[scan-admin at coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
Tom Rini
trini at konsulko.com
Tue Feb 1 01:33:30 CET 2022
Hey folks,
Here's the latest report and I think some of these are new tests rather
than new code.
----- Forwarded message from scan-admin at coverity.com -----
Date: Mon, 31 Jan 2022 23:09:01 +0000 (UTC)
From: scan-admin at coverity.com
To: tom.rini at gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 new defect(s) introduced to Das U-Boot found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)
** CID 345920: API usage errors (CHAR_IO)
/tools/bmp_logo.c: 165 in main()
________________________________________________________________________________________________________
*** CID 345920: API usage errors (CHAR_IO)
/tools/bmp_logo.c: 165 in main()
159 "#define __BMP_LOGO_DATA_H__\n\n");
160
161 /* read and print the palette information */
162 printf("unsigned short bmp_logo_palette[] = {\n");
163
164 for (i=0; i<n_colors; ++i) {
>>> CID 345920: API usage errors (CHAR_IO)
>>> Assigning the return value of "fgetc" to char "b->palette[(int)(i * 3 + 2)]" truncates its value.
165 b->palette[(int)(i*3+2)] = fgetc(fp);
166 b->palette[(int)(i*3+1)] = fgetc(fp);
167 b->palette[(int)(i*3+0)] = fgetc(fp);
168 x=fgetc(fp);
169
170 printf ("%s0x0%X%X%X,%s",
** CID 345919: Resource leaks (RESOURCE_LEAK)
/tools/image-host.c: 969 in fit_config_get_regions()
________________________________________________________________________________________________________
*** CID 345919: Resource leaks (RESOURCE_LEAK)
/tools/image-host.c: 969 in fit_config_get_regions()
963 len += strlen(node_inc.strings[i]) + 1;
964 }
965 region_prop = malloc(len);
966 if (!region_prop) {
967 printf("Out of memory setting up regions for configuration '%s/%s'\n",
968 conf_name, sig_name);
>>> CID 345919: Resource leaks (RESOURCE_LEAK)
>>> Variable "region" going out of scope leaks the storage it points to.
969 return -ENOMEM;
970 }
971 for (i = len = 0; i < node_inc.count;
972 len += strlen(node_inc.strings[i]) + 1, i++)
973 strcpy(region_prop + len, node_inc.strings[i]);
974 strlist_free(&node_inc);
** CID 345918: Error handling issues (CHECKED_RETURN)
/tools/bmp_logo.c: 41 in skip_bytes()
________________________________________________________________________________________________________
*** CID 345918: Error handling issues (CHECKED_RETURN)
/tools/bmp_logo.c: 41 in skip_bytes()
35 return val;
36 }
37
38 void skip_bytes (FILE *fp, int n)
39 {
40 while (n-- > 0)
>>> CID 345918: Error handling issues (CHECKED_RETURN)
>>> Calling "fgetc(fp)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
41 fgetc (fp);
42 }
43
44 __attribute__ ((__noreturn__))
45 int error (char * msg, FILE *fp)
46 {
** CID 345917: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 121 in read_bin_file()
________________________________________________________________________________________________________
*** CID 345917: Resource leaks (RESOURCE_LEAK)
/tools/mkeficapsule.c: 121 in read_bin_file()
115
116 *data = buf;
117 *bin_size = bin_stat.st_size;
118 err:
119 fclose(g);
120
>>> CID 345917: Resource leaks (RESOURCE_LEAK)
>>> Variable "buf" going out of scope leaks the storage it points to.
121 return ret;
122 }
123
124 /**
125 * write_capsule_file - write a capsule file
126 * @bin: FILE stream
** CID 345916: Code maintainability issues (UNUSED_VALUE)
/tools/bmp_logo.c: 168 in main()
________________________________________________________________________________________________________
*** CID 345916: Code maintainability issues (UNUSED_VALUE)
/tools/bmp_logo.c: 168 in main()
162 printf("unsigned short bmp_logo_palette[] = {\n");
163
164 for (i=0; i<n_colors; ++i) {
165 b->palette[(int)(i*3+2)] = fgetc(fp);
166 b->palette[(int)(i*3+1)] = fgetc(fp);
167 b->palette[(int)(i*3+0)] = fgetc(fp);
>>> CID 345916: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "fgetc(fp)" to "x" here, but that stored value is overwritten before it can be used.
168 x=fgetc(fp);
169
170 printf ("%s0x0%X%X%X,%s",
171 ((i%8) == 0) ? "\t" : " ",
172 (b->palette[(int)(i*3+0)] >> 4) & 0x0F,
173 (b->palette[(int)(i*3+1)] >> 4) & 0x0F,
** CID 345915: Control flow issues (NO_EFFECT)
/lib/image-sparse.c: 214 in write_sparse_image()
________________________________________________________________________________________________________
*** CID 345915: Control flow issues (NO_EFFECT)
/lib/image-sparse.c: 214 in write_sparse_image()
208 response);
209 return -1;
210 }
211
212 blks = write_sparse_chunk_raw(info, blk, blkcnt,
213 data, response);
>>> CID 345915: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "blks < 0UL".
214 if (blks < 0)
215 return -1;
216
217 blk += blks;
218 bytes_written += ((u64)blkcnt) * info->blksz;
219 total_blocks += chunk_header->chunk_sz;
** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/tools/mkeficapsule.c: 96 in read_bin_file()
________________________________________________________________________________________________________
*** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/tools/mkeficapsule.c: 96 in read_bin_file()
90 }
91 if (stat(bin, &bin_stat) < 0) {
92 fprintf(stderr, "cannot determine the size of %s\n", bin);
93 ret = -1;
94 goto err;
95 }
>>> CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "bin_stat.st_size > 18446744073709551615UL" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
96 if (bin_stat.st_size > SIZE_MAX) {
97 fprintf(stderr, "file size is too large for malloc: %s\n", bin);
98 ret = -1;
99 goto err;
100 }
101 buf = malloc(bin_stat.st_size);
** CID 345913: (TAINTED_SCALAR)
/drivers/core/ofnode.c: 477 in ofnode_read_string_list()
________________________________________________________________________________________________________
*** CID 345913: (TAINTED_SCALAR)
/drivers/core/ofnode.c: 473 in ofnode_read_string_list()
467 count = ofnode_read_string_count(node, property);
468 if (count < 0)
469 return count;
470 if (!count)
471 return 0;
472
>>> CID 345913: (TAINTED_SCALAR)
>>> Passing tainted expression "count + 1" to "dlcalloc", which uses it as an offset.
473 prop = calloc(count + 1, sizeof(char *));
474 if (!prop)
475 return -ENOMEM;
476
477 for (i = 0; i < count; i++)
478 ofnode_read_string_index(node, property, i, &prop[i]);
/drivers/core/ofnode.c: 477 in ofnode_read_string_list()
471 return 0;
472
473 prop = calloc(count + 1, sizeof(char *));
474 if (!prop)
475 return -ENOMEM;
476
>>> CID 345913: (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
477 for (i = 0; i < count; i++)
478 ofnode_read_string_index(node, property, i, &prop[i]);
479 prop[count] = NULL;
480 *listp = prop;
481
482 return count;
** CID 345912: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest()
________________________________________________________________________________________________________
*** CID 345912: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest()
226 sig_data = sig_data->next) {
227 #ifdef DEBUG
228 EFI_PRINT("Msg digest in database:\n");
229 print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1,
230 sig_data->data, sig_data->size, false);
231 #endif
>>> CID 345912: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "hash" to "memcmp", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
232 if (sig_data->size == size &&
233 !memcmp(sig_data->data, hash, size)) {
234 found = true;
235 free(hash);
236 goto out;
237 }
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom