[Coverity CID :205617]Memory - corruptions in /drivers/kscan/kscan_mchp_xec.c #20494

Closed
aasthagr opened this issue Nov 8, 2019 · 3 comments · Fixed by #21108
Labels: area: Drivers, bug, Coverity, priority: medium


aasthagr commented Nov 8, 2019

Static code scan issues seen in File: /drivers/kscan/kscan_mchp_xec.c
Category: Memory - corruptions
Function: check_key_events
Component: Drivers
CID: 205617
Please fix or provide comments to square it off in coverity in the link: https://scan9.coverity.com/reports.htm#v32951/p12996

aasthagr added the area: Drivers, bug, and Coverity labels Nov 8, 2019
@aescolar

0d85074

```c
static bool check_key_events(void *dev)
{
        u8_t matrix_new_state[MAX_MATRIX_KEY_COLS] = {0U};
        bool key_pressed = false;
        u32_t cycles_now  = k_cycle_get_32();

        /* Coverity:
         * 1. Condition ++kbd_data.scan_cycles_idx > 30U, taking false branch.
         * 2. cond_at_most: Checking ++kbd_data.scan_cycles_idx > 30U implies
         *    that kbd_data.scan_cycles_idx may be up to 30 on the false branch.
         */
        if (++kbd_data.scan_cycles_idx > SCAN_OCURRENCES)
                kbd_data.scan_cycles_idx = 0U;

        /* Coverity: CID 205617 (#1 of 1): Out-of-bounds write (OVERRUN)
         * 3. overrun-local: Overrunning array kbd_data.scan_clk_cycle of
         *    30 bytes at byte offset 30 using index kbd_data.scan_cycles_idx
         *    (which evaluates to 30).
         */
        kbd_data.scan_clk_cycle[kbd_data.scan_cycles_idx] = cycles_now;

        /* Scan the matrix */
        key_pressed = read_keyboard_matrix(matrix_new_state);

        /* Abort if ghosting is detected */
        if (is_matrix_ghosting(matrix_new_state)) {
                return false;
        }
```

galak added the priority: medium label Nov 11, 2019

nashif commented Nov 27, 2019

@franciscomunoz can you please address this one?


dleach02 commented Dec 2, 2019

```c
if (++kbd_data.scan_cycles_idx > SCAN_OCURRENCES)
        kbd_data.scan_cycles_idx = 0U;
```

this should be >=

nashif added a commit to nashif/zephyr that referenced this issue Dec 2, 2019
Fixes memory corruption (Out-of-bounds write) case discovered by
Coverity.

Fixes zephyrproject-rtos#20494
Coverity CID: 205617

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
dleach02 pushed a commit that referenced this issue Dec 2, 2019
Fixes memory corruption (Out-of-bounds write) case discovered by
Coverity.

Fixes #20494
Coverity CID: 205617

Signed-off-by: Anas Nashif <anas.nashif@intel.com>
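
The off-by-one discussed in this thread, as an added example that is not part of the issue or of the Zephyr driver: the flagged `>` check and the suggested `>=` check side by side, with a counter showing how often each would write past a 30-element array. The struct `kbd_state`, the helper names and the `uint8_t` element type are assumptions made for illustration; out-of-range writes are counted rather than performed.

```c
#include <stdint.h>
#include <stdio.h>
#define SCAN_OCURRENCES 30U /* name and value as in the driver excerpt */

/* Hypothetical stand-in for the driver's kbd_data (assumed layout). */
struct kbd_state {
	uint8_t scan_clk_cycle[SCAN_OCURRENCES];
	uint8_t scan_cycles_idx;
};

/* Check as flagged by Coverity: 30 passes "> 30U", so index 30 survives. */
static uint8_t advance_flagged(uint8_t idx)
{
	if (++idx > SCAN_OCURRENCES)
		idx = 0U;
	return idx;
}

/* Check with ">=" as suggested in the thread: index stays in 0..29. */
static uint8_t advance_suggested(uint8_t idx)
{
	if (++idx >= SCAN_OCURRENCES)
		idx = 0U;
	return idx;
}

/* Run `scans` iterations and count writes that would fall outside
 * scan_clk_cycle. Out-of-range writes are counted, never performed. */
static unsigned int count_oob_writes(uint8_t (*advance)(uint8_t), unsigned int scans)
{
	struct kbd_state st = { .scan_cycles_idx = 0U };
	unsigned int oob = 0U;
	for (unsigned int i = 0U; i < scans; i++) {
		st.scan_cycles_idx = advance(st.scan_cycles_idx);
		if (st.scan_cycles_idx >= SCAN_OCURRENCES) {
			oob++;
			continue;
		}
		st.scan_clk_cycle[st.scan_cycles_idx] = (uint8_t)i;
	}
	return oob;
}

int main(void)
{
	printf("out-of-range writes in 93 scans: flagged=%u suggested=%u\n",
	       count_oob_writes(advance_flagged, 93U), count_oob_writes(advance_suggested, 93U));
	return 0;
}
```

With the `>` check the index cycles through 31 values (0 to 30), so one write in every 31 scans lands one element past the array; with `>=` it cycles through exactly the 30 valid slots.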