[coreboot] New Defects reported by Coverity Scan for coreboot
scan-admin at coverity.com
scan-admin at coverity.com
Fri Aug 12 13:25:31 CEST 2016
Hi,
Please find the latest report on new defect(s) introduced to coreboot found with Coverity Scan.
246 new defect(s) introduced to coreboot found with Coverity Scan.
39 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 246 defect(s)
** CID 1357458: Insecure data handling (TAINTED_SCALAR)
/payloads/libpayload/libcbfs/cbfs_core.c: 255 in cbfs_get_contents()
________________________________________________________________________________________________________
*** CID 1357458: Insecure data handling (TAINTED_SCALAR)
/payloads/libpayload/libcbfs/cbfs_core.c: 255 in cbfs_get_contents()
249
250 void *data = m->map(m, handle->media_offset + handle->content_offset,
251 on_media_size);
252 if (data == CBFS_MEDIA_INVALID_MAP_ADDRESS)
253 return NULL;
254
>>> CID 1357458: Insecure data handling (TAINTED_SCALAR)
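>>> Passing tainted variable "*size" to a tainted sink. [Note: The source code implementation of the function has been overridden by a builtin model.]
Note (added in review): cbfs_get_contents() also takes a "limit" argument (see its signature at line 221 of the same file, quoted under CID 1357455). The excerpt does not show whether *size is checked against that limit before malloc(), so confirm the bound in the lines above 249.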
255 ret = malloc(*size);
256 if (ret != NULL && !cbfs_decompress(algo, data, ret, *size)) {
257 free(ret);
258 ret = NULL;
259 }
260
** CID 1357457: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 737 in acpi_dp_add_integer_array()
________________________________________________________________________________________________________
*** CID 1357457: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 737 in acpi_dp_add_integer_array()
731 return NULL;
732
733 for (i = 0; i < len; i++)
734 if (!acpi_dp_add_integer(dp_array, NULL, array[i]))
735 break;
736
>>> CID 1357457: Resource leaks (RESOURCE_LEAK)
>>> Ignoring storage allocated by "acpi_dp_add_array(dp, dp_array)" leaks it.
737 acpi_dp_add_array(dp, dp_array);
738
739 return dp_array;
740 }
741
742 struct acpi_dp *acpi_dp_add_gpio(struct acpi_dp *dp, const char *name,
** CID 1357456: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 763 in acpi_dp_add_gpio()
________________________________________________________________________________________________________
*** CID 1357456: Resource leaks (RESOURCE_LEAK)
/src/arch/x86/acpi_device.c: 763 in acpi_dp_add_gpio()
757 /* Pin in the GPIO resource, typically zero */
758 acpi_dp_add_integer(gpio, NULL, pin);
759
760 /* Set if pin is active low */
761 acpi_dp_add_integer(gpio, NULL, active_low);
762
>>> CID 1357456: Resource leaks (RESOURCE_LEAK)
>>> Ignoring storage allocated by "acpi_dp_add_array(dp, gpio)" leaks it.
763 acpi_dp_add_array(dp, gpio);
764
765 return gpio;
** CID 1357455: (RESOURCE_LEAK)
/payloads/libpayload/libcbfs/cbfs_core.c: 218 in cbfs_get_handle()
/payloads/libpayload/libcbfs/cbfs_core.c: 151 in cbfs_get_handle()
/payloads/libpayload/libcbfs/cbfs_core.c: 158 in cbfs_get_handle()
________________________________________________________________________________________________________
*** CID 1357455: (RESOURCE_LEAK)
/payloads/libpayload/libcbfs/cbfs_core.c: 218 in cbfs_get_handle()
212 offset += ntohl(file.len) + ntohl(file.offset);
213 if (offset % CBFS_ALIGNMENT)
214 offset += CBFS_ALIGNMENT - (offset % CBFS_ALIGNMENT);
215 }
216 media->close(media);
217 LOG("WARNING: '%s' not found.\n", name);
>>> CID 1357455: (RESOURCE_LEAK)
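>>> Variable "handle" going out of scope leaks the storage it points to.
Note (added in review): the same CID covers the early returns at lines 151 and 158 quoted below. On each of the three paths the function returns NULL without releasing the storage that handle points to, so every error return needs to free it first.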
218 return NULL;
219 }
220
221 void *cbfs_get_contents(struct cbfs_handle *handle, size_t *size, size_t limit)
222 {
223 struct cbfs_media *m = &handle->media;
/payloads/libpayload/libcbfs/cbfs_core.c: 151 in cbfs_get_handle()
145
146 if (!handle)
147 return NULL;
148
149 if (get_cbfs_range(&offset, &cbfs_end, media)) {
150 ERROR("Failed to find cbfs range\n");
>>> CID 1357455: (RESOURCE_LEAK)
>>> Variable "handle" going out of scope leaks the storage it points to.
151 return NULL;
152 }
153
154 if (media == CBFS_DEFAULT_MEDIA) {
155 media = &handle->media;
156 if (init_default_cbfs_media(media) != 0) {
/payloads/libpayload/libcbfs/cbfs_core.c: 158 in cbfs_get_handle()
152 }
153
154 if (media == CBFS_DEFAULT_MEDIA) {
155 media = &handle->media;
156 if (init_default_cbfs_media(media) != 0) {
157 ERROR("Failed to initialize default media.\n");
>>> CID 1357455: (RESOURCE_LEAK)
>>> Returning without freeing "media" leaks the storage that it points to.
158 return NULL;
159 }
160 } else {
161 memcpy(&handle->media, media, sizeof(*media));
162 }
163
** CID 1357454: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN()
________________________________________________________________________________________________________
*** CID 1357454: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/LN/mnln.c: 255 in MemConstructNBBlockLN()
249 NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingLN;
250 NBPtr->AfterDqsTraining = MemNAfterDQSTrainingLN;
251 NBPtr->OtherTiming = MemNOtherTimingLN;
252 NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb;
253 NBPtr->TechBlockSwitch = MemNTechBlockSwitchLN;
254 NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
>>> CID 1357454: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
255 NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *))(memNTrainFlowControl[DDR3_TRAIN_FLOW]);
256 NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb;
257 NBPtr->ChangeNbFrequencyWrap = MemNChangeNbFrequencyWrapLN;
258 NBPtr->AllocateC6Storage = MemNAllocateC6StorageClientNb;
259
260 MemNInitNBDataNb (NBPtr);
** CID 1357453: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON()
________________________________________________________________________________________________________
*** CID 1357453: Memory - illegal accesses (OVERRUN)
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/ON/mnon.c: 254 in MemConstructNBBlockON()
248 NBPtr->BeforeDqsTraining = MemNBeforeDQSTrainingON;
249 NBPtr->AfterDqsTraining = MemNAfterDQSTrainingON;
250 NBPtr->OtherTiming = MemNOtherTimingON;
251 NBPtr->GetSocketRelativeChannel = MemNGetSocketRelativeChannelNb;
252 NBPtr->TechBlockSwitch = MemNTechBlockSwitchON;
253 NBPtr->SetEccSymbolSize = (VOID (*) (MEM_NB_BLOCK *)) memDefRet;
>>> CID 1357453: Memory - illegal accesses (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
254 NBPtr->TrainingFlow = (VOID (*) (MEM_NB_BLOCK *)) memNTrainFlowControl[DDR3_TRAIN_FLOW];
255 NBPtr->MinDataEyeWidth = MemNMinDataEyeWidthNb;
256 NBPtr->PollBitField = MemNPollBitFieldNb;
257 NBPtr->BrdcstCheck = MemNBrdcstCheckON;
258 NBPtr->BrdcstSet = MemNSetBitFieldNb;
259 NBPtr->GetTrainDly = MemNGetTrainDlyNb;
** CID 1357452: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb()
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb()
________________________________________________________________________________________________________
*** CID 1357452: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 497 in MemNTrainingFlowUnb()
491 */
492 BOOLEAN
493 MemNTrainingFlowUnb (
494 IN OUT MEM_NB_BLOCK *NBPtr
495 )
496 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
497 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
498 return TRUE;
499 }
500 /*----------------------------------------------------------------------------
501 * LOCAL FUNCTIONS
502 *
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 502 in MemNTrainingFlowUnb()
496 */
497 BOOLEAN
498 MemNTrainingFlowUnb (
499 IN OUT MEM_NB_BLOCK *NBPtr
500 )
501 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
502 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
503 return TRUE;
504 }
505 /*----------------------------------------------------------------------------
506 * LOCAL FUNCTIONS
507 *
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 499 in MemNTrainingFlowUnb()
493 */
494 BOOLEAN
495 MemNTrainingFlowUnb (
496 IN OUT MEM_NB_BLOCK *NBPtr
497 )
498 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
499 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
500 return TRUE;
501 }
502 /*----------------------------------------------------------------------------
503 * LOCAL FUNCTIONS
504 *
/src/vendorcode/amd/agesa/f16kb/Proc/Mem/NB/mn.c: 579 in MemNTrainingFlowUnb()
573 */
574 BOOLEAN
575 MemNTrainingFlowUnb (
576 IN OUT MEM_NB_BLOCK *NBPtr
577 )
578 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
579 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
580 return TRUE;
581 }
582
583 /* -----------------------------------------------------------------------------*/
584 /**
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 495 in MemNTrainingFlowUnb()
489 */
490 VOID
491 MemNTrainingFlowUnb (
492 IN OUT MEM_NB_BLOCK *NBPtr
493 )
494 {
>>> CID 1357452: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
495 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
496 return;
497 }
498 /*----------------------------------------------------------------------------
499 * LOCAL FUNCTIONS
500 *
501 *----------------------------------------------------------------------------
** CID 1357451: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb()
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb()
________________________________________________________________________________________________________
*** CID 1357451: (OVERRUN)
/src/vendorcode/amd/agesa/f12/Proc/Mem/NB/mn.c: 304 in MemNTrainingFlowNb()
298 BOOLEAN
299 MemNTrainingFlowNb (
300 IN OUT MEM_NB_BLOCK *NBPtr
301 )
302 {
303 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
304 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
305 } else {
306 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
307 }
308 return TRUE;
309 }
/src/vendorcode/amd/agesa/f15/Proc/Mem/NB/mn.c: 309 in MemNTrainingFlowNb()
303 BOOLEAN
304 MemNTrainingFlowNb (
305 IN OUT MEM_NB_BLOCK *NBPtr
306 )
307 {
308 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
309 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
310 } else {
311 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
312 }
313 return TRUE;
314 }
/src/vendorcode/amd/agesa/f14/Proc/Mem/NB/mn.c: 306 in MemNTrainingFlowNb()
300 BOOLEAN
301 MemNTrainingFlowNb (
302 IN OUT MEM_NB_BLOCK *NBPtr
303 )
304 {
305 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
306 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
307 } else {
308 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
309 }
310 return TRUE;
311 }
/src/vendorcode/amd/agesa/f15tn/Proc/Mem/NB/mn.c: 302 in MemNTrainingFlowNb()
296 BOOLEAN
297 MemNTrainingFlowNb (
298 IN OUT MEM_NB_BLOCK *NBPtr
299 )
300 {
301 if (MemNGetBitFieldNb (NBPtr, BFDdr3Mode)!= 0) {
>>> CID 1357451: (OVERRUN)
>>> Overrunning array "memNTrainFlowControl" of 1 4-byte elements at element index 1 (byte offset 4) using index "1".
302 memNTrainFlowControl[DDR3_TRAIN_FLOW] (NBPtr);
303 } else {
304 memNTrainFlowControl[DDR2_TRAIN_FLOW] (NBPtr);
305 }
306 return TRUE;
307 }
** CID 1357446: Control flow issues (DEADCODE)
/src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed()
________________________________________________________________________________________________________
*** CID 1357446: Control flow issues (DEADCODE)
/src/northbridge/intel/x4x/raminit.c: 374 in sdram_detect_ram_speed()
368 } else { // DDR3
369 // Limit frequency for MCH
370 maxfreq = (s->max_ddr2_mhz == 800) ? MEM_CLOCK_800MHz : MEM_CLOCK_667MHz;
371 maxfreq >>= 3;
372 freq = MEM_CLOCK_1333MHz;
373 if (maxfreq) {
>>> CID 1357446: Control flow issues (DEADCODE)
>>> Execution cannot reach this statement: "freq = maxfreq + 2;".
374 freq = maxfreq + 2;
375 }
376 if (freq > MEM_CLOCK_1333MHz) {
377 freq = MEM_CLOCK_1333MHz;
378 }
379
** CID 1357443: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 378 in gpio_route_gpe()
________________________________________________________________________________________________________
*** CID 1357443: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 378 in gpio_route_gpe()
372 if(gpe0b == -1)
373 return;
374 gpe0c = pmc_gpe_route_to_gpio(gpe0c);
375 if(gpe0c == -1)
376 return;
377 gpe0d = pmc_gpe_route_to_gpio(gpe0d);
>>> CID 1357443: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "gpe0d == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
378 if(gpe0d == -1)
379 return;
380
381 misccfg_value = gpe0b << MISCCFG_GPE0_DW0_SHIFT;
382 misccfg_value |= gpe0c << MISCCFG_GPE0_DW1_SHIFT;
383 misccfg_value |= gpe0d << MISCCFG_GPE0_DW2_SHIFT;
** CID 1357442: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 375 in gpio_route_gpe()
________________________________________________________________________________________________________
*** CID 1357442: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 375 in gpio_route_gpe()
369 * default.
370 */
371 gpe0b = pmc_gpe_route_to_gpio(gpe0b);
372 if(gpe0b == -1)
373 return;
374 gpe0c = pmc_gpe_route_to_gpio(gpe0c);
>>> CID 1357442: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "gpe0c == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
375 if(gpe0c == -1)
376 return;
377 gpe0d = pmc_gpe_route_to_gpio(gpe0d);
378 if(gpe0d == -1)
379 return;
380
** CID 1357441: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 372 in gpio_route_gpe()
________________________________________________________________________________________________________
*** CID 1357441: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/intel/apollolake/gpio.c: 372 in gpio_route_gpe()
366 * If any of these returns -1 then there is some error in devicetree
367 * where the group is probably hardcoded and does not comply with the
368 * PMC group defines. So we return from here and MISCFG is set to
369 * default.
370 */
371 gpe0b = pmc_gpe_route_to_gpio(gpe0b);
>>> CID 1357441: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
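>>> "gpe0b == -1" is always false regardless of the values of its operands. This occurs as the logical operand of if.
Note (added in review): the comment at lines 366-369 says a -1 return signals a devicetree error and that the function should bail out. If the comparison can never be true, that error is silently ignored and the value is shifted into misccfg_value (lines 381-383, quoted under CID 1357443). Presumably gpe0b, gpe0c and gpe0d are declared with an unsigned type narrower than int; confirm against the declarations, which the excerpt does not show. CID 1357442 and CID 1357443 report the same pattern for gpe0c and gpe0d.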
372 if(gpe0b == -1)
373 return;
374 gpe0c = pmc_gpe_route_to_gpio(gpe0c);
375 if(gpe0c == -1)
376 return;
377 gpe0d = pmc_gpe_route_to_gpio(gpe0d);
** CID 1357439: Incorrect expression (ASSERT_SIDE_EFFECT)
/src/soc/intel/quark/i2c.c: 104 in platform_i2c_transfer()
________________________________________________________________________________________________________
*** CID 1357439: Incorrect expression (ASSERT_SIDE_EFFECT)
/src/soc/intel/quark/i2c.c: 104 in platform_i2c_transfer()
98 buffer = NULL;
99 while (count-- > 0) {
100 buffer = segments->buf;
101 length = segments->len;
102 ASSERT (buffer != NULL);
103 ASSERT (length >= 1);
>>> CID 1357439: Incorrect expression (ASSERT_SIDE_EFFECT)
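>>> Assignment "segments->chip = chip" has a side effect. This code will work differently in a non-debug build.
Note (added in review): the expression inside ASSERT is an assignment, not a comparison. If the intent was to verify that the segment addresses the expected chip, it would read "segments->chip == chip". As written, a build with ASSERT enabled overwrites segments->chip, and a build with ASSERT compiled out performs no check at all.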
104 ASSERT (segments->chip = chip);
105
106 if (segments->read) {
107 /* Place read commands into the FIFO */
108 read_length = length;
109 while (length > 0) {
** CID 1355168: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 596 in rkclk_configure_spi()
/src/soc/rockchip/rk3399/clock.c: 611 in rkclk_configure_spi()
/src/soc/rockchip/rk3399/clock.c: 615 in rkclk_configure_spi()
________________________________________________________________________________________________________
*** CID 1355168: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 596 in rkclk_configure_spi()
590 case 0:
591 write32(&cru_ptr->clksel_con[59],
592 SPI_CLK_REG_VALUE(0, src_clk_div));
593 break;
594 case 1:
595 write32(&cru_ptr->clksel_con[59],
>>> CID 1355168: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI1_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI1_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI1_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI1_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
596 SPI_CLK_REG_VALUE(1, src_clk_div));
597 break;
598 case 2:
599 write32(&cru_ptr->clksel_con[60],
600 SPI_CLK_REG_VALUE(2, src_clk_div));
601 break;
/src/soc/rockchip/rk3399/clock.c: 611 in rkclk_configure_spi()
605 SPI3_DIV_CON_MASK << SPI3_DIV_CON_SHIFT,
606 SPI3_PLL_SEL_PPLL << SPI3_PLL_SEL_SHIFT |
607 (src_clk_div - 1) << SPI3_DIV_CON_SHIFT));
608 break;
609 case 4:
610 write32(&cru_ptr->clksel_con[60],
>>> CID 1355168: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI4_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI4_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI4_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI4_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
611 SPI_CLK_REG_VALUE(4, src_clk_div));
612 break;
613 case 5:
614 write32(&cru_ptr->clksel_con[58],
615 SPI_CLK_REG_VALUE(5, src_clk_div));
616 break;
/src/soc/rockchip/rk3399/clock.c: 615 in rkclk_configure_spi()
609 case 4:
610 write32(&cru_ptr->clksel_con[60],
611 SPI_CLK_REG_VALUE(4, src_clk_div));
612 break;
613 case 5:
614 write32(&cru_ptr->clksel_con[58],
>>> CID 1355168: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (CLK_SPI_PLL_SEL_MASK << CLK_SPI5_PLL_SEL_SHIFT) | (CLK_SPI_PLL_DIV_CON_MASK << CLK_SPI5_PLL_DIV_CON_SHIFT) */) | ((32768 /* CLK_SPI_PLL_SEL_GPLL << CLK_SPI5_PLL_SEL_SHIFT */) | (src_clk_div - 1 << CLK_SPI5_PLL_DIV_CON_SHIFT))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
615 SPI_CLK_REG_VALUE(5, src_clk_div));
616 break;
617 default:
618 printk(BIOS_ERR, "do not support this spi bus\n");
619 }
620 }
** CID 1355167: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 668 in rkclk_configure_i2c()
/src/soc/rockchip/rk3399/clock.c: 672 in rkclk_configure_i2c()
/src/soc/rockchip/rk3399/clock.c: 676 in rkclk_configure_i2c()
________________________________________________________________________________________________________
*** CID 1355167: (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 668 in rkclk_configure_i2c()
662 case 4:
663 write32(&pmucru_ptr->pmucru_clksel[3],
664 PMU_I2C_CLK_REG_VALUE(4, src_clk_div));
665 break;
666 case 5:
667 write32(&cru_ptr->clksel_con[61],
>>> CID 1355167: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C5_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C5_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C5_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C5_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
668 I2C_CLK_REG_VALUE(5, src_clk_div));
669 break;
670 case 6:
671 write32(&cru_ptr->clksel_con[62],
672 I2C_CLK_REG_VALUE(6, src_clk_div));
673 break;
/src/soc/rockchip/rk3399/clock.c: 672 in rkclk_configure_i2c()
666 case 5:
667 write32(&cru_ptr->clksel_con[61],
668 I2C_CLK_REG_VALUE(5, src_clk_div));
669 break;
670 case 6:
671 write32(&cru_ptr->clksel_con[62],
>>> CID 1355167: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C6_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C6_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C6_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C6_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
672 I2C_CLK_REG_VALUE(6, src_clk_div));
673 break;
674 case 7:
675 write32(&cru_ptr->clksel_con[63],
676 I2C_CLK_REG_VALUE(7, src_clk_div));
677 break;
/src/soc/rockchip/rk3399/clock.c: 676 in rkclk_configure_i2c()
670 case 6:
671 write32(&cru_ptr->clksel_con[62],
672 I2C_CLK_REG_VALUE(6, src_clk_div));
673 break;
674 case 7:
675 write32(&cru_ptr->clksel_con[63],
>>> CID 1355167: (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* (I2C_DIV_CON_MASK << CLK_I2C7_DIV_CON_SHIFT) | (CLK_I2C_PLL_SEL_MASK << CLK_I2C7_PLL_SEL_SHIFT) */) | ((src_clk_div - 1 << CLK_I2C7_DIV_CON_SHIFT) | (32768 /* CLK_I2C_PLL_SEL_GPLL << CLK_I2C7_PLL_SEL_SHIFT */))) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
676 I2C_CLK_REG_VALUE(7, src_clk_div));
677 break;
678 case 8:
679 write32(&pmucru_ptr->pmucru_clksel[2],
680 PMU_I2C_CLK_REG_VALUE(8, src_clk_div));
681 break;
** CID 1355166: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 749 in rkclk_configure_saradc()
________________________________________________________________________________________________________
*** CID 1355166: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
/src/soc/rockchip/rk3399/clock.c: 749 in rkclk_configure_saradc()
743
744 /* saradc src clk from 24MHz */
745 src_clk_div = 24 * MHz / hz;
746 assert((src_clk_div - 1 < 255) && (src_clk_div * hz == 24 * MHz));
747
748 write32(&cru_ptr->clksel_con[26],
>>> CID 1355166: Integer handling issues (CONSTANT_EXPRESSION_RESULT)
>>> "((65280 /* CLK_SARADC_DIV_CON_MASK << CLK_SARADC_DIV_CON_SHIFT */) | (src_clk_div - 1 << CLK_SARADC_DIV_CON_SHIFT)) << 16" is 0xffffffffff000000 regardless of the values of its operands. This occurs as the bitwise first operand of '|'.
749 RK_CLRSETBITS(CLK_SARADC_DIV_CON_MASK <<
750 CLK_SARADC_DIV_CON_SHIFT,
751 (src_clk_div - 1) << CLK_SARADC_DIV_CON_SHIFT));
752 }
753
754 void rkclk_configure_vop_aclk(u32 vop_id, u32 aclk_hz)
** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON)
/src/lib/selfboot.c: 249 in build_self_segment_list()
________________________________________________________________________________________________________
*** CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON)
/src/lib/selfboot.c: 249 in build_self_segment_list()
243
244 memset(head, 0, sizeof(*head));
245 head->next = head->prev = head;
246
247 first_segment = &cbfs_payload->segments;
248
>>> CID 1354970: Memory - corruptions (ARRAY_VS_SINGLETON)
>>> Using "current_segment" as an array. This might corrupt or misinterpret adjacent memory locations.
249 for (current_segment = first_segment;; ++current_segment) {
250 printk(BIOS_DEBUG,
251 "Loading segment from ROM address 0x%p\n",
252 current_segment);
253
254 cbfs_decode_payload_segment(&segment, current_segment);
** CID 1354849: Insecure data handling (INTEGER_OVERFLOW)
/src/arch/x86/tables.c: 85 in write_mptable()
________________________________________________________________________________________________________
*** CID 1354849: Insecure data handling (INTEGER_OVERFLOW)
/src/arch/x86/tables.c: 85 in write_mptable()
79 }
80
81 printk(BIOS_DEBUG, "MP table: %ld bytes.\n",
82 new_high_table_pointer - high_table_pointer);
83 }
84
>>> CID 1354849: Insecure data handling (INTEGER_OVERFLOW)
>>> Overflowed or truncated value (or a value computed from an overflowed or truncated value) "rom_table_end" used as return value.
85 return rom_table_end;
86 }
87
88 static unsigned long write_acpi_table(unsigned long rom_table_end)
89 {
90 unsigned long high_table_pointer;
** CID 1354778: (UNINIT)
/src/cpu/ti/am335x/uart.c: 190 in uart_fill_lb()
/src/soc/imgtec/pistachio/uart.c: 150 in uart_fill_lb()
/src/soc/samsung/exynos5250/uart.c: 191 in uart_fill_lb()
/src/soc/broadcom/cygnus/ns16550.c: 118 in uart_fill_lb()
/src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb()
/src/soc/nvidia/tegra124/uart.c: 135 in uart_fill_lb()
/src/soc/samsung/exynos5420/uart.c: 182 in uart_fill_lb()
/src/soc/mediatek/mt8173/uart.c: 176 in uart_fill_lb()
/src/soc/nvidia/tegra210/uart.c: 122 in uart_fill_lb()
/src/soc/qualcomm/ipq40xx/uart.c: 296 in uart_fill_lb()
/src/mainboard/emulation/qemu-riscv/uart.c: 48 in uart_fill_lb()
/src/cpu/allwinner/a10/uart_console.c: 44 in uart_fill_lb()
________________________________________________________________________________________________________
*** CID 1354778: (UNINIT)
/src/cpu/ti/am335x/uart.c: 190 in uart_fill_lb()
184 {
185 }
186
187 #ifndef __PRE_RAM__
188 void uart_fill_lb(void *data)
189 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
190 struct lb_serial serial;
191 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
192 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
193 serial.baud = default_baudrate();
194 serial.regwidth = 2;
195 lb_add_serial(&serial, data);
196
197 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
198 }
/src/soc/imgtec/pistachio/uart.c: 150 in uart_fill_lb()
144 uart8250_mem_tx_flush(CONFIG_CONSOLE_SERIAL_UART_ADDRESS);
145 }
146
147 #ifndef __PRE_RAM__
148 void uart_fill_lb(void *data)
149 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
150 struct lb_serial serial;
151 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
152 serial.baseaddr = CONFIG_CONSOLE_SERIAL_UART_ADDRESS;
153 serial.baud = default_baudrate();
154 serial.regwidth = 1 << UART_SHIFT;
155 lb_add_serial(&serial, data);
156
157 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
158 }
/src/soc/samsung/exynos5250/uart.c: 191 in uart_fill_lb()
185 exynos5_uart_tx_flush(uart);
186 }
187
188 #ifndef __PRE_RAM__
189 void uart_fill_lb(void *data)
190 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
191 struct lb_serial serial;
192 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
193 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
194 serial.baud = default_baudrate();
195 serial.regwidth = 4;
196 lb_add_serial(&serial, data);
197
198 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
199 }
/src/soc/broadcom/cygnus/ns16550.c: 118 in uart_fill_lb()
112 return ns16550_rx_byte();
113 }
114
115 #ifndef __PRE_RAM__
116 void uart_fill_lb(void *data)
117 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
118 struct lb_serial serial;
119 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
120 serial.baseaddr = (uintptr_t)regs;
121 serial.baud = default_baudrate();
122 serial.regwidth = 4;
123 lb_add_serial(&serial, data);
124
125 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
126 }
/src/soc/intel/fsp_broadwell_de/uart.c: 104 in uart_fill_lb()
98 uart8250_tx_flush(uart_platform_base(idx));
99 }
100
101 #if ENV_RAMSTAGE
102 void uart_fill_lb(void *data)
103 {
>>> CID 1354778: (UNINIT)
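>>> Declaring variable "serial" without initializer.
Note (added in review): in this implementation serial.regwidth is not assigned before lb_add_serial(&serial, data) (lines 105-108), so that field is handed on with an indeterminate value. The other uart_fill_lb() excerpts under this CID do assign it. Whether struct lb_serial has further fields that none of the implementations set cannot be told from the excerpts.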
104 struct lb_serial serial;
105 serial.type = LB_SERIAL_TYPE_IO_MAPPED;
106 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
107 serial.baud = default_baudrate();
108 lb_add_serial(&serial, data);
109
110 lb_add_console(LB_TAG_CONSOLE_SERIAL8250, data);
111 }
/src/soc/nvidia/tegra124/uart.c: 135 in uart_fill_lb()
129 tegra124_uart_tx_flush(uart_ptr);
130 }
131
132 #ifndef __PRE_RAM__
133 void uart_fill_lb(void *data)
134 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
135 struct lb_serial serial;
136 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
137 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
138 serial.baud = default_baudrate();
139 serial.regwidth = 4;
140 lb_add_serial(&serial, data);
141
142 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
143 }
/src/soc/samsung/exynos5420/uart.c: 182 in uart_fill_lb()
176 /* Exynos5250 implements this too. */
177 }
178
179 #ifndef __PRE_RAM__
180 void uart_fill_lb(void *data)
181 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
182 struct lb_serial serial;
183 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
184 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
185 serial.baud = default_baudrate();
186 serial.regwidth = 4;
187 lb_add_serial(&serial, data);
188
189 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
190 }
/src/soc/mediatek/mt8173/uart.c: 176 in uart_fill_lb()
170 mtk_uart_tx_flush();
171 }
172
173 #ifndef __PRE_RAM__
174 void uart_fill_lb(void *data)
175 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
176 struct lb_serial serial;
177 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
178 serial.baseaddr = UART0_BASE;
179 serial.baud = default_baudrate();
180 serial.regwidth = 4;
181 lb_add_serial(&serial, data);
182
183 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
184 }
/src/soc/nvidia/tegra210/uart.c: 122 in uart_fill_lb()
116 return tegra210_uart_rx_byte();
117 }
118
119 #ifndef __PRE_RAM__
120 void uart_fill_lb(void *data)
121 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
122 struct lb_serial serial;
123 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
124 serial.baseaddr = CONFIG_CONSOLE_SERIAL_TEGRA210_UART_ADDRESS;
125 serial.baud = default_baudrate();
126 serial.regwidth = 4;
127 lb_add_serial(&serial, data);
128
129 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
130 }
/src/soc/qualcomm/ipq40xx/uart.c: 296 in uart_fill_lb()
290 #endif
291
292 #ifndef __PRE_RAM__
293 /* TODO: Implement function */
294 void uart_fill_lb(void *data)
295 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
296 struct lb_serial serial;
297
298 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
299 serial.baseaddr = (uint32_t)UART1_DM_BASE;
300 serial.baud = default_baudrate();
301 serial.regwidth = 1;
/src/mainboard/emulation/qemu-riscv/uart.c: 48 in uart_fill_lb()
42 {
43 }
44
45 #ifndef __PRE_RAM__
46 void uart_fill_lb(void *data)
47 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
48 struct lb_serial serial;
49 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
50 serial.baseaddr = 0x3f8;
51 serial.baud = 115200;
52 serial.regwidth = 1;
53 lb_add_serial(&serial, data);
54 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
55 }
/src/cpu/allwinner/a10/uart_console.c: 44 in uart_fill_lb()
38 return 24000000;
39 }
40
41 #ifndef __PRE_RAM__
42 void uart_fill_lb(void *data)
43 {
>>> CID 1354778: (UNINIT)
>>> Declaring variable "serial" without initializer.
44 struct lb_serial serial;
45 serial.type = LB_SERIAL_TYPE_MEMORY_MAPPED;
46 serial.baseaddr = uart_platform_base(CONFIG_UART_FOR_CONSOLE);
47 serial.baud = default_baudrate();
48 serial.regwidth = 1;
49 lb_add_serial(&serial, data);
50
51 lb_add_console(LB_TAG_CONSOLE_SERIAL8250MEM, data);
52 }
** CID 1354615: Memory - illegal accesses (OVERRUN)
/src/cpu/ti/am335x/gpio.c: 30 in gpio_regs_and_bit()
________________________________________________________________________________________________________
*** CID 1354615: Memory - illegal accesses (OVERRUN)
/src/cpu/ti/am335x/gpio.c: 30 in gpio_regs_and_bit()
24
25 if (bank > ARRAY_SIZE(am335x_gpio_banks)) {
26 printk(BIOS_ERR, "Bad gpio index %d.\n", gpio);
27 return NULL;
28 }
29 *bit = 1 << (gpio % 32);
>>> CID 1354615: Memory - illegal accesses (OVERRUN)
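>>> Overrunning array "am335x_gpio_banks" of 4 4-byte elements at element index 4 (byte offset 16) using index "bank" (which evaluates to 4).
Note (added in review): the guard on line 25 is "bank > ARRAY_SIZE(am335x_gpio_banks)", which lets bank == 4 through. A bounds check of an index against an array length needs ">=".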
30 return am335x_gpio_banks[bank];
31 }
32
33 void am335x_disable_gpio_irqs(void)
34 {
35 int i;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbLuoVetFLSjdonCi1EjfHRqWGQvojmmkYaBE-2BPJiTQvQ-3D-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5a5yKA03-2B-2F8gkr37oVNo-2BOWQTrPVLe6ZqVQnS9NY7w8Xn3yOhQs0IQ2qBrdn7UXzW3GLKbB0o08zj1bxbdHSdZlJZxFUBAotNS4ARAFmNql-2FwkOf99xRFT8gInJsMtFujyz6Xl9zz5uw97Nzj-2FaTc5i0oT8-2BYoLsT9DAA8-2Fhe-2BXTBySf-2Fdht3IaBd2nItsfPlc-3D
To manage Coverity Scan email notifications for "coreboot at coreboot.org", click https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4e-2BpBzwOa5gzBZa9dWpDbzfofODnVj1enK2UkK0-2BgCCqyeem8IVKvTxSaOFkteZFcnohwvb2rnYNjswGryEWCURnUk6WHU42sbOmtOjD-2Bx5c-3D_q4bX76XMySz3BXBlWr5fXXJ4cvAsgEXEqC7dBPM7O5a5yKA03-2B-2F8gkr37oVNo-2BOWRXHxwumgjbW6QPMPp1azXTzimm2u6XmNcmhbTk60zW9sjHf0wWThQpHB7huSdtBvaMrhmFzKNNtCjlHlJRFDG7fXXvNW2mHzQ8lPWfwhwt4l8e2wghVN9VJMHHzwFUCsfqlca6AxFKEe-2BdyTLChu5QCsyxxvrCyPwHQ2UzxBDw4-3D