Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
200 new defect(s) introduced to coreboot found with Coverity Scan. 26 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 200 defect(s)
** CID 1487449: Memory - corruptions (STRING_OVERFLOW)
________________________________________________________________________________________________________ *** CID 1487449: Memory - corruptions (STRING_OVERFLOW) /src/arch/x86/smbios_defaults.c: 27 in smbios_fill_dimm_asset_tag() 21 __weak void smbios_fill_dimm_asset_tag(const struct dimm_info *dimm, struct smbios_type17 *t) 22 { 23 char buf[40]; 24 25 snprintf(buf, sizeof(buf), "Channel-%d-DIMM-%d-AssetTag", 26 dimm->channel_num, dimm->dimm_num);
CID 1487449: Memory - corruptions (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 40 characters from "buf".
27 t->asset_tag = smbios_add_string(t->eos, buf); 28 } 29 30 __weak smbios_wakeup_type smbios_system_wakeup_type(void) 31 { 32 return SMBIOS_WAKEUP_TYPE_RESERVED;
** CID 1487448: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 1160 in bpdt_fixup_write_buffer()
________________________________________________________________________________________________________ *** CID 1487448: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 1160 in bpdt_fixup_write_buffer() 1154 sizeof(h->xor_redundant_block)); 1155 offset = fix_member(&h->ifwi_version, offset, sizeof(h->ifwi_version)); 1156 offset = fix_member(&h->fit_tool_version, offset, 1157 sizeof(h->fit_tool_version)); 1158 1159 uint32_t i;
CID 1487448: Insecure data handling (TAINTED_SCALAR) Using tainted variable "count" as a loop boundary.
1160 for (i = 0; i < count; i++) { 1161 offset = fix_member(&e[i].type, offset, sizeof(e[i].type)); 1162 offset = fix_member(&e[i].flags, offset, sizeof(e[i].flags)); 1163 offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset)); 1164 offset = fix_member(&e[i].size, offset, sizeof(e[i].size)); 1165 }
** CID 1487447: Audit impact security (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 259 in github.com/ulikunitz/xz/internal/xlog.Fatal([]interface{})()
________________________________________________________________________________________________________ *** CID 1487447: Audit impact security (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 259 in github.com/ulikunitz/xz/internal/xlog.Fatal([]interface{})() 253 os.Exit(1) 254 } 255 256 // Fatal prints the message like Print and calls os.Exit(1). The 257 // printing might be suppressed by the flag Lnofatal. 258 func Fatal(v ...interface{}) {
CID 1487447: Audit impact security (SUPPRESSED_ERROR) The error returned by the function "std.Output(2, 64, v)" is not explicitly checked.
259 std.Output(2, Lnofatal, v...) 260 os.Exit(1) 261 } 262 263 // Fatalf prints the message like Printf and calls os.Exit(1). The 264 // printing might be suppressed by the flag Lnofatal.
** CID 1487446: Memory - corruptions (OVERRUN) /payloads/libpayload/drivers/usb/xhci.c: 921 in xhci_destroy_intr_queue()
________________________________________________________________________________________________________ *** CID 1487446: Memory - corruptions (OVERRUN) /payloads/libpayload/drivers/usb/xhci.c: 921 in xhci_destroy_intr_queue() 915 /* Free all pending transfers and the interrupt queue structure */ 916 int i; 917 for (i = 0; i < intrq->count; ++i) { 918 free(phys_to_virt(intrq->next->ptr_low)); 919 intrq->next = xhci_next_trb(intrq->next, NULL); 920 }
CID 1487446: Memory - corruptions (OVERRUN) Overrunning array "xhci->dev[slot_id].interrupt_queues" of 32 4-byte elements at element index 255 (byte offset 1023) using index "ep_id" (which evaluates to 255).
921 xhci->dev[slot_id].interrupt_queues[ep_id] = NULL; 922 free((void *)intrq); 923 924 /* Reset the controller's dequeue pointer and reinitialize the ring */ 925 xhci_cmd_set_tr_dq(xhci, slot_id, ep_id, tr->ring, 1); 926 xhci_init_cycle_ring(tr, TRANSFER_RING_SIZE);
** CID 1487445: Audit impact security (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 372 in github.com/ulikunitz/xz/internal/xlog.Debug([]interface{})()
________________________________________________________________________________________________________ *** CID 1487445: Audit impact security (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 372 in github.com/ulikunitz/xz/internal/xlog.Debug([]interface{})() 366 l.Output(2, Lnodebug, v...) 367 } 368 369 // Debug prints the message like Print. The printing might be suppressed 370 // by the flag Lnodebug. 371 func Debug(v ...interface{}) {
CID 1487445: Audit impact security (SUPPRESSED_ERROR) The error returned by the function "std.Output(2, 512, v)" is not explicitly checked.
372 std.Output(2, Lnodebug, v...) 373 } 374 375 // Debugf prints the message like Printf. The printing might be suppressed 376 // by the flag Lnodebug. 377 func (l *Logger) Debugf(format string, v ...interface{}) {
** CID 1487444: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1487444: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/firmware/lib/tpm2_lite/tlcl.c: 142 in TlclSendReceive() 136 uint32_t TlclSendReceive(const uint8_t *request, uint8_t *response, 137 int max_length) 138 { 139 uint32_t rv, resp_size; 140 141 resp_size = max_length;
CID 1487444: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "tpm_get_packet_size(request)" to "vb2ex_tpm_send_recv", which uses it as an offset.
142 rv = vb2ex_tpm_send_recv(request, tpm_get_packet_size(request), 143 response, &resp_size); 144 145 return rv ? rv : tpm_get_packet_response_code(response); 146 } 147
** CID 1487443: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________ *** CID 1487443: Memory - illegal accesses (UNINIT) /src/vendorcode/amd/agesa/f16kb/Proc/CPU/Family/0x16/KB/F16KbCoreAfterReset.c: 146 in F16KbPmCoreAfterReset() 140 HwPsMaxVal = ((CLK_PWR_TIMING_CTRL2_REGISTER *) &HwPsMaxVal)->HwPstateMaxVal; 141 142 // Launch each local core to perform steps 1 through 4. 143 TaskPtr.FuncAddress.PfApTask = F16KbPmCoreAfterResetPhase1OnCore; 144 TaskPtr.DataTransfer.DataSizeInDwords = 0; 145 TaskPtr.ExeFlags = WAIT_FOR_CORE;
CID 1487443: Memory - illegal accesses (UNINIT) Using uninitialized value "TaskPtr.DataTransfer.DataPtr" when calling "ApUtilRunCodeOnAllLocalCoresAtEarly".
146 ApUtilRunCodeOnAllLocalCoresAtEarly (&TaskPtr, StdHeader, CpuEarlyParamsPtr); 147 148 // Launch each local core to perform steps 5 through 7. 149 TaskPtr.FuncAddress.PfApTaskI = F16KbPmCoreAfterResetPhase2OnCore; 150 TaskPtr.DataTransfer.DataSizeInDwords = 1; 151 TaskPtr.DataTransfer.DataPtr = &HwPsMaxVal;
** CID 1487442: Insecure data handling (TAINTED_SCALAR) /src/soc/intel/xeon_sp/skx/hob_display.c: 154 in soc_display_iio_universal_data_hob()
________________________________________________________________________________________________________ *** CID 1487442: Insecure data handling (TAINTED_SCALAR) /src/soc/intel/xeon_sp/skx/hob_display.c: 154 in soc_display_iio_universal_data_hob() 148 printk(BIOS_DEBUG, "\tMaxBusNumber: 0x%x\n", hob->PlatformData.MaxBusNumber); 149 printk(BIOS_DEBUG, "\tIoGranularity: 0x%x\n", hob->PlatformData.IoGranularity); 150 printk(BIOS_DEBUG, "\tMmiolGranularity: 0x%x\n", hob->PlatformData.MmiolGranularity); 151 printk(BIOS_DEBUG, "\tMmiohGranularity: hi: 0x%x, lo:0x%x\n", 152 hob->PlatformData.MmiohGranularity.hi, hob->PlatformData.MmiohGranularity.lo); 153
CID 1487442: Insecure data handling (TAINTED_SCALAR) Using tainted variable "hob->PlatformData.numofIIO" as a loop boundary.
154 for (int s = 0; s < hob->PlatformData.numofIIO; ++s) { 155 printk(BIOS_DEBUG, "\t============ Socket %d Info ================\n", s); 156 printk(BIOS_DEBUG, "\tSocketID: 0x%x\n", 157 hob->PlatformData.IIO_resource[s].SocketID); 158 printk(BIOS_DEBUG, "\tBusBase: 0x%x\n", 159 hob->PlatformData.IIO_resource[s].BusBase);
** CID 1487441: (STRING_OVERFLOW)
________________________________________________________________________________________________________ *** CID 1487441: (STRING_OVERFLOW) /src/arch/x86/smbios.c: 487 in smbios_write_type2() 481 struct smbios_type2 *t = smbios_carve_table(*current, SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle); 483 484 t->manufacturer = smbios_add_string(t->eos, smbios_mainboard_manufacturer()); 485 t->product_name = smbios_add_string(t->eos, smbios_mainboard_product_name()); 486 t->serial_number = smbios_add_string(t->eos, smbios_mainboard_serial_number());
CID 1487441: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 4 characters from "smbios_mainboard_version()".
487 t->version = smbios_add_string(t->eos, smbios_mainboard_version()); 488 t->asset_tag = smbios_add_string(t->eos, smbios_mainboard_asset_tag()); 489 t->feature_flags = smbios_mainboard_feature_flags(); 490 t->location_in_chassis = smbios_add_string(t->eos, 491 smbios_mainboard_location_in_chassis()); 492 t->board_type = smbios_mainboard_board_type(); /src/arch/x86/smbios.c: 485 in smbios_write_type2() 479 static int smbios_write_type2(unsigned long *current, int handle, const int chassis_handle) 480 { 481 struct smbios_type2 *t = smbios_carve_table(*current, SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle); 483 484 t->manufacturer = smbios_add_string(t->eos, smbios_mainboard_manufacturer());
CID 1487441: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 7 characters from "smbios_mainboard_product_name()".
485 t->product_name = smbios_add_string(t->eos, smbios_mainboard_product_name()); 486 t->serial_number = smbios_add_string(t->eos, smbios_mainboard_serial_number()); 487 t->version = smbios_add_string(t->eos, smbios_mainboard_version()); 488 t->asset_tag = smbios_add_string(t->eos, smbios_mainboard_asset_tag()); 489 t->feature_flags = smbios_mainboard_feature_flags(); 490 t->location_in_chassis = smbios_add_string(t->eos, /src/arch/x86/smbios.c: 484 in smbios_write_type2() 478 479 static int smbios_write_type2(unsigned long *current, int handle, const int chassis_handle) 480 { 481 struct smbios_type2 *t = smbios_carve_table(*current, SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle); 483
CID 1487441: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 7 characters from "smbios_mainboard_manufacturer()".
484 t->manufacturer = smbios_add_string(t->eos, smbios_mainboard_manufacturer()); 485 t->product_name = smbios_add_string(t->eos, smbios_mainboard_product_name()); 486 t->serial_number = smbios_add_string(t->eos, smbios_mainboard_serial_number()); 487 t->version = smbios_add_string(t->eos, smbios_mainboard_version()); 488 t->asset_tag = smbios_add_string(t->eos, smbios_mainboard_asset_tag()); 489 t->feature_flags = smbios_mainboard_feature_flags(); /src/arch/x86/smbios.c: 486 in smbios_write_type2() 480 { 481 struct smbios_type2 *t = smbios_carve_table(*current, SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle); 483 484 t->manufacturer = smbios_add_string(t->eos, smbios_mainboard_manufacturer()); 485 t->product_name = smbios_add_string(t->eos, smbios_mainboard_product_name());
CID 1487441: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 10 characters from "smbios_mainboard_serial_number()".
486 t->serial_number = smbios_add_string(t->eos, smbios_mainboard_serial_number()); 487 t->version = smbios_add_string(t->eos, smbios_mainboard_version()); 488 t->asset_tag = smbios_add_string(t->eos, smbios_mainboard_asset_tag()); 489 t->feature_flags = smbios_mainboard_feature_flags(); 490 t->location_in_chassis = smbios_add_string(t->eos, 491 smbios_mainboard_location_in_chassis());
** CID 1487440: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1487440: (OVERRUN) /src/vendorcode/amd/cimx/sb800/SBCMN.c: 1020 in softwareToggleImcStrapping() 1014 } else { 1015 abValue1 &= ~BIT2; // bit2=0 EcEnableStrap 1016 } 1017 WriteMEM ((ACPI_MMIO_BASE + MISC_BASE + SB_MISC_REG84), AccWidthUint32, &abValue1); 1018 dbValue |= BIT6; // PwrGoodOut =1 1019 dbValue &= ~BIT7; // PwrGoodEnB =0
CID 1487440: (OVERRUN) Overrunning buffer pointed to by "&dbValue" of 1 bytes by passing it to a function which accesses it at byte offset 2.
1020 WritePMIO (SB_PMIOA_REGBF, AccWidthUint8, &dbValue); 1021 1022 dbValue = 06; 1023 WriteIO (0xcf9, AccWidthUint8, &dbValue); 1024 SbStall (0xffffffff); 1025 } /src/vendorcode/amd/cimx/sb800/SBCMN.c: 984 in softwareToggleImcStrapping() 978 UINT8 dbPortStatus; 979 UINT32 abValue; 980 UINT32 abValue1; 981 982 getChipSysMode (&dbPortStatus); 983
CID 1487440: (OVERRUN) Overrunning buffer pointed to by "&dbValue" of 1 bytes by passing it to a function which accesses it at byte offset 2.
984 ReadPMIO (SB_PMIOA_REGBF, AccWidthUint8, &dbValue); 985 //if ( (dbValue & (BIT6 + BIT7)) != 0xC0 ) { // PwrGoodOut =1, PwrGoodEnB=1 986 //The strapStatus register is not mapped into StrapOveride not in the same bit position. The following is difference. 987 988 //StrapStatus StrapOverride 989 // bit4 bit17
** CID 1487439: Memory - illegal accesses (OVERRUN) /payloads/libpayload/drivers/usb/xhci.c: 744 in xhci_bulk()
________________________________________________________________________________________________________ *** CID 1487439: Memory - illegal accesses (OVERRUN) /payloads/libpayload/drivers/usb/xhci.c: 744 in xhci_bulk() 738 739 u8 *data = src; 740 xhci_t *const xhci = XHCI_INST(ep->dev->controller); 741 const int slot_id = ep->dev->address; 742 const int ep_id = xhci_ep_id(ep); 743 epctx_t *const epctx = xhci->dev[slot_id].ctx.ep[ep_id];
CID 1487439: Memory - illegal accesses (OVERRUN) Overrunning array "xhci->dev[slot_id].transfer_rings" of 32 4-byte elements at element index 255 (byte offset 1023) using index "ep_id" (which evaluates to 255).
744 transfer_ring_t *const tr = xhci->dev[slot_id].transfer_rings[ep_id]; 745 746 const size_t off = (size_t)data & 0xffff; 747 if ((off + size) > ((TRANSFER_RING_SIZE - 2) << 16)) { 748 xhci_debug("Unsupported transfer size\n"); 749 return -1;
** CID 1487438: (UNSAFE_FUNCTIONALITY) /home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: 1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)() /home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: 1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)()
________________________________________________________________________________________________________ *** CID 1487438: (UNSAFE_FUNCTIONALITY) /home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: 1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)() 1744 1745 func direntIno(buf []byte) (uint64, bool) { 1746 return readInt(buf, unsafe.Offsetof(Dirent{}.Ino), unsafe.Sizeof(Dirent{}.Ino)) 1747 } 1748 1749 func direntReclen(buf []byte) (uint64, bool) {
CID 1487438: (UNSAFE_FUNCTIONALITY) Using unsafe function Offsetof.
1750 return readInt(buf, unsafe.Offsetof(Dirent{}.Reclen), unsafe.Sizeof(Dirent{}.Reclen)) 1751 } 1752 1753 func direntNamlen(buf []byte) (uint64, bool) { 1754 reclen, ok := direntReclen(buf) 1755 if !ok { /home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: 1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)() 1744 1745 func direntIno(buf []byte) (uint64, bool) { 1746 return readInt(buf, unsafe.Offsetof(Dirent{}.Ino), unsafe.Sizeof(Dirent{}.Ino)) 1747 } 1748 1749 func direntReclen(buf []byte) (uint64, bool) {
CID 1487438: (UNSAFE_FUNCTIONALITY) Using unsafe function Sizeof.
1750 return readInt(buf, unsafe.Offsetof(Dirent{}.Reclen), unsafe.Sizeof(Dirent{}.Reclen)) 1751 } 1752 1753 func direntNamlen(buf []byte) (uint64, bool) { 1754 reclen, ok := direntReclen(buf) 1755 if !ok {
** CID 1487437: (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 27 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 36 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 37 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 16 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 26 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 30 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 31 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
________________________________________________________________________________________________________ *** CID 1487437: (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 27 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 21 22 parts := strings.Split(v.Text('f', -1), ".") 23 pos := 0 24 if len(parts[0])%3 != 0 { 25 pos += len(parts[0]) % 3 26 buf.WriteString(parts[0][:pos])
CID 1487437: (SUPPRESSED_ERROR) The error returned by the function "buf.Write(comma)" is not explicitly checked.
27 buf.Write(comma) 28 } 29 for ; pos < len(parts[0]); pos += 3 { 30 buf.WriteString(parts[0][pos : pos+3]) 31 buf.Write(comma) 32 } /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 36 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 30 buf.WriteString(parts[0][pos : pos+3]) 31 buf.Write(comma) 32 } 33 buf.Truncate(buf.Len() - 1) 34 35 if len(parts) > 1 {
CID 1487437: (SUPPRESSED_ERROR) The error returned by the function "buf.Write({46})" is not explicitly checked.
36 buf.Write([]byte{'.'}) 37 buf.WriteString(parts[1]) 38 } 39 return buf.String() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 37 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 31 buf.Write(comma) 32 } 33 buf.Truncate(buf.Len() - 1) 34 35 if len(parts) > 1 { 36 buf.Write([]byte{'.'})
CID 1487437: (SUPPRESSED_ERROR) The error returned by the function "buf.WriteString(parts[1])" is not explicitly checked.
37 buf.WriteString(parts[1]) 38 } 39 return buf.String() /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 16 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 10 11 // BigCommaf produces a string form of the given big.Float in base 10 12 // with commas after every three orders of magnitude. 13 func BigCommaf(v *big.Float) string { 14 buf := &bytes.Buffer{} 15 if v.Sign() < 0 {
CID 1487437: (SUPPRESSED_ERROR) The error returned by the function "buf.Write({45})" is not explicitly checked.
16 buf.Write([]byte{'-'}) 17 v.Abs(v) 18 } 19 20 comma := []byte{','} 21 /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 26 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 20 comma := []byte{','} 21 22 parts := strings.Split(v.Text('f', -1), ".") 23 pos := 0 24 if len(parts[0])%3 != 0 { 25 pos += len(parts[0]) % 3
CID 1487437: (SUPPRESSED_ERROR) The error returned by the function "buf.WriteString(parts[0][nil:pos:nil])" is not explicitly checked.
26 buf.WriteString(parts[0][:pos]) 27 buf.Write(comma) 28 } 29 for ; pos < len(parts[0]); pos += 3 { 30 buf.WriteString(parts[0][pos : pos+3]) 31 buf.Write(comma) /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 30 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 24 if len(parts[0])%3 != 0 { 25 pos += len(parts[0]) % 3 26 buf.WriteString(parts[0][:pos]) 27 buf.Write(comma) 28 } 29 for ; pos < len(parts[0]); pos += 3 {
CID 1487437: (SUPPRESSED_ERROR) The error returned by the function "buf.WriteString(parts[0][pos:pos + 3:nil])" is not explicitly checked.
30 buf.WriteString(parts[0][pos : pos+3]) 31 buf.Write(comma) 32 } 33 buf.Truncate(buf.Len() - 1) 34 35 if len(parts) > 1 { /home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 31 in github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 25 pos += len(parts[0]) % 3 26 buf.WriteString(parts[0][:pos]) 27 buf.Write(comma) 28 } 29 for ; pos < len(parts[0]); pos += 3 { 30 buf.WriteString(parts[0][pos : pos+3])
CID 1487437: (SUPPRESSED_ERROR) The error returned by the function "buf.Write(comma)" is not explicitly checked.
31 buf.Write(comma) 32 } 33 buf.Truncate(buf.Len() - 1) 34 35 if len(parts) > 1 { 36 buf.Write([]byte{'.'}) 37 buf.WriteString(parts[1]) 38 } 39 return buf.String()
** CID 1487436: Audit impact security (SUPPRESSED_ERROR) /3rdparty/intel-sec-tools/pkg/tools/lcp.go: 599 in github.com/9elements/converged-security-suite/v2/pkg/tools.parsePolicyElementMLE(*bytes.Reader, *github.com/9elements/converged-security-suite/v2/pkg/tools.LCPPolicyMLE)error()
________________________________________________________________________________________________________ *** CID 1487436: Audit impact security (SUPPRESSED_ERROR) /3rdparty/intel-sec-tools/pkg/tools/lcp.go: 599 in github.com/9elements/converged-security-suite/v2/pkg/tools.parsePolicyElementMLE(*bytes.Reader, *github.com/9elements/converged-security-suite/v2/pkg/tools.LCPPolicyMLE)error() 593 if err != nil { 594 return err 595 } 596 597 pol.Hashes = make([][20]byte, pol.NumHashes) 598 for i := 0; i < int(pol.NumHashes); i++ {
CID 1487436: Audit impact security (SUPPRESSED_ERROR) The error returned by the function "Read(buf, LittleEndian, &pol.Hashes[i])" is not explicitly checked.
599 binary.Read(buf, binary.LittleEndian, &pol.Hashes[i]) 600 } 601 return nil 602 } 603 604 func parsePolicyElementSBIOS(buf *bytes.Reader, pol *LCPPolicySBIOS) error {
** CID 1487435: Audit impact security (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 220 in github.com/ulikunitz/xz/internal/xlog.Logger.Panicf(string, []interface{})()
________________________________________________________________________________________________________ *** CID 1487435: Audit impact security (SUPPRESSED_ERROR) /home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 220 in github.com/ulikunitz/xz/internal/xlog.Logger.Panicf(string, []interface{})() 214 panic(s) 215 } 216 217 // Panicf prints the message like Printf and calls panic. The printing 218 // might be suppressed by the flag Lnopanic. 219 func (l *Logger) Panicf(format string, v ...interface{}) {
CID 1487435: Audit impact security (SUPPRESSED_ERROR) The error returned by the function "l.Outputf(2, 32, format, v)" is not explicitly checked.
220 l.Outputf(2, Lnopanic, format, v...) 221 s := fmt.Sprintf(format, v...) 222 panic(s) 223 } 224 225 // Panicf prints the message like Printf and calls panic. The printing
** CID 1487434: Uninitialized variables (UNINIT) /3rdparty/vboot/firmware/lib/vboot_kernel.c: 521 in try_minios_sectors()
________________________________________________________________________________________________________ *** CID 1487434: Uninitialized variables (UNINIT) /3rdparty/vboot/firmware/lib/vboot_kernel.c: 521 in try_minios_sectors() 515 VbExStreamClose(stream); 516 return rv; 517 } 518 VbExStreamClose(stream); 519 520 for (isector = 0; isector < count; isector++) {
CID 1487434: Uninitialized variables (UNINIT) Using uninitialized value "*(buf + isector * disk_info->bytes_per_lba)" when calling "memcmp". [Note: The source code implementation of the function has been overridden by a builtin model.]
521 if (memcmp(buf + isector * disk_info->bytes_per_lba, 522 VB2_KEYBLOCK_MAGIC, VB2_KEYBLOCK_MAGIC_SIZE)) 523 continue; 524 VB2_DEBUG("Match on sector %" PRIu64 " / %" PRIu64 "\n", 525 start + isector, 526 disk_info->lba_count - 1);
** CID 1487433: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________ *** CID 1487433: Memory - illegal accesses (UNINIT) /src/vendorcode/amd/agesa/f16kb/Proc/CPU/Family/0x16/KB/F16KbNbAfterReset.c: 183 in F16KbPmNbAfterReset() 177 if (GetGivenModuleCoreRange (Socket, Module, &TaskedCore, &Ignored, StdHeader)) { 178 if (TaskedCore != 0) { 179 ApUtilRunCodeOnSocketCore ((UINT8) Socket, (UINT8) TaskedCore, &TaskPtr, StdHeader); 180 } 181 } 182 }
CID 1487433: Memory - illegal accesses (UNINIT) Using uninitialized value "TaskPtr.DataTransfer.DataPtr" when calling "ApUtilTaskOnExecutingCore".
183 ApUtilTaskOnExecutingCore (&TaskPtr, StdHeader, (VOID *) CpuEarlyParamsPtr); 184 } 185 186 /*--------------------------------------------------------------------------------------- 187 * L O C A L F U N C T I O N S 188 *---------------------------------------------------------------------------------------
** CID 1487432: (STRING_OVERFLOW)
________________________________________________________________________________________________________ *** CID 1487432: (STRING_OVERFLOW) /src/mainboard/ocp/deltalake/ramstage.c: 149 in dl_oem_smbios_strings() 143 t->count = smbios_add_oem_string(t->eos, "0x0: Unknown"); 144 break; 145 case PCIE_CONFIG_A: 146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A"); 147 break; 148 case PCIE_CONFIG_B:
CID 1487432: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 18 characters from ""0x2: YV3 Config-B"".
149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B"); 150 break; 151 case PCIE_CONFIG_C: 152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C"); 153 break; 154 case PCIE_CONFIG_D: /src/mainboard/ocp/deltalake/ramstage.c: 155 in dl_oem_smbios_strings() 149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B"); 150 break; 151 case PCIE_CONFIG_C: 152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C"); 153 break; 154 case PCIE_CONFIG_D:
CID 1487432: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 18 characters from ""0x4: YV3 Config-D"".
155 t->count = smbios_add_oem_string(t->eos, "0x4: YV3 Config-D"); 156 break; 157 default: 158 t->count = smbios_add_oem_string(t->eos, "Check BMC return data"); 159 } 160 } else { /src/mainboard/ocp/deltalake/ramstage.c: 158 in dl_oem_smbios_strings() 152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C"); 153 break; 154 case PCIE_CONFIG_D: 155 t->count = smbios_add_oem_string(t->eos, "0x4: YV3 Config-D"); 156 break; 157 default:
CID 1487432: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 22 characters from ""Check BMC return data"".
158 t->count = smbios_add_oem_string(t->eos, "Check BMC return data"); 159 } 160 } else { 161 printk(BIOS_ERR, "Failed to get IPMI PCIe config\n"); 162 } 163 } /src/mainboard/ocp/deltalake/ramstage.c: 146 in dl_oem_smbios_strings() 140 if (ipmi_get_pcie_config(&pcie_config) == CB_SUCCESS) { 141 switch (pcie_config) { 142 case PCIE_CONFIG_UNKNOWN: 143 t->count = smbios_add_oem_string(t->eos, "0x0: Unknown"); 144 break; 145 case PCIE_CONFIG_A:
CID 1487432: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 18 characters from ""0x1: YV3 Config-A"".
146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A"); 147 break; 148 case PCIE_CONFIG_B: 149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B"); 150 break; 151 case PCIE_CONFIG_C: /src/mainboard/ocp/deltalake/ramstage.c: 152 in dl_oem_smbios_strings() 146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A"); 147 break; 148 case PCIE_CONFIG_B: 149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B"); 150 break; 151 case PCIE_CONFIG_C:
CID 1487432: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 18 characters from ""0x3: YV3 Config-C"".
152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C"); 153 break; 154 case PCIE_CONFIG_D: 155 t->count = smbios_add_oem_string(t->eos, "0x4: YV3 Config-D"); 156 break; 157 default: /src/mainboard/ocp/deltalake/ramstage.c: 143 in dl_oem_smbios_strings() 137 t->count = smbios_add_oem_string(t->eos, oem_str7); 138 139 /* Add OEM string 8 */ 140 if (ipmi_get_pcie_config(&pcie_config) == CB_SUCCESS) { 141 switch (pcie_config) { 142 case PCIE_CONFIG_UNKNOWN:
CID 1487432: (STRING_OVERFLOW) You might overrun the 2-character destination string "t->eos" by writing 13 characters from ""0x0: Unknown"".
143 t->count = smbios_add_oem_string(t->eos, "0x0: Unknown"); 144 break; 145 case PCIE_CONFIG_A: 146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A"); 147 break; 148 case PCIE_CONFIG_B: /src/mainboard/ocp/deltalake/ramstage.c: 137 in dl_oem_smbios_strings() 131 for (int dimm = 0; dimm < MAX_IMC; dimm++) { 132 write_oem_word(hob->Socket[0].ChannelInfo[ch].DimmInfo[dimm].SPDRegVen, 133 spd_reg_vid); 134 oem_str7 = strconcat(oem_str7, spd_reg_vid); 135 } 136 }
CID 1487432: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "oem_str7" without checking the length.
137 t->count = smbios_add_oem_string(t->eos, oem_str7); 138 139 /* Add OEM string 8 */ 140 if (ipmi_get_pcie_config(&pcie_config) == CB_SUCCESS) { 141 switch (pcie_config) { 142 case PCIE_CONFIG_UNKNOWN:
** CID 1487431: (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1487431: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 1666 in ifwi_print() 1660 1661 bpdt_print_header(&b->h, "BPDT"); 1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1663 1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1665 bpdt_print_header(&b->h, "S-BPDT");
CID 1487431: (TAINTED_SCALAR) Passing tainted expression "b->h.descriptor_count" to "bpdt_print_entries", which uses it as a loop boundary.
1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1667 1668 if (param.dir_ops == 0) { 1669 verbose -= 2; 1670 return NO_ACTION_REQUIRED; 1671 } /util/cbfstool/ifwitool.c: 1666 in ifwi_print() 1660 1661 bpdt_print_header(&b->h, "BPDT"); 1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1663 1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1665 bpdt_print_header(&b->h, "S-BPDT");
CID 1487431: (TAINTED_SCALAR) Passing tainted expression "b->e[0].type" to "bpdt_print_entries", which uses it as an offset.
1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1667 1668 if (param.dir_ops == 0) { 1669 verbose -= 2; 1670 return NO_ACTION_REQUIRED; 1671 } /util/cbfstool/ifwitool.c: 1662 in ifwi_print() 1656 { 1657 verbose += 2; 1658 1659 struct bpdt *b = buffer_get(&ifwi_image.bpdt); 1660 1661 bpdt_print_header(&b->h, "BPDT");
CID 1487431: (TAINTED_SCALAR) Passing tainted expression "b->h.descriptor_count" to "bpdt_print_entries", which uses it as a loop boundary.
1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1663 1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1665 bpdt_print_header(&b->h, "S-BPDT"); 1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1667 /util/cbfstool/ifwitool.c: 1662 in ifwi_print() 1656 { 1657 verbose += 2; 1658 1659 struct bpdt *b = buffer_get(&ifwi_image.bpdt); 1660 1661 bpdt_print_header(&b->h, "BPDT");
CID 1487431: (TAINTED_SCALAR) Passing tainted expression "b->e[0].type" to "bpdt_print_entries", which uses it as an offset.
1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT"); 1663 1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]); 1665 bpdt_print_header(&b->h, "S-BPDT"); 1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT"); 1667 /util/cbfstool/ifwitool.c: 1680 in ifwi_print() 1674 struct buffer subpart_dir_buf; 1675 for (i = 0; i < MAX_SUBPARTS ; i++) { 1676 if (!(subparts[i].attr & CONTAINS_DIR) || 1677 (buffer_size(&ifwi_image.subpart_buf[i]) == 0)) 1678 continue; 1679
CID 1487431: (TAINTED_SCALAR) Passing tainted expression "*subpart_dir_buf.data" to "parse_subpart_dir", which uses it as a loop boundary.
1680 parse_subpart_dir(&subpart_dir_buf, &ifwi_image.subpart_buf[i], 1681 subparts[i].name); 1682 buffer_delete(&subpart_dir_buf); 1683 } 1684 1685 verbose -= 2;
** CID 1487430: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1487430: (OVERRUN) /src/southbridge/amd/cimx/sb800/fadt.c: 48 in acpi_fill_fadt() 42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val); 43 44 /* CpuControl is in _PR.CP00, 6 bytes */ 45 val = CPU_CNT_BLK_ADDRESS; 46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val); 47 val = 0;
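CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2. Every flagged call in this function passes AccWidthUint16 together with the 2-byte "val". Whether WritePMIO reads beyond the requested width depends on its implementation, which is not quoted here, so check that function before treating these reports as real overruns.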
48 WritePMIO(SB_PMIOA_REG6A, AccWidthUint16, &val); 49 val = ACPI_PMA_CNT_BLK_ADDRESS; 50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val); 51 52 /* AcpiDecodeEnable, When set, SB uses the contents of the 53 * PM registers at index 60-6B to decode ACPI I/O address. /src/southbridge/amd/cimx/sb800/fadt.c: 40 in acpi_fill_fadt() 34 35 val = PM1_EVT_BLK_ADDRESS; 36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val); 37 val = PM1_CNT_BLK_ADDRESS; 38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val); 39 val = PM1_TMR_BLK_ADDRESS;
CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2.
40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val); 41 val = GPE0_BLK_ADDRESS; 42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val); 43 44 /* CpuControl is in _PR.CP00, 6 bytes */ 45 val = CPU_CNT_BLK_ADDRESS; /src/southbridge/amd/cimx/sb800/fadt.c: 38 in acpi_fill_fadt() 32 33 fadt->sci_int = 9; /* HUDSON 1 - IRQ 09 - ACPI SCI */ 34 35 val = PM1_EVT_BLK_ADDRESS; 36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val); 37 val = PM1_CNT_BLK_ADDRESS;
CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2.
38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val); 39 val = PM1_TMR_BLK_ADDRESS; 40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val); 41 val = GPE0_BLK_ADDRESS; 42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val); 43 /src/southbridge/amd/cimx/sb800/fadt.c: 56 in acpi_fill_fadt() 50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val); 51 52 /* AcpiDecodeEnable, When set, SB uses the contents of the 53 * PM registers at index 60-6B to decode ACPI I/O address. 54 * AcpiSmiEn & SmiCmdEn*/ 55 val = BIT0 | BIT1 | BIT2 | BIT4;
CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2.
56 WritePMIO(SB_PMIOA_REG74, AccWidthUint16, &val); 57 58 /* RTC_En_En, TMR_En_En, GBL_EN_EN */ 59 outl(0x1, PM1_CNT_BLK_ADDRESS); /* set SCI_EN */ 60 fadt->pm1a_evt_blk = PM1_EVT_BLK_ADDRESS; 61 fadt->pm1a_cnt_blk = PM1_CNT_BLK_ADDRESS; /src/southbridge/amd/cimx/sb800/fadt.c: 42 in acpi_fill_fadt() 36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val); 37 val = PM1_CNT_BLK_ADDRESS; 38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val); 39 val = PM1_TMR_BLK_ADDRESS; 40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val); 41 val = GPE0_BLK_ADDRESS;
CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2.
42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val); 43 44 /* CpuControl is in _PR.CP00, 6 bytes */ 45 val = CPU_CNT_BLK_ADDRESS; 46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val); 47 val = 0; /src/southbridge/amd/cimx/sb800/fadt.c: 50 in acpi_fill_fadt() 44 /* CpuControl is in _PR.CP00, 6 bytes */ 45 val = CPU_CNT_BLK_ADDRESS; 46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val); 47 val = 0; 48 WritePMIO(SB_PMIOA_REG6A, AccWidthUint16, &val); 49 val = ACPI_PMA_CNT_BLK_ADDRESS;
CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2.
50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val); 51 52 /* AcpiDecodeEnable, When set, SB uses the contents of the 53 * PM registers at index 60-6B to decode ACPI I/O address. 54 * AcpiSmiEn & SmiCmdEn*/ 55 val = BIT0 | BIT1 | BIT2 | BIT4; /src/southbridge/amd/cimx/sb800/fadt.c: 36 in acpi_fill_fadt() 30 31 printk(BIOS_DEBUG, "ACPI_BLK_BASE: 0x%04x\n", ACPI_BLK_BASE); 32 33 fadt->sci_int = 9; /* HUDSON 1 - IRQ 09 - ACPI SCI */ 34 35 val = PM1_EVT_BLK_ADDRESS;
CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2.
36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val); 37 val = PM1_CNT_BLK_ADDRESS; 38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val); 39 val = PM1_TMR_BLK_ADDRESS; 40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val); 41 val = GPE0_BLK_ADDRESS; /src/southbridge/amd/cimx/sb800/fadt.c: 46 in acpi_fill_fadt() 40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val); 41 val = GPE0_BLK_ADDRESS; 42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val); 43 44 /* CpuControl is in _PR.CP00, 6 bytes */ 45 val = CPU_CNT_BLK_ADDRESS;
CID 1487430: (OVERRUN) Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function which accesses it at byte offset 2.
46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val); 47 val = 0; 48 WritePMIO(SB_PMIOA_REG6A, AccWidthUint16, &val); 49 val = ACPI_PMA_CNT_BLK_ADDRESS; 50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val); 51