List: linuxbios
Subject: [coreboot] New Defects reported by Coverity Scan for coreboot
From: scan-admin () coverity ! com
Date: 2015-01-10 15:18:04
Message-ID: 54b142ac971d6_505ed29330796d9 () scan ! coverity ! com ! mail
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
12 new defect(s) introduced to coreboot found with Coverity Scan.
12 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 12 of 12 defect(s)
** CID 1255943: Dereference null return value (NULL_RETURNS)
/src/cpu/amd/agesa/s3_resume.c: 164 in move_stack_high_mem()
/src/cpu/amd/pi/s3_resume.c: 164 in move_stack_high_mem()
** CID 1262213: Out-of-bounds access (ARRAY_VS_SINGLETON)
/src/cpu/x86/car.c: 102 in do_car_migrate_variables()
** CID 1262212: Unchecked return value (CHECKED_RETURN)
/src/cpu/intel/hyperthreading/intel_sibling.c: 49 in intel_sibling_init()
** CID 1262211: Unchecked return value (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/lpc.c: 220 in i82801gx_power_options()
** CID 1262210: Unchecked return value (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/smihandler.c: 286 in southbridge_smi_sleep()
** CID 1262209: Logically dead code (DEADCODE)
/src/soc/intel/broadwell/igd.c: 429 in igd_cdclk_init_broadwell()
** CID 1262208: Division or modulo by zero (DIVIDE_BY_ZERO)
/payloads/libpayload/arch/arm64/main.c: 46 in test_exception()
** CID 1262207: Self assignment (NO_EFFECT)
/src/soc/intel/broadwell/finalize.c: 107 in broadwell_finalize()
** CID 1262206: Unsigned compared against 0 (NO_EFFECT)
/payloads/libpayload/libc/memory.c: 91 in default_memmove()
** CID 1262205: Dereference null return value (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 192 in print_fsp_info()
** CID 1262204: Dereference null return value (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 265 in find_fsp_hob_update_mrc()
** CID 1262203: Out-of-bounds read (OVERRUN)
/coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop()
________________________________________________________________________________________________________
*** CID 1255943: Dereference null return value (NULL_RETURNS)
/src/cpu/amd/agesa/s3_resume.c: 164 in move_stack_high_mem()
158
159 static void move_stack_high_mem(void)
160 {
161 void *high_stack;
162
163 high_stack = cbmem_find(CBMEM_ID_RESUME_SCRATCH);
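> > > CID 1255943: Dereference null return value (NULL_RETURNS)
> > > Dereferencing a pointer that might be null "high_stack" when calling "memcpy". [Note: The source code implementation of the function has been overridden by a builtin model.]
> > > [Reviewer note: the result of cbmem_find() is used without a NULL check, and the same pointer also feeds the %esp/%ebp adjustment at lines 167-169, so a check would need to come before both uses. The identical pattern is reported for /src/cpu/amd/pi/s3_resume.c.]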
164 memcpy(high_stack, (void *)BSP_STACK_BASE_ADDR,
165 (CONFIG_HIGH_SCRATCH_MEMORY_SIZE - BIOS_HEAP_SIZE));
166
167 __asm__
168 volatile ("add %0, %%esp; add %0, %%ebp; invd"::"g"
169 (high_stack - BSP_STACK_BASE_ADDR)
/src/cpu/amd/pi/s3_resume.c: 164 in move_stack_high_mem()
158
159 static void move_stack_high_mem(void)
160 {
161 void *high_stack;
162
163 high_stack = cbmem_find(CBMEM_ID_RESUME_SCRATCH);
> > > CID 1255943: Dereference null return value (NULL_RETURNS)
> > > Dereferencing a pointer that might be null "high_stack" when calling "memcpy". \
> > > [Note: The source code implementation of the function has been overridden by a \
> > > builtin model.]
164 memcpy(high_stack, (void *)BSP_STACK_BASE_ADDR,
165 (CONFIG_HIGH_SCRATCH_MEMORY_SIZE - BIOS_HEAP_SIZE));
166
167 __asm__
168 volatile ("add %0, %%esp; add %0, %%ebp; invd"::"g"
169 (high_stack - BSP_STACK_BASE_ADDR)
________________________________________________________________________________________________________
*** CID 1262213: Out-of-bounds access (ARRAY_VS_SINGLETON)
/src/cpu/x86/car.c: 102 in do_car_migrate_variables()
96 car_migrated = ~0;
97
98 /* Call all the migration functions. */
99 migrate_func = &_car_migrate_start;
100 while (*migrate_func != NULL) {
101 (*migrate_func)();
> > > CID 1262213: Out-of-bounds access (ARRAY_VS_SINGLETON)
> > > Using "migrate_func" as an array. This might corrupt or misinterpret adjacent \
> > > memory locations.
102 migrate_func++;
103 }
104 }
105
106 void car_migrate_variables(void)
107 {
108 if (!IS_ENABLED(CONFIG_BROKEN_CAR_MIGRATE))
109 do_car_migrate_variables();
________________________________________________________________________________________________________
*** CID 1262212: Unchecked return value (CHECKED_RETURN)
/src/cpu/intel/hyperthreading/intel_sibling.c: 49 in intel_sibling_init()
43 unsigned i, siblings;
44 struct cpuid_result result;
45
46 /* On the bootstrap processor see if I want sibling cpus enabled */
47 if (first_time) {
48 first_time = 0;
> > > CID 1262212: Unchecked return value (CHECKED_RETURN)
> > > Calling "get_option" without checking return value (as is done elsewhere 15 out \
> > > of 18 times).
49 get_option(&disable_siblings, "hyper_threading");
50 }
51 result = cpuid(1);
52 /* Is hyperthreading supported */
53 if (!(result.edx & (1 << 28))) {
54 return;
________________________________________________________________________________________________________
*** CID 1262211: Unchecked return value (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/lpc.c: 220 in i82801gx_power_options()
214 // reg8 &= ~(1 << 2); /* PCI SERR# Enable */
215 reg8 |= (1 << 2); /* PCI SERR# Disable for now */
216 outb(reg8, 0x61);
217
218 reg8 = inb(0x70);
219 nmi_option = NMI_OFF;
> > > CID 1262211: Unchecked return value (CHECKED_RETURN)
> > > Calling "get_option" without checking return value (as is done elsewhere 15 out \
> > > of 18 times).
220 get_option(&nmi_option, "nmi");
221 if (nmi_option) {
222 printk(BIOS_INFO, "NMI sources enabled.\n");
223 reg8 &= ~(1 << 7); /* Set NMI. */
224 } else {
225 printk(BIOS_INFO, "NMI sources disabled.\n");
________________________________________________________________________________________________________
*** CID 1262210: Unchecked return value (CHECKED_RETURN)
/src/southbridge/intel/i82801gx/smihandler.c: 286 in southbridge_smi_sleep()
280 u8 s5pwr = CONFIG_MAINBOARD_POWER_ON_AFTER_POWER_FAIL;
281
282 // save and recover RTC port values
283 u8 tmp70, tmp72;
284 tmp70 = inb(0x70);
285 tmp72 = inb(0x72);
> > > CID 1262210: Unchecked return value (CHECKED_RETURN)
> > > Calling "get_option" without checking return value (as is done elsewhere 15 out \
> > > of 18 times).
286 get_option(&s5pwr, "power_on_after_fail");
287 outb(tmp70, 0x70);
288 outb(tmp72, 0x72);
289
290 /* First, disable further SMIs */
291 reg8 = inb(pmbase + SMI_EN);
________________________________________________________________________________________________________
*** CID 1262209: Logically dead code (DEADCODE)
/src/soc/intel/broadwell/igd.c: 429 in igd_cdclk_init_broadwell()
423 /* CD clock frequency 675MHz not supported on ULT */
424 if (cpu_is_ult() && cdclk == GT_CDCLK_675)
425 cdclk = GT_CDCLK_540;
426
427 /* Set variables based on CD Clock setting */
428 switch (cdclk) {
> > > CID 1262209: Logically dead code (DEADCODE)
> > > Execution cannot reach this statement: "case 0:".
429 case GT_CDCLK_337:
430 cdset = 337;
431 lpcll = (1 << 27);
432 pwctl = 2;
433 dpdiv = 169;
434 break;
________________________________________________________________________________________________________
*** CID 1262208: Division or modulo by zero (DIVIDE_BY_ZERO)
/payloads/libpayload/arch/arm64/main.c: 46 in test_exception()
40 int test_exception(void);
41 int test_exception(void)
42 {
43 int a = 1;
44 int b = 0;
45 test_exc = 1;
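> > > CID 1262208: Division or modulo by zero (DIVIDE_BY_ZERO)
> > > In expression "a / b", division by expression "b" which may be zero has undefined behavior.
> > > [Reviewer note: "b" is initialized to 0 at line 44 and the function is named test_exception, so the division looks like a deliberate fault trigger; confirm intent before triaging, since undefined behavior is not guaranteed to raise an exception.]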
46 return a/b;
47 }
48
49 /**
50 * This is our C entry function - set up the system
51 * and jump into the payload entry point.
________________________________________________________________________________________________________
*** CID 1262207: Self assignment (NO_EFFECT)
/src/soc/intel/broadwell/finalize.c: 107 in broadwell_finalize()
101 reg_script_run_on_dev(PCH_DEV_LPC, pch_finalize_script);
102
103 /* Read+Write the following registers */
104 MCHBAR32(0x6030) = MCHBAR32(0x6030);
105 MCHBAR32(0x6034) = MCHBAR32(0x6034);
106 MCHBAR32(0x6008) = MCHBAR32(0x6008);
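> > > CID 1262207: Self assignment (NO_EFFECT)
> > > Assignment operation "*(u32 volatile *)0xfed1e1a4 = *(u32 volatile *)0xfed1e1a4" has no effect.
> > > [Reviewer note: both sides are volatile accesses and the comment at line 103 says "Read+Write the following registers", so the read-then-write-back appears intentional; lines 104-106 use the same pattern.]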
107 RCBA32(0x21a4) = RCBA32(0x21a4);
108
109 /* Re-init SPI after lockdown */
110 spi_init();
111
112 /* Lock down management engine */
________________________________________________________________________________________________________
*** CID 1262206: Unsigned compared against 0 (NO_EFFECT)
/payloads/libpayload/libc/memory.c: 91 in default_memmove()
85
86 offs = n - (n % sizeof(unsigned long));
87
88 for (i = (n % sizeof(unsigned long)) - 1; i >= 0; i--)
89 ((u8 *)dst)[i + offs] = ((u8 *)src)[i + offs];
90
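> > > CID 1262206: Unsigned compared against 0 (NO_EFFECT)
> > > This greater-than-or-equal-to-zero comparison of an unsigned value is always true. "i >= 0UL".
> > > [Reviewer note: because "i" is unsigned, decrementing it past 0 wraps to the maximum value instead of going negative, so the condition never ends the loop and the next iteration indexes far outside the buffers. The loop at line 88 has the same "i >= 0" condition.]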
91 for (i = n / sizeof(unsigned long) - 1; i >= 0; i--)
92 ((unsigned long *)dst)[i] = ((unsigned long *)src)[i];
93
94 return dst;
95 }
96
________________________________________________________________________________________________________
*** CID 1262205: Dereference null return value (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 192 in print_fsp_info()
186 if ((u32)fsp_header_ptr < 0xff) {
187 post_code(0x4F); /* output something in case there is no serial */
188 die("Can't find the FSP!\n");
189 }
190
191 if (FspHobListPtr == NULL) {
> > > CID 1262205: Dereference null return value (NULL_RETURNS)
> > > Dereferencing a null pointer "cbmem_find(1213153825U)".
192 FspHobListPtr = (void*)*((u32*) cbmem_find(CBMEM_ID_HOB_POINTER));
193 }
194
195 printk(BIOS_SPEW,"fsp_header_ptr: %p\n", fsp_header_ptr);
196 printk(BIOS_INFO,"FSP Header Version: %d\n", fsp_header_ptr->HeaderRevision);
197 printk(BIOS_INFO,"FSP Revision: %d.%d\n",
________________________________________________________________________________________________________
*** CID 1262204: Dereference null return value (NULL_RETURNS)
/src/drivers/intel/fsp/fsp_util.c: 265 in find_fsp_hob_update_mrc()
259 }
260 #endif /* CONFIG_ENABLE_MRC_CACHE */
261
262 static void find_fsp_hob_update_mrc(void *unused)
263 {
264 /* Set the global HOB list pointer */
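> > > CID 1262204: Dereference null return value (NULL_RETURNS)
> > > Dereferencing a null pointer "cbmem_find(1213153825U)".
> > > [Reviewer note: the check at line 267 tests the value loaded through the pointer, not the pointer returned by cbmem_find(), so it cannot catch a failed lookup; the dereference at line 265 has already happened by then.]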
265 FspHobListPtr = (void*)*((u32*) cbmem_find(CBMEM_ID_HOB_POINTER));
266
267 if (!FspHobListPtr){
268 printk(BIOS_ERR, "ERROR: Could not find FSP HOB pointer in CBFS!\n");
269 } else {
270 /* 0x0000: Print all types */
________________________________________________________________________________________________________
*** CID 1262203: Out-of-bounds read (OVERRUN)
/coreboot-builds/amd_olivehillplus/agesa/amdlib.c: 1411 in IdsErrorStop()
1405 } post = {0xDEAD, FileCode, 0xDEAD, FileCode};
1406 UINT16 offset = 0;
1407 UINT16 j;
1408
1409 while(1) {
1410 offset %= sizeof(struct POST) / 2;
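> > > CID 1262203: Out-of-bounds read (OVERRUN)
> > > Overrunning array of 3 4-byte elements at element index 15 (byte offset 60) by dereferencing pointer "(UINT32 *)(&post + offset)".
> > > [Reviewer note: the addition is done before the cast, so "&post + offset" steps in units of sizeof(struct POST) rather than 4 bytes; with "offset" limited to sizeof(struct POST) / 2 - 1 by line 1410, the furthest read starts 60 bytes from the start of a 12-byte object, matching the reported offset.]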
1411 WriteIo32(80, *((UINT32*)(&post+offset)));
1412 ++offset;
1413 for (j=0; j<250; ++j) {
1414 ReadIo8(80);
1415 }
1416 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, \
http://scan.coverity.com/projects/1016?tab=overview
To manage Coverity Scan email notifications for "coreboot@coreboot.org", click \
http://scan.coverity.com/subscriptions/edit?email=coreboot%40coreboot.org&token=8ddd1fe26945626880b796e94d465567 \
.
--
coreboot mailing list: coreboot@coreboot.org
http://www.coreboot.org/mailman/listinfo/coreboot