New Defects reported by Coverity Scan for ARM-software/arm-trusted-firmware - TF-A

5 Feb 2021


      Hi,
Please find the latest report on new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
5 new defect(s) introduced to ARM-software/arm-trusted-firmware found with Coverity Scan.
14 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 5 of 5 defect(s)
** CID 366362:  Control flow issues  (DEADCODE)
/plat/rockchip/rk3399/drivers/dram/dfs.c: 123 in get_dram_drv_odt_val()
________________________________________________________________________________________________________
*** CID 366362:  Control flow issues  (DEADCODE)
/plat/rockchip/rk3399/drivers/dram/dfs.c: 123 in get_dram_drv_odt_val()
117     		tmp = ((mr1_val >> 2) & 1) | ((mr1_val >> 5) & 1) |
118     		      ((mr1_val >> 7) & 1);
119     		if (tmp == 0)
120     			drv_config->dram_side_dq_odt = 0;
121     		else if (tmp == 1)
122     			drv_config->dram_side_dq_odt = 60;
...
...
...
CID 366362:  Control flow issues  (DEADCODE)
Execution cannot reach this statement: "if (tmp == 3U)

drv_config...".
123     		else if (tmp == 3)
124     			drv_config->dram_side_dq_odt = 40;
125     		else
126     			drv_config->dram_side_dq_odt = 120;
127     		break;
128     	case LPDDR3:
** CID 366361:    (DEADCODE)
/drivers/st/fmc/stm32_fmc2_nand.c: 247 in stm32_fmc2_nand_setup_timing()
/drivers/st/fmc/stm32_fmc2_nand.c: 250 in stm32_fmc2_nand_setup_timing()
/drivers/st/fmc/stm32_fmc2_nand.c: 203 in stm32_fmc2_nand_setup_timing()
________________________________________________________________________________________________________
*** CID 366361:    (DEADCODE)
/drivers/st/fmc/stm32_fmc2_nand.c: 247 in stm32_fmc2_nand_setup_timing()
241     	 * tSETUP_ATT > tDS - (tWAIT - tHIZ)
242     	 */
243     	tset_att = hclkp;
244     	if ((twait < NAND_TCS_MIN) && (tset_att < (NAND_TCS_MIN - twait))) {
245     		tset_att = NAND_TCS_MIN - twait;
246     	}
...
...
...
CID 366361:    (DEADCODE)
Execution cannot reach the expression "tset_att < 50000UL - twait" inside this statement: "if (twait < 50000UL && tset...".

247     	if ((twait < NAND_TCLS_MIN) && (tset_att < (NAND_TCLS_MIN - twait))) {
248     		tset_att = NAND_TCLS_MIN - twait;
249     	}
250     	if ((twait < NAND_TALS_MIN) && (tset_att < (NAND_TALS_MIN - twait))) {
251     		tset_att = NAND_TALS_MIN - twait;
252     	}
/drivers/st/fmc/stm32_fmc2_nand.c: 250 in stm32_fmc2_nand_setup_timing()
244     	if ((twait < NAND_TCS_MIN) && (tset_att < (NAND_TCS_MIN - twait))) {
245     		tset_att = NAND_TCS_MIN - twait;
246     	}
247     	if ((twait < NAND_TCLS_MIN) && (tset_att < (NAND_TCLS_MIN - twait))) {
248     		tset_att = NAND_TCLS_MIN - twait;
249     	}
...
...
...
CID 366361:    (DEADCODE)
Execution cannot reach the expression "tset_att < 50000UL - twait" inside this statement: "if (twait < 50000UL && tset...".

250     	if ((twait < NAND_TALS_MIN) && (tset_att < (NAND_TALS_MIN - twait))) {
251     		tset_att = NAND_TALS_MIN - twait;
252     	}
253     	if ((thold_mem < NAND_TRHW_MIN) &&
254     	    (tset_att < (NAND_TRHW_MIN - thold_mem))) {
255     		tset_att = NAND_TRHW_MIN - thold_mem;
/drivers/st/fmc/stm32_fmc2_nand.c: 203 in stm32_fmc2_nand_setup_timing()
197     	 * tSETUP_MEM > tDS - (tWAIT - tHIZ)
198     	 */
199     	tset_mem = hclkp;
200     	if ((twait < NAND_TCS_MIN) && (tset_mem < (NAND_TCS_MIN - twait))) {
201     		tset_mem = NAND_TCS_MIN - twait;
202     	}
...
...
...
CID 366361:    (DEADCODE)
Execution cannot reach the expression "tset_mem < 50000UL - twait" inside this statement: "if (twait < 50000UL && tset...".

203     	if ((twait < NAND_TALS_MIN) && (tset_mem < (NAND_TALS_MIN - twait))) {
204     		tset_mem = NAND_TALS_MIN - twait;
205     	}
206     	if ((twait > thiz) && ((twait - thiz) < NAND_TDS_MIN) &&
207     	    (tset_mem < (NAND_TDS_MIN - (twait - thiz)))) {
208     		tset_mem = NAND_TDS_MIN - (twait - thiz);
** CID 366360:    (UNINIT)
/lib/zlib/tf_gunzip.c: 83 in gunzip()
/lib/zlib/tf_gunzip.c: 87 in gunzip()
________________________________________________________________________________________________________
*** CID 366360:    (UNINIT)
/lib/zlib/tf_gunzip.c: 83 in gunzip()
77     	zret = inflateInit(&stream);
78     	if (zret != Z_OK) {
79     		ERROR("zlib: inflate init failed (ret = %d)\n", zret);
80     		return (zret == Z_MEM_ERROR) ? -ENOMEM : -EIO;
81     	}
82
...
...
...
CID 366360:    (UNINIT)
Using uninitialized value "stream.total_out" when calling "inflate". [Note: The source code implementation of the function has been overridden by a builtin model.]

83     	zret = inflate(&stream, Z_NO_FLUSH);
84     	if (zret == Z_STREAM_END) {
85     		ret = 0;
86     	} else {
87     		if (stream.msg)
88     			ERROR("%s\n", stream.msg);
/lib/zlib/tf_gunzip.c: 87 in gunzip()
81     	}
82     
83     	zret = inflate(&stream, Z_NO_FLUSH);
84     	if (zret == Z_STREAM_END) {
85     		ret = 0;
86     	} else {
...
...
...
CID 366360:    (UNINIT)
Using uninitialized value "stream.msg".

87     		if (stream.msg)
88     			ERROR("%s\n", stream.msg);
89     		ERROR("zlib: inflate failed (ret = %d)\n", zret);
90     		ret = (zret == Z_MEM_ERROR) ? -ENOMEM : -EIO;
91     	}
92
** CID 366283:  Insecure data handling  (TAINTED_SCALAR)
/mbedtls/library/x509_crt.c: 568 in x509_get_key_usage()
________________________________________________________________________________________________________
*** CID 366283:  Insecure data handling  (TAINTED_SCALAR)
/mbedtls/library/x509_crt.c: 568 in x509_get_key_usage()
562         if( bs.len < 1 )
563             return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
564                     MBEDTLS_ERR_ASN1_INVALID_LENGTH );
565     
566         /* Get actual bitstring */
567         *key_usage = 0;
...
...
...
CID 366283:  Insecure data handling  (TAINTED_SCALAR)
Using tainted variable "bs.len" as a loop boundary.

568         for( i = 0; i < bs.len && i < sizeof( unsigned int ); i++ )
569         {
570             *key_usage |= (unsigned int) bs.p[i] << (8*i);
571         }
572     
573         return( 0 );
** CID 366277:  Insecure data handling  (TAINTED_SCALAR)
/mbedtls/library/asn1parse.c: 158 in asn1_get_tagged_int()
________________________________________________________________________________________________________
*** CID 366277:  Insecure data handling  (TAINTED_SCALAR)
/mbedtls/library/asn1parse.c: 158 in asn1_get_tagged_int()
152             return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
153         /* This is a cryptography library. Reject negative integers. */
154         if( ( **p & 0x80 ) != 0 )
155             return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
156     
157         /* Skip leading zeros. */
...
...
...
CID 366277:  Insecure data handling  (TAINTED_SCALAR)
Using tainted variable "len" as a loop boundary.

158         while( len > 0 && **p == 0 )
159         {
160             ++( *p );
161             --len;
162         }
163
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit, https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0...