Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
296 new defect(s) introduced to coreboot found with Coverity Scan. 12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 296 defect(s)
** CID 1353788: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 527 in pwm_fan_S3_S5()
________________________________________________________________________________________________________ *** CID 1353788: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 527 in pwm_fan_S3_S5() 521 /* Take back fan control when the processor shuts down */ 522 set_thermal_control_enabled(fan, 1); 523 /* For now don't do anything with it. We'll have to turn it on 524 * again if we need active cooling during heavy battery 525 * charging or something. 526 */
CID 1353788: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
527 fan_set_rpm_target(fans[fan].ch, 0); 528 set_enabled(fan, 0); /* crosbug.com/p/8097 */ 529 } 530 } 531 DECLARE_HOOK(HOOK_CHIPSET_SUSPEND, pwm_fan_S3_S5, HOOK_PRIO_DEFAULT);
** CID 1353787: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 338 in hc_pwm_set_fan_target_rpm()
________________________________________________________________________________________________________ *** CID 1353787: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 338 in hc_pwm_set_fan_target_rpm() 332 if (args->version == 0) { 333 for (fan = 0; fan < CONFIG_FANS; fan++) { 334 /* enable the fan if rpm is non-zero */ 335 set_enabled(fan, (p_v0->rpm > 0) ? 1 : 0); 336 337 set_thermal_control_enabled(fan, 0);
CID 1353787: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
338 fan_set_rpm_mode(fans[fan].ch, 1); 339 fan_set_rpm_target(fans[fan].ch, p_v0->rpm); 340 } 341 342 return EC_RES_SUCCESS; 343 }
** CID 1353786: (OVERRUN) /3rdparty/chromeec/common/fan.c: 333 in hc_pwm_set_fan_target_rpm() /3rdparty/chromeec/common/fan.c: 346 in hc_pwm_set_fan_target_rpm()
________________________________________________________________________________________________________ *** CID 1353786: (OVERRUN) /3rdparty/chromeec/common/fan.c: 333 in hc_pwm_set_fan_target_rpm() 327 { 328 const struct ec_params_pwm_set_fan_target_rpm_v1 *p_v1 = args->params; 329 const struct ec_params_pwm_set_fan_target_rpm_v0 *p_v0 = args->params; 330 int fan; 331 332 if (args->version == 0) {
CID 1353786: (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.
333 for (fan = 0; fan < CONFIG_FANS; fan++) { 334 /* enable the fan if rpm is non-zero */ 335 set_enabled(fan, (p_v0->rpm > 0) ? 1 : 0); 336 337 set_thermal_control_enabled(fan, 0); 338 fan_set_rpm_mode(fans[fan].ch, 1); /3rdparty/chromeec/common/fan.c: 346 in hc_pwm_set_fan_target_rpm() 340 } 341 342 return EC_RES_SUCCESS; 343 } 344 345 fan = p_v1->fan_idx;
CID 1353786: (OVERRUN) Checking "fan >= 2" implies that "fan" and "p_v1->fan_idx" may be up to 1 on the false branch.
346 if (fan >= CONFIG_FANS) 347 return EC_RES_ERROR; 348 349 /* enable the fan if rpm is non-zero */ 350 set_enabled(fan, (p_v1->rpm > 0) ? 1 :0); 351
** CID 1353785: (OVERRUN) /3rdparty/chromeec/common/fan.c: 369 in hc_pwm_set_fan_duty() /3rdparty/chromeec/common/fan.c: 376 in hc_pwm_set_fan_duty()
________________________________________________________________________________________________________ *** CID 1353785: (OVERRUN) /3rdparty/chromeec/common/fan.c: 369 in hc_pwm_set_fan_duty() 363 { 364 const struct ec_params_pwm_set_fan_duty_v1 *p_v1 = args->params; 365 const struct ec_params_pwm_set_fan_duty_v0 *p_v0 = args->params; 366 int fan; 367 368 if (args->version == 0) {
CID 1353785: (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.
369 for (fan = 0; fan < CONFIG_FANS; fan++) 370 set_duty_cycle(fan, p_v0->percent); 371 372 return EC_RES_SUCCESS; 373 } 374 /3rdparty/chromeec/common/fan.c: 376 in hc_pwm_set_fan_duty() 370 set_duty_cycle(fan, p_v0->percent); 371 372 return EC_RES_SUCCESS; 373 } 374 375 fan = p_v1->fan_idx;
CID 1353785: (OVERRUN) Checking "fan >= 2" implies that "fan" and "p_v1->fan_idx" may be up to 1 on the false branch.
376 if (fan >= CONFIG_FANS) 377 return EC_RES_ERROR; 378 379 set_duty_cycle(fan, p_v1->percent); 380 381 return EC_RES_SUCCESS;
** CID 1353784: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 160 in cc_faninfo()
________________________________________________________________________________________________________ *** CID 1353784: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 160 in cc_faninfo() 154 static const char * const human_status[] = { 155 "not spinning", "changing", "locked", "frustrated" 156 }; 157 int tmp, is_pgood; 158 int fan; 159 char leader[20] = "";
CID 1353784: Memory - corruptions (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.
160 for (fan = 0; fan < CONFIG_FANS; fan++) { 161 if (CONFIG_FANS > 1) 162 snprintf(leader, sizeof(leader), "Fan %d ", fan); 163 if (fan) 164 ccprintf("\n"); 165 ccprintf("%sActual: %4d rpm\n", leader,
** CID 1353783: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 165 in cc_faninfo()
________________________________________________________________________________________________________ *** CID 1353783: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 165 in cc_faninfo() 159 char leader[20] = ""; 160 for (fan = 0; fan < CONFIG_FANS; fan++) { 161 if (CONFIG_FANS > 1) 162 snprintf(leader, sizeof(leader), "Fan %d ", fan); 163 if (fan) 164 ccprintf("\n");
CID 1353783: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
165 ccprintf("%sActual: %4d rpm\n", leader, 166 fan_get_rpm_actual(fans[fan].ch)); 167 ccprintf("%sTarget: %4d rpm\n", leader, 168 fan_get_rpm_target(fans[fan].ch)); 169 ccprintf("%sDuty: %d%%\n", leader, 170 fan_get_duty(fans[fan].ch));
** CID 1353782: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 303 in dptf_set_fan_duty_target()
________________________________________________________________________________________________________ *** CID 1353782: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 303 in dptf_set_fan_duty_target() 297 if (pct < 0 || pct > 100) { 298 /* TODO(crosbug.com/p/23803) */ 299 for (fan = 0; fan < CONFIG_FANS; fan++) 300 set_thermal_control_enabled(fan, 1); 301 } else { 302 /* TODO(crosbug.com/p/23803) */
CID 1353782: Memory - corruptions (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.
303 for (fan = 0; fan < CONFIG_FANS; fan++) 304 set_duty_cycle(fan, pct); 305 } 306 } 307 308 /*****************************************************************************/
** CID 1353360: Code maintainability issues (UNUSED_VALUE) /3rdparty/chromeec/driver/pmu_tps65090.c: 680 in command_pmu()
________________________________________________________________________________________________________ *** CID 1353360: Code maintainability issues (UNUSED_VALUE) /3rdparty/chromeec/driver/pmu_tps65090.c: 680 in command_pmu() 674 ccputs("Invalid repeat count\n"); 675 return EC_ERROR_INVAL; 676 } 677 } 678 679 for (loop = 0; loop < repeat; loop++) {
CID 1353360: Code maintainability issues (UNUSED_VALUE) Assigning value from "print_pmu_info()" to "rv" here, but that stored value is overwritten before it can be used.
680 rv = print_pmu_info(); 681 usleep(1000); 682 } 683 684 rv = pmu_read(IRQ1_REG, &value); 685 if (rv)
** CID 1353358: Control flow issues (UNREACHABLE) /3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0()
________________________________________________________________________________________________________ *** CID 1353358: Control flow issues (UNREACHABLE) /3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0() 496 #ifndef BLUE_PULSING 497 /* next sequence */ 498 return LIGHTBAR_S0; 499 #endif 500 501 /* Ramp up to starting brightness, using S0 colors */
CID 1353358: Control flow issues (UNREACHABLE) This code cannot be reached: "ci = st.p.s0_idx[st.battery...".
502 ci = st.p.s0_idx[st.battery_is_charging][st.battery_level]; 503 if (ci >= ARRAY_SIZE(st.p.color)) 504 ci = 0; 505 506 fmin = st.p.osc_min[st.battery_is_charging] * FP_SCALE / 255; 507
** CID 1353354: Insecure data handling (TAINTED_SCALAR) /src/lib/lzma.c: 39 in ulzman()
________________________________________________________________________________________________________ *** CID 1353354: Insecure data handling (TAINTED_SCALAR) /src/lib/lzma.c: 39 in ulzman() 33 memcpy(properties, src, LZMA_PROPERTIES_SIZE); 34 /* The outSize in LZMA stream is a 64bit integer stored in little-endian 35 * (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by 36 * unaligned memory address and to load in correct endianness, read each 37 * byte and re-construct. */ 38 cp = src + LZMA_PROPERTIES_SIZE;
CID 1353354: Insecure data handling (TAINTED_SCALAR) Assigning: "outSize" = "(cp[3] << 24) | (cp[2] << 16) | (cp[1] << 8) | cp[0]". Both are now tainted.
39 outSize = cp[3] << 24 | cp[2] << 16 | cp[1] << 8 | cp[0]; 40 if (LzmaDecodeProperties(&state.Properties, properties, 41 LZMA_PROPERTIES_SIZE) != LZMA_RESULT_OK) { 42 printk(BIOS_WARNING, "lzma: Incorrect stream properties.\n"); 43 return 0; 44 }
** CID 1353347: Memory - corruptions (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 78 in pwm_init()
________________________________________________________________________________________________________ *** CID 1353347: Memory - corruptions (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 78 in pwm_init() 72 } 73 74 static void pwm_init(void) 75 { 76 int i; 77
CID 1353347: Memory - corruptions (OVERRUN) Checking "i < PWM_CH_COUNT" implies that "i" may be up to 2 on the true branch.
78 for (i = 0; i < PWM_CH_COUNT; ++i) { 79 pwm_configure(pwm_channels[i].channel, 80 pwm_channels[i].flags & PWM_CONFIG_ACTIVE_LOW, 81 pwm_channels[i].flags & PWM_CONFIG_ALT_CLOCK); 82 pwm_set_duty(i, 0); 83 } 84 }
** CID 1353346: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 79 in pwm_init()
________________________________________________________________________________________________________ *** CID 1353346: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 79 in pwm_init() 73 74 static void pwm_init(void) 75 { 76 int i; 77 78 for (i = 0; i < PWM_CH_COUNT; ++i) {
CID 1353346: Memory - illegal accesses (OVERRUN) Overrunning array "pwm_channels" of 1 8-byte elements at element index 2 (byte offset 16) using index "i" (which evaluates to 2).
79 pwm_configure(pwm_channels[i].channel, 80 pwm_channels[i].flags & PWM_CONFIG_ACTIVE_LOW, 81 pwm_channels[i].flags & PWM_CONFIG_ALT_CLOCK); 82 pwm_set_duty(i, 0); 83 } 84 }
** CID 1353329: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal()
________________________________________________________________________________________________________ *** CID 1353329: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal() 53 rq.command_version = version; 54 rq.reserved = 0; 55 rq.data_len = outsize; 56 57 /* Copy data and start checksum */ 58 for (i = 0, c = (const uint8_t *)outdata; i < outsize; i++, c++) {
CID 1353329: Memory - corruptions (OVERRUN) Overrunning array "req_buf" of 256 bytes at byte offset 256 using index "9UL + i" (which evaluates to 256).
59 req_buf[sizeof(rq) + 1 + i] = *c; 60 sum += *c; 61 } 62 63 /* Finish checksum */ 64 for (i = 0, c = (const uint8_t *)&rq; i < sizeof(rq); i++, c++)
** CID 1353325: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 65 in bd99992gw_init()
________________________________________________________________________________________________________ *** CID 1353325: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 65 in bd99992gw_init() 59 int i; 60 int active_channel_count = 0; 61 uint8_t pointer_reg = BD99992GW_REG_ADC1ADDR0; 62 63 /* Mark active channels from the board temp sensor table */ 64 for (i = 0; i < TEMP_SENSOR_COUNT; ++i)
CID 1353325: Memory - illegal accesses (OVERRUN) Overrunning array "temp_sensors" of 4 20-byte elements at element index 4 (byte offset 80) using index "i" (which evaluates to 4).
65 if (temp_sensors[i].read == bd99992gw_get_val) 66 active_channels[active_channel_count++] = 67 temp_sensors[i].idx; 68 69 /* Make sure we don't have too many active channels. */ 70 ASSERT(active_channel_count <= ARRAY_SIZE(active_channels));
** CID 1353319: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353319: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/wireless.c: 84 in wireless_get() 78 if (gpio_get_level(WIRELESS_GPIO_BLUETOOTH)) 79 flags |= EC_WIRELESS_SWITCH_BLUETOOTH; 80 #endif 81 82 #ifdef WIRELESS_GPIO_WLAN_POWER 83 #ifndef CONFIG_WLAN_POWER_ACTIVE_LOW
CID 1353319: Memory - corruptions (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_PP3300_WLAN_EN" in call to "gpio_get_level".
84 if (gpio_get_level(WIRELESS_GPIO_WLAN_POWER)) 85 #else 86 if (!gpio_get_level(WIRELESS_GPIO_WLAN_POWER)) 87 #endif /* CONFIG_WLAN_POWER_ACTIVE_LOW */ 88 flags |= EC_WIRELESS_SWITCH_WLAN_POWER; 89 #endif
** CID 1353318: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353318: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/wireless.c: 53 in wireless_enable() 47 gpio_set_level(WIRELESS_GPIO_BLUETOOTH, 48 flags & EC_WIRELESS_SWITCH_BLUETOOTH); 49 #endif 50 51 #ifdef WIRELESS_GPIO_WLAN_POWER 52 #ifndef CONFIG_WLAN_POWER_ACTIVE_LOW
CID 1353318: Memory - corruptions (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_PP3300_WLAN_EN" in call to "gpio_set_level".
53 gpio_set_level(WIRELESS_GPIO_WLAN_POWER, 54 flags & EC_WIRELESS_SWITCH_WLAN_POWER); 55 #else 56 gpio_set_level(WIRELESS_GPIO_WLAN_POWER, 57 !(flags & EC_WIRELESS_SWITCH_WLAN_POWER)); 58 #endif /* CONFIG_WLAN_POWER_ACTIVE_LOW */
** CID 1353309: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get()
________________________________________________________________________________________________________ *** CID 1353309: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.
243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info); /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.
243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info); /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.
243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info); /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.
243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info);
** CID 1353307: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get() /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get()
________________________________________________________________________________________________________ *** CID 1353307: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get() 120 print_gpio_info(i); 121 122 return EC_SUCCESS; 123 } 124 125 /* Otherwise print them all */
CID 1353307: (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 73 on the true branch.
126 for (i = 0; i < GPIO_COUNT; i++) { 127 if (!gpio_is_implemented(i)) 128 continue; /* Skip unsupported signals */ 129 130 print_gpio_info(i); 131 } /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get() 120 print_gpio_info(i); 121 122 return EC_SUCCESS; 123 } 124 125 /* Otherwise print them all */
CID 1353307: (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 73 on the true branch.
126 for (i = 0; i < GPIO_COUNT; i++) { 127 if (!gpio_is_implemented(i)) 128 continue; /* Skip unsupported signals */ 129 130 print_gpio_info(i); 131 }
** CID 1353300: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353300: (OVERRUN) /3rdparty/chromeec/board/glados/led.c: 46 in bat_led_set_color() 40 }; 41 42 static int bat_led_set_color(enum led_color color) 43 { 44 switch (color) { 45 case LED_OFF:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".
46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); /3rdparty/chromeec/board/glados/led.c: 47 in bat_led_set_color() 41 42 static int bat_led_set_color(enum led_color color) 43 { 44 switch (color) { 45 case LED_OFF: 46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".
47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; /3rdparty/chromeec/board/glados/led.c: 50 in bat_led_set_color() 44 switch (color) { 45 case LED_OFF: 46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".
50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); /3rdparty/chromeec/board/glados/led.c: 51 in bat_led_set_color() 45 case LED_OFF: 46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".
51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; /3rdparty/chromeec/board/glados/led.c: 54 in bat_led_set_color() 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".
54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN: 58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); /3rdparty/chromeec/board/glados/led.c: 55 in bat_led_set_color() 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".
55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN: 58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 60 break; /3rdparty/chromeec/board/glados/led.c: 58 in bat_led_set_color() 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".
58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 60 break; 61 default: 62 return EC_ERROR_UNKNOWN; 63 } /3rdparty/chromeec/board/glados/led.c: 59 in bat_led_set_color() 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN: 58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".
59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 60 break; 61 default: 62 return EC_ERROR_UNKNOWN; 63 } 64 return EC_SUCCESS; /3rdparty/chromeec/board/chell/led.c: 37 in bat_led_set_color() 31 }; 32 33 static int bat_led_set_color(enum led_color color) 34 { 35 switch (color) { 36 case LED_OFF:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".
37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); /3rdparty/chromeec/board/chell/led.c: 38 in bat_led_set_color() 32 33 static int bat_led_set_color(enum led_color color) 34 { 35 switch (color) { 36 case LED_OFF: 37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".
38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; /3rdparty/chromeec/board/chell/led.c: 41 in bat_led_set_color() 35 switch (color) { 36 case LED_OFF: 37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".
41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE: 45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); /3rdparty/chromeec/board/chell/led.c: 42 in bat_led_set_color() 36 case LED_OFF: 37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".
42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE: 45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 47 break; /3rdparty/chromeec/board/chell/led.c: 45 in bat_led_set_color() 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".
45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 47 break; 48 default: 49 return EC_ERROR_UNKNOWN; 50 } /3rdparty/chromeec/board/chell/led.c: 46 in bat_led_set_color() 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE: 45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".
46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 47 break; 48 default: 49 return EC_ERROR_UNKNOWN; 50 } 51 return EC_SUCCESS;
** CID 1353299: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1353299: (OVERRUN) /3rdparty/chromeec/chip/mec1322/lpc.c: 52 in keyboard_irq_assert() 46 /* 47 * Enforce signal-high for long enough for the signal to be pulled high 48 * by the external pullup resistor. This ensures the host will see the 49 * following falling edge, regardless of the line state before this 50 * function call. 51 */
CID 1353299: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_KBD_IRQ_L" in call to "gpio_set_level".
52 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 53 udelay(4); 54 /* Generate a falling edge */ 55 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 0); 56 udelay(4); 57 /3rdparty/chromeec/chip/mec1322/lpc.c: 55 in keyboard_irq_assert() 49 * following falling edge, regardless of the line state before this 50 * function call. 51 */ 52 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 53 udelay(4); 54 /* Generate a falling edge */
CID 1353299: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_KBD_IRQ_L" in call to "gpio_set_level".
55 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 0); 56 udelay(4); 57 58 /* Set signal high, now that we've generated the edge */ 59 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 60 #else /3rdparty/chromeec/chip/mec1322/lpc.c: 59 in keyboard_irq_assert() 53 udelay(4); 54 /* Generate a falling edge */ 55 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 0); 56 udelay(4); 57 58 /* Set signal high, now that we've generated the edge */
CID 1353299: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_KBD_IRQ_L" in call to "gpio_set_level".
59 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 60 #else 61 /* 62 * SERIRQ is automatically sent by KBC 63 */ 64 #endif
________________________________________________________________________________________________________ To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
Hey, I'm not sure if people pay much attention to these, but you can safely ignore these issues. I'm not even seeing them show up as issues inside coverity, so I'm not sure why they are presented here.
1) These issues are in the chromeec codebase, not the coreboot codebase. We've marked them as ignore for coreboot in the coverity scan system, but somehow they keep popping up. We've got a separate coverity instance set up for the chromeec codebase. 2) Even in the chromeec codebase, these are false positives. We're compiling the same code over and over with different values in the #defines for different platforms, but for some reason coverity wants to compare the array size of one build to the accesses of that array in a completely different platform.
Martin
On Tue, Mar 14, 2017 at 7:14 AM, scan-admin@coverity.com wrote:
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
296 new defect(s) introduced to coreboot found with Coverity Scan. 12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 296 defect(s)
** CID 1353788: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 527 in pwm_fan_S3_S5()
*** CID 1353788: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 527 in pwm_fan_S3_S5() 521 /* Take back fan control when the processor shuts down */ 522 set_thermal_control_enabled(fan, 1); 523 /* For now don't do anything with it. We'll have to turn it on 524 * again if we need active cooling during heavy battery 525 * charging or something. 526 */
CID 1353788: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).527 fan_set_rpm_target(fans[fan].ch, 0); 528 set_enabled(fan, 0); /* crosbug.com/p/8097 */ 529 } 530 } 531 DECLARE_HOOK(HOOK_CHIPSET_SUSPEND, pwm_fan_S3_S5, HOOK_PRIO_DEFAULT);
** CID 1353787: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 338 in hc_pwm_set_fan_target_rpm()
*** CID 1353787: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 338 in hc_pwm_set_fan_target_rpm() 332 if (args->version == 0) { 333 for (fan = 0; fan < CONFIG_FANS; fan++) { 334 /* enable the fan if rpm is non-zero */ 335 set_enabled(fan, (p_v0->rpm > 0) ? 1 : 0); 336 337 set_thermal_control_enabled(fan, 0);
CID 1353787: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).338 fan_set_rpm_mode(fans[fan].ch, 1); 339 fan_set_rpm_target(fans[fan].ch, p_v0->rpm); 340 } 341 342 return EC_RES_SUCCESS; 343 }
** CID 1353786: (OVERRUN) /3rdparty/chromeec/common/fan.c: 333 in hc_pwm_set_fan_target_rpm() /3rdparty/chromeec/common/fan.c: 346 in hc_pwm_set_fan_target_rpm()
*** CID 1353786: (OVERRUN) /3rdparty/chromeec/common/fan.c: 333 in hc_pwm_set_fan_target_rpm() 327 { 328 const struct ec_params_pwm_set_fan_target_rpm_v1 *p_v1 = args->params; 329 const struct ec_params_pwm_set_fan_target_rpm_v0 *p_v0 = args->params; 330 int fan; 331 332 if (args->version == 0) {
CID 1353786: (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.333 for (fan = 0; fan < CONFIG_FANS; fan++) { 334 /* enable the fan if rpm is non-zero */ 335 set_enabled(fan, (p_v0->rpm > 0) ? 1 : 0); 336 337 set_thermal_control_enabled(fan, 0); 338 fan_set_rpm_mode(fans[fan].ch, 1); /3rdparty/chromeec/common/fan.c: 346 in hc_pwm_set_fan_target_rpm() 340 } 341 342 return EC_RES_SUCCESS; 343 } 344 345 fan = p_v1->fan_idx;
CID 1353786: (OVERRUN) Checking "fan >= 2" implies that "fan" and "p_v1->fan_idx" may be up to 1 on the false branch.346 if (fan >= CONFIG_FANS) 347 return EC_RES_ERROR; 348 349 /* enable the fan if rpm is non-zero */ 350 set_enabled(fan, (p_v1->rpm > 0) ? 1 :0); 351
** CID 1353785: (OVERRUN) /3rdparty/chromeec/common/fan.c: 369 in hc_pwm_set_fan_duty() /3rdparty/chromeec/common/fan.c: 376 in hc_pwm_set_fan_duty()
*** CID 1353785: (OVERRUN) /3rdparty/chromeec/common/fan.c: 369 in hc_pwm_set_fan_duty() 363 { 364 const struct ec_params_pwm_set_fan_duty_v1 *p_v1 = args->params; 365 const struct ec_params_pwm_set_fan_duty_v0 *p_v0 = args->params; 366 int fan; 367 368 if (args->version == 0) {
CID 1353785: (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.369 for (fan = 0; fan < CONFIG_FANS; fan++) 370 set_duty_cycle(fan, p_v0->percent); 371 372 return EC_RES_SUCCESS; 373 } 374 /3rdparty/chromeec/common/fan.c: 376 in hc_pwm_set_fan_duty() 370 set_duty_cycle(fan, p_v0->percent); 371 372 return EC_RES_SUCCESS; 373 } 374 375 fan = p_v1->fan_idx;
CID 1353785: (OVERRUN) Checking "fan >= 2" implies that "fan" and "p_v1->fan_idx" may be up to 1 on the false branch.376 if (fan >= CONFIG_FANS) 377 return EC_RES_ERROR; 378 379 set_duty_cycle(fan, p_v1->percent); 380 381 return EC_RES_SUCCESS;
** CID 1353784: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 160 in cc_faninfo()
*** CID 1353784: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 160 in cc_faninfo() 154 static const char * const human_status[] = { 155 "not spinning", "changing", "locked", "frustrated" 156 }; 157 int tmp, is_pgood; 158 int fan; 159 char leader[20] = "";
CID 1353784: Memory - corruptions (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.160 for (fan = 0; fan < CONFIG_FANS; fan++) { 161 if (CONFIG_FANS > 1) 162 snprintf(leader, sizeof(leader), "Fan %d ", fan); 163 if (fan) 164 ccprintf("\n"); 165 ccprintf("%sActual: %4d rpm\n", leader,
** CID 1353783: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 165 in cc_faninfo()
*** CID 1353783: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/common/fan.c: 165 in cc_faninfo() 159 char leader[20] = ""; 160 for (fan = 0; fan < CONFIG_FANS; fan++) { 161 if (CONFIG_FANS > 1) 162 snprintf(leader, sizeof(leader), "Fan %d ", fan); 163 if (fan) 164 ccprintf("\n");
CID 1353783: Memory - illegal accesses (OVERRUN) Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).165 ccprintf("%sActual: %4d rpm\n", leader, 166 fan_get_rpm_actual(fans[fan].ch)); 167 ccprintf("%sTarget: %4d rpm\n", leader, 168 fan_get_rpm_target(fans[fan].ch)); 169 ccprintf("%sDuty: %d%%\n", leader, 170 fan_get_duty(fans[fan].ch));
** CID 1353782: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 303 in dptf_set_fan_duty_target()
*** CID 1353782: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/fan.c: 303 in dptf_set_fan_duty_target() 297 if (pct < 0 || pct > 100) { 298 /* TODO(crosbug.com/p/23803) */ 299 for (fan = 0; fan < CONFIG_FANS; fan++) 300 set_thermal_control_enabled(fan, 1); 301 } else { 302 /* TODO(crosbug.com/p/23803) */
CID 1353782: Memory - corruptions (OVERRUN) Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.303 for (fan = 0; fan < CONFIG_FANS; fan++) 304 set_duty_cycle(fan, pct); 305 } 306 } 307 308 /*****************************************************************************/
** CID 1353360: Code maintainability issues (UNUSED_VALUE) /3rdparty/chromeec/driver/pmu_tps65090.c: 680 in command_pmu()
*** CID 1353360: Code maintainability issues (UNUSED_VALUE) /3rdparty/chromeec/driver/pmu_tps65090.c: 680 in command_pmu() 674 ccputs("Invalid repeat count\n"); 675 return EC_ERROR_INVAL; 676 } 677 } 678 679 for (loop = 0; loop < repeat; loop++) {
CID 1353360: Code maintainability issues (UNUSED_VALUE) Assigning value from "print_pmu_info()" to "rv" here, but that stored value is overwritten before it can be used.680 rv = print_pmu_info(); 681 usleep(1000); 682 } 683 684 rv = pmu_read(IRQ1_REG, &value); 685 if (rv)
** CID 1353358: Control flow issues (UNREACHABLE) /3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0()
*** CID 1353358: Control flow issues (UNREACHABLE) /3rdparty/chromeec/common/lightbar.c: 502 in sequence_S3S0() 496 #ifndef BLUE_PULSING 497 /* next sequence */ 498 return LIGHTBAR_S0; 499 #endif 500 501 /* Ramp up to starting brightness, using S0 colors */
CID 1353358: Control flow issues (UNREACHABLE) This code cannot be reached: "ci = st.p.s0_idx[st.battery...".502 ci = st.p.s0_idx[st.battery_is_charging][st.battery_level]; 503 if (ci >= ARRAY_SIZE(st.p.color)) 504 ci = 0; 505 506 fmin = st.p.osc_min[st.battery_is_charging] * FP_SCALE / 255; 507
** CID 1353354: Insecure data handling (TAINTED_SCALAR) /src/lib/lzma.c: 39 in ulzman()
*** CID 1353354: Insecure data handling (TAINTED_SCALAR) /src/lib/lzma.c: 39 in ulzman() 33 memcpy(properties, src, LZMA_PROPERTIES_SIZE); 34 /* The outSize in LZMA stream is a 64bit integer stored in little-endian 35 * (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by 36 * unaligned memory address and to load in correct endianness, read each 37 * byte and re-construct. */ 38 cp = src + LZMA_PROPERTIES_SIZE;
CID 1353354: Insecure data handling (TAINTED_SCALAR) Assigning: "outSize" = "(cp[3] << 24) | (cp[2] << 16) | (cp[1] << 8) | cp[0]". Both are now tainted.39 outSize = cp[3] << 24 | cp[2] << 16 | cp[1] << 8 | cp[0]; 40 if (LzmaDecodeProperties(&state.Properties, properties, 41 LZMA_PROPERTIES_SIZE) != LZMA_RESULT_OK) { 42 printk(BIOS_WARNING, "lzma: Incorrect stream properties.\n"); 43 return 0; 44 }
** CID 1353347: Memory - corruptions (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 78 in pwm_init()
*** CID 1353347: Memory - corruptions (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 78 in pwm_init() 72 } 73 74 static void pwm_init(void) 75 { 76 int i; 77
CID 1353347: Memory - corruptions (OVERRUN) Checking "i < PWM_CH_COUNT" implies that "i" may be up to 2 on the true branch.78 for (i = 0; i < PWM_CH_COUNT; ++i) { 79 pwm_configure(pwm_channels[i].channel, 80 pwm_channels[i].flags & PWM_CONFIG_ACTIVE_LOW, 81 pwm_channels[i].flags & PWM_CONFIG_ALT_CLOCK); 82 pwm_set_duty(i, 0); 83 } 84 }
** CID 1353346: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 79 in pwm_init()
*** CID 1353346: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/chip/mec1322/pwm.c: 79 in pwm_init() 73 74 static void pwm_init(void) 75 { 76 int i; 77 78 for (i = 0; i < PWM_CH_COUNT; ++i) {
CID 1353346: Memory - illegal accesses (OVERRUN) Overrunning array "pwm_channels" of 1 8-byte elements at element index 2 (byte offset 16) using index "i" (which evaluates to 2).79 pwm_configure(pwm_channels[i].channel, 80 pwm_channels[i].flags & PWM_CONFIG_ACTIVE_LOW, 81 pwm_channels[i].flags & PWM_CONFIG_ALT_CLOCK); 82 pwm_set_duty(i, 0); 83 } 84 }
** CID 1353329: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal()
*** CID 1353329: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/host_command_master.c: 59 in pd_host_command_internal() 53 rq.command_version = version; 54 rq.reserved = 0; 55 rq.data_len = outsize; 56 57 /* Copy data and start checksum */ 58 for (i = 0, c = (const uint8_t *)outdata; i < outsize; i++, c++) {
CID 1353329: Memory - corruptions (OVERRUN) Overrunning array "req_buf" of 256 bytes at byte offset 256 using index "9UL + i" (which evaluates to 256).59 req_buf[sizeof(rq) + 1 + i] = *c; 60 sum += *c; 61 } 62 63 /* Finish checksum */ 64 for (i = 0, c = (const uint8_t *)&rq; i < sizeof(rq); i++, c++)
** CID 1353325: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 65 in bd99992gw_init()
*** CID 1353325: Memory - illegal accesses (OVERRUN) /3rdparty/chromeec/driver/temp_sensor/bd99992gw.c: 65 in bd99992gw_init() 59 int i; 60 int active_channel_count = 0; 61 uint8_t pointer_reg = BD99992GW_REG_ADC1ADDR0; 62 63 /* Mark active channels from the board temp sensor table */ 64 for (i = 0; i < TEMP_SENSOR_COUNT; ++i)
CID 1353325: Memory - illegal accesses (OVERRUN) Overrunning array "temp_sensors" of 4 20-byte elements at element index 4 (byte offset 80) using index "i" (which evaluates to 4).65 if (temp_sensors[i].read == bd99992gw_get_val) 66 active_channels[active_channel_count++] = 67 temp_sensors[i].idx; 68 69 /* Make sure we don't have too many active channels. */ 70 ASSERT(active_channel_count <= ARRAY_SIZE(active_channels));
** CID 1353319: Memory - corruptions (OVERRUN)
*** CID 1353319: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/wireless.c: 84 in wireless_get() 78 if (gpio_get_level(WIRELESS_GPIO_BLUETOOTH)) 79 flags |= EC_WIRELESS_SWITCH_BLUETOOTH; 80 #endif 81 82 #ifdef WIRELESS_GPIO_WLAN_POWER 83 #ifndef CONFIG_WLAN_POWER_ACTIVE_LOW
CID 1353319: Memory - corruptions (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_PP3300_WLAN_EN" in call to "gpio_get_level".84 if (gpio_get_level(WIRELESS_GPIO_WLAN_POWER)) 85 #else 86 if (!gpio_get_level(WIRELESS_GPIO_WLAN_POWER)) 87 #endif /* CONFIG_WLAN_POWER_ACTIVE_LOW */ 88 flags |= EC_WIRELESS_SWITCH_WLAN_POWER; 89 #endif
** CID 1353318: Memory - corruptions (OVERRUN)
*** CID 1353318: Memory - corruptions (OVERRUN) /3rdparty/chromeec/common/wireless.c: 53 in wireless_enable() 47 gpio_set_level(WIRELESS_GPIO_BLUETOOTH, 48 flags & EC_WIRELESS_SWITCH_BLUETOOTH); 49 #endif 50 51 #ifdef WIRELESS_GPIO_WLAN_POWER 52 #ifndef CONFIG_WLAN_POWER_ACTIVE_LOW
CID 1353318: Memory - corruptions (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_PP3300_WLAN_EN" in call to "gpio_set_level".53 gpio_set_level(WIRELESS_GPIO_WLAN_POWER, 54 flags & EC_WIRELESS_SWITCH_WLAN_POWER); 55 #else 56 gpio_set_level(WIRELESS_GPIO_WLAN_POWER, 57 !(flags & EC_WIRELESS_SWITCH_WLAN_POWER)); 58 #endif /* CONFIG_WLAN_POWER_ACTIVE_LOW */
** CID 1353309: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get()
*** CID 1353309: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info); /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info); /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info); /3rdparty/chromeec/common/gpio_commands.c: 243 in gpio_command_get() 237 args->response_size = sizeof(r_v1->get_count); 238 break; 239 case EC_GPIO_GET_INFO: 240 if (p_v1->get_info.index >= GPIO_COUNT) 241 return EC_RES_ERROR; 242
CID 1353309: (OVERRUN) Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 73.243 i = p_v1->get_info.index; 244 len = strlen(gpio_get_name(i)); 245 memcpy(r_v1->get_info.name, gpio_get_name(i), len+1); 246 r_v1->get_info.val = gpio_get_level(i); 247 r_v1->get_info.flags = gpio_get_default_flags(i); 248 args->response_size = sizeof(r_v1->get_info);
** CID 1353307: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get() /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get()
*** CID 1353307: (OVERRUN) /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get() 120 print_gpio_info(i); 121 122 return EC_SUCCESS; 123 } 124 125 /* Otherwise print them all */
CID 1353307: (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 73 on the true branch.126 for (i = 0; i < GPIO_COUNT; i++) { 127 if (!gpio_is_implemented(i)) 128 continue; /* Skip unsupported signals */ 129 130 print_gpio_info(i); 131 } /3rdparty/chromeec/common/gpio_commands.c: 126 in command_gpio_get() 120 print_gpio_info(i); 121 122 return EC_SUCCESS; 123 } 124 125 /* Otherwise print them all */
CID 1353307: (OVERRUN) Checking "i < GPIO_COUNT" implies that "i" may be up to 73 on the true branch.126 for (i = 0; i < GPIO_COUNT; i++) { 127 if (!gpio_is_implemented(i)) 128 continue; /* Skip unsupported signals */ 129 130 print_gpio_info(i); 131 }
** CID 1353300: (OVERRUN)
*** CID 1353300: (OVERRUN) /3rdparty/chromeec/board/glados/led.c: 46 in bat_led_set_color() 40 }; 41 42 static int bat_led_set_color(enum led_color color) 43 { 44 switch (color) { 45 case LED_OFF:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); /3rdparty/chromeec/board/glados/led.c: 47 in bat_led_set_color() 41 42 static int bat_led_set_color(enum led_color color) 43 { 44 switch (color) { 45 case LED_OFF: 46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; /3rdparty/chromeec/board/glados/led.c: 50 in bat_led_set_color() 44 switch (color) { 45 case LED_OFF: 46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); /3rdparty/chromeec/board/glados/led.c: 51 in bat_led_set_color() 45 case LED_OFF: 46 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 47 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; /3rdparty/chromeec/board/glados/led.c: 54 in bat_led_set_color() 48 break; 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN: 58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); /3rdparty/chromeec/board/glados/led.c: 55 in bat_led_set_color() 49 case LED_RED: 50 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 51 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN: 58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 60 break; /3rdparty/chromeec/board/glados/led.c: 58 in bat_led_set_color() 52 break; 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 60 break; 61 default: 62 return EC_ERROR_UNKNOWN; 63 } /3rdparty/chromeec/board/glados/led.c: 59 in bat_led_set_color() 53 case LED_AMBER: 54 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 55 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 56 break; 57 case LED_GREEN: 58 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".59 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 60 break; 61 default: 62 return EC_ERROR_UNKNOWN; 63 } 64 return EC_SUCCESS; /3rdparty/chromeec/board/chell/led.c: 37 in bat_led_set_color() 31 }; 32 33 static int bat_led_set_color(enum led_color color) 34 { 35 switch (color) { 36 case LED_OFF:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); /3rdparty/chromeec/board/chell/led.c: 38 in bat_led_set_color() 32 33 static int bat_led_set_color(enum led_color color) 34 { 35 switch (color) { 36 case LED_OFF: 37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; /3rdparty/chromeec/board/chell/led.c: 41 in bat_led_set_color() 35 switch (color) { 36 case LED_OFF: 37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE: 45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); /3rdparty/chromeec/board/chell/led.c: 42 in bat_led_set_color() 36 case LED_OFF: 37 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 38 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE: 45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 47 break; /3rdparty/chromeec/board/chell/led.c: 45 in bat_led_set_color() 39 break; 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE:
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_1" in call to "gpio_set_level".45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF); 46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 47 break; 48 default: 49 return EC_ERROR_UNKNOWN; 50 } /3rdparty/chromeec/board/chell/led.c: 46 in bat_led_set_color() 40 case LED_AMBER: 41 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_ON); 42 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_OFF); 43 break; 44 case LED_WHITE: 45 gpio_set_level(GPIO_BAT_LED_RED, BAT_LED_OFF);
CID 1353300: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_CHARGE_LED_2" in call to "gpio_set_level".46 gpio_set_level(GPIO_BAT_LED_GREEN, BAT_LED_ON); 47 break; 48 default: 49 return EC_ERROR_UNKNOWN; 50 } 51 return EC_SUCCESS;
** CID 1353299: (OVERRUN)
*** CID 1353299: (OVERRUN) /3rdparty/chromeec/chip/mec1322/lpc.c: 52 in keyboard_irq_assert() 46 /* 47 * Enforce signal-high for long enough for the signal to be pulled high 48 * by the external pullup resistor. This ensures the host will see the 49 * following falling edge, regardless of the line state before this 50 * function call. 51 */
CID 1353299: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_KBD_IRQ_L" in call to "gpio_set_level".52 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 53 udelay(4); 54 /* Generate a falling edge */ 55 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 0); 56 udelay(4); 57 /3rdparty/chromeec/chip/mec1322/lpc.c: 55 in keyboard_irq_assert() 49 * following falling edge, regardless of the line state before this 50 * function call. 51 */ 52 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 53 udelay(4); 54 /* Generate a falling edge */
CID 1353299: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_KBD_IRQ_L" in call to "gpio_set_level".55 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 0); 56 udelay(4); 57 58 /* Set signal high, now that we've generated the edge */ 59 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 60 #else /3rdparty/chromeec/chip/mec1322/lpc.c: 59 in keyboard_irq_assert() 53 udelay(4); 54 /* Generate a falling edge */ 55 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 0); 56 udelay(4); 57 58 /* Set signal high, now that we've generated the edge */
CID 1353299: (OVERRUN) Overrunning callee's array of size 62 by passing argument "GPIO_KBD_IRQ_L" in call to "gpio_set_level".59 gpio_set_level(CONFIG_KEYBOARD_IRQ_GPIO, 1); 60 #else 61 /* 62 * SERIRQ is automatically sent by KBC 63 */ 64 #endif
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
-- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
-
Martin Roth -
scan-admin@coverity.com