Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
180 new defect(s) introduced to coreboot found with Coverity Scan. 164 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 180 defect(s)
** CID 1469466: (OVERRUN) /src/soc/qualcomm/common/qupv3_config.c: 29 in qupv3_se_fw_load_and_init() /src/soc/qualcomm/common/qupv3_config.c: 33 in qupv3_se_fw_load_and_init()
________________________________________________________________________________________________________ *** CID 1469466: (OVERRUN) /src/soc/qualcomm/common/qupv3_config.c: 29 in qupv3_se_fw_load_and_init() 23 static const char * const filename[] = { 24 [SE_PROTOCOL_SPI] = "fallback/spi_fw", 25 [SE_PROTOCOL_UART] = "fallback/uart_fw", 26 [SE_PROTOCOL_I2C] = "fallback/i2c_fw", 27 }; 28
CID 1469466: (OVERRUN) Overrunning array "filename" of 4 8-byte elements at element index 4 (byte offset 39) using index "protocol" (which evaluates to 4).
29 if (protocol >= SE_PROTOCOL_MAX || !filename[protocol]) 30 die("*ERROR* * INVALID PROTOCOL ***\n"); 31 32 if (!fw_list[protocol]) { 33 fw_list[protocol] = cbfs_map(filename[protocol], NULL); 34 if (!fw_list[protocol]) /src/soc/qualcomm/common/qupv3_config.c: 33 in qupv3_se_fw_load_and_init() 27 }; 28 29 if (protocol >= SE_PROTOCOL_MAX || !filename[protocol]) 30 die("*ERROR* * INVALID PROTOCOL ***\n"); 31 32 if (!fw_list[protocol]) {
CID 1469466: (OVERRUN) Overrunning array "filename" of 4 8-byte elements at element index 4 (byte offset 39) using index "protocol" (which evaluates to 4).
33 fw_list[protocol] = cbfs_map(filename[protocol], NULL); 34 if (!fw_list[protocol]) 35 die("*ERROR* * cbfs_map failed ***\n"); 36 } 37 38 hdr = fw_list[protocol];
** CID 1469465: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1469465: Null pointer dereferences (FORWARD_NULL) /src/ec/google/chromeec/ec.c: 1819 in google_chromeec_regulator_set_voltage() 1813 .cmd_size_in = sizeof(params), 1814 .cmd_data_out = NULL, 1815 .cmd_size_out = 0, 1816 .cmd_dev_index = 0, 1817 }; 1818
CID 1469465: Null pointer dereferences (FORWARD_NULL) Passing "&cmd" to "google_chromeec_command", which dereferences null "cmd.cmd_data_out".
1819 if (google_chromeec_command(&cmd)) 1820 return -1; 1821 1822 return 0; 1823 } 1824
** CID 1469464: (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1469464: (TAINTED_SCALAR) /3rdparty/vboot/cgpt/cgpt_show.c: 387 in GptShow() 381 GptHeader *header; 382 char indent[64]; 383 384 require(snprintf(indent, sizeof(indent), GPT_MORE) < sizeof(indent)); 385 header = (GptHeader*)drive->gpt.secondary_header; 386 entries = (GptEntry*)drive->gpt.secondary_entries;
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "header->size_of_entry" to "HeaderDetails", which uses it as a loop boundary.
387 HeaderDetails(header, entries, indent, params->numeric); 388 } 389 } 390 } 391 392 CheckValid(drive); /3rdparty/vboot/cgpt/cgpt_show.c: 256 in GptShow() 250 } else if (params->quick) { // show all partitions, quickly 251 uint32_t i; 252 GptEntry *entry; 253 char type[GUID_STRLEN]; 254 255 for (i = 0; i < GetNumberOfEntries(drive); ++i) {
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "*drive->gpt.primary_header" to "GetEntry", which uses it as an offset.
256 entry = GetEntry(&drive->gpt, ANY_VALID, i); 257 258 if (GuidIsZero(&entry->type)) 259 continue; 260 261 if (!params->numeric && CGPT_OK == ResolveType(&entry->type, type)) { /3rdparty/vboot/cgpt/cgpt_show.c: 387 in GptShow() 381 GptHeader *header; 382 char indent[64]; 383 384 require(snprintf(indent, sizeof(indent), GPT_MORE) < sizeof(indent)); 385 header = (GptHeader*)drive->gpt.secondary_header; 386 entries = (GptEntry*)drive->gpt.secondary_entries;
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "header->size" to "HeaderDetails", which uses it as a loop boundary.
387 HeaderDetails(header, entries, indent, params->numeric); 388 } 389 } 390 } 391 392 CheckValid(drive); /3rdparty/vboot/cgpt/cgpt_show.c: 197 in GptShow() 191 if (params->partition > GetNumberOfEntries(drive)) { 192 Error("invalid partition number: %d\n", params->partition); 193 return CGPT_FAILED; 194 } 195 196 uint32_t index = params->partition - 1;
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "*drive->gpt.secondary_header" to "GetEntry", which uses it as an offset.
197 GptEntry *entry = GetEntry(&drive->gpt, ANY_VALID, index); 198 char buf[256]; // scratch buffer for string conversion 199 200 if (params->single_item) { 201 switch(params->single_item) { 202 case 'b': /3rdparty/vboot/cgpt/cgpt_show.c: 319 in GptShow() 313 GptHeader *header; 314 char indent[64]; 315 316 require(snprintf(indent, sizeof(indent), GPT_MORE) < sizeof(indent)); 317 header = (GptHeader*)drive->gpt.primary_header; 318 entries = (GptEntry*)drive->gpt.primary_entries;
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "header->size_of_entry" to "HeaderDetails", which uses it as a loop boundary.
319 HeaderDetails(header, entries, indent, params->numeric); 320 } 321 322 GptHeader* primary_header = (GptHeader*)drive->gpt.primary_header; 323 printf(GPT_FMT, (uint64_t)primary_header->entries_lba, 324 (uint64_t)CalculateEntriesSectors(primary_header, /3rdparty/vboot/cgpt/cgpt_show.c: 319 in GptShow() 313 GptHeader *header; 314 char indent[64]; 315 316 require(snprintf(indent, sizeof(indent), GPT_MORE) < sizeof(indent)); 317 header = (GptHeader*)drive->gpt.primary_header; 318 entries = (GptEntry*)drive->gpt.primary_entries;
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "header->size" to "HeaderDetails", which uses it as a loop boundary.
319 HeaderDetails(header, entries, indent, params->numeric); 320 } 321 322 GptHeader* primary_header = (GptHeader*)drive->gpt.primary_header; 323 printf(GPT_FMT, (uint64_t)primary_header->entries_lba, 324 (uint64_t)CalculateEntriesSectors(primary_header, /3rdparty/vboot/cgpt/cgpt_show.c: 197 in GptShow() 191 if (params->partition > GetNumberOfEntries(drive)) { 192 Error("invalid partition number: %d\n", params->partition); 193 return CGPT_FAILED; 194 } 195 196 uint32_t index = params->partition - 1;
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "*drive->gpt.primary_header" to "GetEntry", which uses it as an offset.
197 GptEntry *entry = GetEntry(&drive->gpt, ANY_VALID, index); 198 char buf[256]; // scratch buffer for string conversion 199 200 if (params->single_item) { 201 switch(params->single_item) { 202 case 'b': /3rdparty/vboot/cgpt/cgpt_show.c: 256 in GptShow() 250 } else if (params->quick) { // show all partitions, quickly 251 uint32_t i; 252 GptEntry *entry; 253 char type[GUID_STRLEN]; 254 255 for (i = 0; i < GetNumberOfEntries(drive); ++i) {
CID 1469464: (TAINTED_SCALAR) Passing tainted expression "*drive->gpt.secondary_header" to "GetEntry", which uses it as an offset.
256 entry = GetEntry(&drive->gpt, ANY_VALID, i); 257 258 if (GuidIsZero(&entry->type)) 259 continue; 260 261 if (!params->numeric && CGPT_OK == ResolveType(&entry->type, type)) {
** CID 1469463: Medium impact security (RISKY_CRYPTO) /home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/pcrs.go: 97 in github.com/google/go-tpm/tpm.createPCRInfoLong(github.com/google/go-tpm/tpm.Locality, github.com/google/go-tpm/tpm.pcrMask, []byte)(*github.com/google/go-tpm/tpm.pcrInfoLong, error)()
________________________________________________________________________________________________________ *** CID 1469463: Medium impact security (RISKY_CRYPTO) /home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/pcrs.go: 97 in github.com/google/go-tpm/tpm.createPCRInfoLong(github.com/google/go-tpm/tpm.Locality, github.com/google/go-tpm/tpm.pcrMask, []byte)(*github.com/google/go-tpm/tpm.pcrInfoLong, error)() 91 return fmt.Sprintf("pcrInfoShort{LocAtRelease: %x, PCRsAtRelease: %s, DigestAtRelease: % x}", pcri.LocAtRelease, pcri.PCRsAtRelease, pcri.DigestAtRelease) 92 } 93 94 // createPCRInfoLong creates a pcrInfoLong structure from a mask and some PCR 95 // values that match this mask, along with a TPM locality. 96 func createPCRInfoLong(loc Locality, mask pcrMask, pcrVals []byte) (*pcrInfoLong, error) {
CID 1469463: Medium impact security (RISKY_CRYPTO) Using a weak hashing algorithm. The RIPEMD, MD2, MD4, MD5, SHA0 and SHA1 cryptographic hashing algorithms are not collision resistant. Furthermore, these algorithms suffer from length extension attacks: without knowing the original unhashed message, an attacker can generate a valid hash for messages that have the original message as a prefix.
97 d, err := createPCRComposite(mask, pcrVals) 98 if err != nil { 99 return nil, err 100 } 101 102 pcri := &pcrInfoLong{
** CID 1469462: Error handling issues (CHECKED_RETURN) /src/drivers/ti/tps65913/tps65913rtc.c: 34 in tps65913_read()
________________________________________________________________________________________________________ *** CID 1469462: Error handling issues (CHECKED_RETURN) /src/drivers/ti/tps65913/tps65913rtc.c: 34 in tps65913_read() 28 TPS65913_RTC_FROZEN = (0 << 1), 29 }; 30 31 static inline uint8_t tps65913_read(enum TPS65913_RTC_REG reg) 32 { 33 uint8_t val;
CID 1469462: Error handling issues (CHECKED_RETURN) Calling "i2c_readb" without checking return value (as is done elsewhere 9 out of 11 times).
34 i2c_readb(CONFIG_DRIVERS_TI_TPS65913_RTC_BUS, 35 CONFIG_DRIVERS_TI_TPS65913_RTC_ADDR, reg, &val); 36 return val; 37 } 38 39 static inline void tps65913_write(enum TPS65913_RTC_REG reg, uint8_t val)
** CID 1469461: (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1469461: (TAINTED_SCALAR) /3rdparty/vboot/futility/cmd_gbb_utility.c: 478 in do_gbb() 472 sel_hwid = 1; 473 474 inbuf = read_entire_file(infile, &filesize); 475 if (!inbuf) 476 break; 477
CID 1469461: (TAINTED_SCALAR) Passing tainted expression "*inbuf" to "FindGbbHeader", which uses it as a loop boundary.
478 gbb = FindGbbHeader(inbuf, filesize); 479 if (!gbb) { 480 fprintf(stderr, "ERROR: No GBB found in %s\n", infile); 481 break; 482 } 483 gbb_base = (uint8_t *) gbb; /3rdparty/vboot/futility/cmd_gbb_utility.c: 538 in do_gbb() 532 533 /* With no args, we'll either copy it unchanged or do nothing */ 534 inbuf = read_entire_file(infile, &filesize); 535 if (!inbuf) 536 break; 537
CID 1469461: (TAINTED_SCALAR) Passing tainted expression "*inbuf" to "FindGbbHeader", which uses it as a loop boundary.
538 gbb = FindGbbHeader(inbuf, filesize); 539 if (!gbb) { 540 fprintf(stderr, "ERROR: No GBB found in %s\n", infile); 541 break; 542 } 543 gbb_base = (uint8_t *) gbb;
** CID 1469460: (PRINTF_ARGS) /src/soc/cavium/cn81xx/soc.c: 291 in dt_platform_fixup() /src/soc/cavium/cn81xx/soc.c: 288 in dt_platform_fixup()
________________________________________________________________________________________________________ *** CID 1469460: (PRINTF_ARGS) /src/soc/cavium/cn81xx/soc.c: 291 in dt_platform_fixup() 285 286 if (qlm_mode == BDK_QLM_MODE_DISABLED) 287 snprintf(path, sizeof(path), "0x0%x%x,disabled", 288 bgx_iface, bgx_index); 289 else 290 snprintf(path, sizeof(path), "0x0%x%x,%s",
CID 1469460: (PRINTF_ARGS) Argument "bgx_iface" to format specifier "%x" was expected to have type "unsigned int" but has type "unsigned long". [Note: The source code implementation of the function has been overridden by a builtin model.]
291 bgx_iface, bgx_index, 292 QLM_BGX_MODE_MAP[qlm_mode]); 293 294 int64_t phy_address = 295 bdk_config_get_int(BDK_CONFIG_PHY_ADDRESS, 0, 296 bgx_iface, bgx_index); /src/soc/cavium/cn81xx/soc.c: 288 in dt_platform_fixup() 282 if (rx_dmac_ctl.u == 0) 283 qlm_mode = BDK_QLM_MODE_DISABLED; 284 } 285 286 if (qlm_mode == BDK_QLM_MODE_DISABLED) 287 snprintf(path, sizeof(path), "0x0%x%x,disabled",
CID 1469460: (PRINTF_ARGS) Argument "bgx_iface" to format specifier "%x" was expected to have type "unsigned int" but has type "unsigned long". [Note: The source code implementation of the function has been overridden by a builtin model.]
288 bgx_iface, bgx_index); 289 else 290 snprintf(path, sizeof(path), "0x0%x%x,%s", 291 bgx_iface, bgx_index, 292 QLM_BGX_MODE_MAP[qlm_mode]); 293
** CID 1469459: Memory - illegal accesses (OVERRUN) /src/vendorcode/mediatek/mt8195/dramc/emi.c: 942 in update_emi_setting()
________________________________________________________________________________________________________ *** CID 1469459: Memory - illegal accesses (OVERRUN) /src/vendorcode/mediatek/mt8195/dramc/emi.c: 942 in update_emi_setting() 936 row = emi_info->row_width[i] - 13; 937 row_ext = row >> 2; 938 row &= 0x3; 939 940 col = emi_info->col_width[i] - 9; 941
CID 1469459: Memory - illegal accesses (OVERRUN) Overrunning array "emi_info->rank_size" of 2 8-byte elements at element index 2 (byte offset 23) using index "i" (which evaluates to 2).
942 rk_size = emi_info->rank_size[i] >> 28; 943 if (u1IsLP4Family(ddr_type)) 944 rk_size >>= 1; 945 rk_size_ext = rk_size >> 4; 946 rk_size_chn_ext = rk_size_ext & 0x1; 947 rk_size &= 0xF;
** CID 1469458: (PARSE_ERROR) /3rdparty/chromeec/common/timer.c: 37 in () /3rdparty/chromeec/common/timer.c: 37 in () /3rdparty/chromeec/common/timer.c: 37 in ()
________________________________________________________________________________________________________ *** CID 1469458: (PARSE_ERROR) /3rdparty/chromeec/common/timer.c: 37 in () 31 #define CPRINTF(format, args...) 32 #endif 33 34 #define TIMER_SYSJUMP_TAG 0x4d54 /* "TM" */ 35 36 /* High 32-bits of the 64-bit timestamp counter. */
CID 1469458: (PARSE_ERROR) function call is not allowed in a constant expression
37 STATIC_IF_NOT(CONFIG_HWTIMER_64BIT) volatile uint32_t clksrc_high; 38 39 /* Bitmap of currently running timers */ 40 static uint32_t timer_running; 41 42 /* Deadlines of all timers */ /3rdparty/chromeec/common/timer.c: 37 in () 31 #define CPRINTF(format, args...) 32 #endif 33 34 #define TIMER_SYSJUMP_TAG 0x4d54 /* "TM" */ 35 36 /* High 32-bits of the 64-bit timestamp counter. */
CID 1469458: (PARSE_ERROR) expression must have integral type
37 STATIC_IF_NOT(CONFIG_HWTIMER_64BIT) volatile uint32_t clksrc_high; 38 39 /* Bitmap of currently running timers */ 40 static uint32_t timer_running; 41 42 /* Deadlines of all timers */ /3rdparty/chromeec/common/timer.c: 37 in () 31 #define CPRINTF(format, args...) 32 #endif 33 34 #define TIMER_SYSJUMP_TAG 0x4d54 /* "TM" */ 35 36 /* High 32-bits of the 64-bit timestamp counter. */
CID 1469458: (PARSE_ERROR) expression must be an integral constant expression
37 STATIC_IF_NOT(CONFIG_HWTIMER_64BIT) volatile uint32_t clksrc_high; 38 39 /* Bitmap of currently running timers */ 40 static uint32_t timer_running; 41 42 /* Deadlines of all timers */
** CID 1469457: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1469457: Null pointer dereferences (FORWARD_NULL) /src/ec/google/chromeec/ec.c: 647 in google_chromeec_flash_write_block() 641 .cmd_data_in = params_data, 642 .cmd_dev_index = 0, 643 }; 644 645 assert(params_data); 646
CID 1469457: Null pointer dereferences (FORWARD_NULL) Passing "&cmd" to "google_chromeec_command", which dereferences null "cmd.cmd_data_out".
647 return google_chromeec_command(&cmd); 648 } 649 650 /* 651 * EFS verification of flash. 652 */
** CID 1469456: Possible Control flow issues (DEADCODE) /src/soc/qualcomm/sc7180/display/dsi_phy.c: 267 in mdss_dsi_calculate_phy_timings()
________________________________________________________________________________________________________ *** CID 1469456: Possible Control flow issues (DEADCODE) /src/soc/qualcomm/sc7180/display/dsi_phy.c: 267 in mdss_dsi_calculate_phy_timings() 261 tmin = DIV_ROUND_UP(temp, ui_x8) - 1; 262 tmax = 63; 263 timing->clk_post = linear_inter(tmax, tmin, pcnt2, 0, false); 264 265 temp = 8 * ui + (timing->clk_prepare << 3) * ui; 266 temp += (((timing->clk_zero + 3) << 3) + 11) * ui;
CID 1469456: Possible Control flow issues (DEADCODE) Execution cannot reach the expression "((timing->hs_rqst << 3) + 4U) * ui" inside this statement: "temp += (hb_en_ckln ? ((tim...".
267 temp += hb_en_ckln ? (((timing->hs_rqst << 3) + 4) * ui) : 268 (((timing->hs_rqst << 3) + 8) * ui); 269 tmin = S_DIV_ROUND_UP(temp, ui_x8) - 1; 270 tmax = 63; 271 if (tmin > tmax) { 272 temp = linear_inter(tmax << 1, tmin, pcnt2, 0, false);
** CID 1469455: (DEADCODE) /home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 492 in github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)() /home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 488 in github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)()
________________________________________________________________________________________________________ *** CID 1469455: (DEADCODE) /home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 492 in github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)() 486 hash := cipher.HASH 487 if err != nil { 488 return nil, err 489 } 490 cipherText := cipher.CipherText 491 if err != nil {
CID 1469455: (DEADCODE) Execution cannot reach this statement: "<temporary>.$0 = nil;".
492 return nil, err 493 } 494 c := []byte{} 495 c = append(c, x...) // x 496 c = append(c, y...) // y 497 c = append(c, hash...) // x /home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 488 in github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)() 482 return nil, err 483 } 484 x := cipher.XCoordinate.Bytes() 485 y := cipher.YCoordinate.Bytes() 486 hash := cipher.HASH 487 if err != nil {
CID 1469455: (DEADCODE) Execution cannot reach this statement: "<temporary>.$0 = nil;".
488 return nil, err 489 } 490 cipherText := cipher.CipherText 491 if err != nil { 492 return nil, err 493 }
** CID 1469454: Possible Control flow issues (DEADCODE) /src/vendorcode/mediatek/mt8192/dramc/dramc_top.c: 1061 in mt_set_emi()
________________________________________________________________________________________________________ *** CID 1469454: Possible Control flow issues (DEADCODE) /src/vendorcode/mediatek/mt8192/dramc/dramc_top.c: 1061 in mt_set_emi() 1055 emi_setting_index = -1; 1056 emi_set = &default_emi_setting; 1057 #endif 1058 segment = (seclib_get_devinfo_with_index(7) & 0xFF); 1059 if ((segment == 0x80) || (segment == 0x01) || (segment == 0x40) || (segment == 0x02)) 1060 {
CID 1469454: Possible Control flow issues (DEADCODE) Execution cannot reach this statement: "(*emi_set).DRAMC_ACTIME_UNI...".
1061 emi_set->DRAMC_ACTIME_UNION[0] = 3733; 1062 } 1063 #ifdef DDR_RESERVE_MODE 1064 if(g_ddr_reserve_enable==1 && g_ddr_reserve_success==0) 1065 Before_Init_DRAM_While_Reserve_Mode_fail(emi_set->type & 0xF); 1066 #endif
** CID 1469453: Control flow issues (DEADCODE) /3rdparty/arm-trusted-firmware/plat/mediatek/mt8195/plat_pm.c: 301 in plat_validate_power_state()
________________________________________________________________________________________________________ *** CID 1469453: Control flow issues (DEADCODE) /3rdparty/arm-trusted-firmware/plat/mediatek/mt8195/plat_pm.c: 301 in plat_validate_power_state() 295 { 296 unsigned int pstate = psci_get_pstate_type(power_state); 297 unsigned int aff_lvl = psci_get_pstate_pwrlvl(power_state); 298 unsigned int cpu = plat_my_core_pos(); 299 300 if (aff_lvl > PLAT_MAX_PWR_LVL) {
CID 1469453: Control flow issues (DEADCODE) Execution cannot reach this statement: "return -2;".
301 return PSCI_E_INVALID_PARAMS; 302 } 303 304 if (pstate == PSTATE_TYPE_STANDBY) { 305 req_state->pwr_domain_state[0] = PLAT_MAX_RET_STATE; 306 } else {
** CID 1469452: (BAD_SHIFT) /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
________________________________________________________________________________________________________ *** CID 1469452: (BAD_SHIFT) /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() 1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL; 1068 } 1069 1070 if(a_cfg->DLL_ASYNC_EN == 1) 1071 { 1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); 1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
CID 1469452: (BAD_SHIFT) In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() 1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL; 1068 } 1069 1070 if(a_cfg->DLL_ASYNC_EN == 1) 1071 { 1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control() 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
CID 1469452: (BAD_SHIFT) In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); 1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1092 } /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
CID 1469452: (BAD_SHIFT) In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); 1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() 1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL; 1068 } 1069 1070 if(a_cfg->DLL_ASYNC_EN == 1) 1071 { 1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control() 1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL; 1068 } 1069 1070 if(a_cfg->DLL_ASYNC_EN == 1) 1071 { 1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); 1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control() 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); 1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1092 } /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() 1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control() 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF); 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
CID 1469452: (BAD_SHIFT) In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() 1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() 1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control() 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
CID 1469452: (BAD_SHIFT) In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); 1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1092 } /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control() 1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
CID 1469452: (BAD_SHIFT) In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D); 1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control() 1073 vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld)); 1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1075 } 1076 else 1077 { 1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1080 vSetPHY2ChannelMapping(p, CHANNEL_B); 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); /src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control() 1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1082 #if (CHANNEL_NUM>2) 1083 if (channel_num_auxadc > 2) { 1084 vSetPHY2ChannelMapping(p, CHANNEL_C); 1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld )); 1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
CID 1469452: (BAD_SHIFT) In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >> 8", is 268.
1087 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld )); 1088 } 1089 #endif 1090 vSetPHY2ChannelMapping(p, CHANNEL_A); 1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON); 1092 }
** CID 1469451: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1469451: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/cbfstool.c: 1208 in cbfstool_convert_mkpayload() 1202 /* If it's not an FIT, see if it's a UEFI FV */ 1203 if (ret != 0) 1204 ret = parse_fv_to_payload(buffer, &output, param.compression); 1205 1206 /* If it's neither ELF nor UEFI Fv, try bzImage */ 1207 if (ret != 0)
CID 1469451: Insecure data handling (TAINTED_SCALAR) Passing tainted expression "*buffer->data" to "parse_bzImage_to_payload", which uses it as an offset.
1208 ret = parse_bzImage_to_payload(buffer, &output, 1209 param.initrd, param.cmdline, param.compression); 1210 1211 /* Not a supported payload type */ 1212 if (ret != 0) { 1213 ERROR("Not a supported payload type (ELF / FV).\n");
** CID 1469450: (UNINIT) /src/vendorcode/mediatek/mt8195/dramc/dramc_pi_calibration_api.c: 3188 in DramcWriteLeveling() /src/vendorcode/mediatek/mt8192/dramc/dramc_pi_calibration_api.c: 3749 in DramcWriteLeveling()
________________________________________________________________________________________________________ *** CID 1469450: (UNINIT) /src/vendorcode/mediatek/mt8195/dramc/dramc_pi_calibration_api.c: 3188 in DramcWriteLeveling() 3182 } 3183 #endif 3184 3185 if (u1OverBoundCnt > 0) 3186 ShiftDQSWCK_UI(p, -u1OverBoundCnt * (PI_bound / DQPI_PER_UI), ALL_BYTES); 3187
CID 1469450: (UNINIT) Using uninitialized value "ucDoneFlg".
3188 if (ucDoneFlg == 0xff) 3189 { 3190 3191 fgwrlevel_done = 1; 3192 KResult = DRAM_OK; 3193 } /src/vendorcode/mediatek/mt8192/dramc/dramc_pi_calibration_api.c: 3749 in DramcWriteLeveling() 3743 } 3744 #endif 3745 3746 if (u1OverBoundCnt > 0) 3747 ShiftDQSWCK_UI(p, -u1OverBoundCnt * (PI_bound / DQPI_PER_UI), ALL_BYTES); 3748
CID 1469450: (UNINIT) Using uninitialized value "ucDoneFlg".
3749 if (ucDoneFlg == 0xff) 3750 { 3751 // all bytes are done 3752 fgwrlevel_done = 1; 3753 KResult = DRAM_OK; 3754 }
** CID 1469449: Medium impact security (RISKY_CRYPTO) /home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/verify.go: 139 in github.com/google/go-tpm/tpm.VerifyQuote(*crypto/rsa.PublicKey, []byte, []byte, []int, []byte)error()
________________________________________________________________________________________________________ *** CID 1469449: Medium impact security (RISKY_CRYPTO) /home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/verify.go: 139 in github.com/google/go-tpm/tpm.VerifyQuote(*crypto/rsa.PublicKey, []byte, []byte, []int, []byte)error() 133 func VerifyQuote(pk *rsa.PublicKey, data []byte, quote []byte, pcrNums []int, pcrs []byte) error { 134 p, err := NewQuoteInfo(data, pcrNums, pcrs) 135 if err != nil { 136 return err 137 } 138
CID 1469449: Medium impact security (RISKY_CRYPTO) Using a weak hashing algorithm. The RIPEMD, MD2, MD4, MD5, SHA0 and SHA1 cryptographic hashing algorithms are not collision resistant. Furthermore, these algorithms suffer from length extension attacks: without knowing the original unhashed message, an attacker can generate a valid hash for messages that have the original message as a prefix.
139 s := sha1.Sum(p) 140 141 // Try to do a direct encryption to reverse the value and see if it's padded 142 // with PKCS1v1.5. 143 return rsa.VerifyPKCS1v15(pk, crypto.SHA1, s[:], quote) 144 }
** CID 1469448: (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1469448: (TAINTED_SCALAR) /util/cbfstool/partitioned_file.c: 116 in partitioned_file_create() 110 if (fmap_find((const uint8_t *)flashmap->data, flashmap->size) != 0) { 111 ERROR("Attempted to create a partitioned image out of something that isn't an FMAP\n"); 112 return NULL; 113 } 114 struct fmap *bootstrap_fmap = (struct fmap *)flashmap->data; 115
CID 1469448: (TAINTED_SCALAR) Passing tainted expression "bootstrap_fmap->nareas" to "fmap_find_area", which uses it as a loop boundary.
116 const struct fmap_area *fmap_area = 117 fmap_find_area(bootstrap_fmap, SECTION_NAME_FMAP); 118 if (!fmap_area) { 119 ERROR("Provided FMAP missing '%s' region\n", SECTION_NAME_FMAP); 120 return NULL; 121 } /util/cbfstool/partitioned_file.c: 150 in partitioned_file_create() 144 if (!file) 145 return NULL; 146 147 struct buffer fmap_region; 148 buffer_splice(&fmap_region, &file->buffer, fmap_area->offset, fmap_area->size); 149 memcpy(fmap_region.data, bootstrap_fmap, fmap_len);
CID 1469448: (TAINTED_SCALAR) Passing tainted expression "fmap_region.size" to "partitioned_file_write_region", which uses it as an offset.
150 if (!partitioned_file_write_region(file, &fmap_region)) { 151 partitioned_file_close(file); 152 return NULL; 153 } 154 file->fmap = (struct fmap *)(file->buffer.data + fmap_area->offset); 155 /util/cbfstool/partitioned_file.c: 142 in partitioned_file_create() 136 if ((uint32_t)fmap_len > fmap_area->size) { 137 ERROR("Provided FMAP's '%s' region needs to be at least %d bytes\n", 138 SECTION_NAME_FMAP, fmap_len); 139 return NULL; 140 } 141
CID 1469448: (TAINTED_SCALAR) Passing tainted expression "bootstrap_fmap->size" to "partitioned_file_create_flat", which uses it as an allocation size.
142 partitioned_file_t *file = partitioned_file_create_flat(filename, 143 bootstrap_fmap->size); 144 if (!file) 145 return NULL; 146 147 struct buffer fmap_region;
** CID 1469447: Memory - corruptions (OVERRUN) /src/vendorcode/mediatek/mt8192/dramc/dramc_pi_basic_api.c: 319 in UpdateDFSTbltoDDR3200()
________________________________________________________________________________________________________ *** CID 1469447: Memory - corruptions (OVERRUN) /src/vendorcode/mediatek/mt8192/dramc/dramc_pi_basic_api.c: 319 in UpdateDFSTbltoDDR3200() 313 // lookup table to find highest freq 314 highestfreqsel = GetSelByFreq(p, u2HighestFreq); 315 for (u1ShuffleIdx = DRAM_DFS_SHUFFLE_1; u1ShuffleIdx < DRAM_DFS_SHUFFLE_MAX; u1ShuffleIdx++) 316 if (gFreqTbl[u1ShuffleIdx].freq_sel == highestfreqsel) 317 break; 318
CID 1469447: Memory - corruptions (OVERRUN) Overrunning array "gFreqTbl" of 7 24-byte elements at element index 7 (byte offset 191) using index "u1ShuffleIdx" (which evaluates to 7).
319 gFreqTbl[u1ShuffleIdx].freq_sel = LP4_DDR3200; // for DSC DRAM 320 321 gUpdateHighestFreq = TRUE; 322 u2HighestFreq = u2DFSGetHighestFreq(p); // @Darren, Update u2FreqMax variables 323 #if __ETT__ 324 UpdateEttDFVSTbltoDDR3200(p, u2HighestFreq); //@Darren, Update for DDR3200 ETT DVFS stress
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...