Hi,

Please find below the latest report on new defect(s) that Coverity Scan found in
coreboot.

35 new defect(s) were found in coreboot by Coverity Scan.
45 defect(s) reported earlier by Coverity Scan were marked as fixed in the most
recent build it analyzed.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 35 defect(s)


** CID 1513104:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/arch/riscv/trap_handler.c: 114 in trap_handler()


________________________________________________________________________________________________________
*** CID 1513104:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/arch/riscv/trap_handler.c: 114 in trap_handler()
108                     break;
109             }
110     }
111     void trap_handler(trapframe *tf)
112     {
113             write_csr(mscratch, tf);
>>>     CID 1513104:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "tf->cause & 0x8000000000000000ULL" is always 0 regardless of the 
>>> values of its operands. This occurs as the logical operand of "if".
114             if (tf->cause & 0x8000000000000000ULL) {
115                     interrupt_handler(tf);
116                     return;
117             }
118     
119             switch (tf->cause) {

** CID 1513103:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1513103:  Insecure data handling  (TAINTED_SCALAR)
/src/security/tpm/tspi/crtm.c: 223 in recover_tpm_log()
217     
218             if (ram_log == NULL) {
219                     printk(BIOS_WARNING, "TPM LOG: CBMEM not available, 
something went wrong\n");
220                     return;
221             }
222     
>>>     CID 1513103:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "ram_log->vendor" to "tpm_log_copy_entries", 
>>> which uses it as an offset.
223             tpm_log_copy_entries(_tpm_log, ram_log);
224     }
225     CBMEM_CREATION_HOOK(recover_tpm_log);
226     #endif
227     

** CID 1513102:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513102:  Memory - corruptions  (OVERRUN)
/src/mainboard/ti/beaglebone/sd_media.c: 109 in boot_device_init()
103             if (init_done)
104                     return;
105     
106             sd_host.sd_clock_hz = 96000000;
107             sd_host.reg = (void *)MMCHS0_BASE;
108             am335x_mmc_init_storage(&sd_host);
>>>     CID 1513102:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type storage_media of 152 bytes by passing it to a 
>>> function which accesses it at byte offset 159.
109             storage_setup_media(&media, &sd_host.sd_mmc_ctrlr);
110             storage_display_setup(&media);
111     
112             init_done = true;
113     }
114     
115     const struct region_device *boot_device_ro(void)
116     {
117             return &sd_mdev.rdev;

** CID 1513101:  Memory - corruptions  (OVERRUN)
/util/cbfstool/flashmap/fmap.c: 571 in fmap_find_test()


________________________________________________________________________________________________________
*** CID 1513101:  Memory - corruptions  (OVERRUN)
/util/cbfstool/flashmap/fmap.c: 571 in fmap_find_test()
565                     printf("FAILURE: bsearch returned false positive\n");
566                     goto fmap_find_test_exit;
567             }
568     
569             /* simple test case: fmap at (total_size / 2) + 1 */
570             offset = (total_size / 2) + 1;
>>>     CID 1513101:  Memory - corruptions  (OVERRUN)
>>>     Calling "memcpy" with "fmap" and "fmap_size(fmap)" is suspicious 
>>> because of the very large index, 18446744073709551615. The index may be due 
>>> to a negative parameter being interpreted as unsigned. [Note: The source 
>>> code implementation of the function has been overridden by a builtin model.]
571             memcpy(&buf[offset], fmap, fmap_size(fmap));
572     
573             if ((unsigned)fmap_find(buf, total_size - 1) != offset) {
574                     printf("FAILURE: lsearch failed to find fmap\n");
575                     goto fmap_find_test_exit;
576             }

** CID 1513100:  Insecure data handling  (TAINTED_SCALAR)
/src/soc/intel/xeon_sp/spr/soc_acpi.c: 561 in acpi_fill_cedt()


________________________________________________________________________________________________________
*** CID 1513100:  Insecure data handling  (TAINTED_SCALAR)
/src/soc/intel/xeon_sp/spr/soc_acpi.c: 561 in acpi_fill_cedt()
555             u32 cxl_ver;
556             u64 base;
557     
558             cxl_uid.byte0 = 'C';
559             cxl_uid.byte1 = 'X';
560             /* Loop through all sockets and stacks, add CHBS for each CXL 
IIO stack */
>>>     CID 1513100:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "hob->PlatformData.numofIIO" as a loop boundary.
561             for (uint8_t s = 0; s < hob->PlatformData.numofIIO; ++s) {
562                     for (int x = 0; x < MAX_LOGIC_IIO_STACK; ++x) {
563                             const STACK_RES *ri = 
&hob->PlatformData.IIO_resource[s].StackRes[x];
564                             if (!is_iio_cxl_stack_res(ri))
565                                     continue;
566                             /* uid needs to match with ACPI CXL device ID, 
eg. acpi/iiostack.asl */

** CID 1513099:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513099:  Memory - corruptions  (OVERRUN)
/payloads/libpayload/arch/x86/sysinfo.c: 82 in lib_get_sysinfo()
76              lib_sysinfo.memrange[1].base = 1024 * 1024;
77              lib_sysinfo.memrange[1].size = 31 * 1024 * 1024;
78              lib_sysinfo.memrange[1].type = CB_MEM_RAM;
79      }
80     
81     #if CONFIG(LP_PCI)
>>>     CID 1513099:  Memory - corruptions  (OVERRUN)
>>>     Overrunning struct type pci_access of 8 bytes by passing it to a 
>>> function which accesses it at byte offset 15.
82      pci_init(&lib_sysinfo.pacc);
83      pci_scan_bus(&lib_sysinfo.pacc);
84     #endif
85     
86      return ret;

** CID 1513098:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513098:  Memory - corruptions  (OVERRUN)
/src/soc/mediatek/common/mmu_operations.c: 19 in mtk_mmu_init()
13     
14      /*
15       * Set 0x0 to 8GB address as device memory. We want to config IO_PHYS
16       * address to DEV_MEM, and map a proper range of dram for the memory
17       * test during calibration.
18       */
>>>     CID 1513098:  Memory - corruptions  (OVERRUN)
>>>     Calling "mmu_config_range" with "NULL" and "8589934592UL" is suspicious 
>>> because of the very large index, 8589934592. The index may be due to a 
>>> negative parameter being interpreted as unsigned.
19      mmu_config_range((void *)0, (uintptr_t)8U * GiB, DEV_MEM);
20     
21      /* SRAM is cached */
22      mmu_config_range(_sram, REGION_SIZE(sram), SECURE_CACHED_MEM);
23     
24      /* L2C SRAM is cached */

** CID 1513097:    (TAINTED_SCALAR)
/src/security/tpm/tspi/log-tpm2.c: 105 in tpm2_log_dump()
/src/security/tpm/tspi/log-tpm2.c: 105 in tpm2_log_dump()


________________________________________________________________________________________________________
*** CID 1513097:    (TAINTED_SCALAR)
/src/security/tpm/tspi/log-tpm2.c: 105 in tpm2_log_dump()
99              return;
100     
101             hash_size = vb2_digest_size(TPM_MEASURE_ALGO);
102             alg_name = vb2_get_hash_algorithm_name(TPM_MEASURE_ALGO);
103     
104             printk(BIOS_INFO, "coreboot TPM 2.0 measurements:\n\n");
>>>     CID 1513097:    (TAINTED_SCALAR)
>>>     Using tainted variable "le16toh(tclt->vendor.num_entries)" as a loop 
>>> boundary.
105             for (i = 0; i < le16toh(tclt->vendor.num_entries); i++) {
106                     struct tpm_2_log_entry *tce = &tclt->entries[i];
107     
108                     printk(BIOS_INFO, " PCR-%u ", le32toh(tce->pcr));
109     
110                     for (j = 0; j < hash_size; j++)
/src/security/tpm/tspi/log-tpm2.c: 105 in tpm2_log_dump()
99              return;
100     
101             hash_size = vb2_digest_size(TPM_MEASURE_ALGO);
102             alg_name = vb2_get_hash_algorithm_name(TPM_MEASURE_ALGO);
103     
104             printk(BIOS_INFO, "coreboot TPM 2.0 measurements:\n\n");
>>>     CID 1513097:    (TAINTED_SCALAR)
>>>     Using tainted variable "le16toh(tclt->vendor.num_entries)" as a loop 
>>> boundary.
105             for (i = 0; i < le16toh(tclt->vendor.num_entries); i++) {
106                     struct tpm_2_log_entry *tce = &tclt->entries[i];
107     
108                     printk(BIOS_INFO, " PCR-%u ", le32toh(tce->pcr));
109     
110                     for (j = 0; j < hash_size; j++)

** CID 1513096:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513096:  Memory - corruptions  (OVERRUN)
/3rdparty/chromeec/common/usb_common.c: 576 in pd_send_hard_reset()
570             if (IS_ENABLED(CONFIG_USBC_PPC_SBU))
571                     ppc_set_sbu(port, 0);
572     }
573     
574     static void pd_send_hard_reset(int port)
575     {
>>>     CID 1513096:  Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 15 by passing argument "255" in call 
>>> to "task_set_event".
576             task_set_event(PD_PORT_TO_TASK_ID(port), 
PD_EVENT_SEND_HARD_RESET);
577     }
578     
579     #ifdef CONFIG_USBC_OCP
580     
581     static atomic_t port_oc_reset_req;

** CID 1513095:  High impact quality  (WRITE_CONST_FIELD)
/3rdparty/vboot/firmware/2lib/2context.c: 39 in vb2api_init()


________________________________________________________________________________________________________
*** CID 1513095:  High impact quality  (WRITE_CONST_FIELD)
/3rdparty/vboot/firmware/2lib/2context.c: 39 in vb2api_init()
33              return VB2_ERROR_WORKBUF_ALIGN;
34     
35      if (size < vb2_wb_round_up(sizeof(*sd)))
36              return VB2_ERROR_WORKBUF_SMALL;
37     
38      /* Zero out vb2_shared_data (which includes vb2_context). */
>>>     CID 1513095:  High impact quality  (WRITE_CONST_FIELD)
>>>     A write to an aggregate overwrites a const-qualified field within the 
>>> aggregate.
39      memset(sd, 0, sizeof(*sd));
40     
41      /* Initialize shared data. */
42      sd->magic = VB2_SHARED_DATA_MAGIC;
43      sd->struct_version_major = VB2_SHARED_DATA_VERSION_MAJOR;
44      sd->struct_version_minor = VB2_SHARED_DATA_VERSION_MINOR;

** CID 1513094:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513094:  Memory - corruptions  (OVERRUN)
/src/soc/cavium/cn81xx/mmu.c: 28 in soc_mmu_init()
22      /* IO space has the MSB set and is divided into 4 sub-regions:
23       * * NCB
24       * * SLI
25       * * RSL
26       * * AP
27       */
>>>     CID 1513094:  Memory - corruptions  (OVERRUN)
>>>     Calling "mmu_config_range" with "(void *)0x800000000000" and 
>>> "17592186044416UL" is suspicious because of the very large index, 
>>> 17592186044416. The index may be due to a negative parameter being 
>>> interpreted as unsigned.
28      mmu_config_range((void *)IO_SPACE_START, IO_SPACE_SIZE, devmem);
29     
30      mmu_enable();

** CID 1513093:    (OVERRUN)
/src/soc/intel/common/block/acpi/cpu_hybrid.c: 57 in 
acpi_set_hybrid_cpu_apicid_order()
/src/soc/intel/common/block/acpi/cpu_hybrid.c: 58 in 
acpi_set_hybrid_cpu_apicid_order()
/src/soc/intel/common/block/acpi/cpu_hybrid.c: 61 in 
acpi_set_hybrid_cpu_apicid_order()


________________________________________________________________________________________________________
*** CID 1513093:    (OVERRUN)
/src/soc/intel/common/block/acpi/cpu_hybrid.c: 57 in 
acpi_set_hybrid_cpu_apicid_order()
51      size_t perf_core_cnt = 0, eff_core_cnt = 0;
52      int32_t eff_apic_ids[CONFIG_MAX_CPUS] = {0};
53      extern struct cpu_info cpu_infos[];
54      uint32_t i, j = 0;
55     
56      for (i = 0; i < ARRAY_SIZE(cpu_apic_info.apic_ids); i++) {
>>>     CID 1513093:    (OVERRUN)
>>>     Overrunning array "cpu_infos" of 16 8-byte elements at element index 21 
>>> (byte offset 175) using index "i" (which evaluates to 21).
57              if (cpu_infos[i].cpu->path.apic.core_type == CPU_TYPE_PERF)
58                      cpu_apic_info.apic_ids[perf_core_cnt++] =
59                              cpu_infos[i].cpu->path.apic.apic_id;
60              else
61                      eff_apic_ids[eff_core_cnt++] =
62                              cpu_infos[i].cpu->path.apic.apic_id;
/src/soc/intel/common/block/acpi/cpu_hybrid.c: 58 in 
acpi_set_hybrid_cpu_apicid_order()
52      int32_t eff_apic_ids[CONFIG_MAX_CPUS] = {0};
53      extern struct cpu_info cpu_infos[];
54      uint32_t i, j = 0;
55     
56      for (i = 0; i < ARRAY_SIZE(cpu_apic_info.apic_ids); i++) {
57              if (cpu_infos[i].cpu->path.apic.core_type == CPU_TYPE_PERF)
>>>     CID 1513093:    (OVERRUN)
>>>     Overrunning array "cpu_infos" of 16 8-byte elements at element index 21 
>>> (byte offset 175) using index "i" (which evaluates to 21).
58                      cpu_apic_info.apic_ids[perf_core_cnt++] =
59                              cpu_infos[i].cpu->path.apic.apic_id;
60              else
61                      eff_apic_ids[eff_core_cnt++] =
62                              cpu_infos[i].cpu->path.apic.apic_id;
63      }
/src/soc/intel/common/block/acpi/cpu_hybrid.c: 61 in 
acpi_set_hybrid_cpu_apicid_order()
55     
56      for (i = 0; i < ARRAY_SIZE(cpu_apic_info.apic_ids); i++) {
57              if (cpu_infos[i].cpu->path.apic.core_type == CPU_TYPE_PERF)
58                      cpu_apic_info.apic_ids[perf_core_cnt++] =
59                              cpu_infos[i].cpu->path.apic.apic_id;
60              else
>>>     CID 1513093:    (OVERRUN)
>>>     Overrunning array "cpu_infos" of 16 8-byte elements at element index 21 
>>> (byte offset 175) using index "i" (which evaluates to 21).
61                      eff_apic_ids[eff_core_cnt++] =
62                              cpu_infos[i].cpu->path.apic.apic_id;
63      }
64     
65      if (perf_core_cnt > 1)
66              bubblesort(cpu_apic_info.apic_ids, perf_core_cnt, 
NUM_ASCENDING);

** CID 1513092:  Memory - corruptions  (OVERRUN)
/payloads/libpayload/libc/printf.c: 799 in vsprintf()


________________________________________________________________________________________________________
*** CID 1513092:  Memory - corruptions  (OVERRUN)
/payloads/libpayload/libc/printf.c: 799 in vsprintf()
793             /* vsnprintf_write() ensures that str will be terminated by 
zero. */
794             return printf_core(fmt, &ps, ap);
795     }
796     
797     int vsprintf(char *str, const char *fmt, va_list ap)
798     {
>>>     CID 1513092:  Memory - corruptions  (OVERRUN)
>>>     Calling "vsnprintf" with "str" and "18446744073709551615UL" is 
>>> suspicious because of the very large index, 18446744073709551615. The index 
>>> may be due to a negative parameter being interpreted as unsigned. [Note: 
>>> The source code implementation of the function has been overridden by a 
>>> builtin model.]
799             return vsnprintf(str, (size_t) - 1, fmt, ap);
800     }
801     
802     int printf(const char *fmt, ...)
803     {
804             int ret;

** CID 1513091:    (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513091:    (OVERRUN)
/src/soc/intel/apollolake/elog.c: 107 in elog_gsmi_cb_platform_log_wake_source()
101     }
102     
103     void elog_gsmi_cb_platform_log_wake_source(void)
104     {
105             struct chipset_power_state ps;
106     
>>>     CID 1513091:    (OVERRUN)
>>>     Overrunning struct type chipset_power_state of 64 bytes by passing it 
>>> to a function which accesses it at byte offset 67.
107             pmc_fill_pm_reg_info(&ps);
108             pch_log_wake_source(&ps);
/src/soc/intel/jasperlake/elog.c: 188 in elog_gsmi_cb_platform_log_wake_source()
182     
183     BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, pch_log_state, NULL);
184     
185     void elog_gsmi_cb_platform_log_wake_source(void)
186     {
187             struct chipset_power_state ps;
>>>     CID 1513091:    (OVERRUN)
>>>     Overrunning struct type chipset_power_state of 64 bytes by passing it 
>>> to a function which accesses it at byte offset 67.
188             pmc_fill_pm_reg_info(&ps);
189             pch_log_wake_source(&ps);
/src/soc/intel/skylake/elog.c: 251 in elog_gsmi_cb_platform_log_wake_source()
245     
246     BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_EXIT, pch_log_state, NULL);
247     
248     void elog_gsmi_cb_platform_log_wake_source(void)
249     {
250             struct chipset_power_state ps;
>>>     CID 1513091:    (OVERRUN)
>>>     Overrunning struct type chipset_power_state of 64 bytes by passing it 
>>> to a function which accesses it at byte offset 67.
251             pmc_fill_pm_reg_info(&ps);
252             pch_log_wake_source(&ps);

** CID 1513090:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1513090:    (TAINTED_SCALAR)
/3rdparty/vboot/cgpt/cgpt_repair.c: 27 in CgptRepair()
21     
22       int gpt_retval = GptValidityCheck(&drive.gpt);
23       if (params->verbose)
24         printf("GptValidityCheck() returned %d: %s\n",
25                gpt_retval, GptError(gpt_retval));
26     
>>>     CID 1513090:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*drive.gpt.primary_header" to "GptRepair", 
>>> which uses it as a loop boundary.
27       GptRepair(&drive.gpt);
28       if (drive.gpt.modified & GPT_MODIFIED_HEADER1)
29         printf("Primary Header is updated.\n");
30       if (drive.gpt.modified & GPT_MODIFIED_ENTRIES1)
31         printf("Primary Entries is updated.\n");
32       if (drive.gpt.modified & GPT_MODIFIED_ENTRIES2)
/3rdparty/vboot/cgpt/cgpt_repair.c: 27 in CgptRepair()
21     
22       int gpt_retval = GptValidityCheck(&drive.gpt);
23       if (params->verbose)
24         printf("GptValidityCheck() returned %d: %s\n",
25                gpt_retval, GptError(gpt_retval));
26     
>>>     CID 1513090:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*drive.gpt.primary_header" to "GptRepair", 
>>> which uses it as an offset.
27       GptRepair(&drive.gpt);
28       if (drive.gpt.modified & GPT_MODIFIED_HEADER1)
29         printf("Primary Header is updated.\n");
30       if (drive.gpt.modified & GPT_MODIFIED_ENTRIES1)
31         printf("Primary Entries is updated.\n");
32       if (drive.gpt.modified & GPT_MODIFIED_ENTRIES2)
/3rdparty/vboot/cgpt/cgpt_repair.c: 27 in CgptRepair()
21     
22       int gpt_retval = GptValidityCheck(&drive.gpt);
23       if (params->verbose)
24         printf("GptValidityCheck() returned %d: %s\n",
25                gpt_retval, GptError(gpt_retval));
26     
>>>     CID 1513090:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*drive.gpt.secondary_header" to 
>>> "GptRepair", which uses it as a loop boundary.
27       GptRepair(&drive.gpt);
28       if (drive.gpt.modified & GPT_MODIFIED_HEADER1)
29         printf("Primary Header is updated.\n");
30       if (drive.gpt.modified & GPT_MODIFIED_ENTRIES1)
31         printf("Primary Entries is updated.\n");
32       if (drive.gpt.modified & GPT_MODIFIED_ENTRIES2)

** CID 1513089:  Integer handling issues  (SIGN_EXTENSION)
/src/northbridge/intel/ironlake/raminit.c: 1742 in write_testing_type2()


________________________________________________________________________________________________________
*** CID 1513089:  Integer handling issues  (SIGN_EXTENSION)
/src/northbridge/intel/ironlake/raminit.c: 1742 in write_testing_type2()
1736     static void
1737     write_testing_type2(struct raminfo *info, u8 totalrank, u8 region, u8 
block,
1738                        char flip)
1739     {
1740            int i;
1741            for (i = 0; i < 2048; i++)
>>>     CID 1513089:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "totalrank" with type "u8" (8 bits, 
>>> unsigned) is promoted in "(totalrank << 28) | (region << 25) | (block << 
>>> 16) | (i << 2)" to type "int" (32 bits, signed), then sign-extended to type 
>>> "unsigned long" (64 bits, unsigned).  If "(totalrank << 28) | (region << 
>>> 25) | (block << 16) | (i << 2)" is greater than 0x7FFFFFFF, the upper bits 
>>> of the result will all be 1.
1742                    write32p((totalrank << 28) | (region << 25) | (block << 
16) |
1743                             (i << 2), get_etalon(flip, (block << 16) | (i 
<< 2)));
1744     }
1745     
1746     static u8
1747     check_testing_type2(struct raminfo *info, u8 totalrank, u8 region, u8 
block,

** CID 1513088:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1513088:    (TAINTED_SCALAR)
/3rdparty/vboot/firmware/lib/cgptlib/cgptlib.c: 28 in GptInit()
22      retval = GptValidityCheck(gpt);
23      if (GPT_SUCCESS != retval) {
24              VB2_DEBUG("GptInit() failed validity check\n");
25              return retval;
26      }
27     
>>>     CID 1513088:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt->secondary_header" to "GptRepair", 
>>> which uses it as a loop boundary.
28      GptRepair(gpt);
29      return GPT_SUCCESS;
30     }
31     
32     int GptNextKernelEntry(GptData *gpt, uint64_t *start_sector, uint64_t 
*size)
33     {
/3rdparty/vboot/firmware/lib/cgptlib/cgptlib.c: 28 in GptInit()
22      retval = GptValidityCheck(gpt);
23      if (GPT_SUCCESS != retval) {
24              VB2_DEBUG("GptInit() failed validity check\n");
25              return retval;
26      }
27     
>>>     CID 1513088:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt->primary_header" to "GptRepair", which 
>>> uses it as a loop boundary.
28      GptRepair(gpt);
29      return GPT_SUCCESS;
30     }
31     
32     int GptNextKernelEntry(GptData *gpt, uint64_t *start_sector, uint64_t 
*size)
33     {
/3rdparty/vboot/firmware/lib/cgptlib/cgptlib.c: 28 in GptInit()
22      retval = GptValidityCheck(gpt);
23      if (GPT_SUCCESS != retval) {
24              VB2_DEBUG("GptInit() failed validity check\n");
25              return retval;
26      }
27     
>>>     CID 1513088:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt->primary_header" to "GptRepair", which 
>>> uses it as an offset.
28      GptRepair(gpt);
29      return GPT_SUCCESS;
30     }
31     
32     int GptNextKernelEntry(GptData *gpt, uint64_t *start_sector, uint64_t 
*size)
33     {

** CID 1513087:  Integer handling issues  (NO_EFFECT)
/3rdparty/arm-trusted-firmware/lib/xlat_tables_v2/aarch64/xlat_tables_arch.c: 
30 in xlat_arch_is_granule_size_supported()


________________________________________________________________________________________________________
*** CID 1513087:  Integer handling issues  (NO_EFFECT)
/3rdparty/arm-trusted-firmware/lib/xlat_tables_v2/aarch64/xlat_tables_arch.c: 
30 in xlat_arch_is_granule_size_supported()
24     {
25      unsigned int tgranx;
26     
27      if (size == PAGE_SIZE_4KB) {
28              tgranx = read_id_aa64mmfr0_el0_tgran4_field();
29              /* MSB of TGRAN4 field will be '1' for unsupported feature */
>>>     CID 1513087:  Integer handling issues  (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is 
>>> always true. "tgranx >= 0ULL".
30              return ((tgranx >= ID_AA64MMFR0_EL1_TGRAN4_SUPPORTED) &&
31                      (tgranx < 8U));
32      } else if (size == PAGE_SIZE_16KB) {
33              tgranx = read_id_aa64mmfr0_el0_tgran16_field();
34              return (tgranx >= ID_AA64MMFR0_EL1_TGRAN16_SUPPORTED);
35      } else if (size == PAGE_SIZE_64KB) {

** CID 1513086:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513086:  Memory - corruptions  (OVERRUN)
/payloads/libpayload/arch/arm64/mmu.c: 285 in mmu_init()
279              * To keep things simple we start with mapping the entire base 
4GB as
280              * device memory. This accommodates various architectures' 
default
281              * settings (for instance rk3399 mmio starts at 0xf8000000); it 
is
282              * fine tuned (e.g. mapping DRAM areas as write-back) later in 
the
283              * boot process.
284              */
>>>     CID 1513086:  Memory - corruptions  (OVERRUN)
>>>     Calling "mmu_config_range" with "NULL" and "4294967296UL" is suspicious 
>>> because of the very large index, 4294967296. The index may be due to a 
>>> negative parameter being interpreted as unsigned.
285             mmu_config_range(NULL, 0x100000000, TYPE_DEV_MEM);
286     
287             for (; i < mmu_ranges->used; i++)
288                     mmu_config_range((void *)mmu_ranges->entries[i].base,
289                                      mmu_ranges->entries[i].size,
290                                      mmu_ranges->entries[i].type);

** CID 1513085:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1513085:  Memory - corruptions  (OVERRUN)
/src/soc/qualcomm/sc7280/mmu.c: 14 in sc7280_mmu_init()
8     #include <soc/symbols_common.h>
9     
10     void sc7280_mmu_init(void)
11     {
12      mmu_init();
13     
>>>     CID 1513085:  Memory - corruptions  (OVERRUN)
>>>     Calling "mmu_config_range" with "(void *)0x1000" and "4294963200UL" is 
>>> suspicious because of the very large index, 4294963200. The index may be 
>>> due to a negative parameter being interpreted as unsigned.
14      mmu_config_range((void *)(4 * KiB), ((4UL * GiB) - (4 * KiB)), DEV_MEM);
15      mmu_config_range((void *)_ssram, REGION_SIZE(ssram), CACHED_RAM);
16      mmu_config_range((void *)_bsram, REGION_SIZE(bsram), CACHED_RAM);
17      mmu_config_range((void *)_dma_coherent, REGION_SIZE(dma_coherent),
18                       UNCACHED_RAM);
19     
20      mmu_enable();


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit:
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yq2SfQfrHt3Prsn4qSLrYIrajINpiFX8l0vrlNSf8iCrS27qY0Cr0DkycwNUgGZJj8-3DaX_o_L-2FDzr14mnrsJO5b1wX1hp9b1MAQygl7x-2B74RAaH2cn091zNOyzROFPO-2F8xrir2EnCt0Yp438ZqJop6r8ymtlIQtAiy5RYNVg2zhrK5Ajtw3rc0s0v2uaif1IBBL0m3hv1RcshkVHBbSYE7SWqzoAOKyjN49VMHOnPPAgZtw-2FOIKtXqL94LZguNB1uAoiFQDiGZL1x1y9rTteXhRKZaYl6A-3D-3D
