The following issues were found
arch/x86/platform/uv/uv_nmi.c
11 issues
Line: 198
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static int param_get_action(char *buffer, const struct kernel_param *kp)
{
return sprintf(buffer, "%s\n", uv_nmi_action);
}
static int param_set_action(const char *val, const struct kernel_param *kp)
{
int i;
Reported by FlawFinder.
Line: 219
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
break;
if (i < n) {
strcpy(uv_nmi_action, arg);
pr_info("UV: New NMI action:%s\n", uv_nmi_action);
return 0;
}
pr_err("UV: Invalid NMI action:%s, valid actions are:\n", arg);
Reported by FlawFinder.
Line: 115
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
*/
static int param_get_local64(char *buffer, const struct kernel_param *kp)
{
return sprintf(buffer, "%lu\n", local64_read((local64_t *)kp->arg));
}
static int param_set_local64(const char *val, const struct kernel_param *kp)
{
/* Clear on any write */
Reported by FlawFinder.
Line: 193
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{ "kgdb", "enter KGDB (needs gdb target remote)" },
{ "health", "check if CPUs respond to NMI" },
};
typedef char action_t[ACTION_LEN];
static action_t uv_nmi_action = { "dump" };
static int param_get_action(char *buffer, const struct kernel_param *kp)
{
return sprintf(buffer, "%s\n", uv_nmi_action);
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
int n = ARRAY_SIZE(valid_acts);
char arg[ACTION_LEN], *p;
/* (remove possible '\n') */
strncpy(arg, val, ACTION_LEN - 1);
arg[ACTION_LEN - 1] = '\0';
p = strchr(arg, '\n');
Reported by FlawFinder.
Line: 208
Column: 2
CWE codes:
120
char arg[ACTION_LEN], *p;
/* (remove possible '\n') */
strncpy(arg, val, ACTION_LEN - 1);
arg[ACTION_LEN - 1] = '\0';
p = strchr(arg, '\n');
if (p)
*p = '\0';
Reported by FlawFinder.
Line: 241
Column: 41
CWE codes:
126
static inline bool uv_nmi_action_is(const char *action)
{
return (strncmp(uv_nmi_action, action, strlen(action)) == 0);
}
/* Setup which NMI support is present in system */
static void uv_nmi_setup_mmrs(void)
{
Reported by FlawFinder.
Line: 451
Column: 9
CWE codes:
120
20
static void uv_init_hubless_pch_d0(void)
{
int i, read;
read = *PCH_PCR_GPIO_ADDRESS(PAD_OWN_GPP_D_0);
if (read != 0) {
pr_info("UV: Hubless NMI already configured\n");
return;
Reported by FlawFinder.
Line: 454
Column: 6
CWE codes:
120
20
int i, read;
read = *PCH_PCR_GPIO_ADDRESS(PAD_OWN_GPP_D_0);
if (read != 0) {
pr_info("UV: Hubless NMI already configured\n");
return;
}
nmi_debug("UV: Initializing UV Hubless NMI on PCH\n");
Reported by FlawFinder.
Line: 961
Column: 4
CWE codes:
120
/* Unexpected return, revert action to "dump" */
if (master)
strncpy(uv_nmi_action, "dump", strlen(uv_nmi_action));
}
/* Pause as all CPU's enter the NMI handler */
uv_nmi_wait(master);
Reported by FlawFinder.
kernel/bpf/syscall.c
11 issues
Line: 1657
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
BPF_AUDIT_MAX,
};
static const char * const bpf_audit_str[BPF_AUDIT_MAX] = {
[BPF_AUDIT_LOAD] = "LOAD",
[BPF_AUDIT_UNLOAD] = "UNLOAD",
};
static void bpf_audit_prog(const struct bpf_prog *prog, unsigned int op)
Reported by FlawFinder.
Line: 1811
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void bpf_prog_show_fdinfo(struct seq_file *m, struct file *filp)
{
const struct bpf_prog *prog = filp->private_data;
char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
struct bpf_prog_stats stats;
bpf_prog_get_stats(prog, &stats);
bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
seq_printf(m,
Reported by FlawFinder.
Line: 2140
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_prog *prog, *dst_prog = NULL;
struct btf *attach_btf = NULL;
int err;
char license[128];
bool is_gpl;
if (CHECK_ATTR(BPF_PROG_LOAD))
return -EINVAL;
Reported by FlawFinder.
Line: 2446
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct bpf_link *link = filp->private_data;
const struct bpf_prog *prog = link->prog;
char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
seq_printf(m,
"link_type:\t%s\n"
"link_id:\t%u\n"
Reported by FlawFinder.
Line: 2885
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bpf_raw_event_map *btp;
struct bpf_prog *prog;
const char *tp_name;
char buf[128];
int err;
if (CHECK_ATTR(BPF_RAW_TRACEPOINT_OPEN))
return -EINVAL;
Reported by FlawFinder.
Line: 3499
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
prog->aux->user->uid);
info.gpl_compatible = prog->gpl_compatible;
memcpy(info.tag, prog->tag, sizeof(prog->tag));
memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
mutex_lock(&prog->aux->used_maps_mutex);
ulen = info.nr_map_ids;
info.nr_map_ids = prog->aux->used_map_cnt;
Reported by FlawFinder.
Line: 3500
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.gpl_compatible = prog->gpl_compatible;
memcpy(info.tag, prog->tag, sizeof(prog->tag));
memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
mutex_lock(&prog->aux->used_maps_mutex);
ulen = info.nr_map_ids;
info.nr_map_ids = prog->aux->used_map_cnt;
ulen = min_t(u32, info.nr_map_ids, ulen);
Reported by FlawFinder.
Line: 3774
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
info.value_size = map->value_size;
info.max_entries = map->max_entries;
info.map_flags = map->map_flags;
memcpy(info.name, map->name, sizeof(map->name));
if (map->btf) {
info.btf_id = btf_obj_id(map->btf);
info.btf_key_type_id = map->btf_key_type_id;
info.btf_value_type_id = map->btf_value_type_id;
Reported by FlawFinder.
Line: 4408
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_unlock;
}
memcpy(used_maps_new, used_maps_old,
sizeof(used_maps_old[0]) * prog->aux->used_map_cnt);
used_maps_new[prog->aux->used_map_cnt] = map;
prog->aux->used_map_cnt++;
prog->aux->used_maps = used_maps_new;
Reported by FlawFinder.
Line: 2843
Column: 18
CWE codes:
126
char __user *ubuf = u64_to_user_ptr(info->raw_tracepoint.tp_name);
const char *tp_name = raw_tp_link->btp->tp->name;
u32 ulen = info->raw_tracepoint.tp_name_len;
size_t tp_len = strlen(tp_name);
if (!ulen ^ !ubuf)
return -EINVAL;
info->raw_tracepoint.tp_name_len = tp_len + 1;
Reported by FlawFinder.
drivers/md/raid10.c
11 issues
Line: 178
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (resync_alloc_pages(rp, gfp_flags))
goto out_free_pages;
} else {
memcpy(rp, &rps[0], sizeof(*rp));
resync_get_all_pages(rp);
}
rp->raid_bio = r10_bio;
bio->bi_private = rp;
Reported by FlawFinder.
Line: 185
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rp->raid_bio = r10_bio;
bio->bi_private = rp;
if (rbio) {
memcpy(rp_repl, rp, sizeof(*rp));
rbio->bi_private = rp_repl;
}
}
return r10_bio;
Reported by FlawFinder.
Line: 393
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
* oops, read error - keep the refcount on the rdev
*/
char b[BDEVNAME_SIZE];
pr_err_ratelimited("md/raid10:%s: %s: rescheduling sector %llu\n",
mdname(conf->mddev),
bdevname(rdev->bdev, b),
(unsigned long long)r10_bio->sector);
set_bit(R10BIO_ReadError, &r10_bio->state);
Reported by FlawFinder.
Line: 1127
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const unsigned long do_sync = (bio->bi_opf & REQ_SYNC);
int max_sectors;
struct md_rdev *rdev;
char b[BDEVNAME_SIZE];
int slot = r10_bio->read_slot;
struct md_rdev *err_rdev = NULL;
gfp_t gfp = GFP_NOIO;
if (slot >= 0 && r10_bio->devs[slot].rdev) {
Reported by FlawFinder.
Line: 1153
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (err_rdev)
bdevname(err_rdev->bdev, b);
else {
strcpy(b, "???");
/* This never gets dereferenced */
err_rdev = r10_bio->devs[slot].rdev;
}
rcu_read_unlock();
}
Reported by FlawFinder.
Line: 1944
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void raid10_error(struct mddev *mddev, struct md_rdev *rdev)
{
char b[BDEVNAME_SIZE];
struct r10conf *conf = mddev->private;
unsigned long flags;
/*
* If it is not operational, then we have already marked it as dead
Reported by FlawFinder.
Line: 1996
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* This is only called with ->reconfix_mutex held, so
* rcu protection of rdev is not needed */
for (i = 0; i < conf->geo.raid_disks; i++) {
char b[BDEVNAME_SIZE];
rdev = conf->mirrors[i].rdev;
if (rdev)
pr_debug(" disk %d, wo:%d, o:%d, dev:%s\n",
i, !test_bit(In_sync, &rdev->flags),
!test_bit(Faulty, &rdev->flags),
Reported by FlawFinder.
Line: 2659
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
check_decay_read_errors(mddev, rdev);
atomic_inc(&rdev->read_errors);
if (atomic_read(&rdev->read_errors) > max_read_errors) {
char b[BDEVNAME_SIZE];
bdevname(rdev->bdev, b);
pr_notice("md/raid10:%s: %s: Raid device exceeded read_error threshold [cur %d:max %d]\n",
mdname(mddev), b,
atomic_read(&rdev->read_errors), max_read_errors);
Reported by FlawFinder.
Line: 2736
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* write it back and re-read */
rcu_read_lock();
while (sl != r10_bio->read_slot) {
char b[BDEVNAME_SIZE];
if (sl==0)
sl = conf->copies;
sl--;
d = r10_bio->devs[sl].devnum;
Reported by FlawFinder.
Line: 2772
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
sl = start;
while (sl != r10_bio->read_slot) {
char b[BDEVNAME_SIZE];
if (sl==0)
sl = conf->copies;
sl--;
d = r10_bio->devs[sl].devnum;
Reported by FlawFinder.
drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
11 issues
Line: 338
CWE codes:
476
BUG_ON(!engine);
txn = &engine->txn;
engine->tcm = tcm;
txn->engine_handle = engine;
txn->last_pat = NULL;
txn->current_va = engine->refill_va;
txn->current_pa = engine->refill_pa;
Reported by Cppcheck.
Line: 341
CWE codes:
476
engine->tcm = tcm;
txn->engine_handle = engine;
txn->last_pat = NULL;
txn->current_va = engine->refill_va;
txn->current_pa = engine->refill_pa;
return txn;
}
Reported by Cppcheck.
Line: 342
CWE codes:
476
txn->engine_handle = engine;
txn->last_pat = NULL;
txn->current_va = engine->refill_va;
txn->current_pa = engine->refill_pa;
return txn;
}
/*
Reported by Cppcheck.
Line: 1049
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static void map_1d_info(char **map, int xdiv, int ydiv, char *nice,
struct tcm_area *a)
{
sprintf(nice, "%dK", tcm_sizeof(*a) * 4);
if (a->p0.y + 1 < a->p1.y) {
text_map(map, xdiv, nice, (a->p0.y + a->p1.y) / 2 / ydiv, 0,
256 - 1);
} else if (a->p0.y < a->p1.y) {
if (strlen(nice) < map_width(xdiv, a->p0.x, 256 - 1))
Reported by FlawFinder.
Line: 1068
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static void map_2d_info(char **map, int xdiv, int ydiv, char *nice,
struct tcm_area *a)
{
sprintf(nice, "(%d*%d)", tcm_awidth(*a), tcm_aheight(*a));
if (strlen(nice) + 1 < map_width(xdiv, a->p0.x, a->p1.x))
text_map(map, xdiv, nice, (a->p0.y + a->p1.y) / 2 / ydiv,
a->p0.x, a->p1.x);
}
Reported by FlawFinder.
Line: 1084
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *m2d = alphabet;
const char *a2d = special;
const char *m2dp = m2d, *a2dp = a2d;
char nice[128];
int h_adj;
int w_adj;
unsigned long flags;
int lut_idx;
Reported by FlawFinder.
Line: 1038
Column: 37
CWE codes:
126
static void text_map(char **map, int xdiv, char *nice, int yd, int x0, int x1)
{
char *p = map[yd] + (x0 / xdiv);
int w = (map_width(xdiv, x0, x1) - strlen(nice)) / 2;
if (w >= 0) {
p += w;
while (*nice)
*p++ = *nice++;
}
Reported by FlawFinder.
Line: 1054
Column: 7
CWE codes:
126
text_map(map, xdiv, nice, (a->p0.y + a->p1.y) / 2 / ydiv, 0,
256 - 1);
} else if (a->p0.y < a->p1.y) {
if (strlen(nice) < map_width(xdiv, a->p0.x, 256 - 1))
text_map(map, xdiv, nice, a->p0.y / ydiv,
a->p0.x + xdiv, 256 - 1);
else if (strlen(nice) < map_width(xdiv, 0, a->p1.x))
text_map(map, xdiv, nice, a->p1.y / ydiv,
0, a->p1.y - xdiv);
Reported by FlawFinder.
Line: 1057
Column: 12
CWE codes:
126
if (strlen(nice) < map_width(xdiv, a->p0.x, 256 - 1))
text_map(map, xdiv, nice, a->p0.y / ydiv,
a->p0.x + xdiv, 256 - 1);
else if (strlen(nice) < map_width(xdiv, 0, a->p1.x))
text_map(map, xdiv, nice, a->p1.y / ydiv,
0, a->p1.y - xdiv);
} else if (strlen(nice) + 1 < map_width(xdiv, a->p0.x, a->p1.x)) {
text_map(map, xdiv, nice, a->p0.y / ydiv, a->p0.x, a->p1.x);
}
Reported by FlawFinder.
Line: 1060
Column: 13
CWE codes:
126
else if (strlen(nice) < map_width(xdiv, 0, a->p1.x))
text_map(map, xdiv, nice, a->p1.y / ydiv,
0, a->p1.y - xdiv);
} else if (strlen(nice) + 1 < map_width(xdiv, a->p0.x, a->p1.x)) {
text_map(map, xdiv, nice, a->p0.y / ydiv, a->p0.x, a->p1.x);
}
}
static void map_2d_info(char **map, int xdiv, int ydiv, char *nice,
Reported by FlawFinder.
drivers/net/ethernet/dec/tulip/uli526x.c
11 issues
Line: 179
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long reset_TXtimeout;
/* NIC SROM data */
unsigned char srom[128];
u8 init;
};
enum uli526x_offsets {
DCR0 = 0x00, DCR1 = 0x08, DCR2 = 0x10, DCR3 = 0x18, DCR4 = 0x20,
Reported by FlawFinder.
Line: 121
Column: 9
CWE codes:
120
20
struct uli526x_board_info {
struct uli_phy_ops {
void (*write)(struct uli526x_board_info *, u8, u8, u16);
u16 (*read)(struct uli526x_board_info *, u8, u8);
} phy;
struct net_device *next_dev; /* next device */
struct pci_dev *pdev; /* PCI device */
spinlock_t lock;
Reported by FlawFinder.
Line: 520
Column: 20
CWE codes:
120
20
for (phy_tmp = 0; phy_tmp < 32; phy_tmp++) {
u16 phy_value;
phy_value = phy->read(db, phy_tmp, 3); //peer add
if (phy_value != 0xffff && phy_value != 0) {
db->phy_addr = phy_tmp;
break;
}
}
Reported by FlawFinder.
Line: 533
Column: 23
CWE codes:
120
20
db->media_mode = uli526x_media_mode;
/* phyxcer capability setting */
phy_reg_reset = phy->read(db, db->phy_addr, 0);
phy_reg_reset = (phy_reg_reset | 0x8000);
phy->write(db, db->phy_addr, 0, phy_reg_reset);
/* See IEEE 802.3-2002.pdf (Section 2, Chapter "22.2.4 Management
* functions") or phy data sheet for details on phy reset
Reported by FlawFinder.
Line: 542
Column: 27
CWE codes:
120
20
*/
udelay(500);
timeout = 10;
while (timeout-- && phy->read(db, db->phy_addr, 0) & 0x8000)
udelay(100);
/* Process Phyxcer Media Mode */
uli526x_set_phyxcer(db);
Reported by FlawFinder.
Line: 1058
Column: 12
CWE codes:
120
20
}
/* Link status check, Dynamic media type change */
if ((phy->read(db, db->phy_addr, 5) & 0x01e0)!=0)
tmp_cr12 = 3;
if ( !(tmp_cr12 & 0x3) && !db->link_failed ) {
/* Link Failed */
ULI526X_DBUG(0, "Link Failed", tmp_cr12);
Reported by FlawFinder.
Line: 1478
Column: 18
CWE codes:
120
20
u8 ErrFlag = 0;
u16 phy_mode;
phy_mode = phy->read(db, db->phy_addr, 1);
phy_mode = phy->read(db, db->phy_addr, 1);
if ( (phy_mode & 0x24) == 0x24 ) {
phy_mode = ((phy->read(db, db->phy_addr, 5) & 0x01e0)<<7);
Reported by FlawFinder.
Line: 1479
Column: 18
CWE codes:
120
20
u16 phy_mode;
phy_mode = phy->read(db, db->phy_addr, 1);
phy_mode = phy->read(db, db->phy_addr, 1);
if ( (phy_mode & 0x24) == 0x24 ) {
phy_mode = ((phy->read(db, db->phy_addr, 5) & 0x01e0)<<7);
if(phy_mode&0x8000)
Reported by FlawFinder.
Line: 1483
Column: 21
CWE codes:
120
20
if ( (phy_mode & 0x24) == 0x24 ) {
phy_mode = ((phy->read(db, db->phy_addr, 5) & 0x01e0)<<7);
if(phy_mode&0x8000)
phy_mode = 0x8000;
else if(phy_mode&0x4000)
phy_mode = 0x4000;
else if(phy_mode&0x2000)
Reported by FlawFinder.
Line: 1522
Column: 17
CWE codes:
120
20
u16 phy_reg;
/* Phyxcer capability setting */
phy_reg = phy->read(db, db->phy_addr, 4) & ~0x01e0;
if (db->media_mode & ULI526X_AUTO) {
/* AUTO Mode */
phy_reg |= db->PHY_reg4;
} else {
Reported by FlawFinder.
drivers/usb/storage/ene_ub6250.c
11 issues
Line: 423
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 *Phy2LogMap; /* phy2log table */
u16 *Log2PhyMap; /* log2phy table */
u16 wrtblk;
unsigned char *pagemap[(MS_MAX_PAGES_PER_BLOCK + (MS_LIB_BITS_PER_BYTE-1)) / MS_LIB_BITS_PER_BYTE];
unsigned char *blkpag;
struct ms_lib_type_extdat *blkext;
unsigned char copybuf[512];
};
Reported by FlawFinder.
Line: 426
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *pagemap[(MS_MAX_PAGES_PER_BLOCK + (MS_LIB_BITS_PER_BYTE-1)) / MS_LIB_BITS_PER_BYTE];
unsigned char *blkpag;
struct ms_lib_type_extdat *blkext;
unsigned char copybuf[512];
};
/* SD Block Length */
/* 2^9 = 512 Bytes, The HW maximum read/write data length */
Reported by FlawFinder.
Line: 576
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_scsi_request_sense(struct us_data *us, struct scsi_cmnd *srb)
{
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
unsigned char buf[18];
memset(buf, 0, 18);
buf[0] = 0x70; /* Current error */
buf[2] = info->SrbStatus >> 16; /* Sense key */
buf[7] = 10; /* Additional length */
Reported by FlawFinder.
Line: 591
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int do_scsi_inquiry(struct us_data *us, struct scsi_cmnd *srb)
{
unsigned char data_ptr[36] = {
0x00, 0x00, 0x02, 0x00, 0x1F, 0x00, 0x00, 0x00, 0x55,
0x53, 0x42, 0x32, 0x2E, 0x30, 0x20, 0x20, 0x43, 0x61,
0x72, 0x64, 0x52, 0x65, 0x61, 0x64, 0x65, 0x72, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x30, 0x31, 0x30, 0x30 };
Reported by FlawFinder.
Line: 618
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sd_scsi_mode_sense(struct us_data *us, struct scsi_cmnd *srb)
{
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
Reported by FlawFinder.
Line: 621
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
if (info->SD_Status.WtP)
usb_stor_set_xfer_buf(mediaWP, 12, srb);
Reported by FlawFinder.
Line: 639
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 bl_num;
u32 bl_len;
unsigned int offset = 0;
unsigned char buf[8];
struct scatterlist *sg = NULL;
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
usb_stor_dbg(us, "sd_scsi_read_capacity\n");
if (info->SD_Status.HiCapacity) {
Reported by FlawFinder.
Line: 1472
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ms_scsi_mode_sense(struct us_data *us, struct scsi_cmnd *srb)
{
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
Reported by FlawFinder.
Line: 1475
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char mediaNoWP[12] = {
0x0b, 0x00, 0x00, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
unsigned char mediaWP[12] = {
0x0b, 0x00, 0x80, 0x08, 0x00, 0x00,
0x71, 0xc0, 0x00, 0x00, 0x02, 0x00 };
if (info->MS_Status.WtP)
usb_stor_set_xfer_buf(mediaWP, 12, srb);
Reported by FlawFinder.
Line: 1492
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 bl_num;
u16 bl_len;
unsigned int offset = 0;
unsigned char buf[8];
struct scatterlist *sg = NULL;
struct ene_ub6250_info *info = (struct ene_ub6250_info *) us->extra;
usb_stor_dbg(us, "ms_scsi_read_capacity\n");
bl_len = 0x200;
Reported by FlawFinder.
tools/perf/builtin-report.c
11 issues
Line: 494
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
if (rep->mem_mode) {
ret += fprintf(fp, "\n# Total weight : %" PRIu64, nr_events);
ret += fprintf(fp, "\n# Sort order : %s", sort_order ? : default_mem_sort_order);
} else
ret += fprintf(fp, "\n# Event count (approx.): %" PRIu64, nr_events);
if (socked_id > -1)
Reported by FlawFinder.
Line: 497
Column: 10
CWE codes:
134
Suggestion:
Use a constant for the format specification
ret += fprintf(fp, "\n# Total weight : %" PRIu64, nr_events);
ret += fprintf(fp, "\n# Sort order : %s", sort_order ? : default_mem_sort_order);
} else
ret += fprintf(fp, "\n# Event count (approx.): %" PRIu64, nr_events);
if (socked_id > -1)
ret += fprintf(fp, "\n# Processor Socket: %d", socked_id);
return ret + fprintf(fp, "\n#\n");
Reported by FlawFinder.
Line: 1382
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
perf_quiet_option();
if (symbol_conf.vmlinux_name &&
access(symbol_conf.vmlinux_name, R_OK)) {
pr_err("Invalid file: %s\n", symbol_conf.vmlinux_name);
ret = -EINVAL;
goto exit;
}
if (symbol_conf.kallsyms_name &&
Reported by FlawFinder.
Line: 1388
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
goto exit;
}
if (symbol_conf.kallsyms_name &&
access(symbol_conf.kallsyms_name, R_OK)) {
pr_err("Invalid file: %s\n", symbol_conf.kallsyms_name);
ret = -EINVAL;
goto exit;
}
Reported by FlawFinder.
Line: 448
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long nr_samples = hists->stats.nr_samples;
u64 nr_events = hists->stats.total_period;
struct evsel *evsel = hists_to_evsel(hists);
char buf[512];
size_t size = sizeof(buf);
int socked_id = hists->socket_filter;
if (quiet)
return 0;
Reported by FlawFinder.
Line: 1078
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (arg) {
int err = regcomp(&ignore_callees_regex, arg, REG_EXTENDED);
if (err) {
char buf[BUFSIZ];
regerror(err, &ignore_callees_regex, buf, sizeof(buf));
pr_err("Invalid --ignore-callees regex: %s\n%s", arg, buf);
return -1;
}
have_ignore_callees = 1;
Reported by FlawFinder.
Line: 1346
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.mode = PERF_DATA_MODE_READ,
};
int ret = hists__init();
char sort_tmp[128];
if (ret < 0)
goto exit;
ret = perf_config(report__config, &report);
Reported by FlawFinder.
Line: 334
Column: 33
CWE codes:
120
20
if (rep->show_threads) {
const char *name = evsel__name(evsel);
int err = perf_read_values_add_value(&rep->show_threads_values,
event->read.pid, event->read.tid,
evsel->core.idx,
name,
event->read.value);
if (err)
Reported by FlawFinder.
Line: 334
Column: 16
CWE codes:
120
20
if (rep->show_threads) {
const char *name = evsel__name(evsel);
int err = perf_read_values_add_value(&rep->show_threads_values,
event->read.pid, event->read.tid,
evsel->core.idx,
name,
event->read.value);
if (err)
Reported by FlawFinder.
drivers/usb/serial/ti_usb_3410_5052.c
11 issues
Line: 1581
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int pipe = usb_sndbulkpipe(dev,
tdev->td_serial->port[0]->bulk_out_endpointAddress);
const struct firmware *fw_p;
char buf[32];
if (le16_to_cpu(dev->descriptor.idVendor) == MXU1_VENDOR_ID) {
snprintf(buf,
sizeof(buf),
"moxa/moxa-%04x.fw",
Reported by FlawFinder.
Line: 1594
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
/* try ID specific firmware first, then try generic firmware */
sprintf(buf, "ti_usb-v%04x-p%04x.fw",
le16_to_cpu(dev->descriptor.idVendor),
le16_to_cpu(dev->descriptor.idProduct));
status = request_firmware(&fw_p, buf, &dev->dev);
if (status != 0) {
Reported by FlawFinder.
Line: 1604
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (le16_to_cpu(dev->descriptor.idVendor) == MTS_VENDOR_ID) {
switch (le16_to_cpu(dev->descriptor.idProduct)) {
case MTS_CDMA_PRODUCT_ID:
strcpy(buf, "mts_cdma.fw");
break;
case MTS_GSM_PRODUCT_ID:
strcpy(buf, "mts_gsm.fw");
break;
case MTS_EDGE_PRODUCT_ID:
Reported by FlawFinder.
Line: 1607
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(buf, "mts_cdma.fw");
break;
case MTS_GSM_PRODUCT_ID:
strcpy(buf, "mts_gsm.fw");
break;
case MTS_EDGE_PRODUCT_ID:
strcpy(buf, "mts_edge.fw");
break;
case MTS_MT9234MU_PRODUCT_ID:
Reported by FlawFinder.
Line: 1610
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(buf, "mts_gsm.fw");
break;
case MTS_EDGE_PRODUCT_ID:
strcpy(buf, "mts_edge.fw");
break;
case MTS_MT9234MU_PRODUCT_ID:
strcpy(buf, "mts_mt9234mu.fw");
break;
case MTS_MT9234ZBA_PRODUCT_ID:
Reported by FlawFinder.
Line: 1613
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(buf, "mts_edge.fw");
break;
case MTS_MT9234MU_PRODUCT_ID:
strcpy(buf, "mts_mt9234mu.fw");
break;
case MTS_MT9234ZBA_PRODUCT_ID:
strcpy(buf, "mts_mt9234zba.fw");
break;
case MTS_MT9234ZBAOLD_PRODUCT_ID:
Reported by FlawFinder.
Line: 1616
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(buf, "mts_mt9234mu.fw");
break;
case MTS_MT9234ZBA_PRODUCT_ID:
strcpy(buf, "mts_mt9234zba.fw");
break;
case MTS_MT9234ZBAOLD_PRODUCT_ID:
strcpy(buf, "mts_mt9234zba.fw");
break; }
}
Reported by FlawFinder.
Line: 1619
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
strcpy(buf, "mts_mt9234zba.fw");
break;
case MTS_MT9234ZBAOLD_PRODUCT_ID:
strcpy(buf, "mts_mt9234zba.fw");
break; }
}
if (buf[0] == '\0') {
if (tdev->td_is_3410)
strcpy(buf, "ti_3410.fw");
Reported by FlawFinder.
Line: 1624
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
}
if (buf[0] == '\0') {
if (tdev->td_is_3410)
strcpy(buf, "ti_3410.fw");
else
strcpy(buf, "ti_5052.fw");
}
status = request_firmware(&fw_p, buf, &dev->dev);
}
Reported by FlawFinder.
Line: 1626
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (tdev->td_is_3410)
strcpy(buf, "ti_3410.fw");
else
strcpy(buf, "ti_5052.fw");
}
status = request_firmware(&fw_p, buf, &dev->dev);
}
check_firmware:
Reported by FlawFinder.
kernel/rcu/refscale.c
11 issues
Line: 586
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (i % 5 == 0)
strcat(buf, "\n");
strcat(buf, buf1);
sum += rt->last_duration_ns;
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 681
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
break;
avg = div_u64_rem(result_avg[exp], 1000, &rem);
sprintf(buf1, "%d\t%llu.%03u\n", exp + 1, avg, rem);
strcat(buf, buf1);
}
if (!errexit)
SCALEOUT("%s", buf);
Reported by FlawFinder.
Line: 569
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i;
struct reader_task *rt;
char buf1[64];
char *buf;
u64 sum = 0;
buf = kmalloc(128 + nreaders * 32, GFP_KERNEL);
if (!buf)
Reported by FlawFinder.
Line: 577
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!buf)
return 0;
buf[0] = 0;
sprintf(buf, "Experiment #%d (Format: <THREAD-NUM>:<Total loop time in ns>)",
exp_idx);
for (i = 0; i < n && !torture_must_stop(); i++) {
rt = &(reader_tasks[i]);
sprintf(buf1, "%d: %llu\t", i, rt->last_duration_ns);
Reported by FlawFinder.
Line: 582
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < n && !torture_must_stop(); i++) {
rt = &(reader_tasks[i]);
sprintf(buf1, "%d: %llu\t", i, rt->last_duration_ns);
if (i % 5 == 0)
strcat(buf, "\n");
strcat(buf, buf1);
Reported by FlawFinder.
Line: 608
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
bool errexit = false;
int exp, r;
char buf1[64];
char *buf;
u64 *result_avg;
set_cpus_allowed_ptr(current, cpumask_of(nreaders % nr_cpu_ids));
set_user_nice(current, MAX_NICE);
Reported by FlawFinder.
Line: 670
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
if (!errexit) {
buf[0] = 0;
strcat(buf, "\n");
strcat(buf, "Runs\tTime(ns)\n");
}
for (exp = 0; exp < nruns; exp++) {
u64 avg;
u32 rem;
Reported by FlawFinder.
Line: 680
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (errexit)
break;
avg = div_u64_rem(result_avg[exp], 1000, &rem);
sprintf(buf1, "%d\t%llu.%03u\n", exp + 1, avg, rem);
strcat(buf, buf1);
}
if (!errexit)
SCALEOUT("%s", buf);
Reported by FlawFinder.
Line: 585
Column: 4
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
sprintf(buf1, "%d: %llu\t", i, rt->last_duration_ns);
if (i % 5 == 0)
strcat(buf, "\n");
strcat(buf, buf1);
sum += rt->last_duration_ns;
}
strcat(buf, "\n");
Reported by FlawFinder.
Line: 590
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
sum += rt->last_duration_ns;
}
strcat(buf, "\n");
SCALEOUT("%s\n", buf);
kfree(buf);
return sum;
Reported by FlawFinder.
drivers/usb/serial/ftdi_sio.c
11 issues
Line: 1096
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ftdi_break_ctl(struct tty_struct *tty, int break_state);
static bool ftdi_tx_empty(struct usb_serial_port *port);
static int ftdi_get_modem_status(struct usb_serial_port *port,
unsigned char status[2]);
static unsigned short int ftdi_232am_baud_base_to_divisor(int baud, int base);
static unsigned short int ftdi_232am_baud_to_divisor(int baud);
static u32 ftdi_232bm_baud_base_to_divisor(int baud, int base);
static u32 ftdi_232bm_baud_to_divisor(int baud);
Reported by FlawFinder.
Line: 1177
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u32 ftdi_232bm_baud_base_to_divisor(int baud, int base)
{
static const unsigned char divfrac[8] = { 0, 3, 2, 4, 1, 5, 6, 7 };
u32 divisor;
/* divisor shifted 3 bits to the left */
int divisor3 = DIV_ROUND_CLOSEST(base, 2 * baud);
divisor = divisor3 >> 3;
divisor |= (u32)divfrac[divisor3 & 0x7] << 14;
Reported by FlawFinder.
Line: 1198
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u32 ftdi_2232h_baud_base_to_divisor(int baud, int base)
{
static const unsigned char divfrac[8] = { 0, 3, 2, 4, 1, 5, 6, 7 };
u32 divisor;
int divisor3;
/* hi-speed baud rate is 10-bit sampling instead of 16-bit */
divisor3 = DIV_ROUND_CLOSEST(8 * base, 10 * baud);
Reported by FlawFinder.
Line: 1681
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct usb_serial_port *port = to_usb_serial_port(dev);
struct ftdi_private *priv = usb_get_serial_port_data(port);
if (priv->flags & ASYNC_LOW_LATENCY)
return sprintf(buf, "1\n");
else
return sprintf(buf, "%i\n", priv->latency);
}
/* Write a new value of the latency timer, in units of milliseconds. */
Reported by FlawFinder.
Line: 1683
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (priv->flags & ASYNC_LOW_LATENCY)
return sprintf(buf, "1\n");
else
return sprintf(buf, "%i\n", priv->latency);
}
/* Write a new value of the latency timer, in units of milliseconds. */
static ssize_t latency_timer_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 2641
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool ftdi_tx_empty(struct usb_serial_port *port)
{
unsigned char buf[2];
int ret;
ret = ftdi_get_modem_status(port, buf);
if (ret == 2) {
if (!(buf[1] & FTDI_RS_TEMT))
Reported by FlawFinder.
Line: 2828
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* negative error code.
*/
static int ftdi_get_modem_status(struct usb_serial_port *port,
unsigned char status[2])
{
struct ftdi_private *priv = usb_get_serial_port_data(port);
unsigned char *buf;
int len;
int ret;
Reported by FlawFinder.
Line: 2895
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct usb_serial_port *port = tty->driver_data;
struct ftdi_private *priv = usb_get_serial_port_data(port);
unsigned char buf[2];
int ret;
ret = ftdi_get_modem_status(port, buf);
if (ret < 0)
return ret;
Reported by FlawFinder.
Line: 2021
Column: 9
CWE codes:
120
20
return -EINVAL;
/* Read EEPROM two bytes at a time */
while (read < nbytes) {
int rv;
rv = usb_control_msg(serial->dev,
usb_rcvctrlpipe(serial->dev, 0),
FTDI_SIO_READ_EEPROM_REQUEST,
Reported by FlawFinder.
Line: 2028
Column: 21
CWE codes:
120
20
usb_rcvctrlpipe(serial->dev, 0),
FTDI_SIO_READ_EEPROM_REQUEST,
FTDI_SIO_READ_EEPROM_REQUEST_TYPE,
0, (addr + read) / 2, dst + read, 2,
WDR_TIMEOUT);
if (rv < 2) {
if (rv >= 0)
return -EIO;
else
Reported by FlawFinder.