Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
148 new defect(s) introduced to coreboot found with Coverity Scan. 92 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 148 defect(s)
** CID 1355008: Code maintainability issues (UNUSED_VALUE) /src/mainboard/siemens/mc_tcu3/lcd_panel.c: 69 in setup_lcd_panel()
________________________________________________________________________________________________________ *** CID 1355008: Code maintainability issues (UNUSED_VALUE) /src/mainboard/siemens/mc_tcu3/lcd_panel.c: 69 in setup_lcd_panel() 63 break; 64 case LCD_PANEL_TYPE_EDID: 65 strcpy(blockname, "hwinfo.hex"); 66 break; 67 default: 68 printk(BIOS_ERR, "LCD: No supported panel found.\n");
CID 1355008: Code maintainability issues (UNUSED_VALUE) Assigning value "1" to "status" here, but that stored value is overwritten before it can be used.
69 status = 1; 70 break; 71 } 72 /* Now that we have the panel type, setup the DP2LVDS converter */ 73 status = ptn3460_init(blockname); 74 if (status)
** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON) /src/lib/selfboot.c: 239 in build_self_segment_list()
________________________________________________________________________________________________________ *** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON) /src/lib/selfboot.c: 239 in build_self_segment_list() 233 234 memset(head, 0, sizeof(*head)); 235 head->next = head->prev = head; 236 237 first_segment = &cbfs_payload->segments; 238
CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON) Using "current_segment" as an array. This might corrupt or misinterpret adjacent memory locations.
239 for (current_segment = first_segment;; ++current_segment) { 240 printk(BIOS_DEBUG, 241 "Loading segment from rom address 0x%p\n", 242 current_segment); 243 244 cbfs_decode_payload_segment(&segment, current_segment);
** CID 1354852: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/thermal.c: 265 in thermal_control()
________________________________________________________________________________________________________ *** CID 1354852: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/thermal.c: 265 in thermal_control() 259 #ifdef CONFIG_FANS 260 /* TODO(crosbug.com/p/23797): For now, we just treat all fans the 261 * same. It would be better if we could assign different thermal 262 * profiles to each fan - in case one fan cools the CPU while another 263 * cools the radios or battery. 264 */
CID 1354852: Memory - corruptions (OVERRUN) Checking "i < 2" implies that "i" may be up to 1 on the true branch.
265 for (i = 0; i < CONFIG_FANS; i++) 266 fan_set_percent_needed(i, fmax); 267 #endif 268 } 269 270 /* Don't forget to signal any DPTF thresholds */
** CID 1354849: Insecure data handling (INTEGER_OVERFLOW) /src/arch/x86/tables.c: 85 in write_mptable()
________________________________________________________________________________________________________ *** CID 1354849: Insecure data handling (INTEGER_OVERFLOW) /src/arch/x86/tables.c: 85 in write_mptable() 79 } 80 81 printk(BIOS_DEBUG, "MP table: %ld bytes.\n", 82 new_high_table_pointer - high_table_pointer); 83 } 84
CID 1354849: Insecure data handling (INTEGER_OVERFLOW) Overflowed or truncated value (or a value computed from an overflowed or truncated value) "rom_table_end" used as return value.
85 return rom_table_end; 86 } 87 88 static unsigned long write_acpi_table(unsigned long rom_table_end) 89 { 90 unsigned long high_table_pointer;
** CID 1354778: Uninitialized variables (UNINIT) /src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb()
________________________________________________________________________________________________________ *** CID 1354778: Uninitialized variables (UNINIT) /src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb() 98 uart8250_tx_flush(uart_platform_base(idx)); 99 } 100 101 #if ENV_RAMSTAGE 102 void uart_fill_lb(void *data) 103 {
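CID 1354778: Uninitialized variables (UNINIT) Declaring variable "serial" without initializer. (In the excerpt only "type", "baseaddr" and "baud" are assigned before "&serial" is passed to lb_add_serial() at line 108, so the finding presumably concerns any other member of struct lb_serial that the callee reads; the struct definition is not shown here.)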
104 struct lb_serial serial; 105 serial.type = LB_SERIAL_TYPE_IO_MAPPED; 106 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE); 107 serial.baud = default_baudrate(); 108 lb_add_serial(&serial, data); 109 110 lb_add_console(LB_TAG_CONSOLE_SERIAL8250, data); 111 }
** CID 1353792: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 477 in pwm_fan_second()
________________________________________________________________________________________________________ *** CID 1353792: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 477 in pwm_fan_second() 471 uint16_t *mapped = (uint16_t *)host_get_memmap(EC_MEMMAP_FAN); 472 uint16_t rpm; 473 int stalled = 0; 474 int fan; 475 476 for (fan = 0; fan < CONFIG_FANS; fan++) {
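CID 1353792: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1). (The loop at line 476 is bounded by CONFIG_FANS, which this analysis evaluates as 2 — see "fan < 2" under CID 1353789 — while "fans" is seen with a single element. This finding, like CIDs 1353791, 1353790, 1353788 and 1353787 which carry the same message, holds only if a real build can pair that CONFIG_FANS value with a one-element fans[] definition.)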
477 if (fan_is_stalled(fans[fan].ch)) { 478 rpm = EC_FAN_SPEED_STALLED; 479 stalled = 1; 480 cprints(CC_PWM, "Fan %d stalled!", fan); 481 } else { 482 rpm = fan_get_rpm_actual(fans[fan].ch);
** CID 1353791: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 515 in pwm_fan_resume()
________________________________________________________________________________________________________ *** CID 1353791: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 515 in pwm_fan_resume() 509 DECLARE_HOOK(HOOK_SYSJUMP, pwm_fan_preserve_state, HOOK_PRIO_DEFAULT); 510 511 static void pwm_fan_resume(void) 512 { 513 int fan; 514 for (fan = 0; fan < CONFIG_FANS; fan++)
CID 1353791: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
515 fan_set_enabled(fans[fan].ch, 1); 516 } 517 DECLARE_HOOK(HOOK_CHIPSET_RESUME, pwm_fan_resume, HOOK_PRIO_DEFAULT); 518 519 static void pwm_fan_S3_S5(void) 520 {
** CID 1353790: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 443 in pwm_fan_init()
________________________________________________________________________________________________________ *** CID 1353790: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 443 in pwm_fan_init() 437 uint16_t *mapped; 438 int version, size; 439 int i; 440 int fan = 0; 441 442 for (fan = 0; fan < CONFIG_FANS; fan++)
CID 1353790: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
443 fan_channel_setup(fans[fan].ch, fans[fan].flags); 444 445 prev = (const struct pwm_fan_state *) 446 system_get_jump_tag(PWMFAN_SYSJUMP_TAG, &version, &size); 447 if (prev && version == PWM_HOOK_VERSION && size == sizeof(*prev)) { 448 /* Restore previous state. */
** CID 1353789: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 524 in pwm_fan_S3_S5()
________________________________________________________________________________________________________ *** CID 1353789: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 524 in pwm_fan_S3_S5() 518 519 static void pwm_fan_S3_S5(void) 520 { 521 int fan; 522 523 /* TODO(crosbug.com/p/23530): Still treating all fans as one. */
CID 1353789: Memory - corruptions (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.
524 for (fan = 0; fan < CONFIG_FANS; fan++) { 525 /* Take back fan control when the processor shuts down */ 526 set_thermal_control_enabled(fan, 1); 527 /* For now don't do anything with it. We'll have to turn it on 528 * again if we need active cooling during heavy battery 529 * charging or something.
** CID 1353788: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 531 in pwm_fan_S3_S5()
________________________________________________________________________________________________________ *** CID 1353788: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 531 in pwm_fan_S3_S5() 525 /* Take back fan control when the processor shuts down */ 526 set_thermal_control_enabled(fan, 1); 527 /* For now don't do anything with it. We'll have to turn it on 528 * again if we need active cooling during heavy battery 529 * charging or something. 530 */
CID 1353788: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
531 fan_set_rpm_target(fans[fan].ch, 0); 532 set_enabled(fan, 0); /* crosbug.com/p/8097 */ 533 } 534 } 535 DECLARE_HOOK(HOOK_CHIPSET_SUSPEND, pwm_fan_S3_S5, HOOK_PRIO_DEFAULT);
** CID 1353787: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 342 in hc_pwm_set_fan_target_rpm()
________________________________________________________________________________________________________ *** CID 1353787: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 342 in hc_pwm_set_fan_target_rpm() 336 if (args->version == 0) { 337 for (fan = 0; fan < CONFIG_FANS; fan++) { 338 /* enable the fan if rpm is non-zero */ 339 set_enabled(fan, (p_v0->rpm > 0) ? 1 : 0); 340 341 set_thermal_control_enabled(fan, 0);
CID 1353787: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
342 fan_set_rpm_mode(fans[fan].ch, 1); 343 fan_set_rpm_target(fans[fan].ch, p_v0->rpm); 344 } 345 346 return EC_RES_SUCCESS; 347 }
** CID 1353314: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read() /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read()
________________________________________________________________________________________________________ *** CID 1353314: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read() 20 const struct temp_sensor_t *sensor; 21 22 if (id < 0 || id >= TEMP_SENSOR_COUNT) 23 return EC_ERROR_INVAL; 24 sensor = temp_sensors + id; 25
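CID 1353314: (OVERRUN) Overrunning array of 4 20-byte elements at element index 4 (byte offset 80) by dereferencing pointer "sensor". (Line 22 of the excerpt rejects any "id" outside 0..TEMP_SENSOR_COUNT-1 before the pointer is formed at line 24, so this index is reachable only if TEMP_SENSOR_COUNT is larger than the 4-element array the analyzer resolved for "temp_sensors"; compare the two for the board configuration that was analyzed.)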
26 return sensor->read(sensor->idx, temp_ptr); 27 } 28 29 static void update_mapped_memory(void) 30 { 31 int i, t; /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read() 20 const struct temp_sensor_t *sensor; 21 22 if (id < 0 || id >= TEMP_SENSOR_COUNT) 23 return EC_ERROR_INVAL; 24 sensor = temp_sensors + id; 25
CID 1353314: (OVERRUN) Overrunning array of 4 20-byte elements at element index 14 (byte offset 280) by dereferencing pointer "sensor".
26 return sensor->read(sensor->idx, temp_ptr); 27 } 28 29 static void update_mapped_memory(void) 30 { 31 int i, t;
** CID 1353310: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353310: (OVERRUN) /3rdparty/chromeec/board/glados/battery.c: 50 in board_cut_off_battery() 44 /* Ship mode command must be sent twice to take effect */ 45 buf[0] = SB_MANUFACTURER_ACCESS & 0xff; 46 buf[1] = PARAM_CUT_OFF_LOW; 47 buf[2] = PARAM_CUT_OFF_HIGH; 48 49 i2c_lock(I2C_PORT_BATTERY, 1);
CID 1353310: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_xfer".
50 rv = i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 51 I2C_XFER_SINGLE); 52 rv |= i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 53 I2C_XFER_SINGLE); 54 i2c_lock(I2C_PORT_BATTERY, 0); 55 /3rdparty/chromeec/board/glados/battery.c: 52 in board_cut_off_battery() 46 buf[1] = PARAM_CUT_OFF_LOW; 47 buf[2] = PARAM_CUT_OFF_HIGH; 48 49 i2c_lock(I2C_PORT_BATTERY, 1); 50 rv = i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 51 I2C_XFER_SINGLE);
CID 1353310: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_xfer".
52 rv |= i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 53 I2C_XFER_SINGLE); 54 i2c_lock(I2C_PORT_BATTERY, 0); 55 56 return rv; 57 }
** CID 1353309: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
________________________________________________________________________________________________________ *** CID 1353309: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get() 254 args->response_size = sizeof(r_v1->get_count); 255 break; 256 case EC_GPIO_GET_INFO: 257 if (p_v1->get_info.index >= GPIO_COUNT) 258 return EC_RES_ERROR; 259
CID 1353309: Memory - corruptions (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 80.
260 i = p_v1->get_info.index; 261 len = strlen(g[i].name); 262 memcpy(r_v1->get_info.name, g[i].name, len+1); 263 r_v1->get_info.val = gpio_get_level(i); 264 r_v1->get_info.flags = g[i].flags; 265 args->response_size = sizeof(r_v1->get_info);
** CID 1353307: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
________________________________________________________________________________________________________ *** CID 1353307: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get() 163 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name); 164 165 return EC_SUCCESS; 166 } 167 168 /* Otherwise print them all */
CID 1353307: Memory - corruptions (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 80 on the true branch.
169 for (i = 0; i < GPIO_COUNT; i++, g++) { 170 if (!g->mask) 171 continue; /* Skip unsupported signals */ 172 173 v = gpio_get_level(i); 174 changed = last_val_changed(i, v);
** CID 1353293: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353293: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 32 in sbc_write() 26 { 27 return i2c_read16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param); 28 } 29 30 test_mockable int sbc_write(int cmd, int param) 31 {
CID 1353293: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
32 return i2c_write16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param); 33 } 34 35 test_mockable int sb_read(int cmd, int *param) 36 { 37 #ifdef CONFIG_BATTERY_CUT_OFF
** CID 1353292: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353292: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 27 in sbc_read() 21 #define BATTERY_NO_RESPONSE_TIMEOUT (1000*MSEC) 22 23 static int fake_state_of_charge = -1; 24 25 test_mockable int sbc_read(int cmd, int *param) 26 {
CID 1353292: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_read16".
27 return i2c_read16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param); 28 } 29 30 test_mockable int sbc_write(int cmd, int param) 31 { 32 return i2c_write16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param);
** CID 1353291: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353291: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 69 in sb_write() 63 if (battery_is_cut_off()) 64 return EC_RES_ACCESS_DENIED; 65 #endif 66 #ifdef CONFIG_SMBUS 67 return smbus_write_word(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param); 68 #else
CID 1353291: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
69 return i2c_write16(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param); 70 #endif 71 } 72 73 int sb_read_string(int port, int slave_addr, int offset, uint8_t *data, 74 int len)
** CID 1353290: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353290: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 53 in sb_read() 47 uint16_t d16 = 0; 48 rv = smbus_read_word(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, &d16); 49 *param = d16; 50 return rv; 51 } 52 #else
CID 1353290: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_read16".
53 return i2c_read16(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param); 54 #endif 55 } 56 57 test_mockable int sb_write(int cmd, int param) 58 {
** CID 1353289: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353289: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 250 in battery_manufacturer_name() 244 return EC_SUCCESS; 245 } 246 247 /* Read manufacturer name */ 248 test_mockable int battery_manufacturer_name(char *dest, int size) 249 {
CID 1353289: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "sb_read_string".
250 return sb_read_string(I2C_PORT_BATTERY, BATTERY_ADDR, 251 SB_MANUFACTURER_NAME, dest, size); 252 } 253 254 /* Read device name */ 255 test_mockable int battery_device_name(char *dest, int size)
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/coreboot?tab=overview