Fwd: New Defects reported by Coverity Scan for Das U-Boot

Tom Rini trini at konsulko.com
Wed Nov 9 16:40:55 CET 2022


Here's the latest report.

---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Nov 7, 2022 at 3:41 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>


Hi,

Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.

21 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 21 defect(s)


** CID 376213:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in efi_install_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376213:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2642 in efi_install_multiple_protocol_interfaces_int()
2636            int i = 0;
2637            efi_va_list argptr_copy;
2638
2639            if (!handle)
2640                    return EFI_INVALID_PARAMETER;
2641
>>>     CID 376213:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2642            efi_va_copy(argptr_copy, argptr);
2643            for (;;) {
2644                    protocol = efi_va_arg(argptr, efi_guid_t*);
2645                    if (!protocol)
2646                            break;
2647                    protocol_interface = efi_va_arg(argptr, void*);

** CID 376212:  Error handling issues  (CHECKED_RETURN)


________________________________________________________________________________________________________
*** CID 376212:  Error handling issues  (CHECKED_RETURN)
/drivers/usb/emul/sandbox_flash.c: 197 in handle_ufi_command()
191
192             ret = sb_scsi_emul_command(info, req, len);
193             if (!ret) {
194                     setup_response(priv);
195             } else if ((ret == SCSI_EMUL_DO_READ || ret == SCSI_EMUL_DO_WRITE) &&
196                        priv->fd != -1) {
>>>     CID 376212:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
197                     os_lseek(priv->fd, info->seek_block * info->block_size,
198                              OS_SEEK_SET);
199                     setup_response(priv);
200             } else {
201                     setup_fail_response(priv);
202             }

** CID 376211:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 376211:    (TAINTED_SCALAR)
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "initrd_dp->length" to "fill_file_info", which uses it as an offset.
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
1479                    if (size > 0)
1480                            memcpy(bo->optional_data, lo.optional_data, size);
/cmd/eficonfig.c: 1535 in eficonfig_edit_boot_option()
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->description" to "dlfree", which uses it as an offset.
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
1540            efi_free_pool(initrd_dp);
/cmd/eficonfig.c: 1534 in eficonfig_edit_boot_option()
1528
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*bo->optional_data" to "dlfree", which uses it as an offset.
1534            free(bo->optional_data);
1535            free(bo->description);
1536            free(bo->file_info.current_path);
1537            free(bo->initrd_info.current_path);
1538            efi_free_pool(device_dp);
1539            efi_free_pool(initrd_device_dp);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path" to "efi_dp_from_lo", which uses it as a loop boundary.
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
/cmd/eficonfig.c: 1475 in eficonfig_edit_boot_option()
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "initrd_dp->str" to "fill_file_info", which uses it as an offset.
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
1479                    if (size > 0)
1480                            memcpy(bo->optional_data, lo.optional_data, size);
/cmd/eficonfig.c: 1473 in eficonfig_edit_boot_option()
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path_length" to "efi_dp_from_lo", which uses it as a loop boundary.
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
1476                            efi_free_pool(initrd_dp);
1477                    }
1478
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464                            lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466                    u16_strcpy(bo->description, lo.label);
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path->str" to "fill_file_info", which uses it as an offset.
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);
/cmd/eficonfig.c: 1470 in eficonfig_edit_boot_option()
1464                            lo.label[EFICONFIG_DESCRIPTION_MAX - 1] = u'\0';
1465
1466                    u16_strcpy(bo->description, lo.label);
1467
1468                    /* EFI image file path is a first instance */
1469                    if (lo.file_path)
>>>     CID 376211:    (TAINTED_SCALAR)
>>>     Passing tainted expression "lo.file_path->length" to "fill_file_info", which uses it as an offset.
1470                            fill_file_info(lo.file_path, &bo->file_info, device_dp);
1471
1472                    /* Initrd file path(optional) is placed at second instance. */
1473                    initrd_dp = efi_dp_from_lo(&lo, &efi_lf2_initrd_guid);
1474                    if (initrd_dp) {
1475                            fill_file_info(initrd_dp, &bo->initrd_info, initrd_device_dp);

** CID 376210:    (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()


________________________________________________________________________________________________________
*** CID 376210:    (BUFFER_SIZE)
/drivers/scsi/scsi_emul.c: 35 in sb_scsi_emul_command()
29              struct scsi_inquiry_resp *resp = (void *)info->buff;
30
31              info->alloc_len = req->cmd[4];
32              memset(resp, '\0', sizeof(*resp));
33              resp->data_format = 1;
34              resp->additional_len = 0x1f;
>>>     CID 376210:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 8 bytes on destination array "resp->vendor" of size 8 bytes might leave the destination string unterminated.
35              strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
36              strncpy(resp->product, info->product, sizeof(resp->product));
37              strncpy(resp->revision, "1.0", sizeof(resp->revision));
38              info->buff_used = sizeof(*resp);
39              break;
40      }
/drivers/scsi/scsi_emul.c: 36 in sb_scsi_emul_command()
30
31              info->alloc_len = req->cmd[4];
32              memset(resp, '\0', sizeof(*resp));
33              resp->data_format = 1;
34              resp->additional_len = 0x1f;
35              strncpy(resp->vendor, info->vendor, sizeof(resp->vendor));
>>>     CID 376210:    (BUFFER_SIZE)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "resp->product" of size 16 bytes might leave the destination string unterminated.
36              strncpy(resp->product, info->product, sizeof(resp->product));
37              strncpy(resp->revision, "1.0", sizeof(resp->revision));
38              info->buff_used = sizeof(*resp);
39              break;
40      }
41      case SCSI_TST_U_RDY:

** CID 376209:  Null pointer dereferences  (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()


________________________________________________________________________________________________________
*** CID 376209:  Null pointer dereferences  (REVERSE_INULL)
/drivers/pci/pci-uclass.c: 1249 in pci_find_next_device()
1243                    }
1244            }
1245
1246            /* We ran out of siblings. Try the next bus */
1247            uclass_next_device(&bus);
1248
>>>     CID 376209:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
1249            return bus ? skip_to_next_device(bus, devp) : 0;
1250     }
1251
1252     int pci_find_first_device(struct udevice **devp)
1253     {
1254            struct udevice *bus;

** CID 376208:  Null pointer dereferences  (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()


________________________________________________________________________________________________________
*** CID 376208:  Null pointer dereferences  (REVERSE_INULL)
/cmd/virtio.c: 31 in do_virtio()
25              struct udevice *bus, *child;
26
27              uclass_first_device(UCLASS_VIRTIO, &bus);
28              if (!bus)
29                      return CMD_RET_FAILURE;
30
>>>     CID 376208:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "bus" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
31              while (bus) {
32                      device_foreach_child_probe(child, bus)
33                              ;
34                      uclass_next_device(&bus);
35              }
36

** CID 376207:  Uninitialized variables  (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()


________________________________________________________________________________________________________
*** CID 376207:  Uninitialized variables  (UNINIT)
/cmd/eficonfig.c: 2325 in eficonfig_delete_invalid_boot_option()
2319                    }
2320     next:
2321                    free(load_option);
2322            }
2323
2324     out:
>>>     CID 376207:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
2325            return ret;
2326     }
2327
2328     /**
2329      * eficonfig_generate_media_device_boot_option() - generate the media device boot option
2330      *

** CID 376206:    (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
/cmd/eficonfig.c: 134 in eficonfig_print_msg()


________________________________________________________________________________________________________
*** CID 376206:    (CHECKED_RETURN)
/cmd/eficonfig.c: 127 in eficonfig_print_msg()
121      * Return:      status code
122      */
123     void eficonfig_print_msg(char *msg)
124     {
125             /* Flush input */
126             while (tstc())
>>>     CID 376206:    (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
127                     getchar();
128
129             printf(ANSI_CURSOR_HIDE
130                    ANSI_CLEAR_CONSOLE
131                    ANSI_CURSOR_POSITION
132                    "%s\n\n  Press any key to continue", 3, 4, msg);
/cmd/eficonfig.c: 134 in eficonfig_print_msg()
128
129             printf(ANSI_CURSOR_HIDE
130                    ANSI_CLEAR_CONSOLE
131                    ANSI_CURSOR_POSITION
132                    "%s\n\n  Press any key to continue", 3, 4, msg);
133
>>>     CID 376206:    (CHECKED_RETURN)
>>>     Calling "getchar()" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
134             getchar();
135     }
136
137     /**
138      * eficonfig_print_entry() - print each menu entry
139      *

** CID 376205:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 376205:    (TAINTED_SCALAR)
/test/test-main.c: 582 in ut_run_list()
576                     printf("Running %d %s tests\n", count, category);
577
578             uts.of_root = gd_of_root();
579             uts.runs_per_test = runs_per_test;
580             if (fdt_action() == FDTCHK_COPY && gd->fdt_blob) {
581                     uts.fdt_size = fdt_totalsize(gd->fdt_blob);
>>>     CID 376205:    (TAINTED_SCALAR)
>>>     Passing tainted expression "uts.fdt_size" to "os_malloc", which uses it as an offset.
582                     uts.fdt_copy = os_malloc(uts.fdt_size);
583                     if (!uts.fdt_copy) {
584                             printf("Out of memory for device tree copy\n");
585                             return -ENOMEM;
586                     }
587                     memcpy(uts.fdt_copy, gd->fdt_blob, uts.fdt_size);
/test/test-main.c: 596 in ut_run_list()
590             ret = ut_run_tests(&uts, prefix, tests, count, select_name);
591
592             /* Best efforts only...ignore errors */
593             if (has_dm_tests)
594                     dm_test_restore(uts.of_root);
595             if (IS_ENABLED(CONFIG_SANDBOX)) {
>>>     CID 376205:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*uts.fdt_copy" to "os_free", which uses it as an offset.
596                     os_free(uts.fdt_copy);
597                     os_free(uts.other_fdt);
598             }
599
600             if (uts.skip_count)
601                     printf("Skipped: %d, ", uts.skip_count);

** CID 376204:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in efi_uninstall_multiple_protocol_interfaces_ext()


________________________________________________________________________________________________________
*** CID 376204:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2854 in efi_uninstall_multiple_protocol_interfaces_ext()
2848     efi_uninstall_multiple_protocol_interfaces_ext(efi_handle_t handle, ...)
2849     {
2850            EFI_ENTRY("%p", handle);
2851            efi_status_t ret;
2852            efi_va_list argptr;
2853
>>>     CID 376204:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2854            efi_va_start(argptr, handle);
2855            ret = efi_uninstall_multiple_protocol_interfaces_int(handle, argptr);
2856            efi_va_end(argptr);
2857            return EFI_EXIT(ret);
2858     }
2859

** CID 376203:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376203:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2764 in efi_uninstall_multiple_protocol_interfaces_int()
2758            size_t i = 0;
2759            efi_va_list argptr_copy;
2760
2761            if (!handle)
2762                    return EFI_INVALID_PARAMETER;
2763
>>>     CID 376203:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr_copy" when calling "__builtin_ms_va_copy".
2764            efi_va_copy(argptr_copy, argptr);
2765            for (;;) {
2766                    protocol = efi_va_arg(argptr, efi_guid_t*);
2767                    if (!protocol)
2768                            break;
2769                    protocol_interface = efi_va_arg(argptr, void*);

** CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()


________________________________________________________________________________________________________
*** CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
/cmd/eficonfig.c: 1530 in eficonfig_edit_boot_option()
1524                            goto out;
1525                    p = tmp;
1526                    utf16_utf8_strncpy(&p, bo->optional_data,
u16_strlen(bo->optional_data));
1527            }
1528
1529            ret = eficonfig_set_boot_option(varname, final_dp, final_dp_size, bo->description, tmp);
>>>     CID 376202:  Incorrect expression  (IDENTICAL_BRANCHES)
>>>     The same code is executed when the condition "ret != 0UL" is true or false, because the code in the if-then branch and after the if statement is identical. Should the if statement be removed?
1530            if (ret != EFI_SUCCESS)
1531                    goto out;
1532     out:
1533            free(tmp);
1534            free(bo->optional_data);
1535            free(bo->description);

** CID 376201:  Error handling issues  (CHECKED_RETURN)


________________________________________________________________________________________________________
*** CID 376201:  Error handling issues  (CHECKED_RETURN)
/drivers/scsi/sandbox_scsi.c: 54 in sandbox_scsi_exec()
48                        ret);
49              return ret;
50      } else if (ret == SCSI_EMUL_DO_READ && priv->fd != -1) {
51              long bytes_read;
52
53              log_debug("read %x %x\n", info->seek_block, info->read_len);
>>>     CID 376201:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "os_lseek(priv->fd, info->seek_block * info->block_size, 0)" without checking return value. It wraps a library function that may fail and return an error code.
54              os_lseek(priv->fd, info->seek_block * info->block_size,
55                       OS_SEEK_SET);
56              bytes_read = os_read(priv->fd, req->pdata, info->buff_used);
57              if (bytes_read < 0)
58                      return bytes_read;
59              if (bytes_read != info->buff_used)

** CID 376200:  API usage errors  (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376200:  API usage errors  (VARARGS)
/lib/efi_loader/efi_boottime.c: 2787 in efi_uninstall_multiple_protocol_interfaces_int()
2781                    }
2782                    goto out;
2783            }
2784
2785            /* If an error occurred undo all changes. */
2786            for (; i; --i) {
>>>     CID 376200:  API usage errors  (VARARGS)
>>>     Calling va_arg on va_list "argptr_copy", which has not been prepared with va_start().
2787                    protocol = efi_va_arg(argptr_copy, efi_guid_t*);
2788                    protocol_interface = efi_va_arg(argptr_copy, void*);
2789                    EFI_CALL(efi_install_protocol_interface(&handle, protocol,
2790                                                            EFI_NATIVE_INTERFACE,
2791                                                            protocol_interface));
2792            }

** CID 376199:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in efi_install_multiple_protocol_interfaces_ext()


________________________________________________________________________________________________________
*** CID 376199:  Memory - illegal accesses  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2733 in efi_install_multiple_protocol_interfaces_ext()
2727     efi_install_multiple_protocol_interfaces_ext(efi_handle_t *handle, ...)
2728     {
2729            EFI_ENTRY("%p", handle);
2730            efi_status_t ret;
2731            efi_va_list argptr;
2732
>>>     CID 376199:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2733            efi_va_start(argptr, handle);
2734            ret = efi_install_multiple_protocol_interfaces_int(handle, argptr);
2735            efi_va_end(argptr);
2736            return EFI_EXIT(ret);
2737     }
2738

** CID 376198:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()


________________________________________________________________________________________________________
*** CID 376198:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-fit.c: 1917 in fit_conf_get_prop_node()
1911
1912            count = fit_conf_get_prop_node_count(fit, noffset, prop_name);
1913            if (count < 0)
1914                    return count;
1915
1916            /* check each image in the list */
>>>     CID 376198:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1917            for (i = 0; i < count; i++) {
1918                    enum image_phase_t phase;
1919                    int ret, node;
1920
1921                    node = fit_conf_get_prop_node_index(fit, noffset, prop_name, i);
1922                    ret = fit_image_get_phase(fit, node, &phase);

** CID 376197:  Incorrect expression  (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()


________________________________________________________________________________________________________
*** CID 376197:  Incorrect expression  (UNUSED_VALUE)
/cmd/sf.c: 242 in spi_flash_update()
236                     scale = (end - buf) / 100;
237             cmp_buf = memalign(ARCH_DMA_MINALIGN, flash->sector_size);
238             if (cmp_buf) {
239                     ulong last_update = get_timer(0);
240
241                     for (; buf < end && !err_oper; buf += todo, offset += todo) {
>>>     CID 376197:  Incorrect expression  (UNUSED_VALUE)
>>>     Assigning value from "({...; (__min1 < __min2) ? __min1 : __min2;})" to "todo" here, but that stored value is overwritten before it can be used.
242                             todo = min_t(size_t, end - buf, flash->sector_size);
243                             todo = min_t(size_t, end - buf,
244                                          flash->sector_size - (offset % flash->sector_size));
245                             if (get_timer(last_update) > 100) {
246                                     printf("   \rUpdating, %zu%% %lu B/s",
247                                            100 - (end - buf) / scale,

** CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)


________________________________________________________________________________________________________
*** CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)
/boot/bootdev-uclass.c: 202 in bootdev_list()
196             printf("---  ------  ------  --------  ------------------\n");
197             if (probe)
198                     ret = uclass_first_device_check(UCLASS_BOOTDEV, &dev);
199             else
200                     ret = uclass_find_first_device(UCLASS_BOOTDEV, &dev);
201             for (i = 0; dev; i++) {
>>>     CID 376196:  Integer handling issues  (NEGATIVE_RETURNS)
>>>     "ret" is passed to a parameter that cannot be negative.
202                     printf("%3x   [ %c ]  %6s  %-9.9s %s\n", dev_seq(dev),
203                            device_active(dev) ? '+' : ' ',
204                            ret ? simple_itoa(ret) : "OK",
205                            dev_get_uclass_name(dev_get_parent(dev)), dev->name);
206                     if (probe)
207                             ret = uclass_next_device_check(&dev);

** CID 376195:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in efi_uninstall_multiple_protocol_interfaces_int()


________________________________________________________________________________________________________
*** CID 376195:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 2776 in efi_uninstall_multiple_protocol_interfaces_int()
2770                    ret = efi_uninstall_protocol(handle, protocol,
2771                                                 protocol_interface);
2772                    if (ret != EFI_SUCCESS)
2773                            break;
2774                    i++;
2775            }
>>>     CID 376195:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "ret".
2776            if (ret == EFI_SUCCESS) {
2777                    /* If the last protocol has been removed, delete the handle. */
2778                    if (list_empty(&handle->protocols)) {
2779                            list_del(&handle->link);
2780                            free(handle);
2781                    }

** CID 376194:  Null pointer dereferences  (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()


________________________________________________________________________________________________________
*** CID 376194:  Null pointer dereferences  (REVERSE_INULL)
/drivers/block/blk-uclass.c: 626 in blk_next_device_err()
620             return -ENODEV;
621     }
622
623     int blk_next_device_err(enum blk_flag_t flags, struct udevice **devp)
624     {
625             for (uclass_next_device(devp);
>>>     CID 376194:  Null pointer dereferences  (REVERSE_INULL)
>>>     Null-checking "*devp" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
626                  *devp;
627                  uclass_next_device(devp)) {
628                     if (!blk_flags_check(*devp, flags))
629                             return 0;
630             }
631


________________________________________________________________________________________________________

----- End forwarded message -----

-- 
Tom
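Added example, not part of Tom's message and not U-Boot code: the TAINTED_SCALAR findings above in cmd/eficonfig.c and boot/image-fit.c are all about the same pattern, a length or count read from data an attacker may control (a Boot#### load option, a FIT image) being used as an offset or loop bound before it is checked. The C below is a constructed bounds-checked walker over an EFI device path of the kind a load option carries, showing the checks such a consumer needs before it trusts a node's length. The node header layout (type, sub-type, 16-bit little-endian length that includes the header) and the end-node encodings follow the UEFI specification; the function names and the sample buffers are assumptions made for this example.

```c
/*
 * Added example, not U-Boot code: bounds-checked walk over an EFI device
 * path in an untrusted buffer. Node header layout and the end-node types
 * follow the UEFI spec; the names and the sample buffers are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DP_HDR_LEN               4
#define DP_TYPE_END              0x7f
#define DP_SUBTYPE_END_INSTANCE  0x01
#define DP_SUBTYPE_END_ENTIRE    0xff

/*
 * Size in bytes of the device path at buf, including its end-of-path node,
 * with the instance count stored in *instances when non-NULL. Returns -1 if
 * the path is truncated, a node length is below the header size or runs
 * past avail, or an end node does not have the spec-mandated length.
 */
static long dp_checked_size(const uint8_t *buf, size_t avail,
                            unsigned int *instances)
{
    size_t off = 0;
    unsigned int n = 1;

    for (;;) {
        uint8_t type, subtype;
        size_t len;

        /* The header must fit before a length is read out of it. */
        if (avail - off < DP_HDR_LEN)
            return -1;
        type = buf[off];
        subtype = buf[off + 1];
        len = buf[off + 2] | ((size_t)buf[off + 3] << 8);

        /*
         * len < header would never advance (infinite loop); len past the
         * buffer would read out of bounds. off never exceeds avail, so the
         * subtraction cannot wrap. Only after this is len safe as an offset.
         */
        if (len < DP_HDR_LEN || len > avail - off)
            return -1;

        if (type == DP_TYPE_END) {
            if (len != DP_HDR_LEN)
                return -1;
            if (subtype == DP_SUBTYPE_END_ENTIRE) {
                if (instances)
                    *instances = n;
                return (long)(off + len);
            }
            if (subtype == DP_SUBTYPE_END_INSTANCE)
                n++;
        }
        off += len;
    }
}

/* Instance count of a valid path, or 0 when dp_checked_size rejects it. */
static unsigned int dp_instance_count(const uint8_t *buf, size_t avail)
{
    unsigned int n = 0;

    return dp_checked_size(buf, avail, &n) < 0 ? 0 : n;
}

/* Constructed inputs: a media node (type 4, sub-type 4) with 8 payload bytes. */
static const uint8_t dp_two_instances[] = {
    0x04, 0x04, 0x0c, 0x00, 'a', 0, '.', 0, 'e', 0, 0, 0,   /* node, 12 bytes */
    0x7f, 0x01, 0x04, 0x00,                                 /* end of instance */
    0x04, 0x04, 0x0c, 0x00, 'b', 0, '.', 0, 'e', 0, 0, 0,   /* node, 12 bytes */
    0x7f, 0xff, 0x04, 0x00,                                 /* end of path */
};
static const uint8_t dp_bad_length[] = {                   /* node claims 64 bytes */
    0x04, 0x04, 0x40, 0x00, 'a', 0, '.', 0, 'e', 0, 0, 0,
    0x7f, 0xff, 0x04, 0x00,
};
static const uint8_t dp_zero_length[] = {                  /* node would never advance */
    0x04, 0x04, 0x00, 0x00, 'a', 0, '.', 0, 'e', 0, 0, 0,
    0x7f, 0xff, 0x04, 0x00,
};
static const uint8_t dp_no_end[] = {                       /* end node missing */
    0x04, 0x04, 0x0c, 0x00, 'a', 0, '.', 0, 'e', 0, 0, 0,
};

int main(void)
{
    unsigned int n = 0;
    long size = dp_checked_size(dp_two_instances, sizeof(dp_two_instances), &n);

    printf("two instances: size %ld, instances %u\n", size, n);
    printf("truncated copy: %ld\n", dp_checked_size(dp_two_instances, 14, NULL));
    printf("oversized node: %ld\n",
           dp_checked_size(dp_bad_length, sizeof(dp_bad_length), NULL));
    printf("zero-length node: %ld\n",
           dp_checked_size(dp_zero_length, sizeof(dp_zero_length), NULL));
    printf("missing end node: %ld\n",
           dp_checked_size(dp_no_end, sizeof(dp_no_end), NULL));
    return 0;
}
```

Build with `cc -Wall -o dpcheck dpcheck.c` and run it. The two checks on `len` are the ones that matter: rejecting a length below the header size prevents a zero-length node from pinning the walker in an infinite loop, and rejecting a length beyond the remaining bytes prevents the following node's header from being read past the buffer. The walker returns -1 rather than 0 on failure so a caller cannot confuse a rejected path with an empty one, and the same bounded walk is what a caller should run before handing any node's `length` on as an offset.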