/home/coreboot/node-root/workspace/coreboot_scanbuild/util/nvramtool/cmos_lowlevel.c

Bug Summary

File:	util/nvramtool/cmos_lowlevel.c
Warning:	line 133, column 9 Potential leak of memory pointed to by 'newstring'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name cmos_lowlevel.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/coreboot/node-root/workspace/coreboot_scanbuild -resource-dir /opt/xgcc/lib/clang/17 -I /home/coreboot/node-root/workspace/coreboot_scanbuild/util/nvramtool -internal-isystem /opt/xgcc/lib/clang/17/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/13/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -source-date-epoch 1714465709 -fdebug-compilation-dir=/home/coreboot/node-root/workspace/coreboot_scanbuild -ferror-limit 19 -fgnuc-version=4.2.1 -analyzer-opt-analyze-headers -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /cb-build/coreboot_scanbuild.0/sharedutils-scanbuildtmp/2024-05-02-073004-2299942-1 -x c /home/coreboot/node-root/workspace/coreboot_scanbuild/util/nvramtool/cmos_lowlevel.c

1/* SPDX-License-Identifier: GPL-2.0-only */

3#if defined(__FreeBSD__)
4#include <fcntl.h>
5#include <unistd.h>
6#endif

8#include "common.h"
9#include "cmos_lowlevel.h"

11/* Hardware Abstraction Layer: lowlevel byte-wise write access */

13extern cmos_access_t cmos_hal, memory_hal;
14static cmos_access_t *current_access =
15#ifdef CMOS_HAL
&cmos_hal;
17#else
&memory_hal;
19#endif

21void select_hal(hal_t hal, void *data)
22{
switch(hal) {
24#ifdef CMOS_HAL
case HAL_CMOS:
current_access = &cmos_hal;
break;
28#endif
case HAL_MEMORY:
default:
current_access = &memory_hal;
break;
}
current_access->init(data);
35}

37/* Bit-level access */
38typedef struct {
unsigned byte_index;
unsigned bit_offset;
41} cmos_bit_op_location_t;

43static unsigned cmos_bit_op_strategy(unsigned bit, unsigned bits_left,
		     cmos_bit_op_location_t * where);
45static unsigned char cmos_read_bits(const cmos_bit_op_location_t * where,
		    unsigned nr_bits);
47static void cmos_write_bits(const cmos_bit_op_location_t * where,
	    unsigned nr_bits, unsigned char value);
49static unsigned char get_bits(unsigned long long value, unsigned bit,
	      unsigned nr_bits);
51static void put_bits(unsigned char value, unsigned bit, unsigned nr_bits,
     unsigned long long *result);

54/****************************************************************************
* get_bits
*
* Extract a value 'nr_bits' bits wide starting at bit position 'bit' from
* 'value' and return the result.  It is assumed that 'nr_bits' is at most 8.
****************************************************************************/
60static inline unsigned char get_bits(unsigned long long value, unsigned bit,
		     unsigned nr_bits)
62{
return (value >> bit) & ((unsigned char)((1 << nr_bits) - 1));
64}

66/****************************************************************************
* put_bits
*
* Extract the low order 'nr_bits' bits from 'value' and store them in the
* value pointed to by 'result' starting at bit position 'bit'.  The bit
* positions in 'result' where the result is stored are assumed to be
* initially zero.
****************************************************************************/
74static inline void put_bits(unsigned char value, unsigned bit,
	    unsigned nr_bits, unsigned long long *result)
76{
*result += ((unsigned long long)(value &
		((unsigned char)((1 << nr_bits) - 1)))) << bit;
79}

81/****************************************************************************
* cmos_read
*
* Read value from nonvolatile RAM at position given by 'bit' and 'length'
* and return this value.  The I/O privilege level of the currently executing
* process must be set appropriately.
*
* Returned value is either (unsigned long long), or malloc()'d (char *)
* cast to (unsigned long long)
****************************************************************************/
91unsigned long long cmos_read(const cmos_entry_t * e)
92{
cmos_bit_op_location_t where;
unsigned bit = e->bit, length = e->length;
unsigned next_bit, bits_left, nr_bits;
unsigned long long result = 0;
unsigned char value;

assert(!verify_cmos_op(bit, length, e->config))((void) sizeof ((!verify_cmos_op(bit, length, e->config)) ?
: 0), __extension__ ({ if (!verify_cmos_op(bit, length, e->
config)) ; else __assert_fail ("!verify_cmos_op(bit, length, e->config)"
, "/home/coreboot/node-root/workspace/coreboot_scanbuild/util/nvramtool/cmos_lowlevel.c"
, 99, __extension__ __PRETTY_FUNCTION__); }));
1
Taking true branch→

if (e->config1.1
Field 'config' is equal to CMOS_ENTRY_STRING
 == CMOS_ENTRY_STRING) {
2
←
Taking true branch→
int strsz = (length + 7) / 8 + 1;
char *newstring = malloc(strsz);
3
←
Memory is allocated→
unsigned usize = (8 * sizeof(unsigned long long));

if (!newstring) {
4
←
Assuming 'newstring' is non-null→
5
←
Taking false branch→
	out_of_memory();
}

memset(newstring, 0, strsz);

for (next_bit = 0, bits_left = length;
6
←
Loop condition is false. Execution continues on line 133→
     bits_left; next_bit += nr_bits, bits_left -= nr_bits) {
	nr_bits = cmos_bit_op_strategy(bit + next_bit,
		   bits_left > usize ? usize : bits_left, &where);
	value = cmos_read_bits(&where, nr_bits);
	put_bits(value, next_bit % usize, nr_bits,
		 &((unsigned long long *)newstring)[next_bit /
						    usize]);
	result = (unsigned long)newstring;
}
} else {
for (next_bit = 0, bits_left = length;
     bits_left; next_bit += nr_bits, bits_left -= nr_bits) {
	nr_bits =
	    cmos_bit_op_strategy(bit + next_bit, bits_left,
				 &where);
	value = cmos_read_bits(&where, nr_bits);
	put_bits(value, next_bit, nr_bits, &result);
}
}

return result;
7
←
Potential leak of memory pointed to by 'newstring'
134}

136/****************************************************************************
* cmos_write
*
* Write 'data' to nonvolatile RAM at position given by 'bit' and 'length'.
* The I/O privilege level of the currently executing process must be set
* appropriately.
****************************************************************************/
143void cmos_write(const cmos_entry_t * e, unsigned long long value)
144{
cmos_bit_op_location_t where;
unsigned bit = e->bit, length = e->length;
unsigned next_bit, bits_left, nr_bits;

assert(!verify_cmos_op(bit, length, e->config))((void) sizeof ((!verify_cmos_op(bit, length, e->config)) ?
: 0), __extension__ ({ if (!verify_cmos_op(bit, length, e->
config)) ; else __assert_fail ("!verify_cmos_op(bit, length, e->config)"
, "/home/coreboot/node-root/workspace/coreboot_scanbuild/util/nvramtool/cmos_lowlevel.c"
, 149, __extension__ __PRETTY_FUNCTION__); }));

if (e->config == CMOS_ENTRY_STRING) {
unsigned long long *data =
    (unsigned long long *)(unsigned long)value;
unsigned usize = (8 * sizeof(unsigned long long));

for (next_bit = 0, bits_left = length;
     bits_left; next_bit += nr_bits, bits_left -= nr_bits) {
	nr_bits = cmos_bit_op_strategy(bit + next_bit,
			bits_left > usize ? usize : bits_left,
			&where);
	value = data[next_bit / usize];
	cmos_write_bits(&where, nr_bits,
		get_bits(value, next_bit % usize, nr_bits));
}
} else {
for (next_bit = 0, bits_left = length;
     bits_left; next_bit += nr_bits, bits_left -= nr_bits) {
	nr_bits = cmos_bit_op_strategy(bit + next_bit,
			bits_left, &where);
	cmos_write_bits(&where, nr_bits,
			get_bits(value, next_bit, nr_bits));
}
}
174}

176/****************************************************************************
* cmos_read_byte
*
* Read a byte from nonvolatile RAM at a position given by 'index' and return
* the result.  An 'index' value of 0 represents the first byte of
* nonvolatile RAM.
*
* Note: the first 14 bytes of nonvolatile RAM provide an interface to the
*       real time clock.
****************************************************************************/
186unsigned char cmos_read_byte(unsigned index)
187{
return current_access->read(index);
189}

191/****************************************************************************
* cmos_write_byte
*
* Write 'value' to nonvolatile RAM at a position given by 'index'.  An
* 'index' of 0 represents the first byte of nonvolatile RAM.
*
* Note: the first 14 bytes of nonvolatile RAM provide an interface to the
*       real time clock.  Writing to any of these bytes will therefore
*       affect its functioning.
****************************************************************************/
201void cmos_write_byte(unsigned index, unsigned char value)
202{
current_access->write(index, value);
204}

206/****************************************************************************
* cmos_read_all
*
* Read all contents of CMOS memory into array 'data'.  The first 14 bytes of
* 'data' are set to zero since this corresponds to the real time clock area.
****************************************************************************/
212void cmos_read_all(unsigned char data[])
213{
unsigned i;

for (i = 0; i < CMOS_RTC_AREA_SIZE14; i++)
data[i] = 0;

for (; i < CMOS_SIZE256; i++)
data[i] = cmos_read_byte(i);
221}

223/****************************************************************************
* cmos_write_all
*
* Update all of CMOS memory with the contents of array 'data'.  The first 14
* bytes of 'data' are ignored since this corresponds to the real time clock
* area.
****************************************************************************/
230void cmos_write_all(unsigned char data[])
231{
unsigned i;

for (i = CMOS_RTC_AREA_SIZE14; i < CMOS_SIZE256; i++)
cmos_write_byte(i, data[i]);
236}

238/****************************************************************************
* set_iopl
*
* Set the I/O privilege level of the executing process.  Root privileges are
* required for performing this action.  A sufficient I/O privilege level
* allows the process to access x86 I/O address space and to disable/reenable
* interrupts while executing in user space.  Messing with the I/O privilege
* level is therefore somewhat dangerous.
****************************************************************************/
247void set_iopl(int level)
248{
current_access->set_iopl(level);
250}

252/****************************************************************************
* verify_cmos_op
*
* 'bit' represents a bit position in the nonvolatile RAM.  The first bit
* (i.e. the lowest order bit of the first byte) of nonvolatile RAM is
* labeled as bit 0.  'length' represents the width in bits of a value we
* wish to read or write.  Perform sanity checking on 'bit' and 'length'.  If
* no problems were encountered, return OK.  Else return an error code.
****************************************************************************/
261int verify_cmos_op(unsigned bit, unsigned length, cmos_entry_config_t config)
262{
if ((bit >= (8 * CMOS_SIZE256)) || ((bit + length) > (8 * CMOS_SIZE256)))
return CMOS_AREA_OUT_OF_RANGE(0x30000 + 0);

if (bit < (8 * CMOS_RTC_AREA_SIZE14))
return CMOS_AREA_OVERLAPS_RTC(0x30000 + 1);

if (config == CMOS_ENTRY_STRING)
return OK0;

if (length > (8 * sizeof(unsigned long long)))
return CMOS_AREA_TOO_WIDE(0x30000 + 2);

return OK0;
276}

278/****************************************************************************
* cmos_bit_op_strategy
*
* Helper function used by cmos_read() and cmos_write() to determine which
* bits to read or write next.
****************************************************************************/
284static unsigned cmos_bit_op_strategy(unsigned bit, unsigned bits_left,
		     cmos_bit_op_location_t * where)
286{
unsigned max_bits;

where->byte_index = bit >> 3;
where->bit_offset = bit & 0x07;
max_bits = 8 - where->bit_offset;
return (bits_left > max_bits) ? max_bits : bits_left;
293}

295/****************************************************************************
* cmos_read_bits
*
* Read a chunk of bits from a byte location within CMOS memory.  Return the
* value represented by the chunk of bits.
****************************************************************************/
301static unsigned char cmos_read_bits(const cmos_bit_op_location_t * where,
		    unsigned nr_bits)
303{
return (cmos_read_byte(where->byte_index) >> where->bit_offset) &
   ((unsigned char)((1 << nr_bits) - 1));
306}

308/****************************************************************************
* cmos_write_bits
*
* Write a chunk of bits (the low order 'nr_bits' bits of 'value') to an area
* within a particular byte of CMOS memory.
****************************************************************************/
314static void cmos_write_bits(const cmos_bit_op_location_t * where,
	    unsigned nr_bits, unsigned char value)
316{
unsigned char n, mask;

if (nr_bits == 8) {
cmos_write_byte(where->byte_index, value);
return;
}

n = cmos_read_byte(where->byte_index);
mask = ((unsigned char)((1 << nr_bits) - 1)) << where->bit_offset;
n = (n & ~mask) + ((value << where->bit_offset) & mask);
cmos_write_byte(where->byte_index, n);
328}