Hi,
Please find below the latest report on new defect(s) introduced to coreboot, found with Coverity Scan.
13 new defect(s) introduced to coreboot found with Coverity Scan. 1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan. Showing 13 of 13 defect(s).
** CID 1501089: Null pointer dereferences (FORWARD_NULL) /src/ec/clevo/it5570e/ec.c: 37 in pnp_configure_smfi()
________________________________________________________________________________________________________ *** CID 1501089: Null pointer dereferences (FORWARD_NULL) /src/ec/clevo/it5570e/ec.c: 37 in pnp_configure_smfi() 31 32 struct device dev = { 33 .path.type = DEVICE_PATH_PNP, 34 .path.pnp.port = 0x2e, 35 .path.pnp.device = IT5570E_SMFI, 36 };
CID 1501089: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "dev.ops".
37 dev.ops->ops_pnp_mode = &pnp_conf_mode_870155_aa; 38 39 /* Configure SMFI for LGMR */ 40 pnp_enter_conf_mode(&dev); 41 pnp_set_logical_device(&dev); 42 pnp_set_enable(&dev, 1);
** CID 1501088: Code maintainability issues (UNUSED_VALUE) /src/cpu/intel/slot_1/l2_cache.c: 152 in calculate_l2_latency()
________________________________________________________________________________________________________ *** CID 1501088: Code maintainability issues (UNUSED_VALUE) /src/cpu/intel/slot_1/l2_cache.c: 152 in calculate_l2_latency() 146 printk(BIOS_DEBUG, "L2 latency type = %x\n", t); 147 148 /* Get CPUID family/model */ 149 signature = cpuid_eax(1) & 0xfff0; 150 151 /* Read EBL_CR_POWERON */
CID 1501088: Code maintainability issues (UNUSED_VALUE) Assigning value from "rdmsr(42U)" to "msr" here, but that stored value is overwritten before it can be used.
152 msr = rdmsr(EBL_CR_POWERON); 153 /* Get clock multiplier and FSB frequency. 154 * Multiplier is in [25:22]. 155 * FSB is in [19:18] in Katmai, [19] in Deschutes ([18] is zero 156 * for them). 157 */
** CID 1501087: (STRING_OVERFLOW)
________________________________________________________________________________________________________ *** CID 1501087: (STRING_OVERFLOW) /src/arch/x86/smbios.c: 1138 in smbios_write_type39() 1132 1133 t->power_unit_group = unit_group; 1134 t->location = smbios_add_string(t->eos, loc); 1135 t->device_name = smbios_add_string(t->eos, dev_name); 1136 t->manufacturer = smbios_add_string(t->eos, man); 1137 t->serial_number = smbios_add_string(t->eos, serial_num);
CID 1501087: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "tag_num" without checking the length.
1138 t->asset_tag_number = smbios_add_string(t->eos, tag_num); 1139 t->model_part_number = smbios_add_string(t->eos, part_num); 1140 t->revision_level = smbios_add_string(t->eos, rev_lvl); 1141 t->max_power_capacity = max_pow_cap; 1142 1143 ps_type = ps_ch->power_supply_type & 0xF; /src/arch/x86/smbios.c: 1140 in smbios_write_type39() 1134 t->location = smbios_add_string(t->eos, loc); 1135 t->device_name = smbios_add_string(t->eos, dev_name); 1136 t->manufacturer = smbios_add_string(t->eos, man); 1137 t->serial_number = smbios_add_string(t->eos, serial_num); 1138 t->asset_tag_number = smbios_add_string(t->eos, tag_num); 1139 t->model_part_number = smbios_add_string(t->eos, part_num);
CID 1501087: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "rev_lvl" without checking the length.
1140 t->revision_level = smbios_add_string(t->eos, rev_lvl); 1141 t->max_power_capacity = max_pow_cap; 1142 1143 ps_type = ps_ch->power_supply_type & 0xF; 1144 ps_status = ps_ch->power_supply_status & 0x7; 1145 vol_switch = ps_ch->input_voltage_range_switch & 0xF; /src/arch/x86/smbios.c: 1134 in smbios_write_type39() 1128 sizeof(*t), *handle); 1129 1130 uint16_t val = 0; 1131 uint16_t ps_type, ps_status, vol_switch, ps_unplug, ps_present, hot_rep; 1132 1133 t->power_unit_group = unit_group;
CID 1501087: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "loc" without checking the length.
1134 t->location = smbios_add_string(t->eos, loc); 1135 t->device_name = smbios_add_string(t->eos, dev_name); 1136 t->manufacturer = smbios_add_string(t->eos, man); 1137 t->serial_number = smbios_add_string(t->eos, serial_num); 1138 t->asset_tag_number = smbios_add_string(t->eos, tag_num); 1139 t->model_part_number = smbios_add_string(t->eos, part_num); /src/arch/x86/smbios.c: 1139 in smbios_write_type39() 1133 t->power_unit_group = unit_group; 1134 t->location = smbios_add_string(t->eos, loc); 1135 t->device_name = smbios_add_string(t->eos, dev_name); 1136 t->manufacturer = smbios_add_string(t->eos, man); 1137 t->serial_number = smbios_add_string(t->eos, serial_num); 1138 t->asset_tag_number = smbios_add_string(t->eos, tag_num);
CID 1501087: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "part_num" without checking the length.
1139 t->model_part_number = smbios_add_string(t->eos, part_num); 1140 t->revision_level = smbios_add_string(t->eos, rev_lvl); 1141 t->max_power_capacity = max_pow_cap; 1142 1143 ps_type = ps_ch->power_supply_type & 0xF; 1144 ps_status = ps_ch->power_supply_status & 0x7; /src/arch/x86/smbios.c: 1135 in smbios_write_type39() 1129 1130 uint16_t val = 0; 1131 uint16_t ps_type, ps_status, vol_switch, ps_unplug, ps_present, hot_rep; 1132 1133 t->power_unit_group = unit_group; 1134 t->location = smbios_add_string(t->eos, loc);
CID 1501087: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "dev_name" without checking the length.
1135 t->device_name = smbios_add_string(t->eos, dev_name); 1136 t->manufacturer = smbios_add_string(t->eos, man); 1137 t->serial_number = smbios_add_string(t->eos, serial_num); 1138 t->asset_tag_number = smbios_add_string(t->eos, tag_num); 1139 t->model_part_number = smbios_add_string(t->eos, part_num); 1140 t->revision_level = smbios_add_string(t->eos, rev_lvl); /src/arch/x86/smbios.c: 1136 in smbios_write_type39() 1130 uint16_t val = 0; 1131 uint16_t ps_type, ps_status, vol_switch, ps_unplug, ps_present, hot_rep; 1132 1133 t->power_unit_group = unit_group; 1134 t->location = smbios_add_string(t->eos, loc); 1135 t->device_name = smbios_add_string(t->eos, dev_name);
CID 1501087: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "man" without checking the length.
1136 t->manufacturer = smbios_add_string(t->eos, man); 1137 t->serial_number = smbios_add_string(t->eos, serial_num); 1138 t->asset_tag_number = smbios_add_string(t->eos, tag_num); 1139 t->model_part_number = smbios_add_string(t->eos, part_num); 1140 t->revision_level = smbios_add_string(t->eos, rev_lvl); 1141 t->max_power_capacity = max_pow_cap; /src/arch/x86/smbios.c: 1137 in smbios_write_type39() 1131 uint16_t ps_type, ps_status, vol_switch, ps_unplug, ps_present, hot_rep; 1132 1133 t->power_unit_group = unit_group; 1134 t->location = smbios_add_string(t->eos, loc); 1135 t->device_name = smbios_add_string(t->eos, dev_name); 1136 t->manufacturer = smbios_add_string(t->eos, man);
CID 1501087: (STRING_OVERFLOW) You might overrun the 2-character fixed-size string "t->eos" by copying "serial_num" without checking the length.
1137 t->serial_number = smbios_add_string(t->eos, serial_num); 1138 t->asset_tag_number = smbios_add_string(t->eos, tag_num); 1139 t->model_part_number = smbios_add_string(t->eos, part_num); 1140 t->revision_level = smbios_add_string(t->eos, rev_lvl); 1141 t->max_power_capacity = max_pow_cap; 1142
** CID 1501086: API usage errors (BAD_COMPARE) /src/device/oprom/yabel/biosemu.c: 200 in biosemu()
________________________________________________________________________________________________________ *** CID 1501086: API usage errors (BAD_COMPARE) /src/device/oprom/yabel/biosemu.c: 200 in biosemu() 194 clr_ci(); 195 my_wrb((uintptr_t)mem_img + i, c); 196 } 197 #endif 198 copy_count++; 199 set_ci();
CID 1501086: API usage errors (BAD_COMPARE) Truncating the result of "memcmp" to "unsigned char" may cause it to be misinterpreted as 0. Note that "memcmp" may return an integer besides -1, 0, or 1.
200 cmp_result = memcmp(mem_img, rom_image, bios_device.img_size); 201 clr_ci(); 202 } 203 while ((copy_count < 5) && (cmp_result != 0)); 204 if (cmp_result != 0) { 205 printf
** CID 1501085: Control flow issues (DEADCODE) /src/device/oprom/yabel/interrupt.c: 299 in handleInt16()
________________________________________________________________________________________________________ *** CID 1501085: Control flow issues (DEADCODE) /src/device/oprom/yabel/interrupt.c: 299 in handleInt16() 293 /* TODO: we need getchar... */ 294 c = -1; //getchar(); 295 if (c == -1) { 296 // no key available 297 SET_FLAG(F_ZF); 298 } else {
CID 1501085: Control flow issues (DEADCODE) Execution cannot reach this statement: "*keycode = c;".
299 *keycode = c; 300 301 // since after an ESC it may take a while to receive the next char, 302 // we send something that is not shown on the screen, and then try to get 303 // the next char 304 // TODO: only after ESC?? what about other multibyte keys
** CID 1501084: (UNUSED_VALUE) /src/device/oprom/x86emu/decode.c: 829 in decode_sib_address() /src/device/oprom/x86emu/decode.c: 834 in decode_sib_address()
________________________________________________________________________________________________________ *** CID 1501084: (UNUSED_VALUE) /src/device/oprom/x86emu/decode.c: 829 in decode_sib_address() 823 DECODE_PRINTF2("[%d]", displacement); 824 offset = displacement; 825 break; 826 case 1: 827 displacement = (s8)fetch_byte_imm(); 828 DECODE_PRINTF2("[%d][EBP]", displacement);
CID 1501084: (UNUSED_VALUE) Assigning value from "_X86EMU_env.x86.spc.BP.I32_reg.e_reg + displacement" to "offset" here, but that stored value is overwritten before it can be used.
829 offset = M.x86.R_EBP + displacement; 830 break; 831 case 2: 832 displacement = (s32)fetch_long_imm(); 833 DECODE_PRINTF2("[%d][EBP]", displacement); 834 offset = M.x86.R_EBP + displacement; /src/device/oprom/x86emu/decode.c: 834 in decode_sib_address() 828 DECODE_PRINTF2("[%d][EBP]", displacement); 829 offset = M.x86.R_EBP + displacement; 830 break; 831 case 2: 832 displacement = (s32)fetch_long_imm(); 833 DECODE_PRINTF2("[%d][EBP]", displacement);
CID 1501084: (UNUSED_VALUE) Assigning value from "_X86EMU_env.x86.spc.BP.I32_reg.e_reg + displacement" to "offset" here, but that stored value is overwritten before it can be used.
834 offset = M.x86.R_EBP + displacement; 835 break; 836 default: 837 HALT_SYS(); 838 } 839 DECODE_PRINTF("[EAX]");
** CID 1501083: Null pointer dereferences (FORWARD_NULL) /src/device/oprom/yabel/biosemu.c: 246 in biosemu()
________________________________________________________________________________________________________ *** CID 1501083: Null pointer dereferences (FORWARD_NULL) /src/device/oprom/yabel/biosemu.c: 246 in biosemu() 240 my_wrl(0x1a * 4, 0xf000fe6e); 241 my_wrb(0x000ffe6e, 0xcf); 242 243 // setup BIOS Data Area (0000:04xx, or 0040:00xx) 244 // we currently 0 this area, meaning "we don't have 245 // any hardware" :-) no serial/parallel ports, floppys, ...
CID 1501083: Null pointer dereferences (FORWARD_NULL) Passing null pointer "biosmem + 1024" to "memset", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
246 memset(biosmem + 0x400, 0x0, 0x100); 247 248 // at offset 13h in BDA is the memory size in kbytes 249 my_wrw(0x413, biosmem_size / 1024); 250 // at offset 0eh in BDA is the segment of the Extended BIOS Data Area 251 // see setup further down
** CID 1299819: (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 2136 in idiv_long() /src/device/oprom/x86emu/prim_ops.c: 2136 in idiv_long() /src/device/oprom/x86emu/prim_ops.c: 2143 in idiv_long() /src/device/oprom/x86emu/prim_ops.c: 2136 in idiv_long()
________________________________________________________________________________________________________ *** CID 1299819: (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 2136 in idiv_long() 2130 do { 2131 div <<= 1; 2132 carry = (l_dvd >= l_s) ? 0 : 1; 2133 2134 if (abs_h_dvd < (h_s + carry)) { 2135 h_s >>= 1;
CID 1299819: (BAD_SHIFT) In expression "abs_s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2136 l_s = abs_s << (--counter); 2137 continue; 2138 } else { 2139 abs_h_dvd -= (h_s + carry); 2140 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2141 : (l_dvd - l_s); /src/device/oprom/x86emu/prim_ops.c: 2136 in idiv_long() 2130 do { 2131 div <<= 1; 2132 carry = (l_dvd >= l_s) ? 0 : 1; 2133 2134 if (abs_h_dvd < (h_s + carry)) { 2135 h_s >>= 1;
CID 1299819: (BAD_SHIFT) In expression "abs_s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2136 l_s = abs_s << (--counter); 2137 continue; 2138 } else { 2139 abs_h_dvd -= (h_s + carry); 2140 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2141 : (l_dvd - l_s); /src/device/oprom/x86emu/prim_ops.c: 2143 in idiv_long() 2137 continue; 2138 } else { 2139 abs_h_dvd -= (h_s + carry); 2140 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2141 : (l_dvd - l_s); 2142 h_s >>= 1;
CID 1299819: (BAD_SHIFT) In expression "abs_s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2143 l_s = abs_s << (--counter); 2144 div |= 1; 2145 continue; 2146 } 2147 2148 } while (counter > -1); /src/device/oprom/x86emu/prim_ops.c: 2136 in idiv_long() 2130 do { 2131 div <<= 1; 2132 carry = (l_dvd >= l_s) ? 0 : 1; 2133 2134 if (abs_h_dvd < (h_s + carry)) { 2135 h_s >>= 1;
CID 1299819: (BAD_SHIFT) In expression "abs_s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2136 l_s = abs_s << (--counter); 2137 continue; 2138 } else { 2139 abs_h_dvd -= (h_s + carry); 2140 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2141 : (l_dvd - l_s);
** CID 1299818: (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 2260 in div_long() /src/device/oprom/x86emu/prim_ops.c: 2260 in div_long() /src/device/oprom/x86emu/prim_ops.c: 2260 in div_long() /src/device/oprom/x86emu/prim_ops.c: 2267 in div_long()
________________________________________________________________________________________________________ *** CID 1299818: (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 2260 in div_long() 2254 do { 2255 div <<= 1; 2256 carry = (l_dvd >= l_s) ? 0 : 1; 2257 2258 if (h_dvd < (h_s + carry)) { 2259 h_s >>= 1;
CID 1299818: (BAD_SHIFT) In expression "s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2260 l_s = s << (--counter); 2261 continue; 2262 } else { 2263 h_dvd -= (h_s + carry); 2264 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2265 : (l_dvd - l_s); /src/device/oprom/x86emu/prim_ops.c: 2260 in div_long() 2254 do { 2255 div <<= 1; 2256 carry = (l_dvd >= l_s) ? 0 : 1; 2257 2258 if (h_dvd < (h_s + carry)) { 2259 h_s >>= 1;
CID 1299818: (BAD_SHIFT) In expression "s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2260 l_s = s << (--counter); 2261 continue; 2262 } else { 2263 h_dvd -= (h_s + carry); 2264 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2265 : (l_dvd - l_s); /src/device/oprom/x86emu/prim_ops.c: 2260 in div_long() 2254 do { 2255 div <<= 1; 2256 carry = (l_dvd >= l_s) ? 0 : 1; 2257 2258 if (h_dvd < (h_s + carry)) { 2259 h_s >>= 1;
CID 1299818: (BAD_SHIFT) In expression "s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2260 l_s = s << (--counter); 2261 continue; 2262 } else { 2263 h_dvd -= (h_s + carry); 2264 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2265 : (l_dvd - l_s); /src/device/oprom/x86emu/prim_ops.c: 2267 in div_long() 2261 continue; 2262 } else { 2263 h_dvd -= (h_s + carry); 2264 l_dvd = carry ? ((0xFFFFFFFF - l_s) + l_dvd + 1) 2265 : (l_dvd - l_s); 2266 h_s >>= 1;
CID 1299818: (BAD_SHIFT) In expression "s << --counter", shifting by a negative amount has undefined behavior. The shift amount, "--counter", is as little as -1.
2267 l_s = s << (--counter); 2268 div |= 1; 2269 continue; 2270 } 2271 2272 } while (counter > -1);
** CID 1198906: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 835 in rcl_long()
________________________________________________________________________________________________________ *** CID 1198906: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 835 in rcl_long() 829 { 830 u32 res, cnt, mask, cf; 831 832 res = d; 833 if ((cnt = s % 33) != 0) { 834 cf = (d >> (32 - cnt)) & 0x1;
CID 1198906: Integer handling issues (BAD_SHIFT) In expression "d << cnt", left shifting by more than 31 bits has undefined behavior. The shift amount, "cnt", is as much as 32.
835 res = (d << cnt) & 0xffffffff; 836 mask = (1 << (cnt - 1)) - 1; 837 res |= (d >> (33 - cnt)) & mask; 838 if (ACCESS_FLAG(F_CF)) { /* carry flag is set */ 839 res |= 1 << (cnt - 1); 840 }
** CID 1198905: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 904 in rcr_byte()
________________________________________________________________________________________________________ *** CID 1198905: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 904 in rcr_byte() 898 This is effectively done by shifting the 899 object to the right. The result must be masked, 900 in case the object came in and was treated 901 as a negative number. Needed??? */ 902 903 mask = (1 << (8 - cnt)) - 1;
CID 1198905: Integer handling issues (BAD_SHIFT) In expression "d >> cnt", right shifting "d" by more than 7 bits always yields zero. The shift amount, "cnt", is as much as 8.
904 res = (d >> cnt) & mask; 905 906 /* now the high stuff which rotated around 907 into the positions B_cnt-2 .. B_0 */ 908 /* B_(7) .. B_(8-(n-1)) <- b_(n-2) .. b_(0) */ 909 /* shift it downward, 7-(n-2) = 9-n positions.
** CID 1198904: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 982 in rcr_long()
________________________________________________________________________________________________________ *** CID 1198904: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 982 in rcr_long() 976 if (cnt == 1) { 977 cf = d & 0x1; 978 ocf = ACCESS_FLAG(F_CF) != 0; 979 } else 980 cf = (d >> (cnt - 1)) & 0x1; 981 mask = (1 << (32 - cnt)) - 1;
CID 1198904: Integer handling issues (BAD_SHIFT) In expression "d >> cnt", right shifting by more than 31 bits has undefined behavior. The shift amount, "cnt", is as much as 32.
982 res = (d >> cnt) & mask; 983 if (cnt != 1) 984 res |= (d << (33 - cnt)); 985 if (ACCESS_FLAG(F_CF)) { /* carry flag is set */ 986 res |= 1 << (32 - cnt); 987 }
** CID 1198903: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 950 in rcr_word()
________________________________________________________________________________________________________ *** CID 1198903: Integer handling issues (BAD_SHIFT) /src/device/oprom/x86emu/prim_ops.c: 950 in rcr_word() 944 if (cnt == 1) { 945 cf = d & 0x1; 946 ocf = ACCESS_FLAG(F_CF) != 0; 947 } else 948 cf = (d >> (cnt - 1)) & 0x1; 949 mask = (1 << (16 - cnt)) - 1;
CID 1198903: Integer handling issues (BAD_SHIFT) In expression "d >> cnt", right shifting "d" by more than 15 bits always yields zero. The shift amount, "cnt", is as much as 16.
950 res = (d >> cnt) & mask; 951 res |= (d << (17 - cnt)); 952 if (ACCESS_FLAG(F_CF)) { 953 res |= 1 << (16 - cnt); 954 } 955 CONDITIONAL_SET_FLAG(cf, F_CF);
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...