[coreboot] New Defects reported by Coverity Scan for coreboot

scan-admin at coverity.com scan-admin at coverity.com
Tue Oct 9 16:27:26 CEST 2018


Hi,

Please find below the latest report on new defect(s) introduced to coreboot, as found with Coverity Scan.

9 new defect(s) introduced to coreboot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 9 of 9 defect(s)


** CID 1396055:  Incorrect expression  (SIZEOF_MISMATCH)
/src/drivers/generic/generic/generic.c: 67 in generic_autogen_name()


________________________________________________________________________________________________________
*** CID 1396055:  Incorrect expression  (SIZEOF_MISMATCH)
/src/drivers/generic/generic/generic.c: 67 in generic_autogen_name()
61     	char *name = &config->autogen_name[0];
62     	static unsigned int id;
63     
64     	if (name[0] != '\0')
65     		return name;
66     
>>>     CID 1396055:  Incorrect expression  (SIZEOF_MISMATCH)
>>>     Passing argument "name" of type "char *" and argument "4UL /* sizeof (name) */" to function "snprintf" is suspicious.
67     	snprintf(name, sizeof(name), "G%03.3X", id++);
68     	name[4] = '\0';
69     	return name;
70     }
71     
72     static const char *generic_dev_acpi_name(const struct device *dev)

** CID 1396054:  Null pointer dereferences  (NULL_RETURNS)
/src/drivers/generic/generic/generic.c: 38 in generic_dev_fill_ssdt_generator()


________________________________________________________________________________________________________
*** CID 1396054:  Null pointer dereferences  (NULL_RETURNS)
/src/drivers/generic/generic/generic.c: 38 in generic_dev_fill_ssdt_generator()
32     
33     	if (!config->hid) {
34     		printk(BIOS_ERR, "%s: ERROR: _HID required\n", dev_path(dev));
35     		return;
36     	}
37     
>>>     CID 1396054:  Null pointer dereferences  (NULL_RETURNS)
>>>     Dereferencing a pointer that might be null "acpi_device_scope(dev)" when calling "acpigen_write_scope".
38     	acpigen_write_scope(acpi_device_scope(dev));
39     	acpigen_write_device(acpi_device_name(dev));
40     	acpigen_write_name_string("_HID", config->hid);
41     	if (config->cid)
42     		acpigen_write_name_string("_CID", config->cid);
43     	acpigen_write_name_integer("_UID", config->uid);

** CID 1396053:  Parse warnings  (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 652 in ()


________________________________________________________________________________________________________
*** CID 1396053:  Parse warnings  (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 652 in ()
646     } __packed;
647     
648     struct lp0_header header __attribute__((section(".header"))) =
649     {
650     	.length_insecure = (uintptr_t)&blob_total_size,
651     	.length_secure = (uintptr_t)&blob_total_size,
>>>     CID 1396053:  Parse warnings  (PARSE_ERROR)
>>>     identifier "blob_data" is undefined
652     	.destination = (uintptr_t)&blob_data,
653     	.entry_point = (uintptr_t)&lp0_resume,
654     	.code_length = (uintptr_t)&blob_data_size

** CID 1396052:  Resource leaks  (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 993 in fix_vbios_checksum()
/util/intelvbttool/intelvbttool.c: 998 in fix_vbios_checksum()


________________________________________________________________________________________________________
*** CID 1396052:  Resource leaks  (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 993 in fix_vbios_checksum()
987     	if (!fo) {
988     		printerr("%s open failed\n", filename);
989     		return 1;
990     	}
991     
992     	if (fo->size < sizeof(optionrom_header_t))
>>>     CID 1396052:    (RESOURCE_LEAK)
>>>     Variable "fo" going out of scope leaks the storage it points to.
993     		return 1;
994     
995     	optionrom_header_t *oh = (optionrom_header_t *)fo->data;
996     
997     	if (oh->size * 512 > fo->size)
998     		return 1;
/util/intelvbttool/intelvbttool.c: 998 in fix_vbios_checksum()
992     	if (fo->size < sizeof(optionrom_header_t))
993     		return 1;
994     
995     	optionrom_header_t *oh = (optionrom_header_t *)fo->data;
996     
997     	if (oh->size * 512 > fo->size)
>>>     CID 1396052:    (RESOURCE_LEAK)
>>>     Variable "fo" going out of scope leaks the storage it points to.
998     		return 1;
999     
1000     	/* fix checksum */
1001     	oh->checksum = -(checksum_vbios(oh) - oh->checksum);
1002     
1003     	if (write_file(filename, fo)) {

** CID 1396051:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/util/intelvbttool/intelvbttool.c: 394 in read_file()


________________________________________________________________________________________________________
*** CID 1396051:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
/util/intelvbttool/intelvbttool.c: 394 in read_file()
388     		printerr("%s seek failed: %s\n", filename, strerror(errno));
389     		fclose(fd);
390     		return NULL;
391     	}
392     
393     	const off_t size = ftell(fd);
>>>     CID 1396051:  Integer handling issues  (CONSTANT_EXPRESSION_RESULT)
>>>     "size > 18446744073709551615UL" is always false regardless of the values of its operands. This occurs as the logical second operand of "||".
394     	if (size < 0 || size > SIZE_MAX) {
395     		printerr("%s tell failed: %s\n", filename, strerror(errno));
396     		fclose(fd);
397     		return NULL;
398     	}
399     

** CID 1396050:  Resource leaks  (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 794 in parse_vbt()


________________________________________________________________________________________________________
*** CID 1396050:  Resource leaks  (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 794 in parse_vbt()
788     	if (!bdb_head->header_size || bdb_head->header_size > fo->size) {
789     		printerr("invalid BDB header size\n");
790     		return;
791     	}
792     
793     	/* Duplicate fo as caller is owner and remalloc frees the object */
>>>     CID 1396050:  Resource leaks  (RESOURCE_LEAK)
>>>     Failing to save or free storage allocated by "malloc_fo_sub(fo, 0UL)" leaks it.
794     	*vbt = remalloc_fo(malloc_fo_sub(fo, 0), head->vbt_size);
795     }
796     
797     /* Option ROM checksum */
798     static u8 checksum_vbios(const optionrom_header_t *oh)
799     {

** CID 1396049:  Parse warnings  (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 653 in ()


________________________________________________________________________________________________________
*** CID 1396049:  Parse warnings  (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 653 in ()
647     
648     struct lp0_header header __attribute__((section(".header"))) =
649     {
650     	.length_insecure = (uintptr_t)&blob_total_size,
651     	.length_secure = (uintptr_t)&blob_total_size,
652     	.destination = (uintptr_t)&blob_data,
>>>     CID 1396049:  Parse warnings  (PARSE_ERROR)
>>>     identifier "lp0_resume" is undefined
653     	.entry_point = (uintptr_t)&lp0_resume,
654     	.code_length = (uintptr_t)&blob_data_size

** CID 1396048:  Parse warnings  (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 266 in ()
/src/soc/nvidia/tegra210/lp0/tegra_lp0_resume.c: 430 in ()


________________________________________________________________________________________________________
*** CID 1396048:  Parse warnings  (PARSE_ERROR)
/src/soc/nvidia/tegra124/lp0/tegra_lp0_resume.c: 266 in ()
260     static uint32_t *sysctr_cntfid0_ptr = (void *)(SYSCTR_CTLR_BASE + 0x20);
261     
262     
263     
264     /* Utility functions. */
265     
>>>     CID 1396048:    (PARSE_ERROR)
>>>     expected a ";"
266     static __always_inline void __noreturn halt(void)
267     {
268     	for (;;);
269     }
270     
271     static inline uint32_t read32(const void *addr)
/src/soc/nvidia/tegra210/lp0/tegra_lp0_resume.c: 430 in ()
424     #define MAX77621_VOUT_VAL	(0x80 | 0x27)
425     #define MAX77621_VOUT_DATA	(MAX77621_VOUT_REG | (MAX77621_VOUT_VAL << 8))
426     
427     
428     /* Utility functions. */
429     
>>>     CID 1396048:    (PARSE_ERROR)
>>>     expected a ";"
430     static __always_inline void __noreturn halt(void)
431     {
432     	for (;;);
433     }
434     
435     static inline uint32_t read32(const void *addr)

** CID 1396047:  Resource leaks  (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 1041 in patch_vbios()
/util/intelvbttool/intelvbttool.c: 1045 in patch_vbios()


________________________________________________________________________________________________________
*** CID 1396047:  Resource leaks  (RESOURCE_LEAK)
/util/intelvbttool/intelvbttool.c: 1041 in patch_vbios()
1035     	parse_vbios(fo, &old_vbt);
1036     
1037     	if (old_vbt) {
1038     		if (oh->vbt_offset + vbt_size(old_vbt) == fo->size) {
1039     			/* Located at the end of file - reduce file size */
1040     			if (fo->size < vbt_size(old_vbt))
>>>     CID 1396047:    (RESOURCE_LEAK)
>>>     Variable "old_vbt" going out of scope leaks the storage it points to.
1041     				return 1;
1042     			fo = remalloc_fo(fo, fo->size - vbt_size(old_vbt));
1043     			if (!fo) {
1044     				printerr("Failed to allocate memory\n");
1045     				return 1;
1046     			}
/util/intelvbttool/intelvbttool.c: 1045 in patch_vbios()
1039     			/* Located at the end of file - reduce file size */
1040     			if (fo->size < vbt_size(old_vbt))
1041     				return 1;
1042     			fo = remalloc_fo(fo, fo->size - vbt_size(old_vbt));
1043     			if (!fo) {
1044     				printerr("Failed to allocate memory\n");
>>>     CID 1396047:    (RESOURCE_LEAK)
>>>     Variable "old_vbt" going out of scope leaks the storage it points to.
1045     				return 1;
1046     			}
1047     			oh->vbt_offset = 0;
1048     		} else if (vbt_size(old_vbt) < vbt_size(fo_vbt)) {
1049     			/* In the middle of the file - Remove old VBT */
1050     			memset(fo->data + oh->vbt_offset, 0xff,


________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5bOy3AWPfQ3nD9AkRtyiSLXO7H14lQOr9-2BjeTrnJDrqEIpgFK2pq-2F9qmWpOUeIbXNCxaXNENW-2FtPU9KydOMHP-2F6u3xTdRldolq3WLF6DC83YarQxS24f4OoX-2FSuiI7d3Qr8Khg7h2oWVPX7KzNxFQrdqEuyCbffLbz5mTDuSWix5xciaVavZ8Rv0cYsWZBsCI8-3D



