New Defects reported by Coverity Scan for Das U-Boot
Raymond Mao
raymondmaoca at gmail.com
Tue Apr 7 22:44:36 CEST 2026
Hi Tom,
On Mon, Apr 6, 2026 at 3:12 PM Tom Rini <trini at konsulko.com> wrote:
>
> Here's the latest report, now that I've merged next to master, locally
> at least.
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Mon, Apr 6, 2026 at 12:40 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini at gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 11
> - 15 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 11 of 11 defect(s)
>
> Defect Details
>
> ** CID 645496: (USE_AFTER_FREE)
> /tools/fwumdata_src/fwumdata.c: 94 in parse_config()
> /tools/fwumdata_src/fwumdata.c: 101 in parse_config()
>
>
> _____________________________________________________________________________________________
> *** CID 645496: (USE_AFTER_FREE)
> /tools/fwumdata_src/fwumdata.c: 94 in parse_config()
> 88 &devname,
> 89 &devices[i].devoff,
> 90 &devices[i].mdata_size,
> 91 &devices[i].erase_size);
> 92
> 93 if (rc < 3) {
> >>> CID 645496: (USE_AFTER_FREE)
> >>> Calling "free" frees pointer "devname" which has already been freed.
> 94 free(devname);
> 95 continue;
> 96 }
> 97
> 98 if (rc < 4)
> 99 devices[i].erase_size = devices[i].mdata_size;
> /tools/fwumdata_src/fwumdata.c: 101 in parse_config()
> 95 continue;
> 96 }
> 97
> 98 if (rc < 4)
> 99 devices[i].erase_size = devices[i].mdata_size;
> 100
> >>> CID 645496: (USE_AFTER_FREE)
> >>> Using freed pointer "devname".
> 101 devices[i].devname = devname;
> 102 i++;
> 103 }
> 104
> 105 free(line);
> 106 fclose(fp);
>
> ** CID 645495: Uninitialized variables (UNINIT)
> /fs/fat/fat.c: 175 in disk_rw()
>
>
> _____________________________________________________________________________________________
> *** CID 645495: Uninitialized variables (UNINIT)
> /fs/fat/fat.c: 175 in disk_rw()
> 169 }
> 170 }
> 171 exit:
> 172 if (block)
> 173 free(block);
> 174
> >>> CID 645495: Uninitialized variables (UNINIT)
> >>> Using uninitialized value "ret".
> 175 return (ret == -1) ? -1 : nr_sect;
> 176 }
> 177
> 178 static int disk_read(__u32 sect, __u32 nr_sect, void *buf)
> 179 {
> 180 return disk_rw(sect, nr_sect, buf, true);
>
> ** CID 645494: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 287 in
> mt6359_get_voltage_sel()
>
>
> _____________________________________________________________________________________________
> *** CID 645494: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 287 in
> mt6359_get_voltage_sel()
> 281
> 282 selector = pmic_reg_read(dev->parent, info->desc.vsel_reg);
> 283 if (selector < 0)
> 284 return selector;
> 285
> 286 selector &= info->desc.vsel_mask;
> >>> CID 645494: Integer handling issues (BAD_SHIFT)
> >>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
> 287 selector >>= ffs(info->desc.vsel_mask) - 1;
> 288
> 289 return selector;
> 290 }
> 291
> 292 static int mt6359p_vemc_get_voltage_sel(struct udevice *dev,
> struct mt6359_regulator_info *info)
>
> ** CID 645493: Control flow issues (DEADCODE)
> /drivers/firmware/scmi/pinctrl.c: 206 in
> scmi_pinctrl_settings_get_one()
>
>
> _____________________________________________________________________________________________
> *** CID 645493: Control flow issues (DEADCODE)
> /drivers/firmware/scmi/pinctrl.c: 206 in
> scmi_pinctrl_settings_get_one()
> 200
> 201 msg.out_msg = (u8 *)out;
> 202 msg.out_msg_sz = out_sz;
> 203 in.id = selector;
> 204 in.attr = 0;
> 205 if (config_type == SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
> >>> CID 645493: Control flow issues (DEADCODE)
> >>> Execution cannot reach the expression "in.attr" inside this statement: "in.attr = ({
> ({
> do {...".
> 206 in.attr = FIELD_PREP(GENMASK(19, 18), 2);
> 207 in.attr |= FIELD_PREP(GENMASK(17, 16), select_type);
> 208 if (config_type != SCMI_PINCTRL_CONFIG_SETTINGS_FUNCTION)
> 209 in.attr |= FIELD_PREP(GENMASK(7, 0), config_type);
> 210
> 211 ret = devm_scmi_process_msg(dev, &msg);
>
> ** CID 645492: (BUFFER_SIZE)
> /drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
> /drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
>
>
> _____________________________________________________________________________________________
> *** CID 645492: (BUFFER_SIZE)
> /drivers/fwu-mdata/raw_mtd.c: 173 in get_fwu_mdata_dev()
> 167 }
> 168
> 169 /* Get the offset of primary and secondary mdata */
> 170 ret = ofnode_read_string_index(dev_ofnode(dev),
> "mdata-parts", 0, &label);
> 171 if (ret)
> 172 return ret;
> >>> CID 645492: (BUFFER_SIZE)
> >>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->pri_label" of size 50 bytes might leave the destination string unterminated.
> 173 strncpy(mtd_priv->pri_label, label, 50);
> 174
> 175 ret = flash_partition_offset(mtd_dev, mtd_priv->pri_label, &offset);
> 176 if (ret <= 0)
> 177 return ret;
> 178 mtd_priv->pri_offset = offset;
> /drivers/fwu-mdata/raw_mtd.c: 183 in get_fwu_mdata_dev()
> 177 return ret;
> 178 mtd_priv->pri_offset = offset;
> 179
> 180 ret = ofnode_read_string_index(dev_ofnode(dev),
> "mdata-parts", 1, &label);
> 181 if (ret)
> 182 return ret;
> >>> CID 645492: (BUFFER_SIZE)
> >>> Calling "strncpy" with a maximum size argument of 50 bytes on destination array "mtd_priv->sec_label" of size 50 bytes might leave the destination string unterminated.
> 183 strncpy(mtd_priv->sec_label, label, 50);
> 184
> 185 ret = flash_partition_offset(mtd_dev, mtd_priv->sec_label, &offset);
> 186 if (ret <= 0)
> 187 return ret;
> 188 mtd_priv->sec_offset = offset;
>
> ** CID 645491: Security best practices violations (STRING_OVERFLOW)
> /drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
>
>
> _____________________________________________________________________________________________
> *** CID 645491: Security best practices violations (STRING_OVERFLOW)
> /drivers/fwu-mdata/raw_mtd.c: 244 in fwu_mtd_image_info_populate()
> 238 ofnode_read_u32(image, "size", &image_size);
> 239
> 240 mtd_images[off_img].start = bank_offset + image_offset;
> 241 mtd_images[off_img].size = image_size;
> 242 mtd_images[off_img].bank_num = bank_num;
> 243 mtd_images[off_img].image_num = image_num;
> >>> CID 645491: Security best practices violations (STRING_OVERFLOW)
> >>> You might overrun the 37-character fixed-size string "mtd_images[off_img].uuidbuf" by copying "uuid" without checking the length.
> 244 strcpy(mtd_images[off_img].uuidbuf, uuid);
> 245 log_debug("\tImage%d: %s @0x%x\n\n",
> 246 image_num, uuid, bank_offset + image_offset);
> 247 off_img++;
> 248 }
> 249 }
>
> ** CID 645490: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 245 in
> mt6359p_vemc_set_voltage_sel()
>
>
> _____________________________________________________________________________________________
> *** CID 645490: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 245 in
> mt6359p_vemc_set_voltage_sel()
> 239
> 240 static int mt6359p_vemc_set_voltage_sel(struct udevice *dev,
> 241 struct mt6359_regulator_info *info, unsigned int sel)
> 242 {
> 243 int ret;
> 244
> >>> CID 645490: Integer handling issues (BAD_SHIFT)
> >>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
> 245 sel <<= ffs(info->desc.vsel_mask) - 1;
> 246 ret = pmic_reg_write(dev->parent, MT6359P_TMA_KEY_ADDR,
> MT6359P_TMA_KEY);
> 247 if (ret)
> 248 return ret;
> 249
> 250 ret = pmic_reg_read(dev->parent, MT6359P_VM_MODE_ADDR);
>
> ** CID 645489: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 234 in
> mt6359_set_voltage_sel_regmap()
>
>
> _____________________________________________________________________________________________
> *** CID 645489: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 234 in
> mt6359_set_voltage_sel_regmap()
> 228 };
> 229
> 230 static int mt6359_set_voltage_sel_regmap(struct udevice *dev,
> 231 struct mt6359_regulator_info *info,
> 232 unsigned int sel)
> 233 {
> >>> CID 645489: Integer handling issues (BAD_SHIFT)
> >>> In expression "sel <<= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
> 234 sel <<= ffs(info->desc.vsel_mask) - 1;
> 235
> 236 return pmic_clrsetbits(dev->parent, info->desc.vsel_reg,
> 237 info->desc.vsel_mask, sel);
> 238 }
> 239
>
> ** CID 645488: Error handling issues (CHECKED_RETURN)
> /tools/fwumdata_src/fwumdata.c: 189 in read_device()
>
>
> _____________________________________________________________________________________________
> *** CID 645488: Error handling issues (CHECKED_RETURN)
> /tools/fwumdata_src/fwumdata.c: 189 in read_device()
> 183 {
> 184 if (lseek(dev->fd, dev->devoff, SEEK_SET) < 0) {
> 185 fprintf(stderr, "Seek failed: %s\n", strerror(errno));
> 186 return -errno;
> 187 }
> 188
> >>> CID 645488: Error handling issues (CHECKED_RETURN)
> >>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
> 189 if (read(dev->fd, buf, count) < 0) {
> 190 fprintf(stderr, "Read failed: %s\n", strerror(errno));
> 191 return -errno;
> 192 }
> 193
> 194 return 0;
>
> ** CID 645487: Insecure data handling (TAINTED_SCALAR)
> /lib/smbios.c: 1099 in smbios_write_type9_1slot()
>
>
> _____________________________________________________________________________________________
> *** CID 645487: Insecure data handling (TAINTED_SCALAR)
> /lib/smbios.c: 1099 in smbios_write_type9_1slot()
> 1093 * TODO:
> 1094 * peer_groups = <peer_grouping_count> * SMBIOS_TYPE9_PGROUP_SIZE
> 1095 */
> 1096 len += pgroups_size;
> 1097
> 1098 t = map_sysmem(*current, len);
> >>> CID 645487: Insecure data handling (TAINTED_SCALAR)
> >>> Passing tainted expression "len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
Fixed with patch at:
https://lore.kernel.org/u-boot/20260407204113.3102785-1-raymondmaoca@gmail.com/T/#u
Regards,
Raymond
> 1099 memset(t, 0, len);
> 1100
> 1101 fill_smbios_header(t, SMBIOS_SYSTEM_SLOTS, len, handle);
> 1102
> 1103 /* eos is at the end of the structure */
> 1104 eos_addr = (u8 *)t + len - sizeof(t->eos);
>
> ** CID 645486: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 312 in
> mt6359p_vemc_get_voltage_sel()
>
>
> _____________________________________________________________________________________________
> *** CID 645486: Integer handling issues (BAD_SHIFT)
> /drivers/power/regulator/mt6359_regulator.c: 312 in
> mt6359p_vemc_get_voltage_sel()
> 306 return -EINVAL;
> 307 }
> 308 if (selector < 0)
> 309 return selector;
> 310
> 311 selector &= info->desc.vsel_mask;
> >>> CID 645486: Integer handling issues (BAD_SHIFT)
> >>> In expression "selector >>= generic_ffs(info->desc.vsel_mask) - 1", shifting by a negative amount has undefined behavior. The shift amount, "generic_ffs(info->desc.vsel_mask) - 1", is -1.
> 312 selector >>= ffs(info->desc.vsel_mask) - 1;
> 313
> 314 return selector;
> 315 }
> 316
> 317 static int mt6359_get_enable(struct udevice *dev)
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
> --
> Tom
More information about the U-Boot
mailing list