New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Tue Feb 11 23:30:37 CET 2025
On Tue, Feb 11, 2025 at 05:24:02PM -0500, Raymond Mao wrote:
> Hi Tom,
>
> On Mon, 10 Feb 2025 at 17:26, Tom Rini <trini at konsulko.com> wrote:
> >
> > Here's the latest report.
> >
> > ---------- Forwarded message ---------
> > From: <scan-admin at coverity.com>
> > Date: Mon, Feb 10, 2025 at 4:12 PM
> > Subject: New Defects reported by Coverity Scan for Das U-Boot
> > To: <tom.rini at gmail.com>
> >
> >
> > Hi,
> >
> > Please find the latest report on new defect(s) introduced to Das U-Boot
> > found with Coverity Scan.
> >
> > 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
> >
> >
> > New defect(s) Reported-by: Coverity Scan
> > Showing 3 of 3 defect(s)
> >
> >
> > ** CID 541281: Insecure data handling (TAINTED_SCALAR)
> > /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 541281: Insecure data handling (TAINTED_SCALAR)
> > /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> > 71 *mask = 0;
> > 72
> > 73 rc = tpm2_get_pcr_info(dev, &pcrs);
> > 74 if (rc)
> > 75 return rc;
> > 76
> > >>> CID 541281: Insecure data handling (TAINTED_SCALAR)
> > >>> Using tainted variable "pcrs.count" as a loop boundary.
>
> We don't need to check the pcrs.count here, since tpm2_get_pcr_info()
> will post an error if pcrs.count is not a value from 1 to 4.
> This is hardcoded in tpm2_get_pcr_info(), please see below:
> ```
> /*
>  * We only support 4 algorithms for now so check against that
>  * instead of TPM2_NUM_PCR_BANKS
>  */
> if (pcrs->count > 4 || pcrs->count < 1) {
> 	printf("%s: too many pcrs: %u\n", __func__, pcrs->count);
> 	return -EMSGSIZE;
> }
> ```
>
> > 77 for (i = 0; i < pcrs.count; i++) {
> > 78 struct tpms_pcr_selection *sel = &pcrs.selection[i];
> > 79 size_t j;
> > 80 u32 hash_mask = 0;
> > 81
> > 82 for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {
> >
> > ** CID 541280: Insecure data handling (TAINTED_SCALAR)
> > /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> >
> >
> > ________________________________________________________________________________________________________
> > *** CID 541280: Insecure data handling (TAINTED_SCALAR)
> > /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> > 301 * first call
> > 302 */
> > 303 ret = tpm2_get_pcr_info(dev, &pcr);
> > 304 if (ret)
> > 305 return ret;
> > 306
> > >>> CID 541280: Insecure data handling (TAINTED_SCALAR)
> > >>> Using tainted variable "pcr.count" as a loop boundary.
>
> Ditto.
OK, thanks!
--
Tom
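
The pattern discussed in this thread, where a device-supplied count is range-checked at the point it is read so that callers can use it as a loop bound, as an added example (not U-Boot code and not from the thread). The record layout and the names `parse_pcr_info`, `active_bank_mask` and `sample` are hypothetical; only the 1 to 4 range comes from the quoted check.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_BANKS 4 /* the 1..4 range from the quoted check */
#define REC_LEN   5 /* assumed record: 2-byte hash id + 3 select bytes */

struct pcr_info { /* hypothetical simplified layout, not U-Boot's struct */
	uint32_t count;
	struct { uint16_t hash; uint8_t select[3]; } sel[MAX_BANKS];
};

/* Constructed sample: count=2, bank 0 has PCRs selected, bank 1 has none. */
static const uint8_t sample[] = { 0,0,0,2, 0,0x0b,0xff,0xff,0xff, 0,0x04,0,0,0 };

/* Parse device-supplied bytes: big-endian u32 count, then count records. */
int parse_pcr_info(const uint8_t *buf, size_t len, struct pcr_info *out)
{
	uint32_t count, i;
	if (len < 4)
		return -EINVAL;
	count = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
		(uint32_t)buf[2] << 8 | buf[3];
	/* Reject the tainted count before it bounds any loop or index. */
	if (count < 1 || count > MAX_BANKS)
		return -EMSGSIZE;
	if (len - 4 < (size_t)count * REC_LEN)
		return -EINVAL; /* count claims more data than was received */
	for (i = 0; i < count; i++) {
		const uint8_t *r = buf + 4 + (size_t)i * REC_LEN;
		out->sel[i].hash = (uint16_t)(r[0] << 8 | r[1]);
		memcpy(out->sel[i].select, r + 2, 3);
	}
	out->count = count;
	return 0;
}

/* Caller: safe to loop on info.count only because the parser bounded it. */
int active_bank_mask(const uint8_t *buf, size_t len, uint32_t *mask)
{
	struct pcr_info info;
	uint32_t i;
	int rc = parse_pcr_info(buf, len, &info);
	*mask = 0;
	if (rc)
		return rc;
	for (i = 0; i < info.count; i++)
		if (info.sel[i].select[0] | info.sel[i].select[1] | info.sel[i].select[2])
			*mask |= 1u << i;
	return 0;
}
```

A static analyzer that does not follow the check inside the parser will still flag the caller's loop; the guarantee holds only as long as every path that fills `count` goes through the validated parser.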