Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
Coverity Scan found 26 new defect(s) introduced to coreboot. 2 defect(s) reported earlier by Coverity Scan were marked fixed in the most recent build it analyzed.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 26 defect(s)
** CID 1458462: Resource leaks (RESOURCE_LEAK) /util/kconfig/confdata.c: 1149 in conf_write_autoconf()
________________________________________________________________________________________________________ *** CID 1458462: Resource leaks (RESOURCE_LEAK) /util/kconfig/confdata.c: 1149 in conf_write_autoconf() 1143 return 1; 1144 1145 name = getenv("KCONFIG_AUTOHEADER"); 1146 if (!name) 1147 name = "include/generated/autoconf.h"; 1148 if (make_parent_dir(name))
CID 1458462: Resource leaks (RESOURCE_LEAK) Variable "out" going out of scope leaks the storage it points to.
1149 return 1; 1150 char filename_h[PATH_MAX]; 1151 int fd_h = conf_mktemp(name, filename_h); 1152 if (fd_h == -1) 1153 return 1; 1154 out_h = fdopen(fd_h, "w");
** CID 1458461: Resource leaks (RESOURCE_LEAK) /util/kconfig/menu.c: 212 in menu_add_symbol()
________________________________________________________________________________________________________ *** CID 1458461: Resource leaks (RESOURCE_LEAK) /util/kconfig/menu.c: 212 in menu_add_symbol() 206 { 207 menu_add_prop(type, expr, dep); 208 } 209 210 void menu_add_symbol(enum prop_type type, struct symbol *sym, struct expr *dep) 211 {
CID 1458461: Resource leaks (RESOURCE_LEAK) Ignoring storage allocated by "menu_add_prop(type, expr_alloc_symbol(sym), dep)" leaks it.
212 menu_add_prop(type, expr_alloc_symbol(sym), dep); 213 } 214 215 static int menu_validate_number(struct symbol *sym, struct symbol *sym2) 216 { 217 return sym2->type == S_INT || sym2->type == S_HEX ||
** CID 1458460: Security best practices violations (STRING_OVERFLOW) /util/kconfig/confdata.c: 1049 in conf_touch_deps()
________________________________________________________________________________________________________ *** CID 1458460: Security best practices violations (STRING_OVERFLOW) /util/kconfig/confdata.c: 1049 in conf_touch_deps() 1043 static int conf_touch_deps(void) 1044 { 1045 const char *name; 1046 struct symbol *sym; 1047 int res, i; 1048
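CID 1458460: Security best practices violations (STRING_OVERFLOW) You might overrun the 4096-character fixed-size string "depfile_path" by copying the return value of "conf_get_autobase_name" without checking the length. [Triage note: the strcpy() at line 1049 is unbounded. A copy limited to the size of depfile_path, with the truncation case treated as an error, would close this.]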
1049 strcpy(depfile_path, conf_get_autobase_name()); 1050 depfile_prefix_len = strlen(depfile_path); 1051 1052 name = conf_get_autoconfig_name(); 1053 conf_read_simple(name, S_DEF_AUTO); 1054 sym_calc_value(modules_sym);
** CID 1458459: Resource leaks (RESOURCE_LEAK) /util/kconfig/menu.c: 207 in menu_add_expr()
________________________________________________________________________________________________________ *** CID 1458459: Resource leaks (RESOURCE_LEAK) /util/kconfig/menu.c: 207 in menu_add_expr() 201 current_entry->visibility = expr_alloc_and(current_entry->visibility, 202 expr); 203 } 204 205 void menu_add_expr(enum prop_type type, struct expr *expr, struct expr *dep) 206 {
CID 1458459: Resource leaks (RESOURCE_LEAK) Ignoring storage allocated by "menu_add_prop(type, expr, dep)" leaks it.
207 menu_add_prop(type, expr, dep); 208 } 209 210 void menu_add_symbol(enum prop_type type, struct symbol *sym, struct expr *dep) 211 { 212 menu_add_prop(type, expr_alloc_symbol(sym), dep);
** CID 1458458: Null pointer dereferences (FORWARD_NULL) /util/kconfig/menu.c: 820 in get_symbol_str()
________________________________________________________________________________________________________ *** CID 1458458: Null pointer dereferences (FORWARD_NULL) /util/kconfig/menu.c: 820 in get_symbol_str() 814 str_append(r, "\n"); 815 } 816 } 817 } 818 819 /* Print the definitions with prompts before the ones without */
CID 1458458: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "sym".
820 for_all_properties(sym, prop, P_SYMBOL) { 821 if (prop->menu->prompt) { 822 get_def_str(r, prop->menu); 823 get_prompt_str(r, prop->menu->prompt, head); 824 } 825 }
** CID 1458457: Security best practices violations (SECURE_TEMP) /util/kconfig/confdata.c: 890 in conf_mktemp()
________________________________________________________________________________________________________ *** CID 1458457: Security best practices violations (SECURE_TEMP) /util/kconfig/confdata.c: 890 in conf_mktemp() 884 static int conf_mktemp(const char *path, char *tmpfile) 885 { 886 if (snprintf(tmpfile, PATH_MAX, "%s.tmp.XXXXXX", path) >= PATH_MAX) { 887 errno = EOVERFLOW; 888 return -1; 889 }
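CID 1458457: Security best practices violations (SECURE_TEMP) Calling "mkstemp" without securely setting umask first. [Triage note: POSIX.1-2008 requires mkstemp() to create the file with mode 0600, so the umask matters mainly on older C libraries. Confirm which libc versions the build hosts are expected to use before prioritising this.]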
890 return mkstemp(tmpfile); 891 } 892 893 int conf_write(const char *name) 894 { 895 FILE *out;
** CID 1425175: Resource leaks (RESOURCE_LEAK) /util/kconfig/confdata.c: 84 in is_same()
________________________________________________________________________________________________________ *** CID 1425175: Resource leaks (RESOURCE_LEAK) /util/kconfig/confdata.c: 84 in is_same() 78 ret = true; 79 close2: 80 close(fd2); 81 close1: 82 close(fd1); 83
CID 1425175: Resource leaks (RESOURCE_LEAK) Variable "map1" going out of scope leaks the storage it points to.
84 return ret; 85 } 86 87 /* 88 * Create the parent directory of the given path. 89 *
** CID 1425144: Null pointer dereferences (FORWARD_NULL) /util/kconfig/symbol.c: 1078 in sym_check_print_recursive()
________________________________________________________________________________________________________ *** CID 1425144: Null pointer dereferences (FORWARD_NULL) /util/kconfig/symbol.c: 1078 in sym_check_print_recursive() 1072 menu = prop->menu; 1073 if (prop->menu) 1074 break; 1075 } 1076 } 1077 if (stack->sym == last_sym)
CID 1425144: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "prop".
1078 fprintf(stderr, "%s:%d:error: recursive dependency detected!\n", 1079 prop->file->name, prop->lineno); 1080 1081 if (sym_is_choice(sym)) { 1082 fprintf(stderr, "%s:%d:\tchoice %s contains symbol %s\n", 1083 menu->file->name, menu->lineno,
** CID 1425116: (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1425116: (TAINTED_SCALAR) /util/kconfig/confdata.c: 1130 in conf_write_autoconf() 1124 if (!overwrite && is_present(autoconf_name)) 1125 return 0; 1126 1127 char autoconfcmd_path[PATH_MAX]; 1128 snprintf(autoconfcmd_path, sizeof(autoconfcmd_path), "%s%s", 1129 conf_get_autobase_name(), "auto.conf.cmd");
CID 1425116: (TAINTED_SCALAR) Passing tainted variable "autoconfcmd_path" to a tainted sink.
1130 conf_write_dep(autoconfcmd_path); 1131 1132 if (conf_touch_deps()) 1133 return 1; 1134 1135 if (make_parent_dir(autoconf_name)) /util/kconfig/confdata.c: 1148 in conf_write_autoconf() 1142 if (!out) 1143 return 1; 1144 1145 name = getenv("KCONFIG_AUTOHEADER"); 1146 if (!name) 1147 name = "include/generated/autoconf.h";
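CID 1425116: (TAINTED_SCALAR) Passing tainted variable "name" to a tainted sink. [Triage note: "name" is read from getenv("KCONFIG_AUTOHEADER") at line 1145 and reaches make_parent_dir() at line 1148 with no validation shown in the excerpt. How much this matters depends on who controls the environment the build tool runs in.]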
1148 if (make_parent_dir(name)) 1149 return 1; 1150 char filename_h[PATH_MAX]; 1151 int fd_h = conf_mktemp(name, filename_h); 1152 if (fd_h == -1) 1153 return 1; /util/kconfig/confdata.c: 1135 in conf_write_autoconf() 1129 conf_get_autobase_name(), "auto.conf.cmd"); 1130 conf_write_dep(autoconfcmd_path); 1131 1132 if (conf_touch_deps()) 1133 return 1; 1134
CID 1425116: (TAINTED_SCALAR) Passing tainted variable "autoconf_name" to a tainted sink.
1135 if (make_parent_dir(autoconf_name)) 1136 return 1; 1137 char filename[PATH_MAX]; 1138 int fd = conf_mktemp(autoconf_name, filename); 1139 if (fd == -1) 1140 return 1;
** CID 1425106: Resource leaks (RESOURCE_LEAK) /util/kconfig/confdata.c: 84 in is_same()
________________________________________________________________________________________________________ *** CID 1425106: Resource leaks (RESOURCE_LEAK) /util/kconfig/confdata.c: 84 in is_same() 78 ret = true; 79 close2: 80 close(fd2); 81 close1: 82 close(fd1); 83
CID 1425106: Resource leaks (RESOURCE_LEAK) Variable "map2" going out of scope leaks the storage it points to.
84 return ret; 85 } 86 87 /* 88 * Create the parent directory of the given path. 89 *
** CID 1425096: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1425096: Insecure data handling (TAINTED_SCALAR) /util/kconfig/confdata.c: 917 in conf_write() 911 912 if (is_dir(name)) { 913 fprintf(stderr, "%s: Is a directory\n", name); 914 return -1; 915 } 916
CID 1425096: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "name" to a tainted sink.
917 if (make_parent_dir(name)) 918 return -1; 919 920 env = getenv("KCONFIG_OVERWRITECONFIG"); 921 if (env && *env) { 922 *tmpname = 0;
** CID 1425085: Incorrect expression (COPY_PASTE_ERROR) /util/kconfig/expr.c: 537 in expr_join_and()
________________________________________________________________________________________________________ *** CID 1425085: Incorrect expression (COPY_PASTE_ERROR) /util/kconfig/expr.c: 537 in expr_join_and() 531 // (a) && (a!='n') -> (a) 532 return expr_alloc_symbol(sym1); 533 534 if ((e1->type == E_SYMBOL && e2->type == E_UNEQUAL && e2->right.sym == &symbol_mod) || 535 (e2->type == E_SYMBOL && e1->type == E_UNEQUAL && e1->right.sym == &symbol_mod)) 536 // (a) && (a!='m') -> (a='y')
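CID 1425085: Incorrect expression (COPY_PASTE_ERROR) "symbol_yes" in "&symbol_yes" looks like a copy-paste error. [Triage note: the comment on line 536 gives the intended result as (a='y'), which matches the &symbol_yes used on line 537. This looks like a false positive, but confirm against the surrounding cases.]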
537 return expr_alloc_comp(E_EQUAL, sym1, &symbol_yes); 538 539 if (sym1->type == S_TRISTATE) { 540 if (e1->type == E_EQUAL && e2->type == E_UNEQUAL) { 541 // (a='b') && (a!='c') -> 'b'='c' ? 'n' : a='b' 542 sym2 = e1->right.sym;
** CID 1425081: Control flow issues (MISSING_BREAK) /util/kconfig/expr.c: 1112 in expr_compare_type()
________________________________________________________________________________________________________ *** CID 1425081: Control flow issues (MISSING_BREAK) /util/kconfig/expr.c: 1112 in expr_compare_type() 1106 if (t1 == t2) 1107 return 0; 1108 switch (t1) { 1109 case E_LEQ: 1110 case E_LTH: 1111 case E_GEQ:
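CID 1425081: Control flow issues (MISSING_BREAK) The case for value "E_GTH" is not terminated by a 'break' statement. [Triage note: in the excerpt each case group ends in a conditional return and then runs into the next group, so the fallthrough may be deliberate. If it is, an explicit fallthrough comment on each group would document the intent and silence the checker.]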
1112 case E_GTH: 1113 if (t2 == E_EQUAL || t2 == E_UNEQUAL) 1114 return 1; 1115 case E_EQUAL: 1116 case E_UNEQUAL: 1117 if (t2 == E_NOT)
** CID 1425079: Control flow issues (UNREACHABLE) /util/kconfig/expr.c: 1134 in expr_compare_type()
________________________________________________________________________________________________________ *** CID 1425079: Control flow issues (UNREACHABLE) /util/kconfig/expr.c: 1134 in expr_compare_type() 1128 case E_LIST: 1129 if (t2 == 0) 1130 return 1; 1131 default: 1132 return -1; 1133 }
CID 1425079: Control flow issues (UNREACHABLE) This code cannot be reached: "printf("[%dgt%d?]", t1, t2);".
1134 printf("[%dgt%d?]", t1, t2); 1135 return 0; 1136 } 1137 1138 void expr_print(struct expr *e, 1139 void (*fn)(void *, struct symbol *, const char *),
** CID 1425063: Null pointer dereferences (REVERSE_INULL) /util/kconfig/confdata.c: 526 in conf_read_simple()
________________________________________________________________________________________________________ *** CID 1425063: Null pointer dereferences (REVERSE_INULL) /util/kconfig/confdata.c: 526 in conf_read_simple() 520 conf_warning("unexpected data: %.*s", 521 (int)strcspn(line, "\r\n"), line); 522 523 continue; 524 } 525
CID 1425063: Null pointer dereferences (REVERSE_INULL) Null-checking "sym" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
526 if (sym && sym_is_choice_value(sym)) { 527 struct symbol *cs = prop_get_symbol(sym_get_choice_prop(sym)); 528 switch (sym->def[def].tri) { 529 case no: 530 break; 531 case mod:
** CID 1425039: Error handling issues (CHECKED_RETURN) /util/kconfig/confdata.c: 1039 in conf_write_dep()
________________________________________________________________________________________________________ *** CID 1425039: Error handling issues (CHECKED_RETURN) /util/kconfig/confdata.c: 1039 in conf_write_dep() 1033 1034 env_write_dep(out, conf_get_autoconfig_name()); 1035 1036 fprintf(out, "\n$(deps_config): ;\n"); 1037 fclose(out); 1038
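CID 1425039: Error handling issues (CHECKED_RETURN) Calling "rename(filename, name)" without checking return value. This library function may fail and return an error code. [Triage note: conf_write_dep() returns 0 on line 1040 regardless, so a failed rename() would not be reported to the caller.]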
1039 rename(filename, name); 1040 return 0; 1041 } 1042 1043 static int conf_touch_deps(void) 1044 {
** CID 1425010: Security best practices violations (DC.WEAK_CRYPTO) /util/kconfig/conf.c: 251 in conf_set_all_new_symbols()
________________________________________________________________________________________________________ *** CID 1425010: Security best practices violations (DC.WEAK_CRYPTO) /util/kconfig/conf.c: 251 in conf_set_all_new_symbols() 245 break; 246 case def_no: 247 sym->def[S_DEF_USER].tri = no; 248 break; 249 case def_random: 250 sym->def[S_DEF_USER].tri = no;
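CID 1425010: Security best practices violations (DC.WEAK_CRYPTO) "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break. [Triage note: in the excerpt rand() only picks a tristate value in the def_random case. That appears to be random configuration generation rather than a security decision, so this is probably low priority; confirm no security-relevant value depends on it.]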
251 cnt = rand() % 100; 252 if (sym->type == S_TRISTATE) { 253 if (cnt < pty) 254 sym->def[S_DEF_USER].tri = yes; 255 else if (cnt < pty + ptm) 256 sym->def[S_DEF_USER].tri = mod;
** CID 1425007: (RESOURCE_LEAK) /util/kconfig/expr.c: 949 in expr_trans_compare() /util/kconfig/expr.c: 939 in expr_trans_compare()
________________________________________________________________________________________________________ *** CID 1425007: (RESOURCE_LEAK) /util/kconfig/expr.c: 949 in expr_trans_compare() 943 case E_OR: 944 e1 = expr_trans_compare(e->left.expr, E_EQUAL, sym); 945 e2 = expr_trans_compare(e->right.expr, E_EQUAL, sym); 946 if (sym == &symbol_yes) 947 e = expr_alloc_two(E_OR, e1, e2); 948 if (sym == &symbol_no)
CID 1425007: (RESOURCE_LEAK) Overwriting "e" in "e = expr_alloc_two(E_AND, e1, e2)" leaks the storage that "e" points to.
949 e = expr_alloc_two(E_AND, e1, e2); 950 if (type == E_UNEQUAL) 951 e = expr_alloc_one(E_NOT, e); 952 return e; 953 case E_NOT: 954 return expr_trans_compare(e->left.expr, type == E_EQUAL ? E_UNEQUAL : E_EQUAL, sym); /util/kconfig/expr.c: 939 in expr_trans_compare() 933 case E_AND: 934 e1 = expr_trans_compare(e->left.expr, E_EQUAL, sym); 935 e2 = expr_trans_compare(e->right.expr, E_EQUAL, sym); 936 if (sym == &symbol_yes) 937 e = expr_alloc_two(E_AND, e1, e2); 938 if (sym == &symbol_no)
CID 1425007: (RESOURCE_LEAK) Overwriting "e" in "e = expr_alloc_two(E_OR, e1, e2)" leaks the storage that "e" points to.
939 e = expr_alloc_two(E_OR, e1, e2); 940 if (type == E_UNEQUAL) 941 e = expr_alloc_one(E_NOT, e); 942 return e; 943 case E_OR: 944 e1 = expr_trans_compare(e->left.expr, E_EQUAL, sym);
** CID 1424942: (REVERSE_INULL) /payloads/coreinfo/build/util/kconfig/lexer.lex.c: 4017 in zconf_fopen() /payloads/coreinfo/libpayload/util/lp_kconfig/lexer.lex.c: 4017 in zconf_fopen() /payloads/libpayload/build/util/lp_kconfig/lexer.lex.c: 4017 in zconf_fopen() /cb-build/coreboot-coverity.0/default/sharedutils/kconfig/lexer.lex.c: 4017 in zconf_fopen() /build/util/kconfig/lexer.lex.c: 4017 in zconf_fopen() /cb-build/coreboot-coverity.0/chromeos/sharedutils/kconfig/lexer.lex.c: 4017 in zconf_fopen() /payloads/nvramcui/libpayload/util/lp_kconfig/lexer.lex.c: 4017 in zconf_fopen()
________________________________________________________________________________________________________ *** CID 1424942: (REVERSE_INULL) /payloads/coreinfo/build/util/kconfig/lexer.lex.c: 4017 in zconf_fopen() 4011 FILE *zconf_fopen(const char *name) 4012 { 4013 char *env, fullname[PATH_MAX+1]; 4014 FILE *f; 4015 4016 f = fopen(name, "r");
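CID 1424942: (REVERSE_INULL) Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check. [Triage note: "name" is passed to fopen() on line 4016 before the name != NULL test on line 4017. The same finding is repeated below for seven copies of lexer.lex.c, which appear to be generated lexer output, so a single fix in the lexer source should cover all of them.]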
4017 if (!f && name != NULL && name[0] != '/') { 4018 env = getenv(SRCTREE); 4019 if (env) { 4020 snprintf(fullname, sizeof(fullname), 4021 "%s/%s", env, name); 4022 f = fopen(fullname, "r"); /payloads/coreinfo/libpayload/util/lp_kconfig/lexer.lex.c: 4017 in zconf_fopen() 4011 FILE *zconf_fopen(const char *name) 4012 { 4013 char *env, fullname[PATH_MAX+1]; 4014 FILE *f; 4015 4016 f = fopen(name, "r");
CID 1424942: (REVERSE_INULL) Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4017 if (!f && name != NULL && name[0] != '/') { 4018 env = getenv(SRCTREE); 4019 if (env) { 4020 snprintf(fullname, sizeof(fullname), 4021 "%s/%s", env, name); 4022 f = fopen(fullname, "r"); /payloads/libpayload/build/util/lp_kconfig/lexer.lex.c: 4017 in zconf_fopen() 4011 FILE *zconf_fopen(const char *name) 4012 { 4013 char *env, fullname[PATH_MAX+1]; 4014 FILE *f; 4015 4016 f = fopen(name, "r");
CID 1424942: (REVERSE_INULL) Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4017 if (!f && name != NULL && name[0] != '/') { 4018 env = getenv(SRCTREE); 4019 if (env) { 4020 snprintf(fullname, sizeof(fullname), 4021 "%s/%s", env, name); 4022 f = fopen(fullname, "r"); /cb-build/coreboot-coverity.0/default/sharedutils/kconfig/lexer.lex.c: 4017 in zconf_fopen() 4011 FILE *zconf_fopen(const char *name) 4012 { 4013 char *env, fullname[PATH_MAX+1]; 4014 FILE *f; 4015 4016 f = fopen(name, "r");
CID 1424942: (REVERSE_INULL) Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4017 if (!f && name != NULL && name[0] != '/') { 4018 env = getenv(SRCTREE); 4019 if (env) { 4020 snprintf(fullname, sizeof(fullname), 4021 "%s/%s", env, name); 4022 f = fopen(fullname, "r"); /build/util/kconfig/lexer.lex.c: 4017 in zconf_fopen() 4011 FILE *zconf_fopen(const char *name) 4012 { 4013 char *env, fullname[PATH_MAX+1]; 4014 FILE *f; 4015 4016 f = fopen(name, "r");
CID 1424942: (REVERSE_INULL) Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4017 if (!f && name != NULL && name[0] != '/') { 4018 env = getenv(SRCTREE); 4019 if (env) { 4020 snprintf(fullname, sizeof(fullname), 4021 "%s/%s", env, name); 4022 f = fopen(fullname, "r"); /cb-build/coreboot-coverity.0/chromeos/sharedutils/kconfig/lexer.lex.c: 4017 in zconf_fopen() 4011 FILE *zconf_fopen(const char *name) 4012 { 4013 char *env, fullname[PATH_MAX+1]; 4014 FILE *f; 4015 4016 f = fopen(name, "r");
CID 1424942: (REVERSE_INULL) Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4017 if (!f && name != NULL && name[0] != '/') { 4018 env = getenv(SRCTREE); 4019 if (env) { 4020 snprintf(fullname, sizeof(fullname), 4021 "%s/%s", env, name); 4022 f = fopen(fullname, "r"); /payloads/nvramcui/libpayload/util/lp_kconfig/lexer.lex.c: 4017 in zconf_fopen() 4011 FILE *zconf_fopen(const char *name) 4012 { 4013 char *env, fullname[PATH_MAX+1]; 4014 FILE *f; 4015 4016 f = fopen(name, "r");
CID 1424942: (REVERSE_INULL) Null-checking "name" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4017 if (!f && name != NULL && name[0] != '/') { 4018 env = getenv(SRCTREE); 4019 if (env) { 4020 snprintf(fullname, sizeof(fullname), 4021 "%s/%s", env, name); 4022 f = fopen(fullname, "r");
** CID 1424938: Control flow issues (MISSING_BREAK) /util/kconfig/expr.c: 1125 in expr_compare_type()
________________________________________________________________________________________________________ *** CID 1424938: Control flow issues (MISSING_BREAK) /util/kconfig/expr.c: 1125 in expr_compare_type() 1119 case E_NOT: 1120 if (t2 == E_AND) 1121 return 1; 1122 case E_AND: 1123 if (t2 == E_OR) 1124 return 1;
CID 1424938: Control flow issues (MISSING_BREAK) The case for value "E_OR" is not terminated by a 'break' statement.
1125 case E_OR: 1126 if (t2 == E_LIST) 1127 return 1; 1128 case E_LIST: 1129 if (t2 == 0) 1130 return 1;