Hi,
Please find the latest report on new defect(s) introduced to coreboot found
with Coverity Scan.
180 new defect(s) introduced to coreboot found with Coverity Scan.
164 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 180 defect(s)
** CID 1469466: (OVERRUN)
/src/soc/qualcomm/common/qupv3_config.c: 29 in qupv3_se_fw_load_and_init()
/src/soc/qualcomm/common/qupv3_config.c: 33 in qupv3_se_fw_load_and_init()
________________________________________________________________________________________________________
*** CID 1469466: (OVERRUN)
/src/soc/qualcomm/common/qupv3_config.c: 29 in qupv3_se_fw_load_and_init()
23 static const char * const filename[] = {
24 [SE_PROTOCOL_SPI] = "fallback/spi_fw",
25 [SE_PROTOCOL_UART] = "fallback/uart_fw",
26 [SE_PROTOCOL_I2C] = "fallback/i2c_fw",
27 };
28
>>> CID 1469466: (OVERRUN)
>>> Overrunning array "filename" of 4 8-byte elements at element index 4
>>> (byte offset 39) using index "protocol" (which evaluates to 4).
29 if (protocol >= SE_PROTOCOL_MAX || !filename[protocol])
30 die("*ERROR* * INVALID PROTOCOL ***\n");
31
32 if (!fw_list[protocol]) {
33 fw_list[protocol] = cbfs_map(filename[protocol], NULL);
34 if (!fw_list[protocol])
/src/soc/qualcomm/common/qupv3_config.c: 33 in qupv3_se_fw_load_and_init()
27 };
28
29 if (protocol >= SE_PROTOCOL_MAX || !filename[protocol])
30 die("*ERROR* * INVALID PROTOCOL ***\n");
31
32 if (!fw_list[protocol]) {
>>> CID 1469466: (OVERRUN)
>>> Overrunning array "filename" of 4 8-byte elements at element index 4
>>> (byte offset 39) using index "protocol" (which evaluates to 4).
33 fw_list[protocol] = cbfs_map(filename[protocol], NULL);
34 if (!fw_list[protocol])
35 die("*ERROR* * cbfs_map failed ***\n");
36 }
37
38 hdr = fw_list[protocol];
** CID 1469465: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1469465: Null pointer dereferences (FORWARD_NULL)
/src/ec/google/chromeec/ec.c: 1819 in google_chromeec_regulator_set_voltage()
1813 .cmd_size_in = sizeof(params),
1814 .cmd_data_out = NULL,
1815 .cmd_size_out = 0,
1816 .cmd_dev_index = 0,
1817 };
1818
>>> CID 1469465: Null pointer dereferences (FORWARD_NULL)
>>> Passing "&cmd" to "google_chromeec_command", which dereferences null
>>> "cmd.cmd_data_out".
1819 if (google_chromeec_command(&cmd))
1820 return -1;
1821
1822 return 0;
1823 }
1824
** CID 1469464: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1469464: (TAINTED_SCALAR)
/3rdparty/vboot/cgpt/cgpt_show.c: 387 in GptShow()
381 GptHeader *header;
382 char indent[64];
383
384 require(snprintf(indent, sizeof(indent), GPT_MORE) <
sizeof(indent));
385 header = (GptHeader*)drive->gpt.secondary_header;
386 entries = (GptEntry*)drive->gpt.secondary_entries;
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "header->size_of_entry" to "HeaderDetails",
>>> which uses it as a loop boundary.
387 HeaderDetails(header, entries, indent, params->numeric);
388 }
389 }
390 }
391
392 CheckValid(drive);
/3rdparty/vboot/cgpt/cgpt_show.c: 256 in GptShow()
250 } else if (params->quick) { // show all partitions,
quickly
251 uint32_t i;
252 GptEntry *entry;
253 char type[GUID_STRLEN];
254
255 for (i = 0; i < GetNumberOfEntries(drive); ++i) {
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "*drive->gpt.primary_header" to "GetEntry",
>>> which uses it as an offset.
256 entry = GetEntry(&drive->gpt, ANY_VALID, i);
257
258 if (GuidIsZero(&entry->type))
259 continue;
260
261 if (!params->numeric && CGPT_OK == ResolveType(&entry->type,
type)) {
/3rdparty/vboot/cgpt/cgpt_show.c: 387 in GptShow()
381 GptHeader *header;
382 char indent[64];
383
384 require(snprintf(indent, sizeof(indent), GPT_MORE) <
sizeof(indent));
385 header = (GptHeader*)drive->gpt.secondary_header;
386 entries = (GptEntry*)drive->gpt.secondary_entries;
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "header->size" to "HeaderDetails", which
>>> uses it as a loop boundary.
387 HeaderDetails(header, entries, indent, params->numeric);
388 }
389 }
390 }
391
392 CheckValid(drive);
/3rdparty/vboot/cgpt/cgpt_show.c: 197 in GptShow()
191 if (params->partition > GetNumberOfEntries(drive)) {
192 Error("invalid partition number: %d\n", params->partition);
193 return CGPT_FAILED;
194 }
195
196 uint32_t index = params->partition - 1;
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "*drive->gpt.secondary_header" to
>>> "GetEntry", which uses it as an offset.
197 GptEntry *entry = GetEntry(&drive->gpt, ANY_VALID, index);
198 char buf[256]; // scratch buffer for string
conversion
199
200 if (params->single_item) {
201 switch(params->single_item) {
202 case 'b':
/3rdparty/vboot/cgpt/cgpt_show.c: 319 in GptShow()
313 GptHeader *header;
314 char indent[64];
315
316 require(snprintf(indent, sizeof(indent), GPT_MORE) <
sizeof(indent));
317 header = (GptHeader*)drive->gpt.primary_header;
318 entries = (GptEntry*)drive->gpt.primary_entries;
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "header->size_of_entry" to "HeaderDetails",
>>> which uses it as a loop boundary.
319 HeaderDetails(header, entries, indent, params->numeric);
320 }
321
322 GptHeader* primary_header = (GptHeader*)drive->gpt.primary_header;
323 printf(GPT_FMT, (uint64_t)primary_header->entries_lba,
324 (uint64_t)CalculateEntriesSectors(primary_header,
/3rdparty/vboot/cgpt/cgpt_show.c: 319 in GptShow()
313 GptHeader *header;
314 char indent[64];
315
316 require(snprintf(indent, sizeof(indent), GPT_MORE) <
sizeof(indent));
317 header = (GptHeader*)drive->gpt.primary_header;
318 entries = (GptEntry*)drive->gpt.primary_entries;
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "header->size" to "HeaderDetails", which
>>> uses it as a loop boundary.
319 HeaderDetails(header, entries, indent, params->numeric);
320 }
321
322 GptHeader* primary_header = (GptHeader*)drive->gpt.primary_header;
323 printf(GPT_FMT, (uint64_t)primary_header->entries_lba,
324 (uint64_t)CalculateEntriesSectors(primary_header,
/3rdparty/vboot/cgpt/cgpt_show.c: 197 in GptShow()
191 if (params->partition > GetNumberOfEntries(drive)) {
192 Error("invalid partition number: %d\n", params->partition);
193 return CGPT_FAILED;
194 }
195
196 uint32_t index = params->partition - 1;
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "*drive->gpt.primary_header" to "GetEntry",
>>> which uses it as an offset.
197 GptEntry *entry = GetEntry(&drive->gpt, ANY_VALID, index);
198 char buf[256]; // scratch buffer for string
conversion
199
200 if (params->single_item) {
201 switch(params->single_item) {
202 case 'b':
/3rdparty/vboot/cgpt/cgpt_show.c: 256 in GptShow()
250 } else if (params->quick) { // show all partitions,
quickly
251 uint32_t i;
252 GptEntry *entry;
253 char type[GUID_STRLEN];
254
255 for (i = 0; i < GetNumberOfEntries(drive); ++i) {
>>> CID 1469464: (TAINTED_SCALAR)
>>> Passing tainted expression "*drive->gpt.secondary_header" to
>>> "GetEntry", which uses it as an offset.
256 entry = GetEntry(&drive->gpt, ANY_VALID, i);
257
258 if (GuidIsZero(&entry->type))
259 continue;
260
261 if (!params->numeric && CGPT_OK == ResolveType(&entry->type,
type)) {
** CID 1469463: Medium impact security (RISKY_CRYPTO)
/home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/pcrs.go:
97 in
github.com/google/go-tpm/tpm.createPCRInfoLong(github.com/google/go-tpm/tpm.Locality,
github.com/google/go-tpm/tpm.pcrMask,
[]byte)(*github.com/google/go-tpm/tpm.pcrInfoLong, error)()
________________________________________________________________________________________________________
*** CID 1469463: Medium impact security (RISKY_CRYPTO)
/home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/pcrs.go:
97 in
github.com/google/go-tpm/tpm.createPCRInfoLong(github.com/google/go-tpm/tpm.Locality,
github.com/google/go-tpm/tpm.pcrMask,
[]byte)(*github.com/google/go-tpm/tpm.pcrInfoLong, error)()
91 return fmt.Sprintf("pcrInfoShort{LocAtRelease: %x, PCRsAtRelease: %s,
DigestAtRelease: % x}", pcri.LocAtRelease, pcri.PCRsAtRelease,
pcri.DigestAtRelease)
92 }
93
94 // createPCRInfoLong creates a pcrInfoLong structure from a mask and
some PCR
95 // values that match this mask, along with a TPM locality.
96 func createPCRInfoLong(loc Locality, mask pcrMask, pcrVals []byte)
(*pcrInfoLong, error) {
>>> CID 1469463: Medium impact security (RISKY_CRYPTO)
>>> Using a weak hashing algorithm. The RIPEMD, MD2, MD4, MD5, SHA0 and
>>> SHA1 cryptographic hashing algorithms are not collision resistant.
>>> Furthermore, these algorithms suffer from length extension attacks: without
>>> knowing the original unhashed message, an attacker can generate a valid
>>> hash for messages that have the original message as a prefix.
97 d, err := createPCRComposite(mask, pcrVals)
98 if err != nil {
99 return nil, err
100 }
101
102 pcri := &pcrInfoLong{
** CID 1469462: Error handling issues (CHECKED_RETURN)
/src/drivers/ti/tps65913/tps65913rtc.c: 34 in tps65913_read()
________________________________________________________________________________________________________
*** CID 1469462: Error handling issues (CHECKED_RETURN)
/src/drivers/ti/tps65913/tps65913rtc.c: 34 in tps65913_read()
28 TPS65913_RTC_FROZEN = (0 << 1),
29 };
30
31 static inline uint8_t tps65913_read(enum TPS65913_RTC_REG reg)
32 {
33 uint8_t val;
>>> CID 1469462: Error handling issues (CHECKED_RETURN)
>>> Calling "i2c_readb" without checking return value (as is done elsewhere
>>> 9 out of 11 times).
34 i2c_readb(CONFIG_DRIVERS_TI_TPS65913_RTC_BUS,
35 CONFIG_DRIVERS_TI_TPS65913_RTC_ADDR, reg, &val);
36 return val;
37 }
38
39 static inline void tps65913_write(enum TPS65913_RTC_REG reg, uint8_t val)
** CID 1469461: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1469461: (TAINTED_SCALAR)
/3rdparty/vboot/futility/cmd_gbb_utility.c: 478 in do_gbb()
472 sel_hwid = 1;
473
474 inbuf = read_entire_file(infile, &filesize);
475 if (!inbuf)
476 break;
477
>>> CID 1469461: (TAINTED_SCALAR)
>>> Passing tainted expression "*inbuf" to "FindGbbHeader", which uses it
>>> as a loop boundary.
478 gbb = FindGbbHeader(inbuf, filesize);
479 if (!gbb) {
480 fprintf(stderr, "ERROR: No GBB found in %s\n",
infile);
481 break;
482 }
483 gbb_base = (uint8_t *) gbb;
/3rdparty/vboot/futility/cmd_gbb_utility.c: 538 in do_gbb()
532
533 /* With no args, we'll either copy it unchanged or do
nothing */
534 inbuf = read_entire_file(infile, &filesize);
535 if (!inbuf)
536 break;
537
>>> CID 1469461: (TAINTED_SCALAR)
>>> Passing tainted expression "*inbuf" to "FindGbbHeader", which uses it
>>> as a loop boundary.
538 gbb = FindGbbHeader(inbuf, filesize);
539 if (!gbb) {
540 fprintf(stderr, "ERROR: No GBB found in %s\n",
infile);
541 break;
542 }
543 gbb_base = (uint8_t *) gbb;
** CID 1469460: (PRINTF_ARGS)
/src/soc/cavium/cn81xx/soc.c: 291 in dt_platform_fixup()
/src/soc/cavium/cn81xx/soc.c: 288 in dt_platform_fixup()
________________________________________________________________________________________________________
*** CID 1469460: (PRINTF_ARGS)
/src/soc/cavium/cn81xx/soc.c: 291 in dt_platform_fixup()
285
286 if (qlm_mode == BDK_QLM_MODE_DISABLED)
287 snprintf(path, sizeof(path),
"0x0%x%x,disabled",
288 bgx_iface, bgx_index);
289 else
290 snprintf(path, sizeof(path),
"0x0%x%x,%s",
>>> CID 1469460: (PRINTF_ARGS)
>>> Argument "bgx_iface" to format specifier "%x" was expected to have type
>>> "unsigned int" but has type "unsigned long". [Note: The source code
>>> implementation of the function has been overridden by a builtin model.]
291 bgx_iface, bgx_index,
292 QLM_BGX_MODE_MAP[qlm_mode]);
293
294 int64_t phy_address =
295 bdk_config_get_int(BDK_CONFIG_PHY_ADDRESS,
0,
296 bgx_iface, bgx_index);
/src/soc/cavium/cn81xx/soc.c: 288 in dt_platform_fixup()
282 if (rx_dmac_ctl.u == 0)
283 qlm_mode =
BDK_QLM_MODE_DISABLED;
284 }
285
286 if (qlm_mode == BDK_QLM_MODE_DISABLED)
287 snprintf(path, sizeof(path),
"0x0%x%x,disabled",
>>> CID 1469460: (PRINTF_ARGS)
>>> Argument "bgx_iface" to format specifier "%x" was expected to have type
>>> "unsigned int" but has type "unsigned long". [Note: The source code
>>> implementation of the function has been overridden by a builtin model.]
288 bgx_iface, bgx_index);
289 else
290 snprintf(path, sizeof(path),
"0x0%x%x,%s",
291 bgx_iface, bgx_index,
292 QLM_BGX_MODE_MAP[qlm_mode]);
293
** CID 1469459: Memory - illegal accesses (OVERRUN)
/src/vendorcode/mediatek/mt8195/dramc/emi.c: 942 in update_emi_setting()
________________________________________________________________________________________________________
*** CID 1469459: Memory - illegal accesses (OVERRUN)
/src/vendorcode/mediatek/mt8195/dramc/emi.c: 942 in update_emi_setting()
936 row = emi_info->row_width[i] - 13;
937 row_ext = row >> 2;
938 row &= 0x3;
939
940 col = emi_info->col_width[i] - 9;
941
>>> CID 1469459: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "emi_info->rank_size" of 2 8-byte elements at element
>>> index 2 (byte offset 23) using index "i" (which evaluates to 2).
942 rk_size = emi_info->rank_size[i] >> 28;
943 if (u1IsLP4Family(ddr_type))
944 rk_size >>= 1;
945 rk_size_ext = rk_size >> 4;
946 rk_size_chn_ext = rk_size_ext & 0x1;
947 rk_size &= 0xF;
** CID 1469458: (PARSE_ERROR)
/3rdparty/chromeec/common/timer.c: 37 in ()
/3rdparty/chromeec/common/timer.c: 37 in ()
/3rdparty/chromeec/common/timer.c: 37 in ()
________________________________________________________________________________________________________
*** CID 1469458: (PARSE_ERROR)
/3rdparty/chromeec/common/timer.c: 37 in ()
31 #define CPRINTF(format, args...)
32 #endif
33
34 #define TIMER_SYSJUMP_TAG 0x4d54 /* "TM" */
35
36 /* High 32-bits of the 64-bit timestamp counter. */
>>> CID 1469458: (PARSE_ERROR)
>>> function call is not allowed in a constant expression
37 STATIC_IF_NOT(CONFIG_HWTIMER_64BIT) volatile uint32_t clksrc_high;
38
39 /* Bitmap of currently running timers */
40 static uint32_t timer_running;
41
42 /* Deadlines of all timers */
/3rdparty/chromeec/common/timer.c: 37 in ()
31 #define CPRINTF(format, args...)
32 #endif
33
34 #define TIMER_SYSJUMP_TAG 0x4d54 /* "TM" */
35
36 /* High 32-bits of the 64-bit timestamp counter. */
>>> CID 1469458: (PARSE_ERROR)
>>> expression must have integral type
37 STATIC_IF_NOT(CONFIG_HWTIMER_64BIT) volatile uint32_t clksrc_high;
38
39 /* Bitmap of currently running timers */
40 static uint32_t timer_running;
41
42 /* Deadlines of all timers */
/3rdparty/chromeec/common/timer.c: 37 in ()
31 #define CPRINTF(format, args...)
32 #endif
33
34 #define TIMER_SYSJUMP_TAG 0x4d54 /* "TM" */
35
36 /* High 32-bits of the 64-bit timestamp counter. */
>>> CID 1469458: (PARSE_ERROR)
>>> expression must be an integral constant expression
37 STATIC_IF_NOT(CONFIG_HWTIMER_64BIT) volatile uint32_t clksrc_high;
38
39 /* Bitmap of currently running timers */
40 static uint32_t timer_running;
41
42 /* Deadlines of all timers */
** CID 1469457: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1469457: Null pointer dereferences (FORWARD_NULL)
/src/ec/google/chromeec/ec.c: 647 in google_chromeec_flash_write_block()
641 .cmd_data_in = params_data,
642 .cmd_dev_index = 0,
643 };
644
645 assert(params_data);
646
>>> CID 1469457: Null pointer dereferences (FORWARD_NULL)
>>> Passing "&cmd" to "google_chromeec_command", which dereferences null
>>> "cmd.cmd_data_out".
647 return google_chromeec_command(&cmd);
648 }
649
650 /*
651 * EFS verification of flash.
652 */
** CID 1469456: Possible Control flow issues (DEADCODE)
/src/soc/qualcomm/sc7180/display/dsi_phy.c: 267 in
mdss_dsi_calculate_phy_timings()
________________________________________________________________________________________________________
*** CID 1469456: Possible Control flow issues (DEADCODE)
/src/soc/qualcomm/sc7180/display/dsi_phy.c: 267 in
mdss_dsi_calculate_phy_timings()
261 tmin = DIV_ROUND_UP(temp, ui_x8) - 1;
262 tmax = 63;
263 timing->clk_post = linear_inter(tmax, tmin, pcnt2, 0, false);
264
265 temp = 8 * ui + (timing->clk_prepare << 3) * ui;
266 temp += (((timing->clk_zero + 3) << 3) + 11) * ui;
>>> CID 1469456: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach the expression "((timing->hs_rqst << 3) + 4U) *
>>> ui" inside this statement: "temp += (hb_en_ckln ? ((tim...".
267 temp += hb_en_ckln ? (((timing->hs_rqst << 3) + 4) * ui) :
268 (((timing->hs_rqst << 3) + 8) * ui);
269 tmin = S_DIV_ROUND_UP(temp, ui_x8) - 1;
270 tmax = 63;
271 if (tmin > tmax) {
272 temp = linear_inter(tmax << 1, tmin, pcnt2, 0, false);
** CID 1469455: (DEADCODE)
/home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 492 in
github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)()
/home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 488 in
github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)()
________________________________________________________________________________________________________
*** CID 1469455: (DEADCODE)
/home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 492 in
github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)()
486 hash := cipher.HASH
487 if err != nil {
488 return nil, err
489 }
490 cipherText := cipher.CipherText
491 if err != nil {
>>> CID 1469455: (DEADCODE)
>>> Execution cannot reach this statement: "<temporary>.$0 = nil;".
492 return nil, err
493 }
494 c := []byte{}
495 c = append(c, x...) // x
496 c = append(c, y...) // y
497 c = append(c, hash...) // x
/home/coreboot/go/pkg/mod/github.com/tjfoc/gmsm@v1.4.0/sm2/sm2.go: 488 in
github.com/tjfoc/gmsm/sm2.CipherUnmarshal([]byte)([]byte, error)()
482 return nil, err
483 }
484 x := cipher.XCoordinate.Bytes()
485 y := cipher.YCoordinate.Bytes()
486 hash := cipher.HASH
487 if err != nil {
>>> CID 1469455: (DEADCODE)
>>> Execution cannot reach this statement: "<temporary>.$0 = nil;".
488 return nil, err
489 }
490 cipherText := cipher.CipherText
491 if err != nil {
492 return nil, err
493 }
** CID 1469454: Possible Control flow issues (DEADCODE)
/src/vendorcode/mediatek/mt8192/dramc/dramc_top.c: 1061 in mt_set_emi()
________________________________________________________________________________________________________
*** CID 1469454: Possible Control flow issues (DEADCODE)
/src/vendorcode/mediatek/mt8192/dramc/dramc_top.c: 1061 in mt_set_emi()
1055 emi_setting_index = -1;
1056 emi_set = &default_emi_setting;
1057 #endif
1058 segment = (seclib_get_devinfo_with_index(7) & 0xFF);
1059 if ((segment == 0x80) || (segment == 0x01) || (segment == 0x40)
|| (segment == 0x02))
1060 {
>>> CID 1469454: Possible Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "(*emi_set).DRAMC_ACTIME_UNI...".
1061 emi_set->DRAMC_ACTIME_UNION[0] = 3733;
1062 }
1063 #ifdef DDR_RESERVE_MODE
1064 if(g_ddr_reserve_enable==1 && g_ddr_reserve_success==0)
1065 Before_Init_DRAM_While_Reserve_Mode_fail(emi_set->type
& 0xF);
1066 #endif
** CID 1469453: Control flow issues (DEADCODE)
/3rdparty/arm-trusted-firmware/plat/mediatek/mt8195/plat_pm.c: 301 in
plat_validate_power_state()
________________________________________________________________________________________________________
*** CID 1469453: Control flow issues (DEADCODE)
/3rdparty/arm-trusted-firmware/plat/mediatek/mt8195/plat_pm.c: 301 in
plat_validate_power_state()
295 {
296 unsigned int pstate = psci_get_pstate_type(power_state);
297 unsigned int aff_lvl = psci_get_pstate_pwrlvl(power_state);
298 unsigned int cpu = plat_my_core_pos();
299
300 if (aff_lvl > PLAT_MAX_PWR_LVL) {
>>> CID 1469453: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "return -2;".
301 return PSCI_E_INVALID_PARAMS;
302 }
303
304 if (pstate == PSTATE_TYPE_STANDBY) {
305 req_state->pwr_domain_state[0] = PLAT_MAX_RET_STATE;
306 } else {
** CID 1469452: (BAD_SHIFT)
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
________________________________________________________________________________________________________
*** CID 1469452: (BAD_SHIFT)
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL;
1068 }
1069
1070 if(a_cfg->DLL_ASYNC_EN == 1)
1071 {
1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL;
1068 }
1069
1070 if(a_cfg->DLL_ASYNC_EN == 1)
1071 {
1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1092 }
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL;
1068 }
1069
1070 if(a_cfg->DLL_ASYNC_EN == 1)
1071 {
1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1073 in SPM_control()
1067 MS_SLV_LP_SEL_Reg.u4Fld = CA_LP_CTRL0_RG_CA_MS_SLV_LP_SEL;
1068 }
1069
1070 if(a_cfg->DLL_ASYNC_EN == 1)
1071 {
1072 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1092 }
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1081 in SPM_control()
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1092 }
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1085 in SPM_control()
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(1U & (1 << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 16)) - 1)
>>> << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than 31
>>> bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 8", is 268.
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1079 in SPM_control()
1073
vIO32WriteFldMulti_All(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(1,
MS_SLV_LP_SEL_Reg.u4Fld));
1074 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1075 }
1076 else
1077 {
1078 DramcBroadcastOnOff(DRAMC_BROADCAST_OFF);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1079 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1080 vSetPHY2ChannelMapping(p, CHANNEL_B);
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
/src/vendorcode/mediatek/mt8195/dramc/ANA_init_config.c: 1087 in SPM_control()
1081 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(0 , MS_SLV_LP_SEL_Reg.u4Fld ));
1082 #if (CHANNEL_NUM>2)
1083 if (channel_num_auxadc > 2) {
1084 vSetPHY2ChannelMapping(p, CHANNEL_C);
1085 vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr),
P_Fld(1, MS_SLV_LP_SEL_Reg.u4Fld ));
1086 vSetPHY2ChannelMapping(p, CHANNEL_D);
>>> CID 1469452: (BAD_SHIFT)
>>> In expression "(0xffffffffU >> 32 - (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >>
>>> 16)) << (UINT8)(MS_SLV_LP_SEL_Reg.u4Fld >> 8)", left shifting by more than
>>> 31 bits has undefined behavior. The shift amount, "MS_SLV_LP_SEL_Reg.u4Fld
>>> >> 8", is 268.
1087
vIO32WriteFldMulti(DRAMC_REG_ADDR(MS_SLV_LP_SEL_Reg.u4Addr), P_Fld(0
, MS_SLV_LP_SEL_Reg.u4Fld ));
1088 }
1089 #endif
1090 vSetPHY2ChannelMapping(p, CHANNEL_A);
1091 DramcBroadcastOnOff(DRAMC_BROADCAST_ON);
1092 }
** CID 1469451: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1469451: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/cbfstool.c: 1208 in cbfstool_convert_mkpayload()
1202 /* If it's not an FIT, see if it's a UEFI FV */
1203 if (ret != 0)
1204 ret = parse_fv_to_payload(buffer, &output,
param.compression);
1205
1206 /* If it's neither ELF nor UEFI Fv, try bzImage */
1207 if (ret != 0)
>>> CID 1469451: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted expression "*buffer->data" to
>>> "parse_bzImage_to_payload", which uses it as an offset.
1208 ret = parse_bzImage_to_payload(buffer, &output,
1209 param.initrd, param.cmdline,
param.compression);
1210
1211 /* Not a supported payload type */
1212 if (ret != 0) {
1213 ERROR("Not a supported payload type (ELF / FV).\n");
** CID 1469450: (UNINIT)
/src/vendorcode/mediatek/mt8195/dramc/dramc_pi_calibration_api.c: 3188 in
DramcWriteLeveling()
/src/vendorcode/mediatek/mt8192/dramc/dramc_pi_calibration_api.c: 3749 in
DramcWriteLeveling()
________________________________________________________________________________________________________
*** CID 1469450: (UNINIT)
/src/vendorcode/mediatek/mt8195/dramc/dramc_pi_calibration_api.c: 3188 in
DramcWriteLeveling()
3182 }
3183 #endif
3184
3185 if (u1OverBoundCnt > 0)
3186 ShiftDQSWCK_UI(p, -u1OverBoundCnt * (PI_bound / DQPI_PER_UI),
ALL_BYTES);
3187
>>> CID 1469450: (UNINIT)
>>> Using uninitialized value "ucDoneFlg".
3188 if (ucDoneFlg == 0xff)
3189 {
3190
3191 fgwrlevel_done = 1;
3192 KResult = DRAM_OK;
3193 }
/src/vendorcode/mediatek/mt8192/dramc/dramc_pi_calibration_api.c: 3749 in
DramcWriteLeveling()
3743 }
3744 #endif
3745
3746 if (u1OverBoundCnt > 0)
3747 ShiftDQSWCK_UI(p, -u1OverBoundCnt * (PI_bound /
DQPI_PER_UI), ALL_BYTES);
3748
>>> CID 1469450: (UNINIT)
>>> Using uninitialized value "ucDoneFlg".
3749 if (ucDoneFlg == 0xff)
3750 {
3751 // all bytes are done
3752 fgwrlevel_done = 1;
3753 KResult = DRAM_OK;
3754 }
** CID 1469449: Medium impact security (RISKY_CRYPTO)
/home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/verify.go:
139 in github.com/google/go-tpm/tpm.VerifyQuote(*crypto/rsa.PublicKey, []byte,
[]byte, []int, []byte)error()
________________________________________________________________________________________________________
*** CID 1469449: Medium impact security (RISKY_CRYPTO)
/home/coreboot/go/pkg/mod/github.com/google/go-tpm@v0.3.3-0.20210120190357-1ff48daca32f/tpm/verify.go:
139 in github.com/google/go-tpm/tpm.VerifyQuote(*crypto/rsa.PublicKey, []byte,
[]byte, []int, []byte)error()
133 func VerifyQuote(pk *rsa.PublicKey, data []byte, quote []byte, pcrNums
[]int, pcrs []byte) error {
134 p, err := NewQuoteInfo(data, pcrNums, pcrs)
135 if err != nil {
136 return err
137 }
138
>>> CID 1469449: Medium impact security (RISKY_CRYPTO)
>>> Using a weak hashing algorithm. The RIPEMD, MD2, MD4, MD5, SHA0 and
>>> SHA1 cryptographic hashing algorithms are not collision resistant.
>>> Furthermore, these algorithms suffer from length extension attacks: without
>>> knowing the original unhashed message, an attacker can generate a valid
>>> hash for messages that have the original message as a prefix.
139 s := sha1.Sum(p)
140
141 // Try to do a direct encryption to reverse the value and see
if it's padded
142 // with PKCS1v1.5.
143 return rsa.VerifyPKCS1v15(pk, crypto.SHA1, s[:], quote)
144 }
** CID 1469448: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1469448: (TAINTED_SCALAR)
/util/cbfstool/partitioned_file.c: 116 in partitioned_file_create()
110 if (fmap_find((const uint8_t *)flashmap->data, flashmap->size)
!= 0) {
111 ERROR("Attempted to create a partitioned image out of
something that isn't an FMAP\n");
112 return NULL;
113 }
114 struct fmap *bootstrap_fmap = (struct fmap *)flashmap->data;
115
>>> CID 1469448: (TAINTED_SCALAR)
>>> Passing tainted expression "bootstrap_fmap->nareas" to
>>> "fmap_find_area", which uses it as a loop boundary.
116 const struct fmap_area *fmap_area =
117 fmap_find_area(bootstrap_fmap,
SECTION_NAME_FMAP);
118 if (!fmap_area) {
119 ERROR("Provided FMAP missing '%s' region\n",
SECTION_NAME_FMAP);
120 return NULL;
121 }
/util/cbfstool/partitioned_file.c: 150 in partitioned_file_create()
144 if (!file)
145 return NULL;
146
147 struct buffer fmap_region;
148 buffer_splice(&fmap_region, &file->buffer, fmap_area->offset,
fmap_area->size);
149 memcpy(fmap_region.data, bootstrap_fmap, fmap_len);
>>> CID 1469448: (TAINTED_SCALAR)
>>> Passing tainted expression "fmap_region.size" to
>>> "partitioned_file_write_region", which uses it as an offset.
150 if (!partitioned_file_write_region(file, &fmap_region)) {
151 partitioned_file_close(file);
152 return NULL;
153 }
154 file->fmap = (struct fmap *)(file->buffer.data +
fmap_area->offset);
155
/util/cbfstool/partitioned_file.c: 142 in partitioned_file_create()
136 if ((uint32_t)fmap_len > fmap_area->size) {
137 ERROR("Provided FMAP's '%s' region needs to be at least
%d bytes\n",
138 SECTION_NAME_FMAP,
fmap_len);
139 return NULL;
140 }
141
>>> CID 1469448: (TAINTED_SCALAR)
>>> Passing tainted expression "bootstrap_fmap->size" to
>>> "partitioned_file_create_flat", which uses it as an allocation size.
142 partitioned_file_t *file =
partitioned_file_create_flat(filename,
143
bootstrap_fmap->size);
144 if (!file)
145 return NULL;
146
147 struct buffer fmap_region;
** CID 1469447: Memory - corruptions (OVERRUN)
/src/vendorcode/mediatek/mt8192/dramc/dramc_pi_basic_api.c: 319 in
UpdateDFSTbltoDDR3200()
________________________________________________________________________________________________________
*** CID 1469447: Memory - corruptions (OVERRUN)
/src/vendorcode/mediatek/mt8192/dramc/dramc_pi_basic_api.c: 319 in
UpdateDFSTbltoDDR3200()
313 // lookup table to find highest freq
314 highestfreqsel = GetSelByFreq(p, u2HighestFreq);
315 for (u1ShuffleIdx = DRAM_DFS_SHUFFLE_1; u1ShuffleIdx <
DRAM_DFS_SHUFFLE_MAX; u1ShuffleIdx++)
316 if (gFreqTbl[u1ShuffleIdx].freq_sel == highestfreqsel)
317 break;
318
>>> CID 1469447: Memory - corruptions (OVERRUN)
>>> Overrunning array "gFreqTbl" of 7 24-byte elements at element index 7
>>> (byte offset 191) using index "u1ShuffleIdx" (which evaluates to 7).
319 gFreqTbl[u1ShuffleIdx].freq_sel = LP4_DDR3200; // for DSC DRAM
320
321 gUpdateHighestFreq = TRUE;
322 u2HighestFreq = u2DFSGetHighestFreq(p); // @Darren, Update
u2FreqMax variables
323 #if __ETT__
324 UpdateEttDFVSTbltoDDR3200(p, u2HighestFreq); //@Darren, Update
for DDR3200 ETT DVFS stress
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yq2SfQfrHt3Prsn4qSLrYIrajINpiFX8l0vrlNSf8iCrS27qY0Cr0DkycwNUgGZJj8-3DSRzB_L-2FDzr14mnrsJO5b1wX1hp9b1MAQygl7x-2B74RAaH2cn2Q9cFZmshSvthTrv7-2BF5UzCVy-2BBOwox31LM38TlV43VVucOAeo3yFpo4UEdlzR4jX3LvVIU-2FwQaZR3ZY4QCLYqdNGbgFW-2BJx4xacEHJ9bxhaZm1OOVHSa-2BXXazVEkM3-2F-2F00PdjOeNeRa7Bvwaouy0EGLYrUXWutxwJlTtveBukEg-3D-3D
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org
