Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Wed Nov 9 16:40:55 CET 2022
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Nov 7, 2022 at 3:41 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find below the latest report on new defect(s) introduced into Das
U-Boot, as found by Coverity Scan.
21 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s) previously reported by Coverity Scan were marked fixed in
the most recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 21 defect(s)
** CID 376213: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in
efi_install_multiple_protocol_interfaces_int()
________________________________________________________________________________________________________
*** CID 376213: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in
efi_install_multiple_protocol_interfaces_int()
2636 int i = 0;
2637 efi_va_list argptr_copy;
2638
2639 if (!handle)
2640 return EFI_INVALID_PARAMETER;
2641
>>> CID 376213: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2642 efi_va_copy(argptr_copy, argptr);
2643 for (;;) {
2644 protocol = efi_va_arg(argptr, efi_guid_t*);
2645 if (!protocol)
2646 break;
2647 protocol_interface = efi_va_arg(argptr, void*);
** CID 376212: Error handling issues (CHECKED_RETURN)
________________________________________________________________________________________________________
*** CID 376212: Error handling issues (CHECKED_RETURN)
/drivers/usb/emul/sandbox_flash.c: 197 in handle_ufi_command()
191
192 ret = sb_scsi_emul_command(info, req, len);
193 if (!ret) {
194 setup_response(priv);
195 } else if ((ret == SCSI_EMUL_DO_READ || ret ==
SCSI_EMUL_DO_WRITE) &&
196 priv->fd != -1) {
>>> CID 376212: Error handling issues (CHECKED_RETURN)
>>> Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
197 os_lseek(priv->fd, info->seek_block * info->block_size,
198 OS_SEEK_SET);
199 setup_response(priv);
200 } else {
201 setup_fail_response(priv);
202 }
** CID 376211: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 376211: (TAINTED_SCALAR)
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469 if (lo.file_path)
1470 fill_file_info(lo.file_path,
&bo->file_info, device_dp);
1471
1472 /* Initrd file path(optional) is placed at
second instance. */
1473 initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474 if (initrd_dp) {
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "initrd_dp->length" to "fill_file_info", which uses it as an offset.
1475 fill_file_info(initrd_dp,
&bo->initrd_info, initrd_device_dp);
1476 efi_free_pool(initrd_dp);
1477 }
1478
1479 if (size > 0)
1480 memcpy(bo->optional_data,
lo.optional_data, size);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529 ret = eficonfig_set_boot_option(varname, final_dp,
final_dp_size, bo->description, tmp);
1530 if (ret != EFI_SUCCESS)
1531 goto out;
1532 out:
1533 free(tmp);
1534 free(bo->optional_data);
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535 free(bo->description);
1536 free(bo->file_info.current_path);
1537 free(bo->initrd_info.current_path);
1538 efi_free_pool(device_dp);
1539 efi_free_pool(initrd_device_dp);
1540 efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1534 in eficonfig_edit_boot_option()
1528
1529 ret = eficonfig_set_boot_option(varname, final_dp,
final_dp_size, bo->description, tmp);
1530 if (ret != EFI_SUCCESS)
1531 goto out;
1532 out:
1533 free(tmp);
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "*bo->optional_data" to "dlfree", which uses it as an offset.
1534 free(bo->optional_data);
1535 free(bo->description);
1536 free(bo->file_info.current_path);
1537 free(bo->initrd_info.current_path);
1538 efi_free_pool(device_dp);
1539 efi_free_pool(initrd_device_dp);
/cmd/eficonfig.c: 1534 in eficonfig_edit_boot_option()
1528
1529 ret = eficonfig_set_boot_option(varname, final_dp,
final_dp_size, bo->description, tmp);
1530 if (ret != EFI_SUCCESS)
1531 goto out;
1532 out:
1533 free(tmp);
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "*bo->optional_data" to "dlfree", which uses it as an offset.
1534 free(bo->optional_data);
1535 free(bo->description);
1536 free(bo->file_info.current_path);
1537 free(bo->initrd_info.current_path);
1538 efi_free_pool(device_dp);
1539 efi_free_pool(initrd_device_dp);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529 ret = eficonfig_set_boot_option(varname, final_dp,
final_dp_size, bo->description, tmp);
1530 if (ret != EFI_SUCCESS)
1531 goto out;
1532 out:
1533 free(tmp);
1534 free(bo->optional_data);
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535 free(bo->description);
1536 free(bo->file_info.current_path);
1537 free(bo->initrd_info.current_path);
1538 efi_free_pool(device_dp);
1539 efi_free_pool(initrd_device_dp);
1540 efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529 ret = eficonfig_set_boot_option(varname, final_dp,
final_dp_size, bo->description, tmp);
1530 if (ret != EFI_SUCCESS)
1531 goto out;
1532 out:
1533 free(tmp);
1534 free(bo->optional_data);
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535 free(bo->description);
1536 free(bo->file_info.current_path);
1537 free(bo->initrd_info.current_path);
1538 efi_free_pool(device_dp);
1539 efi_free_pool(initrd_device_dp);
1540 efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468 /* EFI image file path is a first instance */
1469 if (lo.file_path)
1470 fill_file_info(lo.file_path,
&bo->file_info, device_dp);
1471
1472 /* Initrd file path(optional) is placed at
second instance. */
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "lo.file_path" to "efi_dp_from_lo", which uses it as a loop boundary.
1473 initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474 if (initrd_dp) {
1475 fill_file_info(initrd_dp,
&bo->initrd_info, initrd_device_dp);
1476 efi_free_pool(initrd_dp);
1477 }
1478
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469 if (lo.file_path)
1470 fill_file_info(lo.file_path,
&bo->file_info, device_dp);
1471
1472 /* Initrd file path(optional) is placed at
second instance. */
1473 initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474 if (initrd_dp) {
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "initrd_dp->str" to "fill_file_info", which uses it as an offset.
1475 fill_file_info(initrd_dp,
&bo->initrd_info, initrd_device_dp);
1476 efi_free_pool(initrd_dp);
1477 }
1478
1479 if (size > 0)
1480 memcpy(bo->optional_data,
lo.optional_data, size);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468 /* EFI image file path is a first instance */
1469 if (lo.file_path)
1470 fill_file_info(lo.file_path,
&bo->file_info, device_dp);
1471
1472 /* Initrd file path(optional) is placed at
second instance. */
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "lo.file_path_length" to "efi_dp_from_lo", which uses it as a loop boundary.
1473 initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474 if (initrd_dp) {
1475 fill_file_info(initrd_dp,
&bo->initrd_info, initrd_device_dp);
1476 efi_free_pool(initrd_dp);
1477 }
1478
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464 lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466 u16_strcpy(bo->description, lo.label);
1467
1468 /* EFI image file path is a first instance */
1469 if (lo.file_path)
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "lo.file_path->str" to "fill_file_info", which uses it as an offset.
1470 fill_file_info(lo.file_path,
&bo->file_info, device_dp);
1471
1472 /* Initrd file path(optional) is placed at
second instance. */
1473 initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474 if (initrd_dp) {
1475 fill_file_info(initrd_dp,
&bo->initrd_info, initrd_device_dp);
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464 lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466 u16_strcpy(bo->description, lo.label);
1467
1468 /* EFI image file path is a first instance */
1469 if (lo.file_path)
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "lo.file_path->length" to "fill_file_info", which uses it as an offset.
1470 fill_file_info(lo.file_path,
&bo->file_info, device_dp);
1471
1472 /* Initrd file path(optional) is placed at
second instance. */
1473 initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474 if (initrd_dp) {
1475 fill_file_info(initrd_dp,
&bo->initrd_info, initrd_device_dp);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468 /* EFI image file path is a first instance */
1469 if (lo.file_path)
1470 fill_file_info(lo.file_path,
&bo->file_info, device_dp);
1471
1472 /* Initrd file path(optional) is placed at
second instance. */
>>> CID 376211: (TAINTED_SCALAR)
>>> Passing tainted expression "lo.file_path_length" to "efi_dp_from_lo", which uses it as a loop boundary.
1473 initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474 if (initrd_dp) {
1475 fill_file_info(initrd_dp,
&bo->initrd_info, initrd_device_dp);
1476 efi_free_pool(initrd_dp);
1477 }
1478
** CID 376210: (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()
________________________________________________________________________________________________________
*** CID 376210: (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
29 struct scsi_inquiry_resp *resp = (void *)info->buff;
30
31 info->alloc_len = req->cmd[4];
32 memset(resp, '\0', sizeof(*resp));
33 resp->data_format = 1;
34 resp->additional_len = 0x1f;
>>> CID 376210: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 8 bytes on destination array "resp->vendor" of size 8 bytes might leave the destination string unterminated.
35 strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
36 strncpy(resp->product, info->product, sizeof(resp->product));
37 strncpy(resp->revision, "1.0", sizeof(resp->revision));
38 info->buff_used = sizeof(*resp);
39 break;
40 }
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()
30
31 info->alloc_len = req->cmd[4];
32 memset(resp, '\0', sizeof(*resp));
33 resp->data_format = 1;
34 resp->additional_len = 0x1f;
35 strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
>>> CID 376210: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 16 bytes on destination array "resp->product" of size 16 bytes might leave the destination string unterminated.
36 strncpy(resp->product, info->product, sizeof(resp->product));
37 strncpy(resp->revision, "1.0", sizeof(resp->revision));
38 info->buff_used = sizeof(*resp);
39 break;
40 }
41 case SCSI_TST_U_RDY:
** CID 376209: Null pointer dereferences (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()
________________________________________________________________________________________________________
*** CID 376209: Null pointer dereferences (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()
1243 }
1244 }
1245
1246 /* We ran out of siblings. Try the next bus */
1247 uclass_next_device(&bus);
1248
>>> CID 376209: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1249 return bus ? skip_to_next_device(bus, devp) : 0;
1250 }
1251
1252 int pci_find_first_device(struct udevice **devp)
1253 {
1254 struct udevice *bus;
** CID 376208: Null pointer dereferences (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()
________________________________________________________________________________________________________
*** CID 376208: Null pointer dereferences (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()
25 struct udevice *bus, *child;
26
27 uclass_first_device(UCLASS_VIRTIO, &bus);
28 if (!bus)
29 return CMD_RET_FAILURE;
30
>>> CID 376208: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
31 while (bus) {
32 device_foreach_child_probe(child, bus)
33 ;
34 uclass_next_device(&bus);
35 }
36
** CID 376207: Uninitialized variables (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()
________________________________________________________________________________________________________
*** CID 376207: Uninitialized variables (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()
2319 }
2320 next:
2321 free(load_option);
2322 }
2323
2324 out:
>>> CID 376207: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
2325 return ret;
2326 }
2327
2328 /**
2329 * eficonfig_generate_media_device_boot_option() - generate
the media device boot option
2330 *
** CID 376206: (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
/cmd/eficonfig.c: 134 in eficonfig_print_msg()
________________________________________________________________________________________________________
*** CID 376206: (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
121 * Return: status code
122 */
123 void eficonfig_print_msg(char *msg)
124 {
125 /* Flush input */
126 while (tstc())
>>> CID 376206: (CHECKED_RETURN)
>>> Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
127 getchar();
128
129 printf(ANSI_CURSOR_HIDE
130 ANSI_CLEAR_CONSOLE
131 ANSI_CURSOR_POSITION
132 "%s\n\n Press any key to continue", 3, 4, msg);
/cmd/eficonfig.c: 134 in eficonfig_print_msg()
128
129 printf(ANSI_CURSOR_HIDE
130 ANSI_CLEAR_CONSOLE
131 ANSI_CURSOR_POSITION
132 "%s\n\n Press any key to continue", 3, 4, msg);
133
>>> CID 376206: (CHECKED_RETURN)
>>> Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
134 getchar();
135 }
136
137 /**
138 * eficonfig_print_entry() - print each menu entry
139 *
** CID 376205: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 376205: (TAINTED_SCALAR)
/test/test-main.c: 582 in ut_run_list()
576 printf("Running %d %s tests\n", count, category);
577
578 uts.of_root = gd_of_root();
579 uts.runs_per_test = runs_per_test;
580 if (fdt_action() == FDTCHK_COPY && gd->fdt_blob) {
581 uts.fdt_size = fdt_totalsize(gd->fdt_blob);
>>> CID 376205: (TAINTED_SCALAR)
>>> Passing tainted expression "uts.fdt_size" to "os_malloc", which uses it as an offset.
582 uts.fdt_copy = os_malloc(uts.fdt_size);
583 if (!uts.fdt_copy) {
584 printf("Out of memory for device tree copy\n");
585 return -ENOMEM;
586 }
587 memcpy(uts.fdt_copy, gd->fdt_blob, uts.fdt_size);
/test/test-main.c: 596 in ut_run_list()
590 ret = ut_run_tests(&uts, prefix, tests, count, select_name);
591
592 /* Best efforts only...ignore errors */
593 if (has_dm_tests)
594 dm_test_restore(uts.of_root);
595 if (IS_ENABLED(CONFIG_SANDBOX)) {
>>> CID 376205: (TAINTED_SCALAR)
>>> Passing tainted expression "*uts.fdt_copy" to "os_free", which uses it as an offset.
596 os_free(uts.fdt_copy);
597 os_free(uts.other_fdt);
598 }
599
600 if (uts.skip_count)
601 printf("Skipped: %d, ", uts.skip_count);
** CID 376204: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in
efi_uninstall_multiple_protocol_interfaces_ext()
________________________________________________________________________________________________________
*** CID 376204: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in
efi_uninstall_multiple_protocol_interfaces_ext()
2848 efi_uninstall_multiple_protocol_interfaces_ext(efi_handle_t
handle, ...)
2849 {
2850 EFI_ENTRY("%p", handle);
2851 efi_status_t ret;
2852 efi_va_list argptr;
2853
>>> CID 376204: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2854 efi_va_start(argptr, handle);
2855 ret =
efi_uninstall_multiple_protocol_interfaces_int(handle, argptr);
2856 efi_va_end(argptr);
2857 return EFI_EXIT(ret);
2858 }
2859
** CID 376203: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in
efi_uninstall_multiple_protocol_interfaces_int()
________________________________________________________________________________________________________
*** CID 376203: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in
efi_uninstall_multiple_protocol_interfaces_int()
2758 size_t i = 0;
2759 efi_va_list argptr_copy;
2760
2761 if (!handle)
2762 return EFI_INVALID_PARAMETER;
2763
>>> CID 376203: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2764 efi_va_copy(argptr_copy, argptr);
2765 for (;;) {
2766 protocol = efi_va_arg(argptr, efi_guid_t*);
2767 if (!protocol)
2768 break;
2769 protocol_interface = efi_va_arg(argptr, void*);
** CID 376202: Incorrect expression (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()
________________________________________________________________________________________________________
*** CID 376202: Incorrect expression (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()
1524 goto out;
1525 p = tmp;
1526 utf16_utf8_strncpy(&p, bo->optional_data,
u16_strlen(bo->optional_data));
1527 }
1528
1529 ret = eficonfig_set_boot_option(varname, final_dp,
final_dp_size, bo->description, tmp);
>>> CID 376202: Incorrect expression (IDENTICAL_BRANCHES)
>>> The same code is executed when the condition "ret != 0UL" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed?
1530 if (ret != EFI_SUCCESS)
1531 goto out;
1532 out:
1533 free(tmp);
1534 free(bo->optional_data);
1535 free(bo->description);
** CID 376201: Error handling issues (CHECKED_RETURN)
________________________________________________________________________________________________________
*** CID 376201: Error handling issues (CHECKED_RETURN)
/drivers/scsi/sandbox_scsi.c: 54 in sandbox_scsi_exec()
48 ret);
49 return ret;
50 } else if (ret == SCSI_EMUL_DO_READ && priv->fd != -1) {
51 long bytes_read;
52
53 log_debug("read %x %x\n", info->seek_block, info->read_len);
>>> CID 376201: Error handling issues (CHECKED_RETURN)
>>> Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
54 os_lseek(priv->fd, info->seek_block * info->block_size,
55 OS_SEEK_SET);
56 bytes_read = os_read(priv->fd, req->pdata, info->buff_used);
57 if (bytes_read < 0)
58 return bytes_read;
59 if (bytes_read != info->buff_used)
** CID 376200: API usage errors (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in
efi_uninstall_multiple_protocol_interfaces_int()
________________________________________________________________________________________________________
*** CID 376200: API usage errors (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in
efi_uninstall_multiple_protocol_interfaces_int()
2781 }
2782 goto out;
2783 }
2784
2785 /* If an error occurred undo all changes. */
2786 for (; i; --i) {
>>> CID 376200: API usage errors (VARARGS)
>>> Calling va_arg on va_list "argptr_copy", which has not been prepared with va_start().
2787 protocol = efi_va_arg(argptr_copy, efi_guid_t*);
2788 protocol_interface = efi_va_arg(argptr_copy, void*);
2789
EFI_CALL(efi_install_protocol_interface(&handle, protocol,
2790
EFI_NATIVE_INTERFACE,
2791
protocol_interface));
2792 }
** CID 376199: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in
efi_install_multiple_protocol_interfaces_ext()
________________________________________________________________________________________________________
*** CID 376199: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in
efi_install_multiple_protocol_interfaces_ext()
2727 efi_install_multiple_protocol_interfaces_ext(efi_handle_t *handle, ...)
2728 {
2729 EFI_ENTRY("%p", handle);
2730 efi_status_t ret;
2731 efi_va_list argptr;
2732
>>> CID 376199: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2733 efi_va_start(argptr, handle);
2734 ret =
efi_install_multiple_protocol_interfaces_int(handle, argptr);
2735 efi_va_end(argptr);
2736 return EFI_EXIT(ret);
2737 }
2738
** CID 376198: Insecure data handling (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()
________________________________________________________________________________________________________
*** CID 376198: Insecure data handling (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()
1911
1912 count = fit_conf_get_prop_node_count(fit, noffset, prop_name);
1913 if (count < 0)
1914 return count;
1915
1916 /* check each image in the list */
>>> CID 376198: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1917 for (i = 0; i < count; i++) {
1918 enum image_phase_t phase;
1919 int ret, node;
1920
1921 node = fit_conf_get_prop_node_index(fit,
noffset, prop_name, i);
1922 ret = fit_image_get_phase(fit, node, &phase);
** CID 376197: Incorrect expression (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()
________________________________________________________________________________________________________
*** CID 376197: Incorrect expression (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()
236 scale = (end - buf) / 100;
237 cmp_buf = memalign(ARCH_DMA_MINALIGN, flash->sector_size);
238 if (cmp_buf) {
239 ulong last_update = get_timer(0);
240
241 for (; buf < end && !err_oper; buf += todo,
offset += todo) {
>>> CID 376197: Incorrect expression (UNUSED_VALUE)
>>> Assigning value from "({...; (__min1 < __min2) ? __min1 : __min2;})" to "todo" here, but that stored value is overwritten before it can be used.
242 todo = min_t(size_t, end - buf,
flash->sector_size);
243 todo = min_t(size_t, end - buf,
244 flash->sector_size -
(offset % flash->sector_size));
245 if (get_timer(last_update) > 100) {
246 printf(" \rUpdating, %zu%% %lu B/s",
247 100 - (end - buf) / scale,
** CID 376196: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 376196: Integer handling issues (NEGATIVE_RETURNS)
/boot/bootdev-uclass.c: 202 in bootdev_list()
196 printf("--- ------ ------ -------- ------------------\n");
197 if (probe)
198 ret = uclass_first_device_check(UCLASS_BOOTDEV, &dev);
199 else
200 ret = uclass_find_first_device(UCLASS_BOOTDEV, &dev);
201 for (i = 0; dev; i++) {
>>> CID 376196: Integer handling issues (NEGATIVE_RETURNS)
>>> "ret" is passed to a parameter that cannot be negative.
202 printf("%3x [ %c ] %6s %-9.9s %s\n", dev_seq(dev),
203 device_active(dev) ? '+' : ' ',
204 ret ? simple_itoa(ret) : "OK",
205
dev_get_uclass_name(dev_get_parent(dev)), dev->name);
206 if (probe)
207 ret = uclass_next_device_check(&dev);
** CID 376195: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in
efi_uninstall_multiple_protocol_interfaces_int()
________________________________________________________________________________________________________
*** CID 376195: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in
efi_uninstall_multiple_protocol_interfaces_int()
2770 ret = efi_uninstall_protocol(handle, protocol,
2771 protocol_interface);
2772 if (ret != EFI_SUCCESS)
2773 break;
2774 i++;
2775 }
>>> CID 376195: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
2776 if (ret == EFI_SUCCESS) {
2777 /* If the last protocol has been removed,
delete the handle. */
2778 if (list_empty(&handle->protocols)) {
2779 list_del(&handle->link);
2780 free(handle);
2781 }
** CID 376194: Null pointer dereferences (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()
________________________________________________________________________________________________________
*** CID 376194: Null pointer dereferences (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()
620 return -ENODEV;
621 }
622
623 int blk_next_device_err(enum blk_flag_t flags, struct udevice **devp)
624 {
625 for (uclass_next_device(devp);
>>> CID 376194: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "*devp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
626 *devp;
627 uclass_next_device(devp)) {
628 if (!blk_flags_check(*devp, flags))
629 return 0;
630 }
631
________________________________________________________________________________________________________
----- End forwarded message -----
--
Tom