Hi,
Please find below the latest Coverity Scan report on new defect(s) introduced
to coreboot.
12 new defect(s) introduced to coreboot found with Coverity Scan.
2 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent
build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1458079: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/alderlake/crashlog.c: 68 in pmc_cl_discovery()
________________________________________________________________________________________________________
*** CID 1458079: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/alderlake/crashlog.c: 68 in pmc_cl_discovery()
62 tmp_bar_addr = SPI_BASE_ADDRESS;
63 pci_write_config32(PCH_DEV_SRAM, PCI_BASE_ADDRESS_0, tmp_bar_addr);
64 pci_or_config16(PCH_DEV_SRAM, PCI_COMMAND, PCI_COMMAND_MEMORY);
65
66 if (discovery_buf.bits.discov_mechanism == 1) {
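67 /* discovery mode */
>>> CID 1458079: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "discovery_buf.bits.base_offset & (2147483648UL /* 1UL << 31 */)" is
>>> always 0 regardless of the values of its operands. This occurs as the
>>> logical operand of "if".
[Note: since Coverity finds this test always 0, the "PCH discovery to be used
is disabled" branch (lines 69-72) is unreachable, and a disabled discovery
mechanism would go undetected here. The declaration of base_offset is not shown
in this report; the result suggests it is a bit-field narrower than 32 bits, in
which case bit 31 has to be tested on the full 32-bit value rather than on this
field. CID 1458072 flags the same test in cl_get_pmc_sram_data().]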
68 if (discovery_buf.bits.base_offset & BIT(31)) {
69 printk(BIOS_DEBUG, "PCH discovery to be used is
disabled.\n");
70 m_pmc_crashLog_present = false;
71 m_pmc_crashLog_size = 0;
72 return false;
73 }
** CID 1458078: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458078: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/alderlake/crashlog.c: 45 in pmc_cl_discovery()
39
40 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
41 PMC_IPC_CMD_ID_CRASHLOG_DISCOVERY,
42 PMC_IPC_CMD_SIZE_SHIFT);
43 printk(BIOS_DEBUG, "cmd_reg from pmc_make_ipc_cmd %d\n", cmd_reg);
44
>>> CID 1458078: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
45 r = pmc_send_ipc_cmd(cmd_reg, req, res);
46
47 if (r < 0) {
48 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__);
49 return false;
50 }
** CID 1458077: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458077: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/alderlake/crashlog.c: 45 in pmc_cl_discovery()
39
40 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
41 PMC_IPC_CMD_ID_CRASHLOG_DISCOVERY,
42 PMC_IPC_CMD_SIZE_SHIFT);
43 printk(BIOS_DEBUG, "cmd_reg from pmc_make_ipc_cmd %d\n", cmd_reg);
44
>>> CID 1458077: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
45 r = pmc_send_ipc_cmd(cmd_reg, req, res);
46
47 if (r < 0) {
48 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n", __func__);
49 return false;
50 }
** CID 1458076: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458076: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/common/block/crashlog/crashlog.c: 256 in
cl_pmc_en_gen_on_all_reboot()
250 int r;
251
252 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
253 PMC_IPC_CMD_ID_CRASHLOG_ON_RESET,
254 PMC_IPC_CMD_SIZE_SHIFT);
255
>>> CID 1458076: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
256 r = pmc_send_ipc_cmd(cmd_reg, req, res);
257
258 if (r < 0) {
259 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n",
__func__);
260 return 0;
261 }
** CID 1458075: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458075: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/common/block/crashlog/crashlog.c: 206 in
cl_pmc_re_arm_after_reset()
200 int r;
201
202 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
203 PMC_IPC_CMD_ID_CRASHLOG_RE_ARM_ON_RESET,
204 PMC_IPC_CMD_SIZE_SHIFT);
205
>>> CID 1458075: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
206 r = pmc_send_ipc_cmd(cmd_reg, req, res);
207
208 if (r < 0) {
209 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n",
__func__);
210 return 0;
211 }
** CID 1458074: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/alderlake/crashlog.c: 144 in cpu_cl_get_capability()
________________________________________________________________________________________________________
*** CID 1458074: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/alderlake/crashlog.c: 144 in cpu_cl_get_capability()
138
139 /* walk through the entries until crashLog entry */
140 cl_devsc_cap->devsc_data.data_32[1] =
pci_read_config32(SA_DEV_TMT, TEL_DVSEV_ID);
141 int new_offset = 0;
142 while (cl_devsc_cap->devsc_data.fields.devsc_id !=
CRASHLOG_DVSEC_ID) {
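143 if (cl_devsc_cap->cap_data.fields.next_cap_offset == 0
>>> CID 1458074: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "cl_devsc_cap->cap_data.fields.next_cap_offset == 65535" is always
>>> false regardless of the values of its operands. This occurs as the logical
>>> second operand of "||".
[Note: with this comparison always false, only next_cap_offset == 0 ends the
capability walk as invalid; an all-ones offset is not caught by this check. The
field declaration is not shown here; the result suggests next_cap_offset is
narrower than 16 bits, so the constant should match the field's width. Confirm
this against the structure definition.]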
144 || cl_devsc_cap->cap_data.fields.next_cap_offset
== 0xFFFF) {
145 printk(BIOS_DEBUG, "Read invalid pcie_cap_id
value: 0x%x\n",
146
cl_devsc_cap->cap_data.fields.pcie_cap_id);
147 return false;
148 }
149 new_offset =
cl_devsc_cap->cap_data.fields.next_cap_offset;
** CID 1458073: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458073: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/common/block/crashlog/crashlog.c: 206 in
cl_pmc_re_arm_after_reset()
200 int r;
201
202 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
203 PMC_IPC_CMD_ID_CRASHLOG_RE_ARM_ON_RESET,
204 PMC_IPC_CMD_SIZE_SHIFT);
205
>>> CID 1458073: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
206 r = pmc_send_ipc_cmd(cmd_reg, req, res);
207
208 if (r < 0) {
209 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n",
__func__);
210 return 0;
211 }
** CID 1458072: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/common/block/crashlog/crashlog.c: 342 in cl_get_pmc_sram_data()
________________________________________________________________________________________________________
*** CID 1458072: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/common/block/crashlog/crashlog.c: 342 in cl_get_pmc_sram_data()
336 printk(BIOS_DEBUG, "PCH crashlog feature not
supported.\n");
337 goto pmc_send_re_arm_after_reset;
338 }
339
340 /* Get the size of data to copy */
341 if (discovery_buf.bits.discov_mechanism == 1) {
>>> CID 1458072: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "discovery_buf.bits.base_offset & (2147483648UL /* 1UL << 31 */)" is
>>> always 0 regardless of the values of its operands. This occurs as the
>>> logical operand of "if".
342 if (discovery_buf.bits.base_offset & BIT(31)) {
343 printk(BIOS_DEBUG, "PCH discovery to be used is
disabled.\n");
344 goto pmc_send_re_arm_after_reset;
345 }
346 printk(BIOS_DEBUG, "PMC crashLog size in discovery mode
: 0x%X\n",
347 pmc_crashLog_size);
** CID 1458071: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458071: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/common/block/crashlog/crashlog.c: 229 in cl_pmc_clear()
223 int r;
224
225 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
226 PMC_IPC_CMD_ID_CRASHLOG_ERASE,
227 PMC_IPC_CMD_SIZE_SHIFT);
228
>>> CID 1458071: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
229 r = pmc_send_ipc_cmd(cmd_reg, req, res);
230
231 if (r < 0) {
232 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n",
__func__);
233 return 0;
234 }
** CID 1458070: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458070: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/common/block/crashlog/crashlog.c: 256 in
cl_pmc_en_gen_on_all_reboot()
250 int r;
251
252 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
253 PMC_IPC_CMD_ID_CRASHLOG_ON_RESET,
254 PMC_IPC_CMD_SIZE_SHIFT);
255
>>> CID 1458070: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "res" to "pmc_send_ipc_cmd", which dereferences it.
256 r = pmc_send_ipc_cmd(cmd_reg, req, res);
257
258 if (r < 0) {
259 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n",
__func__);
260 return 0;
261 }
** CID 1458069: (OVERRUN)
/src/soc/intel/common/block/crashlog/crashlog.c: 168 in
pmc_cl_gen_descriptor_table()
/src/soc/intel/common/block/crashlog/crashlog.c: 170 in
pmc_cl_gen_descriptor_table()
/src/soc/intel/common/block/crashlog/crashlog.c: 169 in
pmc_cl_gen_descriptor_table()
________________________________________________________________________________________________________
*** CID 1458069: (OVERRUN)
/src/soc/intel/common/block/crashlog/crashlog.c: 168 in
pmc_cl_gen_descriptor_table()
162 int total_data_size = 0;
163 descriptor_table->numb_regions = read32((u32 *)desc_table_addr);
164 printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x
at addr 0x%x\n",
165 descriptor_table->numb_regions, desc_table_addr);
166 for (int i = 0; i < descriptor_table->numb_regions; i++) {
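167 desc_table_addr += 4;
>>> CID 1458069: (OVERRUN)
>>> Overrunning array "descriptor_table->regions" of 256 4-byte elements at
>>> element index 256 (byte offset 1027) using index "i" (which evaluates to
>>> 256).
[Note: in this excerpt numb_regions comes straight from read32() on line 163
and bounds the loop on line 166. The only limit on i, the "i > 255" check on
line 173, runs after regions[i] has already been written on line 168 and read
on lines 169-172. With a count above 256, the access at i == 256 therefore
happens before the loop breaks. The bound needs to be enforced before
regions[i] is touched, e.g. by checking i (or clamping numb_regions) against
the array size at the top of the loop.]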
168 descriptor_table->regions[i].data = read32((u32
*)(desc_table_addr));
169 total_data_size +=
descriptor_table->regions[i].bits.size * sizeof(u32);
170 printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has
size 0x%x at offset 0x%x\n",
171 i, descriptor_table->regions[i].bits.size,
172 descriptor_table->regions[i].bits.offset);
173 if (i > 255) {
/src/soc/intel/common/block/crashlog/crashlog.c: 170 in
pmc_cl_gen_descriptor_table()
164 printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x
at addr 0x%x\n",
165 descriptor_table->numb_regions, desc_table_addr);
166 for (int i = 0; i < descriptor_table->numb_regions; i++) {
167 desc_table_addr += 4;
168 descriptor_table->regions[i].data = read32((u32
*)(desc_table_addr));
169 total_data_size +=
descriptor_table->regions[i].bits.size * sizeof(u32);
>>> CID 1458069: (OVERRUN)
>>> Overrunning array "descriptor_table->regions" of 256 4-byte elements at
>>> element index 256 (byte offset 1027) using index "i" (which evaluates to
>>> 256).
170 printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has
size 0x%x at offset 0x%x\n",
171 i, descriptor_table->regions[i].bits.size,
172 descriptor_table->regions[i].bits.offset);
173 if (i > 255) {
174 printk(BIOS_ERR, "More than 255 regions in PMC
crashLog descriptor table");
175 break;
/src/soc/intel/common/block/crashlog/crashlog.c: 169 in
pmc_cl_gen_descriptor_table()
163 descriptor_table->numb_regions = read32((u32 *)desc_table_addr);
164 printk(BIOS_DEBUG, "CL PMC desc table: numb of regions is 0x%x
at addr 0x%x\n",
165 descriptor_table->numb_regions, desc_table_addr);
166 for (int i = 0; i < descriptor_table->numb_regions; i++) {
167 desc_table_addr += 4;
168 descriptor_table->regions[i].data = read32((u32
*)(desc_table_addr));
>>> CID 1458069: (OVERRUN)
>>> Overrunning array "descriptor_table->regions" of 256 4-byte elements at
>>> element index 256 (byte offset 1027) using index "i" (which evaluates to
>>> 256).
169 total_data_size +=
descriptor_table->regions[i].bits.size * sizeof(u32);
170 printk(BIOS_DEBUG, "CL PMC desc table: region 0x%x has
size 0x%x at offset 0x%x\n",
171 i, descriptor_table->regions[i].bits.size,
172 descriptor_table->regions[i].bits.offset);
173 if (i > 255) {
174 printk(BIOS_ERR, "More than 255 regions in PMC
crashLog descriptor table");
** CID 1458068: Null pointer dereferences (FORWARD_NULL)
________________________________________________________________________________________________________
*** CID 1458068: Null pointer dereferences (FORWARD_NULL)
/src/soc/intel/common/block/crashlog/crashlog.c: 229 in cl_pmc_clear()
223 int r;
224
225 cmd_reg = pmc_make_ipc_cmd(PMC_IPC_CMD_CRASHLOG,
226 PMC_IPC_CMD_ID_CRASHLOG_ERASE,
227 PMC_IPC_CMD_SIZE_SHIFT);
228
>>> CID 1458068: Null pointer dereferences (FORWARD_NULL)
>>> Passing null pointer "req" to "pmc_send_ipc_cmd", which dereferences it.
229 r = pmc_send_ipc_cmd(cmd_reg, req, res);
230
231 if (r < 0) {
232 printk(BIOS_ERR, "pmc_send_ipc_cmd failed in %s\n",
__func__);
233 return 0;
234 }
________________________________________________________________________________________________________