Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
53 new defect(s) introduced to coreboot were found with Coverity Scan. 5 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 53 defect(s)
** CID 1361695: Null pointer dereferences (NULL_RETURNS) /src/northbridge/intel/pineview/early_init.c: 45 in early_graphics_setup()
________________________________________________________________________________________________________ *** CID 1361695: Null pointer dereferences (NULL_RETURNS) /src/northbridge/intel/pineview/early_init.c: 45 in early_graphics_setup() 39 { 40 u8 reg8; 41 u16 reg16; 42 u32 reg32; 43 44 const struct device *d0f0 = dev_find_slot(0, PCI_DEVFN(0,0));
CID 1361695: Null pointer dereferences (NULL_RETURNS) Dereferencing a null pointer "d0f0".
45 const struct northbridge_intel_pineview_config *config = d0f0->chip_info; 46 47 pci_write_config8(D0F0, DEVEN, BOARD_DEVEN); 48 pci_write_config16(D0F0, GGC, 0x130); /* 1MB GTT 8MB UMA */ 49 50 printk(BIOS_SPEW, "Set GFX clocks...");
** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
________________________________________________________________________________________________________ *** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 831 in parse_subpart_dir() 825 memcpy(hdr.name, data + offset, sizeof(hdr.name)); 826 offset += sizeof(hdr.name); 827 828 validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name); 829 830 assert(size > subpart_dir_size(&hdr));
CID 1361275: (TAINTED_SCALAR) Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
831 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir"); 832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 833 834 /* Read Subpart Dir entries. */ 835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 836 struct subpart_dir_entry *e = &subpart_dir->e[0]; /util/cbfstool/ifwitool.c: 838 in parse_subpart_dir() 832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 833 834 /* Read Subpart Dir entries. */ 835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 836 struct subpart_dir_entry *e = &subpart_dir->e[0]; 837 uint32_t i;
CID 1361275: (TAINTED_SCALAR) Using tainted variable "hdr.num_entries" as a loop boundary.
838 for (i = 0; i < hdr.num_entries; i++) { 839 memcpy(e[i].name, data + offset, sizeof(e[i].name)); 840 offset += sizeof(e[i].name); 841 offset = read_member(data, offset, sizeof(e[i].offset), 842 &e[i].offset); 843 offset = read_member(data, offset, sizeof(e[i].length),
** CID 1361274: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1361274: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 717 in alloc_bpdt_buffer() 711 { 712 struct bpdt_header bpdt_header; 713 assert((offset + BPDT_HEADER_SIZE) < size); 714 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name); 715 716 /* Buffer to read BPDT header and entries. */
CID 1361274: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
717 alloc_buffer(b, get_bpdt_size(&bpdt_header), name); 718 719 struct bpdt *bpdt = buffer_get(b); 720 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE); 721 722 /*
** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
________________________________________________________________________________________________________ *** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry() 1294 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e, 1295 struct buffer *b, size_t offset) 1296 { 1297 memset(e, 0, sizeof(*e)); 1298 1299 assert(strlen(b->name) <= sizeof(e->name));
CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) Calling strncpy with a maximum size argument of 12 bytes on destination array "e->name" of size 12 bytes might leave the destination string unterminated.
1300 strncpy((char *)e->name, (char *)b->name, sizeof(e->name)); 1301 e->offset = offset; 1302 e->length = buffer_size(b); 1303 1304 return (offset + buffer_size(b)); 1305 }
** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
________________________________________________________________________________________________________ *** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl() 1090 1091 if (read_from_image(context->input_image_filename, 1092 offset, bl_length, 1093 &image, &image_actual_size, file_type_bin)) { 1094 printf("Error reading image file %s.\n", 1095 context->input_image_filename);
CID 1353793: Resource leaks (RESOURCE_LEAK) Variable "image" going out of scope leaks the storage it points to.
1096 return -ENOMEM; 1097 } 1098 1099 pages_in_image = ICEIL(image_actual_size, page_size); 1100 1101 /* Create a local copy of the bl */
** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
________________________________________________________________________________________________________ *** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main() 236 context.input_image_filename); 237 goto fail; 238 } 239 240 /* Get BCT_SIZE from input image file */ 241 bct_size = get_bct_size_from_image(&context);
CID 1353781: Control flow issues (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "bct_size < 0U".
242 if (bct_size < 0) { 243 printf("Error: Invalid input image file %s\n", 244 context.input_image_filename); 245 goto fail; 246 } 247
** CID 1353171: Null pointer dereferences (NULL_RETURNS) /src/soc/intel/skylake/romstage/romstage.c: 72 in soc_memory_init_params()
________________________________________________________________________________________________________ *** CID 1353171: Null pointer dereferences (NULL_RETURNS) /src/soc/intel/skylake/romstage/romstage.c: 72 in soc_memory_init_params() 66 { 67 const struct device *dev; 68 const struct soc_intel_skylake_config *config; 69 70 /* Set the parameters for MemoryInit */ 71 dev = dev_find_slot(0, PCI_DEVFN(PCH_DEV_SLOT_LPC, 0));
CID 1353171: Null pointer dereferences (NULL_RETURNS) Dereferencing a null pointer "dev".
72 config = dev->chip_info; 73 74 /* 75 * Set IGD stolen size to 64MB. The FBC hardware for skylake does not 76 * have access to the bios_reserved range so it always assumes 8MB is 77 * used and so the kernel will avoid the last 8MB of the stolen window.
** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares() 278 pspdir[4+4*i+2] = 1; 279 pspdir[4+4*i+3] = 0; 280 } else if (fw_table[i].filename != NULL) { 281 pspdir[4+4*i+0] = fw_table[i].type; 282 283 fd = open (fw_table[i].filename, O_RDONLY);
CID 1353028: Error handling issues (NEGATIVE_RETURNS) "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat); 285 pspdir[4+4*i+1] = fd_stat.st_size; 286 287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS; 288 pspdir[4+4*i+3] = 0; 289
** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares() 233 struct stat fd_stat; 234 int i; 235 236 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i ++) { 237 if (fw_table[i].filename != NULL) { 238 fd = open (fw_table[i].filename, O_RDONLY);
CID 1353027: Error handling issues (NEGATIVE_RETURNS) "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
239 fstat(fd, &fd_stat); 240 241 switch (fw_table[i].type) { 242 case AMD_FW_IMC: 243 pos = ALIGN(pos, 0x10000); 244 romsig[1] = pos + ROM_BASE_ADDRESS;
** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
________________________________________________________________________________________________________ *** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main() 291 begin_update(&context); 292 /* Signing the bct. */ 293 e = sign_bct(&context, context.bct); 294 if (e != 0) 295 printf("Signing BCT failed, error: %d.\n", e); 296
CID 1353022: Error handling issues (CHECKED_RETURN) Calling "fwrite" without checking return value (as is done elsewhere 34 out of 42 times).
297 fwrite(context.bct, 1, context.bct_size, 298 context.raw_file); 299 printf("New BCT file %s has been successfully generated!\n", 300 context.output_image_filename); 301 goto fail; 302 }
** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares() 284 fstat(fd, &fd_stat); 285 pspdir[4+4*i+1] = fd_stat.st_size; 286 287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS; 288 pspdir[4+4*i+3] = 0; 289
CID 1353021: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
290 read (fd, base+pos, fd_stat.st_size); 291 292 pos += fd_stat.st_size; 293 pos = ALIGN(pos, 0x100); 294 close (fd); 295 } else {
** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares() 278 pspdir[4+4*i+2] = 1; 279 pspdir[4+4*i+3] = 0; 280 } else if (fw_table[i].filename != NULL) { 281 pspdir[4+4*i+0] = fw_table[i].type; 282 283 fd = open (fw_table[i].filename, O_RDONLY);
CID 1353020: Error handling issues (CHECKED_RETURN) Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat); 285 pspdir[4+4*i+1] = fd_stat.st_size; 286 287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS; 288 pspdir[4+4*i+3] = 0; 289
** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares() 251 break; 252 default: 253 /* Error */ 254 break; 255 } 256
CID 1353019: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
257 read (fd, base+pos, fd_stat.st_size); 258 259 pos += fd_stat.st_size; 260 pos = ALIGN(pos, 0x100); 261 close (fd); 262 }
** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares() 233 struct stat fd_stat; 234 int i; 235 236 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i ++) { 237 if (fw_table[i].filename != NULL) { 238 fd = open (fw_table[i].filename, O_RDONLY);
CID 1353018: Error handling issues (CHECKED_RETURN) Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
239 fstat(fd, &fd_stat); 240 241 switch (fw_table[i].type) { 242 case AMD_FW_IMC: 243 pos = ALIGN(pos, 0x10000); 244 romsig[1] = pos + ROM_BASE_ADDRESS;
** CID 1347358: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 586 in main()
________________________________________________________________________________________________________ *** CID 1347358: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 586 in main() 580 current = integrate_psp_firmwares(rom, current, psp2dir, amd_psp2_fw_table); 581 #endif 582 } 583 #endif 584 585 targetfd = open(output, O_RDWR | O_CREAT | O_TRUNC, 0666);
CID 1347358: Error handling issues (NEGATIVE_RETURNS) "targetfd" is passed to a parameter that cannot be negative.
586 write(targetfd, amd_romsig, current - AMD_ROMSIG_OFFSET); 587 close(targetfd); 588 free(rom); 589 590 return 0;
** CID 1347335: (UNINIT) /util/cbfstool/elfheaders.c: 1002 in write_phdrs() /util/cbfstool/elfheaders.c: 999 in write_phdrs() /util/cbfstool/elfheaders.c: 1001 in write_phdrs() /util/cbfstool/elfheaders.c: 1003 in write_phdrs()
________________________________________________________________________________________________________ *** CID 1347335: (UNINIT) /util/cbfstool/elfheaders.c: 1002 in write_phdrs() 996 * (sh_size == file size). This is standard in that 997 * an ELF section doesn't have a file size component. */ 998 if (sec->shdr.sh_flags & SHF_EXECINSTR) 999 phdr.p_flags |= PF_X | PF_R; 1000 if (sec->shdr.sh_flags & SHF_WRITE) 1001 phdr.p_flags |= PF_W;
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_filesz".
1002 phdr.p_filesz += buffer_size(&sec->content); 1003 phdr.p_memsz += sec->shdr.sh_size; 1004 } 1005 } 1006 1007 /* Write out the last phdr. */ /util/cbfstool/elfheaders.c: 999 in write_phdrs() 993 } else { 994 /* Accumulate file size and memsize. The assumption 995 * is that each section is either NOBITS or full 996 * (sh_size == file size). This is standard in that 997 * an ELF section doesn't have a file size component. */ 998 if (sec->shdr.sh_flags & SHF_EXECINSTR)
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_flags".
999 phdr.p_flags |= PF_X | PF_R; 1000 if (sec->shdr.sh_flags & SHF_WRITE) 1001 phdr.p_flags |= PF_W; 1002 phdr.p_filesz += buffer_size(&sec->content); 1003 phdr.p_memsz += sec->shdr.sh_size; 1004 } /util/cbfstool/elfheaders.c: 1001 in write_phdrs() 995 * is that each section is either NOBITS or full 996 * (sh_size == file size). This is standard in that 997 * an ELF section doesn't have a file size component. */ 998 if (sec->shdr.sh_flags & SHF_EXECINSTR) 999 phdr.p_flags |= PF_X | PF_R; 1000 if (sec->shdr.sh_flags & SHF_WRITE)
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_flags".
1001 phdr.p_flags |= PF_W; 1002 phdr.p_filesz += buffer_size(&sec->content); 1003 phdr.p_memsz += sec->shdr.sh_size; 1004 } 1005 } 1006 /util/cbfstool/elfheaders.c: 1003 in write_phdrs() 997 * an ELF section doesn't have a file size component. */ 998 if (sec->shdr.sh_flags & SHF_EXECINSTR) 999 phdr.p_flags |= PF_X | PF_R; 1000 if (sec->shdr.sh_flags & SHF_WRITE) 1001 phdr.p_flags |= PF_W; 1002 phdr.p_filesz += buffer_size(&sec->content);
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_memsz".
1003 phdr.p_memsz += sec->shdr.sh_size; 1004 } 1005 } 1006 1007 /* Write out the last phdr. */ 1008 if (num_needs_write != num_written) {
** CID 1347333: Memory - illegal accesses (UNINIT) /util/amdfwtool/amdfwtool.c: 585 in main()
________________________________________________________________________________________________________ *** CID 1347333: Memory - illegal accesses (UNINIT) /util/amdfwtool/amdfwtool.c: 585 in main() 579 #else 580 current = integrate_psp_firmwares(rom, current, psp2dir, amd_psp2_fw_table); 581 #endif 582 } 583 #endif 584
CID 1347333: Memory - illegal accesses (UNINIT) Using uninitialized value "output" when calling "open".
585 targetfd = open(output, O_RDWR | O_CREAT | O_TRUNC, 0666); 586 write(targetfd, amd_romsig, current - AMD_ROMSIG_OFFSET); 587 close(targetfd); 588 free(rom); 589 590 return 0;
** CID 1325840: Memory - illegal accesses (OVERRUN) /util/cbfstool/cbfs_image.c: 1406 in cbfs_print_entry_info()
________________________________________________________________________________________________________ *** CID 1325840: Memory - illegal accesses (OVERRUN) /util/cbfstool/cbfs_image.c: 1406 in cbfs_print_entry_info() 1400 while ((hash = cbfs_file_get_next_hash(entry, hash)) != NULL) { 1401 unsigned int hash_type = ntohl(hash->hash_type); 1402 if (hash_type > CBFS_NUM_SUPPORTED_HASHES) { 1403 fprintf(fp, "invalid hash type %d\n", hash_type); 1404 break; 1405 }
CID 1325840: Memory - illegal accesses (OVERRUN) Overrunning array "widths_cbfs_hash" of 4 8-byte elements at element index 4 (byte offset 32) using index "hash_type" (which evaluates to 4).
1406 size_t hash_len = widths_cbfs_hash[hash_type]; 1407 char *hash_str = bintohex(hash->hash_data, hash_len); 1408 uint8_t local_hash[hash_len]; 1409 if (vb2_digest_buffer(CBFS_SUBHEADER(entry), 1410 ntohl(entry->len), hash_type, local_hash, 1411 hash_len) != VB2_SUCCESS) {
** CID 1325836: Resource leaks (RESOURCE_LEAK) /util/cbfstool/cbfs_image.c: 1413 in cbfs_print_entry_info()
________________________________________________________________________________________________________ *** CID 1325836: Resource leaks (RESOURCE_LEAK) /util/cbfstool/cbfs_image.c: 1413 in cbfs_print_entry_info() 1407 char *hash_str = bintohex(hash->hash_data, hash_len); 1408 uint8_t local_hash[hash_len]; 1409 if (vb2_digest_buffer(CBFS_SUBHEADER(entry), 1410 ntohl(entry->len), hash_type, local_hash, 1411 hash_len) != VB2_SUCCESS) { 1412 fprintf(fp, "failed to hash '%s'\n", name);
CID 1325836: Resource leaks (RESOURCE_LEAK) Variable "hash_str" going out of scope leaks the storage it points to.
1413 break; 1414 } 1415 int valid = memcmp(local_hash, hash->hash_data, hash_len) == 0; 1416 const char *valid_str = valid ? "valid" : "invalid"; 1417 1418 fprintf(fp, " hash %s:%s %s\n",
** CID 1323515: Error handling issues (CHECKED_RETURN) /util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage()
________________________________________________________________________________________________________ *** CID 1323515: Error handling issues (CHECKED_RETURN) /util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage() 106 } else { 107 return SBIUsage(); 108 } 109 --ac, ++av; 110 } 111
CID 1323515: Error handling issues (CHECKED_RETURN) Calling "stat(bl, &file_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
112 stat(bl, &file_stat); 113 filesize = file_stat.st_size + MIN_SIZE; 114 buf = calloc(sizeof(uint8_t), filesize); 115 116 if (buf == NULL) { 117 puts("Memory allocation error");
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...