Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
4 new defect(s) introduced to coreboot found with Coverity Scan. 175 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)
** CID 1430219: Security best practices violations (SECURE_TEMP)
/3rdparty/vboot/host/lib/flashrom.c: 50 in write_temp_file()

________________________________________________________________________________________________________
*** CID 1430219: Security best practices violations (SECURE_TEMP)
/3rdparty/vboot/host/lib/flashrom.c: 50 in write_temp_file()
44      vb2_error_t rv;
45      char *path;
46
47      *path_out = NULL;
48      path = strdup(P_tmpdir "/vb2_flashrom.XXXXXX");
49
    CID 1430219: Security best practices violations (SECURE_TEMP)
    Calling "mkstemp" without securely setting umask first.
50      fd = mkstemp(path);
51      if (fd < 0) {
52          rv = VB2_ERROR_WRITE_FILE_OPEN;
53          goto fail;
54      }
55
** CID 1430218: Integer handling issues (BAD_SHIFT)
/src/ec/google/chromeec/ec.c: 397 in google_chromeec_log_events()

________________________________________________________________________________________________________
*** CID 1430218: Integer handling issues (BAD_SHIFT)
/src/ec/google/chromeec/ec.c: 397 in google_chromeec_log_events()
391
392      if (!CONFIG(ELOG))
393          return;
394
395      events = google_chromeec_get_events_b() & mask;
396      for (i = 0; i < sizeof(events) * 8; i++) {
    CID 1430218: Integer handling issues (BAD_SHIFT)
    In expression "1ULL << i - 1", shifting by a negative amount has undefined behavior. The shift amount, "i - 1", is -1.
397          if (EC_HOST_EVENT_MASK(i) & events)
398              elog_add_event_byte(ELOG_TYPE_EC_EVENT, i);
399      }
400
401      google_chromeec_clear_events_b(events);
402  }
** CID 1429776: Memory - corruptions (OVERRUN)

________________________________________________________________________________________________________
*** CID 1429776: Memory - corruptions (OVERRUN)
/src/soc/amd/picasso/fsp_params.c: 94 in fsp_fill_pcie_ddi_descriptors()
88      const fsp_ddi_descriptor *fsp_ddi;
89      size_t num_pcie;
90      size_t num_ddi;
91
92      mainboard_get_pcie_ddi_descriptors(&fsp_pcie, &num_pcie,
93                          &fsp_ddi, &num_ddi);
    CID 1429776: Memory - corruptions (OVERRUN)
    Overrunning callee's array of size 1 by passing argument "num_pcie" (which evaluates to 3) in call to "fill_pcie_descriptors".
94      fill_pcie_descriptors(scfg, fsp_pcie, num_pcie);
95      fill_ddi_descriptors(scfg, fsp_ddi, num_ddi);
96  }
97
98  static void fsp_usb_oem_customization(FSP_S_CONFIG *scfg,
99              const struct soc_amd_picasso_config *cfg)
** CID 1072951: Memory - illegal accesses (BUFFER_SIZE)
/tests/lib/string-test.c: 149 in test_strncpy()

________________________________________________________________________________________________________
*** CID 1072951: Memory - illegal accesses (BUFFER_SIZE)
/tests/lib/string-test.c: 149 in test_strncpy()
143      /* n1 case */
144
145      /* Needed for ensuring that characters behind the limit
146         are not overwritten */
147      memset(dst, 'x', dst_len);
148
    CID 1072951: Memory - illegal accesses (BUFFER_SIZE)
    Calling "strncpy" with a source string whose length (5 chars) is greater than or equal to the size argument (2) will fail to null-terminate "dst".
149      strncpy(dst, src, n1);
150
151      assert_int_equal(0, memcmp(dst, src, n1));
152
153      for (i = n1; i < dst_len; i++)
154          assert_true(dst[i] == 'x');

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklA...