Hey all, Here's the latest set of Coverity defects. Please let me know if some of these are false positives for example, thanks.
---------- Forwarded message ---------
From: <scan-ad...@coverity.com>
Date: Mon, Apr 28, 2025 at 3:52 PM
Subject: New Defects reported by Coverity Scan for Das U-Boot
To: <tom.r...@gmail.com>
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot
found with Coverity Scan.
33 new defect(s) introduced to Das U-Boot found with Coverity Scan.
15 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 33 defect(s)
** CID 550306: Control flow issues (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()
________________________________________________________________________________________________________
*** CID 550306: Control flow issues (DEADCODE)
/fs/exfat/io.c: 547 in exfat_generic_pwrite()
541 int rc;
542 cluster_t cluster;
543 const char* bufp = buffer;
544 off_t lsize, loffset, remainder;
545
546 if (offset < 0)
>>> CID 550306: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -22L;".
547 return -EINVAL;
548 if (uoffset > node->size)
549 {
550 rc = exfat_truncate(ef, node, uoffset, true);
551 if (rc != 0)
552 return rc;
** CID 550305: Security best practices violations (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()
________________________________________________________________________________________________________
*** CID 550305: Security best practices violations (STRING_OVERFLOW)
/fs/exfat/io.c: 739 in exfat_fs_opendir()
733 return err;
734
735 dirs = calloc(1, sizeof(*dirs));
736 if (!dirs)
737 return -ENOMEM;
738
>>> CID 550305: Security best practices violations (STRING_OVERFLOW)
>>> You might overrun the 1024-character fixed-size string
"dirs->dirname" by copying "filename" without checking the length.
739 strcpy(dirs->dirname, filename);
740 dirs->offset = -1;
741
742 *dirsp = &dirs->fs_dirs;
743
744 return 0;
** CID 550304: Error handling issues (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()
________________________________________________________________________________________________________
*** CID 550304: Error handling issues (NEGATIVE_RETURNS)
/tools/fit_check_sign.c: 98 in main()
92 (void) munmap((void *)fit_blob, fsbuf.st_size);
93
94 if (key_blob)
95 (void)munmap((void *)key_blob, ksbuf.st_size);
96
97 close(ffd);
>>> CID 550304: Error handling issues (NEGATIVE_RETURNS)
>>> "kfd" is passed to a parameter that cannot be negative.
98 close(kfd);
99 exit(ret);
** CID 550303: Control flow issues (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()
________________________________________________________________________________________________________
*** CID 550303: Control flow issues (NO_EFFECT)
/tools/preload_check_sign.c: 132 in main()
126
127 info.algo_name = algo;
128 info.padding_name = padding;
129 info.key = (uint8_t *)pkey;
130 info.mandatory = 1;
131 info.sig_size = EVP_PKEY_size(pkey);
>>> CID 550303: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true.
"info.sig_size < 0U".
132 if (info.sig_size < 0) {
133 fprintf(stderr, "Fail to retrieve the signature
size: %s\n",
134 ERR_error_string(ERR_get_error(), NULL));
135 ret = EXIT_FAILURE;
136 goto out;
137 }
** CID 550302: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 550302: (TAINTED_SCALAR)
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt
*)hdr)->firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt *)hdr)->x_dsdt" to
"list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt *)hdr)->dsdt" to
"list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
/cmd/acpi.c: 116 in list_rsdt()
110 entry = xsdt->entry[i];
111 else
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "hdr->length" to "dump_hdr", which uses
it as a loop boundary.
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
/cmd/acpi.c: 95 in list_rsdt()
89 if (rsdp->rsdt_address) {
90 rsdt = nomap_sysmem(rsdp->rsdt_address, 0);
91 dump_hdr(&rsdt->header, chksums);
92 }
93 if (rsdp->xsdt_address) {
94 xsdt = nomap_sysmem(rsdp->xsdt_address, 0);
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "xsdt->header.length" to "dump_hdr",
which uses it as a loop boundary.
95 dump_hdr(&xsdt->header, chksums);
96 len = xsdt->header.length - sizeof(xsdt->header);
97 count = len / sizeof(u64);
98 } else if (rsdp->rsdt_address) {
99 len = rsdt->header.length - sizeof(rsdt->header);
100 count = len / sizeof(u32);
/cmd/acpi.c: 118 in list_rsdt()
112 entry = rsdt->entry[i];
113 if (!entry)
114 break;
115 hdr = nomap_sysmem(entry, 0);
116 dump_hdr(hdr, chksums);
117 if (!memcmp(hdr->signature, "FACP", ACPI_NAME_LEN))
>>> CID 550302: (TAINTED_SCALAR)
>>> Passing tainted expression "((struct acpi_fadt
*)hdr)->x_firmware_ctrl" to "list_fadt", which uses it as a loop boundary.
118 list_fadt((struct acpi_fadt *)hdr, chksums);
119 }
120 }
121
122 static void list_rsdp(struct acpi_rsdp *rsdp, bool chksums)
123 {
** CID 550301: (OVERRUN)
________________________________________________________________________________________________________
*** CID 550301: (OVERRUN)
/lib/acpi/acpi_table.c: 199 in acpi_add_table()
193
194 /* Fix RSDT length or the kernel will assume
invalid entries */
195 rsdt->header.length = sizeof(struct
acpi_table_header) +
196 (sizeof(u32) * (i + 1));
197
198 /* Re-calculate checksum */
>>> CID 550301: (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 39 using argument
"rsdt->header.length" (which evaluates to 40).
199 acpi_update_checksum(&rsdt->header);
200 }
201
202 if (ctx->xsdt) {
203 /*
204 * And now the same thing for the XSDT. We use the
same index as for
/lib/acpi/acpi_table.c: 230 in acpi_add_table()
224
225 /* Fix XSDT length */
226 xsdt->header.length = sizeof(struct
acpi_table_header) +
227 (sizeof(u64) * (i + 1));
228
229 /* Re-calculate checksum */
>>> CID 550301: (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 43 using argument
"xsdt->header.length" (which evaluates to 44).
230 acpi_update_checksum(&xsdt->header);
231 }
232
233 return 0;
234 }
235
** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()
________________________________________________________________________________________________________
*** CID 550300: Integer handling issues (INTEGER_OVERFLOW)
/fs/exfat/utils.c: 146 in exfat_humanize_bytes()
140 /* 16 EB (minus 1 byte) is the largest size that can be
represented by
141 uint64_t */
142 const char* units[] = {"bytes", "KB", "MB", "GB", "TB",
"PB", "EB"};
143 uint64_t divisor = 1;
144 uint64_t temp = 0;
145
>>> CID 550300: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "divisor", overflows the type of "divisor", which is
type "uint64_t".
146 for (i = 0; ; i++, divisor *= 1024)
147 {
148 temp = (value + divisor / 2) / divisor;
149
150 if (temp == 0)
151 break;
** CID 550299: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()
________________________________________________________________________________________________________
*** CID 550299: Null pointer dereferences (FORWARD_NULL)
/lib/efi_loader/efi_file.c: 251 in file_open()
245 strcpy(fh->path, "");
246 }
247
248 return &fh->base;
249
250 error:
>>> CID 550299: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "fh".
251 free(fh->path);
252 free(fh);
253 return NULL;
254 }
255
256 efi_status_t efi_file_open_int(struct efi_file_handle *this,
** CID 550298: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
________________________________________________________________________________________________________
*** CID 550298: Error handling issues (CHECKED_RETURN)
/lib/efi_loader/efi_net.c: 1054 in efi_netobj_get_dp()
1048 struct efi_handler *phandler;
1049
1050 if (!efi_netobj_is_active(netobj))
1051 return NULL;
1052
1053 phandler = NULL;
>>> CID 550298: Error handling issues (CHECKED_RETURN)
>>> Calling "efi_search_protocol" without checking return value (as is
done elsewhere 37 out of 42 times).
1054 efi_search_protocol(&netobj->header, &efi_guid_device_path,
&phandler);
1055
1056 if (phandler && phandler->protocol_interface)
1057 return efi_dp_dup(phandler->protocol_interface);
1058
1059 return NULL;
** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()
________________________________________________________________________________________________________
*** CID 550297: Integer handling issues (INTEGER_OVERFLOW)
/cmd/spawn.c: 174 in do_wait()
168 ret = wait_job(i);
169 } else {
170 for (i = 1; i < argc; i++) {
171 id = dectoul(argv[i], NULL);
172 if (id < 0 || id >
CONFIG_CMD_SPAWN_NUM_JOBS)
173 return CMD_RET_USAGE;
>>> CID 550297: Integer handling issues (INTEGER_OVERFLOW)
>>> Expression "idx", where "(int)id - 1" is known to be equal to -1,
overflows the type of "idx", which is type "unsigned int".
174 idx = (int)id - 1;
175 ret = wait_job(idx);
176 }
177 }
178
179 return ret;
** CID 550296: Control flow issues (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()
________________________________________________________________________________________________________
*** CID 550296: Control flow issues (NO_EFFECT)
/cmd/spawn.c: 172 in do_wait()
166 for (i = 0; i < CONFIG_CMD_SPAWN_NUM_JOBS; i++)
167 if (job[i])
168 ret = wait_job(i);
169 } else {
170 for (i = 1; i < argc; i++) {
171 id = dectoul(argv[i], NULL);
>>> CID 550296: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true.
"id < 0UL".
172 if (id < 0 || id >
CONFIG_CMD_SPAWN_NUM_JOBS)
173 return CMD_RET_USAGE;
174 idx = (int)id - 1;
175 ret = wait_job(idx);
176 }
177 }
** CID 550295: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 550295: Insecure data handling (TAINTED_SCALAR)
/test/lib/membuf.c: 235 in lib_test_membuf_readline()
229 *ptr = '\n';
230 } else {
231 ut_assert(membuf_free(&mb));
232 }
233 }
234 membuf_dispose(&mb);
>>> CID 550295: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*buf" to "os_free", which uses it as an
offset.
235 os_free(buf);
236
237 return 0;
238 }
** CID 550294: Code maintainability issues (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()
________________________________________________________________________________________________________
*** CID 550294: Code maintainability issues (UNUSED_VALUE)
/test/lib/membuf.c: 68 in lib_test_membuf_one()
62 ut_assertok(membuf_check(uts, &mb, i));
63
64 ret = membuf_get(&mb, out, 0);
65 ret = membuf_get(&mb, out, size);
66 ut_asserteq(size, ret);
67
>>> CID 550294: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "membuf_get(&mb, out, 0)" to "ret" here, but
that stored value is overwritten before it can be used.
68 ret = membuf_get(&mb, out, 0);
69 ut_assertok(membuf_check(uts, &mb, i));
70
71 ut_asserteq_mem(in, out, size);
72 }
73
** CID 550293: Memory - illegal accesses (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()
________________________________________________________________________________________________________
*** CID 550293: Memory - illegal accesses (STRING_NULL)
/test/lib/membuf.c: 224 in lib_test_membuf_readline()
218 ret = membuf_readline(&mb, str, 256, 0, true);
219 ut_assertok(membuf_check(uts, &mb, i));
220 if (ret) {
221 char *ptr;
222
223 s = &buf[cmpptr];
>>> CID 550293: Memory - illegal accesses (STRING_NULL)
>>> Passing unterminated string "s" to "strchr", which expects a
null-terminated string. [Note: The source code implementation of the
function has been overridden by a builtin model.]
224 ptr = strchr(s, '\n');
225 *ptr = '\0';
226
227 ut_asserteq_str(s, str);
228 cmpptr += strlen(s) + 1;
229 *ptr = '\n';
** CID 550292: (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
________________________________________________________________________________________________________
*** CID 550292: (BAD_SHIFT)
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159 param[10] = 0x0;
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
>>> CID 550292: (BAD_SHIFT)
>>> In expression "blocks >> 24", right shifting "blocks" by more than
15 bits always yields zero. The shift amount is 24.
165 param[16] = (blocks >> 24) & 0xff;
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
165 param[16] = (blocks >> 24) & 0xff;
>>> CID 550292: (BAD_SHIFT)
>>> In expression "blocks >> 16", right shifting "blocks" by more than
15 bits always yields zero. The shift amount is 16.
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
171 pccb->cmd[0] = SCSI_UNMAP;
** CID 550291: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 550291: Memory - corruptions (OVERRUN)
/lib/acpi/acpi_table.c: 549 in acpi_write_spcr()
543 * to touch the configuration of the serial device.
544 */
545 if (serial_info.clock != SERIAL_DEFAULT_CLOCK)
546 spcr->baud_rate = 0;
547
548 /* Fix checksum */
>>> CID 550291: Memory - corruptions (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 79 using argument
"header->length" (which evaluates to 80).
549 acpi_update_checksum(header);
550
551 acpi_add_table(ctx, spcr);
552 acpi_inc(ctx, spcr->header.length);
553
554 return 0;
** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()
________________________________________________________________________________________________________
*** CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
/test/lib/membuf.c: 54 in lib_test_membuf_one()
48 }
49
50 test_size = TEST_SIZE;
51
52 for (i = 1; i < TEST_COUNT; i++) {
53 membuf_zero(&mb);
>>> CID 550290: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications,
because linear congruential algorithms are too easy to break.
54 size = rand() % test_size;
55
56 // now write patterns and check they come back OK
57 ret = membuf_put(&mb, in, 0);
58 ret = membuf_put(&mb, in, size);
59 ut_asserteq(size, ret);
** CID 550289: (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
________________________________________________________________________________________________________
*** CID 550289: (CONSTANT_EXPRESSION_RESULT)
/drivers/scsi/scsi.c: 166 in scsi_setup_erase_ext()
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
165 param[16] = (blocks >> 24) & 0xff;
>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>> "blocks >> 16" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
171 pccb->cmd[0] = SCSI_UNMAP;
/drivers/scsi/scsi.c: 165 in scsi_setup_erase_ext()
159 param[10] = 0x0;
160 param[11] = 0x0;
161 param[12] = (start >> 24) & 0xff;
162 param[13] = (start >> 16) & 0xff;
163 param[14] = (start >> 8) & 0xff;
164 param[15] = (start) & 0xff;
>>> CID 550289: (CONSTANT_EXPRESSION_RESULT)
>>> "blocks >> 24" is 0 regardless of the values of its operands. This
occurs as the bitwise first operand of "&".
165 param[16] = (blocks >> 24) & 0xff;
166 param[17] = (blocks >> 16) & 0xff;
167 param[18] = (blocks >> 8) & 0xff;
168 param[19] = (blocks) & 0xff;
169
170 memset(pccb->cmd, 0, sizeof(pccb->cmd));
** CID 550288: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 550288: Memory - corruptions (OVERRUN)
/lib/acpi/base.c: 53 in acpi_write_rsdt()
47 header->length = sizeof(struct acpi_rsdt);
48 header->revision = 1;
49
50 /* Entries are filled in later, we come with an empty set */
51
52 /* Fix checksum */
>>> CID 550288: Memory - corruptions (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 163 using argument
"header->length" (which evaluates to 164).
53 acpi_update_checksum(header);
54 }
55
56 static void acpi_write_xsdt(struct acpi_xsdt *xsdt)
57 {
58 struct acpi_table_header *header = &xsdt->header;
** CID 550287: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 550287: Memory - corruptions (OVERRUN)
/lib/acpi/acpi_table.c: 268 in acpi_write_fadt()
262 fadt->dsdt = fadt->x_dsdt;
263
264 fadt->preferred_pm_profile = ACPI_PM_UNSPECIFIED;
265
266 acpi_fill_fadt(fadt);
267
>>> CID 550287: Memory - corruptions (OVERRUN)
>>> Overrunning struct type acpi_table_header of 36 bytes by passing it
to a function which accesses it at byte offset 275 using argument
"header->length" (which evaluates to 276).
268 acpi_update_checksum(header);
269
270 return acpi_add_fadt(ctx, fadt);
271 }
272
273 #ifndef CONFIG_QFW_ACPI
----- End forwarded message -----
--
Tom
signature.asc
Description: PGP signature
