[coreboot] New Defects reported by Coverity Scan for coreboot

scan-admin at coverity.com scan-admin at coverity.com
Tue Oct 4 13:18:31 CEST 2016


Hi,

Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.

46 new defect(s) introduced to coreboot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 20 of 46 defect(s)


** CID 1361275:    (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()


________________________________________________________________________________________________________
*** CID 1361275:    (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 831 in parse_subpart_dir()
825     	memcpy(hdr.name, data + offset, sizeof(hdr.name));
826     	offset += sizeof(hdr.name);
827     
828     	validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name);
829     
830     	assert(size > subpart_dir_size(&hdr));
>>>     CID 1361275:    (TAINTED_SCALAR)
>>>     Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
831     	alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir");
832     	memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
833     
834     	/* Read Subpart Dir entries. */
835     	struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836     	struct subpart_dir_entry *e = &subpart_dir->e[0];
/util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
832     	memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
833     
834     	/* Read Subpart Dir entries. */
835     	struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836     	struct subpart_dir_entry *e = &subpart_dir->e[0];
837     	uint32_t i;
>>>     CID 1361275:    (TAINTED_SCALAR)
>>>     Using tainted variable "hdr.num_entries" as a loop boundary.
838     	for (i = 0; i < hdr.num_entries; i++) {
839     		memcpy(e[i].name, data + offset, sizeof(e[i].name));
840     		offset += sizeof(e[i].name);
841     		offset = read_member(data, offset, sizeof(e[i].offset),
842     				     &e[i].offset);
843     		offset = read_member(data, offset, sizeof(e[i].length),

** CID 1361274:  Insecure data handling  (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1361274:  Insecure data handling  (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 717 in alloc_bpdt_buffer()
711     {
712     	struct bpdt_header bpdt_header;
713     	assert((offset + BPDT_HEADER_SIZE) < size);
714     	bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name);
715     
716     	/* Buffer to read BPDT header and entries. */
>>>     CID 1361274:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
717     	alloc_buffer(b, get_bpdt_size(&bpdt_header), name);
718     
719     	struct bpdt *bpdt = buffer_get(b);
720     	memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE);
721     
722     	/*

** CID 1361253:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()


________________________________________________________________________________________________________
*** CID 1361253:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
1294     static size_t init_subpart_dir_entry(struct subpart_dir_entry *e,
1295     				     struct buffer *b, size_t offset)
1296     {
1297     	memset(e, 0, sizeof(*e));
1298     
1299     	assert(strlen(b->name) <= sizeof(e->name));
>>>     CID 1361253:  Memory - illegal accesses  (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 12 bytes on destination array "e->name" of size 12 bytes might leave the destination string unterminated.
1300     	strncpy((char *)e->name, (char *)b->name, sizeof(e->name));
1301     	e->offset = offset;
1302     	e->length = buffer_size(b);
1303     
1304     	return (offset + buffer_size(b));
1305     }

** CID 1353793:  Resource leaks  (RESOURCE_LEAK)
/util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()


________________________________________________________________________________________________________
*** CID 1353793:  Resource leaks  (RESOURCE_LEAK)
/util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
1090     
1091     	if (read_from_image(context->input_image_filename,
1092     				offset, bl_length,
1093     				&image, &image_actual_size, file_type_bin)) {
1094     		printf("Error reading image file %s.\n",
1095     				context->input_image_filename);
>>>     CID 1353793:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "image" going out of scope leaks the storage it points to.
1096     		return -ENOMEM;
1097     	}
1098     
1099     	pages_in_image = ICEIL(image_actual_size, page_size);
1100     
1101     	/* Create a local copy of the bl */

** CID 1353781:  Control flow issues  (NO_EFFECT)
/util/nvidia/cbootimage/src/cbootimage.c: 242 in main()


________________________________________________________________________________________________________
*** CID 1353781:  Control flow issues  (NO_EFFECT)
/util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
236     			context.input_image_filename);
237     			goto fail;
238     		}
239     
240     		/* Get BCT_SIZE from input image file  */
241     		bct_size = get_bct_size_from_image(&context);
>>>     CID 1353781:  Control flow issues  (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true. "bct_size < 0U".
242     		if (bct_size < 0) {
243     			printf("Error: Invalid input image file %s\n",
244     			context.input_image_filename);
245     			goto fail;
246     		}
247     

** CID 1353028:  Error handling issues  (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()


________________________________________________________________________________________________________
*** CID 1353028:  Error handling issues  (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
278     			pspdir[4+4*i+2] = 1;
279     			pspdir[4+4*i+3] = 0;
280     		} else if (fw_table[i].filename != NULL) {
281     			pspdir[4+4*i+0] = fw_table[i].type;
282     
283     			fd = open (fw_table[i].filename, O_RDONLY);
>>>     CID 1353028:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
284     			fstat(fd, &fd_stat);
285     			pspdir[4+4*i+1] = fd_stat.st_size;
286     
287     			pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS;
288     			pspdir[4+4*i+3] = 0;
289     

** CID 1353027:  Error handling issues  (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()


________________________________________________________________________________________________________
*** CID 1353027:  Error handling issues  (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()
233     	struct stat fd_stat;
234     	int i;
235     
236     	for (i = 0; fw_table[i].type != AMD_FW_INVALID; i ++) {
237     		if (fw_table[i].filename != NULL) {
238     			fd = open (fw_table[i].filename, O_RDONLY);
>>>     CID 1353027:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
239     			fstat(fd, &fd_stat);
240     
241     			switch (fw_table[i].type) {
242     			case AMD_FW_IMC:
243     				pos = ALIGN(pos, 0x10000);
244     				romsig[1] = pos + ROM_BASE_ADDRESS;

** CID 1353021:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares()


________________________________________________________________________________________________________
*** CID 1353021:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares()
284     			fstat(fd, &fd_stat);
285     			pspdir[4+4*i+1] = fd_stat.st_size;
286     
287     			pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS;
288     			pspdir[4+4*i+3] = 0;
289     
>>>     CID 1353021:  Error handling issues  (CHECKED_RETURN)
>>>     "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
290     			read (fd, base+pos, fd_stat.st_size);
291     
292     			pos += fd_stat.st_size;
293     			pos = ALIGN(pos, 0x100);
294     			close (fd);
295     		} else {

** CID 1353020:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()


________________________________________________________________________________________________________
*** CID 1353020:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
278     			pspdir[4+4*i+2] = 1;
279     			pspdir[4+4*i+3] = 0;
280     		} else if (fw_table[i].filename != NULL) {
281     			pspdir[4+4*i+0] = fw_table[i].type;
282     
283     			fd = open (fw_table[i].filename, O_RDONLY);
>>>     CID 1353020:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
284     			fstat(fd, &fd_stat);
285     			pspdir[4+4*i+1] = fd_stat.st_size;
286     
287     			pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS;
288     			pspdir[4+4*i+3] = 0;
289     

** CID 1353019:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares()


________________________________________________________________________________________________________
*** CID 1353019:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares()
251     				break;
252     			default:
253     				/* Error */
254     				break;
255     			}
256     
>>>     CID 1353019:  Error handling issues  (CHECKED_RETURN)
>>>     "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
257     			read (fd, base+pos, fd_stat.st_size);
258     
259     			pos += fd_stat.st_size;
260     			pos = ALIGN(pos, 0x100);
261     			close (fd);
262     		}

** CID 1353018:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()


________________________________________________________________________________________________________
*** CID 1353018:  Error handling issues  (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()
233     	struct stat fd_stat;
234     	int i;
235     
236     	for (i = 0; fw_table[i].type != AMD_FW_INVALID; i ++) {
237     		if (fw_table[i].filename != NULL) {
238     			fd = open (fw_table[i].filename, O_RDONLY);
>>>     CID 1353018:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
239     			fstat(fd, &fd_stat);
240     
241     			switch (fw_table[i].type) {
242     			case AMD_FW_IMC:
243     				pos = ALIGN(pos, 0x10000);
244     				romsig[1] = pos + ROM_BASE_ADDRESS;

** CID 1347358:  Error handling issues  (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 586 in main()


________________________________________________________________________________________________________
*** CID 1347358:  Error handling issues  (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 586 in main()
580     		current = integrate_psp_firmwares(rom, current, psp2dir, amd_psp2_fw_table);
581     #endif
582     	}
583     #endif
584     
585     	targetfd = open(output, O_RDWR | O_CREAT | O_TRUNC, 0666);
>>>     CID 1347358:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "targetfd" is passed to a parameter that cannot be negative.
586     	write(targetfd, amd_romsig, current - AMD_ROMSIG_OFFSET);
587     	close(targetfd);
588     	free(rom);
589     
590     	return 0;

** CID 1347333:  Memory - illegal accesses  (UNINIT)
/util/amdfwtool/amdfwtool.c: 585 in main()


________________________________________________________________________________________________________
*** CID 1347333:  Memory - illegal accesses  (UNINIT)
/util/amdfwtool/amdfwtool.c: 585 in main()
579     #else
580     		current = integrate_psp_firmwares(rom, current, psp2dir, amd_psp2_fw_table);
581     #endif
582     	}
583     #endif
584     
>>>     CID 1347333:  Memory - illegal accesses  (UNINIT)
>>>     Using uninitialized value "output" when calling "open".
585     	targetfd = open(output, O_RDWR | O_CREAT | O_TRUNC, 0666);
586     	write(targetfd, amd_romsig, current - AMD_ROMSIG_OFFSET);
587     	close(targetfd);
588     	free(rom);
589     
590     	return 0;

** CID 1325840:  Memory - illegal accesses  (OVERRUN)
/util/cbfstool/cbfs_image.c: 1406 in cbfs_print_entry_info()


________________________________________________________________________________________________________
*** CID 1325840:  Memory - illegal accesses  (OVERRUN)
/util/cbfstool/cbfs_image.c: 1406 in cbfs_print_entry_info()
1400     	while ((hash = cbfs_file_get_next_hash(entry, hash)) != NULL) {
1401     		unsigned int hash_type = ntohl(hash->hash_type);
1402     		if (hash_type > CBFS_NUM_SUPPORTED_HASHES) {
1403     			fprintf(fp, "invalid hash type %d\n", hash_type);
1404     			break;
1405     		}
>>>     CID 1325840:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "widths_cbfs_hash" of 4 8-byte elements at element index 4 (byte offset 32) using index "hash_type" (which evaluates to 4).
1406     		size_t hash_len = widths_cbfs_hash[hash_type];
1407     		char *hash_str = bintohex(hash->hash_data, hash_len);
1408     		uint8_t local_hash[hash_len];
1409     		if (vb2_digest_buffer(CBFS_SUBHEADER(entry),
1410     			ntohl(entry->len), hash_type, local_hash,
1411     			hash_len) != VB2_SUCCESS) {

** CID 1325836:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/cbfs_image.c: 1413 in cbfs_print_entry_info()


________________________________________________________________________________________________________
*** CID 1325836:  Resource leaks  (RESOURCE_LEAK)
/util/cbfstool/cbfs_image.c: 1413 in cbfs_print_entry_info()
1407     		char *hash_str = bintohex(hash->hash_data, hash_len);
1408     		uint8_t local_hash[hash_len];
1409     		if (vb2_digest_buffer(CBFS_SUBHEADER(entry),
1410     			ntohl(entry->len), hash_type, local_hash,
1411     			hash_len) != VB2_SUCCESS) {
1412     			fprintf(fp, "failed to hash '%s'\n", name);
>>>     CID 1325836:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "hash_str" going out of scope leaks the storage it points to.
1413     			break;
1414     		}
1415     		int valid = memcmp(local_hash, hash->hash_data, hash_len) == 0;
1416     		const char *valid_str = valid ? "valid" : "invalid";
1417     
1418     		fprintf(fp, "    hash %s:%s %s\n",

** CID 1323515:  Error handling issues  (CHECKED_RETURN)
/util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage()


________________________________________________________________________________________________________
*** CID 1323515:  Error handling issues  (CHECKED_RETURN)
/util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage()
106     		} else {
107     			return SBIUsage();
108     		}
109     		--ac, ++av;
110     	}
111     
>>>     CID 1323515:  Error handling issues  (CHECKED_RETURN)
>>>     Calling "stat(bl, &file_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
112     	stat(bl, &file_stat);
113     	filesize = file_stat.st_size + MIN_SIZE;
114     	buf = calloc(sizeof(uint8_t), filesize);
115     
116     	if (buf == NULL) {
117     		puts("Memory allocation error");

** CID 1323512:  Null pointer dereferences  (FORWARD_NULL)
/util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage()


________________________________________________________________________________________________________
*** CID 1323512:  Null pointer dereferences  (FORWARD_NULL)
/util/broadcom/secimage/sbi.c: 112 in CreateSecureBootImage()
106     		} else {
107     			return SBIUsage();
108     		}
109     		--ac, ++av;
110     	}
111     
>>>     CID 1323512:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "bl" to "stat", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
112     	stat(bl, &file_stat);
113     	filesize = file_stat.st_size + MIN_SIZE;
114     	buf = calloc(sizeof(uint8_t), filesize);
115     
116     	if (buf == NULL) {
117     		puts("Memory allocation error");

** CID 1323511:  Null pointer dereferences  (FORWARD_NULL)
/util/broadcom/secimage/sbi.c: 80 in CreateSecureBootImage()


________________________________________________________________________________________________________
*** CID 1323511:  Null pointer dereferences  (FORWARD_NULL)
/util/broadcom/secimage/sbi.c: 80 in CreateSecureBootImage()
74      * Purpose :
75      * Input   : none
76      * Output  : none
77      *---------------------------------------------------------------------*/
78     int CreateSecureBootImage(int ac, char **av)
79     {
>>>     CID 1323511:  Null pointer dereferences  (FORWARD_NULL)
>>>     Assigning: "privkey" = "NULL".
80     	char *outfile, *configfile, *arg, *privkey = NULL, *bl = NULL;
81     	int status = 0;
82     	uint32_t sbiLen;
83     	struct stat file_stat;
84     	uint32_t add_header = 1;
85     	outfile = *av;

** CID 1323510:  Error handling issues  (NEGATIVE_RETURNS)
/util/broadcom/secimage/io.c: 81 in DataRead()


________________________________________________________________________________________________________
*** CID 1323510:  Error handling issues  (NEGATIVE_RETURNS)
/util/broadcom/secimage/io.c: 81 in DataRead()
75     	len = FileSizeGet(file);
76     	if (len < *length)
77     		*length = len;
78     	else
79     		/* Do not exceed the maximum length of the buffer */
80     		len = *length;
>>>     CID 1323510:  Error handling issues  (NEGATIVE_RETURNS)
>>>     "len" is passed to a parameter that cannot be negative.
81     	if (fread((uint8_t *)buf, 1, len, file) != len) {
82     		printf("Error reading data (%d bytes) from file: %s\n",
83     		       len, filename);
84     		return -1;
85     	}
86     	fclose(file);

** CID 1323509:  Resource leaks  (RESOURCE_LEAK)
/util/broadcom/secimage/io.c: 84 in DataRead()


________________________________________________________________________________________________________
*** CID 1323509:  Resource leaks  (RESOURCE_LEAK)
/util/broadcom/secimage/io.c: 84 in DataRead()
78     	else
79     		/* Do not exceed the maximum length of the buffer */
80     		len = *length;
81     	if (fread((uint8_t *)buf, 1, len, file) != len) {
82     		printf("Error reading data (%d bytes) from file: %s\n",
83     		       len, filename);
>>>     CID 1323509:  Resource leaks  (RESOURCE_LEAK)
>>>     Variable "file" going out of scope leaks the storage it points to.
84     		return -1;
85     	}
86     	fclose(file);
87     	return 0;
88     }
89     


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5aYeCBUJ9Ig9KQMgYUnVrKXyS4xMjIrzrcIj45KpZXv2W4PyEY8eYNwceUF3w7uR1yTsiSikVQUtkY7SWIJEP3VxrLHFm6EnX7CA9vnrYgkGYJPOHb3Ac-2FBVQW-2F5CgJKJs1wUDaJs-2F-2BnXzo01rDvz4QOey-2BfdEUon6sH-2FX403IZwA-3D-3D

To manage Coverity Scan email notifications for "coreboot at coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4e-2BpBzwOa5gzBZa9dWpDbzfofODnVj1enK2UkK0-2BgCCqyeem8IVKvTxSaOFkteZFcnohwvb2rnYNjswGryEWCURnUk6WHU42sbOmtOjD-2Bx5c-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5aYeCBUJ9Ig9KQMgYUnVrKXYOJ4fjGOysRK-2ByY4lsAJWy-2Blp06jZrBT9H7MEoHLMd5rTzrd1nky-2FIxRl-2FEjPRYIqyYJwxCHyoGuLp217EdDArpgpABjOdjuxuQdVUm5z20-2Bn-2FVHdKWWXa-2BXu-2FrfD1jXdZaZtDxXm-2FV0gaHYap9sYA-3D-3D




More information about the coreboot mailing list