Hi,
Please find the latest report on new defect(s) introduced to coreboot, found with Coverity Scan.
12 new defect(s) introduced to coreboot found with Coverity Scan. 9 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1404005: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset()
________________________________________________________________________________________________________ *** CID 1404005: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset() 73 74 /* Note: must be called with fifo->qlock held */ 75 static inline void __sbi_fifo_reset(struct sbi_fifo *fifo) 76 { 77 fifo->avail = 0; 78 fifo->tail = 0;
CID 1404005: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "fifo->entry_size" with type "u16" (16 bits, unsigned) is promoted in "fifo->num_entries * fifo->entry_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "fifo->num_entries * fifo->entry_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
79 sbi_memset(fifo->queue, 0, fifo->num_entries * fifo->entry_size); 80 } 81 82 bool sbi_fifo_reset(struct sbi_fifo *fifo) 83 { 84 if (!fifo)
** CID 1404004: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/utils/irqchip/plic.c: 57 in plic_fdt_fixup()
________________________________________________________________________________________________________ *** CID 1404004: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/utils/irqchip/plic.c: 57 in plic_fdt_fixup() 51 { 52 u32 *cells; 53 int i, cells_count; 54 u32 plic_off; 55 56 plic_off = fdt_node_offset_by_compatible(fdt, 0, compat);
CID 1404004: Control flow issues (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "plic_off < 0U".
57 if (plic_off < 0) 58 return; 59 60 cells = (u32 *)fdt_getprop(fdt, plic_off, 61 "interrupts-extended", &cells_count); 62 if (!cells)
** CID 1404003: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1404003: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/riscv_atomic.c: 221 in atomic_clear_bit() 215 { 216 return atomic_raw_set_bit(nr, (unsigned long *)&atom->counter); 217 } 218 219 inline int atomic_clear_bit(int nr, atomic_t *atom) 220 {
CID 1404003: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "(unsigned long *)&atom->counter" to function "atomic_raw_clear_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
221 return atomic_raw_clear_bit(nr, (unsigned long *)&atom->counter);
** CID 1404002: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset()
________________________________________________________________________________________________________ *** CID 1404002: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 79 in __sbi_fifo_reset() 73 74 /* Note: must be called with fifo->qlock held */ 75 static inline void __sbi_fifo_reset(struct sbi_fifo *fifo) 76 { 77 fifo->avail = 0; 78 fifo->tail = 0;
CID 1404002: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "fifo->num_entries" with type "u16" (16 bits, unsigned) is promoted in "fifo->num_entries * fifo->entry_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "fifo->num_entries * fifo->entry_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
79 sbi_memset(fifo->queue, 0, fifo->num_entries * fifo->entry_size); 80 } 81 82 bool sbi_fifo_reset(struct sbi_fifo *fifo) 83 { 84 if (!fifo)
** CID 1404001: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1404001: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/riscv_atomic.c: 216 in atomic_set_bit() 210 { 211 return __atomic_op_bit(and, __NOT, nr, addr); 212 } 213 214 inline int atomic_set_bit(int nr, atomic_t *atom) 215 {
CID 1404001: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "(unsigned long *)&atom->counter" to function "atomic_raw_set_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
216 return atomic_raw_set_bit(nr, (unsigned long *)&atom->counter); 217 } 218 219 inline int atomic_clear_bit(int nr, atomic_t *atom) 220 { 221 return atomic_raw_clear_bit(nr, (unsigned long *)&atom->counter);
** CID 1404000: Insecure data handling (TAINTED_SCALAR) /src/drivers/crb/tpm.c: 257 in tpm2_process_command()
________________________________________________________________________________________________________ *** CID 1404000: Insecure data handling (TAINTED_SCALAR) /src/drivers/crb/tpm.c: 257 in tpm2_process_command() 251 252 /* Response has to have at least 6 bytes */ 253 if (length < 6) 254 return 1; 255 256 // Copy Response
CID 1404000: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "length" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
257 memcpy(tpm2_response, control_area.response_bfr, length); 258 259 if (crb_switch_to_ready()) { 260 printk(BIOS_DEBUG, "TPM: Can not transition into ready state again.\n"); 261 return -1; 262 }
** CID 1403999: Null pointer dereferences (FORWARD_NULL) /3rdparty/opensbi/lib/sbi/sbi_tlb.c: 74 in sbi_tlb_fifo_update_cb()
________________________________________________________________________________________________________ *** CID 1403999: Null pointer dereferences (FORWARD_NULL) /3rdparty/opensbi/lib/sbi/sbi_tlb.c: 74 in sbi_tlb_fifo_update_cb() 68 69 if (!in && !!data) 70 return ret; 71 72 curr = (struct sbi_tlb_info *)data; 73 next = (struct sbi_tlb_info *)in;
CID 1403999: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "next".
74 if (next->type == SBI_TLB_FLUSH_VMA_ASID && 75 curr->type == SBI_TLB_FLUSH_VMA_ASID) { 76 if (next->asid == curr->asid) 77 ret = __sbi_tlb_fifo_range_check(curr, next); 78 } else if (next->type == SBI_TLB_FLUSH_VMA && 79 curr->type == SBI_TLB_FLUSH_VMA) {
** CID 1403998: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init()
________________________________________________________________________________________________________ *** CID 1403998: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init() 17 { 18 fifo->queue = queue_mem; 19 fifo->num_entries = entries; 20 fifo->entry_size = entry_size; 21 SPIN_LOCK_INIT(&fifo->qlock); 22 fifo->avail = fifo->tail = 0;
CID 1403998: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "entry_size" with type "u16" (16 bits, unsigned) is promoted in "entries * entry_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "entries * entry_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
23 sbi_memset(fifo->queue, 0, entries * entry_size); 24 } 25 26 /* Note: must be called with fifo->qlock held */ 27 static inline bool __sbi_fifo_is_full(struct sbi_fifo *fifo) 28 {
** CID 1403997: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init()
________________________________________________________________________________________________________ *** CID 1403997: Integer handling issues (SIGN_EXTENSION) /3rdparty/opensbi/lib/sbi/sbi_fifo.c: 23 in sbi_fifo_init() 17 { 18 fifo->queue = queue_mem; 19 fifo->num_entries = entries; 20 fifo->entry_size = entry_size; 21 SPIN_LOCK_INIT(&fifo->qlock); 22 fifo->avail = fifo->tail = 0;
CID 1403997: Integer handling issues (SIGN_EXTENSION) Suspicious implicit sign extension: "entries" with type "u16" (16 bits, unsigned) is promoted in "entries * entry_size" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "entries * entry_size" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
23 sbi_memset(fifo->queue, 0, entries * entry_size); 24 } 25 26 /* Note: must be called with fifo->qlock held */ 27 static inline bool __sbi_fifo_is_full(struct sbi_fifo *fifo) 28 {
** CID 1403996: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /3rdparty/opensbi/lib/sbi/sbi_hart.c: 349 in sbi_hart_wait_for_coldboot()
________________________________________________________________________________________________________ *** CID 1403996: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /3rdparty/opensbi/lib/sbi/sbi_hart.c: 349 in sbi_hart_wait_for_coldboot() 343 wfi(); 344 mipval = csr_read(CSR_MIP); 345 346 spin_lock(&coldboot_wait_bitmap_lock); 347 coldboot_wait_bitmap &= ~(1UL << hartid); 348 spin_unlock(&coldboot_wait_bitmap_lock);
CID 1403996: Integer handling issues (CONSTANT_EXPRESSION_RESULT) The expression "mipval && 1 /* 1 << 3 */" is suspicious because it performs a Boolean operation on a constant other than 0 or 1. Because the right-hand operand of "&&" is a non-zero constant, the expression reduces to "mipval != 0", so the MIP_MSIP mask contributes nothing to the result; presumably a bitwise "&" was intended.
349 } while (!(mipval && MIP_MSIP)); 350 351 csr_clear(CSR_MIP, MIP_MSIP); 352 } 353 354 void sbi_hart_wake_coldboot_harts(struct sbi_scratch *scratch, u32 hartid)
** CID 1403995: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1403995: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_ipi.c: 122 in sbi_ipi_process() 116 sbi_tlb_fifo_process(scratch, ipi_event); 117 break; 118 case SBI_IPI_EVENT_HALT: 119 sbi_hart_hang(); 120 break; 121 };
CID 1403995: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&ipi_data->ipi_type" to function "atomic_raw_clear_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
122 ipi_type = atomic_raw_clear_bit(ipi_event, &ipi_data->ipi_type); 123 } while (ipi_type > 0); 124 } 125 126 int sbi_ipi_init(struct sbi_scratch *scratch, bool cold_boot) 127 {
** CID 1403994: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________ *** CID 1403994: Memory - corruptions (ARRAY_VS_SINGLETON) /3rdparty/opensbi/lib/sbi/sbi_ipi.c: 50 in sbi_ipi_send() 44 ret = sbi_tlb_fifo_update(remote_scratch, event, data); 45 if (ret > 0) 46 goto done; 47 else if (ret < 0) 48 return ret; 49 }
CID 1403994: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&ipi_data->ipi_type" to function "atomic_raw_set_bit" which uses it as an array. This might corrupt or misinterpret adjacent memory locations.
50 atomic_raw_set_bit(event, &ipi_data->ipi_type); 51 mb(); 52 sbi_platform_ipi_send(plat, hartid); 53 if (event != SBI_IPI_EVENT_SOFT) 54 sbi_platform_ipi_sync(plat, hartid); 55
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...