdr->csk,
1097     				sizeof(secure_hdr->csk) +
1098     				sizeof(secure_hdr->csksig),

** CID 338487:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 338487:  Null pointer dereferences  (FORWARD_NULL)
/test/dm/ecdsa.c: 34 in dm_test_ecdsa_verify()
28     	struct image_sign_info info = {
29     		.checksum = &algo,
30     	};
31     
32     	ut_assertok(uclass_get(UCLASS_ECDSA, &ucp));
33     	ut_assertnonnull(ucp);
>>>     CID 338487:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing "&info" to "ecdsa_verify", which dereferences null "info.fdt_blob".
34     	ut_asserteq(-ENODEV, ecdsa_verify(&info, NULL, 0, NULL, 0));
35     
36     	return 0;
37     }

** CID 338486:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()


________________________________________________________________________________________________________
*** CID 338486:  Null pointer dereferences  (NULL_RETURNS)
/tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
830     		return 0;
831     
832     	if (!strcmp(e->name, "a38x")) {
833     		FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
834     
835     		kwb_dump_fuse_cmds_38x(out, sec_hdr);
>>>     CID 338486:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
836     		fclose(out);
837     		goto done;
838     	}
839     
840     	ret = -ENOSYS;
841     

** CID 338485:  Security best practices violations  (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()


________________________________________________________________________________________________________
*** CID 338485:  Security best practices violations  (STRING_OVERFLOW)
/test/str_ut.c: 126 in run_strtoull()
120     			bool upper)
121     {
122     	char out[TEST_STR_SIZE];
123     	char *endp;
124     	unsigned long long val;
125     
>>>     CID 338485:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 200-character fixed-size string "out" by copying "str" without checking the length.
126     	strcpy(out, str);
127     	if (upper)
128     		str_to_upper(out, out, -1);
129     
130     	val = simple_strtoull(out, &endp, base);
131     	ut_asserteq(expect_val, val);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3Dpne1_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsGY-2Fdp5hfqC-2B6ss-2FtTgTZdxyWngwdNCSBcWaoglYsMi33qZ6o4IvlPo1NMZ6HKzSbi0k3YdDAC-2BTUaeXbDEnIRwEUtXC7QvseJgqoTO7Dy-2FbiEUFH4xtjfmqCkZmTJb3YVLV9-2Ba99V6cQv2l1vnfXAACur8TFDo8g-2FsXRbmip9nw-3D-3D

  To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DZz5A_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTsGY-2Fdp5hfqC-2B6ss-2FtTgTZdXwxIYMpdS4H155aON0dxh2JciN9BuG3rKCbVzTcBZLXOvfO7Si-2FBGSpoJNCavkeTT3AGnasDLWxyxFydCRuDUJa2tYQzp6QhBJbaTuEIeds3Dm8aBmYjPfgEtJGmGgn084OEX2dKxosO7FhRlH0u8A-3D-3D


----- End forwarded message -----

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210816/83f68093/attachment.sig>

More information about the U-Boot mailing list