So I've updated to the latest tool and that's why there's so many new defects found in old code.
----- Forwarded message from scan-ad...@coverity.com -----
Date: Sat, 05 Mar 2022 17:28:09 +0000 (UTC)
From: scan-ad...@coverity.com
To: tom.r...@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found
with Coverity Scan.
43 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent
build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 43 defect(s)
** CID 350448: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350448: Insecure data handling (TAINTED_SCALAR)
/cmd/abootimg.c: 90 in abootimg_get_dtb_load_addr()
84 goto exit;
85 }
86
87 if (argc == 0)
88 printf("%lx\n", (ulong)hdr->dtb_addr);
89 else
>>> CID 350448: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "hdr->dtb_addr" to "env_set_hex", which uses
>>> it as an offset.
90 env_set_hex(argv[0], (ulong)hdr->dtb_addr);
91
92 exit:
93 unmap_sysmem(hdr);
94 return res;
95 }
** CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/nvme/nvme.c: 772 in nvme_blk_rw()
________________________________________________________________________________________________________
*** CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/drivers/nvme/nvme.c: 772 in nvme_blk_rw()
766 c.rw.prp1 = cpu_to_le64(temp_buffer);
767 c.rw.prp2 = cpu_to_le64(prp2);
768 status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q],
769 &c, NULL, IO_TIMEOUT);
770 if (status)
771 break;
>>> CID 350447: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "(u32)lbas << ns->lba_shift" with
>>> type "u32" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and
>>> then used in a context that expects an expression of type "u64" (64 bits,
>>> unsigned).
772 temp_len -= (u32)lbas << ns->lba_shift;
773 temp_buffer += lbas << ns->lba_shift;
774 }
775
776 if (read)
777 invalidate_dcache_range((unsigned long)buffer,
** CID 350446: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350446: (TAINTED_SCALAR)
/fs/fat/fat.c: 1016 in fat_itr_next()
1010 }
1011
1012 /* short file name */
1013 break;
1014 }
1015
>>> CID 350446: (TAINTED_SCALAR)
>>> Passing tainted expression "dent->nameext" to "get_name", which uses it
>>> as an offset.
1016 get_name(dent, itr->s_name);
1017 if (!itr->name)
1018 itr->name = itr->s_name;
1019
1020 return 1;
1021 }
/fs/fat/fat.c: 1016 in fat_itr_next()
1010 }
1011
1012 /* short file name */
1013 break;
1014 }
1015
>>> CID 350446: (TAINTED_SCALAR)
>>> Passing tainted expression "dent->nameext" to "get_name", which uses it
>>> as an offset.
1016 get_name(dent, itr->s_name);
1017 if (!itr->name)
1018 itr->name = itr->s_name;
1019
1020 return 1;
1021 }
/fs/fat/fat.c: 1016 in fat_itr_next()
1010 }
1011
1012 /* short file name */
1013 break;
1014 }
1015
>>> CID 350446: (TAINTED_SCALAR)
>>> Passing tainted expression "dent->nameext" to "get_name", which uses it
>>> as an offset.
1016 get_name(dent, itr->s_name);
1017 if (!itr->name)
1018 itr->name = itr->s_name;
1019
1020 return 1;
1021 }
** CID 350445: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350445: (TAINTED_SCALAR)
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446 fprintf(stderr, " -p N - Nth binary
header image (totally: %d)\n",
2447 cur_idx - 1);
2448 return -1;
2449 }
2450 }
2451
>>> CID 350445: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "imagetool_save_subimage", which
>>> uses it as an offset.
2452 return imagetool_save_subimage(params->outfile, image, size);
2453 }
2454
2455 /*
2456 * Report Error if xflag is set in addition to default
2457 */
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446 fprintf(stderr, " -p N - Nth binary
header image (totally: %d)\n",
2447 cur_idx - 1);
2448 return -1;
2449 }
2450 }
2451
>>> CID 350445: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "imagetool_save_subimage", which
>>> uses it as an offset.
2452 return imagetool_save_subimage(params->outfile, image, size);
2453 }
2454
2455 /*
2456 * Report Error if xflag is set in addition to default
2457 */
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446 fprintf(stderr, " -p N - Nth binary
header image (totally: %d)\n",
2447 cur_idx - 1);
2448 return -1;
2449 }
2450 }
2451
>>> CID 350445: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "imagetool_save_subimage", which
>>> uses it as an offset.
2452 return imagetool_save_subimage(params->outfile, image, size);
2453 }
2454
2455 /*
2456 * Report Error if xflag is set in addition to default
2457 */
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446 fprintf(stderr, " -p N - Nth binary
header image (totally: %d)\n",
2447 cur_idx - 1);
2448 return -1;
2449 }
2450 }
2451
>>> CID 350445: (TAINTED_SCALAR)
>>> Passing tainted expression "size" to "imagetool_save_subimage", which
>>> uses it as an offset.
2452 return imagetool_save_subimage(params->outfile, image, size);
2453 }
2454
2455 /*
2456 * Report Error if xflag is set in addition to default
2457 */
** CID 350444: Insecure data handling (TAINTED_SCALAR)
/boot/image-android.c: 354 in android_image_get_dtb_by_index()
________________________________________________________________________________________________________
*** CID 350444: Insecure data handling (TAINTED_SCALAR)
/boot/image-android.c: 354 in android_image_get_dtb_by_index()
348 /* Find out the address of DTB with specified index in concat
blobs */
349 hdr = map_sysmem(hdr_addr, sizeof(*hdr));
350 dtb_img_size = hdr->dtb_size;
351 unmap_sysmem(hdr);
352 i = 0;
353 dtb_addr = dtb_img_addr;
>>> CID 350444: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "dtb_img_addr + dtb_img_size" as a loop boundary.
354 while (dtb_addr < dtb_img_addr + dtb_img_size) {
355 const struct fdt_header *fdt;
356 u32 dtb_size;
357
358 fdt = map_sysmem(dtb_addr, sizeof(*fdt));
359 if (fdt_check_header(fdt) != 0) {
** CID 350443: (TAINTED_SCALAR)
/drivers/nvme/nvme.c: 862 in nvme_init()
________________________________________________________________________________________________________
*** CID 350443: (TAINTED_SCALAR)
/drivers/nvme/nvme.c: 862 in nvme_init()
856 id = memalign(ndev->page_size, sizeof(struct nvme_id_ns));
857 if (!id) {
858 ret = -ENOMEM;
859 goto free_queue;
860 }
861
>>> CID 350443: (TAINTED_SCALAR)
>>> Using tainted variable "ndev->nn" as a loop boundary.
862 for (int i = 1; i <= ndev->nn; i++) {
863 struct udevice *ns_udev;
864 char name[20];
865
866 memset(id, 0, sizeof(*id));
867 if (nvme_identify(ndev, i, 0, (dma_addr_t)(long)id)) {
/drivers/nvme/nvme.c: 889 in nvme_init()
883 ret = blk_create_devicef(udev, "nvme-blk", name,
IF_TYPE_NVME,
884 -1, 512, 0, &ns_udev);
885 if (ret)
886 goto free_id;
887 }
888
>>> CID 350443: (TAINTED_SCALAR)
>>> Passing tainted expression "*id" to "dlfree", which uses it as an
>>> offset.
889 free(id);
890 return 0;
891
892 free_id:
893 free(id);
894 free_queue:
/drivers/nvme/nvme.c: 893 in nvme_init()
887 }
888
889 free(id);
890 return 0;
891
892 free_id:
>>> CID 350443: (TAINTED_SCALAR)
>>> Passing tainted expression "*id" to "dlfree", which uses it as an
>>> offset.
893 free(id);
894 free_queue:
895 free((void *)ndev->queues);
896 free_nvme:
897 return ret;
898 }
** CID 350442: Memory - corruptions (OVERRUN)
/env/common.c: 103 in eth_env_set_enetaddr()
________________________________________________________________________________________________________
*** CID 350442: Memory - corruptions (OVERRUN)
/env/common.c: 103 in eth_env_set_enetaddr()
97 {
98 char buf[ARP_HLEN_ASCII + 1];
99
100 if (eth_env_get_enetaddr(name, (uint8_t *)buf))
101 return -EEXIST;
102
>>> CID 350442: Memory - corruptions (OVERRUN)
>>> "sprintf" will overrun its first argument "buf" which can accommodate
>>> 18 bytes. The number of bytes written may be 20 bytes, including the
>>> terminating null.
103 sprintf(buf, "%pM", enetaddr);
104
105 return env_set(name, buf);
106 }
107
108 /*
** CID 350441: (TAINTED_SCALAR)
/tools/ifwitool.c: 1888 in ifwi_dir_extract()
________________________________________________________________________________________________________
*** CID 350441: (TAINTED_SCALAR)
/tools/ifwitool.c: 1907 in ifwi_dir_extract()
1901
1902 DEBUG("Splicing buffer at 0x%x size 0x%x\n", s->e[i].offset,
1903 s->e[i].length);
1904 buffer_splice(&dst, &ifwi_image.subpart_buf[type],
s->e[i].offset,
1905 s->e[i].length);
1906
>>> CID 350441: (TAINTED_SCALAR)
>>> Passing tainted expression "dst.size" to "buffer_write_file", which
>>> uses it as an offset.
1907 if (buffer_write_file(&dst, param.file_name))
1908 return COMMAND_ERR;
1909
1910 printf("Sub-Partition %s(%d), entry(%s) stored in %s.\n",
1911 param.subpart_name, type, param.dentry_name,
param.file_name);
1912
/tools/ifwitool.c: 1888 in ifwi_dir_extract()
1882 parse_subpart_dir(&subpart_dir_buff,
&ifwi_image.subpart_buf[type],
1883 subparts[type].name);
1884
1885 uint32_t i;
1886 struct subpart_dir *s = buffer_get(&subpart_dir_buff);
1887
>>> CID 350441: (TAINTED_SCALAR)
>>> Using tainted variable "s->h.num_entries" as a loop boundary.
1888 for (i = 0; i < s->h.num_entries; i++) {
1889 if (!strncmp((char *)s->e[i].name, param.dentry_name,
1890 sizeof(s->e[i].name)))
1891 break;
1892 }
1893
** CID 350440: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 350440: Memory - corruptions (OVERRUN)
/drivers/block/ide.c: 615 in ide_ident()
609 #endif
610
611 ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS);
612
613 ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev,
614 sizeof(dev_desc->revision));
>>> CID 350440: Memory - corruptions (OVERRUN)
>>> Overrunning array "iop.model" of 40 bytes by passing it to a function
>>> which accesses it at byte offset 40 using argument "41U".
615 ident_cpy((unsigned char *)dev_desc->vendor, iop.model,
616 sizeof(dev_desc->vendor));
617 ident_cpy((unsigned char *)dev_desc->product, iop.serial_no,
618 sizeof(dev_desc->product));
619
620 if ((iop.config & 0x0080) == 0x0080)
** CID 350439: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350439: Insecure data handling (TAINTED_SCALAR)
/disk/part_efi.c: 257 in part_print_efi()
251 printf("\ttype:\t%pUl\n", uuid);
252 uuid = (unsigned char
*)gpt_pte[i].unique_partition_guid.b;
253 printf("\tguid:\t%pUl\n", uuid);
254 }
255
256 /* Remember to free pte */
>>> CID 350439: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an
>>> offset.
257 free(gpt_pte);
258 return;
259 }
260
261 int part_get_info_efi(struct blk_desc *dev_desc, int part,
262 struct disk_partition *info)
** CID 350438: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350438: (TAINTED_SCALAR)
/disk/part_efi.c: 281 in part_get_info_efi()
275 return -1;
276
277 if (part > le32_to_cpu(gpt_head->num_partition_entries) ||
278 !is_pte_valid(&gpt_pte[part - 1])) {
279 debug("%s: *** ERROR: Invalid partition number %d
***\n",
280 __func__, part);
>>> CID 350438: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an
>>> offset.
281 free(gpt_pte);
282 return -1;
283 }
284
285 /* The 'lbaint_t' casting may limit the maximum disk size to 2
TB */
286 info->start = (lbaint_t)le64_to_cpu(gpt_pte[part -
1].starting_lba);
/disk/part_efi.c: 309 in part_get_info_efi()
303 #endif
304
305 debug("%s: start 0x" LBAF ", size 0x" LBAF ", name %s\n",
__func__,
306 info->start, info->size, info->name);
307
308 /* Remember to free pte */
>>> CID 350438: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an
>>> offset.
309 free(gpt_pte);
310 return 0;
311 }
312
313 static int part_test_efi(struct blk_desc *dev_desc)
314 {
** CID 350437: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350437: Insecure data handling (TAINTED_SCALAR)
/disk/part_efi.c: 687 in gpt_verify_headers()
681 printf("%s: *** ERROR: Invalid GPT ***\n",
682 __func__);
683 return -1;
684 }
685
686 /* Free pte before allocating again */
>>> CID 350437: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "**gpt_pte" to "dlfree", which uses it as an
>>> offset.
687 free(*gpt_pte);
688
689 /*
690 * Check that the alternate_lba entry points to the last LBA
691 */
692 if (le64_to_cpu(gpt_head->alternate_lba) != (dev_desc->lba -
1)) {
** CID 350436: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer()
________________________________________________________________________________________________________
*** CID 350436: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer()
1450 offset = fix_member(&h->ifwi_version, offset,
sizeof(h->ifwi_version));
1451 offset = fix_member(&h->fit_tool_version, offset,
1452 sizeof(h->fit_tool_version));
1453
1454 uint32_t i;
1455
>>> CID 350436: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1456 for (i = 0; i < count; i++) {
1457 offset = fix_member(&e[i].type, offset,
sizeof(e[i].type));
1458 offset = fix_member(&e[i].flags, offset,
sizeof(e[i].flags));
1459 offset = fix_member(&e[i].offset, offset,
sizeof(e[i].offset));
1460 offset = fix_member(&e[i].size, offset,
sizeof(e[i].size));
1461 }
** CID 350435: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350435: Insecure data handling (TAINTED_SCALAR)
/cmd/extension_board.c: 56 in extension_apply()
50
51 blob = map_sysmem(overlay_addr, 0);
52 if (!fdt_valid(&blob))
53 return CMD_RET_FAILURE;
54
55 /* apply method prints messages on error */
>>> CID 350435: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*blob" to "fdt_overlay_apply_verbose",
>>> which uses it as an offset.
56 if (fdt_overlay_apply_verbose(working_fdt, blob))
57 return CMD_RET_FAILURE;
58
59 return CMD_RET_SUCCESS;
60 }
61
** CID 350434: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________
*** CID 350434: Uninitialized variables (UNINIT)
/lib/efi_loader/efi_device_path_to_text.c: 435 in
efi_convert_device_path_to_text()
429 str = efi_convert_single_device_node_to_text(
430 str,
device_path);
431 }
432 *(u8 **)&device_path += device_path->length;
433 }
434
>>> CID 350434: Uninitialized variables (UNINIT)
>>> Using uninitialized value "*buffer" when calling "efi_str_to_u16".
435 text = efi_str_to_u16(buffer);
436
437 out:
438 EFI_EXIT(EFI_SUCCESS);
439 return text;
440 }
** CID 350433: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 350433: Memory - corruptions (OVERRUN)
/drivers/block/ide.c: 613 in ide_ident()
607 if (retries == 2) /* Not found */
608 return;
609 #endif
610
611 ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS);
612
>>> CID 350433: Memory - corruptions (OVERRUN)
>>> Overrunning array "iop.fw_rev" of 8 bytes by passing it to a function
>>> which accesses it at byte offset 8 using argument "9U".
613 ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev,
614 sizeof(dev_desc->revision));
615 ident_cpy((unsigned char *)dev_desc->vendor, iop.model,
616 sizeof(dev_desc->vendor));
617 ident_cpy((unsigned char *)dev_desc->product, iop.serial_no,
618 sizeof(dev_desc->product));
** CID 350432: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350432: (TAINTED_SCALAR)
/cmd/gpt.c: 650 in gpt_verify()
644 /* Check partition layout with provided pattern */
645 ret = gpt_verify_partitions(blk_dev_desc, partitions,
part_count,
646 gpt_head, &gpt_pte);
647 free(str_disk_guid);
648 free(partitions);
649 out:
>>> CID 350432: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an
>>> offset.
650 free(gpt_pte);
651 return ret;
652 }
653
654 /**
655 * gpt_enumerate() - Enumerate partition names into environment
variable.
/cmd/gpt.c: 650 in gpt_verify()
644 /* Check partition layout with provided pattern */
645 ret = gpt_verify_partitions(blk_dev_desc, partitions,
part_count,
646 gpt_head, &gpt_pte);
647 free(str_disk_guid);
648 free(partitions);
649 out:
>>> CID 350432: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an
>>> offset.
650 free(gpt_pte);
651 return ret;
652 }
653
654 /**
655 * gpt_enumerate() - Enumerate partition names into environment
variable.
/cmd/gpt.c: 650 in gpt_verify()
644 /* Check partition layout with provided pattern */
645 ret = gpt_verify_partitions(blk_dev_desc, partitions,
part_count,
646 gpt_head, &gpt_pte);
647 free(str_disk_guid);
648 free(partitions);
649 out:
>>> CID 350432: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an
>>> offset.
650 free(gpt_pte);
651 return ret;
652 }
653
654 /**
655 * gpt_enumerate() - Enumerate partition names into environment
variable.
/cmd/gpt.c: 650 in gpt_verify()
644 /* Check partition layout with provided pattern */
645 ret = gpt_verify_partitions(blk_dev_desc, partitions,
part_count,
646 gpt_head, &gpt_pte);
647 free(str_disk_guid);
648 free(partitions);
649 out:
>>> CID 350432: (TAINTED_SCALAR)
>>> Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an
>>> offset.
650 free(gpt_pte);
651 return ret;
652 }
653
654 /**
655 * gpt_enumerate() - Enumerate partition names into environment
variable.
** CID 350431: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350431: (TAINTED_SCALAR)
/tools/ifwitool.c: 1974 in ifwi_print()
1968
1969 bpdt_print_header(&b->h, "BPDT");
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->h.descriptor_count" to
>>> "bpdt_print_entries", which uses it as a loop boundary.
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
1976 if (param.dir_ops == 0) {
1977 verbose -= 2;
1978 return NO_ACTION_REQUIRED;
1979 }
/tools/ifwitool.c: 1970 in ifwi_print()
1964 {
1965 verbose += 2;
1966
1967 struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1968
1969 bpdt_print_header(&b->h, "BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->h.descriptor_count" to
>>> "bpdt_print_entries", which uses it as a loop boundary.
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
/tools/ifwitool.c: 1989 in ifwi_print()
1983
1984 for (i = 0; i < MAX_SUBPARTS ; i++) {
1985 if (!(subparts[i].attr & CONTAINS_DIR) ||
1986 (buffer_size(&ifwi_image.subpart_buf[i]) == 0))
1987 continue;
1988
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "*subpart_dir_buf.data" to
>>> "parse_subpart_dir", which uses it as a loop boundary.
1989 parse_subpart_dir(&subpart_dir_buf,
&ifwi_image.subpart_buf[i],
1990 subparts[i].name);
1991 buffer_delete(&subpart_dir_buf);
1992 }
1993
1994 verbose -= 2;
/tools/ifwitool.c: 1970 in ifwi_print()
1964 {
1965 verbose += 2;
1966
1967 struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1968
1969 bpdt_print_header(&b->h, "BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->e[0].type" to "bpdt_print_entries",
>>> which uses it as an offset.
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
/tools/ifwitool.c: 1974 in ifwi_print()
1968
1969 bpdt_print_header(&b->h, "BPDT");
1970 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971
1972 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973 bpdt_print_header(&b->h, "S-BPDT");
>>> CID 350431: (TAINTED_SCALAR)
>>> Passing tainted expression "b->e[0].type" to "bpdt_print_entries",
>>> which uses it as an offset.
1974 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975
1976 if (param.dir_ops == 0) {
1977 verbose -= 2;
1978 return NO_ACTION_REQUIRED;
1979 }
** CID 350430: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 350430: Insecure data handling (TAINTED_SCALAR)
/disk/part_efi.c: 1072 in alloc_read_gpt_entries()
1066
1067 /* Read GPT Entries from device */
1068 blk = le64_to_cpu(pgpt_head->partition_entry_lba);
1069 blk_cnt = BLOCK_CNT(count, dev_desc);
1070 if (blk_dread(dev_desc, blk, (lbaint_t)blk_cnt, pte) !=
blk_cnt) {
1071 printf("*** ERROR: Can't read GPT Entries ***\n");
>>> CID 350430: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*pte" to "dlfree", which uses it as an
>>> offset.
1072 free(pte);
1073 return NULL;
1074 }
1075 return pte;
1076 }
1077
** CID 350429: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer()
________________________________________________________________________________________________________
*** CID 350429: Insecure data handling (TAINTED_SCALAR)
/tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer()
1665 sizeof(h->header_length));
1666 offset = fix_member(&h->checksum, offset, sizeof(h->checksum));
1667 offset += sizeof(h->name);
1668
1669 uint32_t i;
1670
>>> CID 350429: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "count" as a loop boundary.
1671 for (i = 0; i < count; i++) {
1672 offset += sizeof(e[i].name);
1673 offset = fix_member(&e[i].offset, offset,
sizeof(e[i].offset));
1674 offset = fix_member(&e[i].length, offset,
sizeof(e[i].length));
1675 offset = fix_member(&e[i].rsvd, offset,
sizeof(e[i].rsvd));
1676 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DGKvW_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwibvgJK-2BuYN7whAG3Emw0bQHn1Oa8Pcu5zkc9xjCGLkZ-2BEFifG0kw14m6L3JHaODpHs3zvdstJCbcIrf3zAfeJAJpnLuNKaD25DMT20lk8wd23-2FKhn6sgueK1Gl-2F0NAhAGzLJwzuClWIrLkqo2p6t1WFg-3D-3D
To manage Coverity Scan email notifications for "tom.r...@gmail.com", click
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DDVrT_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwib75SfFPYaKzdACS1Z9ToCtOsih-2BMTLyAxlDzAd-2FLeYHYEN1IK1-2Fbn-2FLcv9ogc83QsLVvCuIi9jVi1nxPXJ7JAS96hMH2EUN-2FLKJO15sWXsEMyXEZiSQMhnxAEbzlEnt5Ya7usI0bf1TIUf2uxUNF2bQ-3D-3D
----- End forwarded message -----
--
Tom
signature.asc
Description: PGP signature
