The following issues were found
Userland/Applications/FileManager/DirectoryView.cpp
5 issues
Line: 189
Column: 34
CWE codes:
362/367!
Suggestion:
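Set up the correct permissions (e.g., using setuid()) and try to open the file directly. In this excerpt the access() result only enables or disables the mkdir and touch actions, so it is a UI hint rather than an authorization check; the code that later creates the entry must still handle a permission error on its own.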
add_path_to_history(model().root_path());
bool can_write_in_path = access(model().root_path().characters(), W_OK) == 0;
m_mkdir_action->set_enabled(can_write_in_path);
m_touch_action->set_enabled(can_write_in_path);
if (on_path_change)
Reported by FlawFinder.
Line: 496
Column: 65
CWE codes:
362/367!
Suggestion:
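Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Here the access() result only toggles the delete, force-delete and rename actions; the operations behind them must still check the error they get back, because permissions can change after this check.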
{
update_statusbar();
bool can_modify = !current_view().selection().is_empty() && access(path().characters(), W_OK) == 0;
m_delete_action->set_enabled(can_modify);
m_force_delete_action->set_enabled(can_modify);
m_rename_action->set_enabled(can_modify);
if (on_selection_change)
Reported by FlawFinder.
Line: 109
Column: 32
CWE codes:
362
if (S_ISDIR(st.st_mode)) {
if (is_desktop()) {
Desktop::Launcher::open(URL::create_with_file_protocol(path));
return;
}
open(path);
return;
}
Reported by FlawFinder.
Line: 112
Column: 9
CWE codes:
362
Desktop::Launcher::open(URL::create_with_file_protocol(path));
return;
}
open(path);
return;
}
auto url = URL::create_with_file_protocol(path);
auto launcher_handlers = get_launch_handlers(url);
Reported by FlawFinder.
Line: 358
Column: 21
CWE codes:
362
m_path_history_position = m_path_history.size() - 1;
}
void DirectoryView::open(String const& path)
{
auto real_path = Core::File::real_path_for(path);
if (model().root_path() == real_path) {
model().invalidate();
Reported by FlawFinder.
Userland/Libraries/LibPDF/Parser.cpp
5 issues
Line: 94
Column: 31
CWE codes:
120
20
return false;
m_reader.move_by(5);
char major_ver = m_reader.read();
if (major_ver != '1' && major_ver != '2')
return false;
if (m_reader.read() != '.')
return false;
Reported by FlawFinder.
Line: 97
Column: 18
CWE codes:
120
20
char major_ver = m_reader.read();
if (major_ver != '1' && major_ver != '2')
return false;
if (m_reader.read() != '.')
return false;
char minor_ver = m_reader.read();
if (minor_ver < '0' || minor_ver > '7')
return false;
Reported by FlawFinder.
Line: 100
Column: 31
CWE codes:
120
20
if (m_reader.read() != '.')
return false;
char minor_ver = m_reader.read();
if (minor_ver < '0' || minor_ver > '7')
return false;
consume_eol();
// Parse optional high-byte comment, which signifies a binary file
Reported by FlawFinder.
Line: 347
Column: 36
CWE codes:
120
20
if (!consume(' '))
return {};
auto letter = m_reader.read();
if (letter != 'n' && letter != 'f')
return {};
// The line ending sequence can be one of the following:
// SP CR, SP LF, or CR LF
Reported by FlawFinder.
Userland/Applications/FileManager/PropertiesWindow.cpp
5 issues
Line: 213
Column: 13
CWE codes:
362
Suggestion:
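Use fchmod() instead. The call shown passes a path built by make_full_path(m_name); changing the mode through a descriptor opened earlier ensures the change lands on the same file that was inspected.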
}
if (m_permissions_dirty) {
if (chmod(make_full_path(m_name).characters(), m_mode)) {
GUI::MessageBox::show(this, String::formatted("Could not update permissions: {}!", strerror(errno)), "Error", GUI::MessageBox::Type::Error);
return false;
}
m_old_mode = m_mode;
Reported by FlawFinder.
Line: 92
Column: 28
CWE codes:
362
auto location = general_tab.find_descendant_of_type_named<GUI::LinkLabel>("location");
location->set_text(path);
location->on_click = [this] {
Desktop::Launcher::open(URL::create_with_file_protocol(m_parent_path, m_name));
};
if (S_ISLNK(m_mode)) {
auto link_destination = Core::File::read_link(path);
if (link_destination.is_null()) {
Reported by FlawFinder.
Line: 104
Column: 36
CWE codes:
362
link_location->set_text(link_destination);
link_location->on_click = [link_destination] {
auto link_directory = LexicalPath(link_destination);
Desktop::Launcher::open(URL::create_with_file_protocol(link_directory.dirname(), link_directory.basename()));
};
}
} else {
auto link_location_widget = general_tab.find_descendant_of_type_named<GUI::Widget>("link_location_widget");
general_tab.remove_child(*link_location_widget);
Reported by FlawFinder.
Line: 240
Column: 39
CWE codes:
120
20
auto can_edit_checkboxes = st.st_uid == getuid();
box_read.set_checked(mode & masks.read);
box_read.on_checked = [&, masks](bool checked) { permission_changed(masks.read, checked); };
box_read.set_enabled(can_edit_checkboxes);
box_write.set_checked(mode & masks.write);
box_write.on_checked = [&, masks](bool checked) { permission_changed(masks.write, checked); };
Reported by FlawFinder.
Line: 241
Column: 79
CWE codes:
120
20
auto can_edit_checkboxes = st.st_uid == getuid();
box_read.set_checked(mode & masks.read);
box_read.on_checked = [&, masks](bool checked) { permission_changed(masks.read, checked); };
box_read.set_enabled(can_edit_checkboxes);
box_write.set_checked(mode & masks.write);
box_write.on_checked = [&, masks](bool checked) { permission_changed(masks.write, checked); };
box_write.set_enabled(can_edit_checkboxes);
Reported by FlawFinder.
Userland/Libraries/LibLine/InternalFunctions.cpp
5 issues
Line: 564
Column: 9
CWE codes:
78
Suggestion:
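Try using a library call that implements the same functionality if available. The excerpt passes an argument vector to execvp(), so no shell parses the command; what remains to review is where editor_command comes from (the EDITOR environment variable, per the finding at line 518) and that execvp() resolves a bare name through PATH.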
}
if (pid == 0) {
execvp(editor_command, const_cast<char* const*>(args.data()));
perror("execv");
_exit(126);
} else {
int wstatus = 0;
do {
Reported by FlawFinder.
Line: 518
Column: 34
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
void Editor::edit_in_external_editor()
{
const auto* editor_command = getenv("EDITOR");
if (!editor_command)
editor_command = m_configuration.m_default_text_editor.characters();
char file_path[] = "/tmp/line-XXXXXX";
auto fd = mkstemp(file_path);
Reported by FlawFinder.
Line: 523
Column: 15
CWE codes:
377
editor_command = m_configuration.m_default_text_editor.characters();
char file_path[] = "/tmp/line-XXXXXX";
auto fd = mkstemp(file_path);
if (fd < 0) {
perror("mktemp");
return;
}
Reported by FlawFinder.
Line: 556
Column: 16
CWE codes:
362
Suggestion:
Use fork() instead
};
Vector<const char*> args { editor_command, file_path, nullptr };
auto pid = vfork();
if (pid == -1) {
perror("vfork");
return;
}
Reported by FlawFinder.
Line: 578
Column: 42
CWE codes:
362
}
{
auto file_or_error = Core::File::open(file_path, Core::OpenMode::ReadOnly);
if (file_or_error.is_error())
return;
auto file = file_or_error.release_value();
auto contents = file->read_all();
Reported by FlawFinder.
Userland/Libraries/LibC/stat.cpp
5 issues
Line: 33
Column: 5
CWE codes:
362
Suggestion:
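Use fchmod() instead. (This hit is on the C library's own definition of chmod(), shown below, not on a caller; the suggestion applies to call sites rather than to this definition.)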
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int chmod(const char* pathname, mode_t mode)
{
if (!pathname) {
errno = EFAULT;
return -1;
}
Reported by FlawFinder.
Line: 18
Column: 8
CWE codes:
732
extern "C" {
mode_t umask(mode_t mask)
{
return syscall(SC_umask, mask);
}
int mkdir(const char* pathname, mode_t mode)
Reported by FlawFinder.
Line: 29
Column: 42
CWE codes:
126
errno = EFAULT;
return -1;
}
int rc = syscall(SC_mkdir, pathname, strlen(pathname), mode);
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int chmod(const char* pathname, mode_t mode)
{
Reported by FlawFinder.
Line: 39
Column: 42
CWE codes:
126
errno = EFAULT;
return -1;
}
int rc = syscall(SC_chmod, pathname, strlen(pathname), mode);
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int fchmod(int fd, mode_t mode)
{
Reported by FlawFinder.
Line: 60
Column: 53
CWE codes:
126
errno = EFAULT;
return -1;
}
Syscall::SC_stat_params params { dirfd, { path, strlen(path) }, statbuf, follow_symlinks };
int rc = syscall(SC_stat, &params);
__RETURN_WITH_ERRNO(rc, rc, -1);
}
int lstat(const char* path, struct stat* statbuf)
Reported by FlawFinder.
Kernel/Process.cpp
5 issues
Line: 380
CWE codes:
570
g_signal_trampoline_region = MM.allocate_kernel_region(PAGE_SIZE, "Signal trampolines", Memory::Region::Access::ReadWrite).leak_ptr();
g_signal_trampoline_region->set_syscall_region(true);
size_t trampoline_size = asm_signal_trampoline_end - asm_signal_trampoline;
u8* code_ptr = (u8*)g_signal_trampoline_region->vaddr().as_ptr();
memcpy(code_ptr, asm_signal_trampoline, trampoline_size);
g_signal_trampoline_region->set_writable(false);
Reported by Cppcheck.
Line: 167
Column: 45
CWE codes:
362
return {};
}
auto& device_to_use_as_tty = tty ? (CharacterDevice&)*tty : NullDevice::the();
auto description = device_to_use_as_tty.open(O_RDWR).value();
auto setup_description = [&process, &description](int fd) {
process->m_fds.m_fds_metadatas[fd].allocate();
process->m_fds[fd].set(*description);
};
Reported by FlawFinder.
Line: 383
Column: 5
CWE codes:
120
Suggestion:
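Make sure destination can always hold the source data. The Cppcheck finding above shows the destination region allocated with PAGE_SIZE; no check that trampoline_size fits within PAGE_SIZE is visible in these excerpts, so asserting that bound before the memcpy() would make the invariant explicit.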
size_t trampoline_size = asm_signal_trampoline_end - asm_signal_trampoline;
u8* code_ptr = (u8*)g_signal_trampoline_region->vaddr().as_ptr();
memcpy(code_ptr, asm_signal_trampoline, trampoline_size);
g_signal_trampoline_region->set_writable(false);
g_signal_trampoline_region->remap();
}
Reported by FlawFinder.
Line: 581
Column: 58
CWE codes:
362
// Try to generate a filename which isn't already used.
auto base_filename = String::formatted("{}_{}", name(), pid().value());
auto description_or_error = VirtualFileSystem::the().open(String::formatted("{}.profile", base_filename), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
for (size_t attempt = 1; attempt < 10 && description_or_error.is_error(); ++attempt)
description_or_error = VirtualFileSystem::the().open(String::formatted("{}.{}.profile", base_filename, attempt), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
if (description_or_error.is_error()) {
dbgln("Failed to generate perfcore for pid {}: Could not generate filename for the perfcore file.", pid().value());
return false;
Reported by FlawFinder.
Line: 583
Column: 57
CWE codes:
362
auto base_filename = String::formatted("{}_{}", name(), pid().value());
auto description_or_error = VirtualFileSystem::the().open(String::formatted("{}.profile", base_filename), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
for (size_t attempt = 1; attempt < 10 && description_or_error.is_error(); ++attempt)
description_or_error = VirtualFileSystem::the().open(String::formatted("{}.{}.profile", base_filename, attempt), O_CREAT | O_EXCL, 0400, current_directory(), UidAndGid { uid(), gid() });
if (description_or_error.is_error()) {
dbgln("Failed to generate perfcore for pid {}: Could not generate filename for the perfcore file.", pid().value());
return false;
}
Reported by FlawFinder.
Kernel/API/POSIX/sys/utsname.h
5 issues
Line: 18
Column: 5
CWE codes:
119
120
Suggestion:
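Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. This and the four hits that follow are the field declarations of struct utsname (UTSNAME_ENTRY_LEN, 65 bytes each); the bounds check belongs in the code that writes these fields, which is not shown here.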
#define UTSNAME_ENTRY_LEN 65
struct utsname {
char sysname[UTSNAME_ENTRY_LEN];
char nodename[UTSNAME_ENTRY_LEN];
char release[UTSNAME_ENTRY_LEN];
char version[UTSNAME_ENTRY_LEN];
char machine[UTSNAME_ENTRY_LEN];
};
Reported by FlawFinder.
Line: 19
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct utsname {
char sysname[UTSNAME_ENTRY_LEN];
char nodename[UTSNAME_ENTRY_LEN];
char release[UTSNAME_ENTRY_LEN];
char version[UTSNAME_ENTRY_LEN];
char machine[UTSNAME_ENTRY_LEN];
};
Reported by FlawFinder.
Line: 20
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct utsname {
char sysname[UTSNAME_ENTRY_LEN];
char nodename[UTSNAME_ENTRY_LEN];
char release[UTSNAME_ENTRY_LEN];
char version[UTSNAME_ENTRY_LEN];
char machine[UTSNAME_ENTRY_LEN];
};
#ifdef __cplusplus
Reported by FlawFinder.
Line: 21
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char sysname[UTSNAME_ENTRY_LEN];
char nodename[UTSNAME_ENTRY_LEN];
char release[UTSNAME_ENTRY_LEN];
char version[UTSNAME_ENTRY_LEN];
char machine[UTSNAME_ENTRY_LEN];
};
#ifdef __cplusplus
}
Reported by FlawFinder.
Line: 22
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char nodename[UTSNAME_ENTRY_LEN];
char release[UTSNAME_ENTRY_LEN];
char version[UTSNAME_ENTRY_LEN];
char machine[UTSNAME_ENTRY_LEN];
};
#ifdef __cplusplus
}
#endif
Reported by FlawFinder.
Kernel/FileSystem/InodeFile.cpp
5 issues
Line: 125
Column: 20
CWE codes:
362
Suggestion:
Use fchown( ) instead
return KSuccess;
}
// Changes the owner and group of the file behind an already-open FileDescription
// by forwarding to VirtualFileSystem::chown() with the description's custody.
// NOTE(review): the FlawFinder hit on this function looks like a name match on
// "chown"; the member takes a FileDescription, not a path string. Presumably this
// is the descriptor-based path the tool recommends; confirm against the caller.
KResult InodeFile::chown(FileDescription& description, uid_t uid, gid_t gid)
{
// The description must refer to this file's inode.
VERIFY(description.inode() == m_inode);
// A custody is required because it is dereferenced in the call below.
VERIFY(description.custody());
return VirtualFileSystem::the().chown(*description.custody(), uid, gid);
}
Reported by FlawFinder.
Line: 129
Column: 37
CWE codes:
362
Suggestion:
Use fchown( ) instead
{
VERIFY(description.inode() == m_inode);
VERIFY(description.custody());
return VirtualFileSystem::the().chown(*description.custody(), uid, gid);
}
KResult InodeFile::chmod(FileDescription& description, mode_t mode)
{
VERIFY(description.inode() == m_inode);
Reported by FlawFinder.
Line: 132
Column: 20
CWE codes:
362
Suggestion:
Use fchmod( ) instead
return VirtualFileSystem::the().chown(*description.custody(), uid, gid);
}
// Changes the mode of the file behind an already-open FileDescription by
// forwarding to VirtualFileSystem::chmod() with the description's custody.
// NOTE(review): the FlawFinder hit on this function looks like a name match on
// "chmod"; the member takes a FileDescription, not a path string. Presumably this
// is the descriptor-based path the tool recommends; confirm against the caller.
KResult InodeFile::chmod(FileDescription& description, mode_t mode)
{
// The description must refer to this file's inode.
VERIFY(description.inode() == m_inode);
// A custody is required because it is dereferenced in the call below.
VERIFY(description.custody());
return VirtualFileSystem::the().chmod(*description.custody(), mode);
}
Reported by FlawFinder.
Line: 136
Column: 37
CWE codes:
362
Suggestion:
Use fchmod( ) instead
{
VERIFY(description.inode() == m_inode);
VERIFY(description.custody());
return VirtualFileSystem::the().chmod(*description.custody(), mode);
}
}
Reported by FlawFinder.
Line: 29
Column: 30
CWE codes:
120
20
{
}
KResultOr<size_t> InodeFile::read(FileDescription& description, u64 offset, UserOrKernelBuffer& buffer, size_t count)
{
if (Checked<off_t>::addition_would_overflow(offset, count))
return EOVERFLOW;
auto result = m_inode->read_bytes(offset, count, buffer, &description);
Reported by FlawFinder.
Tests/Kernel/TestKernelFilePermissions.cpp
5 issues
Line: 21
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_contents)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
char buffer[8] {};
Reported by FlawFinder.
Line: 26
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
char buffer[8] {};
write(fd, buffer, sizeof(buffer));
struct stat s;
EXPECT(fstat(fd, &s) != -1);
close(fd);
Reported by FlawFinder.
Line: 41
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_ownership)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
fchown(fd, getuid(), getgid());
Reported by FlawFinder.
Line: 60
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_permissions)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
fchmod(fd, 0755);
Reported by FlawFinder.
Line: 79
Column: 15
CWE codes:
377
TEST_CASE(test_change_file_location)
{
char path[] = "/tmp/suid.XXXXXX";
auto fd = mkstemp(path);
EXPECT(fd != -1);
ftruncate(fd, 0);
EXPECT(fchmod(fd, 06755) != -1);
auto suid_path = Core::File::read_link(String::formatted("/proc/{}/fd/{}", getpid(), fd));
Reported by FlawFinder.
Userland/Libraries/LibAudio/FlacLoader.cpp
5 issues
Line: 26
Column: 18
CWE codes:
362
FlacLoaderPlugin::FlacLoaderPlugin(const StringView& path)
: m_file(Core::File::construct(path))
{
if (!m_file->open(Core::OpenMode::ReadOnly)) {
m_error_string = String::formatted("Can't open file: {}", m_file->error_string());
return;
}
m_stream = make<FlacInputStream>(Core::InputFileStream(*m_file));
Reported by FlawFinder.
Line: 142
Column: 43
CWE codes:
120
20
CHECK_OK("Number of samples");
// Parse checksum into a buffer first
ByteBuffer md5_checksum = ByteBuffer::create_uninitialized(128 / 8);
auto md5_bytes_read = streaminfo_data.read(md5_checksum);
ok = ok && (md5_bytes_read == md5_checksum.size());
CHECK_OK("MD5 Checksum");
md5_checksum.bytes().copy_to({ m_md5_checksum, sizeof(m_md5_checksum) });
// Parse other blocks
Reported by FlawFinder.
Line: 204
Column: 15
CWE codes:
120
20
CHECK_IO_ERROR();
ByteBuffer block_data = ByteBuffer::create_uninitialized(block_length);
// Reads exactly the bytes necessary into the Bytes container
bit_input.read(block_data);
m_data_start_location += block_length;
CHECK_IO_ERROR();
return FlacRawMetadataBlock {
is_last_block,
type,
Reported by FlawFinder.
Line: 811
Column: 11
CWE codes:
120
20
{
u64 character;
ByteBuffer single_byte_buffer = ByteBuffer::create_uninitialized(1);
input.read(single_byte_buffer);
u8 start_byte = single_byte_buffer[0];
// Signal byte is zero: ASCII character
if ((start_byte & 0b10000000) == 0) {
return start_byte;
} else if ((start_byte & 0b11000000) == 0b10000000) {
Reported by FlawFinder.
Line: 828
Column: 15
CWE codes:
120
20
u8 start_byte_bitmask = AK::exp2(bits_from_start_byte) - 1;
character = start_byte_bitmask & start_byte;
for (u8 i = length - 1; i > 0; --i) {
input.read(single_byte_buffer);
u8 current_byte = single_byte_buffer[0];
character = (character << 6) | (current_byte & 0b00111111);
}
return character;
}
Reported by FlawFinder.