Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
10 new defect(s) introduced to coreboot were found with Coverity Scan. 1 defect(s), reported by Coverity Scan earlier, was marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 10 of 10 defect(s)
** CID 1302458: Control flow issues (DEADCODE) /src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core()
________________________________________________________________________________________________________ *** CID 1302458: Control flow issues (DEADCODE) /src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core() 69 /* Write PPC object */ 70 acpigen_write_PPC(pstate_num); 71 72 /* Write PSD indicating coordination type */ 73 if ((single_link) && (mctGetLogicalCPUID(0) & AMD_DR_GT_Bx)) { 74 /* Revision C or greater single-link processor */
CID 1302458: Control flow issues (DEADCODE) Execution cannot reach this statement: "cpuid1 = cpuid(-2147483640);".
75 cpuid1 = cpuid(0x80000008); 76 acpigen_write_PSD_package(0, (cpuid1.ecx & 0xff) + 1, SW_ALL); 77 } 78 else { 79 /* Find the local APIC ID for the specified core ID */ 80 struct device* cpu;
** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test()
________________________________________________________________________________________________________ *** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test() 446 if ((*fmap)->nareas != 1) { 447 printf("FAILURE: failed to increment number of areas\n"); 448 goto fmap_append_area_test_exit; 449 } 450 451 status = pass;
CID 1302457: Control flow issues (MISSING_RESTORE) Jumped to here, skipping restore.
452 fmap_append_area_test_exit: 453 return status; 454 } 455 456 static int fmap_find_area_test(struct fmap *fmap) 457 {
** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test()
________________________________________________________________________________________________________ *** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test() 562 printf("FAILURE: bsearch returned false positive\n"); 563 goto fmap_find_test_exit; 564 } 565 566 /* simple test case: fmap at (total_size / 2) + 1 */ 567 offset = (total_size / 2) + 1;
CID 1302456: Error handling issues (NEGATIVE_RETURNS) "fmap_size(fmap)" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
568 memcpy(&buf[offset], fmap, fmap_size(fmap)); 569 570 if ((unsigned)fmap_find(buf, total_size - 1) != offset) { 571 printf("FAILURE: lsearch failed to find fmap\n"); 572 goto fmap_find_test_exit; 573 }
** CID 1302455: Null pointer dereferences (NULL_RETURNS) /util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen()
________________________________________________________________________________________________________ *** CID 1302455: Null pointer dereferences (NULL_RETURNS) /util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen() 198 partitioned_file_close(file); 199 return NULL; 200 } 201 202 const struct fmap_area *fmap_fmap_entry = 203 fmap_find_area(file->fmap, SECTION_NAME_FMAP);
CID 1302455: Null pointer dereferences (NULL_RETURNS) Dereferencing a null pointer "fmap_fmap_entry".
204 if ((long)fmap_fmap_entry->offset != fmap_region_offset) { 205 ERROR("FMAP's '%s' section doesn't point back to FMAP start (did something corrupt this file?)\n", 206 SECTION_NAME_FMAP); 207 partitioned_file_close(file); 208 return NULL; 209 }
** CID 1302454: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1302454: Memory - corruptions (OVERRUN) /util/cbfstool/flashmap/fmap.c: 342 in fmap_create_test() 336 uint64_t base = 0; 337 uint32_t size = 0x100000; 338 char name[] = "test_fmap"; 339 340 status = fail; 341
CID 1302454: Memory - corruptions (OVERRUN) Overrunning array "name" of 10 bytes by passing it to a function which accesses it at byte offset 31.
342 fmap = fmap_create(base, size, (uint8_t *)name); 343 if (!fmap) 344 return NULL; 345 346 if (memcmp(&fmap->signature, FMAP_SIGNATURE, strlen(FMAP_SIGNATURE))) { 347 printf("FAILURE: signature is incorrect\n");
** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
________________________________________________________________________________________________________ *** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() 524 } 525 free(my_str); 526 free(str); 527 528 status = pass; 529 fmap_flags_to_string_test_exit:
CID 1302453: Resource leaks (RESOURCE_LEAK) Variable "my_str" going out of scope leaks the storage it points to.
530 return status; 531 532 } 533 534 static int fmap_find_test(struct fmap *fmap) 535 {
** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
________________________________________________________________________________________________________ *** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() 524 } 525 free(my_str); 526 free(str); 527 528 status = pass; 529 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to.
530 return status; 531 532 } 533 534 static int fmap_find_test(struct fmap *fmap) 535 { /util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test() 524 } 525 free(my_str); 526 free(str); 527 528 status = pass; 529 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to.
530 return status; 531 532 } 533 534 static int fmap_find_test(struct fmap *fmap) 535 {
** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 207 in fmap_print()
________________________________________________________________________________________________________ *** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 207 in fmap_print() 201 kv_pair_fmt(pair, "area_flags_raw", "0x%02x", 202 fmap->areas[i].flags); 203 204 /* Print descriptive strings for flags rather than the field */ 205 flags = fmap->areas[i].flags; 206 if ((str = fmap_flags_to_string(flags)) == NULL)
CID 1302451: Resource leaks (RESOURCE_LEAK) Variable "pair" going out of scope leaks the storage it points to.
207 return -1; 208 kv_pair_fmt(pair, "area_flags", "%s", str); 209 free(str); 210 211 kv_pair_print(pair); 212 kv_pair_free(pair);
** CID 1302450: Security best practices violations (STRING_OVERFLOW) /src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate()
________________________________________________________________________________________________________ *** CID 1302450: Security best practices violations (STRING_OVERFLOW) /src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate() 44 char *ptr; 45 int kind; 46 kind = (conf->did[i] >> 8) & 0xf; 47 if (kind >= ARRAY_SIZE(names)) { 48 kind = 0; 49 }
CID 1302450: Security best practices violations (STRING_OVERFLOW) You might overrun the 10 byte fixed-size string "name" by copying "names[kind]" without checking the length.
50 strcpy(name, names[kind]); 51 for (ptr = name; *ptr; ptr++); 52 *ptr++ = counters[kind] + '0'; 53 *ptr++ = '\0'; 54 counters[kind]++; 55 acpigen_write_device(name);
** CID 1256584: Error handling issues (CHECKED_RETURN) /src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io()
________________________________________________________________________________________________________ *** CID 1256584: Error handling issues (CHECKED_RETURN) /src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io() 46 } 47 48 static int crosec_spi_io(size_t req_size, size_t resp_size, void *context) 49 { 50 struct spi_slave *slave = (struct spi_slave *)context; 51
CID 1256584: Error handling issues (CHECKED_RETURN) Calling "spi_claim_bus" without checking return value (as is done elsewhere 4 out of 5 times).
52 spi_claim_bus(slave); 53 54 /* Allow EC to ramp up clock after being awaken. 55 * See chrome-os-partner:32223 for more details. */ 56 udelay(CONFIG_EC_GOOGLE_CHROMEEC_SPI_WAKEUP_DELAY_US); 57
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1016?tab=overview
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click https://scan.coverity.com/subscriptions/edit?email=coreboot%40coreboot.org&a... .