Hi,
Please find the latest report on new defect(s) introduced to coreboot found
with Coverity Scan.
5 new defect(s) introduced to coreboot found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent
build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 1488867: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set()
________________________________________________________________________________________________________
*** CID 1488867: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set()
39 min base bit set and maximum size bit set. */
40 if (addr_lsb > size_msb)
41 mtrr_size = 1 << size_msb;
42 else
43 mtrr_size = 1 << addr_lsb;
44
>>> CID 1488867: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "(uint64_t)addr >> 32" is 0 regardless of the values of its operands.
>>> This occurs as the operand of assignment.
45 base.hi = (uint64_t)addr >> 32;
46 base.lo = addr | type;
47 mask.hi = upper_mask;
48 mask.lo = ~(mtrr_size - 1) | MTRR_PHYS_MASK_VALID;
49 ctx->mtrr[ctx->used_var_mtrrs].base = base;
50 ctx->mtrr[ctx->used_var_mtrrs].mask = mask;
** CID 1488866: (TAINTED_SCALAR)
/util/amdfwtool/amdfwread.c: 121 in read_soft_fuse()
/util/amdfwtool/amdfwread.c: 121 in read_soft_fuse()
________________________________________________________________________________________________________
*** CID 1488866: (TAINTED_SCALAR)
/util/amdfwtool/amdfwread.c: 121 in read_soft_fuse()
115 &current_entries, &num_current_entries) != 0)
116 return 1;
117
118 while (1) {
119 uint32_t l2_dir_offset = 0;
120
>>> CID 1488866: (TAINTED_SCALAR)
>>> Using tainted variable "num_current_entries" as a loop boundary.
121 for (size_t i = 0; i < num_current_entries; i++) {
122 uint32_t type = current_entries[i].type;
123 if (type == AMD_PSP_FUSE_CHAIN) {
124 uint64_t mode =
current_entries[i].address_mode;
125 uint64_t addr = current_entries[i].addr;
126 uint64_t fuse = mode << 62 | addr;
/util/amdfwtool/amdfwread.c: 121 in read_soft_fuse()
115 &current_entries, &num_current_entries) != 0)
116 return 1;
117
118 while (1) {
119 uint32_t l2_dir_offset = 0;
120
>>> CID 1488866: (TAINTED_SCALAR)
>>> Using tainted variable "num_current_entries" as a loop boundary.
121 for (size_t i = 0; i < num_current_entries; i++) {
122 uint32_t type = current_entries[i].type;
123 if (type == AMD_PSP_FUSE_CHAIN) {
124 uint64_t mode =
current_entries[i].address_mode;
125 uint64_t addr = current_entries[i].addr;
126 uint64_t fuse = mode << 62 | addr;
** CID 1488865: Integer handling issues (BAD_SHIFT)
/src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set()
________________________________________________________________________________________________________
*** CID 1488865: Integer handling issues (BAD_SHIFT)
/src/cpu/x86/mtrr/earlymtrr.c: 45 in var_mtrr_set()
39 min base bit set and maximum size bit set. */
40 if (addr_lsb > size_msb)
41 mtrr_size = 1 << size_msb;
42 else
43 mtrr_size = 1 << addr_lsb;
44
>>> CID 1488865: Integer handling issues (BAD_SHIFT)
>>> In expression "(uint64_t)addr >> 32", right shifting "addr" by more
>>> than 31 bits always yields zero. The shift amount is 32.
45 base.hi = (uint64_t)addr >> 32;
46 base.lo = addr | type;
47 mask.hi = upper_mask;
48 mask.lo = ~(mtrr_size - 1) | MTRR_PHYS_MASK_VALID;
49 ctx->mtrr[ctx->used_var_mtrrs].base = base;
50 ctx->mtrr[ctx->used_var_mtrrs].mask = mask;
** CID 1488864: (TAINTED_SCALAR)
/util/amdfwtool/amdfwread.c: 91 in read_psp_directory()
/util/amdfwtool/amdfwread.c: 92 in read_psp_directory()
________________________________________________________________________________________________________
*** CID 1488864: (TAINTED_SCALAR)
/util/amdfwtool/amdfwread.c: 91 in read_psp_directory()
85 expected_cookie, header->cookie);
86 return 1;
87 }
88
89 /* Read the entries */
90 *num_entries = header->num_entries;
>>> CID 1488864: (TAINTED_SCALAR)
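>>> Passing tainted expression "16UL * header->num_entries" to "malloc",
>>> which uses it as an allocation size. [Note: The source code implementation
>>> of the function has been overridden by a builtin model.]
(In the lines shown, header->num_entries is used as the element count without an upper bound, and the malloc() result on line 91 is passed to fread() on line 92 without a NULL check.)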
91 *entries = malloc(sizeof(psp_directory_entry) * header->num_entries);
92 if (fread(*entries, sizeof(psp_directory_entry), header->num_entries,
fw)
93 != header->num_entries) {
94 ERR("Failed to read %d PSP entries\n", header->num_entries);
95 return 1;
96 }
/util/amdfwtool/amdfwread.c: 92 in read_psp_directory()
86 return 1;
87 }
88
89 /* Read the entries */
90 *num_entries = header->num_entries;
91 *entries = malloc(sizeof(psp_directory_entry) * header->num_entries);
>>> CID 1488864: (TAINTED_SCALAR)
>>> Passing tainted expression "header->num_entries" to "fread", which uses
>>> it as an offset.
92 if (fread(*entries, sizeof(psp_directory_entry), header->num_entries,
fw)
93 != header->num_entries) {
94 ERR("Failed to read %d PSP entries\n", header->num_entries);
95 return 1;
96 }
97
** CID 1488863: (RESOURCE_LEAK)
/util/amdfwtool/amdfwread.c: 129 in read_soft_fuse()
/util/amdfwtool/amdfwread.c: 152 in read_soft_fuse()
/util/amdfwtool/amdfwread.c: 116 in read_soft_fuse()
/util/amdfwtool/amdfwread.c: 129 in read_soft_fuse()
________________________________________________________________________________________________________
*** CID 1488863: (RESOURCE_LEAK)
/util/amdfwtool/amdfwread.c: 129 in read_soft_fuse()
123 if (type == AMD_PSP_FUSE_CHAIN) {
124 uint64_t mode =
current_entries[i].address_mode;
125 uint64_t addr = current_entries[i].addr;
126 uint64_t fuse = mode << 62 | addr;
127
128 printf("Soft-fuse:0x%lx\n", fuse);
>>> CID 1488863: (RESOURCE_LEAK)
>>> Variable "current_entries" going out of scope leaks the storage it
>>> points to.
129 return 0;
130 } else if (type == AMD_FW_L2_PTR) {
131 /* There's a second level PSP directory
to read */
132 if (l2_dir_offset != 0)
133 return 1;
134
/util/amdfwtool/amdfwread.c: 152 in read_soft_fuse()
146 /* Read the L2 PSP directory */
147 if (read_psp_directory(fw, l2_dir_offset, PSPL2_COOKIE,
&header,
148 &current_entries, &num_current_entries)
!= 0)
149 break;
150 }
151
>>> CID 1488863: (RESOURCE_LEAK)
>>> Variable "current_entries" going out of scope leaks the storage it
>>> points to.
152 return 1;
153 }
154
155 enum {
156 AMDFW_OPT_HELP = 'h',
157
/util/amdfwtool/amdfwread.c: 116 in read_soft_fuse()
110 else
111 psp_offset = fw_header->new_psp_directory;
112
113 psp_directory_header header;
114 if (read_psp_directory(fw, psp_offset, PSP_COOKIE, &header,
115 &current_entries, &num_current_entries) != 0)
>>> CID 1488863: (RESOURCE_LEAK)
>>> Variable "current_entries" going out of scope leaks the storage it
>>> points to.
116 return 1;
117
118 while (1) {
119 uint32_t l2_dir_offset = 0;
120
121 for (size_t i = 0; i < num_current_entries; i++) {
/util/amdfwtool/amdfwread.c: 129 in read_soft_fuse()
123 if (type == AMD_PSP_FUSE_CHAIN) {
124 uint64_t mode =
current_entries[i].address_mode;
125 uint64_t addr = current_entries[i].addr;
126 uint64_t fuse = mode << 62 | addr;
127
128 printf("Soft-fuse:0x%lx\n", fuse);
>>> CID 1488863: (RESOURCE_LEAK)
>>> Variable "current_entries" going out of scope leaks the storage it
>>> points to.
129 return 0;
130 } else if (type == AMD_FW_L2_PTR) {
131 /* There's a second level PSP directory
to read */
132 if (l2_dir_offset != 0)
133 return 1;
134
________________________________________________________________________________________________________