[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Pali Rohár
pali at kernel.org
Mon Aug 16 22:15:49 CEST 2021
+ Stefan and Marek
On Monday 16 August 2021 15:57:26 Tom Rini wrote:
> Hey all,
>
> Can people please take a look? I can mark as intentional anything that
> really is intentional, thanks.
Hello Tom!
These kwbimage issues look to be a real issues. But I do not think that
anybody touched these parts of kwbimage code recently. So looks like
that Coverity must have run some more tests this time...
> ** CID 338491: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 1066 in export_pub_kak_hash()
>
>
> ________________________________________________________________________________________________________
> *** CID 338491: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 1066 in export_pub_kak_hash()
> 1060 int res;
> 1061
> 1062 hashf = fopen("pub_kak_hash.txt", "w");
> 1063
> 1064 res = kwb_export_pubkey(kak, &secure_hdr->kak, hashf, "KAK");
> 1065
> >>> CID 338491: Null pointer dereferences (NULL_RETURNS)
> >>> Dereferencing a pointer that might be "NULL" "hashf" when calling "fclose".
> 1066 fclose(hashf);
> 1067
> 1068 return res < 0 ? 1 : 0;
> 1069 }
> 1070
> 1071 int kwb_sign_csk_with_kak(struct image_tool_params *params,
There is really missing check that fopen() succeeded.
> ** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
>
>
> ________________________________________________________________________________________________________
> *** CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> /tools/kwbimage.c: 1093 in kwb_sign_csk_with_kak()
> 1087 if (export_pub_kak_hash(kak, secure_hdr))
> 1088 return 1;
> 1089
> 1090 if (kwb_import_pubkey(&kak_pub, &secure_hdr->kak, "KAK") < 0)
> 1091 return 1;
> 1092
> >>> CID 338488: Memory - illegal accesses (NEGATIVE_RETURNS)
> >>> Using variable "csk_idx" as an index to array "secure_hdr->csk".
> 1093 if (kwb_export_pubkey(csk, &secure_hdr->csk[csk_idx], NULL, "CSK") < 0)
> 1094 return 1;
> 1095
> 1096 if (kwb_sign_and_verify(kak, &secure_hdr->csk,
> 1097 sizeof(secure_hdr->csk) +
> 1098 sizeof(secure_hdr->csksig),
There is code:
int csk_idx = image_get_csk_index();
...
if (csk_idx >= 16) {
...
return 1;
}
... &secure_hdr->csk[csk_idx] ...
And ->csk is defined as:
struct secure_hdr_v1 {
..
struct pubkey_der_v1 csk[16]
..
};
image_get_csk_index() returns int and it may returns also negative value
on error. So there is really possible illegal memory access.
> ** CID 338486: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
>
>
> ________________________________________________________________________________________________________
> *** CID 338486: Null pointer dereferences (NULL_RETURNS)
> /tools/kwbimage.c: 836 in kwb_dump_fuse_cmds()
> 830 return 0;
> 831
> 832 if (!strcmp(e->name, "a38x")) {
> 833 FILE *out = fopen("kwb_fuses_a38x.txt", "w+");
> 834
> 835 kwb_dump_fuse_cmds_38x(out, sec_hdr);
> >>> CID 338486: Null pointer dereferences (NULL_RETURNS)
> >>> Dereferencing a pointer that might be "NULL" "out" when calling "fclose".
> 836 fclose(out);
> 837 goto done;
> 838 }
> 839
> 840 ret = -ENOSYS;
> 841
And there is also missing check that fopen() succeeded.
More information about the U-Boot
mailing list