The following issues were found

Kernel/Devices/RandomDevice.h
1 issue
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 27 Column: 31 CWE codes: 120 20

    RandomDevice();

    // ^CharacterDevice
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override;
    virtual bool can_read(const FileDescription&, size_t) const override;
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }
    virtual StringView class_name() const override { return "RandomDevice"; }
};

            

Reported by FlawFinder.

Kernel/Devices/RandomDevice.cpp
1 issue
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 32 Column: 33 CWE codes: 120 20

    return true;
}

KResultOr<size_t> RandomDevice::read(FileDescription&, u64, UserOrKernelBuffer& buffer, size_t size)
{
    return buffer.write_buffered<256>(size, [&](u8* data, size_t data_size) {
        get_good_random_bytes(data, data_size);
        return data_size;
    });

            

Reported by FlawFinder.

Kernel/Devices/NullDevice.h
1 issue
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 28 Column: 31 CWE codes: 120 20

              
private:
    // ^CharacterDevice
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override;
    virtual bool can_write(const FileDescription&, size_t) const override { return true; }
    virtual bool can_read(const FileDescription&, size_t) const override;
    virtual StringView class_name() const override { return "NullDevice"; }
    virtual bool is_seekable() const override { return true; }

            

Reported by FlawFinder.

Userland/Shell/Parser.cpp
1 issue
char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues
Security

Line: 119 Column: 5 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              
static inline char to_byte(char a, char b)
{
    char buf[3] { a, b, 0 };
    return strtol(buf, nullptr, 16);
}

RefPtr<AST::Node> Parser::parse()
{

            

Reported by FlawFinder.

Kernel/Devices/NullDevice.cpp
1 issue
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 39 Column: 31 CWE codes: 120 20

    return true;
}

KResultOr<size_t> NullDevice::read(FileDescription&, u64, UserOrKernelBuffer&, size_t)
{
    return 0;
}

KResultOr<size_t> NullDevice::write(FileDescription&, u64, const UserOrKernelBuffer&, size_t buffer_size)

            

Reported by FlawFinder.

Kernel/Devices/MemoryDevice.h
1 issue
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 34 Column: 31 CWE codes: 120 20

    virtual bool can_read(const FileDescription&, size_t) const override { return true; }
    virtual bool can_write(const FileDescription&, size_t) const override { return false; }
    virtual bool is_seekable() const override { return true; }
    virtual KResultOr<size_t> read(FileDescription&, u64, UserOrKernelBuffer&, size_t) override;
    virtual KResultOr<size_t> write(FileDescription&, u64, const UserOrKernelBuffer&, size_t) override { return EINVAL; }

    virtual void did_seek(FileDescription&, off_t) override;

    bool is_allowed_range(PhysicalAddress, Memory::VirtualRange const&) const;

            

Reported by FlawFinder.

Userland/Shell/SyntaxHighlighter.cpp
1 issue
Iterators to containers from different expressions 'a.range' and 'b.range' are used together.
Error

Line: 550 CWE codes: 664

    if (ast)
        ast->visit(visitor);

    quick_sort(spans, [](auto& a, auto& b) { return a.range.start() < b.range.start() && a.range.end() < b.range.end(); });

    if constexpr (SYNTAX_HIGHLIGHTING_DEBUG) {
        for (auto& span : spans) {
            dbgln("Kind {}, range {}.", span.data, span.range);
        }

            

Reported by Cppcheck.

Userland/Shell/main.cpp
1 issue
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 110 Column: 33 CWE codes: 362

    parser.parse(argc, argv);

    if (format) {
        auto file = Core::File::open(format, Core::OpenMode::ReadOnly);
        if (file.is_error()) {
            warnln("Error: {}", file.error());
            return 1;
        }


            

Reported by FlawFinder.

Userland/Utilities/test-unveil.cpp
1 issue
access - This usually indicates a security flaw. If an attacker can change anything along the path between the call to access() and the file's actual use (e.g., by moving files), the attacker can exploit the race condition
Security

Line: 57 Column: 17 CWE codes: 362/367!
Suggestion: Set up the correct permissions (e.g., using setuid()) and try to open the file directly

        .min_values = 0,
        .max_values = INT_MAX,
        .accept_value = [&](auto* s) {
            if (access(s, X_OK) == 0)
                warnln("'{}' - ok", s);
            else
                warnln("'{}' - fail: {}", s, strerror(errno));
            return true;
        } });

            

Reported by FlawFinder.

Userland/Utilities/avol.cpp
1 issue
atoi - Unless checked, the resulting number can exceed the expected range
Security

Line: 45 Column: 27 CWE codes: 190
Suggestion: If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)

        audio_client->set_muted(false);
        outln("Unmuted.");
    } else {
        auto new_volume = atoi(volume);
        audio_client->set_main_mix_volume(new_volume);
    }
    return 0;
}

            

Reported by FlawFinder.