The following issues were found
Userland/Libraries/LibLine/InternalFunctions.cpp
5 issues
Line: 564
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
if (pid == 0) {
execvp(editor_command, const_cast<char* const*>(args.data()));
perror("execv");
_exit(126);
} else {
int wstatus = 0;
do {
Reported by FlawFinder.
Line: 518
Column: 34
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
void Editor::edit_in_external_editor()
{
const auto* editor_command = getenv("EDITOR");
if (!editor_command)
editor_command = m_configuration.m_default_text_editor.characters();
char file_path[] = "/tmp/line-XXXXXX";
auto fd = mkstemp(file_path);
Reported by FlawFinder.
Line: 523
Column: 15
CWE codes:
377
editor_command = m_configuration.m_default_text_editor.characters();
char file_path[] = "/tmp/line-XXXXXX";
auto fd = mkstemp(file_path);
if (fd < 0) {
perror("mktemp");
return;
}
Reported by FlawFinder.
Line: 556
Column: 16
CWE codes:
362
Suggestion:
Use fork() instead
};
Vector<const char*> args { editor_command, file_path, nullptr };
auto pid = vfork();
if (pid == -1) {
perror("vfork");
return;
}
Reported by FlawFinder.
Line: 578
Column: 42
CWE codes:
362
}
{
auto file_or_error = Core::File::open(file_path, Core::OpenMode::ReadOnly);
if (file_or_error.is_error())
return;
auto file = file_or_error.release_value();
auto contents = file->read_all();
Reported by FlawFinder.
Userland/Libraries/LibPDF/Parser.cpp
5 issues
Line: 94
Column: 31
CWE codes:
120
20
return false;
m_reader.move_by(5);
char major_ver = m_reader.read();
if (major_ver != '1' && major_ver != '2')
return false;
if (m_reader.read() != '.')
return false;
Reported by FlawFinder.
Line: 97
Column: 18
CWE codes:
120
20
char major_ver = m_reader.read();
if (major_ver != '1' && major_ver != '2')
return false;
if (m_reader.read() != '.')
return false;
char minor_ver = m_reader.read();
if (minor_ver < '0' || minor_ver > '7')
return false;
Reported by FlawFinder.
Line: 100
Column: 31
CWE codes:
120
20
if (m_reader.read() != '.')
return false;
char minor_ver = m_reader.read();
if (minor_ver < '0' || minor_ver > '7')
return false;
consume_eol();
// Parse optional high-byte comment, which signifies a binary file
Reported by FlawFinder.
Line: 347
Column: 36
CWE codes:
120
20
if (!consume(' '))
return {};
auto letter = m_reader.read();
if (letter != 'n' && letter != 'f')
return {};
// The line ending sequence can be one of the following:
// SP CR, SP LF, or CR LF
Reported by FlawFinder.
AK/Buffered.h
5 issues
Line: 52
Column: 12
CWE codes:
120
20
void set_recoverable_error() const override { return m_stream.set_recoverable_error(); }
void set_fatal_error() const override { return m_stream.set_fatal_error(); }
size_t read(Bytes bytes) override
{
if (has_any_error())
return 0;
auto nread = buffer().trim(m_buffered).copy_trimmed_to(bytes);
Reported by FlawFinder.
Line: 63
Column: 35
CWE codes:
120
20
buffer().slice(nread, m_buffered).copy_to(buffer());
if (nread < bytes.size()) {
m_buffered = m_stream.read(buffer());
if (m_buffered == 0)
return nread;
nread += read(bytes.slice(nread));
Reported by FlawFinder.
Tests/Kernel/TestKernelFilePermissions.cpp
5 issues
Line: 21
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_contents)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
char buffer[8] {};
Reported by FlawFinder.
Line: 26
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
char buffer[8] {};
write(fd, buffer, sizeof(buffer));
struct stat s;
EXPECT(fstat(fd, &s) != -1);
close(fd);
Reported by FlawFinder.
Line: 41
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_ownership)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
fchown(fd, getuid(), getgid());
Reported by FlawFinder.
Line: 60
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_permissions)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
fchmod(fd, 0755);
Reported by FlawFinder.
Line: 79
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_location)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
auto suid_path = Core::File::read_link(String::formatted("/proc/{}/fd/{}", getpid(), fd));
Reported by FlawFinder.
Userland/Libraries/LibAudio/FlacLoader.cpp
5 issues
Line: 26
Column: 18
CWE codes:
362
FlacLoaderPlugin::FlacLoaderPlugin(const StringView& path)
: m_file(Core::File::construct(path))
{
if (!m_file->open(Core::OpenMode::ReadOnly)) {
m_error_string = String::formatted("Can't open file: {}", m_file->error_string());
return;
}
m_stream = make<FlacInputStream>(Core::InputFileStream(*m_file));
Reported by FlawFinder.
Line: 142
Column: 43
CWE codes:
120
20
CHECK_OK("Number of samples");
// Parse checksum into a buffer first
ByteBuffer md5_checksum = ByteBuffer::create_uninitialized(128 / 8);
auto md5_bytes_read = streaminfo_data.read(md5_checksum);
ok = ok && (md5_bytes_read == md5_checksum.size());
CHECK_OK("MD5 Checksum");
md5_checksum.bytes().copy_to({ m_md5_checksum, sizeof(m_md5_checksum) });
// Parse other blocks
Reported by FlawFinder.
Line: 204
Column: 15
CWE codes:
120
20
CHECK_IO_ERROR();
ByteBuffer block_data = ByteBuffer::create_uninitialized(block_length);
// Reads exactly the bytes necessary into the Bytes container
bit_input.read(block_data);
m_data_start_location += block_length;
CHECK_IO_ERROR();
return FlacRawMetadataBlock {
is_last_block,
type,
Reported by FlawFinder.
Line: 811
Column: 11
CWE codes:
120
20
{
u64 character;
ByteBuffer single_byte_buffer = ByteBuffer::create_uninitialized(1);
input.read(single_byte_buffer);
u8 start_byte = single_byte_buffer[0];
// Signal byte is zero: ASCII character
if ((start_byte & 0b10000000) == 0) {
return start_byte;
} else if ((start_byte & 0b11000000) == 0b10000000) {
Reported by FlawFinder.
Line: 828
Column: 15
CWE codes:
120
20
u8 start_byte_bitmask = AK::exp2(bits_from_start_byte) - 1;
character = start_byte_bitmask & start_byte;
for (u8 i = length - 1; i > 0; --i) {
input.read(single_byte_buffer);
u8 current_byte = single_byte_buffer[0];
character = (character << 6) | (current_byte & 0b00111111);
}
return character;
}
Reported by FlawFinder.
Kernel/ACPI/MultiProcessorParser.h
5 issues
Line: 18
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
namespace MultiProcessor {
struct [[gnu::packed]] FloatingPointer {
char sig[4];
u32 physical_address_ptr;
u8 length;
u8 specification_revision;
u8 checksum;
u8 feature_info[5];
Reported by FlawFinder.
Line: 31
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct [[gnu::packed]] ConfigurationTableHeader {
char sig[4];
u16 length;
u8 specification_revision;
u8 checksum;
char oem_id[8];
char product_id[12];
Reported by FlawFinder.
Line: 35
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 length;
u8 specification_revision;
u8 checksum;
char oem_id[8];
char product_id[12];
u32 oem_table_ptr;
u16 oem_table_size;
u16 entry_count;
u32 local_apic_address;
Reported by FlawFinder.
Line: 36
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 specification_revision;
u8 checksum;
char oem_id[8];
char product_id[12];
u32 oem_table_ptr;
u16 oem_table_size;
u16 entry_count;
u32 local_apic_address;
u16 ext_table_length;
Reported by FlawFinder.
Line: 76
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct [[gnu::packed]] BusEntry {
EntryHeader h;
u8 bus_id;
char bus_type[6];
};
struct [[gnu::packed]] IOAPICEntry {
EntryHeader h;
u8 ioapic_id;
Reported by FlawFinder.
AK/PrintfImplementation.h
5 issues
Line: 85
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 divisor = 1000000000;
char ch;
char padding = 1;
char buf[16];
char* p = buf;
for (;;) {
ch = '0' + (number / divisor);
number %= divisor;
Reported by FlawFinder.
Line: 126
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 divisor = 10000000000000000000LLU;
char ch;
char padding = 1;
char buf[16];
char* p = buf;
for (;;) {
ch = '0' + (number / divisor);
number %= divisor;
Reported by FlawFinder.
Line: 200
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 divisor = 134217728;
char ch;
char padding = 1;
char buf[32];
char* p = buf;
for (;;) {
ch = '0' + (number / divisor);
number %= divisor;
Reported by FlawFinder.
Line: 15
Column: 19
CWE codes:
126
#include <stdarg.h>
#ifdef __serenity__
extern "C" size_t strlen(const char*);
#else
# include <string.h>
#endif
namespace PrintfImplementation {
Reported by FlawFinder.
Line: 302
Column: 52
CWE codes:
126
const char* sp = NextArgument<const char*>()(ap);
if (!sp)
sp = "(null)";
return print_string(m_putch, m_bufptr, sp, strlen(sp), state.left_pad, state.field_width, state.dot, state.fraction_length, state.has_fraction_length);
}
ALWAYS_INLINE int format_d(const ModifierState& state, ArgumentListRefT ap) const
{
if (state.long_qualifiers >= 2)
return print_i64(m_putch, m_bufptr, NextArgument<i64>()(ap), state.left_pad, state.zero_pad, state.field_width);
Reported by FlawFinder.
Kernel/Memory/MemoryManager.h
5 issues
Line: 183
Column: 94
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
NonnullRefPtrVector<PhysicalPage> allocate_contiguous_supervisor_physical_pages(size_t size);
void deallocate_physical_page(PhysicalAddress);
OwnPtr<Region> allocate_contiguous_kernel_region(size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(size_t, StringView name, Region::Access access, AllocationStrategy strategy = AllocationStrategy::Reserve, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(PhysicalAddress, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VMObject&, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VirtualRange const&, VMObject&, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
Reported by FlawFinder.
Line: 184
Column: 83
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void deallocate_physical_page(PhysicalAddress);
OwnPtr<Region> allocate_contiguous_kernel_region(size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(size_t, StringView name, Region::Access access, AllocationStrategy strategy = AllocationStrategy::Reserve, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(PhysicalAddress, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VMObject&, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VirtualRange const&, VMObject&, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
struct SystemMemoryInfo {
Reported by FlawFinder.
Line: 185
Column: 100
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
OwnPtr<Region> allocate_contiguous_kernel_region(size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(size_t, StringView name, Region::Access access, AllocationStrategy strategy = AllocationStrategy::Reserve, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(PhysicalAddress, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VMObject&, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VirtualRange const&, VMObject&, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
struct SystemMemoryInfo {
PhysicalSize user_physical_pages { 0 };
Reported by FlawFinder.
Line: 186
Column: 108
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
OwnPtr<Region> allocate_contiguous_kernel_region(size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(size_t, StringView name, Region::Access access, AllocationStrategy strategy = AllocationStrategy::Reserve, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(PhysicalAddress, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VMObject&, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VirtualRange const&, VMObject&, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
struct SystemMemoryInfo {
PhysicalSize user_physical_pages { 0 };
PhysicalSize user_physical_pages_used { 0 };
Reported by FlawFinder.
Line: 187
Column: 121
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
OwnPtr<Region> allocate_kernel_region(size_t, StringView name, Region::Access access, AllocationStrategy strategy = AllocationStrategy::Reserve, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region(PhysicalAddress, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VMObject&, size_t, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
OwnPtr<Region> allocate_kernel_region_with_vmobject(VirtualRange const&, VMObject&, StringView name, Region::Access access, Region::Cacheable = Region::Cacheable::Yes);
struct SystemMemoryInfo {
PhysicalSize user_physical_pages { 0 };
PhysicalSize user_physical_pages_used { 0 };
PhysicalSize user_physical_pages_committed { 0 };
Reported by FlawFinder.
Kernel/ACPI/Definitions.h
5 issues
Line: 117
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// https://uefi.org/specs/ACPI/6.4/05_ACPI_Software_Programming_Model/ACPI_Software_Programming_Model.html#root-system-description-pointer-rsdp-structure
struct [[gnu::packed]] RSDPDescriptor {
char sig[8];
u8 checksum;
char oem_id[6];
u8 revision;
u32 rsdt_ptr;
};
Reported by FlawFinder.
Line: 119
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct [[gnu::packed]] RSDPDescriptor {
char sig[8];
u8 checksum;
char oem_id[6];
u8 revision;
u32 rsdt_ptr;
};
struct [[gnu::packed]] RSDPDescriptor20 {
Reported by FlawFinder.
Line: 134
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// https://uefi.org/specs/ACPI/6.4/05_ACPI_Software_Programming_Model/ACPI_Software_Programming_Model.html#system-description-table-header
struct [[gnu::packed]] SDTHeader {
char sig[4];
u32 length;
u8 revision;
u8 checksum;
char oem_id[6];
char oem_table_id[8];
Reported by FlawFinder.
Line: 138
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 length;
u8 revision;
u8 checksum;
char oem_id[6];
char oem_table_id[8];
u32 oem_revision;
u32 creator_id;
u32 creator_revision;
};
Reported by FlawFinder.
Line: 139
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 revision;
u8 checksum;
char oem_id[6];
char oem_table_id[8];
u32 oem_revision;
u32 creator_id;
u32 creator_revision;
};
Reported by FlawFinder.
AK/kstdio.h
4 issues
Line: 17
Column: 68
CWE codes:
134
Suggestion:
Use a constant for the format specification
# include <stdarg.h>
extern "C" {
void dbgputstr(const char*, size_t);
int sprintf(char* buf, const char* fmt, ...) __attribute__((format(printf, 2, 3)));
int snprintf(char* buffer, size_t, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
}
# endif
#else
# include <stdio.h>
Reported by FlawFinder.
Line: 17
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
# include <stdarg.h>
extern "C" {
void dbgputstr(const char*, size_t);
int sprintf(char* buf, const char* fmt, ...) __attribute__((format(printf, 2, 3)));
int snprintf(char* buffer, size_t, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
}
# endif
#else
# include <stdio.h>
Reported by FlawFinder.
Line: 18
Column: 80
CWE codes:
134
Suggestion:
Use a constant for the format specification
extern "C" {
void dbgputstr(const char*, size_t);
int sprintf(char* buf, const char* fmt, ...) __attribute__((format(printf, 2, 3)));
int snprintf(char* buffer, size_t, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
}
# endif
#else
# include <stdio.h>
inline void dbgputstr(const char* characters, size_t length)
Reported by FlawFinder.
Line: 18
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
extern "C" {
void dbgputstr(const char*, size_t);
int sprintf(char* buf, const char* fmt, ...) __attribute__((format(printf, 2, 3)));
int snprintf(char* buffer, size_t, const char* fmt, ...) __attribute__((format(printf, 3, 4)));
}
# endif
#else
# include <stdio.h>
inline void dbgputstr(const char* characters, size_t length)
Reported by FlawFinder.