Hi,
Please find below the latest report on new defect(s) that Coverity Scan found in coreboot.
Coverity Scan found 12 new defect(s) introduced to coreboot. 2 defect(s) reported earlier by Coverity Scan were marked fixed in the most recent build it analyzed.
New defect(s) Reported-by: Coverity Scan Showing 12 of 12 defect(s)
** CID 1458079: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/alderlake/crashlog.c: 68 in pmc_cl_discovery()
________________________________________________________________________________________________________ *** CID 1458079: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/alderlake/crashlog.c: 68 in pmc_cl_discovery() 62 tmp_bar_addr = SPI_BASE_ADDRESS; 63 pci_write_config32(PCH_DEV_SRAM, PCI_BASE_ADDRESS_0, tmp_bar_addr); 64 pci_or_config16(PCH_DEV_SRAM, PCI_COMMAND, PCI_COMMAND_MEMORY); 65 66 if (discovery_buf.bits.discov_mechanism == 1) { 67 /* discovery mode */
CID 1458079: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "discovery_buf.bits.base_offset & (2147483648UL /* 1UL << 31 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if". In other words, the base_offset bit-field appears to be too narrow to ever hold bit 31, so the "PCH discovery ... disabled" branch that follows on line 68 can never be taken; confirm the bit-field width in the discovery_buf definition and which bit of the raw discovery value actually carries the disabled state.
68 if (discovery_buf.bits.base_offset & BIT(31)) { 69 printk(BIOS_DEBUG, "PCH discovery to be used is disabled.\n"); 70 m_pmc_crashLog_present = false; 71 m_pmc_crashLog_size = 0; 72 return false; 73 }
** CID 1458078: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458078: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/alderlake/crashlog.c: 45 in pmc_cl_discovery() 39 40 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 41 PMC_IPC_CMD_ID_CRASHLOG_DISCOVERY, 42 PMC_IPC_CMD_SIZE_SHIFT); 43 printk(BIOS_DEBUG, "cmd_reg from pmc_make_ipc_cmd %d\n", cmd_reg); 44
CID 1458078: Null pointer dereferences (FORWARD_NULL) Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
45 r = pmc_send_ipc_cmd(cmd_reg, req, res); 46 47 if (r < 0) { 48 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 49 return false; 50 }
** CID 1458077: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458077: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/alderlake/crashlog.c: 45 in pmc_cl_discovery() 39 40 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 41 PMC_IPC_CMD_ID_CRASHLOG_DISCOVERY, 42 PMC_IPC_CMD_SIZE_SHIFT); 43 printk(BIOS_DEBUG, "cmd_reg from pmc_make_ipc_cmd %d\n", cmd_reg); 44
CID 1458077: Null pointer dereferences (FORWARD_NULL) Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
45 r = pmc_send_ipc_cmd(cmd_reg, req, res); 46 47 if (r < 0) { 48 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 49 return false; 50 }
** CID 1458076: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458076: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/common/block/crashlog/crashlog.c: 256 in cl_pmc_en_gen_on_all_reboot() 250 int r; 251 252 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 253 PMC_IPC_CMD_ID_CRASHLOG_ON_RESET, 254 PMC_IPC_CMD_SIZE_SHIFT); 255
CID 1458076: Null pointer dereferences (FORWARD_NULL) Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
256 r = pmc_send_ipc_cmd(cmd_reg, req, res); 257 258 if (r < 0) { 259 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 260 return 0; 261 }
** CID 1458075: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458075: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/common/block/crashlog/crashlog.c: 206 in cl_pmc_re_arm_after_reset() 200 int r; 201 202 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 203 PMC_IPC_CMD_ID_CRASHLOG_RE_ARM_ON_RESET, 204 PMC_IPC_CMD_SIZE_SHIFT); 205
CID 1458075: Null pointer dereferences (FORWARD_NULL) Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
206 r = pmc_send_ipc_cmd(cmd_reg, req, res); 207 208 if (r < 0) { 209 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 210 return 0; 211 }
** CID 1458074: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/alderlake/crashlog.c: 144 in cpu_cl_get_capability()
________________________________________________________________________________________________________ *** CID 1458074: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/alderlake/crashlog.c: 144 in cpu_cl_get_capability() 138 139 /* walk through the entries until crashLog entry */ 140 cl_devsc_cap->devsc_data.data_32[1] = pci_read_config32(SA_DEV_TMT, TEL_DVSEV_ID); 141 int new_offset = 0; 142 while (cl_devsc_cap->devsc_data.fields.devsc_id != CRASHLOG_DVSEC_ID) { 143 if (cl_devsc_cap->cap_data.fields.next_cap_offset == 0
CID 1458074: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "cl_devsc_cap->cap_data.fields.next_cap_offset == 65535" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". Because the next_cap_offset bit-field cannot represent 0xFFFF, the guard on lines 143-144 only ever rejects a zero offset; an all-ones next-capability pointer read back from the device is not caught by the check as written, so the guard does not cover the case it was apparently written for — confirm the field width against the struct definition.
144 || cl_devsc_cap->cap_data.fields.next_cap_offset == 0xFFFF) { 145 printk(BIOS_DEBUG, "Read invalid pcie_cap_id value: 0x%x\n", 146 cl_devsc_cap->cap_data.fields.pcie_cap_id); 147 return false; 148 } 149 new_offset = cl_devsc_cap->cap_data.fields.next_cap_offset;
** CID 1458073: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458073: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/common/block/crashlog/crashlog.c: 206 in cl_pmc_re_arm_after_reset() 200 int r; 201 202 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 203 PMC_IPC_CMD_ID_CRASHLOG_RE_ARM_ON_RESET, 204 PMC_IPC_CMD_SIZE_SHIFT); 205
CID 1458073: Null pointer dereferences (FORWARD_NULL) Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
206 r = pmc_send_ipc_cmd(cmd_reg, req, res); 207 208 if (r < 0) { 209 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 210 return 0; 211 }
** CID 1458072: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/common/block/crashlog/crashlog.c: 342 in cl_get_pmc_sram_data()
________________________________________________________________________________________________________ *** CID 1458072: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/common/block/crashlog/crashlog.c: 342 in cl_get_pmc_sram_data() 336 printk(BIOS_DEBUG, "PCH crashlog feature not supported.\n"); 337 goto pmc_send_re_arm_after_reset; 338 } 339 340 /* Get the size of data to copy */ 341 if (discovery_buf.bits.discov_mechanism == 1) {
CID 1458072: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "discovery_buf.bits.base_offset & (2147483648UL /* 1UL << 31 */)" is always 0 regardless of the values of its operands. This occurs as the logical operand of "if". In other words, the base_offset bit-field appears to be too narrow to ever hold bit 31, so the "PCH discovery ... disabled" branch on line 342 is unreachable; this is the same expression flagged as CID 1458079 in the Alder Lake pmc_cl_discovery().
342 if (discovery_buf.bits.base_offset & BIT(31)) { 343 printk(BIOS_DEBUG, "PCH discovery to be used is disabled.\n"); 344 goto pmc_send_re_arm_after_reset; 345 } 346 printk(BIOS_DEBUG, "PMC crashLog size in discovery mode : 0x%X\n", 347 pmc_crashLog_size);
** CID 1458071: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458071: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/common/block/crashlog/crashlog.c: 229 in cl_pmc_clear() 223 int r; 224 225 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 226 PMC_IPC_CMD_ID_CRASHLOG_ERASE, 227 PMC_IPC_CMD_SIZE_SHIFT); 228
CID 1458071: Null pointer dereferences (FORWARD_NULL) Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
229 r = pmc_send_ipc_cmd(cmd_reg, req, res); 230 231 if (r < 0) { 232 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 233 return 0; 234 }
** CID 1458070: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458070: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/common/block/crashlog/crashlog.c: 256 in cl_pmc_en_gen_on_all_reboot() 250 int r; 251 252 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 253 PMC_IPC_CMD_ID_CRASHLOG_ON_RESET, 254 PMC_IPC_CMD_SIZE_SHIFT); 255
CID 1458070: Null pointer dereferences (FORWARD_NULL) Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
256 r = pmc_send_ipc_cmd(cmd_reg, req, res); 257 258 if (r < 0) { 259 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 260 return 0; 261 }
** CID 1458069: (OVERRUN) /src/soc/intel/common/block/crashlog/crashlog.c: 168 in pmc_cl_gen_descriptor_table() /src/soc/intel/common/block/crashlog/crashlog.c: 170 in pmc_cl_gen_descriptor_table() /src/soc/intel/common/block/crashlog/crashlog.c: 169 in pmc_cl_gen_descriptor_table()
________________________________________________________________________________________________________ *** CID 1458069: (OVERRUN) /src/soc/intel/common/block/crashlog/crashlog.c: 168 in pmc_cl_gen_descriptor_table() 162 int total_data_size = 0; 163 descriptor_table->numb_regions = read32((u32 *)desc_table_addr); 164 printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x at addr 0x%x\n", 165 descriptor_table->numb_regions, desc_table_addr); 166 for (int i = 0; i < descriptor_table->numb_regions; i++) { 167 desc_table_addr += 4;
CID 1458069: (OVERRUN) Overrunning array "descriptor_table->regions" of 256 4-byte elements at element index 256 (byte offset 1027) using index "i" (which evaluates to 256). The bound check "if (i > 255)" at line 173 runs only after the write and reads of regions[i] at lines 168-172, and numb_regions is taken directly from the descriptor table via read32() at line 163, so a table advertising more than 256 regions causes one element to be written past the end of regions before the loop breaks; the bound needs to be checked before the element is indexed.
168 descriptor_table->regions[i].data = read32((u32 *)(desc_table_addr)); 169 total_data_size += descriptor_table->regions[i].bits.size * sizeof(u32); 170 printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has size 0x%x at offset 0x%x\n", 171 i, descriptor_table->regions[i].bits.size, 172 descriptor_table->regions[i].bits.offset); 173 if (i > 255) { /src/soc/intel/common/block/crashlog/crashlog.c: 170 in pmc_cl_gen_descriptor_table() 164 printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x at addr 0x%x\n", 165 descriptor_table->numb_regions, desc_table_addr); 166 for (int i = 0; i < descriptor_table->numb_regions; i++) { 167 desc_table_addr += 4; 168 descriptor_table->regions[i].data = read32((u32 *)(desc_table_addr)); 169 total_data_size += descriptor_table->regions[i].bits.size * sizeof(u32);
CID 1458069: (OVERRUN) Overrunning array "descriptor_table->regions" of 256 4-byte elements at element index 256 (byte offset 1027) using index "i" (which evaluates to 256).
170 printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has size 0x%x at offset 0x%x\n", 171 i, descriptor_table->regions[i].bits.size, 172 descriptor_table->regions[i].bits.offset); 173 if (i > 255) { 174 printk(BIOS_ERR, "More than 255 regions in PMC crashLog descriptor table"); 175 break; /src/soc/intel/common/block/crashlog/crashlog.c: 169 in pmc_cl_gen_descriptor_table() 163 descriptor_table->numb_regions = read32((u32 *)desc_table_addr); 164 printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x at addr 0x%x\n", 165 descriptor_table->numb_regions, desc_table_addr); 166 for (int i = 0; i < descriptor_table->numb_regions; i++) { 167 desc_table_addr += 4; 168 descriptor_table->regions[i].data = read32((u32 *)(desc_table_addr));
CID 1458069: (OVERRUN) Overrunning array "descriptor_table->regions" of 256 4-byte elements at element index 256 (byte offset 1027) using index "i" (which evaluates to 256).
169 total_data_size += descriptor_table->regions[i].bits.size * sizeof(u32); 170 printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has size 0x%x at offset 0x%x\n", 171 i, descriptor_table->regions[i].bits.size, 172 descriptor_table->regions[i].bits.offset); 173 if (i > 255) { 174 printk(BIOS_ERR, "More than 255 regions in PMC crashLog descriptor table");
** CID 1458068: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1458068: Null pointer dereferences (FORWARD_NULL) /src/soc/intel/common/block/crashlog/crashlog.c: 229 in cl_pmc_clear() 223 int r; 224 225 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG, 226 PMC_IPC_CMD_ID_CRASHLOG_ERASE, 227 PMC_IPC_CMD_SIZE_SHIFT); 228
CID 1458068: Null pointer dereferences (FORWARD_NULL) Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
229 r = pmc_send_ipc_cmd(cmd_reg, req, res); 230 231 if (r < 0) { 232 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__); 233 return 0; 234 }
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...