Fwd: New Defects reported by Coverity Scan for Das U-Boot
On 4/23/21 6:38 PM, scan-admin@coverity.com wrote:
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
3 new defect(s) introduced to Das U-Boot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 3 of 3 defect(s)
** CID 331185: Insecure data handling (TAINTED_SCALAR) /lib/lz4.c: 143 in LZ4_decompress_generic()
*** CID 331185: Insecure data handling (TAINTED_SCALAR) /lib/lz4.c: 143 in LZ4_decompress_generic() 137 } 138 else 139 { 140 if ((!endOnInput) && (cpy != oend)) goto _output_error; /* Error : block decoding must stop exactly there */ 141 if ((endOnInput) && ((ip+length != iend) || (cpy > oend))) goto _output_error; /* Error : input must be consumed */ 142 }
CID 331185: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "length" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]143 memcpy(op, ip, length); 144 ip += length; 145 op += length; 146 break; /* Necessarily EOF, due to parsing restrictions */ 147 } 148 LZ4_wildCopy(op, ip, cpy);
** CID 331184: Memory - corruptions (OVERRUN) /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
*** CID 331184: Memory - corruptions (OVERRUN) /cmd/stackprot_test.c: 14 in do_test_stackprot_fail() 8 9 static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc, 10 char *const argv[]) 11 {
Hello Tom,
please, mark this finding as intentional in Coverity.
12 char a[128]; 13
CID 331184: Memory - corruptions (OVERRUN) Overrunning array "a" of 128 bytes by passing it to a function which accesses it at byte offset 511 using argument "512UL". [Note: The source code implementation of the function has been overridden by a builtin model.]14 memset(a, 0xa5, 512); 15 return 0; 16 } 17 18 U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
** CID 331183: Memory - corruptions (BUFFER_SIZE) /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
*** CID 331183: Memory - corruptions (BUFFER_SIZE) /cmd/stackprot_test.c: 14 in do_test_stackprot_fail()
same here
Best regards
Heinrich
8 9 static int do_test_stackprot_fail(struct cmd_tbl *cmdtp, int flag, int argc, 10 char *const argv[]) 11 { 12 char a[128]; 13
CID 331183: Memory - corruptions (BUFFER_SIZE) You might overrun the 128 byte destination string "a" by writing the maximum 512 bytes from "165".14 memset(a, 0xa5, 512); 15 return 0; 16 } 17 18 U_BOOT_CMD(stackprot_test, 1, 1, do_test_stackprot_fail,
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
To manage Coverity Scan email notifications for "xypron.glpk@gmx.de", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
participants (1)
-
Heinrich Schuchardt