The following issues were found

Kernel/TTY/PTYMultiplexer.h
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 30 Column: 55 CWE codes: 362 

                  static PTYMultiplexer& the();

    // ^CharacterDevice
    virtual KResultOr<NonnullRefPtr<FileDescription>> open(int options) override;
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override { return 0; }
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override { return 0; }
    virtual bool can_read(const FileDescription&, size_t) const override { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 31 Column: 31 CWE codes: 120 20 

              
    // ^CharacterDevice
    virtual KResultOr<NonnullRefPtr<FileDescription>> open(int options) override;
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override { return 0; }
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override { return 0; }
    virtual bool can_read(const FileDescription&, size_t) const override { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }

    void notify_master_destroyed(Badge<MasterPTY>, unsigned index);

Reported by FlawFinder.

Kernel/FileSystem/ISO9660FileSystem.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 359 Column: 21 CWE codes: 362
Suggestion: Use fchmod( ) instead 

                  virtual KResultOr<NonnullRefPtr<Inode>> create_child(StringView name, mode_t, dev_t, uid_t, gid_t) override;
    virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
    virtual KResult set_atime(time_t) override;
    virtual KResult set_ctime(time_t) override;
    virtual KResult set_mtime(time_t) override;

Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 360 Column: 21 CWE codes: 362
Suggestion: Use fchown( ) instead 

                  virtual KResult add_child(Inode&, const StringView& name, mode_t) override;
    virtual KResult remove_child(const StringView& name) override;
    virtual KResult chmod(mode_t) override;
    virtual KResult chown(uid_t, gid_t) override;
    virtual KResult truncate(u64) override;
    virtual KResult set_atime(time_t) override;
    virtual KResult set_ctime(time_t) override;
    virtual KResult set_mtime(time_t) override;
    virtual void one_ref_left() override;

Reported by FlawFinder.

Userland/Libraries/LibC/syslog.cpp
2 issues
syslog - If syslog's format strings can be influenced by an attacker, they can be exploited
Security

Line: 103 Column: 6 CWE codes: 134
Suggestion: Use a constant format string for syslog 

                  va_end(ap);
}

void syslog(int priority, const char* message, ...)
{
    va_list ap;
    va_start(ap, message);
    vsyslog_r(priority, &global_log_data, message, ap);
    va_end(ap);

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 34 Column: 8 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length 

              
// Used when ident is null, since syslog traditionally prints the program's
// own name; the process name will always be the same unless we exec.
static char program_name_buffer[256];
static bool program_name_set = false;

// Convenience function for initialization and checking what string to use
// for the program name.
static const char* get_syslog_ident(struct syslog_data* data)

Reported by FlawFinder.

Kernel/FileSystem/ISO9660FileSystem.cpp
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 583 Column: 23 CWE codes: 362
Suggestion: Use fchmod( ) instead 

                  return EROFS;
}

KResult ISO9660Inode::chmod(mode_t)
{
    return EROFS;
}

KResult ISO9660Inode::chown(uid_t, gid_t)

Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 588 Column: 23 CWE codes: 362
Suggestion: Use fchown( ) instead 

                  return EROFS;
}

KResult ISO9660Inode::chown(uid_t, gid_t)
{
    return EROFS;
}

KResult ISO9660Inode::truncate(u64)

Reported by FlawFinder.

Kernel/TTY/MasterPTY.cpp
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 65 Column: 30 CWE codes: 120 20 

                  return m_pts_name;
}

KResultOr<size_t> MasterPTY::read(FileDescription&, u64, UserOrKernelBuffer& buffer, size_t size)
{
    if (!m_slave && m_buffer->is_empty())
        return 0;
    return m_buffer->read(buffer, size);
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 69 Column: 22 CWE codes: 120 20 

              {
    if (!m_slave && m_buffer->is_empty())
        return 0;
    return m_buffer->read(buffer, size);
}

KResultOr<size_t> MasterPTY::write(FileDescription&, u64, const UserOrKernelBuffer& buffer, size_t size)
{
    if (!m_slave)

Reported by FlawFinder.

Kernel/Syscalls/sigaction.cpp
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 98 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  stack_ptr++;

    //pop edi, esi, ebp, esp, ebx, edx, ecx and eax
    memcpy(&registers.edi, stack_ptr, 8 * sizeof(FlatPtr));
    stack_ptr += 8;

    registers.eip = *stack_ptr;
    stack_ptr++;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 121 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                  stack_ptr++;

    //pop rdi, rsi, rbp, rsp, rbx, rdx, rcx, rax, r8, r9, r10, r11, r12, r13, r14 and r15
    memcpy(&registers.rdi, stack_ptr, 16 * sizeof(FlatPtr));
    stack_ptr += 16;

    registers.rip = *stack_ptr;
    stack_ptr++;

Reported by FlawFinder.

Kernel/Syscalls/read.cpp
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 63 Column: 36 CWE codes: 120 20 

                      auto buffer = UserOrKernelBuffer::for_user_buffer((u8*)vec.iov_base, vec.iov_len);
        if (!buffer.has_value())
            return EFAULT;
        auto result = description->read(buffer.value(), vec.iov_len);
        if (result.is_error())
            return result.error();
        nread += result.value();
    }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 101 Column: 32 CWE codes: 120 20 

                  auto user_buffer = UserOrKernelBuffer::for_user_buffer(buffer, size);
    if (!user_buffer.has_value())
        return EFAULT;
    auto result = description->read(user_buffer.value(), size);
    if (result.is_error())
        return result.error();
    return result.value();
}

Reported by FlawFinder.

Kernel/Bus/VirtIO/VirtIOConsolePort.h
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 41 Column: 55 CWE codes: 362 

                  virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual bool can_write(const FileDescription&, size_t) const override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<NonnullRefPtr<FileDescription>> open(int options) override;

    mode_t required_mode() const override { return 0666; }

    String device_name() const override;

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 38 Column: 31 CWE codes: 120 20 

                  virtual StringView class_name() const override { return "VirtIOConsolePort"; }

    virtual bool can_read(const FileDescription&, size_t) const override;
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual bool can_write(const FileDescription&, size_t) const override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<NonnullRefPtr<FileDescription>> open(int options) override;

    mode_t required_mode() const override { return 0666; }

Reported by FlawFinder.

Userland/Libraries/LibC/sys/mman.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 18 Column: 112 CWE codes: 126 

              
void* serenity_mmap(void* addr, size_t size, int prot, int flags, int fd, off_t offset, size_t alignment, const char* name)
{
    Syscall::SC_mmap_params params { (uintptr_t)addr, size, alignment, prot, flags, fd, offset, { name, name ? strlen(name) : 0 } };
    ptrdiff_t rc = syscall(SC_mmap, &params);
    if (rc < 0 && rc > -EMAXERRNO) {
        errno = -rc;
        return MAP_FAILED;
    }

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 66 Column: 67 CWE codes: 126 

                      errno = EFAULT;
        return -1;
    }
    Syscall::SC_set_mmap_name_params params { addr, size, { name, strlen(name) } };
    int rc = syscall(SC_set_mmap_name, &params);
    __RETURN_WITH_ERRNO(rc, rc, -1);
}

int madvise(void* address, size_t size, int advice)

Reported by FlawFinder.

Kernel/Syscalls/open.cpp
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 66 Column: 44 CWE codes: 362 

                      base = base_description->custody();
    }

    auto result = VirtualFileSystem::the().open(path.value()->view(), options, mode & ~umask(), *base);
    if (result.is_error())
        return result.error();
    auto description = result.value();

    if (description->inode() && description->inode()->socket())

Reported by FlawFinder.

umask - Ensure that umask is given most restrictive possible setting (e.g., 066 or 077)
Security

Line: 66 Column: 88 CWE codes: 732 

                      base = base_description->custody();
    }

    auto result = VirtualFileSystem::the().open(path.value()->view(), options, mode & ~umask(), *base);
    if (result.is_error())
        return result.error();
    auto description = result.value();

    if (description->inode() && description->inode()->socket())

Reported by FlawFinder.