Hi, please find below the latest report on new defect(s) introduced to coreboot, found with Coverity Scan.
12 new defect(s) introduced to coreboot found with Coverity Scan. 9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. [Reviewer note: 11 of the 12 new defects are in the vendored OpenSBI tree under 3rdparty/opensbi/; only CID 1404000 (src/drivers/crb/tpm.c) is coreboot's own code. The OpenSBI findings are best fixed upstream and pulled in with the next OpenSBI update rather than patched locally in coreboot, otherwise the local fix is lost on the next sync.] New defect(s) Reported-by: Coverity Scan Showing 12 of 12 defect(s) ** CID 1404005: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset() ________________________________________________________________________________________________________ *** CID 1404005: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset() 73 74 /* Note: must be called with fifo->qlock held */ 75 static inline void __sbi_fifo_reset(struct sbi_fifo *fifo) 76 { 77 fifo->avail = 0; 78 fifo->tail = 0; >>> CID 1404005: Integer handling issues (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "fifo->entry_size" with type "u16" >>> (16 bits, unsigned) is promoted in "fifo->num_entries * fifo->entry_size" >>> to type "int" (32 bits, signed), then sign-extended to type "unsigned long" >>> (64 bits, unsigned). If "fifo->num_entries * fifo->entry_size" is greater >>> than 0x7FFFFFFF, the upper bits of the result will all be 1. 79 sbi_memset(fifo->queue, 0, fifo->num_entries * fifo->entry_size); 80 } [Reviewer note: both operands are u16, so they are promoted to int and multiplied as int. 65535 * 65535 = 0xFFFE0001 exceeds INT_MAX, so for a large enough FIFO the multiplication itself is signed-integer overflow (undefined behaviour) before the result is ever sign-extended into the unsigned long size argument of sbi_memset(). In practice the FIFO is probably small, but the fix is cheap: widen one operand first, e.g. `sbi_memset(fifo->queue, 0, (unsigned long)fifo->num_entries * fifo->entry_size);`. CID 1404002 below is this same expression reported for the other operand; the one change clears both.] 81 82 bool sbi_fifo_reset(struct sbi_fifo *fifo) 83 { 84 if (!fifo) ** CID 1404004: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/utils/irqchip/plic.c: 57 in plic_fdt_fixup() ________________________________________________________________________________________________________ *** CID 1404004: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/utils/irqchip/plic.c: 57 in plic_fdt_fixup() 51 { 52 u32 *cells; 53 int i, cells_count; 54 u32 plic_off; 55 56 plic_off = fdt_node_offset_by_compatible(fdt, 0, compat); >>> CID 1404004: Control flow issues (NO_EFFECT) >>> This less-than-zero comparison of an unsigned value is never true. >>> "plic_off < 0U". 
57 if (plic_off < 0) 58 return; [Reviewer note: plic_off is declared u32 at line 54, so a negative error code returned by fdt_node_offset_by_compatible() (libfdt reports lookup failures as negative offsets) is converted to a large positive value, the check at line 57 is dead, and the invalid offset is passed straight on to fdt_getprop() at line 60. Declare it signed (`int plic_off;`) so the error path actually fires. The rest of plic_fdt_fixup() is outside this excerpt.] 59 60 cells = (u32 *)fdt_getprop(fdt, plic_off, 61 "interrupts-extended", &cells_count); 62 if (!cells) ** CID 1404003: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1404003: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/riscv_atomic.c: 221 in atomic_clear_bit() 215 { 216 return atomic_raw_set_bit(nr, (unsigned long *)&atom->counter); 217 } 218 219 inline int atomic_clear_bit(int nr, atomic_t *atom) 220 { >>> CID 1404003: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "(unsigned long *)&atom->counter" to function >>> "atomic_raw_clear_bit" which uses it as an array. This might corrupt or >>> misinterpret adjacent memory locations. 221 return atomic_raw_clear_bit(nr, (unsigned long *)&atom->counter); [Reviewer note: atomic_raw_clear_bit() treats its second argument as an unsigned long array indexed by nr, but here it receives the address of the single `counter` field, so the access is in bounds only while nr is smaller than the bit width of that field. The type of counter and the set of callers are not visible in this excerpt; before closing this as a false positive, confirm that every caller bounds nr (or add an explicit check on nr), since an out-of-range nr would modify whatever follows `counter` in memory. The same applies to CID 1404001 (atomic_set_bit) below.] ** CID 1404002: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset() ________________________________________________________________________________________________________ *** CID 1404002: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset() 73 74 /* Note: must be called with fifo->qlock held */ 75 static inline void __sbi_fifo_reset(struct sbi_fifo *fifo) 76 { 77 fifo->avail = 0; 78 fifo->tail = 0; >>> CID 1404002: Integer handling issues (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "fifo->num_entries" with type "u16" >>> (16 bits, unsigned) is promoted in "fifo->num_entries * fifo->entry_size" >>> to type "int" (32 bits, signed), then sign-extended to type "unsigned long" >>> (64 bits, unsigned). If "fifo->num_entries * fifo->entry_size" is greater >>> than 0x7FFFFFFF, the upper bits of the result will all be 1. 
79 sbi_memset(fifo->queue, 0, fifo->num_entries * fifo->entry_size); 80 } [Reviewer note: same expression as CID 1404005, reported here for the other operand. The int product of two u16 values can exceed INT_MAX (signed overflow, undefined behaviour) before the sign extension Coverity describes; widening one operand to unsigned long before the multiply closes both findings.] 81 82 bool sbi_fifo_reset(struct sbi_fifo *fifo) 83 { 84 if (!fifo) ** CID 1404001: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1404001: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/riscv_atomic.c: 216 in atomic_set_bit() 210 { 211 return __atomic_op_bit(and, __NOT, nr, addr); 212 } 213 214 inline int atomic_set_bit(int nr, atomic_t *atom) 215 { >>> CID 1404001: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "(unsigned long *)&atom->counter" to function >>> "atomic_raw_set_bit" which uses it as an array. This might corrupt or >>> misinterpret adjacent memory locations. 216 return atomic_raw_set_bit(nr, (unsigned long *)&atom->counter); 217 } 218 219 inline int atomic_clear_bit(int nr, atomic_t *atom) 220 { 221 return atomic_raw_clear_bit(nr, (unsigned long *)&atom->counter); [Reviewer note: same single-word-as-array pattern as CID 1404003: the address of one `counter` field is handed to a helper that indexes it by nr, so only nr values below the bit width of counter stay in bounds. Callers and the type of counter are not visible here; confirm nr is bounded (or assert it) rather than suppressing the finding.] ** CID 1404000: Insecure data handling (TAINTED_SCALAR) /src/drivers/crb/tpm.c: 257 in tpm2_process_command() ________________________________________________________________________________________________________ *** CID 1404000: Insecure data handling (TAINTED_SCALAR) /src/drivers/crb/tpm.c: 257 in tpm2_process_command() 251 252 /* Response has to have at least 6 bytes */ 253 if (length < 6) 254 return 1; 255 256 // Copy Response >>> CID 1404000: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted variable "length" to a tainted sink. [Note: The source >>> code implementation of the function has been overridden by a builtin model.] 
257 memcpy(tpm2_response, control_area.response_bfr, length); [Reviewer note: the only bound on `length` visible here is the lower bound at line 253; nothing in this excerpt compares it with the capacity of `tpm2_response` or of `control_area.response_bfr` before the copy. Where `length` originates is outside the excerpt. If it is read back from the TPM's CRB control area (i.e. supplied by the device), it has to be treated as untrusted and capped against the destination's capacity (passing that size in if the function does not already have it), because an over-long value turns this memcpy into a buffer overflow in boot firmware. If the caller already guarantees the bound, a comment at this line saying so would let the finding be triaged and dismissed.] 258 259 if (crb_switch_to_ready()) { 260 printk(BIOS_DEBUG, "TPM: Can not transition into ready state again.\n"); 261 return -1; 262 } ** CID 1403999: Null pointer dereferences (FORWARD_NULL) /3rdparty/opensbi/lib/sbi/sbi_tlb.c: 74 in sbi_tlb_fifo_update_cb() ________________________________________________________________________________________________________ *** CID 1403999: Null pointer dereferences (FORWARD_NULL) /3rdparty/opensbi/lib/sbi/sbi_tlb.c: 74 in sbi_tlb_fifo_update_cb() 68 69 if (!in && !!data) 70 return ret; 71 72 curr = (struct sbi_tlb_info *)data; 73 next = (struct sbi_tlb_info *)in; >>> CID 1403999: Null pointer dereferences (FORWARD_NULL) >>> Dereferencing null pointer "next". 74 if (next->type == SBI_TLB_FLUSH_VMA_ASID && 75 curr->type == SBI_TLB_FLUSH_VMA_ASID) { 76 if (next->asid == curr->asid) 77 ret = __sbi_tlb_fifo_range_check(curr, next); 78 } else if (next->type == SBI_TLB_FLUSH_VMA && 79 curr->type == SBI_TLB_FLUSH_VMA) { [Reviewer note: the guard at line 69, `if (!in && !!data)`, returns only when `in` is NULL and `data` is non-NULL. When both are NULL, or when only `data` is NULL, control reaches line 74 and dereferences `next` (or `curr` at line 75). If the intent is to bail out whenever either pointer is missing, the condition should read `if (!in || !data) return ret;`. The rest of sbi_tlb_fifo_update_cb() and its callers are outside this excerpt, so whether a NULL `in`/`data` can actually occur is not visible here.] ** CID 1403998: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init() ________________________________________________________________________________________________________ *** CID 1403998: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init() 17 { 18 fifo->queue = queue_mem; 19 fifo->num_entries = entries; 20 fifo->entry_size = entry_size; 21 SPIN_LOCK_INIT(&fifo->qlock); 22 fifo->avail = fifo->tail = 0; >>> CID 1403998: Integer handling issues (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "entry_size" with type "u16" (16 >>> bits, unsigned) is promoted in "entries * entry_size" to type "int" (32 >>> bits, signed), then sign-extended to type "unsigned long" (64 bits, >>> unsigned). If "entries * entry_size" is greater than 0x7FFFFFFF, the upper >>> bits of the result will all be 1. 
23 sbi_memset(fifo->queue, 0, entries * entry_size); 24 } [Reviewer note: same issue as the reset path (CID 1404005/1404002): `entries` and `entry_size` are u16, the product is computed as int and can overflow (undefined behaviour) for products above 0x7FFFFFFF, and is then sign-extended into the size argument. Widen one operand: `sbi_memset(fifo->queue, 0, (unsigned long)entries * entry_size);`. CID 1403997 below is the same line reported for the other operand.] 25 26 /* Note: must be called with fifo->qlock held */ 27 static inline bool __sbi_fifo_is_full(struct sbi_fifo *fifo) 28 { ** CID 1403997: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init() ________________________________________________________________________________________________________ *** CID 1403997: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init() 17 { 18 fifo->queue = queue_mem; 19 fifo->num_entries = entries; 20 fifo->entry_size = entry_size; 21 SPIN_LOCK_INIT(&fifo->qlock); 22 fifo->avail = fifo->tail = 0; >>> CID 1403997: Integer handling issues (SIGN_EXTENSION) >>> Suspicious implicit sign extension: "entries" with type "u16" (16 bits, >>> unsigned) is promoted in "entries * entry_size" to type "int" (32 bits, >>> signed), then sign-extended to type "unsigned long" (64 bits, unsigned). >>> If "entries * entry_size" is greater than 0x7FFFFFFF, the upper bits of the >>> result will all be 1. 
23 sbi_memset(fifo->queue, 0, entries * entry_size); 24 } [Reviewer note: duplicate of CID 1403998 for the other operand of the same multiply; one widening cast on either operand closes both.] 25 26 /* Note: must be called with fifo->qlock held */ 27 static inline bool __sbi_fifo_is_full(struct sbi_fifo *fifo) 28 { ** CID 1403996: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /3rdparty/opensbi/lib/sbi/sbi_hart.c: 349 in sbi_hart_wait_for_coldboot() ________________________________________________________________________________________________________ *** CID 1403996: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /3rdparty/opensbi/lib/sbi/sbi_hart.c: 349 in sbi_hart_wait_for_coldboot() 343 wfi(); 344 mipval = csr_read(CSR_MIP); 345 346 spin_lock(&coldboot_wait_bitmap_lock); 347 coldboot_wait_bitmap &= ~(1UL << hartid); 348 spin_unlock(&coldboot_wait_bitmap_lock); >>> CID 1403996: Integer handling issues (CONSTANT_EXPRESSION_RESULT) >>> The expression "mipval && 1 /* 1 << 3 */" is suspicious because it >>> performs a Boolean operation on a constant other than 0 or 1. 349 } while (!(mipval && MIP_MSIP)); 350 351 csr_clear(CSR_MIP, MIP_MSIP); 352 } [Reviewer note: `&&` at line 349 is a logical AND with the non-zero constant MIP_MSIP, so the condition reduces to `mipval != 0` and the loop exits as soon as any bit is pending in MIP, not specifically when the machine software interrupt is pending. The csr_clear(CSR_MIP, MIP_MSIP) at line 351 shows the intended test is the bitwise one: `} while (!(mipval & MIP_MSIP));`. As written, a hart waiting for cold boot could be released early by an unrelated pending interrupt; what that allows depends on code outside this excerpt.] 353 354 void sbi_hart_wake_coldboot_harts(struct sbi_scratch *scratch, u32 hartid) ** CID 1403995: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1403995: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_ipi.c: 122 in sbi_ipi_process() 116 sbi_tlb_fifo_process(scratch, ipi_event); 117 break; 118 case SBI_IPI_EVENT_HALT: 119 sbi_hart_hang(); 120 break; 121 }; >>> CID 1403995: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "&ipi_data->ipi_type" to function "atomic_raw_clear_bit" which >>> uses it as an array. This might corrupt or misinterpret adjacent memory >>> locations. 
122 ipi_type = atomic_raw_clear_bit(ipi_event, &ipi_data->ipi_type); 123 } while (ipi_type > 0); 124 } [Reviewer note: `ipi_type` is a single field being used as the bit array for atomic_raw_clear_bit(), so the access stays in bounds only while ipi_event is less than the bit width of ipi_type. Neither the type of ipi_type nor the full range of SBI_IPI_EVENT_* values is visible in this excerpt; confirm the event numbers fit in one word (a compile-time assert would make that explicit and let Coverity's finding be dismissed with evidence) rather than suppressing this and CID 1403994 outright.] 125 126 int sbi_ipi_init(struct sbi_scratch *scratch, bool cold_boot) 127 { ** CID 1403994: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1403994: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_ipi.c: 50 in sbi_ipi_send() 44 ret = sbi_tlb_fifo_update(remote_scratch, event, data); 45 if (ret > 0) 46 goto done; 47 else if (ret < 0) 48 return ret; 49 } >>> CID 1403994: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Passing "&ipi_data->ipi_type" to function "atomic_raw_set_bit" which >>> uses it as an array. This might corrupt or misinterpret adjacent memory >>> locations. 50 atomic_raw_set_bit(event, &ipi_data->ipi_type); 51 mb(); 52 sbi_platform_ipi_send(plat, hartid); 53 if (event != SBI_IPI_EVENT_SOFT) 54 sbi_platform_ipi_sync(plat, hartid); 55 [Reviewer note: same single-word-as-array pattern as CID 1403995, on the set side: `event` indexes the lone `ipi_type` field, so it must stay below the field's bit width. Here `event` is the value passed in by the caller of sbi_ipi_send(), whose validation is not visible in this excerpt; the remainder of sbi_ipi_send() is also outside it.] ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvaU4HClancRgJSp1vcdHRWU-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5Z-2BmZTMJVuN5bAv8oTqj9s36QHUjJHO786FC3wx4pZ4BQPeZCAtED5abnTMblMoC9rMkN5xDJJjQn-2Fqawz-2BKmvgdvpta6Wl7TKijKSEVaUV-2Bx36CBOrrgmlJU8U1yjWmB7VDeewFwpFpbdq7Yx0u6QNSq5QQh7t1spSkiXLdJqUtO-2FZfTZWL-2FYj5we0G3sXQNo-3D _______________________________________________ coreboot mailing list -- coreboot@coreboot.org To unsubscribe send an email to coreboot-le...@coreboot.org