Hi,

Please find the latest report on new defect(s) introduced to coreboot found 
with Coverity Scan.

4 new defect(s) introduced to coreboot found with Coverity Scan.
175 defect(s), reported by Coverity Scan earlier, were marked fixed in the 
recent build analyzed by Coverity Scan.

New defect(s) Reported-by: Coverity Scan
Showing 4 of 4 defect(s)


** CID 1430219:  Security best practices violations  (SECURE_TEMP)
/3rdparty/vboot/host/lib/flashrom.c: 50 in write_temp_file()


________________________________________________________________________________________________________
*** CID 1430219:  Security best practices violations  (SECURE_TEMP)
/3rdparty/vboot/host/lib/flashrom.c: 50 in write_temp_file()
44      vb2_error_t rv;
45      char *path;
46     
47      *path_out = NULL;
48      path = strdup(P_tmpdir "/vb2_flashrom.XXXXXX");
49     
>>>     CID 1430219:  Security best practices violations  (SECURE_TEMP)
>>>     Calling "mkstemp" without securely setting umask first.
50      fd = mkstemp(path);
51      if (fd < 0) {
52              rv = VB2_ERROR_WRITE_FILE_OPEN;
53              goto fail;
54      }
55     

** CID 1430218:  Integer handling issues  (BAD_SHIFT)
/src/ec/google/chromeec/ec.c: 397 in google_chromeec_log_events()


________________________________________________________________________________________________________
*** CID 1430218:  Integer handling issues  (BAD_SHIFT)
/src/ec/google/chromeec/ec.c: 397 in google_chromeec_log_events()
391     
392             if (!CONFIG(ELOG))
393                     return;
394     
395             events = google_chromeec_get_events_b() & mask;
396             for (i = 0; i < sizeof(events) * 8; i++) {
>>>     CID 1430218:  Integer handling issues  (BAD_SHIFT)
>>>     In expression "1ULL << i - 1", shifting by a negative amount has 
>>> undefined behavior.  The shift amount, "i - 1", is -1.
397                     if (EC_HOST_EVENT_MASK(i) & events)
398                             elog_add_event_byte(ELOG_TYPE_EC_EVENT, i);
399             }
400     
401             google_chromeec_clear_events_b(events);
402     }

** CID 1429776:  Memory - corruptions  (OVERRUN)


________________________________________________________________________________________________________
*** CID 1429776:  Memory - corruptions  (OVERRUN)
/src/soc/amd/picasso/fsp_params.c: 94 in fsp_fill_pcie_ddi_descriptors()
88      const fsp_ddi_descriptor *fsp_ddi;
89      size_t num_pcie;
90      size_t num_ddi;
91     
92      mainboard_get_pcie_ddi_descriptors(&fsp_pcie, &num_pcie,
93                                              &fsp_ddi, &num_ddi);
>>>     CID 1429776:  Memory - corruptions  (OVERRUN)
>>>     Overrunning callee's array of size 1 by passing argument "num_pcie" 
>>> (which evaluates to 3) in call to "fill_pcie_descriptors".
94      fill_pcie_descriptors(scfg, fsp_pcie, num_pcie);
95      fill_ddi_descriptors(scfg, fsp_ddi, num_ddi);
96     }
97     
98     static void fsp_usb_oem_customization(FSP_S_CONFIG *scfg,
99                      const struct soc_amd_picasso_config *cfg)

** CID 1072951:  Memory - illegal accesses  (BUFFER_SIZE)
/tests/lib/string-test.c: 149 in test_strncpy()


________________________________________________________________________________________________________
*** CID 1072951:  Memory - illegal accesses  (BUFFER_SIZE)
/tests/lib/string-test.c: 149 in test_strncpy()
143             /* n1 case  */
144     
145             /* Needed for ensuring that characters behind the limit
146                are not overwritten */
147             memset(dst, 'x', dst_len);
148     
>>>     CID 1072951:  Memory - illegal accesses  (BUFFER_SIZE)
>>>     Calling "strncpy" with a source string whose length (5 chars) is 
>>> greater than or equal to the size argument (2) will fail to null-terminate 
>>> "dst".
149             strncpy(dst, src, n1);
150     
151             assert_int_equal(0, memcmp(dst, src, n1));
152     
153             for (i = n1; i < dst_len; i++)
154                     assert_true(dst[i] == 'x');


________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, 
https://u2389337.ct.sendgrid.net/ls/click?upn=nJaKvJSIH-2FPAfmty-2BK5tYpPklAc1eEA-2F1zfUjH6teExSZiGT4AO9dqB-2BC868xZOCag75Y7p1UmqAHPbZ6SCvYLXjumWuqPoaDGx7Muigyow-3DbnBy_L-2FDzr14mnrsJO5b1wX1hp9b1MAQygl7x-2B74RAaH2cn0WDfkmmYrI9ssIkAK2tgNCNSInAlFua3me8xOb2Cujgut-2FJk8-2BeYBUo8OPUoDQ4RpvQpzfPPvyEhIlb4DvruWZkeuEkRH8B-2FsSbuUUTKuDuwv-2FU2s-2FF2reTuUfuAXjsNGBAlAJSuQgwUmc-2FWM1my5t68k2mSj0n-2F8St2RF9mqtzSw33LKzyo5GN2lNQupxxLs-3D
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-le...@coreboot.org
