Hey all,

Here's the latest report.

----- Forwarded message from [email protected] -----

Date: Mon, 19 Apr 2021 01:18:55 +0000 (UTC)
From: [email protected]
To: [email protected]
Subject: New Defects reported by Coverity Scan for Das U-Boot

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot found 
with Coverity Scan.

13 new defect(s) introduced to Das U-Boot found with Coverity Scan.
5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent 
build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)


** CID 331158:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()


________________________________________________________________________________________________________
*** CID 331158:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
341                     return PTR_ERR(func);
342     
343             func->name = fname;
344             func->npins = 0;
345             for (n = 0; n < count; n++, pins++) {
346                     offset = fdt32_to_cpu(pins->reg);
>>>     CID 331158:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
347                     if (offset < 0 || offset > pdata->offset) {
348                             dev_dbg(dev, "  invalid register offset 0x%x\n",
349                                     offset);
350                             continue;
351                     }
352     

** CID 331157:  Null pointer dereferences  (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()


________________________________________________________________________________________________________
*** CID 331157:  Null pointer dereferences  (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
223     
224             /* Now read the data */
225             for (upto = 0; upto < ec->matrix_count; upto++) {
226                     struct ec_keymatrix_entry *matrix = &ec->matrix[upto];
227                     u32 word;
228     
>>>     CID 331157:  Null pointer dereferences  (NULL_RETURNS)
>>>     Incrementing a pointer which might be null: "cell".
229                     word = fdt32_to_cpu(*cell++);
230                     matrix->row = word >> 24;
231                     matrix->col = (word >> 16) & 0xff;
232                     matrix->keycode = word & 0xffff;
233     
234                     /* Hard-code some sanity limits for now */

** CID 331156:  Incorrect expression  (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()


________________________________________________________________________________________________________
*** CID 331156:  Incorrect expression  (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
34      qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
35                     le32_to_cpu(setup_size), data_addr);
36      data_addr += le32_to_cpu(setup_size);
37     
38      qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
39                     le32_to_cpu(kernel_size), data_addr);
>>>     CID 331156:  Incorrect expression  (UNUSED_VALUE)
>>>     Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
40      data_addr += le32_to_cpu(kernel_size);
41     
42      data_addr = initrd_addr;
43      qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
44      if (initrd_size == 0) {
45              printf("warning: no initrd available\n");

** CID 331155:  Insecure data handling  (TAINTED_SCALAR)
/fs/cbfs/cbfs.c: 170 in file_cbfs_next_file()


________________________________________________________________________________________________________
*** CID 331155:  Insecure data handling  (TAINTED_SCALAR)
/fs/cbfs/cbfs.c: 170 in file_cbfs_next_file()
164                             size -= align;
165                             start += align;
166                             continue;
167                     }
168     
169                     swap_file_header(&header, file_header);
>>>     CID 331155:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "header.offset" to a tainted sink.
170                     ret = fill_node(node, start, &header);
171                     if (ret) {
172                             priv->result = CBFS_BAD_FILE;
173                             return log_msg_ret("fill", ret);
174                     }
175     

** CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()


________________________________________________________________________________________________________
*** CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
467                     return -ENOMEM;
468             #endif
469     
470             priv->npins = size / (pdata->width / BITS_PER_BYTE);
471             if (pdata->bits_per_mux) {
472                     priv->bits_per_pin = fls(pdata->mask);
>>>     CID 331154:  Integer handling issues  (DIVIDE_BY_ZERO)
>>>     In expression "pdata->width / priv->bits_per_pin", division by expression "priv->bits_per_pin" which may be zero has undefined behavior.
473                     priv->npins *= (pdata->width / priv->bits_per_pin);
474             }
475     
476             dev_dbg(dev, "%d pins\n", priv->npins);
477             return 0;
478     }

** CID 331153:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()


________________________________________________________________________________________________________
*** CID 331153:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
655             size = 0;
656             ret = efi_get_variable_int(L"BootOrder", 
&efi_global_variable_guid,
657                                        NULL, &size, NULL, NULL);
658             if (ret == EFI_BUFFER_TOO_SMALL) {
659                     boot_order = malloc(size);
660                     if (!boot_order) {
>>>     CID 331153:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "9223372036854775817UL" to "ret" here, but that stored value is overwritten before it can be used.
661                             ret = EFI_OUT_OF_RESOURCES;
662                             goto out;
663                     }
664     
665                     ret = efi_get_variable_int(L"BootOrder",
666                                                &efi_global_variable_guid,

** CID 331152:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()


________________________________________________________________________________________________________
*** CID 331152:  Insecure data handling  (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()
174                     response = response_buffer;
175                     response_length = sizeof(response_buffer);
176             }
177     
178             size = tpm_command_size(command);
179             log_debug("TPM request [size:%d]: ", size);
>>>     CID 331152:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "size" as a loop boundary.
180             for (i = 0; i < size; i++)
181                     log_debug("%02x ", ((u8 *)command)[i]);
182             log_debug("\n");
183     
184             err = tpm_xfer(dev, command, size, response, &response_length);
185     

** CID 331151:  Resource leaks  (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()


________________________________________________________________________________________________________
*** CID 331151:  Resource leaks  (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
241             if (!func)
242                     return ERR_PTR(-ENOMEM);
243     
244             func->pins = devm_kmalloc(dev, sizeof(unsigned int) * 
group_pins,
245                                       GFP_KERNEL);
246             if (!func->pins)
>>>     CID 331151:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "func" going out of scope leaks the storage it points to.
247                     return ERR_PTR(-ENOMEM);
248     
249             return func;
250     }
251     
252     static int single_pin_compare(const void *s1, const void *s2)

** CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()


________________________________________________________________________________________________________
*** CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()
409                     err = device_bind_driver_to_node(dev, 
DSA_PORT_CHILD_DRV_NAME,
410                                                      name, pnode, &pdev);
411                     if (pdev) {
412                             struct dsa_port_pdata *port_pdata;
413     
414                             port_pdata = dev_get_parent_plat(pdev);
>>>     CID 331150:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
415                             strncpy(port_pdata->name, name, 
DSA_PORT_NAME_LENGTH);
416                             pdev->name = port_pdata->name;
417                     }
418     
419                     /* try to bind all ports but keep 1st error */
420                     if (err && !first_err)

** CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()


________________________________________________________________________________________________________
*** CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
218     
219             port_pdata = dev_get_parent_plat(pdev);
220             port_pdata->index = index;
221     
222             label = ofnode_read_string(dev_ofnode(pdev), "label");
223             if (label)
>>>     CID 331149:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
224                     strncpy(port_pdata->name, label, DSA_PORT_NAME_LENGTH);
225     
226             eth_pdata = dev_get_plat(pdev);
227             eth_pdata->priv_pdata = port_pdata;
228     
229             dev_dbg(pdev, "port %d node %s\n", port_pdata->index,

** CID 331148:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()


________________________________________________________________________________________________________
*** CID 331148:  Control flow issues  (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
292                     return PTR_ERR(func);
293     
294             func->name = fname;
295             func->npins = 0;
296             for (n = 0; n < count; n++, pins++) {
297                     offset = fdt32_to_cpu(pins->reg);
>>>     CID 331148:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
298                     if (offset < 0 || offset > pdata->offset) {
299                             dev_err(dev, "  invalid register offset 0x%x\n",
300                                     offset);
301                             continue;
302                     }
303     

** CID 331147:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()


________________________________________________________________________________________________________
*** CID 331147:  Code maintainability issues  (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
450             efi_status_t ret;
451     
452             EFI_ENTRY("%p, %zu, %llu\n", capsule_header_array, 
capsule_count,
453                       scatter_gather_list);
454     
455             if (!capsule_count) {
>>>     CID 331147:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value "9223372036854775810UL" to "ret" here, but that stored value is overwritten before it can be used.
456                     ret = EFI_INVALID_PARAMETER;
457                     goto out;
458             }
459     
460             ret = EFI_SUCCESS;
461             for (i = 0, capsule = *capsule_header_array; i < capsule_count;

** CID 165109:  Insecure data handling  (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 81 in state_read_file()


________________________________________________________________________________________________________
*** CID 165109:  Insecure data handling  (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 81 in state_read_file()
75      os_close(fd);
76     
77      return 0;
78     err_read:
79      os_close(fd);
80     err_open:
>>>     CID 165109:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "state->state_fdt" to a tainted sink.
81      os_free(state->state_fdt);
82      state->state_fdt = NULL;
83     
84      return ret;
85     }
86     


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DZZ5O_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtGHJmPef5TSDjCzuFmDLHCcVLNpHIs0AqBsXJPs2SOVhTXup007yHbqhSGIK1hyqPpz1vYe-2BN9550EDGrhLxMxHlBpTdungq17k4ECpA3No35lrqehPZZCZ5BAHvEzJczmieHTM7FI63-2BfXLhs4wtMUoPRU5sgDVix9YwcWKeyJg-3D-3D



----- End forwarded message -----

-- 
Tom
