Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
6 new defect(s) introduced to coreboot found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 6 of 6 defect(s)
** CID 1500223: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 140 in read_bios_directory() /util/amdfwtool/amdfwread.c: 141 in read_bios_directory()
________________________________________________________________________________________________________ *** CID 1500223: (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 140 in read_bios_directory() 134 header->cookie, expected_cookie); 135 return 1; 136 } 137 138 /* Read the entries */ 139 *num_entries = header->num_entries;
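CID 1500223: (TAINTED_SCALAR) Passing tainted expression "24UL * header->num_entries" to "malloc", which uses it as an allocation size. [Note: The source code implementation of the function has been overridden by a builtin model.] (In the lines shown, header->num_entries is used as the element count directly after the cookie check with no upper bound applied, and the malloc() result on line 140 is passed to fread() on line 141 without a NULL check.)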
140 *entries = malloc(sizeof(bios_directory_entry) * header->num_entries); 141 if (fread(*entries, sizeof(bios_directory_entry), header->num_entries, fw) 142 != header->num_entries) { 143 ERR("Failed to read %d BIOS entries\n", header->num_entries); 144 return 1; 145 } /util/amdfwtool/amdfwread.c: 141 in read_bios_directory() 135 return 1; 136 } 137 138 /* Read the entries */ 139 *num_entries = header->num_entries; 140 *entries = malloc(sizeof(bios_directory_entry) * header->num_entries);
CID 1500223: (TAINTED_SCALAR) Passing tainted expression "header->num_entries" to "fread", which uses it as an offset.
141 if (fread(*entries, sizeof(bios_directory_entry), header->num_entries, fw) 142 != header->num_entries) { 143 ERR("Failed to read %d BIOS entries\n", header->num_entries); 144 return 1; 145 } 146
** CID 1500222: Control flow issues (DEADCODE) /src/soc/mediatek/mt8188/ddp.c: 103 in main_disp_path_setup()
________________________________________________________________________________________________________ *** CID 1500222: Control flow issues (DEADCODE) /src/soc/mediatek/mt8188/ddp.c: 103 in main_disp_path_setup() 97 static void main_disp_path_setup(u32 width, u32 height, u32 vrefresh) 98 { 99 u32 idx; 100 const u32 pixel_clk = width * height * vrefresh; 101 102 for (idx = 0; idx < MAIN_PATH_OVL_NR; idx++) {
CID 1500222: Control flow issues (DEADCODE) Execution cannot reach the expression "0U" inside this statement: "ovl_set_roi(idx, width, hei...".
103 ovl_set_roi(idx, width, height, idx ? 0 : 0xff0000ff); 104 ovl_layer_smi_id_en(idx); 105 ovl_layer_gclast_en(idx); 106 ovl_layer_output_clamp_en(idx); 107 ovl_layer_en(idx); 108 }
** CID 1500221: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 260 in amdfw_bios_dir_walk()
________________________________________________________________________________________________________ *** CID 1500221: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 260 in amdfw_bios_dir_walk() 254 255 if (read_bios_directory(fw, bios_offset, cookie, &header, 256 &current_entries, &num_current_entries) != 0) 257 return 1; 258 259 do_indentation_string(indent, level);
CID 1500221: Insecure data handling (TAINTED_SCALAR) Using tainted variable "num_current_entries" as a loop boundary.
260 for (size_t i = 0; i < num_current_entries; i++) { 261 uint32_t type = current_entries[i].type; 262 uint64_t mode = current_entries[i].address_mode; 263 uint64_t addr = current_entries[i].source; 264 265 if (type == AMD_BIOS_APOB || type == AMD_BIOS_PSP_SHARED_MEM)
** CID 1500220: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 312 in amdfw_psp_dir_walk()
________________________________________________________________________________________________________ *** CID 1500220: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 312 in amdfw_psp_dir_walk() 306 uint32_t ish_dir_offset = 0; 307 ish_directory_table ish_dir; 308 char indent[MAX_INDENTATION_LEN] = {0}; 309 310 if (read_psp_directory(fw, psp_offset, cookie, &header, 311 &current_entries, &num_current_entries) != 0)
CID 1500220: Resource leaks (RESOURCE_LEAK) Variable "current_entries" going out of scope leaks the storage it points to.
312 return 1; 313 314 do_indentation_string(indent, level); 315 for (size_t i = 0; i < num_current_entries; i++) { 316 uint32_t type = current_entries[i].type; 317 uint64_t mode = current_entries[i].address_mode;
** CID 1500219: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 315 in amdfw_psp_dir_walk()
________________________________________________________________________________________________________ *** CID 1500219: Insecure data handling (TAINTED_SCALAR) /util/amdfwtool/amdfwread.c: 315 in amdfw_psp_dir_walk() 309 310 if (read_psp_directory(fw, psp_offset, cookie, &header, 311 &current_entries, &num_current_entries) != 0) 312 return 1; 313 314 do_indentation_string(indent, level);
CID 1500219: Insecure data handling (TAINTED_SCALAR) Using tainted variable "num_current_entries" as a loop boundary.
315 for (size_t i = 0; i < num_current_entries; i++) { 316 uint32_t type = current_entries[i].type; 317 uint64_t mode = current_entries[i].address_mode; 318 uint64_t addr = current_entries[i].addr; 319 320 if (type == AMD_PSP_FUSE_CHAIN)
** CID 1500218: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 257 in amdfw_bios_dir_walk()
________________________________________________________________________________________________________ *** CID 1500218: Resource leaks (RESOURCE_LEAK) /util/amdfwtool/amdfwread.c: 257 in amdfw_bios_dir_walk() 251 bios_directory_hdr header; 252 uint32_t l2_dir_offset = 0; 253 char indent[MAX_INDENTATION_LEN] = {0}; 254 255 if (read_bios_directory(fw, bios_offset, cookie, &header, 256 &current_entries, &num_current_entries) != 0)
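CID 1500218: Resource leaks (RESOURCE_LEAK) Variable "current_entries" going out of scope leaks the storage it points to. (The path appears in the read_bios_directory() excerpt for CID 1500223: when fread() comes up short at line 141 the function returns 1 with the buffer from line 140 still allocated, and this caller returns at line 257 without freeing it.)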
257 return 1; 258 259 do_indentation_string(indent, level); 260 for (size_t i = 0; i < num_current_entries; i++) { 261 uint32_t type = current_entries[i].type; 262 uint64_t mode = current_entries[i].address_mode;