[scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]

Hey all,
Here's the latest report.
----- Forwarded message from scan-admin@coverity.com -----
Date: Mon, 19 Apr 2021 01:18:55 +0000 (UTC)
From: scan-admin@coverity.com
To: tom.rini@gmail.com
Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
13 new defect(s) introduced to Das U-Boot found with Coverity Scan. 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 13 of 13 defect(s)
** CID 331158: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
________________________________________________________________________________________________________
*** CID 331158: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 347 in single_configure_bits()
341             return PTR_ERR(func);
342
343         func->name = fname;
344         func->npins = 0;
345         for (n = 0; n < count; n++, pins++) {
346             offset = fdt32_to_cpu(pins->reg);
CID 331158: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
347             if (offset < 0 || offset > pdata->offset) {
348                 dev_dbg(dev, " invalid register offset 0x%x\n",
349                         offset);
350                 continue;
351             }
352
** CID 331157: Null pointer dereferences (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
________________________________________________________________________________________________________
*** CID 331157: Null pointer dereferences (NULL_RETURNS)
/drivers/misc/cros_ec_sandbox.c: 229 in keyscan_read_fdt_matrix()
223
224         /* Now read the data */
225         for (upto = 0; upto < ec->matrix_count; upto++) {
226             struct ec_keymatrix_entry *matrix = &ec->matrix[upto];
227             u32 word;
228
CID 331157: Null pointer dereferences (NULL_RETURNS)
Incrementing a pointer which might be null: "cell".
229             word = fdt32_to_cpu(*cell++);
230             matrix->row = word >> 24;
231             matrix->col = (word >> 16) & 0xff;
232             matrix->keycode = word & 0xffff;
233
234             /* Hard-code some sanity limits for now */
** CID 331156: Incorrect expression (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
________________________________________________________________________________________________________
*** CID 331156: Incorrect expression (UNUSED_VALUE)
/cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
34         qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
35                        le32_to_cpu(setup_size), data_addr);
36         data_addr += le32_to_cpu(setup_size);
37
38         qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
39                        le32_to_cpu(kernel_size), data_addr);
CID 331156: Incorrect expression (UNUSED_VALUE)
Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
40         data_addr += le32_to_cpu(kernel_size);
41
42         data_addr = initrd_addr;
43         qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
44         if (initrd_size == 0) {
45             printf("warning: no initrd available\n");
** CID 331155: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 331155: Insecure data handling (TAINTED_SCALAR)
/fs/cbfs/cbfs.c: 170 in file_cbfs_next_file()
164                 size -= align;
165                 start += align;
166                 continue;
167             }
168
169             swap_file_header(&header, file_header);
CID 331155: Insecure data handling (TAINTED_SCALAR)
Passing tainted variable "header.offset" to a tainted sink.
170             ret = fill_node(node, start, &header);
171             if (ret) {
172                 priv->result = CBFS_BAD_FILE;
173                 return log_msg_ret("fill", ret);
174             }
175
** CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
________________________________________________________________________________________________________
*** CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
/drivers/pinctrl/pinctrl-single.c: 473 in single_probe()
467             return -ENOMEM;
468     #endif
469
470         priv->npins = size / (pdata->width / BITS_PER_BYTE);
471         if (pdata->bits_per_mux) {
472             priv->bits_per_pin = fls(pdata->mask);
CID 331154: Integer handling issues (DIVIDE_BY_ZERO)
In expression "pdata->width / priv->bits_per_pin", division by expression "priv->bits_per_pin" which may be zero has undefined behavior.
473             priv->npins *= (pdata->width / priv->bits_per_pin);
474         }
475
476         dev_dbg(dev, "%d pins\n", priv->npins);
477         return 0;
478     }
** CID 331153: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
________________________________________________________________________________________________________
*** CID 331153: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 661 in find_boot_device()
655         size = 0;
656         ret = efi_get_variable_int(L"BootOrder", &efi_global_variable_guid,
657                                    NULL, &size, NULL, NULL);
658         if (ret == EFI_BUFFER_TOO_SMALL) {
659             boot_order = malloc(size);
660             if (!boot_order) {
CID 331153: Code maintainability issues (UNUSED_VALUE)
Assigning value "9223372036854775817UL" to "ret" here, but that stored value is overwritten before it can be used.
661                 ret = EFI_OUT_OF_RESOURCES;
662                 goto out;
663             }
664
665             ret = efi_get_variable_int(L"BootOrder",
666                                        &efi_global_variable_guid,
** CID 331152: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()
________________________________________________________________________________________________________
*** CID 331152: Insecure data handling (TAINTED_SCALAR)
/lib/tpm-common.c: 180 in tpm_sendrecv_command()
174             response = response_buffer;
175             response_length = sizeof(response_buffer);
176         }
177
178         size = tpm_command_size(command);
179         log_debug("TPM request [size:%d]: ", size);
CID 331152: Insecure data handling (TAINTED_SCALAR)
Using tainted variable "size" as a loop boundary.
180         for (i = 0; i < size; i++)
181             log_debug("%02x ", ((u8 *)command)[i]);
182         log_debug("\n");
183
184         err = tpm_xfer(dev, command, size, response, &response_length);
185
** CID 331151: Resource leaks (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
________________________________________________________________________________________________________
*** CID 331151: Resource leaks (RESOURCE_LEAK)
/drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
241         if (!func)
242             return ERR_PTR(-ENOMEM);
243
244         func->pins = devm_kmalloc(dev, sizeof(unsigned int) * group_pins,
245                                   GFP_KERNEL);
246         if (!func->pins)
CID 331151: Resource leaks (RESOURCE_LEAK)
Variable "func" going out of scope leaks the storage it points to.
247             return ERR_PTR(-ENOMEM);
248
249         return func;
250     }
251
252     static int single_pin_compare(const void *s1, const void *s2)
** CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()
________________________________________________________________________________________________________
*** CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 415 in dsa_post_bind()
409             err = device_bind_driver_to_node(dev, DSA_PORT_CHILD_DRV_NAME,
410                                              name, pnode, &pdev);
411             if (pdev) {
412                 struct dsa_port_pdata *port_pdata;
413
414                 port_pdata = dev_get_parent_plat(pdev);
CID 331150: Memory - illegal accesses (BUFFER_SIZE_WARNING)
Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
415                 strncpy(port_pdata->name, name, DSA_PORT_NAME_LENGTH);
416                 pdev->name = port_pdata->name;
417             }
418
419             /* try to bind all ports but keep 1st error */
420             if (err && !first_err)
** CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
________________________________________________________________________________________________________
*** CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/net/dsa-uclass.c: 224 in dsa_port_of_to_pdata()
218
219         port_pdata = dev_get_parent_plat(pdev);
220         port_pdata->index = index;
221
222         label = ofnode_read_string(dev_ofnode(pdev), "label");
223         if (label)
CID 331149: Memory - illegal accesses (BUFFER_SIZE_WARNING)
Calling "strncpy" with a maximum size argument of 16 bytes on destination array "port_pdata->name" of size 16 bytes might leave the destination string unterminated.
224             strncpy(port_pdata->name, label, DSA_PORT_NAME_LENGTH);
225
226         eth_pdata = dev_get_plat(pdev);
227         eth_pdata->priv_pdata = port_pdata;
228
229         dev_dbg(pdev, "port %d node %s\n", port_pdata->index,
** CID 331148: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
________________________________________________________________________________________________________
*** CID 331148: Control flow issues (NO_EFFECT)
/drivers/pinctrl/pinctrl-single.c: 298 in single_configure_pins()
292             return PTR_ERR(func);
293
294         func->name = fname;
295         func->npins = 0;
296         for (n = 0; n < count; n++, pins++) {
297             offset = fdt32_to_cpu(pins->reg);
CID 331148: Control flow issues (NO_EFFECT)
This less-than-zero comparison of an unsigned value is never true. "offset < 0U".
298             if (offset < 0 || offset > pdata->offset) {
299                 dev_err(dev, " invalid register offset 0x%x\n",
300                         offset);
301                 continue;
302             }
303
** CID 331147: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
________________________________________________________________________________________________________
*** CID 331147: Code maintainability issues (UNUSED_VALUE)
/lib/efi_loader/efi_capsule.c: 456 in efi_update_capsule()
450         efi_status_t ret;
451
452         EFI_ENTRY("%p, %zu, %llu\n", capsule_header_array, capsule_count,
453                   scatter_gather_list);
454
455         if (!capsule_count) {
CID 331147: Code maintainability issues (UNUSED_VALUE)
Assigning value "9223372036854775810UL" to "ret" here, but that stored value is overwritten before it can be used.
456             ret = EFI_INVALID_PARAMETER;
457             goto out;
458         }
459
460         ret = EFI_SUCCESS;
461         for (i = 0, capsule = *capsule_header_array; i < capsule_count;
** CID 165109: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 165109: Insecure data handling (TAINTED_SCALAR)
/arch/sandbox/cpu/state.c: 81 in state_read_file()
75         os_close(fd);
76
77         return 0;
78     err_read:
79         os_close(fd);
80     err_open:
CID 165109: Insecure data handling (TAINTED_SCALAR)
Passing tainted variable "state->state_fdt" to a tainted sink.
81         os_free(state->state_fdt);
82         state->state_fdt = NULL;
83
84         return ret;
85     }
86
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
----- End forwarded message -----
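
The two BUFFER_SIZE_WARNING findings in the report above (CID 331150 and CID 331149) describe the same pattern, shown here as an added example that is not part of the original thread and is not U-Boot code. The structure, the helper names and the sample labels are constructed for illustration; only the 16-byte size and the `strncpy` call shape come from the report, and `copy_bounded()` is one common correction, not the fix the project chose.

```c
#include <stdio.h>
#include <string.h>

#define DSA_PORT_NAME_LENGTH 16 /* destination size quoted in the report */

/* Constructed sample labels; neither comes from a real device tree. */
static const char LABEL_SHORT[] = "lan1";
static const char LABEL_16[] = "0123456789abcdef"; /* exactly 16 chars */

/* Hypothetical stand-in for the structure that holds the port name. */
struct port_name_demo {
	char name[DSA_PORT_NAME_LENGTH];
};

/* Flagged pattern: the strncpy bound equals the destination size. */
static void copy_flagged(struct port_name_demo *p, const char *src)
{
	strncpy(p->name, src, DSA_PORT_NAME_LENGTH);
}

/*
 * Bounded copy that always terminates the destination.
 * Returns 0 when src fits, -1 when it was truncated or an
 * argument was invalid.
 */
static int copy_bounded(char *dst, size_t size, const char *src)
{
	const char *end;
	size_t len;

	if (!dst || !src || size == 0)
		return -1;
	end = memchr(src, '\0', size);            /* NUL within size bytes? */
	len = end ? (size_t)(end - src) : size - 1;
	memcpy(dst, src, len);
	dst[len] = '\0';
	return end ? 0 : -1;
}

/* 1 if the flagged copy left a NUL inside name[], 0 otherwise. */
static int flagged_is_terminated(const char *src)
{
	struct port_name_demo p;

	memset(&p, 'X', sizeof(p));               /* no stray NUL in name[] */
	copy_flagged(&p, src);
	return memchr(p.name, '\0', sizeof(p.name)) != NULL;
}

/* Length of the stored name after the bounded copy. */
static size_t bounded_length(const char *src)
{
	struct port_name_demo p;

	memset(&p, 'X', sizeof(p));
	copy_bounded(p.name, sizeof(p.name), src);
	return strlen(p.name);
}

int main(void)
{
	printf("flagged, 4-char label:  terminated=%d\n",
	       flagged_is_terminated(LABEL_SHORT));
	printf("flagged, 16-char label: terminated=%d\n",
	       flagged_is_terminated(LABEL_16));
	printf("bounded, 16-char label: stored length=%zu\n",
	       bounded_length(LABEL_16));
	return 0;
}
```

Any later use of the unterminated name as a C string, such as the `%s` format in a debug print, reads past the 16-byte array.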

Looking at cmd/qfw.c as I touched it last:
On 21/04/19 08:04:p, Tom Rini wrote:
> ** CID 331156: Incorrect expression (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> *** CID 331156: Incorrect expression (UNUSED_VALUE)
> /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> 34         qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
> 35                        le32_to_cpu(setup_size), data_addr);
> 36         data_addr += le32_to_cpu(setup_size);
> 37
> 38         qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
> 39                        le32_to_cpu(kernel_size), data_addr);
> CID 331156: Incorrect expression (UNUSED_VALUE)
> Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
> 40         data_addr += le32_to_cpu(kernel_size);
> 41
> 42         data_addr = initrd_addr;
> 43         qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
> 44         if (initrd_size == 0) {
> 45             printf("warning: no initrd available\n");
This is unchanged since 2016 and I think is fine to leave as-is. The data_addr increment goes together with the qfw_read_entry() to keep advancing the data_addr pointer correctly.
It does get immediately thrown away in this case, but if we moved any part of this around or changed it we'd want to keep it, so the warning is likely best ignored.
Asherah

On Tue, Apr 20, 2021 at 12:58:28AM +0000, Asherah Connor wrote:
> Looking at cmd/qfw.c as I touched it last:
> On 21/04/19 08:04:p, Tom Rini wrote:
> > ** CID 331156: Incorrect expression (UNUSED_VALUE)
> > /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> > *** CID 331156: Incorrect expression (UNUSED_VALUE)
> > /cmd/qfw.c: 40 in qemu_fwcfg_cmd_setup_kernel()
> > 34         qfw_read_entry(qfw_dev, FW_CFG_SETUP_DATA,
> > 35                        le32_to_cpu(setup_size), data_addr);
> > 36         data_addr += le32_to_cpu(setup_size);
> > 37
> > 38         qfw_read_entry(qfw_dev, FW_CFG_KERNEL_DATA,
> > 39                        le32_to_cpu(kernel_size), data_addr);
> > CID 331156: Incorrect expression (UNUSED_VALUE)
> > Assigning value from "(__u32)(__le32)kernel_size" to "data_addr" here, but that stored value is overwritten before it can be used.
> > 40         data_addr += le32_to_cpu(kernel_size);
> > 41
> > 42         data_addr = initrd_addr;
> > 43         qfw_read_entry(qfw_dev, FW_CFG_INITRD_SIZE, 4, &initrd_size);
> > 44         if (initrd_size == 0) {
> > 45             printf("warning: no initrd available\n");
> This is unchanged since 2016 and I think is fine to leave as-is. The data_addr increment goes together with the qfw_read_entry() to keep advancing the data_addr pointer correctly.
> It does get immediately thrown away in this case, but if we moved any part of this around or changed it we'd want to keep it, so the warning is likely best ignored.
Thanks, I'll mark it as intentional in the dashboard.

Hi Tom,
On 19/04/2021 14:20 Tom Rini trini@konsulko.com wrote:
> ** CID 331151: Resource leaks (RESOURCE_LEAK)
> /drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
> *** CID 331151: Resource leaks (RESOURCE_LEAK)
> /drivers/pinctrl/pinctrl-single.c: 247 in single_allocate_function()
> 241         if (!func)
> 242             return ERR_PTR(-ENOMEM);
> 243
> 244         func->pins = devm_kmalloc(dev, sizeof(unsigned int) * group_pins,
> 245                                   GFP_KERNEL);
> 246         if (!func->pins)
> CID 331151: Resource leaks (RESOURCE_LEAK)
> Variable "func" going out of scope leaks the storage it points to.
> 247             return ERR_PTR(-ENOMEM);

Is this really a memory leak? I used devm_kmalloc() to not have to manually free the allocated memory but delegating it to the device.

Thanks and regards,
Dario

> 248
> 249         return func;
> 250     }
> 251
> 252     static int single_pin_compare(const void *s1, const void *s2)