The following issues were found

AK/StringImpl.cpp
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 71 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              
    char* buffer;
    auto new_stringimpl = create_uninitialized(length, buffer);
    memcpy(buffer, cstring, length * sizeof(char));

    return new_stringimpl;
}

RefPtr<StringImpl> StringImpl::create(const char* cstring, ShouldChomp shouldChomp)

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 81 Column: 28 CWE codes: 126 

                  if (!cstring)
        return nullptr;

    return create(cstring, strlen(cstring), shouldChomp);
}

RefPtr<StringImpl> StringImpl::create(ReadonlyBytes bytes, ShouldChomp shouldChomp)
{
    return StringImpl::create(reinterpret_cast<const char*>(bytes.data()), bytes.size(), shouldChomp);

Reported by FlawFinder.

Kernel/API/POSIX/sys/socket.h
2 issues
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 75 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
struct sockaddr {
    sa_family_t sa_family;
    char sa_data[14];
};

struct ucred {
    pid_t pid;
    uid_t uid;

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 131 Column: 9 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              struct sockaddr_storage {
    sa_family_t ss_family;
    union {
        char data[sizeof(struct sockaddr_un)];
        void* alignment;
    };
};

#ifdef __cplusplus

Reported by FlawFinder.

Kernel/Thread.cpp
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 1219 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  thread_specific_data->self = thread_specific_data;

    if (process().m_master_tls_size)
        memcpy(thread_local_storage, process().m_master_tls_region.unsafe_ptr()->vaddr().as_ptr(), process().m_master_tls_size);

    return KSuccess;
}

RefPtr<Thread> Thread::from_tid(ThreadID tid)

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 1237 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              
void Thread::reset_fpu_state()
{
    memcpy(&m_fpu_state, &Processor::current().clean_fpu_state(), sizeof(FPUState));
}

bool Thread::should_be_stopped() const
{
    return process().is_stopped();

Reported by FlawFinder.

Kernel/FileSystem/Inode.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 61 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead 

                  virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) = 0;
    virtual KResult add_child(Inode&, const StringView& name, mode_t) = 0;
    virtual KResult remove_child(const StringView& name) = 0;
    virtual KResult chmod(mode_t) = 0;
    virtual KResult chown(uid_t, gid_t) = 0;
    virtual KResult truncate(u64) { return KSuccess; }
    virtual KResultOr<NonnullRefPtr<Custody>> resolve_as_link(Custody& base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level) const;

    virtual KResultOr<int> get_block_address(int) { return ENOTSUP; }

Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 62 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead 

                  virtual KResult add_child(Inode&, const StringView& name, mode_t) = 0;
    virtual KResult remove_child(const StringView& name) = 0;
    virtual KResult chmod(mode_t) = 0;
    virtual KResult chown(uid_t, gid_t) = 0;
    virtual KResult truncate(u64) { return KSuccess; }
    virtual KResultOr<NonnullRefPtr<Custody>> resolve_as_link(Custody& base, RefPtr<Custody>* out_parent, int options, int symlink_recursion_level) const;

    virtual KResultOr<int> get_block_address(int) { return ENOTSUP; }

Reported by FlawFinder.

Userland/Libraries/LibC/sys/mman.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 18 Column: 112 CWE codes: 126 

              
void* serenity_mmap(void* addr, size_t size, int prot, int flags, int fd, off_t offset, size_t alignment, const char* name)
{
    Syscall::SC_mmap_params params { (uintptr_t)addr, size, alignment, prot, flags, fd, offset, { name, name ? strlen(name) : 0 } };
    ptrdiff_t rc = syscall(SC_mmap, &params);
    if (rc < 0 && rc > -EMAXERRNO) {
        errno = -rc;
        return MAP_FAILED;
    }

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 66 Column: 67 CWE codes: 126 

                      errno = EFAULT;
        return -1;
    }
    Syscall::SC_set_mmap_name_params params { addr, size, { name, strlen(name) } };
    int rc = syscall(SC_set_mmap_name, &params);
    __RETURN_WITH_ERRNO(rc, rc, -1);
}

int madvise(void* address, size_t size, int advice)

Reported by FlawFinder.

Userland/Libraries/LibC/sys/stat.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 17 Column: 5 CWE codes: 362
Suggestion: Use fchmod( ) instead 

              __BEGIN_DECLS

mode_t umask(mode_t);
int chmod(const char* pathname, mode_t);
int fchmod(int fd, mode_t);
int mkdir(const char* pathname, mode_t);
int mkfifo(const char* pathname, mode_t);
int fstat(int fd, struct stat* statbuf);
int lstat(const char* path, struct stat* statbuf);

Reported by FlawFinder.

umask - Ensure that umask is given most restrictive possible setting (e.g., 066 or 077)
Security

Line: 16 Column: 8 CWE codes: 732 

              
__BEGIN_DECLS

mode_t umask(mode_t);
int chmod(const char* pathname, mode_t);
int fchmod(int fd, mode_t);
int mkdir(const char* pathname, mode_t);
int mkfifo(const char* pathname, mode_t);
int fstat(int fd, struct stat* statbuf);

Reported by FlawFinder.

Userland/Libraries/LibC/syslog.cpp
2 issues
syslog - If syslog's format strings can be influenced by an attacker, they can be exploited
Security

Line: 103 Column: 6 CWE codes: 134
Suggestion: Use a constant format string for syslog 

                  va_end(ap);
}

void syslog(int priority, const char* message, ...)
{
    va_list ap;
    va_start(ap, message);
    vsyslog_r(priority, &global_log_data, message, ap);
    va_end(ap);

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 34 Column: 8 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
// Used when ident is null, since syslog traditionally prints the program's
// own name; the process name will always be the same unless we exec.
static char program_name_buffer[256];
static bool program_name_set = false;

// Convenience function for initialization and checking what string to use
// for the program name.
static const char* get_syslog_ident(struct syslog_data* data)

Reported by FlawFinder.

Kernel/TTY/TTY.cpp
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 41 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  m_termios.c_lflag = TTYDEF_LFLAG;
    m_termios.c_ispeed = TTYDEF_SPEED;
    m_termios.c_ospeed = TTYDEF_SPEED;
    memcpy(m_termios.c_cc, ttydefchars, sizeof(ttydefchars));
}

KResultOr<size_t> TTY::read(FileDescription&, u64, UserOrKernelBuffer& buffer, size_t size)
{
    if (Process::current().pgid() != pgid()) {

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 44 Column: 24 CWE codes: 120 20 

                  memcpy(m_termios.c_cc, ttydefchars, sizeof(ttydefchars));
}

KResultOr<size_t> TTY::read(FileDescription&, u64, UserOrKernelBuffer& buffer, size_t size)
{
    if (Process::current().pgid() != pgid()) {
        // FIXME: Should we propagate this error path somehow?
        [[maybe_unused]] auto rc = Process::current().send_signal(SIGTTIN, nullptr);
        return EINTR;

Reported by FlawFinder.

Kernel/TTY/SlavePTY.cpp
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 97 Column: 29 CWE codes: 120 20 

                  return TTY::can_read(description, offset);
}

KResultOr<size_t> SlavePTY::read(FileDescription& description, u64 offset, UserOrKernelBuffer& buffer, size_t size)
{
    if (m_master->is_closed())
        return 0;
    return TTY::read(description, offset, buffer, size);
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 101 Column: 17 CWE codes: 120 20 

              {
    if (m_master->is_closed())
        return 0;
    return TTY::read(description, offset, buffer, size);
}

KResult SlavePTY::close()
{
    m_master->notify_slave_closed({});

Reported by FlawFinder.

Kernel/TTY/PTYMultiplexer.h
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 30 Column: 55 CWE codes: 362 

                  static PTYMultiplexer& the();

    // ^CharacterDevice
    virtual KResultOr<NonnullRefPtr<FileDescription>> open(int options) override;
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override { return 0; }
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override { return 0; }
    virtual bool can_read(const FileDescription&, size_t) const override { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 31 Column: 31 CWE codes: 120 20 

              
    // ^CharacterDevice
    virtual KResultOr<NonnullRefPtr<FileDescription>> open(int options) override;
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override { return 0; }
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override { return 0; }
    virtual bool can_read(const FileDescription&, size_t) const override { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }

    void notify_master_destroyed(Badge<MasterPTY>, unsigned index);

Reported by FlawFinder.