The following issues were found
Kernel/Prekernel/init.cpp
1 issues
Line: 35
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// Symbols declared with C linkage; their definitions are not part of this excerpt.
extern "C" u64 boot_pd_kernel_pt0[512];
extern "C" u64 boot_pd_kernel_image_pts[512 * (MAX_KERNEL_SIZE >> 21 & 0x1ff)];
extern "C" u64 boot_pd_kernel_pt1023[512];
// Flagged line: a declaration of a const, fixed-size 4096-byte array; nothing is copied here.
// The finding matches the statically sized char array itself. What needs checking is that every
// site that fills or reads this buffer stays within 4096 bytes and treats the contents as
// NUL-terminated only after verifying that they are; those sites are not shown in this excerpt.
extern "C" char const kernel_cmdline[4096];
extern "C" void reload_cr3();
extern "C" {
multiboot_info_t* multiboot_info_ptr;
Reported by FlawFinder.
Userland/Libraries/LibSanitizer/UBSanitizer.cpp
1 issues
Line: 35
Column: 30
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
// Reads UBSAN_OPTIONS at most once (guarded by the static flag) and sets g_ubsan_is_deadly
// when the option string requests it.
static bool checked_env_for_deadly = false;
if (!checked_env_for_deadly) {
checked_env_for_deadly = true;
// Flagged call: the value comes from the process environment, i.e. from whoever launched the
// process. In the lines shown its only effect is to set g_ubsan_is_deadly to true; it is not
// used as a size, path or format string here.
StringView options = getenv("UBSAN_OPTIONS");
// FIXME: Parse more options and complain about invalid options
// is_null() presumably covers the unset-variable case (getenv returning nullptr) - confirm.
// NOTE(review): contains() is a substring match, so a value such as "halt_on_error=10" also
// enables the flag; an exact key=value parse (see the FIXME) would remove that ambiguity.
if (!options.is_null() && options.contains("halt_on_error=1"))
g_ubsan_is_deadly = true;
}
if (g_ubsan_is_deadly) {
Reported by FlawFinder.
Kernel/PerformanceEventBuffer.cpp
1 issues
Line: 150
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
auto backtrace = raw_backtrace(bp, ip);
// Clamp the frame count to the capacity of event.stack, counted in FlatPtr elements, so the
// copy below cannot write past the destination; longer backtraces are truncated.
event.stack_size = min(sizeof(event.stack) / sizeof(FlatPtr), static_cast<size_t>(backtrace.size()));
// Flagged call: the byte count is derived from the clamped element count, not from
// backtrace.size(), so it is bounded by sizeof(event.stack).
memcpy(event.stack, backtrace.data(), event.stack_size * sizeof(FlatPtr));
event.pid = pid.value();
event.tid = tid.value();
event.timestamp = TimeManagement::the().uptime_ms();
// NOTE(review): the capacity check for m_count is not visible in this excerpt - confirm it
// happens before this store.
at(m_count++) = event;
Reported by FlawFinder.
Kernel/Net/UDPSocket.cpp
1 issues
Line: 92
Column: 15
CWE codes:
120
20
udp_packet.set_source_port(local_port());
udp_packet.set_destination_port(peer_port());
udp_packet.set_length(udp_buffer_size);
// Flagged call: read() is a member function of `data` that copies data_length bytes into the
// UDP payload; a failed copy is reported as EFAULT.
// NOTE(review): the allocation size of `packet` and the relation between data_length and
// udp_buffer_size are established above this excerpt - confirm payload() has room for
// data_length bytes.
if (!data.read(udp_packet.payload(), data_length))
return set_so_error(EFAULT);
routing_decision.adapter->fill_in_ipv4_header(*packet, local_address(), routing_decision.next_hop,
peer_address(), IPv4Protocol::UDP, udp_buffer_size, ttl());
routing_decision.adapter->send_packet(packet->bytes());
Reported by FlawFinder.
Kernel/Net/Socket.h
1 issues
Line: 105
Column: 31
CWE codes:
120
20
Mutex& lock() { return m_lock; }
// ^File
// Flagged line: a declaration only; the tool matched the member name `read`. No buffer is
// accessed here. Whether the size_t argument is kept within the buffer is decided in the
// definition, which is not part of this header excerpt.
virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override final;
virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override final;
virtual KResult stat(::stat&) const override;
virtual String absolute_path(const FileDescription&) const override = 0;
bool has_receive_timeout() const { return m_receive_timeout != Time::zero(); }
Reported by FlawFinder.
Userland/Utilities/realpath.cpp
1 issues
Line: 26
Column: 19
CWE codes:
120/785!
Suggestion:
Ensure that the destination buffer is at least of size MAXPATHLEN, and to protect against implementation problems, the input argument should also be checked to ensure it is no larger than MAXPATHLEN
args_parser.add_positional_argument(path, "Path to resolve", "path");
args_parser.parse(argc, argv);
// Flagged call: with nullptr as the second argument, realpath() allocates the result buffer
// itself (POSIX.1-2008), so no caller-supplied fixed-size destination is involved here.
// NOTE(review): `value` is not freed in the lines shown - confirm that is intentional, e.g.
// because the process exits right after printing.
char* value = realpath(path, nullptr);
if (value == nullptr) {
// Resolution failed; report the errno text and exit with a non-zero status.
perror("realpath");
return 1;
}
outln("{}", value);
Reported by FlawFinder.
Kernel/Net/Socket.cpp
1 issues
Line: 226
Column: 27
CWE codes:
120
20
}
}
KResultOr<size_t> Socket::read(FileDescription& description, u64, UserOrKernelBuffer& buffer, size_t size)
{
if (is_shut_down_for_reading())
return 0;
Time t {};
return recvfrom(description, buffer, size, 0, {}, 0, t);
Reported by FlawFinder.
Userland/Libraries/LibTLS/HandshakeServer.cpp
1 issues
Line: 59
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (session_length && session_length <= 32) {
// Flagged call: the enclosing condition requires session_length to be nonzero and at most 32.
// NOTE(review): the copy is within bounds only if m_context.session_id holds at least 32 bytes,
// `buffer` has session_length bytes available at offset `res`, and session_length is unsigned
// (a negative value would also pass the `<= 32` test). None of these is visible in this
// excerpt - confirm each.
memcpy(m_context.session_id, buffer.offset_pointer(res), session_length);
m_context.session_id_size = session_length;
if constexpr (TLS_DEBUG) {
dbgln("Remote session ID:");
print_buffer(ReadonlyBytes { m_context.session_id, session_length });
}
Reported by FlawFinder.
Userland/Libraries/LibTLS/Record.cpp
1 issues
Line: 419
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
// The received MAC is taken to start `length` bytes into the decrypted record.
// NOTE(review): the check that length + mac_size fits inside decrypted_span is not visible
// in this excerpt - confirm it precedes this line.
const u8* message_hmac = decrypted_span.offset(length);
// 5-byte header fed to the MAC: 3 bytes from the start of `buffer`, then the 16-bit length
// converted to network byte order.
u8 temp_buf[5];
// Flagged call: fixed 3-byte copy into a 5-byte array; bytes 3..4 are written by the next line.
memcpy(temp_buf, buffer.offset_pointer(0), 3);
// NOTE(review): this stores through a u16* into a u8 array at offset 3, i.e. a type-punned and
// possibly unaligned write. A memcpy from a local u16 would produce the same bytes without
// relying on that.
*(u16*)(temp_buf + 3) = AK::convert_between_host_and_network_endian(length);
auto hmac = hmac_message({ temp_buf, 5 }, decrypted_span.slice(0, length), mac_size);
// NOTE(review): this view of the received MAC is compared with the computed one just below;
// confirm that the comparison runs in constant time.
auto message_mac = ReadonlyBytes { message_hmac, mac_size };
if (hmac != message_mac) {
dbgln("integrity check failed (mac length {})", mac_size);
Reported by FlawFinder.
Kernel/Net/RTL8168NetworkAdapter.cpp
1 issues
Line: 1165
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
dbgln_if(RTL8168_DEBUG, "RTL8168: Chose descriptor {}", m_tx_free_index);
// Flagged call: copies payload.size() bytes into the TX buffer region of the chosen descriptor.
// NOTE(review): no bound against that region's size is visible in this excerpt - confirm that
// the caller or an earlier line caps payload.size().
memcpy(m_tx_buffers_regions[m_tx_free_index].vaddr().as_ptr(), payload.data(), payload.size());
// Advance to the next descriptor, wrapping at number_of_tx_descriptors.
m_tx_free_index = (m_tx_free_index + 1) % number_of_tx_descriptors;
// Only the low 14 bits of the size are recorded (mask 0x3FFF), so a payload larger than 0x3FFF
// would have been copied in full above but described here with a truncated length.
free_descriptor.frame_length = payload.size() & 0x3FFF;
free_descriptor.flags = free_descriptor.flags | TXDescriptor::Ownership;
Reported by FlawFinder.