[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Andre Przywara
andre.przywara at arm.com
Wed Jan 20 22:03:40 CET 2021
On Wed, 20 Jan 2021 14:04:18 -0500
Tom Rini <trini at konsulko.com> wrote:
Hi Tom,
> I decided to run Coverity part-way through the merge window this time
> and here's what's been found so far.
Thanks for that!
>
> ----- Forwarded message from scan-admin at coverity.com -----
>
> Date: Mon, 18 Jan 2021 17:53:19 +0000 (UTC)
> From: scan-admin at coverity.com
> To: tom.rini at gmail.com
> Subject: New Defects reported by Coverity Scan for Das U-Boot
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das
> U-Boot found with Coverity Scan.
>
> 23 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 2 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 23 defect(s)
>
>
> ** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
>
>
> ________________________________________________________________________________________________________
> *** CID 316365: Memory - corruptions (STRING_OVERFLOW)
> /tools/sunxi_egon.c: 96 in egon_set_header()
> 90
> 91 /* If an image name has been provided, use it as the DT name.*/
> 92 if (params->imagename && params->imagename[0]) {
> 93 if (strlen(params->imagename) >
> sizeof(header->string_pool) - 1)
> 94 printf("WARNING: DT name too long for SPL
> header!\n");
> 95 else {
> >>> CID 316365: Memory - corruptions (STRING_OVERFLOW)
> >>> You might overrun the 13-character destination string
> >>> "header->string_pool" by writing 51 characters from
> >>> "params->imagename".
So this is a false report, as string_pool is 13 *words*:
uint32_t string_pool[13];
And I explicitly used sizeof() to avoid any ambiguities here.
One could argue that this is at least misleading for a human reader, and
a string pool should indeed be made of "char"s (which looks like indeed
worth a patch), but the buffer is definitely 52 bytes long (and sizeof
reports that).
Not sure if that's worth reporting to Coverity, or we do just ignore it?
Cheers,
Andre
> 96 strcpy((char *)header->string_pool, params->imagename);
More information about the U-Boot
mailing list