[prev in list] [next in list] [prev in thread] [next in thread]
List: linuxbios
Subject: [coreboot] New Defects reported by Coverity Scan for coreboot
From: scan-admin--- via coreboot <coreboot () coreboot ! org>
Date: 2022-03-30 17:07:30
Message-ID: 62448e51e73de_67b172b1bf91e19b01965 () prd-scan-dashboard-0 ! mail
[Download RAW message or body]
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with \
Coverity Scan.
200 new defect(s) introduced to coreboot found with Coverity Scan.
26 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent \
build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 200 defect(s)
** CID 1487449: Memory - corruptions (STRING_OVERFLOW)
________________________________________________________________________________________________________
*** CID 1487449: Memory - corruptions (STRING_OVERFLOW)
/src/arch/x86/smbios_defaults.c: 27 in smbios_fill_dimm_asset_tag()
21 __weak void smbios_fill_dimm_asset_tag(const struct dimm_info *dimm, struct \
smbios_type17 *t) 22 {
23 char buf[40];
24
25 snprintf(buf, sizeof(buf), "Channel-%d-DIMM-%d-AssetTag",
26 dimm->channel_num, dimm->dimm_num);
> > > CID 1487449: Memory - corruptions (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 40 \
> > > characters from "buf".
27 t->asset_tag = smbios_add_string(t->eos, buf);
28 }
29
30 __weak smbios_wakeup_type smbios_system_wakeup_type(void)
31 {
32 return SMBIOS_WAKEUP_TYPE_RESERVED;
** CID 1487448: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 1160 in bpdt_fixup_write_buffer()
________________________________________________________________________________________________________
*** CID 1487448: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 1160 in bpdt_fixup_write_buffer()
1154 sizeof(h->xor_redundant_block));
1155 offset = fix_member(&h->ifwi_version, offset, sizeof(h->ifwi_version));
1156 offset = fix_member(&h->fit_tool_version, offset,
1157 sizeof(h->fit_tool_version));
1158
1159 uint32_t i;
> > > CID 1487448: Insecure data handling (TAINTED_SCALAR)
> > > Using tainted variable "count" as a loop boundary.
1160 for (i = 0; i < count; i++) {
1161 offset = fix_member(&e[i].type, offset, sizeof(e[i].type));
1162 offset = fix_member(&e[i].flags, offset, sizeof(e[i].flags));
1163 offset = fix_member(&e[i].offset, offset, sizeof(e[i].offset));
1164 offset = fix_member(&e[i].size, offset, sizeof(e[i].size));
1165 }
** CID 1487447: Audit impact security (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 259 \
in github.com/ulikunitz/xz/internal/xlog.Fatal([]interface{})()
________________________________________________________________________________________________________
*** CID 1487447: Audit impact security (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 259 \
in github.com/ulikunitz/xz/internal/xlog.Fatal([]interface{})() 253 os.Exit(1)
254 }
255
256 // Fatal prints the message like Print and calls os.Exit(1). The
257 // printing might be suppressed by the flag Lnofatal.
258 func Fatal(v ...interface{}) {
> > > CID 1487447: Audit impact security (SUPPRESSED_ERROR)
> > > The error returned by the function "std.Output(2, 64, v)" is not explicitly \
> > > checked.
259 std.Output(2, Lnofatal, v...)
260 os.Exit(1)
261 }
262
263 // Fatalf prints the message like Printf and calls os.Exit(1). The
264 // printing might be suppressed by the flag Lnofatal.
** CID 1487446: Memory - corruptions (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 921 in xhci_destroy_intr_queue()
________________________________________________________________________________________________________
*** CID 1487446: Memory - corruptions (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 921 in xhci_destroy_intr_queue()
915 /* Free all pending transfers and the interrupt queue structure */
916 int i;
917 for (i = 0; i < intrq->count; ++i) {
918 free(phys_to_virt(intrq->next->ptr_low));
919 intrq->next = xhci_next_trb(intrq->next, NULL);
920 }
> > > CID 1487446: Memory - corruptions (OVERRUN)
> > > Overrunning array "xhci->dev[slot_id].interrupt_queues" of 32 4-byte elements \
> > > at element index 255 (byte offset 1023) using index "ep_id" (which evaluates to \
> > > 255).
921 xhci->dev[slot_id].interrupt_queues[ep_id] = NULL;
922 free((void *)intrq);
923
924 /* Reset the controller's dequeue pointer and reinitialize the ring */
925 xhci_cmd_set_tr_dq(xhci, slot_id, ep_id, tr->ring, 1);
926 xhci_init_cycle_ring(tr, TRANSFER_RING_SIZE);
** CID 1487445: Audit impact security (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 372 \
in github.com/ulikunitz/xz/internal/xlog.Debug([]interface{})()
________________________________________________________________________________________________________
*** CID 1487445: Audit impact security (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 372 \
in github.com/ulikunitz/xz/internal/xlog.Debug([]interface{})() 366 l.Output(2, \
Lnodebug, v...) 367 }
368
369 // Debug prints the message like Print. The printing might be suppressed
370 // by the flag Lnodebug.
371 func Debug(v ...interface{}) {
> > > CID 1487445: Audit impact security (SUPPRESSED_ERROR)
> > > The error returned by the function "std.Output(2, 512, v)" is not explicitly \
> > > checked.
372 std.Output(2, Lnodebug, v...)
373 }
374
375 // Debugf prints the message like Printf. The printing might be suppressed
376 // by the flag Lnodebug.
377 func (l *Logger) Debugf(format string, v ...interface{}) {
** CID 1487444: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1487444: Insecure data handling (TAINTED_SCALAR)
/3rdparty/vboot/firmware/lib/tpm2_lite/tlcl.c: 142 in TlclSendReceive()
136 uint32_t TlclSendReceive(const uint8_t *request, uint8_t *response,
137 int max_length)
138 {
139 uint32_t rv, resp_size;
140
141 resp_size = max_length;
> > > CID 1487444: Insecure data handling (TAINTED_SCALAR)
> > > Passing tainted expression "tpm_get_packet_size(request)" to \
> > > "vb2ex_tpm_send_recv", which uses it as an offset.
142 rv = vb2ex_tpm_send_recv(request, tpm_get_packet_size(request),
143 response, &resp_size);
144
145 return rv ? rv : tpm_get_packet_response_code(response);
146 }
147
** CID 1487443: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1487443: Memory - illegal accesses (UNINIT)
/src/vendorcode/amd/agesa/f16kb/Proc/CPU/Family/0x16/KB/F16KbCoreAfterReset.c: 146 in \
F16KbPmCoreAfterReset() 140 HwPsMaxVal = ((CLK_PWR_TIMING_CTRL2_REGISTER *) \
&HwPsMaxVal)->HwPstateMaxVal; 141
142 // Launch each local core to perform steps 1 through 4.
143 TaskPtr.FuncAddress.PfApTask = F16KbPmCoreAfterResetPhase1OnCore;
144 TaskPtr.DataTransfer.DataSizeInDwords = 0;
145 TaskPtr.ExeFlags = WAIT_FOR_CORE;
> > > CID 1487443: Memory - illegal accesses (UNINIT)
> > > Using uninitialized value "TaskPtr.DataTransfer.DataPtr" when calling \
> > > "ApUtilRunCodeOnAllLocalCoresAtEarly".
146 ApUtilRunCodeOnAllLocalCoresAtEarly (&TaskPtr, StdHeader, \
CpuEarlyParamsPtr); 147
148 // Launch each local core to perform steps 5 through 7.
149 TaskPtr.FuncAddress.PfApTaskI = F16KbPmCoreAfterResetPhase2OnCore;
150 TaskPtr.DataTransfer.DataSizeInDwords = 1;
151 TaskPtr.DataTransfer.DataPtr = &HwPsMaxVal;
** CID 1487442: Insecure data handling (TAINTED_SCALAR)
/src/soc/intel/xeon_sp/skx/hob_display.c: 154 in soc_display_iio_universal_data_hob()
________________________________________________________________________________________________________
*** CID 1487442: Insecure data handling (TAINTED_SCALAR)
/src/soc/intel/xeon_sp/skx/hob_display.c: 154 in soc_display_iio_universal_data_hob()
148 printk(BIOS_DEBUG, "\tMaxBusNumber: 0x%x\n", \
hob->PlatformData.MaxBusNumber); 149 printk(BIOS_DEBUG, "\tIoGranularity: \
0x%x\n", hob->PlatformData.IoGranularity); 150 printk(BIOS_DEBUG, \
"\tMmiolGranularity: 0x%x\n", hob->PlatformData.MmiolGranularity); 151 \
printk(BIOS_DEBUG, "\tMmiohGranularity: hi: 0x%x, lo:0x%x\n", 152 \
hob->PlatformData.MmiohGranularity.hi, hob->PlatformData.MmiohGranularity.lo); 153 \
> > > CID 1487442: Insecure data handling (TAINTED_SCALAR)
> > > Using tainted variable "hob->PlatformData.numofIIO" as a loop boundary.
154 for (int s = 0; s < hob->PlatformData.numofIIO; ++s) {
155 printk(BIOS_DEBUG, "\t============ Socket %d Info ================\n", s);
156 printk(BIOS_DEBUG, "\tSocketID: 0x%x\n",
157 hob->PlatformData.IIO_resource[s].SocketID);
158 printk(BIOS_DEBUG, "\tBusBase: 0x%x\n",
159 hob->PlatformData.IIO_resource[s].BusBase);
** CID 1487441: (STRING_OVERFLOW)
________________________________________________________________________________________________________
*** CID 1487441: (STRING_OVERFLOW)
/src/arch/x86/smbios.c: 487 in smbios_write_type2()
481 struct smbios_type2 *t = smbios_carve_table(*current, \
SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle);
483
484 t->manufacturer = smbios_add_string(t->eos, \
smbios_mainboard_manufacturer()); 485 t->product_name = \
smbios_add_string(t->eos, smbios_mainboard_product_name()); 486 t->serial_number \
= smbios_add_string(t->eos, smbios_mainboard_serial_number());
> > > CID 1487441: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 4 \
> > > characters from "smbios_mainboard_version()".
487 t->version = smbios_add_string(t->eos, smbios_mainboard_version());
488 t->asset_tag = smbios_add_string(t->eos, smbios_mainboard_asset_tag());
489 t->feature_flags = smbios_mainboard_feature_flags();
490 t->location_in_chassis = smbios_add_string(t->eos,
491 smbios_mainboard_location_in_chassis());
492 t->board_type = smbios_mainboard_board_type();
/src/arch/x86/smbios.c: 485 in smbios_write_type2()
479 static int smbios_write_type2(unsigned long *current, int handle, const int \
chassis_handle) 480 {
481 struct smbios_type2 *t = smbios_carve_table(*current, \
SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle);
483
484 t->manufacturer = smbios_add_string(t->eos, \
smbios_mainboard_manufacturer());
> > > CID 1487441: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 7 \
> > > characters from "smbios_mainboard_product_name()".
485 t->product_name = smbios_add_string(t->eos, \
smbios_mainboard_product_name()); 486 t->serial_number = \
smbios_add_string(t->eos, smbios_mainboard_serial_number()); 487 t->version = \
smbios_add_string(t->eos, smbios_mainboard_version()); 488 t->asset_tag = \
smbios_add_string(t->eos, smbios_mainboard_asset_tag()); 489 t->feature_flags = \
smbios_mainboard_feature_flags(); 490 t->location_in_chassis = \
smbios_add_string(t->eos,
/src/arch/x86/smbios.c: 484 in smbios_write_type2()
478
479 static int smbios_write_type2(unsigned long *current, int handle, const int \
chassis_handle) 480 {
481 struct smbios_type2 *t = smbios_carve_table(*current, \
SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle);
483
> > > CID 1487441: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 7 \
> > > characters from "smbios_mainboard_manufacturer()".
484 t->manufacturer = smbios_add_string(t->eos, \
smbios_mainboard_manufacturer()); 485 t->product_name = \
smbios_add_string(t->eos, smbios_mainboard_product_name()); 486 t->serial_number \
= smbios_add_string(t->eos, smbios_mainboard_serial_number()); 487 t->version = \
smbios_add_string(t->eos, smbios_mainboard_version()); 488 t->asset_tag = \
smbios_add_string(t->eos, smbios_mainboard_asset_tag()); 489 t->feature_flags = \
smbios_mainboard_feature_flags();
/src/arch/x86/smbios.c: 486 in smbios_write_type2()
480 {
481 struct smbios_type2 *t = smbios_carve_table(*current, \
SMBIOS_BOARD_INFORMATION, 482 sizeof(*t), handle);
483
484 t->manufacturer = smbios_add_string(t->eos, \
smbios_mainboard_manufacturer()); 485 t->product_name = \
smbios_add_string(t->eos, smbios_mainboard_product_name());
> > > CID 1487441: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 10 \
> > > characters from "smbios_mainboard_serial_number()".
486 t->serial_number = smbios_add_string(t->eos, \
smbios_mainboard_serial_number()); 487 t->version = smbios_add_string(t->eos, \
smbios_mainboard_version()); 488 t->asset_tag = smbios_add_string(t->eos, \
smbios_mainboard_asset_tag()); 489 t->feature_flags = \
smbios_mainboard_feature_flags(); 490 t->location_in_chassis = \
smbios_add_string(t->eos, 491 smbios_mainboard_location_in_chassis());
** CID 1487440: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1487440: (OVERRUN)
/src/vendorcode/amd/cimx/sb800/SBCMN.c: 1020 in softwareToggleImcStrapping()
1014 } else {
1015 abValue1 &= ~BIT2; // bit2=0 EcEnableStrap
1016 }
1017 WriteMEM ((ACPI_MMIO_BASE + MISC_BASE + SB_MISC_REG84), AccWidthUint32, \
&abValue1); 1018 dbValue |= BIT6; // PwrGoodOut =1
1019 dbValue &= ~BIT7; // PwrGoodEnB =0
> > > CID 1487440: (OVERRUN)
> > > Overrunning buffer pointed to by "&dbValue" of 1 bytes by passing it to a \
> > > function which accesses it at byte offset 2.
1020 WritePMIO (SB_PMIOA_REGBF, AccWidthUint8, &dbValue);
1021
1022 dbValue = 06;
1023 WriteIO (0xcf9, AccWidthUint8, &dbValue);
1024 SbStall (0xffffffff);
1025 }
/src/vendorcode/amd/cimx/sb800/SBCMN.c: 984 in softwareToggleImcStrapping()
978 UINT8 dbPortStatus;
979 UINT32 abValue;
980 UINT32 abValue1;
981
982 getChipSysMode (&dbPortStatus);
983
> > > CID 1487440: (OVERRUN)
> > > Overrunning buffer pointed to by "&dbValue" of 1 bytes by passing it to a \
> > > function which accesses it at byte offset 2.
984 ReadPMIO (SB_PMIOA_REGBF, AccWidthUint8, &dbValue);
985 //if ( (dbValue & (BIT6 + BIT7)) != 0xC0 ) { // PwrGoodOut =1, \
PwrGoodEnB=1 986 //The strapStatus register is not mapped into StrapOveride not \
in the same bit position. The following is difference. 987
988 //StrapStatus StrapOverride
989 // bit4 bit17
** CID 1487439: Memory - illegal accesses (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 744 in xhci_bulk()
________________________________________________________________________________________________________
*** CID 1487439: Memory - illegal accesses (OVERRUN)
/payloads/libpayload/drivers/usb/xhci.c: 744 in xhci_bulk()
738
739 u8 *data = src;
740 xhci_t *const xhci = XHCI_INST(ep->dev->controller);
741 const int slot_id = ep->dev->address;
742 const int ep_id = xhci_ep_id(ep);
743 epctx_t *const epctx = xhci->dev[slot_id].ctx.ep[ep_id];
> > > CID 1487439: Memory - illegal accesses (OVERRUN)
> > > Overrunning array "xhci->dev[slot_id].transfer_rings" of 32 4-byte elements at \
> > > element index 255 (byte offset 1023) using index "ep_id" (which evaluates to \
> > > 255).
744 transfer_ring_t *const tr = xhci->dev[slot_id].transfer_rings[ep_id];
745
746 const size_t off = (size_t)data & 0xffff;
747 if ((off + size) > ((TRANSFER_RING_SIZE - 2) << 16)) {
748 xhci_debug("Unsupported transfer size\n");
749 return -1;
** CID 1487438: (UNSAFE_FUNCTIONALITY)
/home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: \
1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)()
/home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: \
1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)()
________________________________________________________________________________________________________
*** CID 1487438: (UNSAFE_FUNCTIONALITY)
/home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: \
1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)() 1744
1745 func direntIno(buf []byte) (uint64, bool) {
1746 return readInt(buf, unsafe.Offsetof(Dirent{}.Ino), \
unsafe.Sizeof(Dirent{}.Ino)) 1747 }
1748
1749 func direntReclen(buf []byte) (uint64, bool) {
> > > CID 1487438: (UNSAFE_FUNCTIONALITY)
> > > Using unsafe function Offsetof.
1750 return readInt(buf, unsafe.Offsetof(Dirent{}.Reclen), \
unsafe.Sizeof(Dirent{}.Reclen)) 1751 }
1752
1753 func direntNamlen(buf []byte) (uint64, bool) {
1754 reclen, ok := direntReclen(buf)
1755 if !ok {
/home/coreboot/go/pkg/mod/golang.org/x/sys@v0.0.0-20210218155724-8ebf48af031b/unix/syscall_linux.go: \
1750 in golang.org/x/sys/unix.direntReclen([]byte)(uint64, bool)() 1744
1745 func direntIno(buf []byte) (uint64, bool) {
1746 return readInt(buf, unsafe.Offsetof(Dirent{}.Ino), \
unsafe.Sizeof(Dirent{}.Ino)) 1747 }
1748
1749 func direntReclen(buf []byte) (uint64, bool) {
> > > CID 1487438: (UNSAFE_FUNCTIONALITY)
> > > Using unsafe function Sizeof.
1750 return readInt(buf, unsafe.Offsetof(Dirent{}.Reclen), \
unsafe.Sizeof(Dirent{}.Reclen)) 1751 }
1752
1753 func direntNamlen(buf []byte) (uint64, bool) {
1754 reclen, ok := direntReclen(buf)
1755 if !ok {
** CID 1487437: (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 27 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 36 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 37 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 16 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 26 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 30 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 31 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string()
________________________________________________________________________________________________________
*** CID 1487437: (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 27 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 21
22 parts := strings.Split(v.Text('f', -1), ".")
23 pos := 0
24 if len(parts[0])%3 != 0 {
25 pos += len(parts[0]) % 3
26 buf.WriteString(parts[0][:pos])
> > > CID 1487437: (SUPPRESSED_ERROR)
> > > The error returned by the function "buf.Write(comma)" is not explicitly \
> > > checked.
27 buf.Write(comma)
28 }
29 for ; pos < len(parts[0]); pos += 3 {
30 buf.WriteString(parts[0][pos : pos+3])
31 buf.Write(comma)
32 }
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 36 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 30 \
buf.WriteString(parts[0][pos : pos+3]) 31 buf.Write(comma)
32 }
33 buf.Truncate(buf.Len() - 1)
34
35 if len(parts) > 1 {
> > > CID 1487437: (SUPPRESSED_ERROR)
> > > The error returned by the function "buf.Write({46})" is not explicitly checked.
36 buf.Write([]byte{'.'})
37 buf.WriteString(parts[1])
38 }
39 return buf.String()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 37 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 31 \
buf.Write(comma) 32 }
33 buf.Truncate(buf.Len() - 1)
34
35 if len(parts) > 1 {
36 buf.Write([]byte{'.'})
> > > CID 1487437: (SUPPRESSED_ERROR)
> > > The error returned by the function "buf.WriteString(parts[1])" is not \
> > > explicitly checked.
37 buf.WriteString(parts[1])
38 }
39 return buf.String()
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 16 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 10
11 // BigCommaf produces a string form of the given big.Float in base 10
12 // with commas after every three orders of magnitude.
13 func BigCommaf(v *big.Float) string {
14 buf := &bytes.Buffer{}
15 if v.Sign() < 0 {
> > > CID 1487437: (SUPPRESSED_ERROR)
> > > The error returned by the function "buf.Write({45})" is not explicitly checked.
16 buf.Write([]byte{'-'})
17 v.Abs(v)
18 }
19
20 comma := []byte{','}
21
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 26 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 20 comma := \
[]byte{','} 21
22 parts := strings.Split(v.Text('f', -1), ".")
23 pos := 0
24 if len(parts[0])%3 != 0 {
25 pos += len(parts[0]) % 3
> > > CID 1487437: (SUPPRESSED_ERROR)
> > > The error returned by the function "buf.WriteString(parts[0][nil:pos:nil])" is \
> > > not explicitly checked.
26 buf.WriteString(parts[0][:pos])
27 buf.Write(comma)
28 }
29 for ; pos < len(parts[0]); pos += 3 {
30 buf.WriteString(parts[0][pos : pos+3])
31 buf.Write(comma)
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 30 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 24 if \
len(parts[0])%3 != 0 { 25 pos += len(parts[0]) % 3
26 buf.WriteString(parts[0][:pos])
27 buf.Write(comma)
28 }
29 for ; pos < len(parts[0]); pos += 3 {
> > > CID 1487437: (SUPPRESSED_ERROR)
> > > The error returned by the function "buf.WriteString(parts[0][pos:pos + 3:nil])" \
> > > is not explicitly checked.
30 buf.WriteString(parts[0][pos : pos+3])
31 buf.Write(comma)
32 }
33 buf.Truncate(buf.Len() - 1)
34
35 if len(parts) > 1 {
/home/coreboot/go/pkg/mod/github.com/dustin/go-humanize@v1.0.0/commaf.go: 31 in \
github.com/dustin/go-humanize.BigCommaf(*math/big.Float)string() 25 pos += \
len(parts[0]) % 3 26 buf.WriteString(parts[0][:pos])
27 buf.Write(comma)
28 }
29 for ; pos < len(parts[0]); pos += 3 {
30 buf.WriteString(parts[0][pos : pos+3])
> > > CID 1487437: (SUPPRESSED_ERROR)
> > > The error returned by the function "buf.Write(comma)" is not explicitly \
> > > checked.
31 buf.Write(comma)
32 }
33 buf.Truncate(buf.Len() - 1)
34
35 if len(parts) > 1 {
36 buf.Write([]byte{'.'})
37 buf.WriteString(parts[1])
38 }
39 return buf.String()
** CID 1487436: Audit impact security (SUPPRESSED_ERROR)
/3rdparty/intel-sec-tools/pkg/tools/lcp.go: 599 in \
github.com/9elements/converged-security-suite/v2/pkg/tools.parsePolicyElementMLE(*bytes.Reader, \
*github.com/9elements/converged-security-suite/v2/pkg/tools.LCPPolicyMLE)error()
________________________________________________________________________________________________________
*** CID 1487436: Audit impact security (SUPPRESSED_ERROR)
/3rdparty/intel-sec-tools/pkg/tools/lcp.go: 599 in \
github.com/9elements/converged-security-suite/v2/pkg/tools.parsePolicyElementMLE(*bytes.Reader, \
*github.com/9elements/converged-security-suite/v2/pkg/tools.LCPPolicyMLE)error() 593 \
if err != nil { 594 return err
595 }
596
597 pol.Hashes = make([][20]byte, pol.NumHashes)
598 for i := 0; i < int(pol.NumHashes); i++ {
> > > CID 1487436: Audit impact security (SUPPRESSED_ERROR)
> > > The error returned by the function "Read(buf, LittleEndian, &pol.Hashes[i])" is \
> > > not explicitly checked.
599 binary.Read(buf, binary.LittleEndian, &pol.Hashes[i])
600 }
601 return nil
602 }
603
604 func parsePolicyElementSBIOS(buf *bytes.Reader, pol *LCPPolicySBIOS) error {
** CID 1487435: Audit impact security (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 220 \
in github.com/ulikunitz/xz/internal/xlog.Logger.Panicf(string, []interface{})()
________________________________________________________________________________________________________
*** CID 1487435: Audit impact security (SUPPRESSED_ERROR)
/home/coreboot/go/pkg/mod/github.com/ulikunitz/xz@v0.5.8/internal/xlog/xlog.go: 220 \
in github.com/ulikunitz/xz/internal/xlog.Logger.Panicf(string, []interface{})() 214 \
panic(s) 215 }
216
217 // Panicf prints the message like Printf and calls panic. The printing
218 // might be suppressed by the flag Lnopanic.
219 func (l *Logger) Panicf(format string, v ...interface{}) {
> > > CID 1487435: Audit impact security (SUPPRESSED_ERROR)
> > > The error returned by the function "l.Outputf(2, 32, format, v)" is not \
> > > explicitly checked.
220 l.Outputf(2, Lnopanic, format, v...)
221 s := fmt.Sprintf(format, v...)
222 panic(s)
223 }
224
225 // Panicf prints the message like Printf and calls panic. The printing
** CID 1487434: Uninitialized variables (UNINIT)
/3rdparty/vboot/firmware/lib/vboot_kernel.c: 521 in try_minios_sectors()
________________________________________________________________________________________________________
*** CID 1487434: Uninitialized variables (UNINIT)
/3rdparty/vboot/firmware/lib/vboot_kernel.c: 521 in try_minios_sectors()
515 VbExStreamClose(stream);
516 return rv;
517 }
518 VbExStreamClose(stream);
519
520 for (isector = 0; isector < count; isector++) {
> > > CID 1487434: Uninitialized variables (UNINIT)
> > > Using uninitialized value "*(buf + isector * disk_info->bytes_per_lba)" when \
> > > calling "memcmp". [Note: The source code implementation of the function has \
> > > been overridden by a builtin model.]
521 if (memcmp(buf + isector * disk_info->bytes_per_lba,
522 VB2_KEYBLOCK_MAGIC, VB2_KEYBLOCK_MAGIC_SIZE))
523 continue;
524 VB2_DEBUG("Match on sector %" PRIu64 " / %" PRIu64 "\n",
525 start + isector,
526 disk_info->lba_count - 1);
** CID 1487433: Memory - illegal accesses (UNINIT)
________________________________________________________________________________________________________
*** CID 1487433: Memory - illegal accesses (UNINIT)
/src/vendorcode/amd/agesa/f16kb/Proc/CPU/Family/0x16/KB/F16KbNbAfterReset.c: 183 in \
F16KbPmNbAfterReset() 177 if (GetGivenModuleCoreRange (Socket, Module, \
&TaskedCore, &Ignored, StdHeader)) { 178 if (TaskedCore != 0) {
179 ApUtilRunCodeOnSocketCore ((UINT8) Socket, (UINT8) TaskedCore, \
&TaskPtr, StdHeader); 180 }
181 }
182 }
> > > CID 1487433: Memory - illegal accesses (UNINIT)
> > > Using uninitialized value "TaskPtr.DataTransfer.DataPtr" when calling \
> > > "ApUtilTaskOnExecutingCore".
183 ApUtilTaskOnExecutingCore (&TaskPtr, StdHeader, (VOID *) \
CpuEarlyParamsPtr); 184 }
185
186 /*---------------------------------------------------------------------------------------
187 * L O C A L F U N C T I O N S
188 *---------------------------------------------------------------------------------------
** CID 1487432: (STRING_OVERFLOW)
________________________________________________________________________________________________________
*** CID 1487432: (STRING_OVERFLOW)
/src/mainboard/ocp/deltalake/ramstage.c: 149 in dl_oem_smbios_strings()
143 t->count = smbios_add_oem_string(t->eos, "0x0: Unknown");
144 break;
145 case PCIE_CONFIG_A:
146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A");
147 break;
148 case PCIE_CONFIG_B:
> > > CID 1487432: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 18 \
> > > characters from ""0x2: YV3 Config-B"".
149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B");
150 break;
151 case PCIE_CONFIG_C:
152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C");
153 break;
154 case PCIE_CONFIG_D:
/src/mainboard/ocp/deltalake/ramstage.c: 155 in dl_oem_smbios_strings()
149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B");
150 break;
151 case PCIE_CONFIG_C:
152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C");
153 break;
154 case PCIE_CONFIG_D:
> > > CID 1487432: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 18 \
> > > characters from ""0x4: YV3 Config-D"".
155 t->count = smbios_add_oem_string(t->eos, "0x4: YV3 Config-D");
156 break;
157 default:
158 t->count = smbios_add_oem_string(t->eos, "Check BMC return data");
159 }
160 } else {
/src/mainboard/ocp/deltalake/ramstage.c: 158 in dl_oem_smbios_strings()
152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C");
153 break;
154 case PCIE_CONFIG_D:
155 t->count = smbios_add_oem_string(t->eos, "0x4: YV3 Config-D");
156 break;
157 default:
> > > CID 1487432: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 22 \
> > > characters from ""Check BMC return data"".
158 t->count = smbios_add_oem_string(t->eos, "Check BMC return data");
159 }
160 } else {
161 printk(BIOS_ERR, "Failed to get IPMI PCIe config\n");
162 }
163 }
/src/mainboard/ocp/deltalake/ramstage.c: 146 in dl_oem_smbios_strings()
140 if (ipmi_get_pcie_config(&pcie_config) == CB_SUCCESS) {
141 switch (pcie_config) {
142 case PCIE_CONFIG_UNKNOWN:
143 t->count = smbios_add_oem_string(t->eos, "0x0: Unknown");
144 break;
145 case PCIE_CONFIG_A:
> > > CID 1487432: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 18 \
> > > characters from ""0x1: YV3 Config-A"".
146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A");
147 break;
148 case PCIE_CONFIG_B:
149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B");
150 break;
151 case PCIE_CONFIG_C:
/src/mainboard/ocp/deltalake/ramstage.c: 152 in dl_oem_smbios_strings()
146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A");
147 break;
148 case PCIE_CONFIG_B:
149 t->count = smbios_add_oem_string(t->eos, "0x2: YV3 Config-B");
150 break;
151 case PCIE_CONFIG_C:
> > > CID 1487432: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 18 \
> > > characters from ""0x3: YV3 Config-C"".
152 t->count = smbios_add_oem_string(t->eos, "0x3: YV3 Config-C");
153 break;
154 case PCIE_CONFIG_D:
155 t->count = smbios_add_oem_string(t->eos, "0x4: YV3 Config-D");
156 break;
157 default:
/src/mainboard/ocp/deltalake/ramstage.c: 143 in dl_oem_smbios_strings()
137 t->count = smbios_add_oem_string(t->eos, oem_str7);
138
139 /* Add OEM string 8 */
140 if (ipmi_get_pcie_config(&pcie_config) == CB_SUCCESS) {
141 switch (pcie_config) {
142 case PCIE_CONFIG_UNKNOWN:
> > > CID 1487432: (STRING_OVERFLOW)
> > > You might overrun the 2-character destination string "t->eos" by writing 13 \
> > > characters from ""0x0: Unknown"".
143 t->count = smbios_add_oem_string(t->eos, "0x0: Unknown");
144 break;
145 case PCIE_CONFIG_A:
146 t->count = smbios_add_oem_string(t->eos, "0x1: YV3 Config-A");
147 break;
148 case PCIE_CONFIG_B:
/src/mainboard/ocp/deltalake/ramstage.c: 137 in dl_oem_smbios_strings()
131 for (int dimm = 0; dimm < MAX_IMC; dimm++) {
132 write_oem_word(hob->Socket[0].ChannelInfo[ch].DimmInfo[dimm].SPDRegVen,
133 spd_reg_vid);
134 oem_str7 = strconcat(oem_str7, spd_reg_vid);
135 }
136 }
> > > CID 1487432: (STRING_OVERFLOW)
> > > You might overrun the 2-character fixed-size string "t->eos" by copying \
> > > "oem_str7" without checking the length.
137 t->count = smbios_add_oem_string(t->eos, oem_str7);
138
139 /* Add OEM string 8 */
140 if (ipmi_get_pcie_config(&pcie_config) == CB_SUCCESS) {
141 switch (pcie_config) {
142 case PCIE_CONFIG_UNKNOWN:
** CID 1487431: (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1487431: (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 1666 in ifwi_print()
1660
1661 bpdt_print_header(&b->h, "BPDT");
1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1663
1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1665 bpdt_print_header(&b->h, "S-BPDT");
> > > CID 1487431: (TAINTED_SCALAR)
> > > Passing tainted expression "b->h.descriptor_count" to "bpdt_print_entries", \
> > > which uses it as a loop boundary.
1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1667
1668 if (param.dir_ops == 0) {
1669 verbose -= 2;
1670 return NO_ACTION_REQUIRED;
1671 }
/util/cbfstool/ifwitool.c: 1666 in ifwi_print()
1660
1661 bpdt_print_header(&b->h, "BPDT");
1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1663
1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1665 bpdt_print_header(&b->h, "S-BPDT");
> > > CID 1487431: (TAINTED_SCALAR)
> > > Passing tainted expression "b->e[0].type" to "bpdt_print_entries", which uses \
> > > it as an offset.
1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1667
1668 if (param.dir_ops == 0) {
1669 verbose -= 2;
1670 return NO_ACTION_REQUIRED;
1671 }
/util/cbfstool/ifwitool.c: 1662 in ifwi_print()
1656 {
1657 verbose += 2;
1658
1659 struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1660
1661 bpdt_print_header(&b->h, "BPDT");
> > > CID 1487431: (TAINTED_SCALAR)
> > > Passing tainted expression "b->h.descriptor_count" to "bpdt_print_entries", \
> > > which uses it as a loop boundary.
1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1663
1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1665 bpdt_print_header(&b->h, "S-BPDT");
1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1667
/util/cbfstool/ifwitool.c: 1662 in ifwi_print()
1656 {
1657 verbose += 2;
1658
1659 struct bpdt *b = buffer_get(&ifwi_image.bpdt);
1660
1661 bpdt_print_header(&b->h, "BPDT");
> > > CID 1487431: (TAINTED_SCALAR)
> > > Passing tainted expression "b->e[0].type" to "bpdt_print_entries", which uses \
> > > it as an offset.
1662 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "BPDT");
1663
1664 b = buffer_get(&ifwi_image.subpart_buf[S_BPDT_TYPE]);
1665 bpdt_print_header(&b->h, "S-BPDT");
1666 bpdt_print_entries(&b->e[0], b->h.descriptor_count, "S-BPDT");
1667
/util/cbfstool/ifwitool.c: 1680 in ifwi_print()
1674 struct buffer subpart_dir_buf;
1675 for (i = 0; i < MAX_SUBPARTS ; i++) {
1676 if (!(subparts[i].attr & CONTAINS_DIR) ||
1677 (buffer_size(&ifwi_image.subpart_buf[i]) == 0))
1678 continue;
1679
> > > CID 1487431: (TAINTED_SCALAR)
> > > Passing tainted expression "*subpart_dir_buf.data" to "parse_subpart_dir", \
> > > which uses it as a loop boundary.
1680 parse_subpart_dir(&subpart_dir_buf, &ifwi_image.subpart_buf[i],
1681 subparts[i].name);
1682 buffer_delete(&subpart_dir_buf);
1683 }
1684
1685 verbose -= 2;
** CID 1487430: (OVERRUN)
________________________________________________________________________________________________________
*** CID 1487430: (OVERRUN)
/src/southbridge/amd/cimx/sb800/fadt.c: 48 in acpi_fill_fadt()
42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val);
43
44 /* CpuControl is in \_PR.CP00, 6 bytes */
45 val = CPU_CNT_BLK_ADDRESS;
46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val);
47 val = 0;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
48 WritePMIO(SB_PMIOA_REG6A, AccWidthUint16, &val);
49 val = ACPI_PMA_CNT_BLK_ADDRESS;
50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val);
51
52 /* AcpiDecodeEnable, When set, SB uses the contents of the
53 * PM registers at index 60-6B to decode ACPI I/O address.
/src/southbridge/amd/cimx/sb800/fadt.c: 40 in acpi_fill_fadt()
34
35 val = PM1_EVT_BLK_ADDRESS;
36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val);
37 val = PM1_CNT_BLK_ADDRESS;
38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val);
39 val = PM1_TMR_BLK_ADDRESS;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val);
41 val = GPE0_BLK_ADDRESS;
42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val);
43
44 /* CpuControl is in \_PR.CP00, 6 bytes */
45 val = CPU_CNT_BLK_ADDRESS;
/src/southbridge/amd/cimx/sb800/fadt.c: 38 in acpi_fill_fadt()
32
33 fadt->sci_int = 9; /* HUDSON 1 - IRQ 09 - ACPI SCI */
34
35 val = PM1_EVT_BLK_ADDRESS;
36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val);
37 val = PM1_CNT_BLK_ADDRESS;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val);
39 val = PM1_TMR_BLK_ADDRESS;
40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val);
41 val = GPE0_BLK_ADDRESS;
42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val);
43
/src/southbridge/amd/cimx/sb800/fadt.c: 56 in acpi_fill_fadt()
50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val);
51
52 /* AcpiDecodeEnable, When set, SB uses the contents of the
53 * PM registers at index 60-6B to decode ACPI I/O address.
54 * AcpiSmiEn & SmiCmdEn*/
55 val = BIT0 | BIT1 | BIT2 | BIT4;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
56 WritePMIO(SB_PMIOA_REG74, AccWidthUint16, &val);
57
58 /* RTC_En_En, TMR_En_En, GBL_EN_EN */
59 outl(0x1, PM1_CNT_BLK_ADDRESS); /* set SCI_EN */
60 fadt->pm1a_evt_blk = PM1_EVT_BLK_ADDRESS;
61 fadt->pm1a_cnt_blk = PM1_CNT_BLK_ADDRESS;
/src/southbridge/amd/cimx/sb800/fadt.c: 42 in acpi_fill_fadt()
36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val);
37 val = PM1_CNT_BLK_ADDRESS;
38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val);
39 val = PM1_TMR_BLK_ADDRESS;
40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val);
41 val = GPE0_BLK_ADDRESS;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val);
43
44 /* CpuControl is in \_PR.CP00, 6 bytes */
45 val = CPU_CNT_BLK_ADDRESS;
46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val);
47 val = 0;
/src/southbridge/amd/cimx/sb800/fadt.c: 50 in acpi_fill_fadt()
44 /* CpuControl is in \_PR.CP00, 6 bytes */
45 val = CPU_CNT_BLK_ADDRESS;
46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val);
47 val = 0;
48 WritePMIO(SB_PMIOA_REG6A, AccWidthUint16, &val);
49 val = ACPI_PMA_CNT_BLK_ADDRESS;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val);
51
52 /* AcpiDecodeEnable, When set, SB uses the contents of the
53 * PM registers at index 60-6B to decode ACPI I/O address.
54 * AcpiSmiEn & SmiCmdEn*/
55 val = BIT0 | BIT1 | BIT2 | BIT4;
/src/southbridge/amd/cimx/sb800/fadt.c: 36 in acpi_fill_fadt()
30
31 printk(BIOS_DEBUG, "ACPI_BLK_BASE: 0x%04x\n", ACPI_BLK_BASE);
32
33 fadt->sci_int = 9; /* HUDSON 1 - IRQ 09 - ACPI SCI */
34
35 val = PM1_EVT_BLK_ADDRESS;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
36 WritePMIO(SB_PMIOA_REG60, AccWidthUint16, &val);
37 val = PM1_CNT_BLK_ADDRESS;
38 WritePMIO(SB_PMIOA_REG62, AccWidthUint16, &val);
39 val = PM1_TMR_BLK_ADDRESS;
40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val);
41 val = GPE0_BLK_ADDRESS;
/src/southbridge/amd/cimx/sb800/fadt.c: 46 in acpi_fill_fadt()
40 WritePMIO(SB_PMIOA_REG64, AccWidthUint16, &val);
41 val = GPE0_BLK_ADDRESS;
42 WritePMIO(SB_PMIOA_REG68, AccWidthUint16, &val);
43
44 /* CpuControl is in \_PR.CP00, 6 bytes */
45 val = CPU_CNT_BLK_ADDRESS;
> > > CID 1487430: (OVERRUN)
> > > Overrunning buffer pointed to by "&val" of 2 bytes by passing it to a function \
> > > which accesses it at byte offset 2.
46 WritePMIO(SB_PMIOA_REG66, AccWidthUint16, &val);
47 val = 0;
48 WritePMIO(SB_PMIOA_REG6A, AccWidthUint16, &val);
49 val = ACPI_PMA_CNT_BLK_ADDRESS;
50 WritePMIO(SB_PMIOA_REG6E, AccWidthUint16, &val);
51
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, \
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31O \
Yv50yq2SfQfrHt3Prsn4qSLrYIrajINpiFX8l0vrlNSf8iCrS27qY0Cr0DkycwNUgGZJj8-3DLtst_L-2FDzr1 \
4mnrsJO5b1wX1hp9b1MAQygl7x-2B74RAaH2cn307hcy8zMOMeJe1aznW0OTXRcN3J5SHQcWM-2Fu-2FRlJIpX \
GgKzRQo4PkRS7D98RmpvcDICg7uTsb5tCIKhBuftqfy5dlUzUxDV1IS3QX8734iMOwgyseJykQ2MMckDsCY40pnLDfEheaQF6qxY0spMt5HfOGeuyzjEpXOLevvsVQmQ-3D-3D
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-leave@coreboot.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic