New Defects reported by Coverity Scan for Das U-Boot

Simon Glass sjg at chromium.org
Wed Mar 24 23:00:00 CET 2021 

+U-Boot Mailing List

On Wed, 3 Mar 2021 at 03:44, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> On 02.03.21 14:30, scan-admin at coverity.com wrote:
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> > 2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> > 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 2 of 2 defect(s)
> >
> >
> > ** CID 325866:  Error handling issues  (CHECKED_RETURN)
> > /drivers/core/ofnode.c: 77 in ofnode_read_s32_default()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 325866:  Error handling issues  (CHECKED_RETURN)
> > /drivers/core/ofnode.c: 77 in ofnode_read_s32_default()
> > 71            return def;
> > 72     }
> > 73
> > 74     int ofnode_read_s32_default(ofnode node, const char *propname, s32 def)
> > 75     {
> > 76            assert(ofnode_valid(node));
> >>>>     CID 325866:  Error handling issues  (CHECKED_RETURN)
> >>>>     Calling "ofnode_read_u32" without checking return value (as is done elsewhere 14 out of 17 times).
>
> This is a false positive. If the node is not found, def remains
> unchanged which matches the function description.
>
> > 77            ofnode_read_u32(node, propname, (u32 *)&def);
> > 78
> > 79            return def;
> > 80     }
> > 81
> > 82     int ofnode_read_u64(ofnode node, const char *propname, u64 *outp)
> >
> > ** CID 325865:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> > /drivers/fastboot/fb_mmc.c: 64 in raw_part_get_info_by_name()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 325865:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> > /drivers/fastboot/fb_mmc.c: 64 in raw_part_get_info_by_name()
> > 58                    }
> > 59            }
> > 60
> > 61            info->start = simple_strtoul(argv[0], NULL, 0);
> > 62            info->size = simple_strtoul(argv[1], NULL, 0);
> > 63            info->blksz = dev_desc->blksz;
> >>>>     CID 325865:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
> >>>>     Calling "strncpy" with a maximum size argument of 32 bytes on destination array "info->name" of size 32 bytes might leave the destination string unterminated.
>
> Here we have a real issue.
>
> info->name is assumed to be null-terminated in different library calls,
> e.g. when calling part_get_info_by_name().
>
> Inside cmd/cpt.c we find the following conflicting lines:
>
> cmd/gpt.c:209:
> newpart->gpt_part_info.name[PART_NAME_LEN - 1] = '\0';
>
> cmd/gpt.c:842:
> if ((strlen(name1) > PART_NAME_LEN) || (strlen(name2) > PART_NAME_LEN)) {
>     printf("Names longer than %d characters are truncated.\n",
>
> So in line 209 we assume that PART_NAME_LEN includes the terminating NUL
> while in line 842 we assume that it does not.
>
> What needs to be done is:
>
> * document the structure field disk_partition.name so that it is
>   clear if this field is null-terminated or not
> * document the meaning of PART_NAME_LEN
> * check all usages of the field and PART_NAME_LEN
>
> Best regards
>
> Heinrich
>
>
> > 64            strncpy((char *)info->name, name, PART_NAME_LEN);
> > 65
> > 66            if (raw_part_desc) {
> > 67                    if (strcmp(strsep(&raw_part_desc, " "), "mmcpart") == 0) {
> > 68                            ulong mmcpart = simple_strtoul(raw_part_desc, NULL, 0);
> > 69                            int ret = blk_dselect_hwpart(dev_desc, mmcpart);
> >
> >
> > ________________________________________________________________________________________________________
> > To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DbjkX_N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2W9scyTee7fb3OFpRv9kImrRqsKxlWoCO8zAeiIiAhqzSbrl4dXq9dXyAqi-2Fc0Jnwl-2FtH-2F6CeLIdaJ1B6nYgbrPrfQp-2FcoNWNRxS33O5yOY4dM-2FGF7XqrRr5G9AcX6O5K68VD-2FUnecqWgoMQ1p8zvxz5uSqy-2BRTvJPOAZAR5wWVKAbb5ohWYJh4aaJ24cyyKlc-3D
> >
> >   To manage Coverity Scan email notifications for "xypron.glpk at gmx.de", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXx4Y-2F1WK-2FIlbEOzfoxXLI-2FdwA0wwGn90rGGrBgiHW-2ByLDLbUOEV7XOvtc9zJmj9LPyrT06WSaMnNrm6wfrUN-2BXuWoaHdqOoEyL7CQlGSiE-2BfE-3DDif__N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2W9scyTee7fb3OFpRv9kImr5eGADaWc9Gt2gE-2B5omGfwd2OEqtcwui0xgv2IURP-2BE-2BQ7i8p1lcSxhNpWKzf-2FstT1hBUmr8A-2Bondt-2Fcoj1lkWT-2BUp3IZnpnAzSzRNjIb0r85mSanNDe7kFVu6nNNGP4Gqpy1eEdxEVV3XbHRIfaxr0nF6YselCjEp-2BLdL5Rzfmg-3D
> >
>

More information about the U-Boot mailing list