[PATCH v2] bsps/shared/ofw: Fix coverity defects

Niteesh G. S. niteesh.gs at gmail.com
Wed May 5 06:52:12 UTC 2021


On Mon, May 3, 2021 at 11:23 PM Gedare Bloom <gedare at rtems.org> wrote:

> Hi Niteesh,
>
> This looks good to me. What/how did you test it?
>
I tested it using the ofw01 test
https://git.rtems.org/rtems/tree/testsuites/libtests/ofw01/init.c
and read EEPROM using i2c.


> Gedare
>
> On Sat, May 1, 2021 at 6:31 AM G S Niteesh Babu <niteesh.gs at gmail.com>
> wrote:
> >
> > This patch adds asserts to fix coverity defects
> > 1) CID 1474437 (Out-of-bounds access)
> > 2) CID 1474436 (Out-of-bounds access)
> >
> > From manual inspection, out of bounds access cannot occur due to
> > bounds checking but coverity fails to detect the checks.
> > We are adding asserts as a secondary check.
> > ---
> >  bsps/shared/ofw/ofw.c | 12 +++++++++++-
> >  1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/bsps/shared/ofw/ofw.c b/bsps/shared/ofw/ofw.c
> > index f4b8b63931..0e0a7033ab 100644
> > --- a/bsps/shared/ofw/ofw.c
> > +++ b/bsps/shared/ofw/ofw.c
> > @@ -42,6 +42,7 @@
> >  #include <assert.h>
> >  #include <rtems/sysinit.h>
> >  #include <ofw/ofw_test.h>
> > +#include <rtems/score/assert.h>
> >
> >  static void *fdtp = NULL;
> >
> > @@ -186,6 +187,7 @@ ssize_t rtems_ofw_get_prop(
> >    const void *prop;
> >    int offset;
> >    int len;
> > +  int copy_len;
> >    uint32_t cpuid;
> >
> >    offset = rtems_fdt_phandle_to_offset(node);
> > @@ -226,7 +228,9 @@ ssize_t rtems_ofw_get_prop(
> >      return -1;
> >    }
> >
> > -  bcopy(prop, buf, MIN(len, bufsize));
> > +  copy_len = MIN(len, bufsize);
> > +  _Assert(copy_len <= bufsize);
> > +  memmove(prop, buf, copy_len);
> >
> >    return len;
> >  }
> > @@ -637,6 +641,12 @@ int rtems_ofw_get_reg(
> >          range.child_bus = fdt32_to_cpu(ptr[j].child_bus);
> >          range.size = fdt32_to_cpu(ptr[j].size);
> >
> > +        /**
> > +         * (buf + size - (sizeof(buf[0]) - 1) is the last valid
> > +         * address for buf[i]. If buf[i] points to any address larger
> > +         * than this, it will be an out of bound access
> > +         */
> > +        _Assert(&buf[i] < (buf + size - (sizeof(buf[0]) - 1)));
> >          if (buf[i].start >= range.child_bus &&
> >              buf[i].start < range.child_bus + range.size) {
> >            offset = range.parent_bus - range.child_bus;
> > --
> > 2.17.1
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rtems.org/pipermail/devel/attachments/20210505/83865b8e/attachment-0001.html>


More information about the devel mailing list