Here's the list of new defects from v2022.01-rc1:

----- Forwarded message from scan-ad...@coverity.com -----
Date: Mon, 01 Nov 2021 19:29:37 +0000 (UTC)
From: scan-ad...@coverity.com
To: tom.r...@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.

10 new defect(s) introduced to Das U-Boot found with Coverity Scan.
10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)

** CID 340850: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 81 in lib_test_abuf_realloc()

________________________________________________________________________________________________________
*** CID 340850: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 81 in lib_test_abuf_realloc()
75        /*
76         * TODO: crashes on sandbox sometimes due to an apparent bug in
77         * realloc().
78         */
79        return 0;
80
>>> CID 340850: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "start = ut_check_free();".
81        start = ut_check_free();
82
83        abuf_init(&buf);
84
85        /* Allocate an empty buffer */
86        ut_asserteq(true, abuf_realloc(&buf, 0));

** CID 340849: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()

________________________________________________________________________________________________________
*** CID 340849: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_boottime.c: 1991 in efi_load_image_from_path()
1985                    &buffer_size, (void *)(uintptr_t)addr));
1986        if (ret != EFI_SUCCESS)
1987            efi_free_pages(addr, pages);
1988    out:
1989        EFI_CALL(efi_close_protocol(device, guid, efi_root, NULL));
1990        if (ret == EFI_SUCCESS) {
>>> CID 340849: Uninitialized variables (UNINIT)
>>> Using uninitialized value "addr".
1991            *buffer = (void *)(uintptr_t)addr;
1992            *size = buffer_size;
1993        }
1994
1995        return ret;
1996    }

** CID 340848: Control flow issues (DEADCODE)
/lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()

________________________________________________________________________________________________________
*** CID 340848: Control flow issues (DEADCODE)
/lib/rsa/rsa-sign.c: 255 in rsa_engine_get_priv_key()
249        } else if (engine_id) {
250            if (keydir && name)
251                snprintf(key_id, sizeof(key_id),
252                     "%s%s",
253                     keydir, name);
254            else if (name)
>>> CID 340848: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression """" inside this statement:
>>> "snprintf(key_id, 1024UL, "%...".
255                snprintf(key_id, sizeof(key_id),
256                     "%s",
257                     name ? name : "");
258            else if (keyfile)
259                snprintf(key_id, sizeof(key_id), "%s", keyfile);
260            else

** CID 340847: (TAINTED_SCALAR)

________________________________________________________________________________________________________
*** CID 340847: (TAINTED_SCALAR)
/lib/zstd/zstd.c: 49 in zstd_decompress()
43        out_buf.pos = 0;
44        out_buf.size = abuf_size(out);
45
46        while (1) {
47            size_t res;
48
>>> CID 340847: (TAINTED_SCALAR)
>>> Passing tainted variable "dstream->inBuff" to a tainted sink.
49            res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
50            if (ZSTD_isError(res)) {
51                ret = ZSTD_getErrorCode(res);
52                log_err("ZSTD_decompressStream error %d\n", ret);
53                goto do_free;
54            }
/lib/zstd/zstd.c: 49 in zstd_decompress()
43        out_buf.pos = 0;
44        out_buf.size = abuf_size(out);
45
46        while (1) {
47            size_t res;
48
>>> CID 340847: (TAINTED_SCALAR)
>>> Passing tainted variable "in_buf.src" to a tainted sink.
49            res = ZSTD_decompressStream(dstream, &out_buf, &in_buf);
50            if (ZSTD_isError(res)) {
51                ret = ZSTD_getErrorCode(res);
52                log_err("ZSTD_decompressStream error %d\n", ret);
53                goto do_free;
54            }

** CID 340846: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 144 in lib_test_abuf_large()

________________________________________________________________________________________________________
*** CID 340846: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 144 in lib_test_abuf_large()
138        /*
139         * This crashes at present due to trying to allocate more memory than
140         * available, which breaks something on sandbox.
141         */
142        return 0;
143
>>> CID 340846: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "start = ut_check_free();".
144        start = ut_check_free();
145
146        /* Try an impossible size */
147        abuf_init(&buf);
148        ut_asserteq(false, abuf_realloc(&buf, CONFIG_SYS_MALLOC_LEN));
149        ut_assertnull(buf.data);

** CID 340845: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()

________________________________________________________________________________________________________
*** CID 340845: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 211 in lib_test_abuf_uninit_move()
205         * TODO: crashes on sandbox sometimes due to an apparent bug in
206         * realloc().
207         */
208        return 0;
209
210        /* Move an empty buffer */
>>> CID 340845: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "abuf_init(&buf);".
211        abuf_init(&buf);
212        ut_assertnull(abuf_uninit_move(&buf, &size));
213        ut_asserteq(0, size);
214        ut_assertnull(abuf_uninit_move(&buf, NULL));
215
216        /* Move an unallocated buffer */

** CID 340844: (DEADCODE)
/drivers/usb/gadget/ether.c: 2078 in eth_bind()
/drivers/usb/gadget/ether.c: 2178 in eth_bind()
/drivers/usb/gadget/ether.c: 2174 in eth_bind()
/drivers/usb/gadget/ether.c: 2310 in eth_bind()
/drivers/usb/gadget/ether.c: 2246 in eth_bind()

________________________________________________________________________________________________________
*** CID 340844: (DEADCODE)
/drivers/usb/gadget/ether.c: 2078 in eth_bind()
2072         * needed to install MSFT drivers. Current Linux kernels will use
2073         * the second configuration if it's CDC Ethernet, and need some help
2074         * to choose the right configuration otherwise.
2075         */
2076        if (rndis) {
2077    #if defined(CONFIG_USB_GADGET_VENDOR_NUM) && defined(CONFIG_USB_GADGET_PRODUCT_NUM)
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "device_desc.idVendor = 0;".
2078            device_desc.idVendor =
2079                __constant_cpu_to_le16(CONFIG_USB_GADGET_VENDOR_NUM);
2080            device_desc.idProduct =
2081                __constant_cpu_to_le16(CONFIG_USB_GADGET_PRODUCT_NUM);
2082    #else
2083            device_desc.idVendor =
/drivers/usb/gadget/ether.c: 2178 in eth_bind()
2172        /* For now RNDIS is always a second config */
2173        if (rndis)
2174            device_desc.bNumConfigurations = 2;
2175
2176        if (gadget_is_dualspeed(gadget)) {
2177            if (rndis)
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "dev_qualifier.bNumConfigura...".
2178                dev_qualifier.bNumConfigurations = 2;
2179            else if (!cdc)
2180                dev_qualifier.bDeviceClass = USB_CLASS_VENDOR_SPEC;
2181
2182            /* assumes ep0 uses the same value for both speeds ... */
2183            dev_qualifier.bMaxPacketSize0 = device_desc.bMaxPacketSize0;
/drivers/usb/gadget/ether.c: 2174 in eth_bind()
2168        }
2169
2170        usb_gadget_set_selfpowered(gadget);
2171
2172        /* For now RNDIS is always a second config */
2173        if (rndis)
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "device_desc.bNumConfigurati...".
2174            device_desc.bNumConfigurations = 2;
2175
2176        if (gadget_is_dualspeed(gadget)) {
2177            if (rndis)
2178                dev_qualifier.bNumConfigurations = 2;
2179            else if (!cdc)
/drivers/usb/gadget/ether.c: 2310 in eth_bind()
2304        printf("HOST MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
2305            dev->host_mac[0], dev->host_mac[1],
2306            dev->host_mac[2], dev->host_mac[3],
2307            dev->host_mac[4], dev->host_mac[5]);
2308
2309        if (rndis) {
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "vendorID = 0U;".
2310            u32 vendorID = 0;
2311
2312            /* FIXME RNDIS vendor id == "vendor NIC code" == ? */
2313
2314            dev->rndis_config = rndis_register(rndis_control_ack);
2315            if (dev->rndis_config < 0) {
/drivers/usb/gadget/ether.c: 2246 in eth_bind()
2240        sprintf(ethaddr, "%02X%02X%02X%02X%02X%02X",
2241            dev->host_mac[0], dev->host_mac[1],
2242            dev->host_mac[2], dev->host_mac[3],
2243            dev->host_mac[4], dev->host_mac[5]);
2244
2245        if (rndis) {
>>> CID 340844: (DEADCODE)
>>> Execution cannot reach this statement: "status = rndis_init();".
2246            status = rndis_init();
2247            if (status < 0) {
2248                pr_err("can't init RNDIS, %d", status);
2249                goto fail;
2250            }
2251        }

** CID 340843: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 315 in lib_test_abuf_init_move()

________________________________________________________________________________________________________
*** CID 340843: Control flow issues (UNREACHABLE)
/test/lib/abuf.c: 315 in lib_test_abuf_init_move()
309        /*
310         * TODO: crashes on sandbox sometimes due to an apparent bug in
311         * realloc().
312         */
313        return 0;
314
>>> CID 340843: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "ptr = sandbox_strdup(test_d...".
315        ptr = strdup(test_data);
316        ut_assertnonnull(ptr);
317
318        free(ptr);
319
320        abuf_init_move(&buf, ptr, TEST_DATA_LEN);

** CID 312933: Error handling issues (CHECKED_RETURN)
/net/mdio-uclass.c: 33 in dm_mdio_probe_devices()

________________________________________________________________________________________________________
*** CID 312933: Error handling issues (CHECKED_RETURN)
/net/mdio-uclass.c: 33 in dm_mdio_probe_devices()
27
28    void dm_mdio_probe_devices(void)
29    {
30        struct udevice *it;
31        struct uclass *uc;
32
>>> CID 312933: Error handling issues (CHECKED_RETURN)
>>> Calling "uclass_get" without checking return value (as is done
>>> elsewhere 58 out of 72 times).
33        uclass_get(UCLASS_MDIO, &uc);
34        uclass_foreach_dev(it, uc) {
35            device_probe(it);
36        }
37    }
38

** CID 166730: Integer handling issues (SIGN_EXTENSION)
/drivers/nvme/nvme.c: 786 in nvme_blk_rw()

________________________________________________________________________________________________________
*** CID 166730: Integer handling issues (SIGN_EXTENSION)
/drivers/nvme/nvme.c: 786 in nvme_blk_rw()
780            c.rw.prp2 = cpu_to_le64(prp2);
781            status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q],
782                    &c, NULL, IO_TIMEOUT);
783            if (status)
784                break;
785            temp_len -= (u32)lbas << ns->lba_shift;
>>> CID 166730: Integer handling issues (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "lbas" with type "u16" (16 bits,
>>> unsigned) is promoted in "lbas << ns->lba_shift" to type "int" (32 bits,
>>> signed), then sign-extended to type "unsigned long" (64 bits, unsigned).
>>> If "lbas << ns->lba_shift" is greater than 0x7FFFFFFF, the upper bits of
>>> the result will all be 1.
786            temp_buffer += lbas << ns->lba_shift;
787        }
788
789        if (read)
790            invalidate_dcache_range((unsigned long)buffer,
791                    (unsigned long)buffer + total_len);

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DK7Ur_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv2MEevk0ukd8spynR-2FdwIfCJVVOYA1tleqY-2BXaL0cBMwJ1IN62SlBYZTWeyGVfETq6dQU5Z757a9RpEHNUetHBLhP7WTf2pUXtpaHKgIB-2BJJRnCYvASPy63SZJeEuGhZMbVagadPofKk4H4PHfCFB4dVqyklahj-2B1P0DPRbe8B-2FA-3D-3D

To manage Coverity Scan email notifications for "tom.r...@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Df7A0_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTv2MEevk0ukd8spynR-2FdwIfZbk3JZAsjphuB5i-2F95GC4r6B5TgK6GVnvqd9jOzi-2FEfG49B6RT8uHLKl7eUBwzIhiQw7Of4LExH3CBUAOZ-2FoJWB0qOI-2BfaE7KqJUeo7jWelN0MfiQxJASUMfn4ddaknmL09WtkO5D1OelUIYvbTZ2w-3D-3D

----- End forwarded message -----

--
Tom