[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Tue Jul 10 16:08:28 CEST 2018
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
27 new defect(s) introduced to coreboot found with Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 27 defect(s)
** CID 1393979: (RESOURCE_LEAK)
/src/lib/device_tree.c: 948 in dt_set_bin_prop_by_path()
/src/lib/device_tree.c: 959 in dt_set_bin_prop_by_path()
/src/lib/device_tree.c: 964 in dt_set_bin_prop_by_path()
________________________________________________________________________________________________________
*** CID 1393979: (RESOURCE_LEAK)
/src/lib/device_tree.c: 948 in dt_set_bin_prop_by_path()
942 return 1;
943 }
944
945 prop_name = strrchr(path_copy, '/');
946 if (!prop_name) {
947 printk(BIOS_ERR, "Path %s does not include '/'\n", path);
>>> CID 1393979: (RESOURCE_LEAK)
>>> Variable "path_copy" going out of scope leaks the storage it points to.
948 return 1;
949 }
950
951 *prop_name++ = '\0'; /* Separate path from the property name. */
952
953 dt_node = dt_find_node_by_path(tree->root, path_copy, NULL,
/src/lib/device_tree.c: 959 in dt_set_bin_prop_by_path()
953 dt_node = dt_find_node_by_path(tree->root, path_copy, NULL,
954 NULL, create);
955
956 if (!dt_node) {
957 printk(BIOS_ERR, "Failed to %s %s in the device tree\n",
958 create ? "create" : "find", path_copy);
>>> CID 1393979: (RESOURCE_LEAK)
>>> Variable "path_copy" going out of scope leaks the storage it points to.
959 return 1;
960 }
961
962 dt_add_bin_prop(dt_node, prop_name, data, data_size);
963
964 return 0;
/src/lib/device_tree.c: 964 in dt_set_bin_prop_by_path()
958 create ? "create" : "find", path_copy);
959 return 1;
960 }
961
962 dt_add_bin_prop(dt_node, prop_name, data, data_size);
963
>>> CID 1393979: (RESOURCE_LEAK)
>>> Variable "path_copy" going out of scope leaks the storage it points to.
964 return 0;
965 }
966
967 /*
968 * Prepare the /reserved-memory/ node.
969 *
** CID 1393978: Null pointer dereferences (FORWARD_NULL)
/src/vendorcode/cavium/bdk/libbdk-hal/device/bdk-device.c: 523 in bdk_device_add()
________________________________________________________________________________________________________
*** CID 1393978: Null pointer dereferences (FORWARD_NULL)
/src/vendorcode/cavium/bdk/libbdk-hal/device/bdk-device.c: 523 in bdk_device_add()
517 {
518 if (device_list_count == device_list_max)
519 {
520 int grow = device_list_max + DEVICE_GROW;
521 bdk_device_t *tmp = malloc(grow * sizeof(bdk_device_t));
522 if (!tmp)
>>> CID 1393978: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "tmp" to "memcpy", which dereferences it. [Note: The source code implementation of the function has been overridden by a builtin model.]
523 memcpy(tmp, device_list, device_list_max * sizeof(bdk_device_t));
524 free(device_list);
525 if (tmp == NULL)
526 {
527 bdk_error("bdk-device: Failed to allocate space for device\n");
528 return -1;
** CID 1393977: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 78 in thunderx_get_core_clock()
________________________________________________________________________________________________________
*** CID 1393977: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 78 in thunderx_get_core_clock()
72 u64 thunderx_get_core_clock(void)
73 {
74 union cavm_rst_boot rst_boot;
75
76 rst_boot.u = read64((void *)RST_PF_BAR0);
77
>>> CID 1393977: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "rst_boot.s.c_mul * 50000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
78 return rst_boot.s.c_mul * PLL_REF_CLK;
** CID 1393976: Control flow issues (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/libdram.c: 185 in bdk_libdram_tune_node()
________________________________________________________________________________________________________
*** CID 1393976: Control flow issues (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/libdram.c: 185 in bdk_libdram_tune_node()
179 // disabled by default for now, does not seem to be needed?
180 // Automatically tune the data byte DLL write offsets
181 // allow override of default setting
182 str = getenv("ddr_tune_write_offsets");
183 str = NULL;
184 if (str)
>>> CID 1393976: Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "do_dllwo" inside this statement: "do_dllwo = !!strtoul(str, N...".
185 do_dllwo = !!strtoul(str, NULL, 0);
186 if (do_dllwo) {
187 BDK_TRACE(DRAM, "N%d: Starting DLL Write Offset Tuning for LMCs\n", node);
188 errs = perform_dll_offset_tuning(node, /* write */1, /* tune */1);
189 BDK_TRACE(DRAM, "N%d: Finished DLL Write Offset Tuning for LMCs, %d errors)\n",
190 node, errs);
** CID 1393975: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1393975: Memory - corruptions (OVERRUN)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 595 in test_dram_byte_hw()
589 dbtrain_ctl.s.prank, dbtrain_ctl.s.lrank,
590 dbtrain_ctl.s.bg, dbtrain_ctl.s.ba, row, col);
591 /*
592 4) Kick off the sequence (SEQ_CTL[SEQ_SEL] = 14, SEQ_CTL[INIT_START] = 1).
593 5) Poll on SEQ_CTL[SEQ_COMPLETE] for completion.
594 */
>>> CID 1393975: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 12 by passing argument "14" in call to "perform_octeon3_ddr3_sequence".
595 perform_octeon3_ddr3_sequence(node, prank, ddr_interface_num, 14);
596
597 /*
598 6) Read MPR_DATA0 and MPR_DATA1 for results:
599 a. MPR_DATA0[MPR_DATA<63:0>] comparison results for DQ63:DQ0.
600 (1 means MATCH, 0 means FAIL).
** CID 1393974: (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/gpio.c: 106 in gpio_set()
/src/soc/cavium/cn81xx/gpio.c: 108 in gpio_set()
________________________________________________________________________________________________________
*** CID 1393974: (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/gpio.c: 106 in gpio_set()
100 if (gpio >= gpio_pin_count())
101 return;
102
103 printk(BIOS_SPEW, "GPIO(%u): level: %u\n", gpio, !!value);
104
105 if (value)
>>> CID 1393974: (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "1 << gpio" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
106 write64(®s->tx_set, 1 << gpio);
107 else
108 write64(®s->tx_clr, 1 << gpio);
109 }
110
111 /* Set GPIO direction to OUTPUT with level */
/src/soc/cavium/cn81xx/gpio.c: 108 in gpio_set()
102
103 printk(BIOS_SPEW, "GPIO(%u): level: %u\n", gpio, !!value);
104
105 if (value)
106 write64(®s->tx_set, 1 << gpio);
107 else
>>> CID 1393974: (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "1 << gpio" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "uint64_t" (64 bits, unsigned).
108 write64(®s->tx_clr, 1 << gpio);
109 }
110
111 /* Set GPIO direction to OUTPUT with level */
112 void gpio_output(gpio_t gpio, int value)
113 {
** CID 1393973: (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 100 in read_entire_spd()
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 111 in read_entire_spd()
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 119 in read_entire_spd()
________________________________________________________________________________________________________
*** CID 1393973: (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 100 in read_entire_spd()
94 uint32_t *ptr = (uint32_t *)spd_buf;
95
96 for (int bank = 0; bank < (spd_size >> 8); bank++)
97 {
98 /* this should only happen for DDR4, which has a second bank of 256 bytes */
99 if (bank)
>>> CID 1393973: (DEADCODE)
>>> Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...".
100 bdk_twsix_write_ia(node, bus, 0x36 | bank, 0, 2, 1, 0);
101 int bank_size = 256;
102 for (int i = 0; i < bank_size; i += 4)
103 {
104 int64_t data = bdk_twsix_read_ia(node, bus, address, i, 4, 1);
105 if (data < 0)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 111 in read_entire_spd()
105 if (data < 0)
106 {
107 free(spd_buf);
108 bdk_error("Failed to read SPD data at 0x%x\n", i + (bank << 8));
109 /* Restore the bank to zero */
110 if (bank)
>>> CID 1393973: (DEADCODE)
>>> Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...".
111 bdk_twsix_write_ia(node, bus, 0x36 | 0, 0, 2, 1, 0);
112 return -1;
113 }
114 else
115 *ptr++ = bdk_be32_to_cpu(data);
116 }
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 119 in read_entire_spd()
113 }
114 else
115 *ptr++ = bdk_be32_to_cpu(data);
116 }
117 /* Restore the bank to zero */
118 if (bank)
>>> CID 1393973: (DEADCODE)
>>> Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...".
119 bdk_twsix_write_ia(node, bus, 0x36 | 0, 0, 2, 1, 0);
120 }
121
122 /* Store the SPD in the device tree */
123 /* FIXME(dhendrix): No need for this? cfg gets updated, so the caller
124 * (libdram_config()) has what it needs. */
** CID 1393972: Insecure data handling (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1011 in perform_dll_offset_tuning()
________________________________________________________________________________________________________
*** CID 1393972: Insecure data handling (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1011 in perform_dll_offset_tuning()
1005 /* Disable l2 sets for DRAM testing */
1006 limit_l2_ways(node, 0, ways_print);
1007 #endif
1008
1009 // testing is done on all LMCs simultaneously
1010 // FIXME: for now, loop here to show what happens multiple times
>>> CID 1393972: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "loops" as a loop boundary.
1011 for (loop = 0; loop < loops; loop++) {
1012 /* Perform DLL offset tuning */
1013 errs = auto_set_dll_offset(node, dll_offset_mode, num_lmcs, ddr_interface_64b, do_tune);
1014 }
1015
1016 #if USE_L2_WAYS_LIMIT
** CID 1393971: Insecure data handling (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in initialize_ddr_clock()
________________________________________________________________________________________________________
*** CID 1393971: Insecure data handling (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in initialize_ddr_clock()
1140 best_en_idx = strtoul(s, NULL, 0);
1141 override_pll_settings = 1;
1142 }
1143
1144 if (override_pll_settings) {
1145 best_pll_MHz = ddr_ref_hertz * (best_clkf+1) / (best_clkr+1) / 1000000;
>>> CID 1393971: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "best_en_idx" as an index into an array "_en".
1146 best_calculated_ddr_hertz = ddr_ref_hertz * (best_clkf + 1) / ((best_clkr + 1) * (_en[best_en_idx]));
1147 best_error = ddr_hertz - best_calculated_ddr_hertz;
1148 }
1149
1150 ddr_print("clkr: %2llu, en[%d]: %2d, clkf: %4llu, pll_MHz: %4llu, ddr_hertz: %8llu, error: %8lld <==\n",
1151 best_clkr, best_en_idx, _en[best_en_idx], best_clkf, best_pll_MHz,
** CID 1393970: Integer handling issues (DIVIDE_BY_ZERO)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-usb.c: 372 in bdk_usb_initialize()
________________________________________________________________________________________________________
*** CID 1393970: Integer handling issues (DIVIDE_BY_ZERO)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-usb.c: 372 in bdk_usb_initialize()
366 {
367 static bool printit[2] = {true,true};
368 if (printit[usb_port]) {
369 uint64_t fr_div;
370 if (divider < 5) fr_div = divider * 2;
371 else fr_div = 8 * (divider - 3);
>>> CID 1393970: Integer handling issues (DIVIDE_BY_ZERO)
>>> In expression "sclk_rate / fr_div", division by expression "fr_div" which may be zero has undefined behavior.
372 uint64_t freq = (typeof(freq)) (sclk_rate / fr_div);
373 const char *token;
374 if (freq < 62500000ULL) token = "???Low";
375 else if (freq < 90000000ULL) token = "USB2";
376 else if (freq < 125000000ULL) token = "USB2 Full";
377 else if (freq < 150000000ULL) token = "USB3";
** CID 1393969: Possible Control flow issues (DEADCODE)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-qlm.c: 421 in bdk_qlm_eye_display()
________________________________________________________________________________________________________
*** CID 1393969: Possible Control flow issues (DEADCODE)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-qlm.c: 421 in bdk_qlm_eye_display()
415 result = 0;
416 }
417 else
418 result = -1;
419
420 if (need_free)
>>> CID 1393969: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "free((void *)eye);".
421 free((void*)eye);
422 return result;
** CID 1393968: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 66 in thunderx_get_io_clock()
________________________________________________________________________________________________________
*** CID 1393968: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 66 in thunderx_get_io_clock()
60 u64 thunderx_get_io_clock(void)
61 {
62 union cavm_rst_boot rst_boot;
63
64 rst_boot.u = read64((void *)RST_PF_BAR0);
65
>>> CID 1393968: Integer handling issues (OVERFLOW_BEFORE_WIDEN)
>>> Potentially overflowing expression "rst_boot.s.pnr_mul * 50000000" with type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type "u64" (64 bits, unsigned).
66 return rst_boot.s.pnr_mul * PLL_REF_CLK;
67 }
68
69 /**
70 * Returns the core clock speed in Hz
71 */
** CID 1393967: Code maintainability issues (UNUSED_VALUE)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 658 in auto_set_dll_offset()
________________________________________________________________________________________________________
*** CID 1393967: Code maintainability issues (UNUSED_VALUE)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 658 in auto_set_dll_offset()
652 } /* for (lmc = 0; lmc < num_lmcs; lmc++) */
653
654 bdk_watchdog_poke();
655
656 // run the test(s)
657 // only 1 call should be enough, let the bursts, etc, control the load...
>>> CID 1393967: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value from "run_dram_tuning_threads(node, num_lmcs, bytemask)" to "tot_errors" here, but that stored value is overwritten before it can be used.
658 tot_errors = run_dram_tuning_threads(node, num_lmcs, bytemask);
659
660 for (lmc = 0; lmc < num_lmcs; lmc++) {
661 // record stop cycle CSRs here for utilization measure
662 stop_dram_dclk[lmc] = BDK_CSR_READ(node, BDK_LMCX_DCLK_CNT(lmc));
663 stop_dram_ops[lmc] = BDK_CSR_READ(node, BDK_LMCX_OPS_CNT(lmc));
** CID 1393966: Control flow issues (DEADCODE)
/src/soc/cavium/cn81xx/uart.c: 104 in uart_platform_refclk()
________________________________________________________________________________________________________
*** CID 1393966: Control flow issues (DEADCODE)
/src/soc/cavium/cn81xx/uart.c: 104 in uart_platform_refclk()
98 unsigned int uart_platform_refclk(void)
99 {
100 struct cn81xx_uart *uart =
101 (struct cn81xx_uart *)CONFIG_CONSOLE_SERIAL_UART_ADDRESS;
102
103 if (!uart)
>>> CID 1393966: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return 0U;".
104 return 0;
105
106 return uart_hclk(uart);
107 }
108
109 uintptr_t uart_platform_base(int idx)
** CID 1393965: Control flow issues (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1880 in dbi_switchover_interface()
________________________________________________________________________________________________________
*** CID 1393965: Control flow issues (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1880 in dbi_switchover_interface()
1874 for (byte = 0; byte < (8+ecc_ena); byte++) {
1875 unlocked += (dbi_settings[byte] & 1) ^ 1;
1876 }
1877
1878 // FIXME: print out the DBI settings array after each rank?
1879 if (rank_max > 1) // only when doing more than 1 rank
>>> CID 1393965: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "display_DAC_DBI_settings(no...".
1880 display_DAC_DBI_settings(node, lmc, /* DBI */0, ecc_ena, dbi_settings, " RANK");
1881
1882 if (unlocked > 0) {
1883 ddr_print("N%d.LMC%d: DBI switchover: LOCK: %d still unlocked.\n",
1884 node, lmc, unlocked);
1885
** CID 1393964: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1393964: (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 682 in perform_ddr_init_sequence()
676
677 bdk_wait_usec(1000); /* Wait a while. */
678
679 if ((s = lookup_env_parameter("ddr_sequence1")) != NULL) {
680 int sequence1;
681 sequence1 = strtoul(s, NULL, 0);
>>> CID 1393964: (TAINTED_SCALAR)
>>> Passing tainted variable "sequence1" to a tainted sink.
682 perform_octeon3_ddr3_sequence(node, (1 << rankx),
683 ddr_interface_num, sequence1);
684 }
685
686 if ((s = lookup_env_parameter("ddr_sequence2")) != NULL) {
687 int sequence2;
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 689 in perform_ddr_init_sequence()
683 ddr_interface_num, sequence1);
684 }
685
686 if ((s = lookup_env_parameter("ddr_sequence2")) != NULL) {
687 int sequence2;
688 sequence2 = strtoul(s, NULL, 0);
>>> CID 1393964: (TAINTED_SCALAR)
>>> Passing tainted variable "sequence2" to a tainted sink.
689 perform_octeon3_ddr3_sequence(node, (1 << rankx),
690 ddr_interface_num, sequence2);
691 }
692 }
693 }
694 }
** CID 1393963: Uninitialized variables (UNINIT)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 570 in dram_get_default_spd_speed()
________________________________________________________________________________________________________
*** CID 1393963: Uninitialized variables (UNINIT)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 570 in dram_get_default_spd_speed()
564 dimms_per_lmc++;
565 }
566 }
567 }
568
569 // all DIMMs must be same speed
>>> CID 1393963: Uninitialized variables (UNINIT)
>>> Using uninitialized value "dimm_speed[0]".
570 speed = dimm_speed[0];
571 for (dimm = 1; dimm < dimm_count; dimm++) {
572 if (dimm_speed[dimm] != speed) {
573 ret_speed = -1;
574 goto finish_up;
575 }
** CID 1393962: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1393962: Null pointer dereferences (FORWARD_NULL)
/src/vendorcode/cavium/bdk/libbdk-dram/bdk-dram-test-addrbus.c: 64 in __bdk_dram_test_mem_address_bus()
58 {
59 int failures = 0;
60
61 /* Clear our work area. Checking for aliases later could get false
62 positives if it matched stale data */
63 void *ptr = (area) ? bdk_phys_to_ptr(area) : NULL;
>>> CID 1393962: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "ptr" to "bdk_zero_memory", which dereferences it.
64 bdk_zero_memory(ptr, max_address - area);
65 __bdk_dram_flush_to_mem_range(area, max_address);
66
67 /* Each time we write, we'll write this pattern xored the address it is
68 written too */
69 uint64_t pattern = 0x0fedcba987654321;
** CID 1393961: (INTEGER_OVERFLOW)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 175 in init_octeon_dram_interface()
________________________________________________________________________________________________________
*** CID 1393961: (INTEGER_OVERFLOW)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 175 in init_octeon_dram_interface()
169 bdk_reset_chip(node);
170 }
171 }
172
173 printf("N%d.LMC%d Configuration Completed: %d MB\n",
174 node, ddr_interface_num, mem_size_mbytes);
>>> CID 1393961: (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "mem_size_mbytes" used as return value.
175 return mem_size_mbytes;
176 }
177
178 #define DO_LIKE_RANDOM_XOR 1
179
180 #if !DO_LIKE_RANDOM_XOR
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 145 in init_octeon_dram_interface()
139
140 restart_lmc_init:
141
142 /* Poke the watchdog timer so it doesn't expire during DRAM init */
143 bdk_watchdog_poke();
144
>>> CID 1393961: (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "ddr_hertz" used as critical argument to function.
145 mem_size_mbytes = init_octeon3_ddr3_interface(node,
146 ddr_configuration,
147 ddr_hertz,
148 cpu_hertz,
149 ddr_ref_hertz,
150 board_type,
** CID 1393960: Insecure data handling (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1490 in perform_HW_dll_offset_tuning()
________________________________________________________________________________________________________
*** CID 1393960: Insecure data handling (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1490 in perform_HW_dll_offset_tuning()
1484 lmc_config.s.ecc_ena = 1;
1485 DRAM_CSR_WRITE(node, BDK_LMCX_CONFIG(lmc), lmc_config.u);
1486 lmc_config.u = BDK_CSR_READ(node, BDK_LMCX_CONFIG(lmc));
1487
1488 // testing is done on a single LMC at a time
1489 // FIXME: for now, loop here to show what happens multiple times
>>> CID 1393960: Insecure data handling (TAINTED_SCALAR)
>>> Using tainted variable "loops" as a loop boundary.
1490 for (loop = 0; loop < loops; loop++) {
1491 /* Perform DLL offset tuning */
1492 //auto_set_dll_offset(node, 1 /* 1=write */, lmc, bytelane);
1493 hw_assist_test_dll_offset(node, 2 /* 2=read */, lmc, bytelane);
1494 }
1495
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5YWTJmHR68MjZmITQiRDM5u86XmyHuGSkyNnmhS4MY2gDkjBytchwI-2FzToS44Ci1WN5CD-2FaAJuFLwUXshGwjEYT7uSeDzexMA0-2FqZX7E8ITly3uch8OQJA0AjqmRCgyPFLeA-2FRa9B-2Fg-2FGHUpL4-2FwaimRDMU8ezSLEgtaaBkj2iM-2BqnI08GIrzyY-2FkhjdEeL6vI-3D
More information about the coreboot
mailing list