The following issues were reported by static-analysis tools (the reporting tool is named at the end of each entry):
fs/nfsd/vfs.c
15 issues
Line: 607
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* Check server access rights to a file system object
*/
/*
 * One row of an NFSv3 ACCESS translation table: pairs a protocol access bit
 * with the permission mask that is handed to nfsd_permission().
 *
 * NOTE(review): `access` here is a struct member (and, in the excerpts that
 * follow, a parameter and expressions such as map->access), not a call to
 * access(2). The CWE-362/367 findings reported against these lines look like
 * identifier-name matches rather than check-then-use races; confirm against
 * the full file before triaging them.
 */
struct accessmap {
u32 access;	/* NFS3_ACCESS_* bit, e.g. NFS3_ACCESS_READ; tables are walked while this is non-zero */
int how;	/* NFSD_MAY_* mask passed to nfsd_permission() for that bit */
};
static struct accessmap nfs3_regaccess[] = {
{ NFS3_ACCESS_READ, NFSD_MAY_READ },
{ NFS3_ACCESS_EXECUTE, NFSD_MAY_EXEC },
Reported by FlawFinder.
Line: 658
Column: 62
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
};
__be32
nfsd_access(struct svc_rqst *rqstp, struct svc_fh *fhp, u32 *access, u32 *supported)
{
struct accessmap *map;
struct svc_export *export;
struct dentry *dentry;
u32 query, result = 0, sresult = 0;
Reported by FlawFinder.
Line: 681
Column: 11
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
map = nfs3_anyaccess;
query = *access;
for (; map->access; map++) {
if (map->access & query) {
__be32 err2;
sresult |= map->access;
Reported by FlawFinder.
Line: 682
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
query = *access;
for (; map->access; map++) {
if (map->access & query) {
__be32 err2;
sresult |= map->access;
Reported by FlawFinder.
Line: 683
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
query = *access;
for (; map->access; map++) {
if (map->access & query) {
__be32 err2;
sresult |= map->access;
err2 = nfsd_permission(rqstp, export, dentry, map->how);
Reported by FlawFinder.
Line: 686
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (map->access & query) {
__be32 err2;
sresult |= map->access;
err2 = nfsd_permission(rqstp, export, dentry, map->how);
switch (err2) {
case nfs_ok:
result |= map->access;
Reported by FlawFinder.
Line: 691
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
err2 = nfsd_permission(rqstp, export, dentry, map->how);
switch (err2) {
case nfs_ok:
result |= map->access;
break;
/* the following error codes just mean the access was not allowed,
* rather than an error occurred */
case nfserr_rofs:
Reported by FlawFinder.
Line: 716
Column: 52
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
}
#endif /* CONFIG_NFSD_V3 */
int nfsd_open_break_lease(struct inode *inode, int access)
{
unsigned int mode;
if (access & NFSD_MAY_NOT_BREAK_LEASE)
return 0;
Reported by FlawFinder.
Line: 720
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
{
unsigned int mode;
if (access & NFSD_MAY_NOT_BREAK_LEASE)
return 0;
mode = (access & NFSD_MAY_WRITE) ? O_WRONLY : O_RDONLY;
return break_lease(inode, mode | O_NONBLOCK);
}
Reported by FlawFinder.
Line: 722
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (access & NFSD_MAY_NOT_BREAK_LEASE)
return 0;
mode = (access & NFSD_MAY_WRITE) ? O_WRONLY : O_RDONLY;
return break_lease(inode, mode | O_NONBLOCK);
}
/*
* Open an existing file or directory.
Reported by FlawFinder.
drivers/ata/libata-core.c
15 issues
Line: 111
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct ata_force_ent *ata_force_tbl;
static int ata_force_tbl_size;
static char ata_force_param_buf[COMMAND_LINE_SIZE] __initdata;
/* param_buf is thrown away after initialization, disallow read */
module_param_string(force, ata_force_param_buf, sizeof(ata_force_param_buf), 0);
MODULE_PARM_DESC(force, "Force ATA configurations including cable type, link speed and transfer mode (see Documentation/admin-guide/kernel-parameters.rst for details)");
#endif
Reported by FlawFinder.
Line: 1540
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* prepare & issue qc */
qc->tf = *tf;
if (cdb)
memcpy(qc->cdb, cdb, ATAPI_CDB_LEN);
/* some SATA bridges need us to indicate data xfer direction */
if (tf->protocol == ATAPI_PROT_DMA && (dev->flags & ATA_DFLAG_DMADIR) &&
dma_dir == DMA_FROM_DEVICE)
qc->tf.feature |= ATAPI_DMADIR;
Reported by FlawFinder.
Line: 2138
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 *cmds = dev->ncq_send_recv_cmds;
dev->flags |= ATA_DFLAG_NCQ_SEND_RECV;
memcpy(cmds, ap->sector_buf, ATA_LOG_NCQ_SEND_RECV_SIZE);
if (dev->horkage & ATA_HORKAGE_NO_NCQ_TRIM) {
ata_dev_dbg(dev, "disabling queued TRIM support\n");
cmds[ATA_LOG_NCQ_SEND_RECV_DSM_OFFSET] &=
~ATA_LOG_NCQ_SEND_RECV_DSM_TRIM;
Reported by FlawFinder.
Line: 2167
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
u8 *cmds = dev->ncq_non_data_cmds;
memcpy(cmds, ap->sector_buf, ATA_LOG_NCQ_NON_DATA_SIZE);
}
}
static void ata_dev_config_ncq_prio(struct ata_device *dev)
{
Reported by FlawFinder.
Line: 2387
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const u16 *id = dev->id;
unsigned long xfer_mask;
unsigned int err_mask;
char revbuf[7]; /* XYZ-99\0 */
char fwrevbuf[ATA_ID_FW_REV_LEN+1];
char modelbuf[ATA_ID_PROD_LEN+1];
int rc;
if (!ata_dev_enabled(dev) && ata_msg_info(ap)) {
Reported by FlawFinder.
Line: 2388
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long xfer_mask;
unsigned int err_mask;
char revbuf[7]; /* XYZ-99\0 */
char fwrevbuf[ATA_ID_FW_REV_LEN+1];
char modelbuf[ATA_ID_PROD_LEN+1];
int rc;
if (!ata_dev_enabled(dev) && ata_msg_info(ap)) {
ata_dev_info(dev, "%s: ENTER/EXIT -- nodev\n", __func__);
Reported by FlawFinder.
Line: 2389
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int err_mask;
char revbuf[7]; /* XYZ-99\0 */
char fwrevbuf[ATA_ID_FW_REV_LEN+1];
char modelbuf[ATA_ID_PROD_LEN+1];
int rc;
if (!ata_dev_enabled(dev) && ata_msg_info(ap)) {
ata_dev_info(dev, "%s: ENTER/EXIT -- nodev\n", __func__);
return 0;
Reported by FlawFinder.
Line: 2512
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (ata_id_has_lba(id)) {
const char *lba_desc;
char ncq_desc[24];
lba_desc = "LBA";
dev->flags |= ATA_DFLAG_LBA;
if (ata_id_has_lba48(id)) {
dev->flags |= ATA_DFLAG_LBA48;
Reported by FlawFinder.
Line: 3122
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int ata_down_xfermask_limit(struct ata_device *dev, unsigned int sel)
{
char buf[32];
unsigned long orig_mask, xfer_mask;
unsigned long pio_mask, mwdma_mask, udma_mask;
int quiet, highbit;
quiet = !!(sel & ATA_DNXFER_QUIET);
Reported by FlawFinder.
Line: 3609
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const u16 *new_id)
{
const u16 *old_id = dev->id;
unsigned char model[2][ATA_ID_PROD_LEN + 1];
unsigned char serial[2][ATA_ID_SERNO_LEN + 1];
if (dev->class != new_class) {
ata_dev_info(dev, "class mismatch %d != %d\n",
dev->class, new_class);
Reported by FlawFinder.
drivers/pinctrl/pinctrl-single.c
15 issues
Line: 1804
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_init(&pcs->mutex);
INIT_LIST_HEAD(&pcs->gpiofuncs);
pcs->flags = soc->flags;
memcpy(&pcs->socdata, soc, sizeof(*soc));
ret = of_property_read_u32(np, "pinctrl-single,register-width",
&pcs->width);
if (ret) {
dev_err(pcs->dev, "register width not specified\n");
Reported by FlawFinder.
Line: 206
Column: 13
CWE codes:
120
20
struct irq_chip chip;
struct irq_domain *domain;
struct pinctrl_desc desc;
unsigned (*read)(void __iomem *reg);
void (*write)(unsigned val, void __iomem *reg);
};
#define PCS_QUIRK_HAS_SHARED_IRQ (pcs->flags & PCS_QUIRK_SHARED_IRQ)
#define PCS_HAS_IRQ (pcs->flags & PCS_FEAT_IRQ)
Reported by FlawFinder.
Line: 306
Column: 13
CWE codes:
120
20
pcs = pinctrl_dev_get_drvdata(pctldev);
offset = pcs_pin_reg_offset_get(pcs, pin);
val = pcs->read(pcs->base + offset);
if (pcs->bits_per_mux)
val &= pcs->fmask << pcs_pin_shift_reg_get(pcs, pin);
pa = pcs->res->start + offset;
Reported by FlawFinder.
Line: 389
Column: 14
CWE codes:
120
20
vals = &func->vals[i];
raw_spin_lock_irqsave(&pcs->lock, flags);
val = pcs->read(vals->reg);
if (pcs->bits_per_mux)
mask = vals->mask;
else
mask = pcs->fmask;
Reported by FlawFinder.
Line: 430
Column: 16
CWE codes:
120
20
if (pcs->bits_per_mux) {
int pin_shift = pcs_pin_shift_reg_get(pcs, pin);
data = pcs->read(pcs->base + offset);
data &= ~(pcs->fmask << pin_shift);
data |= frange->gpiofunc << pin_shift;
pcs->write(data, pcs->base + offset);
} else {
data = pcs->read(pcs->base + offset);
Reported by FlawFinder.
Line: 435
Column: 16
CWE codes:
120
20
data |= frange->gpiofunc << pin_shift;
pcs->write(data, pcs->base + offset);
} else {
data = pcs->read(pcs->base + offset);
data &= ~pcs->fmask;
data |= frange->gpiofunc;
pcs->write(data, pcs->base + offset);
}
break;
Reported by FlawFinder.
Line: 509
Column: 15
CWE codes:
120
20
}
offset = pin * (pcs->width / BITS_PER_BYTE);
data = pcs->read(pcs->base + offset) & func->conf[i].mask;
switch (func->conf[i].param) {
/* 4 parameters */
case PIN_CONFIG_BIAS_PULL_DOWN:
case PIN_CONFIG_BIAS_PULL_UP:
case PIN_CONFIG_INPUT_SCHMITT_ENABLE:
Reported by FlawFinder.
Line: 568
Column: 16
CWE codes:
120
20
continue;
offset = pin * (pcs->width / BITS_PER_BYTE);
data = pcs->read(pcs->base + offset);
arg = pinconf_to_config_argument(configs[j]);
switch (func->conf[i].param) {
/* 2 parameters */
case PIN_CONFIG_INPUT_SCHMITT:
case PIN_CONFIG_DRIVE_STRENGTH:
Reported by FlawFinder.
Line: 699
Column: 14
CWE codes:
120
20
if (pcs_soc->irq_enable_mask) {
unsigned val;
val = pcs->read(pcs->base + offset);
if (val & pcs_soc->irq_enable_mask) {
dev_dbg(pcs->dev, "irq enabled at boot for pin at %lx (%x), clearing\n",
(unsigned long)pcs->res->start + offset, val);
val &= ~pcs_soc->irq_enable_mask;
pcs->write(val, pcs->base + offset);
Reported by FlawFinder.
Line: 1414
Column: 15
CWE codes:
120
20
soc_mask = pcs_soc->irq_enable_mask;
raw_spin_lock(&pcs->lock);
mask = pcs->read(pcswi->reg);
if (enable)
mask |= soc_mask;
else
mask &= ~soc_mask;
pcs->write(mask, pcswi->reg);
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_dbg.c
15 issues
Line: 94
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct req_que *req = ha->req_q_map[0];
struct rsp_que *rsp = ha->rsp_q_map[0];
/* Request queue. */
memcpy(ptr, req->ring, req->length *
sizeof(request_t));
/* Response queue. */
ptr += req->length * sizeof(request_t);
memcpy(ptr, rsp->ring, rsp->length *
Reported by FlawFinder.
Line: 99
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Response queue. */
ptr += req->length * sizeof(request_t);
memcpy(ptr, rsp->ring, rsp->length *
sizeof(response_t));
return ptr + (rsp->length * sizeof(response_t));
}
Reported by FlawFinder.
Line: 479
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ha->eft)
return ptr;
memcpy(ptr, ha->eft, ntohl(ha->fw_dump->eft_size));
return ptr + ntohl(ha->fw_dump->eft_size);
}
static inline void *
qla25xx_copy_fce(struct qla_hw_data *ha, void *ptr, __be32 **last_chain)
Reported by FlawFinder.
Line: 505
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (cnt = 0; cnt < 8; cnt++)
*iter_reg++ = htonl(ha->fce_mb[cnt]);
memcpy(iter_reg, ha->fce, ntohl(fcec->size));
return (char *)iter_reg + ntohl(fcec->size);
}
static inline void *
Reported by FlawFinder.
Line: 527
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
c->addr = cpu_to_be64(ha->exlogin_buf_dma);
ptr += sizeof(struct qla2xxx_offld_chain);
memcpy(ptr, ha->exlogin_buf, ha->exlogin_size);
return (char *)ptr + be32_to_cpu(c->size);
}
static inline void *
Reported by FlawFinder.
Line: 549
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
c->addr = cpu_to_be64(ha->exchoffld_buf_dma);
ptr += sizeof(struct qla2xxx_offld_chain);
memcpy(ptr, ha->exchoffld_buf, ha->exchoffld_size);
return (char *)ptr + be32_to_cpu(c->size);
}
static inline void *
Reported by FlawFinder.
Line: 594
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += sizeof(struct qla2xxx_mqueue_header);
/* Add data. */
memcpy(ptr, aqp->ring, aqp->length * sizeof(request_t));
ptr += aqp->length * sizeof(request_t);
}
return ptr;
Reported by FlawFinder.
Line: 638
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += sizeof(struct qla2xxx_mqueue_header);
/* Add data. */
memcpy(ptr, req->ring, req->length * sizeof(request_t));
ptr += req->length * sizeof(request_t);
}
/* Response queues */
for (que = 1; que < ha->max_rsp_queues; que++) {
Reported by FlawFinder.
Line: 666
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += sizeof(struct qla2xxx_mqueue_header);
/* Add data. */
memcpy(ptr, rsp->ring, rsp->length * sizeof(response_t));
ptr += rsp->length * sizeof(response_t);
}
return ptr;
}
Reported by FlawFinder.
Line: 2493
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
va_list va;
struct va_format vaf;
char pbuf[64];
va_start(va, fmt);
vaf.fmt = fmt;
vaf.va = &va;
Reported by FlawFinder.
tools/perf/scripts/python/stackcollapse.py
15 issues
Line: 32
Column: 1
sys.path.append(os.environ['PERF_EXEC_PATH'] + \
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from perf_trace_context import *
from Core import *
from EventClass import *
# command line parsing
Reported by Pylint.
Line: 33
Column: 1
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from perf_trace_context import *
from Core import *
from EventClass import *
# command line parsing
option_list = [
Reported by Pylint.
Line: 34
Column: 1
from perf_trace_context import *
from Core import *
from EventClass import *
# command line parsing
option_list = [
# formatting options for the bottom entry of the stack
Reported by Pylint.
Line: 27
Column: 1
import os
import sys
from collections import defaultdict
from optparse import OptionParser, make_option
sys.path.append(os.environ['PERF_EXEC_PATH'] + \
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from perf_trace_context import *
Reported by Pylint.
Line: 32
Column: 1
sys.path.append(os.environ['PERF_EXEC_PATH'] + \
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from perf_trace_context import *
from Core import *
from EventClass import *
# command line parsing
Reported by Pylint.
Line: 33
Column: 1
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from perf_trace_context import *
from Core import *
from EventClass import *
# command line parsing
option_list = [
Reported by Pylint.
Line: 34
Column: 1
from perf_trace_context import *
from Core import *
from EventClass import *
# command line parsing
option_list = [
# formatting options for the bottom entry of the stack
Reported by Pylint.
Line: 125
Column: 5
lines[stack_string] = lines[stack_string] + 1
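def trace_end():
    """Print each collapsed stack and its sample count, one per line.

    Reads the module-level ``lines`` mapping (stack string -> count) and
    emits ``"<stack> <count>"`` in sorted stack order.
    """
    # Iterate sorted(lines) directly instead of binding it to a local called
    # `list`, which shadowed the builtin for the rest of the function.
    for stack in sorted(lines):
        print("%s %d" % (stack, lines[stack]))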
Reported by Pylint.
Line: 1
Column: 1
# stackcollapse.py - format perf samples with one line per distinct call stack
# SPDX-License-Identifier: GPL-2.0
#
# This script's output has two space-separated fields. The first is a semicolon
# separated stack including the program name (from the "comm" field) and the
# function names from the call stack. The second is a count:
#
# swapper;start_kernel;rest_init;cpu_idle;default_idle;native_safe_halt 2
#
Reported by Pylint.
Line: 32
Column: 1
sys.path.append(os.environ['PERF_EXEC_PATH'] + \
'/scripts/python/Perf-Trace-Util/lib/Perf/Trace')
from perf_trace_context import *
from Core import *
from EventClass import *
# command line parsing
Reported by Pylint.
drivers/usb/early/xhci-dbc.c
15 issues
Line: 496
CWE codes:
476
xdbc.flags |= XDBC_FLAGS_IN_PROCESS;
} else {
memset(xdbc.out_buf, 0, XDBC_MAX_PACKET);
memcpy(xdbc.out_buf, data, size);
addr = xdbc.out_dma;
xdbc.flags |= XDBC_FLAGS_OUT_PROCESS;
}
xdbc_queue_trb(ring, lower_32_bits(addr), upper_32_bits(addr), length, control);
Reported by Cppcheck.
Line: 496
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
xdbc.flags |= XDBC_FLAGS_IN_PROCESS;
} else {
memset(xdbc.out_buf, 0, XDBC_MAX_PACKET);
memcpy(xdbc.out_buf, data, size);
addr = xdbc.out_dma;
xdbc.flags |= XDBC_FLAGS_OUT_PROCESS;
}
xdbc_queue_trb(ring, lower_32_bits(addr), upper_32_bits(addr), length, control);
Reported by FlawFinder.
Line: 867
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void early_xdbc_write(struct console *con, const char *str, u32 n)
{
static char buf[XDBC_MAX_PACKET];
int chunk, ret;
int use_cr = 0;
if (!xdbc.xdbc_reg)
return;
Reported by FlawFinder.
Line: 271
Column: 22
CWE codes:
126
/* Serial string: */
s_desc = (struct usb_string_descriptor *)strings->serial;
s_desc->bLength = (strlen(XDBC_STRING_SERIAL) + 1) * 2;
s_desc->bDescriptorType = USB_DT_STRING;
xdbc_put_utf16(s_desc->wData, XDBC_STRING_SERIAL, strlen(XDBC_STRING_SERIAL));
string_length = s_desc->bLength;
string_length <<= 8;
Reported by FlawFinder.
Line: 274
Column: 52
CWE codes:
126
s_desc->bLength = (strlen(XDBC_STRING_SERIAL) + 1) * 2;
s_desc->bDescriptorType = USB_DT_STRING;
xdbc_put_utf16(s_desc->wData, XDBC_STRING_SERIAL, strlen(XDBC_STRING_SERIAL));
string_length = s_desc->bLength;
string_length <<= 8;
/* Product string: */
s_desc = (struct usb_string_descriptor *)strings->product;
Reported by FlawFinder.
Line: 280
Column: 22
CWE codes:
126
/* Product string: */
s_desc = (struct usb_string_descriptor *)strings->product;
s_desc->bLength = (strlen(XDBC_STRING_PRODUCT) + 1) * 2;
s_desc->bDescriptorType = USB_DT_STRING;
xdbc_put_utf16(s_desc->wData, XDBC_STRING_PRODUCT, strlen(XDBC_STRING_PRODUCT));
string_length += s_desc->bLength;
string_length <<= 8;
Reported by FlawFinder.
Line: 283
Column: 53
CWE codes:
126
s_desc->bLength = (strlen(XDBC_STRING_PRODUCT) + 1) * 2;
s_desc->bDescriptorType = USB_DT_STRING;
xdbc_put_utf16(s_desc->wData, XDBC_STRING_PRODUCT, strlen(XDBC_STRING_PRODUCT));
string_length += s_desc->bLength;
string_length <<= 8;
/* Manufacture string: */
s_desc = (struct usb_string_descriptor *)strings->manufacturer;
Reported by FlawFinder.
Line: 289
Column: 22
CWE codes:
126
/* Manufacture string: */
s_desc = (struct usb_string_descriptor *)strings->manufacturer;
s_desc->bLength = (strlen(XDBC_STRING_MANUFACTURER) + 1) * 2;
s_desc->bDescriptorType = USB_DT_STRING;
xdbc_put_utf16(s_desc->wData, XDBC_STRING_MANUFACTURER, strlen(XDBC_STRING_MANUFACTURER));
string_length += s_desc->bLength;
string_length <<= 8;
Reported by FlawFinder.
Line: 292
Column: 58
CWE codes:
126
s_desc->bLength = (strlen(XDBC_STRING_MANUFACTURER) + 1) * 2;
s_desc->bDescriptorType = USB_DT_STRING;
xdbc_put_utf16(s_desc->wData, XDBC_STRING_MANUFACTURER, strlen(XDBC_STRING_MANUFACTURER));
string_length += s_desc->bLength;
string_length <<= 8;
/* String0: */
strings->string0[0] = 4;
Reported by FlawFinder.
Line: 457
Column: 58
CWE codes:
120
20
return 0;
}
static int xdbc_bulk_transfer(void *data, int size, bool read)
{
struct xdbc_ring *ring;
struct xdbc_trb *trb;
u32 length, control;
u32 cycle;
Reported by FlawFinder.
drivers/firmware/efi/efi.c
15 issues
Line: 124
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -EINVAL;
if (efi.acpi20 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI20=0x%lx\n", efi.acpi20);
if (efi.acpi != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI=0x%lx\n", efi.acpi);
/*
* If both SMBIOS and SMBIOS3 entry points are implemented, the
* SMBIOS3 entry point shall be preferred, so we list it first to
Reported by FlawFinder.
Line: 126
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (efi.acpi20 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI20=0x%lx\n", efi.acpi20);
if (efi.acpi != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI=0x%lx\n", efi.acpi);
/*
* If both SMBIOS and SMBIOS3 entry points are implemented, the
* SMBIOS3 entry point shall be preferred, so we list it first to
* let applications stop parsing after the first match.
*/
Reported by FlawFinder.
Line: 133
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* let applications stop parsing after the first match.
*/
if (efi.smbios3 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS3=0x%lx\n", efi.smbios3);
if (efi.smbios != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS=0x%lx\n", efi.smbios);
if (IS_ENABLED(CONFIG_IA64) || IS_ENABLED(CONFIG_X86))
str = efi_systab_show_arch(str);
Reported by FlawFinder.
Line: 135
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (efi.smbios3 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS3=0x%lx\n", efi.smbios3);
if (efi.smbios != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS=0x%lx\n", efi.smbios);
if (IS_ENABLED(CONFIG_IA64) || IS_ENABLED(CONFIG_X86))
str = efi_systab_show_arch(str);
return str - buf;
Reported by FlawFinder.
Line: 148
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Write the firmware word size into buf: "64\n" when efi_enabled(EFI_64BIT)
 * is true, "32\n" otherwise. Returns the number of characters sprintf()
 * reports as written. kobj and attr are not used.
 *
 * The signature matches a kobj_attribute show handler; the attribute that
 * references it is not part of this excerpt.
 *
 * The sprintf() call is unbounded, but this format can only produce the three
 * characters above plus the terminating NUL, so the write length does not
 * depend on any input. A bounded formatter would make that explicit to both
 * readers and scanners.
 */
static ssize_t fw_platform_size_show(struct kobject *kobj,
				     struct kobj_attribute *attr, char *buf)
{
	int bits = 32;

	if (efi_enabled(EFI_64BIT))
		bits = 64;

	return sprintf(buf, "%d\n", bits);
}
extern __weak struct kobj_attribute efi_attr_fw_vendor;
extern __weak struct kobj_attribute efi_attr_runtime;
extern __weak struct kobj_attribute efi_attr_config_table;
Reported by FlawFinder.
Line: 200
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_EFI_CUSTOM_SSDT_OVERLAYS
#define EFIVAR_SSDT_NAME_MAX 16
static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
static int __init efivar_ssdt_setup(char *str)
{
int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
if (ret)
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
if (strlen(str) < sizeof(efivar_ssdt))
memcpy(efivar_ssdt, str, strlen(str));
else
pr_warn("efivar_ssdt: name too long: %s\n", str);
return 0;
}
__setup("efivar_ssdt=", efivar_ssdt_setup);
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct efivar_entry *entry;
struct list_head *list = data;
char utf8_name[EFIVAR_SSDT_NAME_MAX];
int limit = min_t(unsigned long, EFIVAR_SSDT_NAME_MAX, name_size);
ucs2_as_utf8(utf8_name, name, limit - 1);
if (strncmp(utf8_name, efivar_ssdt, limit) != 0)
return 0;
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!entry)
return 0;
memcpy(entry->var.VariableName, name, name_size);
memcpy(&entry->var.VendorGuid, &vendor, sizeof(efi_guid_t));
efivar_entry_add(entry, list);
return 0;
Reported by FlawFinder.
Line: 233
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
memcpy(entry->var.VariableName, name, name_size);
memcpy(&entry->var.VendorGuid, &vendor, sizeof(efi_guid_t));
efivar_entry_add(entry, list);
return 0;
}
Reported by FlawFinder.
net/ax25/af_ax25.c
15 issues
Line: 447
CWE codes:
476
static void ax25_fillin_cb_from_dev(ax25_cb *ax25, ax25_dev *ax25_dev)
{
ax25->rtt = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]) / 2;
ax25->t1 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]);
ax25->t2 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
Reported by Cppcheck.
Line: 447
CWE codes:
476
static void ax25_fillin_cb_from_dev(ax25_cb *ax25, ax25_dev *ax25_dev)
{
ax25->rtt = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]) / 2;
ax25->t1 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]);
ax25->t2 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
Reported by Cppcheck.
Line: 448
CWE codes:
476
static void ax25_fillin_cb_from_dev(ax25_cb *ax25, ax25_dev *ax25_dev)
{
ax25->rtt = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]) / 2;
ax25->t1 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]);
ax25->t2 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
Reported by Cppcheck.
Line: 449
CWE codes:
476
{
ax25->rtt = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]) / 2;
ax25->t1 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]);
ax25->t2 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
Reported by Cppcheck.
Line: 450
CWE codes:
476
ax25->rtt = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]) / 2;
ax25->t1 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]);
ax25->t2 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
Reported by Cppcheck.
Line: 451
CWE codes:
476
ax25->t1 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T1]);
ax25->t2 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
if (ax25_dev->values[AX25_VALUES_AXDEFMODE]) {
Reported by Cppcheck.
Line: 452
CWE codes:
476
ax25->t2 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T2]);
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
if (ax25_dev->values[AX25_VALUES_AXDEFMODE]) {
ax25->modulus = AX25_EMODULUS;
Reported by Cppcheck.
Line: 453
CWE codes:
476
ax25->t3 = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_T3]);
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
if (ax25_dev->values[AX25_VALUES_AXDEFMODE]) {
ax25->modulus = AX25_EMODULUS;
ax25->window = ax25_dev->values[AX25_VALUES_EWINDOW];
Reported by Cppcheck.
Line: 454
CWE codes:
476
ax25->n2 = ax25_dev->values[AX25_VALUES_N2];
ax25->paclen = ax25_dev->values[AX25_VALUES_PACLEN];
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
if (ax25_dev->values[AX25_VALUES_AXDEFMODE]) {
ax25->modulus = AX25_EMODULUS;
ax25->window = ax25_dev->values[AX25_VALUES_EWINDOW];
} else {
Reported by Cppcheck.
Line: 456
CWE codes:
476
ax25->idle = msecs_to_jiffies(ax25_dev->values[AX25_VALUES_IDLE]);
ax25->backoff = ax25_dev->values[AX25_VALUES_BACKOFF];
if (ax25_dev->values[AX25_VALUES_AXDEFMODE]) {
ax25->modulus = AX25_EMODULUS;
ax25->window = ax25_dev->values[AX25_VALUES_EWINDOW];
} else {
ax25->modulus = AX25_MODULUS;
ax25->window = ax25_dev->values[AX25_VALUES_WINDOW];
Reported by Cppcheck.
scripts/unifdef.c
15 issues
Line: 341
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
dirsep = strrchr(ofilename, '/');
if (dirsep != NULL)
snprintf(tempname, sizeof(tempname),
"%.*s/" TEMPLATE,
(int)(dirsep - ofilename), ofilename);
else
snprintf(tempname, sizeof(tempname),
TEMPLATE);
Reported by FlawFinder.
Line: 345
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
"%.*s/" TEMPLATE,
(int)(dirsep - ofilename), ofilename);
else
snprintf(tempname, sizeof(tempname),
TEMPLATE);
ofd = mkstemp(tempname);
if (ofd != -1)
output = fdopen(ofd, "wb+");
if (output == NULL)
Reported by FlawFinder.
Line: 725
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
size_t len = cp - tline;
if (fgets(tline + len, MAXLINE - len, input) == NULL) {
/* append the missing newline */
strcpy(tline + len, newline);
cp += strlen(newline);
linestate = LS_START;
} else {
linestate = LS_DIRTY;
}
Reported by FlawFinder.
Line: 245
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int opt;
while ((opt = getopt(argc, argv, "i:D:U:I:o:bBcdeKklnsStV")) != -1)
switch (opt) {
case 'i': /* treat stuff controlled by these symbols as text */
/*
* For strict backwards-compatibility the U or D
* should be immediately after the -i but it doesn't
Reported by FlawFinder.
Line: 177
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool symdepth; /* -S: output symbol depth */
static bool text; /* -t: this is a text file */
static const char *symname[MAXSYMS]; /* symbol name */
static const char *value[MAXSYMS]; /* -Dsym=value */
static bool ignore[MAXSYMS]; /* -iDsym or -iUsym */
static int nsyms; /* number of symbols */
static FILE *input; /* input file pointer */
Reported by FlawFinder.
Line: 178
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool text; /* -t: this is a text file */
static const char *symname[MAXSYMS]; /* symbol name */
static const char *value[MAXSYMS]; /* -Dsym=value */
static bool ignore[MAXSYMS]; /* -iDsym or -iUsym */
static int nsyms; /* number of symbols */
static FILE *input; /* input file pointer */
static const char *filename; /* input file name */
Reported by FlawFinder.
Line: 188
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static FILE *output; /* output file pointer */
static const char *ofilename; /* output file name */
static bool overwriting; /* output overwrites input */
static char tempname[FILENAME_MAX]; /* used when overwriting */
static char tline[MAXLINE+EDITSLOP];/* input buffer plus space */
static char *keyword; /* used for editing #elif's */
static const char *newline; /* input file format */
Reported by FlawFinder.
Line: 190
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool overwriting; /* output overwrites input */
static char tempname[FILENAME_MAX]; /* used when overwriting */
static char tline[MAXLINE+EDITSLOP];/* input buffer plus space */
static char *keyword; /* used for editing #elif's */
static const char *newline; /* input file format */
static const char newline_unix[] = "\n";
static const char newline_crlf[] = "\r\n";
Reported by FlawFinder.
Line: 319
Column: 11
CWE codes:
362
errx(2, "can only do one file");
} else if (argc == 1 && strcmp(*argv, "-") != 0) {
filename = *argv;
input = fopen(filename, "rb");
if (input == NULL)
err(2, "can't open %s", filename);
} else {
filename = "[stdin]";
input = stdin;
Reported by FlawFinder.
Line: 347
Column: 10
CWE codes:
377
else
snprintf(tempname, sizeof(tempname),
TEMPLATE);
ofd = mkstemp(tempname);
if (ofd != -1)
output = fdopen(ofd, "wb+");
if (output == NULL)
err(2, "can't create temporary file");
fchmod(ofd, ist.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO));
Reported by FlawFinder.
drivers/scsi/pm8001/pm8001_ctl.c
15 issues
Line: 266
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ssize_t len = 0;
if (mode & SAS_1_1)
len = sprintf(buf, "%s", "SAS1.1");
if (mode & SAS_2_0)
len += sprintf(buf + len, "%s%s", len ? ", " : "", "SAS2.0");
len += sprintf(buf + len, "\n");
return len;
Reported by FlawFinder.
Line: 268
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mode & SAS_1_1)
len = sprintf(buf, "%s", "SAS1.1");
if (mode & SAS_2_0)
len += sprintf(buf + len, "%s%s", len ? ", " : "", "SAS2.0");
len += sprintf(buf + len, "\n");
return len;
}
Reported by FlawFinder.
Line: 820
Column: 8
CWE codes:
120
20
Suggestion:
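Specify a maximum field width for each %s (sized to its destination, leaving room for the terminating NUL), or use a different input function. In the excerpt both conversions write into one region (`filename_ptr = cmd_ptr + count`), so an over-long first token would presumably run into the space meant for the second; the allocation size is not visible here.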
}
filename_ptr = cmd_ptr + count;
res = sscanf(buf, "%s %s", cmd_ptr, filename_ptr);
if (res != 2) {
pm8001_ha->fw_status = FAIL_PARAMETERS;
ret = -EINVAL;
goto out;
}
Reported by FlawFinder.
Line: 379
Column: 10
CWE codes:
120
Suggestion:
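Use sprintf_s, snprintf, or vsnprintf. In this excerpt the loop is bounded by `max = 2` and each conversion is `0x%08x`, so for 32-bit values the output length is small and fixed; the finding is about the unbounded API rather than a demonstrated overflow.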
char *str = buf;
int max = 2;
for (i = 0; i < max; i++) {
str += sprintf(str, "0x%08x 0x%08x 0x%08x 0x%08x 0x%08x 0x%08x"
"0x%08x 0x%08x\n",
pm8001_ctl_aap1_memmap(ptr, i, 0),
pm8001_ctl_aap1_memmap(ptr, i, 4),
pm8001_ctl_aap1_memmap(ptr, i, 8),
pm8001_ctl_aap1_memmap(ptr, i, 12),
Reported by FlawFinder.
Line: 418
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pm8001_ha->evtlog_ib_offset + (c)))
for (offset = 0; offset < IB_OB_READ_TIMES; offset++) {
str += sprintf(str, "0x%08x\n", IB_MEMMAP(start));
start = start + 4;
}
pm8001_ha->evtlog_ib_offset += SYSFS_OFFSET;
if (((pm8001_ha->evtlog_ib_offset) % (PM80XX_IB_OB_QUEUE_SIZE)) == 0)
pm8001_ha->evtlog_ib_offset = 0;
Reported by FlawFinder.
Line: 454
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pm8001_ha->evtlog_ob_offset + (c)))
for (offset = 0; offset < IB_OB_READ_TIMES; offset++) {
str += sprintf(str, "0x%08x\n", OB_MEMMAP(start));
start = start + 4;
}
pm8001_ha->evtlog_ob_offset += SYSFS_OFFSET;
if (((pm8001_ha->evtlog_ob_offset) % (PM80XX_IB_OB_QUEUE_SIZE)) == 0)
pm8001_ha->evtlog_ob_offset = 0;
Reported by FlawFinder.
Line: 497
Column: 10
CWE codes:
120
Suggestion:
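Use sprintf_s, snprintf, or vsnprintf. sprintf_s is not available in kernel code; this function is registered as a sysfs show callback (see the DEVICE_ATTR line in the excerpt), where sysfs_emit() and sysfs_emit_at() are the length-aware replacements that keep output within the PAGE_SIZE sysfs buffer. The loop runs from BIOSOFFSET to BIOS_OFFSET_LIMIT at one byte per iteration, so the amount written is set by those two limits.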
wait_for_completion(&completion);
for (bios_index = BIOSOFFSET; bios_index < BIOS_OFFSET_LIMIT;
bios_index++)
str += sprintf(str, "%c",
*(payload.func_specific+bios_index));
kfree(payload.func_specific);
return str - buf;
}
static DEVICE_ATTR(bios_version, S_IRUGO, pm8001_ctl_bios_version_show, NULL);
Reported by FlawFinder.
Line: 554
Column: 10
CWE codes:
120
Suggestion:
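Use sprintf_s, snprintf, or vsnprintf. This is a sysfs show callback (see the DEVICE_ATTR line in the excerpt), so the destination is the PAGE_SIZE sysfs buffer and sysfs_emit_at() is the kernel's bounded replacement. Each iteration writes 9 bytes for a 32-bit value, so whether the output fits depends on how `start` and `end` are computed above the excerpt.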
}
for (; start < end; start++)
str += sprintf(str, "%08x ", *(temp+start));
count++;
return str - buf;
}
static DEVICE_ATTR(iop_log, S_IRUGO, pm8001_ctl_iop_log_show, NULL);
Reported by FlawFinder.
Line: 699
Column: 2
CWE codes:
120
Suggestion:
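Make sure destination can always hold the source data. Here the copy length is `pm8001_ha->fw_image->size`, so the check to look for is that `ioctlbuffer` was allocated with room for the payload header plus that many bytes; the allocation is above the excerpt.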
return -ENOMEM;
}
payload = (struct pm8001_ioctl_payload *)ioctlbuffer;
memcpy((u8 *)&payload->func_specific, (u8 *)pm8001_ha->fw_image->data,
pm8001_ha->fw_image->size);
payload->wr_length = pm8001_ha->fw_image->size;
payload->id = 0;
payload->minor_function = 0x1;
pm8001_ha->nvmd_completion = &completion;
Reported by FlawFinder.
Line: 762
Column: 4
CWE codes:
120
Suggestion:
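Make sure destination can always hold the source data. The copy length is `(partitionSize + HEADER_LEN) % IOCTL_BUF_SIZE`, which for non-negative values is below IOCTL_BUF_SIZE, so the destination is covered if `fwControl->buffer` holds IOCTL_BUF_SIZE bytes. The source side needs the same attention: `sizeRead` plus that length should be checked against `fw_image->size`, since `partitionSize` presumably comes from the firmware image itself.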
((partitionSize + HEADER_LEN) % IOCTL_BUF_SIZE)) {
fwControl->len =
(partitionSize + HEADER_LEN) % IOCTL_BUF_SIZE;
memcpy((u8 *)fwControl->buffer,
(u8 *)pm8001_ha->fw_image->data + sizeRead,
(partitionSize + HEADER_LEN) % IOCTL_BUF_SIZE);
sizeRead +=
(partitionSize + HEADER_LEN) % IOCTL_BUF_SIZE;
} else {
Reported by FlawFinder.