Hi,

Please find the latest report on new defect(s) introduced to coreboot found 
with Coverity Scan.

10 new defect(s) introduced to coreboot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent 
build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)


** CID 1302458:  Control flow issues  (DEADCODE)
/src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core()


________________________________________________________________________________________________________
*** CID 1302458:  Control flow issues  (DEADCODE)
/src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core()
69      /* Write PPC object */
70      acpigen_write_PPC(pstate_num);
71     
72      /* Write PSD indicating coordination type */
73      if ((single_link) && (mctGetLogicalCPUID(0) & AMD_DR_GT_Bx)) {
74              /* Revision C or greater single-link processor */
>>>     CID 1302458:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "cpuid1 = cpuid(-2147483640);".
75              cpuid1 = cpuid(0x80000008);
76              acpigen_write_PSD_package(0, (cpuid1.ecx & 0xff) + 1, SW_ALL);
77      }
78      else {
79              /* Find the local APIC ID for the specified core ID */
80              struct device* cpu;

** CID 1302457:  Control flow issues  (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test()


________________________________________________________________________________________________________
*** CID 1302457:  Control flow issues  (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test()
446             if ((*fmap)->nareas != 1) {
447                     printf("FAILURE: failed to increment number of 
areas\n");
448                     goto fmap_append_area_test_exit;
449             }
450     
451             status = pass;
>>>     CID 1302457:  Control flow issues  (MISSING_RESTORE)
>>>     Jumped to here, skipping restore.
452     fmap_append_area_test_exit:
453             return status;
454     }
455     
456     static int fmap_find_area_test(struct fmap *fmap)
457     {

** CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test()


________________________________________________________________________________________________________
*** CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test()
562                     printf("FAILURE: bsearch returned false positive\n");
563                     goto fmap_find_test_exit;
564             }
565     
566             /* simple test case: fmap at (total_size / 2) + 1 */
567             offset = (total_size / 2) + 1;
>>>     CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "fmap_size(fmap)" is passed to a parameter that cannot be negative. 
>>> [Note: The source code implementation of the function has been overridden 
>>> by a builtin model.]
568             memcpy(&buf[offset], fmap, fmap_size(fmap));
569     
570             if ((unsigned)fmap_find(buf, total_size - 1) != offset) {
571                     printf("FAILURE: lsearch failed to find fmap\n");
572                     goto fmap_find_test_exit;
573             }

** CID 1302455:  Null pointer dereferences  (NULL_RETURNS)
/util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen()


________________________________________________________________________________________________________
*** CID 1302455:  Null pointer dereferences  (NULL_RETURNS)
/util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen()
198                     partitioned_file_close(file);
199                     return NULL;
200             }
201     
202             const struct fmap_area *fmap_fmap_entry =
203                                     fmap_find_area(file->fmap, 
SECTION_NAME_FMAP);
>>>     CID 1302455:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a null pointer "fmap_fmap_entry".
204             if ((long)fmap_fmap_entry->offset != fmap_region_offset) {
205                     ERROR("FMAP's '%s' section doesn't point back to FMAP 
start (did something corrupt this file?)\n",
206                                                             
SECTION_NAME_FMAP);
207                     partitioned_file_close(file);
208                     return NULL;
209             }

** CID 1302454:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1302454:  Memory - corruptions  (OVERRUN)
/util/cbfstool/flashmap/fmap.c: 342 in fmap_create_test()
336             uint64_t base = 0;
337             uint32_t size = 0x100000;
338             char name[] = "test_fmap";
339     
340             status = fail;
341     
>>>     CID 1302454:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "name" of 10 bytes by passing it to a function which 
>>> accesses it at byte offset 31.
342             fmap = fmap_create(base, size, (uint8_t *)name);
343             if (!fmap)
344                     return NULL;
345     
346             if (memcmp(&fmap->signature, FMAP_SIGNATURE, 
strlen(FMAP_SIGNATURE))) {
347                     printf("FAILURE: signature is incorrect\n");

** CID 1302453:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()


________________________________________________________________________________________________________
*** CID 1302453:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
524             }
525             free(my_str);
526             free(str);
527     
528             status = pass;
529     fmap_flags_to_string_test_exit:
>>>     CID 1302453:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "my_str" going out of scope leaks the storage it points to.
530             return status;
531     
532     }
533     
534     static int fmap_find_test(struct fmap *fmap)
535     {

** CID 1302452:    (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()


________________________________________________________________________________________________________
*** CID 1302452:    (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
524             }
525             free(my_str);
526             free(str);
527     
528             status = pass;
529     fmap_flags_to_string_test_exit:
>>>     CID 1302452:    (RESOURCE_LEAK)
>>>     Variable "str" going out of scope leaks the storage it points to.
530             return status;
531     
532     }
533     
534     static int fmap_find_test(struct fmap *fmap)
535     {
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
524             }
525             free(my_str);
526             free(str);
527     
528             status = pass;
529     fmap_flags_to_string_test_exit:
>>>     CID 1302452:    (RESOURCE_LEAK)
>>>     Variable "str" going out of scope leaks the storage it points to.
530             return status;
531     
532     }
533     
534     static int fmap_find_test(struct fmap *fmap)
535     {

** CID 1302451:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 207 in fmap_print()


________________________________________________________________________________________________________
*** CID 1302451:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 207 in fmap_print()
201                     kv_pair_fmt(pair, "area_flags_raw", "0x%02x",
202                                     fmap->areas[i].flags);
203     
204                     /* Print descriptive strings for flags rather than the 
field */
205                     flags = fmap->areas[i].flags;
206                     if ((str = fmap_flags_to_string(flags)) == NULL)
>>>     CID 1302451:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "pair" going out of scope leaks the storage it points to.
207                             return -1;
208                     kv_pair_fmt(pair, "area_flags", "%s", str);
209                     free(str);
210     
211                     kv_pair_print(pair);
212                     kv_pair_free(pair);

** CID 1302450:  Security best practices violations  (STRING_OVERFLOW)
/src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate()


________________________________________________________________________________________________________
*** CID 1302450:  Security best practices violations  (STRING_OVERFLOW)
/src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate()
44              char *ptr;
45              int kind;
46              kind = (conf->did[i] >> 8) & 0xf;
47              if (kind >= ARRAY_SIZE(names)) {
48                      kind = 0;
49              }
>>>     CID 1302450:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 10 byte fixed-size string "name" by copying 
>>> "names[kind]" without checking the length.
50              strcpy(name, names[kind]);
51              for (ptr = name; *ptr; ptr++);
52              *ptr++ = counters[kind] + '0';
53              *ptr++ = '\0';
54              counters[kind]++;
55              acpigen_write_device(name);

** CID 1256584:  Error handling issues  (CHECKED_RETURN)
/src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io()


________________________________________________________________________________________________________
*** CID 1256584:  Error handling issues  (CHECKED_RETURN)
/src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io()
46     }
47     
48     static int crosec_spi_io(size_t req_size, size_t resp_size, void 
*context)
49     {
50      struct spi_slave *slave = (struct spi_slave *)context;
51     
>>>     CID 1256584:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "spi_claim_bus" without checking return value (as is done 
>>> elsewhere 4 out of 5 times).
52      spi_claim_bus(slave);
53     
54       /* Allow EC to ramp up clock after being awaken.
55        * See chrome-os-partner:32223 for more details. */
56      udelay(CONFIG_EC_GOOGLE_CHROMEEC_SPI_WAKEUP_DELAY_US);
57     


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit 
https://scan.coverity.com/projects/1016?tab=overview

To manage Coverity Scan email notifications for "[email protected]", click 
https://scan.coverity.com/subscriptions/edit?email=coreboot%40coreboot.org&token=49533df725f93b78361afb7b89ccde93 .


-- 
coreboot mailing list: [email protected]
http://www.coreboot.org/mailman/listinfo/coreboot
