Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
5 new defect(s) introduced to coreboot found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 5 of 5 defect(s)
** CID 1488867: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set()
________________________________________________________________________________________________________ *** CID 1488867: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set() 39 min base bit set and maximum size bit set. */ 40 if (addr_lsb > size_msb) 41 mtrr_size = 1 << size_msb; 42 else 43 mtrr_size = 1 << addr_lsb; 44
CID 1488867: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "(uint64_t)addr >> 32" is 0 regardless of the values of its operands. This occurs as the operand of assignment.
45 base.hi = (uint64_t)addr >> 32; 46 base.lo = addr | type; 47 mask.hi = upper_mask; 48 mask.lo = ~(mtrr_size - 1) | MTRR_PHYS_MASK_VALID; 49 ctx->mtrr[ctx->used_var_mtrrs].base = base; 50 ctx->mtrr[ctx->used_var_mtrrs].mask = mask;
** CID 1488866: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 121 in read_soft_fuse() /util/amdfwtool/amdfwread.c: 121 in read_soft_fuse()
________________________________________________________________________________________________________ *** CID 1488866: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 121 in read_soft_fuse() 115 &current_entries, &num_current_entries) != 0) 116 return 1; 117 118 while (1) { 119 uint32_t l2_dir_offset = 0; 120
CID 1488866: (TAINTED_SCALAR) Using tainted variable "num_current_entries" as a loop boundary.
121 for (size_t i = 0; i < num_current_entries; i++) { 122 uint32_t type = current_entries[i].type; 123 if (type == AMD_PSP_FUSE_CHAIN) { 124 uint64_t mode = current_entries[i].address_mode; 125 uint64_t addr = current_entries[i].addr; 126 uint64_t fuse = mode << 62 | addr; /util/amdfwtool/amdfwread.c: 121 in read_soft_fuse() 115 &current_entries, &num_current_entries) != 0) 116 return 1; 117 118 while (1) { 119 uint32_t l2_dir_offset = 0; 120
CID 1488866: (TAINTED_SCALAR) Using tainted variable "num_current_entries" as a loop boundary.
121 for (size_t i = 0; i < num_current_entries; i++) { 122 uint32_t type = current_entries[i].type; 123 if (type == AMD_PSP_FUSE_CHAIN) { 124 uint64_t mode = current_entries[i].address_mode; 125 uint64_t addr = current_entries[i].addr; 126 uint64_t fuse = mode << 62 | addr;
** CID 1488865: Integer handling issues (BAD_SHIFT) /src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set()
________________________________________________________________________________________________________ *** CID 1488865: Integer handling issues (BAD_SHIFT) /src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set() 39 min base bit set and maximum size bit set. */ 40 if (addr_lsb > size_msb) 41 mtrr_size = 1 << size_msb; 42 else 43 mtrr_size = 1 << addr_lsb; 44
CID 1488865: Integer handling issues (BAD_SHIFT) In expression "(uint64_t)addr >> 32", right shifting "addr" by more than 31 bits always yields zero. The shift amount is 32.
45 base.hi = (uint64_t)addr >> 32; 46 base.lo = addr | type; 47 mask.hi = upper_mask; 48 mask.lo = ~(mtrr_size - 1) | MTRR_PHYS_MASK_VALID; 49 ctx->mtrr[ctx->used_var_mtrrs].base = base; 50 ctx->mtrr[ctx->used_var_mtrrs].mask = mask;
** CID 1488864: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 91 in read_psp_directory() /util/amdfwtool/amdfwread.c: 92 in read_psp_directory()
________________________________________________________________________________________________________ *** CID 1488864: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 91 in read_psp_directory() 85 expected_cookie, header->cookie); 86 return 1; 87 } 88 89 /* Read the entries */ 90 *num_entries = header->num_entries;
CID 1488864: (TAINTED_SCALAR) Passing tainted expression "16UL * header->num_entries" to "malloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.]
91 *entries = malloc(sizeof(psp_directory_entry) * header->num_entries); 92 if (fread(*entries, sizeof(psp_directory_entry), header->num_entries, fw) 93 != header->num_entries) { 94 ERR("Failed to read %d PSP entries\n", header->num_entries); 95 return 1; 96 } /util/amdfwtool/amdfwread.c: 92 in read_psp_directory() 86 return 1; 87 } 88 89 /* Read the entries */ 90 *num_entries = header->num_entries; 91 *entries = malloc(sizeof(psp_directory_entry) * header->num_entries);
CID 1488864: (TAINTED_SCALAR) Passing tainted expression "header->num_entries" to "fread", which uses it as an offset.
92 if (fread(*entries, sizeof(psp_directory_entry), header->num_entries, fw) 93 != header->num_entries) { 94 ERR("Failed to read %d PSP entries\n", header->num_entries); 95 return 1; 96 } 97
** CID 1488863: (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 129 in read_soft_fuse() /util/amdfwtool/amdfwread.c: 152 in read_soft_fuse() /util/amdfwtool/amdfwread.c: 116 in read_soft_fuse() /util/amdfwtool/amdfwread.c: 129 in read_soft_fuse()
________________________________________________________________________________________________________ *** CID 1488863: (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 129 in read_soft_fuse() 123 if (type == AMD_PSP_FUSE_CHAIN) { 124 uint64_t mode = current_entries[i].address_mode; 125 uint64_t addr = current_entries[i].addr; 126 uint64_t fuse = mode << 62 | addr; 127 128 printf("Soft-fuse:0x%lx\n", fuse);
CID 1488863: (RESOURCE_LEAK) Variable "current_entries" going out of scope leaks the storage it points to.
129 return 0; 130 } else if (type == AMD_FW_L2_PTR) { 131 /* There's a second level PSP directory to read */ 132 if (l2_dir_offset != 0) 133 return 1; 134 /util/amdfwtool/amdfwread.c: 152 in read_soft_fuse() 146 /* Read the L2 PSP directory */ 147 if (read_psp_directory(fw, l2_dir_offset, PSPL2_COOKIE, &header, 148 &current_entries, &num_current_entries) != 0) 149 break; 150 } 151
CID 1488863: (RESOURCE_LEAK) Variable "current_entries" going out of scope leaks the storage it points to.
152 return 1; 153 } 154 155 enum { 156 AMDFW_OPT_HELP = 'h', 157 /util/amdfwtool/amdfwread.c: 116 in read_soft_fuse() 110 else 111 psp_offset = fw_header->new_psp_directory; 112 113 psp_directory_header header; 114 if (read_psp_directory(fw, psp_offset, PSP_COOKIE, &header, 115 &current_entries, &num_current_entries) != 0)
CID 1488863: (RESOURCE_LEAK) Variable "current_entries" going out of scope leaks the storage it points to.
116 return 1; 117 118 while (1) { 119 uint32_t l2_dir_offset = 0; 120 121 for (size_t i = 0; i < num_current_entries; i++) { /util/amdfwtool/amdfwread.c: 129 in read_soft_fuse() 123 if (type == AMD_PSP_FUSE_CHAIN) { 124 uint64_t mode = current_entries[i].address_mode; 125 uint64_t addr = current_entries[i].addr; 126 uint64_t fuse = mode << 62 | addr; 127 128 printf("Soft-fuse:0x%lx\n", fuse);
CID 1488863: (RESOURCE_LEAK) Variable "current_entries" going out of scope leaks the storage it points to.
129 return 0; 130 } else if (type == AMD_FW_L2_PTR) { 131 /* There's a second level PSP directory to read */ 132 if (l2_dir_offset != 0) 133 return 1; 134