The following issues were found

Kernel/KBufferBuilder.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 52 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              {
    if (!check_expand(bytes.size()))
        return;
    memcpy(insertion_ptr(), bytes.data(), bytes.size());
    m_size += bytes.size();
}

void KBufferBuilder::append(const StringView& str)
{

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 62 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                      return;
    if (!check_expand(str.length()))
        return;
    memcpy(insertion_ptr(), str.characters_without_null_termination(), str.length());
    m_size += str.length();
}

void KBufferBuilder::append(const char* characters, int length)
{

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 72 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                      return;
    if (!check_expand(length))
        return;
    memcpy(insertion_ptr(), characters, length);
    m_size += length;
}

void KBufferBuilder::append(char ch)
{

Reported by FlawFinder.

Userland/Utilities/checksum.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 57 Column: 29 CWE codes: 362 

              
    for (auto const& path : paths) {
        if (path == "-") {
            success = file->open(STDIN_FILENO, Core::OpenMode::ReadOnly, Core::File::ShouldCloseFileDescriptor::No);
        } else {
            file->set_filename(path);
            success = file->open(Core::OpenMode::ReadOnly);
        }
        if (!success) {

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 60 Column: 29 CWE codes: 362 

                          success = file->open(STDIN_FILENO, Core::OpenMode::ReadOnly, Core::File::ShouldCloseFileDescriptor::No);
        } else {
            file->set_filename(path);
            success = file->open(Core::OpenMode::ReadOnly);
        }
        if (!success) {
            warnln("{}: {}: {}", argv[0], path, file->error_string());
            has_error = true;
            continue;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 69 Column: 31 CWE codes: 120 20 

                      }

        while (!file->eof() && !file->has_error())
            hash.update(file->read(PAGE_SIZE));
        auto digest = hash.digest();
        auto digest_data = digest.immutable_data();
        StringBuilder builder;
        for (size_t i = 0; i < hash.digest_size(); ++i)
            builder.appendff("{:02x}", digest_data[i]);

Reported by FlawFinder.

Userland/Applications/Help/ManualSectionNode.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 41 Column: 39 CWE codes: 362 

                      m_children.append(make<ManualPageNode>(*this, move(page_name)));
}

void ManualSectionNode::set_open(bool open)
{
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 43 Column: 19 CWE codes: 362 

              
void ManualSectionNode::set_open(bool open)
{
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 45 Column: 14 CWE codes: 362 

              {
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

Userland/Applications/Help/main.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 181 Column: 72 CWE codes: 362 

                      open_page(path);
    };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 182 Column: 53 CWE codes: 362 

                  };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 186 Column: 33 CWE codes: 362 

                  };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,
                String::formatted("The link to '{}' could not be opened.", url),
                "Failed to open link",
                GUI::MessageBox::Type::Error);
        }

Reported by FlawFinder.

Kernel/Bus/VirtIO/VirtIO.cpp
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 130 Column: 40 CWE codes: 120 20 

              
u8 VirtIODevice::config_read8(const Configuration& config, u32 offset)
{
    return mapping_for_bar(config.bar).read<u8>(config.offset + offset);
}

u16 VirtIODevice::config_read16(const Configuration& config, u32 offset)
{
    return mapping_for_bar(config.bar).read<u16>(config.offset + offset);

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 135 Column: 40 CWE codes: 120 20 

              
u16 VirtIODevice::config_read16(const Configuration& config, u32 offset)
{
    return mapping_for_bar(config.bar).read<u16>(config.offset + offset);
}

u32 VirtIODevice::config_read32(const Configuration& config, u32 offset)
{
    return mapping_for_bar(config.bar).read<u32>(config.offset + offset);

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 140 Column: 40 CWE codes: 120 20 

              
u32 VirtIODevice::config_read32(const Configuration& config, u32 offset)
{
    return mapping_for_bar(config.bar).read<u32>(config.offset + offset);
}

void VirtIODevice::config_write8(const Configuration& config, u32 offset, u8 value)
{
    mapping_for_bar(config.bar).write(config.offset + offset, value);

Reported by FlawFinder.

Kernel/DoubleBuffer.h
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 25 Column: 37 CWE codes: 120 20 

                  {
        return write(UserOrKernelBuffer::for_kernel_buffer(const_cast<u8*>(data)), size);
    }
    [[nodiscard]] KResultOr<size_t> read(UserOrKernelBuffer&, size_t);
    [[nodiscard]] KResultOr<size_t> read(u8* data, size_t size)
    {
        auto buffer = UserOrKernelBuffer::for_kernel_buffer(data);
        return read(buffer, size);
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 26 Column: 37 CWE codes: 120 20 

                      return write(UserOrKernelBuffer::for_kernel_buffer(const_cast<u8*>(data)), size);
    }
    [[nodiscard]] KResultOr<size_t> read(UserOrKernelBuffer&, size_t);
    [[nodiscard]] KResultOr<size_t> read(u8* data, size_t size)
    {
        auto buffer = UserOrKernelBuffer::for_kernel_buffer(data);
        return read(buffer, size);
    }
    [[nodiscard]] KResultOr<size_t> peek(UserOrKernelBuffer&, size_t);

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 29 Column: 16 CWE codes: 120 20 

                  [[nodiscard]] KResultOr<size_t> read(u8* data, size_t size)
    {
        auto buffer = UserOrKernelBuffer::for_kernel_buffer(data);
        return read(buffer, size);
    }
    [[nodiscard]] KResultOr<size_t> peek(UserOrKernelBuffer&, size_t);
    [[nodiscard]] KResultOr<size_t> peek(u8* data, size_t size)
    {
        auto buffer = UserOrKernelBuffer::for_kernel_buffer(data);

Reported by FlawFinder.

Userland/Libraries/LibC/dirent.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 26 Column: 14 CWE codes: 362 

              
DIR* opendir(const char* name)
{
    int fd = open(name, O_RDONLY | O_DIRECTORY);
    if (fd == -1)
        return nullptr;
    return fdopendir(fd);
}

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 88 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  // Note: We can't use any normal string function as sys_ent->name is
    // not null terminated. All string copy functions will attempt to read
    // the non-existent null terminator past the end of the source string.
    memcpy(str_ent->d_name, sys_ent->name, sys_ent->namelen);
    str_ent->d_name[sys_ent->namelen] = '\0';
}

static int allocate_dirp_buffer(DIR* dirp)
{

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 251 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                      auto entry_copy = (struct dirent*)malloc(entry->d_reclen);
        if (!entry_copy)
            break;
        memcpy(entry_copy, entry, entry->d_reclen);
        tmp_names.append(entry_copy);
    }

    // Propagate any errors encountered while accumulating back to the user.
    if (errno) {

Reported by FlawFinder.

Userland/Libraries/LibC/grp.cpp
3 issues
fprintf - If format strings can be influenced by an attacker, they can be exploited
Security

Line: 189 Column: 24 CWE codes: 134
Suggestion: Use a constant for the format specification 

              
    if (group->gr_mem) {
        for (size_t i = 0; group->gr_mem[i] != nullptr; i++) {
            nwritten = fprintf(stream, i == 0 ? "%s" : ",%s", group->gr_mem[i]);
            if (!nwritten || nwritten < 0) {
                errno = ferror(stream);
                return -1;
            }
        }

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 35 Column: 20 CWE codes: 362 

                  if (s_stream) {
        rewind(s_stream);
    } else {
        s_stream = fopen("/etc/group", "r");
        if (!s_stream) {
            perror("open /etc/group");
        }
    }
}

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 128 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

                          return nullptr;
        }

        char buffer[1024];
        ++s_line_number;
        char* s = fgets(buffer, sizeof(buffer), s_stream);

        // Silently tolerate an empty line at the end.
        if ((!s || !s[0]) && feof(s_stream))

Reported by FlawFinder.

Kernel/PerformanceEventBuffer.h
3 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 29 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              struct [[gnu::packed]] MmapPerformanceEvent {
    size_t size;
    FlatPtr ptr;
    char name[64];
};

struct [[gnu::packed]] MunmapPerformanceEvent {
    size_t size;
    FlatPtr ptr;

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 39 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
struct [[gnu::packed]] ProcessCreatePerformanceEvent {
    pid_t parent_pid;
    char executable[64];
};

struct [[gnu::packed]] ProcessExecPerformanceEvent {
    char executable[64];
};

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 43 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              };

struct [[gnu::packed]] ProcessExecPerformanceEvent {
    char executable[64];
};

struct [[gnu::packed]] ThreadCreatePerformanceEvent {
    pid_t parent_tid;
};

Reported by FlawFinder.

Userland/Applications/Assistant/FuzzyMatch.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 50 Column: 17 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                              return { false, out_score };

            if (first_match && src_matches) {
                memcpy(matches, src_matches, next_match);
                first_match = false;
            }

            u8 recursive_matches[recursive_match_limit];
            auto result = fuzzy_match_recursive(needle, haystack, needle_idx, haystack_idx + 1, matches, recursive_matches, next_match, recursion_count);

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 58 Column: 21 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                          auto result = fuzzy_match_recursive(needle, haystack, needle_idx, haystack_idx + 1, matches, recursive_matches, next_match, recursion_count);
            if (result.matched) {
                if (!had_recursive_match || result.score > best_recursive_score) {
                    memcpy(best_recursive_matches, recursive_matches, recursive_match_limit);
                    best_recursive_score = result.score;
                }
                had_recursive_match = true;
                matches[next_match++] = haystack_idx;
            }

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 105 Column: 13 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                      }

        if (had_recursive_match && (!matched || best_recursive_score > out_score)) {
            memcpy(matches, best_recursive_matches, MAX_MATCHES);
            out_score = best_recursive_score;
            return { true, out_score };
        } else if (matched) {
            return { true, out_score };
        }

Reported by FlawFinder.