The following issues were found

Userland/Libraries/LibC/sys/mman.cpp
2 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 18 Column: 112 CWE codes: 126

void* serenity_mmap(void* addr, size_t size, int prot, int flags, int fd, off_t offset, size_t alignment, const char* name)
{
    Syscall::SC_mmap_params params { (uintptr_t)addr, size, alignment, prot, flags, fd, offset, { name, name ? strlen(name) : 0 } };
    ptrdiff_t rc = syscall(SC_mmap, &params);
    if (rc < 0 && rc > -EMAXERRNO) {
        errno = -rc;
        return MAP_FAILED;
    }

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 66 Column: 67 CWE codes: 126

        errno = EFAULT;
        return -1;
    }
    Syscall::SC_set_mmap_name_params params { addr, size, { name, strlen(name) } };
    int rc = syscall(SC_set_mmap_name, &params);
    __RETURN_WITH_ERRNO(rc, rc, -1);
}

int madvise(void* address, size_t size, int advice)

Reported by FlawFinder.

Userland/Libraries/LibELF/DynamicLoader.cpp
2 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 386 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        VERIFY(data_segment_start.as_ptr() + data_region.size_in_memory() <= data_segment + data_segment_size);

        memcpy(data_segment_start.as_ptr(), (u8*)m_file_data + data_region.offset(), data_region.size_in_image());
    }

    // FIXME: Initialize the values in the TLS section. Currently, it is zeroed.
}

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 558 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

        ssize_t negative_offset = negative_offset_from_tls_block_end(m_tls_offset, symbol.value());
        VERIFY(symbol.size() != 0);
        VERIFY(buffer.size() + negative_offset + symbol.size() <= buffer.size());
        memcpy(buffer.data() + buffer.size() + negative_offset, tls_data + symbol.value(), symbol.size());

        return IterationDecision::Continue;
    });
}

Reported by FlawFinder.

Kernel/FileSystem/DevPtsFS.cpp
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 173 Column: 24 CWE codes: 362
Suggestion: Use fchmod( ) instead

    return EROFS;
}

KResult DevPtsFSInode::chmod(mode_t)
{
    return EROFS;
}

KResult DevPtsFSInode::chown(uid_t, gid_t)

Reported by FlawFinder.

chown - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 178 Column: 24 CWE codes: 362
Suggestion: Use fchown( ) instead

    return EROFS;
}

KResult DevPtsFSInode::chown(uid_t, gid_t)
{
    return EROFS;
}

}

Reported by FlawFinder.

Userland/Applications/Run/RunWindow.h
2 issues
There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 16

#include <LibGUI/Window.h>

class RunWindow final : public GUI::Window {
    C_OBJECT(RunWindow)
public:
    virtual ~RunWindow() override;

    virtual void event(Core::Event&) override;

Reported by Cppcheck.

Kernel/TTY/SlavePTY.cpp
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 97 Column: 29 CWE codes: 120 20

    return TTY::can_read(description, offset);
}

KResultOr<size_t> SlavePTY::read(FileDescription& description, u64 offset, UserOrKernelBuffer& buffer, size_t size)
{
    if (m_master->is_closed())
        return 0;
    return TTY::read(description, offset, buffer, size);
}

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 101 Column: 17 CWE codes: 120 20

{
    if (m_master->is_closed())
        return 0;
    return TTY::read(description, offset, buffer, size);
}

KResult SlavePTY::close()
{
    m_master->notify_slave_closed({});

Reported by FlawFinder.

Userland/Libraries/LibGUI/JsonArrayModel.cpp
2 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 16 Column: 16 CWE codes: 362

void JsonArrayModel::invalidate()
{
    auto file = Core::File::construct(m_json_path);
    if (!file->open(Core::OpenMode::ReadOnly)) {
        dbgln("Unable to open {}", file->filename());
        m_array.clear();
        did_update();
        return;
    }

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 35 Column: 16 CWE codes: 362

bool JsonArrayModel::store()
{
    auto file = Core::File::construct(m_json_path);
    if (!file->open(Core::OpenMode::WriteOnly)) {
        dbgln("Unable to open {}", file->filename());
        return false;
    }

    file->write(m_array.to_string());

Reported by FlawFinder.

Userland/Libraries/LibC/sys/stat.h
2 issues
chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.
Security

Line: 17 Column: 5 CWE codes: 362
Suggestion: Use fchmod( ) instead

__BEGIN_DECLS

mode_t umask(mode_t);
int chmod(const char* pathname, mode_t);
int fchmod(int fd, mode_t);
int mkdir(const char* pathname, mode_t);
int mkfifo(const char* pathname, mode_t);
int fstat(int fd, struct stat* statbuf);
int lstat(const char* path, struct stat* statbuf);

Reported by FlawFinder.

umask - Ensure that umask is given most restrictive possible setting (e.g., 066 or 077)
Security

Line: 16 Column: 8 CWE codes: 732

__BEGIN_DECLS

mode_t umask(mode_t);
int chmod(const char* pathname, mode_t);
int fchmod(int fd, mode_t);
int mkdir(const char* pathname, mode_t);
int mkfifo(const char* pathname, mode_t);
int fstat(int fd, struct stat* statbuf);

Reported by FlawFinder.

Userland/Libraries/LibGUI/Window.cpp
2 issues
getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once
Security

Line: 125 Column: 43 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

    m_window_id = s_window_id_allocator.allocate();

    Gfx::IntRect launch_origin_rect;
    if (auto* launch_origin_rect_string = getenv("__libgui_launch_origin_rect")) {
        auto parts = StringView(launch_origin_rect_string).split_view(',');
        if (parts.size() == 4) {
            launch_origin_rect = Gfx::IntRect {
                parts[0].to_int().value_or(0),
                parts[1].to_int().value_or(0),

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 834 Column: 9 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

    if (!m_back_store || m_back_store->size() != m_front_store->size()) {
        m_back_store = create_backing_store(m_front_store->size());
        VERIFY(m_back_store);
        memcpy(m_back_store->bitmap().scanline(0), m_front_store->bitmap().scanline(0), m_front_store->bitmap().size_in_bytes());
        m_back_store->bitmap().set_volatile();
        return;
    }

    // Copy whatever was painted from the front to the back.

Reported by FlawFinder.

Userland/DevTools/HackStudio/Locator.h
2 issues
There is an unknown macro here somewhere. Configuration is required. If C_OBJECT is a macro then please configure it.
Error

Line: 16

namespace HackStudio {

class Locator final : public GUI::Widget {
    C_OBJECT(Locator)
public:
    virtual ~Locator() override;

    void open();
    void close();

Reported by Cppcheck.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 20 Column: 10 CWE codes: 362

public:
    virtual ~Locator() override;

    void open();
    void close();

private:
    void update_suggestions();
    void open_suggestion(const GUI::ModelIndex&);

Reported by FlawFinder.

Kernel/Storage/StorageDevice.cpp
2 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 40 Column: 34 CWE codes: 120 20

    return m_storage_controller;
}

KResultOr<size_t> StorageDevice::read(FileDescription&, u64 offset, UserOrKernelBuffer& outbuf, size_t len)
{
    unsigned index = offset / block_size();
    u16 whole_blocks = len / block_size();
    size_t remaining = len % block_size();

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 165 Column: 20 CWE codes: 120 20

            }
        }

        if (!inbuf.read(data.data(), pos, remaining))
            return EFAULT;

        {
            auto write_request = make_request<AsyncBlockDeviceRequest>(AsyncBlockDeviceRequest::Write, index + whole_blocks, 1, data_buffer, block_size());
            auto result = write_request->wait();

Reported by FlawFinder.