Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
17 new defect(s) introduced to coreboot found with Coverity Scan. 10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 17 of 17 defect(s)
** CID 1498234: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1498234: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 329 in pmu_ctr_start_hw() 323 324 /* 325 * Some of the hardware may not support mcountinhibit but perf stat 326 * still can work if supervisor mode programs the initial value. 327 */ 328 mctr_inhbt = csr_read(CSR_MCOUNTINHIBIT);
CID 1498234: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&mctr_inhbt" to function "__test_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
329 if (!__test_bit(cidx, &mctr_inhbt)) 330 return SBI_EALREADY_STARTED; 331 332 __clear_bit(cidx, &mctr_inhbt); 333 334 if (sbi_hart_has_extension(scratch, SBI_HART_EXT_SSCOFPMF))
** CID 1498233: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1498233: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 413 in pmu_ctr_stop_hw() 407 mctr_inhbt = csr_read(CSR_MCOUNTINHIBIT); 408 409 /* Make sure the counter index lies within the range and is not TM bit */ 410 if (cidx >= num_hw_ctrs || cidx == 1) 411 return SBI_EINVAL; 412
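CID 1498233: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&mctr_inhbt" to function "__test_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. The range check on line 410 keeps cidx below num_hw_ctrs, so the bit access stays inside mctr_inhbt provided num_hw_ctrs never exceeds the bit width of that variable; that limit is not visible in this excerpt.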
413 if (!__test_bit(cidx, &mctr_inhbt)) { 414 __set_bit(cidx, &mctr_inhbt); 415 csr_write(CSR_MCOUNTINHIBIT, mctr_inhbt); 416 return 0; 417 } else 418 return SBI_EALREADY_STOPPED;
** CID 1498232: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /src/drivers/uart/util.c: 64 in uart_bitbang_tx_byte()
________________________________________________________________________________________________________ *** CID 1498232: Integer handling issues (OVERFLOW_BEFORE_WIDEN) /src/drivers/uart/util.c: 64 in uart_bitbang_tx_byte() 58 stopwatch_tick(&sw); 59 60 /* 'i' counts the total bits sent at the end of the loop */ 61 for (i = 2; i < 10; i++) { 62 set_tx(data & 1); 63 data >>= 1;
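CID 1498232: Integer handling issues (OVERFLOW_BEFORE_WIDEN) Potentially overflowing expression "i * 1000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "int64_t" (64 bits, signed). In the code shown, i runs from 2 to 10, so the product is at most 10,000,000 and fits in 32 bits; the finding concerns the type of the expression rather than an overflow reachable on these lines. Widening one operand before the multiplication (for example `(int64_t)i * MHz`) would address it for the values shown.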
64 while (stopwatch_duration_usecs(&sw) < i * MHz / baud_rate) 65 stopwatch_tick(&sw); 66 } 67 68 /* Send stop bit */ 69 set_tx(1); 70 while (stopwatch_duration_usecs(&sw) < i * MHz / baud_rate) 71 stopwatch_tick(&sw);
** CID 1498231: Error handling issues (CHECKED_RETURN) /3rdparty/opensbi/lib/utils/reset/fdt_reset_htif.c: 25 in htif_reset_init()
________________________________________________________________________________________________________ *** CID 1498231: Error handling issues (CHECKED_RETURN) /3rdparty/opensbi/lib/utils/reset/fdt_reset_htif.c: 25 in htif_reset_init() 19 20 if (!fdt_get_node_addr_size(fdt, nodeoff, 0, &fromhost_addr, NULL)) { 21 custom = true; 22 tohost_addr = fromhost_addr + sizeof(uint64_t); 23 } 24
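CID 1498231: Error handling issues (CHECKED_RETURN) Calling "fdt_get_node_addr_size" without checking return value (as is done elsewhere 16 out of 18 times). If this second lookup fails, tohost_addr keeps whatever value it had before line 25 (the one derived on line 22, or its initial value, which this excerpt does not show) and is still passed to htif_system_reset_init(). Whether the second lookup is meant as an optional override should be confirmed and, if so, made explicit in the code.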
25 fdt_get_node_addr_size(fdt, nodeoff, 1, &tohost_addr, NULL); 26 27 return htif_system_reset_init(custom, fromhost_addr, tohost_addr); 28 } 29 30 static const struct fdt_match htif_reset_match[] = {
** CID 1498230: (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1498230: (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 465 in sbi_pmu_ctr_stop() 459 uint32_t event_code; 460 int i, cidx; 461 462 if ((cbase + sbi_fls(cmask)) >= total_ctrs) 463 return SBI_EINVAL; 464
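CID 1498230: (ARRAY_VS_SINGLETON) Passing "&cmask" to function "find_first_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. The search is bounded by total_ctrs, so it stays within the single word only if total_ctrs never exceeds the bit width of cmask; that limit is not visible in this excerpt.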
465 for_each_set_bit(i, &cmask, total_ctrs) { 466 cidx = i + cbase; 467 event_idx_type = pmu_ctr_validate(cidx, &event_code); 468 if (event_idx_type < 0) 469 /* Continue the stop operation for other counters */ 470 continue; /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 465 in sbi_pmu_ctr_stop() 459 uint32_t event_code; 460 int i, cidx; 461 462 if ((cbase + sbi_fls(cmask)) >= total_ctrs) 463 return SBI_EINVAL; 464
CID 1498230: (ARRAY_VS_SINGLETON) Passing "&cmask" to function "find_next_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
465 for_each_set_bit(i, &cmask, total_ctrs) { 466 cidx = i + cbase; 467 event_idx_type = pmu_ctr_validate(cidx, &event_code); 468 if (event_idx_type < 0) 469 /* Continue the stop operation for other counters */ 470 continue;
** CID 1498229: Integer handling issues (BAD_SHIFT) /3rdparty/opensbi/lib/sbi/sbi_domain.c: 149 in is_region_valid()
________________________________________________________________________________________________________ *** CID 1498229: Integer handling issues (BAD_SHIFT) /3rdparty/opensbi/lib/sbi/sbi_domain.c: 149 in is_region_valid() 143 /* Check if region complies with constraints */ 144 static bool is_region_valid(const struct sbi_domain_memregion *reg) 145 { 146 if (reg->order < 3 || __riscv_xlen < reg->order) 147 return FALSE; 148
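CID 1498229: Integer handling issues (BAD_SHIFT) In expression "1UL << reg->order", left shifting by more than 63 bits has undefined behavior. The shift amount, "reg->order", is as much as 64. The guard on line 146 rejects only orders greater than __riscv_xlen, so reg->order == __riscv_xlen passes it and reaches BIT(reg->order) on line 149; that case has to be handled separately from the shift.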
149 if (reg->base & (BIT(reg->order) - 1)) 150 return FALSE; 151 152 return TRUE; 153 } 154
** CID 1498228: Memory - corruptions (OVERRUN) /3rdparty/opensbi/lib/utils/ipi/aclint_mswi.c: 84 in aclint_mswi_cold_init()
________________________________________________________________________________________________________ *** CID 1498228: Memory - corruptions (OVERRUN) /3rdparty/opensbi/lib/utils/ipi/aclint_mswi.c: 84 in aclint_mswi_cold_init() 78 (mswi->first_hartid >= SBI_HARTMASK_MAX_BITS) || 79 (mswi->hart_count > ACLINT_MSWI_MAX_HARTS)) 80 return SBI_EINVAL; 81 82 /* Update MSWI hartid table */ 83 for (i = 0; i < mswi->hart_count; i++)
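CID 1498228: Memory - corruptions (OVERRUN) Overrunning array "mswi_hartid2data" of 128 8-byte elements at element index 4221 (byte offset 33775) using index "mswi->first_hartid + i" (which evaluates to 4221). The visible part of the check (lines 78-79) bounds first_hartid and hart_count individually, not their sum, so the index first_hartid + i can pass it and still exceed the table. A check of first_hartid + hart_count against the table size before the loop would close this.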
84 mswi_hartid2data[mswi->first_hartid + i] = mswi; 85 86 /* Add MSWI regions to the root domain */ 87 for (pos = 0; pos < mswi->size; pos += ACLINT_MSWI_ALIGN) { 88 region_size = ((mswi->size - pos) < ACLINT_MSWI_ALIGN) ? 89 (mswi->size - pos) : ACLINT_MSWI_ALIGN;
** CID 1498227: (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1498227: (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 635 in pmu_ctr_find_fw() 629 */ 630 static int pmu_ctr_find_fw(unsigned long cbase, unsigned long cmask, 631 uint32_t event_code, u32 hartid) 632 { 633 int i, cidx; 634
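CID 1498227: (ARRAY_VS_SINGLETON) Passing "&cmask" to function "find_next_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. Here the size argument is BITS_PER_LONG and cmask is an unsigned long, so a search bounded by that size should not look past the single word; this looks like a match on the pointer type rather than a reachable overrun, to be confirmed against the find_next_bit implementation.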
635 for_each_set_bit(i, &cmask, BITS_PER_LONG) { 636 cidx = i + cbase; 637 if (cidx < num_hw_ctrs || total_ctrs <= cidx) 638 continue; 639 if (active_events[hartid][i] != SBI_PMU_EVENT_IDX_INVALID) 640 continue; /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 635 in pmu_ctr_find_fw() 629 */ 630 static int pmu_ctr_find_fw(unsigned long cbase, unsigned long cmask, 631 uint32_t event_code, u32 hartid) 632 { 633 int i, cidx; 634
CID 1498227: (ARRAY_VS_SINGLETON) Passing "&cmask" to function "find_first_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
635 for_each_set_bit(i, &cmask, BITS_PER_LONG) { 636 cidx = i + cbase; 637 if (cidx < num_hw_ctrs || total_ctrs <= cidx) 638 continue; 639 if (active_events[hartid][i] != SBI_PMU_EVENT_IDX_INVALID) 640 continue;
** CID 1498226: Memory - corruptions (OVERRUN) /3rdparty/opensbi/lib/utils/timer/aclint_mtimer.c: 207 in aclint_mtimer_cold_init()
________________________________________________________________________________________________________ *** CID 1498226: Memory - corruptions (OVERRUN) /3rdparty/opensbi/lib/utils/timer/aclint_mtimer.c: 207 in aclint_mtimer_cold_init() 201 mt->time_wr = mtimer_time_wr64; 202 } 203 #endif 204 205 /* Update MTIMER hartid table */ 206 for (i = 0; i < mt->hart_count; i++)
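CID 1498226: Memory - corruptions (OVERRUN) Overrunning array "mtimer_hartid2data" of 128 8-byte elements at element index 4221 (byte offset 33775) using index "mt->first_hartid + i" (which evaluates to 4221). The excerpt does not show the validation that precedes this loop; if it bounds first_hartid and hart_count only individually, the sum used as the index here is unchecked and needs its own bound against the table size.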
207 mtimer_hartid2data[mt->first_hartid + i] = mt; 208 209 /* Add MTIMER regions to the root domain */ 210 if (mt->mtime_addr == (mt->mtimecmp_addr + mt->mtimecmp_size)) { 211 rc = aclint_mtimer_add_regions(mt->mtimecmp_addr, 212 mt->mtime_size + mt->mtimecmp_size);
** CID 1498225: Error handling issues (CHECKED_RETURN) /3rdparty/opensbi/lib/utils/serial/fdt_serial_htif.c: 30 in serial_htif_init()
________________________________________________________________________________________________________ *** CID 1498225: Error handling issues (CHECKED_RETURN) /3rdparty/opensbi/lib/utils/serial/fdt_serial_htif.c: 30 in serial_htif_init() 24 25 if (!fdt_get_node_addr_size(fdt, nodeoff, 0, &fromhost_addr, NULL)) { 26 custom = true; 27 tohost_addr = fromhost_addr + sizeof(uint64_t); 28 } 29
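CID 1498225: Error handling issues (CHECKED_RETURN) Calling "fdt_get_node_addr_size" without checking return value (as is done elsewhere 16 out of 18 times). If this second lookup fails, tohost_addr keeps whatever value it had before line 30 (the one derived on line 27, or its initial value, which this excerpt does not show) and is still passed to htif_serial_init(). Whether the second lookup is meant as an optional override should be confirmed and, if so, made explicit in the code.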
30 fdt_get_node_addr_size(fdt, nodeoff, 1, &tohost_addr, NULL); 31 32 return htif_serial_init(custom, fromhost_addr, tohost_addr); 33 } 34 35 struct fdt_serial fdt_serial_htif = { 36 .match_table = serial_htif_match, 37 .init = serial_htif_init
** CID 1498224: Null pointer dereferences (FORWARD_NULL) /3rdparty/opensbi/lib/utils/fdt/fdt_domain.c: 251 in __fdt_parse_region()
________________________________________________________________________________________________________ *** CID 1498224: Null pointer dereferences (FORWARD_NULL) /3rdparty/opensbi/lib/utils/fdt/fdt_domain.c: 251 in __fdt_parse_region() 245 region = &fdt_regions[fdt_domains_count][*region_count]; 246 247 /* Read "base" DT property */ 248 val = fdt_getprop(fdt, region_offset, "base", &len); 249 if (!val && len >= 8) 250 return SBI_EINVAL;
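CID 1498224: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "val". The check on line 249, `!val && len >= 8`, returns only when val is NULL and len is at least 8, so a NULL val with a smaller len falls through to line 251, and so does a non-NULL property shorter than the 8 bytes read by val[0] and val[1]. Since the value comes from the device tree, the condition presumably should reject either case: `!val || len < 8`.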
251 val64 = fdt32_to_cpu(val[0]); 252 val64 = (val64 << 32) | fdt32_to_cpu(val[1]); 253 region->base = val64; 254 255 /* Read "order" DT property */ 256 val = fdt_getprop(fdt, region_offset, "order", &len);
** CID 1498223: Parse warnings (PARSE_ERROR) /src/soc/intel/apollolake/chip.c: 19 in ()
________________________________________________________________________________________________________ *** CID 1498223: Parse warnings (PARSE_ERROR) /src/soc/intel/apollolake/chip.c: 19 in () 13 #include <intelblocks/cfg.h> 14 #include <intelblocks/fast_spi.h> 15 #include <intelblocks/msr.h> 16 #include <intelblocks/p2sb.h> 17 #include <intelblocks/power_limit.h> 18 #include <intelblocks/xdci.h>
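CID 1498223: Parse warnings (PARSE_ERROR) cannot open source file "intelpch/lockdown.h" This points at the analysis build (the header was not found on its include path) rather than at a defect in chip.c; the rest of the file may not have been analysed as a result, so the absence of other findings for it should not be read as a clean result.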
19 #include <intelpch/lockdown.h> 20 #include <fsp/api.h> 21 #include <fsp/util.h> 22 #include <intelblocks/cpulib.h> 23 #include <intelblocks/gpio.h> 24 #include <intelblocks/itss.h>
** CID 1498222: (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1498222: (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 384 in sbi_pmu_ctr_start() 378 if ((cbase + sbi_fls(cmask)) >= total_ctrs) 379 return ret; 380 381 if (flags & SBI_PMU_START_FLAG_SET_INIT_VALUE) 382 bUpdate = TRUE; 383
CID 1498222: (ARRAY_VS_SINGLETON) Passing "&cmask" to function "find_first_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
384 for_each_set_bit(i, &cmask, total_ctrs) { 385 cidx = i + cbase; 386 event_idx_type = pmu_ctr_validate(cidx, &event_code); 387 if (event_idx_type < 0) 388 /* Continue the start operation for other counters */ 389 continue; /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 384 in sbi_pmu_ctr_start() 378 if ((cbase + sbi_fls(cmask)) >= total_ctrs) 379 return ret; 380 381 if (flags & SBI_PMU_START_FLAG_SET_INIT_VALUE) 382 bUpdate = TRUE; 383
CID 1498222: (ARRAY_VS_SINGLETON) Passing "&cmask" to function "find_next_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
384 for_each_set_bit(i, &cmask, total_ctrs) { 385 cidx = i + cbase; 386 event_idx_type = pmu_ctr_validate(cidx, &event_code); 387 if (event_idx_type < 0) 388 /* Continue the start operation for other counters */ 389 continue;
** CID 1498221: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/utils/fdt/fdt_helper.c: 811 in fdt_parse_aclint_node()
________________________________________________________________________________________________________ *** CID 1498221: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/utils/fdt/fdt_helper.c: 811 in fdt_parse_aclint_node() 805 cpu_intc_offset = fdt_node_offset_by_phandle(fdt, phandle); 806 if (cpu_intc_offset < 0) 807 continue; 808 809 cpu_offset = fdt_parent_offset(fdt, cpu_intc_offset); 810 if (cpu_intc_offset < 0)
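CID 1498221: Control flow issues (DEADCODE) Execution cannot reach this statement: "continue;". Line 810 re-tests cpu_intc_offset, which is already known to be non-negative after line 806, instead of the cpu_offset just returned by fdt_parent_offset(); a failed parent lookup is therefore passed to fdt_parse_hart_id() unchecked. The test presumably should be `cpu_offset < 0`.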
811 continue; 812 813 rc = fdt_parse_hart_id(fdt, cpu_offset, &hartid); 814 if (rc) 815 continue; 816
** CID 1498220: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/utils/irqchip/fdt_irqchip_plic.c: 90 in irqchip_plic_update_hartid_table()
________________________________________________________________________________________________________ *** CID 1498220: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/utils/irqchip/fdt_irqchip_plic.c: 90 in irqchip_plic_update_hartid_table() 84 cpu_intc_offset = fdt_node_offset_by_phandle(fdt, phandle); 85 if (cpu_intc_offset < 0) 86 continue; 87 88 cpu_offset = fdt_parent_offset(fdt, cpu_intc_offset); 89 if (cpu_intc_offset < 0)
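CID 1498220: Control flow issues (DEADCODE) Execution cannot reach this statement: "continue;". Line 89 re-tests cpu_intc_offset, which is already known to be non-negative after line 85, instead of the cpu_offset just returned by fdt_parent_offset(); a failed parent lookup is therefore passed to fdt_parse_hart_id() unchecked. The test presumably should be `cpu_offset < 0`.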
90 continue; 91 92 err = fdt_parse_hart_id(fdt, cpu_offset, &hartid); 93 if (err) 94 continue; 95
** CID 1498219: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1498219: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_pmu.c: 590 in pmu_ctr_find_hw() 584 if (temp->select != (data & select_mask)) 585 continue; 586 } 587 /* Fixed counters should not be part of the search */ 588 ctr_mask = temp->counters & (cmask << cbase) & 589 (~SBI_PMU_FIXED_CTR_MASK);
CID 1498219: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&ctr_mask" to function "find_next_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
590 for_each_set_bit_from(cbase, &ctr_mask, SBI_PMU_HW_CTR_MAX) { 591 /** 592 * Some of the platform may not support mcountinhibit. 593 * Checking the active_events is enough for them 594 */ 595 if (active_events[hartid][cbase] != SBI_PMU_EVENT_IDX_INVALID)
** CID 1498218: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/sbi/sbi_domain.c: 336 in sbi_domain_dump()
________________________________________________________________________________________________________ *** CID 1498218: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/sbi/sbi_domain.c: 336 in sbi_domain_dump() 330 331 sbi_printf("Domain%d Region%02d %s: 0x%" PRILX "-0x%" PRILX " ", 332 dom->index, i, suffix, rstart, rend); 333 334 k = 0; 335 if (reg->flags & SBI_DOMAIN_MEMREGION_MMODE)
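CID 1498218: Control flow issues (DEADCODE) Execution cannot reach the expression "44" inside this statement: "sbi_printf("%cM", (k++ ? 44...". k is set to 0 on line 334, so the first `(k++)` is always false and ',' (character 44) is never selected on line 336; the later lines use the same expression with k possibly non-zero, so this appears to be a harmless consequence of keeping the lines uniform.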
336 sbi_printf("%cM", (k++) ? ',' : '('); 337 if (reg->flags & SBI_DOMAIN_MEMREGION_MMIO) 338 sbi_printf("%cI", (k++) ? ',' : '('); 339 if (reg->flags & SBI_DOMAIN_MEMREGION_READABLE) 340 sbi_printf("%cR", (k++) ? ',' : '('); 341 if (reg->flags & SBI_DOMAIN_MEMREGION_WRITEABLE)