New Defects reported by Coverity Scan for coreboot
Hi, Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan. 10 new defect(s) introduced to coreboot found with Coverity Scan. 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 10 of 10 defect(s) ** CID 1302458: Control flow issues (DEADCODE) /src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core() ________________________________________________________________________________________________________ *** CID 1302458: Control flow issues (DEADCODE) /src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core() 69 /* Write PPC object */ 70 acpigen_write_PPC(pstate_num); 71 72 /* Write PSD indicating coordination type */ 73 if ((single_link) && (mctGetLogicalCPUID(0) & AMD_DR_GT_Bx)) { 74 /* Revision C or greater single-link processor */
CID 1302458: Control flow issues (DEADCODE) Execution cannot reach this statement: "cpuid1 = cpuid(-2147483640);". (Coverity prints the leaf as a signed 32-bit value; -2147483640 is 0x80000008.) The analyzer is treating the condition on line 73 as constant-false, which suggests one of its operands (`single_link` or the `AMD_DR_GT_Bx` mask test) folds to a constant in the analyzed configuration; confirm whether the revision-C single-link PSD path is genuinely unreachable before removing it, since the fallback branch starting on line 78 derives the coordination domain differently.
75 cpuid1 = cpuid(0x80000008); 76 acpigen_write_PSD_package(0, (cpuid1.ecx & 0xff) + 1, SW_ALL); 77 } 78 else { 79 /* Find the local APIC ID for the specified core ID */ 80 struct device* cpu;
** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test() ________________________________________________________________________________________________________ *** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test() 446 if ((*fmap)->nareas != 1) { 447 printf("FAILURE: failed to increment number of areas\n"); 448 goto fmap_append_area_test_exit; 449 } 450 451 status = pass;
CID 1302457: Control flow issues (MISSING_RESTORE) Jumped to here, skipping restore. The `goto fmap_append_area_test_exit` on line 448 bypasses the `status = pass` assignment on line 451; if `status` is set to the failure value before the checks (its initialisation is not shown here), that is the intended failure path and this finding can be triaged as intentional rather than patched.
452 fmap_append_area_test_exit: 453 return status; 454 } 455 456 static int fmap_find_area_test(struct fmap *fmap) 457 {
** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test() ________________________________________________________________________________________________________ *** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test() 562 printf("FAILURE: bsearch returned false positive\n"); 563 goto fmap_find_test_exit; 564 } 565 566 /* simple test case: fmap at (total_size / 2) + 1 */ 567 offset = (total_size / 2) + 1;
CID 1302456: Error handling issues (NEGATIVE_RETURNS) "fmap_size(fmap)" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.] The length argument of `memcpy` is a `size_t`, so if `fmap_size()` can report failure with a negative return value, that value would be converted to a very large unsigned length and the copy on line 568 would overrun `buf`. Check the result before the copy, e.g. `int sz = fmap_size(fmap); if (sz < 0) goto fmap_find_test_exit;`, and then pass `sz`.
568 memcpy(&buf[offset], fmap, fmap_size(fmap)); 569 570 if ((unsigned)fmap_find(buf, total_size - 1) != offset) { 571 printf("FAILURE: lsearch failed to find fmap\n"); 572 goto fmap_find_test_exit; 573 }
** CID 1302455: Null pointer dereferences (NULL_RETURNS) /util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen() ________________________________________________________________________________________________________ *** CID 1302455: Null pointer dereferences (NULL_RETURNS) /util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen() 198 partitioned_file_close(file); 199 return NULL; 200 } 201 202 const struct fmap_area *fmap_fmap_entry = 203 fmap_find_area(file->fmap, SECTION_NAME_FMAP);
CID 1302455: Null pointer dereferences (NULL_RETURNS) Dereferencing a null pointer "fmap_fmap_entry". `fmap_find_area()` returns NULL when the named area is absent, and line 204 dereferences the result without a check. This function is parsing an FMAP read from a file, and the error message on line 205 already anticipates a corrupt image, so a crafted or damaged image with no `SECTION_NAME_FMAP` area would crash cbfstool instead of being rejected; add `if (!fmap_fmap_entry)` before line 204 and take the same `partitioned_file_close(file); return NULL;` path.
204 if ((long)fmap_fmap_entry->offset != fmap_region_offset) { 205 ERROR("FMAP's '%s' section doesn't point back to FMAP start (did something corrupt this file?)\n", 206 SECTION_NAME_FMAP); 207 partitioned_file_close(file); 208 return NULL; 209 }
** CID 1302454: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1302454: Memory - corruptions (OVERRUN) /util/cbfstool/flashmap/fmap.c: 342 in fmap_create_test() 336 uint64_t base = 0; 337 uint32_t size = 0x100000; 338 char name[] = "test_fmap"; 339 340 status = fail; 341
CID 1302454: Memory - corruptions (OVERRUN) Overrunning array "name" of 10 bytes by passing it to a function which accesses it at byte offset 31. `char name[] = "test_fmap"` is exactly 10 bytes, but `fmap_create()` apparently reads the name argument out to 32 bytes (presumably the width of the fixed-size name field it copies into; not visible here). Either have `fmap_create()` bound the copy by `strlen()`/`strncpy` of the source, or, as a test-only workaround, declare `name` with the full field width so the read stays in bounds.
342 fmap = fmap_create(base, size, (uint8_t *)name); 343 if (!fmap) 344 return NULL; 345 346 if (memcmp(&fmap->signature, FMAP_SIGNATURE, strlen(FMAP_SIGNATURE))) { 347 printf("FAILURE: signature is incorrect\n");
** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() ________________________________________________________________________________________________________ *** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() 524 } 525 free(my_str); 526 free(str); 527 528 status = pass; 529 fmap_flags_to_string_test_exit:
CID 1302453: Resource leaks (RESOURCE_LEAK) Variable "my_str" going out of scope leaks the storage it points to. The `free(my_str)` on line 525 sits on the success path only; any earlier `goto fmap_flags_to_string_test_exit` lands on line 529 and skips it. Initialise `my_str` to NULL, move the `free()` calls after the label (just before `return status`), and the same cleanup covers every exit since `free(NULL)` is a no-op.
530 return status; 531 532 } 533 534 static int fmap_find_test(struct fmap *fmap) 535 {
** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() ________________________________________________________________________________________________________ *** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() 524 } 525 free(my_str); 526 free(str); 527 528 status = pass; 529 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to. Same pattern as CID 1302453 in this function: `free(str)` on line 526 is bypassed by any `goto fmap_flags_to_string_test_exit` taken before it, so the fix is shared — initialise `str` to NULL and free both pointers after the label on line 529.
530 return status; 531 532 } 533 534 static int fmap_find_test(struct fmap *fmap) 535 { /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() 524 } 525 free(my_str); 526 free(str); 527 528 status = pass; 529 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to.
530 return status; 531 532 } 533 534 static int fmap_find_test(struct fmap *fmap) 535 {
** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 207 in fmap_print() ________________________________________________________________________________________________________ *** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 207 in fmap_print() 201 kv_pair_fmt(pair, "area_flags_raw", "0x%02x", 202 fmap->areas[i].flags); 203 204 /* Print descriptive strings for flags rather than the field */ 205 flags = fmap->areas[i].flags; 206 if ((str = fmap_flags_to_string(flags)) == NULL)
CID 1302451: Resource leaks (RESOURCE_LEAK) Variable "pair" going out of scope leaks the storage it points to. The `return -1` on line 207 exits before the `kv_pair_free(pair)` on line 212, so the pair allocated for the current area is leaked whenever `fmap_flags_to_string()` fails; call `kv_pair_free(pair);` before the `return -1`.
207 return -1; 208 kv_pair_fmt(pair, "area_flags", "%s", str); 209 free(str); 210 211 kv_pair_print(pair); 212 kv_pair_free(pair);
** CID 1302450: Security best practices violations (STRING_OVERFLOW) /src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate() ________________________________________________________________________________________________________ *** CID 1302450: Security best practices violations (STRING_OVERFLOW) /src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate() 44 char *ptr; 45 int kind; 46 kind = (conf->did[i] >> 8) & 0xf; 47 if (kind >= ARRAY_SIZE(names)) { 48 kind = 0; 49 }
CID 1302450: Security best practices violations (STRING_OVERFLOW) You might overrun the 10 byte fixed-size string "name" by copying "names[kind]" without checking the length. Whether this actually overflows depends on the longest entry in `names[]` (not shown), but the code also appends a digit and a terminator after the copy (lines 52-53), so the bound is `strlen(names[kind]) + 2 <= sizeof(name)`. Replacing lines 50-53 with `snprintf(name, sizeof(name), "%s%d", names[kind], counters[kind]);` bounds the write and also removes the implicit assumption that `counters[kind]` stays below 10, which `counters[kind] + '0'` relies on.
50 strcpy(name, names[kind]); 51 for (ptr = name; *ptr; ptr++); 52 *ptr++ = counters[kind] + '0'; 53 *ptr++ = '\0'; 54 counters[kind]++; 55 acpigen_write_device(name);
** CID 1256584: Error handling issues (CHECKED_RETURN) /src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io() ________________________________________________________________________________________________________ *** CID 1256584: Error handling issues (CHECKED_RETURN) /src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io() 46 } 47 48 static int crosec_spi_io(size_t req_size, size_t resp_size, void *context) 49 { 50 struct spi_slave *slave = (struct spi_slave *)context; 51
CID 1256584: Error handling issues (CHECKED_RETURN) Calling "spi_claim_bus" without checking return value (as is done elsewhere 4 out of 5 times). If the claim fails, the EC transaction that follows runs without ownership of the bus; `crosec_spi_io()` already returns an `int`, so propagate the failure, e.g. `if (spi_claim_bus(slave)) return -1;` (match whatever error value the other callers of this function expect).
52 spi_claim_bus(slave); 53 54 /* Allow EC to ramp up clock after being awaken. 55 * See chrome-os-partner:32223 for more details. */ 56 udelay(CONFIG_EC_GOOGLE_CHROMEEC_SPI_WAKEUP_DELAY_US); 57
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/1016?tab=overview To manage Coverity Scan email notifications for "coreboot@coreboot.org", click https://scan.coverity.com/subscriptions/edit?email=coreboot%40coreboot.org&t... .