Hi,
Please find the latest report on new defect(s) introduced to coreboot found
with Coverity Scan.
6 new defect(s) introduced to coreboot found with Coverity Scan.
4 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent
build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)
** CID 1639881: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 1639881: Insecure data handling (TAINTED_SCALAR)
/util/cbmem/sysfs_drv.c: 177 in cbmem_sysfs_get_cbmem_entry()
171
172 if (!cbmem_sysfs_probe_cbmem_entry(id, &addr, &size)) {
173 debug("CBMEM entry id: %#" PRIx32 " not found.\n", id);
174 return false;
175 }
176
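>>> CID 1639881: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "fetch_cbmem_entry", which uses it
>>> as an allocation size.
[Note: "size" is filled in by cbmem_sysfs_probe_cbmem_entry() at line 172 and reaches fetch_cbmem_entry() with no range check in the lines shown; validating it against an expected upper bound before the call would address this finding.]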
177 fetch_cbmem_entry(id, size, buf_out);
178 if (size_out)
179 *size_out = size;
180 if (addr_out)
181 *addr_out = addr;
182 return true;
** CID 1639880: Resource leaks (RESOURCE_LEAK)
/util/cbmem/sysfs_drv.c: 91 in cbmem_sysfs_init()
_____________________________________________________________________________________________
*** CID 1639880: Resource leaks (RESOURCE_LEAK)
/util/cbmem/sysfs_drv.c: 91 in cbmem_sysfs_init()
85 return false;
86 }
87
88 uint8_t test_byte = 0;
89 if (fread(&test_byte, 1, 1, f) != 1) {
90 debug("Unable to read data from %s. Error: %s\n", path,
strerror(errno));
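>>> CID 1639880: Resource leaks (RESOURCE_LEAK)
>>> Variable "f" going out of scope leaks the storage it points to.
[Note: the early "return false" at line 91 is taken before the fclose(f) at line 94, so the stream stays open on the fread() failure path.]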
91 return false;
92 }
93
94 fclose(f);
95 }
96 return true;
** CID 1639879: Memory - illegal accesses (UNINIT)
/util/cbmem/sysfs_drv.c: 255 in cbmem_sysfs_foreach_cbmem_entry()
_____________________________________________________________________________________________
*** CID 1639879: Memory - illegal accesses (UNINIT)
/util/cbmem/sysfs_drv.c: 255 in cbmem_sysfs_foreach_cbmem_entry()
249
250 if (with_contents)
251 fetch_cbmem_entry(id, size, &buf);
252
253 debug("Invoking callback on %s%s\n",
CBMEM_SYSFS_BASE_DIR, entry->d_name);
254
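>>> CID 1639879: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "buf" when calling "cb".
[Note: in the lines shown, "buf" is assigned only by the fetch_cbmem_entry() call at line 251, which runs only when "with_contents" is true; otherwise it is passed to "cb" as-is. Its declaration is outside this excerpt, so it presumably lacks an initializer such as NULL.]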
255 const bool res = cb(id, addr, buf, size, data);
256
257 if (with_contents)
258 free(buf);
259
260 /* Finish iteration if callback requested it. */
** CID 1639878: Control flow issues (DEADCODE)
/src/lib/vga_gfx.c: 95 in draw_char()
_____________________________________________________________________________________________
*** CID 1639878: Control flow issues (DEADCODE)
/src/lib/vga_gfx.c: 95 in draw_char()
89 */
90 static void draw_char(int x, int y, char character)
91 {
92 const unsigned char *char_bitmap;
93 char_bitmap = vga_font_8x16[(uint8_t)character];
94 if (!char_bitmap)
>>> CID 1639878: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return;".
95 return;
96
97 for (int row = 0; row < FONT_HEIGHT; row++) {
98 unsigned char row_data = char_bitmap[row];
99 for (int col = 0; col < FONT_WIDTH; col++) {
100 if ((row_data >> (FONT_WIDTH - 1 - col)) & 0x01)
** CID 1639877: Null pointer dereferences (REVERSE_INULL)
/util/cbmem/sysfs_drv.c: 154 in fetch_cbmem_entry()
_____________________________________________________________________________________________
*** CID 1639877: Null pointer dereferences (REVERSE_INULL)
/util/cbmem/sysfs_drv.c: 154 in fetch_cbmem_entry()
148 if (!mem_file)
149 die("Unable to open mem file for CBMEM entry id: %#"
PRIx32
150 " at %s. Error: %s\n",
151 id, path, strerror(errno));
152
153 *buf_out = malloc(size);
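>>> CID 1639877: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "buf_out" suggests that it may be null, but it has
>>> already been dereferenced on all paths leading to the check.
[Note: line 153 stores the malloc() result in "*buf_out", so the check at line 154 tests the caller's pointer rather than the allocation; it presumably should be "if (!*buf_out)". As written, a failed malloc() is not caught before the fread() at line 159 writes through "*buf_out".]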
154 if (!buf_out)
155 die("Unable to allocate memory for CBMEM entry id: %#"
PRIx32
156 " of size: %zuB.\n",
157 id, size);
158
159 if (fread(*buf_out, 1, size, mem_file) != size)
** CID 1639876: Insecure data handling (TAINTED_SCALAR)
_____________________________________________________________________________________________
*** CID 1639876: Insecure data handling (TAINTED_SCALAR)
/util/cbmem/sysfs_drv.c: 251 in cbmem_sysfs_foreach_cbmem_entry()
245 /* If entry was not found or previously matched
directory
246 does not contain necessary files, then omit the
entry. */
247 if (!cbmem_sysfs_probe_cbmem_entry(id, &addr, &size))
248 continue;
249
250 if (with_contents)
>>> CID 1639876: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "fetch_cbmem_entry", which uses it
>>> as an allocation size.
251 fetch_cbmem_entry(id, size, &buf);
252
253 debug("Invoking callback on %s%s\n",
CBMEM_SYSFS_BASE_DIR, entry->d_name);
254
255 const bool res = cb(id, addr, buf, size, data);
256
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit:
https://scan.coverity.com/projects/coreboot?tab=overview