Fwd: New Defects reported by Coverity Scan for Das U-Boot
Heinrich Schuchardt
xypron.glpk at gmx.de
Wed Apr 30 20:23:29 CEST 2025
On 28.04.25 23:59, Tom Rini wrote:
> Hey all,
>
> Here's the latest set of Coverity defects. Please let me know if some of
> these are false positives for example, thanks.
Hello Tom,
I have marked the acpi_update_header() items as "intentional" in Coverity:
550301
550291
550288
550287
We could change the parameter of acpi_update_checksum() to const void *
to make Coverity happy but we would loose the type checking.
Best regards
Heinrich
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Mon, Apr 28, 2025 at 3:52 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini at gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> 15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> recent build analyzed by Coverity Scan.
>
> New defect(s) Reported-by: Coverity Scan
> Showing 20 of 33 defect(s)
>
>
> ** CID 550306: Control flow issues (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
>
>
> ________________________________________________________________________________________________________
> *** CID 550306: Control flow issues (DEADCODE)
> /fs/exfat/io.c: 547 in exfat_generic_pwrite()
> 541 int rc;
> 542 cluster_t cluster;
> 543 const char* bufp = buffer;
> 544 off_t lsize, loffset, remainder;
> 545
> 546 if (offset < 0)
>>>> CID 550306: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "return -22L;".
> 547 return -EINVAL;
> 548 if (uoffset > node->size)
> 549 {
> 550 rc = exfat_truncate(ef, node, uoffset, true);
> 551 if (rc != 0)
> 552 return rc;
>
> ** CID 550305: Security best practices violations (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
>
>
> ________________________________________________________________________________________________________
> *** CID 550305: Security best practices violations (STRING_OVERFLOW)
> /fs/exfat/io.c: 739 in exfat_fs_opendir()
> 733 return err;
> 734
> 735 dirs = calloc(1, sizeof(*dirs));
> 736 if (!dirs)
> 737 return -ENOMEM;
> 738
>>>> CID 550305: Security best practices violations (STRING_OVERFLOW)
>>>> You might overrun the 1024-character fixed-size string
> "dirs->dirname" by copying "filename" without checking the length.
> 739 strcpy(dirs->dirname, filename);
> 740 dirs->offset = -1;
> 741
> 742 *dirsp = &dirs->fs_dirs;
> 743
> 744 return 0;
>
> ** CID 550304: Error handling issues (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()
>
>
> ________________________________________________________________________________________________________
> *** CID 550304: Error handling issues (NEGATIVE_RETURNS)
> /tools/fit_check_sign.c: 98 in main()
> 92 (void) munmap((void *)fit_blob, fsbuf.st_size);
> 93
> 94 if (key_blob)
> 95 (void)munmap((void *)key_blob, ksbuf.st_size);
> 96
> 97 close(ffd);
>>>> CID 550304: Error handling issues (NEGATIVE_RETURNS)
>>>> "kfd" is passed to a parameter that cannot be negative.
> 98 close(kfd);
> 99 exit(ret);
>
> ** CID 550303: Control flow issues (NO_EFFECT)
> /tools/preload_check_sign.c: 132 in main()
>
>
> ________________________________________________________________________________________________________
> *** CID 550303: Control flow issues (NO_EFFECT)
> /tools/preload_check_sign.c: 132 in main()
> 126
> 127 info.algo_name = algo;
> 128 info.padding_name = padding;
> 129 info.key = (uint8_t *)pkey;
> 130 info.mandatory = 1;
> 131 info.sig_size = EVP_PKEY_size(pkey);
>>>> CID 550303: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true.
> "info.sig_size < 0U".
> 132 if (info.sig_size < 0) {
> 133 fprintf(stderr, "Fail to retrieve the signature
> size: %s\n",
> 134 ERR_error_string(ERR_get_error(), NULL));
> 135 ret = EXIT_FAILURE;
> 136 goto out;
> 137 }
>
> ** CID 550302: (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 550302: (TAINTED_SCALAR)
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt
> *)hdr)->firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt *)hdr)->x_dsdt" to
> "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt *)hdr)->dsdt" to
> "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
> /cmd/acpi.c: 116 in list_rsdt()
> 110 entry = xsdt->entry[i];
> 111 else
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "hdr->length" to "dump_hdr", which uses
> it as a loop boundary.
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> /cmd/acpi.c: 95 in list_rsdt()
> 89 if (rsdp->rsdt_address) {
> 90 rsdt = nomap_sysmem(rsdp->rsdt_address, 0);
> 91 dump_hdr(&rsdt->header, chksums);
> 92 }
> 93 if (rsdp->xsdt_address) {
> 94 xsdt = nomap_sysmem(rsdp->xsdt_address, 0);
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "xsdt->header.length" to "dump_hdr",
> which uses it as a loop boundary.
> 95 dump_hdr(&xsdt->header, chksums);
> 96 len = xsdt->header.length - sizeof(xsdt->header);
> 97 count = len / sizeof(u64);
> 98 } else if (rsdp->rsdt_address) {
> 99 len = rsdt->header.length - sizeof(rsdt->header);
> 100 count = len / sizeof(u32);
> /cmd/acpi.c: 118 in list_rsdt()
> 112 entry = rsdt->entry[i];
> 113 if (!entry)
> 114 break;
> 115 hdr = nomap_sysmem(entry, 0);
> 116 dump_hdr(hdr, chksums);
> 117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>>> CID 550302: (TAINTED_SCALAR)
>>>> Passing tainted expression "((struct acpi_fadt
> *)hdr)->x_firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
> 118 list_fadt((struct acpi_fadt *)hdr, chksums);
> 119 }
> 120 }
> 121
> 122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
> 123 {
>
> ** CID 550301: (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550301: (OVERRUN)
> /lib/acpi/acpi_table.c: 199 in acpi_add_table()
> 193
> 194 /* Fix RSDT length or the kernel will assume
> invalid entries */
> 195 rsdt->header.length = sizeof(struct
> acpi_table_header) +
> 196 (sizeof(u32) * (i + 1));
> 197
> 198 /* Re-calculate checksum */
>>>> CID 550301: (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 39 using argument
> "rsdt->header.length" (which evaluates to 40).
> 199 acpi_update_checksum(&rsdt->header);
> 200 }
> 201
> 202 if (ctx->xsdt) {
> 203 /*
> 204 * And now the same thing for the XSDT. We use the
> same index as for
> /lib/acpi/acpi_table.c: 230 in acpi_add_table()
> 224
> 225 /* Fix XSDT length */
> 226 xsdt->header.length = sizeof(struct
> acpi_table_header) +
> 227 (sizeof(u64) * (i + 1));
> 228
> 229 /* Re-calculate checksum */
>>>> CID 550301: (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 43 using argument
> "xsdt->header.length" (which evaluates to 44).
> 230 acpi_update_checksum(&xsdt->header);
> 231 }
> 232
> 233 return 0;
> 234 }
> 235
>
> ** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
>
>
> ________________________________________________________________________________________________________
> *** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
> /fs/exfat/utils.c: 146 in exfat_humanize_bytes()
> 140 /* 16 EB (minus 1 byte) is the largest size that can be
> represented by
> 141 uint64_t */
> 142 const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
> "PB", "EB"};
> 143 uint64_t divisor = 1;
> 144 uint64_t temp = 0;
> 145
>>>> CID 550300: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "divisor", overflows the type of "divisor", which is
> type "uint64_t".
> 146 for (i = 0; ; i++, divisor *= 1024)
> 147 {
> 148 temp = (value + divisor / 2) / divisor;
> 149
> 150 if (temp == 0)
> 151 break;
>
> ** CID 550299: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_file.c: 251 in file_open()
>
>
> ________________________________________________________________________________________________________
> *** CID 550299: Null pointer dereferences (FORWARD_NULL)
> /lib/efi_loader/efi_file.c: 251 in file_open()
> 245 strcpy(fh->path, "");
> 246 }
> 247
> 248 return &fh->base;
> 249
> 250 error:
>>>> CID 550299: Null pointer dereferences (FORWARD_NULL)
>>>> Dereferencing null pointer "fh".
> 251 free(fh->path);
> 252 free(fh);
> 253 return NULL;
> 254 }
> 255
> 256 efi_status_t efi_file_open_int(struct efi_file_handle *this,
>
> ** CID 550298: Error handling issues (CHECKED_RETURN)
> /lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
>
>
> ________________________________________________________________________________________________________
> *** CID 550298: Error handling issues (CHECKED_RETURN)
> /lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
> 1048 struct efi_handler *phandler;
> 1049
> 1050 if (!efi_netobj_is_active(netobj))
> 1051 return NULL;
> 1052
> 1053 phandler = NULL;
>>>> CID 550298: Error handling issues (CHECKED_RETURN)
>>>> Calling "efi_search_protocol" without checking return value (as is
> done elsewhere 37 out of 42 times).
> 1054 efi_search_protocol(&netobj->header, &efi_guid_device_path,
> &phandler);
> 1055
> 1056 if (phandler && phandler->protocol_interface)
> 1057 return efi_dp_dup(phandler->protocol_interface);
> 1058
> 1059 return NULL;
>
> ** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
>
>
> ________________________________________________________________________________________________________
> *** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
> /cmd/spawn.c: 174 in do_wait()
> 168 ret = wait_job(i);
> 169 } else {
> 170 for (i = 1; i < argc; i++) {
> 171 id = dectoul(argv[i], NULL);
> 172 if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173 return CMD_RET_USAGE;
>>>> CID 550297: Integer handling issues (INTEGER_OVERFLOW)
>>>> Expression "idx", where "(int)id - 1" is known to be equal to -1,
> overflows the type of "idx", which is type "unsigned int".
> 174 idx = (int)id - 1;
> 175 ret = wait_job(idx);
> 176 }
> 177 }
> 178
> 179 return ret;
>
> ** CID 550296: Control flow issues (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
>
>
> ________________________________________________________________________________________________________
> *** CID 550296: Control flow issues (NO_EFFECT)
> /cmd/spawn.c: 172 in do_wait()
> 166 for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
> 167 if (job[i])
> 168 ret = wait_job(i);
> 169 } else {
> 170 for (i = 1; i < argc; i++) {
> 171 id = dectoul(argv[i], NULL);
>>>> CID 550296: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true.
> "id < 0UL".
> 172 if (id < 0 || id >
> CONFIG_CMD_SPAWN_NUM_JOBS)
> 173 return CMD_RET_USAGE;
> 174 idx = (int)id - 1;
> 175 ret = wait_job(idx);
> 176 }
> 177 }
>
> ** CID 550295: Insecure data handling (TAINTED_SCALAR)
>
>
> ________________________________________________________________________________________________________
> *** CID 550295: Insecure data handling (TAINTED_SCALAR)
> /test/lib/membuf.c: 235 in lib_test_membuf_readline()
> 229 *ptr = '\n';
> 230 } else {
> 231 ut_assert(membuf_free(&mb));
> 232 }
> 233 }
> 234 membuf_dispose(&mb);
>>>> CID 550295: Insecure data handling (TAINTED_SCALAR)
>>>> Passing tainted expression "*buf" to "os_free", which uses it as an
> offset.
> 235 os_free(buf);
> 236
> 237 return 0;
> 238 }
>
> ** CID 550294: Code maintainability issues (UNUSED_VALUE)
> /test/lib/membuf.c: 68 in lib_test_membuf_one()
>
>
> ________________________________________________________________________________________________________
> *** CID 550294: Code maintainability issues (UNUSED_VALUE)
> /test/lib/membuf.c: 68 in lib_test_membuf_one()
> 62 ut_assertok(membuf_check(uts, &mb, i));
> 63
> 64 ret = membuf_get(&mb, out, 0);
> 65 ret = membuf_get(&mb, out, size);
> 66 ut_asserteq(size, ret);
> 67
>>>> CID 550294: Code maintainability issues (UNUSED_VALUE)
>>>> Assigning value from "membuf_get(&mb, out, 0)" to "ret" here, but
> that stored value is overwritten before it can be used.
> 68 ret = membuf_get(&mb, out, 0);
> 69 ut_assertok(membuf_check(uts, &mb, i));
> 70
> 71 ut_asserteq_mem(in, out, size);
> 72 }
> 73
>
> ** CID 550293: Memory - illegal accesses (STRING_NULL)
> /test/lib/membuf.c: 224 in lib_test_membuf_readline()
>
>
> ________________________________________________________________________________________________________
> *** CID 550293: Memory - illegal accesses (STRING_NULL)
> /test/lib/membuf.c: 224 in lib_test_membuf_readline()
> 218 ret = membuf_readline(&mb, str, 256, 0, true);
> 219 ut_assertok(membuf_check(uts, &mb, i));
> 220 if (ret) {
> 221 char *ptr;
> 222
> 223 s = &buf[cmpptr];
>>>> CID 550293: Memory - illegal accesses (STRING_NULL)
>>>> Passing unterminated string "s" to "strchr", which expects a
> null-terminated string. [Note: The source code implementation of the
> function has been overridden by a builtin model.]
> 224 ptr = strchr(s, '\n');
> 225 *ptr = '\0';
> 226
> 227 ut_asserteq_str(s, str);
> 228 cmpptr += strlen(s) + 1;
> 229 *ptr = '\n';
>
> ** CID 550292: (BAD_SHIFT)
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
>
>
> ________________________________________________________________________________________________________
> *** CID 550292: (BAD_SHIFT)
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> 159 param[10] = 0x0;
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
>>>> CID 550292: (BAD_SHIFT)
>>>> In expression "blocks >> 24", right shifting "blocks" by more than
> 15 bits always yields zero. The shift amount is 24.
> 165 param[16] = (blocks >> 24) & 0xff;
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
> 165 param[16] = (blocks >> 24) & 0xff;
>>>> CID 550292: (BAD_SHIFT)
>>>> In expression "blocks >> 16", right shifting "blocks" by more than
> 15 bits always yields zero. The shift amount is 16.
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
> 171 pccb->cmd[0] = SCSI_UNMAP;
>
> ** CID 550291: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550291: Memory - corruptions (OVERRUN)
> /lib/acpi/acpi_table.c: 549 in acpi_write_spcr()
> 543 * to touch the configuration of the serial device.
> 544 */
> 545 if (serial_info.clock != SERIAL_DEFAULT_CLOCK)
> 546 spcr->baud_rate = 0;
> 547
> 548 /* Fix checksum */
>>>> CID 550291: Memory - corruptions (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 79 using argument
> "header->length" (which evaluates to 80).
> 549 acpi_update_checksum(header);
> 550
> 551 acpi_add_table(ctx, spcr);
> 552 acpi_inc(ctx, spcr->header.length);
> 553
> 554 return 0;
>
> ** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
> /test/lib/membuf.c: 54 in lib_test_membuf_one()
>
>
> ________________________________________________________________________________________________________
> *** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
> /test/lib/membuf.c: 54 in lib_test_membuf_one()
> 48 }
> 49
> 50 test_size = TEST_SIZE;
> 51
> 52 for (i = 1; i < TEST_COUNT; i++) {
> 53 membuf_zero(&mb);
>>>> CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
>>>> "rand" should not be used for security-related applications,
> because linear congruential algorithms are too easy to break.
> 54 size = rand() % test_size;
> 55
> 56 // now write patterns and check they come back OK
> 57 ret = membuf_put(&mb, in, 0);
> 58 ret = membuf_put(&mb, in, size);
> 59 ut_asserteq(size, ret);
>
> ** CID 550289: (CONSTANT_EXPRESSION_RESULT)
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
>
>
> ________________________________________________________________________________________________________
> *** CID 550289: (CONSTANT_EXPRESSION_RESULT)
> /drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
> 165 param[16] = (blocks >> 24) & 0xff;
>>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>>> "blocks >> 16" is 0 regardless of the values of its operands. This
> occurs as the bitwise first operand of "&".
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
> 171 pccb->cmd[0] = SCSI_UNMAP;
> /drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
> 159 param[10] = 0x0;
> 160 param[11] = 0x0;
> 161 param[12] = (start >> 24) & 0xff;
> 162 param[13] = (start >> 16) & 0xff;
> 163 param[14] = (start >> 8) & 0xff;
> 164 param[15] = (start) & 0xff;
>>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>>> "blocks >> 24" is 0 regardless of the values of its operands. This
> occurs as the bitwise first operand of "&".
> 165 param[16] = (blocks >> 24) & 0xff;
> 166 param[17] = (blocks >> 16) & 0xff;
> 167 param[18] = (blocks >> 8) & 0xff;
> 168 param[19] = (blocks) & 0xff;
> 169
> 170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
>
> ** CID 550288: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550288: Memory - corruptions (OVERRUN)
> /lib/acpi/base.c: 53 in acpi_write_rsdt()
> 47 header->length = sizeof(struct acpi_rsdt);
> 48 header->revision = 1;
> 49
> 50 /* Entries are filled in later, we come with an empty set */
> 51
> 52 /* Fix checksum */
>>>> CID 550288: Memory - corruptions (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 163 using argument
> "header->length" (which evaluates to 164).
> 53 acpi_update_checksum(header);
> 54 }
> 55
> 56 static void acpi_write_xsdt(struct acpi_xsdt *xsdt)
> 57 {
> 58 struct acpi_table_header *header = &xsdt->header;
>
> ** CID 550287: Memory - corruptions (OVERRUN)
>
>
> ________________________________________________________________________________________________________
> *** CID 550287: Memory - corruptions (OVERRUN)
> /lib/acpi/acpi_table.c: 268 in acpi_write_fadt()
> 262 fadt->dsdt = fadt->x_dsdt;
> 263
> 264 fadt->preferred_pm_profile = ACPI_PM_UNSPECIFIED;
> 265
> 266 acpi_fill_fadt(fadt);
> 267
>>>> CID 550287: Memory - corruptions (OVERRUN)
>>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
> to a function which accesses it at byte offset 275 using argument
> "header->length" (which evaluates to 276).
> 268 acpi_update_checksum(header);
> 269
> 270 return acpi_add_fadt(ctx, fadt);
> 271 }
> 272
> 273 #ifndef CONFIG_QFW_ACPI
>
>
> ----- End forwarded message -----
>
More information about the U-Boot
mailing list