Hi,
Please find below the latest Coverity Scan report on new defect(s) introduced to coreboot.
Coverity Scan found 200 new defect(s) introduced to coreboot. 3 defect(s) reported by Coverity Scan earlier were marked fixed in the most recent build analyzed.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 200 defect(s)
** CID 1353327: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353327: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/als_opt3001.c: 34 in opt3001_i2c_write() 28 */ 29 static int opt3001_i2c_write(const int reg, int data) 30 { 31 int ret; 32 33 data = ((data << 8) & 0xFF00) | ((data >> 8) & 0x00FF);
CID 1353327: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C2" in call to "i2c_write16".
34 ret = i2c_write16(I2C_PORT_ALS, OPT3001_I2C_ADDR, reg, data); 35 36 return ret; 37 } 38 39 /**
** CID 1353326: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353326: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/als_opt3001.c: 18 in opt3001_i2c_read() 12 * Read register from OPT3001 light sensor. 13 */ 14 static int opt3001_i2c_read(const int reg, int *data_ptr) 15 { 16 int ret; 17
CID 1353326: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C2" in call to "i2c_read16".
18 ret = i2c_read16(I2C_PORT_ALS, OPT3001_I2C_ADDR, reg, data_ptr); 19 if (!ret) 20 *data_ptr = ((*data_ptr << 8) & 0xFF00) | 21 ((*data_ptr >> 8) & 0x00FF); 22 23 return ret;
** CID 1353325: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 65 in bd99992gw_init()
________________________________________________________________________________________________________ *** CID 1353325: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 65 in bd99992gw_init() 59 int i; 60 int active_channel_count = 0; 61 uint8_t pointer_reg = BD99992GW_REG_ADC1ADDR0; 62 63 /* Mark active channels from the board temp sensor table */ 64 for (i = 0; i < TEMP_SENSOR_COUNT; ++i)
CID 1353325: Memory - illegal accesses (OVERRUN) Overrunning array "temp_sensors" of 4 20-byte elements at element index 4 (byte offset 80) using index "i" (which evaluates to 4).
65 if (temp_sensors[i].read == bd99992gw_get_val) 66 active_channels[active_channel_count++] = 67 temp_sensors[i].idx; 68 69 /* Make sure we don't have too many active channels. */ 70 ASSERT(active_channel_count <= ARRAY_SIZE(active_channels));
** CID 1353324: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 74 in bd99992gw_init()
________________________________________________________________________________________________________ *** CID 1353324: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 74 in bd99992gw_init() 68 69 /* Make sure we don't have too many active channels. */ 70 ASSERT(active_channel_count <= ARRAY_SIZE(active_channels)); 71 72 /* Mark the first unused channel so we know where to stop searching */ 73 if (active_channel_count != ARRAY_SIZE(active_channels))
CID 1353324: Memory - corruptions (OVERRUN) Overrunning array "active_channels" of 8 4-byte elements at element index 9 (byte offset 36) using index "active_channel_count" (which evaluates to 9).
74 active_channels[active_channel_count] = 75 BD99992GW_ADC_CHANNEL_NONE; 76 77 /* Now write pointer regs with channel to monitor */ 78 for (i = 0; i < active_channel_count; ++i) 79 /* Write stop bit on last channel */
** CID 1353322: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353322: (OVERRUN) /3rdparty/chromeec/driver/charger/isl9237.c: 407 in console_command_amon_bmon() 401 * Get charger AMON and BMON current. 402 */ 403 static int console_command_amon_bmon(int argc, char **argv) 404 { 405 int adc, curr, val, ret; 406
CID 1353322: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_read16".
407 ret = i2c_read16(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, 408 ISL9237_REG_CONTROL1, &val); 409 if (ret) 410 return ret; 411 412 /* Enable monitor */ /3rdparty/chromeec/driver/charger/isl9237.c: 417 in console_command_amon_bmon() 411 412 /* Enable monitor */ 413 val &= ~ISL9237_C1_DISABLE_MON; 414 if (argc == 1 || (argc >= 2 && argv[1][0] == 'a')) { 415 /* Switch to AMON */ 416 val &= ~ISL9237_C1_SELECT_BMON;
CID 1353322: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
417 ret = i2c_write16(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, 418 ISL9237_REG_CONTROL1, val); 419 if (ret) 420 return ret; 421 422 adc = adc_read_channel(ADC_AMON_BMON); /3rdparty/chromeec/driver/charger/isl9237.c: 430 in console_command_amon_bmon() 424 CPRINTF("AMON: %d uV, %d mA\n", adc, curr); 425 } 426 427 if (argc == 1 || (argc >= 2 && argv[1][0] == 'b')) { 428 /* Switch to BMON */ 429 val |= ISL9237_C1_SELECT_BMON;
CID 1353322: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
430 ret = i2c_write16(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, 431 ISL9237_REG_CONTROL1, val); 432 if (ret) 433 return ret; 434 435 adc = adc_read_channel(ADC_AMON_BMON);
** CID 1353321: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353321: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/charger/isl9237.c: 58 in raw_write16() 52 { 53 return i2c_read16(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, offset, value); 54 } 55 56 static inline int raw_write16(int offset, int value) 57 {
CID 1353321: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
58 return i2c_write16(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, offset, value); 59 } 60 61 static int isl9237_set_current(uint16_t current) 62 { 63 return raw_write16(ISL9237_REG_CHG_CURRENT, CURRENT_TO_REG(current));
** CID 1353320: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353320: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/charger/isl9237.c: 53 in raw_read16() 47 { 48 return i2c_read8(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, offset, value); 49 } 50 51 static inline int raw_read16(int offset, int *value) 52 {
CID 1353320: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_read16".
53 return i2c_read16(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, offset, value); 54 } 55 56 static inline int raw_write16(int offset, int value) 57 { 58 return i2c_write16(I2C_PORT_CHARGER, I2C_ADDR_CHARGER, offset, value);
** CID 1353317: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 153 in temp_sensor_command_get_info() /3rdparty/chromeec/common/temp_sensor.c: 153 in temp_sensor_command_get_info()
________________________________________________________________________________________________________ *** CID 1353317: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 153 in temp_sensor_command_get_info() 147 struct ec_response_temp_sensor_get_info *r = args->response; 148 int id = p->id; 149 150 if (id >= TEMP_SENSOR_COUNT) 151 return EC_RES_ERROR; 152
CID 1353317: (OVERRUN) Overrunning array "temp_sensors" of 4 20-byte elements at element index 14 (byte offset 280) using index "id" (which evaluates to 14).
153 strzcpy(r->sensor_name, temp_sensors[id].name, sizeof(r->sensor_name)); 154 r->sensor_type = temp_sensors[id].type; 155 156 args->response_size = sizeof(*r); 157 158 return EC_RES_SUCCESS; 159 } 160 DECLARE_HOST_COMMAND(EC_CMD_TEMP_SENSOR_GET_INFO, 161 temp_sensor_command_get_info, /3rdparty/chromeec/common/temp_sensor.c: 153 in temp_sensor_command_get_info() 147 struct ec_response_temp_sensor_get_info *r = args->response; 148 int id = p->id; 149 150 if (id >= TEMP_SENSOR_COUNT) 151 return EC_RES_ERROR; 152
CID 1353317: (OVERRUN) Overrunning array "temp_sensors" of 4 20-byte elements at element index 4 (byte offset 80) using index "id" (which evaluates to 4).
153 strzcpy(r->sensor_name, temp_sensors[id].name, sizeof(r->sensor_name)); 154 r->sensor_type = temp_sensors[id].type; 155 156 args->response_size = sizeof(*r); 157 158 return EC_RES_SUCCESS; 159 } 160 DECLARE_HOST_COMMAND(EC_CMD_TEMP_SENSOR_GET_INFO, 161 temp_sensor_command_get_info,
** CID 1353316: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 114 in command_temps() /3rdparty/chromeec/common/temp_sensor.c: 114 in command_temps()
________________________________________________________________________________________________________ *** CID 1353316: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 114 in command_temps() 108 if (rv) 109 rv1 = rv; 110 111 switch (rv) { 112 case EC_SUCCESS: 113 ccprintf("%d K = %d C", t, K_TO_C(t));
CID 1353316: (OVERRUN) Overrunning array "thermal_params" of 4 20-byte elements at element index 14 (byte offset 280) using index "i" (which evaluates to 14).
114 if (thermal_params[i].temp_fan_off && 115 thermal_params[i].temp_fan_max) 116 ccprintf(" %d%%", 117 thermal_fan_percent( 118 thermal_params[i].temp_fan_off, 119 thermal_params[i].temp_fan_max, /3rdparty/chromeec/common/temp_sensor.c: 114 in command_temps() 108 if (rv) 109 rv1 = rv; 110 111 switch (rv) { 112 case EC_SUCCESS: 113 ccprintf("%d K = %d C", t, K_TO_C(t));
CID 1353316: (OVERRUN) Overrunning array "thermal_params" of 4 20-byte elements at element index 4 (byte offset 80) using index "i" (which evaluates to 4).
114 if (thermal_params[i].temp_fan_off && 115 thermal_params[i].temp_fan_max) 116 ccprintf(" %d%%", 117 thermal_fan_percent( 118 thermal_params[i].temp_fan_off, 119 thermal_params[i].temp_fan_max,
** CID 1353315: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 106 in command_temps() /3rdparty/chromeec/common/temp_sensor.c: 106 in command_temps()
________________________________________________________________________________________________________ *** CID 1353315: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 106 in command_temps() 100 static int command_temps(int argc, char **argv) 101 { 102 int t, i; 103 int rv, rv1 = EC_SUCCESS; 104 105 for (i = 0; i < TEMP_SENSOR_COUNT; ++i) {
CID 1353315: (OVERRUN) Overrunning array "temp_sensors" of 4 20-byte elements at element index 14 (byte offset 280) using index "i" (which evaluates to 14).
106 ccprintf(" %-20s: ", temp_sensors[i].name); 107 rv = temp_sensor_read(i, &t); 108 if (rv) 109 rv1 = rv; 110 111 switch (rv) { /3rdparty/chromeec/common/temp_sensor.c: 106 in command_temps() 100 static int command_temps(int argc, char **argv) 101 { 102 int t, i; 103 int rv, rv1 = EC_SUCCESS; 104 105 for (i = 0; i < TEMP_SENSOR_COUNT; ++i) {
CID 1353315: (OVERRUN) Overrunning array "temp_sensors" of 4 20-byte elements at element index 4 (byte offset 80) using index "i" (which evaluates to 4).
106 ccprintf(" %-20s: ", temp_sensors[i].name); 107 rv = temp_sensor_read(i, &t); 108 if (rv) 109 rv1 = rv; 110 111 switch (rv) {
** CID 1353314: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read() /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read()
________________________________________________________________________________________________________ *** CID 1353314: (OVERRUN) /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read() 20 const struct temp_sensor_t *sensor; 21 22 if (id < 0 || id >= TEMP_SENSOR_COUNT) 23 return EC_ERROR_INVAL; 24 sensor = temp_sensors + id; 25
CID 1353314: (OVERRUN) Overrunning array of 4 20-byte elements at element index 14 (byte offset 280) by dereferencing pointer "sensor".
26 return sensor->read(sensor->idx, temp_ptr); 27 } 28 29 static void update_mapped_memory(void) 30 { 31 int i, t; /3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read() 20 const struct temp_sensor_t *sensor; 21 22 if (id < 0 || id >= TEMP_SENSOR_COUNT) 23 return EC_ERROR_INVAL; 24 sensor = temp_sensors + id; 25
CID 1353314: (OVERRUN) Overrunning array of 4 20-byte elements at element index 4 (byte offset 80) by dereferencing pointer "sensor".
26 return sensor->read(sensor->idx, temp_ptr); 27 } 28 29 static void update_mapped_memory(void) 30 { 31 int i, t;
** CID 1353310: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353310: (OVERRUN) /3rdparty/chromeec/board/glados/battery.c: 50 in board_cut_off_battery() 44 /* Ship mode command must be sent twice to take effect */ 45 buf[0] = SB_MANUFACTURER_ACCESS & 0xff; 46 buf[1] = PARAM_CUT_OFF_LOW; 47 buf[2] = PARAM_CUT_OFF_HIGH; 48 49 i2c_lock(I2C_PORT_BATTERY, 1);
CID 1353310: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_xfer".
50 rv = i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 51 I2C_XFER_SINGLE); 52 rv |= i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 53 I2C_XFER_SINGLE); 54 i2c_lock(I2C_PORT_BATTERY, 0); 55 /3rdparty/chromeec/board/glados/battery.c: 52 in board_cut_off_battery() 46 buf[1] = PARAM_CUT_OFF_LOW; 47 buf[2] = PARAM_CUT_OFF_HIGH; 48 49 i2c_lock(I2C_PORT_BATTERY, 1); 50 rv = i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 51 I2C_XFER_SINGLE);
CID 1353310: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_xfer".
52 rv |= i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0, 53 I2C_XFER_SINGLE); 54 i2c_lock(I2C_PORT_BATTERY, 0); 55 56 return rv; 57 }
** CID 1353309: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
________________________________________________________________________________________________________ *** CID 1353309: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get() 254 args->response_size = sizeof(r_v1->get_count); 255 break; 256 case EC_GPIO_GET_INFO: 257 if (p_v1->get_info.index >= GPIO_COUNT) 258 return EC_RES_ERROR; 259
CID 1353309: Memory - corruptions (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 80.
260 i = p_v1->get_info.index; 261 len = strlen(g[i].name); 262 memcpy(r_v1->get_info.name, g[i].name, len+1); 263 r_v1->get_info.val = gpio_get_level(i); 264 r_v1->get_info.flags = g[i].flags; 265 args->response_size = sizeof(r_v1->get_info);
** CID 1353308: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get()
________________________________________________________________________________________________________ *** CID 1353308: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get() 255 break; 256 case EC_GPIO_GET_INFO: 257 if (p_v1->get_info.index >= GPIO_COUNT) 258 return EC_RES_ERROR; 259 260 i = p_v1->get_info.index;
CID 1353308: Memory - illegal accesses (OVERRUN) Overrunning array of 78 16-byte elements at element index 80 (byte offset 1280) by dereferencing pointer "g + i".
261 len = strlen(g[i].name); 262 memcpy(r_v1->get_info.name, g[i].name, len+1); 263 r_v1->get_info.val = gpio_get_level(i); 264 r_v1->get_info.flags = g[i].flags; 265 args->response_size = sizeof(r_v1->get_info); 266 break;
** CID 1353307: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
________________________________________________________________________________________________________ *** CID 1353307: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get() 163 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name); 164 165 return EC_SUCCESS; 166 } 167 168 /* Otherwise print them all */
CID 1353307: Memory - corruptions (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 80 on the true branch.
169 for (i = 0; i < GPIO_COUNT; i++, g++) { 170 if (!g->mask) 171 continue; /* Skip unsupported signals */ 172 173 v = gpio_get_level(i); 174 changed = last_val_changed(i, v);
** CID 1353306: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get()
________________________________________________________________________________________________________ *** CID 1353306: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get() 164 165 return EC_SUCCESS; 166 } 167 168 /* Otherwise print them all */ 169 for (i = 0; i < GPIO_COUNT; i++, g++) {
CID 1353306: Memory - illegal accesses (OVERRUN) Overrunning array of 78 16-byte elements at element index 80 (byte offset 1280) by dereferencing pointer "g".
170 if (!g->mask) 171 continue; /* Skip unsupported signals */ 172 173 v = gpio_get_level(i); 174 changed = last_val_changed(i, v); 175 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name);
** CID 1353305: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name()
________________________________________________________________________________________________________ *** CID 1353305: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name() 27 int i; 28 29 if (!name || !*name) 30 return GPIO_COUNT; 31 32 for (i = 0; i < GPIO_COUNT; i++, g++) {
CID 1353305: Memory - illegal accesses (OVERRUN) Overrunning array of 78 16-byte elements at element index 80 (byte offset 1280) by dereferencing pointer "g".
33 if (g->mask && !strcasecmp(name, g->name)) 34 return i; 35 } 36 37 return GPIO_COUNT; 38 }
** CID 1353293: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353293: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 32 in sbc_write() 26 { 27 return i2c_read16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param); 28 } 29 30 test_mockable int sbc_write(int cmd, int param) 31 {
CID 1353293: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
32 return i2c_write16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param); 33 } 34 35 test_mockable int sb_read(int cmd, int *param) 36 { 37 #ifdef CONFIG_BATTERY_CUT_OFF
** CID 1353292: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353292: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 27 in sbc_read() 21 #define BATTERY_NO_RESPONSE_TIMEOUT (1000*MSEC) 22 23 static int fake_state_of_charge = -1; 24 25 test_mockable int sbc_read(int cmd, int *param) 26 {
CID 1353292: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_read16".
27 return i2c_read16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param); 28 } 29 30 test_mockable int sbc_write(int cmd, int param) 31 { 32 return i2c_write16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param);
** CID 1353291: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353291: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/battery/smart.c: 69 in sb_write() 63 if (battery_is_cut_off()) 64 return EC_RES_ACCESS_DENIED; 65 #endif 66 #ifdef CONFIG_SMBUS 67 return smbus_write_word(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param); 68 #else
CID 1353291: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
69 return i2c_write16(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param); 70 #endif 71 } 72 73 int sb_read_string(int port, int slave_addr, int offset, uint8_t *data, 74 int len)
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/coreboot?tab=overview