List: linuxbios
Subject: [coreboot] New Defects reported by Coverity Scan for coreboot
From: scan-admin () coverity ! com
Date: 2018-02-20 16:24:55
Message-ID: 5a8c4bd760b0b_1c43d422f0c117c () node1 ! mail
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
24 new defect(s) introduced to coreboot found with Coverity Scan.
14 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 24 defect(s)
** CID 1383919: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/partitioned_file.c: 201 in partitioned_file_reopen()
________________________________________________________________________________________________________
*** CID 1383919: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/partitioned_file.c: 201 in partitioned_file_reopen()
195 }
196
197 const struct fmap_area *fmap_fmap_entry =
198 fmap_find_area(file->fmap, SECTION_NAME_FMAP);
199
200 if (!fmap_fmap_entry)
> > > CID 1383919: Resource leaks (RESOURCE_LEAK)
> > > Variable "file" going out of scope leaks the storage it points to.
201 return NULL;
202
203 if ((long)fmap_fmap_entry->offset != fmap_region_offset) {
204 ERROR("FMAP's '%s' section doesn't point back to FMAP start (did something \
corrupt this file?)\n", 205 SECTION_NAME_FMAP);
206 partitioned_file_close(file);
** CID 1361275: (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 839 in parse_subpart_dir()
________________________________________________________________________________________________________
*** CID 1361275: (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 832 in parse_subpart_dir()
826 memcpy(hdr.name, data + offset, sizeof(hdr.name));
827 offset += sizeof(hdr.name);
828
829 validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name);
830
831 assert(size > subpart_dir_size(&hdr));
> > > CID 1361275: (TAINTED_SCALAR)
> > > Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
832 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir");
833 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
834
835 /* Read Subpart Dir entries. */
836 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
837 struct subpart_dir_entry *e = &subpart_dir->e[0];
/util/cbfstool/ifwitool.c: 839 in parse_subpart_dir()
833 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
834
835 /* Read Subpart Dir entries. */
836 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
837 struct subpart_dir_entry *e = &subpart_dir->e[0];
838 uint32_t i;
> > > CID 1361275: (TAINTED_SCALAR)
> > > Using tainted variable "hdr.num_entries" as a loop boundary.
839 for (i = 0; i < hdr.num_entries; i++) {
840 memcpy(e[i].name, data + offset, sizeof(e[i].name));
841 offset += sizeof(e[i].name);
842 offset = read_member(data, offset, sizeof(e[i].offset),
843 &e[i].offset);
844 offset = read_member(data, offset, sizeof(e[i].length),
** CID 1361274: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1361274: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 718 in alloc_bpdt_buffer()
712 {
713 struct bpdt_header bpdt_header;
714 assert((offset + BPDT_HEADER_SIZE) < size);
715 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name);
716
717 /* Buffer to read BPDT header and entries. */
> > > CID 1361274: Insecure data handling (TAINTED_SCALAR)
> > > Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
718 alloc_buffer(b, get_bpdt_size(&bpdt_header), name);
719
720 struct bpdt *bpdt = buffer_get(b);
721 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE);
722
723 /*
** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1301 in init_subpart_dir_entry()
________________________________________________________________________________________________________
*** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1301 in init_subpart_dir_entry()
1295 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e,
1296 struct buffer *b, size_t offset)
1297 {
1298 memset(e, 0, sizeof(*e));
1299
1300 assert(strlen(b->name) <= sizeof(e->name));
> > > CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
> > > Calling strncpy with a maximum size argument of 12 bytes on destination array \
> > > "e->name" of size 12 bytes might leave the destination string unterminated.
1301 strncpy((char *)e->name, (char *)b->name, sizeof(e->name));
1302 e->offset = offset;
1303 e->length = buffer_size(b);
1304
1305 return (offset + buffer_size(b));
1306 }
** CID 1353022: Error handling issues (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
________________________________________________________________________________________________________
*** CID 1353022: Error handling issues (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
291 begin_update(&context);
292 /* Signing the bct. */
293 e = sign_bct(&context, context.bct);
294 if (e != 0)
295 printf("Signing BCT failed, error: %d.\n", e);
296
> > > CID 1353022: Error handling issues (CHECKED_RETURN)
> > > Calling "fwrite" without checking return value (as is done elsewhere 39 out of \
> > > 48 times).
297 fwrite(context.bct, 1, context.bct_size,
298 context.raw_file);
299 printf("New BCT file %s has been successfully generated!\n",
300 context.output_image_filename);
301 goto fail;
302 }
** CID 1353020: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 372 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353020: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 372 in integrate_psp_firmwares()
366 fd = open(fw_table[i].filename, O_RDONLY);
367 if (fd < 0) {
368 printf("Error: %s\n", strerror(errno));
369 free(base);
370 exit(1);
371 }
> > > CID 1353020: Error handling issues (CHECKED_RETURN)
> > > Calling "fstat(fd, &fd_stat)" without checking return value. This library \
> > > function may fail and return an error code. [Note: The source code \
> > > implementation of the function has been overridden by a builtin model.]
372 fstat(fd, &fd_stat);
373 pspdir[4+4*i+1] = (uint32_t)fd_stat.st_size;
374
375 pspdir[4+4*i+2] = pos + rom_base_address;
376 pspdir[4+4*i+3] = 0;
377
** CID 1353018: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 301 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353018: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 301 in integrate_firmwares()
295 fd = open(fw_table[i].filename, O_RDONLY);
296 if (fd < 0) {
297 printf("Error: %s\n", strerror(errno));
298 free(base);
299 exit(1);
300 }
> > > CID 1353018: Error handling issues (CHECKED_RETURN)
> > > Calling "fstat(fd, &fd_stat)" without checking return value. This library \
> > > function may fail and return an error code. [Note: The source code \
> > > implementation of the function has been overridden by a builtin model.]
301 fstat(fd, &fd_stat);
302
303 switch (fw_table[i].type) {
304 case AMD_FW_IMC:
305 pos = ALIGN(pos, 0x10000U);
306 romsig[1] = pos + rom_base_address;
** CID 1347335: (UNINIT)
/util/cbfstool/elfheaders.c: 1000 in write_phdrs()
/util/cbfstool/elfheaders.c: 1002 in write_phdrs()
/util/cbfstool/elfheaders.c: 1003 in write_phdrs()
/util/cbfstool/elfheaders.c: 1004 in write_phdrs()
________________________________________________________________________________________________________
*** CID 1347335: (UNINIT)
/util/cbfstool/elfheaders.c: 1000 in write_phdrs()
994 } else {
995 /* Accumulate file size and memsize. The assumption
996 * is that each section is either NOBITS or full
997 * (sh_size == file size). This is standard in that
998 * an ELF section doesn't have a file size component. */
999 if (sec->shdr.sh_flags & SHF_EXECINSTR)
> > > CID 1347335: (UNINIT)
> > > Using uninitialized value "phdr.p_flags".
1000 phdr.p_flags |= PF_X | PF_R;
1001 if (sec->shdr.sh_flags & SHF_WRITE)
1002 phdr.p_flags |= PF_W;
1003 phdr.p_filesz += buffer_size(&sec->content);
1004 phdr.p_memsz += sec->shdr.sh_size;
1005 }
/util/cbfstool/elfheaders.c: 1002 in write_phdrs()
996 * is that each section is either NOBITS or full
997 * (sh_size == file size). This is standard in that
998 * an ELF section doesn't have a file size component. */
999 if (sec->shdr.sh_flags & SHF_EXECINSTR)
1000 phdr.p_flags |= PF_X | PF_R;
1001 if (sec->shdr.sh_flags & SHF_WRITE)
> > > CID 1347335: (UNINIT)
> > > Using uninitialized value "phdr.p_flags".
1002 phdr.p_flags |= PF_W;
1003 phdr.p_filesz += buffer_size(&sec->content);
1004 phdr.p_memsz += sec->shdr.sh_size;
1005 }
1006 }
1007
/util/cbfstool/elfheaders.c: 1003 in write_phdrs()
997 * (sh_size == file size). This is standard in that
998 * an ELF section doesn't have a file size component. */
999 if (sec->shdr.sh_flags & SHF_EXECINSTR)
1000 phdr.p_flags |= PF_X | PF_R;
1001 if (sec->shdr.sh_flags & SHF_WRITE)
1002 phdr.p_flags |= PF_W;
> > > CID 1347335: (UNINIT)
> > > Using uninitialized value "phdr.p_filesz".
1003 phdr.p_filesz += buffer_size(&sec->content);
1004 phdr.p_memsz += sec->shdr.sh_size;
1005 }
1006 }
1007
1008 /* Write out the last phdr. */
/util/cbfstool/elfheaders.c: 1004 in write_phdrs()
998 * an ELF section doesn't have a file size component. */
999 if (sec->shdr.sh_flags & SHF_EXECINSTR)
1000 phdr.p_flags |= PF_X | PF_R;
1001 if (sec->shdr.sh_flags & SHF_WRITE)
1002 phdr.p_flags |= PF_W;
1003 phdr.p_filesz += buffer_size(&sec->content);
> > > CID 1347335: (UNINIT)
> > > Using uninitialized value "phdr.p_memsz".
1004 phdr.p_memsz += sec->shdr.sh_size;
1005 }
1006 }
1007
1008 /* Write out the last phdr. */
1009 if (num_needs_write != num_written) {
** CID 1302457: Control flow issues (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 486 in fmap_append_area_test()
________________________________________________________________________________________________________
*** CID 1302457: Control flow issues (MISSING_RESTORE)
/util/cbfstool/flashmap/fmap.c: 486 in fmap_append_area_test()
480 printf("FAILURE: failed to increment number of areas\n");
481 goto fmap_append_area_test_exit;
482 }
483
484 status = pass;
485 fmap_append_area_test_exit:
> > > CID 1302457: Control flow issues (MISSING_RESTORE)
> > > Value of non-local "(*fmap)->nareas" that was saved in "nareas_orig" is not \
> > > restored as it was along other paths.
486 return status;
487 }
488
489 static int fmap_find_area_test(struct fmap *fmap)
490 {
491 status = fail;
** CID 1302456: Error handling issues (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
________________________________________________________________________________________________________
*** CID 1302456: Error handling issues (NEGATIVE_RETURNS)
/util/cbfstool/flashmap/fmap.c: 601 in fmap_find_test()
595 printf("FAILURE: bsearch returned false positive\n");
596 goto fmap_find_test_exit;
597 }
598
599 /* simple test case: fmap at (total_size / 2) + 1 */
600 offset = (total_size / 2) + 1;
> > > CID 1302456: Error handling issues (NEGATIVE_RETURNS)
> > > "fmap_size(fmap)" is passed to a parameter that cannot be negative. [Note: The \
> > > source code implementation of the function has been overridden by a builtin \
> > > model.]
601 memcpy(&buf[offset], fmap, fmap_size(fmap));
602
603 if ((unsigned)fmap_find(buf, total_size - 1) != offset) {
604 printf("FAILURE: lsearch failed to find fmap\n");
605 goto fmap_find_test_exit;
606 }
** CID 1302453: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________
*** CID 1302453: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560
561 status = pass;
562 fmap_flags_to_string_test_exit:
> > > CID 1302453: Resource leaks (RESOURCE_LEAK)
> > > Variable "my_str" going out of scope leaks the storage it points to.
563 return status;
564
565 }
566
567 static int fmap_find_test(struct fmap *fmap)
568 {
** CID 1302452: (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
________________________________________________________________________________________________________
*** CID 1302452: (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560
561 status = pass;
562 fmap_flags_to_string_test_exit:
> > > CID 1302452: (RESOURCE_LEAK)
> > > Variable "str" going out of scope leaks the storage it points to.
563 return status;
564
565 }
566
567 static int fmap_find_test(struct fmap *fmap)
568 {
/util/cbfstool/flashmap/fmap.c: 563 in fmap_flags_to_string_test()
557 }
558 free(my_str);
559 free(str);
560
561 status = pass;
562 fmap_flags_to_string_test_exit:
> > > CID 1302452: (RESOURCE_LEAK)
> > > Variable "str" going out of scope leaks the storage it points to.
563 return status;
564
565 }
566
567 static int fmap_find_test(struct fmap *fmap)
568 {
** CID 1302451: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 240 in fmap_print()
________________________________________________________________________________________________________
*** CID 1302451: Resource leaks (RESOURCE_LEAK)
/util/cbfstool/flashmap/fmap.c: 240 in fmap_print()
234 kv_pair_fmt(pair, "area_flags_raw", "0x%02x",
235 fmap->areas[i].flags);
236
237 /* Print descriptive strings for flags rather than the field */
238 flags = fmap->areas[i].flags;
239 if ((str = fmap_flags_to_string(flags)) == NULL)
> > > CID 1302451: Resource leaks (RESOURCE_LEAK)
> > > Variable "pair" going out of scope leaks the storage it points to.
240 return -1;
241 kv_pair_fmt(pair, "area_flags", "%s", str);
242 free(str);
243
244 kv_pair_print(pair);
245 kv_pair_free(pair);
** CID 1241790: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip()
________________________________________________________________________________________________________
*** CID 1241790: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 653 in Bt2_MatchFinder_Skip()
647 static void Bt2_MatchFinder_Skip(struct CMatchFinder *p, uint32_t num)
648 {
649 do
650 {
651 SKIP_HEADER(2)
652 HASH2_CALC;
> > > CID 1241790: Insecure data handling (TAINTED_SCALAR)
> > > Using tainted variable "hashValue" as an index to pointer "p->hash".
653 curMatch = p->hash[hashValue];
654 p->hash[hashValue] = p->pos;
655 SKIP_FOOTER
656 }
657 while (--num != 0);
658 }
** CID 1241788: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches()
________________________________________________________________________________________________________
*** CID 1241788: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/lzma/C/LzFind.c: 489 in Bt2_MatchFinder_GetMatches()
483
484 static uint32_t Bt2_MatchFinder_GetMatches(struct CMatchFinder *p, uint32_t \
*distances) 485 {
486 uint32_t offset;
487 GET_MATCHES_HEADER(2)
488 HASH2_CALC;
> > > CID 1241788: Insecure data handling (TAINTED_SCALAR)
> > > Using tainted variable "hashValue" as an index to pointer "p->hash".
489 curMatch = p->hash[hashValue];
490 p->hash[hashValue] = p->pos;
491 offset = 0;
492 GET_MATCHES_FOOTER(offset, 1)
493 }
494
** CID 1229710: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()
________________________________________________________________________________________________________
*** CID 1229710: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()
259 ehdr = &pelf->ehdr;
260 /* cons up an input buffer for the headers.
261 * Note that the program headers can be anywhere,
262 * per the ELF spec, You'd be surprised how many ELF
263 * readers miss this little detail.
264 */
> > > CID 1229710: Integer handling issues (SIGN_EXTENSION)
> > > Suspicious implicit sign extension: "ehdr->e_phentsize" with type "Elf64_Half" \
> > > (16 bits, unsigned) is promoted in "ehdr->e_phentsize * ehdr->e_phnum" to type \
> > > "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, \
> > > unsigned). If "ehdr->e_phentsize * ehdr->e_phnum" is greater than 0x7FFFFFFF, \
> > > the upper bits of the result will all be 1.
265 buffer_splice(&b, in, ehdr->e_phoff, ehdr->e_phentsize * ehdr->e_phnum);
266 if (check_size(in, ehdr->e_phoff, buffer_size(&b), "program headers"))
267 return -1;
268
269 /* gather up all the phdrs.
270 * We do them all at once because there is more
** CID 1229709: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()
________________________________________________________________________________________________________
*** CID 1229709: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 265 in phdr_read()
259 ehdr = &pelf->ehdr;
260 /* cons up an input buffer for the headers.
261 * Note that the program headers can be anywhere,
262 * per the ELF spec, You'd be surprised how many ELF
263 * readers miss this little detail.
264 */
> > > CID 1229709: Integer handling issues (SIGN_EXTENSION)
> > > Suspicious implicit sign extension: "ehdr->e_phnum" with type "Elf64_Half" (16 \
> > > bits, unsigned) is promoted in "ehdr->e_phentsize * ehdr->e_phnum" to type \
> > > "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, \
> > > unsigned). If "ehdr->e_phentsize * ehdr->e_phnum" is greater than 0x7FFFFFFF, \
> > > the upper bits of the result will all be 1.
265 buffer_splice(&b, in, ehdr->e_phoff, ehdr->e_phentsize * ehdr->e_phnum);
266 if (check_size(in, ehdr->e_phoff, buffer_size(&b), "program headers"))
267 return -1;
268
269 /* gather up all the phdrs.
270 * We do them all at once because there is more
** CID 1229708: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()
________________________________________________________________________________________________________
*** CID 1229708: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()
301
302 /* cons up an input buffer for the section headers.
303 * Note that the section headers can be anywhere,
304 * per the ELF spec, You'd be surprised how many ELF
305 * readers miss this little detail.
306 */
> > > CID 1229708: Integer handling issues (SIGN_EXTENSION)
> > > Suspicious implicit sign extension: "ehdr->e_shentsize" with type "Elf64_Half" \
> > > (16 bits, unsigned) is promoted in "ehdr->e_shentsize * ehdr->e_shnum" to type \
> > > "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, \
> > > unsigned). If "ehdr->e_shentsize * ehdr->e_shnum" is greater than 0x7FFFFFFF, \
> > > the upper bits of the result will all be 1.
307 buffer_splice(&b, in, ehdr->e_shoff, ehdr->e_shentsize * ehdr->e_shnum);
308 if (check_size(in, ehdr->e_shoff, buffer_size(&b), "section headers"))
309 return -1;
310
311 /* gather up all the shdrs. */
312 shdr = calloc(ehdr->e_shnum, sizeof(*shdr));
** CID 1229707: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()
________________________________________________________________________________________________________
*** CID 1229707: Integer handling issues (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 307 in shdr_read()
301
302 /* cons up an input buffer for the section headers.
303 * Note that the section headers can be anywhere,
304 * per the ELF spec, You'd be surprised how many ELF
305 * readers miss this little detail.
306 */
> > > CID 1229707: Integer handling issues (SIGN_EXTENSION)
> > > Suspicious implicit sign extension: "ehdr->e_shnum" with type "Elf64_Half" (16 \
> > > bits, unsigned) is promoted in "ehdr->e_shentsize * ehdr->e_shnum" to type \
> > > "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, \
> > > unsigned). If "ehdr->e_shentsize * ehdr->e_shnum" is greater than 0x7FFFFFFF, \
> > > the upper bits of the result will all be 1.
307 buffer_splice(&b, in, ehdr->e_shoff, ehdr->e_shentsize * ehdr->e_shnum);
308 if (check_size(in, ehdr->e_shoff, buffer_size(&b), "section headers"))
309 return -1;
310
311 /* gather up all the shdrs. */
312 shdr = calloc(ehdr->e_shnum, sizeof(*shdr));
** CID 1229706: (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 1181 in elf_writer_serialize()
/util/cbfstool/elfheaders.c: 1204 in elf_writer_serialize()
________________________________________________________________________________________________________
*** CID 1229706: (SIGN_EXTENSION)
/util/cbfstool/elfheaders.c: 1181 in elf_writer_serialize()
1175 }
1176 }
1177 ew->ehdr.e_shnum = ew->num_secs;
1178 metadata_size = 0;
1179 metadata_size += ew->ehdr.e_ehsize;
1180 metadata_size += ew->ehdr.e_shnum * ew->ehdr.e_shentsize;
> > > CID 1229706: (SIGN_EXTENSION)
> > > Suspicious implicit sign extension: "ew->ehdr.e_phentsize" with type \
> > > "Elf64_Half" (16 bits, unsigned) is promoted in "ew->ehdr.e_phnum * \
> > > ew->ehdr.e_phentsize" to type "int" (32 bits, signed), then sign-extended to \
> > > type "unsigned long" (64 bits, unsigned). If "ew->ehdr.e_phnum * \
> > > ew->ehdr.e_phentsize" is greater than 0x7FFFFFFF, the upper bits of the result \
> > > will all be 1.
1181 metadata_size += ew->ehdr.e_phnum * ew->ehdr.e_phentsize;
1182 shstroffset = metadata_size;
1183 /* Align up section header string size and metadata size to 4KiB */
1184 metadata_size = ALIGN(metadata_size + shstrlen, 4096);
1185
1186 if (buffer_create(out, metadata_size + program_size, "elfout")) {
/util/cbfstool/elfheaders.c: 1204 in elf_writer_serialize()
1198 ew->ehdr.e_shoff = ew->ehdr.e_ehsize;
1199 ew->ehdr.e_phoff = ew->ehdr.e_shoff +
1200 ew->ehdr.e_shnum * ew->ehdr.e_shentsize;
1201
1202 buffer_splice(&metadata, out, 0, metadata_size);
1203 buffer_splice(&phdrs, out, ew->ehdr.e_phoff,
> > > CID 1229706: (SIGN_EXTENSION)
> > > Suspicious implicit sign extension: "ew->ehdr.e_phentsize" with type \
> > > "Elf64_Half" (16 bits, unsigned) is promoted in "ew->ehdr.e_phnum * \
> > > ew->ehdr.e_phentsize" to type "int" (32 bits, signed), then sign-extended to \
> > > type "unsigned long" (64 bits, unsigned). If "ew->ehdr.e_phnum * \
> > > ew->ehdr.e_phentsize" is greater than 0x7FFFFFFF, the upper bits of the result \
> > > will all be 1.
1204 ew->ehdr.e_phnum * ew->ehdr.e_phentsize);
1205 buffer_splice(&data, out, metadata_size, program_size);
1206 /* Set up the section header string table contents. */
1207 strtab = &ew->shstrtab_sec->content;
1208 buffer_splice(strtab, out, shstroffset, shstrlen);
1209 ew->shstrtab_sec->shdr.sh_size = shstrlen;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, \
https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch- \
2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ \
4cvAsgEXEqC7dBPM7O5YlaIoZ9FRM1ZQOliQrFonPEjZsIkM-2FsFb9jFb5BkaQ4DqJaxXXFNPPbidAF0E5gb1 \
vH-2ButoNvJ1M3jxRiRaerw4mHvzWzRmTERKl5pzKEVJo-2Feh8L69CGDIgbcoYwZHDQbiwSqLiM-2BftqiOXy42xFIIEuEt37-2FT7g11msUdFgp-2FkMDG9tEWUq-2BhTcaLt-2FtCNI-3D
--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot