Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
17 new defect(s) introduced to coreboot found with Coverity Scan. 6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 17 of 17 defect(s)
** CID 1295501: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 464 in gpio_get()
________________________________________________________________________________________________________ *** CID 1295501: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 464 in gpio_get() 458 { 459 struct cygnus_gpio *chip; 460 unsigned gpio_num; 461 462 chip = cygnus_get_gpio_core(gpio, &gpio_num); 463 if (chip == NULL) {
CID 1295501: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "chip".
464 dev_dbg(chip, "unable to find chip for gpio %d", gpio); 465 return -1; 466 } 467 468 return cygnus_gpio_get(chip, gpio_num); 469 }
** CID 1295500: Control flow issues (DEADCODE) /src/soc/broadcom/cygnus/shmoo_and28.c: 4278 in soc_and28_shmoo_ctl()
________________________________________________________________________________________________________ *** CID 1295500: Control flow issues (DEADCODE) /src/soc/broadcom/cygnus/shmoo_and28.c: 4278 in soc_and28_shmoo_ctl() 4272 4273 if(!stat) 4274 { 4275 scPtr = &shmoo_container; 4276 if(scPtr == NULL) 4277 {
CID 1295500: Control flow issues (DEADCODE) Execution cannot reach this statement: "return 4;".
4278 return SOC_E_MEMORY; 4279 } 4280 sal_memset(scPtr, 0, sizeof(and28_shmoo_container_t)); 4281 4282 if(phy_ndx != SHMOO_AND28_INTERFACE_RSVP) 4283 {
** CID 1295499: Control flow issues (DEADCODE) /src/soc/intel/common/nvm.c: 113 in nvm_is_write_protected()
________________________________________________________________________________________________________ *** CID 1295499: Control flow issues (DEADCODE) /src/soc/intel/common/nvm.c: 113 in nvm_is_write_protected() 107 } 108 wp_spi = !!(sr1 & 0x80); 109 110 printk(BIOS_DEBUG, "SPI flash protection: WPSW=%d SRP0=%d\n", 111 wp_gpio, wp_spi); 112
CID 1295499: Control flow issues (DEADCODE) Execution cannot reach the expression "wp_spi" inside this statement: "return wp_gpio && wp_spi;".
113 return wp_gpio && wp_spi; 114 } 115 116 /* Apply protection to a range of flash */ 117 int nvm_protect(void *start, size_t size) 118 {
** CID 1295498: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 404 in gpio_free()
________________________________________________________________________________________________________ *** CID 1295498: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 404 in gpio_free() 398 { 399 struct cygnus_gpio *chip; 400 unsigned gpio_num; 401 402 chip = cygnus_get_gpio_core(gpio, &gpio_num); 403 if (chip == NULL) {
CID 1295498: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "chip".
404 dev_dbg(chip, "unable to find chip for gpio %d", gpio); 405 return; 406 } 407 408 cygnus_gpio_free(chip, gpio_num); 409 }
** CID 1295497: Integer handling issues (NO_EFFECT) /src/soc/broadcom/cygnus/i2c.c: 240 in i2c_init()
________________________________________________________________________________________________________ *** CID 1295497: Integer handling issues (NO_EFFECT) /src/soc/broadcom/cygnus/i2c.c: 240 in i2c_init() 234 } 235 236 void i2c_init(unsigned int bus, unsigned int hz) 237 { 238 struct cygnus_i2c_regs *regs = i2c_bus[bus]; 239
CID 1295497: Integer handling issues (NO_EFFECT) This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "bus >= 0U".
240 assert(bus >= 0 && bus <= 1); 241 242 setbits_le32(&regs->i2c_con, I2C_SMB_RESET); 243 udelay(100); /* wait 100 usec per spec */ 244 clrbits_le32(&regs->i2c_con, I2C_SMB_RESET); 245
** CID 1295496: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 436 in gpio_input_pulldown()
________________________________________________________________________________________________________ *** CID 1295496: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 436 in gpio_input_pulldown() 430 { 431 struct cygnus_gpio *chip; 432 unsigned gpio_num; 433 434 chip = cygnus_get_gpio_core(gpio, &gpio_num); 435 if (chip == NULL) {
CID 1295496: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "chip".
436 dev_dbg(chip, "unable to find chip for gpio %d", gpio); 437 return; 438 } 439 440 cygnus_gpio_set_pull(chip, gpio_num, 0, 0); 441 }
** CID 1295495: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 478 in gpio_set()
________________________________________________________________________________________________________ *** CID 1295495: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 478 in gpio_set() 472 { 473 struct cygnus_gpio *chip; 474 unsigned gpio_num; 475 476 chip = cygnus_get_gpio_core(gpio, &gpio_num); 477 if (chip == NULL) {
CID 1295495: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "chip".
478 dev_dbg(chip, "unable to find chip for gpio %d", gpio); 479 return; 480 } 481 482 cygnus_gpio_set(chip, gpio_num, value); 483 }
** CID 1295494: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/common.c: 83 in buffer_from_file()
________________________________________________________________________________________________________ *** CID 1295494: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/common.c: 83 in buffer_from_file() 77 if (buffer->size == -1u) { 78 fprintf(stderr, "could not determine size of %s\n", filename); 79 fclose(fp); 80 return -1; 81 } 82 buffer->name = strdup(filename);
CID 1295494: Error handling issues (NEGATIVE_RETURNS) "buffer->size" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
83 buffer->data = (char *)malloc(buffer->size); 84 assert(buffer->data); 85 if (fread(buffer->data, 1, buffer->size, fp) != buffer->size) { 86 fprintf(stderr, "incomplete read: %s\n", filename); 87 fclose(fp); 88 return -1;
** CID 1295493: Control flow issues (UNREACHABLE) /src/soc/broadcom/cygnus/ddr_init.c: 1194 in simple_ddr_crc32_check()
________________________________________________________________________________________________________ *** CID 1295493: Control flow issues (UNREACHABLE) /src/soc/broadcom/cygnus/ddr_init.c: 1194 in simple_ddr_crc32_check() 1188 #endif 1189 1190 #if defined(CONFIG_SOC_BROADCOM_CYGNUS) 1191 static int simple_ddr_crc32_check(void) 1192 { 1193 return 0;
CID 1295493: Control flow issues (UNREACHABLE) This code cannot be reached: "register uint32_t crc_mcu =...".
1194 register uint32_t crc_mcu = 0; 1195 register uint32_t crc = 0, offset = 0; 1196 register volatile uint32_t *buf = (uint32_t *)0x60000000; 1197 register uint32_t len = 0x00100000;//in word 1198 1199 printk(BIOS_INFO, "Checking simple DDR CRC, word start 0x%p, len 0x%08x...\n", buf, len);
** CID 1295492: Control flow issues (STRAY_SEMICOLON) /src/soc/broadcom/cygnus/ddr_init.c: 431 in ddr_phy_ctl_regs_ovrd()
________________________________________________________________________________________________________ *** CID 1295492: Control flow issues (STRAY_SEMICOLON) /src/soc/broadcom/cygnus/ddr_init.c: 431 in ddr_phy_ctl_regs_ovrd() 425 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ 426 addr[offset/4] = *tblptr; 427 #else 428 addr[offset/4] = swap_u32(*tblptr); 429 #endif 430 val = reg32_read((volatile uint32_t *)DDR_PHY_CONTROL_REGS_REVISION);
CID 1295492: Control flow issues (STRAY_SEMICOLON) An "if" statement with no "then" or "else" is suspicious.
431 if (val) ; 432 ++tblptr; 433 offset = *tblptr; 434 } 435 } 436
** CID 1295491: Parse warnings (PARSE_ERROR) /util/broadcom/secimage/crypto.c: 19 in ()
________________________________________________________________________________________________________ *** CID 1295491: Parse warnings (PARSE_ERROR) /util/broadcom/secimage/crypto.c: 19 in () 13 14 15 #include <stdio.h> 16 #include <string.h> 17 #include <stdint.h> 18 #include "secimage.h"
CID 1295491: Parse warnings (PARSE_ERROR) cannot open source file "openssl/hmac.h"
19 #include <openssl/hmac.h> 20 21 22 /*---------------------------------------------------------------------- 23 * Name : HmacSha256Hash 24 * Purpose :
** CID 1295490: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 450 in gpio_input_pullup()
________________________________________________________________________________________________________ *** CID 1295490: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 450 in gpio_input_pullup() 444 { 445 struct cygnus_gpio *chip; 446 unsigned gpio_num; 447 448 chip = cygnus_get_gpio_core(gpio, &gpio_num); 449 if (chip == NULL) {
CID 1295490: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "chip".
450 dev_dbg(chip, "unable to find chip for gpio %d", gpio); 451 return; 452 } 453 454 cygnus_gpio_set_pull(chip, gpio_num, 0, 1); 455 }
** CID 1295489: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1295489: (OVERRUN) /src/mainboard/google/veyron_jerry/mainboard.c: 77 in configure_codec() 71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */ 72 } 73 74 static void configure_codec(void) 75 { 76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */ 78 79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 81 82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */ /src/mainboard/google/veyron_danger/mainboard.c: 77 in configure_codec() 71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */ 72 } 73 74 static void configure_codec(void) 75 { 76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */ 78 79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 81 82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */ /src/mainboard/google/veyron_pinky/mainboard.c: 108 in configure_codec() 102 } 103 } 104 105 static void configure_codec(void) 106 { 107 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
108 i2c_init(2, 400*KHz); /* CODEC I2C */ 109 110 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 111 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 112 113 switch (board_id()) { /src/mainboard/google/veyron_speedy/mainboard.c: 77 in configure_codec() 71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */ 72 } 73 74 static void configure_codec(void) 75 { 76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */ 78 79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 81 82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */ /src/mainboard/google/veyron_mighty/mainboard.c: 77 in configure_codec() 71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */ 72 } 73 74 static void configure_codec(void) 75 { 76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */ 78 79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 81 82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */ /src/mainboard/google/veyron_brain/mainboard.c: 63 in configure_codec() 57 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */ 58 } 59 60 static void configure_codec(void) 61 { 62 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
63 i2c_init(2, 400*KHz); /* CODEC I2C */ 64 65 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 66 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 67 68 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */ /src/mainboard/google/veyron_rialto/mainboard.c: 63 in configure_codec() 57 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */ 58 } 59 60 static void configure_codec(void) 61 { 62 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
63 i2c_init(2, 400*KHz); /* CODEC I2C */ 64 65 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 66 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 67 68 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
** CID 1295488: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 492 in gpio_output()
________________________________________________________________________________________________________ *** CID 1295488: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 492 in gpio_output() 486 { 487 struct cygnus_gpio *chip; 488 unsigned gpio_num; 489 490 chip = cygnus_get_gpio_core(gpio, &gpio_num); 491 if (chip == NULL) {
CID 1295488: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "chip".
492 dev_dbg(chip, "unable to find chip for gpio %d", gpio); 493 return; 494 } 495 496 if (cygnus_gpio_request(chip, gpio_num) != 0) { 497 printk(BIOS_ERR, "Cannot mux GPIO %d\n", gpio); 498 return; 499 } 500 cygnus_gpio_direction_output(chip, gpio_num, value);
** CID 1295487: Memory - illegal accesses (OVERRUN) /coreboot-builds/amd_lamar/agesa/amdlib.c: 1411 in IdsErrorStop()
________________________________________________________________________________________________________ *** CID 1295487: Memory - illegal accesses (OVERRUN) /coreboot-builds/amd_lamar/agesa/amdlib.c: 1411 in IdsErrorStop() 1405 } post = {0xDEAD, FileCode, 0xDEAD, FileCode}; 1406 UINT16 offset = 0; 1407 UINT16 j; 1408 1409 while(1) { 1410 offset %= sizeof(struct POST) / 2;
CID 1295487: Memory - illegal accesses (OVERRUN) Overrunning array of 3 4-byte elements at element index 15 (byte offset 60) by dereferencing pointer "(UINT32 *)(&post + offset)".
1411 WriteIo32(80, *((UINT32*)(&post+offset))); 1412 ++offset; 1413 for (j=0; j<250; ++j) { 1414 ReadIo8(80); 1415 } 1416 }
** CID 1295486: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 418 in gpio_input()
________________________________________________________________________________________________________ *** CID 1295486: Null pointer dereferences (FORWARD_NULL) /src/soc/broadcom/cygnus/gpio.c: 418 in gpio_input() 412 { 413 struct cygnus_gpio *chip; 414 unsigned gpio_num; 415 416 chip = cygnus_get_gpio_core(gpio, &gpio_num); 417 if (chip == NULL) {
CID 1295486: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "chip".
418 dev_dbg(chip, "unable to find chip for gpio %d", gpio); 419 return; 420 } 421 422 if (cygnus_gpio_request(chip, gpio_num) != 0) { 423 printk(BIOS_ERR, "Cannot mux GPIO %d\n", gpio);
** CID 1295485: Null pointer dereferences (NULL_RETURNS) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbCommonLib/GnbTimerLib.c: 147 in GnbFmTimeStamp()
________________________________________________________________________________________________________ *** CID 1295485: Null pointer dereferences (NULL_RETURNS) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbCommonLib/GnbTimerLib.c: 147 in GnbFmTimeStamp() 141 ) 142 { 143 AGESA_STATUS Status; 144 GNB_FAM_TS_SERVICES *GnbFamTsFunc; 145 GNB_HANDLE *GnbHandle; 146
CID 1295485: Null pointer dereferences (NULL_RETURNS) Assigning: "GnbHandle" = null return value from "GnbGetHandle".
147 GnbHandle = GnbGetHandle (StdHeader); 148 149 Status = GnbLibLocateService (GnbFamTsService, GnbGetSocketId (GnbHandle), (VOID **)&GnbFamTsFunc, StdHeader); 150 ASSERT (Status == AGESA_SUCCESS); 151 if (Status == AGESA_SUCCESS) { 152 return GnbFamTsFunc->GnbFmTimeStamp (StdHeader); 153 } 154 return 0;
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/1016?tab=overview
** CID 1295489: (OVERRUN)
*** CID 1295489: (OVERRUN) /src/mainboard/google/veyron_jerry/mainboard.c: 77 in configure_codec() 71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */ 72 } 73 74 static void configure_codec(void) 75 { 76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
CID 1295489: (OVERRUN) Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */ 78 79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S); 80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK); 81 82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
Does anybody know what this is talking about? The code in i2c_init(bus, hz) just does:
struct rk3288_i2c_regs *regs = i2c_bus[bus];
and further up in that file:
struct rk3288_i2c_regs *i2c_bus[] = { (struct rk3288_i2c_regs *)0xff650000, (struct rk3288_i2c_regs *)0xff140000, (struct rk3288_i2c_regs *)0xff660000, (struct rk3288_i2c_regs *)0xff150000, (struct rk3288_i2c_regs *)0xff160000, (struct rk3288_i2c_regs *)0xff170000, };
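so unless I'm really missing something the array size should be 6, not 2, and the call is perfectly fine. Bug in Coverity? One possible explanation from this same report: CID 1295497 flags a different i2c_init() in /src/soc/broadcom/cygnus/i2c.c that asserts bus <= 1, so the analysis may have resolved the veyron calls to that implementation and its (presumably two-entry) i2c_bus table rather than to the rk3288 one quoted above.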