Hey all, Here's the report now that next has been merged to master. And part of this looks like backend updates finding new issues in existing code.
---------- Forwarded message --------- From: <[email protected]> Date: Tue, Jul 7, 2026 at 12:39 PM Subject: New Defects reported by Coverity Scan for Das U-Boot To: <[email protected]> Hi, Please find the latest report on new defect(s) introduced to *Das U-Boot* found with Coverity Scan. - *New Defects Found:* 35 - 10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. - *Defects Shown:* Showing 20 of 35 defect(s) Defect Details ** CID 648967: Null pointer dereferences (NULL_RETURNS) /api/api.c: 545 in API_env_enum() _____________________________________________________________________________________________ *** CID 648967: Null pointer dereferences (NULL_RETURNS) /api/api.c: 545 in API_env_enum() 539 /* match the next entry after i */ 540 i = hmatch_r("", i, &match, &env_htab); 541 if (i == 0) 542 goto done; 543 buflen = strlen(match->key) + strlen(match->data) + 2; 544 var = realloc(var, buflen); >>> CID 648967: Null pointer dereferences (NULL_RETURNS) >>> Dereferencing a pointer that might be "NULL" "var" when calling >>> "snprintf". [Note: The source code implementation of the function has been >>> overridden by a builtin model.] 545 snprintf(var, buflen, "%s=%s", match->key, match->data); 546 *next = var; 547 return 0; 548 549 done: 550 free(var); ** CID 648966: Memory - illegal accesses (STRING_NULL) _____________________________________________________________________________________________ *** CID 648966: Memory - illegal accesses (STRING_NULL) /boot/vbe_request.c: 204 in bootmeth_vbe_ft_fixup() 198 ofnode_get_name(dest), ret); 199 if (*result.err_str) { 200 char *msg = strdup(result.err_str); 201 202 if (!msg) 203 return log_msg_ret("msg", -ENOMEM); >>> CID 648966: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "msg" to "ofnode_write_string", which >>> expects a null-terminated string. 204 ret = ofnode_write_string(dest, "vbe,error", 205 msg); 206 if (ret) { 207 free(msg); 208 return log_msg_ret("str", -ENOMEM); 209 } ** CID 648965: (TOCTOU) /tools/image-host.c: 923 in fit_image_process_verity() /tools/image-host.c: 923 in fit_image_process_verity() _____________________________________________________________________________________________ *** CID 648965: (TOCTOU) /tools/image-host.c: 923 in fit_image_process_verity() 917 fprintf(stderr, "Invalid hex in veritysetup output for '%s'\n", 918 image_name); 919 ret = -EINVAL; 920 goto err_unlink; 921 } 922 >>> CID 648965: (TOCTOU) >>> Calling function "stat" to perform check on "tmpfile". 923 if (stat(tmpfile, &st)) { 924 fprintf(stderr, "Can't stat temp file: %s\n", 925 strerror(errno)); 926 ret = -EIO; 927 goto err_unlink; 928 } /tools/image-host.c: 923 in fit_image_process_verity() 917 fprintf(stderr, "Invalid hex in veritysetup output for '%s'\n", 918 image_name); 919 ret = -EINVAL; 920 goto err_unlink; 921 } 922 >>> CID 648965: (TOCTOU) >>> Calling function "stat" to perform check on "tmpfile". 923 if (stat(tmpfile, &st)) { 924 fprintf(stderr, "Can't stat temp file: %s\n", 925 strerror(errno)); 926 ret = -EIO; 927 goto err_unlink; 928 } ** CID 648964: Memory - illegal accesses (STRING_NULL) _____________________________________________________________________________________________ *** CID 648964: Memory - illegal accesses (STRING_NULL) /fs/fat/fat_write.c: 1489 in file_fat_write_at() 1483 debug("writing %s\n", filename); 1484 1485 filename_copy = strdup(filename); 1486 if (!filename_copy) 1487 return -ENOMEM; 1488 >>> CID 648964: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "filename_copy" to "split_filename", which >>> expects a null-terminated string. 1489 split_filename(filename_copy, &parent, &basename); 1490 if (!strlen(basename)) { 1491 ret = -EINVAL; 1492 goto exit; 1493 } 1494 ** CID 648963: Memory - illegal accesses (STRING_NULL) _____________________________________________________________________________________________ *** CID 648963: Memory - illegal accesses (STRING_NULL) /boot/bootmeth_extlinux.c: 164 in extlinux_read_bootflow() 158 ret = bootmeth_try_file(bflow, desc, prefix, EXTLINUX_FNAME); 159 } while (ret && prefixes && prefixes[++i]); 160 if (ret) 161 return log_msg_ret("try", ret); 162 size = bflow->size; 163 >>> CID 648963: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", >>> which expects a null-terminated string. 164 ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN, 165 BFI_EXTLINUX_CFG); 166 if (ret) 167 return log_msg_ret("read", ret); 168 169 ret = extlinux_fill_info(bflow); ** CID 648962: (STRING_NULL) _____________________________________________________________________________________________ *** CID 648962: (STRING_NULL) /drivers/dfu/dfu.c: 183 in dfu_init_env_entities() 177 pr_err("\"dfu_alt_info\" env variable not defined!\n"); 178 return -EINVAL; 179 } 180 181 env_bkp = strdup(str_env); 182 if (!interface && !devstr) >>> CID 648962: (STRING_NULL) >>> Passing unterminated string "env_bkp" to "dfu_config_interfaces", which >>> expects a null-terminated string. 183 ret = dfu_config_interfaces(env_bkp); 184 else 185 ret = dfu_config_entities(env_bkp, interface, devstr); 186 187 if (ret) { 188 pr_err("DFU entities configuration failed: %d\n", ret); /drivers/dfu/dfu.c: 185 in dfu_init_env_entities() 179 } 180 181 env_bkp = strdup(str_env); 182 if (!interface && !devstr) 183 ret = dfu_config_interfaces(env_bkp); 184 else >>> CID 648962: (STRING_NULL) >>> Passing unterminated string "env_bkp" to "dfu_config_entities", which >>> expects a null-terminated string. 185 ret = dfu_config_entities(env_bkp, interface, devstr); 186 187 if (ret) { 188 pr_err("DFU entities configuration failed: %d\n", ret); 189 pr_err("(partition table does not match dfu_alt_info?)\n"); 190 goto done; ** CID 648961: (STRING_NULL) _____________________________________________________________________________________________ *** CID 648961: (STRING_NULL) /fs/squashfs/sqfs.c: 1243 in sqfs_split_path() 1237 } 1238 tmp_path[0] = '/'; 1239 strcpy(tmp_path + 1, path); 1240 } 1241 1242 /* String duplicates */ >>> CID 648961: (STRING_NULL) >>> Passing unterminated string "tmp_path" to "sandbox_strdup", which >>> expects a null-terminated string. 1243 dirc = strdup(tmp_path); 1244 if (!dirc) { 1245 ret = -ENOMEM; 1246 goto out; 1247 } 1248 /fs/squashfs/sqfs.c: 1255 in sqfs_split_path() 1249 basec = strdup(tmp_path); 1250 if (!basec) { 1251 ret = -ENOMEM; 1252 goto out; 1253 } 1254 >>> CID 648961: (STRING_NULL) >>> Passing unterminated string "dirc" to "sqfs_dirname", which expects a >>> null-terminated string. 1255 dname = sqfs_dirname(dirc); 1256 bname = sqfs_basename(basec); 1257 1258 *file = strdup(bname); 1259 1260 if (!*file) { /fs/squashfs/sqfs.c: 1256 in sqfs_split_path() 1250 if (!basec) { 1251 ret = -ENOMEM; 1252 goto out; 1253 } 1254 1255 dname = sqfs_dirname(dirc); >>> CID 648961: (STRING_NULL) >>> Passing unterminated string "basec" to "sqfs_basename", which expects a >>> null-terminated string. 1256 bname = sqfs_basename(basec); 1257 1258 *file = strdup(bname); 1259 1260 if (!*file) { 1261 ret = -ENOMEM; ** CID 648944: Memory - illegal accesses (STRING_NULL) /cmd/gpt.c: 60 in extract_env() _____________________________________________________________________________________________ *** CID 648944: Memory - illegal accesses (STRING_NULL) /cmd/gpt.c: 60 in extract_env() 54 return -1; 55 56 s = strdup(str); 57 if (s == NULL) 58 return -1; 59 >>> CID 648944: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "s" to "strlen", which expects a >>> null-terminated string. [Note: The source code implementation of the >>> function has been overridden by a builtin model.] 60 memset(s + strlen(s) - 1, '\0', 1); 61 memmove(s, s + 2, strlen(s) - 1); 62 63 e = env_get(s); 64 if (e == NULL) { 65 #ifdef CONFIG_RANDOM_UUID ** CID 648943: (STRING_NULL) _____________________________________________________________________________________________ *** CID 648943: (STRING_NULL) /fs/fat/fat_write.c: 2013 in fat_rename() 2007 if (!old_path_copy || !new_path_copy || !old_itr || !new_itr) { 2008 log_debug("Error: out of memory\n"); 2009 ret = -ENOMEM; 2010 goto exit; 2011 } 2012 split_filename(old_path_copy, &old_dirname, &old_basename); >>> CID 648943: (STRING_NULL) >>> Passing unterminated string "new_path_copy" to "split_filename", which >>> expects a null-terminated string. 2013 split_filename(new_path_copy, &new_dirname, &new_basename); 2014 2015 if (normalize_longname(l_new_basename, new_basename)) { 2016 log_debug("FAT: illegal filename (%s)\n", new_basename); 2017 ret = -EINVAL; 2018 goto exit; /fs/fat/fat_write.c: 2012 in fat_rename() 2006 new_itr = malloc_cache_aligned(sizeof(fat_itr)); 2007 if (!old_path_copy || !new_path_copy || !old_itr || !new_itr) { 2008 log_debug("Error: out of memory\n"); 2009 ret = -ENOMEM; 2010 goto exit; 2011 } >>> CID 648943: (STRING_NULL) >>> Passing unterminated string "old_path_copy" to "split_filename", which >>> expects a null-terminated string. 2012 split_filename(old_path_copy, &old_dirname, &old_basename); 2013 split_filename(new_path_copy, &new_dirname, &new_basename); 2014 2015 if (normalize_longname(l_new_basename, new_basename)) { 2016 log_debug("FAT: illegal filename (%s)\n", new_basename); 2017 ret = -EINVAL; ** CID 648942: Memory - illegal accesses (STRING_NULL) _____________________________________________________________________________________________ *** CID 648942: Memory - illegal accesses (STRING_NULL) /boot/bootmeth_android.c: 414 in avb_append_commandline() 408 static int avb_append_commandline(struct bootflow *bflow, char *cmdline) 409 { 410 char *arg = strsep(&cmdline, " "); 411 int ret; 412 413 while (arg) { >>> CID 648942: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "bflow->cmdline" to >>> "avb_append_commandline_arg", which expects a null-terminated string. 414 ret = avb_append_commandline_arg(bflow, arg); 415 if (ret < 0) 416 return ret; 417 418 arg = strsep(&cmdline, " "); 419 } ** CID 648941: Memory - illegal accesses (STRING_NULL) _____________________________________________________________________________________________ *** CID 648941: Memory - illegal accesses (STRING_NULL) /fs/fat/fat_write.c: 1738 in fat_unlink() 1732 itr = malloc_cache_aligned(sizeof(fat_itr)); 1733 if (!itr || !filename_copy) { 1734 printf("Error: out of memory\n"); 1735 ret = -ENOMEM; 1736 goto exit; 1737 } >>> CID 648941: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "filename_copy" to "split_filename", which >>> expects a null-terminated string. 1738 split_filename(filename_copy, &dirname, &basename); 1739 1740 if (!strcmp(dirname, "/") && !strcmp(basename, "")) { 1741 printf("Error: cannot remove root\n"); 1742 ret = -EINVAL; 1743 goto exit; ** CID 648940: Memory - illegal accesses (STRING_NULL) /common/cli_hush.c: 2169 in set_local_var() _____________________________________________________________________________________________ *** CID 648940: Memory - illegal accesses (STRING_NULL) /common/cli_hush.c: 2169 in set_local_var() 2163 2164 name=strdup(s); 2165 2166 /* Assume when we enter this function that we are already in 2167 * NAME=VALUE format. So the first order of business is to 2168 * split 's' on the '=' into 'name' and 'value' */ >>> CID 648940: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "name" to "strchr", which expects a >>> null-terminated string. [Note: The source code implementation of the >>> function has been overridden by a builtin model.] 2169 value = strchr(name, '='); 2170 if (!value) { 2171 free(name); 2172 return -1; 2173 } 2174 *value++ = 0; ** CID 648939: (STRING_NULL) _____________________________________________________________________________________________ *** CID 648939: (STRING_NULL) /boot/bootmeth_script.c: 110 in script_read_bootflow_file() 104 return log_msg_ret("read", ret); 105 106 ret = script_fill_info(bflow); 107 if (ret) 108 return log_msg_ret("inf", ret); 109 >>> CID 648939: (STRING_NULL) >>> Passing unterminated string "bflow->subdir" to "bootmeth_alloc_other", >>> which expects a null-terminated string. 110 ret = bootmeth_alloc_other(bflow, "boot.bmp", BFI_LOGO, 111 &bflow->logo, &bflow->logo_size); 112 /* ignore error */ 113 114 return 0; 115 } /boot/bootmeth_script.c: 101 in script_read_bootflow_file() 95 return log_msg_ret("try", ret); 96 97 bflow->subdir = strdup(prefix ? prefix : ""); 98 if (!bflow->subdir) 99 return log_msg_ret("prefix", -ENOMEM); 100 >>> CID 648939: (STRING_NULL) >>> Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", >>> which expects a null-terminated string. 101 ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN, 102 (enum bootflow_img_t)IH_TYPE_SCRIPT); 103 if (ret) 104 return log_msg_ret("read", ret); 105 106 ret = script_fill_info(bflow); /boot/bootmeth_script.c: 101 in script_read_bootflow_file() 95 return log_msg_ret("try", ret); 96 97 bflow->subdir = strdup(prefix ? prefix : ""); 98 if (!bflow->subdir) 99 return log_msg_ret("prefix", -ENOMEM); 100 >>> CID 648939: (STRING_NULL) >>> Passing unterminated string "bflow->fname" to "bootmeth_alloc_file", >>> which expects a null-terminated string. 101 ret = bootmeth_alloc_file(bflow, 0x10000, ARCH_DMA_MINALIGN, 102 (enum bootflow_img_t)IH_TYPE_SCRIPT); 103 if (ret) 104 return log_msg_ret("read", ret); 105 106 ret = script_fill_info(bflow); ** CID 648938: Error handling issues (CHECKED_RETURN) /cmd/fastboot.c: 108 in do_fastboot_usb() _____________________________________________________________________________________________ *** CID 648938: Error handling issues (CHECKED_RETURN) /cmd/fastboot.c: 108 in do_fastboot_usb() 102 103 while (1) { 104 if (g_dnl_detach()) 105 break; 106 if (IS_ENABLED(CONFIG_CMD_FASTBOOT_ABORT_KEYED)) { 107 if (tstc()) { >>> CID 648938: Error handling issues (CHECKED_RETURN) >>> Calling "getchar()" without checking return value. This library >>> function may fail and return an error code. [Note: The source code >>> implementation of the function has been overridden by a builtin model.] 108 getchar(); 109 puts("\rOperation aborted.\n"); 110 break; 111 } 112 } else if (ctrlc()) { 113 break; ** CID 648937: (TAINTED_SCALAR) /boot/image-fit.c: 259 in fit_image_print_dm_verity() /boot/image-fit.c: 259 in fit_image_print_dm_verity() /boot/image-fit.c: 268 in fit_image_print_dm_verity() /boot/image-fit.c: 268 in fit_image_print_dm_verity() _____________________________________________________________________________________________ *** CID 648937: (TAINTED_SCALAR) /boot/image-fit.c: 259 in fit_image_print_dm_verity() 253 printf("%s Verity algo: %s\n", p, algo); 254 255 bin = fdt_getprop(fit, noffset, FIT_VERITY_DIGEST_PROP, 256 &len); 257 if (bin && len > 0) { 258 printf("%s Verity hash: ", p); >>> CID 648937: (TAINTED_SCALAR) >>> Using tainted variable "len" as a loop boundary. 259 for (i = 0; i < len; i++) 260 printf("%02x", bin[i]); 261 printf("\n"); 262 } 263 264 bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP, /boot/image-fit.c: 259 in fit_image_print_dm_verity() 253 printf("%s Verity algo: %s\n", p, algo); 254 255 bin = fdt_getprop(fit, noffset, FIT_VERITY_DIGEST_PROP, 256 &len); 257 if (bin && len > 0) { 258 printf("%s Verity hash: ", p); >>> CID 648937: (TAINTED_SCALAR) >>> Using tainted variable "len" as a loop boundary. 259 for (i = 0; i < len; i++) 260 printf("%02x", bin[i]); 261 printf("\n"); 262 } 263 264 bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP, /boot/image-fit.c: 268 in fit_image_print_dm_verity() 262 } 263 264 bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP, 265 &len); 266 if (bin && len > 0) { 267 printf("%s Verity salt: ", p); >>> CID 648937: (TAINTED_SCALAR) >>> Using tainted variable "len" as a loop boundary. 268 for (i = 0; i < len; i++) 269 printf("%02x", bin[i]); 270 printf("\n"); 271 } 272 #endif 273 } /boot/image-fit.c: 268 in fit_image_print_dm_verity() 262 } 263 264 bin = fdt_getprop(fit, noffset, FIT_VERITY_SALT_PROP, 265 &len); 266 if (bin && len > 0) { 267 printf("%s Verity salt: ", p); >>> CID 648937: (TAINTED_SCALAR) >>> Using tainted variable "len" as a loop boundary. 268 for (i = 0; i < len; i++) 269 printf("%02x", bin[i]); 270 printf("\n"); 271 } 272 #endif 273 } ** CID 648936: (STRING_NULL) /fs/squashfs/sqfs.c: 1417 in sqfs_read_nest() _____________________________________________________________________________________________ *** CID 648936: (STRING_NULL) /fs/squashfs/sqfs.c: 1408 in sqfs_read_nest() 1402 1403 /* 1404 * sqfs_opendir_nest will uncompress inode and directory tables, and will 1405 * return a pointer to the directory that contains the requested file. 1406 */ 1407 sqfs_split_path(&file, &dir, filename); >>> CID 648936: (STRING_NULL) >>> Passing unterminated string "dir" to "sqfs_opendir_nest", which expects >>> a null-terminated string. 1408 ret = sqfs_opendir_nest(dir, &dirsp); 1409 if (ret) { 1410 goto out; 1411 } 1412 1413 dirs = (struct squashfs_dir_stream *)dirsp; /fs/squashfs/sqfs.c: 1417 in sqfs_read_nest() 1411 } 1412 1413 dirs = (struct squashfs_dir_stream *)dirsp; 1414 1415 /* For now, only regular files are able to be loaded */ 1416 while (!sqfs_readdir_nest(dirsp, &dent)) { >>> CID 648936: (STRING_NULL) >>> Passing unterminated string "file" to "strcmp", which expects a >>> null-terminated string. [Note: The source code implementation of the >>> function has been overridden by a builtin model.] 1417 ret = strcmp(dent->name, file); 1418 if (!ret) 1419 break; 1420 1421 free(dirs->entry); 1422 dirs->entry = NULL; ** CID 648935: Integer handling issues (INTEGER_OVERFLOW) /test/boot/fit_verity.c: 257 in fit_verity_test_bad_blocksize() _____________________________________________________________________________________________ *** CID 648935: Integer handling issues (INTEGER_OVERFLOW) /test/boot/fit_verity.c: 257 in fit_verity_test_bad_blocksize() 251 struct bootm_headers images; 252 int images_node, conf_node, confs_node, img_node, verity_node; 253 fdt32_t val; 254 int ret; 255 256 ret = fdt_create_empty_tree(buf, FIT_BUF_SIZE); >>> CID 648935: Integer handling issues (INTEGER_OVERFLOW) >>> Expression "_val2", where "ret" is known to be equal to -18, overflows >>> the type of "_val2", which is type "unsigned int". 257 ut_assertok(ret); 258 259 images_node = fdt_add_subnode(buf, 0, "images"); 260 ut_assert(images_node >= 0); 261 262 img_node = fdt_add_subnode(buf, images_node, "rootfs"); ** CID 648934: Memory - illegal accesses (STRING_NULL) /common/iomux.c: 58 in iomux_doenv() _____________________________________________________________________________________________ *** CID 648934: Memory - illegal accesses (STRING_NULL) /common/iomux.c: 58 in iomux_doenv() 52 i = 0; 53 temp = console_args; 54 for (;;) { 55 /* There's always one entry more than the number of commas. */ 56 i++; 57 >>> CID 648934: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "temp" to "strchr", which expects a >>> null-terminated string. [Note: The source code implementation of the >>> function has been overridden by a builtin model.] 58 temp = strchr(temp, ','); 59 if (temp == NULL) 60 break; 61 62 temp++; 63 } ** CID 648933: Memory - illegal accesses (STRING_NULL) /fs/squashfs/sqfs.c: 316 in sqfs_tokenize() _____________________________________________________________________________________________ *** CID 648933: Memory - illegal accesses (STRING_NULL) /fs/squashfs/sqfs.c: 316 in sqfs_tokenize() 310 char *aux, *strc; 311 312 strc = strdup(str); 313 if (!strc) 314 return -ENOMEM; 315 >>> CID 648933: Memory - illegal accesses (STRING_NULL) >>> Passing unterminated string "strc" to "strcmp", which expects a >>> null-terminated string. [Note: The source code implementation of the >>> function has been overridden by a builtin model.] 316 if (!strcmp(strc, "/")) { 317 tokens[0] = strdup(strc); 318 if (!tokens[0]) { 319 ret = -ENOMEM; 320 goto free_strc; 321 } ** CID 648960: (TAINTED_SCALAR) /test/boot/image_fdt.c: 53 in test_boot_fdt_add_mem_rsv_regions() _____________________________________________________________________________________________ *** CID 648960: (TAINTED_SCALAR) /test/boot/image_fdt.c: 80 in test_boot_fdt_add_mem_rsv_regions() 74 75 /* Cleanup */ 76 switch_fdt: 77 boot_fdt_add_mem_rsv_regions(old_blob); 78 gd->fdt_blob = old_blob; 79 free_blob: >>> CID 648960: (TAINTED_SCALAR) >>> Passing tainted expression "*new_blob" to "dlfree", which uses it as an >>> offset. 80 free(new_blob); 81 return ret; 82 } /test/boot/image_fdt.c: 53 in test_boot_fdt_add_mem_rsv_regions() 47 ut_assert_console_end(); 48 49 /* Loading a new_blob device tree should be allowed */ 50 fdt_sz = fdt_totalsize(gd->fdt_blob); 51 new_blob = malloc(fdt_sz); 52 ut_assertnonnull(new_blob); >>> CID 648960: (TAINTED_SCALAR) >>> Passing tainted expression "fdt_sz" to "memcpy", which uses it as an >>> offset. [Note: The source code implementation of the function has been >>> overridden by a builtin model.] 53 memcpy(new_blob, gd->fdt_blob, fdt_sz); 54 55 nodeoffset = fdt_path_offset(new_blob, "/reserved-memory"); 56 if (nodeoffset < 0) 57 goto free_blob; 58 View Defects in Coverity Scan <https://scan.coverity.com/projects/das-u-boot?tab=overview> Best regards, The Coverity Scan Admin Team ----- End forwarded message ----- -- Tom
signature.asc
Description: PGP signature

