Here's the latest report ---------- Forwarded message --------- From: <scan-ad...@coverity.com> Date: Mon, Oct 23, 2023 at 4:40 PM Subject: New Defects reported by Coverity Scan for Das U-Boot To: <tom.r...@gmail.com>
Hi, Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan. 16 new defect(s) introduced to Das U-Boot found with Coverity Scan. 6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 16 of 16 defect(s) ** CID 467060: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 467060: (TAINTED_SCALAR) /boot/bootmeth_cros.c: 184 in scan_part() 178 if (ret != num_blks) { 179 free(hdr); 180 return log_msg_ret("inf", -EIO); 181 } 182 183 if (memcmp(VB2_KEYBLOCK_MAGIC, hdr->magic, VB2_KEYBLOCK_MAGIC_SIZE)) { >>> CID 467060: (TAINTED_SCALAR) >>> Passing tainted expression "*hdr" to "dlfree", which uses it as an >>> offset. 184 free(hdr); 185 log_debug("no magic\n"); 186 return -ENOENT; 187 } 188 189 *hdrp = hdr; /boot/bootmeth_cros.c: 179 in scan_part() 173 blk->name, (ulong)info->start, num_blks); 174 hdr = memalign(SZ_1K, PROBE_SIZE); 175 if (!hdr) 176 return log_msg_ret("hdr", -ENOMEM); 177 ret = blk_read(blk, info->start, num_blks, hdr); 178 if (ret != num_blks) { >>> CID 467060: (TAINTED_SCALAR) >>> Passing tainted expression "*hdr" to "dlfree", which uses it as an >>> offset. 
179 free(hdr); 180 return log_msg_ret("inf", -EIO); 181 } 182 183 if (memcmp(VB2_KEYBLOCK_MAGIC, hdr->magic, VB2_KEYBLOCK_MAGIC_SIZE)) { 184 free(hdr); ** CID 467059: Integer handling issues (INCOMPATIBLE_CAST) ________________________________________________________________________________________________________ *** CID 467059: Integer handling issues (INCOMPATIBLE_CAST) /drivers/mtd/nvmxip/nvmxip_qspi.c: 47 in nvmxip_qspi_of_to_plat() 41 ret = dev_read_u32(dev, "lba_shift", &plat->lba_shift); 42 if (ret) { 43 log_err("[%s]: can not get lba_shift from device tree\n", dev->name); 44 return -EINVAL; 45 } 46 >>> CID 467059: Integer handling issues (INCOMPATIBLE_CAST) >>> Pointer "&plat->lba" points to an object whose effective type is >>> "unsigned long" (64 bits, unsigned) but is dereferenced as a narrower >>> "unsigned int" (32 bits, unsigned). This may lead to unexpected results >>> depending on machine endianness. 47 ret = dev_read_u32(dev, "lba", (u32 *)&plat->lba); 48 if (ret) { 49 log_err("[%s]: can not get lba from device tree\n", dev->name); 50 return -EINVAL; 51 } 52 ** CID 467058: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 467058: Insecure data handling (TAINTED_SCALAR) /drivers/core/ofnode.c: 1629 in ofnode_write_u32() 1623 log_debug("%s = %x", propname, value); 1624 val = malloc(sizeof(*val)); 1625 if (!val) 1626 return -ENOMEM; 1627 *val = cpu_to_fdt32(value); 1628 >>> CID 467058: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "*val" to "ofnode_write_prop", which uses it >>> as an offset. 
1629 return ofnode_write_prop(node, propname, val, sizeof(value), true); 1630 } 1631 1632 int ofnode_write_u64(ofnode node, const char *propname, u64 value) 1633 { 1634 fdt64_t *val; ** CID 467057: Uninitialized variables (UNINIT) ________________________________________________________________________________________________________ *** CID 467057: Uninitialized variables (UNINIT) /boot/bootflow.c: 320 in iter_incr() 314 * Probe the bootdev. This does not probe any attached 315 * block device, since they are siblings 316 */ 317 ret = device_probe(dev); 318 log_debug("probe %s %d\n", dev->name, ret); 319 if (!log_msg_ret("probe", ret)) >>> CID 467057: Uninitialized variables (UNINIT) >>> Using uninitialized value "method_flags" when calling >>> "bootflow_iter_set_dev". 320 bootflow_iter_set_dev(iter, dev, method_flags); 321 } 322 } 323 324 /* if there are no more bootdevs, give up */ 325 if (ret) ** CID 467056: Control flow issues (NO_EFFECT) /common/cli_readline.c: 321 in cread_line_process_ch() ________________________________________________________________________________________________________ *** CID 467056: Control flow issues (NO_EFFECT) /common/cli_readline.c: 321 in cread_line_process_ch() 315 break; 316 case CTL_CH('w'): 317 if (cls->num) { 318 uint base, wlen; 319 320 for (base = cls->num - 1; >>> CID 467056: Control flow issues (NO_EFFECT) >>> This greater-than-or-equal-to-zero comparison of an unsigned value is >>> always true. "base >= 0U". >>> Reviewer note: because base is declared uint (line 318), this check can never terminate the loop; if every character before cls->num is a space, base-- wraps to UINT_MAX and buf[base] is then read out of bounds. The loop needs an explicit stop at base == 0 (or a signed index) rather than the always-true comparison. 
321 base >= 0 && buf[base] == ' ';) 322 base--; 323 for (; base > 0 && buf[base - 1] != ' ';) 324 base--; 325 326 /* now delete chars from base to cls->num */ ** CID 467055: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 467055: (TAINTED_SCALAR) /boot/bootmeth_cros.c: 372 in cros_read_bootflow() 366 log_debug("- scan failed: err=%d\n", ret); 367 return log_msg_ret("scan", ret); 368 } 369 370 priv = malloc(sizeof(struct cros_priv)); 371 if (!priv) { >>> CID 467055: (TAINTED_SCALAR) >>> Passing tainted expression "*hdr" to "dlfree", which uses it as an >>> offset. 372 free(hdr); 373 return log_msg_ret("buf", -ENOMEM); 374 } 375 bflow->bootmeth_priv = priv; 376 377 log_debug("Selected partition %d, header at %lx\n", bflow->part, /boot/bootmeth_cros.c: 391 in cros_read_bootflow() 385 /* Now read everything we can learn about kernel */ 386 #if CONFIG_IS_ENABLED(PARTITION_UUIDS) 387 uuid = info.uuid; 388 #endif 389 ret = cros_read_info(bflow, uuid, preamble); 390 preamble = NULL; >>> CID 467055: (TAINTED_SCALAR) >>> Passing tainted expression "*hdr" to "dlfree", which uses it as an >>> offset. 391 free(hdr); 392 if (ret) { 393 free(priv->info_buf); 394 free(priv); 395 return log_msg_ret("inf", ret); 396 } ** CID 467054: Resource leaks (RESOURCE_LEAK) /tools/sfspl.c: 118 in sfspl_image_extract_subimage() ________________________________________________________________________________________________________ *** CID 467054: Resource leaks (RESOURCE_LEAK) /tools/sfspl.c: 118 in sfspl_image_extract_subimage() 112 if (fd == -1) { 113 perror("Can write file"); 114 return EXIT_FAILURE; 115 } 116 if (write(fd, &buf[hdr_size], file_size) != file_size) { 117 perror("Cannot write file"); >>> CID 467054: Resource leaks (RESOURCE_LEAK) >>> Handle variable "fd" going out of scope leaks the handle. 
118 return EXIT_FAILURE; 119 } 120 close(fd); 121 122 return EXIT_SUCCESS; 123 } ** CID 467053: (RESOURCE_LEAK) /tools/mkeficapsule.c: 859 in dump_capsule_contents() /tools/mkeficapsule.c: 859 in dump_capsule_contents() ________________________________________________________________________________________________________ *** CID 467053: (RESOURCE_LEAK) /tools/mkeficapsule.c: 859 in dump_capsule_contents() 853 empty_capsule_dump(ptr); 854 } else { 855 fprintf(stderr, "Unable to decode the capsule file: %s\n", 856 capsule_file); 857 exit(EXIT_FAILURE); 858 } >>> CID 467053: (RESOURCE_LEAK) >>> Variable "ptr" going out of scope leaks the storage it points to. 859 } 860 861 /** 862 * main - main entry function of mkeficapsule 863 * @argc: Number of arguments 864 * @argv: Array of pointers to arguments /tools/mkeficapsule.c: 859 in dump_capsule_contents() 853 empty_capsule_dump(ptr); 854 } else { 855 fprintf(stderr, "Unable to decode the capsule file: %s\n", 856 capsule_file); 857 exit(EXIT_FAILURE); 858 } >>> CID 467053: (RESOURCE_LEAK) >>> Variable "ptr" going out of scope leaks the storage it points to. 859 } 860 861 /** 862 * main - main entry function of mkeficapsule 863 * @argc: Number of arguments 864 * @argv: Array of pointers to arguments ** CID 467052: Insecure data handling (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 467052: Insecure data handling (TAINTED_SCALAR) /drivers/core/ofnode.c: 1644 in ofnode_write_u64() 1638 log_debug("%s = %llx", propname, (unsigned long long)value); 1639 val = malloc(sizeof(*val)); 1640 if (!val) 1641 return -ENOMEM; 1642 *val = cpu_to_fdt64(value); 1643 >>> CID 467052: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "*val" to "ofnode_write_prop", which uses it >>> as an offset. 
1644 return ofnode_write_prop(node, propname, val, sizeof(value), true); 1645 } 1646 1647 int ofnode_write_bool(ofnode node, const char *propname, bool value) 1648 { 1649 if (value) ** CID 467051: API usage errors (CHAR_IO) /common/cli_readline.c: 550 in cread_line_simple() ________________________________________________________________________________________________________ *** CID 467051: API usage errors (CHAR_IO) /common/cli_readline.c: 550 in cread_line_simple() 544 545 for (;;) { 546 if (bootretry_tstc_timeout()) 547 return -2; /* timed out */ 548 schedule(); /* Trigger watchdog, if needed */ 549 >>> CID 467051: API usage errors (CHAR_IO) >>> Assigning the return value of "getchar" to char "c" truncates its value. 550 c = getchar(); 551 552 /* 553 * Special character handling 554 */ 555 switch (c) { ** CID 467050: Control flow issues (NO_EFFECT) /drivers/firmware/scmi/sandbox-scmi_agent.c: 220 in sandbox_scmi_base_message_attrs() ________________________________________________________________________________________________________ *** CID 467050: Control flow issues (NO_EFFECT) /drivers/firmware/scmi/sandbox-scmi_agent.c: 220 in sandbox_scmi_base_message_attrs() 214 !msg->out_msg || msg->out_msg_sz < sizeof(*out)) 215 return -EINVAL; 216 217 message_id = *(u32 *)msg->in_msg; 218 out = (struct scmi_protocol_msg_attrs_out *)msg->out_msg; 219 >>> CID 467050: Control flow issues (NO_EFFECT) >>> This greater-than-or-equal-to-zero comparison of an unsigned value is >>> always true. "message_id >= SCMI_PROTOCOL_VERSION". 
220 if (message_id >= SCMI_PROTOCOL_VERSION && 221 message_id <= SCMI_BASE_RESET_AGENT_CONFIGURATION && 222 message_id != SCMI_BASE_NOTIFY_ERRORS) { 223 out->attributes = 0; 224 out->status = SCMI_SUCCESS; 225 } else { ** CID 467049: Null pointer dereferences (REVERSE_INULL) /drivers/core/ofnode.c: 1764 in ofnode_read_bootscript_flash() ________________________________________________________________________________________________________ *** CID 467049: Null pointer dereferences (REVERSE_INULL) /drivers/core/ofnode.c: 1764 in ofnode_read_bootscript_flash() 1758 1759 ret = ofnode_read_u64(uboot, "bootscr-flash-size", 1760 bootscr_flash_size); 1761 if (ret) 1762 return -EINVAL; 1763 >>> CID 467049: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "bootscr_flash_size" suggests that it may be null, but it >>> has already been dereferenced on all paths leading to the check. 1764 if (!bootscr_flash_size) { 1765 debug("bootscr-flash-size is zero. Ignoring properties!\n"); 1766 *bootscr_flash_offset = 0; 1767 return -EINVAL; 1768 } 1769 ** CID 467048: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 467048: Null pointer dereferences (FORWARD_NULL) /common/cli_readline.c: 602 in cread_line_simple() 596 if (IS_ENABLED(CONFIG_AUTO_COMPLETE)) { 597 /* 598 * if auto-completion triggered just 599 * continue 600 */ 601 *p = '\0'; >>> CID 467048: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "prompt" to "cmd_auto_complete", which >>> dereferences it. 
602 if (cmd_auto_complete(prompt, 603 console_buffer, 604 &n, &col)) { 605 p = p_buf + n; /* reset */ 606 continue; 607 } ** CID 467047: Error handling issues (CHECKED_RETURN) /boot/image-fit.c: 2477 in boot_get_fdt_fit() ________________________________________________________________________________________________________ *** CID 467047: Error handling issues (CHECKED_RETURN) /boot/image-fit.c: 2477 in boot_get_fdt_fit() 2471 /* the verbose method prints out messages on error */ 2472 err = fdt_overlay_apply_verbose(base, ovcopy); 2473 if (err < 0) { 2474 fdt_noffset = err; 2475 goto out; 2476 } >>> CID 467047: Error handling issues (CHECKED_RETURN) >>> Calling "fdt_pack" without checking return value (as is done elsewhere >>> 4 out of 5 times). 2477 fdt_pack(base); 2478 len = fdt_totalsize(base); 2479 } 2480 #else 2481 printf("config with overlays but CONFIG_OF_LIBFDT_OVERLAY not set\n"); 2482 fdt_noffset = -EBADF; ** CID 467046: Error handling issues (CHECKED_RETURN) /drivers/phy/phy-uclass.c: 331 in generic_phy_power_on() ________________________________________________________________________________________________________ *** CID 467046: Error handling issues (CHECKED_RETURN) /drivers/phy/phy-uclass.c: 331 in generic_phy_power_on() 325 ops = phy_dev_ops(phy->dev); 326 if (ops->power_on) { 327 ret = ops->power_on(phy); 328 if (ret) { 329 dev_err(phy->dev, "PHY: Failed to power on %s: %d.\n", 330 phy->dev->name, ret); >>> CID 467046: Error handling issues (CHECKED_RETURN) >>> Calling "regulator_set_enable_if_allowed" without checking return value >>> (as is done elsewhere 9 out of 11 times). 
331 regulator_set_enable_if_allowed(counts->supply, false); 332 return ret; 333 } 334 } 335 counts->power_on_count = 1; 336 ** CID 467045: Resource leaks (RESOURCE_LEAK) /tools/mkeficapsule.c: 859 in dump_capsule_contents() ________________________________________________________________________________________________________ *** CID 467045: Resource leaks (RESOURCE_LEAK) /tools/mkeficapsule.c: 859 in dump_capsule_contents() 853 empty_capsule_dump(ptr); 854 } else { 855 fprintf(stderr, "Unable to decode the capsule file: %s\n", 856 capsule_file); 857 exit(EXIT_FAILURE); 858 } >>> CID 467045: Resource leaks (RESOURCE_LEAK) >>> Handle variable "fd" going out of scope leaks the handle. 859 } 860 861 /** 862 * main - main entry function of mkeficapsule 863 * @argc: Number of arguments 864 * @argv: Array of pointers to arguments