The following issues were found
drivers/platform/x86/dell/dell-wmi-sysman/sysman.c
15 issues
Line: 152
Column: 11
CWE codes:
120
Suggestion:
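Use sprintf_s, snprintf, or vsnprintf. (Reviewer note: sprintf_s is not a kernel API; if this loop belongs to a sysfs show callback, sysfs_emit() and sysfs_emit_at() are the bounded helpers.)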
for (i = 0; i < MAX_TYPES; i++) {
if (i == reset_option)
buf += sprintf(buf, "[%s] ", reset_types[i]);
else
buf += sprintf(buf, "%s ", reset_types[i]);
}
buf += sprintf(buf, "\n");
return buf-start;
Reported by FlawFinder.
Line: 154
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (i == reset_option)
buf += sprintf(buf, "[%s] ", reset_types[i]);
else
buf += sprintf(buf, "%s ", reset_types[i]);
}
buf += sprintf(buf, "\n");
return buf-start;
}
Reported by FlawFinder.
Line: 103
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* plain text */
if (strlen(authentication) > 0)
memcpy(auth, authentication, *seclen);
}
/**
* map_wmi_error() - map errors from WMI methods to kernel error codes
* @error_code: integer error code returned from Dell's firmware
Reported by FlawFinder.
Line: 198
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * sysfs show callback: writes wmi_priv.pending_changes to @buf as a decimal
 * integer plus newline and returns the character count from sprintf().
 * @kobj and @attr are not used.
 *
 * NOTE(review): the output is one short fixed-format number, so the flagged
 * sprintf() is bounded in practice provided @buf is the usual page-sized sysfs
 * buffer (confirm against the caller). sysfs_emit() states that bound
 * explicitly and is the usual replacement.
 */
static ssize_t pending_reboot_show(struct kobject *kobj, struct kobj_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n", wmi_priv.pending_changes);
}
static struct kobj_attribute reset_bios = __ATTR_RW(reset_bios);
static struct kobj_attribute pending_reboot = __ATTR_RO(pending_reboot);
Reported by FlawFinder.
Line: 43
Column: 29
CWE codes:
126
u16 *target = length + 1;
int ret;
ret = utf8s_to_utf16s(str, strlen(str), UTF16_HOST_ENDIAN,
target, buffer_len - sizeof(u16));
if (ret < 0) {
dev_err(wmi_priv.class_dev, "UTF16 conversion failed\n");
return ret;
}
Reported by FlawFinder.
Line: 67
Column: 23
CWE codes:
126
/*
 * Returns the buffer size in bytes for @str: one u16 length field followed by
 * one u16 per input byte, as measured by strlen().
 *
 * NOTE(review): strlen() requires @str to be non-NULL and NUL-terminated. The
 * CWE-126 finding only matters if a caller can pass an unterminated buffer;
 * no caller is visible in this excerpt, so that has to be checked there.
 */
size_t calculate_string_buffer(const char *str)
{
/* u16 length field + one UTF16 char for each input char */
return sizeof(u16) + strlen(str) * sizeof(u16);
}
/**
* calculate_security_buffer() - determines size of security buffer for authentication scheme
* @authentication: the authentication content
Reported by FlawFinder.
Line: 78
Column: 6
CWE codes:
126
*/
size_t calculate_security_buffer(char *authentication)
{
/*
 * Non-empty string: two u32 header words plus the string length, padded by
 * one byte when the length is odd so the total stays even.
 * NOTE(review): every strlen() here assumes @authentication is non-NULL and
 * NUL-terminated; whether callers guarantee that is not visible in this
 * excerpt.
 */
if (strlen(authentication) > 0) {
return (sizeof(u32) * 2) + strlen(authentication) +
strlen(authentication) % 2;
}
/* Empty string: only the two u32 header words. */
return sizeof(u32) * 2;
}
Reported by FlawFinder.
Line: 79
Column: 30
CWE codes:
126
size_t calculate_security_buffer(char *authentication)
{
/*
 * The size is two u32 words, plus (for a non-empty string) its strlen()
 * rounded up to an even byte count.
 * NOTE(review): the three strlen() calls read the same string; the CWE-126
 * findings on them share one precondition, that @authentication is a
 * NUL-terminated string - confirm at the call sites.
 */
if (strlen(authentication) > 0) {
return (sizeof(u32) * 2) + strlen(authentication) +
strlen(authentication) % 2;
}
return sizeof(u32) * 2;
}
Reported by FlawFinder.
Line: 80
Column: 4
CWE codes:
126
{
if (strlen(authentication) > 0) {
return (sizeof(u32) * 2) + strlen(authentication) +
strlen(authentication) % 2;
}
return sizeof(u32) * 2;
}
/**
Reported by FlawFinder.
Line: 98
Column: 13
CWE codes:
126
u32 *sectype = (u32 *) buffer;
u32 *seclen = sectype + 1;
*sectype = strlen(authentication) > 0 ? 1 : 0;
*seclen = strlen(authentication);
/* plain text */
if (strlen(authentication) > 0)
memcpy(auth, authentication, *seclen);
Reported by FlawFinder.
tools/perf/util/cs-etm.c
15 issues
Line: 2557
Column: 3
CWE codes:
134
Suggestion:
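Use a constant for the format specification. (Reviewer note: the format arguments in these excerpts, magic_unk_fmt, param_unk_fmt, cs_etm_priv_fmts[] and cs_etmv4_priv_fmts[], are defined outside the excerpts; if they are constant strings in the source file, no external input reaches the format position and the finding can be closed after confirming that.)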
if ((magic != __perf_cs_etmv3_magic) &&
(magic != __perf_cs_etmv4_magic)) {
/* failure - note bad magic value */
fprintf(stdout, magic_unk_fmt, magic);
return -EINVAL;
}
/* print common header block */
fprintf(stdout, cs_etm_priv_fmts[CS_ETM_MAGIC], val[i++]);
Reported by FlawFinder.
Line: 2562
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
/* print common header block */
fprintf(stdout, cs_etm_priv_fmts[CS_ETM_MAGIC], val[i++]);
fprintf(stdout, cs_etm_priv_fmts[CS_ETM_CPU], val[i++]);
if (magic == __perf_cs_etmv3_magic) {
nr_params = CS_ETM_NR_TRC_PARAMS_V0;
fmt_offset = CS_ETM_ETMCR;
Reported by FlawFinder.
Line: 2563
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
/* print common header block */
fprintf(stdout, cs_etm_priv_fmts[CS_ETM_MAGIC], val[i++]);
fprintf(stdout, cs_etm_priv_fmts[CS_ETM_CPU], val[i++]);
if (magic == __perf_cs_etmv3_magic) {
nr_params = CS_ETM_NR_TRC_PARAMS_V0;
fmt_offset = CS_ETM_ETMCR;
/* after common block, offset format index past NR_PARAMS */
Reported by FlawFinder.
Line: 2570
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
fmt_offset = CS_ETM_ETMCR;
/* after common block, offset format index past NR_PARAMS */
for (j = fmt_offset; j < nr_params + fmt_offset; j++, i++)
fprintf(stdout, cs_etm_priv_fmts[j], val[i]);
} else if (magic == __perf_cs_etmv4_magic) {
nr_params = CS_ETMV4_NR_TRC_PARAMS_V0;
fmt_offset = CS_ETMV4_TRCCONFIGR;
/* after common block, offset format index past NR_PARAMS */
for (j = fmt_offset; j < nr_params + fmt_offset; j++, i++)
Reported by FlawFinder.
Line: 2576
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
fmt_offset = CS_ETMV4_TRCCONFIGR;
/* after common block, offset format index past NR_PARAMS */
for (j = fmt_offset; j < nr_params + fmt_offset; j++, i++)
fprintf(stdout, cs_etmv4_priv_fmts[j], val[i]);
}
*offset = i;
return 0;
}
Reported by FlawFinder.
Line: 2595
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (j = 0; j < total_params; j++, i++) {
/* if newer record - could be excess params */
if (j >= CS_ETM_PRIV_MAX)
fprintf(stdout, param_unk_fmt, j, val[i]);
else
fprintf(stdout, cs_etm_priv_fmts[j], val[i]);
}
} else if (magic == __perf_cs_etmv4_magic) {
for (j = 0; j < total_params; j++, i++) {
Reported by FlawFinder.
Line: 2597
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (j >= CS_ETM_PRIV_MAX)
fprintf(stdout, param_unk_fmt, j, val[i]);
else
fprintf(stdout, cs_etm_priv_fmts[j], val[i]);
}
} else if (magic == __perf_cs_etmv4_magic) {
for (j = 0; j < total_params; j++, i++) {
/* if newer record - could be excess params */
if (j >= CS_ETMV4_PRIV_MAX)
Reported by FlawFinder.
Line: 2603
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (j = 0; j < total_params; j++, i++) {
/* if newer record - could be excess params */
if (j >= CS_ETMV4_PRIV_MAX)
fprintf(stdout, param_unk_fmt, j, val[i]);
else
fprintf(stdout, cs_etmv4_priv_fmts[j], val[i]);
}
} else {
/* failure - note bad magic value and error out */
Reported by FlawFinder.
Line: 2605
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (j >= CS_ETMV4_PRIV_MAX)
fprintf(stdout, param_unk_fmt, j, val[i]);
else
fprintf(stdout, cs_etmv4_priv_fmts[j], val[i]);
}
} else {
/* failure - note bad magic value and error out */
fprintf(stdout, magic_unk_fmt, magic);
return -EINVAL;
Reported by FlawFinder.
Line: 2609
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
} else {
/* failure - note bad magic value and error out */
fprintf(stdout, magic_unk_fmt, magic);
return -EINVAL;
}
*offset = i;
return 0;
}
Reported by FlawFinder.
drivers/ata/libata-core.c
15 issues
Line: 111
Column: 8
CWE codes:
119
120
Suggestion:
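Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. (Reviewer note: this rule fires on the declaration of a fixed-size char array, not on a write to it; in the excerpt below the only visible writer, module_param_string(), is passed sizeof(ata_force_param_buf) as its limit.)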
static struct ata_force_ent *ata_force_tbl;
static int ata_force_tbl_size;
static char ata_force_param_buf[COMMAND_LINE_SIZE] __initdata;
/* param_buf is thrown away after initialization, disallow read */
module_param_string(force, ata_force_param_buf, sizeof(ata_force_param_buf), 0);
MODULE_PARM_DESC(force, "Force ATA configurations including cable type, link speed and transfer mode (see Documentation/admin-guide/kernel-parameters.rst for details)");
#endif
Reported by FlawFinder.
Line: 1540
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* prepare & issue qc */
qc->tf = *tf;
if (cdb)
memcpy(qc->cdb, cdb, ATAPI_CDB_LEN);
/* some SATA bridges need us to indicate data xfer direction */
if (tf->protocol == ATAPI_PROT_DMA && (dev->flags & ATA_DFLAG_DMADIR) &&
dma_dir == DMA_FROM_DEVICE)
qc->tf.feature |= ATAPI_DMADIR;
Reported by FlawFinder.
Line: 2138
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 *cmds = dev->ncq_send_recv_cmds;
dev->flags |= ATA_DFLAG_NCQ_SEND_RECV;
memcpy(cmds, ap->sector_buf, ATA_LOG_NCQ_SEND_RECV_SIZE);
if (dev->horkage & ATA_HORKAGE_NO_NCQ_TRIM) {
ata_dev_dbg(dev, "disabling queued TRIM support\n");
cmds[ATA_LOG_NCQ_SEND_RECV_DSM_OFFSET] &=
~ATA_LOG_NCQ_SEND_RECV_DSM_TRIM;
Reported by FlawFinder.
Line: 2167
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
u8 *cmds = dev->ncq_non_data_cmds;
memcpy(cmds, ap->sector_buf, ATA_LOG_NCQ_NON_DATA_SIZE);
}
}
static void ata_dev_config_ncq_prio(struct ata_device *dev)
{
Reported by FlawFinder.
Line: 2387
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const u16 *id = dev->id;
unsigned long xfer_mask;
unsigned int err_mask;
char revbuf[7]; /* XYZ-99\0 */
char fwrevbuf[ATA_ID_FW_REV_LEN+1];
char modelbuf[ATA_ID_PROD_LEN+1];
int rc;
if (!ata_dev_enabled(dev) && ata_msg_info(ap)) {
Reported by FlawFinder.
Line: 2388
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long xfer_mask;
unsigned int err_mask;
char revbuf[7]; /* XYZ-99\0 */
char fwrevbuf[ATA_ID_FW_REV_LEN+1];
char modelbuf[ATA_ID_PROD_LEN+1];
int rc;
if (!ata_dev_enabled(dev) && ata_msg_info(ap)) {
ata_dev_info(dev, "%s: ENTER/EXIT -- nodev\n", __func__);
Reported by FlawFinder.
Line: 2389
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int err_mask;
char revbuf[7]; /* XYZ-99\0 */
char fwrevbuf[ATA_ID_FW_REV_LEN+1];
char modelbuf[ATA_ID_PROD_LEN+1];
int rc;
if (!ata_dev_enabled(dev) && ata_msg_info(ap)) {
ata_dev_info(dev, "%s: ENTER/EXIT -- nodev\n", __func__);
return 0;
Reported by FlawFinder.
Line: 2512
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (ata_id_has_lba(id)) {
const char *lba_desc;
char ncq_desc[24];
lba_desc = "LBA";
dev->flags |= ATA_DFLAG_LBA;
if (ata_id_has_lba48(id)) {
dev->flags |= ATA_DFLAG_LBA48;
Reported by FlawFinder.
Line: 3122
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int ata_down_xfermask_limit(struct ata_device *dev, unsigned int sel)
{
char buf[32];
unsigned long orig_mask, xfer_mask;
unsigned long pio_mask, mwdma_mask, udma_mask;
int quiet, highbit;
quiet = !!(sel & ATA_DNXFER_QUIET);
Reported by FlawFinder.
Line: 3609
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const u16 *new_id)
{
const u16 *old_id = dev->id;
unsigned char model[2][ATA_ID_PROD_LEN + 1];
unsigned char serial[2][ATA_ID_SERNO_LEN + 1];
if (dev->class != new_class) {
ata_dev_info(dev, "class mismatch %d != %d\n",
dev->class, new_class);
Reported by FlawFinder.
fs/nfsd/vfs.c
15 issues
Line: 607
Column: 7
CWE codes:
362/367!
Suggestion:
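Set up the correct permissions (e.g., using setuid()) and try to open the file directly. (Reviewer note: this advice is written for the access() system call; in the excerpt below `access` is a struct member name and no such call appears, so the finding looks like an identifier-name match to be confirmed and closed.)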
* Check server access rights to a file system object
*/
/*
 * Pairs one access bit (@access) with a permission value (@how); the table
 * entries that follow use NFS3_ACCESS_* and NFSD_MAY_* constants for them.
 * NOTE(review): `access` here is a struct member. The CWE-362/367 finding
 * attached to this line concerns the access() call, which does not appear in
 * this excerpt - looks like an identifier-name match, confirm and close.
 */
struct accessmap {
u32 access;
int how;
};
static struct accessmap nfs3_regaccess[] = {
{ NFS3_ACCESS_READ, NFSD_MAY_READ },
{ NFS3_ACCESS_EXECUTE, NFSD_MAY_EXEC },
Reported by FlawFinder.
Line: 658
Column: 62
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
};
__be32
nfsd_access(struct svc_rqst *rqstp, struct svc_fh *fhp, u32 *access, u32 *supported)
{
struct accessmap *map;
struct svc_export *export;
struct dentry *dentry;
u32 query, result = 0, sresult = 0;
Reported by FlawFinder.
Line: 681
Column: 11
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
map = nfs3_anyaccess;
query = *access;
for (; map->access; map++) {
if (map->access & query) {
__be32 err2;
sresult |= map->access;
Reported by FlawFinder.
Line: 682
Column: 15
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
query = *access;
for (; map->access; map++) {
if (map->access & query) {
__be32 err2;
sresult |= map->access;
Reported by FlawFinder.
Line: 683
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
query = *access;
for (; map->access; map++) {
if (map->access & query) {
__be32 err2;
sresult |= map->access;
err2 = nfsd_permission(rqstp, export, dentry, map->how);
Reported by FlawFinder.
Line: 686
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (map->access & query) {
__be32 err2;
sresult |= map->access;
err2 = nfsd_permission(rqstp, export, dentry, map->how);
switch (err2) {
case nfs_ok:
result |= map->access;
Reported by FlawFinder.
Line: 691
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
err2 = nfsd_permission(rqstp, export, dentry, map->how);
switch (err2) {
case nfs_ok:
result |= map->access;
break;
/* the following error codes just mean the access was not allowed,
* rather than an error occurred */
case nfserr_rofs:
Reported by FlawFinder.
Line: 716
Column: 52
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
}
#endif /* CONFIG_NFSD_V3 */
int nfsd_open_break_lease(struct inode *inode, int access)
{
unsigned int mode;
if (access & NFSD_MAY_NOT_BREAK_LEASE)
return 0;
Reported by FlawFinder.
Line: 720
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
{
unsigned int mode;
if (access & NFSD_MAY_NOT_BREAK_LEASE)
return 0;
mode = (access & NFSD_MAY_WRITE) ? O_WRONLY : O_RDONLY;
return break_lease(inode, mode | O_NONBLOCK);
}
Reported by FlawFinder.
Line: 722
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (access & NFSD_MAY_NOT_BREAK_LEASE)
return 0;
mode = (access & NFSD_MAY_WRITE) ? O_WRONLY : O_RDONLY;
return break_lease(inode, mode | O_NONBLOCK);
}
/*
* Open an existing file or directory.
Reported by FlawFinder.
drivers/firmware/efi/efi.c
15 issues
Line: 124
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -EINVAL;
if (efi.acpi20 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI20=0x%lx\n", efi.acpi20);
if (efi.acpi != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI=0x%lx\n", efi.acpi);
/*
* If both SMBIOS and SMBIOS3 entry points are implemented, the
* SMBIOS3 entry point shall be preferred, so we list it first to
Reported by FlawFinder.
Line: 126
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (efi.acpi20 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI20=0x%lx\n", efi.acpi20);
if (efi.acpi != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "ACPI=0x%lx\n", efi.acpi);
/*
* If both SMBIOS and SMBIOS3 entry points are implemented, the
* SMBIOS3 entry point shall be preferred, so we list it first to
* let applications stop parsing after the first match.
*/
Reported by FlawFinder.
Line: 133
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* let applications stop parsing after the first match.
*/
if (efi.smbios3 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS3=0x%lx\n", efi.smbios3);
if (efi.smbios != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS=0x%lx\n", efi.smbios);
if (IS_ENABLED(CONFIG_IA64) || IS_ENABLED(CONFIG_X86))
str = efi_systab_show_arch(str);
Reported by FlawFinder.
Line: 135
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (efi.smbios3 != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS3=0x%lx\n", efi.smbios3);
if (efi.smbios != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "SMBIOS=0x%lx\n", efi.smbios);
if (IS_ENABLED(CONFIG_IA64) || IS_ENABLED(CONFIG_X86))
str = efi_systab_show_arch(str);
return str - buf;
Reported by FlawFinder.
Line: 148
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * sysfs show callback: writes "64\n" or "32\n" to @buf depending on
 * efi_enabled(EFI_64BIT) and returns the character count from sprintf().
 * @kobj and @attr are not used.
 *
 * NOTE(review): the output is always three characters plus the terminator, so
 * the flagged sprintf() cannot overrun any realistically sized @buf;
 * sysfs_emit() is the usual replacement that makes the bound explicit.
 */
static ssize_t fw_platform_size_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
return sprintf(buf, "%d\n", efi_enabled(EFI_64BIT) ? 64 : 32);
}
extern __weak struct kobj_attribute efi_attr_fw_vendor;
extern __weak struct kobj_attribute efi_attr_runtime;
extern __weak struct kobj_attribute efi_attr_config_table;
Reported by FlawFinder.
Line: 200
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_EFI_CUSTOM_SSDT_OVERLAYS
#define EFIVAR_SSDT_NAME_MAX 16
static char efivar_ssdt[EFIVAR_SSDT_NAME_MAX] __initdata;
static int __init efivar_ssdt_setup(char *str)
{
int ret = security_locked_down(LOCKDOWN_ACPI_TABLES);
if (ret)
Reported by FlawFinder.
Line: 209
Column: 3
CWE codes:
120
Suggestion:
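Make sure destination can always hold the source data. (Reviewer note: the excerpt below already guards this copy with strlen(str) < sizeof(efivar_ssdt), and over-long names take the pr_warn() branch instead of being copied.)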
return ret;
if (strlen(str) < sizeof(efivar_ssdt))
memcpy(efivar_ssdt, str, strlen(str));
else
pr_warn("efivar_ssdt: name too long: %s\n", str);
return 0;
}
__setup("efivar_ssdt=", efivar_ssdt_setup);
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct efivar_entry *entry;
struct list_head *list = data;
char utf8_name[EFIVAR_SSDT_NAME_MAX];
int limit = min_t(unsigned long, EFIVAR_SSDT_NAME_MAX, name_size);
ucs2_as_utf8(utf8_name, name, limit - 1);
if (strncmp(utf8_name, efivar_ssdt, limit) != 0)
return 0;
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!entry)
return 0;
memcpy(entry->var.VariableName, name, name_size);
memcpy(&entry->var.VendorGuid, &vendor, sizeof(efi_guid_t));
efivar_entry_add(entry, list);
return 0;
Reported by FlawFinder.
Line: 233
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
memcpy(entry->var.VariableName, name, name_size);
memcpy(&entry->var.VendorGuid, &vendor, sizeof(efi_guid_t));
efivar_entry_add(entry, list);
return 0;
}
Reported by FlawFinder.
drivers/pinctrl/pinctrl-single.c
15 issues
Line: 1804
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_init(&pcs->mutex);
INIT_LIST_HEAD(&pcs->gpiofuncs);
pcs->flags = soc->flags;
memcpy(&pcs->socdata, soc, sizeof(*soc));
ret = of_property_read_u32(np, "pinctrl-single,register-width",
&pcs->width);
if (ret) {
dev_err(pcs->dev, "register width not specified\n");
Reported by FlawFinder.
Line: 206
Column: 13
CWE codes:
120
20
struct irq_chip chip;
struct irq_domain *domain;
struct pinctrl_desc desc;
unsigned (*read)(void __iomem *reg);
void (*write)(unsigned val, void __iomem *reg);
};
#define PCS_QUIRK_HAS_SHARED_IRQ (pcs->flags & PCS_QUIRK_SHARED_IRQ)
#define PCS_HAS_IRQ (pcs->flags & PCS_FEAT_IRQ)
Reported by FlawFinder.
Line: 306
Column: 13
CWE codes:
120
20
pcs = pinctrl_dev_get_drvdata(pctldev);
offset = pcs_pin_reg_offset_get(pcs, pin);
val = pcs->read(pcs->base + offset);
if (pcs->bits_per_mux)
val &= pcs->fmask << pcs_pin_shift_reg_get(pcs, pin);
pa = pcs->res->start + offset;
Reported by FlawFinder.
Line: 389
Column: 14
CWE codes:
120
20
vals = &func->vals[i];
raw_spin_lock_irqsave(&pcs->lock, flags);
val = pcs->read(vals->reg);
if (pcs->bits_per_mux)
mask = vals->mask;
else
mask = pcs->fmask;
Reported by FlawFinder.
Line: 430
Column: 16
CWE codes:
120
20
if (pcs->bits_per_mux) {
int pin_shift = pcs_pin_shift_reg_get(pcs, pin);
data = pcs->read(pcs->base + offset);
data &= ~(pcs->fmask << pin_shift);
data |= frange->gpiofunc << pin_shift;
pcs->write(data, pcs->base + offset);
} else {
data = pcs->read(pcs->base + offset);
Reported by FlawFinder.
Line: 435
Column: 16
CWE codes:
120
20
data |= frange->gpiofunc << pin_shift;
pcs->write(data, pcs->base + offset);
} else {
data = pcs->read(pcs->base + offset);
data &= ~pcs->fmask;
data |= frange->gpiofunc;
pcs->write(data, pcs->base + offset);
}
break;
Reported by FlawFinder.
Line: 509
Column: 15
CWE codes:
120
20
}
offset = pin * (pcs->width / BITS_PER_BYTE);
data = pcs->read(pcs->base + offset) & func->conf[i].mask;
switch (func->conf[i].param) {
/* 4 parameters */
case PIN_CONFIG_BIAS_PULL_DOWN:
case PIN_CONFIG_BIAS_PULL_UP:
case PIN_CONFIG_INPUT_SCHMITT_ENABLE:
Reported by FlawFinder.
Line: 568
Column: 16
CWE codes:
120
20
continue;
offset = pin * (pcs->width / BITS_PER_BYTE);
data = pcs->read(pcs->base + offset);
arg = pinconf_to_config_argument(configs[j]);
switch (func->conf[i].param) {
/* 2 parameters */
case PIN_CONFIG_INPUT_SCHMITT:
case PIN_CONFIG_DRIVE_STRENGTH:
Reported by FlawFinder.
Line: 699
Column: 14
CWE codes:
120
20
if (pcs_soc->irq_enable_mask) {
unsigned val;
val = pcs->read(pcs->base + offset);
if (val & pcs_soc->irq_enable_mask) {
dev_dbg(pcs->dev, "irq enabled at boot for pin at %lx (%x), clearing\n",
(unsigned long)pcs->res->start + offset, val);
val &= ~pcs_soc->irq_enable_mask;
pcs->write(val, pcs->base + offset);
Reported by FlawFinder.
Line: 1414
Column: 15
CWE codes:
120
20
soc_mask = pcs_soc->irq_enable_mask;
raw_spin_lock(&pcs->lock);
mask = pcs->read(pcswi->reg);
if (enable)
mask |= soc_mask;
else
mask &= ~soc_mask;
pcs->write(mask, pcswi->reg);
Reported by FlawFinder.
drivers/sbus/char/envctrl.c
15 issues
Line: 383
CWE codes:
788
/* Read data from address and port. */
data = envctrl_i2c_read_8591((unsigned char)pchild->addr,
(unsigned char)pchild->chnl_array[i].chnl_no);
/* Find decoding table. */
tbl = pchild->tables + pchild->tblprop_array[i].offset;
return envctrl_i2c_data_translate(data, pchild->tblprop_array[i].type,
Reported by Cppcheck.
Line: 386
CWE codes:
788
(unsigned char)pchild->chnl_array[i].chnl_no);
/* Find decoding table. */
tbl = pchild->tables + pchild->tblprop_array[i].offset;
return envctrl_i2c_data_translate(data, pchild->tblprop_array[i].type,
pchild->tblprop_array[i].scale,
tbl, bufdata);
}
Reported by Cppcheck.
Line: 388
CWE codes:
788
/* Find decoding table. */
tbl = pchild->tables + pchild->tblprop_array[i].offset;
return envctrl_i2c_data_translate(data, pchild->tblprop_array[i].type,
pchild->tblprop_array[i].scale,
tbl, bufdata);
}
/* Function Description: Read noncpu-related data such as motherboard
Reported by Cppcheck.
Line: 389
CWE codes:
788
tbl = pchild->tables + pchild->tblprop_array[i].offset;
return envctrl_i2c_data_translate(data, pchild->tblprop_array[i].type,
pchild->tblprop_array[i].scale,
tbl, bufdata);
}
/* Function Description: Read noncpu-related data such as motherboard
* temperature.
Reported by Cppcheck.
Line: 168
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Properties of all monitor channels. */
unsigned int total_tbls; /* Number of monitor tables. */
char *tables; /* Pointer to table(s). */
char chnls_desc[CHANNEL_DESC_SZ]; /* Channel description. */
char mon_type[PCF8584_MAX_CHANNELS];
};
static void __iomem *i2c;
static struct i2c_child_t i2c_childlist[ENVCTRL_MAX_CPU*2];
Reported by FlawFinder.
Line: 169
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int total_tbls; /* Number of monitor tables. */
char *tables; /* Pointer to table(s). */
char chnls_desc[CHANNEL_DESC_SZ]; /* Channel description. */
char mon_type[PCF8584_MAX_CHANNELS];
};
static void __iomem *i2c;
static struct i2c_child_t i2c_childlist[ENVCTRL_MAX_CPU*2];
static unsigned char chnls_mask[] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80 };
Reported by FlawFinder.
Line: 346
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case ENVCTRL_TRANSLATE_SCALE:
/* Decode this way: data = table[data]/scale */
sprintf(bufdata,"%d ", (tbl[data] * 10) / (scale));
len = strlen(bufdata);
bufdata[len - 1] = bufdata[len - 2];
bufdata[len - 2] = '.';
break;
Reported by FlawFinder.
Line: 540
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
envctrl_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
{
struct i2c_child_t *pchild;
unsigned char data[10];
int ret = 0;
/* Get the type of read as decided in ioctl() call.
* Find the appropriate i2c child.
* Get the data and put back to the user buffer.
Reported by FlawFinder.
Line: 868
Column: 2
CWE codes:
120
Suggestion:
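Make sure destination can always hold the source data. (Reviewer note: in the excerpt below the first copy passes pval and len straight from of_get_property() to memcpy() with no visible NULL check on pval and no comparison of len against the size of pchild->addr; the second copy checks pval && len > 0 but shows no upper bound on len.)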
/* Get device address. */
pval = of_get_property(dp, "reg", &len);
memcpy(&pchild->addr, pval, len);
/* Get tables property. Read firmware temperature tables. */
pval = of_get_property(dp, "translation", &len);
if (pval && len > 0) {
memcpy(pchild->tblprop_array, pval, len);
Reported by FlawFinder.
Line: 873
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Get tables property. Read firmware temperature tables. */
pval = of_get_property(dp, "translation", &len);
if (pval && len > 0) {
memcpy(pchild->tblprop_array, pval, len);
pchild->total_tbls = len / sizeof(struct pcf8584_tblprop);
for (i = 0; i < pchild->total_tbls; i++) {
if ((pchild->tblprop_array[i].size + pchild->tblprop_array[i].offset) > tbls_size) {
tbls_size = pchild->tblprop_array[i].size + pchild->tblprop_array[i].offset;
}
Reported by FlawFinder.
arch/s390/mm/extmem.c
15 issues
Line: 582
Column: 2
CWE codes:
120
Suggestion:
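Use sprintf_s, snprintf, or vsnprintf. (Reviewer note: the sizes of cmd1 and cmd2 are not shown in the excerpt; cmd1 grows by one " %lX-%lX %s" entry per loop iteration, so its worst-case length depends on seg->segcnt and should be checked against the buffer size.)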
goto out;
}
sprintf(cmd1, "DEFSEG %s", name);
for (i=0; i<seg->segcnt; i++) {
sprintf(cmd1+strlen(cmd1), " %lX-%lX %s",
seg->range[i].start >> PAGE_SHIFT,
seg->range[i].end >> PAGE_SHIFT,
segtype_string[seg->range[i].start & 0xff]);
Reported by FlawFinder.
Line: 584
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(cmd1, "DEFSEG %s", name);
for (i=0; i<seg->segcnt; i++) {
sprintf(cmd1+strlen(cmd1), " %lX-%lX %s",
seg->range[i].start >> PAGE_SHIFT,
seg->range[i].end >> PAGE_SHIFT,
segtype_string[seg->range[i].start & 0xff]);
}
sprintf(cmd2, "SAVESEG %s", name);
Reported by FlawFinder.
Line: 589
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
seg->range[i].end >> PAGE_SHIFT,
segtype_string[seg->range[i].start & 0xff]);
}
sprintf(cmd2, "SAVESEG %s", name);
response = 0;
cpcmd(cmd1, NULL, 0, &response);
if (response) {
pr_err("Saving a DCSS failed with DEFSEG response code "
"%i\n", response);
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct qin64 {
char qopcode;
char rsrv1[3];
char qrcode;
char rsrv2[3];
char qname[8];
unsigned int qoutptr;
short int qoutlen;
Reported by FlawFinder.
Line: 56
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char qopcode;
char rsrv1[3];
char qrcode;
char rsrv2[3];
char qname[8];
unsigned int qoutptr;
short int qoutlen;
};
Reported by FlawFinder.
Line: 57
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char rsrv1[3];
char qrcode;
char rsrv2[3];
char qname[8];
unsigned int qoutptr;
short int qoutlen;
};
struct dcss_segment {
Reported by FlawFinder.
Line: 64
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dcss_segment {
struct list_head list;
char dcss_name[8];
char res_name[16];
unsigned long start_addr;
unsigned long end;
refcount_t ref_count;
int do_nonshared;
Reported by FlawFinder.
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dcss_segment {
struct list_head list;
char dcss_name[8];
char res_name[16];
unsigned long start_addr;
unsigned long end;
refcount_t ref_count;
int do_nonshared;
unsigned int vm_segtype;
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct dcss_segment *
segment_by_name (char *name)
{
char dcss_name[9];
struct list_head *l;
struct dcss_segment *tmp, *retval = NULL;
BUG_ON(!mutex_is_locked(&dcss_lock));
dcss_mkname (name, dcss_name);
Reported by FlawFinder.
Line: 183
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qin->qopcode = DCSS_FINDSEGA;
qin->qoutptr = (unsigned long) qout;
qin->qoutlen = sizeof(struct qout64);
memcpy (qin->qname, seg->dcss_name, 8);
diag_cc = dcss_diag(&segext_scode, qin, &dummy, &vmrc);
if (diag_cc < 0) {
rc = diag_cc;
Reported by FlawFinder.
drivers/scsi/qla2xxx/qla_dbg.c
15 issues
Line: 94
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct req_que *req = ha->req_q_map[0];
struct rsp_que *rsp = ha->rsp_q_map[0];
/* Request queue. */
memcpy(ptr, req->ring, req->length *
sizeof(request_t));
/* Response queue. */
ptr += req->length * sizeof(request_t);
memcpy(ptr, rsp->ring, rsp->length *
Reported by FlawFinder.
Line: 99
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Response queue. */
ptr += req->length * sizeof(request_t);
memcpy(ptr, rsp->ring, rsp->length *
sizeof(response_t));
return ptr + (rsp->length * sizeof(response_t));
}
Reported by FlawFinder.
Line: 479
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ha->eft)
return ptr;
memcpy(ptr, ha->eft, ntohl(ha->fw_dump->eft_size));
return ptr + ntohl(ha->fw_dump->eft_size);
}
static inline void *
qla25xx_copy_fce(struct qla_hw_data *ha, void *ptr, __be32 **last_chain)
Reported by FlawFinder.
Line: 505
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (cnt = 0; cnt < 8; cnt++)
*iter_reg++ = htonl(ha->fce_mb[cnt]);
memcpy(iter_reg, ha->fce, ntohl(fcec->size));
return (char *)iter_reg + ntohl(fcec->size);
}
static inline void *
Reported by FlawFinder.
Line: 527
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
c->addr = cpu_to_be64(ha->exlogin_buf_dma);
ptr += sizeof(struct qla2xxx_offld_chain);
memcpy(ptr, ha->exlogin_buf, ha->exlogin_size);
return (char *)ptr + be32_to_cpu(c->size);
}
static inline void *
Reported by FlawFinder.
Line: 549
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
c->addr = cpu_to_be64(ha->exchoffld_buf_dma);
ptr += sizeof(struct qla2xxx_offld_chain);
memcpy(ptr, ha->exchoffld_buf, ha->exchoffld_size);
return (char *)ptr + be32_to_cpu(c->size);
}
static inline void *
Reported by FlawFinder.
Line: 594
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += sizeof(struct qla2xxx_mqueue_header);
/* Add data. */
memcpy(ptr, aqp->ring, aqp->length * sizeof(request_t));
ptr += aqp->length * sizeof(request_t);
}
return ptr;
Reported by FlawFinder.
Line: 638
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += sizeof(struct qla2xxx_mqueue_header);
/* Add data. */
memcpy(ptr, req->ring, req->length * sizeof(request_t));
ptr += req->length * sizeof(request_t);
}
/* Response queues */
for (que = 1; que < ha->max_rsp_queues; que++) {
Reported by FlawFinder.
Line: 666
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr += sizeof(struct qla2xxx_mqueue_header);
/* Add data. */
memcpy(ptr, rsp->ring, rsp->length * sizeof(response_t));
ptr += rsp->length * sizeof(response_t);
}
return ptr;
}
Reported by FlawFinder.
Line: 2493
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
va_list va;
struct va_format vaf;
char pbuf[64];
va_start(va, fmt);
vaf.fmt = fmt;
vaf.va = &va;
Reported by FlawFinder.
drivers/of/unittest.c
14 issues
Line: 1416
CWE codes:
570
*/
extern uint8_t __dtb_testcases_begin[];
extern uint8_t __dtb_testcases_end[];
const int size = __dtb_testcases_end - __dtb_testcases_begin;
int rc;
void *ret;
if (!size) {
pr_warn("%s: testcases is empty\n", __func__);
Reported by Cppcheck.
Line: 284
Column: 9
CWE codes:
134
Suggestion:
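Use a constant for the format specification. In this excerpt `fmt` is a variable passed to `snprintf` with the single argument `np`; where `fmt` comes from is not shown, so triage depends on whether that string is fixed by the test code or can be influenced from outside it.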
/* Baseline; check conversion with a large size limit */
memset(buf, 0xff, buf_size);
size = snprintf(buf, buf_size - 2, fmt, np);
/* use strcmp() instead of strncmp() here to be absolutely sure strings match */
unittest((strcmp(buf, expected) == 0) && (buf[size+1] == 0xff),
"sprintf failed; fmt='%s' expected='%s' rslt='%s'\n",
fmt, expected, buf);
Reported by FlawFinder.
Line: 296
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
for (i = 0; i < 2; i++, size--) {
/* Clear the buffer, and make sure it works correctly still */
memset(buf, 0xff, buf_size);
snprintf(buf, size+1, fmt, np);
unittest(strncmp(buf, expected, size) == 0 && (buf[size+1] == 0xff),
"snprintf failed; size=%i fmt='%s' expected='%s' rslt='%s'\n",
size, fmt, expected, buf);
}
kfree(buf);
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct device_node *np;
const char *full_name = "/testcase-data/platform-tests/test-device@1/dev@100";
char phandle_str[16] = "";
np = of_find_node_by_path(full_name);
if (!np) {
unittest(np, "testcase data missing\n");
return;
Reported by FlawFinder.
Line: 685
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init of_unittest_property_string(void)
{
const char *strings[4];
struct device_node *np;
int rc;
np = of_find_node_by_path("/testcase-data/phandle-tests/consumer-a");
if (!np) {
Reported by FlawFinder.
Line: 1431
Column: 2
CWE codes:
120
Suggestion:
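Make sure destination can always hold the source data. The destination is `unittest_data` rounded up by `PTR_ALIGN(..., FDT_ALIGN_SIZE)`, so the allocation (not shown in this excerpt) has to cover `size` plus the alignment slack, not just `size`.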
return -ENOMEM;
unittest_data_align = PTR_ALIGN(unittest_data, FDT_ALIGN_SIZE);
memcpy(unittest_data_align, __dtb_testcases_begin, size);
ret = of_fdt_unflatten_tree(unittest_data_align, NULL, &unittest_data_node);
if (!ret) {
pr_warn("%s: unflatten testcases tree failed\n", __func__);
kfree(unittest_data);
Reported by FlawFinder.
Line: 1856
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *unittest_path(int nr, enum overlay_type ovtype)
{
const char *base;
static char buf[256];
switch (ovtype) {
case PDEV_OVERLAY:
base = "/testcase-data/overlay-node/test-bus";
break;
Reported by FlawFinder.
Line: 1891
Column: 9
CWE codes:
119
120
Suggestion:
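Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In this excerpt the only visible write to `buf` is an `snprintf` bounded by `sizeof(buf) - 1`, followed by explicit termination, and `"overlay_%d"` with a formatted `int` is far shorter than 256 bytes; the finding therefore flags the fixed-size declaration itself rather than an unbounded write.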
static const char *overlay_name_from_nr(int nr)
{
static char buf[256];
snprintf(buf, sizeof(buf) - 1,
"overlay_%d", nr);
buf[sizeof(buf) - 1] = '\0';
Reported by FlawFinder.
Line: 2971
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(new_fdt, info->dtb_begin, size);
__unflatten_device_tree(new_fdt, NULL, &overlay_base_root,
dt_alloc_memory, true);
}
Reported by FlawFinder.
Line: 186
Column: 17
CWE codes:
126
/* Add a new property - should pass*/
prop->name = "new-property";
prop->value = "new-property-data";
prop->length = strlen(prop->value) + 1;
unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n");
/* Try to add an existing property - should fail */
prop++;
prop->name = "new-property";
Reported by FlawFinder.