Fwd: New Defects reported by Coverity Scan for Das U-Boot
Tom Rini
trini at konsulko.com
Tue Jan 6 00:58:13 CET 2026
Hey all,
Here's the latest report, now that next has been merged to master. Oddly, a few
of these are reported against older code that hasn't been touched and was
already being built before.
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Mon, Jan 5, 2026 at 3:24 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.rini at gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to *Das U-Boot*
found with Coverity Scan.
- *New Defects Found:* 15
- 23 defect(s), reported by Coverity Scan earlier, were marked fixed in
the recent build analyzed by Coverity Scan.
- *Defects Shown:* Showing 15 of 15 defect(s)
Defect Details
** CID 640423: Control flow issues (DEADCODE)
/drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
_____________________________________________________________________________________________
*** CID 640423: Control flow issues (DEADCODE)
/drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag()
106 }
107 const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK,
108 CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME,
109 "mmc");
110
111 if (device == -1)
>>> CID 640423: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -22;".
112 return -EINVAL;
113
114 if (reason >= FASTBOOT_REBOOT_REASONS_COUNT)
115 return -EINVAL;
116
117 ret = bcb_find_partition_and_load(bcb_iface, device, "misc");
** CID 640422: Error handling issues (CHECKED_RETURN)
/boot/fdt_region.c: 330 in fdt_include_supernodes()
_____________________________________________________________________________________________
*** CID 640422: Error handling issues (CHECKED_RETURN)
/boot/fdt_region.c: 330 in fdt_include_supernodes()
324 */
325 for (i = 0; i <= depth; i++) {
326 if (!info->stack[i].included) {
327 start = info->stack[i].offset;
328
329 /* Add the FDT_BEGIN_NODE tag of this supernode */
>>> CID 640422: Error handling issues (CHECKED_RETURN)
>>> Calling "fdt_next_tag" without checking return value (as is done elsewhere 12 out of 15 times).
330 fdt_next_tag(info->fdt, start, &stop_at);
331 if (fdt_add_region(info, base + start, stop_at - start))
332 return -1;
333
334 /* Remember that this supernode is now included */
335 info->stack[i].included = 1;
** CID 640421: Possible Control flow issues (DEADCODE)
/drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
_____________________________________________________________________________________________
*** CID 640421: Possible Control flow issues (DEADCODE)
/drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info()
132 CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1);
133
134 if (!part_name || !strcmp(part_name, "")) {
135 fastboot_fail("partition not given", response);
136 return -ENOENT;
137 }
>>> CID 640421: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "strcmp(interface, "")" inside this statement: "if (!interface || !strcmp(i...".
138 if (!interface || !strcmp(interface, "")) {
139 fastboot_fail("block interface isn't provided", response);
140 return -EINVAL;
141 }
142
143 *dev_desc = blk_get_dev(interface, device);
** CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49 in env_fat_get_dev_part()
_____________________________________________________________________________________________
*** CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT)
/env/fat.c: 49 in env_fat_get_dev_part()
43 __weak char *env_fat_get_dev_part(void)
44 {
45 #ifdef CONFIG_MMC
46 /* reserve one more char for the manipulation below */
47 static char part_str[] = CONFIG_ENV_FAT_DEVICE_AND_PART "\0";
48
>>> CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT)
>>> "strcmp("mmc", "mmc")" is always 0 because ""mmc"" is compared against itself.
49 if (!strcmp(CONFIG_ENV_FAT_INTERFACE, "mmc") && part_str[0] == ':') {
50 part_str[0] = '0' + mmc_get_env_dev();
51 strcpy(&part_str[1], CONFIG_ENV_FAT_DEVICE_AND_PART);
52 }
53
54 return part_str;
** CID 640419: Null pointer dereferences (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
_____________________________________________________________________________________________
*** CID 640419: Null pointer dereferences (REVERSE_INULL)
/drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info()
138 if (!interface || !strcmp(interface, "")) {
139 fastboot_fail("block interface isn't provided", response);
140 return -EINVAL;
141 }
142
143 *dev_desc = blk_get_dev(interface, device);
>>> CID 640419: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "dev_desc" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
144 if (!dev_desc) {
145 fastboot_fail("no such device", response);
146 return -ENODEV;
147 }
148
149 ret = part_get_info_by_name(*dev_desc, part_name, part_info);
** CID 640418: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640418: Insecure data handling (TAINTED_SCALAR)
/drivers/core/ofnode.c: 2098 in ofnode_copy_props()
2092
2093 val = ofprop_get_property(&prop, &name, &len);
2094 if (!val) {
2095 log_debug("Cannot read prop (err=%d)\n", len);
2096 return log_msg_ret("get", -EINVAL);
2097 }
>>> CID 640418: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "len" to "ofnode_write_prop", which uses it as an offset.
2098 ret = ofnode_write_prop(dst, name, val, len, true);
2099 if (ret) {
2100 log_debug("Cannot write prop (err=%d)\n", ret);
2101 return log_msg_ret("wr", -EINVAL);
2102 }
2103 }
** CID 640417: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546 in fdt_get_alias_namelen()
_____________________________________________________________________________________________
*** CID 640417: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_ro.c: 546 in fdt_get_alias_namelen()
540 {
541 int len;
542 const char *alias;
543
544 alias = fdt_path_getprop_namelen(fdt, "/aliases", name, namelen, &len);
545
>>> CID 640417: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "len - 1" as an index to pointer "alias".
546 if (!can_assume(VALID_DTB) &&
547 !(alias && len > 0 && alias[len - 1] == '\0' && *alias == '/'))
548 return NULL;
549
550 return alias;
551 }
** CID 640416: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 640416: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_overlay.c: 739 in overlay_prevent_phandle_overwrite()
733 * will be overwritten.
734 */
735 continue;
736 else if (target < 0)
737 return target;
738
>>> CID 640416: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "target" to "overlay_prevent_phandle_overwrite_node", which uses it as a loop boundary.
739 ret = overlay_prevent_phandle_overwrite_node(fdt, target,
740 fdto, overlay);
741 if (ret)
742 return ret;
743 }
744
** CID 640415: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728 in _wrap_fdt_get_property_by_offset_w()
_____________________________________________________________________________________________
*** CID 640415: Control flow issues (DEADCODE)
/scripts/dtc/pylibfdt/libfdt_wrap.c: 6728 in _wrap_fdt_get_property_by_offset_w()
6722 resultobj = SWIG_Python_AppendOutput(resultobj, buff);
6723 }
6724 }
6725 if (SWIG_IsTmpObj(res3)) {
6726 resultobj = SWIG_Python_AppendOutput(resultobj,
SWIG_From_int((*arg3)));
6727 } else {
>>> CID 640415: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "new_flags" inside this statement: "new_flags = ((res3 >= 0 && ...".
6728 int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN |
0 ) : 0 ;
6729 resultobj = SWIG_Python_AppendOutput(resultobj,
SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags));
6730 }
6731 return resultobj;
6732 fail:
6733 return NULL;
** CID 640414: Resource leaks (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320 in icc_path_init()
_____________________________________________________________________________________________
*** CID 640414: Resource leaks (RESOURCE_LEAK)
/drivers/interconnect/interconnect-uclass.c: 320 in icc_path_init()
314 path->reqs[i].node = node;
315 path->reqs[i].enabled = true;
316
317 /* Probe this node since used in an active path */
318 ret = uclass_get_device_tail(node->dev, 0, &node_dev);
319 if (ret)
>>> CID 640414: Resource leaks (RESOURCE_LEAK)
>>> Variable "path" going out of scope leaks the storage it points to.
320 return ERR_PTR(ret);
321
322 node->users++;
323
324 /* reference to previous node was saved during path traversal */
325 node = node->reverse;
** CID 536550: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57 in read_fstree()
_____________________________________________________________________________________________
*** CID 536550: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/fstree.c: 57 in read_fstree()
51 fclose(pfile);
52 }
53 } else if (S_ISDIR(st.st_mode)) {
54 struct node *newchild;
55
56 newchild = read_fstree(tmpname);
>>> CID 536550: Resource leaks (RESOURCE_LEAK)
>>> Failing to save or free storage allocated by "xstrdup(de->d_name)" leaks it.
57 newchild = name_node(newchild, xstrdup(de->d_name));
58 add_child(tree, newchild);
59 }
60
61 free(tmpname);
62 }
** CID 536369: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681 in flat_read_property()
_____________________________________________________________________________________________
*** CID 536369: Resource leaks (RESOURCE_LEAK)
/scripts/dtc/flattree.c: 681 in flat_read_property()
675
676 if ((flags & FTF_VARALIGN) && (proplen >= 8))
677 flat_realign(dtbuf, 8);
678
679 val = flat_read_data(dtbuf, proplen);
680
>>> CID 536369: Resource leaks (RESOURCE_LEAK)
>>> Variable "name" going out of scope leaks the storage it points to.
681 return build_property(name, val, NULL);
682 }
683
684 static struct reserve_info *flat_read_mem_reserve(struct inbuf *inb)
685 {
686 struct reserve_info *reservelist = NULL;
** CID 449815: Memory - illegal accesses (OVERRUN)
/lib/sm3.c: 252 in sm3_final()
_____________________________________________________________________________________________
*** CID 449815: Memory - illegal accesses (OVERRUN)
/lib/sm3.c: 252 in sm3_final()
246 unsigned int partial = sctx->count % SM3_BLOCK_SIZE;
247 u32 W[16];
248 int i;
249
250 sctx->buffer[partial++] = 0x80;
251 if (partial > bit_offset) {
>>> CID 449815: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 64 bytes at byte offset 64 by dereferencing pointer "sctx->buffer + partial". [Note: The source code implementation of the function has been overridden by a builtin model.]
252 memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial);
253 partial = 0;
254
255 sm3_block(sctx, sctx->buffer, 1, W);
256 }
257
** CID 432237: Null pointer dereferences (NULL_RETURNS)
_____________________________________________________________________________________________
*** CID 432237: Null pointer dereferences (NULL_RETURNS)
/scripts/dtc/checks.c: 1618 in check_interrupt_map()
1612 if (node->addr_cells < 0) {
1613 FAIL(c, dti, node,
1614 "Missing '#address-cells' in interrupt-map provider");
1615 return;
1616 }
1617 cellsize = node_addr_cells(node);
>>> CID 432237: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a pointer that might be "NULL" "get_property(node, "#interrupt-cells")" when calling "propval_cell".
1618 cellsize += propval_cell(get_property(node, "#interrupt-cells"));
1619
1620 prop = get_property(node, "interrupt-map-mask");
1621 if (prop && (prop->val.len != (cellsize * sizeof(cell_t))))
1622 FAIL_PROP(c, dti, node, prop,
1623 "property size (%d) is invalid, expected %zu",
** CID 328724: (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55 in apply_one()
/scripts/dtc/fdtoverlay.c: 69 in apply_one()
_____________________________________________________________________________________________
*** CID 328724: (TAINTED_SCALAR)
/scripts/dtc/fdtoverlay.c: 55 in apply_one()
49 bool has_symbols;
50
51 /*
52 * We take copies first, because a failed apply can trash
53 * both the base blob and the overlay
54 */
>>> CID 328724: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "xmalloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
55 tmpo = xmalloc(fdt_totalsize(overlay));
56
57 do {
58 tmp = xrealloc(tmp, *buf_len);
59 ret = fdt_open_into(base, tmp, *buf_len);
60 if (ret) {
/scripts/dtc/fdtoverlay.c: 69 in apply_one()
63 fdt_strerror(ret));
64 goto fail;
65 }
66 ret = fdt_path_offset(tmp, "/__symbols__");
67 has_symbols = ret >= 0;
68
>>> CID 328724: (TAINTED_SCALAR)
>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)overlay)->totalsize)" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
69 memcpy(tmpo, overlay, fdt_totalsize(overlay));
70
71 ret = fdt_overlay_apply(tmp, tmpo);
72 if (ret == -FDT_ERR_NOSPACE) {
73 *buf_len += BUF_INCREMENT;
74 }
View Defects in Coverity Scan
<https://scan.coverity.com/projects/das-u-boot?tab=overview>
Best regards,
The Coverity Scan Admin Team
----- End forwarded message -----
--
Tom