Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
59 new defect(s) introduced to coreboot found with Coverity Scan. 10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 59 defect(s)
** CID 1361276: Uninitialized variables (UNINIT) /util/cbfstool/cbfs_image.c: 1165 in cbfs_payload_make_elf()
________________________________________________________________________________________________________ *** CID 1361276: Uninitialized variables (UNINIT) /util/cbfstool/cbfs_image.c: 1165 in cbfs_payload_make_elf() 1159 if (elf_writer_add_section(ew, &shdr, &tbuff, name)) { 1160 ERROR("Unable to add ELF section: %s\n", name); 1161 elf_writer_destroy(ew); 1162 return -1; 1163 } 1164
CID 1361276: Uninitialized variables (UNINIT) Using uninitialized value "empty_sz".
1165 if (empty_sz != 0) { 1166 struct buffer b; 1167 1168 buffer_init(&b, NULL, NULL, 0); 1169 memset(&shdr, 0, sizeof(shdr)); 1170 shdr.sh_type = SHT_NOBITS;
** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
________________________________________________________________________________________________________ *** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 831 in parse_subpart_dir() 825 memcpy(hdr.name, data + offset, sizeof(hdr.name)); 826 offset += sizeof(hdr.name); 827 828 validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name); 829 830 assert(size > subpart_dir_size(&hdr));
CID 1361275: (TAINTED_SCALAR) Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
831 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir"); 832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 833 834 /* Read Subpart Dir entries. */ 835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 836 struct subpart_dir_entry *e = &subpart_dir->e[0]; /util/cbfstool/ifwitool.c: 838 in parse_subpart_dir() 832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 833 834 /* Read Subpart Dir entries. */ 835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 836 struct subpart_dir_entry *e = &subpart_dir->e[0]; 837 uint32_t i;
CID 1361275: (TAINTED_SCALAR) Using tainted variable "hdr.num_entries" as a loop boundary.
838 for (i = 0; i < hdr.num_entries; i++) { 839 memcpy(e[i].name, data + offset, sizeof(e[i].name)); 840 offset += sizeof(e[i].name); 841 offset = read_member(data, offset, sizeof(e[i].offset), 842 &e[i].offset); 843 offset = read_member(data, offset, sizeof(e[i].length),
** CID 1361274: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1361274: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 717 in alloc_bpdt_buffer() 711 { 712 struct bpdt_header bpdt_header; 713 assert((offset + BPDT_HEADER_SIZE) < size); 714 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name); 715 716 /* Buffer to read BPDT header and entries. */
CID 1361274: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
717 alloc_buffer(b, get_bpdt_size(&bpdt_header), name); 718 719 struct bpdt *bpdt = buffer_get(b); 720 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE); 721 722 /*
** CID 1361273: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1361273: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/host/lib21/host_key.c: 175 in vb21_private_key_read() 169 *key_ptr = NULL; 170 171 rv = vb2_read_file(filename, &buf, &size); 172 if (rv) 173 return rv; 174
CID 1361273: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "buf" to a tainted sink.
175 rv = vb21_private_key_unpack(key_ptr, buf, size); 176 177 free(buf); 178 179 return rv; 180 }
** CID 1361272: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1361272: Insecure data handling (TAINTED_SCALAR) /3rdparty/vboot/host/lib21/host_key.c: 449 in vb21_packed_key_read() 443 *key_ptr = NULL; 444 445 if (vb2_read_file(filename, &buf, &size)) 446 return VB2_ERROR_READ_PACKED_KEY_DATA; 447 448 /* Sanity check: make sure key unpacks properly */
CID 1361272: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "buf" to a tainted sink.
449 if (vb21_unpack_key(&key, buf, size)) 450 return VB2_ERROR_READ_PACKED_KEY; 451 452 *key_ptr = (struct vb21_packed_key *)buf; 453 454 return VB2_SUCCESS;
** CID 1361268: (RESOURCE_LEAK) /util/cbfstool/cbfs_image.c: 1102 in cbfs_payload_make_elf() /util/cbfstool/cbfs_image.c: 1106 in cbfs_payload_make_elf() /util/cbfstool/cbfs_image.c: 1113 in cbfs_payload_make_elf() /util/cbfstool/cbfs_image.c: 1162 in cbfs_payload_make_elf() /util/cbfstool/cbfs_image.c: 1187 in cbfs_payload_make_elf() /util/cbfstool/cbfs_image.c: 1196 in cbfs_payload_make_elf()
________________________________________________________________________________________________________ *** CID 1361268: (RESOURCE_LEAK) /util/cbfstool/cbfs_image.c: 1102 in cbfs_payload_make_elf() 1096 1097 xdr_get_seg(&segs[i], &serialized_seg[i]); 1098 } 1099 1100 if (cbfs_payload_decompress(segs, buff, segments)) { 1101 ERROR("Failed to decompress payload.\n");
CID 1361268: (RESOURCE_LEAK) Variable "segs" going out of scope leaks the storage it points to.
1102 return -1; 1103 } 1104 1105 if (init_elf_from_arch(&ehdr, arch)) 1106 return -1; 1107 /util/cbfstool/cbfs_image.c: 1106 in cbfs_payload_make_elf() 1100 if (cbfs_payload_decompress(segs, buff, segments)) { 1101 ERROR("Failed to decompress payload.\n"); 1102 return -1; 1103 } 1104 1105 if (init_elf_from_arch(&ehdr, arch))
CID 1361268: (RESOURCE_LEAK) Variable "segs" going out of scope leaks the storage it points to.
1106 return -1; 1107 1108 ehdr.e_entry = segs[segments-1].load_addr; 1109 1110 ew = elf_writer_init(&ehdr); 1111 if (ew == NULL) { /util/cbfstool/cbfs_image.c: 1113 in cbfs_payload_make_elf() 1107 1108 ehdr.e_entry = segs[segments-1].load_addr; 1109 1110 ew = elf_writer_init(&ehdr); 1111 if (ew == NULL) { 1112 ERROR("Unable to init ELF writer.\n");
CID 1361268: (RESOURCE_LEAK) Variable "segs" going out of scope leaks the storage it points to.
1113 return -1; 1114 } 1115 1116 for (int i = 0; i < segments; i++) { 1117 struct buffer tbuff; 1118 /util/cbfstool/cbfs_image.c: 1162 in cbfs_payload_make_elf() 1156 } 1157 1158 1159 if (elf_writer_add_section(ew, &shdr, &tbuff, name)) { 1160 ERROR("Unable to add ELF section: %s\n", name); 1161 elf_writer_destroy(ew);
CID 1361268: (RESOURCE_LEAK) Variable "segs" going out of scope leaks the storage it points to.
1162 return -1; 1163 } 1164 1165 if (empty_sz != 0) { 1166 struct buffer b; 1167 /util/cbfstool/cbfs_image.c: 1187 in cbfs_payload_make_elf() 1181 1182 } 1183 1184 if (elf_writer_serialize(ew, &elf_out)) { 1185 ERROR("Unable to create ELF file from stage.\n"); 1186 elf_writer_destroy(ew);
CID 1361268: (RESOURCE_LEAK) Variable "segs" going out of scope leaks the storage it points to.
1187 return -1; 1188 } 1189 1190 /* Flip buffer with the created ELF one. */ 1191 buffer_delete(buff); 1192 *buff = elf_out; /util/cbfstool/cbfs_image.c: 1196 in cbfs_payload_make_elf() 1190 /* Flip buffer with the created ELF one. */ 1191 buffer_delete(buff); 1192 *buff = elf_out; 1193 1194 elf_writer_destroy(ew); 1195
CID 1361268: (RESOURCE_LEAK) Variable "segs" going out of scope leaks the storage it points to.
1196 return 0; 1197 } 1198 1199 int cbfs_export_entry(struct cbfs_image *image, const char *entry_name, 1200 const char *filename, uint32_t arch) 1201 {
** CID 1361266: (RESOURCE_LEAK) /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 178 in VbWriteNvStorage() /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 182 in VbWriteNvStorage() /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 184 in VbWriteNvStorage() /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 186 in VbWriteNvStorage() /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 189 in VbWriteNvStorage() /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 195 in VbWriteNvStorage()
________________________________________________________________________________________________________ *** CID 1361266: (RESOURCE_LEAK) /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 178 in VbWriteNvStorage() 172 173 int VbWriteNvStorage(VbNvContext* vnc) { 174 unsigned offs, blksz; 175 VbSharedDataHeader *sh = VbSharedDataRead(); 176 177 if (!vnc->raw_changed)
CID 1361266: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
178 return 0; /* Nothing changed, so no need to write */ 179 180 /* Get the byte offset from VBNV */ 181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0) 182 return -1; 183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0) /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 182 in VbWriteNvStorage() 176 177 if (!vnc->raw_changed) 178 return 0; /* Nothing changed, so no need to write */ 179 180 /* Get the byte offset from VBNV */ 181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0)
CID 1361266: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
182 return -1; 183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0) 184 return -1; 185 if (VBNV_BLOCK_SIZE > blksz) 186 return -1; /* NV storage block is too small */ 187 /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 184 in VbWriteNvStorage() 178 return 0; /* Nothing changed, so no need to write */ 179 180 /* Get the byte offset from VBNV */ 181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0) 182 return -1; 183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0)
CID 1361266: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
184 return -1; 185 if (VBNV_BLOCK_SIZE > blksz) 186 return -1; /* NV storage block is too small */ 187 188 if (0 != VbCmosWrite(offs, VBNV_BLOCK_SIZE, vnc->raw)) 189 return -1; /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 186 in VbWriteNvStorage() 180 /* Get the byte offset from VBNV */ 181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0) 182 return -1; 183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0) 184 return -1; 185 if (VBNV_BLOCK_SIZE > blksz)
CID 1361266: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
186 return -1; /* NV storage block is too small */ 187 188 if (0 != VbCmosWrite(offs, VBNV_BLOCK_SIZE, vnc->raw)) 189 return -1; 190 191 /* Also attempt to write using mosys if using vboot2 */ /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 189 in VbWriteNvStorage() 183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0) 184 return -1; 185 if (VBNV_BLOCK_SIZE > blksz) 186 return -1; /* NV storage block is too small */ 187 188 if (0 != VbCmosWrite(offs, VBNV_BLOCK_SIZE, vnc->raw))
CID 1361266: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
189 return -1; 190 191 /* Also attempt to write using mosys if using vboot2 */ 192 if (sh && (sh->flags & VBSD_BOOT_FIRMWARE_VBOOT2)) 193 VbWriteNvStorage_mosys(vnc); 194 /3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 195 in VbWriteNvStorage() 189 return -1; 190 191 /* Also attempt to write using mosys if using vboot2 */ 192 if (sh && (sh->flags & VBSD_BOOT_FIRMWARE_VBOOT2)) 193 VbWriteNvStorage_mosys(vnc); 194
CID 1361266: (RESOURCE_LEAK) Variable "sh" going out of scope leaks the storage it points to.
195 return 0; 196 } 197 198 199 /* 200 * Get buffer data from ACPI.
** CID 1361263: Error handling issues (NEGATIVE_RETURNS) /3rdparty/vboot/host/lib/crossystem.c: 743 in InAndroid()
________________________________________________________________________________________________________ *** CID 1361263: Error handling issues (NEGATIVE_RETURNS) /3rdparty/vboot/host/lib/crossystem.c: 743 in InAndroid() 737 struct stat s; 738 739 /* In Android, mosys utility located in /system/bin 740 check if file exists. Using fstat because for some 741 reason, stat() was seg faulting in Android */ 742 fd = open(MOSYS_ANDROID_PATH, O_RDONLY);
CID 1361263: Error handling issues (NEGATIVE_RETURNS) "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
743 if (fstat(fd, &s) == 0) { 744 close(fd); 745 return 1; 746 } 747 close(fd); 748 return 0;
** CID 1361261: Control flow issues (MISSING_BREAK) /src/soc/intel/quark/reg_access.c: 167 in reg_cpu_cr_write()
________________________________________________________________________________________________________ *** CID 1361261: Control flow issues (MISSING_BREAK) /src/soc/intel/quark/reg_access.c: 167 in reg_cpu_cr_write() 161 default: 162 die("ERROR - Unsupported CPU register!\n"); 163 164 case 0: 165 write_cr0(value); 166
CID 1361261: Control flow issues (MISSING_BREAK) The above case falls through to this one.
167 case 4: 168 write_cr4(value); 169 } 170 } 171 172 static uint32_t reg_gpe0_read(uint32_t reg_address)
** CID 1361259: Insecure data handling (INTEGER_OVERFLOW) /3rdparty/vboot/host/lib21/host_keyblock.c: 56 in vb21_keyblock_create()
________________________________________________________________________________________________________ *** CID 1361259: Insecure data handling (INTEGER_OVERFLOW) /3rdparty/vboot/host/lib21/host_keyblock.c: 56 in vb21_keyblock_create() 50 return VB2_KEYBLOCK_CREATE_DATA_KEY; 51 52 kb.sig_offset = kb.key_offset + key->c.total_size; 53 kb.c.total_size = kb.sig_offset + sig_size; 54 55 /* Allocate buffer and copy header and data key */
CID 1361259: Insecure data handling (INTEGER_OVERFLOW) Overflowed or truncated value (or a value computed from an overflowed or truncated value) "kb.c.total_size" used as critical argument to function. [Note: The source code implementation of the function has been overridden by a builtin model.]
56 buf = calloc(1, kb.c.total_size); 57 if (!buf) { 58 free(key); 59 return VB2_KEYBLOCK_CREATE_ALLOC; 60 } 61
** CID 1361254: (CHECKED_RETURN) /util/cbfstool/cbfs_image.c: 850 in cbfs_payload_decompress() /util/cbfstool/cbfs_image.c: 881 in cbfs_payload_decompress()
________________________________________________________________________________________________________ *** CID 1361254: (CHECKED_RETURN) /util/cbfstool/cbfs_image.c: 850 in cbfs_payload_decompress() 844 845 /* Find out and allocate the amount of memory occupied 846 * by the binary data */ 847 for (int i = 0; i < num_seg; i++) 848 new_buff_sz += segments[i].mem_len; 849
CID 1361254: (CHECKED_RETURN) Calling "buffer_create" without checking return value (as is done elsewhere 13 out of 16 times).
850 buffer_create(&new_buffer, new_buff_sz, "decompressed_buff"); 851 852 in_ptr = buffer_get(buff) + new_offset; 853 out_ptr = buffer_get(&new_buffer) + new_offset; 854 855 for (int i = 0; i < num_seg; i++) { /util/cbfstool/cbfs_image.c: 881 in cbfs_payload_decompress() 875 in_ptr += segments[i].len; 876 out_ptr += segments[i].len; 877 segments[i].compression = CBFS_COMPRESS_NONE; 878 continue; 879 } 880
CID 1361254: (CHECKED_RETURN) Calling "buffer_create" without checking return value (as is done elsewhere 13 out of 16 times).
881 buffer_create(&tbuff, segments[i].mem_len, "segment"); 882 883 if (decompress(in_ptr, segments[i].len, buffer_get(&tbuff), 884 (int) buffer_size(&tbuff), 885 &decomp_size)) { 886 ERROR("Couldn't decompress payload segment %u\n", i);
** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
________________________________________________________________________________________________________ *** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry() 1294 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e, 1295 struct buffer *b, size_t offset) 1296 { 1297 memset(e, 0, sizeof(*e)); 1298 1299 assert(strlen(b->name) <= sizeof(e->name));
CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) Calling strncpy with a maximum size argument of 12 bytes on destination array "e->name" of size 12 bytes might leave the destination string unterminated.
1300 strncpy((char *)e->name, (char *)b->name, sizeof(e->name)); 1301 e->offset = offset; 1302 e->length = buffer_size(b); 1303 1304 return (offset + buffer_size(b)); 1305 }
** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
________________________________________________________________________________________________________ *** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl() 1090 1091 if (read_from_image(context->input_image_filename, 1092 offset, bl_length, 1093 &image, &image_actual_size, file_type_bin)) { 1094 printf("Error reading image file %s.\n", 1095 context->input_image_filename);
CID 1353793: Resource leaks (RESOURCE_LEAK) Variable "image" going out of scope leaks the storage it points to.
1096 return -ENOMEM; 1097 } 1098 1099 pages_in_image = ICEIL(image_actual_size, page_size); 1100 1101 /* Create a local copy of the bl */
** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
________________________________________________________________________________________________________ *** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main() 236 context.input_image_filename); 237 goto fail; 238 } 239 240 /* Get BCT_SIZE from input image file */ 241 bct_size = get_bct_size_from_image(&context);
CID 1353781: Control flow issues (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "bct_size < 0U".
242 if (bct_size < 0) { 243 printf("Error: Invalid input image file %s\n", 244 context.input_image_filename); 245 goto fail; 246 } 247
** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares() 278 pspdir[4+4*i+2] = 1; 279 pspdir[4+4*i+3] = 0; 280 } else if (fw_table[i].filename != NULL) { 281 pspdir[4+4*i+0] = fw_table[i].type; 282 283 fd = open (fw_table[i].filename, O_RDONLY);
CID 1353028: Error handling issues (NEGATIVE_RETURNS) "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat); 285 pspdir[4+4*i+1] = fd_stat.st_size; 286 287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS; 288 pspdir[4+4*i+3] = 0; 289
** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares() 233 struct stat fd_stat; 234 int i; 235 236 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i ++) { 237 if (fw_table[i].filename != NULL) { 238 fd = open (fw_table[i].filename, O_RDONLY);
CID 1353027: Error handling issues (NEGATIVE_RETURNS) "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
239 fstat(fd, &fd_stat); 240 241 switch (fw_table[i].type) { 242 case AMD_FW_IMC: 243 pos = ALIGN(pos, 0x10000); 244 romsig[1] = pos + ROM_BASE_ADDRESS;
** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
________________________________________________________________________________________________________ *** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main() 291 begin_update(&context); 292 /* Signing the bct. */ 293 e = sign_bct(&context, context.bct); 294 if (e != 0) 295 printf("Signing BCT failed, error: %d.\n", e); 296
CID 1353022: Error handling issues (CHECKED_RETURN) Calling "fwrite" without checking return value (as is done elsewhere 34 out of 42 times).
297 fwrite(context.bct, 1, context.bct_size, 298 context.raw_file); 299 printf("New BCT file %s has been successfully generated!\n", 300 context.output_image_filename); 301 goto fail; 302 }
** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares() 284 fstat(fd, &fd_stat); 285 pspdir[4+4*i+1] = fd_stat.st_size; 286 287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS; 288 pspdir[4+4*i+3] = 0; 289
CID 1353021: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
290 read (fd, base+pos, fd_stat.st_size); 291 292 pos += fd_stat.st_size; 293 pos = ALIGN(pos, 0x100); 294 close (fd); 295 } else {
** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares() 278 pspdir[4+4*i+2] = 1; 279 pspdir[4+4*i+3] = 0; 280 } else if (fw_table[i].filename != NULL) { 281 pspdir[4+4*i+0] = fw_table[i].type; 282 283 fd = open (fw_table[i].filename, O_RDONLY);
CID 1353020: Error handling issues (CHECKED_RETURN) Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat); 285 pspdir[4+4*i+1] = fd_stat.st_size; 286 287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS; 288 pspdir[4+4*i+3] = 0; 289
** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares() 251 break; 252 default: 253 /* Error */ 254 break; 255 } 256
CID 1353019: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
257 read (fd, base+pos, fd_stat.st_size); 258 259 pos += fd_stat.st_size; 260 pos = ALIGN(pos, 0x100); 261 close (fd); 262 }
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
-
scan-admin@coverity.com