The following issues were found:

Tests/Kernel/TestKernelUnveil.cpp
1 issue
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition.
Security

Line: 84 Column: 11 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly.

    if (res >= 0)
        FAIL("unveil permitted after unveil state locked");

    res = access("/bin/id", F_OK);
    if (res == 0)
        FAIL("access(..., F_OK) permitted after locked veil without relevant unveil");
}

Reported by FlawFinder.

Tests/AK/TestFormat.cpp
1 issue
mkstemp - Potential for temporary file vulnerability in some circumstances. Some older Unix-like systems create temp files with permission to write by all by default, so be sure to set the umask to override this. Also, some older Unix systems might fail to use O_EXCL when opening the file, so make sure that O_EXCL is used by the library.
Security

Line: 219 Column: 14 CWE codes: 377

{
    char filename[] = "/tmp/test-file-descriptor-XXXXXX";

    int fd = mkstemp(filename);
    FILE* file = fdopen(fd, "w+");

    outln(file, "{}", "Hello, World!");
    out(file, "foo");
    outln(file, "bar");

Reported by FlawFinder.

Tests/AK/TestBase64.cpp
1 issue
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected).
Security

Line: 33 Column: 47 CWE codes: 126

TEST_CASE(test_encode)
{
    auto encode_equal = [&](const char* input, const char* expected) {
        auto encoded = encode_base64({ input, strlen(input) });
        EXPECT(encoded == String(expected));
        EXPECT_EQ(StringView(expected).length(), calculate_base64_encoded_length(StringView(input).bytes()));
    };

    encode_equal("", "");

Reported by FlawFinder.

Userland/Libraries/LibCrypto/ASN1/DER.h
1 issue
read - Check buffer boundaries if used in a loop, including recursive loops.
Security

Line: 82 Column: 36 CWE codes: 120 20

    }

    template<typename ValueType>
    Result<ValueType, DecodeError> read(Optional<Class> class_override = {}, Optional<Kind> kind_override = {})
    {
        if (m_stack.is_empty())
            return DecodeError::NoInput;

        if (eof())

Reported by FlawFinder.

AK/StringImpl.h
1 issue
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues.
Security

Line: 102 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.

    mutable unsigned m_hash { 0 };
    mutable bool m_has_hash { false };
    mutable bool m_fly { false };
    char m_inline_buffer[0];
};

inline size_t allocation_size_for_stringimpl(size_t length)
{
    return sizeof(StringImpl) + (sizeof(char) * length) + sizeof(char);

Reported by FlawFinder.

Kernel/TTY/VirtualConsole.cpp
1 issue
memcpy - Does not check for buffer overflows when copying to destination.
Security

Line: 157 Column: 9 CWE codes: 120
Suggestion: Make sure the destination can always hold the source data.

    auto common_columns_count = min(old_columns_count, columns());
    for (size_t row = 0; row < common_rows_count; row++) {
        auto& line = m_lines[row];
        memcpy(new_cells->vaddr().offset(row * columns() * sizeof(Cell)).as_ptr(), m_cells->vaddr().offset(row * old_columns_count * sizeof(Cell)).as_ptr(), common_columns_count * sizeof(Cell));
        line.dirty = true;
    }

    // Update the new cells Region
    m_cells = move(new_cells);

Reported by FlawFinder.

Userland/Libraries/LibDebug/DebugSession.cpp
1 issue
open - Check when opening files: can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 404 Column: 21 CWE codes: 362

void DebugSession::update_loaded_libs()
{
    auto file = Core::File::construct(String::formatted("/proc/{}/vm", m_debuggee_pid));
    bool rc = file->open(Core::OpenMode::ReadOnly);
    VERIFY(rc);

    auto file_contents = file->read_all();
    auto json = JsonValue::from_string(file_contents);
    VERIFY(json.has_value());

Reported by FlawFinder.

Kernel/TTY/TTY.h
1 issue
read - Check buffer boundaries if used in a loop, including recursive loops.
Security

Line: 24 Column: 31 CWE codes: 120 20

public:
    virtual ~TTY() override;

    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override;
    virtual bool can_read(const FileDescription&, size_t) const override;
    virtual bool can_write(const FileDescription&, size_t) const override;
    virtual KResult ioctl(FileDescription&, unsigned request, Userspace<void*> arg) override final;
    virtual String absolute_path(const FileDescription&) const override { return tty_name(); }

Reported by FlawFinder.

Userland/Libraries/LibDesktop/AppFile.h
1 issue
open - Check when opening files: can an attacker redirect it (via symlinks), force the opening of a special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 19 Column: 35 CWE codes: 362

public:
    static constexpr const char* APP_FILES_DIRECTORY = "/res/apps";
    static NonnullRefPtr<AppFile> get_for_app(const StringView& app_name);
    static NonnullRefPtr<AppFile> open(const StringView& path);
    static void for_each(Function<void(NonnullRefPtr<AppFile>)>, const StringView& directory = APP_FILES_DIRECTORY);
    ~AppFile();

    bool is_valid() const { return m_valid; }
    String filename() const { return m_config->filename(); }

Reported by FlawFinder.

Kernel/TTY/SlavePTY.h
1 issue
read - Check buffer boundaries if used in a loop, including recursive loops.
Security

Line: 36 Column: 31 CWE codes: 120 20

    // ^CharacterDevice
    virtual bool can_read(const FileDescription&, size_t) const override;
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual bool can_write(const FileDescription&, size_t) const override;
    virtual StringView class_name() const override { return "SlavePTY"; }
    virtual KResult close() override;

    // ^Device

Reported by FlawFinder.