[PATCH v3] bsps/shared/ofw: Fix coverity defects

Niteesh G. S. niteesh.gs at gmail.com
Fri May 7 01:45:47 UTC 2021 

On Fri, May 7, 2021 at 4:16 AM Vijay Kumar Banerjee <vijay at rtems.org> wrote:

> On Thu, May 6, 2021 at 10:57 AM Gedare Bloom <gedare at rtems.org> wrote:
> >
> > ok, Vijay please push
>
> Pushed. Thanks.
>
Thanks for pushing.

>
> >
> > On Thu, May 6, 2021 at 2:06 AM G S Niteesh Babu <niteesh.gs at gmail.com>
> wrote:
> > >
> > > This patch adds asserts to fix coverity defects
> > > 1) CID 1474437 (Out-of-bounds access)
> > > 2) CID 1474436 (Out-of-bounds access)
> > >
> > > From manual inspection, out of bounds access cannot occur due to
> > > bounds checking but coverity fails to detect the checks.
> > > We are adding asserts as a secondary check.
> > > ---
> > >  bsps/shared/ofw/ofw.c | 12 +++++++++++-
> > >  1 file changed, 11 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/bsps/shared/ofw/ofw.c b/bsps/shared/ofw/ofw.c
> > > index f4b8b63931..f7638b98ef 100644
> > > --- a/bsps/shared/ofw/ofw.c
> > > +++ b/bsps/shared/ofw/ofw.c
> > > @@ -42,6 +42,7 @@
> > >  #include <assert.h>
> > >  #include <rtems/sysinit.h>
> > >  #include <ofw/ofw_test.h>
> > > +#include <rtems/score/assert.h>
> > >
> > >  static void *fdtp = NULL;
> > >
> > > @@ -186,6 +187,7 @@ ssize_t rtems_ofw_get_prop(
> > >    const void *prop;
> > >    int offset;
> > >    int len;
> > > +  int copy_len;
> > >    uint32_t cpuid;
> > >
> > >    offset = rtems_fdt_phandle_to_offset(node);
> > > @@ -226,7 +228,9 @@ ssize_t rtems_ofw_get_prop(
> > >      return -1;
> > >    }
> > >
> > > -  bcopy(prop, buf, MIN(len, bufsize));
> > > +  copy_len = MIN(len, bufsize);
> > > +  _Assert(copy_len <= bufsize);
> > > +  memmove(buf, prop, copy_len);
> > >
> > >    return len;
> > >  }
> > > @@ -637,6 +641,12 @@ int rtems_ofw_get_reg(
> > >          range.child_bus = fdt32_to_cpu(ptr[j].child_bus);
> > >          range.size = fdt32_to_cpu(ptr[j].size);
> > >
> > > +        /**
> > > +         * (buf + size - (sizeof(buf[0]) - 1) is the last valid
> > > +         * address for buf[i]. If buf[i] points to any address larger
> > > +         * than this, it will be an out of bound access
> > > +         */
> > > +        _Assert(&buf[i] < (buf + size - (sizeof(buf[0]) - 1)));
> > >          if (buf[i].start >= range.child_bus &&
> > >              buf[i].start < range.child_bus + range.size) {
> > >            offset = range.parent_bus - range.child_bus;
> > > --
> > > 2.17.1
> > >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rtems.org/pipermail/devel/attachments/20210507/801053ff/attachment.html>

More information about the devel mailing list