Fwd: New Defects reported by Coverity Scan for Das U-Boot
Christian Pötzsch
christian.poetzsch at kernkonzept.com
Tue May 12 10:44:46 CEST 2026
Hi Tom,
On 4/28/26 4:04 PM, Tom Rini wrote:
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-admin at coverity.com>
> Date: Mon, Apr 27, 2026, 5:41 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.rini at gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to *Das U-Boot*
> found with Coverity Scan.
>
> - *New Defects Found:* 9
> - 77 defect(s), reported by Coverity Scan earlier, were marked fixed in
> the recent build analyzed by Coverity Scan.
> - *Defects Shown:* Showing 9 of 9 defect(s)
>
> Defect Details
>
>
> ** CID 645841: Incorrect expression (BAD_COMPARE)
> /common/bloblist.c: 303 in bloblist_apply_blobs()
>
>
> _____________________________________________________________________________________________
> *** CID 645841: Incorrect expression (BAD_COMPARE)
> /common/bloblist.c: 303 in bloblist_apply_blobs()
> 297 log_err("Failed to apply blob with tag %d\n",
> 298 tag);
> 299 return ret;
> 300 }
> 301
> 302 rec = rec_from_blob(blob - dat_off);
>>>> CID 645841: Incorrect expression (BAD_COMPARE)
>>>> Comparing pointer "rec" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
> 303 if (rec <= 0) {
> 304 log_err("Blob corrupted\n");
> 305 return -ENOENT;
> 306 }
> 307
> 308 /* Mark applied blob record as void */
>
> ** CID 645840: Uninitialized variables (UNINIT)
>
>
> _____________________________________________________________________________________________
> *** CID 645840: Uninitialized variables (UNINIT)
> /lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
> 961 if ((server && strlen("http://") + strlen(server) + 1 >
> sizeof(tmp)) ||
> 962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
> 963 return NULL;
> 964
> 965 efi_net_get_addr(&ip, &mask, NULL, dev);
> 966
>>>> CID 645840: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "ip" when calling "efi_dp_from_ipv4".
> 967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
> 968 if (!dp1)
> 969 return NULL;
> 970
> 971
> 972 strcpy(tmp, "http://");
>
> ** CID 645839: Error handling issues (CHECKED_RETURN)
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
>
>
> _____________________________________________________________________________________________
> *** CID 645839: Error handling issues (CHECKED_RETURN)
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645839: Error handling issues (CHECKED_RETURN)
>>>> Calling "fdt_pack" without checking return value (as is done elsewhere 5 out of 6 times).
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
>
> ** CID 645838: Uninitialized variables (UNINIT)
>
>
> _____________________________________________________________________________________________
> *** CID 645838: Uninitialized variables (UNINIT)
> /lib/efi_loader/efi_device_path.c: 967 in efi_dp_from_http()
> 961 if ((server && strlen("http://") + strlen(server) + 1 >
> sizeof(tmp)) ||
> 962 (!server && IS_ENABLED(CONFIG_NET_LWIP)))
> 963 return NULL;
> 964
> 965 efi_net_get_addr(&ip, &mask, NULL, dev);
> 966
>>>> CID 645838: Uninitialized variables (UNINIT)
>>>> Using uninitialized value "mask" when calling "efi_dp_from_ipv4".
> 967 dp1 = efi_dp_from_ipv4(&ip, &mask, NULL, dev);
> 968 if (!dp1)
> 969 return NULL;
> 970
> 971
> 972 strcpy(tmp, "http://");
>
> ** CID 645837: (TAINTED_SCALAR)
>
>
> _____________________________________________________________________________________________
> *** CID 645837: (TAINTED_SCALAR)
> /lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
> 1769 /* Resize if the current space is not sufficient */
> 1770 if (blob_size < padded_size) {
> 1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
> 1772 if (ret)
> 1773 return ret;
> 1774
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_open_into", which uses it as an offset.
> 1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
> 1776 if (ret)
> 1777 return ret;
> 1778 }
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
> 1769 /* Resize if the current space is not sufficient */
> 1770 if (blob_size < padded_size) {
> 1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
> 1772 if (ret)
> 1773 return ret;
> 1774
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->totalsize" to "fdt_open_into", which uses it as an offset.
> 1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
> 1776 if (ret)
> 1777 return ret;
> 1778 }
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1775 in fdtdec_apply_bloblist_dtos()
> 1769 /* Resize if the current space is not sufficient */
> 1770 if (blob_size < padded_size) {
> 1771 ret = bloblist_resize(BLOBLISTT_CONTROL_FDT, padded_size);
> 1772 if (ret)
> 1773 return ret;
> 1774
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_open_into", which uses it as an offset.
> 1775 ret = fdt_open_into(live_fdt, live_fdt, padded_size);
> 1776 if (ret)
> 1777 return ret;
> 1778 }
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_struct" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1785 in fdtdec_apply_bloblist_dtos()
> 1779
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "live_fdt->size_dt_strings" to "fdt_pack", which uses it as an offset.
> 1785 fdt_pack(live_fdt);
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> /lib/fdtdec.c: 1786 in fdtdec_apply_bloblist_dtos()
> 1780 ret = bloblist_apply_blobs(BLOBLISTT_FDT_OVERLAY,
> fdtdec_apply_dto_blob);
> 1781 if (ret)
> 1782 return ret;
> 1783
> 1784 /* Shink the blob to the actual FDT size */
> 1785 fdt_pack(live_fdt);
>>>> CID 645837: (TAINTED_SCALAR)
>>>> Passing tainted expression "fdt32_ld(&((struct fdt_header const *)live_fdt)->totalsize)" to "bloblist_resize", which uses it as an offset.
> 1786 return bloblist_resize(BLOBLISTT_CONTROL_FDT,
> fdt_totalsize(live_fdt));
> 1787 }
> 1788
> 1789 int fdtdec_setup(void)
> 1790 {
> 1791 int ret = -ENOENT;
>
> ** CID 645836: Resource leaks (RESOURCE_LEAK)
> /drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
>
>
> _____________________________________________________________________________________________
> *** CID 645836: Resource leaks (RESOURCE_LEAK)
> /drivers/gpio/gpio_scmi.c: 201 in scmi_gpio_probe()
> 195 return -ENOMEM;
> 196
> 197 range->base = args.args[0];
> 198 if (range->base != priv->num_pins) {
> 199 dev_err(dev, "no gaps allowed in between pins %d vs %d\n",
> 200 priv->num_pins, range->base);
>>>> CID 645836: Resource leaks (RESOURCE_LEAK)
>>>> Variable "range" going out of scope leaks the storage it points to.
> 201 return -EINVAL;
> 202 }
> 203 range->offset = args.args[1];
> 204 range->npins = args.args[2];
> 205 priv->num_pins += args.args[2];
> 206 list_add_tail(&range->list, &priv->gpio_ranges);
>
> ** CID 645835: Memory - corruptions (OVERRUN)
> /lib/gunzip.c: 248 in gzwrite()
>
>
> _____________________________________________________________________________________________
> *** CID 645835: Memory - corruptions (OVERRUN)
> /lib/gunzip.c: 248 in gzwrite()
> 242 s.avail_out = szwritebuf - numfilled;
> 243 s.next_out = writebuf + numfilled;
> 244 } else {
> 245 s.avail_out = szwritebuf;
> 246 s.next_out = writebuf;
> 247 }
>>>> CID 645835: Memory - corruptions (OVERRUN)
>>>> Calling "inflate" with "s.next_in" and "s.avail_in" is suspicious because of the very large index, 4294966272. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.]
> 248 r = inflate(&s, Z_SYNC_FLUSH);
> 249 if ((r != Z_OK) &&
> 250 (r != Z_STREAM_END)) {
> 251 printf("Error: inflate() returned %d\n", r);
> 252 goto out;
> 253 }
>
> ** CID 645834: Control flow issues (NO_EFFECT)
> /drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
>
>
> _____________________________________________________________________________________________
> *** CID 645834: Control flow issues (NO_EFFECT)
> /drivers/virtio/virtio_blk.c: 184 in virtio_blk_do_req()
> 178 */
> 179 while (i < blkcnt) {
> 180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
> 181
> 182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
> 183 buffer + i * 512, type);
>>>> CID 645834: Control flow issues (NO_EFFECT)
>>>> This less-than-zero comparison of an unsigned value is never true. "ret < 0UL".
> 184 if (ret < 0)
> 185 return ret;
> 186 i += blk_per_sg;
> 187 }
> 188
> 189 return blkcnt >> priv->blksz_shift;
>
> ** CID 645833: Control flow issues (DEADCODE)
> /drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
>
>
> _____________________________________________________________________________________________
> *** CID 645833: Control flow issues (DEADCODE)
> /drivers/virtio/virtio_blk.c: 185 in virtio_blk_do_req()
> 179 while (i < blkcnt) {
> 180 u32 blk_per_sg = min(blkcnt - i, seg_sec_cnt * priv->seg_max);
> 181
> 182 ret = virtio_blk_do_single_req(dev, sector + i, blk_per_sg,
> 183 buffer + i * 512, type);
> 184 if (ret < 0)
>>>> CID 645833: Control flow issues (DEADCODE)
>>>> Execution cannot reach this statement: "return ret;".
> 185 return ret;
> 186 i += blk_per_sg;
> 187 }
> 188
> 189 return blkcnt >> priv->blksz_shift;
> 190 }
The last two errors should hopefully be fixed by https://patchwork.ozlabs.org/project/uboot/patch/20260512083949.3493010-1-christian.poetzsch@kernkonzept.com/
>
>
>
> View Defects in Coverity Scan
> <https://scan.coverity.com/projects/das-u-boot?tab=overview>
>
> Best regards,
>
> The Coverity Scan Admin Team
>
> ----- End forwarded message -----
>
--
http://www.kernkonzept.com
Kernkonzept GmbH. Sitz: Dresden. Amtsgericht Dresden, HRB 31129.
Geschäftsführer: Dr.-Ing. Michael Hohmuth
More information about the U-Boot
mailing list