New Defects reported by Coverity Scan for Das U-Boot

Heinrich Schuchardt xypron.glpk at gmx.de
Mon Nov 1 21:21:34 CET 2021


Hello Tom,

CID 340849:  Uninitialized variables  (UNINIT)
is invalid: If efi_allocate_pages fails, addr is not used.

CID 166730:  Integer handling issues  (SIGN_EXTENSION)
is invalid. u16 is first promoted to u32 (not int) and then shifted and
then promoted to u64.

Best regards

Heinrich

On 11/1/21 20:29, scan-admin at coverity.com wrote:
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
> 10 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 10 of 10 defect(s)
>
>
> ** CID 340850:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 81 in lib_test_abuf_realloc()
>
>
> ________________________________________________________________________________________________________
> *** CID 340850:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 81 in lib_test_abuf_realloc()
> 75     	/*
> 76     	 * TODO: crashes on sandbox sometimes due to an apparent bug in
> 77     	 * realloc().
> 78     	 */
> 79     	return 0;
> 80
>>>>      CID 340850:  Control flow issues  (UNREACHABLE)
>>>>      This code cannot be reached: "start = ut_check_free();".
> 81     	start = ut_check_free();
> 82
> 83     	abuf_init(&buf);
> 84
> 85     	/* Allocate an empty buffer */
> 86     	ut_asserteq(true, abuf_realloc(&buf, 0));
>
> ** CID 340849:  Uninitialized variables  (UNINIT)
> /lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()
>
>
> ________________________________________________________________________________________________________
> *** CID 340849:  Uninitialized variables  (UNINIT)
> /lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()
> 1985     					&buffer_size, (void *)(uintptr_t)addr));
> 1986     	if (ret != EFI_SUCCESS)
> 1987     		efi_free_pages(addr, pages);
> 1988     out:
> 1989     	EFI_CALL(efi_close_protocol(device, guid, efi_root, NULL));
> 1990     	if (ret == EFI_SUCCESS) {
>>>>      CID 340849:  Uninitialized variables  (UNINIT)
>>>>      Using uninitialized value "addr".
> 1991     		*buffer = (void *)(uintptr_t)addr;
> 1992     		*size = buffer_size;
> 1993     	}
> 1994
> 1995     	return ret;
> 1996     }
>
> ** CID 340848:  Control flow issues  (DEADCODE)
> /lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()
>
>
> ________________________________________________________________________________________________________
> *** CID 340848:  Control flow issues  (DEADCODE)
> /lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()
> 249     	} else if (engine_id) {
> 250     		if (keydir && name)
> 251     			snprintf(key_id, sizeof(key_id),
> 252     				 "%s%s",
> 253     				 keydir, name);
> 254     		else if (name)
>>>>      CID 340848:  Control flow issues  (DEADCODE)
>>>>      Execution cannot reach the expression """" inside this statement: "snprintf(key_id, 1024UL, "%...".
> 255     			snprintf(key_id, sizeof(key_id),
> 256     				 "%s",
> 257     				 name ? name : "");
> 258     		else if (keyfile)
> 259     			snprintf(key_id, sizeof(key_id), "%s", keyfile);
> 260     		else
>
> ** CID 340847:    (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 340847:    (TAINTED_SCALAR)
> /lib/zstd/zstd.c: 49 in zstd_decompress()
> 43     	out_buf.pos = 0;
> 44     	out_buf.size = abuf_size(out);
> 45
> 46     	while (1) {
> 47     		size_t res;
> 48
>>>>      CID 340847:    (TAINTED_SCALAR)
>>>>      Passing tainted variable "dstream->inBuff" to a tainted sink.
> 49     		res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
> 50     		if (ZSTD_isError(res)) {
> 51     			ret = ZSTD_getErrorCode(res);
> 52     			log_err("ZSTD_decompressStream error %d\n", ret);
> 53     			goto do_free;
> 54     		}
> /lib/zstd/zstd.c: 49 in zstd_decompress()
> 43     	out_buf.pos = 0;
> 44     	out_buf.size = abuf_size(out);
> 45
> 46     	while (1) {
> 47     		size_t res;
> 48
>>>>      CID 340847:    (TAINTED_SCALAR)
>>>>      Passing tainted variable "in_buf.src" to a tainted sink.
> 49     		res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
> 50     		if (ZSTD_isError(res)) {
> 51     			ret = ZSTD_getErrorCode(res);
> 52     			log_err("ZSTD_decompressStream error %d\n", ret);
> 53     			goto do_free;
> 54     		}
>
> ** CID 340846:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 144 in lib_test_abuf_large()
>
>
> ________________________________________________________________________________________________________
> *** CID 340846:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 144 in lib_test_abuf_large()
> 138     	/*
> 139     	 * This crashes at present due to trying to allocate more memory than
> 140     	 * available, which breaks something on sandbox.
> 141     	 */
> 142     	return 0;
> 143
>>>>      CID 340846:  Control flow issues  (UNREACHABLE)
>>>>      This code cannot be reached: "start = ut_check_free();".
> 144     	start = ut_check_free();
> 145
> 146     	/* Try an impossible size */
> 147     	abuf_init(&buf);
> 148     	ut_asserteq(false, abuf_realloc(&buf, CONFIG_SYS_MALLOC_LEN));
> 149     	ut_assertnull(buf.data);
>
> ** CID 340845:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()
>
>
> ________________________________________________________________________________________________________
> *** CID 340845:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()
> 205     	 * TODO: crashes on sandbox sometimes due to an apparent bug in
> 206     	 * realloc().
> 207     	 */
> 208     	return 0;
> 209
> 210     	/* Move an empty buffer */
>>>>      CID 340845:  Control flow issues  (UNREACHABLE)
>>>>      This code cannot be reached: "abuf_init(&buf);".
> 211     	abuf_init(&buf);
> 212     	ut_assertnull(abuf_uninit_move(&buf, &size));
> 213     	ut_asserteq(0, size);
> 214     	ut_assertnull(abuf_uninit_move(&buf, NULL));
> 215
> 216     	/* Move an unallocated buffer */
>
> ** CID 340844:    (DEADCODE)
> /drivers/usb/gadget/ether.c: 2078 in eth_bind()
> /drivers/usb/gadget/ether.c: 2178 in eth_bind()
> /drivers/usb/gadget/ether.c: 2174 in eth_bind()
> /drivers/usb/gadget/ether.c: 2310 in eth_bind()
> /drivers/usb/gadget/ether.c: 2246 in eth_bind()
>
>
> ________________________________________________________________________________________________________
> *** CID 340844:    (DEADCODE)
> /drivers/usb/gadget/ether.c: 2078 in eth_bind()
> 2072     	 * needed to install MSFT drivers.  Current Linux kernels will use
> 2073     	 * the second configuration if it's CDC Ethernet, and need some help
> 2074     	 * to choose the right configuration otherwise.
> 2075     	 */
> 2076     	if (rndis) {
> 2077     #if defined(CONFIG_USB_GADGET_VENDOR_NUM) && defined(CONFIG_USB_GADGET_PRODUCT_NUM)
>>>>      CID 340844:    (DEADCODE)
>>>>      Execution cannot reach this statement: "device_desc.idVendor = 0;".
> 2078     		device_desc.idVendor =
> 2079     			__constant_cpu_to_le16(CONFIG_USB_GADGET_VENDOR_NUM);
> 2080     		device_desc.idProduct =
> 2081     			__constant_cpu_to_le16(CONFIG_USB_GADGET_PRODUCT_NUM);
> 2082     #else
> 2083     		device_desc.idVendor =
> /drivers/usb/gadget/ether.c: 2178 in eth_bind()
> 2172     	/* For now RNDIS is always a second config */
> 2173     	if (rndis)
> 2174     		device_desc.bNumConfigurations = 2;
> 2175
> 2176     	if (gadget_is_dualspeed(gadget)) {
> 2177     		if (rndis)
>>>>      CID 340844:    (DEADCODE)
>>>>      Execution cannot reach this statement: "dev_qualifier.bNumConfigura...".
> 2178     			dev_qualifier.bNumConfigurations = 2;
> 2179     		else if (!cdc)
> 2180     			dev_qualifier.bDeviceClass = USB_CLASS_VENDOR_SPEC;
> 2181
> 2182     		/* assumes ep0 uses the same value for both speeds ... */
> 2183     		dev_qualifier.bMaxPacketSize0 = device_desc.bMaxPacketSize0;
> /drivers/usb/gadget/ether.c: 2174 in eth_bind()
> 2168     	}
> 2169
> 2170     	usb_gadget_set_selfpowered(gadget);
> 2171
> 2172     	/* For now RNDIS is always a second config */
> 2173     	if (rndis)
>>>>      CID 340844:    (DEADCODE)
>>>>      Execution cannot reach this statement: "device_desc.bNumConfigurati...".
> 2174     		device_desc.bNumConfigurations = 2;
> 2175
> 2176     	if (gadget_is_dualspeed(gadget)) {
> 2177     		if (rndis)
> 2178     			dev_qualifier.bNumConfigurations = 2;
> 2179     		else if (!cdc)
> /drivers/usb/gadget/ether.c: 2310 in eth_bind()
> 2304     		printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
> 2305     			dev->host_mac[0], dev->host_mac[1],
> 2306     			dev->host_mac[2], dev->host_mac[3],
> 2307     			dev->host_mac[4], dev->host_mac[5]);
> 2308
> 2309     	if (rndis) {
>>>>      CID 340844:    (DEADCODE)
>>>>      Execution cannot reach this statement: "vendorID = 0U;".
> 2310     		u32	vendorID = 0;
> 2311
> 2312     		/* FIXME RNDIS vendor id == "vendor NIC code" == ? */
> 2313
> 2314     		dev->rndis_config = rndis_register(rndis_control_ack);
> 2315     		if (dev->rndis_config < 0) {
> /drivers/usb/gadget/ether.c: 2246 in eth_bind()
> 2240     	sprintf(ethaddr, "%02X%02X%02X%02X%02X%02X",
> 2241     		dev->host_mac[0], dev->host_mac[1],
> 2242     			dev->host_mac[2], dev->host_mac[3],
> 2243     			dev->host_mac[4], dev->host_mac[5]);
> 2244
> 2245     	if (rndis) {
>>>>      CID 340844:    (DEADCODE)
>>>>      Execution cannot reach this statement: "status = rndis_init();".
> 2246     		status = rndis_init();
> 2247     		if (status < 0) {
> 2248     			pr_err("can't init RNDIS, %d", status);
> 2249     			goto fail;
> 2250     		}
> 2251     	}
>
> ** CID 340843:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 315 in lib_test_abuf_init_move()
>
>
> ________________________________________________________________________________________________________
> *** CID 340843:  Control flow issues  (UNREACHABLE)
> /test/lib/abuf.c: 315 in lib_test_abuf_init_move()
> 309     	/*
> 310     	 * TODO: crashes on sandbox sometimes due to an apparent bug in
> 311     	 * realloc().
> 312     	 */
> 313     	return 0;
> 314
>>>>      CID 340843:  Control flow issues  (UNREACHABLE)
>>>>      This code cannot be reached: "ptr = sandbox_strdup(test_d...".
> 315     	ptr = strdup(test_data);
> 316     	ut_assertnonnull(ptr);
> 317
> 318     	free(ptr);
> 319
> 320     	abuf_init_move(&buf, ptr, TEST_DATA_LEN);
>
> ** CID 312933:  Error handling issues  (CHECKED_RETURN)
> /net/mdio-uclass.c: 33 in dm_mdio_probe_devices()
>
>
> ________________________________________________________________________________________________________
> *** CID 312933:  Error handling issues  (CHECKED_RETURN)
> /net/mdio-uclass.c: 33 in dm_mdio_probe_devices()
> 27
> 28     void dm_mdio_probe_devices(void)
> 29     {
> 30     	struct udevice *it;
> 31     	struct uclass *uc;
> 32
>>>>      CID 312933:  Error handling issues  (CHECKED_RETURN)
>>>>      Calling "uclass_get" without checking return value (as is done elsewhere 58 out of 72 times).
> 33     	uclass_get(UCLASS_MDIO, &uc);
> 34     	uclass_foreach_dev(it, uc) {
> 35     		device_probe(it);
> 36     	}
> 37     }
> 38
>
> ** CID 166730:  Integer handling issues  (SIGN_EXTENSION)
> /drivers/nvme/nvme.c: 786 in nvme_blk_rw()
>
>
> ________________________________________________________________________________________________________
> *** CID 166730:  Integer handling issues  (SIGN_EXTENSION)
> /drivers/nvme/nvme.c: 786 in nvme_blk_rw()
> 780     		c.rw.prp2 = cpu_to_le64(prp2);
> 781     		status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q],
> 782     				&c, NULL, IO_TIMEOUT);
> 783     		if (status)
> 784     			break;
> 785     		temp_len -= (u32)lbas << ns->lba_shift;
>>>>      CID 166730:  Integer handling issues  (SIGN_EXTENSION)
>>>>      Suspicious implicit sign extension: "lbas" with type "u16" (16 bits, unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
> 786     		temp_buffer += lbas << ns->lba_shift;
> 787     	}
> 788
> 789     	if (read)
> 790     		invalidate_dcache_range((unsigned long)buffer,
> 791     					(unsigned long)buffer + total_len);
>
>
> ________________________________________________________________________________________________________
> To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DZsDS_N64QlSHam5hYYsLU0uvEm3xiMtcSlv2JwRoKVmjv-2F2UsMGDkb6QQ9zv03O-2B521th4jk9hdxmyjqr4mvO8TNNoh0FnQ-2B5N3U5DGzMq2yk1UZZ-2FQb1oOcWdWOfY78ZlgiVwleQahFPDPcwRvW6D61sR497IHf99iJnYLg00Ftzy7iWuIa28dd2x3FHtb4iktmmQnx-2FyuscxPEBjMTurr2nmw-3D-3D