[coreboot] New Defects reported by Coverity Scan for coreboot

scan-admin at coverity.com
Fri Aug 31 16:19:13 CEST 2018


Hi,

Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.

5 new defect(s) introduced to coreboot found with Coverity Scan.
1 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)


** CID 1395334:    (BAD_SHIFT)
/src/lib/gpio.c: 150 in _gpio_base3_value()
/src/lib/gpio.c: 147 in _gpio_base3_value()
/src/lib/gpio.c: 150 in _gpio_base3_value()
/src/lib/gpio.c: 150 in _gpio_base3_value()


________________________________________________________________________________________________________
*** CID 1395334:    (BAD_SHIFT)
/src/lib/gpio.c: 150 in _gpio_base3_value()
144     			case 0:	/* Ignore '0' digits. */
145     				break;
146     			case 1:	/* Account for binaries 0 to 2^index - 1. */
147     				binary_below += 1 << index;
148     				break;
149     			case 2:	/* Account for binaries 0 to 2^(index+1) - 1. */
>>>     CID 1395334:    (BAD_SHIFT)
>>>     In expression "1 << index + 1", left shifting by more than 31 bits has undefined behavior.  The shift amount, "index + 1", is at least 32.
150     				binary_below += 1 << (index + 1);
151     				has_z = 1;
152     			}
153     		}
154     	}
155     
/src/lib/gpio.c: 147 in _gpio_base3_value()
141     		 */
142     		if (binary_first && !has_z) {
143     			switch (temp) {
144     			case 0:	/* Ignore '0' digits. */
145     				break;
146     			case 1:	/* Account for binaries 0 to 2^index - 1. */
>>>     CID 1395334:    (BAD_SHIFT)
>>>     In expression "1 << index", left shifting by more than 31 bits has undefined behavior.  The shift amount, "index", is at least 32.
147     				binary_below += 1 << index;
148     				break;
149     			case 2:	/* Account for binaries 0 to 2^(index+1) - 1. */
150     				binary_below += 1 << (index + 1);
151     				has_z = 1;
152     			}
/src/lib/gpio.c: 150 in _gpio_base3_value()
144     			case 0:	/* Ignore '0' digits. */
145     				break;
146     			case 1:	/* Account for binaries 0 to 2^index - 1. */
147     				binary_below += 1 << index;
148     				break;
149     			case 2:	/* Account for binaries 0 to 2^(index+1) - 1. */
>>>     CID 1395334:    (BAD_SHIFT)
>>>     In expression "1 << index + 1", left shifting by more than 31 bits has undefined behavior.  The shift amount, "index + 1", is at least 33.
150     				binary_below += 1 << (index + 1);
151     				has_z = 1;
152     			}
153     		}
154     	}
155     
/src/lib/gpio.c: 150 in _gpio_base3_value()
144     			case 0:	/* Ignore '0' digits. */
145     				break;
146     			case 1:	/* Account for binaries 0 to 2^index - 1. */
147     				binary_below += 1 << index;
148     				break;
149     			case 2:	/* Account for binaries 0 to 2^(index+1) - 1. */
>>>     CID 1395334:    (BAD_SHIFT)
>>>     In expression "1 << index + 1", left shifting by more than 31 bits has undefined behavior.  The shift amount, "index + 1", is as much as 32.
150     				binary_below += 1 << (index + 1);
151     				has_z = 1;
152     			}
153     		}
154     	}
155     

** CID 1395333:  Memory - illegal accesses  (OVERRUN)
/src/lib/gpio.c: 117 in _gpio_base3_value()


________________________________________________________________________________________________________
*** CID 1395333:  Memory - illegal accesses  (OVERRUN)
/src/lib/gpio.c: 117 in _gpio_base3_value()
111     	 *  1: pull up
112     	 *  2: floating
113     	 */
114     	printk(BIOS_DEBUG, "Reading tristate GPIOs: ");
115     	for (index = num_gpio - 1; index >= 0; --index) {
116     		temp = gpio_get(gpio[index]);
>>>     CID 1395333:  Memory - illegal accesses  (OVERRUN)
>>>     Overrunning array "value" of 32 bytes at byte offset 32 using index "index" (which evaluates to 32).
117     		temp |= ((value[index] ^ temp) << 1);
118     		printk(BIOS_DEBUG, "%c ", tristate_char[temp]);
119     		result = (result * 3) + temp;
120     
121     		/*
122     		 * For binary_first we keep track of the normal ternary result

** CID 1395332:  Integer handling issues  (BAD_SHIFT)
/src/lib/gpio.c: 158 in _gpio_base3_value()


________________________________________________________________________________________________________
*** CID 1395332:  Integer handling issues  (BAD_SHIFT)
/src/lib/gpio.c: 158 in _gpio_base3_value()
152     			}
153     		}
154     	}
155     
156     	if (binary_first) {
157     		if (has_z)
>>>     CID 1395332:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "1 << num_gpio", left shifting by more than 31 bits has undefined behavior.  The shift amount, "num_gpio", is at least 33.
158     			result = result + (1 << num_gpio) - binary_below;
159     		else /* binary_below is normal binary system value if !has_z. */
160     			result = binary_below;
161     	}
162     
163     	printk(BIOS_DEBUG, "= %d (%s base3 number system)\n", result,

** CID 1395331:  Uninitialized variables  (UNINIT)
/src/soc/intel/cannonlake/cnl_memcfg_init.c: 116 in cannonlake_memcfg_init()


________________________________________________________________________________________________________
*** CID 1395331:  Uninitialized variables  (UNINIT)
/src/soc/intel/cannonlake/cnl_memcfg_init.c: 116 in cannonlake_memcfg_init()
110     		if (spd->spd_smbus_address[i] != 0) {
111     			mem_cfg->SpdAddressTable[i] = spd->spd_smbus_address[i];
112     			OnModuleSpd = 1;
113     		}
114     	}
115     
>>>     CID 1395331:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "OnModuleSpd".
116     	if (!OnModuleSpd) {
117     		if (spd->spd_by_index) {
118     			meminit_cbfs_spd_index(mem_cfg, cnl_cfg,
119     				spd->spd_spec.spd_index);
120     		} else {
121     			meminit_spd_data(mem_cfg, cnl_cfg,

** CID 1395330:  Null pointer dereferences  (FORWARD_NULL)
/util/romcc/romcc.c: 1988 in new_occurrence()


________________________________________________________________________________________________________
*** CID 1395330:  Null pointer dereferences  (FORWARD_NULL)
/util/romcc/romcc.c: 1988 in new_occurrence()
1982     		col      = get_col(state->file);
1983     	}
1984     	if (state->function) {
1985     		function = state->function;
1986     	}
1987     	last = state->last_occurrence;
>>>     CID 1395330:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "filename" to "strcmp", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
1988     	if (last &&
1989     		(last->col == col) &&
1990     		(last->line == line) &&
1991     		(last->function == function) &&
1992     		((last->filename == filename) ||
1993     			(strcmp(last->filename, filename) == 0)))


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5Yc21LPqijtFjWx0vyiHv28pQrAVLUANNaesXiHIz-2BACbwrGJVekMsmSgJRKiVo16dXWNcx7NY3CT5zdxDoG864onQRWp4DADBgIciN-2Be-2BP3MsV2tAmRyunB0UegjF7-2BHiu-2Fddh9wRuArHNg4fzXRO2cbYaavedymdoWQ8LN4DCk91kHd6p9do4a-2BR09Okkm8U-3D