Fwd: New Defects reported by Coverity Scan for RTEMS
Gedare Bloom
gedare at rtems.org
Thu Jan 28 20:06:30 UTC 2021
FYI. I should see if I can get these reports sent to the list directly...
---------- Forwarded message ---------
From: <scan-admin at coverity.com>
Date: Thu, Jan 28, 2021 at 11:59 AM
Subject: New Defects reported by Coverity Scan for RTEMS
To: <gedare at gwmail.gwu.edu>
Hi,
Please find the latest report on new defect(s) introduced to RTEMS found
with Coverity Scan.
7 new defect(s) introduced to RTEMS found with Coverity Scan.
3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 7 of 7 defect(s)
** CID 1472601: Null pointer dereferences (NULL_RETURNS)
/bsps/shared/ofw/ofw.c: 627 in rtems_ofw_get_reg()
________________________________________________________________________________________________________
*** CID 1472601: Null pointer dereferences (NULL_RETURNS)
/bsps/shared/ofw/ofw.c: 627 in rtems_ofw_get_reg()
621 nranges = len / sizeof(rtems_ofw_ranges);
622
623 offset = 0;
624 for (int i=0; i < nregs; i++) {
625 for (int j=0; j < nranges; j++) {
626
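>>> CID 1472601: Null pointer dereferences (NULL_RETURNS)
>>> Dereferencing "ptr", which is known to be "NULL".
[Note: the assignment to "ptr" falls outside the quoted lines. NULL_RETURNS reports a possibly-NULL function return value that is used without a check, so the missing check would belong right after that assignment, before the loops on lines 624-625 index "ptr".]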
627 range.parent_bus = fdt32_to_cpu(ptr[j].parent_bus);
628 range.child_bus = fdt32_to_cpu(ptr[j].child_bus);
629 range.size = fdt32_to_cpu(ptr[j].size);
630
631 if (buf[i].start >= range.child_bus &&
632 buf[i].start < range.child_bus + range.size) {
** CID 1472600: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 377 in rtems_ofw_get_enc_prop_alloc()
________________________________________________________________________________________________________
*** CID 1472600: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 377 in rtems_ofw_get_enc_prop_alloc()
371 if (*buf == NULL) {
372 return -1;
373 }
374
375 if (rtems_ofw_get_enc_prop(node, propname, *buf, len) == -1) {
376 rtems_ofw_free(buf);
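>>> CID 1472600: Memory - corruptions (USE_AFTER_FREE)
>>> Dereferencing freed pointer "buf".
[Note: line 376 passes "buf" itself to rtems_ofw_free(), while the buffer that is NULL-checked on line 371 and filled on line 375 is "*buf". If the intent is to release that buffer, the call frees the wrong pointer (the caller's pointer slot rather than the allocation), and line 377 then writes through it. Passing "*buf" to rtems_ofw_free() would match the surrounding code. The same pattern is flagged in CID 1472599, CID 1472598 and CID 1472596.]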
377 *buf = NULL;
378 return -1;
379 }
380 }
381
382 return len;
** CID 1472599: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 348 in rtems_ofw_get_prop_alloc_multi()
________________________________________________________________________________________________________
*** CID 1472599: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 348 in rtems_ofw_get_prop_alloc_multi()
342 if (*buf == NULL) {
343 return -1;
344 }
345
346 if (rtems_ofw_get_prop(node, propname, *buf, len) == -1) {
347 rtems_ofw_free(buf);
>>> CID 1472599: Memory - corruptions (USE_AFTER_FREE)
>>> Dereferencing freed pointer "buf".
348 *buf = NULL;
349 return -1;
350 }
351 }
352
353 return (len / elsz);
** CID 1472598: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 317 in rtems_ofw_get_prop_alloc()
________________________________________________________________________________________________________
*** CID 1472598: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 317 in rtems_ofw_get_prop_alloc()
311 if (*buf == NULL) {
312 return -1;
313 }
314
315 if (rtems_ofw_get_prop(node, propname, *buf, len) == -1) {
316 rtems_ofw_free(buf);
>>> CID 1472598: Memory - corruptions (USE_AFTER_FREE)
>>> Dereferencing freed pointer "buf".
317 *buf = NULL;
318 return -1;
319 }
320 }
321
322 return len;
** CID 1472597: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________
*** CID 1472597: Memory - corruptions (ARRAY_VS_SINGLETON)
/bsps/shared/ofw/ofw.c: 510 in rtems_ofw_get_effective_phandle()
504
505 for (child = rtems_ofw_child(node); child != 0; child =
rtems_ofw_peer(child)) {
506 ref = rtems_ofw_get_effective_phandle(child, xref);
507 if (ref != -1)
508 return ref;
509
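>>> CID 1472597: Memory - corruptions (ARRAY_VS_SINGLETON)
>>> Passing "&ref" to function "rtems_ofw_get_enc_prop" which uses it
as an array. This might corrupt or misinterpret adjacent memory locations.
[Note: each call on lines 510-512 also passes sizeof(ref) as the buffer length, so this is an actual out-of-bounds write only if rtems_ofw_get_enc_prop() can touch more than the length it is given. Its body is not shown in this report and needs to be checked before treating this as a real defect. CID 1472595 reports the same call pattern.]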
510 if (rtems_ofw_get_enc_prop(child, "phandle", &ref, sizeof(ref))
== -1 &&
511 rtems_ofw_get_enc_prop(child, "ibm,phandle", &ref,
sizeof(ref)) == -1 &&
512 rtems_ofw_get_enc_prop(child, "linux,phandle", &ref,
sizeof(ref)) == -1
513 ) {
514 continue;
515 }
** CID 1472596: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 408 in rtems_ofw_get_enc_prop_alloc_multi()
________________________________________________________________________________________________________
*** CID 1472596: Memory - corruptions (USE_AFTER_FREE)
/bsps/shared/ofw/ofw.c: 408 in rtems_ofw_get_enc_prop_alloc_multi()
402 if (*buf == NULL) {
403 return -1;
404 }
405
406 if (rtems_ofw_get_enc_prop(node, propname, *buf, len) == -1) {
407 rtems_ofw_free(buf);
>>> CID 1472596: Memory - corruptions (USE_AFTER_FREE)
>>> Dereferencing freed pointer "buf".
408 *buf = NULL;
409 return -1;
410 }
411 }
412
413 return (len / elsz);
** CID 1472595: Memory - corruptions (ARRAY_VS_SINGLETON)
________________________________________________________________________________________________________
*** CID 1472595: Memory - corruptions (ARRAY_VS_SINGLETON)
/bsps/shared/ofw/ofw.c: 538 in rtems_ofw_xref_from_node()
532 }
533
534 phandle_t rtems_ofw_xref_from_node( phandle_t node )
535 {
536 phandle_t ref;
537
>>> CID 1472595: Memory - corruptions (ARRAY_VS_SINGLETON)
>>> Passing "&ref" to function "rtems_ofw_get_enc_prop" which uses it
as an array. This might corrupt or misinterpret adjacent memory locations.
538 if (rtems_ofw_get_enc_prop(node, "phandle", &ref, sizeof(ref))
== -1 &&
539 rtems_ofw_get_enc_prop(node, "ibm,phandle", &ref,
sizeof(ref)) == -1 &&
540 rtems_ofw_get_enc_prop(node, "linux,phandle", &ref,
sizeof(ref)) == -1)
541 {
542 return node;
543 }
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50ypUUzi-2FdSNmuyRB7BEFT8xQ4-2B8hpujh0hTgQljRGId4Dg-3D-3D4rCS_NXfCUf1CLFYLbjXajJIgHlbL5qYn95oel6MvjPauKObfKXAxQ82kyzbTTgHGbdRzqrUhmhYWDX-2FyQdnWo5YnM-2FFUamWoMY-2BoKaEuqI2cyQv-2F-2Fhu0OTnekxXXUMfFLrMvhuvV4eI1uHLQGggvvsj-2FLfNGn-2BGPcv-2FG4UQSY4tky86S7nsFiHxxfqeXd31O6xy-2FCgLy2h3kVviDDWthwfms12-2BjQqk8Zt9jVBFB6z3QmdY-3D