The following issues were found
kernel/params.c
12 issues
Line: 855
CWE codes:
570
struct module_kobject *mk;
int err;
for (vattr = __start___modver; vattr < __stop___modver; vattr++) {
mk = locate_module_kobject(vattr->module_name);
if (mk) {
err = sysfs_create_file(&mk->kobj, &vattr->mattr.attr);
WARN_ON_ONCE(err);
kobject_uevent(&mk->kobj, KOBJ_ADD);
Reported by Cppcheck.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
*(char **)kp->arg = kmalloc_parameter(strlen(val)+1);
if (!*(char **)kp->arg)
return -ENOMEM;
strcpy(*(char **)kp->arg, val);
} else
*(const char **)kp->arg = val;
return 0;
}
Reported by FlawFinder.
Line: 501
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
kp->name, kps->maxlen-1);
return -ENOSPC;
}
strcpy(kps->string, val);
return 0;
}
EXPORT_SYMBOL(param_set_copystring);
int param_get_string(char *buffer, const struct kernel_param *kp)
Reported by FlawFinder.
Line: 302
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_bool(char *buffer, const struct kernel_param *kp)
{
/* Y and N chosen as being relatively non-coder friendly */
return sprintf(buffer, "%c\n", *(bool *)kp->arg ? 'Y' : 'N');
}
EXPORT_SYMBOL(param_get_bool);
const struct kernel_param_ops param_ops_bool = {
.flags = KERNEL_PARAM_OPS_FL_NOARG,
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int param_get_invbool(char *buffer, const struct kernel_param *kp)
{
return sprintf(buffer, "%c\n", (*(bool *)kp->arg) ? 'N' : 'Y');
}
EXPORT_SYMBOL(param_get_invbool);
const struct kernel_param_ops param_ops_invbool = {
.set = param_set_invbool,
Reported by FlawFinder.
Line: 426
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* nul-terminate and parse */
save = val[len];
((char *)val)[len] = '\0';
check_kparam_locked(mod);
ret = set(val, &kp);
if (ret != 0)
return ret;
Reported by FlawFinder.
Line: 816
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct kernel_param *kp;
unsigned int name_len;
char modname[MODULE_NAME_LEN];
for (kp = __start___param; kp < __stop___param; kp++) {
char *dot;
if (kp->perm == 0)
Reported by FlawFinder.
Line: 827
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
dot = strchr(kp->name, '.');
if (!dot) {
/* This happens for core_param() */
strcpy(modname, "kernel");
name_len = 0;
} else {
name_len = dot - kp->name + 1;
strlcpy(modname, kp->name, name_len);
}
Reported by FlawFinder.
Line: 97
Column: 24
CWE codes:
126
bool parameq(const char *a, const char *b)
{
return parameqn(a, b, strlen(a)+1);
}
static bool param_check_unsafe(const struct kernel_param *kp)
{
if (kp->flags & KERNEL_PARAM_FL_HWPARAM &&
Reported by FlawFinder.
Line: 248
Column: 6
CWE codes:
126
int param_set_charp(const char *val, const struct kernel_param *kp)
{
if (strlen(val) > 1024) {
pr_err("%s: string parameter too long\n", kp->name);
return -ENOSPC;
}
maybe_kfree_parameter(*(char **)kp->arg);
Reported by FlawFinder.
arch/s390/tools/gen_opcode_table.c
12 issues
Line: 138
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char *base_format, **ptr;
int i;
strcpy(tmp, format);
base_format = tmp;
base_format = strsep(&base_format, "_");
for (i = 0; i < sizeof(insn_type_table) / sizeof(insn_type_table[0]); i++) {
ptr = insn_type_table[i].format;
while (*ptr) {
Reported by FlawFinder.
Line: 158
Column: 8
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
int rc, i;
while (1) {
rc = scanf("%s %s %s", insn.opcode, insn.name, insn.format);
if (rc == EOF)
break;
if (rc != 3)
exit(EXIT_FAILURE);
insn.type = insn_format_to_type(insn.format);
Reported by FlawFinder.
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct insn {
struct insn_type *type;
char opcode[STRING_SIZE_MAX];
char name[STRING_SIZE_MAX];
char upper[STRING_SIZE_MAX];
char format[STRING_SIZE_MAX];
unsigned int name_len;
};
Reported by FlawFinder.
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct insn {
struct insn_type *type;
char opcode[STRING_SIZE_MAX];
char name[STRING_SIZE_MAX];
char upper[STRING_SIZE_MAX];
char format[STRING_SIZE_MAX];
unsigned int name_len;
};
Reported by FlawFinder.
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct insn_type *type;
char opcode[STRING_SIZE_MAX];
char name[STRING_SIZE_MAX];
char upper[STRING_SIZE_MAX];
char format[STRING_SIZE_MAX];
unsigned int name_len;
};
struct insn_group {
Reported by FlawFinder.
Line: 27
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char opcode[STRING_SIZE_MAX];
char name[STRING_SIZE_MAX];
char upper[STRING_SIZE_MAX];
char format[STRING_SIZE_MAX];
unsigned int name_len;
};
struct insn_group {
struct insn_type *type;
Reported by FlawFinder.
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct insn_type *type;
int offset;
int count;
char opcode[2];
};
struct insn_format {
char *format;
int type;
Reported by FlawFinder.
Line: 134
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct insn_type *insn_format_to_type(char *format)
{
char tmp[STRING_SIZE_MAX];
char *base_format, **ptr;
int i;
strcpy(tmp, format);
base_format = tmp;
Reported by FlawFinder.
Line: 260
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!desc->group)
exit(EXIT_FAILURE);
group = &desc->group[desc->nr_groups - 1];
memcpy(group->opcode, insn->opcode, 2);
group->type = insn->type;
group->offset = offset;
group->count = 1;
}
Reported by FlawFinder.
Line: 273
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_opcode_table(struct gen_opcode *desc)
{
char opcode[2] = "";
struct insn *insn;
int i, offset;
qsort(desc->insn, desc->nr, sizeof(*desc->insn), cmpopcode);
printf("#define OPCODE_TABLE_INITIALIZER { \\\n");
Reported by FlawFinder.
drivers/crypto/mxs-dcp.c
12 issues
Line: 307
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
actx->fill = 0;
/* Copy the key from the temporary location. */
memcpy(key, actx->key, actx->key_len);
if (!rctx->ecb) {
/* Copy the CBC IV just past the key. */
memcpy(key + AES_KEYSIZE_128, req->iv, AES_KEYSIZE_128);
/* CBC needs the INIT set. */
Reported by FlawFinder.
Line: 311
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!rctx->ecb) {
/* Copy the CBC IV just past the key. */
memcpy(key + AES_KEYSIZE_128, req->iv, AES_KEYSIZE_128);
/* CBC needs the INIT set. */
init = 1;
} else {
memset(key + AES_KEYSIZE_128, 0, AES_KEYSIZE_128);
}
Reported by FlawFinder.
Line: 333
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
clen = len;
memcpy(in_buf + actx->fill, src_buf, clen);
len -= clen;
src_buf += clen;
actx->fill += clen;
/*
Reported by FlawFinder.
Line: 359
Column: 6
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rem = min(sg_dma_len(dst) - dst_off,
actx->fill);
memcpy(dst_buf + dst_off, out_tmp, rem);
out_tmp += rem;
dst_off += rem;
actx->fill -= rem;
if (dst_off == sg_dma_len(dst)) {
Reported by FlawFinder.
Line: 381
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy the IV for CBC for chaining */
if (!rctx->ecb) {
if (rctx->enc)
memcpy(req->iv, out_buf+(last_out_len-AES_BLOCK_SIZE),
AES_BLOCK_SIZE);
else
memcpy(req->iv, in_buf+(last_out_len-AES_BLOCK_SIZE),
AES_BLOCK_SIZE);
}
Reported by FlawFinder.
Line: 384
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(req->iv, out_buf+(last_out_len-AES_BLOCK_SIZE),
AES_BLOCK_SIZE);
else
memcpy(req->iv, in_buf+(last_out_len-AES_BLOCK_SIZE),
AES_BLOCK_SIZE);
}
return ret;
}
Reported by FlawFinder.
Line: 505
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
actx->key_len = len;
if (len == AES_KEYSIZE_128) {
memcpy(actx->key, key, len);
return 0;
}
/*
* If the requested AES key size is not supported by the hardware,
Reported by FlawFinder.
Line: 583
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const uint8_t *sha_buf =
(actx->alg == MXS_DCP_CONTROL1_HASH_SELECT_SHA1) ?
sha1_null_hash : sha256_null_hash;
memcpy(sdcp->coh->sha_out_buf, sha_buf, halg->digestsize);
ret = 0;
goto done_run;
}
/* Set HASH_TERM bit for last transfer block. */
Reported by FlawFinder.
Line: 816
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(rctx, 0, sizeof(struct dcp_sha_req_ctx));
memset(actx, 0, sizeof(struct dcp_async_ctx));
memcpy(rctx, &export->req_ctx, sizeof(struct dcp_sha_req_ctx));
memcpy(actx, &export->async_ctx, sizeof(struct dcp_async_ctx));
return 0;
}
Reported by FlawFinder.
Line: 817
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(rctx, 0, sizeof(struct dcp_sha_req_ctx));
memset(actx, 0, sizeof(struct dcp_async_ctx));
memcpy(rctx, &export->req_ctx, sizeof(struct dcp_sha_req_ctx));
memcpy(actx, &export->async_ctx, sizeof(struct dcp_async_ctx));
return 0;
}
static int dcp_sha_export(struct ahash_request *req, void *out)
Reported by FlawFinder.
tools/perf/util/hist.c
12 issues
Line: 679
Column: 16
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
{
unsigned thresh = -high % high;
for (;;) {
unsigned r = random();
if (r >= thresh)
return r % high;
}
}
Reported by FlawFinder.
Line: 450
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
he->stat_acc = malloc(sizeof(he->stat));
if (he->stat_acc == NULL)
return -ENOMEM;
memcpy(he->stat_acc, &he->stat, sizeof(he->stat));
if (!sample_self)
memset(&he->stat, 0, sizeof(he->stat));
}
map__get(he->ms.map);
Reported by FlawFinder.
Line: 467
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (he->branch_info == NULL)
goto err;
memcpy(he->branch_info, template->branch_info,
sizeof(*he->branch_info));
map__get(he->branch_info->from.ms.map);
map__get(he->branch_info->to.ms.map);
}
Reported by FlawFinder.
Line: 2717
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u64 nr_events = hists->stats.total_period;
struct evsel *evsel = hists_to_evsel(hists);
const char *ev_name = evsel__name(evsel);
char buf[512], sample_freq_str[64] = "";
size_t buflen = sizeof(buf);
char ref[30] = " show reference callgraph, ";
bool enable_ref = false;
if (symbol_conf.filter_relative) {
Reported by FlawFinder.
Line: 2719
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *ev_name = evsel__name(evsel);
char buf[512], sample_freq_str[64] = "";
size_t buflen = sizeof(buf);
char ref[30] = " show reference callgraph, ";
bool enable_ref = false;
if (symbol_conf.filter_relative) {
nr_samples = hists->stats.nr_non_filtered_samples;
nr_events = hists->stats.total_non_filtered_period;
Reported by FlawFinder.
Line: 146
Column: 6
CWE codes:
126
if (h->branch_info->srcline_from)
hists__new_col_len(hists, HISTC_SRCLINE_FROM,
strlen(h->branch_info->srcline_from));
if (h->branch_info->srcline_to)
hists__new_col_len(hists, HISTC_SRCLINE_TO,
strlen(h->branch_info->srcline_to));
}
Reported by FlawFinder.
Line: 149
Column: 6
CWE codes:
126
strlen(h->branch_info->srcline_from));
if (h->branch_info->srcline_to)
hists__new_col_len(hists, HISTC_SRCLINE_TO,
strlen(h->branch_info->srcline_to));
}
if (h->mem_info) {
if (h->mem_info->daddr.ms.sym) {
symlen = (int)h->mem_info->daddr.ms.sym->namelen + 4
Reported by FlawFinder.
Line: 222
Column: 13
CWE codes:
126
hists__new_col_len(hists, HISTC_CODE_PAGE_SIZE, 6);
if (h->srcline) {
len = MAX(strlen(h->srcline), strlen(sort_srcline.se_header));
hists__new_col_len(hists, HISTC_SRCLINE, len);
}
if (h->srcfile)
hists__new_col_len(hists, HISTC_SRCFILE, strlen(h->srcfile));
Reported by FlawFinder.
Line: 222
Column: 33
CWE codes:
126
hists__new_col_len(hists, HISTC_CODE_PAGE_SIZE, 6);
if (h->srcline) {
len = MAX(strlen(h->srcline), strlen(sort_srcline.se_header));
hists__new_col_len(hists, HISTC_SRCLINE, len);
}
if (h->srcfile)
hists__new_col_len(hists, HISTC_SRCFILE, strlen(h->srcfile));
Reported by FlawFinder.
Line: 227
Column: 44
CWE codes:
126
}
if (h->srcfile)
hists__new_col_len(hists, HISTC_SRCFILE, strlen(h->srcfile));
if (h->transaction)
hists__new_col_len(hists, HISTC_TRANSACTION,
hist_entry__transaction_len());
Reported by FlawFinder.
drivers/net/ethernet/jme.c
11 issues
Line: 534
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
jwrite32(jme, JME_GPREG1, jme->reg_gpreg1);
strcat(linkmsg, (phylink & PHY_LINK_DUPLEX) ?
"Full-Duplex, " :
"Half-Duplex, ");
strcat(linkmsg, (phylink & PHY_LINK_MDI_STAT) ?
"MDI-X" :
"MDI");
Reported by FlawFinder.
Line: 537
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
strcat(linkmsg, (phylink & PHY_LINK_DUPLEX) ?
"Full-Duplex, " :
"Half-Duplex, ");
strcat(linkmsg, (phylink & PHY_LINK_MDI_STAT) ?
"MDI-X" :
"MDI");
netif_info(jme, link, jme->dev, "Link is up at %s\n", linkmsg);
netif_carrier_on(netdev);
} else {
Reported by FlawFinder.
Line: 304
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
jme_load_macaddr(struct net_device *netdev)
{
struct jme_adapter *jme = netdev_priv(netdev);
unsigned char macaddr[ETH_ALEN];
u32 val;
spin_lock_bh(&jme->macaddr_lock);
val = jread32(jme, JME_RXUMA_LO);
macaddr[0] = (val >> 0) & 0xFF;
Reported by FlawFinder.
Line: 316
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
val = jread32(jme, JME_RXUMA_HI);
macaddr[4] = (val >> 0) & 0xFF;
macaddr[5] = (val >> 8) & 0xFF;
memcpy(netdev->dev_addr, macaddr, ETH_ALEN);
spin_unlock_bh(&jme->macaddr_lock);
}
static inline void
jme_set_rx_pcc(struct jme_adapter *jme, int p)
Reported by FlawFinder.
Line: 414
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct jme_adapter *jme = netdev_priv(netdev);
u32 phylink, cnt = JME_SPDRSV_TIMEOUT, bmcr;
char linkmsg[64];
int rc = 0;
linkmsg[0] = '\0';
if (jme->fpgaver)
Reported by FlawFinder.
Line: 446
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
phylink |= (bmcr & BMCR_FULLDPLX) ?
PHY_LINK_DUPLEX : 0;
strcat(linkmsg, "Forced: ");
} else {
/*
* Keep polling for speed/duplex resolve complete
*/
while (!(phylink & PHY_LINK_SPEEDDPU_RESOLVED) &&
Reported by FlawFinder.
Line: 464
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (!cnt)
pr_err("Waiting speed resolve timeout\n");
strcat(linkmsg, "ANed: ");
}
if (jme->phylink == phylink) {
rc = 1;
goto out;
Reported by FlawFinder.
Line: 483
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
switch (phylink & PHY_LINK_SPEED_MASK) {
case PHY_LINK_SPEED_10M:
jme->reg_ghc |= GHC_SPEED_10M;
strcat(linkmsg, "10 Mbps, ");
break;
case PHY_LINK_SPEED_100M:
jme->reg_ghc |= GHC_SPEED_100M;
strcat(linkmsg, "100 Mbps, ");
break;
Reported by FlawFinder.
Line: 487
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
break;
case PHY_LINK_SPEED_100M:
jme->reg_ghc |= GHC_SPEED_100M;
strcat(linkmsg, "100 Mbps, ");
break;
case PHY_LINK_SPEED_1000M:
jme->reg_ghc |= GHC_SPEED_1000M;
strcat(linkmsg, "1000 Mbps, ");
break;
Reported by FlawFinder.
Line: 491
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
break;
case PHY_LINK_SPEED_1000M:
jme->reg_ghc |= GHC_SPEED_1000M;
strcat(linkmsg, "1000 Mbps, ");
break;
default:
break;
}
Reported by FlawFinder.
kernel/debug/kdb/kdb_support.c
11 issues
Line: 303
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char *s = kmalloc(n, type);
if (!s)
return NULL;
return strcpy(s, str);
}
/*
* kdb_getarea_size - Read an area of data. The kdb equivalent of
* copy_from_user, with kdb messages for invalid addresses.
Reported by FlawFinder.
Line: 55
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
EXPORT_SYMBOL(kdbgetsymval);
static char *kdb_name_table[100]; /* arbitrary size */
/*
* kdbnearsym - Return the name of the symbol with the nearest address
* less than 'addr'.
*
Reported by FlawFinder.
Line: 162
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
}
static char ks_namebuf[KSYM_NAME_LEN+1], ks_namebuf_prev[KSYM_NAME_LEN+1];
/*
* kallsyms_symbol_complete
*
* Parameters:
Reported by FlawFinder.
Line: 190
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (++number == 1) {
prev_len = min_t(int, max_len-1,
strlen(ks_namebuf));
memcpy(ks_namebuf_prev, ks_namebuf, prev_len);
ks_namebuf_prev[prev_len] = '\0';
continue;
}
for (i = 0; i < prev_len; i++) {
if (ks_namebuf[i] != ks_namebuf_prev[i]) {
Reported by FlawFinder.
Line: 204
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
}
if (prev_len > prefix_len)
memcpy(prefix_name, ks_namebuf_prev, prev_len+1);
return number;
}
/*
* kallsyms_symbol_next
Reported by FlawFinder.
Line: 378
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 1;
page = pfn_to_page(pfn);
vaddr = kmap_atomic(page);
memcpy(res, vaddr + (addr & (PAGE_SIZE - 1)), size);
kunmap_atomic(vaddr);
return 0;
}
Reported by FlawFinder.
Line: 115
Column: 4
CWE codes:
120
* What was Rusty smoking when he wrote that code?
*/
if (symtab->sym_name != knt1) {
strncpy(knt1, symtab->sym_name, knt1_size);
knt1[knt1_size-1] = '\0';
}
for (i = 0; i < ARRAY_SIZE(kdb_name_table); ++i) {
if (kdb_name_table[i] &&
strcmp(kdb_name_table[i], knt1) == 0)
Reported by FlawFinder.
Line: 179
Column: 19
CWE codes:
126
int kallsyms_symbol_complete(char *prefix_name, int max_len)
{
loff_t pos = 0;
int prefix_len = strlen(prefix_name), prev_len = 0;
int i, number = 0;
const char *name;
while ((name = kdb_walk_kallsyms(&pos))) {
if (strncmp(name, prefix_name, prefix_len) == 0) {
Reported by FlawFinder.
Line: 189
Column: 8
CWE codes:
126
/* Work out the longest name that matches the prefix */
if (++number == 1) {
prev_len = min_t(int, max_len-1,
strlen(ks_namebuf));
memcpy(ks_namebuf_prev, ks_namebuf, prev_len);
ks_namebuf_prev[prev_len] = '\0';
continue;
}
for (i = 0; i < prev_len; i++) {
Reported by FlawFinder.
Line: 222
Column: 19
CWE codes:
126
*/
int kallsyms_symbol_next(char *prefix_name, int flag, int buf_size)
{
int prefix_len = strlen(prefix_name);
static loff_t pos;
const char *name;
if (!flag)
pos = 0;
Reported by FlawFinder.
drivers/video/logo/pnmtologo.c
11 issues
Line: 80
Column: 54
CWE codes:
134
Suggestion:
Use a constant for the format specification
static int is_plain_pbm = 0;
static void die(const char *fmt, ...)
__attribute__ ((noreturn)) __attribute ((format (printf, 1, 2)));
static void usage(void) __attribute ((noreturn));
static unsigned int get_number(FILE *fp)
{
Reported by FlawFinder.
Line: 424
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, fmt);
vfprintf(stderr, fmt, ap);
va_end(ap);
exit(1);
}
Reported by FlawFinder.
Line: 455
Column: 8
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
opterr = 0;
while (1) {
opt = getopt(argc, argv, "hn:o:t:");
if (opt == -1)
break;
switch (opt) {
case 'h':
Reported by FlawFinder.
Line: 36
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define LINUX_LOGO_CLUT224 3 /* 224 colors */
#define LINUX_LOGO_GRAY256 4 /* 256 levels grayscale */
static const char *logo_types[LINUX_LOGO_GRAY256+1] = {
[LINUX_LOGO_MONO] = "LINUX_LOGO_MONO",
[LINUX_LOGO_VGA16] = "LINUX_LOGO_VGA16",
[LINUX_LOGO_CLUT224] = "LINUX_LOGO_CLUT224",
[LINUX_LOGO_GRAY256] = "LINUX_LOGO_GRAY256"
};
Reported by FlawFinder.
Line: 133
Column: 10
CWE codes:
362
unsigned int maxval;
/* open image file */
fp = fopen(filename, "r");
if (!fp)
die("Cannot open file %s: %s\n", filename, strerror(errno));
/* check file type and read file header */
magic = fgetc(fp);
Reported by FlawFinder.
Line: 232
Column: 8
CWE codes:
362
{
/* open logo file */
if (outputname) {
out = fopen(outputname, "w");
if (!out)
die("Cannot create file %s: %s\n", outputname, strerror(errno));
} else {
out = stdout;
}
Reported by FlawFinder.
Line: 90
Column: 6
CWE codes:
120
20
/* Skip leading whitespace */
do {
c = fgetc(fp);
if (c == EOF)
die("%s: end of file\n", filename);
if (c == '#') {
/* Ignore comments 'till end of line */
do {
Reported by FlawFinder.
Line: 96
Column: 7
CWE codes:
120
20
if (c == '#') {
/* Ignore comments 'till end of line */
do {
c = fgetc(fp);
if (c == EOF)
die("%s: end of file\n", filename);
} while (c != '\n');
}
} while (isspace(c));
Reported by FlawFinder.
Line: 138
Column: 13
CWE codes:
120
20
die("Cannot open file %s: %s\n", filename, strerror(errno));
/* check file type and read file header */
magic = fgetc(fp);
if (magic != 'P')
die("%s is not a PNM file\n", filename);
magic = fgetc(fp);
switch (magic) {
case '1':
Reported by FlawFinder.
drivers/net/ethernet/intel/ixgbevf/ethtool.c
11 issues
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
enum {NETDEV_STATS, IXGBEVF_STATS};
struct ixgbe_stats {
char stat_string[ETH_GSTRING_LEN];
int type;
int sizeof_stat;
int stat_offset;
};
Reported by FlawFinder.
Line: 512
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_TEST:
memcpy(data, *ixgbe_gstrings_test,
IXGBEVF_TEST_LEN * ETH_GSTRING_LEN);
break;
case ETH_SS_STATS:
for (i = 0; i < IXGBEVF_GLOBAL_STATS_LEN; i++) {
memcpy(p, ixgbevf_gstrings_stats[i].stat_string,
Reported by FlawFinder.
Line: 517
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case ETH_SS_STATS:
for (i = 0; i < IXGBEVF_GLOBAL_STATS_LEN; i++) {
memcpy(p, ixgbevf_gstrings_stats[i].stat_string,
ETH_GSTRING_LEN);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < adapter->num_tx_queues; i++) {
Reported by FlawFinder.
Line: 523
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
for (i = 0; i < adapter->num_tx_queues; i++) {
sprintf(p, "tx_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
sprintf(p, "tx_queue_%u_bytes", i);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < adapter->num_xdp_queues; i++) {
Reported by FlawFinder.
Line: 525
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < adapter->num_tx_queues; i++) {
sprintf(p, "tx_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
sprintf(p, "tx_queue_%u_bytes", i);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < adapter->num_xdp_queues; i++) {
sprintf(p, "xdp_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
Reported by FlawFinder.
Line: 529
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
p += ETH_GSTRING_LEN;
}
for (i = 0; i < adapter->num_xdp_queues; i++) {
sprintf(p, "xdp_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
sprintf(p, "xdp_queue_%u_bytes", i);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < adapter->num_rx_queues; i++) {
Reported by FlawFinder.
Line: 531
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < adapter->num_xdp_queues; i++) {
sprintf(p, "xdp_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
sprintf(p, "xdp_queue_%u_bytes", i);
p += ETH_GSTRING_LEN;
}
for (i = 0; i < adapter->num_rx_queues; i++) {
sprintf(p, "rx_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
Reported by FlawFinder.
Line: 535
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
p += ETH_GSTRING_LEN;
}
for (i = 0; i < adapter->num_rx_queues; i++) {
sprintf(p, "rx_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
sprintf(p, "rx_queue_%u_bytes", i);
p += ETH_GSTRING_LEN;
}
break;
Reported by FlawFinder.
Line: 537
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < adapter->num_rx_queues; i++) {
sprintf(p, "rx_queue_%u_packets", i);
p += ETH_GSTRING_LEN;
sprintf(p, "rx_queue_%u_bytes", i);
p += ETH_GSTRING_LEN;
}
break;
case ETH_SS_PRIV_FLAGS:
memcpy(data, ixgbevf_priv_flags_strings,
Reported by FlawFinder.
Line: 542
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
break;
case ETH_SS_PRIV_FLAGS:
memcpy(data, ixgbevf_priv_flags_strings,
IXGBEVF_PRIV_FLAGS_STR_LEN * ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
tools/perf/builtin-report.c
11 issues
Line: 494
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
if (rep->mem_mode) {
ret += fprintf(fp, "\n# Total weight : %" PRIu64, nr_events);
ret += fprintf(fp, "\n# Sort order : %s", sort_order ? : default_mem_sort_order);
} else
ret += fprintf(fp, "\n# Event count (approx.): %" PRIu64, nr_events);
if (socked_id > -1)
Reported by FlawFinder.
Line: 497
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
ret += fprintf(fp, "\n# Total weight : %" PRIu64, nr_events);
ret += fprintf(fp, "\n# Sort order : %s", sort_order ? : default_mem_sort_order);
} else
ret += fprintf(fp, "\n# Event count (approx.): %" PRIu64, nr_events);
if (socked_id > -1)
ret += fprintf(fp, "\n# Processor Socket: %d", socked_id);
return ret + fprintf(fp, "\n#\n");
Reported by FlawFinder.
Line: 1382
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
perf_quiet_option();
if (symbol_conf.vmlinux_name &&
access(symbol_conf.vmlinux_name, R_OK)) {
pr_err("Invalid file: %s\n", symbol_conf.vmlinux_name);
ret = -EINVAL;
goto exit;
}
if (symbol_conf.kallsyms_name &&
Reported by FlawFinder.
Line: 1388
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto exit;
}
if (symbol_conf.kallsyms_name &&
access(symbol_conf.kallsyms_name, R_OK)) {
pr_err("Invalid file: %s\n", symbol_conf.kallsyms_name);
ret = -EINVAL;
goto exit;
}
Reported by FlawFinder.
Line: 448
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long nr_samples = hists->stats.nr_samples;
u64 nr_events = hists->stats.total_period;
struct evsel *evsel = hists_to_evsel(hists);
char buf[512];
size_t size = sizeof(buf);
int socked_id = hists->socket_filter;
if (quiet)
return 0;
Reported by FlawFinder.
Line: 1078
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (arg) {
int err = regcomp(&ignore_callees_regex, arg, REG_EXTENDED);
if (err) {
char buf[BUFSIZ];
regerror(err, &ignore_callees_regex, buf, sizeof(buf));
pr_err("Invalid --ignore-callees regex: %s\n%s", arg, buf);
return -1;
}
have_ignore_callees = 1;
Reported by FlawFinder.
Line: 1346
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.mode = PERF_DATA_MODE_READ,
};
int ret = hists__init();
char sort_tmp[128];
if (ret < 0)
goto exit;
ret = perf_config(report__config, &report);
Reported by FlawFinder.
Line: 334
Column: 33
CWE codes:
120
20
if (rep->show_threads) {
const char *name = evsel__name(evsel);
int err = perf_read_values_add_value(&rep->show_threads_values,
event->read.pid, event->read.tid,
evsel->core.idx,
name,
event->read.value);
if (err)
Reported by FlawFinder.
Line: 334
Column: 16
CWE codes:
120
20
if (rep->show_threads) {
const char *name = evsel__name(evsel);
int err = perf_read_values_add_value(&rep->show_threads_values,
event->read.pid, event->read.tid,
evsel->core.idx,
name,
event->read.value);
if (err)
Reported by FlawFinder.
drivers/crypto/hisilicon/sec2/sec_crypto.c
11 issues
Line: 810
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
}
memcpy(c_ctx->c_key, key, keylen);
if (c_ctx->fallback) {
ret = crypto_sync_skcipher_setkey(c_ctx->fbtfm, key, keylen);
if (ret) {
dev_err(dev, "failed to set fallback skcipher key!\n");
return ret;
Reported by FlawFinder.
Line: 871
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tfm = crypto_aead_reqtfm(aead_req);
authsize = crypto_aead_authsize(tfm);
mac_offset = qp_ctx->res[req_id].pbuf + copy_size - authsize;
memcpy(a_req->out_mac, mac_offset, authsize);
}
req->in_dma = qp_ctx->res[req_id].pbuf_dma;
c_req->c_out_dma = req->in_dma;
Reported by FlawFinder.
Line: 1036
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("hisi_sec2: aead aes key error!\n");
return -EINVAL;
}
memcpy(c_ctx->c_key, keys->enckey, keys->enckeylen);
return 0;
}
static int sec_aead_auth_set_key(struct sec_auth_ctx *ctx,
Reported by FlawFinder.
Line: 1063
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ctx->a_key_len = digestsize;
} else {
memcpy(ctx->a_key, keys->authkey, keys->authkeylen);
ctx->a_key_len = keys->authkeylen;
}
return 0;
}
Reported by FlawFinder.
Line: 1116
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_err(dev, "set sec aes ccm cipher key err!\n");
return ret;
}
memcpy(c_ctx->c_key, key, keylen);
if (unlikely(a_ctx->fallback_aead_tfm)) {
ret = sec_aead_fallback_setkey(a_ctx, tfm, key, keylen);
if (ret)
return ret;
Reported by FlawFinder.
Line: 1223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct skcipher_request *sk_req = req->c_req.sk_req;
struct sec_cipher_req *c_req = &req->c_req;
memcpy(c_req->c_ivin, sk_req->iv, ctx->c_ctx.ivsize);
}
static int sec_skcipher_bd_fill(struct sec_ctx *ctx, struct sec_req *req)
{
struct sec_cipher_ctx *c_ctx = &ctx->c_ctx;
Reported by FlawFinder.
Line: 1443
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (aead_req->assoclen)
flage |= 0x01 << IV_FLAGS_OFFSET;
memcpy(a_req->a_ivin, c_req->c_ivin, ctx->c_ctx.ivsize);
a_req->a_ivin[0] = flage;
/*
* the last 32bit is counter's initial number,
* but the nonce uses the first 16bit
Reported by FlawFinder.
Line: 1469
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct sec_cipher_req *c_req = &req->c_req;
struct sec_aead_req *a_req = &req->aead_req;
memcpy(c_req->c_ivin, aead_req->iv, ctx->c_ctx.ivsize);
if (ctx->c_ctx.c_mode == SEC_CMODE_CCM) {
/*
* CCM 16Byte Cipher_IV: {1B_Flage,13B_IV,2B_counter},
* the counter must set to 0x01
Reported by FlawFinder.
Line: 1484
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* GCM 12Byte Cipher_IV == Auth_IV */
if (ctx->c_ctx.c_mode == SEC_CMODE_GCM) {
ctx->a_ctx.mac_len = authsize;
memcpy(a_req->a_ivin, c_req->c_ivin, SEC_AIV_SIZE);
}
}
static void sec_auth_bd_fill_xcm(struct sec_auth_ctx *ctx, int dir,
struct sec_req *req, struct sec_sqe *sec_sqe)
Reported by FlawFinder.
Line: 1751
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* As failing, restore the IV from user */
if (ctx->c_ctx.c_mode == SEC_CMODE_CBC && !req->c_req.encrypt) {
if (ctx->alg_type == SEC_SKCIPHER)
memcpy(req->c_req.sk_req->iv, c_req->c_ivin,
ctx->c_ctx.ivsize);
else
memcpy(req->aead_req.aead_req->iv, c_req->c_ivin,
ctx->c_ctx.ivsize);
}
Reported by FlawFinder.