Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
83 new defect(s) introduced to coreboot found with Coverity Scan. 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 83 defect(s)
** CID 1360527: Memory - corruptions (NEGATIVE_RETURNS) /3rdparty/chromeec/common/charge_manager.c: 468 in charge_manager_refresh()
________________________________________________________________________________________________________ *** CID 1360527: Memory - corruptions (NEGATIVE_RETURNS) /3rdparty/chromeec/common/charge_manager.c: 468 in charge_manager_refresh() 462 463 /* 464 * Zero the available charge on the rejected port so that 465 * it is no longer chosen. 466 */ 467 for (i = 0; i < CHARGE_SUPPLIER_COUNT; ++i)
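CID 1360527: Memory - corruptions (NEGATIVE_RETURNS) Using variable "new_port" as an index to array "available_charge[i]". The checker name indicates that "new_port" can hold a negative value on some path reaching line 468, which would make the store land before the start of the array; the assignment to "new_port" is outside this excerpt.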
468 available_charge[i][new_port].current = 0; 469 } 470 471 /* 472 * Clear override if it wasn't selected as the 'best' port -- it means 473 * that no charge is available on the port, or the port was rejected.
** CID 1353358: Control flow issues (UNREACHABLE) /3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0()
________________________________________________________________________________________________________ *** CID 1353358: Control flow issues (UNREACHABLE) /3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0() 496 #ifndef BLUE_PULSING 497 /* next sequence */ 498 return LIGHTBAR_S0; 499 #endif 500 501 /* Ramp up to starting brightness, using S0 colors */
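CID 1353358: Control flow issues (UNREACHABLE) This code cannot be reached: "ci = st.p.s0_idx[st.battery...". Lines 496-499 of the excerpt return unconditionally when BLUE_PULSING is not defined, which is what makes line 502 unreachable in the analyzed build.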
502 ci = st.p.s0_idx[st.battery_is_charging][st.battery_level]; 503 if (ci >= ARRAY_SIZE(st.p.color)) 504 ci = 0; 505 506 fmin = st.p.osc_min[st.battery_is_charging] * FP_SCALE / 255; 507
** CID 1353353: Memory - illegal accesses (REVERSE_NEGATIVE) /3rdparty/chromeec/driver/usb_mux.c: 23 in usb_mux_init()
________________________________________________________________________________________________________ *** CID 1353353: Memory - illegal accesses (REVERSE_NEGATIVE) /3rdparty/chromeec/driver/usb_mux.c: 23 in usb_mux_init() 17 18 void usb_mux_init(int port) 19 { 20 const struct usb_mux *mux = &usb_muxes[port]; 21 int res; 22
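CID 1353353: Memory - illegal accesses (REVERSE_NEGATIVE) You might be using variable "port" before verifying that it is >= 0. The excerpt shows the order: "port" indexes "usb_muxes" at line 20, and the ASSERT that range-checks it only runs at line 23. An ASSERT is also a check only in builds that keep assertions enabled.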
23 ASSERT(port >= 0 && port < CONFIG_USB_PD_PORT_COUNT); 24 res = mux->driver->init(mux->port_addr); 25 if (res) 26 CPRINTS("Error initializing mux port(%d): %d", port, res); 27 28 /* Apply board specific initialization */
** CID 1353345: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353345: (OVERRUN) /3rdparty/chromeec/common/host_command_master.c: 82 in pd_host_command_internal() 76 77 /* 78 * Transmit all data and receive 2 bytes for return value and response 79 * length. 80 */ 81 i2c_lock(I2C_PORT_PD_MCU, 1);
CID 1353345: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_set_timeout".
82 i2c_set_timeout(I2C_PORT_PD_MCU, PD_HOST_COMMAND_TIMEOUT_US); 83 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR, 84 &req_buf[0], outsize + sizeof(rq) + 1, &resp_buf[0], 85 2, I2C_XFER_START); 86 i2c_set_timeout(I2C_PORT_PD_MCU, 0); 87 if (ret) { /3rdparty/chromeec/common/host_command_master.c: 86 in pd_host_command_internal() 80 */ 81 i2c_lock(I2C_PORT_PD_MCU, 1); 82 i2c_set_timeout(I2C_PORT_PD_MCU, PD_HOST_COMMAND_TIMEOUT_US); 83 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR, 84 &req_buf[0], outsize + sizeof(rq) + 1, &resp_buf[0], 85 2, I2C_XFER_START);
CID 1353345: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_set_timeout".
86 i2c_set_timeout(I2C_PORT_PD_MCU, 0); 87 if (ret) { 88 i2c_lock(I2C_PORT_PD_MCU, 0); 89 CPRINTF("[%T i2c transaction 1 failed: %d]\n", ret); 90 return -EC_RES_BUS_ERROR; 91 } /3rdparty/chromeec/common/host_command_master.c: 83 in pd_host_command_internal() 77 /* 78 * Transmit all data and receive 2 bytes for return value and response 79 * length. 80 */ 81 i2c_lock(I2C_PORT_PD_MCU, 1); 82 i2c_set_timeout(I2C_PORT_PD_MCU, PD_HOST_COMMAND_TIMEOUT_US);
CID 1353345: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_xfer".
83 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR, 84 &req_buf[0], outsize + sizeof(rq) + 1, &resp_buf[0], 85 2, I2C_XFER_START); 86 i2c_set_timeout(I2C_PORT_PD_MCU, 0); 87 if (ret) { 88 i2c_lock(I2C_PORT_PD_MCU, 0); /3rdparty/chromeec/common/host_command_master.c: 97 in pd_host_command_internal() 91 } 92 93 resp_len = resp_buf[1]; 94 95 if (resp_len > (insize + sizeof(rs))) { 96 /* Do a dummy read to generate stop condition */
CID 1353345: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_xfer".
97 i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR, 98 0, 0, &resp_buf[2], 1, I2C_XFER_STOP); 99 i2c_lock(I2C_PORT_PD_MCU, 0); 100 CPRINTF("[%T response size is too large %d > %d]\n", 101 resp_len, insize + sizeof(rs)); 102 return -EC_RES_RESPONSE_TOO_BIG; /3rdparty/chromeec/common/host_command_master.c: 106 in pd_host_command_internal() 100 CPRINTF("[%T response size is too large %d > %d]\n", 101 resp_len, insize + sizeof(rs)); 102 return -EC_RES_RESPONSE_TOO_BIG; 103 } 104 105 /* Receive remaining data */
CID 1353345: (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C1" in call to "i2c_xfer".
106 ret = i2c_xfer(I2C_PORT_PD_MCU, CONFIG_USB_PD_I2C_SLAVE_ADDR, 0, 0, 107 &resp_buf[2], resp_len, I2C_XFER_STOP); 108 i2c_lock(I2C_PORT_PD_MCU, 0); 109 if (ret) { 110 CPRINTF("[%T i2c transaction 2 failed: %d]\n", ret); 111 return -EC_RES_BUS_ERROR;
** CID 1353343: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353343: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/battery.c: 45 in battery_is_present() 39 /** 40 * Physical detection of battery. 41 */ 42 enum battery_present battery_is_present(void) 43 { 44 /* The GPIO is low when the battery is present */
CID 1353343: Memory - corruptions (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_BAT_PRESENT_L" in call to "gpio_get_level".
45 return gpio_get_level(CONFIG_BATTERY_PRESENT_GPIO) ? BP_NO : BP_YES; 46 } 47 #endif 48 49 static const char *get_error_text(int rv) 50 {
** CID 1353329: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal()
________________________________________________________________________________________________________ *** CID 1353329: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal() 53 rq.command_version = version; 54 rq.reserved = 0; 55 rq.data_len = outsize; 56 57 /* Copy data and start checksum */ 58 for (i = 0, c = (const uint8_t *)outdata; i < outsize; i++, c++) {
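CID 1353329: Memory - corruptions (OVERRUN) Overrunning array "req_buf" of 256 bytes at byte offset 256 using index "9U + i" (which evaluates to 256). With the 9-byte offset (sizeof(rq) + 1) this corresponds to i = 247; the loop is bounded only by "outsize", and the excerpt does not show whether "outsize" is limited against the size of "req_buf" earlier in the function.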
59 req_buf[sizeof(rq) + 1 + i] = *c; 60 sum += *c; 61 } 62 63 /* Finish checksum */ 64 for (i = 0, c = (const uint8_t *)&rq; i < sizeof(rq); i++, c++)
** CID 1353327: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353327: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/als_opt3001.c: 34 in opt3001_i2c_write() 28 */ 29 static int opt3001_i2c_write(const int reg, int data) 30 { 31 int ret; 32 33 data = ((data << 8) & 0xFF00) | ((data >> 8) & 0x00FF);
CID 1353327: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C2" in call to "i2c_write16".
34 ret = i2c_write16(I2C_PORT_ALS, OPT3001_I2C_ADDR, reg, data); 35 36 return ret; 37 } 38 39 /**
** CID 1353326: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353326: Memory - corruptions (OVERRUN) /3rdparty/chromeec/driver/als_opt3001.c: 18 in opt3001_i2c_read() 12 * Read register from OPT3001 light sensor. 13 */ 14 static int opt3001_i2c_read(const int reg, int *data_ptr) 15 { 16 int ret; 17
CID 1353326: Memory - corruptions (OVERRUN) Overrunning callee's array of size 2 by passing argument "MEC1322_I2C2" in call to "i2c_read16".
18 ret = i2c_read16(I2C_PORT_ALS, OPT3001_I2C_ADDR, reg, data_ptr); 19 if (!ret) 20 *data_ptr = ((*data_ptr << 8) & 0xFF00) | 21 ((*data_ptr >> 8) & 0x00FF); 22 23 return ret;
** CID 1353323: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/pd_log.c: 176 in hc_pd_get_log_entry()
________________________________________________________________________________________________________ *** CID 1353323: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/pd_log.c: 176 in hc_pd_get_log_entry() 170 dequeue_retry: 171 args->response_size = pd_log_dequeue(r); 172 /* if the MCU log no longer has entries, try connected accessories */ 173 if (r->type == PD_EVENT_NO_ENTRY) { 174 int i, res; 175 incoming_logs = 0;
CID 1353323: Memory - corruptions (OVERRUN) Checking "i < 2" implies that "i" may be up to 1 on the true branch.
176 for (i = 0; i < CONFIG_USB_PD_PORT_COUNT; ++i) { 177 /* only accessories who knows Google logging format */ 178 if (pd_get_identity_vid(i) != USB_VID_GOOGLE) 179 continue; 180 res = pd_fetch_acc_log_entry(i); 181 if (res == EC_RES_BUSY) /* host should retry */
** CID 1353313: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353313: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/inductive_charging.c: 84 in inductive_charging_deferred_update() 78 } 79 } 80 81 static void inductive_charging_deferred_update(void) 82 { 83 int lid_open = lid_is_open();
CID 1353313: Memory - corruptions (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_BASE_CHG_VDD_EN" in call to "gpio_set_level".
84 gpio_set_level(GPIO_BASE_CHG_VDD_EN, !lid_open); 85 inductive_charging_interrupt(GPIO_LID_OPEN); 86 } 87 DECLARE_DEFERRED(inductive_charging_deferred_update); 88 89 static void inductive_charging_lid_update(void)
** CID 1353312: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353312: (OVERRUN) /3rdparty/chromeec/common/inductive_charging.c: 43 in inductive_charging_interrupt() 37 inductive_charging_interrupt(GPIO_CHARGE_DONE); 38 } 39 DECLARE_DEFERRED(inductive_charging_monitor_charge); 40 41 void inductive_charging_interrupt(enum gpio_signal signal) 42 {
CID 1353312: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_BASE_CHG_VDD_EN" in call to "gpio_get_level".
43 int charger_enabled = gpio_get_level(GPIO_BASE_CHG_VDD_EN); 44 int charge_done = gpio_get_level(GPIO_CHARGE_DONE); 45 static int charge_already_done; 46 47 if (!monitor_charge_done && signal == GPIO_CHARGE_DONE) 48 return; /3rdparty/chromeec/common/inductive_charging.c: 67 in inductive_charging_interrupt() 61 charge_already_done = 1; 62 else if (charge_already_done) 63 return; 64 } 65 66 if (!charger_enabled || charge_done) {
CID 1353312: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_CHARGE_EN" in call to "gpio_set_level".
67 gpio_set_level(GPIO_CHARGE_EN, 0); 68 } else { 69 gpio_set_level(GPIO_CHARGE_EN, 1); 70 /* 71 * When the charging is just enabled, there might be a 72 * blip on CHARGE_DONE. Wait for a second before we start /3rdparty/chromeec/common/inductive_charging.c: 69 in inductive_charging_interrupt() 63 return; 64 } 65 66 if (!charger_enabled || charge_done) { 67 gpio_set_level(GPIO_CHARGE_EN, 0); 68 } else {
CID 1353312: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_CHARGE_EN" in call to "gpio_set_level".
69 gpio_set_level(GPIO_CHARGE_EN, 1); 70 /* 71 * When the charging is just enabled, there might be a 72 * blip on CHARGE_DONE. Wait for a second before we start 73 * looking at CHARGE_DONE. 74 */
** CID 1353311: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353311: (OVERRUN) /3rdparty/chromeec/board/oak/led.c: 53 in bat_led_set() 47 case BAT_LED_AMBER: 48 /* for rev3 or later */ 49 gpio_set_level(GPIO_BAT_LED0, on ? 0 : 1); /* BAT_LED_AMBER */ 50 gpio_set_level(GPIO_BAT_LED1, on ? 0 : 1); 51 break; 52 case PWR_LED_GREEN:
CID 1353311: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_PWR_LED0" in call to "gpio_set_level".
53 gpio_set_level(GPIO_PWR_LED0, on ? 0 : 1); /* PWR_LED_GREEN */ 54 break; 55 case PWR_LED_ORANGE: 56 gpio_set_level(GPIO_PWR_LED1, on ? 0 : 1); /* PWR_LED_ORANGE */ 57 break; 58 default: /3rdparty/chromeec/board/oak/led.c: 56 in bat_led_set() 50 gpio_set_level(GPIO_BAT_LED1, on ? 0 : 1); 51 break; 52 case PWR_LED_GREEN: 53 gpio_set_level(GPIO_PWR_LED0, on ? 0 : 1); /* PWR_LED_GREEN */ 54 break; 55 case PWR_LED_ORANGE:
CID 1353311: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_PWR_LED1" in call to "gpio_set_level".
56 gpio_set_level(GPIO_PWR_LED1, on ? 0 : 1); /* PWR_LED_ORANGE */ 57 break; 58 default: 59 return EC_ERROR_UNKNOWN; 60 } 61 return EC_SUCCESS;
** CID 1353309: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get() /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
________________________________________________________________________________________________________ *** CID 1353309: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get() 254 args->response_size = sizeof(r_v1->get_count); 255 break; 256 case EC_GPIO_GET_INFO: 257 if (p_v1->get_info.index >= GPIO_COUNT) 258 return EC_RES_ERROR; 259
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 47.
260 i = p_v1->get_info.index; 261 len = strlen(g[i].name); 262 memcpy(r_v1->get_info.name, g[i].name, len+1); 263 r_v1->get_info.val = gpio_get_level(i); 264 r_v1->get_info.flags = g[i].flags; 265 args->response_size = sizeof(r_v1->get_info); /3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get() 254 args->response_size = sizeof(r_v1->get_count); 255 break; 256 case EC_GPIO_GET_INFO: 257 if (p_v1->get_info.index >= GPIO_COUNT) 258 return EC_RES_ERROR; 259
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 43.
260 i = p_v1->get_info.index; 261 len = strlen(g[i].name); 262 memcpy(r_v1->get_info.name, g[i].name, len+1); 263 r_v1->get_info.val = gpio_get_level(i); 264 r_v1->get_info.flags = g[i].flags; 265 args->response_size = sizeof(r_v1->get_info);
** CID 1353308: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get() /3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get()
________________________________________________________________________________________________________ *** CID 1353308: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get() 255 break; 256 case EC_GPIO_GET_INFO: 257 if (p_v1->get_info.index >= GPIO_COUNT) 258 return EC_RES_ERROR; 259 260 i = p_v1->get_info.index;
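CID 1353308: (OVERRUN) Overrunning array of 28 16-byte elements at element index 47 (byte offset 752) by dereferencing pointer "g + i". The index is taken from the request structure "p_v1" and is checked against GPIO_COUNT at line 257, so the report holds only if GPIO_COUNT can exceed the 28 elements the analyzer sees for "g". The two bounds reported for this CID (47 and 43) suggest the array and GPIO_COUNT may come from different board configurations; confirm that during triage before dismissing the finding.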
261 len = strlen(g[i].name); 262 memcpy(r_v1->get_info.name, g[i].name, len+1); 263 r_v1->get_info.val = gpio_get_level(i); 264 r_v1->get_info.flags = g[i].flags; 265 args->response_size = sizeof(r_v1->get_info); 266 break; /3rdparty/chromeec/common/gpio.c: 261 in gpio_command_get() 255 break; 256 case EC_GPIO_GET_INFO: 257 if (p_v1->get_info.index >= GPIO_COUNT) 258 return EC_RES_ERROR; 259 260 i = p_v1->get_info.index;
CID 1353308: (OVERRUN) Overrunning array of 28 16-byte elements at element index 43 (byte offset 688) by dereferencing pointer "g + i".
261 len = strlen(g[i].name); 262 memcpy(r_v1->get_info.name, g[i].name, len+1); 263 r_v1->get_info.val = gpio_get_level(i); 264 r_v1->get_info.flags = g[i].flags; 265 args->response_size = sizeof(r_v1->get_info); 266 break;
** CID 1353307: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get() /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
________________________________________________________________________________________________________ *** CID 1353307: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get() 163 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name); 164 165 return EC_SUCCESS; 166 } 167 168 /* Otherwise print them all */
CID 1353307: (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 47 on the true branch.
169 for (i = 0; i < GPIO_COUNT; i++, g++) { 170 if (!g->mask) 171 continue; /* Skip unsupported signals */ 172 173 v = gpio_get_level(i); 174 changed = last_val_changed(i, v); /3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get() 163 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name); 164 165 return EC_SUCCESS; 166 } 167 168 /* Otherwise print them all */
CID 1353307: (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 43 on the true branch.
169 for (i = 0; i < GPIO_COUNT; i++, g++) { 170 if (!g->mask) 171 continue; /* Skip unsupported signals */ 172 173 v = gpio_get_level(i); 174 changed = last_val_changed(i, v);
** CID 1353306: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get() /3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get()
________________________________________________________________________________________________________ *** CID 1353306: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get() 164 165 return EC_SUCCESS; 166 } 167 168 /* Otherwise print them all */ 169 for (i = 0; i < GPIO_COUNT; i++, g++) {
CID 1353306: (OVERRUN) Overrunning array of 28 16-byte elements at element index 47 (byte offset 752) by dereferencing pointer "g".
170 if (!g->mask) 171 continue; /* Skip unsupported signals */ 172 173 v = gpio_get_level(i); 174 changed = last_val_changed(i, v); 175 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name); /3rdparty/chromeec/common/gpio.c: 170 in command_gpio_get() 164 165 return EC_SUCCESS; 166 } 167 168 /* Otherwise print them all */ 169 for (i = 0; i < GPIO_COUNT; i++, g++) {
CID 1353306: (OVERRUN) Overrunning array of 28 16-byte elements at element index 43 (byte offset 688) by dereferencing pointer "g".
170 if (!g->mask) 171 continue; /* Skip unsupported signals */ 172 173 v = gpio_get_level(i); 174 changed = last_val_changed(i, v); 175 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name);
** CID 1353305: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name() /3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name()
________________________________________________________________________________________________________ *** CID 1353305: (OVERRUN) /3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name() 27 int i; 28 29 if (!name || !*name) 30 return GPIO_COUNT; 31 32 for (i = 0; i < GPIO_COUNT; i++, g++) {
CID 1353305: (OVERRUN) Overrunning array of 28 16-byte elements at element index 47 (byte offset 752) by dereferencing pointer "g".
33 if (g->mask && !strcasecmp(name, g->name)) 34 return i; 35 } 36 37 return GPIO_COUNT; 38 } /3rdparty/chromeec/common/gpio.c: 33 in find_signal_by_name() 27 int i; 28 29 if (!name || !*name) 30 return GPIO_COUNT; 31 32 for (i = 0; i < GPIO_COUNT; i++, g++) {
CID 1353305: (OVERRUN) Overrunning array of 28 16-byte elements at element index 43 (byte offset 688) by dereferencing pointer "g".
33 if (g->mask && !strcasecmp(name, g->name)) 34 return i; 35 } 36 37 return GPIO_COUNT; 38 }
** CID 1353304: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353304: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/mkbp_event.c: 39 in set_host_interrupt() 33 /** 34 * Assert host keyboard interrupt line. 35 */ 36 static void set_host_interrupt(int active) 37 { 38 /* interrupt host by using active low EC_INT signal */
CID 1353304: Memory - corruptions (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_EC_INT_L" in call to "gpio_set_level".
39 gpio_set_level(GPIO_EC_INT_L, !active); 40 } 41 42 void mkbp_send_event(uint8_t event_type) 43 { 44 set_event(event_type);
** CID 1353302: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/chip/stm32/keyboard_raw.c: 66 in keyboard_raw_drive_column()
________________________________________________________________________________________________________ *** CID 1353302: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/chip/stm32/keyboard_raw.c: 66 in keyboard_raw_drive_column() 60 61 for (i = 0; i < ARRAY_SIZE(kb_out_ports); i++) { 62 uint32_t bsrr = 0; 63 int j; 64 65 for (j = GPIO_KB_OUT00; j <= GPIO_KB_OUT12; j++) {
CID 1353302: Memory - illegal accesses (OVERRUN) Overrunning array "gpio_list" of 28 16-byte elements at element index 34 (byte offset 544) using index "j" (which evaluates to 34).
66 if (gpio_list[j].port != kb_out_ports[i]) 67 continue; 68 69 if (out == KEYBOARD_COLUMN_ALL) { 70 /* drive low (clear bit) */ 71 bsrr |= gpio_list[j].mask << 16;
** CID 1353298: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353298: (OVERRUN) /3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 37 in keyboard_raw_drive_column() 31 32 test_mockable void keyboard_raw_drive_column(int out) 33 { 34 if (out == KEYBOARD_COLUMN_ALL) { 35 MEC1322_KS_KSO_SEL = 1 << 5; /* KSEN=0, KSALL=1 */ 36 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
CID 1353298: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
37 gpio_set_level(GPIO_KBD_KSO2, 1); 38 #endif 39 } else if (out == KEYBOARD_COLUMN_NONE) { 40 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */ 41 #ifdef CONFIG_KEYBOARD_COL2_INVERTED 42 gpio_set_level(GPIO_KBD_KSO2, 0); /3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 42 in keyboard_raw_drive_column() 36 #ifdef CONFIG_KEYBOARD_COL2_INVERTED 37 gpio_set_level(GPIO_KBD_KSO2, 1); 38 #endif 39 } else if (out == KEYBOARD_COLUMN_NONE) { 40 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */ 41 #ifdef CONFIG_KEYBOARD_COL2_INVERTED
CID 1353298: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
42 gpio_set_level(GPIO_KBD_KSO2, 0); 43 #endif 44 } else { 45 #ifdef CONFIG_KEYBOARD_COL2_INVERTED 46 if (out == 2) { 47 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */ /3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 48 in keyboard_raw_drive_column() 42 gpio_set_level(GPIO_KBD_KSO2, 0); 43 #endif 44 } else { 45 #ifdef CONFIG_KEYBOARD_COL2_INVERTED 46 if (out == 2) { 47 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */
CID 1353298: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
48 gpio_set_level(GPIO_KBD_KSO2, 1); 49 } else { 50 MEC1322_KS_KSO_SEL = out + CONFIG_KEYBOARD_KSO_BASE; 51 gpio_set_level(GPIO_KBD_KSO2, 0); 52 } 53 #else /3rdparty/chromeec/chip/mec1322/keyboard_raw.c: 51 in keyboard_raw_drive_column() 45 #ifdef CONFIG_KEYBOARD_COL2_INVERTED 46 if (out == 2) { 47 MEC1322_KS_KSO_SEL = 1 << 6; /* KSEN=1 */ 48 gpio_set_level(GPIO_KBD_KSO2, 1); 49 } else { 50 MEC1322_KS_KSO_SEL = out + CONFIG_KEYBOARD_KSO_BASE;
CID 1353298: (OVERRUN) Overrunning callee's array of size 28 by passing argument "GPIO_KBD_KSO2" in call to "gpio_set_level".
51 gpio_set_level(GPIO_KBD_KSO2, 0); 52 } 53 #else 54 MEC1322_KS_KSO_SEL = out + CONFIG_KEYBOARD_KSO_BASE; 55 #endif 56 }