[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Fri Apr 17 18:36:08 CEST 2015
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
18 new defect(s) introduced to coreboot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 18 of 18 defect(s)
** CID 1294808: Integer handling issues (DIVIDE_BY_ZERO)
/src/soc/nvidia/tegra132/clock.c: 377 in clock_configure_plld()
________________________________________________________________________________________________________
*** CID 1294808: Integer handling issues (DIVIDE_BY_ZERO)
/src/soc/nvidia/tegra132/clock.c: 377 in clock_configure_plld()
371 plld.cpcon = 12;
372
373 if (best_diff) {
374 printk(BIOS_WARNING, "%s: Failed to match output frequency %u, "
375 "best difference is %u.\n", __func__, frequency,
376 best_diff);
>>> CID 1294808: Integer handling issues (DIVIDE_BY_ZERO)
>>> In expression "ref / plld.m", division by expression "plld.m" which may be zero has undefined behavior.
377 rounded_rate = (ref / plld.m * plld.n) >> plld.p;
378 }
379
380 printk(BIOS_DEBUG, "%s: PLLD=%u ref=%u, m/n/p/cpcon=%u/%u/%u/%u\n",
381 __func__, rounded_rate, ref, plld.m, plld.n, plld.p, plld.cpcon);
382
** CID 1294807: Integer handling issues (DIVIDE_BY_ZERO)
/payloads/libpayload/libc/time.c: 62 in update_clock()
________________________________________________________________________________________________________
*** CID 1294807: Integer handling issues (DIVIDE_BY_ZERO)
/payloads/libpayload/libc/time.c: 62 in update_clock()
56 ticks_per_sec = timer_hz();
57 ticks_per_usec = timer_hz() / 1000000;
58 }
59
60 clock.ticks += delta;
61
>>> CID 1294807: Integer handling issues (DIVIDE_BY_ZERO)
>>> In expression "delta / ticks_per_sec", division by expression "ticks_per_sec" which may be zero has undefined behavior.
62 secs = (int) (delta / ticks_per_sec);
63 clock.secs += secs;
64 delta -= (secs * ticks_per_sec);
65 clock.usecs += (int)(delta / ticks_per_usec);
66
67 if (clock.usecs > 1000000) {
** CID 1294806: Null pointer dereferences (FORWARD_NULL)
/src/arch/riscv/rom_media.c: 69 in init_rom_media_cbfs()
________________________________________________________________________________________________________
*** CID 1294806: Null pointer dereferences (FORWARD_NULL)
/src/arch/riscv/rom_media.c: 69 in init_rom_media_cbfs()
63 //extern unsigned long _cbfs_master_header;
64 // On X86, we always keep a reference of pointer to CBFS header in
65 // 0xfffffffc, and the pointer is still a memory-mapped address.
66 // Since the CBFS core always use ROM offset, we need to figure out
67 // header->romsize even before media is initialized.
68 struct cbfs_header *header = (struct cbfs_header*) CONFIG_CBFS_HEADER_ROM_OFFSET; //&_cbfs_master_header;
>>> CID 1294806: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "header".
69 if (CBFS_HEADER_MAGIC != ntohl(header->magic)) {
70 printk(BIOS_ERR, "Invalid CBFS master header at %p\n", header);
71 printk(BIOS_ERR, "Expected %08lx and got %08lx\n", (unsigned long) CBFS_HEADER_MAGIC, (unsigned long) ntohl(header->magic));
72 return -1;
73 } else {
74 uint32_t romsize = ntohl(header->romsize);
** CID 1294805: Null pointer dereferences (FORWARD_NULL)
/src/soc/nvidia/tegra132/dsi.c: 726 in tegra_dsi_host_transfer()
________________________________________________________________________________________________________
*** CID 1294805: Null pointer dereferences (FORWARD_NULL)
/src/soc/nvidia/tegra132/dsi.c: 726 in tegra_dsi_host_transfer()
720 /* write payload (if any) */
721 if (msg->tx_len > 2) {
722 for (j = 2; j < msg->tx_len; j += 4) {
723 value = 0;
724
725 for (i = 0; i < 4 && j + i < msg->tx_len; i++)
>>> CID 1294805: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "tx".
726 value |= tx[j + i] << (i << 3);
727
728 tegra_dsi_writel(dsi, value, DSI_WR_DATA);
729 }
730 }
731
** CID 1294804: Memory - illegal accesses (OVERRUN)
/coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop()
________________________________________________________________________________________________________
*** CID 1294804: Memory - illegal accesses (OVERRUN)
/coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop()
1405 } post = {0xDEAD, FileCode, 0xDEAD, FileCode};
1406 UINT16 offset = 0;
1407 UINT16 j;
1408
1409 while(1) {
1410 offset %= sizeof(struct POST) / 2;
>>> CID 1294804: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 3 4-byte elements at element index 15 (byte offset 60) by dereferencing pointer "(UINT32 *)(&post + offset)".
1411 WriteIo32(80, *((UINT32*)(&post+offset)));
1412 ++offset;
1413 for (j=0; j<250; ++j) {
1414 ReadIo8(80);
1415 }
1416 }
** CID 1294803: (OVERRUN)
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Ps/mpmaxfreq.c: 289 in MemPGetMaxFreqSupported()
/src/vendorcode/amd/agesa/f15/Proc/Mem/Ps/mpmaxfreq.c: 277 in MemPGetMaxFreqSupported()
________________________________________________________________________________________________________
*** CID 1294803: (OVERRUN)
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/Ps/mpmaxfreq.c: 289 in MemPGetMaxFreqSupported()
283 NBPtr->MaxFreqVDDIO[CurrentVoltage] = 0;
284 }
285 }
286 IDS_HDT_CONSOLE (MEM_FLOW, "\n");
287 }
288 ASSERT (DDR3Voltage <= VOLT1_25_ENCODED_VAL);
>>> CID 1294803: (OVERRUN)
>>> Overrunning array of 3 2-byte elements at element index 255 (byte offset 510) by dereferencing pointer "SpeedArray + DDR3Voltage".
289 MaxFreqSupported = SpeedArray[DDR3Voltage];
290 }
291
292 if (MaxFreqSupported == UNSUPPORTED_DDR_FREQUENCY) {
293 // No entry in the table for current dimm population is found
294 IDS_HDT_CONSOLE (MEM_FLOW, "\nDCT %d: No entry is found in the Max Frequency table\n", NBPtr->Dct);
/src/vendorcode/amd/agesa/f15/Proc/Mem/Ps/mpmaxfreq.c: 277 in MemPGetMaxFreqSupported()
271 NBPtr->MaxFreqVDDIO[CurrentVoltage] = 0;
272 }
273 }
274 IDS_HDT_CONSOLE (MEM_FLOW, "\n");
275 }
276 ASSERT (DDR3Voltage <= VOLT1_25_ENCODED_VAL);
>>> CID 1294803: (OVERRUN)
>>> Overrunning array of 3 2-byte elements at element index 255 (byte offset 510) by dereferencing pointer "SpeedArray + DDR3Voltage".
277 MaxFreqSupported = SpeedArray[DDR3Voltage];
278 }
279
280 if (MaxFreqSupported == UNSUPPORTED_DDR_FREQUENCY) {
281 // No entry in the table for current dimm population is found
282 IDS_HDT_CONSOLE (MEM_FLOW, "\nDCT %d: No entry is found in the Max Frequency table\n", NBPtr->Dct);
** CID 1294802: API usage errors (PW.PRINTF_ARG_MISMATCH)
/util/bimgtool/bimgtool.c: 275 in ()
________________________________________________________________________________________________________
*** CID 1294802: API usage errors (PW.PRINTF_ARG_MISMATCH)
/util/bimgtool/bimgtool.c: 275 in ()
269 return -1;
270 }
271
272 if ((file_header.data_size + sizeof(struct bimg_header)) >
273 buf.st_size) {
274 fprintf(stderr, "Data size too big: %d > %d\n",
>>> CID 1294802: API usage errors (PW.PRINTF_ARG_MISMATCH)
>>> argument is incompatible with corresponding format string conversion
275 file_header.data_size, buf.st_size);
276 return -1;
277 }
278
279 if (file_header.ver_major != crc_type.ver_major) {
280 fprintf(stderr, "Image version mismatch: %d\n",
** CID 1294801: (RESOURCE_LEAK)
/src/soc/qualcomm/ipq806x/lcc.c: 313 in audio_clock_config()
/src/soc/qualcomm/ipq806x/lcc.c: 315 in audio_clock_config()
/src/soc/qualcomm/ipq806x/lcc.c: 310 in audio_clock_config()
/src/soc/qualcomm/ipq806x/lcc.c: 308 in audio_clock_config()
/src/soc/qualcomm/ipq806x/lcc.c: 306 in audio_clock_config()
________________________________________________________________________________________________________
*** CID 1294801: (RESOURCE_LEAK)
/src/soc/qualcomm/ipq806x/lcc.c: 313 in audio_clock_config()
307 if (lcc_init_enable_ahbix(bus))
308 return 1;
309 if (lcc_init_mi2s(bus, frequency))
310 return 1;
311
312 if (lcc_enable_mi2s(bus))
>>> CID 1294801: (RESOURCE_LEAK)
>>> Variable "bus" going out of scope leaks the storage it points to.
313 return 1;
314
315 return 0;
/src/soc/qualcomm/ipq806x/lcc.c: 315 in audio_clock_config()
309 if (lcc_init_mi2s(bus, frequency))
310 return 1;
311
312 if (lcc_enable_mi2s(bus))
313 return 1;
314
>>> CID 1294801: (RESOURCE_LEAK)
>>> Variable "bus" going out of scope leaks the storage it points to.
315 return 0;
/src/soc/qualcomm/ipq806x/lcc.c: 310 in audio_clock_config()
304
305 if (lcc_init_enable_pll0(bus))
306 return 1;
307 if (lcc_init_enable_ahbix(bus))
308 return 1;
309 if (lcc_init_mi2s(bus, frequency))
>>> CID 1294801: (RESOURCE_LEAK)
>>> Variable "bus" going out of scope leaks the storage it points to.
310 return 1;
311
312 if (lcc_enable_mi2s(bus))
313 return 1;
314
315 return 0;
/src/soc/qualcomm/ipq806x/lcc.c: 308 in audio_clock_config()
302 bus->lcc_pll_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_PLL_PCLK_REG);
303
304
305 if (lcc_init_enable_pll0(bus))
306 return 1;
307 if (lcc_init_enable_ahbix(bus))
>>> CID 1294801: (RESOURCE_LEAK)
>>> Variable "bus" going out of scope leaks the storage it points to.
308 return 1;
309 if (lcc_init_mi2s(bus, frequency))
310 return 1;
311
312 if (lcc_enable_mi2s(bus))
313 return 1;
314
315 return 0;
/src/soc/qualcomm/ipq806x/lcc.c: 306 in audio_clock_config()
300 bus->lcc_ahbix_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_AHBIX_NS_REG);
301 bus->lcc_mi2s_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_MI2S_NS_REG);
302 bus->lcc_pll_regs = (void *)(MSM_LPASS_LCC_BASE + LCC_PLL_PCLK_REG);
303
304
305 if (lcc_init_enable_pll0(bus))
>>> CID 1294801: (RESOURCE_LEAK)
>>> Variable "bus" going out of scope leaks the storage it points to.
306 return 1;
307 if (lcc_init_enable_ahbix(bus))
308 return 1;
309 if (lcc_init_mi2s(bus, frequency))
310 return 1;
311
** CID 1294800: (SIGN_EXTENSION)
/src/soc/nvidia/tegra132/dsi.c: 340 in tegra_dsi_configure()
/src/soc/nvidia/tegra132/dsi.c: 341 in tegra_dsi_configure()
________________________________________________________________________________________________________
*** CID 1294800: (SIGN_EXTENSION)
/src/soc/nvidia/tegra132/dsi.c: 340 in tegra_dsi_configure()
334 } else {
335 /* 1 byte (DCS command) + pixel data */
336 bytes = 1 + mode->xres * mul / div;
337 }
338
339 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_0_1);
>>> CID 1294800: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "bytes" with type "unsigned short" (16 bits, unsigned) is promoted in "bytes << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "bytes << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
340 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_2_3);
341 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_4_5);
342 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_6_7);
343
344 value = MIPI_DCS_WRITE_MEMORY_START << 8 |
345 MIPI_DCS_WRITE_MEMORY_CONTINUE;
/src/soc/nvidia/tegra132/dsi.c: 341 in tegra_dsi_configure()
335 /* 1 byte (DCS command) + pixel data */
336 bytes = 1 + mode->xres * mul / div;
337 }
338
339 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_0_1);
340 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_2_3);
>>> CID 1294800: (SIGN_EXTENSION)
>>> Suspicious implicit sign extension: "bytes" with type "unsigned short" (16 bits, unsigned) is promoted in "bytes << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "bytes << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
341 tegra_dsi_writel(dsi, bytes << 16, DSI_PKT_LEN_4_5);
342 tegra_dsi_writel(dsi, 0, DSI_PKT_LEN_6_7);
343
344 value = MIPI_DCS_WRITE_MEMORY_START << 8 |
345 MIPI_DCS_WRITE_MEMORY_CONTINUE;
346 tegra_dsi_writel(dsi, value, DSI_DCS_CMDS);
** CID 1294799: Control flow issues (UNREACHABLE)
/src/soc/rockchip/rk3288/edp.c: 746 in rk_edp_read_bytes_from_i2c()
________________________________________________________________________________________________________
*** CID 1294799: Control flow issues (UNREACHABLE)
/src/soc/rockchip/rk3288/edp.c: 746 in rk_edp_read_bytes_from_i2c()
740 edp_debug("Aux Transaction fail!\n");
741 continue;
742 }
743
744 /* Check if Rx sends defer */
745 val = readl(&edp->regs->aux_rx_comm);
>>> CID 1294799: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "if (val == 2U || val == 8U)...".
746 if (val == AUX_RX_COMM_AUX_DEFER ||
747 val == AUX_RX_COMM_I2C_DEFER) {
748 edp_debug("Defer: %d\n\n", val);
749 defer = 1;
750 }
751 }
** CID 1294798: Code maintainability issues (UNUSED_VALUE)
/src/soc/rockchip/rk3288/edp.c: 721 in rk_edp_read_bytes_from_i2c()
________________________________________________________________________________________________________
*** CID 1294798: Code maintainability issues (UNUSED_VALUE)
/src/soc/rockchip/rk3288/edp.c: 721 in rk_edp_read_bytes_from_i2c()
715
716 /*
717 * If Rx sends defer, Tx sends only reads
718 * request without sending addres
719 */
720 if (!defer)
>>> CID 1294798: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "rk_edp_select_i2c_device(edp, device_addr, val_addr + i)" to "retval" here, but that stored value is overwritten before it can be used.
721 retval = rk_edp_select_i2c_device(edp,
722 device_addr, val_addr + i);
723 else
724 defer = 0;
725
726 /*
** CID 1294797: Error handling issues (CHECKED_RETURN)
/util/cbfstool/cbfstool.c: 350 in cbfs_create()
________________________________________________________________________________________________________
*** CID 1294797: Error handling issues (CHECKED_RETURN)
/util/cbfstool/cbfstool.c: 350 in cbfs_create()
344 ERROR("You need to specify -m/--machine arch.\n");
345 return 1;
346 }
347
348 if (!param.bootblock) {
349 DEBUG("-B not given, creating image without bootblock.\n");
>>> CID 1294797: Error handling issues (CHECKED_RETURN)
>>> Calling "buffer_create" without checking return value (as is done elsewhere 9 out of 10 times).
350 buffer_create(&bootblock, 0, "(dummy)");
351 } else if (buffer_from_file(&bootblock, param.bootblock)) {
352 return 1;
353 }
354
355 if (!param.alignment)
** CID 1294796: Integer handling issues (BAD_SHIFT)
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Ps/mpmaxfreq.c: 291 in MemPGetMaxFreqSupported()
________________________________________________________________________________________________________
*** CID 1294796: Integer handling issues (BAD_SHIFT)
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/Ps/mpmaxfreq.c: 291 in MemPGetMaxFreqSupported()
285 }
286 }
287 IDS_HDT_CONSOLE (MEM_FLOW, "\n");
288 }
289 ASSERT (DDR3Voltage <= VOLT1_25_ENCODED_VAL);
290 for (CurrentVoltage = DDR3Voltage; CurrentVoltage >= VOLT1_5_ENCODED_VAL; CurrentVoltage --) {
>>> CID 1294796: Integer handling issues (BAD_SHIFT)
>>> In expression "1 << CurrentVoltage", left shifting by more than 31 bits has undefined behavior. The shift amount, "CurrentVoltage", is 255.
291 if (NBPtr->SharedPtr->VoltageMap & (1 << CurrentVoltage)) {
292 MaxFreqSupported = SpeedArray[CurrentVoltage];
293 if (MaxFreqSupported != UNSUPPORTED_DDR_FREQUENCY) {
294 NBPtr->RefPtr->DDR3Voltage = CONVERT_ENCODED_TO_VDDIO (CurrentVoltage);
295 IDS_HDT_CONSOLE (MEM_FLOW, "\nVDDIO leveraged to %s\n", (CurrentVoltage == VOLT1_5_ENCODED_VAL) ? "1.5V" : ((CurrentVoltage == VOLT1_35_ENCODED_VAL) ? "1.35V" : "1.25V"));
296 break;
** CID 1294795: Control flow issues (DEADCODE)
/src/soc/rockchip/rk3288/edp.c: 724 in rk_edp_read_bytes_from_i2c()
________________________________________________________________________________________________________
*** CID 1294795: Control flow issues (DEADCODE)
/src/soc/rockchip/rk3288/edp.c: 724 in rk_edp_read_bytes_from_i2c()
718 * request without sending addres
719 */
720 if (!defer)
721 retval = rk_edp_select_i2c_device(edp,
722 device_addr, val_addr + i);
723 else
>>> CID 1294795: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "defer = 0U;".
724 defer = 0;
725
726 /*
727 * Set I2C transaction and write data
728 * If bit 3 is 1, DisplayPort transaction.
729 * If Bit 3 is 0, I2C transaction.
** CID 1294794: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/imgtec/pistachio/clocks.c: 359 in mips_clk_setup()
________________________________________________________________________________________________________
*** CID 1294794: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/imgtec/pistachio/clocks.c: 359 in mips_clk_setup()
353 void mips_clk_setup(u8 divider1, u8 divider2)
354 {
355 u32 reg;
356
357 /* Check input parameters */
358 assert(!(divider1 & ~(MIPSCLKINTERNAL_MASK)));
>>> CID 1294794: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "divider2 & -256 /* ~0xff */" is always 0 regardless of the values of its operands. This occurs as the logical operand of '!'.
359 assert(!(divider2 & ~(MIPSCLKOUT_MASK)));
360
361 /* Set divider 1 */
362 reg = read32(MIPSCLKINTERNAL_CTRL_ADDR);
363 reg &= ~MIPSCLKINTERNAL_MASK;
364 reg |= divider1 & MIPSCLKINTERNAL_MASK;
** CID 1294793: Control flow issues (DEADCODE)
/src/soc/imgtec/pistachio/uart.c: 129 in uart_init()
________________________________________________________________________________________________________
*** CID 1294793: Control flow issues (DEADCODE)
/src/soc/imgtec/pistachio/uart.c: 129 in uart_init()
123 }
124
125 void uart_init(int idx)
126 {
127 u32 base = CONFIG_CONSOLE_SERIAL_UART_ADDRESS;
128 if (!base)
>>> CID 1294793: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return;".
129 return;
130
131 unsigned int div;
132 div = uart_baudrate_divisor(CONFIG_TTYS0_BAUD,
133 uart_platform_refclk(), 16);
134 uart8250_mem_init(base, div);
** CID 1260908: Null pointer dereferences (FORWARD_NULL)
/src/ec/google/chromeec/ec.c: 421 in google_chromeec_set_usb_charge_mode()
________________________________________________________________________________________________________
*** CID 1260908: Null pointer dereferences (FORWARD_NULL)
/src/ec/google/chromeec/ec.c: 421 in google_chromeec_set_usb_charge_mode()
415
416 cmd.cmd_code = EC_CMD_USB_CHARGE_SET_MODE;
417 cmd.cmd_version = 0;
418 cmd.cmd_size_in = sizeof(set_mode);
419 cmd.cmd_data_in = &set_mode;
420 cmd.cmd_size_out = 0;
>>> CID 1260908: Null pointer dereferences (FORWARD_NULL)
>>> Assigning: "cmd.cmd_data_out" = "NULL".
421 cmd.cmd_data_out = NULL;
422 cmd.cmd_dev_index = 0;
423
424 return google_chromeec_command(&cmd);
425 }
426
** CID 1260807: Memory - illegal accesses (OVERRUN)
/src/southbridge/amd/agesa/hudson/imc.c: 78 in enable_imc_thermal_zone()
________________________________________________________________________________________________________
*** CID 1260807: Memory - illegal accesses (OVERRUN)
/src/southbridge/amd/agesa/hudson/imc.c: 78 in enable_imc_thermal_zone()
72 FunNum = Fun_80;
73 for (i=0; i<=1; i++)
74 WriteECmsg(MSG_REG0 + i, AccessWidth8, &regs[i], &StdHeader);
75 WriteECmsg(MSG_SYS_TO_IMC, AccessWidth8, &FunNum, &StdHeader); // function number
76 WaitForEcLDN9MailboxCmdAck(&StdHeader);
77
>>> CID 1260807: Memory - illegal accesses (OVERRUN)
>>> Checking "i <= 9" implies that "i" may be up to 9 on the true branch.
78 for (i=2; i<=9; i++)
79 ReadECmsg(MSG_REG0 + i, AccessWidth8, &regs[i], &StdHeader);
80
81 /* enable thermal zone 0 */
82 regs[2] |= 1;
83 regs[0] = 0;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1016?tab=overview