Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
5 new defect(s) introduced to coreboot found with Coverity Scan. 442 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan. Showing 5 of 5 defect(s):
** CID 1532881: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1532881: (OVERRUN) /src/soc/intel/apollolake/mmap_boot.c: 73 in bios_mmap_init() 67 */ 68 bios_mapped_size = size - 256 * KiB; 69 70 rdev_chain_mem(&shadow_dev, (void *)base, bios_mapped_size); 71 72 xlate_window_init(&real_dev_window, &shadow_dev, start, bios_mapped_size);
CID 1532881: (OVERRUN) Overrunning struct type xlate_region_device of 24 bytes by passing it to a function which accesses it at byte offset 47.
73 xlate_region_device_ro_init(&real_dev, 1, &real_dev_window, CONFIG_ROM_SIZE); 74 75 bios_size = size; 76 77 /* Check that the CBFS lies within the memory mapped area. It's too 78 easy to forget the SRAM mapping when crafting an FMAP file. */ /src/soc/intel/common/block/fast_spi/mmap_boot.c: 134 in bios_mmap_init() 128 ext_win_flash_base = fixed_win_flash_base - ext_win_size; 129 initialize_window(EXT_BIOS_DECODE_WINDOW, ext_win_host_base, 130 ext_win_flash_base, ext_win_size); 131 win_count++; 132 } 133
CID 1532881: (OVERRUN) Overrunning struct type xlate_region_device of 24 bytes by passing it to a function which accesses it at byte offset 47.
134 xlate_region_device_ro_init(&real_dev, win_count, real_dev_windows, CONFIG_ROM_SIZE); 135 136 init_done = true; 137 } 138 139 const struct region_device *boot_device_ro(void)
** CID 1532880: Integer handling issues (SIGN_EXTENSION) /src/lib/ramtest.c: 58 in test_pattern()
________________________________________________________________________________________________________ *** CID 1532880: Integer handling issues (SIGN_EXTENSION) /src/lib/ramtest.c: 58 in test_pattern() 52 { 53 uint8_t j, k; 54 55 k = (idx >> 8) + 1; 56 j = (idx >> 4) & 0x0f; 57 *addr = idx & 0x0f;
CID 1532880: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "j" with type "uint8_t" (8 bits, unsigned) is promoted in "j << 4 * k" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "j << 4 * k" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
58 *addr |= j << (4*k); 59 *value = 0x01010101 << (j & 7); 60 if (j & 8) 61 *value = ~(*value); 62 } 63
** CID 1532879: Error handling issues (CHECKED_RETURN) /src/soc/intel/apollolake/cpu.c: 255 in post_mp_init()
________________________________________________________________________________________________________ *** CID 1532879: Error handling issues (CHECKED_RETURN) /src/soc/intel/apollolake/cpu.c: 255 in post_mp_init() 249 250 static void post_mp_init(void) 251 { 252 global_smi_enable(); 253 254 if (CONFIG(SOC_INTEL_COMMON_BLOCK_SGX_ENABLE))
CID 1532879: Error handling issues (CHECKED_RETURN) Calling "mp_run_on_all_cpus" without checking return value (as is done elsewhere 4 out of 5 times).
255 mp_run_on_all_cpus(sgx_configure, NULL); 256 } 257 258 static const struct mp_ops mp_ops = { 259 .pre_mp_init = pre_mp_init, 260 .get_cpu_count = get_cpu_count,
** CID 1532878: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1532878: Null pointer dereferences (FORWARD_NULL) /src/soc/qualcomm/common/qup_se_handler.c: 167 in qup_handle_transfer() 161 m_irq = qup_wait_for_m_irq(bus); 162 if ((m_irq & M_RX_FIFO_WATERMARK_EN) || 163 (m_irq & M_RX_FIFO_LAST_EN)) 164 rx_rem_bytes -= handle_rx(bus, din + size 165 - rx_rem_bytes, rx_rem_bytes); 166 if (m_irq & M_TX_FIFO_WATERMARK_EN)
CID 1532878: Null pointer dereferences (FORWARD_NULL) Passing null pointer "dout + size - tx_rem_bytes" to "handle_tx", which dereferences it.
167 tx_rem_bytes -= handle_tx(bus, dout + size 168 - tx_rem_bytes, tx_rem_bytes); 169 if (m_irq & M_CMD_DONE_EN) { 170 write32(&regs->geni_m_irq_clear, m_irq); 171 break; 172 }
** CID 1532877: Resource leaks (RESOURCE_LEAK) /src/soc/intel/common/block/crashlog/crashlog.c: 341 in malloc_cl_node()
________________________________________________________________________________________________________ *** CID 1532877: Resource leaks (RESOURCE_LEAK) /src/soc/intel/common/block/crashlog/crashlog.c: 341 in malloc_cl_node() 335 cl_node_t *node = malloc(sizeof(cl_node_t)); 336 if (!node) 337 return NULL; 338 339 node->data = malloc(len * sizeof(u32)); 340 if (!(node->data))
CID 1532877: Resource leaks (RESOURCE_LEAK) Variable "node" going out of scope leaks the storage it points to.
341 return NULL; 342 343 node->size = len * sizeof(u32); 344 node->next = NULL; 345 346 return node;
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...