Hi,
Please find below the latest report on new defect(s) introduced to coreboot, found with Coverity Scan.
31 new defect(s) introduced to coreboot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 31 defect(s)
** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
________________________________________________________________________________________________________
*** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 831 in parse_subpart_dir()
825 memcpy(hdr.name, data + offset, sizeof(hdr.name));
826 offset += sizeof(hdr.name);
827 
828 validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name);
829 
830 assert(size > subpart_dir_size(&hdr));
CID 1361275: (TAINTED_SCALAR) Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
831 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir");
832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
833 
834 /* Read Subpart Dir entries. */
835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836 struct subpart_dir_entry *e = &subpart_dir->e[0];
/util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
833 
834 /* Read Subpart Dir entries. */
835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836 struct subpart_dir_entry *e = &subpart_dir->e[0];
837 uint32_t i;
CID 1361275: (TAINTED_SCALAR) Using tainted variable "hdr.num_entries" as a loop boundary.
838 for (i = 0; i < hdr.num_entries; i++) {
839 memcpy(e[i].name, data + offset, sizeof(e[i].name));
840 offset += sizeof(e[i].name);
841 offset = read_member(data, offset, sizeof(e[i].offset),
842 &e[i].offset);
843 offset = read_member(data, offset, sizeof(e[i].length),
** CID 1361274: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1361274: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 717 in alloc_bpdt_buffer()
711 {
712 struct bpdt_header bpdt_header;
713 assert((offset + BPDT_HEADER_SIZE) < size);
714 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name);
715 
716 /* Buffer to read BPDT header and entries. */
CID 1361274: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
717 alloc_buffer(b, get_bpdt_size(&bpdt_header), name);
718 
719 struct bpdt *bpdt = buffer_get(b);
720 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE);
721 
722 /*
** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
________________________________________________________________________________________________________
*** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
1294 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e,
1295 struct buffer *b, size_t offset)
1296 {
1297 memset(e, 0, sizeof(*e));
1298 
1299 assert(strlen(b->name) <= sizeof(e->name));
CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) Calling strncpy with a maximum size argument of 12 bytes on destination array "e->name" of size 12 bytes might leave the destination string unterminated.
1300 strncpy((char *)e->name, (char *)b->name, sizeof(e->name));
1301 e->offset = offset;
1302 e->length = buffer_size(b);
1303 
1304 return (offset + buffer_size(b));
1305 }
** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
________________________________________________________________________________________________________
*** CID 1353793: Resource leaks (RESOURCE_LEAK) /util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
1090 
1091 if (read_from_image(context->input_image_filename,
1092 offset, bl_length,
1093 &image, &image_actual_size, file_type_bin)) {
1094 printf("Error reading image file %s.\n",
1095 context->input_image_filename);
CID 1353793: Resource leaks (RESOURCE_LEAK) Variable "image" going out of scope leaks the storage it points to.
1096 return -ENOMEM;
1097 }
1098 
1099 pages_in_image = ICEIL(image_actual_size, page_size);
1100 
1101 /* Create a local copy of the bl */
** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
________________________________________________________________________________________________________
*** CID 1353781: Control flow issues (NO_EFFECT) /util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
236 context.input_image_filename);
237 goto fail;
238 }
239 
240 /* Get BCT_SIZE from input image file */
241 bct_size = get_bct_size_from_image(&context);
CID 1353781: Control flow issues (NO_EFFECT) This less-than-zero comparison of an unsigned value is never true. "bct_size < 0U".
242 if (bct_size < 0) {
243 printf("Error: Invalid input image file %s\n",
244 context.input_image_filename);
245 goto fail;
246 }
247 
** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
335 pspdir[4+4*i+2] = 1;
336 pspdir[4+4*i+3] = 0;
337 } else if (fw_table[i].filename != NULL) {
338 pspdir[4+4*i+0] = fw_table[i].type;
339 
340 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353028: Error handling issues (NEGATIVE_RETURNS) "fd" (the unchecked return value of open() on the preceding line, which may be -1) is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
341 fstat(fd, &fd_stat);
342 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size;
343 
344 pspdir[4+4*i+2] = pos + rom_base_address;
345 pspdir[4+4*i+3] = 0;
346 
** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
278 int i;
279 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1;
280 
281 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) {
282 if (fw_table[i].filename != NULL) {
283 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353027: Error handling issues (NEGATIVE_RETURNS) "fd" (the unchecked return value of open() on the preceding line, which may be -1) is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat);
285 
286 switch (fw_table[i].type) {
287 case AMD_FW_IMC:
288 pos = ALIGN(pos, 0x10000U);
289 romsig[1] = pos + rom_base_address;
** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
________________________________________________________________________________________________________
*** CID 1353022: Error handling issues (CHECKED_RETURN) /util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
291 begin_update(&context);
292 /* Signing the bct. */
293 e = sign_bct(&context, context.bct);
294 if (e != 0)
295 printf("Signing BCT failed, error: %d.\n", e);
296 
CID 1353022: Error handling issues (CHECKED_RETURN) Calling "fwrite" without checking return value (as is done elsewhere 36 out of 45 times).
297 fwrite(context.bct, 1, context.bct_size,
298 context.raw_file);
299 printf("New BCT file %s has been successfully generated!\n",
300 context.output_image_filename);
301 goto fail;
302 }
** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 355 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 355 in integrate_psp_firmwares()
349 " will not fit %s. Exiting.\n",
350 rom_size, fw_table[i].filename);
351 free(base);
352 exit(1);
353 }
354 
CID 1353021: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
355 read(fd, (void *)(base + pos), (size_t)fd_stat.st_size);
356 
357 pos += fd_stat.st_size;
358 close(fd);
359 pos = ALIGN(pos, 0x100U);
360 } else {
** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 341 in integrate_psp_firmwares()
335 pspdir[4+4*i+2] = 1;
336 pspdir[4+4*i+3] = 0;
337 } else if (fw_table[i].filename != NULL) {
338 pspdir[4+4*i+0] = fw_table[i].type;
339 
340 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353020: Error handling issues (CHECKED_RETURN) Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
341 fstat(fd, &fd_stat);
342 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size;
343 
344 pspdir[4+4*i+2] = pos + rom_base_address;
345 pspdir[4+4*i+3] = 0;
346 
** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 310 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 310 in integrate_firmwares()
304 " will not fit %s. Exiting.\n",
305 rom_size, fw_table[i].filename);
306 free(base);
307 exit(1);
308 }
309 
CID 1353019: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
310 read(fd, (void *)(base + pos), (size_t)fd_stat.st_size);
311 
312 pos += fd_stat.st_size;
313 close(fd);
314 pos = ALIGN(pos, 0x100U);
315 }
** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 284 in integrate_firmwares()
278 int i;
279 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1;
280 
281 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) {
282 if (fw_table[i].filename != NULL) {
283 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353018: Error handling issues (CHECKED_RETURN) Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat);
285 
286 switch (fw_table[i].type) {
287 case AMD_FW_IMC:
288 pos = ALIGN(pos, 0x10000U);
289 romsig[1] = pos + rom_base_address;
** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 485 in fmap_append_area_test()
________________________________________________________________________________________________________
*** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 485 in fmap_append_area_test()
479 if ((*fmap)->nareas != 1) {
480 printf("FAILURE: failed to increment number of areas\n");
481 goto fmap_append_area_test_exit;
482 }
483 
484 status = pass;
CID 1302457: Control flow issues (MISSING_RESTORE) Jumped to here, skipping restore.
485 fmap_append_area_test_exit:
486 return status;
487 }
488 
489 static int fmap_find_area_test(struct fmap *fmap)
490 {
** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
________________________________________________________________________________________________________
*** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
595 printf("FAILURE: bsearch returned false positive\n");
596 goto fmap_find_test_exit;
597 }
598 
599 /* simple test case: fmap at (total_size / 2) + 1 */
600 offset = (total_size / 2) + 1;
CID 1302456: Error handling issues (NEGATIVE_RETURNS) "fmap_size(fmap)" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
601 memcpy(&buf[offset], fmap, fmap_size(fmap));
602 
603 if ((unsigned)fmap_find(buf, total_size - 1) != offset) {
604 printf("FAILURE: lsearch failed to find fmap\n");
605 goto fmap_find_test_exit;
606 }
** CID 1302455: Null pointer dereferences (NULL_RETURNS) /util/cbfstool/partitioned_file.c: 199 in partitioned_file_reopen()
________________________________________________________________________________________________________
*** CID 1302455: Null pointer dereferences (NULL_RETURNS) /util/cbfstool/partitioned_file.c: 199 in partitioned_file_reopen()
193 partitioned_file_close(file);
194 return NULL;
195 }
196 
197 const struct fmap_area *fmap_fmap_entry =
198 fmap_find_area(file->fmap, SECTION_NAME_FMAP);
CID 1302455: Null pointer dereferences (NULL_RETURNS) Dereferencing a null pointer "fmap_fmap_entry".
199 if ((long)fmap_fmap_entry->offset != fmap_region_offset) {
200 ERROR("FMAP's '%s' section doesn't point back to FMAP start (did something corrupt this file?)\n",
201 SECTION_NAME_FMAP);
202 partitioned_file_close(file);
203 return NULL;
204 }
** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________
*** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560 
561 status = pass;
562 fmap_flags_to_string_test_exit:
CID 1302453: Resource leaks (RESOURCE_LEAK) Variable "my_str" going out of scope leaks the storage it points to.
563 return status;
564 
565 }
566 
567 static int fmap_find_test(struct fmap *fmap)
568 {
** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test() /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________
*** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560 
561 status = pass;
562 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to.
563 return status;
564 
565 }
566 
567 static int fmap_find_test(struct fmap *fmap)
568 {
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560 
561 status = pass;
562 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to.
563 return status;
564 
565 }
566 
567 static int fmap_find_test(struct fmap *fmap)
568 {
** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 240 in fmap_print()
________________________________________________________________________________________________________
*** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 240 in fmap_print()
234 kv_pair_fmt(pair, "area_flags_raw", "0x%02x",
235 fmap->areas[i].flags);
236 
237 /* Print descriptive strings for flags rather than the field */
238 flags = fmap->areas[i].flags;
239 if ((str = fmap_flags_to_string(flags)) == NULL)
CID 1302451: Resource leaks (RESOURCE_LEAK) Variable "pair" going out of scope leaks the storage it points to.
240 return -1;
241 kv_pair_fmt(pair, "area_flags", "%s", str);
242 free(str);
243 
244 kv_pair_print(pair);
245 kv_pair_free(pair);
** CID 1241790: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip()
________________________________________________________________________________________________________
*** CID 1241790: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip()
647 static void Bt2_MatchFinder_Skip(struct CMatchFinder *p, uint32_t num)
648 {
649 do
650 {
651 SKIP_HEADER(2)
652 HASH2_CALC;
CID 1241790: Insecure data handling (TAINTED_SCALAR) Using tainted variable "hashValue" as an index to pointer "p->hash".
653 curMatch = p->hash[hashValue];
654 p->hash[hashValue] = p->pos;
655 SKIP_FOOTER
656 }
657 while (--num != 0);
658 }
** CID 1241788: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches()
________________________________________________________________________________________________________
*** CID 1241788: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches()
483 
484 static uint32_t Bt2_MatchFinder_GetMatches(struct CMatchFinder *p, uint32_t *distances)
485 {
486 uint32_t offset;
487 GET_MATCHES_HEADER(2)
488 HASH2_CALC;
CID 1241788: Insecure data handling (TAINTED_SCALAR) Using tainted variable "hashValue" as an index to pointer "p->hash".
489 curMatch = p->hash[hashValue];
490 p->hash[hashValue] = p->pos;
491 offset = 0;
492 GET_MATCHES_FOOTER(offset, 1)
493 }
494 