Hi Tom,
On Mon, 10 Feb 2025 at 17:26, Tom Rini <tr...@konsulko.com> wrote:
>
> Here's the latest report.
>
> ---------- Forwarded message ---------
> From: <scan-ad...@coverity.com>
> Date: Mon, Feb 10, 2025 at 4:12 PM
> Subject: New Defects reported by Coverity Scan for Das U-Boot
> To: <tom.r...@gmail.com>
>
>
> Hi,
>
> Please find the latest report on new defect(s) introduced to Das U-Boot
> found with Coverity Scan.
>
> 3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
>
>
> New defect(s) Reported-by: Coverity Scan
> Showing 3 of 3 defect(s)
>
>
> ** CID 541281: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-v2.c: 77 in tpm2_scan_masks()
>
>
> ________________________________________________________________________________________________________
> *** CID 541281: Insecure data handling (TAINTED_SCALAR)
> /lib/tpm-v2.c: 77 in tpm2_scan_masks()
> 71 *mask = 0;
> 72
> 73 rc = tpm2_get_pcr_info(dev, &pcrs);
> 74 if (rc)
> 75 return rc;
> 76
> >>> CID 541281: Insecure data handling (TAINTED_SCALAR)
> >>> Using tainted variable "pcrs.count" as a loop boundary.
We don't need to check the pcrs.count here, since tpm2_get_pcr_info()
will post an error if pcrs.count is not in a value from 1 to 4.
This is hardcoded in tpm2_get_pcr_info(), please see below:
```
/*
* We only support 4 algorithms for now so check against that
* instead of TPM2_NUM_PCR_BANKS
*/
if (pcrs->count > 4 || pcrs->count < 1) {
printf("%s: too many pcrs: %u\n", __func__, pcrs->count);
return -EMSGSIZE;
}
```
> 77 for (i = 0; i < pcrs.count; i++) {
> 78 struct tpms_pcr_selection *sel = &pcrs.selection[i];
> 79 size_t j;
> 80 u32 hash_mask = 0;
> 81
> 82 for (j = 0; j < ARRAY_SIZE(hash_algo_list); j++) {
>
> ** CID 541280: Insecure data handling (TAINTED_SCALAR)
> /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
>
>
> ________________________________________________________________________________________________________
> *** CID 541280: Insecure data handling (TAINTED_SCALAR)
> /cmd/tpm-v2.c: 307 in do_tpm2_pcrallocate()
> 301 * first call
> 302 */
> 303 ret = tpm2_get_pcr_info(dev, &pcr);
> 304 if (ret)
> 305 return ret;
> 306
> >>> CID 541280: Insecure data handling (TAINTED_SCALAR)
> >>> Using tainted variable "pcr.count" as a loop boundary.
Ditto.
Regards,
Raymond
> 307 for (i = 0; i < pcr.count; i++) {
> 308 struct tpms_pcr_selection *sel =
> &pcr.selection[i];
> 309 const char *name;
> 310
> 311 if (!tpm2_is_active_bank(sel))
> 312 continue;
>
> ** CID 541279: (TAINTED_SCALAR)
> /drivers/led/led-uclass.c: 284 in led_get_function_name()
> /drivers/led/led-uclass.c: 279 in led_get_function_name()
>
>
> ________________________________________________________________________________________________________
> *** CID 541279: (TAINTED_SCALAR)
> /drivers/led/led-uclass.c: 284 in led_get_function_name()
> 278 if (!ret) {
> 279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 280 "%s:%s-%d",
> 281 cp ? "" : led_colors[color],
> 282 func ? func : "", enumerator);
> 283 } else {
> >>> CID 541279: (TAINTED_SCALAR)
> >>> Using tainted variable "color" as an index into an array
> "led_colors".
> 284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 285 "%s:%s",
> 286 cp ? "" : led_colors[color],
> 287 func ? func : "");
> 288 }
> 289 uc_plat->label = uc_plat->name;
> /drivers/led/led-uclass.c: 279 in led_get_function_name()
> 273 /* Now try to detect function label name */
> 274 func = dev_read_string(dev, "function");
> 275 cp = dev_read_u32(dev, "color", &color);
> 276 if (cp == 0 || func) {
> 277 ret = dev_read_u32(dev, "function-enumerator",
> &enumerator);
> 278 if (!ret) {
> >>> CID 541279: (TAINTED_SCALAR)
> >>> Using tainted variable "color" as an index into an array
> "led_colors".
> 279 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
> 280 "%s:%s-%d",
> 281 cp ? "" : led_colors[color],
> 282 func ? func : "", enumerator);
> 283 } else {
> 284 snprintf(uc_plat->name, LED_MAX_NAME_SIZE,
>
>
> ----- End forwarded message -----
>
> --
> Tom
