Hey all,

Here's the latest report, now that next has been merged to master. A few of these are oddly showing up now, despite being in older code that hasn't been touched and was already being built before.
---------- Forwarded message --------- From: <[email protected]> Date: Mon, Jan 5, 2026 at 3:24 PM Subject: New Defects reported by Coverity Scan for Das U-Boot To: <[email protected]> Hi, Please find the latest report on new defect(s) introduced to *Das U-Boot* found with Coverity Scan. - *New Defects Found:* 15 - 23 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. - *Defects Shown:* Showing 15 of 15 defect(s) Defect Details ** CID 640423: Control flow issues (DEADCODE) /drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag() _____________________________________________________________________________________________ *** CID 640423: Control flow issues (DEADCODE) /drivers/fastboot/fb_common.c: 112 in fastboot_set_reboot_flag() 106 } 107 const char *bcb_iface = config_opt_enabled(CONFIG_FASTBOOT_FLASH_BLOCK, 108 CONFIG_FASTBOOT_FLASH_BLOCK_INTERFACE_NAME, 109 "mmc"); 110 111 if (device == -1) >>> CID 640423: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "return -22;". 112 return -EINVAL; 113 114 if (reason >= FASTBOOT_REBOOT_REASONS_COUNT) 115 return -EINVAL; 116 117 ret = bcb_find_partition_and_load(bcb_iface, device, "misc"); ** CID 640422: Error handling issues (CHECKED_RETURN) /boot/fdt_region.c: 330 in fdt_include_supernodes() _____________________________________________________________________________________________ *** CID 640422: Error handling issues (CHECKED_RETURN) /boot/fdt_region.c: 330 in fdt_include_supernodes() 324 */ 325 for (i = 0; i <= depth; i++) { 326 if (!info->stack[i].included) { 327 start = info->stack[i].offset; 328 329 /* Add the FDT_BEGIN_NODE tag of this supernode */ >>> CID 640422: Error handling issues (CHECKED_RETURN) >>> Calling "fdt_next_tag" without checking return value (as is done >>> elsewhere 12 out of 15 times). 
330 fdt_next_tag(info->fdt, start, &stop_at); 331 if (fdt_add_region(info, base + start, stop_at - start)) 332 return -1; 333 334 /* Remember that this supernode is now included */ 335 info->stack[i].included = 1; ** CID 640421: Possible Control flow issues (DEADCODE) /drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info() _____________________________________________________________________________________________ *** CID 640421: Possible Control flow issues (DEADCODE) /drivers/fastboot/fb_block.c: 138 in fastboot_block_get_part_info() 132 CONFIG_FASTBOOT_FLASH_BLOCK_DEVICE_ID, -1); 133 134 if (!part_name || !strcmp(part_name, "")) { 135 fastboot_fail("partition not given", response); 136 return -ENOENT; 137 } >>> CID 640421: Possible Control flow issues (DEADCODE) >>> Execution cannot reach the expression "strcmp(interface, "")" inside >>> this statement: "if (!interface || !strcmp(i...". 138 if (!interface || !strcmp(interface, "")) { 139 fastboot_fail("block interface isn't provided", response); 140 return -EINVAL; 141 } 142 143 *dev_desc = blk_get_dev(interface, device); ** CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT) /env/fat.c: 49 in env_fat_get_dev_part() _____________________________________________________________________________________________ *** CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT) /env/fat.c: 49 in env_fat_get_dev_part() 43 __weak char *env_fat_get_dev_part(void) 44 { 45 #ifdef CONFIG_MMC 46 /* reserve one more char for the manipulation below */ 47 static char part_str[] = CONFIG_ENV_FAT_DEVICE_AND_PART "\0"; 48 >>> CID 640420: Incorrect expression (CONSTANT_EXPRESSION_RESULT) >>> "strcmp("mmc", "mmc")" is always 0 because ""mmc"" is compared against >>> itself. 
49 if (!strcmp(CONFIG_ENV_FAT_INTERFACE, "mmc") && part_str[0] == ':') { 50 part_str[0] = '0' + mmc_get_env_dev(); 51 strcpy(&part_str[1], CONFIG_ENV_FAT_DEVICE_AND_PART); 52 } 53 54 return part_str; ** CID 640419: Null pointer dereferences (REVERSE_INULL) /drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info() _____________________________________________________________________________________________ *** CID 640419: Null pointer dereferences (REVERSE_INULL) /drivers/fastboot/fb_block.c: 144 in fastboot_block_get_part_info() 138 if (!interface || !strcmp(interface, "")) { 139 fastboot_fail("block interface isn't provided", response); 140 return -EINVAL; 141 } 142 143 *dev_desc = blk_get_dev(interface, device); >>> CID 640419: Null pointer dereferences (REVERSE_INULL) >>> Null-checking "dev_desc" suggests that it may be null, but it has >>> already been dereferenced on all paths leading to the check. 144 if (!dev_desc) { 145 fastboot_fail("no such device", response); 146 return -ENODEV; 147 } 148 149 ret = part_get_info_by_name(*dev_desc, part_name, part_info); ** CID 640418: Insecure data handling (TAINTED_SCALAR) _____________________________________________________________________________________________ *** CID 640418: Insecure data handling (TAINTED_SCALAR) /drivers/core/ofnode.c: 2098 in ofnode_copy_props() 2092 2093 val = ofprop_get_property(&prop, &name, &len); 2094 if (!val) { 2095 log_debug("Cannot read prop (err=%d)\n", len); 2096 return log_msg_ret("get", -EINVAL); 2097 } >>> CID 640418: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "len" to "ofnode_write_prop", which uses it >>> as an offset. 
2098 ret = ofnode_write_prop(dst, name, val, len, true); 2099 if (ret) { 2100 log_debug("Cannot write prop (err=%d)\n", ret); 2101 return log_msg_ret("wr", -EINVAL); 2102 } 2103 } ** CID 640417: Insecure data handling (TAINTED_SCALAR) /scripts/dtc/libfdt/fdt_ro.c: 546 in fdt_get_alias_namelen() _____________________________________________________________________________________________ *** CID 640417: Insecure data handling (TAINTED_SCALAR) /scripts/dtc/libfdt/fdt_ro.c: 546 in fdt_get_alias_namelen() 540 { 541 int len; 542 const char *alias; 543 544 alias = fdt_path_getprop_namelen(fdt, "/aliases", name, namelen, &len); 545 >>> CID 640417: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "len - 1" as an index to pointer "alias". 546 if (!can_assume(VALID_DTB) && 547 !(alias && len > 0 && alias[len - 1] == '\0' && *alias == '/')) 548 return NULL; 549 550 return alias; 551 } ** CID 640416: Insecure data handling (TAINTED_SCALAR) _____________________________________________________________________________________________ *** CID 640416: Insecure data handling (TAINTED_SCALAR) /scripts/dtc/libfdt/fdt_overlay.c: 739 in overlay_prevent_phandle_overwrite() 733 * will be overwritten. 734 */ 735 continue; 736 else if (target < 0) 737 return target; 738 >>> CID 640416: Insecure data handling (TAINTED_SCALAR) >>> Passing tainted expression "target" to >>> "overlay_prevent_phandle_overwrite_node", which uses it as a loop boundary. 
739 ret = overlay_prevent_phandle_overwrite_node(fdt, target, 740 fdto, overlay); 741 if (ret) 742 return ret; 743 } 744 ** CID 640415: Control flow issues (DEADCODE) /scripts/dtc/pylibfdt/libfdt_wrap.c: 6728 in _wrap_fdt_get_property_by_offset_w() _____________________________________________________________________________________________ *** CID 640415: Control flow issues (DEADCODE) /scripts/dtc/pylibfdt/libfdt_wrap.c: 6728 in _wrap_fdt_get_property_by_offset_w() 6722 resultobj = SWIG_Python_AppendOutput(resultobj, buff); 6723 } 6724 } 6725 if (SWIG_IsTmpObj(res3)) { 6726 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_From_int((*arg3))); 6727 } else { >>> CID 640415: Control flow issues (DEADCODE) >>> Execution cannot reach the expression "new_flags" inside this >>> statement: "new_flags = ((res3 >= 0 && ...". 6728 int new_flags = SWIG_IsNewObj(res3) ? (SWIG_POINTER_OWN | 0 ) : 0 ; 6729 resultobj = SWIG_Python_AppendOutput(resultobj, SWIG_NewPointerObj((void*)(arg3), SWIGTYPE_p_int, new_flags)); 6730 } 6731 return resultobj; 6732 fail: 6733 return NULL; ** CID 640414: Resource leaks (RESOURCE_LEAK) /drivers/interconnect/interconnect-uclass.c: 320 in icc_path_init() _____________________________________________________________________________________________ *** CID 640414: Resource leaks (RESOURCE_LEAK) /drivers/interconnect/interconnect-uclass.c: 320 in icc_path_init() 314 path->reqs[i].node = node; 315 path->reqs[i].enabled = true; 316 317 /* Probe this node since used in an active path */ 318 ret = uclass_get_device_tail(node->dev, 0, &node_dev); 319 if (ret) >>> CID 640414: Resource leaks (RESOURCE_LEAK) >>> Variable "path" going out of scope leaks the storage it points to. 
320 return ERR_PTR(ret); 321 322 node->users++; 323 324 /* reference to previous node was saved during path traversal */ 325 node = node->reverse; ** CID 536550: Resource leaks (RESOURCE_LEAK) /scripts/dtc/fstree.c: 57 in read_fstree() _____________________________________________________________________________________________ *** CID 536550: Resource leaks (RESOURCE_LEAK) /scripts/dtc/fstree.c: 57 in read_fstree() 51 fclose(pfile); 52 } 53 } else if (S_ISDIR(st.st_mode)) { 54 struct node *newchild; 55 56 newchild = read_fstree(tmpname); >>> CID 536550: Resource leaks (RESOURCE_LEAK) >>> Failing to save or free storage allocated by "xstrdup(de->d_name)" >>> leaks it. 57 newchild = name_node(newchild, xstrdup(de->d_name)); 58 add_child(tree, newchild); 59 } 60 61 free(tmpname); 62 } ** CID 536369: Resource leaks (RESOURCE_LEAK) /scripts/dtc/flattree.c: 681 in flat_read_property() _____________________________________________________________________________________________ *** CID 536369: Resource leaks (RESOURCE_LEAK) /scripts/dtc/flattree.c: 681 in flat_read_property() 675 676 if ((flags & FTF_VARALIGN) && (proplen >= 8)) 677 flat_realign(dtbuf, 8); 678 679 val = flat_read_data(dtbuf, proplen); 680 >>> CID 536369: Resource leaks (RESOURCE_LEAK) >>> Variable "name" going out of scope leaks the storage it points to. 
681 return build_property(name, val, NULL); 682 } 683 684 static struct reserve_info *flat_read_mem_reserve(struct inbuf *inb) 685 { 686 struct reserve_info *reservelist = NULL; ** CID 449815: Memory - illegal accesses (OVERRUN) /lib/sm3.c: 252 in sm3_final() _____________________________________________________________________________________________ *** CID 449815: Memory - illegal accesses (OVERRUN) /lib/sm3.c: 252 in sm3_final() 246 unsigned int partial = sctx->count % SM3_BLOCK_SIZE; 247 u32 W[16]; 248 int i; 249 250 sctx->buffer[partial++] = 0x80; 251 if (partial > bit_offset) { >>> CID 449815: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 64 bytes at byte offset 64 by dereferencing >>> pointer "sctx->buffer + partial". [Note: The source code implementation of >>> the function has been overridden by a builtin model.] 252 memset(sctx->buffer + partial, 0, SM3_BLOCK_SIZE - partial); 253 partial = 0; 254 255 sm3_block(sctx, sctx->buffer, 1, W); 256 } 257 ** CID 432237: Null pointer dereferences (NULL_RETURNS) _____________________________________________________________________________________________ *** CID 432237: Null pointer dereferences (NULL_RETURNS) /scripts/dtc/checks.c: 1618 in check_interrupt_map() 1612 if (node->addr_cells < 0) { 1613 FAIL(c, dti, node, 1614 "Missing '#address-cells' in interrupt-map provider"); 1615 return; 1616 } 1617 cellsize = node_addr_cells(node); >>> CID 432237: Null pointer dereferences (NULL_RETURNS) >>> Dereferencing a pointer that might be "NULL" "get_property(node, >>> "#interrupt-cells")" when calling "propval_cell". 
1618 cellsize += propval_cell(get_property(node, "#interrupt-cells")); 1619 1620 prop = get_property(node, "interrupt-map-mask"); 1621 if (prop && (prop->val.len != (cellsize * sizeof(cell_t)))) 1622 FAIL_PROP(c, dti, node, prop, 1623 "property size (%d) is invalid, expected %zu", ** CID 328724: (TAINTED_SCALAR) /scripts/dtc/fdtoverlay.c: 55 in apply_one() /scripts/dtc/fdtoverlay.c: 69 in apply_one() _____________________________________________________________________________________________ *** CID 328724: (TAINTED_SCALAR) /scripts/dtc/fdtoverlay.c: 55 in apply_one() 49 bool has_symbols; 50 51 /* 52 * We take copies first, because a failed apply can trash 53 * both the base blob and the overlay 54 */ >>> CID 328724: (TAINTED_SCALAR) >>> Passing tainted expression "fdt32_ld(&((struct fdt_header const >>> *)overlay)->totalsize)" to "xmalloc", which uses it as an allocation size. >>> [Note: The source code implementation of the function has been overridden >>> by a builtin model.] 55 tmpo = xmalloc(fdt_totalsize(overlay)); 56 57 do { 58 tmp = xrealloc(tmp, *buf_len); 59 ret = fdt_open_into(base, tmp, *buf_len); 60 if (ret) { /scripts/dtc/fdtoverlay.c: 69 in apply_one() 63 fdt_strerror(ret)); 64 goto fail; 65 } 66 ret = fdt_path_offset(tmp, "/__symbols__"); 67 has_symbols = ret >= 0; 68 >>> CID 328724: (TAINTED_SCALAR) >>> Passing tainted expression "fdt32_ld(&((struct fdt_header const >>> *)overlay)->totalsize)" to "memcpy", which uses it as an offset. [Note: The >>> source code implementation of the function has been overridden by a builtin >>> model.] 69 memcpy(tmpo, overlay, fdt_totalsize(overlay)); 70 71 ret = fdt_overlay_apply(tmp, tmpo); 72 if (ret == -FDT_ERR_NOSPACE) { 73 *buf_len += BUF_INCREMENT; 74 } View Defects in Coverity Scan <https://scan.coverity.com/projects/das-u-boot?tab=overview> Best regards, The Coverity Scan Admin Team ----- End forwarded message ----- -- Tom

