Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
246 new defect(s) introduced to coreboot found with Coverity Scan. 39 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan Showing 20 of 246 defect(s)
** CID 1357458: Insecure data handling (TAINTED_SCALAR) /payloads/libpayload/libcbfs/cbfs_core.c: 255 in cbfs_get_contents()
________________________________________________________________________________________________________ *** CID 1357458: Insecure data handling (TAINTED_SCALAR) /payloads/libpayload/libcbfs/cbfs_core.c: 255 in cbfs_get_contents() 249 250 void *data = m->map(m, handle->media_offset + handle->content_offset, 251 on_media_size); 252 if (data == CBFS_MEDIA_INVALID_MAP_ADDRESS) 253 return NULL; 254
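CID 1357458: Insecure data handling (TAINTED_SCALAR) Passing tainted variable "*size" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.] The excerpt does not show a check of "*size" against the "limit" parameter of cbfs_get_contents() before line 255; without such a bound, the tainted value alone sets the size of the allocation and the length passed to cbfs_decompress().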
255 ret = malloc(*size); 256 if (ret != NULL && !cbfs_decompress(algo, data, ret, *size)) { 257 free(ret); 258 ret = NULL; 259 } 260
** CID 1357457: Resource leaks (RESOURCE_LEAK) /src/arch/x86/acpi_device.c: 737 in acpi_dp_add_integer_array()
________________________________________________________________________________________________________ *** CID 1357457: Resource leaks (RESOURCE_LEAK) /src/arch/x86/acpi_device.c: 737 in acpi_dp_add_integer_array() 731 return NULL; 732 733 for (i = 0; i < len; i++) 734 if (!acpi_dp_add_integer(dp_array, NULL, array[i])) 735 break; 736
CID 1357457: Resource leaks (RESOURCE_LEAK) Ignoring storage allocated by "acpi_dp_add_array(dp, dp_array)" leaks it.
737 acpi_dp_add_array(dp, dp_array); 738 739 return dp_array; 740 } 741 742 struct acpi_dp *acpi_dp_add_gpio(struct acpi_dp *dp, const char *name,
** CID 1357456: Resource leaks (RESOURCE_LEAK) /src/arch/x86/acpi_device.c: 763 in acpi_dp_add_gpio()
________________________________________________________________________________________________________ *** CID 1357456: Resource leaks (RESOURCE_LEAK) /src/arch/x86/acpi_device.c: 763 in acpi_dp_add_gpio() 757 /* Pin in the GPIO resource, typically zero */ 758 acpi_dp_add_integer(gpio, NULL, pin); 759 760 /* Set if pin is active low */ 761 acpi_dp_add_integer(gpio, NULL, active_low); 762
CID 1357456: Resource leaks (RESOURCE_LEAK) Ignoring storage allocated by "acpi_dp_add_array(dp, gpio)" leaks it.
763 acpi_dp_add_array(dp, gpio); 764 765 return gpio;
** CID 1357455: (RESOURCE_LEAK) /payloads/libpayload/libcbfs/cbfs_core.c: 218 in cbfs_get_handle() /payloads/libpayload/libcbfs/cbfs_core.c: 151 in cbfs_get_handle() /payloads/libpayload/libcbfs/cbfs_core.c: 158 in cbfs_get_handle()
________________________________________________________________________________________________________ *** CID 1357455: (RESOURCE_LEAK) /payloads/libpayload/libcbfs/cbfs_core.c: 218 in cbfs_get_handle() 212 offset += ntohl(file.len) + ntohl(file.offset); 213 if (offset % CBFS_ALIGNMENT) 214 offset += CBFS_ALIGNMENT - (offset % CBFS_ALIGNMENT); 215 } 216 media->close(media); 217 LOG("WARNING: '%s' not found.\n", name);
CID 1357455: (RESOURCE_LEAK) Variable "handle" going out of scope leaks the storage it points to.
218 return NULL; 219 } 220 221 void *cbfs_get_contents(struct cbfs_handle *handle, size_t *size, size_t limit) 222 { 223 struct cbfs_media *m = &handle->media; /payloads/libpayload/libcbfs/cbfs_core.c: 151 in cbfs_get_handle() 145 146 if (!handle) 147 return NULL; 148 149 if (get_cbfs_range(&offset, &cbfs_end, media)) { 150 ERROR("Failed to find cbfs range\n");
CID 1357455: (RESOURCE_LEAK) Variable "handle" going out of scope leaks the storage it points to.
151 return NULL; 152 } 153 154 if (media == CBFS_DEFAULT_MEDIA) { 155 media = &handle->media; 156 if (init_default_cbfs_media(media) != 0) { /payloads/libpayload/libcbfs/cbfs_core.c: 158 in cbfs_get_handle() 152 } 153 154 if (media == CBFS_DEFAULT_MEDIA) { 155 media = &handle->media; 156 if (init_default_cbfs_media(media) != 0) { 157 ERROR("Failed to initialize default media.\n");
CID 1357455: (RESOURCE_LEAK) Returning without freeing "media" leaks the storage that it points to.
158 return NULL; 159 } 160 } else { 161 memcpy(&handle->media, media, sizeof(*media)); 162 } 163
** CID 1357454: Memory - illegal accesses (OVERRUN) /src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN()
________________________________________________________________________________________________________ *** CID 1357454: Memory - illegal accesses (OVERRUN) /src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN() 249 NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingLN; 250 NBPtr->AfterDqsTraining = MemNAfterDQSTrainingLN; 251 NBPtr->OtherTiming = MemNOtherTimingLN; 252 NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb; 253 NBPtr->TechBlockSwitch = MemNTechBlockSwitchLN; 254 NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
CID 1357454: Memory - illegal accesses (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
255 NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *))(memNTrainFlowControl[DDR3_TRAIN_FLOW]); 256 NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb; 257 NBPtr->ChangeNbFrequencyWrap = MemNChangeNbFrequencyWrapLN; 258 NBPtr->AllocateC6Storage = MemNAllocateC6StorageClientNb; 259 260 MemNInitNBDataNb (NBPtr);
** CID 1357453: Memory - illegal accesses (OVERRUN) /src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON()
________________________________________________________________________________________________________ *** CID 1357453: Memory - illegal accesses (OVERRUN) /src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON() 248 NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingON; 249 NBPtr->AfterDqsTraining = MemNAfterDQSTrainingON; 250 NBPtr->OtherTiming = MemNOtherTimingON; 251 NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb; 252 NBPtr->TechBlockSwitch = MemNTechBlockSwitchON; 253 NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
CID 1357453: Memory - illegal accesses (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
254 NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *)) memNTrainFlowControl[DDR3_TRAIN_FLOW]; 255 NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb; 256 NBPtr->PollBitField = MemNPollBitFieldNb; 257 NBPtr->BrdcstCheck = MemNBrdcstCheckON; 258 NBPtr->BrdcstSet = MemNSetBitFieldNb; 259 NBPtr->GetTrainDly = MemNGetTrainDlyNb;
** CID 1357452: (OVERRUN) /src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb() /src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb() /src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb() /src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb() /src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb()
________________________________________________________________________________________________________ *** CID 1357452: (OVERRUN) /src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb() 491 */ 492 BOOLEAN 493 MemNTrainingFlowUnb ( 494 IN OUT MEM_NB_BLOCK *NBPtr 495 ) 496 {
CID 1357452: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
497 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 498 return TRUE; 499 } 500 /*---------------------------------------------------------------------------- 501 * LOCAL FUNCTIONS 502 * /src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb() 496 */ 497 BOOLEAN 498 MemNTrainingFlowUnb ( 499 IN OUT MEM_NB_BLOCK *NBPtr 500 ) 501 {
CID 1357452: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
502 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 503 return TRUE; 504 } 505 /*---------------------------------------------------------------------------- 506 * LOCAL FUNCTIONS 507 * /src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb() 493 */ 494 BOOLEAN 495 MemNTrainingFlowUnb ( 496 IN OUT MEM_NB_BLOCK *NBPtr 497 ) 498 {
CID 1357452: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
499 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 500 return TRUE; 501 } 502 /*---------------------------------------------------------------------------- 503 * LOCAL FUNCTIONS 504 * /src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb() 573 */ 574 BOOLEAN 575 MemNTrainingFlowUnb ( 576 IN OUT MEM_NB_BLOCK *NBPtr 577 ) 578 {
CID 1357452: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
579 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 580 return TRUE; 581 } 582 583 /* -----------------------------------------------------------------------------*/ 584 /** /src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb() 489 */ 490 VOID 491 MemNTrainingFlowUnb ( 492 IN OUT MEM_NB_BLOCK *NBPtr 493 ) 494 {
CID 1357452: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
495 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 496 return; 497 } 498 /*---------------------------------------------------------------------------- 499 * LOCAL FUNCTIONS 500 * 501 *----------------------------------------------------------------------------
** CID 1357451: (OVERRUN) /src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb() /src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb() /src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb() /src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb()
________________________________________________________________________________________________________ *** CID 1357451: (OVERRUN) /src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb() 298 BOOLEAN 299 MemNTrainingFlowNb ( 300 IN OUT MEM_NB_BLOCK *NBPtr 301 ) 302 { 303 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
CID 1357451: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
304 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 305 } else { 306 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr); 307 } 308 return TRUE; 309 } /src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb() 303 BOOLEAN 304 MemNTrainingFlowNb ( 305 IN OUT MEM_NB_BLOCK *NBPtr 306 ) 307 { 308 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
CID 1357451: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
309 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 310 } else { 311 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr); 312 } 313 return TRUE; 314 } /src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb() 300 BOOLEAN 301 MemNTrainingFlowNb ( 302 IN OUT MEM_NB_BLOCK *NBPtr 303 ) 304 { 305 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
CID 1357451: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
306 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 307 } else { 308 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr); 309 } 310 return TRUE; 311 } /src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb() 296 BOOLEAN 297 MemNTrainingFlowNb ( 298 IN OUT MEM_NB_BLOCK *NBPtr 299 ) 300 { 301 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
CID 1357451: (OVERRUN) Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
302 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr); 303 } else { 304 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr); 305 } 306 return TRUE; 307 }
** CID 1357446: Control flow issues (DEADCODE) /src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed()
________________________________________________________________________________________________________ *** CID 1357446: Control flow issues (DEADCODE) /src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed() 368 } else { // DDR3 369 // Limit frequency for MCH 370 maxfreq = (s->max_ddr2_mhz == 800) ? MEM_CLOCK_800MHz : MEM_CLOCK_667MHz; 371 maxfreq >>= 3; 372 freq = MEM_CLOCK_1333MHz; 373 if (maxfreq) {
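CID 1357446: Control flow issues (DEADCODE) Execution cannot reach this statement: "freq = maxfreq + 2;". According to this finding, "maxfreq >>= 3" on line 371 yields 0 for both MEM_CLOCK_800MHz and MEM_CLOCK_667MHz, so the branch on line 373 is never taken, freq stays at MEM_CLOCK_1333MHz, and the frequency limit described in the comment on line 369 is never applied.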
374 freq = maxfreq + 2; 375 } 376 if (freq > MEM_CLOCK_1333MHz) { 377 freq = MEM_CLOCK_1333MHz; 378 } 379
** CID 1357443: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/apollolake/gpio.c: 378 in gpio_route_gpe()
________________________________________________________________________________________________________ *** CID 1357443: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/apollolake/gpio.c: 378 in gpio_route_gpe() 372 if(gpe0b == -1) 373 return; 374 gpe0c = pmc_gpe_route_to_gpio(gpe0c); 375 if(gpe0c == -1) 376 return; 377 gpe0d = pmc_gpe_route_to_gpio(gpe0d);
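CID 1357443: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "gpe0d == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if. The same finding is reported for gpe0b and gpe0c (CID 1357441, CID 1357442), so none of the three early returns can trigger and an error return of -1 from pmc_gpe_route_to_gpio() reaches the MISCCFG value computed on lines 381-383. This pattern typically means the variable's type cannot hold -1 after integer promotion; the declarations are not shown in the excerpt, so this needs to be confirmed there.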
378 if(gpe0d == -1) 379 return; 380 381 misccfg_value = gpe0b << MISCCFG_GPE0_DW0_SHIFT; 382 misccfg_value |= gpe0c << MISCCFG_GPE0_DW1_SHIFT; 383 misccfg_value |= gpe0d << MISCCFG_GPE0_DW2_SHIFT;
** CID 1357442: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/apollolake/gpio.c: 375 in gpio_route_gpe()
________________________________________________________________________________________________________ *** CID 1357442: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/apollolake/gpio.c: 375 in gpio_route_gpe() 369 * default. 370 */ 371 gpe0b = pmc_gpe_route_to_gpio(gpe0b); 372 if(gpe0b == -1) 373 return; 374 gpe0c = pmc_gpe_route_to_gpio(gpe0c);
CID 1357442: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "gpe0c == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
375 if(gpe0c == -1) 376 return; 377 gpe0d = pmc_gpe_route_to_gpio(gpe0d); 378 if(gpe0d == -1) 379 return; 380
** CID 1357441: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/apollolake/gpio.c: 372 in gpio_route_gpe()
________________________________________________________________________________________________________ *** CID 1357441: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/intel/apollolake/gpio.c: 372 in gpio_route_gpe() 366 * If any of these returns -1 then there is some error in devicetree 367 * where the group is probably hardcoded and does not comply with the 368 * PMC group defines. So we return from here and MISCFG is set to 369 * default. 370 */ 371 gpe0b = pmc_gpe_route_to_gpio(gpe0b);
CID 1357441: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "gpe0b == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
372 if(gpe0b == -1) 373 return; 374 gpe0c = pmc_gpe_route_to_gpio(gpe0c); 375 if(gpe0c == -1) 376 return; 377 gpe0d = pmc_gpe_route_to_gpio(gpe0d);
** CID 1357439: Incorrect expression (ASSERT_SIDE_EFFECT) /src/soc/intel/quark/i2c.c: 104 in platform_i2c_transfer()
________________________________________________________________________________________________________ *** CID 1357439: Incorrect expression (ASSERT_SIDE_EFFECT) /src/soc/intel/quark/i2c.c: 104 in platform_i2c_transfer() 98 buffer = NULL; 99 while (count-- > 0) { 100 buffer = segments->buf; 101 length = segments->len; 102 ASSERT (buffer != NULL); 103 ASSERT (length >= 1);
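CID 1357439: Incorrect expression (ASSERT_SIDE_EFFECT) Assignment "segments->chip = chip" has a side effect. This code will work differently in a non-debug build. The two preceding ASSERTs are comparisons, so "==" was probably intended here; as written, the statement overwrites segments->chip instead of checking it whenever ASSERT evaluates its argument.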
104 ASSERT (segments->chip = chip); 105 106 if (segments->read) { 107 /* Place read commands into the FIFO */ 108 read_length = length; 109 while (length > 0) {
** CID 1355168: (CONSTANT_EXPRESSION_RESULT) /src/soc/rockchip/rk3399/clock.c: 596 in rkclk_configure_spi() /src/soc/rockchip/rk3399/clock.c: 611 in rkclk_configure_spi() /src/soc/rockchip/rk3399/clock.c: 615 in rkclk_configure_spi()
________________________________________________________________________________________________________ *** CID 1355168: (CONSTANT_EXPRESSION_RESULT) /src/soc/rockchip/rk3399/clock.c: 596 in rkclk_configure_spi() 590 case 0: 591 write32(&cru_ptr->clksel_con[59], 592 SPI_CLK_REG_VALUE(0, src_clk_div)); 593 break; 594 case 1: 595 write32(&cru_ptr->clksel_con[59],
CID 1355168: (CONSTANT_EXPRESSION_RESULT) "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI1_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI1_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI1_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI1_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
596 SPI_CLK_REG_VALUE(1, src_clk_div)); 597 break; 598 case 2: 599 write32(&cru_ptr->clksel_con[60], 600 SPI_CLK_REG_VALUE(2, src_clk_div)); 601 break; /src/soc/rockchip/rk3399/clock.c: 611 in rkclk_configure_spi() 605 SPI3_DIV_CON_MASK << SPI3_DIV_CON_SHIFT, 606 SPI3_PLL_SEL_PPLL << SPI3_PLL_SEL_SHIFT | 607 (src_clk_div - 1) << SPI3_DIV_CON_SHIFT)); 608 break; 609 case 4: 610 write32(&cru_ptr->clksel_con[60],
CID 1355168: (CONSTANT_EXPRESSION_RESULT) "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI4_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI4_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI4_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI4_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
611 SPI_CLK_REG_VALUE(4, src_clk_div)); 612 break; 613 case 5: 614 write32(&cru_ptr->clksel_con[58], 615 SPI_CLK_REG_VALUE(5, src_clk_div)); 616 break; /src/soc/rockchip/rk3399/clock.c: 615 in rkclk_configure_spi() 609 case 4: 610 write32(&cru_ptr->clksel_con[60], 611 SPI_CLK_REG_VALUE(4, src_clk_div)); 612 break; 613 case 5: 614 write32(&cru_ptr->clksel_con[58],
CID 1355168: (CONSTANT_EXPRESSION_RESULT) "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI5_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI5_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI5_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI5_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
615 SPI_CLK_REG_VALUE(5, src_clk_div)); 616 break; 617 default: 618 printk(BIOS_ERR, "do not support this spi bus\n"); 619 } 620 }
** CID 1355167: (CONSTANT_EXPRESSION_RESULT) /src/soc/rockchip/rk3399/clock.c: 668 in rkclk_configure_i2c() /src/soc/rockchip/rk3399/clock.c: 672 in rkclk_configure_i2c() /src/soc/rockchip/rk3399/clock.c: 676 in rkclk_configure_i2c()
________________________________________________________________________________________________________ *** CID 1355167: (CONSTANT_EXPRESSION_RESULT) /src/soc/rockchip/rk3399/clock.c: 668 in rkclk_configure_i2c() 662 case 4: 663 write32(&pmucru_ptr->pmucru_clksel[3], 664 PMU_I2C_CLK_REG_VALUE(4, src_clk_div)); 665 break; 666 case 5: 667 write32(&cru_ptr->clksel_con[61],
CID 1355167: (CONSTANT_EXPRESSION_RESULT) "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C5_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C5_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C5_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C5_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
668 I2C_CLK_REG_VALUE(5, src_clk_div)); 669 break; 670 case 6: 671 write32(&cru_ptr->clksel_con[62], 672 I2C_CLK_REG_VALUE(6, src_clk_div)); 673 break; /src/soc/rockchip/rk3399/clock.c: 672 in rkclk_configure_i2c() 666 case 5: 667 write32(&cru_ptr->clksel_con[61], 668 I2C_CLK_REG_VALUE(5, src_clk_div)); 669 break; 670 case 6: 671 write32(&cru_ptr->clksel_con[62],
CID 1355167: (CONSTANT_EXPRESSION_RESULT) "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C6_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C6_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C6_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C6_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
672 I2C_CLK_REG_VALUE(6, src_clk_div)); 673 break; 674 case 7: 675 write32(&cru_ptr->clksel_con[63], 676 I2C_CLK_REG_VALUE(7, src_clk_div)); 677 break; /src/soc/rockchip/rk3399/clock.c: 676 in rkclk_configure_i2c() 670 case 6: 671 write32(&cru_ptr->clksel_con[62], 672 I2C_CLK_REG_VALUE(6, src_clk_div)); 673 break; 674 case 7: 675 write32(&cru_ptr->clksel_con[63],
CID 1355167: (CONSTANT_EXPRESSION_RESULT) "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C7_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C7_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C7_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C7_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
676 I2C_CLK_REG_VALUE(7, src_clk_div)); 677 break; 678 case 8: 679 write32(&pmucru_ptr->pmucru_clksel[2], 680 PMU_I2C_CLK_REG_VALUE(8, src_clk_div)); 681 break;
** CID 1355166: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/rockchip/rk3399/clock.c: 749 in rkclk_configure_saradc()
________________________________________________________________________________________________________ *** CID 1355166: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/rockchip/rk3399/clock.c: 749 in rkclk_configure_saradc() 743 744 /* saradc src clk from 24MHz */ 745 src_clk_div = 24 * MHz / hz; 746 assert((src_clk_div - 1 < 255) && (src_clk_div * hz == 24 * MHz)); 747 748 write32(&cru_ptr->clksel_con[26],
CID 1355166: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "((65280 /* CLK_SARADC_DIV_CON_MASK << CLK_SARADC_DIV_CON_SHIFT */) | (src_clk_div - 1 << CLK_SARADC_DIV_CON_SHIFT)) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
749 RK_CLRSETBITS(CLK_SARADC_DIV_CON_MASK << 750 CLK_SARADC_DIV_CON_SHIFT, 751 (src_clk_div - 1) << CLK_SARADC_DIV_CON_SHIFT)); 752 } 753 754 void rkclk_configure_vop_aclk(u32 vop_id, u32 aclk_hz)
** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON) /src/lib/selfboot.c: 249 in build_self_segment_list()
________________________________________________________________________________________________________ *** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON) /src/lib/selfboot.c: 249 in build_self_segment_list() 243 244 memset(head, 0, sizeof(*head)); 245 head->next = head->prev = head; 246 247 first_segment = &cbfs_payload->segments; 248
CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON) Using "current_segment" as an array. This might corrupt or misinterpret adjacent memory locations.
249 for (current_segment = first_segment;; ++current_segment) { 250 printk(BIOS_DEBUG, 251 "Loading segment from ROM address 0x%p\n", 252 current_segment); 253 254 cbfs_decode_payload_segment(&segment, current_segment);
** CID 1354849: Insecure data handling (INTEGER_OVERFLOW) /src/arch/x86/tables.c: 85 in write_mptable()
________________________________________________________________________________________________________ *** CID 1354849: Insecure data handling (INTEGER_OVERFLOW) /src/arch/x86/tables.c: 85 in write_mptable() 79 } 80 81 printk(BIOS_DEBUG, "MP table: %ld bytes.\n", 82 new_high_table_pointer - high_table_pointer); 83 } 84
CID 1354849: Insecure data handling (INTEGER_OVERFLOW) Overflowed or truncated value (or a value computed from an overflowed or truncated value) "rom_table_end" used as return value.
85 return rom_table_end; 86 } 87 88 static unsigned long write_acpi_table(unsigned long rom_table_end) 89 { 90 unsigned long high_table_pointer;
** CID 1354778: (UNINIT) /src/cpu/ti/am335x/uart.c: 190 in uart_fill_lb() /src/soc/imgtec/pistachio/uart.c: 150 in uart_fill_lb() /src/soc/samsung/exynos5250/uart.c: 191 in uart_fill_lb() /src/soc/broadcom/cygnus/ns16550.c: 118 in uart_fill_lb() /src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb() /src/soc/nvidia/tegra124/uart.c: 135 in uart_fill_lb() /src/soc/samsung/exynos5420/uart.c: 182 in uart_fill_lb() /src/soc/mediatek/mt8173/uart.c: 176 in uart_fill_lb() /src/soc/nvidia/tegra210/uart.c: 122 in uart_fill_lb() /src/soc/qualcomm/ipq40xx/uart.c: 296 in uart_fill_lb() /src/mainboard/emulation/qemu-riscv/uart.c: 48 in uart_fill_lb() /src/cpu/allwinner/a10/uart_console.c: 44 in uart_fill_lb()
________________________________________________________________________________________________________ *** CID 1354778: (UNINIT) /src/cpu/ti/am335x/uart.c: 190 in uart_fill_lb() 184 { 185 } 186 187 #ifndef __PRE_RAM__ 188 void uart_fill_lb(void *data) 189 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
190 struct lb_serial serial; 191 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 192 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE); 193 serial.baud = default_baudrate(); 194 serial.regwidth = 2; 195 lb_add_serial(&serial, data); 196 197 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 198 } /src/soc/imgtec/pistachio/uart.c: 150 in uart_fill_lb() 144 uart8250_mem_tx_flush(CONFIG_CONSOLE_SERIAL_UART_ADDRESS); 145 } 146 147 #ifndef __PRE_RAM__ 148 void uart_fill_lb(void *data) 149 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
150 struct lb_serial serial; 151 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 152 serial.baseaddr = CONFIG_CONSOLE_SERIAL_UART_ADDRESS; 153 serial.baud = default_baudrate(); 154 serial.regwidth = 1 << UART_SHIFT; 155 lb_add_serial(&serial, data); 156 157 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 158 } /src/soc/samsung/exynos5250/uart.c: 191 in uart_fill_lb() 185 exynos5_uart_tx_flush(uart); 186 } 187 188 #ifndef __PRE_RAM__ 189 void uart_fill_lb(void *data) 190 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
191 struct lb_serial serial; 192 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 193 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE); 194 serial.baud = default_baudrate(); 195 serial.regwidth = 4; 196 lb_add_serial(&serial, data); 197 198 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 199 } /src/soc/broadcom/cygnus/ns16550.c: 118 in uart_fill_lb() 112 return ns16550_rx_byte(); 113 } 114 115 #ifndef __PRE_RAM__ 116 void uart_fill_lb(void *data) 117 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
118 struct lb_serial serial; 119 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 120 serial.baseaddr = (uintptr_t)regs; 121 serial.baud = default_baudrate(); 122 serial.regwidth = 4; 123 lb_add_serial(&serial, data); 124 125 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 126 } /src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb() 98 uart8250_tx_flush(uart_platform_base(idx)); 99 } 100 101 #if ENV_RAMSTAGE 102 void uart_fill_lb(void *data) 103 {
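CID 1354778: (UNINIT) Declaring variable "serial" without initializer. In this instance the excerpt sets type, baseaddr and baud but not regwidth before the struct is passed to lb_add_serial(), unlike the other uart_fill_lb() instances listed; zero-initializing the struct at its declaration would cover any member left unassigned.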
104 struct lb_serial serial; 105 serial.type = LB_SERIAL_TYPE_IO_MAPPED; 106 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE); 107 serial.baud = default_baudrate(); 108 lb_add_serial(&serial, data); 109 110 lb_add_console(LB_TAG_CONSOLE_SERIAL8250, data); 111 } /src/soc/nvidia/tegra124/uart.c: 135 in uart_fill_lb() 129 tegra124_uart_tx_flush(uart_ptr); 130 } 131 132 #ifndef __PRE_RAM__ 133 void uart_fill_lb(void *data) 134 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
135 struct lb_serial serial; 136 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 137 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE); 138 serial.baud = default_baudrate(); 139 serial.regwidth = 4; 140 lb_add_serial(&serial, data); 141 142 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 143 } /src/soc/samsung/exynos5420/uart.c: 182 in uart_fill_lb() 176 /* Exynos5250 implements this too. */ 177 } 178 179 #ifndef __PRE_RAM__ 180 void uart_fill_lb(void *data) 181 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
182 struct lb_serial serial; 183 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 184 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE); 185 serial.baud = default_baudrate(); 186 serial.regwidth = 4; 187 lb_add_serial(&serial, data); 188 189 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 190 } /src/soc/mediatek/mt8173/uart.c: 176 in uart_fill_lb() 170 mtk_uart_tx_flush(); 171 } 172 173 #ifndef __PRE_RAM__ 174 void uart_fill_lb(void *data) 175 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
176 struct lb_serial serial; 177 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 178 serial.baseaddr = UART0_BASE; 179 serial.baud = default_baudrate(); 180 serial.regwidth = 4; 181 lb_add_serial(&serial, data); 182 183 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 184 } /src/soc/nvidia/tegra210/uart.c: 122 in uart_fill_lb() 116 return tegra210_uart_rx_byte(); 117 } 118 119 #ifndef __PRE_RAM__ 120 void uart_fill_lb(void *data) 121 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
122 struct lb_serial serial; 123 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 124 serial.baseaddr = CONFIG_CONSOLE_SERIAL_TEGRA210_UART_ADDRESS; 125 serial.baud = default_baudrate(); 126 serial.regwidth = 4; 127 lb_add_serial(&serial, data); 128 129 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 130 } /src/soc/qualcomm/ipq40xx/uart.c: 296 in uart_fill_lb() 290 #endif 291 292 #ifndef __PRE_RAM__ 293 /* TODO: Implement function */ 294 void uart_fill_lb(void *data) 295 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
296 struct lb_serial serial; 297 298 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 299 serial.baseaddr = (uint32_t)UART1_DM_BASE; 300 serial.baud = default_baudrate(); 301 serial.regwidth = 1; /src/mainboard/emulation/qemu-riscv/uart.c: 48 in uart_fill_lb() 42 { 43 } 44 45 #ifndef __PRE_RAM__ 46 void uart_fill_lb(void *data) 47 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
48 struct lb_serial serial; 49 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 50 serial.baseaddr = 0x3f8; 51 serial.baud = 115200; 52 serial.regwidth = 1; 53 lb_add_serial(&serial, data); 54 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 55 } /src/cpu/allwinner/a10/uart_console.c: 44 in uart_fill_lb() 38 return 24000000; 39 } 40 41 #ifndef __PRE_RAM__ 42 void uart_fill_lb(void *data) 43 {
CID 1354778: (UNINIT) Declaring variable "serial" without initializer.
44 struct lb_serial serial; 45 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED; 46 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE); 47 serial.baud = default_baudrate(); 48 serial.regwidth = 1; 49 lb_add_serial(&serial, data); 50 51 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data); 52 }
** CID 1354615: Memory - illegal accesses (OVERRUN) /src/cpu/ti/am335x/gpio.c: 30 in gpio_regs_and_bit()
________________________________________________________________________________________________________ *** CID 1354615: Memory - illegal accesses (OVERRUN) /src/cpu/ti/am335x/gpio.c: 30 in gpio_regs_and_bit() 24 25 if (bank > ARRAY_SIZE(am335x_gpio_banks)) { 26 printk(BIOS_ERR, "Bad gpio index %d.\n", gpio); 27 return NULL; 28 } 29 *bit = 1 << (gpio % 32);
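CID 1354615: Memory - illegal accesses (OVERRUN) Overrunning array "am335x_gpio_banks" of 4 4-byte elements at element index 4 (byte offset 16) using index "bank" (which evaluates to 4). The bounds check on line 25 compares with ">" rather than ">=", so bank == ARRAY_SIZE(am335x_gpio_banks) passes the check and is then used as the index on line 30.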
30 return am335x_gpio_banks[bank]; 31 } 32 33 void am335x_disable_gpio_irqs(void) 34 { 35 int i;