Hi, Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
6 new defect(s) introduced to coreboot found with Coverity Scan.
16 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 6 of 6 defect(s)

** CID 1401305: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/src/soc/qualcomm/common/qclib.c: 44 in qclib_add_if_table_entry()

________________________________________________________________________________________________________
*** CID 1401305: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/src/soc/qualcomm/common/qclib.c: 44 in qclib_add_if_table_entry()
38    void qclib_add_if_table_entry(const char *name, void *base,
39            uint32_t size, uint32_t attrs)
40    {
41        struct qclib_cb_if_table_entry *te =
42            &qclib_cb_if_table.te[qclib_cb_if_table.num_entries++];
43        assert(qclib_cb_if_table.num_entries <= qclib_cb_if_table.max_entries);
>>>     CID 1401305: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>>     Calling strncpy with a maximum size argument of 24 bytes on destination
>>>     array "te->name" of size 24 bytes might leave the destination string
>>>     unterminated.
44        strncpy(te->name, name, sizeof(te->name));
45        te->blob_address = (uintptr_t)base;
46        te->size = size;
47        te->blob_attributes = attrs;
48    }
49

** CID 1401304: Control flow issues (NO_EFFECT)
/3rdparty/vboot/firmware/2lib/2misc.c: 131 in vb2_init_context()

________________________________________________________________________________________________________
*** CID 1401304: Control flow issues (NO_EFFECT)
/3rdparty/vboot/firmware/2lib/2misc.c: 131 in vb2_init_context()
125         * initialized. */
126        if (ctx->workbuf_used) {
127            if (sd->magic != VB2_SHARED_DATA_MAGIC)
128                return VB2_ERROR_SHARED_DATA_MAGIC;
129
130            if (sd->struct_version_major != VB2_SHARED_DATA_VERSION_MAJOR ||
>>>     CID 1401304: Control flow issues (NO_EFFECT)
>>>     This less-than-zero comparison of an unsigned value is never true.
>>>     "sd->struct_version_minor < 0".
131                sd->struct_version_minor < VB2_SHARED_DATA_VERSION_MINOR)
132                return VB2_ERROR_SHARED_DATA_VERSION;
133
134            return VB2_SUCCESS;
135        }
136

** CID 1381814: (BUFFER_SIZE)
/src/soc/intel/cannonlake/fsp_params.c: 281 in platform_fsp_silicon_init_params_cb()
/src/soc/intel/cannonlake/fsp_params.c: 283 in platform_fsp_silicon_init_params_cb()

________________________________________________________________________________________________________
*** CID 1381814: (BUFFER_SIZE)
/src/soc/intel/cannonlake/fsp_params.c: 281 in platform_fsp_silicon_init_params_cb()
275    #endif
276        /* PCI Express */
277        for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278            if (config->PcieClkSrcUsage[i] == 0)
279                config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280        }
>>>     CID 1381814: (BUFFER_SIZE)
>>>     You might overrun the 16 byte destination string
>>>     "params->PcieClkSrcUsage" by writing the maximum 24 bytes from
>>>     "config->PcieClkSrcUsage".
281        memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282            sizeof(config->PcieClkSrcUsage));
283        memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284            sizeof(config->PcieClkSrcClkReq));
285        memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286            sizeof(config->PcieRpLtrEnable));
/src/soc/intel/cannonlake/fsp_params.c: 283 in platform_fsp_silicon_init_params_cb()
277        for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278            if (config->PcieClkSrcUsage[i] == 0)
279                config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280        }
281        memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282            sizeof(config->PcieClkSrcUsage));
>>>     CID 1381814: (BUFFER_SIZE)
>>>     You might overrun the 16 byte destination string
>>>     "params->PcieClkSrcClkReq" by writing the maximum 24 bytes from
>>>     "config->PcieClkSrcClkReq".
283        memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284            sizeof(config->PcieClkSrcClkReq));
285        memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286            sizeof(config->PcieRpLtrEnable));
287        memcpy(params->PcieRpHotPlug, config->PcieRpHotPlug,
288            sizeof(config->PcieRpHotPlug));

** CID 1381813: Memory - corruptions (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 281 in platform_fsp_silicon_init_params_cb()

________________________________________________________________________________________________________
*** CID 1381813: Memory - corruptions (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 281 in platform_fsp_silicon_init_params_cb()
275    #endif
276        /* PCI Express */
277        for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278            if (config->PcieClkSrcUsage[i] == 0)
279                config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280        }
>>>     CID 1381813: Memory - corruptions (OVERRUN)
>>>     Overrunning array "params->PcieClkSrcUsage" of 16 bytes by passing it
>>>     to a function which accesses it at byte offset 23 using argument "24UL".
>>>     [Note: The source code implementation of the function has been overridden
>>>     by a builtin model.]
281        memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282            sizeof(config->PcieClkSrcUsage));
283        memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284            sizeof(config->PcieClkSrcClkReq));
285        memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286            sizeof(config->PcieRpLtrEnable));

** CID 1381812: Memory - corruptions (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 283 in platform_fsp_silicon_init_params_cb()

________________________________________________________________________________________________________
*** CID 1381812: Memory - corruptions (OVERRUN)
/src/soc/intel/cannonlake/fsp_params.c: 283 in platform_fsp_silicon_init_params_cb()
277        for (i = 0; i < ARRAY_SIZE(config->PcieClkSrcUsage); i++) {
278            if (config->PcieClkSrcUsage[i] == 0)
279                config->PcieClkSrcUsage[i] = PCIE_CLK_NOTUSED;
280        }
281        memcpy(params->PcieClkSrcUsage, config->PcieClkSrcUsage,
282            sizeof(config->PcieClkSrcUsage));
>>>     CID 1381812: Memory - corruptions (OVERRUN)
>>>     Overrunning array "params->PcieClkSrcClkReq" of 16 bytes by passing it
>>>     to a function which accesses it at byte offset 23 using argument "24UL".
>>>     [Note: The source code implementation of the function has been overridden
>>>     by a builtin model.]
283        memcpy(params->PcieClkSrcClkReq, config->PcieClkSrcClkReq,
284            sizeof(config->PcieClkSrcClkReq));
285        memcpy(params->PcieRpLtrEnable, config->PcieRpLtrEnable,
286            sizeof(config->PcieRpLtrEnable));
287        memcpy(params->PcieRpHotPlug, config->PcieRpHotPlug,
288            sizeof(config->PcieRpHotPlug));

** CID 1353342: (OVERRUN)

________________________________________________________________________________________________________
*** CID 1353342: (OVERRUN)
/3rdparty/chromeec/common/pwm.c: 120 in cc_pwm_duty()
114        char *e;
115        char *raw;
116
117        if (argc < 2) {
118            ccprintf("PWM channels:\n");
119            for (ch = 0; ch < PWM_CH_COUNT; ch++)
>>>     CID 1353342: (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which
>>>     evaluates to 2) in call to "print_channel".
120                print_channel(ch, max_duty);
121            return EC_SUCCESS;
122        }
123
124        ch = strtoi(argv[1], &e, 0);
125        if (*e || ch < 0 || ch >= PWM_CH_COUNT)
/3rdparty/chromeec/common/pwm.c: 148 in cc_pwm_duty()
142                return EC_ERROR_PARAM2;
143            } else if (value < 0) {
144                /* Negative = disable */
145                pwm_enable(ch, 0);
146            } else {
147                ccprintf("Setting channel %d to %d\n", ch, value);
>>>     CID 1353342: (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which
>>>     evaluates to 2) in call to "pwm_enable".
148                pwm_enable(ch, 1);
149                (max_duty == 100) ? pwm_set_duty(ch, value) :
150                    pwm_set_raw_duty(ch, value);
151            }
152        }
153
/3rdparty/chromeec/common/pwm.c: 149 in cc_pwm_duty()
143            } else if (value < 0) {
144                /* Negative = disable */
145                pwm_enable(ch, 0);
146            } else {
147                ccprintf("Setting channel %d to %d\n", ch, value);
148                pwm_enable(ch, 1);
>>>     CID 1353342: (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which
>>>     evaluates to 2) in call to "pwm_set_raw_duty".
149                (max_duty == 100) ?
pwm_set_duty(ch, value) :
150                    pwm_set_raw_duty(ch, value);
151            }
152        }
153
154        print_channel(ch, max_duty);
/3rdparty/chromeec/common/pwm.c: 154 in cc_pwm_duty()
148                pwm_enable(ch, 1);
149                (max_duty == 100) ? pwm_set_duty(ch, value) :
150                    pwm_set_raw_duty(ch, value);
151            }
152        }
153
>>>     CID 1353342: (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "ch" (which
>>>     evaluates to 2) in call to "print_channel".
154        print_channel(ch, max_duty);
155
156        return EC_SUCCESS;
157    }
158    DECLARE_CONSOLE_COMMAND(pwmduty, cc_pwm_duty,
159        "[channel [<percent> | -1=disable] | [raw <value>]]",

________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvaU4HClancRgJSp1vcdHRWU-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5ZD4wjpWRrfm0oxUomQ8C6yuM2iLq6-2Fy-2F6ZPOm8NbGh4KVkQBWHH-2FC4-2B-2BATpqhZ5M9cyrfUYZEb8a9YBe-2FKAQwcVG9518Ap-2FOVn5-2FayhTSmSabjQY4WCDDevR1HfGkWGyarvKdASLDBz2rOMi16xNWNHxBm34u7DZEBOSXYcBgkW7-2BR35iqNMxUUMeE3w3Nf-2Bc-3D

_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org