Hey folks, here's the latest report. I think some of these defects are in new tests rather than in new code.
----- Forwarded message from scan-ad...@coverity.com ----- Date: Mon, 31 Jan 2022 23:09:01 +0000 (UTC) From: scan-ad...@coverity.com To: tom.r...@gmail.com Subject: New Defects reported by Coverity Scan for Das U-Boot Hi, Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan. 9 new defect(s) introduced to Das U-Boot found with Coverity Scan. 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 9 of 9 defect(s) ** CID 345920: API usage errors (CHAR_IO) /tools/bmp_logo.c: 165 in main() ________________________________________________________________________________________________________ *** CID 345920: API usage errors (CHAR_IO) /tools/bmp_logo.c: 165 in main() 159 "#define __BMP_LOGO_DATA_H__\n\n"); 160 161 /* read and print the palette information */ 162 printf("unsigned short bmp_logo_palette[] = {\n"); 163 164 for (i=0; i<n_colors; ++i) { >>> CID 345920: API usage errors (CHAR_IO) >>> Assigning the return value of "fgetc" to char "b->palette[(int)(i * 3 + >>> 2)]" truncates its value. 165 b->palette[(int)(i*3+2)] = fgetc(fp); 166 b->palette[(int)(i*3+1)] = fgetc(fp); 167 b->palette[(int)(i*3+0)] = fgetc(fp); 168 x=fgetc(fp); 169 170 printf ("%s0x0%X%X%X,%s", ** CID 345919: Resource leaks (RESOURCE_LEAK) /tools/image-host.c: 969 in fit_config_get_regions() ________________________________________________________________________________________________________ *** CID 345919: Resource leaks (RESOURCE_LEAK) /tools/image-host.c: 969 in fit_config_get_regions() 963 len += strlen(node_inc.strings[i]) + 1; 964 } 965 region_prop = malloc(len); 966 if (!region_prop) { 967 printf("Out of memory setting up regions for configuration '%s/%s'\n", 968 conf_name, sig_name); >>> CID 345919: Resource leaks (RESOURCE_LEAK) >>> Variable "region" going out of scope leaks the storage it points to. 
969 return -ENOMEM; 970 } 971 for (i = len = 0; i < node_inc.count; 972 len += strlen(node_inc.strings[i]) + 1, i++) 973 strcpy(region_prop + len, node_inc.strings[i]); 974 strlist_free(&node_inc); ** CID 345918: Error handling issues (CHECKED_RETURN) /tools/bmp_logo.c: 41 in skip_bytes() ________________________________________________________________________________________________________ *** CID 345918: Error handling issues (CHECKED_RETURN) /tools/bmp_logo.c: 41 in skip_bytes() 35 return val; 36 } 37 38 void skip_bytes (FILE *fp, int n) 39 { 40 while (n-- > 0) >>> CID 345918: Error handling issues (CHECKED_RETURN) >>> Calling "fgetc(fp)" without checking return value. This library >>> function may fail and return an error code. [Note: The source code >>> implementation of the function has been overridden by a builtin model.] 41 fgetc (fp); 42 } 43 44 __attribute__ ((__noreturn__)) 45 int error (char * msg, FILE *fp) 46 { ** CID 345917: Resource leaks (RESOURCE_LEAK) /tools/mkeficapsule.c: 121 in read_bin_file() ________________________________________________________________________________________________________ *** CID 345917: Resource leaks (RESOURCE_LEAK) /tools/mkeficapsule.c: 121 in read_bin_file() 115 116 *data = buf; 117 *bin_size = bin_stat.st_size; 118 err: 119 fclose(g); 120 >>> CID 345917: Resource leaks (RESOURCE_LEAK) >>> Variable "buf" going out of scope leaks the storage it points to. 
121 return ret; 122 } 123 124 /** 125 * write_capsule_file - write a capsule file 126 * @bin: FILE stream ** CID 345916: Code maintainability issues (UNUSED_VALUE) /tools/bmp_logo.c: 168 in main() ________________________________________________________________________________________________________ *** CID 345916: Code maintainability issues (UNUSED_VALUE) /tools/bmp_logo.c: 168 in main() 162 printf("unsigned short bmp_logo_palette[] = {\n"); 163 164 for (i=0; i<n_colors; ++i) { 165 b->palette[(int)(i*3+2)] = fgetc(fp); 166 b->palette[(int)(i*3+1)] = fgetc(fp); 167 b->palette[(int)(i*3+0)] = fgetc(fp); >>> CID 345916: Code maintainability issues (UNUSED_VALUE) >>> Assigning value from "fgetc(fp)" to "x" here, but that stored value is >>> overwritten before it can be used. 168 x=fgetc(fp); 169 170 printf ("%s0x0%X%X%X,%s", 171 ((i%8) == 0) ? "\t" : " ", 172 (b->palette[(int)(i*3+0)] >> 4) & 0x0F, 173 (b->palette[(int)(i*3+1)] >> 4) & 0x0F, ** CID 345915: Control flow issues (NO_EFFECT) /lib/image-sparse.c: 214 in write_sparse_image() ________________________________________________________________________________________________________ *** CID 345915: Control flow issues (NO_EFFECT) /lib/image-sparse.c: 214 in write_sparse_image() 208 response); 209 return -1; 210 } 211 212 blks = write_sparse_chunk_raw(info, blk, blkcnt, 213 data, response); >>> CID 345915: Control flow issues (NO_EFFECT) >>> This less-than-zero comparison of an unsigned value is never true. >>> "blks < 0UL". 
214 if (blks < 0) 215 return -1; 216 217 blk += blks; 218 bytes_written += ((u64)blkcnt) * info->blksz; 219 total_blocks += chunk_header->chunk_sz; ** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /tools/mkeficapsule.c: 96 in read_bin_file() ________________________________________________________________________________________________________ *** CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /tools/mkeficapsule.c: 96 in read_bin_file() 90 } 91 if (stat(bin, &bin_stat) < 0) { 92 fprintf(stderr, "cannot determine the size of %s\n", bin); 93 ret = -1; 94 goto err; 95 } >>> CID 345914: Integer handling issues (CONSTANT_EXPRESSION_RESULT) >>> "bin_stat.st_size > 18446744073709551615UL" is always false regardless >>> of the values of its operands. This occurs as the logical operand of "if". 96 if (bin_stat.st_size > SIZE_MAX) { 97 fprintf(stderr, "file size is too large for malloc: %s\n", bin); 98 ret = -1; 99 goto err; 100 } 101 buf = malloc(bin_stat.st_size); ** CID 345913: (TAINTED_SCALAR) /drivers/core/ofnode.c: 477 in ofnode_read_string_list() ________________________________________________________________________________________________________ *** CID 345913: (TAINTED_SCALAR) /drivers/core/ofnode.c: 473 in ofnode_read_string_list() 467 count = ofnode_read_string_count(node, property); 468 if (count < 0) 469 return count; 470 if (!count) 471 return 0; 472 >>> CID 345913: (TAINTED_SCALAR) >>> Passing tainted expression "count + 1" to "dlcalloc", which uses it as >>> an offset. 473 prop = calloc(count + 1, sizeof(char *)); 474 if (!prop) 475 return -ENOMEM; 476 477 for (i = 0; i < count; i++) 478 ofnode_read_string_index(node, property, i, &prop[i]); /drivers/core/ofnode.c: 477 in ofnode_read_string_list() 471 return 0; 472 473 prop = calloc(count + 1, sizeof(char *)); 474 if (!prop) 475 return -ENOMEM; 476 >>> CID 345913: (TAINTED_SCALAR) >>> Using tainted variable "count" as a loop boundary. 
477 for (i = 0; i < count; i++) 478 ofnode_read_string_index(node, property, i, &prop[i]); 479 prop[count] = NULL; 480 *listp = prop; 481 482 return count; ** CID 345912: Null pointer dereferences (FORWARD_NULL) /lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest() ________________________________________________________________________________________________________ *** CID 345912: Null pointer dereferences (FORWARD_NULL) /lib/efi_loader/efi_signature.c: 232 in efi_signature_lookup_digest() 226 sig_data = sig_data->next) { 227 #ifdef DEBUG 228 EFI_PRINT("Msg digest in database:\n"); 229 print_hex_dump(" ", DUMP_PREFIX_OFFSET, 16, 1, 230 sig_data->data, sig_data->size, false); 231 #endif >>> CID 345912: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "hash" to "memcmp", which dereferences it. [Note: >>> The source code implementation of the function has been overridden by a >>> builtin model.] 232 if (sig_data->size == size && 233 !memcmp(sig_data->data, hash, size)) { 234 found = true; 235 free(hash); 236 goto out; 237 } ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DDKue_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuSTR0FmiqU27GON2I9OwY5WGDhGm0B966wHcuXU1-2FAw3I1WyHwNMgtGMOCa3zfgzO3mwIYqjUojcuMoMoDYdcvewXSwAEhrjnoEUuW1P7jZMkKegPKNElHEFXfD5RSxi9z9qHMwR-2BQoDabuhKt6QcxRUxX6HfnI4Rx23wgFEhKyA-3D-3D To manage Coverity Scan email notifications for "tom.r...@gmail.com", click 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Dt4lb_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTuSTR0FmiqU27GON2I9OwY5iQ6QEKvvgo3kbcKQQzCeMzyYZUUiCCaPfKKIlYQsIBBmoj-2F-2F-2FVcReszYTf2sW-2Fwd1PrbdSELsWk-2FBSCGTEz-2B3dJauXj8pwgVdMYO3Z-2B05o5wBxdS6CNyX1ZFmrg4ubeFG97RpOh-2Fk-2FvV3V-2F9EveHkw-3D-3D ----- End forwarded message ----- -- Tom