----- Forwarded message from scan-ad...@coverity.com ----- Date: Tue, 06 Sep 2022 01:07:45 +0000 (UTC) From: scan-ad...@coverity.com To: tom.r...@gmail.com Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi, Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan. 2 new defect(s) introduced to Das U-Boot found with Coverity Scan. 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 2 of 2 defect(s) ** CID 356664: API usage errors (BUFFER_SIZE) /lib/tpm-v2.c: 703 in tpm2_report_state() ________________________________________________________________________________________________________ *** CID 356664: API usage errors (BUFFER_SIZE) /lib/tpm-v2.c: 703 in tpm2_report_state() 697 log_debug("ret=%s, %x\n", dev->name, ret); 698 if (ret) 699 return ret; 700 if (*recv_size < 12) 701 return -ENODATA; 702 *recv_size -= 12; >>> CID 356664: API usage errors (BUFFER_SIZE) >>> The source buffer "recvbuf + 12" potentially overlaps with the >>> destination buffer "recvbuf", which results in undefined behavior for >>> "memcpy". 703 memcpy(recvbuf, recvbuf + 12, *recv_size); 704 705 return 0; 706 } 707 708 u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd, ** CID 183377: (TAINTED_SCALAR) /drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer() /drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer() ________________________________________________________________________________________________________ *** CID 183377: (TAINTED_SCALAR) /drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer() 729 seq = sb_tpm_index_to_seq(index); 730 if (seq < 0) 731 return log_msg_ret("index", -EINVAL); 732 printf("tpm: nvread index=%#02x, len=%#02x, seq=%#02x\n", index, 733 length, seq); 734 *recv_len = TPM2_HDR_LEN + 6 + length; >>> CID 183377: (TAINTED_SCALAR) >>> Passing tainted expression "*recv_len" to "memset", which uses it as an >>> offset. [Note: The source code implementation of the function has been >>> overridden by a builtin model.] 735 memset(recvbuf, '\0', *recv_len); 736 put_unaligned_be32(length, recvbuf + 2); 737 sb_tpm_read_data(tpm->nvdata, seq, recvbuf, 738 TPM2_HDR_LEN + 4 + 2, length); 739 break; 740 } /drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer() 580 581 /* Give the number of properties that follow */ 582 put_unaligned_be32(property_count, recv); 583 recv += sizeof(property_count); 584 585 /* Fill with the properties */ >>> CID 183377: (TAINTED_SCALAR) >>> Using tainted variable "property_count" as a loop boundary. 586 for (i = 0; i < property_count; i++) { 587 put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property + 588 i, recv); 589 recv += sizeof(property); 590 put_unaligned_be32(tpm->properties[property + i], 591 recv); ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3D4Xh0_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtsqJ39YESEW2nKPYCMHF70wsixkMVibSCjQ-2FGaGw5huIkg7-2FWaEDzqOUGcMyrbAAtsYzFGNDW0J6oj0eM4yvinWio8GHNygWR2n19gx10LjZwDEeBkQkwqkhNLGzEBh5ka4haIShtRdBfXm97-2BH2LxChYnqy6cvN-2BxDI2jW9HZJA-3D-3D To manage Coverity Scan email notifications for "tom.r...@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFzf226DuRd-2B2ygQlLnerl-2BA3jN1AOYejXZ-2FNZ62waJHedPFGpqqjTx8fawy9KPJBno-3DsyQ2_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtsqJ39YESEW2nKPYCMHF700mhadf4YcMAqAcj9oPFjTlJ2s4EcIQU2bFVkOb10WKv-2FZ2t9vT4MUzH6ZOeXZ7qzOdr4JI8cQEPg4D8Tf3kLp0qolYqirx5tuUYCJh6JJ8ik6zvle859z9fd8Tb07Eb4SVxS10DXjSaXXriNevOzvQ-3D-3D ----- End forwarded message ----- -- Tom
signature.asc
Description: PGP signature