There's a whole lot of new defects here because I noticed yesterday that there was a new stable version of the scanner, after running yesterdays normal post-RC scan. So here's a new scan done on current master.
----- Forwarded message from scan-ad...@coverity.com -----
Date: Tue, 02 Nov 2021 15:55:16 +0000 (UTC)
From: scan-ad...@coverity.com
To: tom.r...@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found
with Coverity Scan.
80 new defect(s) introduced to Das U-Boot found with Coverity Scan.
25 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 80 defect(s)
** CID 340915: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340915: (TAINTED_SCALAR)
/drivers/input/key_matrix.c: 166 in key_matrix_decode_fdt()
160
161 prop = dev_read_prop(dev, "linux,fn-keymap", &proplen);
162 /* fn keymap is optional */
163 if (!prop)
164 goto done;
165
>>> CID 340915: (TAINTED_SCALAR)
>>> Passing tainted expression "proplen" to "create_keymap", which uses it
>>> as a loop boundary.
166 config->fn_keycode = create_keymap(config, prop, proplen, -1,
NULL);
167 /* Conversion error -> fail */
168 if (!config->fn_keycode) {
169 free(plain_keycode);
170 return -1;
171 }
/drivers/input/key_matrix.c: 154 in key_matrix_decode_fdt()
148 /* Basic keymap is required */
149 if (!prop) {
150 debug("%s: cannot find keycode-plain map\n", __func__);
151 return -1;
152 }
153
>>> CID 340915: (TAINTED_SCALAR)
>>> Passing tainted expression "proplen" to "create_keymap", which uses it
>>> as a loop boundary.
154 plain_keycode = create_keymap(config, prop, proplen, KEY_FN,
155 &config->fn_pos);
156 config->plain_keycode = plain_keycode;
157 /* Conversion error -> fail */
158 if (!config->plain_keycode)
159 return -1;
** CID 340914: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340914: (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->size_dt_strings" to "fdt_open_into",
>>> which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->totalsize" to "fdt_open_into", which
>>> uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 34 in state_ensure_space()
28 size = fdt_totalsize(blob);
29 free_bytes = size - used;
30 if (free_bytes > extra_size)
31 return 0;
32
33 size = used + extra_size;
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "os_malloc", which uses it as an
>>> offset.
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
/arch/sandbox/cpu/state.c: 38 in state_ensure_space()
32
33 size = used + extra_size;
34 buf = os_malloc(size);
35 if (!buf)
36 return -ENOMEM;
37
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "blob->size_dt_struct" to "fdt_open_into",
>>> which uses it as an offset.
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
/arch/sandbox/cpu/state.c: 44 in state_ensure_space()
38 ret = fdt_open_into(blob, buf, size);
39 if (ret) {
40 os_free(buf);
41 return -EIO;
42 }
43
>>> CID 340914: (TAINTED_SCALAR)
>>> Passing tainted expression "*blob" to "os_free", which uses it as an
>>> offset.
44 os_free(blob);
45 state->state_fdt = buf;
46 return 0;
47 }
48
49 static int state_read_file(struct sandbox_state *state, const char
*fname)
** CID 340913: Uninitialized variables (UNINIT)
/lib/gunzip.c: 298 in zunzip()
________________________________________________________________________________________________________
*** CID 340913: Uninitialized variables (UNINIT)
/lib/gunzip.c: 298 in zunzip()
292 }
293 s.next_in = src + offset;
294 s.avail_in = *lenp - offset;
295 s.next_out = dst;
296 s.avail_out = dstlen;
297 do {
>>> CID 340913: Uninitialized variables (UNINIT)
>>> Using uninitialized value "s.total_out" when calling "inflate". [Note:
>>> The source code implementation of the function has been overridden by a
>>> builtin model.]
298 r = inflate(&s, Z_FINISH);
299 if (stoponerr == 1 && r != Z_STREAM_END &&
300 (s.avail_in == 0 || s.avail_out == 0 || r !=
Z_BUF_ERROR)) {
301 printf("Error: inflate() returned %d\n", r);
302 err = -1;
303 break;
** CID 340912: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340912: (TAINTED_SCALAR)
/lib/efi_loader/efi_variable.c: 191 in efi_variable_authenticate()
185 ret = EFI_SUCCESS;
186
187 err:
188 efi_sigstore_free(truststore);
189 efi_sigstore_free(truststore2);
190 pkcs7_free_message(var_sig);
>>> CID 340912: (TAINTED_SCALAR)
>>> Passing tainted expression "*ebuf" to "dlfree", which uses it as an
>>> offset.
191 free(ebuf);
192 free(regs);
193
194 return ret;
195 }
196 #else
/lib/efi_loader/efi_variable.c: 133 in efi_variable_authenticate()
127
128 /* variable's signature list */
129 if (auth->auth_info.hdr.dwLength < sizeof(auth->auth_info))
130 goto err;
131
132 /* ebuf should be kept valid during the authentication */
>>> CID 340912: (TAINTED_SCALAR)
>>> Passing tainted expression "auth->auth_info.cert_data" to
>>> "efi_parse_pkcs7_header", which uses it as an offset.
133 var_sig = efi_parse_pkcs7_header(auth->auth_info.cert_data,
134 auth->auth_info.hdr.dwLength
135 - sizeof(auth->auth_info),
136 &ebuf);
137 if (!var_sig) {
138 EFI_PRINT("Parsing variable's signature failed\n");
** CID 340910: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340910: (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 284 in sandbox_write_state()
278
279 if (ret == -EIO) {
280 printf("Could not write sandbox state\n");
281 goto err_create;
282 }
283
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "state->state_fdt->size_dt_struct" to
>>> "fdt_pack", which uses it as an offset.
284 ret = fdt_pack(state->state_fdt);
285 if (ret < 0) {
286 printf("Cannot pack state FDT: %s\n",
fdt_strerror(ret));
287 ret = -EINVAL;
288 goto err_create;
289 }
/arch/sandbox/cpu/state.c: 311 in sandbox_write_state()
305 got_err ? " (with errors)" : "");
306
307 return 0;
308 err_write:
309 os_close(fd);
310 err_create:
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "*state->state_fdt" to "os_free", which uses
>>> it as an offset.
311 os_free(state->state_fdt);
312
313 return ret;
314 }
315
316 int state_setprop(int node, const char *prop_name, const void *data,
int size)
/arch/sandbox/cpu/state.c: 284 in sandbox_write_state()
278
279 if (ret == -EIO) {
280 printf("Could not write sandbox state\n");
281 goto err_create;
282 }
283
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "state->state_fdt->size_dt_strings" to
>>> "fdt_pack", which uses it as an offset.
284 ret = fdt_pack(state->state_fdt);
285 if (ret < 0) {
286 printf("Cannot pack state FDT: %s\n",
fdt_strerror(ret));
287 ret = -EINVAL;
288 goto err_create;
289 }
/arch/sandbox/cpu/state.c: 311 in sandbox_write_state()
305 got_err ? " (with errors)" : "");
306
307 return 0;
308 err_write:
309 os_close(fd);
310 err_create:
>>> CID 340910: (TAINTED_SCALAR)
>>> Passing tainted expression "*state->state_fdt" to "os_free", which uses
>>> it as an offset.
311 os_free(state->state_fdt);
312
313 return ret;
314 }
315
316 int state_setprop(int node, const char *prop_name, const void *data,
int size)
** CID 340909: Uninitialized variables (UNINIT)
/lib/gunzip.c: 226 in gzwrite()
________________________________________________________________________________________________________
*** CID 340909: Uninitialized variables (UNINIT)
/lib/gunzip.c: 226 in gzwrite()
220 unsigned long blocks_written;
221 int numfilled;
222 lbaint_t writeblocks;
223
224 s.avail_out = szwritebuf;
225 s.next_out = writebuf;
>>> CID 340909: Uninitialized variables (UNINIT)
>>> Using uninitialized value "s.total_out" when calling "inflate". [Note:
>>> The source code implementation of the function has been overridden by a
>>> builtin model.]
226 r = inflate(&s, Z_SYNC_FLUSH);
227 if ((r != Z_OK) &&
228 (r != Z_STREAM_END)) {
229 printf("Error: inflate() returned
%d\n", r);
230 goto out;
231 }
** CID 340908: Insecure data handling (TAINTED_SCALAR)
/common/board_f.c: 627 in reloc_fdt()
________________________________________________________________________________________________________
*** CID 340908: Insecure data handling (TAINTED_SCALAR)
/common/board_f.c: 627 in reloc_fdt()
621 static int reloc_fdt(void)
622 {
623 if (!IS_ENABLED(CONFIG_OF_EMBED)) {
624 if (gd->flags & GD_FLG_SKIP_RELOC)
625 return 0;
626 if (gd->new_fdt) {
>>> CID 340908: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "__fswab32((__u32)(__be32)((struct
>>> fdt_header const *)gd->fdt_blob)->totalsize)" to "memcpy", which uses it as
>>> an offset. [Note: The source code implementation of the function has been
>>> overridden by a builtin model.]
627 memcpy(gd->new_fdt, gd->fdt_blob,
628 fdt_totalsize(gd->fdt_blob));
629 gd->fdt_blob = gd->new_fdt;
630 }
631 }
632
** CID 340907: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340907: Insecure data handling (TAINTED_SCALAR)
/cmd/fdt.c: 59 in fdt_value_env_set()
53 if (is_printable_string(nodep, len))
54 env_set(var, (void *)nodep);
55 else if (len == 4) {
56 char buf[11];
57
58 sprintf(buf, "0x%08X", fdt32_to_cpu(*(fdt32_t *)nodep));
>>> CID 340907: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "buf" to "env_set", which uses it as an
>>> offset.
59 env_set(var, buf);
60 } else if (len%4 == 0 && len <= 20) {
61 /* Needed to print things like sha1 hashes. */
62 char buf[41];
63 int i;
64
** CID 340906: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
________________________________________________________________________________________________________
*** CID 340906: (TAINTED_SCALAR)
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
1053 break;
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
>>> CID 340906: (TAINTED_SCALAR)
>>> Passing tainted expression "dirs->entry->name_size + 1" to "strncpy",
>>> which uses it as an offset. [Note: The source code implementation of the
>>> function has been overridden by a builtin model.]
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size +
1);
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size +
1);
>>> CID 340906: (TAINTED_SCALAR)
>>> Using tainted variable "dirs->entry->name_size + 1" as an index into an
>>> array "dent->name".
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
1065 /* Decrement size to be read */
/fs/squashfs/sqfs.c: 1060 in sqfs_readdir()
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size +
1);
>>> CID 340906: (TAINTED_SCALAR)
>>> Using tainted variable "dirs->entry->name_size + 1" as an index into an
>>> array "dent->name".
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
1065 /* Decrement size to be read */
/fs/squashfs/sqfs.c: 1059 in sqfs_readdir()
1053 break;
1054 default:
1055 return -SQFS_STOP_READDIR;
1056 }
1057
1058 /* Set entry name */
>>> CID 340906: (TAINTED_SCALAR)
>>> Passing tainted expression "dirs->entry->name_size + 1" to "strncpy",
>>> which uses it as an offset. [Note: The source code implementation of the
>>> function has been overridden by a builtin model.]
1059 strncpy(dent->name, dirs->entry->name, dirs->entry->name_size +
1);
1060 dent->name[dirs->entry->name_size + 1] = '\0';
1061
1062 offset = dirs->entry->name_size + 1 + SQFS_ENTRY_BASE_LENGTH;
1063 dirs->entry_count--;
1064
** CID 340905: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/checks.c: 1163 in check_property_phandle_args()
________________________________________________________________________________________________________
*** CID 340905: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/checks.c: 1163 in check_property_phandle_args()
1157 FAIL_PROP(c, dti, node, prop,
1158 "property size (%d) is invalid, expected
multiple of %zu",
1159 prop->val.len, sizeof(cell_t));
1160 return;
1161 }
1162
>>> CID 340905: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "cell" as a loop boundary.
1163 for (cell = 0; cell < prop->val.len / sizeof(cell_t); cell +=
cellsize + 1) {
1164 struct node *provider_node;
1165 struct property *cellprop;
1166 int phandle;
1167
1168 phandle = propval_cell_n(prop, cell);
** CID 340904: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340904: (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 580 in update_descriptor_block()
574
575 jdb.h_blocktype = cpu_to_be32(EXT3_JOURNAL_DESCRIPTOR_BLOCK);
576 jdb.h_magic = cpu_to_be32(EXT3_JOURNAL_MAGIC_NUMBER);
577 jdb.h_sequence = jsb->s_sequence;
578 buf = zalloc(fs->blksz);
579 if (!buf) {
>>> CID 340904: (TAINTED_SCALAR)
>>> Passing tainted expression "*temp_buff" to "dlfree", which uses it as
>>> an offset.
580 free(temp_buff);
581 return;
582 }
583 temp = buf;
584 memcpy(buf, &jdb, sizeof(struct journal_header_t));
585 temp += sizeof(struct journal_header_t);
/fs/ext4/ext4_journal.c: 603 in update_descriptor_block()
597 tag.block = cpu_to_be32(journal_ptr[--i]->blknr);
598 tag.flags = cpu_to_be32(EXT3_JOURNAL_FLAG_LAST_TAG);
599 memcpy(temp - sizeof(struct ext3_journal_block_tag), &tag,
600 sizeof(struct ext3_journal_block_tag));
601 put_ext4((uint64_t) ((uint64_t)blknr * (uint64_t)fs->blksz),
buf, (uint32_t) fs->blksz);
602
>>> CID 340904: (TAINTED_SCALAR)
>>> Passing tainted expression "*temp_buff" to "dlfree", which uses it as
>>> an offset.
603 free(temp_buff);
604 free(buf);
605 }
606
607 static void update_commit_block(long int blknr)
608 {
** CID 340903: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340903: Insecure data handling (TAINTED_SCALAR)
/fs/btrfs/disk-io.c: 1036 in open_ctree_fs_info()
1030 fs_info->stripesize = btrfs_super_stripesize(disk_super);
1031
1032 ret = btrfs_check_fs_compatibility(fs_info->super_copy);
1033 if (ret)
1034 goto out_devices;
1035
>>> CID 340903: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "fs_info->nodesize" to
>>> "btrfs_setup_chunk_tree_and_device_map", which uses it as an offset.
1036 ret = btrfs_setup_chunk_tree_and_device_map(fs_info);
1037 if (ret)
1038 goto out_chunk;
1039
1040 /* Chunk tree root is unable to read, return directly */
1041 if (!fs_info->chunk_root)
** CID 340902: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340902: (TAINTED_SCALAR)
/common/fdt_support.c: 1784 in fdt_read_range()
1778
1779 /* Jump to the n'th entry */
1780 cell = n * (pacells + acells + scells);
1781
1782 /* Read <child address> */
1783 if (child_addr) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as
>>> an offset.
1784 r = fdt_read_prop(ranges, ranges_len, cell, child_addr,
1785 acells);
1786 if (r)
1787 return r;
1788 }
1789 cell += acells;
/common/fdt_support.c: 1784 in fdt_read_range()
1778
1779 /* Jump to the n'th entry */
1780 cell = n * (pacells + acells + scells);
1781
1782 /* Read <child address> */
1783 if (child_addr) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as
>>> an offset.
1784 r = fdt_read_prop(ranges, ranges_len, cell, child_addr,
1785 acells);
1786 if (r)
1787 return r;
1788 }
1789 cell += acells;
/common/fdt_support.c: 1798 in fdt_read_range()
1792 if (addr)
1793 *addr = fdt_translate_address(fdt, node, ranges + cell);
1794 cell += pacells;
1795
1796 /* Read <size in child address space> */
1797 if (len) {
>>> CID 340902: (TAINTED_SCALAR)
>>> Passing tainted expression "cell" to "fdt_read_prop", which uses it as
>>> an offset.
1798 r = fdt_read_prop(ranges, ranges_len, cell, len,
scells);
1799 if (r)
1800 return r;
1801 }
1802
1803 return 0;
** CID 340901: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340901: Insecure data handling (TAINTED_SCALAR)
/scripts/dtc/libfdt/fdt_overlay.c: 643 in overlay_merge()
637 return overlay;
638
639 target = overlay_get_target(fdt, fdto, fragment, NULL);
640 if (target < 0)
641 return target;
642
>>> CID 340901: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "target" to "overlay_apply_node", which uses
>>> it as a loop boundary.
643 ret = overlay_apply_node(fdt, target, fdto, overlay);
644 if (ret)
645 return ret;
646 }
647
648 return 0;
** CID 340900: Error handling issues (NEGATIVE_RETURNS)
/fs/btrfs/inode.c: 644 in read_and_truncate_page()
________________________________________________________________________________________________________
*** CID 340900: Error handling issues (NEGATIVE_RETURNS)
/fs/btrfs/inode.c: 644 in read_and_truncate_page()
638 if (!buf)
639 return -ENOMEM;
640
641 extent_type = btrfs_file_extent_type(leaf, fi);
642 if (extent_type == BTRFS_FILE_EXTENT_INLINE) {
643 ret = btrfs_read_extent_inline(path, fi, buf);
>>> CID 340900: Error handling issues (NEGATIVE_RETURNS)
>>> "({...; (_min1 < _min2) ? _min1 : _min2;})" is passed to a parameter
>>> that cannot be negative. [Note: The source code implementation of the
>>> function has been overridden by a builtin model.]
644 memcpy(dest, buf + page_off, min(page_len, ret));
645 free(buf);
646 return len;
647 }
648
649 ret = btrfs_read_extent_reg(path, fi,
** CID 340899: Insecure data handling (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 219 in print_revoke_blks()
________________________________________________________________________________________________________
*** CID 340899: Insecure data handling (TAINTED_SCALAR)
/fs/ext4/ext4_journal.c: 219 in print_revoke_blks()
213
214 header = (struct journal_revoke_header_t *) revk_blk;
215 offset = sizeof(struct journal_revoke_header_t);
216 max = be32_to_cpu(header->r_count);
217 printf("total bytes %d\n", max);
218
>>> CID 340899: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "max" as a loop boundary.
219 while (offset < max) {
220 blocknr = be32_to_cpu(*((__be32 *)(revk_blk + offset)));
221 printf("revoke blknr is %ld\n", blocknr);
222 offset += 4;
223 }
224 }
** CID 340898: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2667 in
efi_uninstall_multiple_protocol_interfaces()
________________________________________________________________________________________________________
*** CID 340898: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2667 in
efi_uninstall_multiple_protocol_interfaces()
2661 efi_status_t r = EFI_SUCCESS;
2662 size_t i = 0;
2663
2664 if (!handle)
2665 return EFI_EXIT(EFI_INVALID_PARAMETER);
2666
>>> CID 340898: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2667 efi_va_start(argptr, handle);
2668 for (;;) {
2669 protocol = efi_va_arg(argptr, efi_guid_t*);
2670 if (!protocol)
2671 break;
2672 protocol_interface = efi_va_arg(argptr, void*);
** CID 340897: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2594 in
efi_install_multiple_protocol_interfaces()
________________________________________________________________________________________________________
*** CID 340897: Memory - illegal accesses (UNINIT)
/lib/efi_loader/efi_boottime.c: 2594 in
efi_install_multiple_protocol_interfaces()
2588 efi_status_t r = EFI_SUCCESS;
2589 int i = 0;
2590
2591 if (!handle)
2592 return EFI_EXIT(EFI_INVALID_PARAMETER);
2593
>>> CID 340897: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "argptr" when calling "__builtin_ms_va_start".
2594 efi_va_start(argptr, handle);
2595 for (;;) {
2596 protocol = efi_va_arg(argptr, efi_guid_t*);
2597 if (!protocol)
2598 break;
2599 protocol_interface = efi_va_arg(argptr, void*);
** CID 340896: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 340896: Insecure data handling (TAINTED_SCALAR)
/common/image-fdt.c: 510 in boot_get_fdt()
504 ulong fdt_data, fdt_len;
505 u32 fdt_size, dtb_idx;
506 /*
507 * Firstly check if this android boot image has dtb
field.
508 */
509 dtb_idx = (u32)env_get_ulong("adtb_idx", 10, 0);
>>> CID 340896: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "hdr" to "android_image_get_dtb_by_index",
>>> which uses it as a loop boundary.
510 if (android_image_get_dtb_by_index((ulong)hdr, dtb_idx,
&fdt_addr, &fdt_size)) {
511 fdt_blob = (char *)map_sysmem(fdt_addr, 0);
512 if (fdt_check_header(fdt_blob))
513 goto no_fdt;
514
515 debug("## Using FDT in Android image dtb area
with idx %u\n", dtb_idx);
** CID 340895: Insecure data handling (TAINTED_SCALAR)
/common/image-android-dt.c: 128 in android_dt_print_contents()
________________________________________________________________________________________________________
*** CID 340895: Insecure data handling (TAINTED_SCALAR)
/common/image-android-dt.c: 128 in android_dt_print_contents()
122 printf(" page_size = %d\n",
fdt32_to_cpu(hdr->page_size));
123 printf(" version = %d\n",
fdt32_to_cpu(hdr->version));
124
125 unmap_sysmem(hdr);
126
127 /* Print image entries info */
>>> CID 340895: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "entry_count" as a loop boundary.
128 for (i = 0; i < entry_count; ++i) {
129 const ulong e_addr = hdr_addr + entries_offset + i *
entry_size;
130 const struct dt_table_entry *e;
131 const struct fdt_header *fdt;
132 u32 dt_offset, dt_size;
133 u32 j;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3D9GGA_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTs3pBU8vxliBOfH1-2FBt0vqbdIx1mP6FC3-2FQe-2Fw-2F-2FDBEhKG26IbQfiRoX0gqXB9Wm6CFQKvUL203el0Uwq3R00CKZgVFh0pACrzKTpfyuRUH7ZMXL834xWtjRvq7oWINAt-2FvvOwfqgX9iTtocxbsR7P736LnIQHB4GthdbQG8xFv4Q-3D-3D
To manage Coverity Scan email notifications for "tom.r...@gmail.com", click
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3Dp1U4_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTs3pBU8vxliBOfH1-2FBt0vqbclVGnJdJ2jYQpaLHmC-2BWaiKYUmh5-2BWRNQHXgL0tqPDBr5zJNId2seKKN819S3BkxgDCXMchYRh-2BH6W8WhXwQjsEAGX5MWx-2FVvnCjUsyybd-2FX8yAQGOFpUWS11iICkcOGU8IXKIHrICdOOFVa3O8-2BPw-3D-3D
----- End forwarded message -----
--
Tom
signature.asc
Description: PGP signature
