Hi,

Please find the latest report on new defect(s) introduced to coreboot found 
with Coverity Scan.

24 new defect(s) introduced to coreboot found with Coverity Scan.
14 defect(s), reported by Coverity Scan earlier, were marked fixed in the 
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 24 defect(s)


** CID 1383919:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/partitioned_file.c: 201 in partitioned_file_reopen()


________________________________________________________________________________________________________
*** CID 1383919:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/partitioned_file.c: 201 in partitioned_file_reopen()
195             }
196     
197             const struct fmap_area *fmap_fmap_entry =
198                                     fmap_find_area(file->fmap, 
SECTION_NAME_FMAP);
199     
200             if (!fmap_fmap_entry)
>>>     CID 1383919:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "file" going out of scope leaks the storage it points to.
>>>     Reviewer note: the early "return NULL" at 201 drops "file" without releasing it, whereas the sibling error path at 206 calls partitioned_file_close(file) before returning; releasing it the same way before this return closes the leak.
201                     return NULL;
202     
203             if ((long)fmap_fmap_entry->offset != fmap_region_offset) {
204                     ERROR("FMAP's '%s' section doesn't point back to FMAP 
start (did something corrupt this file?)\n",
205                                                             
SECTION_NAME_FMAP);
206                     partitioned_file_close(file);

** CID 1361275:    (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 839 in parse_subpart_dir()


________________________________________________________________________________________________________
*** CID 1361275:    (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 832 in parse_subpart_dir()
826             memcpy(hdr.name, data + offset, sizeof(hdr.name));
827             offset += sizeof(hdr.name);
828     
829             validate_subpart_dir_without_checksum((struct subpart_dir 
*)&hdr, name);
830     
831             assert(size > subpart_dir_size(&hdr));
>>>     CID 1361275:    (TAINTED_SCALAR)
>>>     Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
>>>     Reviewer note: the only visible bound on this header-derived size is the assert() at 831. assert() is compiled out under NDEBUG, so in a release build an image carrying an oversized header reaches alloc_buffer() unchecked; an explicit runtime check that rejects the image with an error is needed if the input is not trusted.
832             alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart 
Dir");
833             memcpy(buffer_get(subpart_dir_buf), &hdr, 
SUBPART_DIR_HEADER_SIZE);
834     
835             /* Read Subpart Dir entries. */
836             struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
837             struct subpart_dir_entry *e = &subpart_dir->e[0];
/util/cbfstool/ifwitool.c: 839 in parse_subpart_dir()
833             memcpy(buffer_get(subpart_dir_buf), &hdr, 
SUBPART_DIR_HEADER_SIZE);
834     
835             /* Read Subpart Dir entries. */
836             struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
837             struct subpart_dir_entry *e = &subpart_dir->e[0];
838             uint32_t i;
>>>     CID 1361275:    (TAINTED_SCALAR)
>>>     Using tainted variable "hdr.num_entries" as a loop boundary.
>>>     Reviewer note: each iteration copies from data + offset (840-844) and no comparison of offset against the input size is visible inside the loop. Unless the assert at 831 already bounds num_entries through subpart_dir_size() (and that assert is absent under NDEBUG), an oversized count reads past the input buffer — verify against the definition of subpart_dir_size().
839             for (i = 0; i < hdr.num_entries; i++) {
840                     memcpy(e[i].name, data + offset, sizeof(e[i].name));
841                     offset += sizeof(e[i].name);
842                     offset = read_member(data, offset, sizeof(e[i].offset),
843                                          &e[i].offset);
844                     offset = read_member(data, offset, sizeof(e[i].length),

** CID 1361274:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1361274:  Insecure data handling  (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 718 in alloc_bpdt_buffer()
712     {
713             struct bpdt_header bpdt_header;
714             assert((offset + BPDT_HEADER_SIZE) < size);
715             bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name);
716     
717             /* Buffer to read BPDT header and entries. */
>>>     CID 1361274:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
>>>     Reviewer note: the assert() at 714 bounds only the header read, not the size get_bpdt_size() derives from the header fields, and being an assert() it disappears under NDEBUG as well. A release build therefore passes whatever size the image specifies to alloc_buffer(); a runtime check that fails cleanly is needed for untrusted input.
718             alloc_buffer(b, get_bpdt_size(&bpdt_header), name);
719     
720             struct bpdt *bpdt = buffer_get(b);
721             memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE);
722     
723             /*

** CID 1361253:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1301 in init_subpart_dir_entry()


________________________________________________________________________________________________________
*** CID 1361253:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1301 in init_subpart_dir_entry()
1295     static size_t init_subpart_dir_entry(struct subpart_dir_entry *e,
1296                                         struct buffer *b, size_t offset)
1297     {
1298            memset(e, 0, sizeof(*e));
1299     
1300            assert(strlen(b->name) <= sizeof(e->name));
>>>     CID 1361253:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 12 bytes on destination array "e->name" of size 12 bytes might leave the destination string unterminated.
>>>     Reviewer note: the assert at 1300 deliberately admits strlen(b->name) == sizeof(e->name), so a 12-character name fills e->name with no NUL. If e->name is a fixed-width field of the on-disk entry (which the zero-padding strncpy provides would suit), this is intended and the finding is benign, but e->name must then never be read with strlen() or "%s"; if it must be a C string, the assert should be "<" and termination cannot be left to strncpy. In either case an assert() is not an input check in NDEBUG builds.
1301            strncpy((char *)e->name, (char *)b->name, sizeof(e->name));
1302            e->offset = offset;
1303            e->length = buffer_size(b);
1304     
1305            return (offset + buffer_size(b));
1306     }

** CID 1353022:  Error handling issues  (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()


________________________________________________________________________________________________________
*** CID 1353022:  Error handling issues  (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
291                     begin_update(&context);
292                     /* Signing the bct. */
293                     e = sign_bct(&context, context.bct);
294                     if (e != 0) 
295                             printf("Signing BCT failed, error: %d.\n", e);
296     
>>>     CID 1353022:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "fwrite" without checking return value (as is done elsewhere 39 out of 48 times).
>>>     Reviewer note: the surrounding code also carries on after sign_bct() fails (294-295 only print the error), so the BCT is written and "has been successfully generated" is printed even when signing failed or fwrite() wrote fewer than bct_size bytes. Both results should be checked, with the write and the success message skipped on error.
297                     fwrite(context.bct, 1, context.bct_size,
298                             context.raw_file);
299                     printf("New BCT file %s has been successfully 
generated!\n",
300                             context.output_image_filename);
301                     goto fail;
302             }

** CID 1353020:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 372 in integrate_psp_firmwares()


________________________________________________________________________________________________________
*** CID 1353020:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 372 in integrate_psp_firmwares()
366                             fd = open(fw_table[i].filename, O_RDONLY);
367                             if (fd < 0) {
368                                     printf("Error: %s\n", strerror(errno));
369                                     free(base);
370                                     exit(1);
371                             }
>>>     CID 1353020:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
>>>     Reviewer note: if fstat() fails, whatever fd_stat.st_size happens to hold is recorded at 373 as the firmware length in pspdir. The open() failure just above already prints strerror(errno), frees base and exits; a failed fstat() should take the same path.
372                             fstat(fd, &fd_stat);
373                             pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size;
374     
375                             pspdir[4+4*i+2] = pos + rom_base_address;
376                             pspdir[4+4*i+3] = 0;
377     

** CID 1353018:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 301 in integrate_firmwares()


________________________________________________________________________________________________________
*** CID 1353018:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 301 in integrate_firmwares()
295                             fd = open(fw_table[i].filename, O_RDONLY);
296                             if (fd < 0) {
297                                     printf("Error: %s\n", strerror(errno));
298                                     free(base);
299                                     exit(1);
300                             }
>>>     CID 1353018:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
>>>     Reviewer note: any later use of fd_stat reads whatever the struct happened to hold when fstat() fails. The open() failure at 296-300 already prints strerror(errno), frees base and exits; a failed fstat() should be handled the same way.
301                             fstat(fd, &fd_stat);
302     
303                             switch (fw_table[i].type) {
304                             case AMD_FW_IMC:
305                                     pos = ALIGN(pos, 0x10000U);
306                                     romsig[1] = pos + rom_base_address;

** CID 1347335:    (UNINIT)
/util/cbfstool/elfheaders.c: 1000 in write_phdrs()
/util/cbfstool/elfheaders.c: 1002 in write_phdrs()
/util/cbfstool/elfheaders.c: 1003 in write_phdrs()
/util/cbfstool/elfheaders.c: 1004 in write_phdrs()


________________________________________________________________________________________________________
*** CID 1347335:    (UNINIT)
/util/cbfstool/elfheaders.c: 1000 in write_phdrs()
994                     } else {
995                             /* Accumulate file size and memsize. The 
assumption
996                              * is that each section is either NOBITS or full
997                              * (sh_size == file size). This is standard in 
that
998                              * an ELF section doesn't have a file size 
component. */
999                             if (sec->shdr.sh_flags & SHF_EXECINSTR)
>>>     CID 1347335:    (UNINIT)
>>>     Using uninitialized value "phdr.p_flags".
>>>     Reviewer note: the declaration of phdr is outside this excerpt, but every access in 1000-1004 (|= and +=) reads the field's previous value, so p_flags, p_filesz and p_memsz must be zeroed (e.g. memset(&phdr, 0, sizeof(phdr))) wherever a new program header is begun, before this accumulation; the three further locations Coverity lists under this CID share that root cause.
1000                                    phdr.p_flags |= PF_X | PF_R;
1001                            if (sec->shdr.sh_flags & SHF_WRITE)
1002                                    phdr.p_flags |= PF_W;
1003                            phdr.p_filesz += buffer_size(&sec->content);
1004                            phdr.p_memsz += sec->shdr.sh_size;
1005                    }
/util/cbfstool/elfheaders.c: 1002 in write_phdrs()
996                              * is that each section is either NOBITS or full
997                              * (sh_size == file size). This is standard in 
that
998                              * an ELF section doesn't have a file size 
component. */
999                             if (sec->shdr.sh_flags & SHF_EXECINSTR)
1000                                    phdr.p_flags |= PF_X | PF_R;
1001                            if (sec->shdr.sh_flags & SHF_WRITE)
>>>     CID 1347335:    (UNINIT)
>>>     Using uninitialized value "phdr.p_flags".
1002                                    phdr.p_flags |= PF_W;
1003                            phdr.p_filesz += buffer_size(&sec->content);
1004                            phdr.p_memsz += sec->shdr.sh_size;
1005                    }
1006            }
1007     
/util/cbfstool/elfheaders.c: 1003 in write_phdrs()
997                              * (sh_size == file size). This is standard in 
that
998                              * an ELF section doesn't have a file size 
component. */
999                             if (sec->shdr.sh_flags & SHF_EXECINSTR)
1000                                    phdr.p_flags |= PF_X | PF_R;
1001                            if (sec->shdr.sh_flags & SHF_WRITE)
1002                                    phdr.p_flags |= PF_W;
>>>     CID 1347335:    (UNINIT)
>>>     Using uninitialized value "phdr.p_filesz".
1003                            phdr.p_filesz += buffer_size(&sec->content);
1004                            phdr.p_memsz += sec->shdr.sh_size;
1005                    }
1006            }
1007     
1008            /* Write out the last phdr. */
/util/cbfstool/elfheaders.c: 1004 in write_phdrs()
998                              * an ELF section doesn't have a file size 
component. */
999                             if (sec->shdr.sh_flags & SHF_EXECINSTR)
1000                                    phdr.p_flags |= PF_X | PF_R;
1001                            if (sec->shdr.sh_flags & SHF_WRITE)
1002                                    phdr.p_flags |= PF_W;
1003                            phdr.p_filesz += buffer_size(&sec->content);
>>>     CID 1347335:    (UNINIT)
>>>     Using uninitialized value "phdr.p_memsz".
1004                            phdr.p_memsz += sec->shdr.sh_size;
1005                    }
1006            }
1007     
1008            /* Write out the last phdr. */
1009            if (num_needs_write != num_written) {

** CID 1302457:  Control flow issues  (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 486 in fmap_append_area_test()


________________________________________________________________________________________________________
*** CID 1302457:  Control flow issues  (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 486 in fmap_append_area_test()
480                     printf("FAILURE: failed to increment number of 
areas\n");
481                     goto fmap_append_area_test_exit;
482             }
483     
484             status = pass;
485     fmap_append_area_test_exit:
>>>     CID 1302457:  Control flow issues  (MISSING_RESTORE)
>>>     Value of non-local "(*fmap)->nareas" that was saved in "nareas_orig" is 
>>> not restored as it was along other paths.
486             return status;
487     }
488     
489     static int fmap_find_area_test(struct fmap *fmap)
490     {
491             status = fail;

** CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()


________________________________________________________________________________________________________
*** CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
595                     printf("FAILURE: bsearch returned false positive\n");
596                     goto fmap_find_test_exit;
597             }
598     
599             /* simple test case: fmap at (total_size / 2) + 1 */
600             offset = (total_size / 2) + 1;
>>>     CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "fmap_size(fmap)" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
>>>     Reviewer note: if fmap_size() can return a negative error value, as the finding implies, converting it to memcpy's size_t length turns it into a huge copy; this is test code, but the result should still be checked (and the test failed) before the copy at 601.
601             memcpy(&buf[offset], fmap, fmap_size(fmap));
602     
603             if ((unsigned)fmap_find(buf, total_size - 1) != offset) {
604                     printf("FAILURE: lsearch failed to find fmap\n");
605                     goto fmap_find_test_exit;
606             }

** CID 1302453:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()


________________________________________________________________________________________________________
*** CID 1302453:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557             }
558             free(my_str);
559             free(str);
560     
561             status = pass;
562     fmap_flags_to_string_test_exit:
>>>     CID 1302453:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "my_str" going out of scope leaks the storage it points to.
>>>     Reviewer note: the free() calls at 558-559 sit before the fmap_flags_to_string_test_exit label, so any failure path that jumps to the label skips them. Moving both frees after the label (with my_str and str initialised to NULL at declaration so an early exit frees nothing) fixes this CID and CID 1302452 together.
563             return status;
564     
565     }
566     
567     static int fmap_find_test(struct fmap *fmap)
568     {

** CID 1302452:    (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()


________________________________________________________________________________________________________
*** CID 1302452:    (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557             }
558             free(my_str);
559             free(str);
560     
561             status = pass;
562     fmap_flags_to_string_test_exit:
>>>     CID 1302452:    (RESOURCE_LEAK)
>>>     Variable "str" going out of scope leaks the storage it points to.
563             return status;
564     
565     }
566     
567     static int fmap_find_test(struct fmap *fmap)
568     {
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557             }
558             free(my_str);
559             free(str);
560     
561             status = pass;
562     fmap_flags_to_string_test_exit:
>>>     CID 1302452:    (RESOURCE_LEAK)
>>>     Variable "str" going out of scope leaks the storage it points to.
563             return status;
564     
565     }
566     
567     static int fmap_find_test(struct fmap *fmap)
568     {

** CID 1302451:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 240 in fmap_print()


________________________________________________________________________________________________________
*** CID 1302451:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 240 in fmap_print()
234                     kv_pair_fmt(pair, "area_flags_raw", "0x%02x",
235                                     fmap->areas[i].flags);
236     
237                     /* Print descriptive strings for flags rather than the 
field */
238                     flags = fmap->areas[i].flags;
239                     if ((str = fmap_flags_to_string(flags)) == NULL)
>>>     CID 1302451:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "pair" going out of scope leaks the storage it points to.
>>>     Reviewer note: the normal path releases pair with kv_pair_free(pair) at 245; the early "return -1" at 240 should call it first.
240                             return -1;
241                     kv_pair_fmt(pair, "area_flags", "%s", str);
242                     free(str);
243     
244                     kv_pair_print(pair);
245                     kv_pair_free(pair);

** CID 1241790:  Insecure data handling  (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip()


________________________________________________________________________________________________________
*** CID 1241790:  Insecure data handling  (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip()
647     static void Bt2_MatchFinder_Skip(struct CMatchFinder *p, uint32_t num)
648     {
649       do
650       {
651         SKIP_HEADER(2)
652         HASH2_CALC;
>>>     CID 1241790:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "hashValue" as an index to pointer "p->hash".
>>>     Reviewer note: whether this index is bounded depends on HASH2_CALC and on how p->hash is allocated, both outside this excerpt. If the 2-byte hash is computed so that every possible value lies within the allocated table, this and CID 1241788 are false positives and should be marked as such with that justification; if it is not, the store at 654 is an out-of-bounds write on attacker-chosen input.
653         curMatch = p->hash[hashValue];
654         p->hash[hashValue] = p->pos;
655         SKIP_FOOTER
656       }
657       while (--num != 0);
658     }

** CID 1241788:  Insecure data handling  (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches()


________________________________________________________________________________________________________
*** CID 1241788:  Insecure data handling  (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches()
483     
484     static uint32_t Bt2_MatchFinder_GetMatches(struct CMatchFinder *p, 
uint32_t *distances)
485     {
486       uint32_t offset;
487       GET_MATCHES_HEADER(2)
488       HASH2_CALC;
>>>     CID 1241788:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "hashValue" as an index to pointer "p->hash".
489       curMatch = p->hash[hashValue];
490       p->hash[hashValue] = p->pos;
491       offset = 0;
492       GET_MATCHES_FOOTER(offset, 1)
493     }
494     

** CID 1229710:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()


________________________________________________________________________________________________________
*** CID 1229710:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()
259             ehdr = &pelf->ehdr;
260             /* cons up an input buffer for the headers.
261              * Note that the program headers can be anywhere,
262              * per the ELF spec, You'd be surprised how many ELF
263              * readers miss this little detail.
264              */
>>>     CID 1229710:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ehdr->e_phentsize" with type "Elf64_Half" (16 bits, unsigned) is promoted in "ehdr->e_phentsize * ehdr->e_phnum" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ehdr->e_phentsize * ehdr->e_phnum" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>>     Reviewer note: both operands are 16-bit header fields, so the product can reach 0xFFFE0001, above INT_MAX. For a crafted ELF this is signed integer overflow (undefined behaviour), not merely an unexpected sign extension, and it happens before check_size() at 266 can reject the headers. Casting one operand first, (size_t)ehdr->e_phentsize * ehdr->e_phnum, removes this finding and CID 1229709 (the same expression).
265             buffer_splice(&b, in, ehdr->e_phoff, ehdr->e_phentsize * 
ehdr->e_phnum);
266             if (check_size(in, ehdr->e_phoff, buffer_size(&b), "program 
headers"))
267                     return -1;
268     
269             /* gather up all the phdrs.
270              * We do them all at once because there is more

** CID 1229709:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()


________________________________________________________________________________________________________
*** CID 1229709:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()
259             ehdr = &pelf->ehdr;
260             /* cons up an input buffer for the headers.
261              * Note that the program headers can be anywhere,
262              * per the ELF spec, You'd be surprised how many ELF
263              * readers miss this little detail.
264              */
>>>     CID 1229709:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ehdr->e_phnum" with type 
>>> "Elf64_Half" (16 bits, unsigned) is promoted in "ehdr->e_phentsize * 
>>> ehdr->e_phnum" to type "int" (32 bits, signed), then sign-extended to type 
>>> "unsigned long" (64 bits, unsigned).  If "ehdr->e_phentsize * 
>>> ehdr->e_phnum" is greater than 0x7FFFFFFF, the upper bits of the result 
>>> will all be 1.
265             buffer_splice(&b, in, ehdr->e_phoff, ehdr->e_phentsize * 
ehdr->e_phnum);
266             if (check_size(in, ehdr->e_phoff, buffer_size(&b), "program 
headers"))
267                     return -1;
268     
269             /* gather up all the phdrs.
270              * We do them all at once because there is more

** CID 1229708:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()


________________________________________________________________________________________________________
*** CID 1229708:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()
301     
302             /* cons up an input buffer for the section headers.
303              * Note that the section headers can be anywhere,
304              * per the ELF spec, You'd be surprised how many ELF
305              * readers miss this little detail.
306              */
>>>     CID 1229708:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ehdr->e_shentsize" with type "Elf64_Half" (16 bits, unsigned) is promoted in "ehdr->e_shentsize * ehdr->e_shnum" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ehdr->e_shentsize * ehdr->e_shnum" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>>     Reviewer note: as with the program headers, two 16-bit fields multiplied in int can reach 0xFFFE0001 and overflow (undefined behaviour) before check_size() at 308 runs; casting one operand to size_t before the multiply fixes this and CID 1229707 (the same expression).
307             buffer_splice(&b, in, ehdr->e_shoff, ehdr->e_shentsize * 
ehdr->e_shnum);
308             if (check_size(in, ehdr->e_shoff, buffer_size(&b), "section 
headers"))
309                     return -1;
310     
311             /* gather up all the shdrs. */
312             shdr = calloc(ehdr->e_shnum, sizeof(*shdr));

** CID 1229707:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()


________________________________________________________________________________________________________
*** CID 1229707:  Integer handling issues  (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()
301     
302             /* cons up an input buffer for the section headers.
303              * Note that the section headers can be anywhere,
304              * per the ELF spec, You'd be surprised how many ELF
305              * readers miss this little detail.
306              */
>>>     CID 1229707:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ehdr->e_shnum" with type 
>>> "Elf64_Half" (16 bits, unsigned) is promoted in "ehdr->e_shentsize * 
>>> ehdr->e_shnum" to type "int" (32 bits, signed), then sign-extended to type 
>>> "unsigned long" (64 bits, unsigned).  If "ehdr->e_shentsize * 
>>> ehdr->e_shnum" is greater than 0x7FFFFFFF, the upper bits of the result 
>>> will all be 1.
307             buffer_splice(&b, in, ehdr->e_shoff, ehdr->e_shentsize * 
ehdr->e_shnum);
308             if (check_size(in, ehdr->e_shoff, buffer_size(&b), "section 
headers"))
309                     return -1;
310     
311             /* gather up all the shdrs. */
312             shdr = calloc(ehdr->e_shnum, sizeof(*shdr));

** CID 1229706:    (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 1181 in elf_writer_serialize()
/util/cbfstool/elfheaders.c: 1204 in elf_writer_serialize()


________________________________________________________________________________________________________
*** CID 1229706:    (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 1181 in elf_writer_serialize()
1175                    }
1176            }
1177            ew->ehdr.e_shnum = ew->num_secs;
1178            metadata_size = 0;
1179            metadata_size += ew->ehdr.e_ehsize;
1180            metadata_size += ew->ehdr.e_shnum * ew->ehdr.e_shentsize;
>>>     CID 1229706:    (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ew->ehdr.e_phentsize" with type "Elf64_Half" (16 bits, unsigned) is promoted in "ew->ehdr.e_phnum * ew->ehdr.e_phentsize" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  If "ew->ehdr.e_phnum * ew->ehdr.e_phentsize" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>>     Reviewer note: same arithmetic as CIDs 1229710 and 1229708, but the operands here appear to be the writer's own header fields (cf. e_shnum set from ew->num_secs at 1177) rather than values parsed from an input file, so it is reachable only with an implausible number of program headers; the same size_t cast on one operand, here and at 1204, is still the cheap fix.
1181            metadata_size += ew->ehdr.e_phnum * ew->ehdr.e_phentsize;
1182            shstroffset = metadata_size;
1183            /* Align up section header string size and metadata size to 
4KiB */
1184            metadata_size = ALIGN(metadata_size + shstrlen, 4096);
1185     
1186            if (buffer_create(out, metadata_size + program_size, "elfout")) 
{
/util/cbfstool/elfheaders.c: 1204 in elf_writer_serialize()
1198            ew->ehdr.e_shoff = ew->ehdr.e_ehsize;
1199            ew->ehdr.e_phoff = ew->ehdr.e_shoff +
1200                               ew->ehdr.e_shnum * ew->ehdr.e_shentsize;
1201     
1202            buffer_splice(&metadata, out, 0, metadata_size);
1203            buffer_splice(&phdrs, out, ew->ehdr.e_phoff,
>>>     CID 1229706:    (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "ew->ehdr.e_phentsize" with type 
>>> "Elf64_Half" (16 bits, unsigned) is promoted in "ew->ehdr.e_phnum * 
>>> ew->ehdr.e_phentsize" to type "int" (32 bits, signed), then sign-extended 
>>> to type "unsigned long" (64 bits, unsigned).  If "ew->ehdr.e_phnum * 
>>> ew->ehdr.e_phentsize" is greater than 0x7FFFFFFF, the upper bits of the 
>>> result will all be 1.
1204                          ew->ehdr.e_phnum * ew->ehdr.e_phentsize);
1205            buffer_splice(&data, out, metadata_size, program_size);
1206            /* Set up the section header string table contents. */
1207            strtab = &ew->shstrtab_sec->content;
1208            buffer_splice(strtab, out, shstroffset, shstrlen);
1209            ew->shstrtab_sec->shdr.sh_size = shstrlen;


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit the tracked link below (note that it is a SendGrid click-tracking redirect rather than a direct scan.coverity.com URL; check where it resolves before following it):
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5YlaIoZ9FRM1ZQOliQrFonPEjZsIkM-2FsFb9jFb5BkaQ4DqJaxXXFNPPbidAF0E5gb1vH-2ButoNvJ1M3jxRiRaerw4mHvzWzRmTERKl5pzKEVJo-2Feh8L69CGDIgbcoYwZHDQbiwSqLiM-2BftqiOXy42xFIIEuEt37-2FT7g11msUdFgp-2FkMDG9tEWUq-2BhTcaLt-2FtCNI-3D

