----- Forwarded message from scan-ad...@coverity.com ----- Date: Tue, 06 Sep 2022 01:07:45 +0000 (UTC) From: scan-ad...@coverity.com To: tom.r...@gmail.com Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found
with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent
build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 2 of 2 defect(s)
** CID 356664: API usage errors (BUFFER_SIZE)
/lib/tpm-v2.c: 703 in tpm2_report_state()
________________________________________________________________________________________________________
*** CID 356664: API usage errors (BUFFER_SIZE)
/lib/tpm-v2.c: 703 in tpm2_report_state()
697 log_debug("ret=%s, %x\n", dev->name, ret);
698 if (ret)
699 return ret;
700 if (*recv_size < 12)
701 return -ENODATA;
702 *recv_size -= 12;
>>> CID 356664: API usage errors (BUFFER_SIZE)
>>> The source buffer "recvbuf + 12" potentially overlaps with the
>>> destination buffer "recvbuf", which results in undefined behavior for
>>> "memcpy".
703 memcpy(recvbuf, recvbuf + 12, *recv_size);
704
705 return 0;
706 }
707
708 u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
** CID 183377: (TAINTED_SCALAR)
/drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer()
/drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer()
________________________________________________________________________________________________________
*** CID 183377: (TAINTED_SCALAR)
/drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer()
729 seq = sb_tpm_index_to_seq(index);
730 if (seq < 0)
731 return log_msg_ret("index", -EINVAL);
732 printf("tpm: nvread index=%#02x, len=%#02x,
seq=%#02x\n", index,
733 length, seq);
734 *recv_len = TPM2_HDR_LEN + 6 + length;
>>> CID 183377: (TAINTED_SCALAR)
>>> Passing tainted expression "*recv_len" to "memset", which uses it as an
>>> offset. [Note: The source code implementation of the function has been
>>> overridden by a builtin model.]
735 memset(recvbuf, '\0', *recv_len);
736 put_unaligned_be32(length, recvbuf + 2);
737 sb_tpm_read_data(tpm->nvdata, seq, recvbuf,
738 TPM2_HDR_LEN + 4 + 2, length);
739 break;
740 }
/drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer()
580
581 /* Give the number of properties that follow */
582 put_unaligned_be32(property_count, recv);
583 recv += sizeof(property_count);
584
585 /* Fill with the properties */
>>> CID 183377: (TAINTED_SCALAR)
>>> Using tainted variable "property_count" as a loop boundary.
586 for (i = 0; i < property_count; i++) {
587 put_unaligned_be32(TPM2_PROPERTIES_OFFSET +
property +
588 i, recv);
589 recv += sizeof(property);
590 put_unaligned_be32(tpm->properties[property +
i],
591 recv);
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoA22WlOQ-2By3ieUvdbKmOyw68TMVT4Kip-2BBzfOGWXJ5yIiYplmPF9KAnKIja4Zd7tU-3D4Xh0_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtsqJ39YESEW2nKPYCMHF70wsixkMVibSCjQ-2FGaGw5huIkg7-2FWaEDzqOUGcMyrbAAtsYzFGNDW0J6oj0eM4yvinWio8GHNygWR2n19gx10LjZwDEeBkQkwqkhNLGzEBh5ka4haIShtRdBfXm97-2BH2LxChYnqy6cvN-2BxDI2jW9HZJA-3D-3D
To manage Coverity Scan email notifications for "tom.r...@gmail.com", click
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yped04pjJnmXOsUBtKYNIXxWeIHzDeopm-2BEWQ6S6K-2FtUHv9ZTk8qZbuzkkz9sa-2BJFzf226DuRd-2B2ygQlLnerl-2BA3jN1AOYejXZ-2FNZ62waJHedPFGpqqjTx8fawy9KPJBno-3DsyQ2_EEm8SbLgSDsaDZif-2Bv7ch8WqhKpLoKErHi4nXpwDNTtsqJ39YESEW2nKPYCMHF700mhadf4YcMAqAcj9oPFjTlJ2s4EcIQU2bFVkOb10WKv-2FZ2t9vT4MUzH6ZOeXZ7qzOdr4JI8cQEPg4D8Tf3kLp0qolYqirx5tuUYCJh6JJ8ik6zvle859z9fd8Tb07Eb4SVxS10DXjSaXXriNevOzvQ-3D-3D
----- End forwarded message -----
--
Tom
signature.asc
Description: PGP signature
