Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Mon Apr 6 21:12:15 CEST 2026
Here's the latest report, now that I've merged next to master, locally
at least.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Apr 6, 2026 at 12:40 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 11
- 15 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 11 of 11 defect(s)
Defect Details
** CID 645496: (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94 in parse_config()
/tools/fwumdata_src/fwumdata.c: 101 in parse_config()
_____________________________________________________________________________________________
*** CID 645496: (USE_AFTER_FREE)
/tools/fwumdata_src/fwumdata.c: 94 in parse_config()
88 &devname,
89 &devices[i].devoff,
90 &devices[i].mdata_size,
91 &devices[i].erase_size);
92
93 if (rc < 3) {
>>> CID 645496: (USE_AFTER_FREE)
>>> Calling "free" frees pointer "devname" which has already been freed.
94 free(devname);
95 continue;
96 }
97
98 if (rc < 4)
99 devices[i].erase_size = devices[i].mdata_size;
/tools/fwumdata_src/fwumdata.c: 101 in parse_config()
95 continue;
96 }
97
98 if (rc < 4)
99 devices[i].erase_size = devices[i].mdata_size;
100
>>> CID 645496: (USE_AFTER_FREE)
>>> Using freed pointer "devname".
101 devices[i].devname = devname;
102 i++;
103 }
104
105 free(line);
106 fclose(fp);
** CID 645495: Uninitialized variables (UNINIT)
/fs/fat/fat.c: 175 in disk_rw()
_____________________________________________________________________________________________
*** CID 645495: Uninitialized variables (UNINIT)
/fs/fat/fat.c: 175 in disk_rw()
169 }
170 }
171 exit:
172 if (block)
173 free(block);
174
>>> CID 645495: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ret".
175 return (ret == -1) ? -1 : nr_sect;
176 }
177
178 static int disk_read(__u32 sect, __u32 nr_sect, void *buf)
179 {
180 return disk_rw(sect, nr_sect, buf, true);
** CID 645494: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287 in
mt6359_get_voltage_sel()
_____________________________________________________________________________________________
*** CID 645494: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 287 in
mt6359_get_voltage_sel()
281
282 selector = pmic_reg_read(dev->parent, info->desc.vsel_reg);
283 if (selector < 0)
284 return selector;
285
286 selector &= info->desc.vsel_mask;
>>> CID 645494: Integer handling issues (BAD_SHIFT)
>>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
287 selector >>= ffs(info->desc.vsel_mask) - 1;
288
289 return selector;
290 }
291
292 static int mt6359p_vemc_get_voltage_sel(struct udevice *dev,
struct mt6359_regulator_info *info)
** CID 645493: Control flow issues (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206 in
scmi_pinctrl_settings_get_one()
_____________________________________________________________________________________________
*** CID 645493: Control flow issues (DEADCODE)
/drivers/firmware/scmi/pinctrl.c: 206 in
scmi_pinctrl_settings_get_one()
200
201 msg.out_msg = (u8 *)out;
202 msg.out_msg_sz = out_sz;
203 in.id = selector;
204 in.attr = 0;
205 if (config_type == SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
>>> CID 645493: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "in.attr" inside this statement: "in.attr = ({
({
do {...".
206 in.attr = FIELD_PREP(GENMASK(19, 18), 2);
207 in.attr |= FIELD_PREP(GENMASK(17, 16), select_type);
208 if (config_type != SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
209 in.attr |= FIELD_PREP(GENMASK(7, 0), config_type);
210
211 ret = devm_scmi_process_msg(dev, &msg);
** CID 645492: (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
/drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
_____________________________________________________________________________________________
*** CID 645492: (BUFFER_SIZE)
/drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
167 }
168
169 /* Get the offset of primary and secondary mdata */
170 ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 0, &label);
171 if (ret)
172 return ret;
>>> CID 645492: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->pri_label" of size 50 bytes might leave the destination string unterminated.
173 strncpy(mtd_priv->pri_label, label, 50);
174
175 ret = flash_partition_offset(mtd_dev, mtd_priv->pri_label, &offset);
176 if (ret <= 0)
177 return ret;
178 mtd_priv->pri_offset = offset;
/drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
177 return ret;
178 mtd_priv->pri_offset = offset;
179
180 ret = ofnode_read_string_index(dev_ofnode(dev),
"mdata-parts", 1, &label);
181 if (ret)
182 return ret;
>>> CID 645492: (BUFFER_SIZE)
>>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->sec_label" of size 50 bytes might leave the destination string unterminated.
183 strncpy(mtd_priv->sec_label, label, 50);
184
185 ret = flash_partition_offset(mtd_dev, mtd_priv->sec_label, &offset);
186 if (ret <= 0)
187 return ret;
188 mtd_priv->sec_offset = offset;
** CID 645491: Security best practices violations (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
_____________________________________________________________________________________________
*** CID 645491: Security best practices violations (STRING_OVERFLOW)
/drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
238 ofnode_read_u32(image, "size", &image_size);
239
240 mtd_images[off_img].start = bank_offset + image_offset;
241 mtd_images[off_img].size = image_size;
242 mtd_images[off_img].bank_num = bank_num;
243 mtd_images[off_img].image_num = image_num;
>>> CID 645491: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 37-character fixed-size string "mtd_images[off_img].uuidbuf" by copying "uuid" without checking the length.
244 strcpy(mtd_images[off_img].uuidbuf, uuid);
245 log_debug("\tImage%d: %s @0x%x\n\n",
246 image_num, uuid, bank_offset + image_offset);
247 off_img++;
248 }
249 }
** CID 645490: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245 in
mt6359p_vemc_set_voltage_sel()
_____________________________________________________________________________________________
*** CID 645490: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 245 in
mt6359p_vemc_set_voltage_sel()
239
240 static int mt6359p_vemc_set_voltage_sel(struct udevice *dev,
241 struct mt6359_regulator_info *info, unsigned int sel)
242 {
243 int ret;
244
>>> CID 645490: Integer handling issues (BAD_SHIFT)
>>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
245 sel <<= ffs(info->desc.vsel_mask) - 1;
246 ret = pmic_reg_write(dev->parent, MT6359P_TMA_KEY_ADDR,
MT6359P_TMA_KEY);
247 if (ret)
248 return ret;
249
250 ret = pmic_reg_read(dev->parent, MT6359P_VM_MODE_ADDR);
** CID 645489: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234 in
mt6359_set_voltage_sel_regmap()
_____________________________________________________________________________________________
*** CID 645489: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 234 in
mt6359_set_voltage_sel_regmap()
228 };
229
230 static int mt6359_set_voltage_sel_regmap(struct udevice *dev,
231 struct mt6359_regulator_info *info,
232 unsigned int sel)
233 {
>>> CID 645489: Integer handling issues (BAD_SHIFT)
>>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
234 sel <<= ffs(info->desc.vsel_mask) - 1;
235
236 return pmic_clrsetbits(dev->parent, info->desc.vsel_reg,
237 info->desc.vsel_mask, sel);
238 }
239
** CID 645488: Error handling issues (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189 in read_device()
_____________________________________________________________________________________________
*** CID 645488: Error handling issues (CHECKED_RETURN)
/tools/fwumdata_src/fwumdata.c: 189 in read_device()
183 {
184 if (lseek(dev->fd, dev->devoff, SEEK_SET) < 0) {
185 fprintf(stderr, "Seek failed: %s\n", strerror(errno));
186 return -errno;
187 }
188
>>> CID 645488: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
189 if (read(dev->fd, buf, count) < 0) {
190 fprintf(stderr, "Read failed: %s\n", strerror(errno));
191 return -errno;
192 }
193
194 return 0;
** CID 645487: Insecure data handling (TAINTED_SCALAR)
/lib/smbios.c: 1099 in smbios_write_type9_1slot()
_____________________________________________________________________________________________
*** CID 645487: Insecure data handling (TAINTED_SCALAR)
/lib/smbios.c: 1099 in smbios_write_type9_1slot()
1093 * TODO:
1094 * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
1095 */
1096 len += pgroups_size;
1097
1098 t = map_sysmem(*current, len);
>>> CID 645487: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1099 memset(t, 0, len);
1100
1101 fill_smbios_header(t, SMBIOS_SYSTEM_SLOTS, len, handle);
1102
1103 /* eos is at the end of the structure */
1104 eos_addr = (u8 *)t + len - sizeof(t->eos);
** CID 645486: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312 in
mt6359p_vemc_get_voltage_sel()
_____________________________________________________________________________________________
*** CID 645486: Integer handling issues (BAD_SHIFT)
/drivers/power/regulator/mt6359_regulator.c: 312 in
mt6359p_vemc_get_voltage_sel()
306 return -EINVAL;
307 }
308 if (selector < 0)
309 return selector;
310
311 selector &= info->desc.vsel_mask;
>>> CID 645486: Integer handling issues (BAD_SHIFT)
>>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
312 selector >>= ffs(info->desc.vsel_mask) - 1;
313
314 return selector;
315 }
316
317 static int mt6359_get_enable(struct udevice *dev)
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260406/6a8281a9/attachment.sig>
More information about the U-Boot
mailing list