Hi,

Please find the latest report on new defect(s) introduced to coreboot found 
with Coverity Scan.

6 new defect(s) introduced to coreboot found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in the 
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)


** CID 1401305:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/src/soc/qualcomm/common/qclib.c: 44 in qclib_add_if_table_entry()


________________________________________________________________________________________________________
*** CID 1401305:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/src/soc/qualcomm/common/qclib.c: 44 in qclib_add_if_table_entry()
38     void qclib_add_if_table_entry(const char *name, void *base,
39                              uint32_t size, uint32_t attrs)
40     {
41      struct qclib_cb_if_table_entry *te =
42              &qclib_cb_if_table.te[qclib_cb_if_table.num_entries++];
43      assert(qclib_cb_if_table.num_entries <= qclib_cb_if_table.max_entries);
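>>>     CID 1401305:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 24 bytes on destination 
>>> array "te->name" of size 24 bytes might leave the destination string 
>>> unterminated.
>>> (strncpy writes no terminating NUL when the source string is 24 bytes or 
>>> longer, so any later read that treats "te->name" as a C string could run 
>>> past the end of the array.)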
44      strncpy(te->name, name, sizeof(te->name));
45      te->blob_address = (uintptr_t)base;
46      te->size = size;
47      te->blob_attributes = attrs;
48     }
49     

** CID 1401304:  Control flow issues  (NO_EFFECT)
/3rdparty/vboot/firmware/2lib/2misc.c: 131 in vb2_init_context()


________________________________________________________________________________________________________
*** CID 1401304:  Control flow issues  (NO_EFFECT)
/3rdparty/vboot/firmware/2lib/2misc.c: 131 in vb2_init_context()
125              * initialized. */
126             if (ctx->workbuf_used) {
127                     if (sd->magic != VB2_SHARED_DATA_MAGIC)
128                             return VB2_ERROR_SHARED_DATA_MAGIC;
129     
130                     if (sd->struct_version_major != 
VB2_SHARED_DATA_VERSION_MAJOR ||
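>>>     CID 1401304:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. 
>>> "sd->struct_version_minor < 0".
>>> (The source line compares against VB2_SHARED_DATA_VERSION_MINOR, so the 
>>> macro presumably expands to 0 in the analyzed build.)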
131                         sd->struct_version_minor < 
VB2_SHARED_DATA_VERSION_MINOR)
132                             return VB2_ERROR_SHARED_DATA_VERSION;
133     
134                     return VB2_SUCCESS;
135             }
136     

** CID 1381814:    (BUFFER_SIZE)
/src/soc/intel/cannonlake/fsp_params.c: 281 in 
platform_fsp_silicon_init_params_cb()
/src/soc/intel/cannonlake/fsp_params.c: 283 in 
platform_fsp_silicon_init_params_cb()


________________________________________________________________________________________________________
*** CID 1381814:    (BUFFER_SIZE)
/src/soc/intel/cannonlake/fsp_params.c: 281 in 
platform_fsp_silicon_init_params_cb()
275     #endif
276             /* PCI Express */
277             for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278                     if (config->PcieClkSrcUsage[i] == 0)
279                             config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280             }
>>>     CID 1381814:    (BUFFER_SIZE)
>>>     You might overrun the 16 byte destination string 
>>> "params->PcieClkSrcUsage" by writing the maximum 24 bytes from 
>>> "config->PcieClkSrcUsage".
281             memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282                    sizeof(config->PcieClkSrcUsage));
283             memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284                    sizeof(config->PcieClkSrcClkReq));
285             memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286                    sizeof(config->PcieRpLtrEnable));
/src/soc/intel/cannonlake/fsp_params.c: 283 in 
platform_fsp_silicon_init_params_cb()
277             for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278                     if (config->PcieClkSrcUsage[i] == 0)
279                             config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280             }
281             memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282                    sizeof(config->PcieClkSrcUsage));
>>>     CID 1381814:    (BUFFER_SIZE)
>>>     You might overrun the 16 byte destination string 
>>> "params->PcieClkSrcClkReq" by writing the maximum 24 bytes from 
>>> "config->PcieClkSrcClkReq".
283             memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284                    sizeof(config->PcieClkSrcClkReq));
285             memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286                    sizeof(config->PcieRpLtrEnable));
287             memcpy(params->PcieRpHotPlug, config->PcieRpHotPlug,
288                    sizeof(config->PcieRpHotPlug));

** CID 1381813:  Memory - corruptions  (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 281 in 
platform_fsp_silicon_init_params_cb()


________________________________________________________________________________________________________
*** CID 1381813:  Memory - corruptions  (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 281 in 
platform_fsp_silicon_init_params_cb()
275     #endif
276             /* PCI Express */
277             for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278                     if (config->PcieClkSrcUsage[i] == 0)
279                             config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280             }
>>>     CID 1381813:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "params->PcieClkSrcUsage" of 16 bytes by passing it 
>>> to a function which accesses it at byte offset 23 using argument "24UL". 
>>> [Note: The source code implementation of the function has been overridden 
>>> by a builtin model.]
281             memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282                    sizeof(config->PcieClkSrcUsage));
283             memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284                    sizeof(config->PcieClkSrcClkReq));
285             memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286                    sizeof(config->PcieRpLtrEnable));

** CID 1381812:  Memory - corruptions  (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 283 in 
platform_fsp_silicon_init_params_cb()


________________________________________________________________________________________________________
*** CID 1381812:  Memory - corruptions  (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 283 in 
platform_fsp_silicon_init_params_cb()
277             for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278                     if (config->PcieClkSrcUsage[i] == 0)
279                             config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280             }
281             memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282                    sizeof(config->PcieClkSrcUsage));
>>>     CID 1381812:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "params->PcieClkSrcClkReq" of 16 bytes by passing it 
>>> to a function which accesses it at byte offset 23 using argument "24UL". 
>>> [Note: The source code implementation of the function has been overridden 
>>> by a builtin model.]
283             memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284                    sizeof(config->PcieClkSrcClkReq));
285             memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286                    sizeof(config->PcieRpLtrEnable));
287             memcpy(params->PcieRpHotPlug, config->PcieRpHotPlug,
288                    sizeof(config->PcieRpHotPlug));

** CID 1353342:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 1353342:    (OVERRUN)
/3rdparty/chromeec/common/pwm.c: 120 in cc_pwm_duty()
114             char *e;
115             char *raw;
116     
117             if (argc < 2) {
118                     ccprintf("PWM channels:\n");
119                     for (ch = 0; ch < PWM_CH_COUNT; ch++)
>>>     CID 1353342:    (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which 
>>> evaluates to 2) in call to "print_channel".
120                             print_channel(ch, max_duty);
121                     return EC_SUCCESS;
122             }
123     
124             ch = strtoi(argv[1], &e, 0);
125             if (*e || ch < 0 || ch >= PWM_CH_COUNT)
/3rdparty/chromeec/common/pwm.c: 148 in cc_pwm_duty()
142                             return EC_ERROR_PARAM2;
143                     } else if (value < 0) {
144                             /* Negative = disable */
145                             pwm_enable(ch, 0);
146                     } else {
147                             ccprintf("Setting channel %d to %d\n", ch, 
value);
>>>     CID 1353342:    (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which 
>>> evaluates to 2) in call to "pwm_enable".
148                             pwm_enable(ch, 1);
149                             (max_duty == 100) ? pwm_set_duty(ch, value) :
150                                     pwm_set_raw_duty(ch, value);
151                     }
152             }
153     
/3rdparty/chromeec/common/pwm.c: 149 in cc_pwm_duty()
143                     } else if (value < 0) {
144                             /* Negative = disable */
145                             pwm_enable(ch, 0);
146                     } else {
147                             ccprintf("Setting channel %d to %d\n", ch, 
value);
148                             pwm_enable(ch, 1);
>>>     CID 1353342:    (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which 
>>> evaluates to 2) in call to "pwm_set_raw_duty".
149                             (max_duty == 100) ? pwm_set_duty(ch, value) :
150                                     pwm_set_raw_duty(ch, value);
151                     }
152             }
153     
154             print_channel(ch, max_duty);
/3rdparty/chromeec/common/pwm.c: 154 in cc_pwm_duty()
148                             pwm_enable(ch, 1);
149                             (max_duty == 100) ? pwm_set_duty(ch, value) :
150                                     pwm_set_raw_duty(ch, value);
151                     }
152             }
153     
>>>     CID 1353342:    (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which 
>>> evaluates to 2) in call to "print_channel".
154             print_channel(ch, max_duty);
155     
156             return EC_SUCCESS;
157     }
158     DECLARE_CONSOLE_COMMAND(pwmduty, cc_pwm_duty,
159                             "[channel [<percent> | -1=disable] | [raw 
<value>]]",


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit:
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvaU4HClancRgJSp1vcdHRWU-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5ZD4wjpWRrfm0oxUomQ8C6yuM2iLq6-2Fy-2F6ZPOm8NbGh4KVkQBWHH-2FC4-2B-2BATpqhZ5M9cyrfUYZEb8a9YBe-2FKAQwcVG9518Ap-2FOVn5-2FayhTSmSabjQY4WCDDevR1HfGkWGyarvKdASLDBz2rOMi16xNWNHxBm34u7DZEBOSXYcBgkW7-2BR35iqNMxUUMeE3w3Nf-2Bc-3D