Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
113 new defect(s) introduced to coreboot were found with Coverity Scan. 1 defect(s) reported earlier by Coverity Scan was marked fixed in the most recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan. Showing 20 of 113 defect(s).
** CID 1432759: Performance inefficiencies (PASS_BY_VALUE) /src/soc/intel/xeon_sp/cpx/acpi.c: 608 in acpi_create_dmar_ds_pci_br_for_port()
________________________________________________________________________________________________________ *** CID 1432759: Performance inefficiencies (PASS_BY_VALUE) /src/soc/intel/xeon_sp/cpx/acpi.c: 608 in acpi_create_dmar_ds_pci_br_for_port() 602 603 /* 604 * This function adds PCIe bridge device entry in DMAR table. If it is called 605 * in the context of ATSR subtable, it adds ATSR subtable when it is first called. 606 */ 607 static unsigned long acpi_create_dmar_ds_pci_br_for_port(unsigned long current,
CID 1432759: Performance inefficiencies (PASS_BY_VALUE) Passing parameter iio_resource of type "IIO_RESOURCE_INSTANCE" (size 623 bytes) by value.
608 int port, int stack, IIO_RESOURCE_INSTANCE iio_resource, uint32_t pcie_seg, 609 bool is_atsr, bool *first) 610 { 611 612 if (get_stack_for_port(port) != stack) 613 return 0;
** CID 1431154: Control flow issues (DEADCODE) /src/ec/kontron/kempld/kempld_i2c.c: 254 in kempld_i2c_device_init()
________________________________________________________________________________________________________ *** CID 1431154: Control flow issues (DEADCODE) /src/ec/kontron/kempld/kempld_i2c.c: 254 in kempld_i2c_device_init() 248 if (spec_major == 1) 249 prescale = KEMPLD_CLK / (KEMPLD_I2C_FREQ_STD * 5) - 1000; 250 else 251 prescale = KEMPLD_CLK / (KEMPLD_I2C_FREQ_STD * 4) - 3000; 252 253 if (prescale < 0)
CID 1431154: Control flow issues (DEADCODE) Execution cannot reach this statement: "prescale = 0L;".
254 prescale = 0; 255 256 /* Round to the best matching value */ 257 prescale_corr = prescale / 1000; 258 if (prescale % 1000 >= 500) 259 prescale_corr++;
** CID 1431127: Memory - corruptions (ARRAY_VS_SINGLETON) /src/lib/gcov-glue.c: 128 in coverage_init()
________________________________________________________________________________________________________ *** CID 1431127: Memory - corruptions (ARRAY_VS_SINGLETON) /src/lib/gcov-glue.c: 128 in coverage_init() 122 extern long __CTOR_LIST__; 123 typedef void (*func_ptr)(void); 124 func_ptr *ctor = (func_ptr *) &__CTOR_LIST__; 125 if (ctor == NULL) 126 return; 127
CID 1431127: Memory - corruptions (ARRAY_VS_SINGLETON) Using "ctor" as an array. This might corrupt or misinterpret adjacent memory locations.
128 for (; *ctor != (func_ptr) 0; ctor++) 129 (*ctor)(); 130 } 131 132 void __gcov_flush(void); 133 static void coverage_exit(void *unused)
** CID 1431126: (DEADCODE) /src/lib/libgcov.c: 425 in gcov_exit() /src/lib/libgcov.c: 391 in gcov_exit()
________________________________________________________________________________________________________ *** CID 1431126: (DEADCODE) /src/lib/libgcov.c: 425 in gcov_exit() 419 fname += 2; 420 421 /* Build relocated filename, stripping off leading 422 * directories from the initial filename if requested. 423 */ 424 if (gcov_prefix_strip > 0) {
CID 1431126: (DEADCODE) Execution cannot reach this statement: "level = 0;".
425 int level = 0; 426 427 s = fname; 428 if (IS_DIR_SEPARATOR(*s)) 429 ++s; 430 /src/lib/libgcov.c: 391 in gcov_exit() 385 } else 386 #endif 387 prefix_length = 0; 388 389 /* If no prefix was specified and a prefix strip, then we assume 390 relative. */
CID 1431126: (DEADCODE) Execution cannot reach the expression "prefix_length == 0UL" inside this statement: "if (gcov_prefix_strip != 0 ...".
391 if (gcov_prefix_strip != 0 && prefix_length == 0) { 392 gcov_prefix = "."; 393 prefix_length = 1; 394 } 395 /* Allocate and initialize the filename scratch space plus one. */ 396 gi_filename = (char *) alloca(prefix_length + gcov_max_filename + 2);
** CID 1431125: Control flow issues (DEADCODE) /src/lib/gcov-glue.c: 126 in coverage_init()
________________________________________________________________________________________________________ *** CID 1431125: Control flow issues (DEADCODE) /src/lib/gcov-glue.c: 126 in coverage_init() 120 static void coverage_init(void *unused) 121 { 122 extern long __CTOR_LIST__; 123 typedef void (*func_ptr)(void); 124 func_ptr *ctor = (func_ptr *) &__CTOR_LIST__; 125 if (ctor == NULL)
CID 1431125: Control flow issues (DEADCODE) Execution cannot reach this statement: "return;".
126 return; 127 128 for (; *ctor != (func_ptr) 0; ctor++) 129 (*ctor)(); 130 } 131
** CID 1431124: Integer handling issues (BAD_SHIFT) /src/security/intel/txt/common.c: 185 in validate_acm()
________________________________________________________________________________________________________ *** CID 1431124: Integer handling issues (BAD_SHIFT) /src/security/intel/txt/common.c: 185 in validate_acm() 179 /* 180 * Causes #GP if acm_header->size > processor internal authenticated 181 * code area capacity. 182 * SAFER MODE EXTENSIONS REFERENCE. 183 * Intel 64 and IA-32 Architectures Software Developer Manuals Vol 2D 184 */
CID 1431124: Integer handling issues (BAD_SHIFT) In expression "1UL << log2_ceil((acm_header->size & 0xffffffU) << 2)", shifting by a negative amount has undefined behavior. The shift amount, "log2_ceil((acm_header->size & 0xffffffU) << 2)", is -1.
185 const size_t acm_len = 1UL << log2_ceil((acm_header->size & 0xffffff) << 2); 186 if (max_size_acm_area < acm_len) { 187 printk(BIOS_ERR, "TEE-TXT: BIOS ACM doesn't fit into AC execution region\n"); 188 return ACM_E_NOT_FIT_INTO_CPU_ACM_MEM; 189 } 190
** CID 1431123: Control flow issues (DEADCODE) /src/lib/libgcov.c: 398 in gcov_exit()
________________________________________________________________________________________________________ *** CID 1431123: Control flow issues (DEADCODE) /src/lib/libgcov.c: 398 in gcov_exit() 392 gcov_prefix = "."; 393 prefix_length = 1; 394 } 395 /* Allocate and initialize the filename scratch space plus one. */ 396 gi_filename = (char *) alloca(prefix_length + gcov_max_filename + 2); 397 if (prefix_length)
CID 1431123: Control flow issues (DEADCODE) Execution cannot reach this statement: "memcpy(gi_filename, gcov_pr...".
398 memcpy(gi_filename, gcov_prefix, prefix_length); 399 gi_filename_up = gi_filename + prefix_length; 400 401 /* Now merge each file. */ 402 for (gi_ptr = gcov_list; gi_ptr; gi_ptr = gi_ptr->next) { 403 unsigned int n_counts;
** CID 1430578: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/security/intel/stm/SmmStm.c: 359 in validate_resource()
________________________________________________________________________________________________________ *** CID 1430578: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/security/intel/stm/SmmStm.c: 359 in validate_resource() 353 resource->mem.base, 354 resource->mem.length); 355 356 if (resource->header.length != sizeof(STM_RSC_MEM_DESC)) 357 return false; 358
CID 1430578: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "resource->mem.rwx_attributes > 7" is always false regardless of the values of its operands. This occurs as the logical operand of "if".
359 if (resource->mem.rwx_attributes > FULL_ACCS) 360 return false; 361 break; 362 363 case IO_RANGE: 364 case TRAPPED_IO_RANGE:
** CID 1429780: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 1429780: Uninitialized variables (UNINIT) /src/mainboard/dell/optiplex_9010/sch5545_ec.c: 615 in sch5545_ec_hwm_init() 609 610 printk(BIOS_DEBUG, "%s\n", __func__); 611 sch5545_emi_init(0x2e); 612 613 chassis_type = get_chassis_type(); 614
CID 1429780: Uninitialized variables (UNINIT) Using uninitialized value "val" when calling "ec_read_write_reg".
615 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, READ_OP); 616 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, WRITE_OP); 617 ec_read_write_reg(EC_HWM_LDN, 0x0042, &val, READ_OP); 618 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, READ_OP); 619 val |= 0x02; 620 ec_read_write_reg(EC_HWM_LDN, 0x0048, &val, WRITE_OP);
** CID 1429772: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 1429772: Uninitialized variables (UNINIT) /src/mainboard/dell/optiplex_9010/sch5545_ec.c: 428 in sch5545_get_ec_fw_version() 422 uint16_t sch5545_get_ec_fw_version(void) 423 { 424 uint8_t val; 425 uint16_t ec_fw_version; 426 427 /* Read the FW version currently loaded used by EC */
CID 1429772: Uninitialized variables (UNINIT) Using uninitialized value "val" when calling "ec_read_write_reg".
428 ec_read_write_reg(EC_HWM_LDN, 0x2ad, &val, READ_OP); 429 ec_fw_version = (val << 8); 430 ec_read_write_reg(EC_HWM_LDN, 0x2ae, &val, READ_OP); 431 ec_fw_version |= val; 432 ec_read_write_reg(EC_HWM_LDN, 0x2ac, &val, READ_OP); 433 ec_read_write_reg(EC_HWM_LDN, 0x2fd, &val, READ_OP);
** CID 1429765: Uninitialized variables (UNINIT)
________________________________________________________________________________________________________ *** CID 1429765: Uninitialized variables (UNINIT) /src/mainboard/dell/optiplex_9010/sch5545_ec.c: 509 in sch5545_ec_hwm_early_init() 503 int i; 504 505 printk(BIOS_DEBUG, "%s\n", __func__); 506 507 ec_check_mbox_and_int_status(0x20, 0x01); 508
CID 1429765: Uninitialized variables (UNINIT) Using uninitialized value "val" when calling "ec_read_write_reg".
509 ec_read_write_reg(2, 0xcb, &val, READ_OP); 510 ec_read_write_reg(2, 0xb8, &val, READ_OP); 511 512 for (i = 0; i < ARRAY_SIZE(ec_hwm_init_seq); i++) { 513 val = ec_hwm_init_seq[i].val; 514 ec_read_write_reg(EC_HWM_LDN, ec_hwm_init_seq[i].reg, &val,
** CID 1428711: (OVERRUN)
________________________________________________________________________________________________________ *** CID 1428711: (OVERRUN) /src/vendorcode/eltan/security/mboot/mboot.c: 431 in mb_crtm() 425 tcgEventHdr.pcrIndex = MBOOT_PCR_INDEX_0; 426 tcgEventHdr.eventType = EV_S_CRTM_VERSION; 427 tcgEventHdr.eventSize = sizeof(crtm_version); 428 printk(BIOS_DEBUG, "%s: EventSize - %u\n", __func__, 429 tcgEventHdr.eventSize); 430
CID 1428711: (OVERRUN) Overrunning callee's array of size 32 by passing argument "tcgEventHdr.eventSize" (which evaluates to 67) in call to "mboot_hash_extend_log".
431 status = mboot_hash_extend_log(0, (uint8_t *)crtm_version, tcgEventHdr.eventSize, 432 &tcgEventHdr, (uint8_t *)crtm_version); 433 if (status) { 434 printk(BIOS_DEBUG, "Measure CRTM Version returned 0x%x\n", status); 435 return status; 436 } /src/mainboard/facebook/fbg1701/romstage.c: 78 in mb_crtm() 72 memset(&tcgEventHdr, 0, sizeof(tcgEventHdr)); 73 tcgEventHdr.pcrIndex = MBOOT_PCR_INDEX_0; 74 tcgEventHdr.eventType = EV_S_CRTM_VERSION; 75 tcgEventHdr.eventSize = sizeof(crtm_version); 76 printk(BIOS_DEBUG, "%s: EventSize - %u\n", __func__, tcgEventHdr.eventSize); 77
CID 1428711: (OVERRUN) Overrunning callee's array of size 32 by passing argument "tcgEventHdr.eventSize" (which evaluates to 67) in call to "mboot_hash_extend_log".
78 status = mboot_hash_extend_log(0, (uint8_t *)crtm_version, 79 tcgEventHdr.eventSize, &tcgEventHdr, 80 (uint8_t *)crtm_version); 81 if (status) { 82 printk(BIOS_DEBUG, "Measure CRTM Version returned 0x%x\n", status); 83 } 84 85 return status; 86 }
** CID 1419488: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________ *** CID 1419488: Null pointer dereferences (FORWARD_NULL) /src/superio/common/generic.c: 23 in generic_set_resources() 17 18 for (res = dev->resource_list; res; res = res->next) { 19 if (!(res->flags & IORESOURCE_ASSIGNED)) 20 continue; 21 22 res->flags |= IORESOURCE_STORED;
CID 1419488: Null pointer dereferences (FORWARD_NULL) Passing "dev" to "report_resource_stored", which dereferences null "dev->link_list".
23 report_resource_stored(dev, res, ""); 24 } 25 } 26 27 static void generic_read_resources(struct device *dev) 28 {
** CID 1419483: Memory - corruptions (OVERRUN) /src/vendorcode/eltan/security/verified_boot/vboot_check.c: 85 in verified_boot_check_manifest()
________________________________________________________________________________________________________ *** CID 1419483: Memory - corruptions (OVERRUN) /src/vendorcode/eltan/security/verified_boot/vboot_check.c: 85 in verified_boot_check_manifest() 79 pre->body_signature.data_size = CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_ITEMS * 80 DIGEST_SIZE; 81 pre->body_signature.sig_offset = sizeof(struct vb2_signature) + 82 pre->body_signature.data_size; 83 pre->body_signature.sig_size = size - pre->body_signature.data_size; 84 sd->workbuf_used += size;
CID 1419483: Memory - corruptions (OVERRUN) Overrunning struct type vb2_signature of 24 bytes by passing it to a function which accesses it at byte offset 663 using argument "size" (which evaluates to 640). [Note: The source code implementation of the function has been overridden by a builtin model.]
85 memcpy((void *)((void *)&pre->body_signature + (long)sizeof(struct vb2_signature)), 86 (uint8_t *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC, size); 87 88 89 if (vb2api_verify_kernel_data(ctx, (void *)CONFIG_VENDORCODE_ELTAN_OEM_MANIFEST_LOC, 90 pre->body_signature.data_size))
** CID 1407750: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 50 in sbi_check_extension()
________________________________________________________________________________________________________ *** CID 1407750: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 50 in sbi_check_extension() 44 * by checking the feature bits of the platform. We can create a map 45 * between extension ID & feature and use a generic function to check 46 * or just use a switch case for every new extension support added 47 * TODO: Implement it. 48 */ 49
CID 1407750: Control flow issues (NO_EFFECT) This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "extid >= SBI_EXT_0_1_SET_TIMER".
50 if ((extid >= SBI_EXT_0_1_SET_TIMER && 51 extid <= SBI_EXT_0_1_SHUTDOWN) || (extid == SBI_EXT_BASE)) { 52 *out_val = 1; 53 } else if (extid >= SBI_EXT_VENDOR_START && 54 extid <= SBI_EXT_VENDOR_END) { 55 *out_val = sbi_platform_vendor_ext_check(
** CID 1407740: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/sbi/sbi_trap.c: 131 in sbi_trap_redirect()
________________________________________________________________________________________________________ *** CID 1407740: Control flow issues (DEADCODE) /3rdparty/opensbi/lib/sbi/sbi_trap.c: 131 in sbi_trap_redirect() 125 hstatus = csr_read(CSR_HSTATUS); 126 hstatus &= ~HSTATUS_SP2P; 127 hstatus |= (regs->mstatus & MSTATUS_SPP) ? HSTATUS_SP2P : 0; 128 hstatus &= ~HSTATUS_SP2V; 129 hstatus |= (hstatus & HSTATUS_SPV) ? HSTATUS_SP2V : 0; 130 hstatus &= ~HSTATUS_SPV;
CID 1407740: Control flow issues (DEADCODE) Execution cannot reach the expression "0UL" inside this statement: "hstatus |= (prev_virt ? 128...".
131 hstatus |= (prev_virt) ? HSTATUS_SPV : 0; 132 hstatus &= ~HSTATUS_STL; 133 hstatus |= (prev_stage2) ? HSTATUS_STL : 0; 134 csr_write(CSR_HSTATUS, hstatus); 135 } 136
** CID 1407737: Error handling issues (CHECKED_RETURN) /src/drivers/spi/spi_sdcard.c: 357 in spi_sdcard_do_app_command()
________________________________________________________________________________________________________ *** CID 1407737: Error handling issues (CHECKED_RETURN) /src/drivers/spi/spi_sdcard.c: 357 in spi_sdcard_do_app_command() 351 static int spi_sdcard_do_app_command(const struct spi_sdcard *card, 352 uint8_t cmd, 353 uint32_t argument, 354 uint32_t *out_register) 355 { 356 /* CMD55 */
CID 1407737: Error handling issues (CHECKED_RETURN) Calling "spi_sdcard_do_command" without checking return value (as is done elsewhere 15 out of 17 times).
357 spi_sdcard_do_command(card, APP_CMD, 0, NULL); 358 return spi_sdcard_do_command_help(card, 1, cmd, argument, out_register); 359 } 360 361 size_t spi_sdcard_size(const struct spi_sdcard *card) 362 {
** CID 1407730: (SWAPPED_ARGUMENTS)
________________________________________________________________________________________________________ *** CID 1407730: (SWAPPED_ARGUMENTS) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 217 in sbi_ecall_handler() 211 } else if (extension_id == SBI_EXT_BASE) 212 ret = sbi_ecall_base_handler(scratch, extension_id, func_id, 213 args, &out_val, 214 &out_tval, &out_tcause); 215 else if (extension_id >= SBI_EXT_VENDOR_START && 216 extension_id <= SBI_EXT_VENDOR_END) {
CID 1407730: (SWAPPED_ARGUMENTS) The positions of arguments in the call to "sbi_ecall_vendor_ext_handler" do not match the ordering of the parameters:
* "&out_tval" is passed to "out_tcause" * "&out_tcause" is passed to "out_tval" 217 ret = sbi_ecall_vendor_ext_handler(scratch, extension_id, 218 func_id, args, &out_val, 219 &out_tval, &out_tcause); 220 } else { 221 ret = SBI_ENOTSUPP; 222 } /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 212 in sbi_ecall_handler() 206 if (extension_id >= SBI_EXT_0_1_SET_TIMER && 207 extension_id <= SBI_EXT_0_1_SHUTDOWN) { 208 ret = sbi_ecall_0_1_handler(scratch, extension_id, args, 209 &out_tval, &out_tcause); 210 is_0_1_spec = 1; 211 } else if (extension_id == SBI_EXT_BASE)
CID 1407730: (SWAPPED_ARGUMENTS) The positions of arguments in the call to "sbi_ecall_base_handler" do not match the ordering of the parameters:
* "&out_tval" is passed to "out_tcause" * "&out_tcause" is passed to "out_tval" 212 ret = sbi_ecall_base_handler(scratch, extension_id, func_id, 213 args, &out_val, 214 &out_tval, &out_tcause); 215 else if (extension_id >= SBI_EXT_VENDOR_START && 216 extension_id <= SBI_EXT_VENDOR_END) { 217 ret = sbi_ecall_vendor_ext_handler(scratch, extension_id,
** CID 1407727: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 206 in sbi_ecall_handler()
________________________________________________________________________________________________________ *** CID 1407727: Control flow issues (NO_EFFECT) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 206 in sbi_ecall_handler() 200 args[1] = regs->a1; 201 args[2] = regs->a2; 202 args[3] = regs->a3; 203 args[4] = regs->a4; 204 args[5] = regs->a5; 205
CID 1407727: Control flow issues (NO_EFFECT) This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "extension_id >= SBI_EXT_0_1_SET_TIMER".
206 if (extension_id >= SBI_EXT_0_1_SET_TIMER && 207 extension_id <= SBI_EXT_0_1_SHUTDOWN) { 208 ret = sbi_ecall_0_1_handler(scratch, extension_id, args, 209 &out_tval, &out_tcause); 210 is_0_1_spec = 1; 211 } else if (extension_id == SBI_EXT_BASE)
** CID 1407723: Control flow issues (MISSING_BREAK) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 105 in sbi_ecall_base_handler()
________________________________________________________________________________________________________ *** CID 1407723: Control flow issues (MISSING_BREAK) /3rdparty/opensbi/lib/sbi/sbi_ecall.c: 105 in sbi_ecall_base_handler() 99 case SBI_EXT_BASE_GET_MARCHID: 100 *out_val = csr_read(CSR_MARCHID); 101 break; 102 case SBI_EXT_BASE_GET_MIMPID: 103 *out_val = csr_read(CSR_MIMPID); 104 break;
CID 1407723: Control flow issues (MISSING_BREAK) The case for value "SBI_EXT_BASE_PROBE_EXT" is not terminated by a 'break' statement.
105 case SBI_EXT_BASE_PROBE_EXT: 106 ret = sbi_check_extension(scratch, args[0], out_val); 107 default: 108 ret = SBI_ENOTSUPP; 109 } 110
________________________________________________________________________________________________________ To view the defects in Coverity Scan, visit https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...