Hi, Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
47 new defect(s) introduced to coreboot found with Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 47 defect(s) ** CID 1366756: Control flow issues (DEADCODE) /src/lib/spd_bin.c: 165 in get_spd_smbus() ________________________________________________________________________________________________________ *** CID 1366756: Control flow issues (DEADCODE) /src/lib/spd_bin.c: 165 in get_spd_smbus() 159 get_spd(spd_data_ptr + i * CONFIG_DIMM_SPD_SIZE, 160 0xA0 + (i << 1)); 161 blk->spd_array[i] = spd_data_ptr + i * CONFIG_DIMM_SPD_SIZE; 162 } 163 164 for (j = i; j < CONFIG_DIMM_MAX; j++) >>> CID 1366756: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "blk->spd_array[j] = NULL;". 165 blk->spd_array[j] = NULL; 166 167 update_spd_len(blk); ** CID 1366755: Error handling issues (CHECKED_RETURN) /src/lib/spd_bin.c: 120 in get_spd_cbfs_rdev() ________________________________________________________________________________________________________ *** CID 1366755: Error handling issues (CHECKED_RETURN) /src/lib/spd_bin.c: 120 in get_spd_cbfs_rdev() 114 int get_spd_cbfs_rdev(struct region_device *spd_rdev, u8 spd_index) 115 { 116 struct cbfsf fh; 117 118 uint32_t cbfs_type = CBFS_TYPE_SPD; 119 >>> CID 1366755: Error handling issues (CHECKED_RETURN) >>> Calling "cbfs_boot_locate" without checking return value (as is done >>> elsewhere 10 out of 11 times). 
120 cbfs_boot_locate(&fh, "spd.bin", &cbfs_type); 121 cbfs_file_data(spd_rdev, &fh); 122 return rdev_chain(spd_rdev, spd_rdev, spd_index * CONFIG_DIMM_SPD_SIZE, 123 CONFIG_DIMM_SPD_SIZE); 124 } 125 ** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 838 in parse_subpart_dir() ________________________________________________________________________________________________________ *** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 831 in parse_subpart_dir() 825 memcpy(hdr.name, data + offset, sizeof(hdr.name)); 826 offset += sizeof(hdr.name); 827 828 validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name); 829 830 assert(size > subpart_dir_size(&hdr)); >>> CID 1361275: (TAINTED_SCALAR) >>> Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink. 831 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir"); 832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 833 834 /* Read Subpart Dir entries. */ 835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 836 struct subpart_dir_entry *e = &subpart_dir->e[0]; /util/cbfstool/ifwitool.c: 838 in parse_subpart_dir() 832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 833 834 /* Read Subpart Dir entries. */ 835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 836 struct subpart_dir_entry *e = &subpart_dir->e[0]; 837 uint32_t i; >>> CID 1361275: (TAINTED_SCALAR) >>> Using tainted variable "hdr.num_entries" as a loop boundary. 
838 for (i = 0; i < hdr.num_entries; i++) { 839 memcpy(e[i].name, data + offset, sizeof(e[i].name)); 840 offset += sizeof(e[i].name); 841 offset = read_member(data, offset, sizeof(e[i].offset), 842 &e[i].offset); 843 offset = read_member(data, offset, sizeof(e[i].length), ** CID 1361274: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1361274: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 717 in alloc_bpdt_buffer() 711 { 712 struct bpdt_header bpdt_header; 713 assert((offset + BPDT_HEADER_SIZE) < size); 714 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name); 715 716 /* Buffer to read BPDT header and entries. */ >>> CID 1361274: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted >>> sink. 717 alloc_buffer(b, get_bpdt_size(&bpdt_header), name); 718 719 struct bpdt *bpdt = buffer_get(b); 720 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE); 721 722 /* ** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry() ________________________________________________________________________________________________________ *** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry() 1294 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e, 1295 struct buffer *b, size_t offset) 1296 { 1297 memset(e, 0, sizeof(*e)); 1298 1299 assert(strlen(b->name) <= sizeof(e->name)); >>> CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) >>> Calling strncpy with a maximum size argument of 12 bytes on destination >>> array "e->name" of size 12 bytes might leave the destination string >>> unterminated. 
1300 strncpy((char *)e->name, (char *)b->name, sizeof(e->name)); 1301 e->offset = offset; 1302 e->length = buffer_size(b); 1303 1304 return (offset + buffer_size(b)); 1305 } ** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl() ________________________________________________________________________________________________________ *** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl() 1090 1091 if (read_from_image(context->input_image_filename, 1092 offset, bl_length, 1093 &image, &image_actual_size, file_type_bin)) { 1094 printf("Error reading image file %s.\n", 1095 context->input_image_filename); >>> CID 1353793: Resource leaks (RESOURCE_LEAK) >>> Variable "image" going out of scope leaks the storage it points to. 1096 return -ENOMEM; 1097 } 1098 1099 pages_in_image = ICEIL(image_actual_size, page_size); 1100 1101 /* Create a local copy of the bl */ ** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main() ________________________________________________________________________________________________________ *** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main() 236 context.input_image_filename); 237 goto fail; 238 } 239 240 /* Get BCT_SIZE from input image file */ 241 bct_size = get_bct_size_from_image(&context); >>> CID 1353781: Control flow issues (NO_EFFECT) >>> This less-than-zero comparison of an unsigned value is never true. >>> "bct_size < 0U". 
242 if (bct_size < 0) { 243 printf("Error: Invalid input image file %s\n", 244 context.input_image_filename); 245 goto fail; 246 } 247 ** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares() ________________________________________________________________________________________________________ *** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares() 335 pspdir[4+4*i+2] = 1; 336 pspdir[4+4*i+3] = 0; 337 } else if (fw_table[i].filename != NULL) { 338 pspdir[4+4*i+0] = fw_table[i].type; 339 340 fd = open(fw_table[i].filename, O_RDONLY); >>> CID 1353028: Error handling issues (NEGATIVE_RETURNS) >>> "fd" is passed to a parameter that cannot be negative. [Note: The >>> source code implementation of the function has been overridden by a builtin >>> model.] 341 fstat(fd, &fd_stat); 342 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size; 343 344 pspdir[4+4*i+2] = pos + rom_base_address; 345 pspdir[4+4*i+3] = 0; 346 ** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares() ________________________________________________________________________________________________________ *** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares() 278 int i; 279 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1; 280 281 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) { 282 if (fw_table[i].filename != NULL) { 283 fd = open(fw_table[i].filename, O_RDONLY); >>> CID 1353027: Error handling issues (NEGATIVE_RETURNS) >>> "fd" is passed to a parameter that cannot be negative. [Note: The >>> source code implementation of the function has been overridden by a builtin >>> model.] 
284 fstat(fd, &fd_stat); 285 286 switch (fw_table[i].type) { 287 case AMD_FW_IMC: 288 pos = ALIGN(pos, 0x10000U); 289 romsig[1] = pos + rom_base_address; ** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main() ________________________________________________________________________________________________________ *** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main() 291 begin_update(&context); 292 /* Signing the bct. */ 293 e = sign_bct(&context, context.bct); 294 if (e != 0) 295 printf("Signing BCT failed, error: %d.\n", e); 296 >>> CID 1353022: Error handling issues (CHECKED_RETURN) >>> Calling "fwrite" without checking return value (as is done elsewhere 36 >>> out of 45 times). 297 fwrite(context.bct, 1, context.bct_size, 298 context.raw_file); 299 printf("New BCT file %s has been successfully generated!\n", 300 context.output_image_filename); 301 goto fail; 302 } ** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 355 in integrate_psp_firmwares() ________________________________________________________________________________________________________ *** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 355 in integrate_psp_firmwares() 349 " will not fit %s. Exiting.\n", 350 rom_size, fw_table[i].filename); 351 free(base); 352 exit(1); 353 } 354 >>> CID 1353021: Error handling issues (CHECKED_RETURN) >>> "read(int, void *, size_t)" returns the number of bytes read, but it is >>> ignored. 
355 read(fd, (void *)(base + pos), (size_t)fd_stat.st_size); 356 357 pos += fd_stat.st_size; 358 close(fd); 359 pos = ALIGN(pos, 0x100U); 360 } else { ** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares() ________________________________________________________________________________________________________ *** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares() 335 pspdir[4+4*i+2] = 1; 336 pspdir[4+4*i+3] = 0; 337 } else if (fw_table[i].filename != NULL) { 338 pspdir[4+4*i+0] = fw_table[i].type; 339 340 fd = open(fw_table[i].filename, O_RDONLY); >>> CID 1353020: Error handling issues (CHECKED_RETURN) >>> Calling "fstat(fd, &fd_stat)" without checking return value. This >>> library function may fail and return an error code. [Note: The source code >>> implementation of the function has been overridden by a builtin model.] 341 fstat(fd, &fd_stat); 342 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size; 343 344 pspdir[4+4*i+2] = pos + rom_base_address; 345 pspdir[4+4*i+3] = 0; 346 ** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 310 in integrate_firmwares() ________________________________________________________________________________________________________ *** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 310 in integrate_firmwares() 304 " will not fit %s. Exiting.\n", 305 rom_size, fw_table[i].filename); 306 free(base); 307 exit(1); 308 } 309 >>> CID 1353019: Error handling issues (CHECKED_RETURN) >>> "read(int, void *, size_t)" returns the number of bytes read, but it is >>> ignored. 
310 read(fd, (void *)(base + pos), (size_t)fd_stat.st_size); 311 312 pos += fd_stat.st_size; 313 close(fd); 314 pos = ALIGN(pos, 0x100U); 315 } ** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares() ________________________________________________________________________________________________________ *** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares() 278 int i; 279 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1; 280 281 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) { 282 if (fw_table[i].filename != NULL) { 283 fd = open(fw_table[i].filename, O_RDONLY); >>> CID 1353018: Error handling issues (CHECKED_RETURN) >>> Calling "fstat(fd, &fd_stat)" without checking return value. This >>> library function may fail and return an error code. [Note: The source code >>> implementation of the function has been overridden by a builtin model.] 284 fstat(fd, &fd_stat); 285 286 switch (fw_table[i].type) { 287 case AMD_FW_IMC: 288 pos = ALIGN(pos, 0x10000U); 289 romsig[1] = pos + rom_base_address; ** CID 1325840: Memory - illegal accesses (OVERRUN) /util/cbfstool/cbfs_image.c: 1406 in cbfs_print_entry_info() ________________________________________________________________________________________________________ *** CID 1325840: Memory - illegal accesses (OVERRUN) /util/cbfstool/cbfs_image.c: 1406 in cbfs_print_entry_info() 1400 while ((hash = cbfs_file_get_next_hash(entry, hash)) != NULL) { 1401 unsigned int hash_type = ntohl(hash->hash_type); 1402 if (hash_type > CBFS_NUM_SUPPORTED_HASHES) { 1403 fprintf(fp, "invalid hash type %d\n", hash_type); 1404 break; 1405 } >>> CID 1325840: Memory - illegal accesses (OVERRUN) >>> Overrunning array "widths_cbfs_hash" of 4 8-byte elements at element >>> index 4 (byte offset 32) using index "hash_type" (which evaluates to 4). [Reviewer note: this is an off-by-one in the range check at line 1402 — with `>`, hash_type == CBFS_NUM_SUPPORTED_HASHES (4) is accepted and then indexes the 4-element widths_cbfs_hash one past its end; the guard should be `if (hash_type >= CBFS_NUM_SUPPORTED_HASHES)`. Since hash_type is read from the hash attribute of the CBFS entry being printed, the out-of-range value is presumably controlled by whoever produced the image, so this should be treated as a real bounds check on untrusted input, not a cosmetic warning.] 
1406 size_t hash_len = widths_cbfs_hash[hash_type]; 1407 char *hash_str = bintohex(hash->hash_data, hash_len); 1408 uint8_t local_hash[hash_len]; 1409 if (vb2_digest_buffer(CBFS_SUBHEADER(entry), 1410 ntohl(entry->len), hash_type, local_hash, 1411 hash_len) != VB2_SUCCESS) { ** CID 1325836: Resource leaks (RESOURCE_LEAK) /util/cbfstool/cbfs_image.c: 1413 in cbfs_print_entry_info() ________________________________________________________________________________________________________ *** CID 1325836: Resource leaks (RESOURCE_LEAK) /util/cbfstool/cbfs_image.c: 1413 in cbfs_print_entry_info() 1407 char *hash_str = bintohex(hash->hash_data, hash_len); 1408 uint8_t local_hash[hash_len]; 1409 if (vb2_digest_buffer(CBFS_SUBHEADER(entry), 1410 ntohl(entry->len), hash_type, local_hash, 1411 hash_len) != VB2_SUCCESS) { 1412 fprintf(fp, "failed to hash '%s'\n", name); >>> CID 1325836: Resource leaks (RESOURCE_LEAK) >>> Variable "hash_str" going out of scope leaks the storage it points to. 1413 break; 1414 } 1415 int valid = memcmp(local_hash, hash->hash_data, hash_len) == 0; 1416 const char *valid_str = valid ? "valid" : "invalid"; 1417 1418 fprintf(fp, " hash %s:%s %s\n", ** CID 1323515: Error handling issues (CHECKED_RETURN) /util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage() ________________________________________________________________________________________________________ *** CID 1323515: Error handling issues (CHECKED_RETURN) /util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage() 106 } else { 107 return SBIUsage(); 108 } 109 --ac, ++av; 110 } 111 >>> CID 1323515: Error handling issues (CHECKED_RETURN) >>> Calling "stat(bl, &file_stat)" without checking return value. This >>> library function may fail and return an error code. [Note: The source code >>> implementation of the function has been overridden by a builtin model.] 
112 stat(bl, &file_stat); 113 filesize = file_stat.st_size + MIN_SIZE; 114 buf = calloc(sizeof(uint8_t), filesize); 115 116 if (buf == NULL) { 117 puts("Memory allocation error"); ** CID 1323512: Null pointer dereferences (FORWARD_NULL) /util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage() ________________________________________________________________________________________________________ *** CID 1323512: Null pointer dereferences (FORWARD_NULL) /util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage() 106 } else { 107 return SBIUsage(); 108 } 109 --ac, ++av; 110 } 111 >>> CID 1323512: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "bl" to "stat", which dereferences it. [Note: The >>> source code implementation of the function has been overridden by a builtin >>> model.] 112 stat(bl, &file_stat); 113 filesize = file_stat.st_size + MIN_SIZE; 114 buf = calloc(sizeof(uint8_t), filesize); 115 116 if (buf == NULL) { 117 puts("Memory allocation error"); ** CID 1323511: Null pointer dereferences (FORWARD_NULL) /util/broadcom/secimage/sbi.c: 80 in CreateSecureBootImage() ________________________________________________________________________________________________________ *** CID 1323511: Null pointer dereferences (FORWARD_NULL) /util/broadcom/secimage/sbi.c: 80 in CreateSecureBootImage() 74 * Purpose : 75 * Input : none 76 * Output : none 77 *---------------------------------------------------------------------*/ 78 int CreateSecureBootImage(int ac, char **av) 79 { >>> CID 1323511: Null pointer dereferences (FORWARD_NULL) >>> Assigning: "privkey" = "NULL". 
80 char *outfile, *configfile, *arg, *privkey = NULL, *bl = NULL; 81 int status = 0; 82 uint32_t sbiLen; 83 struct stat file_stat; 84 uint32_t add_header = 1; 85 outfile = *av; ** CID 1323510: Error handling issues (NEGATIVE_RETURNS) /util/broadcom/secimage/io.c: 81 in DataRead() ________________________________________________________________________________________________________ *** CID 1323510: Error handling issues (NEGATIVE_RETURNS) /util/broadcom/secimage/io.c: 81 in DataRead() 75 len = FileSizeGet(file); 76 if (len < *length) 77 *length = len; 78 else 79 /* Do not exceed the maximum length of the buffer */ 80 len = *length; >>> CID 1323510: Error handling issues (NEGATIVE_RETURNS) >>> "len" is passed to a parameter that cannot be negative. 81 if (fread((uint8_t *)buf, 1, len, file) != len) { 82 printf("Error reading data (%d bytes) from file: %s\n", 83 len, filename); 84 return -1; 85 } 86 fclose(file); ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5ZBKQPjLAs4fVKY6aHX2cyjJGGN2rKtDOoeFQFVv6St42gq8e-2Fc4KVFZnh9BtAalVwgbx4XC8NKNfMdE00-2BMF1gYJRpwjQdMWfBfeGls9ix6eL4VzQ3BHp9LwsJqhAOw6fHsmjC4ek-2FifR7pmyAWoGaELMES0wLiFBlBfNNQw6m2q3dD5p6tAQaivTLuIprVJs-3D To manage Coverity Scan email notifications for "coreboot@coreboot.org", click 