[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]

Tom Rini trini at konsulko.com
Wed Jan 20 20:04:18 CET 2021


I decided to run Coverity part-way through the merge window this time
and here's what's been found so far.

----- Forwarded message from scan-admin at coverity.com -----

Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
From: scan-admin at coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.

23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 23 defect(s)


** CID 316365:  Memory - corruptions  (STRING_OVERFLOW)
/tools/sunxi_egon.c: 96 in egon_set_header()


________________________________________________________________________________________________________
*** CID 316365:  Memory - corruptions  (STRING_OVERFLOW)
/tools/sunxi_egon.c: 96 in egon_set_header()
90     
91     	/* If an image name has been provided, use it as the DT name. */
92     	if (params->imagename && params->imagename[0]) {
93     		if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
94     			printf("WARNING: DT name too long for SPL header!\n");
95     		else {
>>>     CID 316365:  Memory - corruptions  (STRING_OVERFLOW)
>>>     You might overrun the 13-character destination string "header->string_pool" by writing 51 characters from "params->imagename".
96     			strcpy((char *)header->string_pool, params->imagename);
97     			value = offsetof(struct boot_file_head, string_pool);
98     			header->dt_name_offset = cpu_to_le32(value);
99     			header->spl_signature[3] = SPL_DT_HEADER_VERSION;
100     		}
101     	}

** CID 316364:  Null pointer dereferences  (FORWARD_NULL)
/cmd/efidebug.c: 202 in do_efi_capsule_res()


________________________________________________________________________________________________________
*** CID 316364:  Null pointer dereferences  (FORWARD_NULL)
/cmd/efidebug.c: 202 in do_efi_capsule_res()
196     			printf("Failed to get %ls\n", var_name16);
197     
198     			return CMD_RET_FAILURE;
199     		}
200     	}
201     
>>>     CID 316364:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "result".
202     	printf("Result total size: 0x%x\n", result->variable_total_size);
203     	printf("Capsule guid: %pUl\n", &result->capsule_guid);
204     	printf("Time processed: %04d-%02d-%02d %02d:%02d:%02d\n",
205     	       result->capsule_processed.year, result->capsule_processed.month,
206     	       result->capsule_processed.day, result->capsule_processed.hour,
207     	       result->capsule_processed.minute,

** CID 316363:  Null pointer dereferences  (REVERSE_INULL)
/lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()


________________________________________________________________________________________________________
*** CID 316363:  Null pointer dereferences  (REVERSE_INULL)
/lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
1987     	ret = EFI_CALL(load_file_protocol->load_file(
1988     					load_file_protocol, dp, boot_policy,
1989     					&buffer_size, (void *)(uintptr_t)addr));
1990     	if (ret != EFI_SUCCESS)
1991     		efi_free_pages(addr, pages);
1992     out:
>>>     CID 316363:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "load_file_protocol" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1993     	if (load_file_protocol)
1994     		EFI_CALL(efi_close_protocol(device,
1995     					    &efi_guid_load_file2_protocol,
1996     					    efi_root, NULL));
1997     	if (ret == EFI_SUCCESS) {
1998     		*buffer = (void *)(uintptr_t)addr;

** CID 316362:  Error handling issues  (CHECKED_RETURN)
/fs/fat/fat_write.c: 422 in fill_dir_slot()


________________________________________________________________________________________________________
*** CID 316362:  Error handling issues  (CHECKED_RETURN)
/fs/fat/fat_write.c: 422 in fill_dir_slot()
416     	while (counter >= 1) {
417     		memcpy(itr->dent, slotptr, sizeof(dir_slot));
418     		slotptr--;
419     		counter--;
420     
421     		if (itr->remaining == 0)
>>>     CID 316362:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "flush_dir" without checking return value (as is done elsewhere 5 out of 6 times).
422     			flush_dir(itr);
423     
424     		next_dent(itr);
425     		if (!itr->dent)
426     			return -EIO;
427     	}

** CID 316361:  Code maintainability issues  (SIZEOF_MISMATCH)
/lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()


________________________________________________________________________________________________________
*** CID 316361:  Code maintainability issues  (SIZEOF_MISMATCH)
/lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
761     
762     	ret = EFI_CALL((*dirh->setpos)(dirh, 0));
763     	if (ret != EFI_SUCCESS)
764     		goto err;
765     
766     	/* make a list */
>>>     CID 316361:  Code maintainability issues  (SIZEOF_MISMATCH)
>>>     Passing argument "count * 8UL /* sizeof (*files) */" to function "dlmalloc" and then casting the return value to "u16 **" is suspicious.  In this particular case "sizeof (u16 **)" happens to be equal to "sizeof (u16 *)", but this is not a portable assumption.
767     	tmp_files = malloc(count * sizeof(*files));
768     	if (!tmp_files) {
769     		ret = EFI_OUT_OF_RESOURCES;
770     		goto err;
771     	}
772     

** CID 316360:  Uninitialized variables  (UNINIT)
/tools/mkeficapsule.c: 298 in create_fwbin()


________________________________________________________________________________________________________
*** CID 316360:  Uninitialized variables  (UNINIT)
/tools/mkeficapsule.c: 298 in create_fwbin()
292     		goto err_3;
293     	}
294     
295     	capsule.version = 0x00000001;
296     	capsule.embedded_driver_count = 0;
297     	capsule.payload_item_count = 1;
>>>     CID 316360:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "capsule". Field "capsule.item_offset_list" is uninitialized when calling "fwrite".
298     	size = fwrite(&capsule, 1, sizeof(capsule), f);
299     	if (size < (sizeof(capsule))) {
300     		printf("write failed (%lx)\n", size);
301     		goto err_3;
302     	}
303     	offset = sizeof(capsule) + sizeof(u64);

** CID 316359:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 316359:  Null pointer dereferences  (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
374     			ret = EFI_UNSUPPORTED;
375     			goto out;
376     		}
377     
378     		/* find a device for update firmware */
379     		/* TODO: should we pass index as well, or nothing but type? */
>>>     CID 316359:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "handles" to "efi_fmp_find", which dereferences it.
380     		fmp = efi_fmp_find(&image->update_image_type_id,
381     				   image->update_hardware_instance,
382     				   handles, no_handles);
383     		if (!fmp) {
384     			log_err("EFI Capsule: driver not found for firmware type: %pUl, hardware instance: %lld\n",
385     				&image->update_image_type_id,

** CID 316358:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()


________________________________________________________________________________________________________
*** CID 316358:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
157     	int ret;
158     
159     	pdata->iobase = dev_read_addr(dev);
160     
161     	ifname = dev_read_string(dev, "host-raw-interface");
162     	if (ifname) {
>>>     CID 316358:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "priv->host_ifname" of size 16 bytes might leave the destination string unterminated.
163     		strncpy(priv->host_ifname, ifname, IFNAMSIZ);
164     		printf(": Using %s from DT\n", priv->host_ifname);
165     	}
166     	if (dev_read_u32(dev, "host-raw-interface-idx",
167     			 &priv->host_ifindex) < 0) {
168     		priv->host_ifindex = 0;

** CID 316357:  Memory - corruptions  (BUFFER_SIZE)
/fs/fat/fat_write.c: 1154 in fill_dentry()


________________________________________________________________________________________________________
*** CID 316357:  Memory - corruptions  (BUFFER_SIZE)
/fs/fat/fat_write.c: 1154 in fill_dentry()
1148     
1149     	set_start_cluster(mydata, dentptr, start_cluster);
1150     	dentptr->size = cpu_to_le32(size);
1151     
1152     	dentptr->attr = attr;
1153     
>>>     CID 316357:  Memory - corruptions  (BUFFER_SIZE)
>>>     You might overrun the 8 byte destination string "dentptr->name" by writing the maximum 11 bytes from "shortname".
1154     	memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
1155     }
1156     
1157     /**
1158      * find_directory_entry() - find a directory entry by filename
1159      *

** CID 316356:  Resource leaks  (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()


________________________________________________________________________________________________________
*** CID 316356:  Resource leaks  (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219     	if (ret < 0) {
220     		fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221     			__func__);
222     		goto err;
223     	}
224     
>>>     CID 316356:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "srcfd" going out of scope leaks the handle.
225     	return 0;
226     
227     err:
228     	if (sptr)
229     		munmap(sptr, src_size);
230     

** CID 316355:  Null pointer dereferences  (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()


________________________________________________________________________________________________________
*** CID 316355:  Null pointer dereferences  (FORWARD_NULL)
/lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
842     		}
843     		ret = EFI_CALL((*fh->getinfo)(fh, &efi_file_info_guid,
844     					      &size, file_info));
845     	}
846     	if (ret != EFI_SUCCESS)
847     		goto err;
>>>     CID 316355:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "file_info".
848     	size = file_info->file_size;
849     	free(file_info);
850     	buf = malloc(size);
851     	if (!buf) {
852     		ret = EFI_OUT_OF_RESOURCES;
853     		goto err;

** CID 316354:  Uninitialized variables  (UNINIT)
/tools/mkeficapsule.c: 318 in create_fwbin()


________________________________________________________________________________________________________
*** CID 316354:  Uninitialized variables  (UNINIT)
/tools/mkeficapsule.c: 318 in create_fwbin()
312     	image.update_image_index = index;
313     	image.update_image_size = bin_stat.st_size;
314     	image.update_vendor_code_size = 0; /* none */
315     	image.update_hardware_instance = instance;
316     	image.image_capsule_support = 0;
317     
>>>     CID 316354:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "image". Field "image.reserved" is uninitialized when calling "fwrite".
318     	size = fwrite(&image, 1, sizeof(image), f);
319     	if (size < sizeof(image)) {
320     		printf("write failed (%lx)\n", size);
321     		goto err_3;
322     	}
323     	size = fread(data, 1, bin_stat.st_size, g);

** CID 316353:  Resource leaks  (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()


________________________________________________________________________________________________________
*** CID 316353:  Resource leaks  (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219     	if (ret < 0) {
220     		fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221     			__func__);
222     		goto err;
223     	}
224     
>>>     CID 316353:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "sptr" going out of scope leaks the storage it points to.
225     	return 0;
226     
227     err:
228     	if (sptr)
229     		munmap(sptr, src_size);
230     

** CID 316352:  Security best practices violations  (STRING_OVERFLOW)
/drivers/dfu/dfu.c: 490 in dfu_fill_entity()


________________________________________________________________________________________________________
*** CID 316352:  Security best practices violations  (STRING_OVERFLOW)
/drivers/dfu/dfu.c: 490 in dfu_fill_entity()
484     			   char *interface, char *devstr)
485     {
486     	char *st;
487     
488     	debug("%s: %s interface: %s dev: %s\n", __func__, s, interface, devstr);
489     	st = strsep(&s, " ");
>>>     CID 316352:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 32-character fixed-size string "dfu->name" by copying "st" without checking the length.
490     	strcpy(dfu->name, st);
491     
492     	dfu->alt = alt;
493     	dfu->max_buf_size = 0;
494     	dfu->free_entity = NULL;
495     

** CID 316351:  Error handling issues  (CHECKED_RETURN)
/drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()


________________________________________________________________________________________________________
*** CID 316351:  Error handling issues  (CHECKED_RETURN)
/drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
224     	cell = dev_read_prop(dev, "brightness-levels", &len);
225     	count = len / sizeof(u32);
226     	if (cell && count > index) {
227     		priv->levels = malloc(len);
228     		if (!priv->levels)
229     			return log_ret(-ENOMEM);
>>>     CID 316351:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "dev_read_u32_array" without checking return value (as is done elsewhere 8 out of 9 times).
230     		dev_read_u32_array(dev, "brightness-levels", priv->levels,
231     				   count);
232     		priv->num_levels = count;
233     		priv->default_level = priv->levels[index];
234     		priv->max_level = priv->levels[count - 1];
235     	} else {

** CID 316350:  Memory - corruptions  (OVERRUN)
/fs/fat/fat_write.c: 1154 in fill_dentry()


________________________________________________________________________________________________________
*** CID 316350:  Memory - corruptions  (OVERRUN)
/fs/fat/fat_write.c: 1154 in fill_dentry()
1148     
1149     	set_start_cluster(mydata, dentptr, start_cluster);
1150     	dentptr->size = cpu_to_le32(size);
1151     
1152     	dentptr->attr = attr;
1153     
>>>     CID 316350:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "dentptr->name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
1154     	memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
1155     }
1156     
1157     /**
1158      * find_directory_entry() - find a directory entry by filename
1159      *

** CID 316349:  Resource leaks  (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()


________________________________________________________________________________________________________
*** CID 316349:  Resource leaks  (RESOURCE_LEAK)
/tools/mkeficapsule.c: 225 in add_public_key()
219     	if (ret < 0) {
220     		fprintf(stderr, "%s: Unable to add public key to the FDT\n",
221     			__func__);
222     		goto err;
223     	}
224     
>>>     CID 316349:  Resource leaks  (RESOURCE_LEAK)
>>>     Handle variable "destfd" going out of scope leaks the handle.
225     	return 0;
226     
227     err:
228     	if (sptr)
229     		munmap(sptr, src_size);
230     

** CID 316348:  Memory - corruptions  (OVERRUN)
/fs/fat/fat_write.c: 188 in set_name()


________________________________________________________________________________________________________
*** CID 316348:  Memory - corruptions  (OVERRUN)
/fs/fat/fat_write.c: 188 in set_name()
182     		/* Each long name directory entry takes 13 characters. */
183     		ret = (strlen(filename) + 25) / 13;
184     		goto out;
185     	}
186     	return -EIO;
187     out:
>>>     CID 316348:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "dirent.name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
188     	memcpy(shortname, dirent.name, SHORT_NAME_SIZE);
189     	return ret;
190     }
191     
192     static int total_sector;
193     static int disk_write(__u32 block, __u32 nr_blocks, void *buf)

** CID 316347:  Null pointer dereferences  (FORWARD_NULL)
/cmd/sandbox/exception.c: 16 in do_sigsegv()


________________________________________________________________________________________________________
*** CID 316347:  Null pointer dereferences  (FORWARD_NULL)
/cmd/sandbox/exception.c: 16 in do_sigsegv()
10     
11     static int do_sigsegv(struct cmd_tbl *cmdtp, int flag, int argc,
12     		      char *const argv[])
13     {
14     	u8 *ptr = NULL;
15     
>>>     CID 316347:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "ptr".
16     	*ptr = 0;
17     	return CMD_RET_FAILURE;
18     }
19     
20     static int do_undefined(struct cmd_tbl *cmdtp, int flag, int argc,
21     			char *const argv[])

** CID 316346:  Control flow issues  (UNREACHABLE)
/test/cmd/setexpr.c: 275 in setexpr_test_backref()


________________________________________________________________________________________________________
*** CID 316346:  Control flow issues  (UNREACHABLE)
/test/cmd/setexpr.c: 275 in setexpr_test_backref()
269     				      "us \\1 \\2 \\3!", true));
270     	ut_asserteq_str("us this is surely! a test is it? yes us this is indeed! a test",
271     			buf);
272     
273     	/* The following checks fail at present due to a bug in setexpr */
274     	return 0;
>>>     CID 316346:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "i = 256;".
275     	for (i = BUF_SIZE; i < 0x1000; i++) {
276     		ut_assertf(buf[i] == (char)i,
277     			   "buf byte at %x should be %02x, got %02x)\n",
278     			   i, i & 0xff, (u8)buf[i]);
279     		ut_assertf(nbuf[i] == (char)i,
280     			   "nbuf byte at %x should be %02x, got %02x)\n",


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzXLV_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFlP-2B70lLxg94OYlINE3kVz2K7-2BaNONHtJP8TbjZRniVWbxuTUQjTtQl1N-2FQyFOjCv8gPw5EPU0ENb3p98VX92ve7SRBWt1r1v-2F-2F6AWroTa-2Bh7rN2QA2fbSgDcYmJ9RJ86TD6dhAH88KDOiq3Saai3zTbA9TSu9jcthFTuvEyi5KBE-3D

  To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DBleN_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFl83Kn4j1MsEeVR-2BhiT4TgLlRMzBzziPEpnjhf5UW-2FNLxwPg-2FlX4hM5uoZCyOPlCN-2BiReYf6wkiLt6iKknc3lnJUyqsWnyxIFGwSu2OUxAVy5vnsIFdRuglO4-2B9vJx2XrTM801x6AhuO0Zb5xr5hI9qgs9dwug2dbKvAt0T-2F-2Bv9VI-3D


----- End forwarded message -----

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210120/58b3178c/attachment.sig>


More information about the U-Boot mailing list