The following issues were found

Userland/Libraries/LibCore/DirIterator.cpp
3 issues
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 91 Column: 13 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly

              String find_executable_in_path(String filename)
{
    if (filename.starts_with('/')) {
        if (access(filename.characters(), X_OK) == 0)
            return filename;

        return {};
    }


            

Reported by FlawFinder.

access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 100 Column: 13 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly

                  for (auto directory : String { getenv("PATH") }.split(':')) {
        auto fullpath = String::formatted("{}/{}", directory, filename);

        if (access(fullpath.characters(), X_OK) == 0)
            return fullpath;
    }

    return {};
}

            

Reported by FlawFinder.

getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 97 Column: 36 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

                      return {};
    }

    for (auto directory : String { getenv("PATH") }.split(':')) {
        auto fullpath = String::formatted("{}/{}", directory, filename);

        if (access(fullpath.characters(), X_OK) == 0)
            return fullpath;
    }

            

Reported by FlawFinder.

Kernel/FileSystem/Ext2FileSystem.cpp
3 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 1733 Column: 22 CWE codes: 362
Suggestion: Use fchmod( ) instead

                  m_inode_cache.remove(index);
}

KResult Ext2FSInode::chmod(mode_t mode)
{
    MutexLocker locker(m_inode_lock);
    if (m_raw_inode.i_mode == mode)
        return KSuccess;
    m_raw_inode.i_mode = mode;

            

Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 1743 Column: 22 CWE codes: 362
Suggestion: Use fchown( ) instead

                  return KSuccess;
}

KResult Ext2FSInode::chown(uid_t uid, gid_t gid)
{
    MutexLocker locker(m_inode_lock);
    if (m_raw_inode.i_uid == uid && m_raw_inode.i_gid == gid)
        return KSuccess;
    m_raw_inode.i_uid = uid;

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 1003 Column: 23 CWE codes: 120 20

                      VERIFY(offset == 0);
        if (max((size_t)(offset + count), (size_t)m_raw_inode.i_size) < max_inline_symlink_length) {
            dbgln_if(EXT2_DEBUG, "Ext2FSInode[{}]::write_bytes(): Poking into i_block array for inline symlink '{}' ({} bytes)", identifier(), data.copy_into_string(count), count);
            if (!data.read(((u8*)m_raw_inode.i_block) + offset, (size_t)count))
                return EFAULT;
            if ((size_t)(offset + count) > (size_t)m_raw_inode.i_size)
                m_raw_inode.i_size = offset + count;
            set_metadata_dirty(true);
            return count;

            

Reported by FlawFinder.

Userland/Applications/Help/main.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 181 Column: 72 CWE codes: 362

                      open_page(path);
    };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 182 Column: 53 CWE codes: 362

                  };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 186 Column: 33 CWE codes: 362

                  };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,
                String::formatted("The link to '{}' could not be opened.", url),
                "Failed to open link",
                GUI::MessageBox::Type::Error);
        }

            

Reported by FlawFinder.

Kernel/FileSystem/DevFS.h
3 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 64 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead

                  virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override;
    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
};

class DevFSDeviceInode : public DevFSInode {

            

Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 65 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

                  virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
};

class DevFSDeviceInode : public DevFSInode {
    friend class DevFS;

            

Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 83 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead

                  virtual KResultOr<size_t> read_bytes(off_t, size_t, UserOrKernelBuffer& buffer, FileDescription*) const override;
    virtual InodeMetadata metadata() const override;
    virtual KResultOr<size_t> write_bytes(off_t, size_t, const UserOrKernelBuffer& buffer, FileDescription*) override;
    virtual KResult chown(uid_t, gid_t) override;

    NonnullRefPtr<Device> m_attached_device;
    NonnullOwnPtr<KString> m_name;

    uid_t m_uid { 0 };

            

Reported by FlawFinder.

Userland/Applications/Help/ManualSectionNode.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 41 Column: 39 CWE codes: 362

                      m_children.append(make<ManualPageNode>(*this, move(page_name)));
}

void ManualSectionNode::set_open(bool open)
{
    // Stores the section's open/closed flag (presumably tree expansion state;
    // see callers). The FlawFinder `open` hits (CWE-362) reported against this
    // function match the parameter and member names, not a file open — the
    // function performs no filesystem access.
    bool const already_in_requested_state = (open == m_open);
    if (already_in_requested_state)
        return;

    m_open = open;
}

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 43 Column: 19 CWE codes: 362

              
void ManualSectionNode::set_open(bool open)
{
    // Stores the section's open/closed flag (presumably tree expansion state;
    // see callers). The FlawFinder `open` hits (CWE-362) reported against this
    // function match the parameter and member names, not a file open — the
    // function performs no filesystem access.
    bool const already_in_requested_state = (open == m_open);
    if (already_in_requested_state)
        return;

    m_open = open;
}

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 45 Column: 14 CWE codes: 362

              {
    if (m_open == open)
        return;
    m_open = open;
}

            

Reported by FlawFinder.

Kernel/Bus/VirtIO/VirtIO.cpp
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 130 Column: 40 CWE codes: 120 20

              
u8 VirtIODevice::config_read8(const Configuration& config, u32 offset)
{
    // Reads one byte from the configuration structure described by `config`;
    // `offset` is relative to the structure's start inside its BAR.
    // FlawFinder's `read` (CWE-120) hit here is a name match on the mapping's
    // typed accessor, not read(2). Whether that accessor bounds-checks the
    // final offset against the BAR size is not visible in this file — confirm
    // in the type returned by mapping_for_bar().
    auto const absolute_offset = config.offset + offset;
    auto&& bar_mapping = mapping_for_bar(config.bar);
    return bar_mapping.read<u8>(absolute_offset);
}

u16 VirtIODevice::config_read16(const Configuration& config, u32 offset)
{
    return mapping_for_bar(config.bar).read<u16>(config.offset + offset);

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 135 Column: 40 CWE codes: 120 20

              
u16 VirtIODevice::config_read16(const Configuration& config, u32 offset)
{
    // Reads a 16-bit value from the configuration structure described by
    // `config`; `offset` is relative to the structure's start inside its BAR.
    // FlawFinder's `read` (CWE-120) hit here is a name match on the mapping's
    // typed accessor, not read(2). Whether that accessor bounds-checks the
    // final offset against the BAR size is not visible in this file — confirm
    // in the type returned by mapping_for_bar().
    auto const absolute_offset = config.offset + offset;
    auto&& bar_mapping = mapping_for_bar(config.bar);
    return bar_mapping.read<u16>(absolute_offset);
}

u32 VirtIODevice::config_read32(const Configuration& config, u32 offset)
{
    return mapping_for_bar(config.bar).read<u32>(config.offset + offset);

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 140 Column: 40 CWE codes: 120 20

              
u32 VirtIODevice::config_read32(const Configuration& config, u32 offset)
{
    // Reads a 32-bit value from the configuration structure described by
    // `config`; `offset` is relative to the structure's start inside its BAR.
    // FlawFinder's `read` (CWE-120) hit here is a name match on the mapping's
    // typed accessor, not read(2). Whether that accessor bounds-checks the
    // final offset against the BAR size is not visible in this file — confirm
    // in the type returned by mapping_for_bar().
    auto const absolute_offset = config.offset + offset;
    auto&& bar_mapping = mapping_for_bar(config.bar);
    return bar_mapping.read<u32>(absolute_offset);
}

void VirtIODevice::config_write8(const Configuration& config, u32 offset, u8 value)
{
    mapping_for_bar(config.bar).write(config.offset + offset, value);

            

Reported by FlawFinder.

Kernel/DoubleBuffer.h
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 25 Column: 37 CWE codes: 120 20

                  {
        return write(UserOrKernelBuffer::for_kernel_buffer(const_cast<u8*>(data)), size);
    }
    [[nodiscard]] KResultOr<size_t> read(UserOrKernelBuffer&, size_t);
    // Kernel-pointer convenience overload: wraps `data` and forwards to the
    // UserOrKernelBuffer overload declared above. FlawFinder's `read`
    // (CWE-120) hit is a name match on this member, not read(2). Note that
    // for_kernel_buffer() receives only the pointer, so this wrapper cannot
    // check that `data` really has `size` bytes — that is the caller's
    // responsibility.
    [[nodiscard]] KResultOr<size_t> read(u8* data, size_t size)
    {
        UserOrKernelBuffer kernel_buffer { UserOrKernelBuffer::for_kernel_buffer(data) };
        return this->read(kernel_buffer, size);
    }

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 26 Column: 37 CWE codes: 120 20

                      return write(UserOrKernelBuffer::for_kernel_buffer(const_cast<u8*>(data)), size);
    }
    [[nodiscard]] KResultOr<size_t> read(UserOrKernelBuffer&, size_t);
    // Kernel-pointer convenience overload: wraps `data` and forwards to the
    // UserOrKernelBuffer overload declared above. FlawFinder's `read`
    // (CWE-120) hit is a name match on this member, not read(2). Note that
    // for_kernel_buffer() receives only the pointer, so this wrapper cannot
    // check that `data` really has `size` bytes — that is the caller's
    // responsibility.
    [[nodiscard]] KResultOr<size_t> read(u8* data, size_t size)
    {
        UserOrKernelBuffer kernel_buffer { UserOrKernelBuffer::for_kernel_buffer(data) };
        return this->read(kernel_buffer, size);
    }
    [[nodiscard]] KResultOr<size_t> peek(UserOrKernelBuffer&, size_t);

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 29 Column: 16 CWE codes: 120 20

                  // Kernel-pointer convenience overload: wraps `data` and forwards to the
    // UserOrKernelBuffer overload declared above. FlawFinder's `read`
    // (CWE-120) hit is a name match on this member, not read(2). Note that
    // for_kernel_buffer() receives only the pointer, so this wrapper cannot
    // check that `data` really has `size` bytes — that is the caller's
    // responsibility.
    [[nodiscard]] KResultOr<size_t> read(u8* data, size_t size)
    {
        UserOrKernelBuffer kernel_buffer { UserOrKernelBuffer::for_kernel_buffer(data) };
        return this->read(kernel_buffer, size);
    }
    [[nodiscard]] KResultOr<size_t> peek(UserOrKernelBuffer&, size_t);
    [[nodiscard]] KResultOr<size_t> peek(u8* data, size_t size)
    {
        auto buffer = UserOrKernelBuffer::for_kernel_buffer(data);

            

Reported by FlawFinder.

Kernel/PerformanceEventBuffer.h
3 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 29 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              struct [[gnu::packed]] MmapPerformanceEvent {
    size_t size;
    FlatPtr ptr;
    // Fixed 64-byte buffer (FlawFinder CWE-119/120 hit). Whatever fills it must
    // bound the copy to sizeof(name); whether it is guaranteed NUL-terminated is
    // not established here — confirm at the writer before reading it as a C string.
    char name[64];
};

struct [[gnu::packed]] MunmapPerformanceEvent {
    size_t size;
    FlatPtr ptr;

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 39 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
struct [[gnu::packed]] ProcessCreatePerformanceEvent {
    pid_t parent_pid;
    // Fixed 64-byte buffer (FlawFinder CWE-119/120 hit). Whatever fills it must
    // bound the copy to sizeof(executable); whether it is guaranteed
    // NUL-terminated is not established here — confirm at the writer.
    char executable[64];
};

struct [[gnu::packed]] ProcessExecPerformanceEvent {
    // Fixed 64-byte buffer (FlawFinder CWE-119/120 hit). Whatever fills it must
    // bound the copy to sizeof(executable); whether it is guaranteed
    // NUL-terminated is not established here — confirm at the writer.
    char executable[64];
};

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 43 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              };

struct [[gnu::packed]] ProcessExecPerformanceEvent {
    // Fixed 64-byte buffer (FlawFinder CWE-119/120 hit). Whatever fills it must
    // bound the copy to sizeof(executable); whether it is guaranteed
    // NUL-terminated is not established here — confirm at the writer.
    char executable[64];
};

// Thread-creation event payload; carries only the parent thread id, so unlike
// the process events above it has no fixed-size string buffer to bound.
struct [[gnu::packed]] ThreadCreatePerformanceEvent {
    pid_t parent_tid;
};

            

Reported by FlawFinder.

Userland/Applications/Assistant/FuzzyMatch.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 50 Column: 17 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                              return { false, out_score };

            if (first_match && src_matches) {
                memcpy(matches, src_matches, next_match);
                first_match = false;
            }

            u8 recursive_matches[recursive_match_limit];
            auto result = fuzzy_match_recursive(needle, haystack, needle_idx, haystack_idx + 1, matches, recursive_matches, next_match, recursion_count);

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 58 Column: 21 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                          auto result = fuzzy_match_recursive(needle, haystack, needle_idx, haystack_idx + 1, matches, recursive_matches, next_match, recursion_count);
            if (result.matched) {
                if (!had_recursive_match || result.score > best_recursive_score) {
                    memcpy(best_recursive_matches, recursive_matches, recursive_match_limit);
                    best_recursive_score = result.score;
                }
                had_recursive_match = true;
                matches[next_match++] = haystack_idx;
            }

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 105 Column: 13 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                      }

        if (had_recursive_match && (!matched || best_recursive_score > out_score)) {
            memcpy(matches, best_recursive_matches, MAX_MATCHES);
            out_score = best_recursive_score;
            return { true, out_score };
        } else if (matched) {
            return { true, out_score };
        }

            

Reported by FlawFinder.

Tests/LibM/test-math.cpp
3 issues
Invalid sqrt() argument nr 1. The value is -1 but the valid values are '0.0:'.
Error

Line: 36 CWE codes: 628

                  EXPECT_APPROXIMATE(sin(-1), -0.8414709848078965);
    EXPECT_APPROXIMATE(cos(-1), 0.5403023058681398);
    EXPECT_APPROXIMATE(tan(-1), -1.5574077246549023);
    EXPECT(isnan(sqrt(-1)));
    EXPECT(isnan(asin(1.1)));
    EXPECT(isnan(asin(-1.1)));
    EXPECT_APPROXIMATE(asin(0), 0.0);
    EXPECT_APPROXIMATE(asin(0.01), 0.01);
    EXPECT_APPROXIMATE(asin(0.1), 0.100167);

            

Reported by Cppcheck.

Invalid asin() argument nr 1. The value is 1.1 but the valid values are '-1.0:1.0'.
Error

Line: 37 CWE codes: 628

                  EXPECT_APPROXIMATE(cos(-1), 0.5403023058681398);
    EXPECT_APPROXIMATE(tan(-1), -1.5574077246549023);
    EXPECT(isnan(sqrt(-1)));
    EXPECT(isnan(asin(1.1)));
    EXPECT(isnan(asin(-1.1)));
    EXPECT_APPROXIMATE(asin(0), 0.0);
    EXPECT_APPROXIMATE(asin(0.01), 0.01);
    EXPECT_APPROXIMATE(asin(0.1), 0.100167);
    EXPECT_APPROXIMATE(asin(0.3), 0.304693);

            

Reported by Cppcheck.

Invalid asin() argument nr 1. The value is -1.1 but the valid values are '-1.0:1.0'.
Error

Line: 38 CWE codes: 628

                  EXPECT_APPROXIMATE(tan(-1), -1.5574077246549023);
    EXPECT(isnan(sqrt(-1)));
    EXPECT(isnan(asin(1.1)));
    EXPECT(isnan(asin(-1.1)));
    EXPECT_APPROXIMATE(asin(0), 0.0);
    EXPECT_APPROXIMATE(asin(0.01), 0.01);
    EXPECT_APPROXIMATE(asin(0.1), 0.100167);
    EXPECT_APPROXIMATE(asin(0.3), 0.304693);
    EXPECT_APPROXIMATE(asin(0.499), 0.522444);

            

Reported by Cppcheck.