Hi,

Please find the latest report on new defect(s) introduced to coreboot found 
with Coverity Scan.

12 new defect(s) introduced to coreboot found with Coverity Scan.
9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent 
build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)


** CID 1404005:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset()


________________________________________________________________________________________________________
*** CID 1404005:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset()
73     
74     /* Note: must be called with fifo->qlock held */
75     static inline void __sbi_fifo_reset(struct sbi_fifo *fifo)
76     {
77      fifo->avail = 0;
78      fifo->tail  = 0;
>>>     CID 1404005:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "fifo->entry_size" with type "u16" 
>>> (16 bits, unsigned) is promoted in "fifo->num_entries * fifo->entry_size" 
>>> to type "int" (32 bits, signed), then sign-extended to type "unsigned long" 
>>> (64 bits, unsigned).  If "fifo->num_entries * fifo->entry_size" is greater 
>>> than 0x7FFFFFFF, the upper bits of the result will all be 1.
>>> (Two u16 operands can multiply to as much as 0xFFFE0001, so the product can 
>>> also overflow "int" itself before any extension happens, which is undefined 
>>> behaviour. Widening one operand before the multiply, e.g. 
>>> "(unsigned long)fifo->num_entries * fifo->entry_size", addresses both this 
>>> finding and CID 1404002, which reports the other operand of the same line.)
79      sbi_memset(fifo->queue, 0, fifo->num_entries * fifo->entry_size);
80     }
81     
82     bool sbi_fifo_reset(struct sbi_fifo *fifo)
83     {
84      if (!fifo)

** CID 1404004:  Control flow issues  (NO_EFFECT)
/3rdparty/opensbi/lib/utils/irqchip/plic.c: 57 in plic_fdt_fixup()


________________________________________________________________________________________________________
*** CID 1404004:  Control flow issues  (NO_EFFECT)
/3rdparty/opensbi/lib/utils/irqchip/plic.c: 57 in plic_fdt_fixup()
51     {
52      u32 *cells;
53      int i, cells_count;
54      u32 plic_off;
55     
56      plic_off = fdt_node_offset_by_compatible(fdt, 0, compat);
>>>     CID 1404004:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. 
>>> "plic_off < 0U". (fdt_node_offset_by_compatible presumably signals failure 
>>> with a negative int; storing its result in the u32 "plic_off" discards the 
>>> sign, so the early return is unreachable and a lookup failure falls through 
>>> to fdt_getprop with an error code as the node offset. Keeping the result 
>>> in an "int" until after the check makes the error path effective.)
57      if (plic_off < 0)
58              return;
59     
60      cells = (u32 *)fdt_getprop(fdt, plic_off,
61                                 "interrupts-extended", &cells_count);
62      if (!cells)

** CID 1404003:  Memory - corruptions  (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1404003:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/3rdparty/opensbi/lib/sbi/riscv_atomic.c: 221 in atomic_clear_bit()
215     {
216             return atomic_raw_set_bit(nr, (unsigned long *)&atom->counter);
217     }
218     
219     inline int atomic_clear_bit(int nr, atomic_t *atom)
220     {
>>>     CID 1404003:  Memory - corruptions  (ARRAY_VS_SINGLETON)
>>>     Passing "(unsigned long *)&atom->counter" to function 
>>> "atomic_raw_clear_bit" which uses it as an array. This might corrupt or 
>>> misinterpret adjacent memory locations. (Whether this is a real 
>>> out-of-bounds access depends on the range of "nr": the bit helpers 
>>> presumably select a word by bit number, so only a bit number at or beyond 
>>> the width of "counter" would reach past it. Callers should be checked for 
>>> that bound. The same consideration applies to CIDs 1404001, 1403995 and 
>>> 1403994.)
221             return atomic_raw_clear_bit(nr, (unsigned long 
*)&atom->counter);

** CID 1404002:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset()


________________________________________________________________________________________________________
*** CID 1404002:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset()
73     
74     /* Note: must be called with fifo->qlock held */
75     static inline void __sbi_fifo_reset(struct sbi_fifo *fifo)
76     {
77      fifo->avail = 0;
78      fifo->tail  = 0;
>>>     CID 1404002:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "fifo->num_entries" with type "u16" 
>>> (16 bits, unsigned) is promoted in "fifo->num_entries * fifo->entry_size" 
>>> to type "int" (32 bits, signed), then sign-extended to type "unsigned long" 
>>> (64 bits, unsigned).  If "fifo->num_entries * fifo->entry_size" is greater 
>>> than 0x7FFFFFFF, the upper bits of the result will all be 1.
79      sbi_memset(fifo->queue, 0, fifo->num_entries * fifo->entry_size);
80     }
81     
82     bool sbi_fifo_reset(struct sbi_fifo *fifo)
83     {
84      if (!fifo)

** CID 1404001:  Memory - corruptions  (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1404001:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/3rdparty/opensbi/lib/sbi/riscv_atomic.c: 216 in atomic_set_bit()
210     {
211             return __atomic_op_bit(and, __NOT, nr, addr);
212     }
213     
214     inline int atomic_set_bit(int nr, atomic_t *atom)
215     {
>>>     CID 1404001:  Memory - corruptions  (ARRAY_VS_SINGLETON)
>>>     Passing "(unsigned long *)&atom->counter" to function 
>>> "atomic_raw_set_bit" which uses it as an array. This might corrupt or 
>>> misinterpret adjacent memory locations.
216             return atomic_raw_set_bit(nr, (unsigned long *)&atom->counter);
217     }
218     
219     inline int atomic_clear_bit(int nr, atomic_t *atom)
220     {
221             return atomic_raw_clear_bit(nr, (unsigned long 
*)&atom->counter);

** CID 1404000:  Insecure data handling  (TAINTED_SCALAR)
/src/drivers/crb/tpm.c: 257 in tpm2_process_command()


________________________________________________________________________________________________________
*** CID 1404000:  Insecure data handling  (TAINTED_SCALAR)
/src/drivers/crb/tpm.c: 257 in tpm2_process_command()
251     
252             /* Response has to have at least 6 bytes */
253             if (length < 6)
254                     return 1;
255     
256             // Copy Response
>>>     CID 1404000:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "length" to a tainted sink. [Note: The source 
>>> code implementation of the function has been overridden by a builtin model.]
>>> (The only check visible above, "length < 6", bounds the response length from 
>>> below. "length" is treated as tainted, i.e. externally supplied, presumably 
>>> read back from the TPM, so the memcpy also needs an upper bound against the 
>>> size of the "tpm2_response" destination unless one is already enforced 
>>> earlier, outside this excerpt.)
257             memcpy(tpm2_response, control_area.response_bfr, length);
258     
259             if (crb_switch_to_ready()) {
260                     printk(BIOS_DEBUG, "TPM: Can not transition into ready 
state again.\n");
261                     return -1;
262             }

** CID 1403999:  Null pointer dereferences  (FORWARD_NULL)
/3rdparty/opensbi/lib/sbi/sbi_tlb.c: 74 in sbi_tlb_fifo_update_cb()


________________________________________________________________________________________________________
*** CID 1403999:  Null pointer dereferences  (FORWARD_NULL)
/3rdparty/opensbi/lib/sbi/sbi_tlb.c: 74 in sbi_tlb_fifo_update_cb()
68     
69      if (!in && !!data)
70              return ret;
71     
72      curr = (struct sbi_tlb_info *)data;
73      next = (struct sbi_tlb_info *)in;
>>>     CID 1403999:  Null pointer dereferences  (FORWARD_NULL)
>>>     Dereferencing null pointer "next". (The guard on line 69 returns only 
>>> when "in" is NULL and "data" is non-NULL, so a call with both pointers NULL 
>>> reaches "next->type" with "next" NULL; the guard needs to cover "in" being 
>>> NULL on its own.)
74      if (next->type == SBI_TLB_FLUSH_VMA_ASID &&
75          curr->type == SBI_TLB_FLUSH_VMA_ASID) {
76              if (next->asid == curr->asid)
77                      ret = __sbi_tlb_fifo_range_check(curr, next);
78      } else if (next->type == SBI_TLB_FLUSH_VMA &&
79                 curr->type == SBI_TLB_FLUSH_VMA) {

** CID 1403998:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init()


________________________________________________________________________________________________________
*** CID 1403998:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init()
17     {
18      fifo->queue       = queue_mem;
19      fifo->num_entries = entries;
20      fifo->entry_size  = entry_size;
21      SPIN_LOCK_INIT(&fifo->qlock);
22      fifo->avail = fifo->tail = 0;
>>>     CID 1403998:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "entry_size" with type "u16" (16 
>>> bits, unsigned) is promoted in "entries * entry_size" to type "int" (32 
>>> bits, signed), then sign-extended to type "unsigned long" (64 bits, 
>>> unsigned).  If "entries * entry_size" is greater than 0x7FFFFFFF, the upper 
>>> bits of the result will all be 1.
>>> (Two u16 operands can multiply to as much as 0xFFFE0001, so the product can 
>>> also overflow "int" itself before any extension happens, which is undefined 
>>> behaviour. Widening one operand before the multiply, e.g. 
>>> "(unsigned long)entries * entry_size", addresses both this finding and 
>>> CID 1403997, which reports the other operand of the same line.)
23      sbi_memset(fifo->queue, 0, entries * entry_size);
24     }
25     
26     /* Note: must be called with fifo->qlock held */
27     static inline bool __sbi_fifo_is_full(struct sbi_fifo *fifo)
28     {

** CID 1403997:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init()


________________________________________________________________________________________________________
*** CID 1403997:  Integer handling issues  (SIGN_EXTENSION)
/3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init()
17     {
18      fifo->queue       = queue_mem;
19      fifo->num_entries = entries;
20      fifo->entry_size  = entry_size;
21      SPIN_LOCK_INIT(&fifo->qlock);
22      fifo->avail = fifo->tail = 0;
>>>     CID 1403997:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "entries" with type "u16" (16 bits, 
>>> unsigned) is promoted in "entries * entry_size" to type "int" (32 bits, 
>>> signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  
>>> If "entries * entry_size" is greater than 0x7FFFFFFF, the upper bits of the 
>>> result will all be 1.
23      sbi_memset(fifo->queue, 0, entries * entry_size);
24     }
25     
26     /* Note: must be called with fifo->qlock held */
27     static inline bool __sbi_fifo_is_full(struct sbi_fifo *fifo)
28     {

** CID 1403996:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/3rdparty/opensbi/lib/sbi/sbi_hart.c: 349 in sbi_hart_wait_for_coldboot()


________________________________________________________________________________________________________
*** CID 1403996:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/3rdparty/opensbi/lib/sbi/sbi_hart.c: 349 in sbi_hart_wait_for_coldboot()
343                     wfi();
344                     mipval = csr_read(CSR_MIP);
345     
346                     spin_lock(&coldboot_wait_bitmap_lock);
347                     coldboot_wait_bitmap &= ~(1UL << hartid);
348                     spin_unlock(&coldboot_wait_bitmap_lock);
>>>     CID 1403996:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     The expression "mipval && 1 /* 1 << 3 */" is suspicious because it 
>>> performs a Boolean operation on a constant other than 0 or 1. (With "&&" 
>>> the non-zero MIP_MSIP constant is always true, so the loop condition 
>>> reduces to "!mipval" and the wait ends on any pending interrupt bit rather 
>>> than specifically on MSIP; a bitwise "&" to test that bit is presumably 
>>> what was intended.)
349             } while (!(mipval && MIP_MSIP));
350     
351             csr_clear(CSR_MIP, MIP_MSIP);
352     }
353     
354     void sbi_hart_wake_coldboot_harts(struct sbi_scratch *scratch, u32 
hartid)

** CID 1403995:  Memory - corruptions  (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1403995:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/3rdparty/opensbi/lib/sbi/sbi_ipi.c: 122 in sbi_ipi_process()
116                             sbi_tlb_fifo_process(scratch, ipi_event);
117                             break;
118                     case SBI_IPI_EVENT_HALT:
119                             sbi_hart_hang();
120                             break;
121                     };
>>>     CID 1403995:  Memory - corruptions  (ARRAY_VS_SINGLETON)
>>>     Passing "&ipi_data->ipi_type" to function "atomic_raw_clear_bit" which 
>>> uses it as an array. This might corrupt or misinterpret adjacent memory 
>>> locations.
122                     ipi_type = atomic_raw_clear_bit(ipi_event, 
&ipi_data->ipi_type);
123             } while (ipi_type > 0);
124     }
125     
126     int sbi_ipi_init(struct sbi_scratch *scratch, bool cold_boot)
127     {

** CID 1403994:  Memory - corruptions  (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1403994:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/3rdparty/opensbi/lib/sbi/sbi_ipi.c: 50 in sbi_ipi_send()
44              ret = sbi_tlb_fifo_update(remote_scratch, event, data);
45              if (ret > 0)
46                      goto done;
47              else if (ret < 0)
48                      return ret;
49      }
>>>     CID 1403994:  Memory - corruptions  (ARRAY_VS_SINGLETON)
>>>     Passing "&ipi_data->ipi_type" to function "atomic_raw_set_bit" which 
>>> uses it as an array. This might corrupt or misinterpret adjacent memory 
>>> locations.
50      atomic_raw_set_bit(event, &ipi_data->ipi_type);
51      mb();
52      sbi_platform_ipi_send(plat, hartid);
53      if (event != SBI_IPI_EVENT_SOFT)
54              sbi_platform_ipi_sync(plat, hartid);
55     


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit 
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvaU4HClancRgJSp1vcdHRWU-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5Z-2BmZTMJVuN5bAv8oTqj9s36QHUjJHO786FC3wx4pZ4BQPeZCAtED5abnTMblMoC9rMkN5xDJJjQn-2Fqawz-2BKmvgdvpta6Wl7TKijKSEVaUV-2Bx36CBOrrgmlJU8U1yjWmB7VDeewFwpFpbdq7Yx0u6QNSq5QQh7t1spSkiXLdJqUtO-2FZfTZWL-2FYj5we0G3sXQNo-3D
