Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
9 new defect(s) were introduced to coreboot and found with Coverity Scan. 2 defect(s) reported earlier by Coverity Scan were marked fixed in the most recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)
** CID 1399155: Null pointer dereferences (REVERSE_INULL) /src/soc/intel/skylake/acpi.c: 521 in generate_cpu_entries()
________________________________________________________________________________________________________ *** CID 1399155: Null pointer dereferences (REVERSE_INULL) /src/soc/intel/skylake/acpi.c: 521 in generate_cpu_entries() 515 else 516 max_c_state = ARRAY_SIZE(cstate_set_non_s0ix); 517 518 printk(BIOS_DEBUG, "Found %d CPU(s) with %d core(s) each.\n", 519 numcpus, cores_per_package); 520
CID 1399155: Null pointer dereferences (REVERSE_INULL) Null-checking "config" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
521 if (config && config->eist_enable && config->speed_shift_enable) { 522 struct cppc_config cppc_config; 523 cpu_init_cppc_config(&cppc_config, 2 /* version 2 */); 524 acpigen_write_CPPC_package(&cppc_config); 525 } 526
** CID 1399154: Uninitialized variables (UNINIT) /src/mainboard/sifive/hifive-unleashed/fixup_fdt.c: 102 in fixup_fdt()
________________________________________________________________________________________________________ *** CID 1399154: Uninitialized variables (UNINIT) /src/mainboard/sifive/hifive-unleashed/fixup_fdt.c: 102 in fixup_fdt() 96 /* convert the tree to a flat dt */ 97 void *dt = malloc(dt_flat_size(tree)); 98 dt_flatten(tree, dt); 99 100 /* update HLS */ 101 for (int i = 0; i < CONFIG_MAX_CPUS; i++)
CID 1399154: Uninitialized variables (UNINIT) Using uninitialized value "sp".
102 OTHER_HLS(i)->fdt = dt; 103 } 104
** CID 1399153: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 1399153: Uninitialized variables (UNINIT) /src/arch/x86/acpi.c: 166 in acpi_create_madt_lapics() 160 if (!cpu->enabled) 161 continue; 162 if (num_cpus >= ARRAY_SIZE(apic_ids)) 163 break; 164 apic_ids[num_cpus++] = cpu->path.apic.apic_id; 165 }
CID 1399153: Uninitialized variables (UNINIT) Using uninitialized element of array "apic_ids" when calling "bubblesort".
166 bubblesort(apic_ids, num_cpus, NUM_ASCENDING); 167 for (index = 0; index < num_cpus; index++) { 168 current += acpi_create_madt_lapic((acpi_madt_lapic_t *)current, 169 index, apic_ids[index]); 170 } 171
** CID 1399152: (UNINIT) /src/arch/riscv/stages.c: 41 in stage_entry() /src/arch/riscv/stages.c: 42 in stage_entry()
________________________________________________________________________________________________________ *** CID 1399152: (UNINIT) /src/arch/riscv/stages.c: 41 in stage_entry() 35 { 36 /* 37 * Save the FDT pointer before entering ramstage, because mscratch 38 * might be overwritten in the trap handler, and there is code in 39 * ramstage that generates misaligned access faults. 40 */
CID 1399152: (UNINIT) Using uninitialized value "sp".
41 HLS()->hart_id = hart_id; 42 HLS()->fdt = fdt; 43 smp_pause(CONFIG_RISCV_WORKING_HARTID); 44 45 main(); /src/arch/riscv/stages.c: 42 in stage_entry() 36 /* 37 * Save the FDT pointer before entering ramstage, because mscratch 38 * might be overwritten in the trap handler, and there is code in 39 * ramstage that generates misaligned access faults. 40 */ 41 HLS()->hart_id = hart_id;
CID 1399152: (UNINIT) Using uninitialized value "sp".
42 HLS()->fdt = fdt; 43 smp_pause(CONFIG_RISCV_WORKING_HARTID); 44 45 main();
** CID 1399151: Integer handling issues (DIVIDE_BY_ZERO)
________________________________________________________________________________________________________ *** CID 1399151: Integer handling issues (DIVIDE_BY_ZERO) /src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 145 in init_octeon_dram_interface() 139 140 restart_lmc_init: 141 142 /* Poke the watchdog timer so it doesn't expire during DRAM init */ 143 bdk_watchdog_poke(); 144
CID 1399151: Integer handling issues (DIVIDE_BY_ZERO) In the function call "init_octeon3_ddr3_interface", division by the expression "ddr_hertz", which may be zero, has undefined behavior.
145 mem_size_mbytes = init_octeon3_ddr3_interface(node, 146 ddr_configuration, 147 ddr_hertz, 148 cpu_hertz, 149 ddr_ref_hertz, 150 board_type,
** CID 1399150: Insecure data handling (TAINTED_SCALAR) /src/mainboard/emulation/qemu-i440fx/fw_cfg.c: 70 in fw_cfg_find_file()
________________________________________________________________________________________________________ *** CID 1399150: Insecure data handling (TAINTED_SCALAR) /src/mainboard/emulation/qemu-i440fx/fw_cfg.c: 70 in fw_cfg_find_file() 64 uint32_t count = 0; 65 66 fw_cfg_select(FW_CFG_FILE_DIR); 67 fw_cfg_read(&count, sizeof(count)); 68 count = be32_to_cpu(count); 69
CID 1399150: Insecure data handling (TAINTED_SCALAR) Using tainted variable "count" as a loop boundary.
70 for (int i = 0; i < count; i++) { 71 fw_cfg_read(file, sizeof(*file)); 72 if (strcmp(file->name, name) == 0) { 73 file->size = be32_to_cpu(file->size); 74 file->select = be16_to_cpu(file->select); 75 return 0;
** CID 1399149: Null pointer dereferences (REVERSE_INULL) /src/southbridge/intel/i82801gx/pcie.c: 198 in root_port_commit_config()
________________________________________________________________________________________________________ *** CID 1399149: Null pointer dereferences (REVERSE_INULL) /src/southbridge/intel/i82801gx/pcie.c: 198 in root_port_commit_config() 192 193 for (i = 0; i < rpc.num_ports; i++) { 194 struct device *pcie_dev; 195 196 pcie_dev = rpc.ports[i]; 197
CID 1399149: Null pointer dereferences (REVERSE_INULL) Null-checking "dev" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
198 if (dev == NULL) { 199 printk(BIOS_ERR, "Root Port %d device is NULL?\n", 200 i + 1); 201 continue; 202 } 203
** CID 1399148: (UNINIT) /src/arch/riscv/boot.c: 42 in do_arch_prog_run() /src/arch/riscv/boot.c: 50 in do_arch_prog_run()
________________________________________________________________________________________________________ *** CID 1399148: (UNINIT) /src/arch/riscv/boot.c: 42 in do_arch_prog_run() 36 37 /* 38 * If prog_entry_arg is not set (e.g. by fit_payload), use fdt from HLS 39 * instead. 40 */ 41 if (fdt == NULL)
CID 1399148: (UNINIT) Using uninitialized value "sp".
42 fdt = HLS()->fdt; 43 44 if (ENV_RAMSTAGE && prog_type(prog) == PROG_PAYLOAD) { 45 run_payload(prog, fdt, RISCV_PAYLOAD_MODE_S); 46 return; 47 } /src/arch/riscv/boot.c: 50 in do_arch_prog_run() 44 if (ENV_RAMSTAGE && prog_type(prog) == PROG_PAYLOAD) { 45 run_payload(prog, fdt, RISCV_PAYLOAD_MODE_S); 46 return; 47 } 48 49 doit = prog_entry(prog);
CID 1399148: (UNINIT) Using uninitialized value "sp".
50 hart_id = HLS()->hart_id; 51 52 doit(hart_id, fdt); 53 } 54 55 void arch_prog_run(struct prog *prog) 56 { 57 smp_resume((void (*)(void *))do_arch_prog_run, prog);
** CID 1399147: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________ *** CID 1399147: Null pointer dereferences (NULL_RETURNS) /src/mainboard/sifive/hifive-unleashed/fixup_fdt.c: 90 in fixup_fdt() 84 struct device_tree *tree; 85 86 /* load flat dt from cbfs */ 87 fdt_rom = cbfs_boot_map_with_leak("fallback/DTB", CBFS_TYPE_RAW, NULL); 88 89 /* Expand DT into a tree */
CID 1399147: Null pointer dereferences (NULL_RETURNS) Dereferencing the pointer "fdt_rom", which might be null, when calling "fdt_unflatten".
90 tree = fdt_unflatten(fdt_rom); 91 92 /* fixup tree */ 93 fixup_mac(tree->root); 94 fixup_memory(tree->root); 95
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...