[PATCH v2] bsps/shared/ofw: Fix coverity defects
Gedare Bloom
gedare at rtems.org
Wed May 5 14:42:04 UTC 2021
Alright, looks good. Vijay or Christian, please confirm and push if
you're good with it too.
On Wed, May 5, 2021 at 12:52 AM Niteesh G. S. <niteesh.gs at gmail.com> wrote:
>
>
>
> On Mon, May 3, 2021 at 11:23 PM Gedare Bloom <gedare at rtems.org> wrote:
>>
>> Hi Niteesh,
>>
>> This looks good to me. What/how did you test it?
>
> I tested it using the ofw01 test
> https://git.rtems.org/rtems/tree/testsuites/libtests/ofw01/init.c
> and read EEPROM using i2c.
>
>>
>> Gedare
>>
>> On Sat, May 1, 2021 at 6:31 AM G S Niteesh Babu <niteesh.gs at gmail.com> wrote:
>> >
>> > This patch adds asserts to fix coverity defects
>> > 1) CID 1474437 (Out-of-bounds access)
>> > 2) CID 1474436 (Out-of-bounds access)
>> >
>> > From manual inspection, out of bounds access cannot occur due to
>> > bounds checking but coverity fails to detect the checks.
>> > We are adding asserts as a secondary check.
>> > ---
>> > bsps/shared/ofw/ofw.c | 12 +++++++++++-
>> > 1 file changed, 11 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/bsps/shared/ofw/ofw.c b/bsps/shared/ofw/ofw.c
>> > index f4b8b63931..0e0a7033ab 100644
>> > --- a/bsps/shared/ofw/ofw.c
>> > +++ b/bsps/shared/ofw/ofw.c
>> > @@ -42,6 +42,7 @@
>> > #include <assert.h>
>> > #include <rtems/sysinit.h>
>> > #include <ofw/ofw_test.h>
>> > +#include <rtems/score/assert.h>
>> >
>> > static void *fdtp = NULL;
>> >
>> > @@ -186,6 +187,7 @@ ssize_t rtems_ofw_get_prop(
>> > const void *prop;
>> > int offset;
>> > int len;
>> > + int copy_len;
>> > uint32_t cpuid;
>> >
>> > offset = rtems_fdt_phandle_to_offset(node);
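Review bot: copy_len is declared as int, next to int len, but it is later compared with bufsize and used as a copy length. The type of bufsize is not visible in this hunk; if it is unsigned (size_t), MIN(len, bufsize) mixes signed and unsigned operands and the result is narrowed back into an int. Declaring copy_len with the same type as bufsize would avoid the conversion.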
>> > @@ -226,7 +228,9 @@ ssize_t rtems_ofw_get_prop(
>> > return -1;
>> > }
>> >
>> > - bcopy(prop, buf, MIN(len, bufsize));
>> > + copy_len = MIN(len, bufsize);
>> > + _Assert(copy_len <= bufsize);
>> > + memmove(prop, buf, copy_len);
>> >
>> > return len;
>> > }
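Review bot: the memmove() call has its arguments in the wrong order. bcopy() takes (src, dst, n) while memmove() takes (dst, src, n), so replacing "bcopy(prop, buf, ...)" with "memmove(prop, buf, copy_len)" reverses the copy: it now writes the caller's buffer into prop, which is declared const void * and points at the property data, and buf is never filled. It should be "memmove(buf, prop, copy_len);". Separately, "_Assert(copy_len <= bufsize)" cannot fail because copy_len was just computed as MIN(len, bufsize), so it documents the invariant for the analyzer but checks nothing at run time; a case worth covering is a negative len, which this hunk does not show being ruled out.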
>> > @@ -637,6 +641,12 @@ int rtems_ofw_get_reg(
>> > range.child_bus = fdt32_to_cpu(ptr[j].child_bus);
>> > range.size = fdt32_to_cpu(ptr[j].size);
>> >
>> > + /**
>> > + * (buf + size - (sizeof(buf[0]) - 1) is the last valid
>> > + * address for buf[i]. If buf[i] points to any address larger
>> > + * than this, it will be an out of bound access
>> > + */
>> > + _Assert(&buf[i] < (buf + size - (sizeof(buf[0]) - 1)));
>> > if (buf[i].start >= range.child_bus &&
>> > buf[i].start < range.child_bus + range.size) {
>> > offset = range.parent_bus - range.child_bus;
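Review bot: the bound in "_Assert(&buf[i] < (buf + size - (sizeof(buf[0]) - 1)))" mixes element and byte units. buf is indexed as an array of structures (buf[i].start), so "buf + size" advances by size elements, not size bytes, and subtracting "sizeof(buf[0]) - 1" then removes that many elements rather than bytes. If size is a byte count, the limit lands far past the end of the buffer and the assert passes for out-of-range i; if size is an element count, the limit is too low. Comparing indices is clearer and unit-safe, for example i < size / sizeof(buf[0]) when size is in bytes. The comment also has an unbalanced parenthesis and uses the Doxygen "/**" opener for an ordinary in-function comment.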
>> > --
>> > 2.17.1
>> >