New Defects reported by Coverity Scan for Das U-Boot
Adriana Nicolae
adriana at arista.com
Tue Dec 9 12:06:28 CET 2025
Hello,
A possible fix for fdtdec.c tests would be to validate the fdt size
before using it.
All three tests in this file use the same approach; if the previous tests were
acceptable, note that the newly added one shares identical parts with them.
If there is a way to test and fix all three of these reports, I've drafted some
changes which
might be enough for Coverity to treat the size of the fdt as safe. Let me
know how I can test it, or whether I should post it as a
separate change in its own email.
diff --git a/test/dm/fdtdec.c b/test/dm/fdtdec.c
index ea5a494612c..a3c90d38115 100644
--- a/test/dm/fdtdec.c
+++ b/test/dm/fdtdec.c
@@ -14,14 +14,21 @@
DECLARE_GLOBAL_DATA_PTR;
+#define FDTDEC_MAX_SIZE (2 * 1024 * 1024)
+
static int dm_test_fdtdec_set_carveout(struct unit_test_state *uts)
{
struct fdt_memory resv;
void *blob;
const fdt32_t *prop;
- int blob_sz, len, offset;
+ int blob_sz, len, offset, fdt_sz;
+
+ fdt_sz = fdt_totalsize(gd->fdt_blob);
+ if (fdt_sz <= 0 || fdt_sz > FDTDEC_MAX_SIZE) {
+ return -EINVAL;
+ }
- blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
+ blob_sz = fdt_sz + 4096;
blob = malloc(blob_sz);
ut_assertnonnull(blob);
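Review bot: The new guard bounds only `totalsize`, but the Coverity report quoted below flags three tainted header fields reaching `fdt_open_into()` — `totalsize`, `size_dt_strings` and `size_dt_struct` — so the `FDTDEC_MAX_SIZE` cap leaves two of them unchecked, and the 2 MiB limit itself is not derived from anything in the blob. Validating the header with libfdt's own checker covers all three (as far as I recall, `fdt_check_header()` rejects a header whose struct/strings blocks do not fit inside `totalsize`) and keeps the failure inside the test framework: replace the added `if (fdt_sz <= 0 || fdt_sz > FDTDEC_MAX_SIZE) return -EINVAL;` with `ut_assertok(fdt_check_header(gd->fdt_blob));` before `fdt_totalsize()` is read. A bare `return -EINVAL` from a unit test reports a failure with no file/line diagnostic, whereas the `ut_assert*` macros do. The body of dm_test_fdtdec_set_carveout() continues past the end of this hunk.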
@@ -67,10 +74,15 @@ static int
dm_test_fdtdec_add_reserved_memory(struct unit_test_state *uts)
fdt_size_t size;
void *blob;
unsigned long flags = FDTDEC_RESERVED_MEMORY_NO_MAP;
- int blob_sz, parent, subnode;
+ int blob_sz, parent, subnode, fdt_sz;
uint32_t phandle, phandle1;
- blob_sz = fdt_totalsize(gd->fdt_blob) + 128;
+ fdt_sz = fdt_totalsize(gd->fdt_blob);
+ if (fdt_sz <= 0 || fdt_sz > FDTDEC_MAX_SIZE) {
+ return -EINVAL;
+ }
+
+ blob_sz = fdt_sz + 128;
blob = malloc(blob_sz);
ut_assertnonnull(blob);
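Review bot: The same four-line size check is now pasted verbatim into three tests, which is the kind of duplication that drifts the next time one copy is touched; a small `static` helper next to the `FDTDEC_MAX_SIZE` definition would keep a single point of truth. Each call site then collapses to `fdt_sz = fdtdec_checked_totalsize(); if (fdt_sz < 0) return fdt_sz;`. Note also that U-Boot follows kernel style, which drops the braces around a single-statement `if` body, though the existing `-EAGAIN` return in this file appears to keep them, so follow whatever the file actually does. The enclosing dm_test_fdtdec_add_reserved_memory() starts at the hunk header and continues past the last line shown.
```c
/* Read the live FDT's totalsize, bounded so it can be copied into a test buffer. */
static int fdtdec_checked_totalsize(void)
{
	int fdt_sz = fdt_totalsize(gd->fdt_blob);

	if (fdt_sz <= 0 || fdt_sz > FDTDEC_MAX_SIZE)
		return -EINVAL;

	return fdt_sz;
}

/* … unchanged: dm_test_fdtdec_add_reserved_memory() prologue … */
	fdt_sz = fdtdec_checked_totalsize();
	if (fdt_sz < 0)
		return fdt_sz;

	blob_sz = fdt_sz + 128;
```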
@@ -138,14 +150,19 @@ static int dm_test_fdt_chosen_smbios(struct
unit_test_state *uts)
void *blob;
ulong val;
struct smbios3_entry *entry;
- int chosen, blob_sz;
+ int chosen, blob_sz, fdt_sz;
const fdt64_t *prop;
if (!CONFIG_IS_ENABLED(GENERATE_SMBIOS_TABLE)) {
return -EAGAIN;
}
- blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
+ fdt_sz = fdt_totalsize(gd->fdt_blob);
+ if (fdt_sz <= 0 || fdt_sz > FDTDEC_MAX_SIZE) {
+ return -EINVAL;
+ }
+
+ blob_sz = fdt_sz + 4096;
blob = memalign(8, blob_sz);
ut_assertnonnull(blob);
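Review bot: `fdt_totalsize()` returns `uint32_t` in libfdt, so storing it in `int fdt_sz` relies on values of 2^31 and above wrapping negative and being caught by the `<= 0` half of the check — correct, but indirect, and `0` is not the real lower bound either, since a blob smaller than its own header cannot be valid. Declaring the local as `uint32_t fdt_sz = fdt_totalsize(gd->fdt_blob);` and checking `if (fdt_sz < sizeof(struct fdt_header) || fdt_sz > FDTDEC_MAX_SIZE)` states the intended bounds without a signed/unsigned conversion; `blob_sz` can stay `int` because the cap keeps `fdt_sz + 4096` well inside it. A short comment on `FDTDEC_MAX_SIZE` saying where 2 MiB comes from (`/* generous upper bound for any DT this test copies; only used to bound the malloc */`) would also help the next reader, since nothing in the file justifies the number. The body of dm_test_fdt_chosen_smbios() continues past the last line shown.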
On Mon, Dec 8, 2025 at 9:38 PM Tom Rini <trini at konsulko.com> wrote:
>
> Here's the latest Coverity scan report. I think the test/dm/clk_ccf.c
> report is just a "works as intended" but I'm not sure off-hand about the
> fdtdec.c test. Might be the case the previous test in the file also has
> this problem, and since it's just test code, might also be fine enough.
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Mon, Dec 8, 2025 at 1:23 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini at gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 2
> - 1 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 2 of 2 defect(s)
>
> Defect Details
>
> ** CID 639831: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 639831: (TAINTED_SCALAR)
> /test/dm/fdtdec.c: 153 in dm_test_fdt_chosen_smbios()
> 147
> 148 blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
> 149 blob = memalign(8, blob_sz);
> 150 ut_assertnonnull(blob);
> 151
> 152 /* Make a writable copy of the fdt blob */
> >>> CID 639831: (TAINTED_SCALAR)
> >>> Passing tainted expression "gd->fdt_blob->totalsize" to "fdt_open_into", which uses it as an offset.
> 153 ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
> 154
> 155 /* Mock SMBIOS table */
> 156 entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
> smbios3_entry));
> 157 memcpy(entry->anchor, "_SM3_", 5);
> 158 entry->length = sizeof(struct smbios3_entry);
> /test/dm/fdtdec.c: 153 in dm_test_fdt_chosen_smbios()
> 147
> 148 blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
> 149 blob = memalign(8, blob_sz);
> 150 ut_assertnonnull(blob);
> 151
> 152 /* Make a writable copy of the fdt blob */
> >>> CID 639831: (TAINTED_SCALAR)
> >>> Passing tainted expression "gd->fdt_blob->size_dt_strings" to "fdt_open_into", which uses it as an offset.
> 153 ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
> 154
> 155 /* Mock SMBIOS table */
> 156 entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
> smbios3_entry));
> 157 memcpy(entry->anchor, "_SM3_", 5);
> 158 entry->length = sizeof(struct smbios3_entry);
> /test/dm/fdtdec.c: 153 in dm_test_fdt_chosen_smbios()
> 147
> 148 blob_sz = fdt_totalsize(gd->fdt_blob) + 4096;
> 149 blob = memalign(8, blob_sz);
> 150 ut_assertnonnull(blob);
> 151
> 152 /* Make a writable copy of the fdt blob */
> >>> CID 639831: (TAINTED_SCALAR)
> >>> Passing tainted expression "gd->fdt_blob->size_dt_struct" to "fdt_open_into", which uses it as an offset.
> 153 ut_assertok(fdt_open_into(gd->fdt_blob, blob, blob_sz));
> 154
> 155 /* Mock SMBIOS table */
> 156 entry = map_sysmem(gd->arch.smbios_start, sizeof(struct
> smbios3_entry));
> 157 memcpy(entry->anchor, "_SM3_", 5);
> 158 entry->length = sizeof(struct smbios3_entry);
>
> ** CID 639830: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/clk_ccf.c: 68 in dm_test_clk_ccf()
>
>
> _____________________________________________________________________________________________
> *** CID 639830: Integer handling issues (INTEGER_OVERFLOW)
> /test/dm/clk_ccf.c: 68 in dm_test_clk_ccf()
> 62 ut_asserteq(CLK_SET_RATE_NO_REPARENT, clk->flags);
> 63
> 64 rate = clk_get_parent_rate(clk);
> 65 ut_asserteq(rate, 60000000);
> 66
> 67 rate = clk_set_rate(clk, 60000000);
> >>> CID 639830: Integer handling issues (INTEGER_OVERFLOW)
> >>> Expression "_val1", where "rate" is known to be equal to -38, overflows the type of "_val1", which is type "unsigned int".
> 68 ut_asserteq(rate, -ENOSYS);
> 69
> 70 rate = clk_get_rate(clk);
> 71 ut_asserteq(rate, 60000000);
> 72
> 73 ret = clk_get_by_id(CLK_ID(dev, SANDBOX_CLK_PLL3_80M), &pclk);
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
> --
> Tom