The following issues were found

Userland/Libraries/LibC/shadow.cpp
2 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 33 Column: 20 CWE codes: 362

    if (s_stream) {
        rewind(s_stream);
    } else {
        s_stream = fopen("/etc/shadow", "r");
        if (!s_stream) {
            dbgln("open /etc/shadow failed: {}", strerror(errno));
        }
    }
}

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 164 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

            return nullptr;
        }

        char buffer[1024];
        ++s_line_number;
        char* s = fgets(buffer, sizeof(buffer), s_stream);

        // Silently tolerate an empty line at the end.
        if ((!s || !s[0]) && feof(s_stream))

Reported by FlawFinder.

Tests/LibC/TestLibCTime.cpp
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 22 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

TEST_CASE(asctime_r)
{
    char buffer[26] {};
    time_t epoch = 0;
    auto result = asctime_r(localtime(&epoch), buffer);
    EXPECT_EQ(expected_epoch, StringView(result));
}

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 38 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

TEST_CASE(ctime_r)
{
    char buffer[26] {};
    time_t epoch = 0;
    auto result = ctime_r(&epoch, buffer);

    EXPECT_EQ(expected_epoch, StringView(result));
}

Reported by FlawFinder.

Userland/Libraries/LibC/pty.cpp
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 37 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

        return -1;
    }

    char tty_name[32];
    int rc = ptsname_r(*amaster, tty_name, sizeof(tty_name));
    if (rc < 0) {
        int error = errno;
        close(*amaster);
        errno = error;

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 51 Column: 15 CWE codes: 362

        [[maybe_unused]] auto rc = strlcpy(name, tty_name, 128);
    }

    *aslave = open(tty_name, O_RDWR | O_NOCTTY);
    if (*aslave < 0) {
        int error = errno;
        close(*amaster);
        errno = error;
        return -1;

Reported by FlawFinder.

Userland/Libraries/LibC/locale.cpp
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 50 Column: 12 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

char* setlocale(int, const char*)
{
    static char locale[2];
    memcpy(locale, "C", 2);
    return locale;
}

struct lconv* localeconv()

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 51 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

char* setlocale(int, const char*)
{
    static char locale[2];
    memcpy(locale, "C", 2);
    return locale;
}

struct lconv* localeconv()
{

Reported by FlawFinder.

Tests/LibC/TestLibCExec.cpp
2 issues
execlp - This causes a new program to execute and is difficult to use safely
Security

Line: 19 Column: 14 CWE codes: 78
Suggestion: try using a library call that implements the same functionality if available

    ftruncate(fd, 0);
    close(fd);

    int rc = execlp("hax", "hax", nullptr);
    int saved_errno = errno;
    perror("execlp");
    unlink("hax");

    EXPECT_EQ(rc, -1);

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 15 Column: 14 CWE codes: 362

TEST_CASE(exec_should_not_search_current_directory)
{
    int fd = open("hax", O_CREAT | O_RDWR, 0755);
    ftruncate(fd, 0);
    close(fd);

    int rc = execlp("hax", "hax", nullptr);
    int saved_errno = errno;

Reported by FlawFinder.

Userland/Libraries/LibC/pwd.cpp
2 issues
fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 35 Column: 20 CWE codes: 362

    if (s_stream) {
        rewind(s_stream);
    } else {
        s_stream = fopen("/etc/passwd", "r");
        if (!s_stream) {
            perror("open /etc/passwd");
        }
    }
}

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 131 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

            return nullptr;
        }

        char buffer[1024];
        ++s_line_number;
        char* s = fgets(buffer, sizeof(buffer), s_stream);

        // Silently tolerate an empty line at the end.
        if ((!s || !s[0]) && feof(s_stream))

Reported by FlawFinder.

Kernel/Graphics/FramebufferDevice.cpp
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 86 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    ScopedSpinLock lock(m_activation_lock);
    if (!m_userspace_framebuffer_region)
        return;
    memcpy(m_swapped_framebuffer_region->vaddr().as_ptr(), m_real_framebuffer_region->vaddr().as_ptr(), Memory::page_round_up(framebuffer_size_in_bytes()));
    auto vmobject = m_swapped_framebuffer_vmobject;
    m_userspace_framebuffer_region->set_vmobject(vmobject.release_nonnull());
    m_userspace_framebuffer_region->remap();
    m_graphical_writes_enabled = false;
}

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 100 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    // restore the image we had in the void area
    // FIXME: if we happen to have multiple Framebuffers that are writing to that location
    // we will experience glitches...
    memcpy(m_real_framebuffer_region->vaddr().as_ptr(), m_swapped_framebuffer_region->vaddr().as_ptr(), Memory::page_round_up(framebuffer_size_in_bytes()));
    auto vmobject = m_userspace_real_framebuffer_vmobject;
    m_userspace_framebuffer_region->set_vmobject(vmobject.release_nonnull());
    m_userspace_framebuffer_region->remap();
    m_graphical_writes_enabled = true;
}

Reported by FlawFinder.

Tests/Kernel/uaf-close-while-blocked-in-read.cpp
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 31 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

        nullptr);

    printf("First thread doing a blocking read from pipe...\n");
    char buffer[16];
    ssize_t nread = read(pipefds[0], buffer, sizeof(buffer));
    if (nread != 0) {
        printf("FAIL, read %zd bytes from pipe\n", nread);
        return 1;
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 32 Column: 21 CWE codes: 120 20

    printf("First thread doing a blocking read from pipe...\n");
    char buffer[16];
    ssize_t nread = read(pipefds[0], buffer, sizeof(buffer));
    if (nread != 0) {
        printf("FAIL, read %zd bytes from pipe\n", nread);
        return 1;
    }

Reported by FlawFinder.

Userland/Libraries/LibC/libgen.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 19 Column: 15 CWE codes: 126

    if (path == nullptr)
        return dot;

    int len = strlen(path);
    if (len == 0)
        return dot;

    while (len > 1 && path[len - 1] == '/') {
        path[len - 1] = 0;

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 44 Column: 15 CWE codes: 126

    if (path == nullptr)
        return dot;

    int len = strlen(path);
    if (len == 0)
        return dot;

    while (len > 1 && path[len - 1] == '/') {
        path[len - 1] = 0;

Reported by FlawFinder.

Tests/Kernel/setpgid-across-sessions-without-leader.cpp
2 issues
usleep - This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified
Security

Line: 76 Column: 20 CWE codes: 676
Suggestion: Use nanosleep(2) or setitimer(2) instead

static void sleep_steps(useconds_t steps)
{
    const int rc = usleep(steps * STEP_SIZE);
    if (rc < 0) {
        perror("usleep");
        VERIFY_NOT_REACHED();
    }
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 114 Column: 18 CWE codes: 120 20

    // the test as failed (for lack of knowledge). Otherwise, it outputs accordingly.
    dbgln("PX reads from pipe");
    unsigned char buf = 42;
    ssize_t rc = read(fds[0], &buf, 1);
    if (rc == 0) {
        // In fact, we only reach this branch when *all* processes have died,
        // including this one. So … should be unreachable.
        printf("DOUBLE FAIL: pipe is closed, but we still have it open.\n"
               "See debug log, some process probably crashed.\n");

Reported by FlawFinder.