Hi,

Please find the latest report on new defect(s) introduced to coreboot found 
with Coverity Scan.

27 new defect(s) introduced to coreboot found with Coverity Scan.


New defect(s) Reported-by: Coverity Scan
Showing 20 of 27 defect(s)


** CID 1393979:    (RESOURCE_LEAK)
/src/lib/device_tree.c: 948 in dt_set_bin_prop_by_path()
/src/lib/device_tree.c: 959 in dt_set_bin_prop_by_path()
/src/lib/device_tree.c: 964 in dt_set_bin_prop_by_path()


________________________________________________________________________________________________________
*** CID 1393979:    (RESOURCE_LEAK)
/src/lib/device_tree.c: 948 in dt_set_bin_prop_by_path()
942                     return 1;
943             }
944     
945             prop_name = strrchr(path_copy, '/');
946             if (!prop_name) {
947                     printk(BIOS_ERR, "Path %s does not include '/'\n", 
path);
>>>     CID 1393979:    (RESOURCE_LEAK)
>>>     Variable "path_copy" going out of scope leaks the storage it points to.
948                     return 1;
949             }
950     
951             *prop_name++ = '\0'; /* Separate path from the property name. */
952     
953             dt_node = dt_find_node_by_path(tree->root, path_copy, NULL,
/src/lib/device_tree.c: 959 in dt_set_bin_prop_by_path()
953             dt_node = dt_find_node_by_path(tree->root, path_copy, NULL,
954                                            NULL, create);
955     
956             if (!dt_node) {
957                     printk(BIOS_ERR, "Failed to %s %s in the device tree\n",
958                            create ? "create" : "find", path_copy);
>>>     CID 1393979:    (RESOURCE_LEAK)
>>>     Variable "path_copy" going out of scope leaks the storage it points to.
959                     return 1;
960             }
961     
962             dt_add_bin_prop(dt_node, prop_name, data, data_size);
963     
964             return 0;
/src/lib/device_tree.c: 964 in dt_set_bin_prop_by_path()
958                            create ? "create" : "find", path_copy);
959                     return 1;
960             }
961     
962             dt_add_bin_prop(dt_node, prop_name, data, data_size);
963     
>>>     CID 1393979:    (RESOURCE_LEAK)
>>>     Variable "path_copy" going out of scope leaks the storage it points to.
964             return 0;
965     }
966     
967     /*
968      * Prepare the /reserved-memory/ node.
969      *

** CID 1393978:  Null pointer dereferences  (FORWARD_NULL)
/src/vendorcode/cavium/bdk/libbdk-hal/device/bdk-device.c: 523 in 
bdk_device_add()


________________________________________________________________________________________________________
*** CID 1393978:  Null pointer dereferences  (FORWARD_NULL)
/src/vendorcode/cavium/bdk/libbdk-hal/device/bdk-device.c: 523 in 
bdk_device_add()
517     {
518         if (device_list_count == device_list_max)
519         {
520             int grow = device_list_max + DEVICE_GROW;
521             bdk_device_t *tmp = malloc(grow * sizeof(bdk_device_t));
522             if (!tmp)
>>>     CID 1393978:  Null pointer dereferences  (FORWARD_NULL)
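>>>     Passing null pointer "tmp" to "memcpy", which dereferences it. [Note: 
>>> The source code implementation of the function has been overridden by a 
>>> builtin model.]
>>>     The guard on line 522 is inverted: "memcpy" is reached only when 
>>> "malloc" returned NULL, and the copy from "device_list" is skipped when the 
>>> allocation succeeds.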
523                 memcpy(tmp, device_list, device_list_max * 
sizeof(bdk_device_t));
524             free(device_list);
525             if (tmp == NULL)
526             {
527                 bdk_error("bdk-device: Failed to allocate space for 
device\n");
528                 return -1;

** CID 1393977:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 78 in thunderx_get_core_clock()


________________________________________________________________________________________________________
*** CID 1393977:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 78 in thunderx_get_core_clock()
72     u64 thunderx_get_core_clock(void)
73     {
74      union cavm_rst_boot rst_boot;
75     
76      rst_boot.u = read64((void *)RST_PF_BAR0);
77     
>>>     CID 1393977:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "rst_boot.s.c_mul * 50000000" with 
>>> type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then 
>>> used in a context that expects an expression of type "u64" (64 bits, 
>>> unsigned).
78      return rst_boot.s.c_mul * PLL_REF_CLK;

** CID 1393976:  Control flow issues  (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/libdram.c: 185 in bdk_libdram_tune_node()


________________________________________________________________________________________________________
*** CID 1393976:  Control flow issues  (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/libdram.c: 185 in bdk_libdram_tune_node()
179         // disabled by default for now, does not seem to be needed?
180         // Automatically tune the data byte DLL write offsets
181         // allow override of default setting
182         str = getenv("ddr_tune_write_offsets");
183         str = NULL;
184         if (str)
>>>     CID 1393976:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach the expression "do_dllwo" inside this statement: 
>>> "do_dllwo = !!strtoul(str, N...".
185             do_dllwo = !!strtoul(str, NULL, 0);
186         if (do_dllwo) {
187             BDK_TRACE(DRAM, "N%d: Starting DLL Write Offset Tuning for 
LMCs\n", node);
188             errs = perform_dll_offset_tuning(node, /* write */1, /* tune 
*/1);
189             BDK_TRACE(DRAM, "N%d: Finished DLL Write Offset Tuning for 
LMCs, %d errors)\n",
190                    node, errs);

** CID 1393975:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1393975:  Memory - corruptions  (OVERRUN)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 595 in 
test_dram_byte_hw()
589                        dbtrain_ctl.s.prank, dbtrain_ctl.s.lrank,
590                        dbtrain_ctl.s.bg, dbtrain_ctl.s.ba, row, col);
591                 /*
592                   4) Kick off the sequence (SEQ_CTL[SEQ_SEL] = 14, 
SEQ_CTL[INIT_START] = 1).
593                   5) Poll on SEQ_CTL[SEQ_COMPLETE] for completion.
594                 */
>>>     CID 1393975:  Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 12 by passing argument "14" in call 
>>> to "perform_octeon3_ddr3_sequence".
595                 perform_octeon3_ddr3_sequence(node, prank, 
ddr_interface_num, 14);
596     
597                 /*
598                   6) Read MPR_DATA0 and MPR_DATA1 for results:
599                     a. MPR_DATA0[MPR_DATA<63:0>]  comparison results for 
DQ63:DQ0.
600                        (1 means MATCH, 0 means FAIL).

** CID 1393974:    (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/gpio.c: 106 in gpio_set()
/src/soc/cavium/cn81xx/gpio.c: 108 in gpio_set()


________________________________________________________________________________________________________
*** CID 1393974:    (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/gpio.c: 106 in gpio_set()
100             if (gpio >= gpio_pin_count())
101                     return;
102     
103             printk(BIOS_SPEW, "GPIO(%u): level: %u\n", gpio, !!value);
104     
105             if (value)
>>>     CID 1393974:    (OVERFLOW_BEFORE_WIDEN)
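>>>     Potentially overflowing expression "1 << gpio" with type "int" (32 
>>> bits, signed) is evaluated using 32-bit arithmetic, and then used in a 
>>> context that expects an expression of type "uint64_t" (64 bits, unsigned).
>>>     A 64-bit operand, e.g. "1ULL << gpio", keeps the shift in 64-bit 
>>> arithmetic; the same applies to line 108.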
106                     write64(&regs->tx_set, 1 << gpio);
107             else
108                     write64(&regs->tx_clr, 1 << gpio);
109     }
110     
111     /* Set GPIO direction to OUTPUT with level */
/src/soc/cavium/cn81xx/gpio.c: 108 in gpio_set()
102     
103             printk(BIOS_SPEW, "GPIO(%u): level: %u\n", gpio, !!value);
104     
105             if (value)
106                     write64(&regs->tx_set, 1 << gpio);
107             else
>>>     CID 1393974:    (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "1 << gpio" with type "int" (32 
>>> bits, signed) is evaluated using 32-bit arithmetic, and then used in a 
>>> context that expects an expression of type "uint64_t" (64 bits, unsigned).
108                     write64(&regs->tx_clr, 1 << gpio);
109     }
110     
111     /* Set GPIO direction to OUTPUT with level */
112     void gpio_output(gpio_t gpio, int value)
113     {

** CID 1393973:    (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 100 in read_entire_spd()
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 111 in read_entire_spd()
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 119 in read_entire_spd()


________________________________________________________________________________________________________
*** CID 1393973:    (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 100 in read_entire_spd()
94         uint32_t *ptr = (uint32_t *)spd_buf;
95     
96         for (int bank = 0; bank < (spd_size >> 8); bank++)
97         {
98             /* this should only happen for DDR4, which has a second bank of 
256 bytes */
99             if (bank)
>>>     CID 1393973:    (DEADCODE)
>>>     Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...".
100                 bdk_twsix_write_ia(node, bus, 0x36 | bank, 0, 2, 1, 0);
101             int bank_size = 256;
102             for (int i = 0; i < bank_size; i += 4)
103             {
104                 int64_t data = bdk_twsix_read_ia(node, bus, address, i, 4, 
1);
105                 if (data < 0)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 111 in read_entire_spd()
105                 if (data < 0)
106                 {
107                     free(spd_buf);
108                     bdk_error("Failed to read SPD data at 0x%x\n", i + 
(bank << 8));
109                     /* Restore the bank to zero */
110                     if (bank)
>>>     CID 1393973:    (DEADCODE)
>>>     Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...".
111                         bdk_twsix_write_ia(node, bus, 0x36 | 0, 0, 2, 1, 0);
112                     return -1;
113                 }
114                 else
115                     *ptr++ = bdk_be32_to_cpu(data);
116             }
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 119 in read_entire_spd()
113                 }
114                 else
115                     *ptr++ = bdk_be32_to_cpu(data);
116             }
117             /* Restore the bank to zero */
118             if (bank)
>>>     CID 1393973:    (DEADCODE)
>>>     Execution cannot reach this statement: "bdk_twsix_write_ia(node, bu...".
119                 bdk_twsix_write_ia(node, bus, 0x36 | 0, 0, 2, 1, 0);
120         }
121     
122         /* Store the SPD in the device tree */
123         /* FIXME(dhendrix): No need for this? cfg gets updated, so the 
caller
124          * (libdram_config()) has what it needs. */

** CID 1393972:  Insecure data handling  (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1011 in 
perform_dll_offset_tuning()


________________________________________________________________________________________________________
*** CID 1393972:  Insecure data handling  (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1011 in 
perform_dll_offset_tuning()
1005         /* Disable l2 sets for DRAM testing */
1006         limit_l2_ways(node, 0, ways_print);
1007     #endif
1008     
1009         // testing is done on all LMCs simultaneously
1010         // FIXME: for now, loop here to show what happens multiple times
>>>     CID 1393972:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "loops" as a loop boundary.
1011         for (loop = 0; loop < loops; loop++) {
1012             /* Perform DLL offset tuning */
1013             errs = auto_set_dll_offset(node, dll_offset_mode, num_lmcs, 
ddr_interface_64b, do_tune);
1014         }
1015     
1016     #if USE_L2_WAYS_LIMIT

** CID 1393971:  Insecure data handling  (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in 
initialize_ddr_clock()


________________________________________________________________________________________________________
*** CID 1393971:  Insecure data handling  (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1146 in 
initialize_ddr_clock()
1140                            best_en_idx = strtoul(s, NULL, 0);
1141                            override_pll_settings = 1;
1142                        }
1143     
1144                        if (override_pll_settings) {
1145                            best_pll_MHz = ddr_ref_hertz * (best_clkf+1) / 
(best_clkr+1) / 1000000;
>>>     CID 1393971:  Insecure data handling  (TAINTED_SCALAR)
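>>>     Using tainted variable "best_en_idx" as an index into an array "_en".
>>>     The index is the unchecked result of "strtoul" on line 1140; no range 
>>> check against the size of "_en" appears in the lines shown.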
1146                            best_calculated_ddr_hertz = ddr_ref_hertz * 
(best_clkf + 1) / ((best_clkr + 1) * (_en[best_en_idx]));
1147                            best_error = ddr_hertz - 
best_calculated_ddr_hertz;
1148                        }
1149     
1150                        ddr_print("clkr: %2llu, en[%d]: %2d, clkf: %4llu, 
pll_MHz: %4llu, ddr_hertz: %8llu, error: %8lld <==\n",
1151                                  best_clkr, best_en_idx, _en[best_en_idx], 
best_clkf, best_pll_MHz,

** CID 1393970:  Integer handling issues  (DIVIDE_BY_ZERO)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-usb.c: 372 in bdk_usb_initialize()


________________________________________________________________________________________________________
*** CID 1393970:  Integer handling issues  (DIVIDE_BY_ZERO)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-usb.c: 372 in bdk_usb_initialize()
366         {
367             static bool printit[2] = {true,true};
368             if (printit[usb_port]) {
369                 uint64_t fr_div;
370                 if (divider < 5) fr_div = divider * 2;
371                 else fr_div = 8 * (divider - 3);
>>>     CID 1393970:  Integer handling issues  (DIVIDE_BY_ZERO)
>>>     In expression "sclk_rate / fr_div", division by expression "fr_div" 
>>> which may be zero has undefined behavior.
>>>     "fr_div" is zero when "divider" is 0, via the "divider * 2" branch on 
>>> line 370.
372                 uint64_t freq = (typeof(freq)) (sclk_rate / fr_div);
373                 const char *token;
374                 if (freq < 62500000ULL) token = "???Low";
375                 else if (freq < 90000000ULL) token = "USB2";
376                 else if (freq < 125000000ULL) token = "USB2 Full";
377                 else if (freq < 150000000ULL) token = "USB3";

** CID 1393969:  Possible Control flow issues  (DEADCODE)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-qlm.c: 421 in bdk_qlm_eye_display()


________________________________________________________________________________________________________
*** CID 1393969:  Possible Control flow issues  (DEADCODE)
/src/vendorcode/cavium/bdk/libbdk-hal/bdk-qlm.c: 421 in bdk_qlm_eye_display()
415             result = 0;
416         }
417         else
418             result = -1;
419     
420         if (need_free)
>>>     CID 1393969:  Possible Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "free((void *)eye);".
421             free((void*)eye);
422         return result;

** CID 1393968:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 66 in thunderx_get_io_clock()


________________________________________________________________________________________________________
*** CID 1393968:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
/src/soc/cavium/cn81xx/clock.c: 66 in thunderx_get_io_clock()
60     u64 thunderx_get_io_clock(void)
61     {
62      union cavm_rst_boot rst_boot;
63     
64      rst_boot.u = read64((void *)RST_PF_BAR0);
65     
>>>     CID 1393968:  Integer handling issues  (OVERFLOW_BEFORE_WIDEN)
>>>     Potentially overflowing expression "rst_boot.s.pnr_mul * 50000000" with 
>>> type "int" (32 bits, signed) is evaluated using 32-bit arithmetic, and then 
>>> used in a context that expects an expression of type "u64" (64 bits, 
>>> unsigned).
66      return rst_boot.s.pnr_mul * PLL_REF_CLK;
67     }
68     
69     /**
70      * Returns the core clock speed in Hz
71      */

** CID 1393967:  Code maintainability issues  (UNUSED_VALUE)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 658 in 
auto_set_dll_offset()


________________________________________________________________________________________________________
*** CID 1393967:  Code maintainability issues  (UNUSED_VALUE)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 658 in 
auto_set_dll_offset()
652             } /* for (lmc = 0; lmc < num_lmcs; lmc++) */
653     
654             bdk_watchdog_poke();
655     
656             // run the test(s)
657             // only 1 call should be enough, let the bursts, etc, control 
the load...
>>>     CID 1393967:  Code maintainability issues  (UNUSED_VALUE)
>>>     Assigning value from "run_dram_tuning_threads(node, num_lmcs, 
>>> bytemask)" to "tot_errors" here, but that stored value is overwritten 
>>> before it can be used.
658             tot_errors = run_dram_tuning_threads(node, num_lmcs, bytemask);
659     
660             for (lmc = 0; lmc < num_lmcs; lmc++) {
661                 // record stop cycle CSRs here for utilization measure
662                 stop_dram_dclk[lmc] = BDK_CSR_READ(node, 
BDK_LMCX_DCLK_CNT(lmc));
663                 stop_dram_ops[lmc]  = BDK_CSR_READ(node, 
BDK_LMCX_OPS_CNT(lmc));

** CID 1393966:  Control flow issues  (DEADCODE)
/src/soc/cavium/cn81xx/uart.c: 104 in uart_platform_refclk()


________________________________________________________________________________________________________
*** CID 1393966:  Control flow issues  (DEADCODE)
/src/soc/cavium/cn81xx/uart.c: 104 in uart_platform_refclk()
98     unsigned int uart_platform_refclk(void)
99     {
100             struct cn81xx_uart *uart =
101                 (struct cn81xx_uart *)CONFIG_CONSOLE_SERIAL_UART_ADDRESS;
102     
103             if (!uart)
>>>     CID 1393966:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return 0U;".
104                     return 0;
105     
106             return uart_hclk(uart);
107     }
108     
109     uintptr_t uart_platform_base(int idx)

** CID 1393965:  Control flow issues  (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1880 in 
dbi_switchover_interface()


________________________________________________________________________________________________________
*** CID 1393965:  Control flow issues  (DEADCODE)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 1880 in 
dbi_switchover_interface()
1874             for (byte = 0; byte < (8+ecc_ena); byte++) {
1875                 unlocked += (dbi_settings[byte] & 1) ^ 1;
1876             }
1877     
1878             // FIXME: print out the DBI settings array after each rank?
1879             if (rank_max > 1) // only when doing more than 1 rank
>>>     CID 1393965:  Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "display_DAC_DBI_settings(no...".
1880                 display_DAC_DBI_settings(node, lmc, /* DBI */0, ecc_ena, 
dbi_settings, " RANK");
1881     
1882             if (unlocked > 0) {
1883                 ddr_print("N%d.LMC%d: DBI switchover: LOCK: %d still 
unlocked.\n",
1884                       node, lmc, unlocked);
1885     

** CID 1393964:    (TAINTED_SCALAR)


________________________________________________________________________________________________________
*** CID 1393964:    (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 682 in 
perform_ddr_init_sequence()
676     
677                 bdk_wait_usec(1000);   /* Wait a while. */
678     
679                 if ((s = lookup_env_parameter("ddr_sequence1")) != NULL) {
680                     int sequence1;
681                     sequence1 = strtoul(s, NULL, 0);
>>>     CID 1393964:    (TAINTED_SCALAR)
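>>>     Passing tainted variable "sequence1" to a tainted sink.
>>>     "sequence1" is the unchecked "strtoul" result from line 681; CID 1393975 
>>> in this report shows the same argument of "perform_octeon3_ddr3_sequence" 
>>> indexing a callee array of size 12.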
682                     perform_octeon3_ddr3_sequence(node, (1 << rankx),
683                                                   ddr_interface_num, 
sequence1);
684                 }
685     
686                 if ((s = lookup_env_parameter("ddr_sequence2")) != NULL) {
687                     int sequence2;
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 689 in 
perform_ddr_init_sequence()
683                                                   ddr_interface_num, 
sequence1);
684                 }
685     
686                 if ((s = lookup_env_parameter("ddr_sequence2")) != NULL) {
687                     int sequence2;
688                     sequence2 = strtoul(s, NULL, 0);
>>>     CID 1393964:    (TAINTED_SCALAR)
>>>     Passing tainted variable "sequence2" to a tainted sink.
689                     perform_octeon3_ddr3_sequence(node, (1 << rankx),
690                                                   ddr_interface_num, 
sequence2);
691                 }
692             }
693         }
694     }

** CID 1393963:  Uninitialized variables  (UNINIT)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 570 in 
dram_get_default_spd_speed()


________________________________________________________________________________________________________
*** CID 1393963:  Uninitialized variables  (UNINIT)
/src/vendorcode/cavium/bdk/libdram/dram-spd.c: 570 in 
dram_get_default_spd_speed()
564                         dimms_per_lmc++;
565                 }
566             }
567         }
568     
569         // all DIMMs must be same speed
>>>     CID 1393963:  Uninitialized variables  (UNINIT)
>>>     Using uninitialized value "dimm_speed[0]".
570         speed = dimm_speed[0];
571         for (dimm = 1; dimm < dimm_count; dimm++) {
572             if (dimm_speed[dimm] != speed) {
573                 ret_speed = -1;
574                 goto finish_up;
575             }

** CID 1393962:  Null pointer dereferences  (FORWARD_NULL)


________________________________________________________________________________________________________
*** CID 1393962:  Null pointer dereferences  (FORWARD_NULL)
/src/vendorcode/cavium/bdk/libbdk-dram/bdk-dram-test-addrbus.c: 64 in 
__bdk_dram_test_mem_address_bus()
58     {
59         int failures = 0;
60     
61         /* Clear our work area. Checking for aliases later could get false
62            positives if it matched stale data */
63         void *ptr = (area) ? bdk_phys_to_ptr(area) : NULL;
>>>     CID 1393962:  Null pointer dereferences  (FORWARD_NULL)
>>>     Passing null pointer "ptr" to "bdk_zero_memory", which dereferences it.
64         bdk_zero_memory(ptr, max_address - area);
65         __bdk_dram_flush_to_mem_range(area, max_address);
66     
67         /* Each time we write, we'll write this pattern xored the address it 
is
68            written too */
69         uint64_t pattern = 0x0fedcba987654321;

** CID 1393961:    (INTEGER_OVERFLOW)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 175 in 
init_octeon_dram_interface()


________________________________________________________________________________________________________
*** CID 1393961:    (INTEGER_OVERFLOW)
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 175 in 
init_octeon_dram_interface()
169                 bdk_reset_chip(node);
170             }
171         }
172     
173         printf("N%d.LMC%d Configuration Completed: %d MB\n",
174                node, ddr_interface_num, mem_size_mbytes);
>>>     CID 1393961:    (INTEGER_OVERFLOW)
>>>     Overflowed or truncated value (or a value computed from an overflowed 
>>> or truncated value) "mem_size_mbytes" used as return value.
175         return mem_size_mbytes;
176     }
177     
178     #define DO_LIKE_RANDOM_XOR 1
179     
180     #if !DO_LIKE_RANDOM_XOR
/src/vendorcode/cavium/bdk/libdram/lib_octeon_shared.c: 145 in 
init_octeon_dram_interface()
139     
140      restart_lmc_init:
141     
142         /* Poke the watchdog timer so it doesn't expire during DRAM init */
143         bdk_watchdog_poke();
144     
>>>     CID 1393961:    (INTEGER_OVERFLOW)
>>>     Overflowed or truncated value (or a value computed from an overflowed 
>>> or truncated value) "ddr_hertz" used as critical argument to function.
145         mem_size_mbytes = init_octeon3_ddr3_interface(node,
146                                                       ddr_configuration,
147                                                       ddr_hertz,
148                                                       cpu_hertz,
149                                                       ddr_ref_hertz,
150                                                       board_type,

** CID 1393960:  Insecure data handling  (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1490 in 
perform_HW_dll_offset_tuning()


________________________________________________________________________________________________________
*** CID 1393960:  Insecure data handling  (TAINTED_SCALAR)
/src/vendorcode/cavium/bdk/libdram/dram-tune-ddr3.c: 1490 in 
perform_HW_dll_offset_tuning()
1484             lmc_config.s.ecc_ena = 1;
1485             DRAM_CSR_WRITE(node, BDK_LMCX_CONFIG(lmc), lmc_config.u);
1486             lmc_config.u = BDK_CSR_READ(node, BDK_LMCX_CONFIG(lmc));
1487     
1488             // testing is done on a single LMC at a time
1489             // FIXME: for now, loop here to show what happens multiple 
times
>>>     CID 1393960:  Insecure data handling  (TAINTED_SCALAR)
>>>     Using tainted variable "loops" as a loop boundary.
1490             for (loop = 0; loop < loops; loop++) {
1491                 /* Perform DLL offset tuning */
1492                 //auto_set_dll_offset(node,  1 /* 1=write */, lmc, 
bytelane);
1493                 hw_assist_test_dll_offset(node,  2 /* 2=read */, lmc, 
bytelane);
1494             }
1495     


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5YWTJmHR68MjZmITQiRDM5u86XmyHuGSkyNnmhS4MY2gDkjBytchwI-2FzToS44Ci1WN5CD-2FaAJuFLwUXshGwjEYT7uSeDzexMA0-2FqZX7E8ITly3uch8OQJA0AjqmRCgyPFLeA-2FRa9B-2Fg-2FGHUpL4-2FwaimRDMU8ezSLEgtaaBkj2iM-2BqnI08GIrzyY-2FkhjdEeL6vI-3D


-- 
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
