Here's the list of new defects from v2022.01-rc1

----- Forwarded message from scan-ad...@coverity.com -----

Date: Mon, 01 Nov 2021 19:29:37 +0000 (UTC)
From: scan-ad...@coverity.com
To: tom.r...@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot found 
with Coverity Scan.

10 new defect(s) introduced to Das U-Boot found with Coverity Scan.
10 defect(s), reported by Coverity Scan earlier, were marked fixed in the 
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)


** CID 340850:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 81 in lib_test_abuf_realloc()


________________________________________________________________________________________________________
*** CID 340850:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 81 in lib_test_abuf_realloc()
75      /*
76       * TODO: crashes on sandbox sometimes due to an apparent bug in
77       * realloc().
78       */
79      return 0;
80     
>>>     CID 340850:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "start = ut_check_free();".
81      start = ut_check_free();
82     
83      abuf_init(&buf);
84     
85      /* Allocate an empty buffer */
86      ut_asserteq(true, abuf_realloc(&buf, 0));

** CID 340849:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()


________________________________________________________________________________________________________
*** CID 340849:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()
1985                                            &buffer_size, (void 
*)(uintptr_t)addr));
1986            if (ret != EFI_SUCCESS)
1987                    efi_free_pages(addr, pages);
1988     out:
1989            EFI_CALL(efi_close_protocol(device, guid, efi_root, NULL));
1990            if (ret == EFI_SUCCESS) {
>>>     CID 340849:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "addr".
1991                    *buffer = (void *)(uintptr_t)addr;
1992                    *size = buffer_size;
1993            }
1994     
1995            return ret;
1996     }

** CID 340848:  Control flow issues  (DEADCODE)
/lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()


________________________________________________________________________________________________________
*** CID 340848:  Control flow issues  (DEADCODE)
/lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()
249             } else if (engine_id) {
250                     if (keydir && name)
251                             snprintf(key_id, sizeof(key_id),
252                                      "%s%s",
253                                      keydir, name);
254                     else if (name)
>>>     CID 340848:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression """" inside this statement: 
>>> "snprintf(key_id, 1024UL, "%...".
255                             snprintf(key_id, sizeof(key_id),
256                                      "%s",
257                                      name ? name : "");
258                     else if (keyfile)
259                             snprintf(key_id, sizeof(key_id), "%s", keyfile);
260                     else

** CID 340847:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 340847:    (TAINTED_SCALAR)
/lib/zstd/zstd.c: 49 in zstd_decompress()
43      out_buf.pos = 0;
44      out_buf.size = abuf_size(out);
45     
46      while (1) {
47              size_t res;
48     
>>>     CID 340847:    (TAINTED_SCALAR)
>>>     Passing tainted variable "dstream->inBuff" to a tainted sink.
49              res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
50              if (ZSTD_isError(res)) {
51                      ret = ZSTD_getErrorCode(res);
52                      log_err("ZSTD_decompressStream error %d\n", ret);
53                      goto do_free;
54              }
/lib/zstd/zstd.c: 49 in zstd_decompress()
43      out_buf.pos = 0;
44      out_buf.size = abuf_size(out);
45     
46      while (1) {
47              size_t res;
48     
>>>     CID 340847:    (TAINTED_SCALAR)
>>>     Passing tainted variable "in_buf.src" to a tainted sink.
49              res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
50              if (ZSTD_isError(res)) {
51                      ret = ZSTD_getErrorCode(res);
52                      log_err("ZSTD_decompressStream error %d\n", ret);
53                      goto do_free;
54              }

** CID 340846:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 144 in lib_test_abuf_large()


________________________________________________________________________________________________________
*** CID 340846:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 144 in lib_test_abuf_large()
138             /*
139              * This crashes at present due to trying to allocate more 
memory than
140              * available, which breaks something on sandbox.
141              */
142             return 0;
143     
>>>     CID 340846:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "start = ut_check_free();".
144             start = ut_check_free();
145     
146             /* Try an impossible size */
147             abuf_init(&buf);
148             ut_asserteq(false, abuf_realloc(&buf, CONFIG_SYS_MALLOC_LEN));
149             ut_assertnull(buf.data);

** CID 340845:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()


________________________________________________________________________________________________________
*** CID 340845:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()
205              * TODO: crashes on sandbox sometimes due to an apparent bug in
206              * realloc().
207              */
208             return 0;
209     
210             /* Move an empty buffer */
>>>     CID 340845:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "abuf_init(&buf);".
211             abuf_init(&buf);
212             ut_assertnull(abuf_uninit_move(&buf, &size));
213             ut_asserteq(0, size);
214             ut_assertnull(abuf_uninit_move(&buf, NULL));
215     
216             /* Move an unallocated buffer */

** CID 340844:    (DEADCODE)
/drivers/usb/gadget/ether.c: 2078 in eth_bind()
/drivers/usb/gadget/ether.c: 2178 in eth_bind()
/drivers/usb/gadget/ether.c: 2174 in eth_bind()
/drivers/usb/gadget/ether.c: 2310 in eth_bind()
/drivers/usb/gadget/ether.c: 2246 in eth_bind()


________________________________________________________________________________________________________
*** CID 340844:    (DEADCODE)
/drivers/usb/gadget/ether.c: 2078 in eth_bind()
2072             * needed to install MSFT drivers.  Current Linux kernels will 
use
2073             * the second configuration if it's CDC Ethernet, and need some 
help
2074             * to choose the right configuration otherwise.
2075             */
2076            if (rndis) {
2077     #if defined(CONFIG_USB_GADGET_VENDOR_NUM) && 
defined(CONFIG_USB_GADGET_PRODUCT_NUM)
>>>     CID 340844:    (DEADCODE)
>>>     Execution cannot reach this statement: "device_desc.idVendor = 0;".
2078                    device_desc.idVendor =
2079                            
__constant_cpu_to_le16(CONFIG_USB_GADGET_VENDOR_NUM);
2080                    device_desc.idProduct =
2081                            
__constant_cpu_to_le16(CONFIG_USB_GADGET_PRODUCT_NUM);
2082     #else
2083                    device_desc.idVendor =
/drivers/usb/gadget/ether.c: 2178 in eth_bind()
2172            /* For now RNDIS is always a second config */
2173            if (rndis)
2174                    device_desc.bNumConfigurations = 2;
2175     
2176            if (gadget_is_dualspeed(gadget)) {
2177                    if (rndis)
>>>     CID 340844:    (DEADCODE)
>>>     Execution cannot reach this statement: "dev_qualifier.bNumConfigura...".
2178                            dev_qualifier.bNumConfigurations = 2;
2179                    else if (!cdc)
2180                            dev_qualifier.bDeviceClass = 
USB_CLASS_VENDOR_SPEC;
2181     
2182                    /* assumes ep0 uses the same value for both speeds ... 
*/
2183                    dev_qualifier.bMaxPacketSize0 = 
device_desc.bMaxPacketSize0;
/drivers/usb/gadget/ether.c: 2174 in eth_bind()
2168            }
2169     
2170            usb_gadget_set_selfpowered(gadget);
2171     
2172            /* For now RNDIS is always a second config */
2173            if (rndis)
>>>     CID 340844:    (DEADCODE)
>>>     Execution cannot reach this statement: "device_desc.bNumConfigurati...".
2174                    device_desc.bNumConfigurations = 2;
2175     
2176            if (gadget_is_dualspeed(gadget)) {
2177                    if (rndis)
2178                            dev_qualifier.bNumConfigurations = 2;
2179                    else if (!cdc)
/drivers/usb/gadget/ether.c: 2310 in eth_bind()
2304                    printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
2305                            dev->host_mac[0], dev->host_mac[1],
2306                            dev->host_mac[2], dev->host_mac[3],
2307                            dev->host_mac[4], dev->host_mac[5]);
2308     
2309            if (rndis) {
>>>     CID 340844:    (DEADCODE)
>>>     Execution cannot reach this statement: "vendorID = 0U;".
2310                    u32     vendorID = 0;
2311     
2312                    /* FIXME RNDIS vendor id == "vendor NIC code" == ? */
2313     
2314                    dev->rndis_config = rndis_register(rndis_control_ack);
2315                    if (dev->rndis_config < 0) {
/drivers/usb/gadget/ether.c: 2246 in eth_bind()
2240            sprintf(ethaddr, "%02X%02X%02X%02X%02X%02X",
2241                    dev->host_mac[0], dev->host_mac[1],
2242                            dev->host_mac[2], dev->host_mac[3],
2243                            dev->host_mac[4], dev->host_mac[5]);
2244     
2245            if (rndis) {
>>>     CID 340844:    (DEADCODE)
>>>     Execution cannot reach this statement: "status = rndis_init();".
2246                    status = rndis_init();
2247                    if (status < 0) {
2248                            pr_err("can't init RNDIS, %d", status);
2249                            goto fail;
2250                    }
2251            }

** CID 340843:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 315 in lib_test_abuf_init_move()


________________________________________________________________________________________________________
*** CID 340843:  Control flow issues  (UNREACHABLE)
/test/lib/abuf.c: 315 in lib_test_abuf_init_move()
309             /*
310              * TODO: crashes on sandbox sometimes due to an apparent bug in
311              * realloc().
312              */
313             return 0;
314     
>>>     CID 340843:  Control flow issues  (UNREACHABLE)
>>>     This code cannot be reached: "ptr = sandbox_strdup(test_d...".
315             ptr = strdup(test_data);
316             ut_assertnonnull(ptr);
317     
318             free(ptr);
319     
320             abuf_init_move(&buf, ptr, TEST_DATA_LEN);

** CID 312933:  Error handling issues  (CHECKED_RETURN)
/net/mdio-uclass.c: 33 in dm_mdio_probe_devices()


________________________________________________________________________________________________________
*** CID 312933:  Error handling issues  (CHECKED_RETURN)
/net/mdio-uclass.c: 33 in dm_mdio_probe_devices()
27     
28     void dm_mdio_probe_devices(void)
29     {
30      struct udevice *it;
31      struct uclass *uc;
32     
>>>     CID 312933:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "uclass_get" without checking return value (as is done 
>>> elsewhere 58 out of 72 times).
33      uclass_get(UCLASS_MDIO, &uc);
34      uclass_foreach_dev(it, uc) {
35              device_probe(it);
36      }
37     }
38     

** CID 166730:  Integer handling issues  (SIGN_EXTENSION)
/drivers/nvme/nvme.c: 786 in nvme_blk_rw()


________________________________________________________________________________________________________
*** CID 166730:  Integer handling issues  (SIGN_EXTENSION)
/drivers/nvme/nvme.c: 786 in nvme_blk_rw()
780                     c.rw.prp2 = cpu_to_le64(prp2);
781                     status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q],
782                                     &c, NULL, IO_TIMEOUT);
783                     if (status)
784                             break;
785                     temp_len -= (u32)lbas << ns->lba_shift;
>>>     CID 166730:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "lbas" with type "u16" (16 bits, 
>>> unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits, 
>>> signed), then sign-extended to type "unsigned long" (64 bits, unsigned).  
>>> If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of 
>>> the result will all be 1.
786                     temp_buffer += lbas << ns->lba_shift;
787             }
788     
789             if (read)
790                     invalidate_dcache_range((unsigned long)buffer,
791                                             (unsigned long)buffer + 
total_len);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DK7Ur_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv2MEevk0ukd8spynR-2FdwIfCJVVOYA1tleqY-2BXaL0cBMwJ1IN62SlBYZTWeyGVfETq6dQU5Z757a9RpEHNUetHBLhP7WTf2pUXtpaHKgIB-2BJJRnCYvASPy63SZJeEuGhZMbVagadPofKk4H4PHfCFB4dVqyklahj-2B1P0DPRbe8B-2FA-3D-3D

  To manage Coverity Scan email notifications for "tom.r...@gmail.com", click 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Df7A0_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv2MEevk0ukd8spynR-2FdwIfZbk3JZAsjphuB5i-2F95GC4r6B5TgK6GVnvqd9jOzi-2FEfG49B6RT8uHLKl7eUBwzIhiQw7Of4LExH3CBUAOZ-2FoJWB0qOI-2BfaE7KqJUeo7jWelN0MfiQxJASUMfn4ddaknmL09WtkO5D1OelUIYvbTZ2w-3D-3D


----- End forwarded message -----

-- 
Tom

Attachment: signature.asc
Description: PGP signature

Reply via email to