Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
34 new defect(s) introduced to coreboot found with Coverity Scan. 17 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 34 defect(s)
** CID 1401794: Control flow issues (MISSING_BREAK) /3rdparty/vboot/firmware/lib/vboot_ui.c: 266 in vb2_enter_vendor_data_ui()
________________________________________________________________________________________________________ *** CID 1401794: Control flow issues (MISSING_BREAK) /3rdparty/vboot/firmware/lib/vboot_ui.c: 266 in vb2_enter_vendor_data_ui() 260 case VB_KEY_ESC: 261 /* Escape pressed - return to developer screen */ 262 VB2_DEBUG("Vendor Data UI - user pressed Esc: " 263 "exit to Developer screen\n"); 264 data_value[0] = '\0'; 265 return VBERROR_SUCCESS;
CID 1401794: Control flow issues (MISSING_BREAK) The case for value "122U" is not terminated by a 'break' statement.
266 case 'a'...'z': 267 key = toupper(key); 268 case '0'...'9': 269 case 'A'...'Z': 270 if ((len > 0 && is_vowel(key)) || 271 len >= VENDOR_DATA_LENGTH) {
** CID 1401793: Insecure data handling (INTEGER_OVERFLOW) /3rdparty/vboot/futility/updater.c: 240 in host_get_platform_version()
________________________________________________________________________________________________________ *** CID 1401793: Insecure data handling (INTEGER_OVERFLOW) /3rdparty/vboot/futility/updater.c: 240 in host_get_platform_version() 234 /* Result should be 'revN' */ 235 if (strncmp(result, STR_REV, strlen(STR_REV)) == 0) 236 rev = strtol(result + strlen(STR_REV), NULL, 0); 237 DEBUG("Raw data = [%s], parsed version is %d", result, rev); 238 239 free(result);
CID 1401793: Insecure data handling (INTEGER_OVERFLOW) Overflowed or truncated value (or a value computed from an overflowed or truncated value) "rev" used as return value.
240 return rev; 241 } 242 243 /* 244 * A helper function to invoke flashrom(8) command. 245 * Returns 0 if success, non-zero if error.
** CID 1401792: Error handling issues (CHECKED_RETURN) /3rdparty/vboot/futility/updater.c: 99 in updater_create_temp_file()
________________________________________________________________________________________________________ *** CID 1401792: Error handling issues (CHECKED_RETURN) /3rdparty/vboot/futility/updater.c: 99 in updater_create_temp_file() 93 } 94 close(fd); 95 new_temp = (struct tempfile *)malloc(sizeof(*new_temp)); 96 if (new_temp) 97 new_temp->filepath = strdup(new_path); 98 if (!new_temp || !new_temp->filepath) {
CID 1401792: Error handling issues (CHECKED_RETURN) Calling "remove(new_path)" without checking return value. This library function may fail and return an error code.
99 remove(new_path); 100 free(new_temp); 101 ERROR("Failed to allocate buffer for new temp file."); 102 return NULL; 103 } 104 DEBUG("Created new temporary file: %s.", new_path);
** CID 1401791: Security best practices violations (SECURE_TEMP) /3rdparty/vboot/futility/updater.c: 89 in updater_create_temp_file()
________________________________________________________________________________________________________ *** CID 1401791: Security best practices violations (SECURE_TEMP) /3rdparty/vboot/futility/updater.c: 89 in updater_create_temp_file() 83 const char *updater_create_temp_file(struct updater_config *cfg) 84 { 85 struct tempfile *new_temp; 86 char new_path[] = P_tmpdir "/fwupdater.XXXXXX"; 87 int fd; 88
CID 1401791: Security best practices violations (SECURE_TEMP) Calling "mkstemp" without securely setting umask first.
89 fd = mkstemp(new_path); 90 if (fd < 0) { 91 ERROR("Failed to create new temp file in %s", new_path); 92 return NULL; 93 } 94 close(fd);
** CID 1401790: (RESOURCE_LEAK) /3rdparty/vboot/futility/cmd_update.c: 137 in do_update() /3rdparty/vboot/futility/cmd_update.c: 178 in do_update()
________________________________________________________________________________________________________ *** CID 1401790: (RESOURCE_LEAK) /3rdparty/vboot/futility/cmd_update.c: 137 in do_update() 131 132 opterr = 0; 133 while ((i = getopt_long(argc, argv, short_opts, long_opts, 0)) != -1) { 134 switch (i) { 135 case 'h': 136 print_help(argc, argv);
CID 1401790: (RESOURCE_LEAK) Variable "cfg" going out of scope leaks the storage it points to.
137 return !!errorcnt; 138 case 'd': 139 debugging_enabled = 1; 140 args.verbosity++; 141 break; 142 case 'v': /3rdparty/vboot/futility/cmd_update.c: 178 in do_update() 172 break; 173 case OPT_QUIRKS: 174 args.quirks = optarg; 175 break; 176 case OPT_QUIRKS_LIST: 177 updater_list_config_quirks(cfg);
CID 1401790: (RESOURCE_LEAK) Variable "cfg" going out of scope leaks the storage it points to.
178 return 0; 179 case OPT_OUTPUT_DIR: 180 args.output_dir = optarg; 181 break; 182 case OPT_MODEL: 183 args.model = optarg;
** CID 1401789: Error handling issues (CHECKED_RETURN) /3rdparty/vboot/futility/updater.c: 120 in updater_remove_all_temp_files()
________________________________________________________________________________________________________ *** CID 1401789: Error handling issues (CHECKED_RETURN) /3rdparty/vboot/futility/updater.c: 120 in updater_remove_all_temp_files() 114 static void updater_remove_all_temp_files(struct updater_config *cfg) 115 { 116 struct tempfile *tempfiles = cfg->tempfiles; 117 while (tempfiles != NULL) { 118 struct tempfile *target = tempfiles; 119 DEBUG("Remove temporary file: %s.", target->filepath);
CID 1401789: Error handling issues (CHECKED_RETURN) Calling "remove(target->filepath)" without checking return value. This library function may fail and return an error code.
120 remove(target->filepath); 121 free(target->filepath); 122 tempfiles = target->next; 123 free(target); 124 } 125 cfg->tempfiles = NULL;
** CID 1390695: (RESOURCE_LEAK) /3rdparty/vboot/host/lib/crossystem.c: 112 in vb2_get_nv_storage() /3rdparty/vboot/host/lib/crossystem.c: 121 in vb2_get_nv_storage()
________________________________________________________________________________________________________ *** CID 1390695: (RESOURCE_LEAK) /3rdparty/vboot/host/lib/crossystem.c: 112 in vb2_get_nv_storage() 106 /* TODO: locking around NV access */ 107 if (!vnc_read) { 108 memset(&cached_ctx, 0, sizeof(cached_ctx)); 109 if (sh && sh->flags & VBSD_NVDATA_V2) 110 cached_ctx.flags |= VB2_CONTEXT_NVDATA_V2; 111 if (0 != vb2_read_nv_storage(&cached_ctx))
CID 1390695: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
112 return -1; 113 vb2_nv_init(&cached_ctx); 114 115 /* TODO: If vnc.raw_changed, attempt to reopen NVRAM for write 116 * and save the new defaults. If we're able to, log. */ 117 /3rdparty/vboot/host/lib/crossystem.c: 121 in vb2_get_nv_storage() 115 /* TODO: If vnc.raw_changed, attempt to reopen NVRAM for write 116 * and save the new defaults. If we're able to, log. */ 117 118 vnc_read = 1; 119 } 120
CID 1390695: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
121 return (int)vb2_nv_get(&cached_ctx, param); 122 } 123 124 int vb2_set_nv_storage(enum vb2_nv_param param, int value) 125 { 126 VbSharedDataHeader* sh = VbSharedDataRead();
** CID 1390694: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1390694: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/firmware/lib/tpm_lite/tlcl.c: 215 in StartOSAPSession() 209 sizeof(TPM_NONCE)) != VB2_SUCCESS) { 210 return TPM_E_INTERNAL_ERROR; 211 } 212 213 /* Send OSAP command. */ 214 uint8_t response[TPM_LARGE_ENOUGH_COMMAND_SIZE];
CID 1390694: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "cmd.buffer" to a tainted sink.
215 uint32_t result = TlclSendReceive(cmd.buffer, response, 216 sizeof(response)); 217 if (result != TPM_SUCCESS) { 218 return result; 219 } 220
** CID 1390693: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1390693: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/firmware/lib/tpm_lite/tlcl.c: 1230 in TlclReadPubek() 1224 return TPM_E_INTERNAL_ERROR; 1225 } 1226 1227 /* The response contains the public endorsement key, so use a large 1228 * response buffer. */ 1229 uint8_t response[TPM_LARGE_ENOUGH_COMMAND_SIZE + TPM_RSA_2048_LEN];
CID 1390693: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "cmd.buffer" to a tainted sink.
1230 uint32_t result = TlclSendReceive(cmd.buffer, response, 1231 sizeof(response)); 1232 if (result != TPM_SUCCESS) { 1233 return result; 1234 } 1235
** CID 1390692: (RESOURCE_LEAK) /3rdparty/vboot/host/lib/crossystem.c: 134 in vb2_set_nv_storage() /3rdparty/vboot/host/lib/crossystem.c: 141 in vb2_set_nv_storage() /3rdparty/vboot/host/lib/crossystem.c: 145 in vb2_set_nv_storage()
________________________________________________________________________________________________________ *** CID 1390692: (RESOURCE_LEAK) /3rdparty/vboot/host/lib/crossystem.c: 134 in vb2_set_nv_storage() 128 129 /* TODO: locking around NV access */ 130 memset(&ctx, 0, sizeof(ctx)); 131 if (sh && sh->flags & VBSD_NVDATA_V2) 132 ctx.flags |= VB2_CONTEXT_NVDATA_V2; 133 if (0 != vb2_read_nv_storage(&ctx))
CID 1390692: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
134 return -1; 135 vb2_nv_init(&ctx); 136 vb2_nv_set(&ctx, param, (uint32_t)value); 137 138 if (ctx.flags & VB2_CONTEXT_NVDATA_CHANGED) { 139 vnc_read = 0; /3rdparty/vboot/host/lib/crossystem.c: 141 in vb2_set_nv_storage() 135 vb2_nv_init(&ctx); 136 vb2_nv_set(&ctx, param, (uint32_t)value); 137 138 if (ctx.flags & VB2_CONTEXT_NVDATA_CHANGED) { 139 vnc_read = 0; 140 if (0 != vb2_write_nv_storage(&ctx))
CID 1390692: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
141 return -1; 142 } 143 144 /* Success */ 145 return 0; 146 } /3rdparty/vboot/host/lib/crossystem.c: 145 in vb2_set_nv_storage() 139 vnc_read = 0; 140 if (0 != vb2_write_nv_storage(&ctx)) 141 return -1; 142 } 143 144 /* Success */
CID 1390692: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
145 return 0; 146 } 147 148 /* 149 * Set a param value, and try to flag it for persistent backup. It's okay if 150 * backup isn't supported (which it isn't, in current designs). It's
** CID 1387030: (RESOURCE_LEAK) /3rdparty/chromeec/util/genvif.c: 520 in gen_vif() /3rdparty/chromeec/util/genvif.c: 550 in gen_vif() /3rdparty/chromeec/util/genvif.c: 550 in gen_vif()
________________________________________________________________________________________________________ *** CID 1387030: (RESOURCE_LEAK) /3rdparty/chromeec/util/genvif.c: 520 in gen_vif() 514 515 /* Write Source PDOs */ 516 for (i = 0; i < src_pdo_cnt; i++) { 517 pwr = write_pdo_to_buf(&buf, src_pdo[i], SRC, i+1); 518 if (pwr < 0) { 519 fprintf(stderr, "ERROR: Out of memory.\n");
CID 1387030: (RESOURCE_LEAK) Variable "vif" going out of scope leaks the storage it points to.
520 return 1; 521 } 522 523 if (pwr > max_power) 524 max_power = pwr; 525 } /3rdparty/chromeec/util/genvif.c: 550 in gen_vif() 544 /* Write Sink PDOs */ 545 for (i = 0; i < pd_snk_pdo_cnt; i++) { 546 pwr = write_pdo_to_buf(&buf, pd_snk_pdo[i], SNK, i+1); 547 548 if (pwr < 0) { 549 fprintf(stderr, "ERROR: Out of memory.\n");
CID 1387030: (RESOURCE_LEAK) Variable "vif" going out of scope leaks the storage it points to.
550 return 1; 551 } 552 553 if (pwr > max_power) 554 max_power = pwr; 555 } /3rdparty/chromeec/util/genvif.c: 550 in gen_vif() 544 /* Write Sink PDOs */ 545 for (i = 0; i < pd_snk_pdo_cnt; i++) { 546 pwr = write_pdo_to_buf(&buf, pd_snk_pdo[i], SNK, i+1); 547 548 if (pwr < 0) { 549 fprintf(stderr, "ERROR: Out of memory.\n");
CID 1387030: (RESOURCE_LEAK) Variable "vif" going out of scope leaks the storage it points to.
550 return 1; 551 } 552 553 if (pwr > max_power) 554 max_power = pwr; 555 }
** CID 1385420: Null pointer dereferences (REVERSE_INULL) /3rdparty/vboot/firmware/lib/region-init.c: 45 in VbGbbReadHWID()
________________________________________________________________________________________________________ *** CID 1385420: Null pointer dereferences (REVERSE_INULL) /3rdparty/vboot/firmware/lib/region-init.c: 45 in VbGbbReadHWID() 39 struct vb2_shared_data *sd = vb2_get_sd(ctx); 40 41 if (!max_size) 42 return VBERROR_INVALID_PARAMETER; 43 *hwid = '\0'; 44 StrnAppend(hwid, "{INVALID}", max_size);
CID 1385420: Null pointer dereferences (REVERSE_INULL) Null-checking "ctx" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
45 if (!ctx) 46 return VBERROR_INVALID_GBB; 47 48 if (0 == sd->gbb->hwid_size) { 49 VB2_DEBUG("VbHWID(): invalid hwid size\n"); 50 return VBERROR_SUCCESS; /* oddly enough! */
** CID 1365395: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1365395: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_bdb.c: 489 in do_verify() 483 fprintf(stderr, 484 "Invalid digest size: %d\n", key_digest_size); 485 goto exit; 486 } 487 } 488
CID 1365395: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "bdb" to a tainted sink.
489 rv = bdb_verify(bdb, bdb_size, key_digest); 490 switch (rv) { 491 case BDB_SUCCESS: 492 fprintf(stderr, "BDB is successfully verified.\n"); 493 break; 494 case BDB_GOOD_OTHER_THAN_KEY:
** CID 1365394: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1365394: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_vbutil_key.c: 128 in do_unpack() 122 printf("Public Key file: %s\n", infile); 123 printf("Algorithm: %u %s\n", pubkey->algorithm, 124 vb2_get_crypto_algorithm_name(pubkey->algorithm)); 125 printf("Key Version: %u\n", pubkey->key_version); 126 printf("Key sha1sum: %s\n", 127 packed_key_sha1_string(pubkey));
CID 1365394: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "pubkey->key_size" to a tainted sink.
128 if (outfile && 129 VB2_SUCCESS != vb2_write_packed_key(outfile, pubkey)) { 130 fprintf(stderr, "butil_key: Error writing key copy\n"); 131 free(pubkey); 132 return 1; 133 }
** CID 1365393: (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1365393: (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_bdb.c: 358 in do_resign() 352 struct bdb_key *key = bdb_create_key(bdbkey_pub_filename, 353 bdbkey_version, NULL); 354 if (!key) { 355 fprintf(stderr, "Unable to read BDB key\n"); 356 goto exit; 357 }
CID 1365393: (TAINTED_SCALAR) Passing tainted variable "bdb" to a tainted sink.
358 if (install_bdbkey(&bdb, key)) { 359 fprintf(stderr, "Unable to install new BDB key\n"); 360 goto exit; 361 } 362 } 363 /3rdparty/vboot/futility/cmd_bdb.c: 371 in do_resign() 365 struct bdb_key *key = bdb_create_key(datakey_pub_filename, 366 datakey_version, NULL); 367 if (!key) { 368 fprintf(stderr, "Unable to read data key\n"); 369 goto exit; 370 }
CID 1365393: (TAINTED_SCALAR) Passing tainted variable "bdb" to a tainted sink.
371 if (install_datakey(&bdb, key)) { 372 fprintf(stderr, "Unable to install new data key\n"); 373 goto exit; 374 } 375 } 376 /3rdparty/vboot/futility/cmd_bdb.c: 446 in do_resign() 440 /* This is not expected. We installed new keys and resigned 441 * BDB but it's still invalid. */ 442 fprintf(stderr, "BDB is resigned but it's invalid: %d\n", rv); 443 goto exit; 444 } 445
CID 1365393: (TAINTED_SCALAR) Passing tainted variable "bdb_size_of(bdb)" to a tainted sink.
446 rv = write_file(bdb_filename, bdb, bdb_size_of(bdb)); 447 if (rv) { 448 fprintf(stderr, "Unable to write BDB.\n"); 449 goto exit; 450 } 451 /3rdparty/vboot/futility/cmd_bdb.c: 391 in do_resign() 385 if (!bdbkey_pri_filename) { 386 fprintf(stderr, "Private BDB key is required but not " 387 "provided.\n"); 388 goto exit; 389 } 390 bdbkey_pri = read_pem(bdbkey_pri_filename);
CID 1365393: (TAINTED_SCALAR) Passing tainted variable "bdb" to a tainted sink.
391 rv = bdb_sign_datakey(&bdb, bdbkey_pri); 392 if (rv) { 393 fprintf(stderr, "Failed to resign data key: %d\n", rv); 394 goto exit; 395 } 396 fprintf(stderr, "Data key is resigned.\n"); /3rdparty/vboot/futility/cmd_bdb.c: 446 in do_resign() 440 /* This is not expected. We installed new keys and resigned 441 * BDB but it's still invalid. */ 442 fprintf(stderr, "BDB is resigned but it's invalid: %d\n", rv); 443 goto exit; 444 } 445
CID 1365393: (TAINTED_SCALAR) Passing tainted variable "bdb_size_of(bdb)" to a tainted sink.
446 rv = write_file(bdb_filename, bdb, bdb_size_of(bdb)); 447 if (rv) { 448 fprintf(stderr, "Unable to write BDB.\n"); 449 goto exit; 450 } 451
** CID 1365392: (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1365392: (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_vbutil_keyblock.c: 121 in Pack() 115 "vbutil_keyblock: Invalid --pem_algorithm %" 116 PRIu64 "\n", pem_algorithm); 117 return 1; 118 } 119 if (external_signer) { 120 /* External signing uses the PEM file directly. */
CID 1365392: (TAINTED_SCALAR) Passing tainted variable "data_key->key_size" to a tainted sink.
121 block = vb2_create_keyblock_external(data_key, 122 signprivate_pem, 123 pem_algorithm, 124 flags, 125 external_signer); 126 } else { /3rdparty/vboot/futility/cmd_vbutil_keyblock.c: 135 in Pack() 129 pem_algorithm); 130 if (!signing_key) { 131 fprintf(stderr, "vbutil_keyblock:" 132 " Error reading signing key.\n"); 133 return 1; 134 }
CID 1365392: (TAINTED_SCALAR) Passing tainted variable "data_key->key_size" to a tainted sink.
135 block = vb2_create_keyblock(data_key, signing_key, 136 flags); 137 } 138 } else { 139 if (signprivate) { 140 signing_key = vb2_read_private_key(signprivate); /3rdparty/vboot/futility/cmd_vbutil_keyblock.c: 147 in Pack() 141 if (!signing_key) { 142 fprintf(stderr, "vbutil_keyblock:" 143 " Error reading signing key.\n"); 144 return 1; 145 } 146 }
CID 1365392: (TAINTED_SCALAR) Passing tainted variable "data_key->key_size" to a tainted sink.
147 block = vb2_create_keyblock(data_key, signing_key, flags); 148 } 149 150 free(data_key); 151 if (signing_key) 152 free(signing_key);
** CID 1365391: (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_vbutil_firmware.c: 159 in do_vblock()
________________________________________________________________________________________________________ *** CID 1365391: (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_vbutil_firmware.c: 159 in do_vblock() 153 /* Write the output file */ 154 FILE *f = fopen(outfile, "wb"); 155 if (!f) { 156 VbExError("Can't open output file %s\n", outfile); 157 goto vblock_cleanup; 158 }
CID 1365391: (TAINTED_SCALAR) Passing tainted variable "keyblock->keyblock_size" to a tainted sink.
159 int i = ((1 != fwrite(keyblock, keyblock->keyblock_size, 1, f)) || 160 (1 != fwrite(preamble, preamble->preamble_size, 1, f))); 161 fclose(f); 162 if (i) { 163 VbExError("Can't write output file %s\n", outfile); 164 unlink(outfile); /3rdparty/vboot/futility/cmd_vbutil_firmware.c: 146 in do_vblock() 140 if (!body_sig) { 141 VbExError("Error calculating body signature\n"); 142 goto vblock_cleanup; 143 } 144 145 /* Create preamble */
CID 1365391: (TAINTED_SCALAR) Passing tainted variable "kernel_subkey->key_size" to a tainted sink.
146 preamble = vb2_create_fw_preamble(version, kernel_subkey, body_sig, 147 signing_key, preamble_flags); 148 if (!preamble) { 149 VbExError("Error creating preamble.\n"); 150 goto vblock_cleanup; 151 }
** CID 1365390: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1365390: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_bdb.c: 133 in do_add() 127 } 128 129 /* Update data header */ 130 data_header->num_hashes++; 131 data_header->signed_size += sizeof(*new_hash); 132
CID 1365390: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "bdb_header->bdb_size" to a tainted sink.
133 rv = write_file(bdb_filename, bdb_header, bdb_header->bdb_size); 134 if (rv) { 135 fprintf(stderr, "Unable to write BDB\n"); 136 goto exit; 137 } 138
** CID 1365387: (RESOURCE_LEAK) /3rdparty/vboot/futility/cmd_bdb.c: 360 in do_resign() /3rdparty/vboot/futility/cmd_bdb.c: 362 in do_resign() /3rdparty/vboot/futility/cmd_bdb.c: 373 in do_resign() /3rdparty/vboot/futility/cmd_bdb.c: 375 in do_resign()
________________________________________________________________________________________________________ *** CID 1365387: (RESOURCE_LEAK) /3rdparty/vboot/futility/cmd_bdb.c: 360 in do_resign() 354 if (!key) { 355 fprintf(stderr, "Unable to read BDB key\n"); 356 goto exit; 357 } 358 if (install_bdbkey(&bdb, key)) { 359 fprintf(stderr, "Unable to install new BDB key\n");
CID 1365387: (RESOURCE_LEAK) Variable "key" going out of scope leaks the storage it points to.
360 goto exit; 361 } 362 } 363 364 if (datakey_pub_filename) { 365 struct bdb_key *key = bdb_create_key(datakey_pub_filename, /3rdparty/vboot/futility/cmd_bdb.c: 362 in do_resign() 356 goto exit; 357 } 358 if (install_bdbkey(&bdb, key)) { 359 fprintf(stderr, "Unable to install new BDB key\n"); 360 goto exit; 361 }
CID 1365387: (RESOURCE_LEAK) Variable "key" going out of scope leaks the storage it points to.
362 } 363 364 if (datakey_pub_filename) { 365 struct bdb_key *key = bdb_create_key(datakey_pub_filename, 366 datakey_version, NULL); 367 if (!key) { /3rdparty/vboot/futility/cmd_bdb.c: 373 in do_resign() 367 if (!key) { 368 fprintf(stderr, "Unable to read data key\n"); 369 goto exit; 370 } 371 if (install_datakey(&bdb, key)) { 372 fprintf(stderr, "Unable to install new data key\n");
CID 1365387: (RESOURCE_LEAK) Variable "key" going out of scope leaks the storage it points to.
373 goto exit; 374 } 375 } 376 377 /* Check validity for the new bdb key */ 378 rv = bdb_verify(bdb, bdb_size_of(bdb), NULL); /3rdparty/vboot/futility/cmd_bdb.c: 375 in do_resign() 369 goto exit; 370 } 371 if (install_datakey(&bdb, key)) { 372 fprintf(stderr, "Unable to install new data key\n"); 373 goto exit; 374 }
CID 1365387: (RESOURCE_LEAK) Variable "key" going out of scope leaks the storage it points to.
375 } 376 377 /* Check validity for the new bdb key */ 378 rv = bdb_verify(bdb, bdb_size_of(bdb), NULL); 379 if (rv == BDB_ERROR_HEADER_SIG) { 380 /* This is expected failure if we installed a new BDB key.
** CID 1361273: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1361273: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/host/lib21/host_key.c: 230 in vb21_private_key_read() 224 *key_ptr = NULL; 225 226 rv = vb2_read_file(filename, &buf, &size); 227 if (rv) 228 return rv; 229
CID 1361273: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "buf" to a tainted sink.
230 rv = vb21_private_key_unpack(key_ptr, buf, size); 231 232 free(buf); 233 234 return rv; 235 }
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...