Fwd: New Defects reported by Coverity Scan for Das U-Boot
Now that I've merged next to master, there's a number of issues to address.
---------- Forwarded message --------- From: scan-admin@coverity.com Date: Mon, Oct 7, 2024 at 10:59 AM Subject: New Defects reported by Coverity Scan for Das U-Boot To: tom.rini@gmail.com
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
24 new defect(s) introduced to Das U-Boot found with Coverity Scan. 9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 24 defect(s)
** CID 510469: (RESOURCE_LEAK) /tools/mkeficapsule.c: 877 in load_dtb() /tools/mkeficapsule.c: 862 in load_dtb() /tools/mkeficapsule.c: 855 in load_dtb() /tools/mkeficapsule.c: 870 in load_dtb()
________________________________________________________________________________________________________ *** CID 510469: (RESOURCE_LEAK) /tools/mkeficapsule.c: 877 in load_dtb() 871 } 872 873 if (fread(dtb, dtb_size, 1, f) != 1) { 874 fprintf(stderr, "Can't read %ld bytes from %s\n", 875 dtb_size, path); 876 free(dtb);
CID 510469: (RESOURCE_LEAK) Variable "f" going out of scope leaks the storage it points to.
877 return NULL; 878 } 879 880 fclose(f); 881 882 return dtb; /tools/mkeficapsule.c: 862 in load_dtb() 856 } 857 858 dtb_size = ftell(f); 859 if (dtb_size < 0) { 860 fprintf(stderr, "Cannot ftell %s: %s\n", 861 path, strerror(errno));
CID 510469: (RESOURCE_LEAK) Variable "f" going out of scope leaks the storage it points to.
862 return NULL; 863 } 864 865 fseek(f, 0, SEEK_SET); 866 867 dtb = malloc(dtb_size); /tools/mkeficapsule.c: 855 in load_dtb() 849 return NULL; 850 } 851 852 if (fseek(f, 0, SEEK_END)) { 853 fprintf(stderr, "Cannot seek to the end of %s: %s\n", 854 path, strerror(errno));
CID 510469: (RESOURCE_LEAK) Variable "f" going out of scope leaks the storage it points to.
855 return NULL; 856 } 857 858 dtb_size = ftell(f); 859 if (dtb_size < 0) { 860 fprintf(stderr, "Cannot ftell %s: %s\n", /tools/mkeficapsule.c: 870 in load_dtb() 864 865 fseek(f, 0, SEEK_SET); 866 867 dtb = malloc(dtb_size); 868 if (!dtb) { 869 fprintf(stderr, "Can't allocated %ld\n", dtb_size);
CID 510469: (RESOURCE_LEAK) Variable "f" going out of scope leaks the storage it points to.
870 return NULL; 871 } 872 873 if (fread(dtb, dtb_size, 1, f) != 1) { 874 fprintf(stderr, "Can't read %ld bytes from %s\n", 875 dtb_size, path);
** CID 510468: Integer handling issues (SIGN_EXTENSION) /lib/alist.c: 65 in alist_expand_to()
________________________________________________________________________________________________________ *** CID 510468: Integer handling issues (SIGN_EXTENSION) /lib/alist.c: 65 in alist_expand_to() 59 new_data = malloc(lst->obj_size * new_alloc); 60 if (!new_data) { 61 lst->flags |= ALISTF_FAIL; 62 return false; 63 } 64
CID 510468: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "lst->obj_size" with type "u16" (16 bits, unsigned) is promoted in "lst->obj_size * lst->alloc" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "lst->obj_size * lst->alloc" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
65 memcpy(new_data, lst->data, lst->obj_size * lst->alloc); 66 free(lst->data); 67 68 memset(new_data + lst->obj_size * lst->alloc, '\0', 69 lst->obj_size * (new_alloc - lst->alloc)); 70 lst->alloc = new_alloc;
** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /net/tcp.c: 497 in tcp_parse_options()
________________________________________________________________________________________________________ *** CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /net/tcp.c: 497 in tcp_parse_options() 491 tsopt = (struct tcp_t_opt *)p; 492 rmt_timestamp = tsopt->t_snd; 493 return; 494 } 495 496 /* Process optional NOPs */
CID 510467: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "p[0] == 16843009" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
497 if (p[0] == TCP_O_NOP) 498 p++; 499 } 500 } 501 502 static u8 tcp_state_machine(u8 tcp_flags, u32 tcp_seq_num, int payload_len)
** CID 510466: Control flow issues (NO_EFFECT) /lib/uuid.c: 256 in uuid_guid_get_bin()
________________________________________________________________________________________________________ *** CID 510466: Control flow issues (NO_EFFECT) /lib/uuid.c: 256 in uuid_guid_get_bin() 250 }; 251 252 int uuid_guid_get_bin(const char *guid_str, unsigned char *guid_bin) 253 { 254 int i; 255
CID 510466: Control flow issues (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
256 for (i = 0; i < ARRAY_SIZE(list_guid); i++) { 257 if (!strcmp(list_guid[i].string, guid_str)) { 258 memcpy(guid_bin, &list_guid[i].guid, 16); 259 return 0; 260 } 261 }
** CID 510465: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 510465: Uninitialized variables (UNINIT) /cmd/upl.c: 59 in do_upl_write() 53 struct unit_test_state uts; 54 struct abuf buf; 55 oftree tree; 56 ulong addr; 57 int ret; 58
CID 510465: Uninitialized variables (UNINIT) Using uninitialized value "uts.fail_count" when calling "upl_get_test_data".
59 upl_get_test_data(&uts, upl); 60 61 log_debug("Writing UPL\n"); 62 ret = upl_create_handoff_tree(upl, &tree); 63 if (ret) { 64 log_err("Failed to write (err=%dE)\n", ret);
** CID 510464: Error handling issues (CHECKED_RETURN) /net/wget.c: 259 in wget_connected()
________________________________________________________________________________________________________ *** CID 510464: Error handling issues (CHECKED_RETURN) /net/wget.c: 259 in wget_connected() 253 254 pos = strstr((char *)pkt, content_len); 255 if (!pos) { 256 content_length = -1; 257 } else { 258 pos += sizeof(content_len) + 2;
CID 510464: Error handling issues (CHECKED_RETURN) Calling "strict_strtoul" without checking return value (as is done elsewhere 8 out of 10 times).
259 strict_strtoul(pos, 10, &content_length); 260 debug_cond(DEBUG_WGET, 261 "wget: Connected Len %lu\n", 262 content_length); 263 } 264
** CID 510463: Memory - illegal accesses (OVERRUN) /lib/lmb.c: 37 in lmb_print_region_flags()
________________________________________________________________________________________________________ *** CID 510463: Memory - illegal accesses (OVERRUN) /lib/lmb.c: 37 in lmb_print_region_flags() 31 { 32 u64 bitpos; 33 const char *flag_str[] = { "none", "no-map", "no-overwrite" }; 34 35 do { 36 bitpos = flags ? fls(flags) - 1 : 0;
CID 510463: Memory - illegal accesses (OVERRUN) Overrunning array "flag_str" of 3 8-byte elements at element index 31 (byte offset 255) using index "bitpos" (which evaluates to 31).
37 printf("%s", flag_str[bitpos]); 38 flags &= ~(1ull << bitpos); 39 puts(flags ? ", " : "\n"); 40 } while (flags); 41 } 42
** CID 510462: Security best practices violations (DC.WEAK_CRYPTO) /test/dm/nand.c: 67 in run_test_nand()
________________________________________________________________________________________________________ *** CID 510462: Security best practices violations (DC.WEAK_CRYPTO) /test/dm/nand.c: 67 in run_test_nand() 61 ops.ooblen = mtd->oobsize; 62 ut_assertok(mtd_read_oob(mtd, mtd->erasesize, &ops)); 63 ut_asserteq(0, oob[mtd_to_nand(mtd)->badblockpos]); 64 65 /* Generate some data and write it */ 66 for (i = 0; i < size / sizeof(int); i++)
CID 510462: Security best practices violations (DC.WEAK_CRYPTO) "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
67 gold[i] = rand(); 68 ut_assertok(nand_write_skip_bad(mtd, off, &length, NULL, U64_MAX, 69 (void *)gold, 0)); 70 ut_asserteq(size, length); 71 72 /* Verify */
** CID 510461: Code maintainability issues (UNUSED_VALUE) /boot/upl_write.c: 237 in add_upl_image()
________________________________________________________________________________________________________ *** CID 510461: Code maintainability issues (UNUSED_VALUE) /boot/upl_write.c: 237 in add_upl_image() 231 return log_msg_ret("sub", ret); 232 233 ret = write_addr(upl, subnode, UPLP_LOAD, img->load); 234 if (!ret) 235 ret = write_size(upl, subnode, UPLP_SIZE, img->size); 236 if (!ret && img->offset)
CID 510461: Code maintainability issues (UNUSED_VALUE) Assigning value from "ofnode_write_u32(subnode, "offset", img->offset)" to "ret" here, but that stored value is overwritten before it can be used.
237 ret = ofnode_write_u32(subnode, UPLP_OFFSET, 238 img->offset); 239 ret = ofnode_write_string(subnode, UPLP_DESCRIPTION, 240 img->description); 241 if (ret) 242 return log_msg_ret("sim", ret);
** CID 510460: Resource leaks (RESOURCE_LEAK) /fs/ext4/ext4fs.c: 216 in ext4fs_exists()
________________________________________________________________________________________________________ *** CID 510460: Resource leaks (RESOURCE_LEAK) /fs/ext4/ext4fs.c: 216 in ext4fs_exists() 210 struct ext2fs_node *dirnode = NULL; 211 int filetype; 212 213 if (!filename) 214 return 0; 215
CID 510460: Resource leaks (RESOURCE_LEAK) Variable "dirnode" going out of scope leaks the storage it points to.
216 return ext4fs_find_file1(filename, &ext4fs_root->diropen, &dirnode, 217 &filetype); 218 } 219 220 int ext4fs_size(const char *filename, loff_t *size) 221 {
** CID 510459: Incorrect expression (SIZEOF_MISMATCH) /boot/upl_read.c: 523 in decode_upl_graphics()
________________________________________________________________________________________________________ *** CID 510459: Incorrect expression (SIZEOF_MISMATCH) /boot/upl_read.c: 523 in decode_upl_graphics() 517 if (!buf) { 518 log_warning("Node '%s': Missing 'reg' property\n", 519 ofnode_get_name(node)); 520 return log_msg_ret("reg", -EINVAL); 521 } 522
CID 510459: Incorrect expression (SIZEOF_MISMATCH) Passing argument "buf" of type "char const *" and argument "8 /* sizeof (buf) */" to function "decode_addr_size" is suspicious.
523 len = decode_addr_size(upl, buf, sizeof(buf), &gra->reg); 524 if (len < 0) 525 return log_msg_ret("buf", len); 526 527 ret = read_uint(node, UPLP_WIDTH, &gra->width); 528 if (!ret)
** CID 510458: Control flow issues (NO_EFFECT) /lib/uuid.c: 269 in uuid_guid_get_str()
________________________________________________________________________________________________________ *** CID 510458: Control flow issues (NO_EFFECT) /lib/uuid.c: 269 in uuid_guid_get_str() 263 } 264 265 const char *uuid_guid_get_str(const unsigned char *guid_bin) 266 { 267 int i; 268
CID 510458: Control flow issues (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "i < 0UL".
269 for (i = 0; i < ARRAY_SIZE(list_guid); i++) { 270 if (!memcmp(list_guid[i].guid.b, guid_bin, 16)) { 271 return list_guid[i].string; 272 } 273 } 274 return NULL;
** CID 510457: (RESOURCE_LEAK) /tools/mkeficapsule.c: 934 in genguid() /tools/mkeficapsule.c: 930 in genguid() /tools/mkeficapsule.c: 924 in genguid() /tools/mkeficapsule.c: 944 in genguid() /tools/mkeficapsule.c: 959 in genguid()
________________________________________________________________________________________________________ *** CID 510457: (RESOURCE_LEAK) /tools/mkeficapsule.c: 934 in genguid() 928 if (!compatible) { 929 fprintf(stderr, "No compatible string found in DTB\n"); 930 return -1; 931 } 932 if (strnlen(compatible, compatlen) >= compatlen) { 933 fprintf(stderr, "Compatible string not null-terminated\n");
CID 510457: (RESOURCE_LEAK) Variable "dtb" going out of scope leaks the storage it points to.
934 return -1; 935 } 936 937 printf("Generating GUIDs for %s with namespace %s:\n", 938 compatible, DEFAULT_NAMESPACE_GUID); 939 for (; idx < argc; idx++) { /tools/mkeficapsule.c: 930 in genguid() 924 return -1; 925 } 926 927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen); 928 if (!compatible) { 929 fprintf(stderr, "No compatible string found in DTB\n");
CID 510457: (RESOURCE_LEAK) Variable "dtb" going out of scope leaks the storage it points to.
930 return -1; 931 } 932 if (strnlen(compatible, compatlen) >= compatlen) { 933 fprintf(stderr, "Compatible string not null-terminated\n"); 934 return -1; 935 } /tools/mkeficapsule.c: 924 in genguid() 918 if (!dtb) 919 return -1; 920 921 ret = fdt_check_header(dtb); 922 if (ret) { 923 fprintf(stderr, "Invalid DTB header: %d\n", ret);
CID 510457: (RESOURCE_LEAK) Variable "dtb" going out of scope leaks the storage it points to.
924 return -1; 925 } 926 927 compatible = fdt_getprop(dtb, 0, "compatible", &compatlen); 928 if (!compatible) { 929 fprintf(stderr, "No compatible string found in DTB\n"); /tools/mkeficapsule.c: 944 in genguid() 938 compatible, DEFAULT_NAMESPACE_GUID); 939 for (; idx < argc; idx++) { 940 memset(fw_image, 0, sizeof(fw_image)); 941 namelen = strlen(argv[idx]); 942 if (namelen > MAX_IMAGE_NAME_LEN) { 943 fprintf(stderr, "Image name too long: %s\n", argv[idx]);
CID 510457: (RESOURCE_LEAK) Variable "dtb" going out of scope leaks the storage it points to.
944 return -1; 945 } 946 947 for (int i = 0; i < namelen; i++) 948 fw_image[i] = (uint16_t)argv[idx][i]; 949 /tools/mkeficapsule.c: 959 in genguid() 953 NULL); 954 955 printf("%s: ", argv[idx]); 956 print_guid(&image_type_id); 957 } 958
CID 510457: (RESOURCE_LEAK) Variable "dtb" going out of scope leaks the storage it points to.
959 return 0; 960 } 961 962 /** 963 * main - main entry function of mkeficapsule 964 * @argc: Number of arguments
** CID 510456: Integer handling issues (NEGATIVE_RETURNS)
________________________________________________________________________________________________________ *** CID 510456: Integer handling issues (NEGATIVE_RETURNS) /boot/upl_write.c: 432 in add_upl_memres() 426 ret = ofnode_add_subnode(mem_node, name, &node); 427 if (ret) 428 return log_msg_ret("memres", ret); 429 430 len = buffer_addr_size(upl, buf, sizeof(buf), 431 memres->region.count, &memres->region);
CID 510456: Integer handling issues (NEGATIVE_RETURNS) "len" is passed to a parameter that cannot be negative.
432 ret = ofnode_write_prop(node, UPLP_REG, buf, len, true); 433 if (!ret && memres->no_map) 434 ret = ofnode_write_bool(node, UPLP_NO_MAP, 435 memres->no_map); 436 if (ret) 437 return log_msg_ret("lst", ret);
** CID 510455: Memory - corruptions (OVERLAPPING_COPY) /fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest()
________________________________________________________________________________________________________ *** CID 510455: Memory - corruptions (OVERLAPPING_COPY) /fs/squashfs/sqfs.c: 971 in sqfs_opendir_nest() 965 if (le16_to_cpu(dirs->i_dir.inode_type) == SQFS_DIR_TYPE) 966 dirs->size = le16_to_cpu(dirs->i_dir.file_size); 967 else 968 dirs->size = le32_to_cpu(dirs->i_ldir.file_size); 969 970 /* Setup directory header */
CID 510455: Memory - corruptions (OVERLAPPING_COPY) Copying 12 bytes from "dirs->table" to "dirs->dir_header", which point to overlapping memory locations.
971 memcpy(dirs->dir_header, dirs->table, SQFS_DIR_HEADER_SIZE); 972 dirs->entry_count = dirs->dir_header->count + 1; 973 dirs->size -= SQFS_DIR_HEADER_SIZE; 974 975 /* Setup entry */ 976 dirs->entry = NULL;
** CID 510454: (SIZEOF_MISMATCH) /test/cmd/mbr.c: 280 in mbr_test_run() /test/cmd/mbr.c: 421 in mbr_test_run() /test/cmd/mbr.c: 351 in mbr_test_run() /test/cmd/mbr.c: 316 in mbr_test_run() /test/cmd/mbr.c: 386 in mbr_test_run()
________________________________________________________________________________________________________ *** CID 510454: (SIZEOF_MISMATCH) /test/cmd/mbr.c: 280 in mbr_test_run() 274 275 /* Make sure mmc6 is 12+ MiB in size */ 276 ut_assertok(run_commandf("mmc read %lx %lx 1", ra, 277 (ulong)0xbffe00 / BLKSZ)); 278 279 /* Test one MBR partition */
CID 510454: (SIZEOF_MISMATCH) Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
280 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__); 281 ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 1)); 282 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa)); 283 memset(rbuf, '\0', BLKSZ); 284 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra)); 285 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ)); /test/cmd/mbr.c: 421 in mbr_test_run() 415 ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p4[i], 416 "4P MBR+0x%04X: expected %#02X, actual: %#02X\n", 417 mbr_cmp_start + i, mbr_parts_ref_p4[i], rbuf[mbr_cmp_start + i]); 418 } 419 420 /* Test five MBR partitions */
CID 510454: (SIZEOF_MISMATCH) Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
421 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__); 422 ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 5)); 423 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa)); 424 memset(rbuf, '\0', BLKSZ); 425 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra)); 426 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ)); /test/cmd/mbr.c: 351 in mbr_test_run() 345 ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p2[i], 346 "2P MBR+0x%04X: expected %#02X, actual: %#02X\n", 347 mbr_cmp_start + i, mbr_parts_ref_p2[i], rbuf[mbr_cmp_start + i]); 348 } 349 350 /* Test three MBR partitions */
CID 510454: (SIZEOF_MISMATCH) Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
351 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__); 352 ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 3)); 353 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa)); 354 memset(rbuf, '\0', BLKSZ); 355 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra)); 356 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ)); /test/cmd/mbr.c: 316 in mbr_test_run() 310 ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p1[i], 311 "1P MBR+0x%04X: expected %#02X, actual: %#02X\n", 312 mbr_cmp_start + i, mbr_parts_ref_p1[i], rbuf[mbr_cmp_start + i]); 313 } 314 315 /* Test two MBR partitions */
CID 510454: (SIZEOF_MISMATCH) Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
316 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__); 317 ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 2)); 318 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa)); 319 memset(rbuf, '\0', BLKSZ); 320 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra)); 321 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ)); /test/cmd/mbr.c: 386 in mbr_test_run() 380 ut_assertf(rbuf[mbr_cmp_start + i] == mbr_parts_ref_p3[i], 381 "3P MBR+0x%04X: expected %#02X, actual: %#02X\n", 382 mbr_cmp_start + i, mbr_parts_ref_p3[i], rbuf[mbr_cmp_start + i]); 383 } 384 385 /* Test four MBR partitions */
CID 510454: (SIZEOF_MISMATCH) Passing argument "mbr_wbuf" of type "unsigned char *" and argument "8UL /* sizeof (mbr_wbuf) */" to function "init_write_buffers" is suspicious.
386 init_write_buffers(mbr_wbuf, sizeof(mbr_wbuf), ebr_wbuf, sizeof(ebr_wbuf), __LINE__); 387 ut_assertok(build_mbr_parts(mbr_parts_buf, sizeof(mbr_parts_buf), 4)); 388 ut_assertok(run_commandf("write mmc 6:0 %lx 0 1", mbr_wa)); 389 memset(rbuf, '\0', BLKSZ); 390 ut_assertok(run_commandf("read mmc 6:0 %lx 0 1", ra)); 391 ut_assertok(memcmp(mbr_wbuf, rbuf, BLKSZ));
** CID 510453: Null pointer dereferences (FORWARD_NULL) /fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest()
________________________________________________________________________________________________________ *** CID 510453: Null pointer dereferences (FORWARD_NULL) /fs/squashfs/sqfs.c: 983 in sqfs_opendir_nest() 977 dirs->table += SQFS_DIR_HEADER_SIZE; 978 979 *dirsp = (struct fs_dir_stream *)dirs; 980 981 out: 982 for (j = 0; j < token_count; j++)
CID 510453: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "token_list".
983 free(token_list[j]); 984 free(token_list); 985 free(pos_list); 986 free(path); 987 if (ret) { 988 free(inode_table);
** CID 510452: Null pointer dereferences (FORWARD_NULL) /fs/squashfs/sqfs.c: 1676 in sqfs_size_nest()
________________________________________________________________________________________________________ *** CID 510452: Null pointer dereferences (FORWARD_NULL) /fs/squashfs/sqfs.c: 1676 in sqfs_size_nest() 1670 printf("File not found.\n"); 1671 *size = 0; 1672 ret = -EINVAL; 1673 goto free_strings; 1674 } 1675
CID 510452: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "dirs->entry".
1676 i_number = dirs->dir_header->inode_number + dirs->entry->inode_offset; 1677 ipos = sqfs_find_inode(dirs->inode_table, i_number, sblk->inodes, 1678 sblk->block_size); 1679 1680 if (!ipos) { 1681 *size = 0;
** CID 510451: (TAINTED_SCALAR) /fs/squashfs/sqfs.c: 1612 in sqfs_read_nest() /fs/squashfs/sqfs.c: 1612 in sqfs_read_nest() /fs/squashfs/sqfs.c: 1604 in sqfs_read_nest()
________________________________________________________________________________________________________ *** CID 510451: (TAINTED_SCALAR) /fs/squashfs/sqfs.c: 1612 in sqfs_read_nest() 1606 1607 free(fragment_block); 1608 1609 } else if (finfo.frag && !finfo.comp) { 1610 fragment_block = (void *)fragment + table_offset; 1611
CID 510451: (TAINTED_SCALAR) Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1612 memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread); 1613 *actread = finfo.size; 1614 } 1615 1616 out: 1617 free(fragment); /fs/squashfs/sqfs.c: 1612 in sqfs_read_nest() 1606 1607 free(fragment_block); 1608 1609 } else if (finfo.frag && !finfo.comp) { 1610 fragment_block = (void *)fragment + table_offset; 1611
CID 510451: (TAINTED_SCALAR) Passing tainted expression "finfo.size - *actread" to "memcpy", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
1612 memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread); 1613 *actread = finfo.size; 1614 } 1615 1616 out: 1617 free(fragment); /fs/squashfs/sqfs.c: 1621 in sqfs_read_nest() 1615 1616 out: 1617 free(fragment); 1618 free(datablock); 1619 free(file); 1620 free(dir);
CID 510451: (TAINTED_SCALAR) Passing tainted expression "*finfo.blk_sizes" to "dlfree", which uses it as an offset.
1621 free(finfo.blk_sizes); 1622 sqfs_closedir(dirsp); 1623 1624 return ret; 1625 } 1626 /fs/squashfs/sqfs.c: 1604 in sqfs_read_nest() 1598 frag_entry.size); 1599 if (ret) { 1600 free(fragment_block); 1601 goto out; 1602 } 1603
CID 510451: (TAINTED_SCALAR) Using tainted variable "finfo.offset" as an index to pointer "fragment_block".
1604 memcpy(buf + *actread, &fragment_block[finfo.offset], finfo.size - *actread); 1605 *actread = finfo.size; 1606 1607 free(fragment_block); 1608 1609 } else if (finfo.frag && !finfo.comp) {
** CID 510450: Code maintainability issues (UNUSED_VALUE) /fs/squashfs/sqfs.c: 1506 in sqfs_read_nest()
________________________________________________________________________________________________________ *** CID 510450: Code maintainability issues (UNUSED_VALUE) /fs/squashfs/sqfs.c: 1506 in sqfs_read_nest() 1500 n_blks = DIV_ROUND_UP(table_size + table_offset, 1501 ctxt.cur_dev->blksz); 1502 1503 /* Don't load any data for sparse blocks */ 1504 if (finfo.blk_sizes[j] == 0) { 1505 n_blks = 0;
CID 510450: Code maintainability issues (UNUSED_VALUE) Assigning value "0ULL" to "table_offset" here, but that stored value is overwritten before it can be used.
1506 table_offset = 0; 1507 data_buffer = NULL; 1508 data = NULL; 1509 } else { 1510 data_buffer = malloc_cache_aligned(n_blks * ctxt.cur_dev->blksz); 1511
----- End forwarded message -----
----- Ursprüngliche Mail -----
Von: "Tom Rini" trini@konsulko.com An: "u-boot" u-boot@lists.denx.de CC: "Simon Glass" sjg@chromium.org, "Joao Marcos Costa" jmcosta944@gmail.com, "Thomas Petazzoni" thomas.petazzoni@bootlin.com, "Jerome Forissier" jerome.forissier@linaro.org, "Sughosh Ganu" sughosh.ganu@linaro.org, "Caleb Connolly" caleb.connolly@linaro.org, "richard" richard@nod.at Gesendet: Montag, 7. Oktober 2024 19:15:05 Betreff: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Now that I've merged next to master, there's a number of issues to address.
AFAICT, all issues in fs/{ext4, squashfs} are not new. Looks more like Coverity re-scanned these files because they have been touched by my fixes.
Later this week I'll have more time to triage these issues and post fixes.
Thanks, //richard
On Mon, Oct 07, 2024 at 08:17:44PM +0200, Richard Weinberger wrote:
----- Ursprüngliche Mail -----
Von: "Tom Rini" trini@konsulko.com An: "u-boot" u-boot@lists.denx.de CC: "Simon Glass" sjg@chromium.org, "Joao Marcos Costa" jmcosta944@gmail.com, "Thomas Petazzoni" thomas.petazzoni@bootlin.com, "Jerome Forissier" jerome.forissier@linaro.org, "Sughosh Ganu" sughosh.ganu@linaro.org, "Caleb Connolly" caleb.connolly@linaro.org, "richard" richard@nod.at Gesendet: Montag, 7. Oktober 2024 19:15:05 Betreff: Fwd: New Defects reported by Coverity Scan for Das U-Boot
Now that I've merged next to master, there's a number of issues to address.
AFAICT, all issues in fs/{ext4, squashfs} are not new. Looks more like Coverity re-scanned these files because they have been touched by my fixes.
Quite likely, yeah.
Later this week I'll have more time to triage these issues and post fixes.
Thanks!
participants (2)
-
Richard Weinberger -
Tom Rini