[scan-admin@coverity.com: New Defects reported by Coverity Scan for Das U-Boot]
----- Forwarded message from scan-admin@coverity.com -----
Date: Tue, 06 Sep 2022 01:07:45 +0000 (UTC) From: scan-admin@coverity.com To: tom.rini@gmail.com Subject: New Defects reported by Coverity Scan for Das U-Boot
Hi,
Please find the latest report on new defect(s) introduced to Das U-Boot found with Coverity Scan.
2 new defect(s) introduced to Das U-Boot found with Coverity Scan. 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 2 of 2 defect(s)
** CID 356664: API usage errors (BUFFER_SIZE) /lib/tpm-v2.c: 703 in tpm2_report_state()
________________________________________________________________________________________________________ *** CID 356664: API usage errors (BUFFER_SIZE) /lib/tpm-v2.c: 703 in tpm2_report_state() 697 log_debug("ret=%s, %x\n", dev->name, ret); 698 if (ret) 699 return ret; 700 if (*recv_size < 12) 701 return -ENODATA; 702 *recv_size -= 12;
CID 356664: API usage errors (BUFFER_SIZE) The source buffer "recvbuf + 12" potentially overlaps with the destination buffer "recvbuf", which results in undefined behavior for "memcpy".
703 memcpy(recvbuf, recvbuf + 12, *recv_size); 704 705 return 0; 706 } 707 708 u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
** CID 183377: (TAINTED_SCALAR) /drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer() /drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer()
________________________________________________________________________________________________________ *** CID 183377: (TAINTED_SCALAR) /drivers/tpm/tpm2_tis_sandbox.c: 735 in sandbox_tpm2_xfer() 729 seq = sb_tpm_index_to_seq(index); 730 if (seq < 0) 731 return log_msg_ret("index", -EINVAL); 732 printf("tpm: nvread index=%#02x, len=%#02x, seq=%#02x\n", index, 733 length, seq); 734 *recv_len = TPM2_HDR_LEN + 6 + length;
CID 183377: (TAINTED_SCALAR) Passing tainted expression "*recv_len" to "memset", which uses it as an offset. [Note: The source code implementation of the function has been overridden by a builtin model.]
735 memset(recvbuf, '\0', *recv_len); 736 put_unaligned_be32(length, recvbuf + 2); 737 sb_tpm_read_data(tpm->nvdata, seq, recvbuf, 738 TPM2_HDR_LEN + 4 + 2, length); 739 break; 740 } /drivers/tpm/tpm2_tis_sandbox.c: 586 in sandbox_tpm2_xfer() 580 581 /* Give the number of properties that follow */ 582 put_unaligned_be32(property_count, recv); 583 recv += sizeof(property_count); 584 585 /* Fill with the properties */
CID 183377: (TAINTED_SCALAR) Using tainted variable "property_count" as a loop boundary.
586 for (i = 0; i < property_count; i++) { 587 put_unaligned_be32(TPM2_PROPERTIES_OFFSET + property + 588 i, recv); 589 recv += sizeof(property); 590 put_unaligned_be32(tpm->properties[property + i], 591 recv);
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
To manage Coverity Scan email notifications for "tom.rini@gmail.com", click https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...
----- End forwarded message -----
participants (1)
-
Tom Rini