Fwd: New Defects reported by Coverity Scan for Das U-Boot

Sean Edmond seanedmond at linux.microsoft.com
Thu May 18 23:04:37 CEST 2023


On 2023-05-08 1:20 p.m., Tom Rini wrote:
> Here's the latest defect report:
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Mon, May 8, 2023, 2:29 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini at gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 5 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 5 of 5 defect(s)
>
>
> ** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
> /cmd/net.c: 279 in netboot_update_env()
>
>
> ________________________________________________________________________________________________________
> *** CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
> /cmd/net.c: 279 in netboot_update_env()
> 273
> 274             if (IS_ENABLED(CONFIG_IPV6)) {
> 275                     if (!ip6_is_unspecified_addr(&net_ip6) ||
> 276                         net_prefix_length != 0) {
> 277                             sprintf(tmp, "%pI6c", &net_ip6);
> 278                             if (net_prefix_length != 0)
>>>>      CID 453851:  Memory - corruptions  (OVERLAPPING_COPY)
>>>>      In the call to function "sprintf", the arguments "tmp" and "tmp"
Just submitted a patch to fix 453851.
> may point to the same object.
> 279                                     sprintf(tmp, "%s/%d", tmp,
> net_prefix_length);
> 280
> 281                             env_set("ip6addr", tmp);
> 282                     }
> 283
> 284                     if (!ip6_is_unspecified_addr(&net_server_ip6)) {
>
> ** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
>
>
> ________________________________________________________________________________________________________
> *** CID 450971:  Insecure data handling  (TAINTED_SCALAR)
> /net/ndisc.c: 391 in process_ra()
> 385             /* Ignore the packet if router lifetime is 0. */
> 386             if (!icmp->icmp6_rt_lifetime)
> 387                     return -EOPNOTSUPP;
> 388
> 389             /* Processing the options */
> 390             option = msg->opt;
>>>>      CID 450971:  Insecure data handling  (TAINTED_SCALAR)
>>>>      Using tainted variable "remaining_option_len" as a loop boundary.
> 391             while (remaining_option_len > 0) {
> 392                     /* The 2nd byte of the option is its length. */
> 393                     option_len = option[1];
> 394                     /* All included options should have a positive
> length. */
> 395                     if (option_len == 0)
> 396                             return -EINVAL;
>
> ** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
>
>
> ________________________________________________________________________________________________________
> *** CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
> /net/ndisc.c: 209 in ip6_send_rs()
> 203                                    icmp_len, PROT_ICMPV6, pcsum);
> 204             msg->icmph.icmp6_cksum = csum;
> 205             pkt += icmp_len;
> 206
> 207             /* Wait up to 1 second if it is the first try to get the RA
> */
> 208             if (retry_count == 0)
>>>>      CID 450969:  Security best practices violations  (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 209                     udelay(((unsigned int)rand() % 1000000) *
> MAX_SOLICITATION_DELAY);
> 210
> 211             /* send it! */
> 212             net_send_packet(net_tx_packet, (pkt - net_tx_packet));
> 213
> 214             retry_count++;
>
> ** CID 436282:    (DC.WEAK_CRYPTO)
> /net/dhcpv6.c: 621 in dhcp6_state_machine()
> /net/dhcpv6.c: 627 in dhcp6_state_machine()
> /net/dhcpv6.c: 628 in dhcp6_state_machine()
> /net/dhcpv6.c: 662 in dhcp6_state_machine()
> /net/dhcpv6.c: 613 in dhcp6_state_machine()
>
>
> ________________________________________________________________________________________________________
> *** CID 436282:    (DC.WEAK_CRYPTO)
> /net/dhcpv6.c: 621 in dhcp6_state_machine()
> 615             /* handle state machine entry conditions */
> 616             if (sm_params.curr_state != sm_params.next_state) {
> 617                     sm_params.retry_cnt = 0;
> 618
> 619                     if (sm_params.next_state == DHCP6_SOLICIT) {
> 620                             /* delay a random ammount (special for
> SOLICIT) */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
> 622                             /* init timestamp variables after SOLICIT
> delay */
> 623                             sm_params.dhcp6_start_ms = get_timer(0);
> 624                             sm_params.dhcp6_retry_start_ms =
> sm_params.dhcp6_start_ms;
> 625                             sm_params.dhcp6_retry_ms =
> sm_params.dhcp6_start_ms;
> 626                             /* init transaction and ia_id */
> /net/dhcpv6.c: 627 in dhcp6_state_machine()
> 621                             udelay((rand() % SOL_MAX_DELAY_MS) * 1000);
> 622                             /* init timestamp variables after SOLICIT
> delay */
> 623                             sm_params.dhcp6_start_ms = get_timer(0);
> 624                             sm_params.dhcp6_retry_start_ms =
> sm_params.dhcp6_start_ms;
> 625                             sm_params.dhcp6_retry_ms =
> sm_params.dhcp6_start_ms;
> 626                             /* init transaction and ia_id */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 627                             sm_params.trans_id = rand() & 0xFFFFFF;
> 628                             sm_params.ia_id = rand();
> 629                             /* initialize retransmission parameters */
> 630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
> 631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
> 632                             /* RFCs default MRC is be 0 (try infinitely)
> /net/dhcpv6.c: 628 in dhcp6_state_machine()
> 622                             /* init timestamp variables after SOLICIT
> delay */
> 623                             sm_params.dhcp6_start_ms = get_timer(0);
> 624                             sm_params.dhcp6_retry_start_ms =
> sm_params.dhcp6_start_ms;
> 625                             sm_params.dhcp6_retry_ms =
> sm_params.dhcp6_start_ms;
> 626                             /* init transaction and ia_id */
> 627                             sm_params.trans_id = rand() & 0xFFFFFF;
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 628                             sm_params.ia_id = rand();
> 629                             /* initialize retransmission parameters */
> 630                             sm_params.irt_ms = SOL_TIMEOUT_MS;
> 631                             sm_params.mrt_ms = updated_sol_max_rt_ms;
> 632                             /* RFCs default MRC is be 0 (try infinitely)
> 633                              * give up after CONFIG_NET_RETRY_COUNT
> number of tries (same as DHCPv4)
> /net/dhcpv6.c: 662 in dhcp6_state_machine()
> 656                 (sm_params.mrd_ms != 0 &&
> 657                  ((sm_params.dhcp6_retry_ms -
> sm_params.dhcp6_retry_start_ms) >= sm_params.mrd_ms))) {
> 658                     sm_params.next_state = DHCP6_FAIL;
> 659             }
> 660
> 661             /* calculate retransmission timeout (RT) */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 662             rand_minus_plus_100 = ((rand() % 200) - 100);
> 663             if (sm_params.retry_cnt == 0) {
> 664                     sm_params.rt_ms = sm_params.irt_ms +
> 665                                       ((sm_params.irt_ms *
> rand_minus_plus_100) / 1000);
> 666             } else {
> 667                     sm_params.rt_ms = (2 * sm_params.rt_prev_ms) +
> /net/dhcpv6.c: 613 in dhcp6_state_machine()
> 607                      * Proceed anyway to proceed DONE/FAIL actions
> 608                      */
> 609                     debug("Unexpected DHCP6 state : %d\n",
> sm_params.curr_state);
> 610                     break;
> 611             }
> 612             /* re-seed the RNG */
>>>>      CID 436282:    (DC.WEAK_CRYPTO)
>>>>      "rand" should not be used for security-related applications,
We can ignore 436282. For DHCP6, we seed using srand_mac() to ensure 
that rand() will produce enough variation for each device on the 
network.  The numbers from rand() are used to introduce variation in the 
delay between re-transmissions to avoid excessive server congestion if 
all clients are started at the same time (such as a power loss).  These 
values are not used for crypto.
> because linear congruential algorithms are too easy to break.
> 613             srand(get_ticks() + rand());
> 614
> 615             /* handle state machine entry conditions */
> 616             if (sm_params.curr_state != sm_params.next_state) {
> 617                     sm_params.retry_cnt = 0;
> 618
>
> ** CID 436278:    (TAINTED_SCALAR)
> /net/dhcpv6.c: 321 in dhcp6_parse_options()
>
>
> ________________________________________________________________________________________________________
> *** CID 436278:    (TAINTED_SCALAR)
> /net/dhcpv6.c: 376 in dhcp6_parse_options()
> 370                                     if (sm_params.curr_state ==
> DHCP6_SOLICIT)
> 371                                             sm_params.mrt_ms =
> updated_sol_max_rt_ms;
> 372                             }
> 373                             break;
> 374                     case DHCP6_OPTION_OPT_BOOTFILE_URL:
> 375                             debug("DHCP6_OPTION_OPT_BOOTFILE_URL
> FOUND\n");
>>>>      CID 436278:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "option_len + 1" to "copy_filename",
> which uses it as a loop boundary.
> 376                             copy_filename(net_boot_file_name,
> option_ptr, option_len + 1);
> 377                             debug("net_boot_file_name: %s\n",
> net_boot_file_name);
> 378
> 379                             /* copy server_ip6 (required for PXE) */
> 380                             s = strchr(net_boot_file_name, '[');
> 381                             e = strchr(net_boot_file_name, ']');
> /net/dhcpv6.c: 321 in dhcp6_parse_options()
> 315             while (option_hdr < (struct dhcp6_option_hdr *)(rx_pkt +
> len)) {
> 316                     option_ptr = ((uchar *)option_hdr) + sizeof(struct
> dhcp6_hdr);
> 317                     option_len = ntohs(option_hdr->option_len);
> 318
> 319                     switch (ntohs(option_hdr->option_id)) {
> 320                     case DHCP6_OPTION_CLIENTID:
>>>>      CID 436278:    (TAINTED_SCALAR)
>>>>      Passing tainted expression "option_len" to "memcmp", which uses it

Just submitted a patch to fix 436278.

> as an offset. [Note: The source code implementation of the function has
> been overridden by a builtin model.]
> 321                             if (memcmp(option_ptr, sm_params.duid,
> option_len)
> 322                                 != 0) {
> 323                                     debug("CLIENT ID DOESN'T MATCH\n");
> 324                             } else {
> 325                                     debug("CLIENT ID FOUND and
> MATCHES\n");
> 326                                     sm_params.rx_status.client_id_match
> = true;
>
>


More information about the U-Boot mailing list