Hi,
Please find the latest report on new defect(s) introduced to coreboot found
with Coverity Scan.
34 new defect(s) introduced to coreboot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 34 defect(s)
** CID 1370577: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/cbfscomptool.c: 83 in benchmark()
________________________________________________________________________________________________________
*** CID 1370577: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/cbfscomptool.c: 83 in benchmark()
77
78 clock_gettime(CLOCK_MONOTONIC, &t_e);
79 printf("compressing %d bytes to %d took %ld seconds\n",
80 bufsize, outsize,
81 t_e.tv_sec - t_s.tv_sec);
82 }
>>> CID 1370577: Resource leaks (RESOURCE_LEAK)
>>> Variable "compressed_data" going out of scope leaks the storage it
>>> points to.
83 return 0;
84 }
85
86 int compress(char *infile, char *outfile, char *algoname)
87 {
88 int err = 1;
** CID 1370575: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/cbfscomptool.c: 83 in benchmark()
________________________________________________________________________________________________________
*** CID 1370575: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/cbfscomptool.c: 83 in benchmark()
77
78 clock_gettime(CLOCK_MONOTONIC, &t_e);
79 printf("compressing %d bytes to %d took %ld seconds\n",
80 bufsize, outsize,
81 t_e.tv_sec - t_s.tv_sec);
82 }
>>> CID 1370575: Resource leaks (RESOURCE_LEAK)
>>> Variable "data" going out of scope leaks the storage it points to.
83 return 0;
84 }
85
86 int compress(char *infile, char *outfile, char *algoname)
87 {
88 int err = 1;
** CID 1361275: (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
________________________________________________________________________________________________________
*** CID 1361275: (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 831 in parse_subpart_dir()
825 memcpy(hdr.name, data + offset, sizeof(hdr.name));
826 offset += sizeof(hdr.name);
827
828 validate_subpart_dir_without_checksum((struct subpart_dir
*)&hdr, name);
829
830 assert(size > subpart_dir_size(&hdr));
>>> CID 1361275: (TAINTED_SCALAR)
>>> Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
831 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart
Dir");
832 memcpy(buffer_get(subpart_dir_buf), &hdr,
SUBPART_DIR_HEADER_SIZE);
833
834 /* Read Subpart Dir entries. */
835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836 struct subpart_dir_entry *e = &subpart_dir->e[0];
/util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
832 memcpy(buffer_get(subpart_dir_buf), &hdr,
SUBPART_DIR_HEADER_SIZE);
833
834 /* Read Subpart Dir entries. */
835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836 struct subpart_dir_entry *e = &subpart_dir->e[0];
837 uint32_t i;
>>> CID 1361275: (TAINTED_SCALAR)
>>> Using tainted variable "hdr.num_entries" as a loop boundary.
838 for (i = 0; i < hdr.num_entries; i++) {
839 memcpy(e[i].name, data + offset, sizeof(e[i].name));
840 offset += sizeof(e[i].name);
841 offset = read_member(data, offset, sizeof(e[i].offset),
842 &e[i].offset);
843 offset = read_member(data, offset, sizeof(e[i].length),
** CID 1361274: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1361274: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 717 in alloc_bpdt_buffer()
711 {
712 struct bpdt_header bpdt_header;
713 assert((offset + BPDT_HEADER_SIZE) < size);
714 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name);
715
716 /* Buffer to read BPDT header and entries. */
>>> CID 1361274: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted
>>> sink.
717 alloc_buffer(b, get_bpdt_size(&bpdt_header), name);
718
719 struct bpdt *bpdt = buffer_get(b);
720 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE);
721
722 /*
** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
________________________________________________________________________________________________________
*** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
1294 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e,
1295 struct buffer *b, size_t offset)
1296 {
1297 memset(e, 0, sizeof(*e));
1298
1299 assert(strlen(b->name) <= sizeof(e->name));
>>> CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 12 bytes on destination
>>> array "e->name" of size 12 bytes might leave the destination string
>>> unterminated.
1300 strncpy((char *)e->name, (char *)b->name, sizeof(e->name));
1301 e->offset = offset;
1302 e->length = buffer_size(b);
1303
1304 return (offset + buffer_size(b));
1305 }
** CID 1353793: Resource leaks (RESOURCE_LEAK)
/util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
________________________________________________________________________________________________________
*** CID 1353793: Resource leaks (RESOURCE_LEAK)
/util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
1090
1091 if (read_from_image(context->input_image_filename,
1092 offset, bl_length,
1093 &image, &image_actual_size,
file_type_bin)) {
1094 printf("Error reading image file %s.\n",
1095 context->input_image_filename);
>>> CID 1353793: Resource leaks (RESOURCE_LEAK)
>>> Variable "image" going out of scope leaks the storage it points to.
1096 return -ENOMEM;
1097 }
1098
1099 pages_in_image = ICEIL(image_actual_size, page_size);
1100
1101 /* Create a local copy of the bl */
** CID 1353781: Control flow issues (NO_EFFECT)
/util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
________________________________________________________________________________________________________
*** CID 1353781: Control flow issues (NO_EFFECT)
/util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
236 context.input_image_filename);
237 goto fail;
238 }
239
240 /* Get BCT_SIZE from input image file */
241 bct_size = get_bct_size_from_image(&context);
>>> CID 1353781: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true.
>>> "bct_size < 0U".
242 if (bct_size < 0) {
243 printf("Error: Invalid input image file %s\n",
244 context.input_image_filename);
245 goto fail;
246 }
247
** CID 1353028: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353028: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
335 pspdir[4+4*i+2] = 1;
336 pspdir[4+4*i+3] = 0;
337 } else if (fw_table[i].filename != NULL) {
338 pspdir[4+4*i+0] = fw_table[i].type;
339
340 fd = open(fw_table[i].filename, O_RDONLY);
>>> CID 1353028: Error handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative. [Note: The
>>> source code implementation of the function has been overridden by a builtin
>>> model.]
341 fstat(fd, &fd_stat);
342 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size;
343
344 pspdir[4+4*i+2] = pos + rom_base_address;
345 pspdir[4+4*i+3] = 0;
346
** CID 1353027: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353027: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
278 int i;
279 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1;
280
281 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) {
282 if (fw_table[i].filename != NULL) {
283 fd = open(fw_table[i].filename, O_RDONLY);
>>> CID 1353027: Error handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative. [Note: The
>>> source code implementation of the function has been overridden by a builtin
>>> model.]
284 fstat(fd, &fd_stat);
285
286 switch (fw_table[i].type) {
287 case AMD_FW_IMC:
288 pos = ALIGN(pos, 0x10000U);
289 romsig[1] = pos + rom_base_address;
** CID 1353022: Error handling issues (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
________________________________________________________________________________________________________
*** CID 1353022: Error handling issues (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
291 begin_update(&context);
292 /* Signing the bct. */
293 e = sign_bct(&context, context.bct);
294 if (e != 0)
295 printf("Signing BCT failed, error: %d.\n", e);
296
>>> CID 1353022: Error handling issues (CHECKED_RETURN)
>>> Calling "fwrite" without checking return value (as is done elsewhere 38
>>> out of 47 times).
297 fwrite(context.bct, 1, context.bct_size,
298 context.raw_file);
299 printf("New BCT file %s has been successfully
generated!\n",
300 context.output_image_filename);
301 goto fail;
302 }
** CID 1353021: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 355 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353021: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 355 in integrate_psp_firmwares()
349 " will not fit %s. Exiting.\n",
350 rom_size, fw_table[i].filename);
351 free(base);
352 exit(1);
353 }
354
>>> CID 1353021: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is
>>> ignored.
355 read(fd, (void *)(base + pos),
(size_t)fd_stat.st_size);
356
357 pos += fd_stat.st_size;
358 close(fd);
359 pos = ALIGN(pos, 0x100U);
360 } else {
** CID 1353020: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353020: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
335 pspdir[4+4*i+2] = 1;
336 pspdir[4+4*i+3] = 0;
337 } else if (fw_table[i].filename != NULL) {
338 pspdir[4+4*i+0] = fw_table[i].type;
339
340 fd = open(fw_table[i].filename, O_RDONLY);
>>> CID 1353020: Error handling issues (CHECKED_RETURN)
>>> Calling "fstat(fd, &fd_stat)" without checking return value. This
>>> library function may fail and return an error code. [Note: The source code
>>> implementation of the function has been overridden by a builtin model.]
341 fstat(fd, &fd_stat);
342 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size;
343
344 pspdir[4+4*i+2] = pos + rom_base_address;
345 pspdir[4+4*i+3] = 0;
346
** CID 1353019: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 310 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353019: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 310 in integrate_firmwares()
304 " will not fit %s. Exiting.\n",
305 rom_size, fw_table[i].filename);
306 free(base);
307 exit(1);
308 }
309
>>> CID 1353019: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is
>>> ignored.
310 read(fd, (void *)(base + pos),
(size_t)fd_stat.st_size);
311
312 pos += fd_stat.st_size;
313 close(fd);
314 pos = ALIGN(pos, 0x100U);
315 }
** CID 1353018: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353018: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
278 int i;
279 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1;
280
281 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) {
282 if (fw_table[i].filename != NULL) {
283 fd = open(fw_table[i].filename, O_RDONLY);
>>> CID 1353018: Error handling issues (CHECKED_RETURN)
>>> Calling "fstat(fd, &fd_stat)" without checking return value. This
>>> library function may fail and return an error code. [Note: The source code
>>> implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat);
285
286 switch (fw_table[i].type) {
287 case AMD_FW_IMC:
288 pos = ALIGN(pos, 0x10000U);
289 romsig[1] = pos + rom_base_address;
** CID 1347335: (UNINIT)
/util/cbfstool/elfheaders.c: 999 in write_phdrs()
/util/cbfstool/elfheaders.c: 1001 in write_phdrs()
/util/cbfstool/elfheaders.c: 1002 in write_phdrs()
/util/cbfstool/elfheaders.c: 1003 in write_phdrs()
________________________________________________________________________________________________________
*** CID 1347335: (UNINIT)
/util/cbfstool/elfheaders.c: 999 in write_phdrs()
993 } else {
994 /* Accumulate file size and memsize. The
assumption
995 * is that each section is either NOBITS or full
996 * (sh_size == file size). This is standard in
that
997 * an ELF section doesn't have a file size
component. */
998 if (sec->shdr.sh_flags & SHF_EXECINSTR)
>>> CID 1347335: (UNINIT)
>>> Using uninitialized value "phdr.p_flags".
999 phdr.p_flags |= PF_X | PF_R;
1000 if (sec->shdr.sh_flags & SHF_WRITE)
1001 phdr.p_flags |= PF_W;
1002 phdr.p_filesz += buffer_size(&sec->content);
1003 phdr.p_memsz += sec->shdr.sh_size;
1004 }
/util/cbfstool/elfheaders.c: 1001 in write_phdrs()
995 * is that each section is either NOBITS or full
996 * (sh_size == file size). This is standard in
that
997 * an ELF section doesn't have a file size
component. */
998 if (sec->shdr.sh_flags & SHF_EXECINSTR)
999 phdr.p_flags |= PF_X | PF_R;
1000 if (sec->shdr.sh_flags & SHF_WRITE)
>>> CID 1347335: (UNINIT)
>>> Using uninitialized value "phdr.p_flags".
1001 phdr.p_flags |= PF_W;
1002 phdr.p_filesz += buffer_size(&sec->content);
1003 phdr.p_memsz += sec->shdr.sh_size;
1004 }
1005 }
1006
/util/cbfstool/elfheaders.c: 1002 in write_phdrs()
996 * (sh_size == file size). This is standard in
that
997 * an ELF section doesn't have a file size
component. */
998 if (sec->shdr.sh_flags & SHF_EXECINSTR)
999 phdr.p_flags |= PF_X | PF_R;
1000 if (sec->shdr.sh_flags & SHF_WRITE)
1001 phdr.p_flags |= PF_W;
>>> CID 1347335: (UNINIT)
>>> Using uninitialized value "phdr.p_filesz".
1002 phdr.p_filesz += buffer_size(&sec->content);
1003 phdr.p_memsz += sec->shdr.sh_size;
1004 }
1005 }
1006
1007 /* Write out the last phdr. */
/util/cbfstool/elfheaders.c: 1003 in write_phdrs()
997 * an ELF section doesn't have a file size
component. */
998 if (sec->shdr.sh_flags & SHF_EXECINSTR)
999 phdr.p_flags |= PF_X | PF_R;
1000 if (sec->shdr.sh_flags & SHF_WRITE)
1001 phdr.p_flags |= PF_W;
1002 phdr.p_filesz += buffer_size(&sec->content);
>>> CID 1347335: (UNINIT)
>>> Using uninitialized value "phdr.p_memsz".
1003 phdr.p_memsz += sec->shdr.sh_size;
1004 }
1005 }
1006
1007 /* Write out the last phdr. */
1008 if (num_needs_write != num_written) {
** CID 1302457: Control flow issues (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 485 in fmap_append_area_test()
________________________________________________________________________________________________________
*** CID 1302457: Control flow issues (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 485 in fmap_append_area_test()
479 if ((*fmap)->nareas != 1) {
480 printf("FAILURE: failed to increment number of
areas\n");
481 goto fmap_append_area_test_exit;
482 }
483
484 status = pass;
>>> CID 1302457: Control flow issues (MISSING_RESTORE)
>>> Jumped to here, skipping restore.
485 fmap_append_area_test_exit:
486 return status;
487 }
488
489 static int fmap_find_area_test(struct fmap *fmap)
490 {
** CID 1302456: Error handling issues (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
________________________________________________________________________________________________________
*** CID 1302456: Error handling issues (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
595 printf("FAILURE: bsearch returned false positive\n");
596 goto fmap_find_test_exit;
597 }
598
599 /* simple test case: fmap at (total_size / 2) + 1 */
600 offset = (total_size / 2) + 1;
>>> CID 1302456: Error handling issues (NEGATIVE_RETURNS)
>>> "fmap_size(fmap)" is passed to a parameter that cannot be negative.
>>> [Note: The source code implementation of the function has been overridden
>>> by a builtin model.]
601 memcpy(&buf[offset], fmap, fmap_size(fmap));
602
603 if ((unsigned)fmap_find(buf, total_size - 1) != offset) {
604 printf("FAILURE: lsearch failed to find fmap\n");
605 goto fmap_find_test_exit;
606 }
** CID 1302455: Null pointer dereferences (NULL_RETURNS)
/util/cbfstool/partitioned_file.c: 199 in partitioned_file_reopen()
________________________________________________________________________________________________________
*** CID 1302455: Null pointer dereferences (NULL_RETURNS)
/util/cbfstool/partitioned_file.c: 199 in partitioned_file_reopen()
193 partitioned_file_close(file);
194 return NULL;
195 }
196
197 const struct fmap_area *fmap_fmap_entry =
198 fmap_find_area(file->fmap,
SECTION_NAME_FMAP);
>>> CID 1302455: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing a null pointer "fmap_fmap_entry".
199 if ((long)fmap_fmap_entry->offset != fmap_region_offset) {
200 ERROR("FMAP's '%s' section doesn't point back to FMAP
start (did something corrupt this file?)\n",
201
SECTION_NAME_FMAP);
202 partitioned_file_close(file);
203 return NULL;
204 }
** CID 1302453: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________
*** CID 1302453: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560
561 status = pass;
562 fmap_flags_to_string_test_exit:
>>> CID 1302453: Resource leaks (RESOURCE_LEAK)
>>> Variable "my_str" going out of scope leaks the storage it points to.
563 return status;
564
565 }
566
567 static int fmap_find_test(struct fmap *fmap)
568 {
** CID 1302452: (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________
*** CID 1302452: (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560
561 status = pass;
562 fmap_flags_to_string_test_exit:
>>> CID 1302452: (RESOURCE_LEAK)
>>> Variable "str" going out of scope leaks the storage it points to.
563 return status;
564
565 }
566
567 static int fmap_find_test(struct fmap *fmap)
568 {
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560
561 status = pass;
562 fmap_flags_to_string_test_exit:
>>> CID 1302452: (RESOURCE_LEAK)
>>> Variable "str" going out of scope leaks the storage it points to.
563 return status;
564
565 }
566
567 static int fmap_find_test(struct fmap *fmap)
568 {
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5aIf0f9YvSC9EkfuNlr7Xb65rcILd7x3Fn5uy0rkNWyAHL5uki8v-2FvwBNJNxIATEAV2Pw4aVip7A1R6c5HnCBfHXSzwxrFMmGYnMd1vPbwIpItmxl4BEVkSnKmT6QqAkA2SsrdOslZoR-2BHEHjKkH1VEwfxN0c6wt6ApspHSD4KOry9Y0qn8qS-2BUW-2F4sXqRUKMQ-3D
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4e-2BpBzwOa5gzBZa9dWpDbzfofODnVj1enK2UkK0-2BgCCqyeem8IVKvTxSaOFkteZFcnohwvb2rnYNjswGryEWCURnUk6WHU42sbOmtOjD-2Bx5c-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5aIf0f9YvSC9EkfuNlr7Xb6oawH1tw2F1tsnbpoi3SMFtatFfVQkINUyRbImjlz3G5MQ2DSTvSr8F6uAcRClJdFGYGkOTTodfxA86EOp-2BsSulMo6wp9TYInOnyZUU9TGl9micWYOqsUGb9BX7x5hOoq5gBC9eSJKgN-2BN7XiOyHLRjdDOE5wW7FnFeo7ipt8xe0-3D
--
coreboot mailing list: coreboot@coreboot.org
https://www.coreboot.org/mailman/listinfo/coreboot
