[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Fri May 6 13:41:52 CEST 2016
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
148 new defect(s) introduced to coreboot found with Coverity Scan.
92 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 148 defect(s)
** CID 1355008: Code maintainability issues (UNUSED_VALUE)
/src/mainboard/siemens/mc_tcu3/lcd_panel.c: 69 in setup_lcd_panel()
________________________________________________________________________________________________________
*** CID 1355008: Code maintainability issues (UNUSED_VALUE)
/src/mainboard/siemens/mc_tcu3/lcd_panel.c: 69 in setup_lcd_panel()
63 break;
64 case LCD_PANEL_TYPE_EDID:
65 strcpy(blockname, "hwinfo.hex");
66 break;
67 default:
68 printk(BIOS_ERR, "LCD: No supported panel found.\n");
>>> CID 1355008: Code maintainability issues (UNUSED_VALUE)
>>> Assigning value "1" to "status" here, but that stored value is overwritten before it can be used.
69 status = 1;
70 break;
71 }
72 /* Now that we have the panel type, setup the DP2LVDS converter */
73 status = ptn3460_init(blockname);
74 if (status)
** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON)
/src/lib/selfboot.c: 239 in build_self_segment_list()
________________________________________________________________________________________________________
*** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON)
/src/lib/selfboot.c: 239 in build_self_segment_list()
233
234 memset(head, 0, sizeof(*head));
235 head->next = head->prev = head;
236
237 first_segment = &cbfs_payload->segments;
238
>>> CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON)
>>> Using "current_segment" as an array. This might corrupt or misinterpret adjacent memory locations.
239 for (current_segment = first_segment;; ++current_segment) {
240 printk(BIOS_DEBUG,
241 "Loading segment from rom address 0x%p\n",
242 current_segment);
243
244 cbfs_decode_payload_segment(&segment, current_segment);
** CID 1354852: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/thermal.c: 265 in thermal_control()
________________________________________________________________________________________________________
*** CID 1354852: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/thermal.c: 265 in thermal_control()
259 #ifdef CONFIG_FANS
260 /* TODO(crosbug.com/p/23797): For now, we just treat all fans the
261 * same. It would be better if we could assign different thermal
262 * profiles to each fan - in case one fan cools the CPU while another
263 * cools the radios or battery.
264 */
>>> CID 1354852: Memory - corruptions (OVERRUN)
>>> Checking "i < 2" implies that "i" may be up to 1 on the true branch.
265 for (i = 0; i < CONFIG_FANS; i++)
266 fan_set_percent_needed(i, fmax);
267 #endif
268 }
269
270 /* Don't forget to signal any DPTF thresholds */
** CID 1354849: Insecure data handling (INTEGER_OVERFLOW)
/src/arch/x86/tables.c: 85 in write_mptable()
________________________________________________________________________________________________________
*** CID 1354849: Insecure data handling (INTEGER_OVERFLOW)
/src/arch/x86/tables.c: 85 in write_mptable()
79 }
80
81 printk(BIOS_DEBUG, "MP table: %ld bytes.\n",
82 new_high_table_pointer - high_table_pointer);
83 }
84
>>> CID 1354849: Insecure data handling (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "rom_table_end" used as return value.
85 return rom_table_end;
86 }
87
88 static unsigned long write_acpi_table(unsigned long rom_table_end)
89 {
90 unsigned long high_table_pointer;
** CID 1354778: Uninitialized variables (UNINIT)
/src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb()
________________________________________________________________________________________________________
*** CID 1354778: Uninitialized variables (UNINIT)
/src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb()
98 uart8250_tx_flush(uart_platform_base(idx));
99 }
100
101 #if ENV_RAMSTAGE
102 void uart_fill_lb(void *data)
103 {
>>> CID 1354778: Uninitialized variables (UNINIT)
>>> Declaring variable "serial" without initializer.
104 struct lb_serial serial;
105 serial.type = LB_SERIAL_TYPE_IO_MAPPED;
106 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
107 serial.baud = default_baudrate();
108 lb_add_serial(&serial, data);
109
110 lb_add_console(LB_TAG_CONSOLE_SERIAL8250, data);
111 }
** CID 1353792: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 477 in pwm_fan_second()
________________________________________________________________________________________________________
*** CID 1353792: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 477 in pwm_fan_second()
471 uint16_t *mapped = (uint16_t *)host_get_memmap(EC_MEMMAP_FAN);
472 uint16_t rpm;
473 int stalled = 0;
474 int fan;
475
476 for (fan = 0; fan < CONFIG_FANS; fan++) {
>>> CID 1353792: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
477 if (fan_is_stalled(fans[fan].ch)) {
478 rpm = EC_FAN_SPEED_STALLED;
479 stalled = 1;
480 cprints(CC_PWM, "Fan %d stalled!", fan);
481 } else {
482 rpm = fan_get_rpm_actual(fans[fan].ch);
** CID 1353791: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 515 in pwm_fan_resume()
________________________________________________________________________________________________________
*** CID 1353791: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 515 in pwm_fan_resume()
509 DECLARE_HOOK(HOOK_SYSJUMP, pwm_fan_preserve_state, HOOK_PRIO_DEFAULT);
510
511 static void pwm_fan_resume(void)
512 {
513 int fan;
514 for (fan = 0; fan < CONFIG_FANS; fan++)
>>> CID 1353791: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
515 fan_set_enabled(fans[fan].ch, 1);
516 }
517 DECLARE_HOOK(HOOK_CHIPSET_RESUME, pwm_fan_resume, HOOK_PRIO_DEFAULT);
518
519 static void pwm_fan_S3_S5(void)
520 {
** CID 1353790: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 443 in pwm_fan_init()
________________________________________________________________________________________________________
*** CID 1353790: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 443 in pwm_fan_init()
437 uint16_t *mapped;
438 int version, size;
439 int i;
440 int fan = 0;
441
442 for (fan = 0; fan < CONFIG_FANS; fan++)
>>> CID 1353790: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
443 fan_channel_setup(fans[fan].ch, fans[fan].flags);
444
445 prev = (const struct pwm_fan_state *)
446 system_get_jump_tag(PWMFAN_SYSJUMP_TAG, &version, &size);
447 if (prev && version == PWM_HOOK_VERSION && size == sizeof(*prev)) {
448 /* Restore previous state. */
** CID 1353789: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/fan.c: 524 in pwm_fan_S3_S5()
________________________________________________________________________________________________________
*** CID 1353789: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/fan.c: 524 in pwm_fan_S3_S5()
518
519 static void pwm_fan_S3_S5(void)
520 {
521 int fan;
522
523 /* TODO(crosbug.com/p/23530): Still treating all fans as one. */
>>> CID 1353789: Memory - corruptions (OVERRUN)
>>> Checking "fan < 2" implies that "fan" may be up to 1 on the true branch.
524 for (fan = 0; fan < CONFIG_FANS; fan++) {
525 /* Take back fan control when the processor shuts down */
526 set_thermal_control_enabled(fan, 1);
527 /* For now don't do anything with it. We'll have to turn it on
528 * again if we need active cooling during heavy battery
529 * charging or something.
** CID 1353788: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 531 in pwm_fan_S3_S5()
________________________________________________________________________________________________________
*** CID 1353788: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 531 in pwm_fan_S3_S5()
525 /* Take back fan control when the processor shuts down */
526 set_thermal_control_enabled(fan, 1);
527 /* For now don't do anything with it. We'll have to turn it on
528 * again if we need active cooling during heavy battery
529 * charging or something.
530 */
>>> CID 1353788: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
531 fan_set_rpm_target(fans[fan].ch, 0);
532 set_enabled(fan, 0); /* crosbug.com/p/8097 */
533 }
534 }
535 DECLARE_HOOK(HOOK_CHIPSET_SUSPEND, pwm_fan_S3_S5, HOOK_PRIO_DEFAULT);
** CID 1353787: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 342 in hc_pwm_set_fan_target_rpm()
________________________________________________________________________________________________________
*** CID 1353787: Memory - illegal accesses (OVERRUN)
/3rdparty/chromeec/common/fan.c: 342 in hc_pwm_set_fan_target_rpm()
336 if (args->version == 0) {
337 for (fan = 0; fan < CONFIG_FANS; fan++) {
338 /* enable the fan if rpm is non-zero */
339 set_enabled(fan, (p_v0->rpm > 0) ? 1 : 0);
340
341 set_thermal_control_enabled(fan, 0);
>>> CID 1353787: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "fans" of 1 28-byte elements at element index 1 (byte offset 28) using index "fan" (which evaluates to 1).
342 fan_set_rpm_mode(fans[fan].ch, 1);
343 fan_set_rpm_target(fans[fan].ch, p_v0->rpm);
344 }
345
346 return EC_RES_SUCCESS;
347 }
** CID 1353314: (OVERRUN)
/3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read()
/3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read()
________________________________________________________________________________________________________
*** CID 1353314: (OVERRUN)
/3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read()
20 const struct temp_sensor_t *sensor;
21
22 if (id < 0 || id >= TEMP_SENSOR_COUNT)
23 return EC_ERROR_INVAL;
24 sensor = temp_sensors + id;
25
>>> CID 1353314: (OVERRUN)
>>> Overrunning array of 4 20-byte elements at element index 4 (byte offset 80) by dereferencing pointer "sensor".
26 return sensor->read(sensor->idx, temp_ptr);
27 }
28
29 static void update_mapped_memory(void)
30 {
31 int i, t;
/3rdparty/chromeec/common/temp_sensor.c: 26 in temp_sensor_read()
20 const struct temp_sensor_t *sensor;
21
22 if (id < 0 || id >= TEMP_SENSOR_COUNT)
23 return EC_ERROR_INVAL;
24 sensor = temp_sensors + id;
25
>>> CID 1353314: (OVERRUN)
>>> Overrunning array of 4 20-byte elements at element index 14 (byte offset 280) by dereferencing pointer "sensor".
26 return sensor->read(sensor->idx, temp_ptr);
27 }
28
29 static void update_mapped_memory(void)
30 {
31 int i, t;
** CID 1353310: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353310: (OVERRUN)
/3rdparty/chromeec/board/glados/battery.c: 50 in board_cut_off_battery()
44 /* Ship mode command must be sent twice to take effect */
45 buf[0] = SB_MANUFACTURER_ACCESS & 0xff;
46 buf[1] = PARAM_CUT_OFF_LOW;
47 buf[2] = PARAM_CUT_OFF_HIGH;
48
49 i2c_lock(I2C_PORT_BATTERY, 1);
>>> CID 1353310: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_xfer".
50 rv = i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0,
51 I2C_XFER_SINGLE);
52 rv |= i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0,
53 I2C_XFER_SINGLE);
54 i2c_lock(I2C_PORT_BATTERY, 0);
55
/3rdparty/chromeec/board/glados/battery.c: 52 in board_cut_off_battery()
46 buf[1] = PARAM_CUT_OFF_LOW;
47 buf[2] = PARAM_CUT_OFF_HIGH;
48
49 i2c_lock(I2C_PORT_BATTERY, 1);
50 rv = i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0,
51 I2C_XFER_SINGLE);
>>> CID 1353310: (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_xfer".
52 rv |= i2c_xfer(I2C_PORT_BATTERY, BATTERY_ADDR, buf, 3, NULL, 0,
53 I2C_XFER_SINGLE);
54 i2c_lock(I2C_PORT_BATTERY, 0);
55
56 return rv;
57 }
** CID 1353309: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
________________________________________________________________________________________________________
*** CID 1353309: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 260 in gpio_command_get()
254 args->response_size = sizeof(r_v1->get_count);
255 break;
256 case EC_GPIO_GET_INFO:
257 if (p_v1->get_info.index >= GPIO_COUNT)
258 return EC_RES_ERROR;
259
>>> CID 1353309: Memory - corruptions (OVERRUN)
>>> Assigning: "i" = "(*p_v1).get_info.index". The value of "i" may now be up to 80.
260 i = p_v1->get_info.index;
261 len = strlen(g[i].name);
262 memcpy(r_v1->get_info.name, g[i].name, len+1);
263 r_v1->get_info.val = gpio_get_level(i);
264 r_v1->get_info.flags = g[i].flags;
265 args->response_size = sizeof(r_v1->get_info);
** CID 1353307: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
________________________________________________________________________________________________________
*** CID 1353307: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/common/gpio.c: 169 in command_gpio_get()
163 ccprintf(" %d%c %s\n", v, (changed ? '*' : ' '), g->name);
164
165 return EC_SUCCESS;
166 }
167
168 /* Otherwise print them all */
>>> CID 1353307: Memory - corruptions (OVERRUN)
>>> Checking "i < GPIO_COUNT" implies that "i" may be up to 80 on the true branch.
169 for (i = 0; i < GPIO_COUNT; i++, g++) {
170 if (!g->mask)
171 continue; /* Skip unsupported signals */
172
173 v = gpio_get_level(i);
174 changed = last_val_changed(i, v);
** CID 1353293: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353293: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/driver/battery/smart.c: 32 in sbc_write()
26 {
27 return i2c_read16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param);
28 }
29
30 test_mockable int sbc_write(int cmd, int param)
31 {
>>> CID 1353293: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
32 return i2c_write16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param);
33 }
34
35 test_mockable int sb_read(int cmd, int *param)
36 {
37 #ifdef CONFIG_BATTERY_CUT_OFF
** CID 1353292: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353292: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/driver/battery/smart.c: 27 in sbc_read()
21 #define BATTERY_NO_RESPONSE_TIMEOUT (1000*MSEC)
22
23 static int fake_state_of_charge = -1;
24
25 test_mockable int sbc_read(int cmd, int *param)
26 {
>>> CID 1353292: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_read16".
27 return i2c_read16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param);
28 }
29
30 test_mockable int sbc_write(int cmd, int param)
31 {
32 return i2c_write16(I2C_PORT_CHARGER, CHARGER_ADDR, cmd, param);
** CID 1353291: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353291: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/driver/battery/smart.c: 69 in sb_write()
63 if (battery_is_cut_off())
64 return EC_RES_ACCESS_DENIED;
65 #endif
66 #ifdef CONFIG_SMBUS
67 return smbus_write_word(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param);
68 #else
>>> CID 1353291: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_write16".
69 return i2c_write16(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param);
70 #endif
71 }
72
73 int sb_read_string(int port, int slave_addr, int offset, uint8_t *data,
74 int len)
** CID 1353290: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353290: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/driver/battery/smart.c: 53 in sb_read()
47 uint16_t d16 = 0;
48 rv = smbus_read_word(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, &d16);
49 *param = d16;
50 return rv;
51 }
52 #else
>>> CID 1353290: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "i2c_read16".
53 return i2c_read16(I2C_PORT_BATTERY, BATTERY_ADDR, cmd, param);
54 #endif
55 }
56
57 test_mockable int sb_write(int cmd, int param)
58 {
** CID 1353289: Memory - corruptions (OVERRUN)
________________________________________________________________________________________________________
*** CID 1353289: Memory - corruptions (OVERRUN)
/3rdparty/chromeec/driver/battery/smart.c: 250 in battery_manufacturer_name()
244 return EC_SUCCESS;
245 }
246
247 /* Read manufacturer name */
248 test_mockable int battery_manufacturer_name(char *dest, int size)
249 {
>>> CID 1353289: Memory - corruptions (OVERRUN)
>>> Overrunning callee's array of size 2 by passing argument "MEC1322_I2C3" in call to "sb_read_string".
250 return sb_read_string(I2C_PORT_BATTERY, BATTERY_ADDR,
251 SB_MANUFACTURER_NAME, dest, size);
252 }
253
254 /* Read device name */
255 test_mockable int battery_device_name(char *dest, int size)
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://scan.coverity.com/projects/coreboot?tab=overview