July 2019 - coreboot - mail.coreboot.org

New Defects reported by Coverity Scan for coreboot

by scan-admin＠coverity.com

Hi, Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan. 49 new defect(s) introduced to coreboot found with Coverity Scan. 124 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 49 defect(s) ** CID 1403651: Control flow issues (DEADCODE) /src/mainboard/purism/librem_skl/hda_verb.c: 51 in mb_hda_codec_init() ________________________________________________________________________________________________________ *** CID 1403651: Control flow issues (DEADCODE) /src/mainboard/purism/librem_skl/hda_verb.c: 51 in mb_hda_codec_init() 45 struct resource *res; 46 u32 codec_mask; 47 struct device *dev; 48 49 dev = SA_DEV_ROOT; 50 /* Check if HDA is enabled, else return */ >>> CID 1403651: Control flow issues (DEADCODE) >>> Execution cannot reach the expression "dev->chip_info == NULL" inside this statement: "if (dev == NULL || dev->chi...". 51 if (dev == NULL || dev->chip_info == NULL) 52 return; 53 54 config = dev->chip_info; 55 56 /* ** CID 1403002: (UNINIT) /src/soc/mediatek/mt8183/dramc_pi_calibration_api.c: 548 in dramc_find_gating_window() /src/soc/mediatek/mt8183/dramc_pi_calibration_api.c: 542 in dramc_find_gating_window() ________________________________________________________________________________________________________ *** CID 1403002: (UNINIT) /src/soc/mediatek/mt8183/dramc_pi_calibration_api.c: 548 in dramc_find_gating_window() 542 pass_count_1[dqs]++; 543 544 if (pass_begin[dqs] == 1 && 545 pass_count_1[dqs] * DQS_GW_FINE_STEP > DQS_GW_FINE_END) 546 dqs_high[dqs] = 0; 547 >>> CID 1403002: (UNINIT) >>> Using uninitialized value "pass_count_1[0]". 548 if (pass_count_1[0] * DQS_GW_FINE_STEP > DQS_GW_FINE_END && 549 pass_count_1[1] * DQS_GW_FINE_STEP > DQS_GW_FINE_END) { 550 dramc_dbg("All bytes gating window > 1 coarse_tune," 551 " Early break\n"); 552 *dly_fine_xt = DQS_GW_FINE_END; 553 *coarse_tune = GATING_END; /src/soc/mediatek/mt8183/dramc_pi_calibration_api.c: 542 in dramc_find_gating_window() 536 dramc_dbg("[Byte %d]First pass (%d, %d, %d)\n", 537 dqs, dly_coarse_large, 538 dly_coarse_0p5t, *dly_fine_xt); 539 } 540 541 if (pass_begin[dqs] == 1) >>> CID 1403002: (UNINIT) >>> Using uninitialized value "pass_count_1[dqs]". 542 pass_count_1[dqs]++; 543 544 if (pass_begin[dqs] == 1 && 545 pass_count_1[dqs] * DQS_GW_FINE_STEP > DQS_GW_FINE_END) 546 dqs_high[dqs] = 0; 547 ** CID 1403001: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1403001: Null pointer dereferences (FORWARD_NULL) /src/soc/mediatek/mt8183/gpio.c: 184 in gpio_set_spi_driving() 178 case 5: 179 reg = (void *)(IOCFG_LM_BASE + GPIO_DRV0_OFFSET); 180 offset = 8; 181 break; 182 } 183 >>> CID 1403001: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "reg" to "read32", which dereferences it. 184 clrsetbits_le32(reg, 0xf << offset, reg_val << offset); ** CID 1401793: Insecure data handling (INTEGER_OVERFLOW) /3rdparty/vboot/futility/updater.c: 240 in host_get_platform_version() ________________________________________________________________________________________________________ *** CID 1401793: Insecure data handling (INTEGER_OVERFLOW) /3rdparty/vboot/futility/updater.c: 240 in host_get_platform_version() 234 /* Result should be 'revN' */ 235 if (strncmp(result, STR_REV, strlen(STR_REV)) == 0) 236 rev = strtol(result + strlen(STR_REV), NULL, 0); 237 DEBUG("Raw data = [%s], parsed version is %d", result, rev); 238 239 free(result); >>> CID 1401793: Insecure data handling (INTEGER_OVERFLOW) >>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "rev" used as return value. 240 return rev; 241 } 242 243 /* 244 * A helper function to invoke flashrom(8) command. 245 * Returns 0 if success, non-zero if error. ** CID 1401086: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1401086: Null pointer dereferences (FORWARD_NULL) /src/soc/qualcomm/qcs405/clock.c: 245 in clock_configure_spi() 239 } else if (blsp == 2) 240 spi_clk = (struct qcs405_clock *)&gcc->blsp2_qup0_spi_clk; 241 242 else 243 printk(BIOS_ERR, "BLSP%d not supported\n", blsp); 244 >>> CID 1401086: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "spi_clk" to "clock_configure", which dereferences it. 245 clock_configure(spi_clk, spi_cfg, hz, ARRAY_SIZE(spi_cfg)); 246 } 247 248 void clock_configure_i2c(uint32_t hz) 249 { 250 struct qcs405_clock *i2c_clk = ** CID 1398603: (CONSTANT_EXPRESSION_RESULT) /src/soc/mediatek/mt8183/dramc_pi_basic_api.c: 125 in transfer_pll_to_spm_control() /src/soc/mediatek/mt8183/dramc_pi_basic_api.c: 124 in transfer_pll_to_spm_control() ________________________________________________________________________________________________________ *** CID 1398603: (CONSTANT_EXPRESSION_RESULT) /src/soc/mediatek/mt8183/dramc_pi_basic_api.c: 125 in transfer_pll_to_spm_control() 119 (0xffff << 16) | (0x1 << 0), 120 (0xb16 << 16) | (0x1 << 0)); 121 122 /* Set SPM pinmux */ 123 clrbits_le32(&mtk_spm->pcm_pwr_io_en, (0xff << 0) | (0xff << 16)); 124 setbits_le32(&mtk_spm->dramc_dpy_clk_sw_con_sel, 0xffffffff); >>> CID 1398603: (CONSTANT_EXPRESSION_RESULT) >>> "((uint32_t)read32(&mtk_spm->dramc_dpy_clk_sw_con_sel2) & 4294967295U /* ~((uint32_t)0) */) | 0xffffffffU" is always 0xffffffff regardless of the values of its operands. This occurs as an argument to a function call. 125 setbits_le32(&mtk_spm->dramc_dpy_clk_sw_con_sel2, 0xffffffff); 126 127 setbits_le32(&mtk_spm->spm_power_on_val0, (0x1 << 8) | (0xf << 12)); 128 setbits_le32(&mtk_spm->spm_s1_mode_ch, 0x3 << 0); 129 130 shu_lev = (shu_lev == 1) ? 2 : 1; /src/soc/mediatek/mt8183/dramc_pi_basic_api.c: 124 in transfer_pll_to_spm_control() 118 clrsetbits_le32(&mtk_spm->poweron_config_set, 119 (0xffff << 16) | (0x1 << 0), 120 (0xb16 << 16) | (0x1 << 0)); 121 122 /* Set SPM pinmux */ 123 clrbits_le32(&mtk_spm->pcm_pwr_io_en, (0xff << 0) | (0xff << 16)); >>> CID 1398603: (CONSTANT_EXPRESSION_RESULT) >>> "((uint32_t)read32(&mtk_spm->dramc_dpy_clk_sw_con_sel) & 4294967295U /* ~((uint32_t)0) */) | 0xffffffffU" is always 0xffffffff regardless of the values of its operands. This occurs as an argument to a function call. 124 setbits_le32(&mtk_spm->dramc_dpy_clk_sw_con_sel, 0xffffffff); 125 setbits_le32(&mtk_spm->dramc_dpy_clk_sw_con_sel2, 0xffffffff); 126 127 setbits_le32(&mtk_spm->spm_power_on_val0, (0x1 << 8) | (0xf << 12)); 128 setbits_le32(&mtk_spm->spm_s1_mode_ch, 0x3 << 0); 129 ** CID 1394268: Possible Control flow issues (DEADCODE) /src/vendorcode/cavium/bdk/libdram/libdram.c: 187 in bdk_libdram_tune_node() ________________________________________________________________________________________________________ *** CID 1394268: Possible Control flow issues (DEADCODE) /src/vendorcode/cavium/bdk/libdram/libdram.c: 187 in bdk_libdram_tune_node() 181 } 182 183 // disabled by default for now, does not seem to be needed much? 184 // Automatically tune the ECC byte DLL read offsets 185 // FIXME? allow override of the filtering 186 // FIXME? allow programmatic override, not via envvar? >>> CID 1394268: Possible Control flow issues (DEADCODE) >>> Execution cannot reach the expression "lmc_config.s.mode32b == 0" inside this statement: "if (do_eccdll && !do_dllro_...". 187 if (do_eccdll && !do_dllro_hw && (lmc_config.s.mode32b == 0)) { // do not do HW-assist twice for ECC 188 BDK_TRACE(DRAM, "N%d: Starting ECC DLL Read Offset Tuning for LMCs\n", node); 189 errs = perform_HW_dll_offset_tuning(node, 2, 8/* ECC bytelane */); 190 BDK_TRACE(DRAM, "N%d: Finished ECC DLL Read Offset Tuning for LMCs, %d errors\n", 191 node, errs); 192 tot_errs += errs; ** CID 1393983: (INTEGER_OVERFLOW) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in initialize_ddr_clock() /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1150 in initialize_ddr_clock() ________________________________________________________________________________________________________ *** CID 1393983: (INTEGER_OVERFLOW) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in initialize_ddr_clock() 1140 best_en_idx = strtoul(s, NULL, 0); 1141 override_pll_settings = 1; 1142 } 1143 1144 if (override_pll_settings) { 1145 best_pll_MHz = ddr_ref_hertz * (best_clkf+1) / (best_clkr+1) / 1000000; >>> CID 1393983: (INTEGER_OVERFLOW) >>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "best_en_idx" used as array index. 1146 best_calculated_ddr_hertz = ddr_ref_hertz * (best_clkf + 1) / ((best_clkr + 1) * (_en[best_en_idx])); 1147 best_error = ddr_hertz - best_calculated_ddr_hertz; 1148 } 1149 1150 ddr_print("clkr: %2llu, en[%d]: %2d, clkf: %4llu, pll_MHz: %4llu, ddr_hertz: %8llu, error: %8lld <==\n", 1151 best_clkr, best_en_idx, _en[best_en_idx], best_clkf, best_pll_MHz, /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1150 in initialize_ddr_clock() 1144 if (override_pll_settings) { 1145 best_pll_MHz = ddr_ref_hertz * (best_clkf+1) / (best_clkr+1) / 1000000; 1146 best_calculated_ddr_hertz = ddr_ref_hertz * (best_clkf + 1) / ((best_clkr + 1) * (_en[best_en_idx])); 1147 best_error = ddr_hertz - best_calculated_ddr_hertz; 1148 } 1149 >>> CID 1393983: (INTEGER_OVERFLOW) >>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "best_en_idx" used as array index. 1150 ddr_print("clkr: %2llu, en[%d]: %2d, clkf: %4llu, pll_MHz: %4llu, ddr_hertz: %8llu, error: %8lld <==\n", 1151 best_clkr, best_en_idx, _en[best_en_idx], best_clkf, best_pll_MHz, 1152 best_calculated_ddr_hertz, best_error); 1153 1154 /* Try lowering the frequency if we can't get a working configuration */ 1155 if (best_error == ddr_hertz) { ** CID 1393982: Memory - illegal accesses (UNINIT) ________________________________________________________________________________________________________ *** CID 1393982: Memory - illegal accesses (UNINIT) /src/vendorcode/cavium/bdk/libdram/dram-spd.c: 437 in report_ddr3_dimm() 431 volt_str = "1.5V"; 432 if (spd_voltage & 2) 433 volt_str = "1.35V"; 434 if (spd_voltage & 4) 435 volt_str = "1.2xV"; 436 >>> CID 1393982: Memory - illegal accesses (UNINIT) >>> Using uninitialized value "volt_str" when calling "report_common_dimm". 437 report_common_dimm(node, dimm_config, dimm, ddr3_dimm_types, 438 DDR3_DRAM, volt_str, ddr_interface_num, 439 num_ranks, dram_width, dimm_size_mb); 440 } 441 442 const char *ddr4_dimm_types[16] = { ** CID 1393981: Insecure data handling (TAINTED_SCALAR) /src/vendorcode/cavium/bdk/libdram/dram-init-ddr3.c: 745 in Perform_Read_Deskew_Training() ________________________________________________________________________________________________________ *** CID 1393981: Insecure data handling (TAINTED_SCALAR) /src/vendorcode/cavium/bdk/libdram/dram-init-ddr3.c: 745 in Perform_Read_Deskew_Training() 739 perform_octeon3_ddr3_sequence(node, rank_mask, ddr_interface_num, 0x0A); /* LMC Deskew Training */ 740 741 lock_retries = 0; 742 743 perform_read_deskew_training: 744 // maybe perform the NORMAL deskew training sequence multiple times before looking at lock status >>> CID 1393981: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "normal_loops" as a loop boundary. 745 for (loops = 0; loops < normal_loops; loops++) { 746 DRAM_CSR_MODIFY(phy_ctl, node, BDK_LMCX_PHY_CTL(ddr_interface_num), 747 phy_ctl.s.phy_dsk_reset = 0); /* Normal Deskew sequence */ 748 perform_octeon3_ddr3_sequence(node, rank_mask, ddr_interface_num, 0x0A); /* LMC Deskew Training */ 749 } 750 // Moved this from Validate_Read_Deskew_Training ** CID 1393980: Incorrect expression (NO_EFFECT) /src/vendorcode/cavium/bdk/libdram/libdram.c: 89 in bdk_dram_clear_mem() ________________________________________________________________________________________________________ *** CID 1393980: Incorrect expression (NO_EFFECT) /src/vendorcode/cavium/bdk/libdram/libdram.c: 89 in bdk_dram_clear_mem() 83 /* The above pointer got address 8 to avoid NULL pointer checking 84 in bdk_phys_to_ptr(). Correct it here */ 85 ptr--; 86 uint64_t *end = bdk_phys_to_ptr(bdk_numa_get_address(node, skip)); 87 while (ptr < end) 88 { >>> CID 1393980: Incorrect expression (NO_EFFECT) >>> Assigning "*ptr" to itself has no effect. 89 *ptr = *ptr; 90 ptr++; 91 } 92 } 93 ddr_print("N%d: Clearing DRAM: start 0x%llx length 0x%llx\n", node, skip, len); 94 bdk_zero_memory(bdk_phys_to_ptr(bdk_numa_get_address(node, skip)), len); ** CID 1393973: (DEADCODE) /src/vendorcode/cavium/bdk/libdram/dram-spd.c: 101 in read_entire_spd() /src/vendorcode/cavium/bdk/libdram/dram-spd.c: 112 in read_entire_spd() /src/vendorcode/cavium/bdk/libdram/dram-spd.c: 120 in read_entire_spd() ________________________________________________________________________________________________________ *** CID 1393973: (DEADCODE) /src/vendorcode/cavium/bdk/libdram/dram-spd.c: 101 in read_entire_spd() 95 uint32_t *ptr = (uint32_t *)spd_buf; 96 97 for (int bank = 0; bank < (spd_size >> 8); bank++) 98 { 99 /* this should only happen for DDR4, which has a second bank of 256 bytes */ 100 if (bank) >>> CID 1393973: (DEADCODE) >>> Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...". 101 bdk_twsix_write_ia(node, bus, 0x36 | bank, 0, 2, 1, 0); 102 int bank_size = 256; 103 for (int i = 0; i < bank_size; i += 4) 104 { 105 int64_t data = bdk_twsix_read_ia(node, bus, address, i, 4, 1); 106 if (data < 0) /src/vendorcode/cavium/bdk/libdram/dram-spd.c: 112 in read_entire_spd() 106 if (data < 0) 107 { 108 free(spd_buf); 109 bdk_error("Failed to read SPD data at 0x%x\n", i + (bank << 8)); 110 /* Restore the bank to zero */ 111 if (bank) >>> CID 1393973: (DEADCODE) >>> Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...". 112 bdk_twsix_write_ia(node, bus, 0x36 | 0, 0, 2, 1, 0); 113 return -1; 114 } 115 else 116 *ptr++ = bdk_be32_to_cpu(data); 117 } /src/vendorcode/cavium/bdk/libdram/dram-spd.c: 120 in read_entire_spd() 114 } 115 else 116 *ptr++ = bdk_be32_to_cpu(data); 117 } 118 /* Restore the bank to zero */ 119 if (bank) >>> CID 1393973: (DEADCODE) >>> Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...". 120 bdk_twsix_write_ia(node, bus, 0x36 | 0, 0, 2, 1, 0); 121 } 122 123 /* Store the SPD in the device tree */ 124 /* FIXME(dhendrix): No need for this? cfg gets updated, so the caller 125 * (libdram_config()) has what it needs. */ ** CID 1393972: Insecure data handling (TAINTED_SCALAR) /src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1011 in perform_dll_offset_tuning() ________________________________________________________________________________________________________ *** CID 1393972: Insecure data handling (TAINTED_SCALAR) /src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1011 in perform_dll_offset_tuning() 1005 /* Disable l2 sets for DRAM testing */ 1006 limit_l2_ways(node, 0, ways_print); 1007 #endif 1008 1009 // testing is done on all LMCs simultaneously 1010 // FIXME: for now, loop here to show what happens multiple times >>> CID 1393972: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "loops" as a loop boundary. 1011 for (loop = 0; loop < loops; loop++) { 1012 /* Perform DLL offset tuning */ 1013 errs = auto_set_dll_offset(node, dll_offset_mode, num_lmcs, ddr_interface_64b, do_tune); 1014 } 1015 1016 #if USE_L2_WAYS_LIMIT ** CID 1393971: Insecure data handling (TAINTED_SCALAR) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in initialize_ddr_clock() ________________________________________________________________________________________________________ *** CID 1393971: Insecure data handling (TAINTED_SCALAR) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in initialize_ddr_clock() 1140 best_en_idx = strtoul(s, NULL, 0); 1141 override_pll_settings = 1; 1142 } 1143 1144 if (override_pll_settings) { 1145 best_pll_MHz = ddr_ref_hertz * (best_clkf+1) / (best_clkr+1) / 1000000; >>> CID 1393971: Insecure data handling (TAINTED_SCALAR) >>> Using tainted variable "best_en_idx" as an index into an array "_en". 1146 best_calculated_ddr_hertz = ddr_ref_hertz * (best_clkf + 1) / ((best_clkr + 1) * (_en[best_en_idx])); 1147 best_error = ddr_hertz - best_calculated_ddr_hertz; 1148 } 1149 1150 ddr_print("clkr: %2llu, en[%d]: %2d, clkf: %4llu, pll_MHz: %4llu, ddr_hertz: %8llu, error: %8lld <==\n", 1151 best_clkr, best_en_idx, _en[best_en_idx], best_clkf, best_pll_MHz, ** CID 1393969: Possible Control flow issues (DEADCODE) /src/vendorcode/cavium/bdk/libbdk-hal/bdk-qlm.c: 421 in bdk_qlm_eye_display() ________________________________________________________________________________________________________ *** CID 1393969: Possible Control flow issues (DEADCODE) /src/vendorcode/cavium/bdk/libbdk-hal/bdk-qlm.c: 421 in bdk_qlm_eye_display() 415 result = 0; 416 } 417 else 418 result = -1; 419 420 if (need_free) >>> CID 1393969: Possible Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "free((void *)eye);". 421 free((void*)eye); 422 return result; ** CID 1393967: Code maintainability issues (UNUSED_VALUE) /src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 658 in auto_set_dll_offset() ________________________________________________________________________________________________________ *** CID 1393967: Code maintainability issues (UNUSED_VALUE) /src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 658 in auto_set_dll_offset() 652 } /* for (lmc = 0; lmc < num_lmcs; lmc++) */ 653 654 bdk_watchdog_poke(); 655 656 // run the test(s) 657 // only 1 call should be enough, let the bursts, etc, control the load... >>> CID 1393967: Code maintainability issues (UNUSED_VALUE) >>> Assigning value from "run_dram_tuning_threads(node, num_lmcs, bytemask)" to "tot_errors" here, but that stored value is overwritten before it can be used. 658 tot_errors = run_dram_tuning_threads(node, num_lmcs, bytemask); 659 660 for (lmc = 0; lmc < num_lmcs; lmc++) { 661 // record stop cycle CSRs here for utilization measure 662 stop_dram_dclk[lmc] = BDK_CSR_READ(node, BDK_LMCX_DCLK_CNT(lmc)); 663 stop_dram_ops[lmc] = BDK_CSR_READ(node, BDK_LMCX_OPS_CNT(lmc)); ** CID 1393966: Control flow issues (DEADCODE) /src/soc/cavium/cn81xx/uart.c: 104 in uart_platform_refclk() ________________________________________________________________________________________________________ *** CID 1393966: Control flow issues (DEADCODE) /src/soc/cavium/cn81xx/uart.c: 104 in uart_platform_refclk() 98 unsigned int uart_platform_refclk(void) 99 { 100 struct cn81xx_uart *uart = 101 (struct cn81xx_uart *)CONFIG_CONSOLE_SERIAL_UART_ADDRESS; 102 103 if (!uart) >>> CID 1393966: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "return 0U;". 104 return 0; 105 106 return uart_hclk(uart); 107 } 108 109 uintptr_t uart_platform_base(int idx) ** CID 1393965: Control flow issues (DEADCODE) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1880 in dbi_switchover_interface() ________________________________________________________________________________________________________ *** CID 1393965: Control flow issues (DEADCODE) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1880 in dbi_switchover_interface() 1874 for (byte = 0; byte < (8+ecc_ena); byte++) { 1875 unlocked += (dbi_settings[byte] & 1) ^ 1; 1876 } 1877 1878 // FIXME: print out the DBI settings array after each rank? 1879 if (rank_max > 1) // only when doing more than 1 rank >>> CID 1393965: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "display_DAC_DBI_settings(no...". 1880 display_DAC_DBI_settings(node, lmc, /* DBI */0, ecc_ena, dbi_settings, " RANK"); 1881 1882 if (unlocked > 0) { 1883 ddr_print("N%d.LMC%d: DBI switchover: LOCK: %d still unlocked.\n", 1884 node, lmc, unlocked); 1885 ** CID 1393964: (TAINTED_SCALAR) ________________________________________________________________________________________________________ *** CID 1393964: (TAINTED_SCALAR) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 682 in perform_ddr_init_sequence() 676 677 bdk_wait_usec(1000); /* Wait a while. */ 678 679 if ((s = lookup_env_parameter("ddr_sequence1")) != NULL) { 680 int sequence1; 681 sequence1 = strtoul(s, NULL, 0); >>> CID 1393964: (TAINTED_SCALAR) >>> Passing tainted variable "sequence1" to a tainted sink. 682 perform_octeon3_ddr3_sequence(node, (1 << rankx), 683 ddr_interface_num, sequence1); 684 } 685 686 if ((s = lookup_env_parameter("ddr_sequence2")) != NULL) { 687 int sequence2; /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 689 in perform_ddr_init_sequence() 683 ddr_interface_num, sequence1); 684 } 685 686 if ((s = lookup_env_parameter("ddr_sequence2")) != NULL) { 687 int sequence2; 688 sequence2 = strtoul(s, NULL, 0); >>> CID 1393964: (TAINTED_SCALAR) >>> Passing tainted variable "sequence2" to a tainted sink. 689 perform_octeon3_ddr3_sequence(node, (1 << rankx), 690 ddr_interface_num, sequence2); 691 } 692 } 693 } 694 } ** CID 1393962: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1393962: Null pointer dereferences (FORWARD_NULL) /src/vendorcode/cavium/bdk/libbdk-dram/bdk-dram-test-addrbus.c: 64 in __bdk_dram_test_mem_address_bus() 58 { 59 int failures = 0; 60 61 /* Clear our work area. Checking for aliases later could get false 62 positives if it matched stale data */ 63 void *ptr = (area) ? bdk_phys_to_ptr(area) : NULL; >>> CID 1393962: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "ptr" to "bdk_zero_memory", which dereferences it. 64 bdk_zero_memory(ptr, max_address - area); 65 __bdk_dram_flush_to_mem_range(area, max_address); 66 67 /* Each time we write, we'll write this pattern xored the address it is 68 written too */ 69 uint64_t pattern = 0x0fedcba987654321; ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0...

7 months

1
0
0 0

Announcing coreboot 4.10

by Patrick Georgi

The 4.10 release covers commit a2faaa9a2 to commit ae317695e3 There is a pgp signed 4.10 tag in the git repository, and a branch will be created as needed. In nearly 8 months since 4.9 we had 198 authors commit 2538 changes to master. Of these, 85 authors made their first commit to coreboot: Welcome! Between the releases the tree grew by about 11000 lines of code plus 5000 lines of comments. Again, a big Thank You to all contributors who helped shape the coreboot project, community and code with their effort, no matter if through development, review, testing, documentation or by helping people asking questions on our venues like IRC or our mailing list. What's New ---------- Most of the changes were to mainboards, and on the chipset side, lots of activity concentrated on x86. However compared to previous releases activity (and therefore interest, probably) increased in vboot and in non-x86 architectures. However it's harder this time to give this release a single topic like the last: This release accumulates some of everything. Clean Up -------- As usual, there was a lot of cleaning up going on, and there notably, a good chunk of this year's Google Summer of Code project to clean out the issues reported by Coverity Scan is already in. The only larger scale change that was registered in the pre-release notes was also about cleaning up the tree: ### `device_t` is no more coreboot used to have a data type, `device_t` that changed shape depending on whether it is compiled for romstage (with limited memory) or ramstage (with unlimited memory as far as coreboot is concerned). It's an old relic from the time when romstage wasn't operated in Cache-As-RAM mode, but compiled with our romcc compiler. That data type is now gone. Release Notes maintenance ------------------------- Speaking of pre-release notes: After 4.10 we'll start a document for 4.11 in the git repository. Feel free to add notable achievements there so we remember to give them a shout out in the next release's notes. Known Issues ------------ Sadly, Google Cyan is broken in this release. It doesn't work with the "C environment" bootblock (as compared to the old romcc type bootblock) which is now the default. Sadly it doesn't help to simply revert that change because doing so breaks other boards. If you want to use Google Cyan with the release (or if you're tracking the master branch), please keep an eye on https://review.coreboot.org/c/coreboot/+/34304 where a solution for this issue is sought. Deprecations ------------ As announced in the 4.9 release notes, there are no deprecations after 4.10. While 4.10 is also released late and we target a 4.11 release in October we nonetheless want to announce deprecations this time: These are under discussion since January, people are working on mitigations for about as long and so it should be possible to resolve the outstanding issues by the end of October. Specifically, we want to require code to work with the following Kconfig options so we can remove the options and the code they disable: * C\_ENVIRONMENT\_BOOTBLOCK * NO\_CAR\_GLOBAL\_MIGRATION * RELOCATABLE\_RAMSTAGE These only affect x86. If your platform only works without them, please look into fixing that. Added 28 mainboards: -------------------- * ASROCK H110M-DVS * ASUS H61M-CS * ASUS P5G41T-M-LX * ASUS P5QPL-AM * ASUS P8Z77-M-PRO * FACEBOOK FBG1701 * FOXCONN G41M * GIGABYTE GA-H61MA-D3V * GOOGLE BLOOG * GOOGLE FLAPJACK * GOOGLE GARG * GOOGLE HATCH-WHL * GOOGLE HELIOS * GOOGLE KINDRED * GOOGLE KODAMA * GOOGLE KOHAKU * GOOGLE KRANE * GOOGLE MISTRAL * HP COMPAQ-8200-ELITE-SFF-PC * INTEL COMETLAKE-RVP * INTEL KBLRVP11 * LENOVO R500 * LENOVO X1 * MSI MS7707 * PORTWELL M107 * PURISM LIBREM13-V4 * PURISM LIBREM15-V4 * SUPERMICRO X10SLM-PLUS-F * UP SQUARED Removed 7 mainboards: --------------------- * GOOGLE BIP * GOOGLE DELAN * GOOGLE ROWAN * PCENGINES ALIX1C * PCENGINES ALIX2C * PCENGINES ALIX2D * PCENGINES ALIX6 Removed 3 processors: --------------------- * src/cpu/amd/geode\_lx * src/cpu/intel/model\_69x * src/cpu/intel/model\_6dx Added 2 socs: ------------- * src/soc/amd/picasso * src/soc/qualcomm/qcs405 Toolchain --------- * Update to gcc 8.3.0, binutils 2.32, IASL 20190509, clang 8 -- Google Germany GmbH, ABC-Str. 19, 20354 Hamburg Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg Geschäftsführer: Paul Manicle, Halimah DeLaine Prado

7 months

1
0
0 0

Preparing for the 4.10 release

by Patrick Georgi

Hi everybody, I'm _really_ late with the 4.10 release and I'm sorry. Too much other things intervened and then there were a few issues on a couple of targets that were close to being fixed. While we don't provide any guarantees for our releases, they're still a good opportunity to try to wrap things up. I tested the commit in question on all QEmu targets and on Getac/P470, and it's looking reasonable. So in the light of getting things out, I prepared the release notes and pushed them to https://review.coreboot.org/c/coreboot/+/34469. Please take a look and comment if there's anything missing. I plan to put up the release on Monday evening European time (Monday morning in the US, early Tuesday in Asia). Thanks, Patrick -- Google Germany GmbH, ABC-Str. 19, 20354 Hamburg Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg Geschäftsführer: Paul Manicle, Halimah DeLaine Prado

7 months

1
0
0 0

X131e: Status, experiences and remaining problems

by Robin Haberkorn

Hello! I wanted to share my experiences with corebooting the X131e (Intel edition) and hope to be able to resolve some of the remaining issues. Previously I used a corebooted X131e Chromebook (Stout) and it worked perfectly - I didn't have any of the issues, which I'm going to detail further down. I got the X131e Intel as an "upgrade" and because I thought that migrating would be trivial. I'm using the same peripherals with the Intel boards, but installed new RAM. Turns out the stock BIOS had hardware whitelists, so that was a good pretext to try out coreboot. I based my build on the 4.9 release but ended up applying some X131e patches by James Ye, which are still pending in Gerrit. The following changes on top of 4.9 to be precise: commit b21539d2c4f57518b964949b30ebdd200a8d1f5a Author: James Ye <jye836(a)gmail.com> Date: Thu Jan 24 00:18:28 2019 +1100 mb/lenovo/x131e: add function key support Enables function keys for X131e. SMI handler based on google/stout. ACPI code and event masks are reverse-engineered. The IT8518e EC of this board uses some different ACPI methods compared to the regular Lenovo H8. Add an option to use the alternative set of methods. Change-Id: Ib3a01f37a8b54889b55e92c501c9350e6c68bd57 commit 178cf723697b9d069810fd404dcabd448d136503 Author: James Ye <jye836(a)gmail.com> Date: Fri Feb 1 13:29:02 2019 +1100 mb/lenovo/x131e: correct USB port config Based on schematic and register dumps. Change-Id: I91fc47022988cfe986fb8c1ed21dc073ee7d16bc commit 750432f7a1487175243065d95c57f9e0e6c21204 Author: James Ye <jye836(a)gmail.com> Date: Tue Feb 12 22:17:52 2019 +1100 mb/lenovo/x131e: enable mSATA slot Per google/stout. Functionality untested. Change-Id: I7cc9837f572236acac2007e95990e64c25a5d6e2 commit 151019a9d21c612834dacad649cde7aec3132844 Author: James Ye <jye836(a)gmail.com> Date: Sat Jan 19 18:25:44 2019 +1100 mb/lenovo/x131e: enable WWAN detection Per schematic. Non-presence is detected correctly, but presence is untested. Change-Id: I4cfefb06556c9d69bc8e4a4f9d112246885c253a commit 5bdb3cd2a802b0654feeeb19471c719db62a23c4 Author: James Ye <jye836(a)gmail.com> Date: Sat Jan 19 18:25:04 2019 +1100 mb/lenovo/x131e: remove PMH7 This board does not have PMH7. Change-Id: I382958f012e5f4445efc76c7f36bbdf460c29be4 commit 1cd0a5920fb93489aa1fe5b1c0be6170f88f23da Author: James Ye <jye836(a)gmail.com> Date: Thu Jan 17 22:00:14 2019 +1100 mb/lenovo/x131e: add VBT VBT was extracted from VBIOS ROM. Tested with libgfxinit, booting SeaBIOS into Linux. Change-Id: Ibedb43852dc9b846850e1070b84f708c847b7dbf Here's the board-status report: https://coreboot.org/status/board-status.html#lenovo/x131e The EC is probably rather old, as I didn't do a BIOS upgrade before flashing coreboot. If possible, I'd like to avoid upgrading the EC now, as that would require extracting it from the Lenove BIOS and programming it externally. Isn't it? Now regarding the remaining issues, in order of significance (for me): 1.) There are infrequent system freezes - possibly a kernel panic? - without any visible reason in the system journal. Unfortunately, I haven't run the board long enough on the original BIOS to judge whether this is Coreboot-specific. At least I tried performing some SMART and memtest86 tests - to no avail. 2.) At some point during my experimenting, only 4 of the 8GB RAM I've installed would be detected. This wasn't the case in the beginning, when I started out with a clean 4.9-build. I've attached a board status report from this time. Maybe somebody can see why the 2nd 4GB module is no longer detected. Naturally, one of the commits I later added might be responsible. If really necessary, I could do a git-dissect. 3.) The internal speakers __sometimes__ don't work after startup. They are simply mute. I initially thought this depends on the headphones being plugged in at boot, but there is no causal relation. None of the thinkpad_acpi-kernel-modules' `volume_*` params have any effect. Changing the settings of the enigmatic "ThinkPad Console Audio Control" sound card (created if volume_mode != 2 (N/A)) does not have any audible effect at all - even while headphones are working. Rerouting pins with hdajackretask does not help. Comparing Linux kernel logs (dmesg) does not yield any difference between working and non-working boots in the output of the relevant audio drivers. 4.) My 1600Mhz DDR3 RAM supposedly runs at 666Mhz (dmidecode --type 17). I think it's running at 1330 MHz, though. I somewhere read that 1600 Mhz CL11 is equivalent to 1300 Mhz CL9, which could explain this. So I guess, I simply bought crappy RAM. 5.) The Fn-keys work after the corresponding patch. But is it possible to use the Fn-key like any other (modifier) key? I do not get separate key-down/release events and events for any other key-presses (except for a few that have assigned Fn-functions). That's a bit of a waste. I guess, this is an EC "feature"... 6.) I have a WWAN mPCI card (Sierra 7710). It used to be reported as always-hard-blocked (rfkill list). WWAN was enabled in NVRAM. All of these (WIFI, Bluethooth, WWAN) Enable-NVRAM-settings have no effect on the hard-block state of any of the corresponding devices, though. thinkpad_acpi reads these values from the EC via ACPI as far as I could follow the sources. So I conclude that this is probably a Coreboot-EC-communication problem!? h8_wwan_enable() probably has no effect on this board. The infamous trick of taping the miniPCI pin 20 did not help either in unblocking the card. Neither did disabling power-off mode per AT commands on the modem. Turned out however that the card wasn't really physically blocked, as scanning would still work via modem-manager-gui. thinkpad_acpi simply reported it as blocked, which is probably what rfkill reported as well. So I was able to work around this issue with the following module params (e.g. store as /etc/modprobe.d/thinkpad_acpi.conf): options thinkpad_acpi dbg_wwanemul=1 wwan_state=1 dbg_wlswemul=1 wlsw_state=1 (Interestingly `dbg_wwanemul` seems to have no effect.) The modem now appears to work. 7.) The internal PS2 keyboard does not work in some secondary payloads (eg. nvramcui). Only USB-keyboards do. That's a bit annoying in a notebook, especially since... 8.) nvramtool crashes. Is that known and fixed, or would you like a core dump? Needless to mention that I enabled CONFIG_USE_OPTION_TABLE and nvramcui also generally works. 9.) Waking up from sleep-mode does not work. I haven't investigated this thoroughly and I haven't tested hibernation. Quite possibly an OS issue. 10.) Maybe off-topic, but relevant for anybody trying to coreboot this board: flashrom had to be patched in order to work with the flash chip. Turns out the probing/identification command would not be answered correctly by the chip (found out after attaching a logic analyzer), even though I checked against the datasheet. Didn't dive into this question too deeply but simply worked around it by letting flashrom skip the probing. Flashing externally is quite unreliable, and needs to be repeated often until a complete image would be flashed. This could be because of long and crappy wires, though. Internal flashing does currently not work. In a related matter: There is zero documentation on how to coreboot this board in the entire internet AFAIK. That's a bit sad, as it significantly decreases its possible audience and might also result in the port dying once the initial maintainer looses interest. Maybe including documentation should be made mandatory for every new port? I can also confirm that the WWAN detection (I4cfefb06556c9d69bc8e4a4f9d112246885c253a) works for detecting a card's presence as well. Any ideas, especially on how to proceed with 1.) and 2.)? Best regards, Robin

7 months

1
1
0 0

Re: Question how to write protect flash

by Public Email Account

Yes its sandy bridge. What is proper way to do this though. On flash descriptor (and if so, how?) or through coreboot option? Sent with ProtonMail Secure Email. ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Monday, July 15, 2019 12:37 AM, werner.zeh(a)siemens.com <werner.zeh(a)siemens.com> wrote: > IIRC X220 uses Sandy Bridge. I think there is a flag somewhere in the descriptor where you can lock down your BIOS-region as read-only for the x86 host. > I never have tried it but in theory this should lead to errors on every write attempt to the BIOS region therefore disabling write access to the flash from OS/flashrom. > > Werner

7 months

4
5
0 0

New on blogs.coreboot.org: [GSoC] Ghidra firmware utilities, weeks 6-8

by blogs.coreboot.org

7 months

1
0
0 0

New on blogs.coreboot.org: [GSoC] How to Run C Code in Bootblock Stage for QEMU/AArch64

by blogs.coreboot.org

7 months

1
0
0 0

Request for review verified boot and measure boot implementation

by Frans Hendriks

Hi all, Have a few patchsets waiting for review related to vendor implementation of 'verified boot' and 'measure boot'. This implementation is working/booting on Facebook FBG1701 (Intel Braswell), but not chipset related. Anyone have time for review. Thanks in advance. Met vriendelijke groet / Best regards, Frans Hendriks www.eltan.com

7 months

1
0
0 0

Kernel Panics on corebooted systems with linux 4.19 ( >4.9)

by Kinky Nekoboi

Happend again for other Users/boards please somebody good investigate this further. see: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930029 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931639

7 months, 1 week

3
5
0 0

New Defects reported by Coverity Scan for coreboot

by scan-admin＠coverity.com

Hi, Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan. 123 new defect(s) introduced to coreboot found with Coverity Scan. 71 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan. New defect(s) Reported-by: Coverity Scan Showing 20 of 123 defect(s) ** CID 1402119: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieLibKB.c: 416 in PcieTopologySelectMasterPllKB() ________________________________________________________________________________________________________ *** CID 1402119: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieLibKB.c: 416 in PcieTopologySelectMasterPllKB() 410 MasterLane = (EngineMasterLane < MasterLane) ? EngineMasterLane : MasterLane; 411 if (PcieConfigIsSbPcieEngine (EngineList)) { 412 break; 413 } 414 } 415 } >>> CID 1402119: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Using "EngineList" as an array. This might corrupt or misinterpret adjacent memory locations. 416 EngineList = PcieLibGetNextDescriptor (EngineList); 417 } 418 419 if (MasterLane == 0xffff) { 420 if (MasterHotplugLane != 0xffff) { 421 MasterLane = MasterHotplugLane; ** CID 1402118: (OVERRUN) ________________________________________________________________________________________________________ *** CID 1402118: (OVERRUN) /src/vendorcode/amd/cimx/sb900/SbCmn.c: 1219 in validateImcFirmware() 1213 ReadMEM ((ImcAddr + 0x2000), AccWidthUint32, &ImcBinSig0); 1214 ReadMEM ((ImcAddr + 0x2004), AccWidthUint32, &ImcBinSig1); 1215 ReadMEM ((ImcAddr + 0x2008), AccWidthUint16, &ImcBinSig2); 1216 if ((ImcBinSig0 == 0x444D415F) && (ImcBinSig1 == 0x434D495F) && (ImcBinSig2 == 0x435F) ) { 1217 dbIMCChecksume = 0; 1218 for ( CurAddr = ImcAddr; CurAddr < ImcAddr + 0x10000; CurAddr++ ) { >>> CID 1402118: (OVERRUN) >>> Overrunning buffer pointed to by "&dbIMC" of 1 bytes by passing it to a function which accesses it at byte offset 1. 1219 ReadMEM (CurAddr, AccWidthUint8, &dbIMC); 1220 dbIMCChecksume = dbIMCChecksume + dbIMC; 1221 } 1222 } 1223 } 1224 if ( dbIMCChecksume ) { /src/vendorcode/amd/cimx/sb800/SBCMN.c: 953 in validateImcFirmware() 947 ReadMEM ((ImcAddr + 0x2000), AccWidthUint32, &ImcBinSig0); 948 ReadMEM ((ImcAddr + 0x2004), AccWidthUint32, &ImcBinSig1); 949 ReadMEM ((ImcAddr + 0x2008), AccWidthUint16, &ImcBinSig2); 950 if ((ImcBinSig0 == 0x444D415F) && (ImcBinSig1 == 0x434D495F) && (ImcBinSig2 == 0x435F) ) { 951 dbIMCChecksume = 0; 952 for ( CurAddr = ImcAddr; CurAddr < ImcAddr + 0x10000; CurAddr++ ) { >>> CID 1402118: (OVERRUN) >>> Overrunning buffer pointed to by "&dbIMC" of 1 bytes by passing it to a function which accesses it at byte offset 1. 953 ReadMEM (CurAddr, AccWidthUint8, &dbIMC); 954 dbIMCChecksume = dbIMCChecksume + dbIMC; 955 } 956 } 957 } 958 if ( dbIMCChecksume ) { ** CID 1402117: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f12/Proc/GNB/PCIe/Family/LN/F12PcieWrapperServices.c: 434 in PcieLnConfigureDdiEnginesLaneAllocation() ________________________________________________________________________________________________________ *** CID 1402117: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f12/Proc/GNB/PCIe/Family/LN/F12PcieWrapperServices.c: 434 in PcieLnConfigureDdiEnginesLaneAllocation() 428 } 429 LaneIndex = 0; 430 while (EnginesList != NULL) { 431 PcieConfigResetDescriptorFlags (EnginesList, DESCRIPTOR_ALLOCATED); 432 EnginesList->EngineData.StartLane = DdiLaneConfigurationTable [ConfigurationId][LaneIndex++] + Wrapper->StartPhyLane; 433 EnginesList->EngineData.EndLane = DdiLaneConfigurationTable [ConfigurationId][LaneIndex++] + Wrapper->StartPhyLane; >>> CID 1402117: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Using "EnginesList" as an array. This might corrupt or misinterpret adjacent memory locations. 434 EnginesList = PcieLibGetNextDescriptor (EnginesList); 435 } 436 return AGESA_SUCCESS; 437 } 438 439 /*----------------------------------------------------------------------------------------*/ ** CID 1402116: (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbPcieConfig/PcieMapTopology.c: 169 in PcieMapTopologyOnComplex() /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbPcieConfig/PcieMapTopology.c: 169 in PcieMapTopologyOnComplex() /src/vendorcode/amd/agesa/f12/Proc/GNB/Modules/GnbPcieConfig/PcieMapTopology.c: 182 in PcieMapTopologyOnComplex() ________________________________________________________________________________________________________ *** CID 1402116: (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbPcieConfig/PcieMapTopology.c: 169 in PcieMapTopologyOnComplex() 163 PcieConfigDisableAllEngines (PciePortEngine | PcieDdiEngine, Wrapper); 164 IDS_HDT_CONSOLE (PCIE_MISC, " ERROR! Fail to map topology on %s Wrapper\n", 165 PcieFmDebugGetWrapperNameString (Wrapper) 166 ); 167 ASSERT (FALSE); 168 } >>> CID 1402116: (ARRAY_VS_SINGLETON) >>> Using "Wrapper" as an array. This might corrupt or misinterpret adjacent memory locations. 169 Wrapper = PcieLibGetNextDescriptor (Wrapper); 170 } 171 Status = PcieMapPortsPciAddresses (Silicon, Pcie); 172 AGESA_STATUS_UPDATE (Status, AgesaStatus); 173 Silicon = PcieLibGetNextDescriptor (Silicon); 174 } /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbPcieConfig/PcieMapTopology.c: 169 in PcieMapTopologyOnComplex() 163 PcieConfigDisableAllEngines (PciePortEngine | PcieDdiEngine, Wrapper); 164 IDS_HDT_CONSOLE (PCIE_MISC, " ERROR! Fail to map topology on %s Wrapper\n", 165 PcieFmDebugGetWrapperNameString (Wrapper) 166 ); 167 ASSERT (FALSE); 168 } >>> CID 1402116: (ARRAY_VS_SINGLETON) >>> Using "Wrapper" as an array. This might corrupt or misinterpret adjacent memory locations. 169 Wrapper = PcieLibGetNextDescriptor (Wrapper); 170 } 171 Status = PcieMapPortsPciAddresses (Silicon, Pcie); 172 AGESA_STATUS_UPDATE (Status, AgesaStatus); 173 Silicon = PcieLibGetNextDescriptor (Silicon); 174 } /src/vendorcode/amd/agesa/f12/Proc/GNB/Modules/GnbPcieConfig/PcieMapTopology.c: 182 in PcieMapTopologyOnComplex() 176 PcieConfigDisableAllEngines (PciePortEngine | PcieDdiEngine, Wrapper); 177 IDS_HDT_CONSOLE (PCIE_MISC, " ERROR! Fail to map topology on %s Wrapper\n", 178 PcieFmDebugGetWrapperNameString (Wrapper) 179 ); 180 ASSERT (FALSE); 181 } >>> CID 1402116: (ARRAY_VS_SINGLETON) >>> Using "Wrapper" as an array. This might corrupt or misinterpret adjacent memory locations. 182 Wrapper = PcieLibGetNextDescriptor (Wrapper); 183 } 184 Status = PcieMapPortsPciAddresses (Silicon, Pcie); 185 AGESA_STATUS_UPDATE (Status, AgesaStatus); 186 Silicon = PcieLibGetNextDescriptor (Silicon); 187 } ** CID 1402115: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1402115: Memory - corruptions (OVERRUN) /src/vendorcode/amd/cimx/sb800/SBPort.c: 249 in sbPowerOnInit() 243 // Set SPI MMio bit offset 00h[19] to 1 and offset 00h[26:24] to 111, offset 0ch[21:16] to 1, Set LPC cfg BBh[6] to 0 ( by default it is 0). 244 // if Ec is enable 245 // Maximum spi speed that can be supported by SB is 22M (SPI Mmio offset 0ch[13:12] to 10) if the rom can run at the speed. 246 // else 247 // Maximum spi speed that can be supported by SB is 33M (SPI Mmio offset 0ch[13:12] to 01 in normal mode or offset 0ch[15:14] in fast mode) if the rom can run at 248 // the speed. >>> CID 1402115: Memory - corruptions (OVERRUN) >>> Overrunning buffer pointed to by "&dbSysConfig" of 1 bytes by passing it to a function which accesses it at byte offset 1. 249 getChipSysMode (&dbSysConfig); 250 if (pConfig->BuildParameters.SpiSpeed < 0x02) { 251 pConfig->BuildParameters.SpiSpeed = 0x01; 252 if (dbSysConfig & ChipSysEcEnable) pConfig->BuildParameters.SpiSpeed = 0x02; 253 } 254 ** CID 1402114: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbInitTN/GnbMidInitTN.c: 134 in GnbIommuMidInitCheckGfxPciePorts() ________________________________________________________________________________________________________ *** CID 1402114: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbInitTN/GnbMidInitTN.c: 134 in GnbIommuMidInitCheckGfxPciePorts() 128 // GFX PCIe ports beeing used 129 GfxPciePortUsed = TRUE; 130 IDS_HDT_CONSOLE (GNB_TRACE, "GFX PCIe ports beeing used\n"); 131 break; 132 } 133 } >>> CID 1402114: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Using "EngineList" as an array. This might corrupt or misinterpret adjacent memory locations. 134 EngineList = PcieLibGetNextDescriptor (EngineList); 135 } 136 } 137 138 if (!GfxPciePortUsed) { 139 //D0F2xF4_x57.Field.L1ImuPcieGfxDis needs to be set ** CID 1402113: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1402113: Memory - corruptions (OVERRUN) /src/vendorcode/amd/cimx/sb900/SbCmn.c: 1442 in ValidateFchVariant() 1436 default: 1437 break; 1438 } 1439 1440 // add Efuse checking for Xhci enable/disable 1441 XhciEfuse = XHCI_EFUSE_LOCATION; >>> CID 1402113: Memory - corruptions (OVERRUN) >>> Overrunning buffer pointed to by "&XhciEfuse" of 1 bytes by passing it to a function which accesses it at byte offset 1. 1442 getEfuseStatus (&XhciEfuse); 1443 if ((XhciEfuse & (BIT0 + BIT1)) == (BIT0 + BIT1)) { 1444 pConfig->XhciSwitch = 0; 1445 } 1446 1447 // add Efuse checking for PCIE Gen2 enable ** CID 1402112: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieEarlyInitKB.c: 362 in PcieTopologyApplyLaneMuxKB() ________________________________________________________________________________________________________ *** CID 1402112: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieEarlyInitKB.c: 362 in PcieTopologyApplyLaneMuxKB() 356 } 357 358 CoreLaneBitmap &= (~ (1 << CurrentCoreLane)); 359 PifLaneBitmap &= (~ (1 << CurrentPifLane)); 360 } 361 } >>> CID 1402112: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Using "EngineList" as an array. This might corrupt or misinterpret adjacent memory locations. 362 EngineList = PcieLibGetNextDescriptor (EngineList); 363 } 364 for (Index = 0; Index < 2; ++Index) { 365 PcieRegisterWrite ( 366 Wrapper, 367 WRAP_SPACE (Wrapper->WrapId, D0F0xE4_WRAP_8021_ADDRESS + Index), ** CID 1402111: Resource leaks (RESOURCE_LEAK) /3rdparty/vboot/firmware/bdb/host.c: 413 in bdb_create() ________________________________________________________________________________________________________ *** CID 1402111: Resource leaks (RESOURCE_LEAK) /3rdparty/vboot/firmware/bdb/host.c: 413 in bdb_create() 407 408 /* Copy hashes */ 409 memcpy(bnext, p->hash, hashes_size); 410 bnext += hashes_size; 411 412 /* Create data signature using private datakey */ >>> CID 1402111: Resource leaks (RESOURCE_LEAK) >>> Overwriting "sig" in "sig = bdb_create_sig(data, data->signed_size, p->private_datakey, p->datakey->sig_alg, p->data_sig_description)" leaks the storage that "sig" points to. 413 sig = bdb_create_sig(data, data->signed_size, p->private_datakey, 414 p->datakey->sig_alg, p->data_sig_description); 415 memcpy(bnext, sig, sig->struct_size); 416 417 /* Return the BDB */ 418 return h; ** CID 1402110: API usage errors (PRINTF_ARGS) /src/device/device_util.c: 233 in dev_path() ________________________________________________________________________________________________________ *** CID 1402110: API usage errors (PRINTF_ARGS) /src/device/device_util.c: 233 in dev_path() 227 case DEVICE_PATH_USB: 228 snprintf(buffer, sizeof(buffer), "USB%u port %u", 229 dev->path.usb.port_type, dev->path.usb.port_id); 230 break; 231 case DEVICE_PATH_MMIO: 232 snprintf(buffer, sizeof(buffer), "MMIO: %08x", >>> CID 1402110: API usage errors (PRINTF_ARGS) >>> Argument "dev->path.mmio.addr" to format specifier "%08x" was expected to have type "unsigned int" but has type "unsigned long". [Note: The source code implementation of the function has been overridden by a builtin model.] 233 dev->path.mmio.addr); 234 break; 235 default: 236 printk(BIOS_ERR, "Unknown device path type: %d\n", 237 dev->path.type); 238 break; ** CID 1402109: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieConfigKB.c: 230 in PcieConfigureDdiEnginesLaneAllocation() ________________________________________________________________________________________________________ *** CID 1402109: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieConfigKB.c: 230 in PcieConfigureDdiEnginesLaneAllocation() 224 while (EnginesList != NULL) { 225 if (PcieLibIsDdiEngine (EnginesList)) { 226 PcieConfigResetDescriptorFlags (EnginesList, DESCRIPTOR_ALLOCATED); 227 EnginesList->EngineData.StartLane = DdiLaneConfig->ConfigTable[LaneIndex++] + Wrapper->StartPhyLane; 228 EnginesList->EngineData.EndLane = DdiLaneConfig->ConfigTable[LaneIndex++] + Wrapper->StartPhyLane; 229 } >>> CID 1402109: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Using "EnginesList" as an array. This might corrupt or misinterpret adjacent memory locations. 230 EnginesList = PcieLibGetNextDescriptor (EnginesList); 231 } 232 return AGESA_SUCCESS; 233 } 234 235 /*----------------------------------------------------------------------------------------*/ ** CID 1402107: API usage errors (PRINTF_ARGS) ________________________________________________________________________________________________________ *** CID 1402107: API usage errors (PRINTF_ARGS) /3rdparty/vboot/cgpt/cgpt_create.c: 83 in GptCreate() 77 size_t min_entries_size = MIN_NUMBER_OF_ENTRIES * h->size_of_entry; 78 size_t required_min_size = required_headers_size + min_entries_size; 79 size_t half_size = 80 (drive->gpt.gpt_drive_sectors / 2) * drive->gpt.sector_bytes; 81 if (half_size < required_min_size) { 82 Error("Not enough space to store GPT structures. Required %d bytes.\n", >>> CID 1402107: API usage errors (PRINTF_ARGS) >>> Argument "required_min_size * 2UL" to format specifier "%d" was expected to have type "int" but has type "unsigned long". 83 required_min_size * 2); 84 return -1; 85 } 86 size_t max_entries = 87 (half_size - required_headers_size) / h->size_of_entry; 88 if (h->number_of_entries > max_entries) { ** CID 1402106: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1402106: Memory - corruptions (OVERRUN) /src/vendorcode/amd/cimx/sb900/SbPeLib.c: 346 in getEfuseByte() 340 getEfuseByte ( 341 IN UINT8 Index 342 ) 343 { 344 UINT8 Data; 345 WriteMEM (ACPI_MMIO_BASE + PMIO_BASE + SB_PMIOA_REGD8, AccWidthUint8, &Index); >>> CID 1402106: Memory - corruptions (OVERRUN) >>> Overrunning buffer pointed to by "&Data" of 1 bytes by passing it to a function which accesses it at byte offset 1. 346 ReadMEM (ACPI_MMIO_BASE + PMIO_BASE + SB_PMIOA_REGD8 + 1, AccWidthUint8, &Data); 347 return Data; 348 } 349 350 351 /** ** CID 1402105: (OVERRUN) ________________________________________________________________________________________________________ *** CID 1402105: (OVERRUN) /src/vendorcode/amd/cimx/sb800/SBCMN.c: 543 in commonInitEarlyPost() 537 // Misc_Reg[12:10]=9975be 538 // Misc_Reg0B=91 539 // Misc_Reg09=21 540 // Misc_Misc_Reg_08[0]=1 -> enable spread 541 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x43, AccWidthUint8, ~BIT1, BIT1); 542 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x19, AccWidthUint8, 0, 0x83); >>> CID 1402105: (OVERRUN) >>> Overrunning buffer pointed to by "&dbPortStatus" of 1 bytes by passing it to a function which accesses it at byte offset 1. 543 getChipSysMode (&dbPortStatus); 544 if ( ((dbPortStatus & ChipSysIntClkGen) != ChipSysIntClkGen) ) { 545 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x1A, AccWidthUint8, ~(BIT5 + BIT6 + BIT7), 0x80); 546 } 547 548 if ( cimSpreadSpectrumType == 0 ) { /src/vendorcode/amd/cimx/sb900/SbCmn.c: 674 in commonInitEarlyPost() 668 } else { 669 RWMEM (ACPI_MMIO_BASE + PMIO_BASE + SB_PMIOA_REGD3, AccWidthUint8, 0xBF, 0x00); 670 } 671 672 // RPR PLL 100Mhz Reference Clock Buffer setting for internal clock generator mode (BIT5) 673 // RPR OSC Clock setting for internal clock generator mode (BIT6) >>> CID 1402105: (OVERRUN) >>> Overrunning buffer pointed to by "&dbPortStatus" of 1 bytes by passing it to a function which accesses it at byte offset 1. 674 getChipSysMode (&dbPortStatus); 675 if ( ((dbPortStatus & ChipSysIntClkGen) == ChipSysIntClkGen) ) { 676 RWMEM (ACPI_MMIO_BASE + MISC_BASE + SB_MISC_REG04 + 1, AccWidthUint8, ~(BIT5 + BIT6), BIT5 + BIT6); 677 } 678 679 // Set ASF SMBUS master function enabled here (temporary) /src/vendorcode/amd/cimx/sb900/SbCmn.c: 600 in commonInitEarlyPost() 594 // Misc_Reg[12:10]=9975be 595 // Misc_Reg0B=91 596 // Misc_Reg09=21 597 // Misc_Misc_Reg_08[0]=1 -> enable spread 598 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x43, AccWidthUint8, ~BIT1, BIT1); 599 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x19, AccWidthUint8, 0, 0x83); >>> CID 1402105: (OVERRUN) >>> Overrunning buffer pointed to by "&dbPortStatus" of 1 bytes by passing it to a function which accesses it at byte offset 1. 600 getChipSysMode (&dbPortStatus); 601 if ( ((dbPortStatus & ChipSysIntClkGen) != ChipSysIntClkGen) ) { 602 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x1A, AccWidthUint8, ~(BIT5 + BIT6 + BIT7), 0x80); 603 } 604 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x12, AccWidthUint8, 0, 0x99); 605 RWMEM (ACPI_MMIO_BASE + MISC_BASE + 0x11, AccWidthUint8, 0, 0x75); /src/vendorcode/amd/cimx/sb800/SBCMN.c: 574 in commonInitEarlyPost() 568 RWMEM (ACPI_MMIO_BASE + MISC_BASE + SB_MISC_REG08, AccWidthUint8, 0xFE, 0x01); 569 } else { 570 RWMEM (ACPI_MMIO_BASE + MISC_BASE + SB_MISC_REG08, AccWidthUint8, 0xFE, 0x00); 571 } 572 573 // RPR PLL 100Mhz Reference Clock Buffer setting for internal clock generator mode >>> CID 1402105: (OVERRUN) >>> Overrunning buffer pointed to by "&dbPortStatus" of 1 bytes by passing it to a function which accesses it at byte offset 1. 574 getChipSysMode (&dbPortStatus); 575 if ( ((dbPortStatus & ChipSysIntClkGen) == ChipSysIntClkGen) ) { 576 RWMEM (ACPI_MMIO_BASE + MISC_BASE + SB_MISC_REG04 + 1, AccWidthUint8, ~BIT5, BIT5); 577 } 578 579 // Set ASF SMBUS master function enabled here (temporary) ** CID 1402104: Memory - illegal accesses (BUFFER_SIZE) /src/mainboard/getac/p470/acpi_tables.c: 73 in acpi_create_ecdt() ________________________________________________________________________________________________________ *** CID 1402104: Memory - illegal accesses (BUFFER_SIZE) /src/mainboard/getac/p470/acpi_tables.c: 73 in acpi_create_ecdt() 67 ecdt->ec_data.addrh = 0; 68 69 ecdt->uid = 1; // Must match _UID of the EC0 node. 70 71 ecdt->gpe_bit = 23; // SCI interrupt within GPEx_STS 72 >>> CID 1402104: Memory - illegal accesses (BUFFER_SIZE) >>> Calling "strncpy" with a source string whose length (18 chars) is greater than or equal to the size argument (18) will fail to null-terminate "ecdt->ec_id". 73 strncpy((char *)ecdt->ec_id, ec_id, strlen(ec_id)); 74 75 header->checksum = 76 acpi_checksum((void *) ecdt, ecdt_len); 77 78 return header->length; ** CID 1402103: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1402103: Memory - corruptions (OVERRUN) /src/vendorcode/amd/cimx/sb900/SbCmn.c: 1449 in ValidateFchVariant() 1443 if ((XhciEfuse & (BIT0 + BIT1)) == (BIT0 + BIT1)) { 1444 pConfig->XhciSwitch = 0; 1445 } 1446 1447 // add Efuse checking for PCIE Gen2 enable 1448 PcieEfuse = PCIE_FORCE_GEN1_EFUSE_LOCATION; >>> CID 1402103: Memory - corruptions (OVERRUN) >>> Overrunning buffer pointed to by "&PcieEfuse" of 1 bytes by passing it to a function which accesses it at byte offset 1. 1449 getEfuseStatus (&PcieEfuse); 1450 if ( PcieEfuse & BIT0 ) { 1451 pConfig->NbSbGen2 = 0; 1452 pConfig->GppGen2 = 0; 1453 } 1454 ** CID 1402102: Null pointer dereferences (FORWARD_NULL) ________________________________________________________________________________________________________ *** CID 1402102: Null pointer dereferences (FORWARD_NULL) /3rdparty/vboot/futility/cmd_bdb.c: 687 in do_bdb() 681 print_help(argc, argv); 682 return 1; 683 } 684 685 switch (mode) { 686 case OPT_MODE_ADD: >>> CID 1402102: Null pointer dereferences (FORWARD_NULL) >>> Passing null pointer "data_filename" to "do_add", which dereferences it. 687 return do_add(bdb_filename, data_filename, 688 offset, partition, type, load_address); 689 case OPT_MODE_CREATE: 690 return do_create(bdb_filename, bdbkey_pri_filename, 691 bdbkey_pub_filename, bdbkey_version, 692 datakey_pri_filename, datakey_pub_filename, ** CID 1402101: Memory - corruptions (OVERRUN) ________________________________________________________________________________________________________ *** CID 1402101: Memory - corruptions (OVERRUN) /src/vendorcode/amd/cimx/sb900/AmdSbLib.c: 310 in SbGpioControl() 304 VOID 305 SbGpioControl ( 306 IN SB_GPIO_CONTROL_ENTRY *SbGpio 307 ) 308 { 309 UINT8 GpioCurrent; >>> CID 1402101: Memory - corruptions (OVERRUN) >>> Overrunning buffer pointed to by "&GpioCurrent" of 1 bytes by passing it to a function which accesses it at byte offset 1. 310 ReadMEM (ACPI_MMIO_BASE + GPIO_BASE + SbGpio->GpioPin, AccWidthUint8, &GpioCurrent ); 311 if ((GpioCurrent & BIT5) == 0) { 312 RWMEM (ACPI_MMIO_BASE + GPIO_BASE + SbGpio->GpioPin, AccWidthUint8, ~ BIT6, (SbGpio->GpioControl << 6) ); 313 } 314 GpioCurrent &= BIT7; 315 SbGpio->GpioControl = GpioCurrent >> 7; ** CID 1402100: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbPcieInitLibV5/PcieWrapperServicesV5.c: 120 in PcieTopologyIsGen3SupportedV5() ________________________________________________________________________________________________________ *** CID 1402100: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbPcieInitLibV5/PcieWrapperServicesV5.c: 120 in PcieTopologyIsGen3SupportedV5() 114 if ((LaneBitmap & NibbleBitmap) != 0) { 115 if (++LaneNibbleArray [Nibble] > 1) { 116 return FALSE; 117 } 118 } 119 } >>> CID 1402100: Memory - corruptions (ARRAY_VS_SINGLETON) >>> Using "Engine" as an array. This might corrupt or misinterpret adjacent memory locations. 120 Engine = PcieLibGetNextDescriptor (Engine); 121 } 122 return TRUE; 123 } 124 125 /*----------------------------------------------------------------------------------------*/ ** CID 1402099: Parse warnings (PARSE_ERROR) /payloads/libpayload/include/arm64/arch/types.h: 48 in () ________________________________________________________________________________________________________ *** CID 1402099: Parse warnings (PARSE_ERROR) /payloads/libpayload/include/arm64/arch/types.h: 48 in () 42 43 typedef unsigned int uint32_t; 44 typedef unsigned int u32; 45 typedef signed int int32_t; 46 typedef signed int s32; 47 >>> CID 1402099: Parse warnings (PARSE_ERROR) >>> invalid redeclaration of type name "uint64_t" (declared at line 1417 of "/home/coreboot/slave-root/workspace/coreboot-coverity/cov-int/emit/63b4cc02a380/config/7c949609d3e4431ed76dcb649e695d10/gcc-config-0/coverity-compiler-compat.h") 48 typedef unsigned long long uint64_t; 49 typedef unsigned long long u64; 50 typedef signed long long int64_t; 51 typedef signed long long s64; 52 53 typedef long time_t; ________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0...

7 months, 1 week

1
0
0 0

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

coreboot July 2019