[tom.rini@gmail.com: Fwd: New Defects reported by Coverity Scan for Das U-Boot]

----- Forwarded message from Tom Rini tom.rini@gmail.com -----
Date: Tue, 31 Jan 2023 07:30:23 -0500
From: Tom Rini tom.rini@gmail.com
To: trini@konsulko.com
Subject: Fwd: New Defects reported by Coverity Scan for Das U-Boot
On Mon, Jan 30, 2023, 4:15 PM scan-admin@coverity.com wrote:
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
18 new defect(s) introduced to Das U-Boot found with Coverity Scan. 9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)
** CID 435669: Control flow issues (MISSING_BREAK)
/lib/vsprintf.c: 681 in vsnprintf_internal()

*** CID 435669: Control flow issues (MISSING_BREAK)
/lib/vsprintf.c: 681 in vsnprintf_internal()
675        case 'x':
676            flags |= SMALL;
677        case 'X':
678            base = 16;
679            break;
680
CID 435669: Control flow issues (MISSING_BREAK)
The case for value "'d'" is not terminated by a "break" statement.
681        case 'd':
682            if (fmt[1] == 'E')
683                flags |= ERRSTR;
684        case 'i':
685            flags |= SIGN;
686        case 'u':
** CID 435668: Insecure data handling (TAINTED_SCALAR)
/boot/image-fdt.c: 397 in select_fdt()

*** CID 435668: Insecure data handling (TAINTED_SCALAR)
/boot/image-fdt.c: 397 in select_fdt()
391                return -EFAULT;
392            }
393
394            debug("   Loading FDT from 0x%08lx to 0x%08lx\n",
395                  image_data, load);
396
CID 435668: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "image_get_data_size(fdt_hdr)" to "memmove", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
397            memmove((void *)load,
398                    (void *)image_data,
399                    image_get_data_size(fdt_hdr));
400
401            fdt_addr = load;
402            break;
** CID 435667: Memory - corruptions (OVERRUN)

*** CID 435667: Memory - corruptions (OVERRUN)
/lib/zstd/decompress/zstd_decompress.c: 88 in ZSTD_DDictHashSet_getIndex()
82     #define DDICT_HASHSET_RESIZE_FACTOR 2
83
84     /* Hash function to determine starting position of dict insertion within the table
85      * Returns an index between [0, hashSet->ddictPtrTableSize]
86      */
87     static size_t ZSTD_DDictHashSet_getIndex(const ZSTD_DDictHashSet* hashSet, U32 dictID) {
CID 435667: Memory - corruptions (OVERRUN)
Overrunning buffer pointed to by "&dictID" of 4 bytes by passing it to a function which accesses it at byte offset 7.
88         const U64 hash = xxh64(&dictID, sizeof(U32), 0);
89         /* DDict ptr table size is a multiple of 2, use size - 1 as mask to get index within [0, hashSet->ddictPtrTableSize) */
90         return hash & (hashSet->ddictPtrTableSize - 1);
91     }
92
93     /* Adds DDict to a hashset without resizing it.
** CID 435666: Insecure data handling (TAINTED_SCALAR)

*** CID 435666: Insecure data handling (TAINTED_SCALAR)
/common/command.c: 674 in cmd_source_script()
668        ret = image_locate_script(buf, 0, fit_uname, confname, &data, &len);
669        unmap_sysmem(buf);
670        if (ret)
671            return CMD_RET_FAILURE;
672
673        debug("** Script length: %d\n", len);
CID 435666: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "len" to "run_command_list", which uses it as an offset.
674        return run_command_list(data, len, 0);
** CID 435665: (DEADCODE)
/tools/fit_image.c: 342 in fit_write_images()
/tools/fit_image.c: 322 in fit_write_images()

*** CID 435665: (DEADCODE)
/tools/fit_image.c: 342 in fit_write_images()
336            ret = fdt_property_file(params, fdt, FIT_DATA_PROP,
337                                    params->fit_ramdisk);
338            if (ret)
339                return ret;
340            fit_add_hash_or_sign(params, fdt, true);
341            if (ret)
CID 435665: (DEADCODE)
Execution cannot reach this statement: "return ret;".
342                return ret;
343            fdt_end_node(fdt);
344        }
345
346        fdt_end_node(fdt);
347
/tools/fit_image.c: 322 in fit_write_images()
316            fdt_property_string(fdt, FIT_ARCH_PROP,
317                                genimg_get_arch_short_name(params->arch));
318            fdt_property_string(fdt, FIT_COMP_PROP,
319                                genimg_get_comp_short_name(IH_COMP_NONE));
320            fit_add_hash_or_sign(params, fdt, true);
321            if (ret)
CID 435665: (DEADCODE)
Execution cannot reach this statement: "return ret;".
322                return ret;
323            fdt_end_node(fdt);
324        }
325
326        /* And a ramdisk file if available */
327        if (params->fit_ramdisk) {
** CID 435664: Insecure data handling (TAINTED_SCALAR)

*** CID 435664: Insecure data handling (TAINTED_SCALAR)
/drivers/iommu/iommu-uclass.c: 71 in dev_pci_iommu_enable()
65                 return ret;
66             }
67             dev->iommu = dev_iommu;
68             break;
69         }
70
CID 435664: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "*iommu_map" to "dlfree", which uses it as an offset.
71         free(iommu_map);
72         return 0;
73     }
74     #endif
75
76     int dev_iommu_enable(struct udevice *dev)
** CID 435663: Code maintainability issues (UNUSED_VALUE)
/boot/bootdev-uclass.c: 703 in bootdev_setup_iter()

*** CID 435663: Code maintainability issues (UNUSED_VALUE)
/boot/bootdev-uclass.c: 703 in bootdev_setup_iter()
697        iter->labels = bootstd_get_bootdev_order(bootstd, &ok);
698        if (!ok)
699            return log_msg_ret("ord", -ENOMEM);
700        log_debug("setup labels %p\n", iter->labels);
701        if (iter->labels) {
702            iter->cur_label = -1;
CID 435663: Code maintainability issues (UNUSED_VALUE)
Assigning value from "bootdev_next_label(iter, &dev, &method_flags)" to "ret" here, but that stored value is overwritten before it can be used.
703            ret = bootdev_next_label(iter, &dev, &method_flags);
704        } else {
705            ret = bootdev_next_prio(iter, &dev);
706            method_flags = 0;
707        }
708        if (!dev)
** CID 435662: Null pointer dereferences (REVERSE_INULL)
/boot/scene_menu.c: 385 in scene_menu_display()

*** CID 435662: Null pointer dereferences (REVERSE_INULL)
/boot/scene_menu.c: 385 in scene_menu_display()
379
380            desc = scene_obj_find(scn, item->desc_id, SCENEOBJT_TEXT);
381            if (desc)
382                dstr = expo_get_str(exp, desc->str_id);
383
384            printf("%3s %3s %-10s %s\n",
CID 435662: Null pointer dereferences (REVERSE_INULL)
Null-checking "pointer" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
385                   pointer && menu->cur_item_id == item->id ? pstr : "",
386                   kstr, lstr, dstr);
387        }
388
389        return -ENOTSUPP;
** CID 435661: (TAINTED_SCALAR)

*** CID 435661: (TAINTED_SCALAR)
/lib/zstd/decompress/huf_decompress.c: 591 in HUF_decompress4X1_usingDTable_internal_body()
585            DTableDesc const dtd = HUF_getDTableDesc(DTable);
586            U32 const dtLog = dtd.tableLog;
587            U32 endSignal = 1;
588
589            if (length4 > cSrcSize) return ERROR(corruption_detected);   /* overflow */
590            if (opStart4 > oend) return ERROR(corruption_detected);      /* overflow */
CID 435661: (TAINTED_SCALAR)
Passing tainted expression "length1" to "BIT_initDStream", which uses it as an offset.
591            CHECK_F( BIT_initDStream(&bitD1, istart1, length1) );
592            CHECK_F( BIT_initDStream(&bitD2, istart2, length2) );
593            CHECK_F( BIT_initDStream(&bitD3, istart3, length3) );
594            CHECK_F( BIT_initDStream(&bitD4, istart4, length4) );
595
596            /* up to 16 symbols per loop (4 symbols per stream) in 64-bit mode */
/lib/zstd/decompress/huf_decompress.c: 593 in HUF_decompress4X1_usingDTable_internal_body()
587            U32 endSignal = 1;
588
589            if (length4 > cSrcSize) return ERROR(corruption_detected);   /* overflow */
590            if (opStart4 > oend) return ERROR(corruption_detected);      /* overflow */
591            CHECK_F( BIT_initDStream(&bitD1, istart1, length1) );
592            CHECK_F( BIT_initDStream(&bitD2, istart2, length2) );
CID 435661: (TAINTED_SCALAR)
Passing tainted expression "length3" to "BIT_initDStream", which uses it as an offset.
593            CHECK_F( BIT_initDStream(&bitD3, istart3, length3) );
594            CHECK_F( BIT_initDStream(&bitD4, istart4, length4) );
595
596            /* up to 16 symbols per loop (4 symbols per stream) in 64-bit mode */
597            if ((size_t)(oend - op4) >= sizeof(size_t)) {
598                for ( ; (endSignal) & (op4 < olimit) ; ) {
/lib/zstd/decompress/huf_decompress.c: 592 in HUF_decompress4X1_usingDTable_internal_body()
586            U32 const dtLog = dtd.tableLog;
587            U32 endSignal = 1;
588
589            if (length4 > cSrcSize) return ERROR(corruption_detected);   /* overflow */
590            if (opStart4 > oend) return ERROR(corruption_detected);      /* overflow */
591            CHECK_F( BIT_initDStream(&bitD1, istart1, length1) );
CID 435661: (TAINTED_SCALAR)
Passing tainted expression "length2" to "BIT_initDStream", which uses it as an offset.
592            CHECK_F( BIT_initDStream(&bitD2, istart2, length2) );
593            CHECK_F( BIT_initDStream(&bitD3, istart3, length3) );
594            CHECK_F( BIT_initDStream(&bitD4, istart4, length4) );
595
596            /* up to 16 symbols per loop (4 symbols per stream) in 64-bit mode */
597            if ((size_t)(oend - op4) >= sizeof(size_t)) {
** CID 435660: (PRINTF_ARGS)

*** CID 435660: (PRINTF_ARGS)
/test/cmd/exit.c: 69 in cmd_exit_test()
63         ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz' ; run foo ; echo $?", i));
64         ut_assert_nextline("bar");
65         ut_assert_nextline("0");
66         ut_assertok(ut_check_console_end(uts));
67
68         ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
69         ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz' ; run foo && echo quux ; echo $?", i));
70         ut_assert_nextline("bar");
71         ut_assert_nextline("quux");
72         ut_assert_nextline("0");
73         ut_assertok(ut_check_console_end(uts));
74
/test/cmd/exit.c: 104 in cmd_exit_test()
98         ut_assert_nextline("bar");
99         /* The 'true' returns 0 */
100        ut_assert_nextline("0");
101        ut_assertok(ut_check_console_end(uts));
102
103        ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
104        ut_assertok(run_commandf("setenv foo 'echo bar ; false' ; run foo ; echo $?", i));
105        ut_assert_nextline("bar");
106        ut_assert_nextline("1");
107        ut_assertok(ut_check_console_end(uts));
108
109        ut_assertok(console_record_reset_enable());
/test/cmd/exit.c: 110 in cmd_exit_test()
104        ut_assertok(run_commandf("setenv foo 'echo bar ; false' ; run foo ; echo $?", i));
105        ut_assert_nextline("bar");
106        ut_assert_nextline("1");
107        ut_assertok(ut_check_console_end(uts));
108
109        ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
110        ut_assertok(run_commandf("setenv foo 'echo bar ; false' ; run foo && echo quux ; echo $?", i));
111        ut_assert_nextline("bar");
112        ut_assert_nextline("1");
113        ut_assertok(ut_check_console_end(uts));
114
115        ut_assertok(console_record_reset_enable());
/test/cmd/exit.c: 63 in cmd_exit_test()
57         ut_assert_nextline("0");
58         ut_assertok(ut_check_console_end(uts));
59     }
60
61     /* Validate that 'exit' behaves the same way as 'exit 0' */
62     ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
63     ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz' ; run foo ; echo $?", i));
64     ut_assert_nextline("bar");
65     ut_assert_nextline("0");
66     ut_assertok(ut_check_console_end(uts));
67
68     ut_assertok(console_record_reset_enable());
/test/cmd/exit.c: 84 in cmd_exit_test()
78     /* Either 'exit' returns 0, or 'echo quux' returns 0 */
79     ut_assert_nextline("0");
80     ut_assertok(ut_check_console_end(uts));
81
82     /* Validate that return value still propagates from 'run' command */
83     ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
84     ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo ; echo $?", i));
85     ut_assert_nextline("bar");
86     ut_assert_nextline("0");
87     ut_assertok(ut_check_console_end(uts));
88
89     ut_assertok(console_record_reset_enable());
/test/cmd/exit.c: 116 in cmd_exit_test()
110    ut_assertok(run_commandf("setenv foo 'echo bar ; false' ; run foo && echo quux ; echo $?", i));
111    ut_assert_nextline("bar");
112    ut_assert_nextline("1");
113    ut_assertok(ut_check_console_end(uts));
114
115    ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
116    ut_assertok(run_commandf("setenv foo 'echo bar ; false' ; run foo || echo quux ; echo $?", i));
117    ut_assert_nextline("bar");
118    ut_assert_nextline("quux");
119    /* The 'echo quux' returns 0 */
120    ut_assert_nextline("0");
121    ut_assertok(ut_check_console_end(uts));
/test/cmd/exit.c: 76 in cmd_exit_test()
70     ut_assert_nextline("bar");
71     ut_assert_nextline("quux");
72     ut_assert_nextline("0");
73     ut_assertok(ut_check_console_end(uts));
74
75     ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
76     ut_assertok(run_commandf("setenv foo 'echo bar ; exit ; echo baz' ; run foo || echo quux ; echo $?", i));
77     ut_assert_nextline("bar");
78     /* Either 'exit' returns 0, or 'echo quux' returns 0 */
79     ut_assert_nextline("0");
80     ut_assertok(ut_check_console_end(uts));
81
/test/cmd/exit.c: 90 in cmd_exit_test()
84     ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo ; echo $?", i));
85     ut_assert_nextline("bar");
86     ut_assert_nextline("0");
87     ut_assertok(ut_check_console_end(uts));
88
89     ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
90     ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo && echo quux ; echo $?", i));
91     ut_assert_nextline("bar");
92     ut_assert_nextline("quux");
93     ut_assert_nextline("0");
94     ut_assertok(ut_check_console_end(uts));
95
/test/cmd/exit.c: 97 in cmd_exit_test()
91     ut_assert_nextline("bar");
92     ut_assert_nextline("quux");
93     ut_assert_nextline("0");
94     ut_assertok(ut_check_console_end(uts));
95
96     ut_assertok(console_record_reset_enable());
CID 435660: (PRINTF_ARGS)
This argument was not used by the format string: "i".
97     ut_assertok(run_commandf("setenv foo 'echo bar ; true' ; run foo || echo quux ; echo $?", i));
98     ut_assert_nextline("bar");
99     /* The 'true' returns 0 */
100    ut_assert_nextline("0");
101    ut_assertok(ut_check_console_end(uts));
102
** CID 435659: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/cmd/eficonfig.c: 429 in eficonfig_process_common()

*** CID 435659: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/cmd/eficonfig.c: 429 in eficonfig_process_common()
423        struct menu *menu;
424        void *choice = NULL;
425        struct list_head *pos, *n;
426        struct eficonfig_entry *entry;
427        efi_status_t ret = EFI_SUCCESS;
428
CID 435659: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
"efi_menu->count > 2147483647 /* (int)(~0U >> 1) */" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
429        if (efi_menu->count > EFICONFIG_ENTRY_NUM_MAX)
430            return EFI_OUT_OF_RESOURCES;
431
432        efi_menu->delay = -1;
433        efi_menu->active = 0;
434        efi_menu->start = 0;
** CID 435658: Insecure data handling (TAINTED_SCALAR)

*** CID 435658: Insecure data handling (TAINTED_SCALAR)
/cmd/ximg.c: 256 in do_imgextract()
250            puts("OK\n");
251        }
252
253        flush_cache(dest, ALIGN(len, ARCH_DMA_MINALIGN));
254
255        env_set_hex("fileaddr", data);
CID 435658: Insecure data handling (TAINTED_SCALAR)
Passing tainted expression "len" to "env_set_hex", which uses it as an offset.
256        env_set_hex("filesize", len);
257
258        return 0;
259    }
260
261    #ifdef CONFIG_SYS_LONGHELP
** CID 435657: Integer handling issues (NEGATIVE_RETURNS)

*** CID 435657: Integer handling issues (NEGATIVE_RETURNS)
/fs/squashfs/sqfs_decompressor.c: 146 in sqfs_decompress()
140            break;
141    #endif
142    #if IS_ENABLED(CONFIG_ZSTD)
143        case SQFS_COMP_ZSTD:
144            ret = sqfs_zstd_decompress(ctxt, dest, *dest_len, source, src_len);
145            if (ret) {
CID 435657: Integer handling issues (NEGATIVE_RETURNS)
"ret" is passed to a parameter that cannot be negative.
146                printf("ZSTD Error code: %d\n", zstd_get_error_code(ret));
147                return -EINVAL;
148            }
149
150            break;
151    #endif
** CID 435656: Code maintainability issues (UNUSED_VALUE)
/boot/bootdev-uclass.c: 705 in bootdev_setup_iter()

*** CID 435656: Code maintainability issues (UNUSED_VALUE)
/boot/bootdev-uclass.c: 705 in bootdev_setup_iter()
699            return log_msg_ret("ord", -ENOMEM);
700        log_debug("setup labels %p\n", iter->labels);
701        if (iter->labels) {
702            iter->cur_label = -1;
703            ret = bootdev_next_label(iter, &dev, &method_flags);
704        } else {
CID 435656: Code maintainability issues (UNUSED_VALUE)
Assigning value from "bootdev_next_prio(iter, &dev)" to "ret" here, but that stored value is overwritten before it can be used.
705            ret = bootdev_next_prio(iter, &dev);
706            method_flags = 0;
707        }
708        if (!dev)
709            return log_msg_ret("fin", -ENOENT);
710        log_debug("Selected bootdev: %s\n", dev->name);
** CID 435655: Error handling issues (CHECKED_RETURN)
/boot/scene.c: 219 in scene_obj_set_pos()

*** CID 435655: Error handling issues (CHECKED_RETURN)
/boot/scene.c: 219 in scene_obj_set_pos()
213        obj = scene_obj_find(scn, id, SCENEOBJT_NONE);
214        if (!obj)
215            return log_msg_ret("find", -ENOENT);
216        obj->x = x;
217        obj->y = y;
218        if (obj->type == SCENEOBJT_MENU)
CID 435655: Error handling issues (CHECKED_RETURN)
Calling "scene_menu_arrange" without checking return value (as is done elsewhere 4 out of 5 times).
219            scene_menu_arrange(scn, (struct scene_obj_menu *)obj);
220
221        return 0;
222    }
223
224    int scene_obj_set_hide(struct scene *scn, uint id, bool hide)
** CID 435654: Null pointer dereferences (NULL_RETURNS)
/boot/scene_menu.c: 365 in scene_menu_display()

*** CID 435654: Null pointer dereferences (NULL_RETURNS)
/boot/scene_menu.c: 365 in scene_menu_display()
359        }
360
361        if (list_empty(&menu->item_head))
362            return 0;
363
364        pointer = scene_obj_find(scn, menu->pointer_id, SCENEOBJT_TEXT);
CID 435654: Null pointer dereferences (NULL_RETURNS)
Dereferencing "pointer", which is known to be "NULL".
365        pstr = expo_get_str(scn->expo, pointer->str_id);
366
367        list_for_each_entry(item, &menu->item_head, sibling) {
368            struct scene_obj_txt *key = NULL, *label = NULL;
369            struct scene_obj_txt *desc = NULL;
370            const char *kstr = NULL, *lstr = NULL, *dstr = NULL;
** CID 435653: Code maintainability issues (UNUSED_VALUE)
/boot/scene.c: 290 in scene_obj_render()

*** CID 435653: Code maintainability issues (UNUSED_VALUE)
/boot/scene.c: 290 in scene_obj_render()
284        struct expo *exp = scn->expo;
285        struct udevice *cons, *dev = exp->display;
286        int x, y, ret;
287
288        cons = NULL;
289        if (!text_mode) {
CID 435653: Code maintainability issues (UNUSED_VALUE)
Assigning value from "device_find_first_child_by_uclass(dev, UCLASS_VIDEO_CONSOLE, &cons)" to "ret" here, but that stored value is overwritten before it can be used.
290            ret = device_find_first_child_by_uclass(dev,
291                                                    UCLASS_VIDEO_CONSOLE,
292                                                    &cons);
293        }
294
295        x = obj->x;
** CID 188663: Control flow issues (DEADCODE)
/lib/zstd/decompress/zstd_decompress_block.c: 1989 in ZSTD_decompressBlock_internal()

*** CID 188663: Control flow issues (DEADCODE)
/lib/zstd/decompress/zstd_decompress_block.c: 1989 in ZSTD_decompressBlock_internal()
1983       /* isLongOffset must be true if there are long offsets.
1984        * Offsets are long if they are larger than 2^STREAM_ACCUMULATOR_MIN.
1985        * We don't expect that to be the case in 64-bit mode.
1986        * In block mode, window size is not known, so we have to be conservative.
1987        * (note: but it could be evaluated from current-lowLimit)
1988        */
CID 188663: Control flow issues (DEADCODE)
Execution cannot reach the expression "57" inside this statement: "isLongOffset = (ZSTD_longOf...".
1989       ZSTD_longOffset_e const isLongOffset = (ZSTD_longOffset_e)(MEM_32bits() && (!frame || (dctx->fParams.windowSize > (1ULL << STREAM_ACCUMULATOR_MIN))));
1990       DEBUGLOG(5, "ZSTD_decompressBlock_internal (size : %u)", (U32)srcSize);
1991
1992       RETURN_ERROR_IF(srcSize >= ZSTD_BLOCKSIZE_MAX, srcSize_wrong, "");
1993
1994       /* Decode literals section */
----- End forwarded message -----