Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Mon Oct 7 19:15:05 CEST 2024
Now that I've merged next to master, there's a number of issues to
address.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Oct 7, 2024 at 10:59 AM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das
U-Boot found with Coverity Scan.
24 new defect(s) introduced to Das U-Boot found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 24 defect(s)
** CID 510469: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
/tools/mkeficapsule.c: 862 in load_dtb()
/tools/mkeficapsule.c: 855 in load_dtb()
/tools/mkeficapsule.c: 870 in load_dtb()
________________________________________________________________________________________________________
*** CID 510469: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 877 in load_dtb()
871 }
872
873 if (fread(dtb, dtb_size, 1, f) != 1) {
874 fprintf(stderr, "Can't read %ld bytes from %s\n",
875 dtb_size, path);
876 free(dtb);
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
877 return NULL;
878 }
879
880 fclose(f);
881
882 return dtb;
/tools/mkeficapsule.c: 862 in load_dtb()
856 }
857
858 dtb_size = ftell(f);
859 if (dtb_size < 0) {
860 fprintf(stderr, "Cannot ftell %s: %s\n",
861 path, strerror(errno));
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
862 return NULL;
863 }
864
865 fseek(f, 0, SEEK_SET);
866
867 dtb = malloc(dtb_size);
/tools/mkeficapsule.c: 855 in load_dtb()
849 return NULL;
850 }
851
852 if (fseek(f, 0, SEEK_END)) {
853 fprintf(stderr, "Cannot seek to the end of %s: %s\n",
854 path, strerror(errno));
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
855 return NULL;
856 }
857
858 dtb_size = ftell(f);
859 if (dtb_size < 0) {
860 fprintf(stderr, "Cannot ftell %s: %s\n",
/tools/mkeficapsule.c: 870 in load_dtb()
864
865 fseek(f, 0, SEEK_SET);
866
867 dtb = malloc(dtb_size);
868 if (!dtb) {
869 fprintf(stderr, "Can't allocated %ld\n", dtb_size);
>>> CID 510469: (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
870 return NULL;
871 }
872
873 if (fread(dtb, dtb_size, 1, f) != 1) {
874 fprintf(stderr, "Can't read %ld bytes from %s\n",
875 dtb_size, path);
** CID 510468: Integer handling issues (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
________________________________________________________________________________________________________
*** CID 510468: Integer handling issues (SIGN_EXTENSION)
/lib/alist.c: 65 in alist_expand_to()
59 new_data = malloc(lst->obj_size * new_alloc);
60 if (!new_data) {
61 lst->flags |= ALISTF_FAIL;
62 return false;
63 }
64
>>> CID 510468: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "lst->obj_size" with type "u16" (16 bits, unsigned) is promoted in "lst->obj_size * lst->alloc" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lst->obj_size * lst->alloc" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
65 memcpy(new_data, lst->data, lst->obj_size * lst->alloc);
66 free(lst->data);
67
68 memset(new_data + lst->obj_size * lst->alloc, '\0',
69 lst->obj_size * (new_alloc - lst->alloc));
70 lst->alloc = new_alloc;
** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
________________________________________________________________________________________________________
*** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/net/tcp.c: 497 in tcp_parse_options()
491 tsopt = (struct tcp_t_opt *)p;
492 rmt_timestamp = tsopt->t_snd;
493 return;
494 }
495
496 /* Process optional NOPs */
>>> CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "p[0] == 16843009" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
497 if (p[0] == TCP_O_NOP)
498 p++;
499 }
500 }
501
502 static u8 tcp_state_machine(u8 tcp_flags, u32 tcp_seq_num, int
payload_len)
** CID 510466: Control flow issues (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
________________________________________________________________________________________________________
*** CID 510466: Control flow issues (NO_EFFECT)
/lib/uuid.c: 256 in uuid_guid_get_bin()
250 };
251
252 int uuid_guid_get_bin(const char *guid_str, unsigned char *guid_bin)
253 {
254 int i;
255
>>> CID 510466: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
256 for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
257 if (!strcmp(list_guid[i].string, guid_str)) {
258 memcpy(guid_bin, &list_guid[i].guid, 16);
259 return 0;
260 }
261 }
** CID 510465: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 510465: Uninitialized variables (UNINIT)
/cmd/upl.c: 59 in do_upl_write()
53 struct unit_test_state uts;
54 struct abuf buf;
55 oftree tree;
56 ulong addr;
57 int ret;
58
>>> CID 510465: Uninitialized variables (UNINIT)
>>> Using uninitialized value "uts.fail_count" when calling "upl_get_test_data".
59 upl_get_test_data(&uts, upl);
60
61 log_debug("Writing UPL\n");
62 ret = upl_create_handoff_tree(upl, &tree);
63 if (ret) {
64 log_err("Failed to write (err=%dE)\n", ret);
** CID 510464: Error handling issues (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
________________________________________________________________________________________________________
*** CID 510464: Error handling issues (CHECKED_RETURN)
/net/wget.c: 259 in wget_connected()
253
254 pos = strstr((char *)pkt, content_len);
255 if (!pos) {
256 content_length = -1;
257 } else {
258 pos += sizeof(content_len) + 2;
>>> CID 510464: Error handling issues (CHECKED_RETURN)
>>> Calling "strict_strtoul" without checking return value (as is done elsewhere 8 out of 10 times).
259 strict_strtoul(pos, 10,
&content_length);
260 debug_cond(DEBUG_WGET,
261 "wget: Connected Len %lu\n",
262 content_length);
263 }
264
** CID 510463: Memory - illegal accesses (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
________________________________________________________________________________________________________
*** CID 510463: Memory - illegal accesses (OVERRUN)
/lib/lmb.c: 37 in lmb_print_region_flags()
31 {
32 u64 bitpos;
33 const char *flag_str[] = { "none", "no-map", "no-overwrite" };
34
35 do {
36 bitpos = flags ? fls(flags) - 1 : 0;
>>> CID 510463: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "flag_str" of 3 8-byte elements at element index 31 (byte offset 255) using index "bitpos" (which evaluates to 31).
37 printf("%s", flag_str[bitpos]);
38 flags &= ~(1ull << bitpos);
39 puts(flags ? ", " : "\n");
40 } while (flags);
41 }
42
** CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
________________________________________________________________________________________________________
*** CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
/test/dm/nand.c: 67 in run_test_nand()
61 ops.ooblen = mtd->oobsize;
62 ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops));
63 ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]);
64
65 /* Generate some data and write it */
66 for (i = 0; i < size / sizeof(int); i++)
>>> CID 510462: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67 gold[i] = rand();
68 ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX,
69 (void *)gold, 0));
70 ut_asserteq(size, length);
71
72 /* Verify */
** CID 510461: Code maintainability issues (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
________________________________________________________________________________________________________
*** CID 510461: Code maintainability issues (UNUSED_VALUE)
/boot/upl_write.c: 237 in add_upl_image()
231 return log_msg_ret("sub", ret);
232
233 ret = write_addr(upl, subnode, UPLP_LOAD, img->load);
234 if (!ret)
235 ret = write_size(upl, subnode,
UPLP_SIZE, img->size);
236 if (!ret && img->offset)
>>> CID 510461: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "ofnode_write_u32(subnode, "offset", img->offset)" to "ret" here, but that stored value is overwritten before it can be used.
237 ret = ofnode_write_u32(subnode, UPLP_OFFSET,
238 img->offset);
239 ret = ofnode_write_string(subnode, UPLP_DESCRIPTION,
240 img->description);
241 if (ret)
242 return log_msg_ret("sim", ret);
** CID 510460: Resource leaks (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
________________________________________________________________________________________________________
*** CID 510460: Resource leaks (RESOURCE_LEAK)
/fs/ext4/ext4fs.c: 216 in ext4fs_exists()
210 struct ext2fs_node *dirnode = NULL;
211 int filetype;
212
213 if (!filename)
214 return 0;
215
>>> CID 510460: Resource leaks (RESOURCE_LEAK)
>>> Variable "dirnode" going out of scope leaks the storage it points to.
216 return ext4fs_find_file1(filename,
&ext4fs_root->diropen, &dirnode,
217 &filetype);
218 }
219
220 int ext4fs_size(const char *filename, loff_t *size)
221 {
** CID 510459: Incorrect expression (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
________________________________________________________________________________________________________
*** CID 510459: Incorrect expression (SIZEOF_MISMATCH)
/boot/upl_read.c: 523 in decode_upl_graphics()
517 if (!buf) {
518 log_warning("Node '%s': Missing 'reg' property\n",
519 ofnode_get_name(node));
520 return log_msg_ret("reg", -EINVAL);
521 }
522
>>> CID 510459: Incorrect expression (SIZEOF_MISMATCH)
>>> Passing argument "buf" of type "char const *" and argument "8 /* sizeof (buf) */" to function "decode_addr_size" is suspicious.
523 len = decode_addr_size(upl, buf, sizeof(buf), &gra->reg);
524 if (len < 0)
525 return log_msg_ret("buf", len);
526
527 ret = read_uint(node, UPLP_WIDTH, &gra->width);
528 if (!ret)
** CID 510458: Control flow issues (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
________________________________________________________________________________________________________
*** CID 510458: Control flow issues (NO_EFFECT)
/lib/uuid.c: 269 in uuid_guid_get_str()
263 }
264
265 const char *uuid_guid_get_str(const unsigned char *guid_bin)
266 {
267 int i;
268
>>> CID 510458: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
269 for (i = 0; i < ARRAY_SIZE(list_guid); i++) {
270 if (!memcmp(list_guid[i].guid.b, guid_bin, 16)) {
271 return list_guid[i].string;
272 }
273 }
274 return NULL;
** CID 510457: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
/tools/mkeficapsule.c: 930 in genguid()
/tools/mkeficapsule.c: 924 in genguid()
/tools/mkeficapsule.c: 944 in genguid()
/tools/mkeficapsule.c: 959 in genguid()
________________________________________________________________________________________________________
*** CID 510457: (RESOURCE_LEAK)
/tools/mkeficapsule.c: 934 in genguid()
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
930 return -1;
931 }
932 if (strnlen(compatible, compatlen) >= compatlen) {
933 fprintf(stderr, "Compatible string not
null-terminated\n");
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
934 return -1;
935 }
936
937 printf("Generating GUIDs for %s with namespace %s:\n",
938 compatible, DEFAULT_NAMESPACE_GUID);
939 for (; idx < argc; idx++) {
/tools/mkeficapsule.c: 930 in genguid()
924 return -1;
925 }
926
927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
930 return -1;
931 }
932 if (strnlen(compatible, compatlen) >= compatlen) {
933 fprintf(stderr, "Compatible string not
null-terminated\n");
934 return -1;
935 }
/tools/mkeficapsule.c: 924 in genguid()
918 if (!dtb)
919 return -1;
920
921 ret = fdt_check_header(dtb);
922 if (ret) {
923 fprintf(stderr, "Invalid DTB header: %d\n", ret);
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
924 return -1;
925 }
926
927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen);
928 if (!compatible) {
929 fprintf(stderr, "No compatible string found in DTB\n");
/tools/mkeficapsule.c: 944 in genguid()
938 compatible, DEFAULT_NAMESPACE_GUID);
939 for (; idx < argc; idx++) {
940 memset(fw_image, 0, sizeof(fw_image));
941 namelen = strlen(argv[idx]);
942 if (namelen > MAX_IMAGE_NAME_LEN) {
943 fprintf(stderr, "Image name too long:
%s\n", argv[idx]);
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
944 return -1;
945 }
946
947 for (int i = 0; i < namelen; i++)
948 fw_image[i] = (uint16_t)argv[idx][i];
949
/tools/mkeficapsule.c: 959 in genguid()
953 NULL);
954
955 printf("%s: ", argv[idx]);
956 print_guid(&image_type_id);
957 }
958
>>> CID 510457: (RESOURCE_LEAK)
>>> Variable "dtb" going out of scope leaks the storage it points to.
959 return 0;
960 }
961
962 /**
963 * main - main entry function of mkeficapsule
964 * @argc: Number of arguments
** CID 510456: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________
*** CID 510456: Integer handling issues (NEGATIVE_RETURNS)
/boot/upl_write.c: 432 in add_upl_memres()
426 ret = ofnode_add_subnode(mem_node, name, &node);
427 if (ret)
428 return log_msg_ret("memres", ret);
429
430 len = buffer_addr_size(upl, buf, sizeof(buf),
431 memres->region.count,
&memres->region);
>>> CID 510456: Integer handling issues (NEGATIVE_RETURNS)
>>> "len" is passed to a parameter that cannot be negative.
432 ret = ofnode_write_prop(node, UPLP_REG, buf, len, true);
433 if (!ret && memres->no_map)
434 ret = ofnode_write_bool(node, UPLP_NO_MAP,
435 memres->no_map);
436 if (ret)
437 return log_msg_ret("lst", ret);
** CID 510455: Memory - corruptions (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
________________________________________________________________________________________________________
*** CID 510455: Memory - corruptions (OVERLAPPING_COPY)
/fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
965 if (le16_to_cpu(dirs->i_dir.inode_type) == SQFS_DIR_TYPE)
966 dirs->size = le16_to_cpu(dirs->i_dir.file_size);
967 else
968 dirs->size = le32_to_cpu(dirs->i_ldir.file_size);
969
970 /* Setup directory header */
>>> CID 510455: Memory - corruptions (OVERLAPPING_COPY)
>>> Copying 12 bytes from "dirs->table" to "dirs->dir_header", which point to overlapping memory locations.
971 memcpy(dirs->dir_header, dirs->table, SQFS_DIR_HEADER_SIZE);
972 dirs->entry_count = dirs->dir_header->count + 1;
973 dirs->size -= SQFS_DIR_HEADER_SIZE;
974
975 /* Setup entry */
976 dirs->entry = NULL;
** CID 510454: (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
/test/cmd/mbr.c: 421 in mbr_test_run()
/test/cmd/mbr.c: 351 in mbr_test_run()
/test/cmd/mbr.c: 316 in mbr_test_run()
/test/cmd/mbr.c: 386 in mbr_test_run()
________________________________________________________________________________________________________
*** CID 510454: (SIZEOF_MISMATCH)
/test/cmd/mbr.c: 280 in mbr_test_run()
274
275 /* Make sure mmc6 is 12+ MiB in size */
276 ut_assertok(run_commandf("mmc read %lx %lx 1", ra,
277 (ulong)0xbffe00 / BLKSZ));
278
279 /* Test one MBR partition */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
280 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
281 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 1));
282 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
283 memset(rbuf, '\0', BLKSZ);
284 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
285 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 421 in mbr_test_run()
415 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p4[i],
416 "4P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
417 mbr_cmp_start + i,
mbr_parts_ref_p4[i], rbuf[mbr_cmp_start + i]);
418 }
419
420 /* Test five MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
421 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
422 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 5));
423 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
424 memset(rbuf, '\0', BLKSZ);
425 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
426 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 351 in mbr_test_run()
345 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p2[i],
346 "2P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
347 mbr_cmp_start + i,
mbr_parts_ref_p2[i], rbuf[mbr_cmp_start + i]);
348 }
349
350 /* Test three MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
351 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
352 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 3));
353 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
354 memset(rbuf, '\0', BLKSZ);
355 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
356 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 316 in mbr_test_run()
310 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p1[i],
311 "1P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
312 mbr_cmp_start + i,
mbr_parts_ref_p1[i], rbuf[mbr_cmp_start + i]);
313 }
314
315 /* Test two MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
316 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
317 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 2));
318 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
319 memset(rbuf, '\0', BLKSZ);
320 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
321 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
/test/cmd/mbr.c: 386 in mbr_test_run()
380 ut_assertf(rbuf[mbr_cmp_start + i] ==
mbr_parts_ref_p3[i],
381 "3P MBR+0x%04X: expected %#02X,
actual: %#02X\n",
382 mbr_cmp_start + i,
mbr_parts_ref_p3[i], rbuf[mbr_cmp_start + i]);
383 }
384
385 /* Test four MBR partitions */
>>> CID 510454: (SIZEOF_MISMATCH)
>>> Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
386 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf),
ebr_wbuf, sizeof(ebr_wbuf), __LINE__);
387 ut_assertok(build_mbr_parts(mbr_parts_buf,
sizeof(mbr_parts_buf), 4));
388 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa));
389 memset(rbuf, '\0', BLKSZ);
390 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra));
391 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
** CID 510453: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
________________________________________________________________________________________________________
*** CID 510453: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
977 dirs->table += SQFS_DIR_HEADER_SIZE;
978
979 *dirsp = (struct fs_dir_stream *)dirs;
980
981 out:
982 for (j = 0; j < token_count; j++)
>>> CID 510453: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "token_list".
983 free(token_list[j]);
984 free(token_list);
985 free(pos_list);
986 free(path);
987 if (ret) {
988 free(inode_table);
** CID 510452: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
________________________________________________________________________________________________________
*** CID 510452: Null pointer dereferences (FORWARD_NULL)
/fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
1670 printf("File not found.\n");
1671 *size = 0;
1672 ret = -EINVAL;
1673 goto free_strings;
1674 }
1675
>>> CID 510452: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dirs->entry".
1676 i_number = dirs->dir_header->inode_number +
dirs->entry->inode_offset;
1677 ipos = sqfs_find_inode(dirs->inode_table, i_number,
sblk->inodes,
1678 sblk->block_size);
1679
1680 if (!ipos) {
1681 *size = 0;
** CID 510451: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
________________________________________________________________________________________________________
*** CID 510451: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
1610 fragment_block = (void *)fragment + table_offset;
1611
>>> CID 510451: (TAINTED_SCALAR)
>>> Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1612 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1613 *actread = finfo.size;
1614 }
1615
1616 out:
1617 free(fragment);
/fs/squashfs/sqfs.c: 1612 in sqfs_read_nest()
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
1610 fragment_block = (void *)fragment + table_offset;
1611
>>> CID 510451: (TAINTED_SCALAR)
>>> Passing tainted expression "finfo.size - *actread" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1612 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1613 *actread = finfo.size;
1614 }
1615
1616 out:
1617 free(fragment);
/fs/squashfs/sqfs.c: 1621 in sqfs_read_nest()
1615
1616 out:
1617 free(fragment);
1618 free(datablock);
1619 free(file);
1620 free(dir);
>>> CID 510451: (TAINTED_SCALAR)
>>> Passing tainted expression "*finfo.blk_sizes" to "dlfree", which uses it as an offset.
1621 free(finfo.blk_sizes);
1622 sqfs_closedir(dirsp);
1623
1624 return ret;
1625 }
1626
/fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
1598 frag_entry.size);
1599 if (ret) {
1600 free(fragment_block);
1601 goto out;
1602 }
1603
>>> CID 510451: (TAINTED_SCALAR)
>>> Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1604 memcpy(buf + *actread,
&fragment_block[finfo.offset], finfo.size - *actread);
1605 *actread = finfo.size;
1606
1607 free(fragment_block);
1608
1609 } else if (finfo.frag && !finfo.comp) {
** CID 510450: Code maintainability issues (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
________________________________________________________________________________________________________
*** CID 510450: Code maintainability issues (UNUSED_VALUE)
/fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
1500 n_blks = DIV_ROUND_UP(table_size + table_offset,
1501 ctxt.cur_dev->blksz);
1502
1503 /* Don't load any data for sparse blocks */
1504 if (finfo.blk_sizes[j] == 0) {
1505 n_blks = 0;
>>> CID 510450: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "0ULL" to "table_offset" here, but that stored value is overwritten before it can be used.
1506 table_offset = 0;
1507 data_buffer = NULL;
1508 data = NULL;
1509 } else {
1510 data_buffer =
malloc_cache_aligned(n_blks * ctxt.cur_dev->blksz);
1511
----- End forwarded message -----
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20241007/e13ebb60/attachment.sig>
More information about the U-Boot
mailing list