Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
18 new defect(s) introduced to coreboot found with Coverity Scan. 3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)
** CID 1294808: Integer handling issues (DIVIDE_BY_ZERO) /src/soc/nvidia/tegra132/clock.c: 377 in clock_configure_plld()
________________________________________________________________________________________________________ *** CID 1294808: Integer handling issues (DIVIDE_BY_ZERO) /src/soc/nvidia/tegra132/clock.c: 377 in clock_configure_plld() 371 plld.cpcon = 12; 372 373 if (best_diff) { 374 printk(BIOS_WARNING, "%s: Failed to match output frequency %u, " 375 "best difference is %u.\n", __func__, frequency, 376 best_diff);
CID 1294808: Integer handling issues (DIVIDE_BY_ZERO) In expression "ref / plld.m", division by expression "plld.m" which may be zero has undefined behavior.
377 rounded_rate = (ref / plld.m * plld.n) >> plld.p; 378 } 379 380 printk(BIOS_DEBUG, "%s: PLLD=%u ref=%u, m/n/p/cpcon=%u/%u/%u/%u\n", 381 __func__, rounded_rate, ref, plld.m, plld.n, plld.p, plld.cpcon); 382
** CID 1294807: Integer handling issues (DIVIDE_BY_ZERO) /payloads/libpayload/libc/time.c: 62 in update_clock()
________________________________________________________________________________________________________ *** CID 1294807: Integer handling issues (DIVIDE_BY_ZERO) /payloads/libpayload/libc/time.c: 62 in update_clock() 56 ticks_per_sec = timer_hz(); 57 ticks_per_usec = timer_hz() / 1000000; 58 } 59 60 clock.ticks += delta; 61
CID 1294807: Integer handling issues (DIVIDE_BY_ZERO) In expression "delta / ticks_per_sec", division by expression "ticks_per_sec" which may be zero has undefined behavior.
62 secs = (int) (delta / ticks_per_sec); 63 clock.secs += secs; 64 delta -= (secs * ticks_per_sec); 65 clock.usecs += (int)(delta / ticks_per_usec); 66 67 if (clock.usecs > 1000000) {
** CID 1294806: Null pointer dereferences (FORWARD_NULL) /src/arch/riscv/rom_media.c: 69 in init_rom_media_cbfs()
________________________________________________________________________________________________________ *** CID 1294806: Null pointer dereferences (FORWARD_NULL) /src/arch/riscv/rom_media.c: 69 in init_rom_media_cbfs() 63 //extern unsigned long _cbfs_master_header; 64 // On X86, we always keep a reference of pointer to CBFS header in 65 // 0xfffffffc, and the pointer is still a memory-mapped address. 66 // Since the CBFS core always use ROM offset, we need to figure out 67 // header->romsize even before media is initialized. 68 struct cbfs_header *header = (struct cbfs_header*) CONFIG_CBFS_HEADER_ROM_OFFSET; //&_cbfs_master_header;
CID 1294806: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "header".
69 if (CBFS_HEADER_MAGIC != ntohl(header->magic)) { 70 printk(BIOS_ERR, "Invalid CBFS master header at %p\n", header); 71 printk(BIOS_ERR, "Expected %08lx and got %08lx\n", (unsigned long) CBFS_HEADER_MAGIC, (unsigned long) ntohl(header->magic)); 72 return -1; 73 } else { 74 uint32_t romsize = ntohl(header->romsize);
** CID 1294805: Null pointer dereferences (FORWARD_NULL) /src/soc/nvidia/tegra132/dsi.c: 726 in tegra_dsi_host_transfer()
________________________________________________________________________________________________________ *** CID 1294805: Null pointer dereferences (FORWARD_NULL) /src/soc/nvidia/tegra132/dsi.c: 726 in tegra_dsi_host_transfer() 720 /* write payload (if any) */ 721 if (msg->tx_len > 2) { 722 for (j = 2; j < msg->tx_len; j += 4) { 723 value = 0; 724 725 for (i = 0; i < 4 && j + i < msg->tx_len; i++)
CID 1294805: Null pointer dereferences (FORWARD_NULL) Dereferencing null pointer "tx".
726 value |= tx[j + i] << (i << 3); 727 728 tegra_dsi_writel(dsi, value, DSI_WR_DATA); 729 } 730 } 731
** CID 1294804: Memory - illegal accesses (OVERRUN) /coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop()
________________________________________________________________________________________________________ *** CID 1294804: Memory - illegal accesses (OVERRUN) /coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop() 1405 } post = {0xDEAD, FileCode, 0xDEAD, FileCode}; 1406 UINT16 offset = 0; 1407 UINT16 j; 1408 1409 while(1) { 1410 offset %= sizeof(struct POST) / 2;
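CID 1294804: Memory - illegal accesses (OVERRUN) Overrunning array of 3 4-byte elements at element index 15 (byte offset 60) by dereferencing pointer "(UINT32 *)(&post + offset)". Note that "&post + offset" is arithmetic on a pointer to the whole struct, so each increment of "offset" advances by sizeof(struct POST) bytes rather than by one field; any non-zero "offset" therefore reads past the end of "post".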
1411 WriteIo32(80, *((UINT32*)(&post+offset))); 1412 ++offset; 1413 for (j=0; j<250; ++j) { 1414 ReadIo8(80); 1415 } 1416 }
** CID 1294803: (OVERRUN) /src/vendorcode/amd/agesa/f15tn/Proc/Mem/Ps/mpmaxfreq.c: 289 in MemPGetMaxFreqSupported() /src/vendorcode/amd/agesa/f15/Proc/Mem/Ps/mpmaxfreq.c: 277 in MemPGetMaxFreqSupported()
________________________________________________________________________________________________________ *** CID 1294803: (OVERRUN) /src/vendorcode/amd/agesa/f15tn/Proc/Mem/Ps/mpmaxfreq.c: 289 in MemPGetMaxFreqSupported() 283 NBPtr->MaxFreqVDDIO[CurrentVoltage] = 0; 284 } 285 } 286 IDS_HDT_CONSOLE (MEM_FLOW, "\n"); 287 } 288 ASSERT (DDR3Voltage <= VOLT1_25_ENCODED_VAL);
CID 1294803: (OVERRUN) Overrunning array of 3 2-byte elements at element index 255 (byte offset 510) by dereferencing pointer "SpeedArray + DDR3Voltage".
289 MaxFreqSupported = SpeedArray[DDR3Voltage]; 290 } 291 292 if (MaxFreqSupported == UNSUPPORTED_DDR_FREQUENCY) { 293 // No entry in the table for current dimm population is found 294 IDS_HDT_CONSOLE (MEM_FLOW, "\nDCT %d: No entry is found in the Max Frequency table\n", NBPtr->Dct); /src/vendorcode/amd/agesa/f15/Proc/Mem/Ps/mpmaxfreq.c: 277 in MemPGetMaxFreqSupported() 271 NBPtr->MaxFreqVDDIO[CurrentVoltage] = 0; 272 } 273 } 274 IDS_HDT_CONSOLE (MEM_FLOW, "\n"); 275 } 276 ASSERT (DDR3Voltage <= VOLT1_25_ENCODED_VAL);
CID 1294803: (OVERRUN) Overrunning array of 3 2-byte elements at element index 255 (byte offset 510) by dereferencing pointer "SpeedArray + DDR3Voltage".
277 MaxFreqSupported = SpeedArray[DDR3Voltage]; 278 } 279 280 if (MaxFreqSupported == UNSUPPORTED_DDR_FREQUENCY) { 281 // No entry in the table for current dimm population is found 282 IDS_HDT_CONSOLE (MEM_FLOW, "\nDCT %d: No entry is found in the Max Frequency table\n", NBPtr->Dct);
** CID 1294802: API usage errors (PW.PRINTF_ARG_MISMATCH) /util/bimgtool/bimgtool.c: 275 in ()
________________________________________________________________________________________________________ *** CID 1294802: API usage errors (PW.PRINTF_ARG_MISMATCH) /util/bimgtool/bimgtool.c: 275 in () 269 return -1; 270 } 271 272 if ((file_header.data_size + sizeof(struct bimg_header)) > 273 buf.st_size) { 274 fprintf(stderr, "Data size too big: %d > %d\n",
CID 1294802: API usage errors (PW.PRINTF_ARG_MISMATCH) argument is incompatible with corresponding format string conversion
275 file_header.data_size, buf.st_size); 276 return -1; 277 } 278 279 if (file_header.ver_major != crc_type.ver_major) { 280 fprintf(stderr, "Image version mismatch: %d\n",
** CID 1294801: (RESOURCE_LEAK) /src/soc/qualcomm/ipq806x/lcc.c: 313 in audio_clock_config() /src/soc/qualcomm/ipq806x/lcc.c: 315 in audio_clock_config() /src/soc/qualcomm/ipq806x/lcc.c: 310 in audio_clock_config() /src/soc/qualcomm/ipq806x/lcc.c: 308 in audio_clock_config() /src/soc/qualcomm/ipq806x/lcc.c: 306 in audio_clock_config()
________________________________________________________________________________________________________ *** CID 1294801: (RESOURCE_LEAK) /src/soc/qualcomm/ipq806x/lcc.c: 313 in audio_clock_config() 307 if (lcc_init_enable_ahbix(bus)) 308 return 1; 309 if (lcc_init_mi2s(bus, frequency)) 310 return 1; 311 312 if (lcc_enable_mi2s(bus))
CID 1294801: (RESOURCE_LEAK) Variable "bus" going out of scope leaks the storage it points to.
313 return 1; 314 315 return 0; /src/soc/qualcomm/ipq806x/lcc.c: 315 in audio_clock_config() 309 if (lcc_init_mi2s(bus, frequency)) 310 return 1; 311 312 if (lcc_enable_mi2s(bus)) 313 return 1; 314
CID 1294801: (RESOURCE_LEAK) Variable "bus" going out of scope leaks the storage it points to.
315 return 0; /src/soc/qualcomm/ipq806x/lcc.c: 310 in audio_clock_config() 304 305 if (lcc_init_enable_pll0(bus)) 306 return 1; 307 if (lcc_init_enable_ahbix(bus)) 308 return 1; 309 if (lcc_init_mi2s(bus, frequency))
CID 1294801: (RESOURCE_LEAK) Variable "bus" going out of scope leaks the storage it points to.
310 return 1; 311 312 if (lcc_enable_mi2s(bus)) 313 return 1; 314 315 return 0; /src/soc/qualcomm/ipq806x/lcc.c: 308 in audio_clock_config() 302 bus->lcc_pll_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_PLL_PCLK_REG); 303 304 305 if (lcc_init_enable_pll0(bus)) 306 return 1; 307 if (lcc_init_enable_ahbix(bus))
CID 1294801: (RESOURCE_LEAK) Variable "bus" going out of scope leaks the storage it points to.
308 return 1; 309 if (lcc_init_mi2s(bus, frequency)) 310 return 1; 311 312 if (lcc_enable_mi2s(bus)) 313 return 1; 314 315 return 0; /src/soc/qualcomm/ipq806x/lcc.c: 306 in audio_clock_config() 300 bus->lcc_ahbix_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_AHBIX_NS_REG); 301 bus->lcc_mi2s_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_MI2S_NS_REG); 302 bus->lcc_pll_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_PLL_PCLK_REG); 303 304 305 if (lcc_init_enable_pll0(bus))
CID 1294801: (RESOURCE_LEAK) Variable "bus" going out of scope leaks the storage it points to.
306 return 1; 307 if (lcc_init_enable_ahbix(bus)) 308 return 1; 309 if (lcc_init_mi2s(bus, frequency)) 310 return 1; 311
** CID 1294800: (SIGN_EXTENSION) /src/soc/nvidia/tegra132/dsi.c: 340 in tegra_dsi_configure() /src/soc/nvidia/tegra132/dsi.c: 341 in tegra_dsi_configure()
________________________________________________________________________________________________________ *** CID 1294800: (SIGN_EXTENSION) /src/soc/nvidia/tegra132/dsi.c: 340 in tegra_dsi_configure() 334 } else { 335 /* 1 byte (DCS command) + pixel data */ 336 bytes = 1 + mode->xres * mul / div; 337 } 338 339 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_0_1);
CID 1294800: (SIGN_EXTENSION) Suspicious implicit sign extension: "bytes" with type "unsigned short" (16 bits, unsigned) is promoted in "bytes << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "bytes << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
340 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_2_3); 341 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_4_5); 342 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_6_7); 343 344 value = MIPI_DCS_WRITE_MEMORY_START << 8 | 345 MIPI_DCS_WRITE_MEMORY_CONTINUE; /src/soc/nvidia/tegra132/dsi.c: 341 in tegra_dsi_configure() 335 /* 1 byte (DCS command) + pixel data */ 336 bytes = 1 + mode->xres * mul / div; 337 } 338 339 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_0_1); 340 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_2_3);
CID 1294800: (SIGN_EXTENSION) Suspicious implicit sign extension: "bytes" with type "unsigned short" (16 bits, unsigned) is promoted in "bytes << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "bytes << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
341 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_4_5); 342 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_6_7); 343 344 value = MIPI_DCS_WRITE_MEMORY_START << 8 | 345 MIPI_DCS_WRITE_MEMORY_CONTINUE; 346 tegra_dsi_writel(dsi, value, DSI_DCS_CMDS);
** CID 1294799: Control flow issues (UNREACHABLE) /src/soc/rockchip/rk3288/edp.c: 746 in rk_edp_read_bytes_from_i2c()
________________________________________________________________________________________________________ *** CID 1294799: Control flow issues (UNREACHABLE) /src/soc/rockchip/rk3288/edp.c: 746 in rk_edp_read_bytes_from_i2c() 740 edp_debug("Aux Transaction fail!\n"); 741 continue; 742 } 743 744 /* Check if Rx sends defer */ 745 val = readl(&edp->regs->aux_rx_comm);
CID 1294799: Control flow issues (UNREACHABLE) This code cannot be reached: "if (val == 2U || val == 8U)...".
746 if (val == AUX_RX_COMM_AUX_DEFER || 747 val == AUX_RX_COMM_I2C_DEFER) { 748 edp_debug("Defer: %d\n\n", val); 749 defer = 1; 750 } 751 }
** CID 1294798: Code maintainability issues (UNUSED_VALUE) /src/soc/rockchip/rk3288/edp.c: 721 in rk_edp_read_bytes_from_i2c()
________________________________________________________________________________________________________ *** CID 1294798: Code maintainability issues (UNUSED_VALUE) /src/soc/rockchip/rk3288/edp.c: 721 in rk_edp_read_bytes_from_i2c() 715 716 /* 717 * If Rx sends defer, Tx sends only reads 718 * request without sending addres 719 */ 720 if (!defer)
CID 1294798: Code maintainability issues (UNUSED_VALUE) Assigning value from "rk_edp_select_i2c_device(edp, device_addr, val_addr + i)" to "retval" here, but that stored value is overwritten before it can be used.
721 retval = rk_edp_select_i2c_device(edp, 722 device_addr, val_addr + i); 723 else 724 defer = 0; 725 726 /*
** CID 1294797: Error handling issues (CHECKED_RETURN) /util/cbfstool/cbfstool.c: 350 in cbfs_create()
________________________________________________________________________________________________________ *** CID 1294797: Error handling issues (CHECKED_RETURN) /util/cbfstool/cbfstool.c: 350 in cbfs_create() 344 ERROR("You need to specify -m/--machine arch.\n"); 345 return 1; 346 } 347 348 if (!param.bootblock) { 349 DEBUG("-B not given, creating image without bootblock.\n");
CID 1294797: Error handling issues (CHECKED_RETURN) Calling "buffer_create" without checking return value (as is done elsewhere 9 out of 10 times).
350 buffer_create(&bootblock, 0, "(dummy)"); 351 } else if (buffer_from_file(&bootblock, param.bootblock)) { 352 return 1; 353 } 354 355 if (!param.alignment)
** CID 1294796: Integer handling issues (BAD_SHIFT) /src/vendorcode/amd/agesa/f16kb/Proc/Mem/Ps/mpmaxfreq.c: 291 in MemPGetMaxFreqSupported()
________________________________________________________________________________________________________ *** CID 1294796: Integer handling issues (BAD_SHIFT) /src/vendorcode/amd/agesa/f16kb/Proc/Mem/Ps/mpmaxfreq.c: 291 in MemPGetMaxFreqSupported() 285 } 286 } 287 IDS_HDT_CONSOLE (MEM_FLOW, "\n"); 288 } 289 ASSERT (DDR3Voltage <= VOLT1_25_ENCODED_VAL); 290 for (CurrentVoltage = DDR3Voltage; CurrentVoltage >= VOLT1_5_ENCODED_VAL; CurrentVoltage --) {
CID 1294796: Integer handling issues (BAD_SHIFT) In expression "1 << CurrentVoltage", left shifting by more than 31 bits has undefined behavior. The shift amount, "CurrentVoltage", is 255.
291 if (NBPtr->SharedPtr->VoltageMap & (1 << CurrentVoltage)) { 292 MaxFreqSupported = SpeedArray[CurrentVoltage]; 293 if (MaxFreqSupported != UNSUPPORTED_DDR_FREQUENCY) { 294 NBPtr->RefPtr->DDR3Voltage = CONVERT_ENCODED_TO_VDDIO (CurrentVoltage); 295 IDS_HDT_CONSOLE (MEM_FLOW, "\nVDDIO leveraged to %s\n", (CurrentVoltage == VOLT1_5_ENCODED_VAL) ? "1.5V" : ((CurrentVoltage == VOLT1_35_ENCODED_VAL) ? "1.35V" : "1.25V")); 296 break;
** CID 1294795: Control flow issues (DEADCODE) /src/soc/rockchip/rk3288/edp.c: 724 in rk_edp_read_bytes_from_i2c()
________________________________________________________________________________________________________ *** CID 1294795: Control flow issues (DEADCODE) /src/soc/rockchip/rk3288/edp.c: 724 in rk_edp_read_bytes_from_i2c() 718 * request without sending addres 719 */ 720 if (!defer) 721 retval = rk_edp_select_i2c_device(edp, 722 device_addr, val_addr + i); 723 else
CID 1294795: Control flow issues (DEADCODE) Execution cannot reach this statement: "defer = 0U;".
724 defer = 0; 725 726 /* 727 * Set I2C transaction and write data 728 * If bit 3 is 1, DisplayPort transaction. 729 * If Bit 3 is 0, I2C transaction.
** CID 1294794: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/imgtec/pistachio/clocks.c: 359 in mips_clk_setup()
________________________________________________________________________________________________________ *** CID 1294794: Integer handling issues (CONSTANT_EXPRESSION_RESULT) /src/soc/imgtec/pistachio/clocks.c: 359 in mips_clk_setup() 353 void mips_clk_setup(u8 divider1, u8 divider2) 354 { 355 u32 reg; 356 357 /* Check input parameters */ 358 assert(!(divider1 & ~(MIPSCLKINTERNAL_MASK)));
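CID 1294794: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "divider2 & -256 /* ~0xff */" is always 0 regardless of the values of its operands. This occurs as the logical operand of '!'. Because "divider2" is declared as u8 (line 353), it has no bits outside 0xff, so this assert can never fire and does not actually validate the parameter.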
359 assert(!(divider2 & ~(MIPSCLKOUT_MASK))); 360 361 /* Set divider 1 */ 362 reg = read32(MIPSCLKINTERNAL_CTRL_ADDR); 363 reg &= ~MIPSCLKINTERNAL_MASK; 364 reg |= divider1 & MIPSCLKINTERNAL_MASK;
** CID 1294793: Control flow issues (DEADCODE) /src/soc/imgtec/pistachio/uart.c: 129 in uart_init()
________________________________________________________________________________________________________ *** CID 1294793: Control flow issues (DEADCODE) /src/soc/imgtec/pistachio/uart.c: 129 in uart_init() 123 } 124 125 void uart_init(int idx) 126 { 127 u32 base = CONFIG_CONSOLE_SERIAL_UART_ADDRESS; 128 if (!base)
CID 1294793: Control flow issues (DEADCODE) Execution cannot reach this statement: "return;".
129 return; 130 131 unsigned int div; 132 div = uart_baudrate_divisor(CONFIG_TTYS0_BAUD, 133 uart_platform_refclk(), 16); 134 uart8250_mem_init(base, div);
** CID 1260908: Null pointer dereferences (FORWARD_NULL) /src/ec/google/chromeec/ec.c: 421 in google_chromeec_set_usb_charge_mode()
________________________________________________________________________________________________________ *** CID 1260908: Null pointer dereferences (FORWARD_NULL) /src/ec/google/chromeec/ec.c: 421 in google_chromeec_set_usb_charge_mode() 415 416 cmd.cmd_code = EC_CMD_USB_CHARGE_SET_MODE; 417 cmd.cmd_version = 0; 418 cmd.cmd_size_in = sizeof(set_mode); 419 cmd.cmd_data_in = &set_mode; 420 cmd.cmd_size_out = 0;
CID 1260908: Null pointer dereferences (FORWARD_NULL) Assigning: "cmd.cmd_data_out" = "NULL".
421 cmd.cmd_data_out = NULL; 422 cmd.cmd_dev_index = 0; 423 424 return google_chromeec_command(&cmd); 425 } 426
** CID 1260807: Memory - illegal accesses (OVERRUN) /src/southbridge/amd/agesa/hudson/imc.c: 78 in enable_imc_thermal_zone()
________________________________________________________________________________________________________ *** CID 1260807: Memory - illegal accesses (OVERRUN) /src/southbridge/amd/agesa/hudson/imc.c: 78 in enable_imc_thermal_zone() 72 FunNum = Fun_80; 73 for (i=0; i<=1; i++) 74 WriteECmsg(MSG_REG0 + i, AccessWidth8, &regs[i], &StdHeader); 75 WriteECmsg(MSG_SYS_TO_IMC, AccessWidth8, &FunNum, &StdHeader); // function number 76 WaitForEcLDN9MailboxCmdAck(&StdHeader); 77
CID 1260807: Memory - illegal accesses (OVERRUN) Checking "i <= 9" implies that "i" may be up to 9 on the true branch.
78 for (i=2; i<=9; i++) 79 ReadECmsg(MSG_REG0 + i, AccessWidth8, &regs[i], &StdHeader); 80 81 /* enable thermal zone 0 */ 82 regs[2] |= 1; 83 regs[0] = 0;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1016?tab=overview