[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Jan 20 21:43:57 CET 2021
On 1/20/21 8:04 PM, Tom Rini wrote:
CC: Takahiro
> I decided to run Coverity part-way through the merge window this time
> and here's what's been found so far.
>
> ----- Forwarded message from scan-admin at coverity.com -----
>
> Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> From: scan-admin at coverity.com
> To: tom.rini at gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
>
> ** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
>
>
> ________________________________________________________________________________________________________
> *** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
> 90
> 91 /* If an image name has been provided, use it as the DT name. */
> 92 if (params->imagename && params->imagename[0]) {
> 93 if (strlen(params->imagename) > sizeof(header->string_pool) - 1)
> 94 printf("WARNING: DT name too long for SPL header!\n");
> 95 else {
>>>> CID 316365: Memory - corruptions (STRING_OVERFLOW)
>>>> You might overrun the 13-character destination string "header->string_pool" by writing 51 characters from "params->imagename".
> 96 strcpy((char *)header->string_pool, params->imagename);
> 97 value = offsetof(struct boot_file_head, string_pool);
> 98 header->dt_name_offset = cpu_to_le32(value);
> 99 header->spl_signature[3] = SPL_DT_HEADER_VERSION;
> 100 }
> 101 }
>
> ** CID 316364: Null pointer dereferences (FORWARD_NULL)
> /cmd/efidebug.c: 202 in do_efi_capsule_res()
>
>
> ________________________________________________________________________________________________________
> *** CID 316364: Null pointer dereferences (FORWARD_NULL)
> /cmd/efidebug.c: 202 in do_efi_capsule_res()
> 196 printf("Failed to get %ls\n", var_name16);
> 197
> 198 return CMD_RET_FAILURE;
> 199 }
> 200 }
> 201
>>>> CID 316364: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "result".
> 202 printf("Result total size: 0x%x\n", result->variable_total_size);
> 203 printf("Capsule guid: %pUl\n", &result->capsule_guid);
> 204 printf("Time processed: %04d-%02d-%02d %02d:%02d:%02d\n",
> 205 result->capsule_processed.year, result->capsule_processed.month,
> 206 result->capsule_processed.day, result->capsule_processed.hour,
> 207 result->capsule_processed.minute,
>
> ** CID 316363: Null pointer dereferences (REVERSE_INULL)
> /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
>
>
> ________________________________________________________________________________________________________
> *** CID 316363: Null pointer dereferences (REVERSE_INULL)
> /lib/efi_loader/efi_boottime.c: 1993 in efi_load_image_from_path()
> 1987 ret = EFI_CALL(load_file_protocol->load_file(
> 1988 load_file_protocol, dp, boot_policy,
> 1989 &buffer_size, (void *)(uintptr_t)addr));
> 1990 if (ret != EFI_SUCCESS)
> 1991 efi_free_pages(addr, pages);
> 1992 out:
>>>> CID 316363: Null pointer dereferences (REVERSE_INULL)
>>>> Null-checking "load_file_protocol" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
> 1993 if (load_file_protocol)
> 1994 EFI_CALL(efi_close_protocol(device,
> 1995 &efi_guid_load_file2_protocol,
> 1996 efi_root, NULL));
> 1997 if (ret == EFI_SUCCESS) {
> 1998 *buffer = (void *)(uintptr_t)addr;
>
> ** CID 316362: Error handling issues (CHECKED_RETURN)
> /fs/fat/fat_write.c: 422 in fill_dir_slot()
>
>
> ________________________________________________________________________________________________________
> *** CID 316362: Error handling issues (CHECKED_RETURN)
> /fs/fat/fat_write.c: 422 in fill_dir_slot()
> 416 while (counter >= 1) {
> 417 memcpy(itr->dent, slotptr, sizeof(dir_slot));
> 418 slotptr--;
> 419 counter--;
> 420
> 421 if (itr->remaining == 0)
>>>> CID 316362: Error handling issues (CHECKED_RETURN)
>>>> Calling "flush_dir" without checking return value (as is done elsewhere 5 out of 6 times).
> 422 flush_dir(itr);
> 423
> 424 next_dent(itr);
> 425 if (!itr->dent)
> 426 return -EIO;
> 427 }
>
> ** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
> /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
>
>
> ________________________________________________________________________________________________________
> *** CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
> /lib/efi_loader/efi_capsule.c: 767 in efi_capsule_scan_dir()
> 761
> 762 ret = EFI_CALL((*dirh->setpos)(dirh, 0));
> 763 if (ret != EFI_SUCCESS)
> 764 goto err;
> 765
> 766 /* make a list */
>>>> CID 316361: Code maintainability issues (SIZEOF_MISMATCH)
>>>> Passing argument "count * 8UL /* sizeof (*files) */" to function "dlmalloc" and then casting the return value to "u16 **" is suspicious. In this particular case "sizeof (u16 **)" happens to be equal to "sizeof (u16 *)", but this is not a portable assumption.
> 767 tmp_files = malloc(count * sizeof(*files));
> 768 if (!tmp_files) {
> 769 ret = EFI_OUT_OF_RESOURCES;
> 770 goto err;
> 771 }
> 772
>
> ** CID 316360: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 298 in create_fwbin()
>
>
> ________________________________________________________________________________________________________
> *** CID 316360: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 298 in create_fwbin()
> 292 goto err_3;
> 293 }
> 294
> 295 capsule.version = 0x00000001;
> 296 capsule.embedded_driver_count = 0;
> 297 capsule.payload_item_count = 1;
>>>> CID 316360: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "capsule". Field "capsule.item_offset_list" is uninitialized when calling "fwrite".
> 298 size = fwrite(&capsule, 1, sizeof(capsule), f);
> 299 if (size < (sizeof(capsule))) {
> 300 printf("write failed (%lx)\n", size);
> 301 goto err_3;
> 302 }
> 303 offset = sizeof(capsule) + sizeof(u64);
>
> ** CID 316359: Null pointer dereferences (FORWARD_NULL)
>
>
> ________________________________________________________________________________________________________
> *** CID 316359: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_capsule.c: 380 in efi_capsule_update_firmware()
> 374 ret = EFI_UNSUPPORTED;
> 375 goto out;
> 376 }
> 377
> 378 /* find a device for update firmware */
> 379 /* TODO: should we pass index as well, or nothing but type? */
>>>> CID 316359: Null pointer dereferences (FORWARD_NULL)
>>>> Passing null pointer "handles" to "efi_fmp_find", which dereferences it.
> 380 fmp = efi_fmp_find(&image->update_image_type_id,
> 381 image->update_hardware_instance,
> 382 handles, no_handles);
> 383 if (!fmp) {
> 384 log_err("EFI Capsule: driver not found for firmware type: %pUl, hardware instance: %lld\n",
> 385 &image->update_image_type_id,
>
> ** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
>
>
> ________________________________________________________________________________________________________
> *** CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> /drivers/net/sandbox-raw.c: 163 in sb_eth_raw_of_to_plat()
> 157 int ret;
> 158
> 159 pdata->iobase = dev_read_addr(dev);
> 160
> 161 ifname = dev_read_string(dev, "host-raw-interface");
> 162 if (ifname) {
>>>> CID 316358: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "priv->host_ifname" of size 16 bytes might leave the destination string unterminated.
> 163 strncpy(priv->host_ifname, ifname, IFNAMSIZ);
> 164 printf(": Using %s from DT\n", priv->host_ifname);
> 165 }
> 166 if (dev_read_u32(dev, "host-raw-interface-idx",
> 167 &priv->host_ifindex) < 0) {
> 168 priv->host_ifindex = 0;
>
> ** CID 316357: Memory - corruptions (BUFFER_SIZE)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
>
>
> ________________________________________________________________________________________________________
> *** CID 316357: Memory - corruptions (BUFFER_SIZE)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
> 1148
> 1149 set_start_cluster(mydata, dentptr, start_cluster);
> 1150 dentptr->size = cpu_to_le32(size);
> 1151
> 1152 dentptr->attr = attr;
> 1153
>>>> CID 316357: Memory - corruptions (BUFFER_SIZE)
>>>> You might overrun the 8 byte destination string "dentptr->name" by writing the maximum 11 bytes from "shortname".
> 1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
> 1155 }
> 1156
> 1157 /**
> 1158 * find_directory_entry() - find a directory entry by filename
> 1159 *
>
> ** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
> ________________________________________________________________________________________________________
> *** CID 316356: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
>>>> CID 316356: Resource leaks (RESOURCE_LEAK)
>>>> Handle variable "srcfd" going out of scope leaks the handle.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
> ** CID 316355: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
>
>
> ________________________________________________________________________________________________________
> *** CID 316355: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_capsule.c: 848 in efi_capsule_read_file()
> 842 }
> 843 ret = EFI_CALL((*fh->getinfo)(fh, &efi_file_info_guid,
> 844 &size, file_info));
> 845 }
> 846 if (ret != EFI_SUCCESS)
> 847 goto err;
>>>> CID 316355: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "file_info".
> 848 size = file_info->file_size;
> 849 free(file_info);
> 850 buf = malloc(size);
> 851 if (!buf) {
> 852 ret = EFI_OUT_OF_RESOURCES;
> 853 goto err;
>
> ** CID 316354: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 318 in create_fwbin()
>
>
> ________________________________________________________________________________________________________
> *** CID 316354: Uninitialized variables (UNINIT)
> /tools/mkeficapsule.c: 318 in create_fwbin()
> 312 image.update_image_index = index;
> 313 image.update_image_size = bin_stat.st_size;
> 314 image.update_vendor_code_size = 0; /* none */
> 315 image.update_hardware_instance = instance;
> 316 image.image_capsule_support = 0;
> 317
>>>> CID 316354: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "image". Field "image.reserved" is uninitialized when calling "fwrite".
> 318 size = fwrite(&image, 1, sizeof(image), f);
> 319 if (size < sizeof(image)) {
> 320 printf("write failed (%lx)\n", size);
> 321 goto err_3;
> 322 }
> 323 size = fread(data, 1, bin_stat.st_size, g);
>
> ** CID 316353: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
> ________________________________________________________________________________________________________
> *** CID 316353: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
>>>> CID 316353: Resource leaks (RESOURCE_LEAK)
>>>> Variable "sptr" going out of scope leaks the storage it points to.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
> ** CID 316352: Security best practices violations (STRING_OVERFLOW)
> /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
>
>
> ________________________________________________________________________________________________________
> *** CID 316352: Security best practices violations (STRING_OVERFLOW)
> /drivers/dfu/dfu.c: 490 in dfu_fill_entity()
> 484 char *interface, char *devstr)
> 485 {
> 486 char *st;
> 487
> 488 debug("%s: %s interface: %s dev: %s\n", __func__, s, interface, devstr);
> 489 st = strsep(&s, " ");
>>>> CID 316352: Security best practices violations (STRING_OVERFLOW)
>>>> You might overrun the 32-character fixed-size string "dfu->name" by copying "st" without checking the length.
> 490 strcpy(dfu->name, st);
> 491
> 492 dfu->alt = alt;
> 493 dfu->max_buf_size = 0;
> 494 dfu->free_entity = NULL;
> 495
>
> ** CID 316351: Error handling issues (CHECKED_RETURN)
> /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
>
>
> ________________________________________________________________________________________________________
> *** CID 316351: Error handling issues (CHECKED_RETURN)
> /drivers/video/pwm_backlight.c: 230 in pwm_backlight_of_to_plat()
> 224 cell = dev_read_prop(dev, "brightness-levels", &len);
> 225 count = len / sizeof(u32);
> 226 if (cell && count > index) {
> 227 priv->levels = malloc(len);
> 228 if (!priv->levels)
> 229 return log_ret(-ENOMEM);
>>>> CID 316351: Error handling issues (CHECKED_RETURN)
>>>> Calling "dev_read_u32_array" without checking return value (as is done elsewhere 8 out of 9 times).
> 230 dev_read_u32_array(dev, "brightness-levels", priv->levels,
> 231 count);
> 232 priv->num_levels = count;
> 233 priv->default_level = priv->levels[index];
> 234 priv->max_level = priv->levels[count - 1];
> 235 } else {
>
> ** CID 316350: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
>
>
> ________________________________________________________________________________________________________
> *** CID 316350: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 1154 in fill_dentry()
> 1148
> 1149 set_start_cluster(mydata, dentptr, start_cluster);
> 1150 dentptr->size = cpu_to_le32(size);
> 1151
> 1152 dentptr->attr = attr;
> 1153
>>>> CID 316350: Memory - corruptions (OVERRUN)
>>>> Overrunning array "dentptr->name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 1154 memcpy(dentptr->name, shortname, SHORT_NAME_SIZE);
> 1155 }
> 1156
> 1157 /**
> 1158 * find_directory_entry() - find a directory entry by filename
> 1159 *
>
> ** CID 316349: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
>
>
> ________________________________________________________________________________________________________
> *** CID 316349: Resource leaks (RESOURCE_LEAK)
> /tools/mkeficapsule.c: 225 in add_public_key()
> 219 if (ret < 0) {
> 220 fprintf(stderr, "%s: Unable to add public key to the FDT\n",
> 221 __func__);
> 222 goto err;
> 223 }
> 224
>>>> CID 316349: Resource leaks (RESOURCE_LEAK)
>>>> Handle variable "destfd" going out of scope leaks the handle.
> 225 return 0;
> 226
> 227 err:
> 228 if (sptr)
> 229 munmap(sptr, src_size);
> 230
>
> ** CID 316348: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 188 in set_name()
>
>
> ________________________________________________________________________________________________________
> *** CID 316348: Memory - corruptions (OVERRUN)
> /fs/fat/fat_write.c: 188 in set_name()
> 182 /* Each long name directory entry takes 13 characters. */
> 183 ret = (strlen(filename) + 25) / 13;
> 184 goto out;
> 185 }
> 186 return -EIO;
> 187 out:
>>>> CID 316348: Memory - corruptions (OVERRUN)
>>>> Overrunning array "dirent.name" of 8 bytes by passing it to a function which accesses it at byte offset 10 using argument "11UL". [Note: The source code implementation of the function has been overridden by a builtin model.]
> 188 memcpy(shortname, dirent.name, SHORT_NAME_SIZE);
> 189 return ret;
> 190 }
> 191
> 192 static int total_sector;
> 193 static int disk_write(__u32 block, __u32 nr_blocks, void *buf)
>
> ** CID 316347: Null pointer dereferences (FORWARD_NULL)
> /cmd/sandbox/exception.c: 16 in do_sigsegv()
>
>
> ________________________________________________________________________________________________________
> *** CID 316347: Null pointer dereferences (FORWARD_NULL)
> /cmd/sandbox/exception.c: 16 in do_sigsegv()
> 10
> 11 static int do_sigsegv(struct cmd_tbl *cmdtp, int flag, int argc,
> 12 char *const argv[])
> 13 {
> 14 u8 *ptr = NULL;
> 15
>>>> CID 316347: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "ptr".
> 16 *ptr = 0;
> 17 return CMD_RET_FAILURE;
> 18 }
> 19
> 20 static int do_undefined(struct cmd_tbl *cmdtp, int flag, int argc,
> 21 char *const argv[])
>
> ** CID 316346: Control flow issues (UNREACHABLE)
> /test/cmd/setexpr.c: 275 in setexpr_test_backref()
>
>
> ________________________________________________________________________________________________________
> *** CID 316346: Control flow issues (UNREACHABLE)
> /test/cmd/setexpr.c: 275 in setexpr_test_backref()
> 269 "us \\1 \\2 \\3!", true));
> 270 ut_asserteq_str("us this is surely! a test is it? yes us this is indeed! a test",
> 271 buf);
> 272
> 273 /* The following checks fail at present due to a bug in setexpr */
> 274 return 0;
>>>> CID 316346: Control flow issues (UNREACHABLE)
>>>> This code cannot be reached: "i = 256;".
> 275 for (i = BUF_SIZE; i < 0x1000; i++) {
> 276 ut_assertf(buf[i] == (char)i,
> 277 "buf byte at %x should be %02x, got %02x)\n",
> 278 i, i & 0xff, (u8)buf[i]);
> 279 ut_assertf(nbuf[i] == (char)i,
> 280 "nbuf byte at %x should be %02x, got %02x)\n",
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DzXLV_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFlP-2B70lLxg94OYlINE3kVz2K7-2BaNONHtJP8TbjZRniVWbxuTUQjTtQl1N-2FQyFOjCv8gPw5EPU0ENb3p98VX92ve7SRBWt1r1v-2F-2F6AWroTa-2Bh7rN2QA2fbSgDcYmJ9RJ86TD6dhAH88KDOiq3Saai3zTbA9TSu9jcthFTuvEyi5KBE-3D
>
> To manage Coverity Scan email notifications for "tom.rini at gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DBleN_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTvNl0LKdSggNphGlGz-2FZpFl83Kn4j1MsEeVR-2BhiT4TgLlRMzBzziPEpnjhf5UW-2FNLxwPg-2FlX4hM5uoZCyOPlCN-2BiReYf6wkiLt6iKknc3lnJUyqsWnyxIFGwSu2OUxAVy5vnsIFdRuglO4-2B9vJx2XrTM801x6AhuO0Zb5xr5hI9qgs9dwug2dbKvAt0T-2F-2Bv9VI-3D
>
>
> ----- End forwarded message -----
>
More information about the U-Boot
mailing list