So I've updated to the latest tool and that's why there's so many new
defects found in old code.

----- Forwarded message from scan-ad...@coverity.com -----

Date: Sat, 05 Mar 2022 17:28:09 +0000 (UTC)
From: scan-ad...@coverity.com
To: tom.r...@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot

Hi,

Please find the latest report on new defect(s) introduced to Das U-Boot found 
with Coverity Scan.

43 new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent 
build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 43 defect(s)


** CID 350448:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350448:  Insecure data handling  (TAINTED_SCALAR)
/cmd/abootimg.c: 90 in abootimg_get_dtb_load_addr()
84              goto exit;
85      }
86     
87      if (argc == 0)
88              printf("%lx\n", (ulong)hdr->dtb_addr);
89      else
>>>     CID 350448:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "hdr->dtb_addr" to "env_set_hex", which uses 
>>> it as an offset.
90              env_set_hex(argv[0], (ulong)hdr->dtb_addr);
91     
92     exit:
93      unmap_sysmem(hdr);
94      return res;
95     }

** CID 350447:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/nvme/nvme.c: 772 in nvme_blk_rw()


________________________________________________________________________________________________________
*** CID 350447:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/drivers/nvme/nvme.c: 772 in nvme_blk_rw()
766                     c.rw.prp1 = cpu_to_le64(temp_buffer);
767                     c.rw.prp2 = cpu_to_le64(prp2);
768                     status = nvme_submit_sync_cmd(dev->queues[NVME_IO_Q],
769                                     &c, NULL, IO_TIMEOUT);
770                     if (status)
771                             break;
>>>     CID 350447:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "(u32)lbas << ns->lba_shift" with 
>>> type "u32" (32 bits, unsigned) is evaluated using 32-bit arithmetic, and 
>>> then used in a context that expects an expression of type "u64" (64 bits, 
>>> unsigned).
772                     temp_len -= (u32)lbas << ns->lba_shift;
773                     temp_buffer += lbas << ns->lba_shift;
774             }
775     
776             if (read)
777                     invalidate_dcache_range((unsigned long)buffer,

** CID 350446:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350446:    (TAINTED_SCALAR)
/fs/fat/fat.c: 1016 in fat_itr_next()
1010                    }
1011     
1012                    /* short file name */
1013                    break;
1014            }
1015     
>>>     CID 350446:    (TAINTED_SCALAR)
>>>     Passing tainted expression "dent->nameext" to "get_name", which uses it 
>>> as an offset.
1016            get_name(dent, itr->s_name);
1017            if (!itr->name)
1018                    itr->name = itr->s_name;
1019     
1020            return 1;
1021     }
/fs/fat/fat.c: 1016 in fat_itr_next()
1010                    }
1011     
1012                    /* short file name */
1013                    break;
1014            }
1015     
>>>     CID 350446:    (TAINTED_SCALAR)
>>>     Passing tainted expression "dent->nameext" to "get_name", which uses it 
>>> as an offset.
1016            get_name(dent, itr->s_name);
1017            if (!itr->name)
1018                    itr->name = itr->s_name;
1019     
1020            return 1;
1021     }
/fs/fat/fat.c: 1016 in fat_itr_next()
1010                    }
1011     
1012                    /* short file name */
1013                    break;
1014            }
1015     
>>>     CID 350446:    (TAINTED_SCALAR)
>>>     Passing tainted expression "dent->nameext" to "get_name", which uses it 
>>> as an offset.
1016            get_name(dent, itr->s_name);
1017            if (!itr->name)
1018                    itr->name = itr->s_name;
1019     
1020            return 1;
1021     }

** CID 350445:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350445:    (TAINTED_SCALAR)
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446                                    fprintf(stderr, " -p N   - Nth binary 
header image (totally: %d)\n",
2447                                            cur_idx - 1);
2448                            return -1;
2449                    }
2450            }
2451     
>>>     CID 350445:    (TAINTED_SCALAR)
>>>     Passing tainted expression "size" to "imagetool_save_subimage", which 
>>> uses it as an offset.
2452            return imagetool_save_subimage(params->outfile, image, size);
2453     }
2454     
2455     /*
2456      * Report Error if xflag is set in addition to default
2457      */
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446                                    fprintf(stderr, " -p N   - Nth binary 
header image (totally: %d)\n",
2447                                            cur_idx - 1);
2448                            return -1;
2449                    }
2450            }
2451     
>>>     CID 350445:    (TAINTED_SCALAR)
>>>     Passing tainted expression "size" to "imagetool_save_subimage", which 
>>> uses it as an offset.
2452            return imagetool_save_subimage(params->outfile, image, size);
2453     }
2454     
2455     /*
2456      * Report Error if xflag is set in addition to default
2457      */
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446                                    fprintf(stderr, " -p N   - Nth binary 
header image (totally: %d)\n",
2447                                            cur_idx - 1);
2448                            return -1;
2449                    }
2450            }
2451     
>>>     CID 350445:    (TAINTED_SCALAR)
>>>     Passing tainted expression "size" to "imagetool_save_subimage", which 
>>> uses it as an offset.
2452            return imagetool_save_subimage(params->outfile, image, size);
2453     }
2454     
2455     /*
2456      * Report Error if xflag is set in addition to default
2457      */
/tools/kwbimage.c: 2452 in kwbimage_extract_subimage()
2446                                    fprintf(stderr, " -p N   - Nth binary 
header image (totally: %d)\n",
2447                                            cur_idx - 1);
2448                            return -1;
2449                    }
2450            }
2451     
>>>     CID 350445:    (TAINTED_SCALAR)
>>>     Passing tainted expression "size" to "imagetool_save_subimage", which 
>>> uses it as an offset.
2452            return imagetool_save_subimage(params->outfile, image, size);
2453     }
2454     
2455     /*
2456      * Report Error if xflag is set in addition to default
2457      */

** CID 350444:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-android.c: 354 in android_image_get_dtb_by_index()


________________________________________________________________________________________________________
*** CID 350444:  Insecure data handling  (TAINTED_SCALAR)
/boot/image-android.c: 354 in android_image_get_dtb_by_index()
348             /* Find out the address of DTB with specified index in concat 
blobs */
349             hdr = map_sysmem(hdr_addr, sizeof(*hdr));
350             dtb_img_size = hdr->dtb_size;
351             unmap_sysmem(hdr);
352             i = 0;
353             dtb_addr = dtb_img_addr;
>>>     CID 350444:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "dtb_img_addr + dtb_img_size" as a loop boundary.
354             while (dtb_addr < dtb_img_addr + dtb_img_size) {
355                     const struct fdt_header *fdt;
356                     u32 dtb_size;
357     
358                     fdt = map_sysmem(dtb_addr, sizeof(*fdt));
359                     if (fdt_check_header(fdt) != 0) {

** CID 350443:    (TAINTED_SCALAR)
/drivers/nvme/nvme.c: 862 in nvme_init()


________________________________________________________________________________________________________
*** CID 350443:    (TAINTED_SCALAR)
/drivers/nvme/nvme.c: 862 in nvme_init()
856             id = memalign(ndev->page_size, sizeof(struct nvme_id_ns));
857             if (!id) {
858                     ret = -ENOMEM;
859                     goto free_queue;
860             }
861     
>>>     CID 350443:    (TAINTED_SCALAR)
>>>     Using tainted variable "ndev->nn" as a loop boundary.
862             for (int i = 1; i <= ndev->nn; i++) {
863                     struct udevice *ns_udev;
864                     char name[20];
865     
866                     memset(id, 0, sizeof(*id));
867                     if (nvme_identify(ndev, i, 0, (dma_addr_t)(long)id)) {
/drivers/nvme/nvme.c: 889 in nvme_init()
883                     ret = blk_create_devicef(udev, "nvme-blk", name, 
IF_TYPE_NVME,
884                                              -1, 512, 0, &ns_udev);
885                     if (ret)
886                             goto free_id;
887             }
888     
>>>     CID 350443:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*id" to "dlfree", which uses it as an 
>>> offset.
889             free(id);
890             return 0;
891     
892     free_id:
893             free(id);
894     free_queue:
/drivers/nvme/nvme.c: 893 in nvme_init()
887             }
888     
889             free(id);
890             return 0;
891     
892     free_id:
>>>     CID 350443:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*id" to "dlfree", which uses it as an 
>>> offset.
893             free(id);
894     free_queue:
895             free((void *)ndev->queues);
896     free_nvme:
897             return ret;
898     }

** CID 350442:  Memory - corruptions  (OVERRUN)
/env/common.c: 103 in eth_env_set_enetaddr()


________________________________________________________________________________________________________
*** CID 350442:  Memory - corruptions  (OVERRUN)
/env/common.c: 103 in eth_env_set_enetaddr()
97     {
98      char buf[ARP_HLEN_ASCII + 1];
99     
100             if (eth_env_get_enetaddr(name, (uint8_t *)buf))
101                     return -EEXIST;
102     
>>>     CID 350442:  Memory - corruptions  (OVERRUN)
>>>     "sprintf" will overrun its first argument "buf" which can accommodate 
>>> 18 bytes.  The number of bytes written may be 20 bytes, including the 
>>> terminating null.
103             sprintf(buf, "%pM", enetaddr);
104     
105             return env_set(name, buf);
106     }
107     
108     /*

** CID 350441:    (TAINTED_SCALAR)
/tools/ifwitool.c: 1888 in ifwi_dir_extract()


________________________________________________________________________________________________________
*** CID 350441:    (TAINTED_SCALAR)
/tools/ifwitool.c: 1907 in ifwi_dir_extract()
1901     
1902            DEBUG("Splicing buffer at 0x%x size 0x%x\n", s->e[i].offset,
1903                  s->e[i].length);
1904            buffer_splice(&dst, &ifwi_image.subpart_buf[type], 
s->e[i].offset,
1905                          s->e[i].length);
1906     
>>>     CID 350441:    (TAINTED_SCALAR)
>>>     Passing tainted expression "dst.size" to "buffer_write_file", which 
>>> uses it as an offset.
1907            if (buffer_write_file(&dst, param.file_name))
1908                    return COMMAND_ERR;
1909     
1910            printf("Sub-Partition %s(%d), entry(%s) stored in %s.\n",
1911                   param.subpart_name, type, param.dentry_name, 
param.file_name);
1912     
/tools/ifwitool.c: 1888 in ifwi_dir_extract()
1882            parse_subpart_dir(&subpart_dir_buff, 
&ifwi_image.subpart_buf[type],
1883                              subparts[type].name);
1884     
1885            uint32_t i;
1886            struct subpart_dir *s = buffer_get(&subpart_dir_buff);
1887     
>>>     CID 350441:    (TAINTED_SCALAR)
>>>     Using tainted variable "s->h.num_entries" as a loop boundary.
1888            for (i = 0; i < s->h.num_entries; i++) {
1889                    if (!strncmp((char *)s->e[i].name, param.dentry_name,
1890                                 sizeof(s->e[i].name)))
1891                            break;
1892            }
1893     

** CID 350440:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 350440:  Memory - corruptions  (OVERRUN)
/drivers/block/ide.c: 615 in ide_ident()
609     #endif
610     
611             ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS);
612     
613             ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev,
614                       sizeof(dev_desc->revision));
>>>     CID 350440:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "iop.model" of 40 bytes by passing it to a function 
>>> which accesses it at byte offset 40 using argument "41U".
615             ident_cpy((unsigned char *)dev_desc->vendor, iop.model,
616                       sizeof(dev_desc->vendor));
617             ident_cpy((unsigned char *)dev_desc->product, iop.serial_no,
618                       sizeof(dev_desc->product));
619     
620             if ((iop.config & 0x0080) == 0x0080)

** CID 350439:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350439:  Insecure data handling  (TAINTED_SCALAR)
/disk/part_efi.c: 257 in part_print_efi()
251                             printf("\ttype:\t%pUl\n", uuid);
252                     uuid = (unsigned char 
*)gpt_pte[i].unique_partition_guid.b;
253                     printf("\tguid:\t%pUl\n", uuid);
254             }
255     
256             /* Remember to free pte */
>>>     CID 350439:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an 
>>> offset.
257             free(gpt_pte);
258             return;
259     }
260     
261     int part_get_info_efi(struct blk_desc *dev_desc, int part,
262                           struct disk_partition *info)

** CID 350438:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350438:    (TAINTED_SCALAR)
/disk/part_efi.c: 281 in part_get_info_efi()
275                     return -1;
276     
277             if (part > le32_to_cpu(gpt_head->num_partition_entries) ||
278                 !is_pte_valid(&gpt_pte[part - 1])) {
279                     debug("%s: *** ERROR: Invalid partition number %d 
***\n",
280                             __func__, part);
>>>     CID 350438:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an 
>>> offset.
281                     free(gpt_pte);
282                     return -1;
283             }
284     
285             /* The 'lbaint_t' casting may limit the maximum disk size to 2 
TB */
286             info->start = (lbaint_t)le64_to_cpu(gpt_pte[part - 
1].starting_lba);
/disk/part_efi.c: 309 in part_get_info_efi()
303     #endif
304     
305             debug("%s: start 0x" LBAF ", size 0x" LBAF ", name %s\n", 
__func__,
306                   info->start, info->size, info->name);
307     
308             /* Remember to free pte */
>>>     CID 350438:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an 
>>> offset.
309             free(gpt_pte);
310             return 0;
311     }
312     
313     static int part_test_efi(struct blk_desc *dev_desc)
314     {

** CID 350437:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350437:  Insecure data handling  (TAINTED_SCALAR)
/disk/part_efi.c: 687 in gpt_verify_headers()
681                     printf("%s: *** ERROR: Invalid GPT ***\n",
682                            __func__);
683                     return -1;
684             }
685     
686             /* Free pte before allocating again */
>>>     CID 350437:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "**gpt_pte" to "dlfree", which uses it as an 
>>> offset.
687             free(*gpt_pte);
688     
689             /*
690              * Check that the alternate_lba entry points to the last LBA
691              */
692             if (le64_to_cpu(gpt_head->alternate_lba) != (dev_desc->lba - 
1)) {

** CID 350436:  Insecure data handling  (TAINTED_SCALAR)
/tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer()


________________________________________________________________________________________________________
*** CID 350436:  Insecure data handling  (TAINTED_SCALAR)
/tools/ifwitool.c: 1456 in bpdt_fixup_write_buffer()
1450            offset = fix_member(&h->ifwi_version, offset, 
sizeof(h->ifwi_version));
1451            offset = fix_member(&h->fit_tool_version, offset,
1452                                sizeof(h->fit_tool_version));
1453     
1454            uint32_t i;
1455     
>>>     CID 350436:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1456            for (i = 0; i < count; i++) {
1457                    offset = fix_member(&e[i].type, offset, 
sizeof(e[i].type));
1458                    offset = fix_member(&e[i].flags, offset, 
sizeof(e[i].flags));
1459                    offset = fix_member(&e[i].offset, offset, 
sizeof(e[i].offset));
1460                    offset = fix_member(&e[i].size, offset, 
sizeof(e[i].size));
1461            }

** CID 350435:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350435:  Insecure data handling  (TAINTED_SCALAR)
/cmd/extension_board.c: 56 in extension_apply()
50     
51      blob = map_sysmem(overlay_addr, 0);
52      if (!fdt_valid(&blob))
53              return CMD_RET_FAILURE;
54     
55      /* apply method prints messages on error */
>>>     CID 350435:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*blob" to "fdt_overlay_apply_verbose", 
>>> which uses it as an offset.
56      if (fdt_overlay_apply_verbose(working_fdt, blob))
57              return CMD_RET_FAILURE;
58     
59      return CMD_RET_SUCCESS;
60     }
61     

** CID 350434:  Uninitialized variables  (UNINIT)


________________________________________________________________________________________________________
*** CID 350434:  Uninitialized variables  (UNINIT)
/lib/efi_loader/efi_device_path_to_text.c: 435 in 
efi_convert_device_path_to_text()
429                             str = efi_convert_single_device_node_to_text(
430                                                             str, 
device_path);
431                     }
432                     *(u8 **)&device_path += device_path->length;
433             }
434     
>>>     CID 350434:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "*buffer" when calling "efi_str_to_u16".
435             text = efi_str_to_u16(buffer);
436     
437     out:
438             EFI_EXIT(EFI_SUCCESS);
439             return text;
440     }

** CID 350433:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 350433:  Memory - corruptions  (OVERRUN)
/drivers/block/ide.c: 613 in ide_ident()
607             if (retries == 2)       /* Not found */
608                     return;
609     #endif
610     
611             ide_input_swap_data(device, (ulong *)&iop, ATA_SECTORWORDS);
612     
>>>     CID 350433:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "iop.fw_rev" of 8 bytes by passing it to a function 
>>> which accesses it at byte offset 8 using argument "9U".
613             ident_cpy((unsigned char *)dev_desc->revision, iop.fw_rev,
614                       sizeof(dev_desc->revision));
615             ident_cpy((unsigned char *)dev_desc->vendor, iop.model,
616                       sizeof(dev_desc->vendor));
617             ident_cpy((unsigned char *)dev_desc->product, iop.serial_no,
618                       sizeof(dev_desc->product));

** CID 350432:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350432:    (TAINTED_SCALAR)
/cmd/gpt.c: 650 in gpt_verify()
644             /* Check partition layout with provided pattern */
645             ret = gpt_verify_partitions(blk_dev_desc, partitions, 
part_count,
646                                         gpt_head, &gpt_pte);
647             free(str_disk_guid);
648             free(partitions);
649      out:
>>>     CID 350432:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an 
>>> offset.
650             free(gpt_pte);
651             return ret;
652     }
653     
654     /**
655      * gpt_enumerate() - Enumerate partition names into environment 
variable.
/cmd/gpt.c: 650 in gpt_verify()
644             /* Check partition layout with provided pattern */
645             ret = gpt_verify_partitions(blk_dev_desc, partitions, 
part_count,
646                                         gpt_head, &gpt_pte);
647             free(str_disk_guid);
648             free(partitions);
649      out:
>>>     CID 350432:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an 
>>> offset.
650             free(gpt_pte);
651             return ret;
652     }
653     
654     /**
655      * gpt_enumerate() - Enumerate partition names into environment 
variable.
/cmd/gpt.c: 650 in gpt_verify()
644             /* Check partition layout with provided pattern */
645             ret = gpt_verify_partitions(blk_dev_desc, partitions, 
part_count,
646                                         gpt_head, &gpt_pte);
647             free(str_disk_guid);
648             free(partitions);
649      out:
>>>     CID 350432:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an 
>>> offset.
650             free(gpt_pte);
651             return ret;
652     }
653     
654     /**
655      * gpt_enumerate() - Enumerate partition names into environment 
variable.
/cmd/gpt.c: 650 in gpt_verify()
644             /* Check partition layout with provided pattern */
645             ret = gpt_verify_partitions(blk_dev_desc, partitions, 
part_count,
646                                         gpt_head, &gpt_pte);
647             free(str_disk_guid);
648             free(partitions);
649      out:
>>>     CID 350432:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*gpt_pte" to "dlfree", which uses it as an 
>>> offset.
650             free(gpt_pte);
651             return ret;
652     }
653     
654     /**
655      * gpt_enumerate() - Enumerate partition names into environment 
variable.

** CID 350431:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350431:    (TAINTED_SCALAR)
/tools/ifwitool.c: 1974 in ifwi_print()
1968     
1969            bpdt_print_header(&b->h, "BPDT");
1970            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971     
1972            b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973            bpdt_print_header(&b->h, "S-BPDT");
>>>     CID 350431:    (TAINTED_SCALAR)
>>>     Passing tainted expression "b->h.descriptor_count" to 
>>> "bpdt_print_entries", which uses it as a loop boundary.
1974            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975     
1976            if (param.dir_ops == 0) {
1977                    verbose -= 2;
1978                    return NO_ACTION_REQUIRED;
1979            }
/tools/ifwitool.c: 1970 in ifwi_print()
1964     {
1965            verbose += 2;
1966     
1967            struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1968     
1969            bpdt_print_header(&b->h, "BPDT");
>>>     CID 350431:    (TAINTED_SCALAR)
>>>     Passing tainted expression "b->h.descriptor_count" to 
>>> "bpdt_print_entries", which uses it as a loop boundary.
1970            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971     
1972            b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973            bpdt_print_header(&b->h, "S-BPDT");
1974            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975     
/tools/ifwitool.c: 1989 in ifwi_print()
1983     
1984            for (i = 0; i < MAX_SUBPARTS ; i++) {
1985                    if (!(subparts[i].attr & CONTAINS_DIR) ||
1986                        (buffer_size(&ifwi_image.subpart_buf[i]) == 0))
1987                            continue;
1988     
>>>     CID 350431:    (TAINTED_SCALAR)
>>>     Passing tainted expression "*subpart_dir_buf.data" to 
>>> "parse_subpart_dir", which uses it as a loop boundary.
1989                    parse_subpart_dir(&subpart_dir_buf, 
&ifwi_image.subpart_buf[i],
1990                                      subparts[i].name);
1991                    buffer_delete(&subpart_dir_buf);
1992            }
1993     
1994            verbose -= 2;
/tools/ifwitool.c: 1970 in ifwi_print()
1964     {
1965            verbose += 2;
1966     
1967            struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1968     
1969            bpdt_print_header(&b->h, "BPDT");
>>>     CID 350431:    (TAINTED_SCALAR)
>>>     Passing tainted expression "b->e[0].type" to "bpdt_print_entries", 
>>> which uses it as an offset.
1970            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971     
1972            b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973            bpdt_print_header(&b->h, "S-BPDT");
1974            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975     
/tools/ifwitool.c: 1974 in ifwi_print()
1968     
1969            bpdt_print_header(&b->h, "BPDT");
1970            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1971     
1972            b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1973            bpdt_print_header(&b->h, "S-BPDT");
>>>     CID 350431:    (TAINTED_SCALAR)
>>>     Passing tainted expression "b->e[0].type" to "bpdt_print_entries", 
>>> which uses it as an offset.
1974            bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1975     
1976            if (param.dir_ops == 0) {
1977                    verbose -= 2;
1978                    return NO_ACTION_REQUIRED;
1979            }

** CID 350430:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 350430:  Insecure data handling  (TAINTED_SCALAR)
/disk/part_efi.c: 1072 in alloc_read_gpt_entries()
1066     
1067            /* Read GPT Entries from device */
1068            blk = le64_to_cpu(pgpt_head->partition_entry_lba);
1069            blk_cnt = BLOCK_CNT(count, dev_desc);
1070            if (blk_dread(dev_desc, blk, (lbaint_t)blk_cnt, pte) != 
blk_cnt) {
1071                    printf("*** ERROR: Can't read GPT Entries ***\n");
>>>     CID 350430:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "*pte" to "dlfree", which uses it as an 
>>> offset.
1072                    free(pte);
1073                    return NULL;
1074            }
1075            return pte;
1076     }
1077     

** CID 350429:  Insecure data handling  (TAINTED_SCALAR)
/tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer()


________________________________________________________________________________________________________
*** CID 350429:  Insecure data handling  (TAINTED_SCALAR)
/tools/ifwitool.c: 1671 in subpart_dir_fixup_write_buffer()
1665                                sizeof(h->header_length));
1666            offset = fix_member(&h->checksum, offset, sizeof(h->checksum));
1667            offset += sizeof(h->name);
1668     
1669            uint32_t i;
1670     
>>>     CID 350429:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "count" as a loop boundary.
1671            for (i = 0; i < count; i++) {
1672                    offset += sizeof(e[i].name);
1673                    offset = fix_member(&e[i].offset, offset, 
sizeof(e[i].offset));
1674                    offset = fix_member(&e[i].length, offset, 
sizeof(e[i].length));
1675                    offset = fix_member(&e[i].rsvd, offset, 
sizeof(e[i].rsvd));
1676            }


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3DGKvW_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwibvgJK-2BuYN7whAG3Emw0bQHn1Oa8Pcu5zkc9xjCGLkZ-2BEFifG0kw14m6L3JHaODpHs3zvdstJCbcIrf3zAfeJAJpnLuNKaD25DMT20lk8wd23-2FKhn6sgueK1Gl-2F0NAhAGzLJwzuClWIrLkqo2p6t1WFg-3D-3D

  To manage Coverity Scan email notifications for "tom.r...@gmail.com", click 
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFw4elYDyedRVZOC-2ButxjBZdouVmTGuWB6Aj6G7lm7t25-2Biv1B-2B9082pHzCCex2kqMs-3DDVrT_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtc7gEAOgWMAeiVB7LaCwib75SfFPYaKzdACS1Z9ToCtOsih-2BMTLyAxlDzAd-2FLeYHYEN1IK1-2Fbn-2FLcv9ogc83QsLVvCuIi9jVi1nxPXJ7JAS96hMH2EUN-2FLKJO15sWXsEMyXEZiSQMhnxAEbzlEnt5Ya7usI0bf1TIUf2uxUNF2bQ-3D-3D


----- End forwarded message -----

-- 
Tom

Attachment: signature.asc
Description: PGP signature

Reply via email to