So I've updated to the latest tool and that's why there's so many new defects found in old code.
----- Forwarded message from scan-ad...@coverity.com ----- Date: Sat, 05 Mar 2022 17:28:09 +0000 (UTC) From: scan-ad...@coverity.com To: tom.r...@gmail.com Subject: New Defects reported by Coverity Scan for Das U-Boot Hi, Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan. 43 new defect(s) introduced to Das U-Boot found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 43 defect(s) ** CID 350448: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350448: Insecure data handling (TAINTED_SCALAR) /cmd/abootimg.c: 90 in abootimg_get_dtb_load_addr() 84 goto exit; 85 } 86 87 if (argc == 0) 88 printf("%lx\n", (ulong)hdr->dtb_addr); 89 else >>> CID 350448: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "hdr->dtb_addr" to "env_set_hex", which uses >>> it as an offset. 90 env_set_hex(argv[0], (ulong)hdr->dtb_addr); 91 92 exit: 93 unmap_sysmem(hdr); 94 return res; 95 } ** CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /drivers/nvme/nvme.c: 772 in nvme_blk_rw() ________________________________________________________________________________________________________ *** CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /drivers/nvme/nvme.c: 772 in nvme_blk_rw() 766 c.rw.prp1 = cpu_to_le64(temp_buffer); 767 c.rw.prp2 = cpu_to_le64(prp2); 768 status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q], 769 &c, NULL, IO_TIMEOUT); 770 if (status) 771 break; >>> CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN) >>> Potentially overflowing expression "(u32)lbas << ns->lba_shift" with >>> type "u32" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and >>> then used in a context that expects an expression of type "u64" (64 bits, >>> unsigned). 772 temp_len -= (u32)lbas << ns->lba_shift; 773 temp_buffer += lbas << ns->lba_shift; 774 } 775 776 if (read) 777 invalidate_dcache_range((unsigned long)buffer, ** CID 350446: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350446: (TAINTED_SCALAR) /fs/fat/fat.c: 1016 in fat_itr_next() 1010 } 1011 1012 /* short file name */ 1013 break; 1014 } 1015 >>> CID 350446: (TAINTED_SCALAR) >>> Passing tainted expression "dent->nameext" to "get_name", which uses it >>> as an offset. 1016 get_name(dent, itr->s_name); 1017 if (!itr->name) 1018 itr->name = itr->s_name; 1019 1020 return 1; 1021 } /fs/fat/fat.c: 1016 in fat_itr_next() 1010 } 1011 1012 /* short file name */ 1013 break; 1014 } 1015 >>> CID 350446: (TAINTED_SCALAR) >>> Passing tainted expression "dent->nameext" to "get_name", which uses it >>> as an offset. 1016 get_name(dent, itr->s_name); 1017 if (!itr->name) 1018 itr->name = itr->s_name; 1019 1020 return 1; 1021 } /fs/fat/fat.c: 1016 in fat_itr_next() 1010 } 1011 1012 /* short file name */ 1013 break; 1014 } 1015 >>> CID 350446: (TAINTED_SCALAR) >>> Passing tainted expression "dent->nameext" to "get_name", which uses it >>> as an offset. 1016 get_name(dent, itr->s_name); 1017 if (!itr->name) 1018 itr->name = itr->s_name; 1019 1020 return 1; 1021 } ** CID 350445: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350445: (TAINTED_SCALAR) /tools/kwbimage.c: 2452 in kwbimage_extract_subimage() 2446 fprintf(stderr, " -p N - Nth binary header image (totally: %d)\n", 2447 cur_idx - 1); 2448 return -1; 2449 } 2450 } 2451 >>> CID 350445: (TAINTED_SCALAR) >>> Passing tainted expression "size" to "imagetool_save_subimage", which >>> uses it as an offset. 2452 return imagetool_save_subimage(params->outfile, image, size); 2453 } 2454 2455 /* 2456 * Report Error if xflag is set in addition to default 2457 */ /tools/kwbimage.c: 2452 in kwbimage_extract_subimage() 2446 fprintf(stderr, " -p N - Nth binary header image (totally: %d)\n", 2447 cur_idx - 1); 2448 return -1; 2449 } 2450 } 2451 >>> CID 350445: (TAINTED_SCALAR) >>> Passing tainted expression "size" to "imagetool_save_subimage", which >>> uses it as an offset. 2452 return imagetool_save_subimage(params->outfile, image, size); 2453 } 2454 2455 /* 2456 * Report Error if xflag is set in addition to default 2457 */ /tools/kwbimage.c: 2452 in kwbimage_extract_subimage() 2446 fprintf(stderr, " -p N - Nth binary header image (totally: %d)\n", 2447 cur_idx - 1); 2448 return -1; 2449 } 2450 } 2451 >>> CID 350445: (TAINTED_SCALAR) >>> Passing tainted expression "size" to "imagetool_save_subimage", which >>> uses it as an offset. 2452 return imagetool_save_subimage(params->outfile, image, size); 2453 } 2454 2455 /* 2456 * Report Error if xflag is set in addition to default 2457 */ /tools/kwbimage.c: 2452 in kwbimage_extract_subimage() 2446 fprintf(stderr, " -p N - Nth binary header image (totally: %d)\n", 2447 cur_idx - 1); 2448 return -1; 2449 } 2450 } 2451 >>> CID 350445: (TAINTED_SCALAR) >>> Passing tainted expression "size" to "imagetool_save_subimage", which >>> uses it as an offset. 2452 return imagetool_save_subimage(params->outfile, image, size); 2453 } 2454 2455 /* 2456 * Report Error if xflag is set in addition to default 2457 */ ** CID 350444: Insecure data handling (TAINTED_SCALAR) /boot/image-android.c: 354 in android_image_get_dtb_by_index() ________________________________________________________________________________________________________ *** CID 350444: Insecure data handling (TAINTED_SCALAR) /boot/image-android.c: 354 in android_image_get_dtb_by_index() 348 /* Find out the address of DTB with specified index in concat blobs */ 349 hdr = map_sysmem(hdr_addr, sizeof(*hdr)); 350 dtb_img_size = hdr->dtb_size; 351 unmap_sysmem(hdr); 352 i = 0; 353 dtb_addr = dtb_img_addr; >>> CID 350444: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "dtb_img_addr + dtb_img_size" as a loop boundary. 354 while (dtb_addr < dtb_img_addr + dtb_img_size) { 355 const struct fdt_header *fdt; 356 u32 dtb_size; 357 358 fdt = map_sysmem(dtb_addr, sizeof(*fdt)); 359 if (fdt_check_header(fdt) != 0) { ** CID 350443: (TAINTED_SCALAR) /drivers/nvme/nvme.c: 862 in nvme_init() ________________________________________________________________________________________________________ *** CID 350443: (TAINTED_SCALAR) /drivers/nvme/nvme.c: 862 in nvme_init() 856 id = memalign(ndev->page_size, sizeof(struct nvme_id_ns)); 857 if (!id) { 858 ret = -ENOMEM; 859 goto free_queue; 860 } 861 >>> CID 350443: (TAINTED_SCALAR) >>> Using tainted variable "ndev->nn" as a loop boundary. 862 for (int i = 1; i <= ndev->nn; i++) { 863 struct udevice *ns_udev; 864 char name[20]; 865 866 memset(id, 0, sizeof(*id)); 867 if (nvme_identify(ndev, i, 0, (dma_addr_t)(long)id)) { /drivers/nvme/nvme.c: 889 in nvme_init() 883 ret = blk_create_devicef(udev, "nvme-blk", name, IF_TYPE_NVME, 884 -1, 512, 0, &ns_udev); 885 if (ret) 886 goto free_id; 887 } 888 >>> CID 350443: (TAINTED_SCALAR) >>> Passing tainted expression "*id" to "dlfree", which uses it as an >>> offset. 889 free(id); 890 return 0; 891 892 free_id: 893 free(id); 894 free_queue: /drivers/nvme/nvme.c: 893 in nvme_init() 887 } 888 889 free(id); 890 return 0; 891 892 free_id: >>> CID 350443: (TAINTED_SCALAR) >>> Passing tainted expression "*id" to "dlfree", which uses it as an >>> offset. 893 free(id); 894 free_queue: 895 free((void *)ndev->queues); 896 free_nvme: 897 return ret; 898 } ** CID 350442: Memory - corruptions (OVERRUN) /env/common.c: 103 in eth_env_set_enetaddr() ________________________________________________________________________________________________________ *** CID 350442: Memory - corruptions (OVERRUN) /env/common.c: 103 in eth_env_set_enetaddr() 97 { 98 char buf[ARP_HLEN_ASCII + 1]; 99 100 if (eth_env_get_enetaddr(name, (uint8_t *)buf)) 101 return -EEXIST; 102 >>> CID 350442: Memory - corruptions (OVERRUN) >>> "sprintf" will overrun its first argument "buf" which can accommodate >>> 18 bytes. The number of bytes written may be 20 bytes, including the >>> terminating null. 103 sprintf(buf, "%pM", enetaddr); 104 105 return env_set(name, buf); 106 } 107 108 /* ** CID 350441: (TAINTED_SCALAR) /tools/ifwitool.c: 1888 in ifwi_dir_extract() ________________________________________________________________________________________________________ *** CID 350441: (TAINTED_SCALAR) /tools/ifwitool.c: 1907 in ifwi_dir_extract() 1901 1902 DEBUG("Splicing buffer at 0x%x size 0x%x\n", s->e[i].offset, 1903 s->e[i].length); 1904 buffer_splice(&dst, &ifwi_image.subpart_buf[type], s->e[i].offset, 1905 s->e[i].length); 1906 >>> CID 350441: (TAINTED_SCALAR) >>> Passing tainted expression "dst.size" to "buffer_write_file", which >>> uses it as an offset. 1907 if (buffer_write_file(&dst, param.file_name)) 1908 return COMMAND_ERR; 1909 1910 printf("Sub-Partition %s(%d), entry(%s) stored in %s.\n", 1911 param.subpart_name, type, param.dentry_name, param.file_name); 1912 /tools/ifwitool.c: 1888 in ifwi_dir_extract() 1882 parse_subpart_dir(&subpart_dir_buff, &ifwi_image.subpart_buf[type], 1883 subparts[type].name); 1884 1885 uint32_t i; 1886 struct subpart_dir *s = buffer_get(&subpart_dir_buff); 1887 >>> CID 350441: (TAINTED_SCALAR) >>> Using tainted variable "s->h.num_entries" as a loop boundary. 1888 for (i = 0; i < s->h.num_entries; i++) { 1889 if (!strncmp((char *)s->e[i].name, param.dentry_name, 1890 sizeof(s->e[i].name))) 1891 break; 1892 } 1893 ** CID 350440: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 350440: Memory - corruptions (OVERRUN) /drivers/block/ide.c: 615 in ide_ident() 609 #endif 610 611 ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS); 612 613 ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev, 614 sizeof(dev_desc->revision)); >>> CID 350440: Memory - corruptions (OVERRUN) >>> Overrunning array "iop.model" of 40 bytes by passing it to a function >>> which accesses it at byte offset 40 using argument "41U". 615 ident_cpy((unsigned char *)dev_desc->vendor, iop.model, 616 sizeof(dev_desc->vendor)); 617 ident_cpy((unsigned char *)dev_desc->product, iop.serial_no, 618 sizeof(dev_desc->product)); 619 620 if ((iop.config & 0x0080) == 0x0080) ** CID 350439: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350439: Insecure data handling (TAINTED_SCALAR) /disk/part_efi.c: 257 in part_print_efi() 251 printf("\ttype:\t%pUl\n", uuid); 252 uuid = (unsigned char *)gpt_pte[i].unique_partition_guid.b; 253 printf("\tguid:\t%pUl\n", uuid); 254 } 255 256 /* Remember to free pte */ >>> CID 350439: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an >>> offset. 257 free(gpt_pte); 258 return; 259 } 260 261 int part_get_info_efi(struct blk_desc *dev_desc, int part, 262 struct disk_partition *info) ** CID 350438: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350438: (TAINTED_SCALAR) /disk/part_efi.c: 281 in part_get_info_efi() 275 return -1; 276 277 if (part > le32_to_cpu(gpt_head->num_partition_entries) || 278 !is_pte_valid(&gpt_pte[part - 1])) { 279 debug("%s: *** ERROR: Invalid partition number %d ***\n", 280 __func__, part); >>> CID 350438: (TAINTED_SCALAR) >>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an >>> offset. 281 free(gpt_pte); 282 return -1; 283 } 284 285 /* The 'lbaint_t' casting may limit the maximum disk size to 2 TB */ 286 info->start = (lbaint_t)le64_to_cpu(gpt_pte[part - 1].starting_lba); /disk/part_efi.c: 309 in part_get_info_efi() 303 #endif 304 305 debug("%s: start 0x" LBAF ", size 0x" LBAF ", name %s\n", __func__, 306 info->start, info->size, info->name); 307 308 /* Remember to free pte */ >>> CID 350438: (TAINTED_SCALAR) >>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an >>> offset. 309 free(gpt_pte); 310 return 0; 311 } 312 313 static int part_test_efi(struct blk_desc *dev_desc) 314 { ** CID 350437: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350437: Insecure data handling (TAINTED_SCALAR) /disk/part_efi.c: 687 in gpt_verify_headers() 681 printf("%s: *** ERROR: Invalid GPT ***\n", 682 __func__); 683 return -1; 684 } 685 686 /* Free pte before allocating again */ >>> CID 350437: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "**gpt_pte" to "dlfree", which uses it as an >>> offset. 687 free(*gpt_pte); 688 689 /* 690 * Check that the alternate_lba entry points to the last LBA 691 */ 692 if (le64_to_cpu(gpt_head->alternate_lba) != (dev_desc->lba - 1)) { ** CID 350436: Insecure data handling (TAINTED_SCALAR) /tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer() ________________________________________________________________________________________________________ *** CID 350436: Insecure data handling (TAINTED_SCALAR) /tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer() 1450 offset = fix_member(&h->ifwi_version, offset, sizeof(h->ifwi_version)); 1451 offset = fix_member(&h->fit_tool_version, offset, 1452 sizeof(h->fit_tool_version)); 1453 1454 uint32_t i; 1455 >>> CID 350436: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "count" as a loop boundary. 1456 for (i = 0; i < count; i++) { 1457 offset = fix_member(&e[i].type, offset, sizeof(e[i].type)); 1458 offset = fix_member(&e[i].flags, offset, sizeof(e[i].flags)); 1459 offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset)); 1460 offset = fix_member(&e[i].size, offset, sizeof(e[i].size)); 1461 } ** CID 350435: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350435: Insecure data handling (TAINTED_SCALAR) /cmd/extension_board.c: 56 in extension_apply() 50 51 blob = map_sysmem(overlay_addr, 0); 52 if (!fdt_valid(&blob)) 53 return CMD_RET_FAILURE; 54 55 /* apply method prints messages on error */ >>> CID 350435: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "*blob" to "fdt_overlay_apply_verbose", >>> which uses it as an offset. 56 if (fdt_overlay_apply_verbose(working_fdt, blob)) 57 return CMD_RET_FAILURE; 58 59 return CMD_RET_SUCCESS; 60 } 61 ** CID 350434: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 350434: Uninitialized variables (UNINIT) /lib/efi_loader/efi_device_path_to_text.c: 435 in efi_convert_device_path_to_text() 429 str = efi_convert_single_device_node_to_text( 430 str, device_path); 431 } 432 *(u8 **)&device_path += device_path->length; 433 } 434 >>> CID 350434: Uninitialized variables (UNINIT) >>> Using uninitialized value "*buffer" when calling "efi_str_to_u16". 435 text = efi_str_to_u16(buffer); 436 437 out: 438 EFI_EXIT(EFI_SUCCESS); 439 return text; 440 } ** CID 350433: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 350433: Memory - corruptions (OVERRUN) /drivers/block/ide.c: 613 in ide_ident() 607 if (retries == 2) /* Not found */ 608 return; 609 #endif 610 611 ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS); 612 >>> CID 350433: Memory - corruptions (OVERRUN) >>> Overrunning array "iop.fw_rev" of 8 bytes by passing it to a function >>> which accesses it at byte offset 8 using argument "9U". 613 ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev, 614 sizeof(dev_desc->revision)); 615 ident_cpy((unsigned char *)dev_desc->vendor, iop.model, 616 sizeof(dev_desc->vendor)); 617 ident_cpy((unsigned char *)dev_desc->product, iop.serial_no, 618 sizeof(dev_desc->product)); ** CID 350432: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350432: (TAINTED_SCALAR) /cmd/gpt.c: 650 in gpt_verify() 644 /* Check partition layout with provided pattern */ 645 ret = gpt_verify_partitions(blk_dev_desc, partitions, part_count, 646 gpt_head, &gpt_pte); 647 free(str_disk_guid); 648 free(partitions); 649 out: >>> CID 350432: (TAINTED_SCALAR) >>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an >>> offset. 650 free(gpt_pte); 651 return ret; 652 } 653 654 /** 655 * gpt_enumerate() - Enumerate partition names into environment variable. /cmd/gpt.c: 650 in gpt_verify() 644 /* Check partition layout with provided pattern */ 645 ret = gpt_verify_partitions(blk_dev_desc, partitions, part_count, 646 gpt_head, &gpt_pte); 647 free(str_disk_guid); 648 free(partitions); 649 out: >>> CID 350432: (TAINTED_SCALAR) >>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an >>> offset. 650 free(gpt_pte); 651 return ret; 652 } 653 654 /** 655 * gpt_enumerate() - Enumerate partition names into environment variable. /cmd/gpt.c: 650 in gpt_verify() 644 /* Check partition layout with provided pattern */ 645 ret = gpt_verify_partitions(blk_dev_desc, partitions, part_count, 646 gpt_head, &gpt_pte); 647 free(str_disk_guid); 648 free(partitions); 649 out: >>> CID 350432: (TAINTED_SCALAR) >>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an >>> offset. 650 free(gpt_pte); 651 return ret; 652 } 653 654 /** 655 * gpt_enumerate() - Enumerate partition names into environment variable. /cmd/gpt.c: 650 in gpt_verify() 644 /* Check partition layout with provided pattern */ 645 ret = gpt_verify_partitions(blk_dev_desc, partitions, part_count, 646 gpt_head, &gpt_pte); 647 free(str_disk_guid); 648 free(partitions); 649 out: >>> CID 350432: (TAINTED_SCALAR) >>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an >>> offset. 650 free(gpt_pte); 651 return ret; 652 } 653 654 /** 655 * gpt_enumerate() - Enumerate partition names into environment variable. ** CID 350431: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350431: (TAINTED_SCALAR) /tools/ifwitool.c: 1974 in ifwi_print() 1968 1969 bpdt_print_header(&b->h, "BPDT"); 1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1971 1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1973 bpdt_print_header(&b->h, "S-BPDT"); >>> CID 350431: (TAINTED_SCALAR) >>> Passing tainted expression "b->h.descriptor_count" to >>> "bpdt_print_entries", which uses it as a loop boundary. 1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1975 1976 if (param.dir_ops == 0) { 1977 verbose -= 2; 1978 return NO_ACTION_REQUIRED; 1979 } /tools/ifwitool.c: 1970 in ifwi_print() 1964 { 1965 verbose += 2; 1966 1967 struct bpdt *b = buffer_get(&ifwi_image.bpdt); 1968 1969 bpdt_print_header(&b->h, "BPDT"); >>> CID 350431: (TAINTED_SCALAR) >>> Passing tainted expression "b->h.descriptor_count" to >>> "bpdt_print_entries", which uses it as a loop boundary. 1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1971 1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1973 bpdt_print_header(&b->h, "S-BPDT"); 1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1975 /tools/ifwitool.c: 1989 in ifwi_print() 1983 1984 for (i = 0; i < MAX_SUBPARTS ; i++) { 1985 if (!(subparts[i].attr & CONTAINS_DIR) || 1986 (buffer_size(&ifwi_image.subpart_buf[i]) == 0)) 1987 continue; 1988 >>> CID 350431: (TAINTED_SCALAR) >>> Passing tainted expression "*subpart_dir_buf.data" to >>> "parse_subpart_dir", which uses it as a loop boundary. 1989 parse_subpart_dir(&subpart_dir_buf, &ifwi_image.subpart_buf[i], 1990 subparts[i].name); 1991 buffer_delete(&subpart_dir_buf); 1992 } 1993 1994 verbose -= 2; /tools/ifwitool.c: 1970 in ifwi_print() 1964 { 1965 verbose += 2; 1966 1967 struct bpdt *b = buffer_get(&ifwi_image.bpdt); 1968 1969 bpdt_print_header(&b->h, "BPDT"); >>> CID 350431: (TAINTED_SCALAR) >>> Passing tainted expression "b->e[0].type" to "bpdt_print_entries", >>> which uses it as an offset. 1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1971 1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1973 bpdt_print_header(&b->h, "S-BPDT"); 1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1975 /tools/ifwitool.c: 1974 in ifwi_print() 1968 1969 bpdt_print_header(&b->h, "BPDT"); 1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1971 1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1973 bpdt_print_header(&b->h, "S-BPDT"); >>> CID 350431: (TAINTED_SCALAR) >>> Passing tainted expression "b->e[0].type" to "bpdt_print_entries", >>> which uses it as an offset. 1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1975 1976 if (param.dir_ops == 0) { 1977 verbose -= 2; 1978 return NO_ACTION_REQUIRED; 1979 } ** CID 350430: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 350430: Insecure data handling (TAINTED_SCALAR) /disk/part_efi.c: 1072 in alloc_read_gpt_entries() 1066 1067 /* Read GPT Entries from device */ 1068 blk = le64_to_cpu(pgpt_head->partition_entry_lba); 1069 blk_cnt = BLOCK_CNT(count, dev_desc); 1070 if (blk_dread(dev_desc, blk, (lbaint_t)blk_cnt, pte) != blk_cnt) { 1071 printf("*** ERROR: Can't read GPT Entries ***\n"); >>> CID 350430: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "*pte" to "dlfree", which uses it as an >>> offset. 1072 free(pte); 1073 return NULL; 1074 } 1075 return pte; 1076 } 1077 ** CID 350429: Insecure data handling (TAINTED_SCALAR) /tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer() ________________________________________________________________________________________________________ *** CID 350429: Insecure data handling (TAINTED_SCALAR) /tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer() 1665 sizeof(h->header_length)); 1666 offset = fix_member(&h->checksum, offset, sizeof(h->checksum)); 1667 offset += sizeof(h->name); 1668 1669 uint32_t i; 1670 >>> CID 350429: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "count" as a loop boundary. 1671 for (i = 0; i < count; i++) { 1672 offset += sizeof(e[i].name); 1673 offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset)); 1674 offset = fix_member(&e[i].length, offset, sizeof(e[i].length)); 1675 offset = fix_member(&e[i].rsvd, offset, sizeof(e[i].rsvd)); 1676 } ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DGKvW_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwibvgJK-2BuYN7whAG3Emw0bQHn1Oa8Pcu5zkc9xjCGLkZ-2BEFifG0kw14m6L3JHaODpHs3zvdstJCbcIrf3zAfeJAJpnLuNKaD25DMT20lk8wd23-2FKhn6sgueK1Gl-2F0NAhAGzLJwzuClWIrLkqo2p6t1WFg-3D-3D To manage Coverity Scan email notifications for "tom.r...@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DDVrT_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwib75SfFPYaKzdACS1Z9ToCtOsih-2BMTLyAxlDzAd-2FLeYHYEN1IK1-2Fbn-2FLcv9ogc83QsLVvCuIi9jVi1nxPXJ7JAS96hMH2EUN-2FLKJO15sWXsEMyXEZiSQMhnxAEbzlEnt5Ya7usI0bf1TIUf2uxUNF2bQ-3D-3D ----- End forwarded message ----- -- Tom
signature.asc
Description: PGP signature