The following issues were found

Kernel/kprintf.cpp
3 issues
sprintf - Potential format string problem
Security

Line: 107 Column: 16 CWE codes: 134
Suggestion: Make format string constant

              
// Declare it, so that the symbol is exported, because libstdc++ uses it.
// However, *only* libstdc++ uses it, and none of the rest of the Kernel.
extern "C" int sprintf(char* buffer, const char* fmt, ...);

int sprintf(char* buffer, const char* fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);

            

Reported by FlawFinder.

sprintf - Potential format string problem
Security

Line: 109 Column: 5 CWE codes: 134
Suggestion: Make format string constant

// However, *only* libstdc++ uses it, and none of the rest of the Kernel.
extern "C" int sprintf(char* buffer, const char* fmt, ...);

int sprintf(char* buffer, const char* fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ret = printf_internal(buffer_putch, buffer, fmt, ap);
    buffer[ret] = '\0';

            

Reported by FlawFinder.

snprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate
Security

Line: 128 Column: 5 CWE codes: 134
Suggestion: Use a constant for the format specification

    }
}

int snprintf(char* buffer, size_t size, const char* fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    if (size) {
        __vsnprintf_space_remaining = size - 1;

            

Reported by FlawFinder.

Kernel/init.cpp
3 issues
Comparing pointers that point to different objects
Error

Line: 178 CWE codes: 570

    s_bsp_processor.early_initialize(0);

    // Invoke the constructors needed for the kernel heap
    for (ctor_func_t* ctor = start_heap_ctors; ctor < end_heap_ctors; ctor++)
        (*ctor)();
    kmalloc_init();
    slab_alloc_init();

    load_kernel_symbol_table();

            

Reported by Cppcheck.

Comparing pointers that point to different objects
Error

Line: 197 CWE codes: 570

              
    // Invoke all static global constructors in the kernel.
    // Note that we want to do this as early as possible.
    for (ctor_func_t* ctor = start_ctors; ctor < end_ctors; ctor++)
        (*ctor)();

    APIC::initialize();
    InterruptManagement::initialize();
    ACPI::initialize();

            

Reported by Cppcheck.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 173 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    // We need to copy the command line before kmalloc is initialized,
    // as it may overwrite parts of multiboot!
    CommandLine::early_initialize(kernel_cmdline);
    memcpy(multiboot_copy_boot_modules_array, multiboot_modules, multiboot_modules_count * sizeof(multiboot_module_entry_t));
    multiboot_copy_boot_modules_count = multiboot_modules_count;
    s_bsp_processor.early_initialize(0);

    // Invoke the constructors needed for the kernel heap
    for (ctor_func_t* ctor = start_heap_ctors; ctor < end_heap_ctors; ctor++)

            

Reported by FlawFinder.

Kernel/UserOrKernelBuffer.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 60 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    if (Memory::is_user_address(VirtualAddress(m_buffer)))
        return copy_to_user(m_buffer + offset, src, len);

    memcpy(m_buffer + offset, src, len);
    return true;
}

bool UserOrKernelBuffer::read(void* dest, size_t offset, size_t len) const
{

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 72 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    if (Memory::is_user_address(VirtualAddress(m_buffer)))
        return copy_from_user(dest, m_buffer + offset, len);

    memcpy(dest, m_buffer + offset, len);
    return true;
}

bool UserOrKernelBuffer::memset(int value, size_t offset, size_t len)
{

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 64 Column: 26 CWE codes: 120 20

    return true;
}

bool UserOrKernelBuffer::read(void* dest, size_t offset, size_t len) const
{
    if (!m_buffer)
        return false;

    if (Memory::is_user_address(VirtualAddress(m_buffer)))

            

Reported by FlawFinder.

Kernel/FileSystem/InodeFile.h
3 issues
chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 42 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

    virtual String absolute_path(const FileDescription&) const override;

    virtual KResult truncate(u64) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

    virtual StringView class_name() const override { return "InodeFile"; }

    virtual bool is_seekable() const override { return true; }

            

Reported by FlawFinder.

chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 43 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

              
    virtual KResult truncate(u64) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

    virtual StringView class_name() const override { return "InodeFile"; }

    virtual bool is_seekable() const override { return true; }
    virtual bool is_inode() const override { return true; }

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 33 Column: 31 CWE codes: 120 20

    virtual bool can_read(const FileDescription&, size_t) const override { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }

    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override;
    virtual KResult ioctl(FileDescription&, unsigned request, Userspace<void*> arg) override;
    virtual KResultOr<Memory::Region*> mmap(Process&, FileDescription&, Memory::VirtualRange const&, u64 offset, int prot, bool shared) override;
    virtual KResult stat(::stat& buffer) const override { return inode().metadata().stat(buffer); }


            

Reported by FlawFinder.

Userland/Libraries/LibCore/File.h
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 22 Column: 49 CWE codes: 362

public:
    virtual ~File() override;

    static Result<NonnullRefPtr<File>, OSError> open(String filename, OpenMode, mode_t = 0644);

    String filename() const { return m_filename; }
    void set_filename(const String filename) { m_filename = move(filename); }

    bool is_directory() const;

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 80 Column: 18 CWE codes: 362

    };
    static Result<void, RemoveError> remove(String const& path, RecursionMode, bool force);

    virtual bool open(OpenMode) override;

    enum class ShouldCloseFileDescriptor {
        No = 0,
        Yes
    };

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 86 Column: 10 CWE codes: 362

        No = 0,
        Yes
    };
    bool open(int fd, OpenMode, ShouldCloseFileDescriptor);
    [[nodiscard]] int leak_fd();

    static NonnullRefPtr<File> standard_input();
    static NonnullRefPtr<File> standard_output();
    static NonnullRefPtr<File> standard_error();

            

Reported by FlawFinder.

Kernel/Time/RTC.cpp
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 27 Column: 29 CWE codes: 120 20

    InterruptDisabler disabler;
    NonMaskableInterruptDisabler nmi_disabler;
    enable_irq();
    CMOS::write(0x8B, CMOS::read(0xB) | 0x40);
    reset_to_default_ticks_per_second();
}
bool RealTimeClock::handle_irq(const RegisterState& regs)
{
    auto result = HardwareTimer::handle_irq(regs);

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 33 Column: 11 CWE codes: 120 20

bool RealTimeClock::handle_irq(const RegisterState& regs)
{
    auto result = HardwareTimer::handle_irq(regs);
    CMOS::read(0x8C);
    return result;
}

size_t RealTimeClock::ticks_per_second() const
{

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 64 Column: 30 CWE codes: 120 20

    if (!is_capable_of_frequency(frequency))
        return false;
    disable_irq();
    u8 previous_rate = CMOS::read(0x8A);
    u8 rate = quick_log2(32768 / frequency) + 1;
    dbgln("RTC: Set rate to {}", rate);
    CMOS::write(0x8A, (previous_rate & 0xF0) | rate);
    m_frequency = frequency;
    dbgln("RTC: Set frequency to {} Hz", frequency);

            

Reported by FlawFinder.

Userland/Applications/Help/main.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 181 Column: 72 CWE codes: 362

        open_page(path);
    };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 182 Column: 53 CWE codes: 362

    };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 186 Column: 33 CWE codes: 362

    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,
                String::formatted("The link to '{}' could not be opened.", url),
                "Failed to open link",
                GUI::MessageBox::Type::Error);
        }

            

Reported by FlawFinder.

Kernel/CommandLine.cpp
3 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 15 Column: 8 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
namespace Kernel {

static char s_cmd_line[1024];
static constexpr StringView s_embedded_cmd_line = "";
static CommandLine* s_the;

UNMAP_AFTER_INIT void CommandLine::early_initialize(const char* cmd_line)
{

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 26 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    size_t length = strlen(cmd_line);
    if (length >= sizeof(s_cmd_line))
        length = sizeof(s_cmd_line) - 1;
    memcpy(s_cmd_line, cmd_line, length);
    s_cmd_line[length] = '\0';
}

const CommandLine& kernel_command_line()
{

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 23 Column: 21 CWE codes: 126

{
    if (!cmd_line)
        return;
    size_t length = strlen(cmd_line);
    if (length >= sizeof(s_cmd_line))
        length = sizeof(s_cmd_line) - 1;
    memcpy(s_cmd_line, cmd_line, length);
    s_cmd_line[length] = '\0';
}

            

Reported by FlawFinder.

Userland/Applications/HexEditor/HexEditor.h
3 issues
There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 21

#include <LibGfx/TextAlignment.h>

class HexEditor : public GUI::AbstractScrollableWidget {
    C_OBJECT(HexEditor)
public:
    enum EditMode {
        Hex,
        Text
    };

            

Reported by Cppcheck.

There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 21

#include <LibGfx/TextAlignment.h>

class HexEditor : public GUI::AbstractScrollableWidget {
    C_OBJECT(HexEditor)
public:
    enum EditMode {
        Hex,
        Text
    };

            

Reported by Cppcheck.

There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 21

#include <LibGfx/TextAlignment.h>

class HexEditor : public GUI::AbstractScrollableWidget {
    C_OBJECT(HexEditor)
public:
    enum EditMode {
        Hex,
        Text
    };

            

Reported by Cppcheck.

Userland/Libraries/LibCore/ConfigFile.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 37 Column: 39 CWE codes: 362

    return adopt_ref(*new ConfigFile(path));
}

NonnullRefPtr<ConfigFile> ConfigFile::open(const String& path)
{
    return adopt_ref(*new ConfigFile(path));
}

ConfigFile::ConfigFile(const String& filename)

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 58 Column: 16 CWE codes: 362

    m_groups.clear();

    auto file = File::construct(m_filename);
    if (!file->open(OpenMode::ReadOnly))
        return;

    HashMap<String, String>* current_group = nullptr;

    while (file->can_read_line()) {

            

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 152 Column: 16 CWE codes: 362

    if (!m_dirty)
        return true;

    FILE* fp = fopen(m_filename.characters(), "wb");
    if (!fp)
        return false;

    for (auto& it : m_groups) {
        outln(fp, "[{}]", it.key);

            

Reported by FlawFinder.