[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Fri Aug 5 13:36:54 CEST 2016
Hi,
Please find below the latest report on new defect(s) introduced to coreboot, as found by Coverity Scan.
59 new defect(s) introduced to coreboot found with Coverity Scan.
10 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 59 defect(s)
** CID 1361276: Uninitialized variables (UNINIT)
/util/cbfstool/cbfs_image.c: 1165 in cbfs_payload_make_elf()
________________________________________________________________________________________________________
*** CID 1361276: Uninitialized variables (UNINIT)
/util/cbfstool/cbfs_image.c: 1165 in cbfs_payload_make_elf()
1159 if (elf_writer_add_section(ew, &shdr, &tbuff, name)) {
1160 ERROR("Unable to add ELF section: %s\n", name);
1161 elf_writer_destroy(ew);
1162 return -1;
1163 }
1164
>>> CID 1361276: Uninitialized variables (UNINIT)
>>> Using uninitialized value "empty_sz".
1165 if (empty_sz != 0) {
1166 struct buffer b;
1167
1168 buffer_init(&b, NULL, NULL, 0);
1169 memset(&shdr, 0, sizeof(shdr));
1170 shdr.sh_type = SHT_NOBITS;
** CID 1361275: (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
________________________________________________________________________________________________________
*** CID 1361275: (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 831 in parse_subpart_dir()
825 memcpy(hdr.name, data + offset, sizeof(hdr.name));
826 offset += sizeof(hdr.name);
827
828 validate_subpart_dir_without_checksum((struct subpart_dir *)&hdr, name);
829
830 assert(size > subpart_dir_size(&hdr));
>>> CID 1361275: (TAINTED_SCALAR)
>>> Passing tainted variable "subpart_dir_size(&hdr)" to a tainted sink.
831 alloc_buffer(subpart_dir_buf, subpart_dir_size(&hdr), "Subpart Dir");
832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
833
834 /* Read Subpart Dir entries. */
835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836 struct subpart_dir_entry *e = &subpart_dir->e[0];
/util/cbfstool/ifwitool.c: 838 in parse_subpart_dir()
832 memcpy(buffer_get(subpart_dir_buf), &hdr, SUBPART_DIR_HEADER_SIZE);
833
834 /* Read Subpart Dir entries. */
835 struct subpart_dir *subpart_dir = buffer_get(subpart_dir_buf);
836 struct subpart_dir_entry *e = &subpart_dir->e[0];
837 uint32_t i;
>>> CID 1361275: (TAINTED_SCALAR)
>>> Using tainted variable "hdr.num_entries" as a loop boundary.
838 for (i = 0; i < hdr.num_entries; i++) {
839 memcpy(e[i].name, data + offset, sizeof(e[i].name));
840 offset += sizeof(e[i].name);
841 offset = read_member(data, offset, sizeof(e[i].offset),
842 &e[i].offset);
843 offset = read_member(data, offset, sizeof(e[i].length),
** CID 1361274: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1361274: Insecure data handling (TAINTED_SCALAR)
/util/cbfstool/ifwitool.c: 717 in alloc_bpdt_buffer()
711 {
712 struct bpdt_header bpdt_header;
713 assert((offset + BPDT_HEADER_SIZE) < size);
714 bpdt_read_header((uint8_t *)data + offset, &bpdt_header, name);
715
716 /* Buffer to read BPDT header and entries. */
>>> CID 1361274: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "get_bpdt_size(&bpdt_header)" to a tainted sink.
717 alloc_buffer(b, get_bpdt_size(&bpdt_header), name);
718
719 struct bpdt *bpdt = buffer_get(b);
720 memcpy(&bpdt->h, &bpdt_header, BPDT_HEADER_SIZE);
721
722 /*
** CID 1361273: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1361273: Insecure data handling (TAINTED_SCALAR)
/3rdparty/vboot/host/lib21/host_key.c: 175 in vb21_private_key_read()
169 *key_ptr = NULL;
170
171 rv = vb2_read_file(filename, &buf, &size);
172 if (rv)
173 return rv;
174
>>> CID 1361273: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "buf" to a tainted sink.
175 rv = vb21_private_key_unpack(key_ptr, buf, size);
176
177 free(buf);
178
179 return rv;
180 }
** CID 1361272: Insecure data handling (TAINTED_SCALAR)
________________________________________________________________________________________________________
*** CID 1361272: Insecure data handling (TAINTED_SCALAR)
/3rdparty/vboot/host/lib21/host_key.c: 449 in vb21_packed_key_read()
443 *key_ptr = NULL;
444
445 if (vb2_read_file(filename, &buf, &size))
446 return VB2_ERROR_READ_PACKED_KEY_DATA;
447
448 /* Sanity check: make sure key unpacks properly */
>>> CID 1361272: Insecure data handling (TAINTED_SCALAR)
>>> Passing tainted variable "buf" to a tainted sink.
449 if (vb21_unpack_key(&key, buf, size))
450 return VB2_ERROR_READ_PACKED_KEY;
451
452 *key_ptr = (struct vb21_packed_key *)buf;
453
454 return VB2_SUCCESS;
** CID 1361268: (RESOURCE_LEAK)
/util/cbfstool/cbfs_image.c: 1102 in cbfs_payload_make_elf()
/util/cbfstool/cbfs_image.c: 1106 in cbfs_payload_make_elf()
/util/cbfstool/cbfs_image.c: 1113 in cbfs_payload_make_elf()
/util/cbfstool/cbfs_image.c: 1162 in cbfs_payload_make_elf()
/util/cbfstool/cbfs_image.c: 1187 in cbfs_payload_make_elf()
/util/cbfstool/cbfs_image.c: 1196 in cbfs_payload_make_elf()
________________________________________________________________________________________________________
*** CID 1361268: (RESOURCE_LEAK)
/util/cbfstool/cbfs_image.c: 1102 in cbfs_payload_make_elf()
1096
1097 xdr_get_seg(&segs[i], &serialized_seg[i]);
1098 }
1099
1100 if (cbfs_payload_decompress(segs, buff, segments)) {
1101 ERROR("Failed to decompress payload.\n");
>>> CID 1361268: (RESOURCE_LEAK)
>>> Variable "segs" going out of scope leaks the storage it points to.
1102 return -1;
1103 }
1104
1105 if (init_elf_from_arch(&ehdr, arch))
1106 return -1;
1107
/util/cbfstool/cbfs_image.c: 1106 in cbfs_payload_make_elf()
1100 if (cbfs_payload_decompress(segs, buff, segments)) {
1101 ERROR("Failed to decompress payload.\n");
1102 return -1;
1103 }
1104
1105 if (init_elf_from_arch(&ehdr, arch))
>>> CID 1361268: (RESOURCE_LEAK)
>>> Variable "segs" going out of scope leaks the storage it points to.
1106 return -1;
1107
1108 ehdr.e_entry = segs[segments-1].load_addr;
1109
1110 ew = elf_writer_init(&ehdr);
1111 if (ew == NULL) {
/util/cbfstool/cbfs_image.c: 1113 in cbfs_payload_make_elf()
1107
1108 ehdr.e_entry = segs[segments-1].load_addr;
1109
1110 ew = elf_writer_init(&ehdr);
1111 if (ew == NULL) {
1112 ERROR("Unable to init ELF writer.\n");
>>> CID 1361268: (RESOURCE_LEAK)
>>> Variable "segs" going out of scope leaks the storage it points to.
1113 return -1;
1114 }
1115
1116 for (int i = 0; i < segments; i++) {
1117 struct buffer tbuff;
1118
/util/cbfstool/cbfs_image.c: 1162 in cbfs_payload_make_elf()
1156 }
1157
1158
1159 if (elf_writer_add_section(ew, &shdr, &tbuff, name)) {
1160 ERROR("Unable to add ELF section: %s\n", name);
1161 elf_writer_destroy(ew);
>>> CID 1361268: (RESOURCE_LEAK)
>>> Variable "segs" going out of scope leaks the storage it points to.
1162 return -1;
1163 }
1164
1165 if (empty_sz != 0) {
1166 struct buffer b;
1167
/util/cbfstool/cbfs_image.c: 1187 in cbfs_payload_make_elf()
1181
1182 }
1183
1184 if (elf_writer_serialize(ew, &elf_out)) {
1185 ERROR("Unable to create ELF file from stage.\n");
1186 elf_writer_destroy(ew);
>>> CID 1361268: (RESOURCE_LEAK)
>>> Variable "segs" going out of scope leaks the storage it points to.
1187 return -1;
1188 }
1189
1190 /* Flip buffer with the created ELF one. */
1191 buffer_delete(buff);
1192 *buff = elf_out;
/util/cbfstool/cbfs_image.c: 1196 in cbfs_payload_make_elf()
1190 /* Flip buffer with the created ELF one. */
1191 buffer_delete(buff);
1192 *buff = elf_out;
1193
1194 elf_writer_destroy(ew);
1195
>>> CID 1361268: (RESOURCE_LEAK)
>>> Variable "segs" going out of scope leaks the storage it points to.
1196 return 0;
1197 }
1198
1199 int cbfs_export_entry(struct cbfs_image *image, const char *entry_name,
1200 const char *filename, uint32_t arch)
1201 {
** CID 1361266: (RESOURCE_LEAK)
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 178 in VbWriteNvStorage()
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 182 in VbWriteNvStorage()
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 184 in VbWriteNvStorage()
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 186 in VbWriteNvStorage()
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 189 in VbWriteNvStorage()
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 195 in VbWriteNvStorage()
________________________________________________________________________________________________________
*** CID 1361266: (RESOURCE_LEAK)
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 178 in VbWriteNvStorage()
172
173 int VbWriteNvStorage(VbNvContext* vnc) {
174 unsigned offs, blksz;
175 VbSharedDataHeader *sh = VbSharedDataRead();
176
177 if (!vnc->raw_changed)
>>> CID 1361266: (RESOURCE_LEAK)
>>> Variable "sh" going out of scope leaks the storage it points to.
178 return 0; /* Nothing changed, so no need to write */
179
180 /* Get the byte offset from VBNV */
181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0)
182 return -1;
183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0)
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 182 in VbWriteNvStorage()
176
177 if (!vnc->raw_changed)
178 return 0; /* Nothing changed, so no need to write */
179
180 /* Get the byte offset from VBNV */
181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0)
>>> CID 1361266: (RESOURCE_LEAK)
>>> Variable "sh" going out of scope leaks the storage it points to.
182 return -1;
183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0)
184 return -1;
185 if (VBNV_BLOCK_SIZE > blksz)
186 return -1; /* NV storage block is too small */
187
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 184 in VbWriteNvStorage()
178 return 0; /* Nothing changed, so no need to write */
179
180 /* Get the byte offset from VBNV */
181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0)
182 return -1;
183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0)
>>> CID 1361266: (RESOURCE_LEAK)
>>> Variable "sh" going out of scope leaks the storage it points to.
184 return -1;
185 if (VBNV_BLOCK_SIZE > blksz)
186 return -1; /* NV storage block is too small */
187
188 if (0 != VbCmosWrite(offs, VBNV_BLOCK_SIZE, vnc->raw))
189 return -1;
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 186 in VbWriteNvStorage()
180 /* Get the byte offset from VBNV */
181 if (ReadFileInt(ACPI_VBNV_PATH ".0", &offs) < 0)
182 return -1;
183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0)
184 return -1;
185 if (VBNV_BLOCK_SIZE > blksz)
>>> CID 1361266: (RESOURCE_LEAK)
>>> Variable "sh" going out of scope leaks the storage it points to.
186 return -1; /* NV storage block is too small */
187
188 if (0 != VbCmosWrite(offs, VBNV_BLOCK_SIZE, vnc->raw))
189 return -1;
190
191 /* Also attempt to write using mosys if using vboot2 */
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 189 in VbWriteNvStorage()
183 if (ReadFileInt(ACPI_VBNV_PATH ".1", &blksz) < 0)
184 return -1;
185 if (VBNV_BLOCK_SIZE > blksz)
186 return -1; /* NV storage block is too small */
187
188 if (0 != VbCmosWrite(offs, VBNV_BLOCK_SIZE, vnc->raw))
>>> CID 1361266: (RESOURCE_LEAK)
>>> Variable "sh" going out of scope leaks the storage it points to.
189 return -1;
190
191 /* Also attempt to write using mosys if using vboot2 */
192 if (sh && (sh->flags & VBSD_BOOT_FIRMWARE_VBOOT2))
193 VbWriteNvStorage_mosys(vnc);
194
/3rdparty/vboot/host/arch/x86_64/lib/crossystem_arch.c: 195 in VbWriteNvStorage()
189 return -1;
190
191 /* Also attempt to write using mosys if using vboot2 */
192 if (sh && (sh->flags & VBSD_BOOT_FIRMWARE_VBOOT2))
193 VbWriteNvStorage_mosys(vnc);
194
>>> CID 1361266: (RESOURCE_LEAK)
>>> Variable "sh" going out of scope leaks the storage it points to.
195 return 0;
196 }
197
198
199 /*
200 * Get buffer data from ACPI.
** CID 1361263: Error handling issues (NEGATIVE_RETURNS)
/3rdparty/vboot/host/lib/crossystem.c: 743 in InAndroid()
________________________________________________________________________________________________________
*** CID 1361263: Error handling issues (NEGATIVE_RETURNS)
/3rdparty/vboot/host/lib/crossystem.c: 743 in InAndroid()
737 struct stat s;
738
739 /* In Android, mosys utility located in /system/bin
740 check if file exists. Using fstat because for some
741 reason, stat() was seg faulting in Android */
742 fd = open(MOSYS_ANDROID_PATH, O_RDONLY);
>>> CID 1361263: Error handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
743 if (fstat(fd, &s) == 0) {
744 close(fd);
745 return 1;
746 }
747 close(fd);
748 return 0;
** CID 1361261: Control flow issues (MISSING_BREAK)
/src/soc/intel/quark/reg_access.c: 167 in reg_cpu_cr_write()
________________________________________________________________________________________________________
*** CID 1361261: Control flow issues (MISSING_BREAK)
/src/soc/intel/quark/reg_access.c: 167 in reg_cpu_cr_write()
161 default:
162 die("ERROR - Unsupported CPU register!\n");
163
164 case 0:
165 write_cr0(value);
166
>>> CID 1361261: Control flow issues (MISSING_BREAK)
>>> The above case falls through to this one.
167 case 4:
168 write_cr4(value);
169 }
170 }
171
172 static uint32_t reg_gpe0_read(uint32_t reg_address)
** CID 1361259: Insecure data handling (INTEGER_OVERFLOW)
/3rdparty/vboot/host/lib21/host_keyblock.c: 56 in vb21_keyblock_create()
________________________________________________________________________________________________________
*** CID 1361259: Insecure data handling (INTEGER_OVERFLOW)
/3rdparty/vboot/host/lib21/host_keyblock.c: 56 in vb21_keyblock_create()
50 return VB2_KEYBLOCK_CREATE_DATA_KEY;
51
52 kb.sig_offset = kb.key_offset + key->c.total_size;
53 kb.c.total_size = kb.sig_offset + sig_size;
54
55 /* Allocate buffer and copy header and data key */
>>> CID 1361259: Insecure data handling (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "kb.c.total_size" used as critical argument to function. [Note: The source code implementation of the function has been overridden by a builtin model.]
56 buf = calloc(1, kb.c.total_size);
57 if (!buf) {
58 free(key);
59 return VB2_KEYBLOCK_CREATE_ALLOC;
60 }
61
** CID 1361254: (CHECKED_RETURN)
/util/cbfstool/cbfs_image.c: 850 in cbfs_payload_decompress()
/util/cbfstool/cbfs_image.c: 881 in cbfs_payload_decompress()
________________________________________________________________________________________________________
*** CID 1361254: (CHECKED_RETURN)
/util/cbfstool/cbfs_image.c: 850 in cbfs_payload_decompress()
844
845 /* Find out and allocate the amount of memory occupied
846 * by the binary data */
847 for (int i = 0; i < num_seg; i++)
848 new_buff_sz += segments[i].mem_len;
849
>>> CID 1361254: (CHECKED_RETURN)
>>> Calling "buffer_create" without checking return value (as is done elsewhere 13 out of 16 times).
850 buffer_create(&new_buffer, new_buff_sz, "decompressed_buff");
851
852 in_ptr = buffer_get(buff) + new_offset;
853 out_ptr = buffer_get(&new_buffer) + new_offset;
854
855 for (int i = 0; i < num_seg; i++) {
/util/cbfstool/cbfs_image.c: 881 in cbfs_payload_decompress()
875 in_ptr += segments[i].len;
876 out_ptr += segments[i].len;
877 segments[i].compression = CBFS_COMPRESS_NONE;
878 continue;
879 }
880
>>> CID 1361254: (CHECKED_RETURN)
>>> Calling "buffer_create" without checking return value (as is done elsewhere 13 out of 16 times).
881 buffer_create(&tbuff, segments[i].mem_len, "segment");
882
883 if (decompress(in_ptr, segments[i].len, buffer_get(&tbuff),
884 (int) buffer_size(&tbuff),
885 &decomp_size)) {
886 ERROR("Couldn't decompress payload segment %u\n", i);
** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
________________________________________________________________________________________________________
*** CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
/util/cbfstool/ifwitool.c: 1300 in init_subpart_dir_entry()
1294 static size_t init_subpart_dir_entry(struct subpart_dir_entry *e,
1295 struct buffer *b, size_t offset)
1296 {
1297 memset(e, 0, sizeof(*e));
1298
1299 assert(strlen(b->name) <= sizeof(e->name));
>>> CID 1361253: Memory - illegal accesses (BUFFER_SIZE_WARNING)
>>> Calling strncpy with a maximum size argument of 12 bytes on destination array "e->name" of size 12 bytes might leave the destination string unterminated.
1300 strncpy((char *)e->name, (char *)b->name, sizeof(e->name));
1301 e->offset = offset;
1302 e->length = buffer_size(b);
1303
1304 return (offset + buffer_size(b));
1305 }
** CID 1353793: Resource leaks (RESOURCE_LEAK)
/util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
________________________________________________________________________________________________________
*** CID 1353793: Resource leaks (RESOURCE_LEAK)
/util/nvidia/cbootimage/src/data_layout.c: 1096 in resign_bl()
1090
1091 if (read_from_image(context->input_image_filename,
1092 offset, bl_length,
1093 &image, &image_actual_size, file_type_bin)) {
1094 printf("Error reading image file %s.\n",
1095 context->input_image_filename);
>>> CID 1353793: Resource leaks (RESOURCE_LEAK)
>>> Variable "image" going out of scope leaks the storage it points to.
1096 return -ENOMEM;
1097 }
1098
1099 pages_in_image = ICEIL(image_actual_size, page_size);
1100
1101 /* Create a local copy of the bl */
** CID 1353781: Control flow issues (NO_EFFECT)
/util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
________________________________________________________________________________________________________
*** CID 1353781: Control flow issues (NO_EFFECT)
/util/nvidia/cbootimage/src/cbootimage.c: 242 in main()
236 context.input_image_filename);
237 goto fail;
238 }
239
240 /* Get BCT_SIZE from input image file */
241 bct_size = get_bct_size_from_image(&context);
>>> CID 1353781: Control flow issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "bct_size < 0U".
242 if (bct_size < 0) {
243 printf("Error: Invalid input image file %s\n",
244 context.input_image_filename);
245 goto fail;
246 }
247
** CID 1353028: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353028: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
278 pspdir[4+4*i+2] = 1;
279 pspdir[4+4*i+3] = 0;
280 } else if (fw_table[i].filename != NULL) {
281 pspdir[4+4*i+0] = fw_table[i].type;
282
283 fd = open (fw_table[i].filename, O_RDONLY);
>>> CID 1353028: Error handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat);
285 pspdir[4+4*i+1] = fd_stat.st_size;
286
287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS;
288 pspdir[4+4*i+3] = 0;
289
** CID 1353027: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353027: Error handling issues (NEGATIVE_RETURNS)
/util/amdfwtool/amdfwtool.c: 239 in integrate_firmwares()
233 struct stat fd_stat;
234 int i;
235
236 for (i = 0; fw_table[i].type != AMD_FW_INVALID; i ++) {
237 if (fw_table[i].filename != NULL) {
238 fd = open (fw_table[i].filename, O_RDONLY);
>>> CID 1353027: Error handling issues (NEGATIVE_RETURNS)
>>> "fd" is passed to a parameter that cannot be negative. [Note: The source code implementation of the function has been overridden by a builtin model.]
239 fstat(fd, &fd_stat);
240
241 switch (fw_table[i].type) {
242 case AMD_FW_IMC:
243 pos = ALIGN(pos, 0x10000);
244 romsig[1] = pos + ROM_BASE_ADDRESS;
** CID 1353022: Error handling issues (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
________________________________________________________________________________________________________
*** CID 1353022: Error handling issues (CHECKED_RETURN)
/util/nvidia/cbootimage/src/cbootimage.c: 297 in main()
291 begin_update(&context);
292 /* Signing the bct. */
293 e = sign_bct(&context, context.bct);
294 if (e != 0)
295 printf("Signing BCT failed, error: %d.\n", e);
296
>>> CID 1353022: Error handling issues (CHECKED_RETURN)
>>> Calling "fwrite" without checking return value (as is done elsewhere 34 out of 42 times).
297 fwrite(context.bct, 1, context.bct_size,
298 context.raw_file);
299 printf("New BCT file %s has been successfully generated!\n",
300 context.output_image_filename);
301 goto fail;
302 }
** CID 1353021: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353021: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 290 in integrate_psp_firmwares()
284 fstat(fd, &fd_stat);
285 pspdir[4+4*i+1] = fd_stat.st_size;
286
287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS;
288 pspdir[4+4*i+3] = 0;
289
>>> CID 1353021: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
290 read (fd, base+pos, fd_stat.st_size);
291
292 pos += fd_stat.st_size;
293 pos = ALIGN(pos, 0x100);
294 close (fd);
295 } else {
** CID 1353020: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
________________________________________________________________________________________________________
*** CID 1353020: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 284 in integrate_psp_firmwares()
278 pspdir[4+4*i+2] = 1;
279 pspdir[4+4*i+3] = 0;
280 } else if (fw_table[i].filename != NULL) {
281 pspdir[4+4*i+0] = fw_table[i].type;
282
283 fd = open (fw_table[i].filename, O_RDONLY);
>>> CID 1353020: Error handling issues (CHECKED_RETURN)
>>> Calling "fstat(fd, &fd_stat)" without checking return value. This library function may fail and return an error code. [Note: The source code implementation of the function has been overridden by a builtin model.]
284 fstat(fd, &fd_stat);
285 pspdir[4+4*i+1] = fd_stat.st_size;
286
287 pspdir[4+4*i+2] = pos + ROM_BASE_ADDRESS;
288 pspdir[4+4*i+3] = 0;
289
** CID 1353019: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares()
________________________________________________________________________________________________________
*** CID 1353019: Error handling issues (CHECKED_RETURN)
/util/amdfwtool/amdfwtool.c: 257 in integrate_firmwares()
251 break;
252 default:
253 /* Error */
254 break;
255 }
256
>>> CID 1353019: Error handling issues (CHECKED_RETURN)
>>> "read(int, void *, size_t)" returns the number of bytes read, but it is ignored.
257 read (fd, base+pos, fd_stat.st_size);
258
259 pos += fd_stat.st_size;
260 pos = ALIGN(pos, 0x100);
261 close (fd);
262 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan, visit https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5a-2Fz1x2sfsQkuszxO2ChJMIu1cRO1bYP3mDkNgWABYSh9m-2BNZ7zH5MpL99sHbi26O6P716RbnAaNcrONNSZy1-2BkBz6HhWX0CROpkyd2U1Zj3H61i3sEtgm7g5e0-2B0lrpI6JJvqJI6JG8mMzn38A8m2WSklkFozz9tpnAxrwzBe47w-3D-3D