[coreboot] New Defects reported by Coverity Scan for coreboot

scan-admin at coverity.com scan-admin at coverity.com
Fri Aug 12 13:25:31 CEST 2016


Hi,

Please find below the latest Coverity Scan report on new defect(s) introduced to coreboot.

Coverity Scan found 246 new defect(s) introduced to coreboot.
39 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 246 defect(s)


** CID 1357458:  Insecure data handling  (TAINTED_SCALAR)
/payloads/libpayload/libcbfs/cbfs_core.c: 255 in cbfs_get_contents()


________________________________________________________________________________________________________
*** CID 1357458:  Insecure data handling  (TAINTED_SCALAR)
/payloads/libpayload/libcbfs/cbfs_core.c: 255 in cbfs_get_contents()
249     
250     	void *data = m->map(m, handle->media_offset + handle->content_offset,
251     			    on_media_size);
252     	if (data == CBFS_MEDIA_INVALID_MAP_ADDRESS)
253     		return NULL;
254     
>>>     CID 1357458:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "*size" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
255     	ret = malloc(*size);
256     	if (ret != NULL && !cbfs_decompress(algo, data, ret, *size)) {
257     		free(ret);
258     		ret = NULL;
259     	}
260     

** CID 1357457:  Resource leaks  (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 737 in acpi_dp_add_integer_array()


________________________________________________________________________________________________________
*** CID 1357457:  Resource leaks  (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 737 in acpi_dp_add_integer_array()
731     		return NULL;
732     
733     	for (i = 0; i < len; i++)
734     		if (!acpi_dp_add_integer(dp_array, NULL, array[i]))
735     			break;
736     
>>>     CID 1357457:  Resource leaks  (RESOURCE_LEAK)
>>>     Ignoring storage allocated by "acpi_dp_add_array(dp, dp_array)" leaks it.
737     	acpi_dp_add_array(dp, dp_array);
738     
739     	return dp_array;
740     }
741     
742     struct acpi_dp *acpi_dp_add_gpio(struct acpi_dp *dp, const char *name,

** CID 1357456:  Resource leaks  (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 763 in acpi_dp_add_gpio()


________________________________________________________________________________________________________
*** CID 1357456:  Resource leaks  (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 763 in acpi_dp_add_gpio()
757     	/* Pin in the GPIO resource, typically zero */
758     	acpi_dp_add_integer(gpio, NULL, pin);
759     
760     	/* Set if pin is active low */
761     	acpi_dp_add_integer(gpio, NULL, active_low);
762     
>>>     CID 1357456:  Resource leaks  (RESOURCE_LEAK)
>>>     Ignoring storage allocated by "acpi_dp_add_array(dp, gpio)" leaks it.
763     	acpi_dp_add_array(dp, gpio);
764     
765     	return gpio;

** CID 1357455:    (RESOURCE_LEAK)
/payloads/libpayload/libcbfs/cbfs_core.c: 218 in cbfs_get_handle()
/payloads/libpayload/libcbfs/cbfs_core.c: 151 in cbfs_get_handle()
/payloads/libpayload/libcbfs/cbfs_core.c: 158 in cbfs_get_handle()


________________________________________________________________________________________________________
*** CID 1357455:    (RESOURCE_LEAK)
/payloads/libpayload/libcbfs/cbfs_core.c: 218 in cbfs_get_handle()
212     		offset += ntohl(file.len) + ntohl(file.offset);
213     		if (offset % CBFS_ALIGNMENT)
214     			offset += CBFS_ALIGNMENT - (offset % CBFS_ALIGNMENT);
215     	}
216     	media->close(media);
217     	LOG("WARNING: '%s' not found.\n", name);
>>>     CID 1357455:    (RESOURCE_LEAK)
>>>     Variable "handle" going out of scope leaks the storage it points to.
218     	return NULL;
219     }
220     
221     void *cbfs_get_contents(struct cbfs_handle *handle, size_t *size, size_t limit)
222     {
223     	struct cbfs_media *m = &handle->media;
/payloads/libpayload/libcbfs/cbfs_core.c: 151 in cbfs_get_handle()
145     
146     	if (!handle)
147     		return NULL;
148     
149     	if (get_cbfs_range(&offset, &cbfs_end, media)) {
150     		ERROR("Failed to find cbfs range\n");
>>>     CID 1357455:    (RESOURCE_LEAK)
>>>     Variable "handle" going out of scope leaks the storage it points to.
151     		return NULL;
152     	}
153     
154     	if (media == CBFS_DEFAULT_MEDIA) {
155     		media = &handle->media;
156     		if (init_default_cbfs_media(media) != 0) {
/payloads/libpayload/libcbfs/cbfs_core.c: 158 in cbfs_get_handle()
152     	}
153     
154     	if (media == CBFS_DEFAULT_MEDIA) {
155     		media = &handle->media;
156     		if (init_default_cbfs_media(media) != 0) {
157     			ERROR("Failed to initialize default media.\n");
>>>     CID 1357455:    (RESOURCE_LEAK)
>>>     Returning without freeing "media" leaks the storage that it points to.
158     			return NULL;
159     		}
160     	} else {
161     		memcpy(&handle->media, media, sizeof(*media));
162     	}
163     

** CID 1357454:  Memory - illegal accesses  (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN()


________________________________________________________________________________________________________
*** CID 1357454:  Memory - illegal accesses  (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN()
249       NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingLN;
250       NBPtr->AfterDqsTraining = MemNAfterDQSTrainingLN;
251       NBPtr->OtherTiming = MemNOtherTimingLN;
252       NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb;
253       NBPtr->TechBlockSwitch = MemNTechBlockSwitchLN;
254       NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
>>>     CID 1357454:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
255       NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *))(memNTrainFlowControl[DDR3_TRAIN_FLOW]);
256       NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb;
257       NBPtr->ChangeNbFrequencyWrap = MemNChangeNbFrequencyWrapLN;
258       NBPtr->AllocateC6Storage = MemNAllocateC6StorageClientNb;
259     
260       MemNInitNBDataNb (NBPtr);

** CID 1357453:  Memory - illegal accesses  (OVERRUN)
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON()


________________________________________________________________________________________________________
*** CID 1357453:  Memory - illegal accesses  (OVERRUN)
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON()
248       NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingON;
249       NBPtr->AfterDqsTraining = MemNAfterDQSTrainingON;
250       NBPtr->OtherTiming = MemNOtherTimingON;
251       NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb;
252       NBPtr->TechBlockSwitch = MemNTechBlockSwitchON;
253       NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
>>>     CID 1357453:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
254       NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *)) memNTrainFlowControl[DDR3_TRAIN_FLOW];
255       NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb;
256       NBPtr->PollBitField = MemNPollBitFieldNb;
257       NBPtr->BrdcstCheck = MemNBrdcstCheckON;
258       NBPtr->BrdcstSet = MemNSetBitFieldNb;
259       NBPtr->GetTrainDly = MemNGetTrainDlyNb;

** CID 1357452:    (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb()


________________________________________________________________________________________________________
*** CID 1357452:    (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb()
491      */
492     BOOLEAN
493     MemNTrainingFlowUnb (
494       IN OUT   MEM_NB_BLOCK *NBPtr
495       )
496     {
>>>     CID 1357452:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
497       memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
498       return TRUE;
499     }
500     /*----------------------------------------------------------------------------
501      *                              LOCAL FUNCTIONS
502      *
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb()
496      */
497     BOOLEAN
498     MemNTrainingFlowUnb (
499       IN OUT   MEM_NB_BLOCK *NBPtr
500       )
501     {
>>>     CID 1357452:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
502       memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
503       return TRUE;
504     }
505     /*----------------------------------------------------------------------------
506      *                              LOCAL FUNCTIONS
507      *
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb()
493      */
494     BOOLEAN
495     MemNTrainingFlowUnb (
496       IN OUT   MEM_NB_BLOCK *NBPtr
497       )
498     {
>>>     CID 1357452:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
499       memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
500       return TRUE;
501     }
502     /*----------------------------------------------------------------------------
503      *                              LOCAL FUNCTIONS
504      *
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb()
573      */
574     BOOLEAN
575     MemNTrainingFlowUnb (
576       IN OUT   MEM_NB_BLOCK *NBPtr
577       )
578     {
>>>     CID 1357452:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
579       memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
580       return TRUE;
581     }
582     
583     /* -----------------------------------------------------------------------------*/
584     /**
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb()
489      */
490     VOID
491     MemNTrainingFlowUnb (
492       IN OUT   MEM_NB_BLOCK *NBPtr
493       )
494     {
>>>     CID 1357452:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
495       memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
496       return;
497     }
498     /*----------------------------------------------------------------------------
499      *                              LOCAL FUNCTIONS
500      *
501      *----------------------------------------------------------------------------

** CID 1357451:    (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb()


________________________________________________________________________________________________________
*** CID 1357451:    (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb()
298     BOOLEAN
299     MemNTrainingFlowNb (
300       IN OUT   MEM_NB_BLOCK *NBPtr
301       )
302     {
303       if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>>     CID 1357451:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
304         memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
305       } else {
306         memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
307       }
308       return TRUE;
309     }
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb()
303     BOOLEAN
304     MemNTrainingFlowNb (
305       IN OUT   MEM_NB_BLOCK *NBPtr
306       )
307     {
308       if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>>     CID 1357451:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
309         memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
310       } else {
311         memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
312       }
313       return TRUE;
314     }
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb()
300     BOOLEAN
301     MemNTrainingFlowNb (
302       IN OUT   MEM_NB_BLOCK *NBPtr
303       )
304     {
305       if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>>     CID 1357451:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
306         memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
307       } else {
308         memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
309       }
310       return TRUE;
311     }
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb()
296     BOOLEAN
297     MemNTrainingFlowNb (
298       IN OUT   MEM_NB_BLOCK *NBPtr
299       )
300     {
301       if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>>     CID 1357451:    (OVERRUN)
>>>     Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
302         memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
303       } else {
304         memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
305       }
306       return TRUE;
307     }

** CID 1357446:  Control flow issues  (DEADCODE)
/src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed()


________________________________________________________________________________________________________
*** CID 1357446:  Control flow issues  (DEADCODE)
/src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed()
368     	} else { // DDR3
369     		// Limit frequency for MCH
370     		maxfreq = (s->max_ddr2_mhz == 800) ? MEM_CLOCK_800MHz : MEM_CLOCK_667MHz;
371     		maxfreq >>= 3;
372     		freq = MEM_CLOCK_1333MHz;
373     		if (maxfreq) {
>>>     CID 1357446:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "freq = maxfreq + 2;".
374     			freq = maxfreq + 2;
375     		}
376     		if (freq > MEM_CLOCK_1333MHz) {
377     			freq = MEM_CLOCK_1333MHz;
378     		}
379     

** CID 1357443:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 378 in gpio_route_gpe()


________________________________________________________________________________________________________
*** CID 1357443:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 378 in gpio_route_gpe()
372     	if(gpe0b == -1)
373     		return;
374     	gpe0c = pmc_gpe_route_to_gpio(gpe0c);
375     	if(gpe0c == -1)
376     		return;
377     	gpe0d = pmc_gpe_route_to_gpio(gpe0d);
>>>     CID 1357443:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "gpe0d == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
378     	if(gpe0d == -1)
379     		return;
380     
381     	misccfg_value = gpe0b << MISCCFG_GPE0_DW0_SHIFT;
382     	misccfg_value |= gpe0c << MISCCFG_GPE0_DW1_SHIFT;
383     	misccfg_value |= gpe0d << MISCCFG_GPE0_DW2_SHIFT;

** CID 1357442:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 375 in gpio_route_gpe()


________________________________________________________________________________________________________
*** CID 1357442:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 375 in gpio_route_gpe()
369     	 * default.
370     	 */
371     	gpe0b = pmc_gpe_route_to_gpio(gpe0b);
372     	if(gpe0b == -1)
373     		return;
374     	gpe0c = pmc_gpe_route_to_gpio(gpe0c);
>>>     CID 1357442:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "gpe0c == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
375     	if(gpe0c == -1)
376     		return;
377     	gpe0d = pmc_gpe_route_to_gpio(gpe0d);
378     	if(gpe0d == -1)
379     		return;
380     

** CID 1357441:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 372 in gpio_route_gpe()


________________________________________________________________________________________________________
*** CID 1357441:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 372 in gpio_route_gpe()
366     	 * If any of these returns -1 then there is some error in devicetree
367     	 * where the group is probably hardcoded and does not comply with the
368     	 * PMC group defines. So we return from here and MISCFG is set to
369     	 * default.
370     	 */
371     	gpe0b = pmc_gpe_route_to_gpio(gpe0b);
>>>     CID 1357441:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "gpe0b == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
372     	if(gpe0b == -1)
373     		return;
374     	gpe0c = pmc_gpe_route_to_gpio(gpe0c);
375     	if(gpe0c == -1)
376     		return;
377     	gpe0d = pmc_gpe_route_to_gpio(gpe0d);

** CID 1357439:  Incorrect expression  (ASSERT_SIDE_EFFECT)
/src/soc/intel/quark/i2c.c: 104 in platform_i2c_transfer()


________________________________________________________________________________________________________
*** CID 1357439:  Incorrect expression  (ASSERT_SIDE_EFFECT)
/src/soc/intel/quark/i2c.c: 104 in platform_i2c_transfer()
98     	buffer = NULL;
99     	while (count-- > 0) {
100     		buffer = segments->buf;
101     		length = segments->len;
102     		ASSERT (buffer != NULL);
103     		ASSERT (length >= 1);
>>>     CID 1357439:  Incorrect expression  (ASSERT_SIDE_EFFECT)
>>>     Assignment "segments->chip = chip" has a side effect.  This code will work differently in a non-debug build.
104     		ASSERT (segments->chip = chip);
105     
106     		if (segments->read) {
107     			/* Place read commands into the FIFO */
108     			read_length = length;
109     			while (length > 0) {

** CID 1355168:    (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 596 in rkclk_configure_spi()
/src/soc/rockchip/rk3399/clock.c: 611 in rkclk_configure_spi()
/src/soc/rockchip/rk3399/clock.c: 615 in rkclk_configure_spi()


________________________________________________________________________________________________________
*** CID 1355168:    (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 596 in rkclk_configure_spi()
590     	case 0:
591     		write32(&cru_ptr->clksel_con[59],
592     			SPI_CLK_REG_VALUE(0, src_clk_div));
593     		break;
594     	case 1:
595     		write32(&cru_ptr->clksel_con[59],
>>>     CID 1355168:    (CONSTANT_EXPRESSION_RESULT)
>>>     "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI1_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI1_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI1_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI1_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
596     			SPI_CLK_REG_VALUE(1, src_clk_div));
597     		break;
598     	case 2:
599     		write32(&cru_ptr->clksel_con[60],
600     			SPI_CLK_REG_VALUE(2, src_clk_div));
601     		break;
/src/soc/rockchip/rk3399/clock.c: 611 in rkclk_configure_spi()
605     				      SPI3_DIV_CON_MASK << SPI3_DIV_CON_SHIFT,
606     				      SPI3_PLL_SEL_PPLL << SPI3_PLL_SEL_SHIFT |
607     				      (src_clk_div - 1) << SPI3_DIV_CON_SHIFT));
608     		break;
609     	case 4:
610     		write32(&cru_ptr->clksel_con[60],
>>>     CID 1355168:    (CONSTANT_EXPRESSION_RESULT)
>>>     "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI4_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI4_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI4_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI4_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
611     			SPI_CLK_REG_VALUE(4, src_clk_div));
612     		break;
613     	case 5:
614     		write32(&cru_ptr->clksel_con[58],
615     			SPI_CLK_REG_VALUE(5, src_clk_div));
616     		break;
/src/soc/rockchip/rk3399/clock.c: 615 in rkclk_configure_spi()
609     	case 4:
610     		write32(&cru_ptr->clksel_con[60],
611     			SPI_CLK_REG_VALUE(4, src_clk_div));
612     		break;
613     	case 5:
614     		write32(&cru_ptr->clksel_con[58],
>>>     CID 1355168:    (CONSTANT_EXPRESSION_RESULT)
>>>     "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI5_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI5_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI5_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI5_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
615     			SPI_CLK_REG_VALUE(5, src_clk_div));
616     		break;
617     	default:
618     		printk(BIOS_ERR, "do not support this spi bus\n");
619     	}
620     }

** CID 1355167:    (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 668 in rkclk_configure_i2c()
/src/soc/rockchip/rk3399/clock.c: 672 in rkclk_configure_i2c()
/src/soc/rockchip/rk3399/clock.c: 676 in rkclk_configure_i2c()


________________________________________________________________________________________________________
*** CID 1355167:    (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 668 in rkclk_configure_i2c()
662     	case 4:
663     		write32(&pmucru_ptr->pmucru_clksel[3],
664     			PMU_I2C_CLK_REG_VALUE(4, src_clk_div));
665     		break;
666     	case 5:
667     		write32(&cru_ptr->clksel_con[61],
>>>     CID 1355167:    (CONSTANT_EXPRESSION_RESULT)
>>>     "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C5_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C5_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C5_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C5_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
668     			I2C_CLK_REG_VALUE(5, src_clk_div));
669     		break;
670     	case 6:
671     		write32(&cru_ptr->clksel_con[62],
672     			I2C_CLK_REG_VALUE(6, src_clk_div));
673     		break;
/src/soc/rockchip/rk3399/clock.c: 672 in rkclk_configure_i2c()
666     	case 5:
667     		write32(&cru_ptr->clksel_con[61],
668     			I2C_CLK_REG_VALUE(5, src_clk_div));
669     		break;
670     	case 6:
671     		write32(&cru_ptr->clksel_con[62],
>>>     CID 1355167:    (CONSTANT_EXPRESSION_RESULT)
>>>     "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C6_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C6_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C6_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C6_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
672     			I2C_CLK_REG_VALUE(6, src_clk_div));
673     		break;
674     	case 7:
675     		write32(&cru_ptr->clksel_con[63],
676     			I2C_CLK_REG_VALUE(7, src_clk_div));
677     		break;
/src/soc/rockchip/rk3399/clock.c: 676 in rkclk_configure_i2c()
670     	case 6:
671     		write32(&cru_ptr->clksel_con[62],
672     			I2C_CLK_REG_VALUE(6, src_clk_div));
673     		break;
674     	case 7:
675     		write32(&cru_ptr->clksel_con[63],
>>>     CID 1355167:    (CONSTANT_EXPRESSION_RESULT)
>>>     "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C7_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C7_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C7_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C7_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
676     			I2C_CLK_REG_VALUE(7, src_clk_div));
677     		break;
678     	case 8:
679     		write32(&pmucru_ptr->pmucru_clksel[2],
680     			PMU_I2C_CLK_REG_VALUE(8, src_clk_div));
681     		break;

** CID 1355166:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 749 in rkclk_configure_saradc()


________________________________________________________________________________________________________
*** CID 1355166:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 749 in rkclk_configure_saradc()
743     
744     	/* saradc src clk from 24MHz */
745     	src_clk_div = 24 * MHz / hz;
746     	assert((src_clk_div - 1 < 255) && (src_clk_div * hz == 24 * MHz));
747     
748     	write32(&cru_ptr->clksel_con[26],
>>>     CID 1355166:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "((65280 /* CLK_SARADC_DIV_CON_MASK << CLK_SARADC_DIV_CON_SHIFT */) | (src_clk_div - 1 << CLK_SARADC_DIV_CON_SHIFT)) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
749     		RK_CLRSETBITS(CLK_SARADC_DIV_CON_MASK <<
750     						CLK_SARADC_DIV_CON_SHIFT,
751     			      (src_clk_div - 1) << CLK_SARADC_DIV_CON_SHIFT));
752     }
753     
754     void rkclk_configure_vop_aclk(u32 vop_id, u32 aclk_hz)

** CID 1354970:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/src/lib/selfboot.c: 249 in build_self_segment_list()


________________________________________________________________________________________________________
*** CID 1354970:  Memory - corruptions  (ARRAY_VS_SINGLETON)
/src/lib/selfboot.c: 249 in build_self_segment_list()
243     
244     	memset(head, 0, sizeof(*head));
245     	head->next = head->prev = head;
246     
247     	first_segment = &cbfs_payload->segments;
248     
>>>     CID 1354970:  Memory - corruptions  (ARRAY_VS_SINGLETON)
>>>     Using "current_segment" as an array.  This might corrupt or misinterpret adjacent memory locations.
249     	for (current_segment = first_segment;; ++current_segment) {
250     		printk(BIOS_DEBUG,
251     			"Loading segment from ROM address 0x%p\n",
252     			current_segment);
253     
254     		cbfs_decode_payload_segment(&segment, current_segment);

** CID 1354849:  Insecure data handling  (INTEGER_OVERFLOW)
/src/arch/x86/tables.c: 85 in write_mptable()


________________________________________________________________________________________________________
*** CID 1354849:  Insecure data handling  (INTEGER_OVERFLOW)
/src/arch/x86/tables.c: 85 in write_mptable()
79     		}
80     
81     		printk(BIOS_DEBUG, "MP table: %ld bytes.\n",
82     				new_high_table_pointer - high_table_pointer);
83     	}
84     
>>>     CID 1354849:  Insecure data handling  (INTEGER_OVERFLOW)
>>>     Overflowed or truncated value (or a value computed from an overflowed or truncated value) "rom_table_end" used as return value.
85     	return rom_table_end;
86     }
87     
88     static unsigned long write_acpi_table(unsigned long rom_table_end)
89     {
90     	unsigned long high_table_pointer;

** CID 1354778:    (UNINIT)
/src/cpu/ti/am335x/uart.c: 190 in uart_fill_lb()
/src/soc/imgtec/pistachio/uart.c: 150 in uart_fill_lb()
/src/soc/samsung/exynos5250/uart.c: 191 in uart_fill_lb()
/src/soc/broadcom/cygnus/ns16550.c: 118 in uart_fill_lb()
/src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb()
/src/soc/nvidia/tegra124/uart.c: 135 in uart_fill_lb()
/src/soc/samsung/exynos5420/uart.c: 182 in uart_fill_lb()
/src/soc/mediatek/mt8173/uart.c: 176 in uart_fill_lb()
/src/soc/nvidia/tegra210/uart.c: 122 in uart_fill_lb()
/src/soc/qualcomm/ipq40xx/uart.c: 296 in uart_fill_lb()
/src/mainboard/emulation/qemu-riscv/uart.c: 48 in uart_fill_lb()
/src/cpu/allwinner/a10/uart_console.c: 44 in uart_fill_lb()


________________________________________________________________________________________________________
*** CID 1354778:    (UNINIT)
/src/cpu/ti/am335x/uart.c: 190 in uart_fill_lb()
184     {
185     }
186     
187     #ifndef __PRE_RAM__
188     void uart_fill_lb(void *data)
189     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
190     	struct lb_serial serial;
191     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
192     	serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
193     	serial.baud = default_baudrate();
194     	serial.regwidth = 2;
195     	lb_add_serial(&serial, data);
196     
197     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
198     }
/src/soc/imgtec/pistachio/uart.c: 150 in uart_fill_lb()
144     	uart8250_mem_tx_flush(CONFIG_CONSOLE_SERIAL_UART_ADDRESS);
145     }
146     
147     #ifndef __PRE_RAM__
148     void uart_fill_lb(void *data)
149     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
150     	struct lb_serial serial;
151     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
152     	serial.baseaddr = CONFIG_CONSOLE_SERIAL_UART_ADDRESS;
153     	serial.baud = default_baudrate();
154     	serial.regwidth = 1 << UART_SHIFT;
155     	lb_add_serial(&serial, data);
156     
157     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
158     }
/src/soc/samsung/exynos5250/uart.c: 191 in uart_fill_lb()
185     	exynos5_uart_tx_flush(uart);
186     }
187     
188     #ifndef __PRE_RAM__
189     void uart_fill_lb(void *data)
190     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
191     	struct lb_serial serial;
192     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
193     	serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
194     	serial.baud = default_baudrate();
195     	serial.regwidth = 4;
196     	lb_add_serial(&serial, data);
197     
198     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
199     }
/src/soc/broadcom/cygnus/ns16550.c: 118 in uart_fill_lb()
112     	return ns16550_rx_byte();
113     }
114     
115     #ifndef __PRE_RAM__
116     void uart_fill_lb(void *data)
117     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
118     	struct lb_serial serial;
119     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
120     	serial.baseaddr = (uintptr_t)regs;
121     	serial.baud = default_baudrate();
122     	serial.regwidth = 4;
123     	lb_add_serial(&serial, data);
124     
125     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
126     }
/src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb()
98     	uart8250_tx_flush(uart_platform_base(idx));
99     }
100     
101     #if ENV_RAMSTAGE
102     void uart_fill_lb(void *data)
103     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
104     	struct lb_serial serial;
105     	serial.type = LB_SERIAL_TYPE_IO_MAPPED;
106     	serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
107     	serial.baud = default_baudrate();
108     	lb_add_serial(&serial, data);
109     
110     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250, data);
111     }
/src/soc/nvidia/tegra124/uart.c: 135 in uart_fill_lb()
129     	tegra124_uart_tx_flush(uart_ptr);
130     }
131     
132     #ifndef __PRE_RAM__
133     void uart_fill_lb(void *data)
134     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
135     	struct lb_serial serial;
136     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
137     	serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
138     	serial.baud = default_baudrate();
139     	serial.regwidth = 4;
140     	lb_add_serial(&serial, data);
141     
142     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
143     }
/src/soc/samsung/exynos5420/uart.c: 182 in uart_fill_lb()
176     	/* Exynos5250 implements this too. */
177     }
178     
179     #ifndef __PRE_RAM__
180     void uart_fill_lb(void *data)
181     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
182     	struct lb_serial serial;
183     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
184     	serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
185     	serial.baud = default_baudrate();
186     	serial.regwidth = 4;
187     	lb_add_serial(&serial, data);
188     
189     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
190     }
/src/soc/mediatek/mt8173/uart.c: 176 in uart_fill_lb()
170     	mtk_uart_tx_flush();
171     }
172     
173     #ifndef __PRE_RAM__
174     void uart_fill_lb(void *data)
175     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
176     	struct lb_serial serial;
177     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
178     	serial.baseaddr = UART0_BASE;
179     	serial.baud = default_baudrate();
180     	serial.regwidth = 4;
181     	lb_add_serial(&serial, data);
182     
183     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
184     }
/src/soc/nvidia/tegra210/uart.c: 122 in uart_fill_lb()
116     	return tegra210_uart_rx_byte();
117     }
118     
119     #ifndef __PRE_RAM__
120     void uart_fill_lb(void *data)
121     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
122     	struct lb_serial serial;
123     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
124     	serial.baseaddr = CONFIG_CONSOLE_SERIAL_TEGRA210_UART_ADDRESS;
125     	serial.baud = default_baudrate();
126     	serial.regwidth = 4;
127     	lb_add_serial(&serial, data);
128     
129     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
130     }
/src/soc/qualcomm/ipq40xx/uart.c: 296 in uart_fill_lb()
290     #endif
291     
292     #ifndef __PRE_RAM__
293     /* TODO: Implement function */
294     void uart_fill_lb(void *data)
295     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
296     	struct lb_serial serial;
297     
298     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
299     	serial.baseaddr = (uint32_t)UART1_DM_BASE;
300     	serial.baud = default_baudrate();
301     	serial.regwidth = 1;
/src/mainboard/emulation/qemu-riscv/uart.c: 48 in uart_fill_lb()
42     {
43     }
44     
45     #ifndef __PRE_RAM__
46     void uart_fill_lb(void *data)
47     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
48     	struct lb_serial serial;
49     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
50     	serial.baseaddr = 0x3f8;
51     	serial.baud = 115200;
52     	serial.regwidth = 1;
53     	lb_add_serial(&serial, data);
54             lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
55     }
/src/cpu/allwinner/a10/uart_console.c: 44 in uart_fill_lb()
38     	return 24000000;
39     }
40     
41     #ifndef __PRE_RAM__
42     void uart_fill_lb(void *data)
43     {
>>>     CID 1354778:    (UNINIT)
>>>     Declaring variable "serial" without initializer.
44     	struct lb_serial serial;
45     	serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
46     	serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
47     	serial.baud = default_baudrate();
48     	serial.regwidth = 1;
49     	lb_add_serial(&serial, data);
50     
51     	lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
52     }

** CID 1354615:  Memory - illegal accesses  (OVERRUN)
/src/cpu/ti/am335x/gpio.c: 30 in gpio_regs_and_bit()


________________________________________________________________________________________________________
*** CID 1354615:  Memory - illegal accesses  (OVERRUN)
/src/cpu/ti/am335x/gpio.c: 30 in gpio_regs_and_bit()
24     
25     	if (bank > ARRAY_SIZE(am335x_gpio_banks)) {
26     		printk(BIOS_ERR, "Bad gpio index %d.\n", gpio);
27     		return NULL;
28     	}
29     	*bit = 1 << (gpio % 32);
>>>     CID 1354615:  Memory - illegal accesses  (OVERRUN)
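>>>     Overrunning array "am335x_gpio_banks" of 4 4-byte elements at element index 4 (byte offset 16) using index "bank" (which evaluates to 4). [Review note: the guard on line 25 tests "bank > ARRAY_SIZE(am335x_gpio_banks)", which lets bank == 4 through to the array access on line 30; rejecting every out-of-range index needs ">=".]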
30     	return am335x_gpio_banks[bank];
31     }
32     
33     void am335x_disable_gpio_irqs(void)
34     {
35     	int i;


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5a5yKA03-2B-2F8gkr37oVNo-2BOWQTrPVLe6ZqVQnS9NY7w8Xn3yOhQs0IQ2qBrdn7UXzW3GLKbB0o08zj1bxbdHSdZlJZxFUBAotNS4ARAFmNql-2FwkOf99xRFT8gInJsMtFujyz6Xl9zz5uw97Nzj-2FaTc5i0oT8-2BYoLsT9DAA8-2Fhe-2BXTBySf-2Fdht3IaBd2nItsfPlc-3D
