Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
29 new defect(s) introduced to coreboot found with Coverity Scan. 28 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) reported by Coverity Scan (showing 20 of 29 defect(s))
** CID 1385126: (UNUSED_VALUE) /src/mainboard/asus/am1i-a/romstage.c: 148 in board_BeforeAgesa() /src/mainboard/asus/am1i-a/romstage.c: 154 in board_BeforeAgesa()
________________________________________________________________________________________________________ *** CID 1385126: (UNUSED_VALUE) /src/mainboard/asus/am1i-a/romstage.c: 148 in board_BeforeAgesa() 142 /* Enable the AcpiMmio space */ 143 outb(0x24, 0xcd6); 144 outb(0x1, 0xcd7); 145 146 /* Configure ClkDrvStr1 settings */ 147 addr32 = (u32 *)0xfed80e24;
CID 1385126: (UNUSED_VALUE) Assigning value from "*addr32" to "t32" here, but that stored value is overwritten before it can be used.
148 t32 = *addr32; 149 t32 = 0x030800aa; 150 *addr32 = t32; 151 152 /* Configure MiscClkCntl1 settings */ 153 addr32 = (u32 *)0xfed80e40; /src/mainboard/asus/am1i-a/romstage.c: 154 in board_BeforeAgesa() 148 t32 = *addr32; 149 t32 = 0x030800aa; 150 *addr32 = t32; 151 152 /* Configure MiscClkCntl1 settings */ 153 addr32 = (u32 *)0xfed80e40;
CID 1385126: (UNUSED_VALUE) Assigning value from "*addr32" to "t32" here, but that stored value is overwritten before it can be used.
154 t32 = *addr32; 155 t32 = 0x000c4050; 156 *addr32 = t32; 157 158 /* enable SIO LPC decode */ 159 dev = PCI_DEV(0, 0x14, 3);
** CID 1383919: Resource leaks (RESOURCE_LEAK) /util/cbfstool/partitioned_file.c: 201 in partitioned_file_reopen()
________________________________________________________________________________________________________ *** CID 1383919: Resource leaks (RESOURCE_LEAK) /util/cbfstool/partitioned_file.c: 201 in partitioned_file_reopen() 195 } 196 197 const struct fmap_area *fmap_fmap_entry = 198 fmap_find_area(file->fmap, SECTION_NAME_FMAP); 199 200 if (!fmap_fmap_entry)
CID 1383919: Resource leaks (RESOURCE_LEAK) Variable "file" going out of scope leaks the storage it points to. The early return on line 201 skips the partitioned_file_close(file) call that the later error path (line 206) performs.
201 return NULL; 202 203 if ((long)fmap_fmap_entry->offset != fmap_region_offset) { 204 ERROR("FMAP's '%s' section doesn't point back to FMAP start (did something corrupt this file?)\n", 205 SECTION_NAME_FMAP); 206 partitioned_file_close(file);
** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 839 in parse_subpart_dir()
________________________________________________________________________________________________________ *** CID 1361275: (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 832 in parse_subpart_dir() 826 memcpy(hdr.name, data + offset, sizeof(hdr.name)); 827 offset += sizeof(hdr.name); 828 829 validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name); 830 831 assert(size > subpart_dir_size(&hdr));
CID 1361275: (TAINTED_SCALAR) Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
832 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir"); 833 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 834 835 /* Read Subpart Dir entries. */ 836 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 837 struct subpart_dir_entry *e = &subpart_dir->e[0]; /util/cbfstool/ifwitool.c: 839 in parse_subpart_dir() 833 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE); 834 835 /* Read Subpart Dir entries. */ 836 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf); 837 struct subpart_dir_entry *e = &subpart_dir->e[0]; 838 uint32_t i;
CID 1361275: (TAINTED_SCALAR) Using tainted variable "hdr.num_entries" as a loop boundary.
839 for (i = 0; i < hdr.num_entries; i++) { 840 memcpy(e[i].name, data + offset, sizeof(e[i].name)); 841 offset += sizeof(e[i].name); 842 offset = read_member(data, offset, sizeof(e[i].offset), 843 &e[i].offset); 844 offset = read_member(data, offset, sizeof(e[i].length),
** CID 1361274: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________ *** CID 1361274: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/ifwitool.c: 718 in alloc_bpdt_buffer() 712 { 713 struct bpdt_header bpdt_header; 714 assert((offset + BPDT_HEADER_SIZE) < size); 715 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name); 716 717 /* Buffer to read BPDT header and entries. */
CID 1361274: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
718 alloc_buffer(b, get_bpdt_size(&bpdt_header), name); 719 720 struct bpdt *bpdt = buffer_get(b); 721 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE); 722 723 /*
** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1301 in init_subpart_dir_entry()
________________________________________________________________________________________________________ *** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) /util/cbfstool/ifwitool.c: 1301 in init_subpart_dir_entry() 1295 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e, 1296 struct buffer *b, size_t offset) 1297 { 1298 memset(e, 0, sizeof(*e)); 1299 1300 assert(strlen(b->name) <= sizeof(e->name));
CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING) Calling strncpy with a maximum size argument of 12 bytes on destination array "e->name" of size 12 bytes might leave the destination string unterminated. The assert on line 1300 allows strlen(b->name) == sizeof(e->name), which is exactly the length at which strncpy writes no terminating NUL.
1301 strncpy((char *)e->name, (char *)b->name, sizeof(e->name)); 1302 e->offset = offset; 1303 e->length = buffer_size(b); 1304 1305 return (offset + buffer_size(b)); 1306 }
** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 352 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353028: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 352 in integrate_psp_firmwares() 346 pspdir[4+4*i+2] = 1; 347 pspdir[4+4*i+3] = 0; 348 } else if (fw_table[i].filename != NULL) { 349 pspdir[4+4*i+0] = fw_table[i].type; 350 351 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353028: Error handling issues (NEGATIVE_RETURNS) "fd" is passed to a parameter that cannot be negative: open() on line 351 can return -1, and that value reaches fstat() on line 352 without being checked. [Note: The source code implementation of the function has been overridden by a builtin model.]
352 fstat(fd, &fd_stat); 353 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size; 354 355 pspdir[4+4*i+2] = pos + rom_base_address; 356 pspdir[4+4*i+3] = 0; 357
** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 295 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353027: Error handling issues (NEGATIVE_RETURNS) /util/amdfwtool/amdfwtool.c: 295 in integrate_firmwares() 289 int i; 290 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1; 291 292 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) { 293 if (fw_table[i].filename != NULL) { 294 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353027: Error handling issues (NEGATIVE_RETURNS) "fd" is passed to a parameter that cannot be negative: open() on line 294 can return -1, and that value reaches fstat() on line 295 without being checked. [Note: The source code implementation of the function has been overridden by a builtin model.]
295 fstat(fd, &fd_stat); 296 297 switch (fw_table[i].type) { 298 case AMD_FW_IMC: 299 pos = ALIGN(pos, 0x10000U); 300 romsig[1] = pos + rom_base_address;
** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 366 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353021: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 366 in integrate_psp_firmwares() 360 " will not fit %s. Exiting.\n", 361 rom_size, fw_table[i].filename); 362 free(base); 363 exit(1); 364 } 365
CID 1353021: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored. A short or failed read leaves part of the region at base + pos unfilled, while pos (line 368) still advances by the full st_size.
366 read(fd, (void *)(base + pos), (size_t)fd_stat.st_size); 367 368 pos += fd_stat.st_size; 369 close(fd); 370 pos = ALIGN(pos, 0x100U); 371 } else {
** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 352 in integrate_psp_firmwares()
________________________________________________________________________________________________________ *** CID 1353020: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 352 in integrate_psp_firmwares() 346 pspdir[4+4*i+2] = 1; 347 pspdir[4+4*i+3] = 0; 348 } else if (fw_table[i].filename != NULL) { 349 pspdir[4+4*i+0] = fw_table[i].type; 350 351 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353020: Error handling issues (CHECKED_RETURN) Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code, in which case fd_stat.st_size is used on line 353 without having been set by this call. [Note: The source code implementation of the function has been overridden by a builtin model.]
352 fstat(fd, &fd_stat); 353 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size; 354 355 pspdir[4+4*i+2] = pos + rom_base_address; 356 pspdir[4+4*i+3] = 0; 357
** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 321 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353019: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 321 in integrate_firmwares() 315 " will not fit %s. Exiting.\n", 316 rom_size, fw_table[i].filename); 317 free(base); 318 exit(1); 319 } 320
CID 1353019: Error handling issues (CHECKED_RETURN) "read(int, void *, size_t)" returns the number of bytes read, but it is ignored. A short or failed read leaves part of the region at base + pos unfilled, while pos (line 323) still advances by the full st_size.
321 read(fd, (void *)(base + pos), (size_t)fd_stat.st_size); 322 323 pos += fd_stat.st_size; 324 close(fd); 325 pos = ALIGN(pos, 0x100U); 326 }
** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 295 in integrate_firmwares()
________________________________________________________________________________________________________ *** CID 1353018: Error handling issues (CHECKED_RETURN) /util/amdfwtool/amdfwtool.c: 295 in integrate_firmwares() 289 int i; 290 uint32_t rom_base_address = 0xFFFFFFFF - rom_size + 1; 291 292 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i++) { 293 if (fw_table[i].filename != NULL) { 294 fd = open(fw_table[i].filename, O_RDONLY);
CID 1353018: Error handling issues (CHECKED_RETURN) Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code, in which case fd_stat.st_size is used in the switch that follows without having been set by this call. [Note: The source code implementation of the function has been overridden by a builtin model.]
295 fstat(fd, &fd_stat); 296 297 switch (fw_table[i].type) { 298 case AMD_FW_IMC: 299 pos = ALIGN(pos, 0x10000U); 300 romsig[1] = pos + rom_base_address;
** CID 1347335: (UNINIT) /util/cbfstool/elfheaders.c: 1000 in write_phdrs() /util/cbfstool/elfheaders.c: 1002 in write_phdrs() /util/cbfstool/elfheaders.c: 1003 in write_phdrs() /util/cbfstool/elfheaders.c: 1004 in write_phdrs()
________________________________________________________________________________________________________ *** CID 1347335: (UNINIT) /util/cbfstool/elfheaders.c: 1000 in write_phdrs() 994 } else { 995 /* Accumulate file size and memsize. The assumption 996 * is that each section is either NOBITS or full 997 * (sh_size == file size). This is standard in that 998 * an ELF section doesn't have a file size component. */ 999 if (sec->shdr.sh_flags & SHF_EXECINSTR)
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_flags".
1000 phdr.p_flags |= PF_X | PF_R; 1001 if (sec->shdr.sh_flags & SHF_WRITE) 1002 phdr.p_flags |= PF_W; 1003 phdr.p_filesz += buffer_size(&sec->content); 1004 phdr.p_memsz += sec->shdr.sh_size; 1005 } /util/cbfstool/elfheaders.c: 1002 in write_phdrs() 996 * is that each section is either NOBITS or full 997 * (sh_size == file size). This is standard in that 998 * an ELF section doesn't have a file size component. */ 999 if (sec->shdr.sh_flags & SHF_EXECINSTR) 1000 phdr.p_flags |= PF_X | PF_R; 1001 if (sec->shdr.sh_flags & SHF_WRITE)
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_flags".
1002 phdr.p_flags |= PF_W; 1003 phdr.p_filesz += buffer_size(&sec->content); 1004 phdr.p_memsz += sec->shdr.sh_size; 1005 } 1006 } 1007 /util/cbfstool/elfheaders.c: 1003 in write_phdrs() 997 * (sh_size == file size). This is standard in that 998 * an ELF section doesn't have a file size component. */ 999 if (sec->shdr.sh_flags & SHF_EXECINSTR) 1000 phdr.p_flags |= PF_X | PF_R; 1001 if (sec->shdr.sh_flags & SHF_WRITE) 1002 phdr.p_flags |= PF_W;
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_filesz".
1003 phdr.p_filesz += buffer_size(&sec->content); 1004 phdr.p_memsz += sec->shdr.sh_size; 1005 } 1006 } 1007 1008 /* Write out the last phdr. */ /util/cbfstool/elfheaders.c: 1004 in write_phdrs() 998 * an ELF section doesn't have a file size component. */ 999 if (sec->shdr.sh_flags & SHF_EXECINSTR) 1000 phdr.p_flags |= PF_X | PF_R; 1001 if (sec->shdr.sh_flags & SHF_WRITE) 1002 phdr.p_flags |= PF_W; 1003 phdr.p_filesz += buffer_size(&sec->content);
CID 1347335: (UNINIT) Using uninitialized value "phdr.p_memsz".
1004 phdr.p_memsz += sec->shdr.sh_size; 1005 } 1006 } 1007 1008 /* Write out the last phdr. */ 1009 if (num_needs_write != num_written) {
** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 485 in fmap_append_area_test()
________________________________________________________________________________________________________ *** CID 1302457: Control flow issues (MISSING_RESTORE) /util/cbfstool/flashmap/fmap.c: 485 in fmap_append_area_test() 479 if ((*fmap)->nareas != 1) { 480 printf("FAILURE: failed to increment number of areas\n"); 481 goto fmap_append_area_test_exit; 482 } 483 484 status = pass;
CID 1302457: Control flow issues (MISSING_RESTORE) Jumped to here, skipping restore.
485 fmap_append_area_test_exit: 486 return status; 487 } 488 489 static int fmap_find_area_test(struct fmap *fmap) 490 {
** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
________________________________________________________________________________________________________ *** CID 1302456: Error handling issues (NEGATIVE_RETURNS) /util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test() 595 printf("FAILURE: bsearch returned false positive\n"); 596 goto fmap_find_test_exit; 597 } 598 599 /* simple test case: fmap at (total_size / 2) + 1 */ 600 offset = (total_size / 2) + 1;
CID 1302456: Error handling issues (NEGATIVE_RETURNS) "fmap_size(fmap)" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
601 memcpy(&buf[offset], fmap, fmap_size(fmap)); 602 603 if ((unsigned)fmap_find(buf, total_size - 1) != offset) { 604 printf("FAILURE: lsearch failed to find fmap\n"); 605 goto fmap_find_test_exit; 606 }
** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________ *** CID 1302453: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test() 557 } 558 free(my_str); 559 free(str); 560 561 status = pass; 562 fmap_flags_to_string_test_exit:
CID 1302453: Resource leaks (RESOURCE_LEAK) Variable "my_str" going out of scope leaks the storage it points to. The free() calls on lines 558–559 sit on the success path only; any goto to fmap_flags_to_string_test_exit (line 562) presumably bypasses them.
563 return status; 564 565 } 566 567 static int fmap_find_test(struct fmap *fmap) 568 {
** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test() /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________ *** CID 1302452: (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test() 557 } 558 free(my_str); 559 free(str); 560 561 status = pass; 562 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to.
563 return status; 564 565 } 566 567 static int fmap_find_test(struct fmap *fmap) 568 { /util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test() 557 } 558 free(my_str); 559 free(str); 560 561 status = pass; 562 fmap_flags_to_string_test_exit:
CID 1302452: (RESOURCE_LEAK) Variable "str" going out of scope leaks the storage it points to.
563 return status; 564 565 } 566 567 static int fmap_find_test(struct fmap *fmap) 568 {
** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 240 in fmap_print()
________________________________________________________________________________________________________ *** CID 1302451: Resource leaks (RESOURCE_LEAK) /util/cbfstool/flashmap/fmap.c: 240 in fmap_print() 234 kv_pair_fmt(pair, "area_flags_raw", "0x%02x", 235 fmap->areas[i].flags); 236 237 /* Print descriptive strings for flags rather than the field */ 238 flags = fmap->areas[i].flags; 239 if ((str = fmap_flags_to_string(flags)) == NULL)
CID 1302451: Resource leaks (RESOURCE_LEAK) Variable "pair" going out of scope leaks the storage it points to. The return -1 on line 240 skips the kv_pair_free(pair) call on line 245.
240 return -1; 241 kv_pair_fmt(pair, "area_flags", "%s", str); 242 free(str); 243 244 kv_pair_print(pair); 245 kv_pair_free(pair);
** CID 1241818: Memory - illegal accesses (OVERRUN) /src/vendorcode/amd/cimx/rd890/nbPcieLib.c: 1359 in PcieLibGetPortInfo()
________________________________________________________________________________________________________ *** CID 1241818: Memory - illegal accesses (OVERRUN) /src/vendorcode/amd/cimx/rd890/nbPcieLib.c: 1359 in PcieLibGetPortInfo() 1353 case GPP3a_CORE: 1354 pGppCfgInfoTable = (GPP_CFG_INFO*)FIX_PTR_ADDR (&GppCfgInfoTable[CoreConfig - 1], NULL); 1355 NativePortId = PcieLibNativePortId (PortId, pConfig); 1356 if (NativePortId == 0xf) { 1357 return NULL; 1358 }
CID 1241818: Memory - illegal accesses (OVERRUN) Overrunning array of 6 8-byte elements at element index 4294967295 (byte offset 34359738360) by dereferencing pointer "pGppCfgInfoTable". The only guard (line 1356) rejects NativePortId == 0xf, so any value below 4 makes the index NativePortId - 4 on line 1359 wrap around.
1359 pPortInfo = &pGppCfgInfoTable->PortInfoPtr[NativePortId - 4]; 1360 break; 1361 default: 1362 return NULL; 1363 } 1364 return (PORT_INFO*)FIX_PTR_ADDR (pPortInfo, NULL);
** CID 1241790: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip()
________________________________________________________________________________________________________ *** CID 1241790: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip() 647 static void Bt2_MatchFinder_Skip(struct CMatchFinder *p, uint32_t num) 648 { 649 do 650 { 651 SKIP_HEADER(2) 652 HASH2_CALC;
CID 1241790: Insecure data handling (TAINTED_SCALAR) Using tainted variable "hashValue" as an index to pointer "p->hash".
653 curMatch = p->hash[hashValue]; 654 p->hash[hashValue] = p->pos; 655 SKIP_FOOTER 656 } 657 while (--num != 0); 658 }
** CID 1241788: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches()
________________________________________________________________________________________________________ *** CID 1241788: Insecure data handling (TAINTED_SCALAR) /util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches() 483 484 static uint32_t Bt2_MatchFinder_GetMatches(struct CMatchFinder *p, uint32_t *distances) 485 { 486 uint32_t offset; 487 GET_MATCHES_HEADER(2) 488 HASH2_CALC;
CID 1241788: Insecure data handling (TAINTED_SCALAR) Using tainted variable "hashValue" as an index to pointer "p->hash".
489 curMatch = p->hash[hashValue]; 490 p->hash[hashValue] = p->pos; 491 offset = 0; 492 GET_MATCHES_FOOTER(offset, 1) 493 } 494
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05...