New Defects reported by Coverity Scan for coreboot
s***@coverity.com
2018-10-05 14:25:54 UTC
Hi,

Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.

1 new defect(s) introduced to coreboot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 1396010: Null pointer dereferences (FORWARD_NULL)
/src/security/tpm/tss/tcg-2.0/tss.c: 68 in tlcl_send_startup()


________________________________________________________________________________________________________
*** CID 1396010: Null pointer dereferences (FORWARD_NULL)
/src/security/tpm/tss/tcg-2.0/tss.c: 68 in tlcl_send_startup()
62 response = tpm_process_command(TPM2_Startup, &startup);
63
64 if (response && (response->hdr.tpm_code == 0 ||
65 response->hdr.tpm_code == TPM_RC_INITIALIZE)) {
66 return TPM_SUCCESS;
67 }
CID 1396010: Null pointer dereferences (FORWARD_NULL)
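Dereferencing null pointer "response". The condition on line 64 is also false when "response" is NULL, so that case falls through to the printk on lines 68-69, which reads response->hdr.tpm_code.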
68 printk(BIOS_INFO, "%s: Startup return code is %x\n",
69 __func__, response->hdr.tpm_code);
70 return TPM_E_IOERROR;
71 }
72
73 uint32_t tlcl_resume(void)


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5bH-2FZ483O-2BcxFXL8EnScZk-2FK03sQPuIY-2F-2BUC5-2F1MeibpqZsG2gXVlJA6FVsrtmuM9Ns-2FKS5K-2B4Be9MvFTuwTv9EAL55BaWDAMdHVuxqXH7XPbEH2HA46iXnpL5-2BV2L6i0-2Bcr5zLQ81YuKKOXlIIygMe0YQPW74Y4gQNVJoNbSMTASg6DbeYITRMKVyEtWm0qAU-3D
--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
s***@coverity.com
2018-10-09 14:27:26 UTC
Hi,

Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.

9 new defect(s) introduced to coreboot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 1396055: Incorrect expression (SIZEOF_MISMATCH)
/src/drivers/generic/generic/generic.c: 67 in generic_autogen_name()


________________________________________________________________________________________________________
*** CID 1396055: Incorrect expression (SIZEOF_MISMATCH)
/src/drivers/generic/generic/generic.c: 67 in generic_autogen_name()
61 char *name = &config->autogen_name[0];
62 static unsigned int id;
63
64 if (name[0] != '\0')
65 return name;
66
CID 1396055: Incorrect expression (SIZEOF_MISMATCH)
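Passing argument "name" of type "char *" and argument "4UL /* sizeof (name) */" to function "snprintf" is suspicious. Because "name" is declared as "char *" (line 61), sizeof(name) is the size of the pointer (4 here), not the size of the config->autogen_name buffer it points into; with a limit of 4, snprintf stores at most three characters plus the terminator.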
67 snprintf(name, sizeof(name), "G%03.3X", id++);
68 name[4] = '\0';
69 return name;
70 }
71
72 static const char *generic_dev_acpi_name(const struct device *dev)

** CID 1396054: Null pointer dereferences (NULL_RETURNS)


________________________________________________________________________________________________________
*** CID 1396054: Null pointer dereferences (NULL_RETURNS)
/src/drivers/generic/generic/generic.c: 38 in generic_dev_fill_ssdt_generator()
32
33 if (!config->hid) {
34 printk(BIOS_ERR, "%s: ERROR: _HID required\n", dev_path(dev));
35 return;
36 }
37
CID 1396054: Null pointer dereferences (NULL_RETURNS)
Dereferencing a pointer that might be null "acpi_device_scope(dev)" when calling "acpigen_write_scope".
38 acpigen_write_scope(acpi_device_scope(dev));
39 acpigen_write_device(acpi_device_name(dev));
40 acpigen_write_name_string("_HID", config->hid);
41 if (config->cid)
42 acpigen_write_name_string("_CID", config->cid);
43 acpigen_write_name_integer("_UID", config->uid);

** CID 1396053: Parse warnings (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 652 in ()


________________________________________________________________________________________________________
*** CID 1396053: Parse warnings (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 652 in ()
646 } __packed;
647
648 struct lp0_header header __attribute__((section(".header"))) =
649 {
650 .length_insecure = (uintptr_t)&blob_total_size,
651 .length_secure = (uintptr_t)&blob_total_size,
CID 1396053: Parse warnings (PARSE_ERROR)
identifier "blob_data" is undefined
652 .destination = (uintptr_t)&blob_data,
653 .entry_point = (uintptr_t)&lp0_resume,
654 .code_length = (uintptr_t)&blob_data_size

** CID 1396052: (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 993 in fix_vbios_checksum()
/util/intelvbttool/intelvbttool.c: 998 in fix_vbios_checksum()


________________________________________________________________________________________________________
*** CID 1396052: (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 993 in fix_vbios_checksum()
987 if (!fo) {
988 printerr("%s open failed\n", filename);
989 return 1;
990 }
991
992 if (fo->size < sizeof(optionrom_header_t))
CID 1396052: (RESOURCE_LEAK)
Variable "fo" going out of scope leaks the storage it points to.
993 return 1;
994
995 optionrom_header_t *oh = (optionrom_header_t *)fo->data;
996
997 if (oh->size * 512 > fo->size)
998 return 1;
/util/intelvbttool/intelvbttool.c: 998 in fix_vbios_checksum()
992 if (fo->size < sizeof(optionrom_header_t))
993 return 1;
994
995 optionrom_header_t *oh = (optionrom_header_t *)fo->data;
996
997 if (oh->size * 512 > fo->size)
CID 1396052: (RESOURCE_LEAK)
Variable "fo" going out of scope leaks the storage it points to.
998 return 1;
999
1000 /* fix checksum */
1001 oh->checksum = -(checksum_vbios(oh) - oh->checksum);
1002
1003 if (write_file(filename, fo)) {

** CID 1396051: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/util/intelvbttool/intelvbttool.c: 394 in read_file()


________________________________________________________________________________________________________
*** CID 1396051: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/util/intelvbttool/intelvbttool.c: 394 in read_file()
388 printerr("%s seek failed: %s\n", filename, strerror(errno));
389 fclose(fd);
390 return NULL;
391 }
392
393 const off_t size = ftell(fd);
CID 1396051: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
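"size > 18446744073709551615UL" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". In the analyzed build the off_t value cannot exceed SIZE_MAX, so only the "size < 0" test has any effect; the comparison may still matter on a build where size_t is narrower than off_t.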
394 if (size < 0 || size > SIZE_MAX) {
395 printerr("%s tell failed: %s\n", filename, strerror(errno));
396 fclose(fd);
397 return NULL;
398 }
399

** CID 1396050: Resource leaks (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 794 in parse_vbt()


________________________________________________________________________________________________________
*** CID 1396050: Resource leaks (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 794 in parse_vbt()
788 if (!bdb_head->header_size || bdb_head->header_size > fo->size) {
789 printerr("invalid BDB header size\n");
790 return;
791 }
792
793 /* Duplicate fo as caller is owner and remalloc frees the object */
CID 1396050: Resource leaks (RESOURCE_LEAK)
Failing to save or free storage allocated by "malloc_fo_sub(fo, 0UL)" leaks it.
794 *vbt = remalloc_fo(malloc_fo_sub(fo, 0), head->vbt_size);
795 }
796
797 /* Option ROM checksum */
798 static u8 checksum_vbios(const optionrom_header_t *oh)
799 {

** CID 1396049: Parse warnings (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 653 in ()


________________________________________________________________________________________________________
*** CID 1396049: Parse warnings (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 653 in ()
647
648 struct lp0_header header __attribute__((section(".header"))) =
649 {
650 .length_insecure = (uintptr_t)&blob_total_size,
651 .length_secure = (uintptr_t)&blob_total_size,
652 .destination = (uintptr_t)&blob_data,
CID 1396049: Parse warnings (PARSE_ERROR)
identifier "lp0_resume" is undefined
653 .entry_point = (uintptr_t)&lp0_resume,
654 .code_length = (uintptr_t)&blob_data_size

** CID 1396048: (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 266 in ()
/src/soc/nvidia/tegra210/lp0/tegra_lp0_resume.c: 430 in ()


________________________________________________________________________________________________________
*** CID 1396048: (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 266 in ()
260 static uint32_t *sysctr_cntfid0_ptr = (void *)(SYSCTR_CTLR_BASE + 0x20);
261
262
263
264 /* Utility functions. */
265
CID 1396048: (PARSE_ERROR)
expected a ";"
266 static __always_inline void __noreturn halt(void)
267 {
268 for (;;);
269 }
270
271 static inline uint32_t read32(const void *addr)
/src/soc/nvidia/tegra210/lp0/tegra_lp0_resume.c: 430 in ()
424 #define MAX77621_VOUT_VAL (0x80 | 0x27)
425 #define MAX77621_VOUT_DATA (MAX77621_VOUT_REG | (MAX77621_VOUT_VAL << 8))
426
427
428 /* Utility functions. */
429
CID 1396048: (PARSE_ERROR)
expected a ";"
430 static __always_inline void __noreturn halt(void)
431 {
432 for (;;);
433 }
434
435 static inline uint32_t read32(const void *addr)

** CID 1396047: (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 1041 in patch_vbios()
/util/intelvbttool/intelvbttool.c: 1045 in patch_vbios()


________________________________________________________________________________________________________
*** CID 1396047: (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 1041 in patch_vbios()
1035 parse_vbios(fo, &old_vbt);
1036
1037 if (old_vbt) {
1038 if (oh->vbt_offset + vbt_size(old_vbt) == fo->size) {
1039 /* Located at the end of file - reduce file size */
1040 if (fo->size < vbt_size(old_vbt))
CID 1396047: (RESOURCE_LEAK)
Variable "old_vbt" going out of scope leaks the storage it points to.
1041 return 1;
1042 fo = remalloc_fo(fo, fo->size - vbt_size(old_vbt));
1043 if (!fo) {
1044 printerr("Failed to allocate memory\n");
1045 return 1;
1046 }
/util/intelvbttool/intelvbttool.c: 1045 in patch_vbios()
1039 /* Located at the end of file - reduce file size */
1040 if (fo->size < vbt_size(old_vbt))
1041 return 1;
1042 fo = remalloc_fo(fo, fo->size - vbt_size(old_vbt));
1043 if (!fo) {
1044 printerr("Failed to allocate memory\n");
CID 1396047: (RESOURCE_LEAK)
Variable "old_vbt" going out of scope leaks the storage it points to.
1045 return 1;
1046 }
1047 oh->vbt_offset = 0;
1048 } else if (vbt_size(old_vbt) < vbt_size(fo_vbt)) {
1049 /* In the middle of the file - Remove old VBT */
1050 memset(fo->data + oh->vbt_offset, 0xff,


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5bOy3AWPfQ3nD9AkRtyiSLXO7H14lQOr9-2BjeTrnJDrqEIpgFK2pq-2F9qmWpOUeIbXNCxaXNENW-2FtPU9KydOMHP-2F6u3xTdRldolq3WLF6DC83YarQxS24f4OoX-2FSuiI7d3Qr8Khg7h2oWVPX7KzNxFQrdqEuyCbffLbz5mTDuSWix5xciaVavZ8Rv0cYsWZBsCI8-3D
--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
s***@coverity.com
2018-10-12 14:28:38 UTC
Hi,

Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.

1 new defect(s) introduced to coreboot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 1 of 1 defect(s)


** CID 1396100: Memory - corruptions (ARRAY_VS_SINGLETON)


________________________________________________________________________________________________________
*** CID 1396100: Memory - corruptions (ARRAY_VS_SINGLETON)
/src/lib/selfboot.c: 236 in selfload()
230 data = rdev_mmap_full(prog_rdev(payload));
231
232 if (data == NULL)
233 return false;
234
235 cbfssegs = &((struct cbfs_payload *)data)->segments;
CID 1396100: Memory - corruptions (ARRAY_VS_SINGLETON)
Passing "cbfssegs" to function "load_payload_segments" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
236 if (load_payload_segments(cbfssegs, check_regions, &entry))
237 goto out;
238
239 printk(BIOS_SPEW, "Loaded segments\n");
240
241 rdev_munmap(prog_rdev(payload), data);


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5aPNVLSVuib0YHFrGR07W6WEe3JeaM4almF5Vjpbfd3gKwn9hf-2BsFJAVGl02vtJw27-2Fnc6zW1UOED2NZmlyhqZl5iCU-2BGk2pIrSp5fFPu44cX7baqS70chg2zMkIUm1pCNhY2mngryLy-2FkLN1WHdh2qW4-2FFw2XrHp5AXiL9s57V2xJA4Rbtm334tBNmmhGr4nc-3D
--
coreboot mailing list: ***@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot