The following issues were found

Kernel/Devices/KCOVDevice.h
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 26 Column: 47 CWE codes: 362

    // ^File
    KResultOr<Memory::Region*> mmap(Process&, FileDescription&, Memory::VirtualRange const&, u64 offset, int prot, bool shared) override;
    KResultOr<NonnullRefPtr<FileDescription>> open(int options) override;

    // ^Device
    virtual mode_t required_mode() const override { return 0660; }
    virtual String device_name() const override;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 38 Column: 31 CWE codes: 120 20

    virtual bool can_read(const FileDescription&, size_t) const override final { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override final { return true; }
    virtual void start_request(AsyncBlockDeviceRequest& request) override final { request.complete(AsyncDeviceRequest::Failure); }
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override { return EINVAL; }
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override { return EINVAL; }
    virtual KResult ioctl(FileDescription&, unsigned request, Userspace<void*> arg) override;

private:
    KCOVDevice();

Reported by FlawFinder.

Kernel/KSyms.cpp
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 22 Column: 45 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

bool g_kernel_symbols_available = false;

extern "C" {
__attribute__((section(".kernel_symbols"))) char kernel_symbols[5 * MiB] {};
}

static KernelSymbol* s_symbols;
static size_t s_symbol_count = 0;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 88 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        auto& ksym = s_symbols[current_symbol_index];
        ksym.address = kernel_load_base + address;
        char* name = static_cast<char*>(kmalloc_eternal((bufptr - start_of_name) + 1));
        memcpy(name, start_of_name, bufptr - start_of_name);
        name[bufptr - start_of_name] = '\0';
        ksym.name = name;

        if (ksym.address < g_lowest_kernel_symbol_address)
            g_lowest_kernel_symbol_address = ksym.address;

Reported by FlawFinder.

Userland/Applications/CrashReporter/main.cpp
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 211 Column: 28 CWE codes: 362

    executable_link_label.set_text(LexicalPath::canonicalized_path(executable_path));
    executable_link_label.on_click = [&] {
        LexicalPath path { executable_path };
        Desktop::Launcher::open(URL::create_with_file_protocol(path.dirname(), path.basename()));
    };

    auto& coredump_link_label = *widget.find_descendant_of_type_named<GUI::LinkLabel>("coredump_link");
    coredump_link_label.set_text(LexicalPath::canonicalized_path(coredump_path));
    coredump_link_label.on_click = [&] {

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 218 Column: 28 CWE codes: 362

    coredump_link_label.set_text(LexicalPath::canonicalized_path(coredump_path));
    coredump_link_label.on_click = [&] {
        LexicalPath path { coredump_path };
        Desktop::Launcher::open(URL::create_with_file_protocol(path.dirname(), path.basename()));
    };

    auto& arguments_label = *widget.find_descendant_of_type_named<GUI::Label>("arguments_label");
    arguments_label.set_text(String::join(" ", arguments));

Reported by FlawFinder.

Kernel/Net/LocalSocket.h
2 issues
chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 50 Column: 21 CWE codes: 362
Suggestion: Use fchown() instead

    virtual KResultOr<size_t> sendto(FileDescription&, const UserOrKernelBuffer&, size_t, int, Userspace<const sockaddr*>, socklen_t) override;
    virtual KResultOr<size_t> recvfrom(FileDescription&, UserOrKernelBuffer&, size_t, int flags, Userspace<sockaddr*>, Userspace<socklen_t*>, Time&) override;
    virtual KResult getsockopt(FileDescription&, int level, int option, Userspace<void*>, Userspace<socklen_t*>) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

private:
    explicit LocalSocket(int type, NonnullOwnPtr<DoubleBuffer> client_buffer, NonnullOwnPtr<DoubleBuffer> server_buffer);
    virtual StringView class_name() const override { return "LocalSocket"; }

Reported by FlawFinder.

chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 51 Column: 21 CWE codes: 362
Suggestion: Use fchmod() instead

    virtual KResultOr<size_t> recvfrom(FileDescription&, UserOrKernelBuffer&, size_t, int flags, Userspace<sockaddr*>, Userspace<socklen_t*>, Time&) override;
    virtual KResult getsockopt(FileDescription&, int level, int option, Userspace<void*>, Userspace<socklen_t*>) override;
    virtual KResult chown(FileDescription&, uid_t, gid_t) override;
    virtual KResult chmod(FileDescription&, mode_t) override;

private:
    explicit LocalSocket(int type, NonnullOwnPtr<DoubleBuffer> client_buffer, NonnullOwnPtr<DoubleBuffer> server_buffer);
    virtual StringView class_name() const override { return "LocalSocket"; }
    virtual bool is_local() const override { return true; }

Reported by FlawFinder.

Tests/LibCrypto/TestAES.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 92 Column: 32 CWE codes: 126

    auto iv = ByteBuffer::create_zeroed(Crypto::Cipher::AESCipher::block_size());
    auto out_span = out.bytes();
    cipher.decrypt(in, out_span, iv);
    EXPECT_EQ(out_span.size(), strlen(true_value));
    EXPECT(memcmp(out_span.data(), true_value, strlen(true_value)) == 0);
};

TEST_CASE(test_AES_CBC_128bit_key_decrypt)
{

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 93 Column: 48 CWE codes: 126

    auto out_span = out.bytes();
    cipher.decrypt(in, out_span, iv);
    EXPECT_EQ(out_span.size(), strlen(true_value));
    EXPECT(memcmp(out_span.data(), true_value, strlen(true_value)) == 0);
};

TEST_CASE(test_AES_CBC_128bit_key_decrypt)
{
    u8 result[] {

Reported by FlawFinder.

Userland/Libraries/LibC/shadow.cpp
2 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 33 Column: 20 CWE codes: 362

    if (s_stream) {
        rewind(s_stream);
    } else {
        s_stream = fopen("/etc/shadow", "r");
        if (!s_stream) {
            dbgln("open /etc/shadow failed: {}", strerror(errno));
        }
    }
}

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 164 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

            return nullptr;
        }

        char buffer[1024];
        ++s_line_number;
        char* s = fgets(buffer, sizeof(buffer), s_stream);

        // Silently tolerate an empty line at the end.
        if ((!s || !s[0]) && feof(s_stream))

Reported by FlawFinder.

Tests/LibC/strlcpy-correctness.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 52 Column: 27 CWE codes: 126

        warnln("dest length {} != expected dest length {}? Check testcase! (Probably miscounted.)", testcase.dest_n, testcase.dest_expected_n);
        return false;
    }
    if (testcase.src_n != strlen(testcase.src)) {
        warnln("src length {} != actual src length {}? src can't contain NUL bytes!", testcase.src_n, strlen(testcase.src));
        return false;
    }

    // Setup

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 53 Column: 103 CWE codes: 126

        return false;
    }
    if (testcase.src_n != strlen(testcase.src)) {
        warnln("src length {} != actual src length {}? src can't contain NUL bytes!", testcase.src_n, strlen(testcase.src));
        return false;
    }

    // Setup
    ByteBuffer actual = ByteBuffer::create_uninitialized(SANDBOX_CANARY_SIZE + testcase.dest_n + SANDBOX_CANARY_SIZE);

Reported by FlawFinder.

Kernel/Devices/KCOVDevice.cpp
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 64 Column: 55 CWE codes: 362

    delete kcov_instance;
}

KResultOr<NonnullRefPtr<FileDescription>> KCOVDevice::open(int options)
{
    auto pid = Process::current().pid();
    if (proc_instance->get(pid).has_value())
        return EBUSY; // This process already open()ed the kcov device
    auto kcov_instance = new KCOVInstance(pid);

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 73 Column: 18 CWE codes: 362

    kcov_instance->state = KCOVInstance::OPENED;
    proc_instance->set(pid, kcov_instance);

    return File::open(options);
}

KResult KCOVDevice::ioctl(FileDescription&, unsigned request, Userspace<void*> arg)
{
    KResult return_value = KSuccess;

Reported by FlawFinder.

Userland/Libraries/LibC/libgen.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 19 Column: 15 CWE codes: 126

    if (path == nullptr)
        return dot;

    int len = strlen(path);
    if (len == 0)
        return dot;

    while (len > 1 && path[len - 1] == '/') {
        path[len - 1] = 0;

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 44 Column: 15 CWE codes: 126

    if (path == nullptr)
        return dot;

    int len = strlen(path);
    if (len == 0)
        return dot;

    while (len > 1 && path[len - 1] == '/') {
        path[len - 1] = 0;

Reported by FlawFinder.

Tests/LibC/TestLibCTime.cpp
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 22 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

TEST_CASE(asctime_r)
{
    char buffer[26] {};
    time_t epoch = 0;
    auto result = asctime_r(localtime(&epoch), buffer);
    EXPECT_EQ(expected_epoch, StringView(result));
}

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 38 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

TEST_CASE(ctime_r)
{
    char buffer[26] {};
    time_t epoch = 0;
    auto result = ctime_r(&epoch, buffer);

    EXPECT_EQ(expected_epoch, StringView(result));
}

Reported by FlawFinder.