The following issues were found

Kernel/PerformanceEventBuffer.h
3 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 29 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              struct [[gnu::packed]] MmapPerformanceEvent {
    // Packed record: [[gnu::packed]] lays the fields out back to back with no padding.
    size_t size;
    FlatPtr ptr;
    // Fixed 64-byte character field; this is the array FlawFinder flags (CWE-119/120).
    // The declaration itself copies nothing, so the risk sits wherever this field is filled:
    // that code must cap the copy at sizeof(name).
    // NOTE(review): whether the field stays NUL-terminated after a truncated copy is not
    // visible in this excerpt; confirm at the fill site.
    char name[64];
};

struct [[gnu::packed]] MunmapPerformanceEvent {
    size_t size;
    FlatPtr ptr;

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 39 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
struct [[gnu::packed]] ProcessCreatePerformanceEvent {
    // Packed record: [[gnu::packed]] removes padding between the two fields.
    pid_t parent_pid;
    // Fixed 64-byte character field; this is the array FlawFinder flags (CWE-119/120).
    // Code that fills it must cap the copy at sizeof(executable).
    // NOTE(review): handling of longer executable paths (truncation, NUL termination)
    // is not visible in this excerpt; confirm at the fill site.
    char executable[64];
};

struct [[gnu::packed]] ProcessExecPerformanceEvent {
    // Only member: a fixed 64-byte character field (FlawFinder match, CWE-119/120).
    // Code that fills it must cap the copy at sizeof(executable).
    // NOTE(review): truncation and NUL-termination behaviour is decided at the fill site,
    // which this excerpt does not show; confirm there.
    char executable[64];
};

            

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 43 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              };

struct [[gnu::packed]] ProcessExecPerformanceEvent {
    // Fixed 64-byte character field; this is the line the finding points at (CWE-119/120).
    // The declaration is not itself an overflow: the bound has to be enforced by whatever
    // copies into the field, using sizeof(executable) as the limit.
    // NOTE(review): the fill site is outside this excerpt; verify its length check there.
    char executable[64];
};

struct [[gnu::packed]] ThreadCreatePerformanceEvent {
    // Single scalar field; this struct has no fixed-size character array and appears
    // here only as trailing context for the flagged line.
    pid_t parent_tid;
};

            

Reported by FlawFinder.

AK/BitStream.h
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 22 Column: 12 CWE codes: 120 20

                  {
    }

    size_t read(Bytes bytes) override
    {
        if (has_any_error())
            return 0;

        size_t nread = 0;

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 37 Column: 33 CWE codes: 120 20

                          }
        }

        return nread + m_stream.read(bytes.slice(nread));
    }

    bool read_or_error(Bytes bytes) override
    {
        if (read(bytes) != bytes.size()) {

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 42 Column: 13 CWE codes: 120 20

              
    bool read_or_error(Bytes bytes) override
    {
        if (read(bytes) != bytes.size()) {
            set_fatal_error();
            return false;
        }

        return true;

            

Reported by FlawFinder.

Userland/Applications/HexEditor/HexEditor.h
3 issues
There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 21

              #include <LibGfx/TextAlignment.h>

class HexEditor : public GUI::AbstractScrollableWidget {
    C_OBJECT(HexEditor)
public:
    enum EditMode {
        Hex,
        Text
    };

            

Reported by Cppcheck.

There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 21

              #include <LibGfx/TextAlignment.h>

class HexEditor : public GUI::AbstractScrollableWidget {
    C_OBJECT(HexEditor)
public:
    enum EditMode {
        Hex,
        Text
    };

            

Reported by Cppcheck.

There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 21

              #include <LibGfx/TextAlignment.h>

class HexEditor : public GUI::AbstractScrollableWidget {
    C_OBJECT(HexEditor)
public:
    enum EditMode {
        Hex,
        Text
    };

            

Reported by Cppcheck.

Kernel/Net/NetworkAdapter.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 41 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                  eth->set_source(mac_address());
    eth->set_destination(destination);
    eth->set_ether_type(EtherType::ARP);
    memcpy(eth->payload(), &packet, sizeof(ARPPacket));
    send_packet({ (const u8*)eth, size_in_bytes });
}

void NetworkAdapter::fill_in_ipv4_header(PacketWithTimestamp& packet, IPv4Address const& source_ipv4, MACAddress const& destination_mac, IPv4Address const& destination_ipv4, IPv4Protocol protocol, size_t payload_size, u8 ttl)
{

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 86 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                      return;
    }

    memcpy(packet->buffer->data(), payload.data(), payload.size());

    m_packet_queue.append(*packet);
    m_packet_queue_size++;

    if (on_receive)

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 106 Column: 5 CWE codes: 120
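Suggestion: Make sure destination can always hold the source data. Triage note: in the excerpt below, the copy is directly preceded by VERIFY(packet_size <= buffer_size), so the length is checked against the caller-supplied size; whether buffer_size matches the real capacity of buffer is decided by the caller and is not visible here.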

                  auto& packet_buffer = packet_with_timestamp->buffer;
    size_t packet_size = packet_buffer->size();
    VERIFY(packet_size <= buffer_size);
    memcpy(buffer, packet_buffer->data(), packet_size);
    release_packet_buffer(*packet_with_timestamp);
    return packet_size;
}

RefPtr<PacketWithTimestamp> NetworkAdapter::acquire_packet_buffer(size_t size)

            

Reported by FlawFinder.

Userland/Applications/Assistant/FuzzyMatch.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 50 Column: 17 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                              return { false, out_score };

            if (first_match && src_matches) {
                memcpy(matches, src_matches, next_match);
                first_match = false;
            }

            u8 recursive_matches[recursive_match_limit];
            auto result = fuzzy_match_recursive(needle, haystack, needle_idx, haystack_idx + 1, matches, recursive_matches, next_match, recursion_count);

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 58 Column: 21 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                          auto result = fuzzy_match_recursive(needle, haystack, needle_idx, haystack_idx + 1, matches, recursive_matches, next_match, recursion_count);
            if (result.matched) {
                if (!had_recursive_match || result.score > best_recursive_score) {
                    memcpy(best_recursive_matches, recursive_matches, recursive_match_limit);
                    best_recursive_score = result.score;
                }
                had_recursive_match = true;
                matches[next_match++] = haystack_idx;
            }

            

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 105 Column: 13 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

                      }

        if (had_recursive_match && (!matched || best_recursive_score > out_score)) {
            memcpy(matches, best_recursive_matches, MAX_MATCHES);
            out_score = best_recursive_score;
            return { true, out_score };
        } else if (matched) {
            return { true, out_score };
        }

            

Reported by FlawFinder.

Userland/Applications/Run/RunWindow.cpp
3 issues
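open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? Triage note: the flagged call in the excerpt below is Desktop::Launcher::open(url), a function named open that takes a URL, so this is a match on the name; what the launcher does with the URL is not visible here and needs to be reviewed separately.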
Security

Line: 155 Column: 29 CWE codes: 362

                      url = URL::create_with_url_or_path(real_path);
    }

    if (!Desktop::Launcher::open(url)) {
        warnln("Failed to launch '{}'", url);
        return false;
    }

    dbgln("Ran via URL launch.");

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 173 Column: 38 CWE codes: 362

              void RunWindow::load_history()
{
    m_path_history.clear();
    auto file_or_error = Core::File::open(history_file_path(), Core::OpenMode::ReadOnly);
    if (file_or_error.is_error())
        return;

    auto file = file_or_error.release_value();
    while (!file->eof()) {

            

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 187 Column: 38 CWE codes: 362

              
void RunWindow::save_history()
{
    auto file_or_error = Core::File::open(history_file_path(), Core::OpenMode::WriteOnly);
    if (file_or_error.is_error())
        return;

    auto file = file_or_error.release_value();
    // Write the first 25 items of history

            

Reported by FlawFinder.

Userland/Libraries/LibCore/DirIterator.cpp
3 issues
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 91 Column: 13 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly

              String find_executable_in_path(String filename)
{
    if (filename.starts_with('/')) {
        if (access(filename.characters(), X_OK) == 0)
            return filename;

        return {};
    }


            

Reported by FlawFinder.

access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 100 Column: 13 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly

                  for (auto directory : String { getenv("PATH") }.split(':')) {
        auto fullpath = String::formatted("{}/{}", directory, filename);

        if (access(fullpath.characters(), X_OK) == 0)
            return fullpath;
    }

    return {};
}

            

Reported by FlawFinder.

getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 97 Column: 36 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

                      return {};
    }

    for (auto directory : String { getenv("PATH") }.split(':')) {
        auto fullpath = String::formatted("{}/{}", directory, filename);

        if (access(fullpath.characters(), X_OK) == 0)
            return fullpath;
    }

            

Reported by FlawFinder.

Kernel/Net/LocalSocket.h
2 issues
chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 50 Column: 21 CWE codes: 362
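Suggestion: Use fchown( ) instead. Triage note: the flagged line in the excerpt below declares a virtual member function named chown that takes a FileDescription&, uid_t and gid_t, with no filename argument, so this is a match on the name and the path-based race described above does not follow from the declaration itself.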

                  virtual KResultOr<size_t> sendto(FileDescription&, const UserOrKernelBuffer&, size_t, int, Userspace<const sockaddr*>, socklen_t) override;
    virtual KResultOr<size_t> recvfrom(FileDescription&, UserOrKernelBuffer&, size_t, int flags, Userspace<sockaddr*>, Userspace<socklen_t*>, Time&) override;
    virtual KResult getsockopt(FileDescription&, int level, int option, Userspace<void*>, Userspace<socklen_t*>) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

private:
    explicit LocalSocket(int type, NonnullOwnPtr<DoubleBuffer> client_buffer, NonnullOwnPtr<DoubleBuffer> server_buffer);
    virtual StringView class_name() const override { return "LocalSocket"; }

            

Reported by FlawFinder.

chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 51 Column: 21 CWE codes: 362
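Suggestion: Use fchmod( ) instead. Triage note: the flagged line in the excerpt below declares a virtual member function named chmod that takes a FileDescription& and a mode_t, with no filename argument, so this is a match on the name and the path-based race described above does not follow from the declaration itself.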

                  virtual KResultOr<size_t> recvfrom(FileDescription&, UserOrKernelBuffer&, size_t, int flags, Userspace<sockaddr*>, Userspace<socklen_t*>, Time&) override;
    virtual KResult getsockopt(FileDescription&, int level, int option, Userspace<void*>, Userspace<socklen_t*>) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

private:
    explicit LocalSocket(int type, NonnullOwnPtr<DoubleBuffer> client_buffer, NonnullOwnPtr<DoubleBuffer> server_buffer);
    virtual StringView class_name() const override { return "LocalSocket"; }
    virtual bool is_local() const override { return true; }

            

Reported by FlawFinder.

Kernel/Devices/SB16.cpp
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 174 Column: 25 CWE codes: 120 20

                  return false;
}

// Stub read handler: every parameter is unnamed and unused, and the function returns 0.
// No buffer is read from or written to here, so the FlawFinder "read" finding on this
// line is a match on the function name, not on a copy into a buffer.
KResultOr<size_t> SB16::read(FileDescription&, u64, UserOrKernelBuffer&, size_t)
{
    return 0;
}

void SB16::dma_start(uint32_t length)

            

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 262 Column: 15 CWE codes: 120 20

              
    const int sample_rate = 44100;
    set_sample_rate(sample_rate);
    if (!data.read(m_dma_region->vaddr().as_ptr(), length))
        return EFAULT;
    dma_start(length);

    // 16-bit single-cycle output.
    // FIXME: Implement auto-initialized output.

            

Reported by FlawFinder.

Userland/Libraries/LibC/sys/mman.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 18 Column: 112 CWE codes: 126

              
void* serenity_mmap(void* addr, size_t size, int prot, int flags, int fd, off_t offset, size_t alignment, const char* name)
{
    Syscall::SC_mmap_params params { (uintptr_t)addr, size, alignment, prot, flags, fd, offset, { name, name ? strlen(name) : 0 } };
    ptrdiff_t rc = syscall(SC_mmap, &params);
    if (rc < 0 && rc > -EMAXERRNO) {
        errno = -rc;
        return MAP_FAILED;
    }

            

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 66 Column: 67 CWE codes: 126

                      errno = EFAULT;
        return -1;
    }
    Syscall::SC_set_mmap_name_params params { addr, size, { name, strlen(name) } };
    int rc = syscall(SC_set_mmap_name, &params);
    __RETURN_WITH_ERRNO(rc, rc, -1);
}

int madvise(void* address, size_t size, int advice)

            

Reported by FlawFinder.