Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Tue Apr 28 16:04:33 CEST 2026
Here's the latest report.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Apr 27, 2026, 5:41 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 9
- 77 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 9 of 9 defect(s)
Defect Details
** CID 645841: Incorrect expression (BAD_COMPARE)
/common/bloblist.c: 303 in bloblist_apply_blobs()
_____________________________________________________________________________________________
*** CID 645841: Incorrect expression (BAD_COMPARE)
/common/bloblist.c: 303 in bloblist_apply_blobs()
297 log_err("Failed to apply blob with tag %d\n",
298 tag);
299 return ret;
300 }
301
302 rec = rec_from_blob(blob - dat_off);
>>> CID 645841: Incorrect expression (BAD_COMPARE)
>>> Comparing pointer "rec" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
303 if (rec <= 0) {
304 log_err("Blob corrupted\n");
305 return -ENOENT;
306 }
307
308 /* Mark applied blob record as void */
** CID 645840: Uninitialized variables (UNINIT)
_____________________________________________________________________________________________
*** CID 645840: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
961 if ((server && strlen("http://") + strlen(server) + 1 >
sizeof(tmp)) ||
962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
963 return NULL;
964
965 efi_net_get_addr(&ip, &mask, NULL, dev);
966
>>> CID 645840: Uninitialized variables (UNINIT)
>>> Using uninitialized value "ip" when calling "efi_dp_from_ipv4".
967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
968 if (!dp1)
969 return NULL;
970
971
972 strcpy(tmp, "http://");
** CID 645839: Error handling issues (CHECKED_RETURN)
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
_____________________________________________________________________________________________
*** CID 645839: Error handling issues (CHECKED_RETURN)
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645839: Error handling issues (CHECKED_RETURN)
>>> Calling "fdt_pack" without checking return value (as is done elsewhere 5 out of 6 times).
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
** CID 645838: Uninitialized variables (UNINIT)
_____________________________________________________________________________________________
*** CID 645838: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
961 if ((server && strlen("http://") + strlen(server) + 1 >
sizeof(tmp)) ||
962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
963 return NULL;
964
965 efi_net_get_addr(&ip, &mask, NULL, dev);
966
>>> CID 645838: Uninitialized variables (UNINIT)
>>> Using uninitialized value "mask" when calling "efi_dp_from_ipv4".
967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
968 if (!dp1)
969 return NULL;
970
971
972 strcpy(tmp, "http://");
** CID 645837: (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 645837: (TAINTED_SCALAR)
/lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
1769 /* Resize if the current space is not sufficient */
1770 if (blob_size < padded_size) {
1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
1772 if (ret)
1773 return ret;
1774
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_open_into", which uses it as an offset.
1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
1776 if (ret)
1777 return ret;
1778 }
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
1769 /* Resize if the current space is not sufficient */
1770 if (blob_size < padded_size) {
1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
1772 if (ret)
1773 return ret;
1774
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->totalsize" to "fdt_open_into", which uses it as an offset.
1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
1776 if (ret)
1777 return ret;
1778 }
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
1769 /* Resize if the current space is not sufficient */
1770 if (blob_size < padded_size) {
1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
1772 if (ret)
1773 return ret;
1774
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_open_into", which uses it as an offset.
1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
1776 if (ret)
1777 return ret;
1778 }
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
1779
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
1785 fdt_pack(live_fdt);
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
/lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
fdtdec_apply_dto_blob);
1781 if (ret)
1782 return ret;
1783
1784 /* Shink the blob to the actual FDT size */
1785 fdt_pack(live_fdt);
>>> CID 645837: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
fdt_totalsize(live_fdt));
1787 }
1788
1789 int fdtdec_setup(void)
1790 {
1791 int ret = -ENOENT;
** CID 645836: Resource leaks (RESOURCE_LEAK)
/drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
_____________________________________________________________________________________________
*** CID 645836: Resource leaks (RESOURCE_LEAK)
/drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
195 return -ENOMEM;
196
197 range->base = args.args[0];
198 if (range->base != priv->num_pins) {
199 dev_err(dev, "no gaps allowed in between pins %d vs %d\n",
200 priv->num_pins, range->base);
>>> CID 645836: Resource leaks (RESOURCE_LEAK)
>>> Variable "range" going out of scope leaks the storage it points to.
201 return -EINVAL;
202 }
203 range->offset = args.args[1];
204 range->npins = args.args[2];
205 priv->num_pins += args.args[2];
206 list_add_tail(&range->list, &priv->gpio_ranges);
** CID 645835: Memory - corruptions (OVERRUN)
/lib/gunzip.c: 248 in gzwrite()
_____________________________________________________________________________________________
*** CID 645835: Memory - corruptions (OVERRUN)
/lib/gunzip.c: 248 in gzwrite()
242 s.avail_out = szwritebuf - numfilled;
243 s.next_out = writebuf + numfilled;
244 } else {
245 s.avail_out = szwritebuf;
246 s.next_out = writebuf;
247 }
>>> CID 645835: Memory - corruptions (OVERRUN)
>>> Calling "inflate" with "s.next_in" and "s.avail_in" is suspicious because of the very large index, 4294966272. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.]
248 r = inflate(&s, Z_SYNC_FLUSH);
249 if ((r != Z_OK) &&
250 (r != Z_STREAM_END)) {
251 printf("Error: inflate() returned %d\n", r);
252 goto out;
253 }
** CID 645834: Control flow issues (NO_EFFECT)
/drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
_____________________________________________________________________________________________
*** CID 645834: Control flow issues (NO_EFFECT)
/drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
178 */
179 while (i < blkcnt) {
180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
181
182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
183 buffer + i * 512, type);
>>> CID 645834: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "ret < 0UL".
184 if (ret < 0)
185 return ret;
186 i += blk_per_sg;
187 }
188
189 return blkcnt >> priv->blksz_shift;
** CID 645833: Control flow issues (DEADCODE)
/drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
_____________________________________________________________________________________________
*** CID 645833: Control flow issues (DEADCODE)
/drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
179 while (i < blkcnt) {
180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
181
182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
183 buffer + i * 512, type);
184 if (ret < 0)
>>> CID 645833: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return ret;".
185 return ret;
186 i += blk_per_sg;
187 }
188
189 return blkcnt >> priv->blksz_shift;
190 }
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom