[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Sat Apr 25 18:08:12 CEST 2015
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
17 new defect(s) introduced to coreboot found with Coverity Scan.
6 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 17 of 17 defect(s)
** CID 1295501: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 464 in gpio_get()
________________________________________________________________________________________________________
*** CID 1295501: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 464 in gpio_get()
458 {
459 struct cygnus_gpio *chip;
460 unsigned gpio_num;
461
462 chip = cygnus_get_gpio_core(gpio, &gpio_num);
463 if (chip == NULL) {
>>> CID 1295501: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "chip".
464 dev_dbg(chip, "unable to find chip for gpio %d", gpio);
465 return -1;
466 }
467
468 return cygnus_gpio_get(chip, gpio_num);
469 }
** CID 1295500: Control flow issues (DEADCODE)
/src/soc/broadcom/cygnus/shmoo_and28.c: 4278 in soc_and28_shmoo_ctl()
________________________________________________________________________________________________________
*** CID 1295500: Control flow issues (DEADCODE)
/src/soc/broadcom/cygnus/shmoo_and28.c: 4278 in soc_and28_shmoo_ctl()
4272
4273 if(!stat)
4274 {
4275 scPtr = &shmoo_container;
4276 if(scPtr == NULL)
4277 {
>>> CID 1295500: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 4;".
4278 return SOC_E_MEMORY;
4279 }
4280 sal_memset(scPtr, 0, sizeof(and28_shmoo_container_t));
4281
4282 if(phy_ndx != SHMOO_AND28_INTERFACE_RSVP)
4283 {
** CID 1295499: Control flow issues (DEADCODE)
/src/soc/intel/common/nvm.c: 113 in nvm_is_write_protected()
________________________________________________________________________________________________________
*** CID 1295499: Control flow issues (DEADCODE)
/src/soc/intel/common/nvm.c: 113 in nvm_is_write_protected()
107 }
108 wp_spi = !!(sr1 & 0x80);
109
110 printk(BIOS_DEBUG, "SPI flash protection: WPSW=%d SRP0=%d\n",
111 wp_gpio, wp_spi);
112
>>> CID 1295499: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "wp_spi" inside this statement: "return wp_gpio && wp_spi;".
113 return wp_gpio && wp_spi;
114 }
115
116 /* Apply protection to a range of flash */
117 int nvm_protect(void *start, size_t size)
118 {
** CID 1295498: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 404 in gpio_free()
________________________________________________________________________________________________________
*** CID 1295498: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 404 in gpio_free()
398 {
399 struct cygnus_gpio *chip;
400 unsigned gpio_num;
401
402 chip = cygnus_get_gpio_core(gpio, &gpio_num);
403 if (chip == NULL) {
>>> CID 1295498: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "chip".
404 dev_dbg(chip, "unable to find chip for gpio %d", gpio);
405 return;
406 }
407
408 cygnus_gpio_free(chip, gpio_num);
409 }
** CID 1295497: Integer handling issues (NO_EFFECT)
/src/soc/broadcom/cygnus/i2c.c: 240 in i2c_init()
________________________________________________________________________________________________________
*** CID 1295497: Integer handling issues (NO_EFFECT)
/src/soc/broadcom/cygnus/i2c.c: 240 in i2c_init()
234 }
235
236 void i2c_init(unsigned int bus, unsigned int hz)
237 {
238 struct cygnus_i2c_regs *regs = i2c_bus[bus];
239
>>> CID 1295497: Integer handling issues (NO_EFFECT)
>>> This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "bus >= 0U".
240 assert(bus >= 0 && bus <= 1);
241
242 setbits_le32(&regs->i2c_con, I2C_SMB_RESET);
243 udelay(100); /* wait 100 usec per spec */
244 clrbits_le32(&regs->i2c_con, I2C_SMB_RESET);
245
** CID 1295496: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 436 in gpio_input_pulldown()
________________________________________________________________________________________________________
*** CID 1295496: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 436 in gpio_input_pulldown()
430 {
431 struct cygnus_gpio *chip;
432 unsigned gpio_num;
433
434 chip = cygnus_get_gpio_core(gpio, &gpio_num);
435 if (chip == NULL) {
>>> CID 1295496: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "chip".
436 dev_dbg(chip, "unable to find chip for gpio %d", gpio);
437 return;
438 }
439
440 cygnus_gpio_set_pull(chip, gpio_num, 0, 0);
441 }
** CID 1295495: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 478 in gpio_set()
________________________________________________________________________________________________________
*** CID 1295495: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 478 in gpio_set()
472 {
473 struct cygnus_gpio *chip;
474 unsigned gpio_num;
475
476 chip = cygnus_get_gpio_core(gpio, &gpio_num);
477 if (chip == NULL) {
>>> CID 1295495: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "chip".
478 dev_dbg(chip, "unable to find chip for gpio %d", gpio);
479 return;
480 }
481
482 cygnus_gpio_set(chip, gpio_num, value);
483 }
** CID 1295494: Error handling issues (NEGATIVE_RETURNS)
/util/cbfstool/common.c: 83 in buffer_from_file()
________________________________________________________________________________________________________
*** CID 1295494: Error handling issues (NEGATIVE_RETURNS)
/util/cbfstool/common.c: 83 in buffer_from_file()
77 if (buffer->size == -1u) {
78 fprintf(stderr, "could not determine size of %s\n", filename);
79 fclose(fp);
80 return -1;
81 }
82 buffer->name = strdup(filename);
>>> CID 1295494: Error handling issues (NEGATIVE_RETURNS)
>>> "buffer->size" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
83 buffer->data = (char *)malloc(buffer->size);
84 assert(buffer->data);
85 if (fread(buffer->data, 1, buffer->size, fp) != buffer->size) {
86 fprintf(stderr, "incomplete read: %s\n", filename);
87 fclose(fp);
88 return -1;
** CID 1295493: Control flow issues (UNREACHABLE)
/src/soc/broadcom/cygnus/ddr_init.c: 1194 in simple_ddr_crc32_check()
________________________________________________________________________________________________________
*** CID 1295493: Control flow issues (UNREACHABLE)
/src/soc/broadcom/cygnus/ddr_init.c: 1194 in simple_ddr_crc32_check()
1188 #endif
1189
1190 #if defined(CONFIG_SOC_BROADCOM_CYGNUS)
1191 static int simple_ddr_crc32_check(void)
1192 {
1193 return 0;
>>> CID 1295493: Control flow issues (UNREACHABLE)
>>> This code cannot be reached: "register uint32_t crc_mcu =...".
1194 register uint32_t crc_mcu = 0;
1195 register uint32_t crc = 0, offset = 0;
1196 register volatile uint32_t *buf = (uint32_t *)0x60000000;
1197 register uint32_t len = 0x00100000;//in word
1198
1199 printk(BIOS_INFO, "Checking simple DDR CRC, word start 0x%p, len 0x%08x...\n", buf, len);
** CID 1295492: Control flow issues (STRAY_SEMICOLON)
/src/soc/broadcom/cygnus/ddr_init.c: 431 in ddr_phy_ctl_regs_ovrd()
________________________________________________________________________________________________________
*** CID 1295492: Control flow issues (STRAY_SEMICOLON)
/src/soc/broadcom/cygnus/ddr_init.c: 431 in ddr_phy_ctl_regs_ovrd()
425 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
426 addr[offset/4] = *tblptr;
427 #else
428 addr[offset/4] = swap_u32(*tblptr);
429 #endif
430 val = reg32_read((volatile uint32_t *)DDR_PHY_CONTROL_REGS_REVISION);
>>> CID 1295492: Control flow issues (STRAY_SEMICOLON)
>>> An "if" statement with no "then" or "else" is suspicious.
431 if (val) ;
432 ++tblptr;
433 offset = *tblptr;
434 }
435 }
436
** CID 1295491: Parse warnings (PARSE_ERROR)
/util/broadcom/secimage/crypto.c: 19 in ()
________________________________________________________________________________________________________
*** CID 1295491: Parse warnings (PARSE_ERROR)
/util/broadcom/secimage/crypto.c: 19 in ()
13
14
15 #include <stdio.h>
16 #include <string.h>
17 #include <stdint.h>
18 #include "secimage.h"
>>> CID 1295491: Parse warnings (PARSE_ERROR)
>>> cannot open source file "openssl/hmac.h"
19 #include <openssl/hmac.h>
20
21
22 /*----------------------------------------------------------------------
23 * Name : HmacSha256Hash
24 * Purpose :
** CID 1295490: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 450 in gpio_input_pullup()
________________________________________________________________________________________________________
*** CID 1295490: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 450 in gpio_input_pullup()
444 {
445 struct cygnus_gpio *chip;
446 unsigned gpio_num;
447
448 chip = cygnus_get_gpio_core(gpio, &gpio_num);
449 if (chip == NULL) {
>>> CID 1295490: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "chip".
450 dev_dbg(chip, "unable to find chip for gpio %d", gpio);
451 return;
452 }
453
454 cygnus_gpio_set_pull(chip, gpio_num, 0, 1);
455 }
** CID 1295489: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1295489: (OVERRUN)
/src/mainboard/google/veyron_jerry/mainboard.c: 77 in configure_codec()
71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */
72 }
73
74 static void configure_codec(void)
75 {
76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
>>> CID 1295489: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */
78
79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S);
80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK);
81
82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
/src/mainboard/google/veyron_danger/mainboard.c: 77 in configure_codec()
71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */
72 }
73
74 static void configure_codec(void)
75 {
76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
>>> CID 1295489: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */
78
79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S);
80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK);
81
82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
/src/mainboard/google/veyron_pinky/mainboard.c: 108 in configure_codec()
102 }
103 }
104
105 static void configure_codec(void)
106 {
107 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
>>> CID 1295489: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
108 i2c_init(2, 400*KHz); /* CODEC I2C */
109
110 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S);
111 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK);
112
113 switch (board_id()) {
/src/mainboard/google/veyron_speedy/mainboard.c: 77 in configure_codec()
71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */
72 }
73
74 static void configure_codec(void)
75 {
76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
>>> CID 1295489: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */
78
79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S);
80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK);
81
82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
/src/mainboard/google/veyron_mighty/mainboard.c: 77 in configure_codec()
71 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */
72 }
73
74 static void configure_codec(void)
75 {
76 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
>>> CID 1295489: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
77 i2c_init(2, 400*KHz); /* CODEC I2C */
78
79 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S);
80 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK);
81
82 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
/src/mainboard/google/veyron_brain/mainboard.c: 63 in configure_codec()
57 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */
58 }
59
60 static void configure_codec(void)
61 {
62 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
>>> CID 1295489: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
63 i2c_init(2, 400*KHz); /* CODEC I2C */
64
65 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S);
66 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK);
67
68 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
/src/mainboard/google/veyron_rialto/mainboard.c: 63 in configure_codec()
57 gpio_output(GPIO(2, B, 1), 1); /* EMMC_RST_L */
58 }
59
60 static void configure_codec(void)
61 {
62 write32(&rk3288_grf->iomux_i2c2, IOMUX_I2C2); /* CODEC I2C */
>>> CID 1295489: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "2U" in call to "i2c_init".
63 i2c_init(2, 400*KHz); /* CODEC I2C */
64
65 write32(&rk3288_grf->iomux_i2s, IOMUX_I2S);
66 write32(&rk3288_grf->iomux_i2sclk, IOMUX_I2SCLK);
67
68 rk808_configure_ldo(6, 1800); /* VCC18_CODEC */
** CID 1295488: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 492 in gpio_output()
________________________________________________________________________________________________________
*** CID 1295488: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 492 in gpio_output()
486 {
487 struct cygnus_gpio *chip;
488 unsigned gpio_num;
489
490 chip = cygnus_get_gpio_core(gpio, &gpio_num);
491 if (chip == NULL) {
>>> CID 1295488: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "chip".
492 dev_dbg(chip, "unable to find chip for gpio %d", gpio);
493 return;
494 }
495
496 if (cygnus_gpio_request(chip, gpio_num) != 0) {
497 printk(BIOS_ERR, "Cannot mux GPIO %d\n", gpio);
498 return;
499 }
500 cygnus_gpio_direction_output(chip, gpio_num, value);
** CID 1295487: Memory - illegal accesses (OVERRUN)
/coreboot-builds/amd_lamar/agesa/amdlib.c: 1411 in IdsErrorStop()
________________________________________________________________________________________________________
*** CID 1295487: Memory - illegal accesses (OVERRUN)
/coreboot-builds/amd_lamar/agesa/amdlib.c: 1411 in IdsErrorStop()
1405 } post = {0xDEAD, FileCode, 0xDEAD, FileCode};
1406 UINT16 offset = 0;
1407 UINT16 j;
1408
1409 while(1) {
1410 offset %= sizeof(struct POST) / 2;
>>> CID 1295487: Memory - illegal accesses (OVERRUN)
>>> Overrunning array of 3 4-byte elements at element index 15 (byte offset 60) by dereferencing pointer "(UINT32 *)(&post + offset)".
1411 WriteIo32(80, *((UINT32*)(&post+offset)));
1412 ++offset;
1413 for (j=0; j<250; ++j) {
1414 ReadIo8(80);
1415 }
1416 }
** CID 1295486: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 418 in gpio_input()
________________________________________________________________________________________________________
*** CID 1295486: Null pointer dereferences (FORWARD_NULL)
/src/soc/broadcom/cygnus/gpio.c: 418 in gpio_input()
412 {
413 struct cygnus_gpio *chip;
414 unsigned gpio_num;
415
416 chip = cygnus_get_gpio_core(gpio, &gpio_num);
417 if (chip == NULL) {
>>> CID 1295486: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "chip".
418 dev_dbg(chip, "unable to find chip for gpio %d", gpio);
419 return;
420 }
421
422 if (cygnus_gpio_request(chip, gpio_num) != 0) {
423 printk(BIOS_ERR, "Cannot mux GPIO %d\n", gpio);
** CID 1295485: Null pointer dereferences (NULL_RETURNS)
/src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbCommonLib/GnbTimerLib.c: 147 in GnbFmTimeStamp()
________________________________________________________________________________________________________
*** CID 1295485: Null pointer dereferences (NULL_RETURNS)
/src/vendorcode/amd/agesa/f16kb/Proc/GNB/Modules/GnbCommonLib/GnbTimerLib.c: 147 in GnbFmTimeStamp()
141 )
142 {
143 AGESA_STATUS Status;
144 GNB_FAM_TS_SERVICES *GnbFamTsFunc;
145 GNB_HANDLE *GnbHandle;
146
>>> CID 1295485: Null pointer dereferences (NULL_RETURNS)
>>> Assigning: "GnbHandle" = null return value from "GnbGetHandle".
147 GnbHandle = GnbGetHandle (StdHeader);
148
149 Status = GnbLibLocateService (GnbFamTsService, GnbGetSocketId (GnbHandle), (VOID **)&GnbFamTsFunc, StdHeader);
150 ASSERT (Status == AGESA_SUCCESS);
151 if (Status == AGESA_SUCCESS) {
152 return GnbFamTsFunc->GnbFmTimeStamp (StdHeader);
153 }
154 return 0;
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1016?tab=overview