[coreboot] New Defects reported by Coverity Scan for coreboot

scan-admin at coverity.com scan-admin at coverity.com
Sat May 30 01:32:16 CEST 2015


Hi,

Please find below the latest report on new defect(s) introduced to coreboot, as found by Coverity Scan.

10 new defect(s) introduced to coreboot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 10 of 10 defect(s)


** CID 1302458:  Control flow issues  (DEADCODE)
/src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core()


________________________________________________________________________________________________________
*** CID 1302458:  Control flow issues  (DEADCODE)
/src/cpu/amd/model_10xxx/powernow_acpi.c: 75 in write_pstates_for_core()
69     	/* Write PPC object */
70     	acpigen_write_PPC(pstate_num);
71     
72     	/* Write PSD indicating coordination type */
73     	if ((single_link) && (mctGetLogicalCPUID(0) & AMD_DR_GT_Bx)) {
74     		/* Revision C or greater single-link processor */
>>>     CID 1302458:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "cpuid1 = cpuid(-2147483640);".
75     		cpuid1 = cpuid(0x80000008);
76     		acpigen_write_PSD_package(0, (cpuid1.ecx & 0xff) + 1, SW_ALL);
77     	}
78     	else {
79     		/* Find the local APIC ID for the specified core ID */
80     		struct device* cpu;

** CID 1302457:  Control flow issues  (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test()


________________________________________________________________________________________________________
*** CID 1302457:  Control flow issues  (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 452 in fmap_append_area_test()
446     	if ((*fmap)->nareas != 1) {
447     		printf("FAILURE: failed to increment number of areas\n");
448     		goto fmap_append_area_test_exit;
449     	}
450     
451     	status = pass;
>>>     CID 1302457:  Control flow issues  (MISSING_RESTORE)
>>>     Jumped to here, skipping restore.
452     fmap_append_area_test_exit:
453     	return status;
454     }
455     
456     static int fmap_find_area_test(struct fmap *fmap)
457     {

** CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test()


________________________________________________________________________________________________________
*** CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 568 in fmap_find_test()
562     		printf("FAILURE: bsearch returned false positive\n");
563     		goto fmap_find_test_exit;
564     	}
565     
566     	/* simple test case: fmap at (total_size / 2) + 1 */
567     	offset = (total_size / 2) + 1;
>>>     CID 1302456:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "fmap_size(fmap)" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
568     	memcpy(&buf[offset], fmap, fmap_size(fmap));
569     
570     	if ((unsigned)fmap_find(buf, total_size - 1) != offset) {
571     		printf("FAILURE: lsearch failed to find fmap\n");
572     		goto fmap_find_test_exit;
573     	}

** CID 1302455:  Null pointer dereferences  (NULL_RETURNS)
/util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen()


________________________________________________________________________________________________________
*** CID 1302455:  Null pointer dereferences  (NULL_RETURNS)
/util/cbfstool/partitioned_file.c: 204 in partitioned_file_reopen()
198     		partitioned_file_close(file);
199     		return NULL;
200     	}
201     
202     	const struct fmap_area *fmap_fmap_entry =
203     				fmap_find_area(file->fmap, SECTION_NAME_FMAP);
>>>     CID 1302455:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a null pointer "fmap_fmap_entry".
204     	if ((long)fmap_fmap_entry->offset != fmap_region_offset) {
205     		ERROR("FMAP's '%s' section doesn't point back to FMAP start (did something corrupt this file?)\n",
206     							SECTION_NAME_FMAP);
207     		partitioned_file_close(file);
208     		return NULL;
209     	}

** CID 1302454:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1302454:  Memory - corruptions  (OVERRUN)
/util/cbfstool/flashmap/fmap.c: 342 in fmap_create_test()
336     	uint64_t base = 0;
337     	uint32_t size = 0x100000;
338     	char name[] = "test_fmap";
339     
340     	status = fail;
341     
>>>     CID 1302454:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "name" of 10 bytes by passing it to a function which accesses it at byte offset 31.
342     	fmap = fmap_create(base, size, (uint8_t *)name);
343     	if (!fmap)
344     		return NULL;
345     
346     	if (memcmp(&fmap->signature, FMAP_SIGNATURE, strlen(FMAP_SIGNATURE))) {
347     		printf("FAILURE: signature is incorrect\n");

** CID 1302453:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()


________________________________________________________________________________________________________
*** CID 1302453:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
524     	}
525     	free(my_str);
526     	free(str);
527     
528     	status = pass;
529     fmap_flags_to_string_test_exit:
>>>     CID 1302453:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "my_str" going out of scope leaks the storage it points to.
530     	return status;
531     
532     }
533     
534     static int fmap_find_test(struct fmap *fmap)
535     {

** CID 1302452:    (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()


________________________________________________________________________________________________________
*** CID 1302452:    (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
524     	}
525     	free(my_str);
526     	free(str);
527     
528     	status = pass;
529     fmap_flags_to_string_test_exit:
>>>     CID 1302452:    (RESOURCE_LEAK)
>>>     Variable "str" going out of scope leaks the storage it points to.
530     	return status;
531     
532     }
533     
534     static int fmap_find_test(struct fmap *fmap)
535     {
/util/cbfstool/flashmap/fmap.c: 530 in fmap_flags_to_string_test()
524     	}
525     	free(my_str);
526     	free(str);
527     
528     	status = pass;
529     fmap_flags_to_string_test_exit:
>>>     CID 1302452:    (RESOURCE_LEAK)
>>>     Variable "str" going out of scope leaks the storage it points to.
530     	return status;
531     
532     }
533     
534     static int fmap_find_test(struct fmap *fmap)
535     {

** CID 1302451:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 207 in fmap_print()


________________________________________________________________________________________________________
*** CID 1302451:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 207 in fmap_print()
201     		kv_pair_fmt(pair, "area_flags_raw", "0x%02x",
202     				fmap->areas[i].flags);
203     
204     		/* Print descriptive strings for flags rather than the field */
205     		flags = fmap->areas[i].flags;
206     		if ((str = fmap_flags_to_string(flags)) == NULL)
>>>     CID 1302451:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "pair" going out of scope leaks the storage it points to.
207     			return -1;
208     		kv_pair_fmt(pair, "area_flags", "%s", str);
209     		free(str);
210     
211     		kv_pair_print(pair);
212     		kv_pair_free(pair);

** CID 1302450:  Security best practices violations  (STRING_OVERFLOW)
/src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate()


________________________________________________________________________________________________________
*** CID 1302450:  Security best practices violations  (STRING_OVERFLOW)
/src/drivers/intel/gma/acpi.c: 50 in drivers_intel_gma_displays_ssdt_generate()
44     		char *ptr;
45     		int kind;
46     		kind = (conf->did[i] >> 8) & 0xf;
47     		if (kind >= ARRAY_SIZE(names)) {
48     			kind = 0;
49     		}
>>>     CID 1302450:  Security best practices violations  (STRING_OVERFLOW)
>>>     You might overrun the 10 byte fixed-size string "name" by copying "names[kind]" without checking the length.
50     		strcpy(name, names[kind]);
51     		for (ptr = name; *ptr; ptr++);
52     		*ptr++ = counters[kind] + '0';
53     		*ptr++ = '\0';
54     		counters[kind]++;
55     		acpigen_write_device(name);

** CID 1256584:  Error handling issues  (CHECKED_RETURN)
/src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io()


________________________________________________________________________________________________________
*** CID 1256584:  Error handling issues  (CHECKED_RETURN)
/src/ec/google/chromeec/ec_spi.c: 52 in crosec_spi_io()
46     }
47     
48     static int crosec_spi_io(size_t req_size, size_t resp_size, void *context)
49     {
50     	struct spi_slave *slave = (struct spi_slave *)context;
51     
>>>     CID 1256584:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "spi_claim_bus" without checking return value (as is done elsewhere 4 out of 5 times).
52     	spi_claim_bus(slave);
53     
54     	 /* Allow EC to ramp up clock after being awaken.
55     	  * See chrome-os-partner:32223 for more details. */
56     	udelay(CONFIG_EC_GOOGLE_CHROMEEC_SPI_WAKEUP_DELAY_US);
57     


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/1016?tab=overview

To manage Coverity Scan email notifications for "coreboot at coreboot.org", click https://scan.coverity.com/subscriptions/edit?email=coreboot%40coreboot.org&token=49533df725f93b78361afb7b89ccde93 .



