[coreboot] New Defects reported by Coverity Scan for coreboot

scan-admin at coverity.com scan-admin at coverity.com
Thu Jan 7 19:53:29 CET 2016


Hi,

Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.

77 new defect(s) introduced to coreboot found with Coverity Scan.
14 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 20 of 77 defect(s)


** CID 1347357:    (NEGATIVE_RETURNS)
/util/intelvbttool/intelvbttool.c: 530 in main()
/util/intelvbttool/intelvbttool.c: 530 in main()


________________________________________________________________________________________________________
*** CID 1347357:    (NEGATIVE_RETURNS)
/util/intelvbttool/intelvbttool.c: 530 in main()
524     	}
525     	if (ptr == MAP_FAILED) {
526     		fprintf(stderr, "mmap failed: %s\n", strerror(errno));
527     		return 1;
528     	}
529     	parse_vbios(ptr);
>>>     CID 1347357:    (NEGATIVE_RETURNS)
>>>     "fd" is passed to a parameter that cannot be negative.
530     	close(fd);
531     	return 0;
/util/intelvbttool/intelvbttool.c: 530 in main()
524     	}
525     	if (ptr == MAP_FAILED) {
526     		fprintf(stderr, "mmap failed: %s\n", strerror(errno));
527     		return 1;
528     	}
529     	parse_vbios(ptr);
>>>     CID 1347357:    (NEGATIVE_RETURNS)
>>>     "fd" is passed to a parameter that cannot be negative.
530     	close(fd);
531     	return 0;

** CID 1347356:    (NO_EFFECT)
/src/northbridge/intel/pineview/raminit.c: 348 in msbpos()
/src/northbridge/intel/x4x/raminit_ddr2.c: 48 in msbpos()
/src/northbridge/intel/x4x/raminit.c: 259 in msbpos()


________________________________________________________________________________________________________
*** CID 1347356:    (NO_EFFECT)
/src/northbridge/intel/pineview/raminit.c: 348 in msbpos()
342     	return i;
343     }
344     
345     static u8 msbpos(u8 val) //Reverse
346     {
347     	u8 i;
>>>     CID 1347356:    (NO_EFFECT)
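>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "i >= 0".
>>>     Reviewer note: because "i" is a u8, decrementing it at 0 wraps to 255 instead of ending the loop, so when the scan finds no stopping bit the next "1 << i" shifts by more than the width of int, which is undefined behaviour. This holds for all three msbpos() copies shown here; a signed loop counter would make the "i >= 0" bound effective.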
348     	for (i = 7; (i >= 0) && ((val & (1 << i)) == 0); i--);
349     	return i;
350     }
351     
352     static void sdram_detect_smallest_params(struct sysinfo *s)
353     {
/src/northbridge/intel/x4x/raminit_ddr2.c: 48 in msbpos()
42     	return mhz[speed];
43     }
44     
45     static u8 msbpos(u8 val) //Reverse
46     {
47     	u8 i;
>>>     CID 1347356:    (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "i >= 0".
48     	for (i = 7; i >= 0; i--) {
49     		if ((val & (1 << i)) == 0)
50     			break;
51     	}
52     	return i;
53     }
/src/northbridge/intel/x4x/raminit.c: 259 in msbpos()
253     	return i;
254     }
255     
256     static u8 msbpos(u8 val) //Reverse
257     {
258     	u8 i;
>>>     CID 1347356:    (NO_EFFECT)
>>>     This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "i >= 0".
259     	for (i = 7; (i >= 0) && ((val & (1 << i)) == 0); i--);
260     	return i;
261     }
262     
263     static void mchinfo_ddr2(struct sysinfo *s)
264     {

** CID 1347355:  Control flow issues  (NO_EFFECT)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 2649 in fam15EnableTrainingMode()


________________________________________________________________________________________________________
*** CID 1347355:  Control flow issues  (NO_EFFECT)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 2649 in fam15EnableTrainingMode()
2643     			 * Implement LRDIMM support
2644     			 * See Fam15h BKDG Rev. 3.14 section 2.10.5.5
2645     			 */
2646     			twrrd = 0xb;
2647     		} else {
2648     			max_cdd_we_delta = (((int16_t)cdd_twrrd + 1 - ((int16_t)write_early * 2)) + 1) / 2;
>>>     CID 1347355:  Control flow issues  (NO_EFFECT)
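>>>     This less-than-zero comparison of an unsigned value is never true. "max_cdd_we_delta < 0".
>>>     Reviewer note: with the clamp on lines 2649-2650 dead, a negative result of the signed expression on line 2648 would be stored as a large unsigned value rather than 0, and that value then takes part in the comparison on line 2651.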
2649     			if (max_cdd_we_delta < 0)
2650     				max_cdd_we_delta = 0;
2651     			if (((uint16_t)max_cdd_we_delta) > write_odt_delay)
2652     				dword = max_cdd_we_delta;
2653     			else
2654     				dword = write_odt_delay;

** CID 1347354:  Memory - corruptions  (OVERRUN)
/src/northbridge/amd/amdmct/mct_ddr3/mctsrc.c: 1214 in dqsTrainRcvrEn_SW_Fam15()


________________________________________________________________________________________________________
*** CID 1347354:  Memory - corruptions  (OVERRUN)
/src/northbridge/amd/amdmct/mct_ddr3/mctsrc.c: 1214 in dqsTrainRcvrEn_SW_Fam15()
1208     
1209     	_DisableDramECC = mct_DisableDimmEccEn_D(pMCTstat, pDCTstat);
1210     
1211     	Errors = 0;
1212     	dev = pDCTstat->dev_dct;
1213     
>>>     CID 1347354:  Memory - corruptions  (OVERRUN)
>>>     Checking "Channel < 2" implies that "Channel" is 2 on the false branch.
1214     	for (Channel = 0; Channel < 2; Channel++) {
1215     		print_debug_dqs("\tTrainRcvEn51: Node ", pDCTstat->Node_ID, 1);
1216     		print_debug_dqs("\tTrainRcvEn51: Channel ", Channel, 1);
1217     		pDCTstat->Channel = Channel;
1218     
1219     		mem_clk = Get_NB32_DCT(dev, Channel, 0x94) & 0x1f;

** CID 1347353:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 302 in fam10h_mhz_to_memclk_config()


________________________________________________________________________________________________________
*** CID 1347353:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 302 in fam10h_mhz_to_memclk_config()
296     
297     	/* Compute the index value for the given frequency */
298     	for (iter = 0; iter <= 0x6; iter++) {
299     		if (fam10h_freq_tab[iter] == freq)
300     			break;
301     	}
>>>     CID 1347353:  Memory - illegal accesses  (OVERRUN)
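>>>     Overrunning array "fam10h_freq_tab" of 7 2-byte elements at element index 7 (byte offset 14) using index "iter" (which evaluates to 7).
>>>     Reviewer note: when no table entry equals "freq", the loop on line 298 exits with iter == 7, so line 302 reads one element past the end of the table; checking "iter <= 0x6" before that read avoids it. CID 1347352 below is the same pattern with a 23-entry table.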
302     	if (fam10h_freq_tab[iter] == freq)
303     		freq = iter;
304     	if (freq == 0)
305     		freq = 0x3;
306     
307     	return freq;

** CID 1347352:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 284 in fam15h_mhz_to_memclk_config()


________________________________________________________________________________________________________
*** CID 1347352:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 284 in fam15h_mhz_to_memclk_config()
278     
279     	/* Compute the index value for the given frequency */
280     	for (iter = 0; iter <= 0x16; iter++) {
281     		if (fam15h_freq_tab[iter] == freq)
282     			break;
283     	}
>>>     CID 1347352:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "fam15h_freq_tab" of 23 2-byte elements at element index 23 (byte offset 46) using index "iter" (which evaluates to 23).
284     	if (fam15h_freq_tab[iter] == freq)
285     		freq = iter;
286     	if (freq == 0)
287     		freq = 0x4;
288     
289     	return freq;

** CID 1347351:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/intel/x4x/ram_calc.c: 47 in decode_igd_gtt_size()


________________________________________________________________________________________________________
*** CID 1347351:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/intel/x4x/ram_calc.c: 47 in decode_igd_gtt_size()
41     {
42     	static const u8 ggc2gtt[] = { 0, 1, 0, 2, 0, 0, 0, 0, 0, 2, 3, 4};
43     
44     	if (gsm > ARRAY_SIZE(ggc2gtt))
45     		die("Bad GTT Graphics Memory Size (GGMS) setting.\n");
46     
>>>     CID 1347351:  Memory - illegal accesses  (OVERRUN)
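>>>     Overrunning array "ggc2gtt" of 12 bytes at byte offset 12 using index "gsm" (which evaluates to 12).
>>>     Reviewer note: the guard on line 44 compares with ">", so gsm == ARRAY_SIZE(ggc2gtt) passes the check and indexes one element past the end; ">=" rejects it. CID 1347350 below has the same off-by-one in "gms > ARRAY_SIZE(ggc2uma)".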
47     	return ggc2gtt[gsm] << 10;
48     }
49     
50     u8 decode_pciebar(u32 *const base, u32 *const len)
51     {
52     	*base = 0;

** CID 1347350:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/intel/x4x/ram_calc.c: 36 in decode_igd_memory_size()


________________________________________________________________________________________________________
*** CID 1347350:  Memory - illegal accesses  (OVERRUN)
/src/northbridge/intel/x4x/ram_calc.c: 36 in decode_igd_memory_size()
30     	static const u16 ggc2uma[] = { 0, 0, 0, 0, 0,
31     			32, 48, 64, 128, 256, 96, 160, 224, 352 };
32     
33     	if (gms > ARRAY_SIZE(ggc2uma))
34     		die("Bad Graphics Mode Select (GMS) setting.\n");
35     
>>>     CID 1347350:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "ggc2uma" of 14 2-byte elements at element index 14 (byte offset 28) using index "gms" (which evaluates to 14).
36     	return ggc2uma[gms] << 10;
37     }
38     
39     /** Decodes used GTT Graphics Memory Size (GGMS) to kilobytes. */
40     u32 decode_igd_gtt_size(const u32 gsm)
41     {

** CID 1347349:    (PARSE_ERROR)
/util/inteltool/.test.c: 3 in ()
/util/viatool/.test.c: 3 in ()


________________________________________________________________________________________________________
*** CID 1347349:    (PARSE_ERROR)
/util/inteltool/.test.c: 3 in ()
1     /* Avoid a failing test due to libpci header symbol shadowing breakage */
2     #define index shadow_workaround_index
>>>     CID 1347349:    (PARSE_ERROR)
>>>     cannot open source file "pci/pci.h"
3     #include <pci/pci.h>
4     struct pci_access *pacc;
5     int main(int argc, char **argv)
6     {
7     	(void) argc;
8     	(void) argv;
9     	pacc = pci_alloc();
10     	return 0;
/util/viatool/.test.c: 3 in ()
1     /* Avoid a failing test due to libpci header symbol shadowing breakage */
2     #define index shadow_workaround_index
>>>     CID 1347349:    (PARSE_ERROR)
>>>     cannot open source file "pci/pci.h"
3     #include <pci/pci.h>
4     struct pci_access *pacc;
5     int main(int argc, char **argv)
6     {
7     	(void) argc;
8     	(void) argv;
9     	pacc = pci_alloc();
10     	return 0;

** CID 1347348:  Parse warnings  (PARSE_ERROR)
/util/inteltool/inteltool.h: 27 in ()


________________________________________________________________________________________________________
*** CID 1347348:  Parse warnings  (PARSE_ERROR)
/util/inteltool/inteltool.h: 27 in ()
21     #endif
22     #if (defined(__MACH__) && defined(__APPLE__))
23     /* DirectHW is available here: http://www.coreboot.org/DirectHW */
24     #define __DARWIN__
25     #include <DirectHW/DirectHW.h>
26     #endif
>>>     CID 1347348:  Parse warnings  (PARSE_ERROR)
>>>     During compilation of file '/home/coreboot/coreboot/util/inteltool/cpu.c'
27     #include <pci/pci.h>
28     
29     /* This #include is needed for freebsd_{rd,wr}msr. */
30     #if defined(__FreeBSD__)
31     #include <machine/cpufunc.h>
32     #endif

** CID 1347347:  Parse warnings  (PARSE_ERROR)
/util/superiotool/superiotool.h: 37 in ()


________________________________________________________________________________________________________
*** CID 1347347:  Parse warnings  (PARSE_ERROR)
/util/superiotool/superiotool.h: 37 in ()
31     #if (defined(__MACH__) && defined(__APPLE__))
32     /* DirectHW is available here: http://www.coreboot.org/DirectHW */
33     #include <DirectHW/DirectHW.h>
34     #endif
35     
36     #ifdef PCI_SUPPORT
>>>     CID 1347347:  Parse warnings  (PARSE_ERROR)
>>>     During compilation of file '/home/coreboot/coreboot/util/superiotool/ali.c'
37     #include <pci/pci.h>
38     #endif
39     
40     #if defined(__FreeBSD__)
41     #include <sys/types.h>
42     #include <machine/cpufunc.h>

** CID 1347346:  Parse warnings  (PARSE_ERROR)
/util/viatool/viatool.h: 31 in ()


________________________________________________________________________________________________________
*** CID 1347346:  Parse warnings  (PARSE_ERROR)
/util/viatool/viatool.h: 31 in ()
25     #endif
26     #if (defined(__MACH__) && defined(__APPLE__))
27     /* DirectHW is available here: http://www.coreboot.org/DirectHW */
28     #define __DARWIN__
29     #include <DirectHW/DirectHW.h>
30     #endif
>>>     CID 1347346:  Parse warnings  (PARSE_ERROR)
>>>     During compilation of file '/home/coreboot/coreboot/util/viatool/cpu.c'
31     #include <pci/pci.h>
32     
33     /* This #include is needed for freebsd_{rd,wr}msr. */
34     #if defined(__FreeBSD__)
35     #include <machine/cpufunc.h>
36     #endif

** CID 1347345:  Resource leaks  (RESOURCE_LEAK)
/payloads/libpayload/libcbfs/cbfs.c: 115 in cbfs_load_stage()


________________________________________________________________________________________________________
*** CID 1347345:  Resource leaks  (RESOURCE_LEAK)
/payloads/libpayload/libcbfs/cbfs.c: 115 in cbfs_load_stage()
109     	final_size = cbfs_decompress(stage->compression,
110     				     ((unsigned char *) stage) +
111     				     sizeof(struct cbfs_stage),
112     				     (void *) (uintptr_t) stage->load,
113     				     stage->len);
114     	if (!final_size)
>>>     CID 1347345:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "stage" going out of scope leaks the storage it points to.
115     		return (void *) -1;
116     
117     	memset((void *)((uintptr_t)stage->load + final_size), 0,
118     	       stage->memlen - final_size);
119     
120     	DEBUG("stage loaded.\n");

** CID 1347344:    (RESOURCE_LEAK)
/src/northbridge/amd/amdmct/mct_ddr3/s3utils.c: 1117 in save_mct_information_to_nvram()
/src/northbridge/amd/amdmct/mct_ddr3/s3utils.c: 1123 in save_mct_information_to_nvram()


________________________________________________________________________________________________________
*** CID 1347344:    (RESOURCE_LEAK)
/src/northbridge/amd/amdmct/mct_ddr3/s3utils.c: 1117 in save_mct_information_to_nvram()
1111     	if (restored) {
1112     		/* Allow training bypass if DIMM configuration is unchanged on next boot */
1113     		nvram = 1;
1114     		set_option("allow_spd_nvram_cache_restore", &nvram);
1115     
1116     		printk(BIOS_DEBUG, "Hardware configuration unchanged since last boot; skipping write\n");
>>>     CID 1347344:    (RESOURCE_LEAK)
>>>     Variable "persistent_data" going out of scope leaks the storage it points to.
1117     		return 0;
1118     	}
1119     
1120     	/* Obtain CBFS file offset */
1121     	s3nv_offset = get_s3nv_file_offset();
1122     	if (s3nv_offset == -1)
/src/northbridge/amd/amdmct/mct_ddr3/s3utils.c: 1123 in save_mct_information_to_nvram()
1117     		return 0;
1118     	}
1119     
1120     	/* Obtain CBFS file offset */
1121     	s3nv_offset = get_s3nv_file_offset();
1122     	if (s3nv_offset == -1)
>>>     CID 1347344:    (RESOURCE_LEAK)
>>>     Variable "persistent_data" going out of scope leaks the storage it points to.
1123     		return -1;
1124     
1125     	/* Align flash pointer to nearest boundary */
1126     	s3nv_offset &= ~(CONFIG_S3_DATA_SIZE-1);
1127     	s3nv_offset += CONFIG_S3_DATA_SIZE;
1128     

** CID 1347343:  Integer handling issues  (SIGN_EXTENSION)
/src/northbridge/amd/amdfam10/northbridge.c: 809 in amdfam10_domain_read_resources()


________________________________________________________________________________________________________
*** CID 1347343:  Integer handling issues  (SIGN_EXTENSION)
/src/northbridge/amd/amdfam10/northbridge.c: 809 in amdfam10_domain_read_resources()
803     					}
804     				}
805     			}
806     
807     			/* Calculate CC6 storage area size */
808     			if (interleaved)
>>>     CID 1347343:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "num_nodes" with type "unsigned char" (8 bits, unsigned) is promoted in "16777216 * num_nodes" to type "int" (32 bits, signed), then sign-extended to type "unsigned long long" (64 bits, unsigned).  If "16777216 * num_nodes" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
809     				qword = (0x1000000 * num_nodes);
810     			else
811     				qword = 0x1000000;
812     
813     			/* FIXME
814     			 * The BKDG appears to be incorrect as to the location of the CC6 save region

** CID 1347342:  Integer handling issues  (SIGN_EXTENSION)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 1760 in set_up_cc6_storage_fam15()


________________________________________________________________________________________________________
*** CID 1347342:  Integer handling issues  (SIGN_EXTENSION)
/src/northbridge/amd/amdmct/mct_ddr3/mct_d.c: 1760 in set_up_cc6_storage_fam15()
1754     			__func__, max_node, max_range_limit,
1755     			(((uint64_t)(Get_NB32(pDCTstat->dev_map, 0x124)
1756     				 & 0x1fffff)) << 27) | 0x7ffffff);
1757     
1758     		if (interleaved)
1759     			/* Move upper limit down by 16M * the number of nodes */
>>>     CID 1347342:  Integer handling issues  (SIGN_EXTENSION)
>>>     Suspicious implicit sign extension: "num_nodes" with type "unsigned char" (8 bits, unsigned) is promoted in "16777216 * num_nodes" to type "int" (32 bits, signed), then sign-extended to type "unsigned long long" (64 bits, unsigned).  If "16777216 * num_nodes" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1.
1760     			max_range_limit -= (0x1000000 * num_nodes);
1761     		else
1762     			/* Move upper limit down by 16M */
1763     			max_range_limit -= 0x1000000;
1764     
1765     		printk(BIOS_INFO, "%s:\tnew max_range_limit: %16llx\n",

** CID 1347341:  Incorrect expression  (SIZEOF_MISMATCH)
/src/southbridge/intel/fsp_i89xx/romstage.c: 215 in romstage_main_continue()


________________________________________________________________________________________________________
*** CID 1347341:  Incorrect expression  (SIZEOF_MISMATCH)
/src/southbridge/intel/fsp_i89xx/romstage.c: 215 in romstage_main_continue()
209     
210     	if(cbmem_was_initted) {
211     		reset_system();
212     	}
213     
214     	/* Save the HOB pointer in CBMEM to be used in ramstage. */
>>>     CID 1347341:  Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "4ULL /* sizeof (HobListPtr) */" to function "cbmem_add" which returns a value of type "VOID *" is suspicious.
215     	cbmem_hob_ptr = cbmem_add (CBMEM_ID_HOB_POINTER, sizeof(HobListPtr));
216     	*(uint32_t*)cbmem_hob_ptr = (uint32_t)HobListPtr;
217     	post_code(0x4f);
218     
219     	timestamp_add_now(TS_END_ROMSTAGE);
220     

** CID 1347340:  Memory - illegal accesses  (STRING_NULL)
/util/cbmem/cbmem.c: 398 in arch_tick_frequency()


________________________________________________________________________________________________________
*** CID 1347340:  Memory - illegal accesses  (STRING_NULL)
/util/cbmem/cbmem.c: 398 in arch_tick_frequency()
392     	}
393     	fclose(cpuf);
394     	rv = strtoull(freqs, &endp, 10);
395     
396     	if (*endp == '\0' || *endp == '\n')
397     		return rv;
>>>     CID 1347340:  Memory - illegal accesses  (STRING_NULL)
>>>     Passing unterminated string "freqs" to "fprintf".
398     	fprintf(stderr, "Wrong formatted value ^%s^ read from %s\n",
399     		freqs, freq_file);
400     	exit(1);
401     }
402     #elif defined(__OpenBSD__) && (defined(__i386__) || defined(__x86_64__))
403     static unsigned long arch_tick_frequency(void)

** CID 1347339:  Uninitialized variables  (UNINIT)
/src/northbridge/amd/amdfam10/northbridge.c: 1701 in detect_and_enable_probe_filter()


________________________________________________________________________________________________________
*** CID 1347339:  Uninitialized variables  (UNINIT)
/src/northbridge/amd/amdfam10/northbridge.c: 1701 in detect_and_enable_probe_filter()
1695     	if ((model >= 0x8) || fam15h)
1696     		/* Revision D or later */
1697     		rev_gte_d = 1;
1698     
1699     	if (rev_gte_d)
1700     		/* Check for dual node capability */
>>>     CID 1347339:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "f3xe8".
1701     		if (f3xe8 & 0x20000000)
1702     			dual_node = 1;
1703     
1704     	if (rev_gte_d && (sysconf.nodes > 1)) {
1705     		/* Enable the probe filter */
1706     		uint8_t i;

** CID 1347338:  Uninitialized variables  (UNINIT)
/src/northbridge/amd/amdmct/wrappers/mcti_d.c: 368 in mctGet_MaxLoadFreq()


________________________________________________________________________________________________________
*** CID 1347338:  Uninitialized variables  (UNINIT)
/src/northbridge/amd/amdmct/wrappers/mcti_d.c: 368 in mctGet_MaxLoadFreq()
362     				highest_rank_count[i] = pDCTstat->DimmRanks[dimm];
363     		}
364     	}
365     #endif
366     
367     	/* Set limits if needed */
>>>     CID 1347338:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "highest_rank_count[0]".
368     	pDCTstat->PresetmaxFreq = mct_MaxLoadFreq(max(ch1_count, ch2_count), max(highest_rank_count[0], highest_rank_count[1]), (ch1_registered || ch2_registered), (ch1_voltage | ch2_voltage), pDCTstat->PresetmaxFreq);
369     }
370     
371     #ifdef UNUSED_CODE
372     static void mctAdjustAutoCycTmg(void)
373     {


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://scan.coverity.com/projects/coreboot?tab=overview




