Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
Coverity Scan found 106 new defect(s) introduced to coreboot. 2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan. Showing 20 of 106 defect(s).
** CID 1429780: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 1429780: Uninitialized variables (UNINIT) /src/mainboard/dell/optiplex_9010/sch5545_ec.c: 619 in sch5545_ec_hwm_init() 613 614 printk(BIOS_DEBUG, "%s\n", __func__); 615 sch5545_emi_init(0x2e); 616 617 chassis_type = get_chassis_type(); 618
CID 1429780: Uninitialized variables (UNINIT) Using uninitialized value "val" when calling "ec_read_write_reg".
619 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, READ_OP); 620 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, WRITE_OP); 621 ec_read_write_reg(EC_HWM_LDN, 0x0042, &val, READ_OP); 622 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, READ_OP); 623 val |= 0x02; 624 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, WRITE_OP);
** CID 1429772: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 1429772: Uninitialized variables (UNINIT) /src/mainboard/dell/optiplex_9010/sch5545_ec.c: 432 in sch5545_get_ec_fw_version() 426 uint16_t sch5545_get_ec_fw_version(void) 427 { 428 uint8_t val; 429 uint16_t ec_fw_version; 430 431 /* Read the FW version currently loaded used by EC */
CID 1429772: Uninitialized variables (UNINIT) Using uninitialized value "val" when calling "ec_read_write_reg".
432 ec_read_write_reg(EC_HWM_LDN, 0x2ad, &val, READ_OP); 433 ec_fw_version = (val << 8); 434 ec_read_write_reg(EC_HWM_LDN, 0x2ae, &val, READ_OP); 435 ec_fw_version |= val; 436 ec_read_write_reg(EC_HWM_LDN, 0x2ac, &val, READ_OP); 437 ec_read_write_reg(EC_HWM_LDN, 0x2fd, &val, READ_OP);
** CID 1429765: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 1429765: Uninitialized variables (UNINIT) /src/mainboard/dell/optiplex_9010/sch5545_ec.c: 513 in sch5545_ec_hwm_early_init() 507 int i; 508 509 printk(BIOS_DEBUG, "%s\n", __func__); 510 511 ec_check_mbox_and_int_status(0x20, 0x01); 512
CID 1429765: Uninitialized variables (UNINIT) Using uninitialized value "val" when calling "ec_read_write_reg".
513 ec_read_write_reg(2, 0xcb, &val, READ_OP); 514 ec_read_write_reg(2, 0xb8, &val, READ_OP); 515 516 for (i = 0; i < ARRAY_SIZE(ec_hwm_init_seq); i++) { 517 val = ec_hwm_init_seq[i].val; 518 ec_read_write_reg(EC_HWM_LDN, ec_hwm_init_seq[i].reg, &val,
** CID 1428711: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1428711: (OVERRUN) /src/vendorcode/eltan/security/mboot/mboot.c: 431 in mb_crtm() 425 tcgEventHdr.pcrIndex = MBOOT_PCR_INDEX_0; 426 tcgEventHdr.eventType = EV_S_CRTM_VERSION; 427 tcgEventHdr.eventSize = sizeof(crtm_version); 428 printk(BIOS_DEBUG, "%s: EventSize - %u\n", __func__, 429 tcgEventHdr.eventSize); 430
CID 1428711: (OVERRUN) Overrunning callee's array of size 32 by passing argument "tcgEventHdr.eventSize" (which evaluates to 67) in call to "mboot_hash_extend_log".
431 status = mboot_hash_extend_log(0, (uint8_t *)crtm_version, tcgEventHdr.eventSize, 432 &tcgEventHdr, (uint8_t *)crtm_version); 433 if (status) { 434 printk(BIOS_DEBUG, "Measure CRTM Version returned 0x%x\n", status); 435 return status; 436 } /src/mainboard/facebook/fbg1701/romstage.c: 78 in mb_crtm() 72 memset(&tcgEventHdr, 0, sizeof(tcgEventHdr)); 73 tcgEventHdr.pcrIndex = MBOOT_PCR_INDEX_0; 74 tcgEventHdr.eventType = EV_S_CRTM_VERSION; 75 tcgEventHdr.eventSize = sizeof(crtm_version); 76 printk(BIOS_DEBUG, "%s: EventSize - %u\n", __func__, tcgEventHdr.eventSize); 77
CID 1428711: (OVERRUN) Overrunning callee's array of size 32 by passing argument "tcgEventHdr.eventSize" (which evaluates to 67) in call to "mboot_hash_extend_log".
78 status = mboot_hash_extend_log(0, (uint8_t *)crtm_version, 79 tcgEventHdr.eventSize, &tcgEventHdr, 80 (uint8_t *)crtm_version); 81 if (status) { 82 printk(BIOS_DEBUG, "Measure CRTM Version returned 0x%x\n", status); 83 } 84 85 return status; 86 }
** CID 1420207: Null pointer dereferences (NULL_RETURNS)
________________________________________________________________________________________________________ *** CID 1420207: Null pointer dereferences (NULL_RETURNS) /src/superio/nuvoton/npcd378/superio.c: 328 in npcd378_ssdt_pwr() 322 323 acpigen_pop_len(); /* Pop SIOS method */ 324 325 acpigen_pop_len(); /* Pop Scope */ 326 327 /* Inject into parent: */
CID 1420207: Null pointer dereferences (NULL_RETURNS) Dereferencing a pointer that might be "NULL" "acpi_device_scope(dev)" when calling "acpigen_write_scope".
328 acpigen_write_scope(acpi_device_scope(dev)); 329 330 acpigen_write_name_integer("MSFG", 1); 331 acpigen_write_name_integer("KBFG", 1); 332 acpigen_write_name_integer("PMFG", 0); 333
** CID 1419488: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1419488: Null pointer dereferences (FORWARD_NULL) /src/superio/common/generic.c: 20 in generic_set_resources() 14 15 for (res = dev->resource_list; res; res = res->next) { 16 if (!(res->flags & IORESOURCE_ASSIGNED)) 17 continue; 18 19 res->flags |= IORESOURCE_STORED;
CID 1419488: Null pointer dereferences (FORWARD_NULL) Passing "dev" to "report_resource_stored", which dereferences null "dev->link_list".
20 report_resource_stored(dev, res, ""); 21 } 22 } 23 24 static void generic_read_resources(struct device *dev) 25 {
** CID 1419483: Memory - corruptions (OVERRUN) /src/vendorcode/eltan/security/verified_boot/vboot_check.c: 85 in verified_boot_check_manifest()
________________________________________________________________________________________________________ *** CID 1419483: Memory - corruptions (OVERRUN) /src/vendorcode/eltan/security/verified_boot/vboot_check.c: 85 in verified_boot_check_manifest() 79 pre->body_signature.data_size = CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS * 80 DIGEST_SIZE; 81 pre->body_signature.sig_offset = sizeof(struct vb2_signature) + 82 pre->body_signature.data_size; 83 pre->body_signature.sig_size = size - pre->body_signature.data_size; 84 sd->workbuf_used += size;
CID 1419483: Memory - corruptions (OVERRUN) Overrunning struct type vb2_signature of 24 bytes by passing it to a function which accesses it at byte offset 663 using argument "size" (which evaluates to 640). [Note: The source code implementation of the function has been overridden by a builtin model.]
85 memcpy((void *)((void *)&pre->body_signature + (long)sizeof(struct vb2_signature)), 86 (uint8_t *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC, size); 87 88 89 if (vb2api_verify_kernel_data(ctx, (void *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC, 90 pre->body_signature.data_size))
** CID 1407750: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 50 in sbi_check_extension()
________________________________________________________________________________________________________ *** CID 1407750: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 50 in sbi_check_extension() 44 * by checking the feature bits of the platform. We can create a map 45 * between extension ID & feature and use a generic function to check 46 * or just use a switch case for every new extension support added 47 * TODO: Implement it. 48 */ 49
CID 1407750: Control flow issues (NO_EFFECT) This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "extid >= SBI_EXT_0_1_SET_TIMER".
50 if ((extid >= SBI_EXT_0_1_SET_TIMER && 51 extid <= SBI_EXT_0_1_SHUTDOWN) || (extid == SBI_EXT_BASE)) { 52 *out_val = 1; 53 } else if (extid >= SBI_EXT_VENDOR_START && 54 extid <= SBI_EXT_VENDOR_END) { 55 *out_val = sbi_platform_vendor_ext_check(
** CID 1407740: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/sbi/sbi_trap.c: 131 in sbi_trap_redirect()
________________________________________________________________________________________________________ *** CID 1407740: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/sbi/sbi_trap.c: 131 in sbi_trap_redirect() 125 hstatus = csr_read(CSR_HSTATUS); 126 hstatus &= ~HSTATUS_SP2P; 127 hstatus |= (regs->mstatus & MSTATUS_SPP) ? HSTATUS_SP2P : 0; 128 hstatus &= ~HSTATUS_SP2V; 129 hstatus |= (hstatus & HSTATUS_SPV) ? HSTATUS_SP2V : 0; 130 hstatus &= ~HSTATUS_SPV;
CID 1407740: Control flow issues (DEADCODE) Execution cannot reach the expression "0UL" inside this statement: "hstatus |= (prev_virt ? 128...".
131 hstatus |= (prev_virt) ? HSTATUS_SPV : 0; 132 hstatus &= ~HSTATUS_STL; 133 hstatus |= (prev_stage2) ? HSTATUS_STL : 0; 134 csr_write(CSR_HSTATUS, hstatus); 135 } 136
** CID 1407737: Error handling issues (CHECKED_RETURN) /src/drivers/spi/spi_sdcard.c: 357 in spi_sdcard_do_app_command()
________________________________________________________________________________________________________ *** CID 1407737: Error handling issues (CHECKED_RETURN) /src/drivers/spi/spi_sdcard.c: 357 in spi_sdcard_do_app_command() 351 static int spi_sdcard_do_app_command(const struct spi_sdcard *card, 352 uint8_t cmd, 353 uint32_t argument, 354 uint32_t *out_register) 355 { 356 /* CMD55 */
CID 1407737: Error handling issues (CHECKED_RETURN) Calling "spi_sdcard_do_command" without checking return value (as is done elsewhere 15 out of 17 times).
357 spi_sdcard_do_command(card, APP_CMD, 0, NULL); 358 return spi_sdcard_do_command_help(card, 1, cmd, argument, out_register); 359 } 360 361 362 size_t spi_sdcard_size(const struct spi_sdcard *card)
** CID 1407730: (SWAPPED_ARGUMENTS)
________________________________________________________________________________________________________ *** CID 1407730: (SWAPPED_ARGUMENTS) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 217 in sbi_ecall_handler() 211 } else if (extension_id == SBI_EXT_BASE) 212 ret = sbi_ecall_base_handler(scratch, extension_id, func_id, 213 args, &out_val, 214 &out_tval, &out_tcause); 215 else if (extension_id >= SBI_EXT_VENDOR_START && 216 extension_id <= SBI_EXT_VENDOR_END) {
CID 1407730: (SWAPPED_ARGUMENTS) The positions of arguments in the call to "sbi_ecall_vendor_ext_handler" do not match the ordering of the parameters:
* "&out_tval" is passed to "out_tcause" * "&out_tcause" is passed to "out_tval" 217 ret = sbi_ecall_vendor_ext_handler(scratch, extension_id, 218 func_id, args, &out_val, 219 &out_tval, &out_tcause); 220 } else { 221 ret = SBI_ENOTSUPP; 222 } /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 212 in sbi_ecall_handler() 206 if (extension_id >= SBI_EXT_0_1_SET_TIMER && 207 extension_id <= SBI_EXT_0_1_SHUTDOWN) { 208 ret = sbi_ecall_0_1_handler(scratch, extension_id, args, 209 &out_tval, &out_tcause); 210 is_0_1_spec = 1; 211 } else if (extension_id == SBI_EXT_BASE)
CID 1407730: (SWAPPED_ARGUMENTS) The positions of arguments in the call to "sbi_ecall_base_handler" do not match the ordering of the parameters:
* "&out_tval" is passed to "out_tcause" * "&out_tcause" is passed to "out_tval" 212 ret = sbi_ecall_base_handler(scratch, extension_id, func_id, 213 args, &out_val, 214 &out_tval, &out_tcause); 215 else if (extension_id >= SBI_EXT_VENDOR_START && 216 extension_id <= SBI_EXT_VENDOR_END) { 217 ret = sbi_ecall_vendor_ext_handler(scratch, extension_id,
** CID 1407727: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 206 in sbi_ecall_handler()
________________________________________________________________________________________________________ *** CID 1407727: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 206 in sbi_ecall_handler() 200 args[1] = regs->a1; 201 args[2] = regs->a2; 202 args[3] = regs->a3; 203 args[4] = regs->a4; 204 args[5] = regs->a5; 205
CID 1407727: Control flow issues (NO_EFFECT) This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "extension_id >= SBI_EXT_0_1_SET_TIMER".
206 if (extension_id >= SBI_EXT_0_1_SET_TIMER && 207 extension_id <= SBI_EXT_0_1_SHUTDOWN) { 208 ret = sbi_ecall_0_1_handler(scratch, extension_id, args, 209 &out_tval, &out_tcause); 210 is_0_1_spec = 1; 211 } else if (extension_id == SBI_EXT_BASE)
** CID 1407723: Control flow issues (MISSING_BREAK) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 105 in sbi_ecall_base_handler()
________________________________________________________________________________________________________ *** CID 1407723: Control flow issues (MISSING_BREAK) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 105 in sbi_ecall_base_handler() 99 case SBI_EXT_BASE_GET_MARCHID: 100 *out_val = csr_read(CSR_MARCHID); 101 break; 102 case SBI_EXT_BASE_GET_MIMPID: 103 *out_val = csr_read(CSR_MIMPID); 104 break;
CID 1407723: Control flow issues (MISSING_BREAK) The case for value "SBI_EXT_BASE_PROBE_EXT" is not terminated by a 'break' statement.
105 case SBI_EXT_BASE_PROBE_EXT: 106 ret = sbi_check_extension(scratch, args[0], out_val); 107 default: 108 ret = SBI_ENOTSUPP; 109 } 110
** CID 1407720: (RESOURCE_LEAK) /src/lib/bootsplash.c: 37 in set_bootsplash() /src/lib/bootsplash.c: 40 in set_bootsplash()
________________________________________________________________________________________________________ *** CID 1407720: (RESOURCE_LEAK) /src/lib/bootsplash.c: 37 in set_bootsplash() 31 decdata = malloc(sizeof(*decdata)); 32 int ret = jpeg_decode(jpeg, framebuffer, x_resolution, y_resolution, fb_resolution, 33 decdata); 34 if (ret != 0) { 35 printk(BIOS_ERR, "Bootsplash could not be decoded. jpeg_decode returned %d.\n", 36 ret);
CID 1407720: (RESOURCE_LEAK) Variable "decdata" going out of scope leaks the storage it points to.
37 return; 38 } 39 printk(BIOS_INFO, "Bootsplash loaded\n"); /src/lib/bootsplash.c: 40 in set_bootsplash() 34 if (ret != 0) { 35 printk(BIOS_ERR, "Bootsplash could not be decoded. jpeg_decode returned %d.\n", 36 ret); 37 return; 38 } 39 printk(BIOS_INFO, "Bootsplash loaded\n");
CID 1407720: (RESOURCE_LEAK) Variable "decdata" going out of scope leaks the storage it points to.
** CID 1407713: Uninitialized variables (UNINIT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 238 in sbi_ecall_handler()
________________________________________________________________________________________________________ *** CID 1407713: Uninitialized variables (UNINIT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 238 in sbi_ecall_handler() 232 * accordingly for now. Once fatal errors are defined, that 233 * case should be handled differently. 234 */ 235 regs->mepc += 4; 236 regs->a0 = ret; 237 if (!is_0_1_spec)
CID 1407713: Uninitialized variables (UNINIT) Using uninitialized value "out_val".
238 regs->a1 = out_val; 239 } 240 241 return 0;
** CID 1407708: Code maintainability issues (UNUSED_VALUE) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 106 in sbi_ecall_base_handler()
________________________________________________________________________________________________________ *** CID 1407708: Code maintainability issues (UNUSED_VALUE) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 106 in sbi_ecall_base_handler() 100 *out_val = csr_read(CSR_MARCHID); 101 break; 102 case SBI_EXT_BASE_GET_MIMPID: 103 *out_val = csr_read(CSR_MIMPID); 104 break; 105 case SBI_EXT_BASE_PROBE_EXT:
CID 1407708: Code maintainability issues (UNUSED_VALUE) Assigning value from "sbi_check_extension(scratch, args[0], out_val)" to "ret" here, but that stored value is overwritten before it can be used.
106 ret = sbi_check_extension(scratch, args[0], out_val); 107 default: 108 ret = SBI_ENOTSUPP; 109 } 110 111 return ret;
** CID 1405309: Incorrect expression (COPY_PASTE_ERROR) /src/superio/common/ssdt.c: 55 in superio_guess_function()
________________________________________________________________________________________________________ *** CID 1405309: Incorrect expression (COPY_PASTE_ERROR) /src/superio/common/ssdt.c: 55 in superio_guess_function() 49 if (!res || !res->size) 50 continue; 51 for (size_t j = 0; j < ARRAY_SIZE(superio_devs); j++) { 52 for (size_t k = 0; k < 2; k++) { 53 if (!superio_devs[j].irq[k]) 54 continue;
CID 1405309: Incorrect expression (COPY_PASTE_ERROR) "base" in "res->base" looks like a copy-paste error.
55 if (superio_devs[j].irq[k] == res->base) 56 return &superio_devs[j]; 57 } 58 } 59 } 60 return NULL;
** CID 1402174: (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbPcieInitLibV4/PcieWrapperServicesV4.c: 247 in PcieTopologySetLinkReversalV4() /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbPcieInitLibV4/PcieWrapperServicesV4.c: 201 in PcieTopologySetLinkReversalV4()
________________________________________________________________________________________________________ *** CID 1402174: (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbPcieInitLibV4/PcieWrapperServicesV4.c: 247 in PcieTopologySetLinkReversalV4() 241 FALSE, 242 Pcie 243 ); 244 } 245 } 246 }
CID 1402174: (ARRAY_VS_SINGLETON) Using "EngineList" as an array. This might corrupt or misinterpret adjacent memory locations.
247 EngineList = PcieLibGetNextDescriptor (EngineList); 248 } 249 IDS_HDT_CONSOLE (GNB_TRACE, "PcieTopologySetLinkReversal Exit\n"); /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbPcieInitLibV4/PcieWrapperServicesV4.c: 201 in PcieTopologySetLinkReversalV4() 195 FALSE, 196 Pcie 197 ); 198 } 199 } 200 }
CID 1402174: (ARRAY_VS_SINGLETON) Using "EngineList" as an array. This might corrupt or misinterpret adjacent memory locations.
201 EngineList = PcieLibGetNextDescriptor (EngineList); 202 } 203 IDS_HDT_CONSOLE (GNB_TRACE, "PcieTopologySetLinkReversal Exit\n");
** CID 1402170: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbInitTN/PcieConfigTN.c: 405 in PcieConfigureGppEnginesLaneAllocationTN()
________________________________________________________________________________________________________ *** CID 1402170: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f15tn/Proc/GNB/Modules/GnbInitTN/PcieConfigTN.c: 405 in PcieConfigureGppEnginesLaneAllocationTN() 399 CoreLaneIndex = 0; 400 PortIdIndex = 0; 401 while (EnginesList != NULL) { 402 PcieConfigResetDescriptorFlags (EnginesList, DESCRIPTOR_ALLOCATED); 403 EnginesList->Type.Port.StartCoreLane = GppLaneConfigurationTable [ConfigurationId][CoreLaneIndex++]; 404 EnginesList->Type.Port.EndCoreLane = GppLaneConfigurationTable [ConfigurationId][CoreLaneIndex++];
CID 1402170: Memory - corruptions (ARRAY_VS_SINGLETON) Using "EnginesList" as an array. This might corrupt or misinterpret adjacent memory locations.
405 EnginesList = PcieLibGetNextDescriptor (EnginesList); 406 } 407 return AGESA_SUCCESS; 408 } 409 410
** CID 1402165: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieConfigKB.c: 193 in PcieConfigurePcieEnginesLaneAllocation()
________________________________________________________________________________________________________ *** CID 1402165: Memory - corruptions (ARRAY_VS_SINGLETON) /src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbInitKB/PcieConfigKB.c: 193 in PcieConfigurePcieEnginesLaneAllocation() 187 while (EnginesList != NULL) { 188 if (PcieLibIsPcieEngine (EnginesList)) { 189 PcieConfigResetDescriptorFlags (EnginesList, DESCRIPTOR_ALLOCATED); 190 EnginesList->Type.Port.StartCoreLane = PcieLaneConfig->ConfigTable[CoreLaneIndex++]; 191 EnginesList->Type.Port.EndCoreLane = PcieLaneConfig->ConfigTable[CoreLaneIndex++]; 192 }
CID 1402165: Memory - corruptions (ARRAY_VS_SINGLETON) Using "EnginesList" as an array. This might corrupt or misinterpret adjacent memory locations.
193 EnginesList = PcieLibGetNextDescriptor (EnginesList); 194 } 195 return AGESA_SUCCESS; 196 } 197 198 /*----------------------------------------------------------------------------------------*/
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklA...