The following issues were found
arch/x86/lib/string_32.c
10 issues
Line: 18
Column: 7
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#include <linux/export.h>
#ifdef __HAVE_ARCH_STRCPY
char *strcpy(char *dest, const char *src)
{
int d0, d1, d2;
asm volatile("1:\tlodsb\n\t"
"stosb\n\t"
"testb %%al,%%al\n\t"
Reported by FlawFinder.
Line: 29
Column: 15
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
: "0" (src), "1" (dest) : "memory");
return dest;
}
EXPORT_SYMBOL(strcpy);
#endif
#ifdef __HAVE_ARCH_STRNCPY
char *strncpy(char *dest, const char *src, size_t count)
{
Reported by FlawFinder.
Line: 53
Column: 7
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
#endif
#ifdef __HAVE_ARCH_STRCAT
char *strcat(char *dest, const char *src)
{
int d0, d1, d2, d3;
asm volatile("repne\n\t"
"scasb\n\t"
"decl %1\n"
Reported by FlawFinder.
Line: 67
Column: 15
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
: "0" (src), "1" (dest), "2" (0), "3" (0xffffffffu) : "memory");
return dest;
}
EXPORT_SYMBOL(strcat);
#endif
#ifdef __HAVE_ARCH_STRNCAT
char *strncat(char *dest, const char *src, size_t count)
{
Reported by FlawFinder.
Line: 33
Column: 7
CWE codes:
120
#endif
#ifdef __HAVE_ARCH_STRNCPY
char *strncpy(char *dest, const char *src, size_t count)
{
int d0, d1, d2, d3;
asm volatile("1:\tdecl %2\n\t"
"js 2f\n\t"
"lodsb\n\t"
Reported by FlawFinder.
Line: 49
Column: 15
CWE codes:
120
: "0" (src), "1" (dest), "2" (count) : "memory");
return dest;
}
EXPORT_SYMBOL(strncpy);
#endif
#ifdef __HAVE_ARCH_STRCAT
char *strcat(char *dest, const char *src)
{
Reported by FlawFinder.
Line: 71
Column: 7
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
#endif
#ifdef __HAVE_ARCH_STRNCAT
char *strncat(char *dest, const char *src, size_t count)
{
int d0, d1, d2, d3;
asm volatile("repne\n\t"
"scasb\n\t"
"decl %1\n\t"
Reported by FlawFinder.
Line: 91
Column: 15
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
: "memory");
return dest;
}
EXPORT_SYMBOL(strncat);
#endif
#ifdef __HAVE_ARCH_STRCMP
int strcmp(const char *cs, const char *ct)
{
Reported by FlawFinder.
Line: 165
Column: 8
CWE codes:
126
#endif
#ifdef __HAVE_ARCH_STRLEN
size_t strlen(const char *s)
{
int d0;
size_t res;
asm volatile("repne\n\t"
"scasb"
Reported by FlawFinder.
Line: 176
Column: 15
CWE codes:
126
: "memory");
return ~res - 1;
}
EXPORT_SYMBOL(strlen);
#endif
#ifdef __HAVE_ARCH_MEMCHR
void *memchr(const void *cs, int c, size_t count)
{
Reported by FlawFinder.
arch/powerpc/platforms/powermac/bootx_init.c
10 issues
Line: 35
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static unsigned long __initdata bootx_dt_strend;
static unsigned long __initdata bootx_node_chosen;
static boot_infos_t * __initdata bootx_info;
static char __initdata bootx_disp_path[256];
/* Is boot-info compatible ? */
#define BOOT_INFO_IS_COMPATIBLE(bi) \
((bi)->compatible_version <= BOOT_INFO_VERSION)
#define BOOT_INFO_IS_V2_COMPATIBLE(bi) ((bi)->version >= 2)
Reported by FlawFinder.
Line: 152
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* push property content */
if (size && data) {
memcpy((void *)*mem_end, data, size);
*mem_end = ALIGN(*mem_end + size, 4);
}
}
static void __init bootx_add_chosen_props(unsigned long base,
Reported by FlawFinder.
Line: 212
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void __init bootx_dt_add_string(char *s, unsigned long *mem_end)
{
unsigned int l = strlen(s) + 1;
memcpy((void *)*mem_end, s, l);
bootx_dt_strend = *mem_end = *mem_end + l;
}
static void __init bootx_scan_dt_build_strings(unsigned long base,
unsigned long node,
Reported by FlawFinder.
Line: 297
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* middle of the path in some properties, and extract
* the unit name (everything after the last '/').
*/
memcpy((void *)*mem_end, namep, l + 1);
namep = (char *)*mem_end;
for (lp = p = namep, ep = namep + l; p < ep; p++) {
if (*p == '/')
lp = namep;
else if (*p != 0)
Reported by FlawFinder.
Line: 125
Column: 8
CWE codes:
126
while (s < (char *)bootx_dt_strend) {
if (strcmp(s, str) == 0)
return s - os;
s += strlen(s) + 1;
}
return 0;
}
static void __init bootx_dt_add_prop(char *name, void *data, int size,
Reported by FlawFinder.
Line: 167
Column: 39
CWE codes:
126
if (bootx_info->kernelParamsOffset) {
char *args = (char *)((unsigned long)bootx_info) +
bootx_info->kernelParamsOffset;
bootx_dt_add_prop("bootargs", args, strlen(args) + 1, mem_end);
}
if (bootx_info->ramDisk) {
val = ((unsigned long)bootx_info) + bootx_info->ramDisk;
bootx_dt_add_prop("linux,initrd-start", &val, 4, mem_end);
val += bootx_info->ramDiskSize;
Reported by FlawFinder.
Line: 175
Column: 6
CWE codes:
126
val += bootx_info->ramDiskSize;
bootx_dt_add_prop("linux,initrd-end", &val, 4, mem_end);
}
if (strlen(bootx_disp_path))
bootx_dt_add_prop("linux,stdout-path", bootx_disp_path,
strlen(bootx_disp_path) + 1, mem_end);
}
static void __init bootx_add_display_props(unsigned long base,
Reported by FlawFinder.
Line: 177
Column: 7
CWE codes:
126
}
if (strlen(bootx_disp_path))
bootx_dt_add_prop("linux,stdout-path", bootx_disp_path,
strlen(bootx_disp_path) + 1, mem_end);
}
static void __init bootx_add_display_props(unsigned long base,
unsigned long *mem_end,
int has_real_node)
Reported by FlawFinder.
Line: 211
Column: 19
CWE codes:
126
static void __init bootx_dt_add_string(char *s, unsigned long *mem_end)
{
unsigned int l = strlen(s) + 1;
memcpy((void *)*mem_end, s, l);
bootx_dt_strend = *mem_end = *mem_end + l;
}
static void __init bootx_scan_dt_build_strings(unsigned long base,
Reported by FlawFinder.
Line: 289
Column: 6
CWE codes:
126
namep = np->full_name ? (char *)(base + np->full_name) : NULL;
if (namep == NULL)
namep = "";
l = strlen(namep);
DBG("* struct: %s\n", namep);
/* Fixup an Apple bug where they have bogus \0 chars in the
* middle of the path in some properties, and extract
Reported by FlawFinder.
arch/um/kernel/um_arch.c
10 issues
Line: 46
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
}
if (strlen(command_line) > 0)
strcat(command_line, " ");
strcat(command_line, arg);
}
/*
* These fields are initialized at boot time and not changed.
* XXX This structure is used only in the non-SMP case. Maybe this
Reported by FlawFinder.
Line: 196
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
{
const char **p;
printf(usage_string, init_utsname()->release);
p = &__uml_help_start;
/* Explicitly use printf() to show help in stdout */
while (p < &__uml_help_end) {
printf("%s", *p);
p++;
Reported by FlawFinder.
Line: 36
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define DEFAULT_COMMAND_LINE_CONSOLE "console=tty"
/* Changed in add_arg and setup_arch, which run before SMP is started */
static char __initdata command_line[COMMAND_LINE_SIZE] = { 0 };
static void __init add_arg(char *arg)
{
if (strlen(command_line) + strlen(arg) + 1 > COMMAND_LINE_SIZE) {
os_warn("add_arg: Too many command line arguments!\n");
Reported by FlawFinder.
Line: 68
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{ .thread_info = INIT_THREAD_INFO(init_task) };
/* Changed in setup_arch, which is called in early boot */
static char host_info[(__NEW_UTS_LEN + 1) * 5];
static int show_cpuinfo(struct seq_file *m, void *v)
{
int i = 0;
Reported by FlawFinder.
Line: 437
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
WARN_ON(1);
return memcpy(addr, opcode, len);
}
void text_poke_sync(void)
{
}
Reported by FlawFinder.
Line: 40
Column: 29
CWE codes:
126
static void __init add_arg(char *arg)
{
if (strlen(command_line) + strlen(arg) + 1 > COMMAND_LINE_SIZE) {
os_warn("add_arg: Too many command line arguments!\n");
exit(1);
}
if (strlen(command_line) > 0)
strcat(command_line, " ");
Reported by FlawFinder.
Line: 40
Column: 6
CWE codes:
126
static void __init add_arg(char *arg)
{
if (strlen(command_line) + strlen(arg) + 1 > COMMAND_LINE_SIZE) {
os_warn("add_arg: Too many command line arguments!\n");
exit(1);
}
if (strlen(command_line) > 0)
strcat(command_line, " ");
Reported by FlawFinder.
Line: 44
Column: 6
CWE codes:
126
os_warn("add_arg: Too many command line arguments!\n");
exit(1);
}
if (strlen(command_line) > 0)
strcat(command_line, " ");
strcat(command_line, arg);
}
/*
Reported by FlawFinder.
Line: 45
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
exit(1);
}
if (strlen(command_line) > 0)
strcat(command_line, " ");
strcat(command_line, arg);
}
/*
* These fields are initialized at boot time and not changed.
Reported by FlawFinder.
Line: 220
Column: 7
CWE codes:
126
while (p < &__uml_setup_end) {
size_t n;
n = strlen(p->str);
if (!strncmp(line, p->str, n) && p->setup_func(line + n, add))
return;
p++;
}
}
Reported by FlawFinder.
arch/um/os-Linux/sigio.c
10 issues
Line: 537
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static void __init check_sigio(void)
{
if ((access("/dev/ptmx", R_OK) < 0) &&
(access("/dev/ptyp0", R_OK) < 0)) {
printk(UM_KERN_WARNING "No pseudo-terminals available - "
"skipping pty SIGIO check\n");
return;
}
Reported by FlawFinder.
Line: 538
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static void __init check_sigio(void)
{
if ((access("/dev/ptmx", R_OK) < 0) &&
(access("/dev/ptyp0", R_OK) < 0)) {
printk(UM_KERN_WARNING "No pseudo-terminals available - "
"skipping pty SIGIO check\n");
return;
}
check_one_sigio(tty_output);
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(new, polls->poll, polls->used * sizeof(struct pollfd));
kfree(polls->poll);
polls->poll = new;
polls->size = n;
return 0;
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return err;
memcpy(next_poll.poll, current_poll.poll,
current_poll.used * sizeof(struct pollfd));
next_poll.poll[n] = *p;
next_poll.used = n + 1;
update_thread();
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (write_sigio_irq(l_write_sigio_fds[0]))
goto out_clear_poll;
memcpy(write_sigio_fds, l_write_sigio_fds, sizeof(l_write_sigio_fds));
memcpy(sigio_private, l_sigio_private, sizeof(l_sigio_private));
write_sigio_pid = run_helper_thread(write_sigio_thread, NULL,
CLONE_FILES | CLONE_VM,
&write_sigio_stack);
Reported by FlawFinder.
Line: 325
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out_clear_poll;
memcpy(write_sigio_fds, l_write_sigio_fds, sizeof(l_write_sigio_fds));
memcpy(sigio_private, l_sigio_private, sizeof(l_sigio_private));
write_sigio_pid = run_helper_thread(write_sigio_thread, NULL,
CLONE_FILES | CLONE_VM,
&write_sigio_stack);
Reported by FlawFinder.
Line: 512
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void tty_output(int master, int slave)
{
int n;
char buf[512];
printk(UM_KERN_INFO "Checking that host ptys support output SIGIO...");
memset(buf, 0, sizeof(buf));
Reported by FlawFinder.
Line: 73
Column: 21
CWE codes:
120
20
if (p->revents == 0)
continue;
if (p->fd == sigio_private[1]) {
CATCH_EINTR(n = read(sigio_private[1], &c,
sizeof(c)));
if (n != sizeof(c))
printk(UM_KERN_ERR
"write_sigio_thread : "
"read on socket failed, "
Reported by FlawFinder.
Line: 143
Column: 18
CWE codes:
120
20
goto fail;
}
CATCH_EINTR(n = read(sigio_private[0], &c, sizeof(c)));
if (n != sizeof(c)) {
printk(UM_KERN_ERR "update_thread : read failed, err = %d\n",
errno);
goto fail;
}
Reported by FlawFinder.
Line: 522
Column: 15
CWE codes:
120
20
if (errno != EAGAIN)
printk(UM_KERN_ERR "tty_output : write failed, errno = %d\n",
errno);
while (((n = read(slave, buf, sizeof(buf))) > 0) &&
!({ barrier(); got_sigio; }))
;
if (got_sigio) {
printk(UM_KERN_CONT "Yes\n");
Reported by FlawFinder.
arch/ia64/kernel/traps.c
10 issues
Line: 448
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (vector) {
case 24: /* General Exception */
code = (isr >> 4) & 0xf;
sprintf(buf, "General Exception: %s%s", reason[code],
(code == 3) ? ((isr & (1UL << 37))
? " (RSE access)" : " (data access)") : "");
if (code == 8) {
# ifdef CONFIG_IA64_PRINT_HAZARDS
printk("%s[%d]: possible hazard @ ip=%016lx (pr = %016lx)\n",
Reported by FlawFinder.
Line: 392
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct pt_regs regs)
{
struct illegal_op_return rv;
char buf[128];
#ifdef CONFIG_IA64_BRL_EMU
{
extern struct illegal_op_return ia64_emulate_brl (struct pt_regs *, unsigned long);
Reported by FlawFinder.
Line: 404
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
#endif
sprintf(buf, "IA-64 Illegal operation fault");
rv.fkt = 0;
if (die_if_kernel(buf, ®s, 0))
return rv;
force_sig_fault(SIGILL, ILL_ILLOPC,
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long arg7, struct pt_regs regs)
{
unsigned long code, error = isr, iip;
char buf[128];
int result, sig, si_code;
static const char *reason[] = {
"IA-64 Illegal Operation fault",
"IA-64 Privileged Operation fault",
"IA-64 Privileged Register fault",
Reported by FlawFinder.
Line: 466
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
disabled_fph_fault(®s);
return;
}
sprintf(buf, "Disabled FPL fault---not supposed to happen!");
break;
case 26: /* NaT Consumption */
if (user_mode(®s)) {
void __user *addr;
Reported by FlawFinder.
Line: 490
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return;
} else if (ia64_done_with_exception(®s))
return;
sprintf(buf, "NaT consumption");
break;
case 31: /* Unsupported Data Reference */
if (user_mode(®s)) {
force_sig_fault(SIGILL, ILL_ILLOPN, (void __user *) iip,
Reported by FlawFinder.
Line: 499
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
vector, __ISR_VALID, isr);
return;
}
sprintf(buf, "Unsupported data reference");
break;
case 29: /* Debug */
case 35: /* Taken Branch Trap */
case 36: /* Single Step Trap */
Reported by FlawFinder.
Line: 584
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
0, 0, 0);
return;
}
sprintf(buf, "Unimplemented Instruction Address fault");
}
break;
case 45:
printk(KERN_ERR "Unexpected IA-32 exception (Trap 45)\n");
Reported by FlawFinder.
Line: 603
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return;
case 47:
sprintf(buf, "IA-32 Interruption Fault (int 0x%lx)", isr >> 16);
break;
default:
sprintf(buf, "Fault %lu", vector);
break;
Reported by FlawFinder.
Line: 607
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
break;
default:
sprintf(buf, "Fault %lu", vector);
break;
}
if (!die_if_kernel(buf, ®s, error))
force_sig(SIGILL);
}
Reported by FlawFinder.
Documentation/sphinx/kernellog.py
10 issues
Line: 10
Column: 1
# We don't support 1.4 anymore, but we'll keep the wrappers around until
# we change all the code to not use them anymore :)
#
import sphinx
from sphinx.util import logging
logger = logging.getLogger('kerneldoc')
def warn(app, message):
Reported by Pylint.
Line: 11
Column: 1
# we change all the code to not use them anymore :)
#
import sphinx
from sphinx.util import logging
logger = logging.getLogger('kerneldoc')
def warn(app, message):
logger.warning(message)
Reported by Pylint.
Line: 10
Column: 1
# We don't support 1.4 anymore, but we'll keep the wrappers around until
# we change all the code to not use them anymore :)
#
import sphinx
from sphinx.util import logging
logger = logging.getLogger('kerneldoc')
def warn(app, message):
Reported by Pylint.
Line: 15
Column: 10
logger = logging.getLogger('kerneldoc')
def warn(app, message):
logger.warning(message)
def verbose(app, message):
logger.verbose(message)
Reported by Pylint.
Line: 18
Column: 13
def warn(app, message):
logger.warning(message)
def verbose(app, message):
logger.verbose(message)
def info(app, message):
logger.info(message)
Reported by Pylint.
Line: 21
Column: 10
def verbose(app, message):
logger.verbose(message)
def info(app, message):
logger.info(message)
Reported by Pylint.
Line: 1
Column: 1
# SPDX-License-Identifier: GPL-2.0
#
# Sphinx has deprecated its older logging interface, but the replacement
# only goes back to 1.6. So here's a wrapper layer to keep around for
# as long as we support 1.4.
#
# We don't support 1.4 anymore, but we'll keep the wrappers around until
# we change all the code to not use them anymore :)
#
Reported by Pylint.
Line: 15
Column: 1
logger = logging.getLogger('kerneldoc')
def warn(app, message):
logger.warning(message)
def verbose(app, message):
logger.verbose(message)
Reported by Pylint.
Line: 18
Column: 1
def warn(app, message):
logger.warning(message)
def verbose(app, message):
logger.verbose(message)
def info(app, message):
logger.info(message)
Reported by Pylint.
Line: 21
Column: 1
def verbose(app, message):
logger.verbose(message)
def info(app, message):
logger.info(message)
Reported by Pylint.
arch/x86/net/bpf_jit_comp.c
10 issues
Line: 466
CWE codes:
190
EMIT2_off32(0x89, 0x85, tcc_off); /* mov dword ptr [rbp - tcc_off], eax */
/* prog = array->ptrs[index]; */
EMIT4_off32(0x48, 0x8B, 0x8C, 0xD6, /* mov rcx, [rsi + rdx * 8 + offsetof(...)] */
offsetof(struct bpf_array, ptrs));
/*
* if (prog == NULL)
* goto out;
Reported by Cppcheck.
Line: 1865
CWE codes:
190
* goto do_fexit;
*/
/* cmp QWORD PTR [rbp - 0x8], 0x0 */
EMIT4(0x48, 0x83, 0x7d, 0xf8); EMIT1(0x00);
/* Save the location of the branch and Generate 6 nops
* (4 bytes for an offset and 2 bytes for the jump) These nops
* are replaced with a conditional jump once do_fexit (i.e. the
* start of the fexit invocation) is finalized.
Reported by Cppcheck.
Line: 282
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* BPF trampoline can be made to work without these nops,
* but let's waste 5 bytes for now and optimize later
*/
memcpy(prog, x86_nops[5], X86_PATCH_SIZE);
prog += X86_PATCH_SIZE;
if (!ebpf_from_cbpf) {
if (tail_call_reachable && !is_subprog)
EMIT2(0x31, 0xC0); /* xor eax, eax */
else
Reported by FlawFinder.
Line: 335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 *prog;
int ret;
memcpy(old_insn, nop_insn, X86_PATCH_SIZE);
if (old_addr) {
prog = old_insn;
ret = t == BPF_MOD_CALL ?
emit_call(&prog, old_addr, ip) :
emit_jump(&prog, old_addr, ip);
Reported by FlawFinder.
Line: 345
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return ret;
}
memcpy(new_insn, nop_insn, X86_PATCH_SIZE);
if (new_addr) {
prog = new_insn;
ret = t == BPF_MOD_CALL ?
emit_call(&prog, new_addr, ip) :
emit_jump(&prog, new_addr, ip);
Reported by FlawFinder.
Line: 364
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (text_live)
text_poke_bp(ip, new_insn, X86_PATCH_SIZE, NULL);
else
memcpy(ip, new_insn, X86_PATCH_SIZE);
ret = 0;
}
out:
mutex_unlock(&text_mutex);
return ret;
Reported by FlawFinder.
Line: 557
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (stack_depth)
EMIT3_off32(0x48, 0x81, 0xC4, round_up(stack_depth, 8));
memcpy(prog, x86_nops[5], X86_PATCH_SIZE);
prog += X86_PATCH_SIZE;
/* out: */
*pprog = prog;
}
Reported by FlawFinder.
Line: 910
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ilen = prog - temp;
if (image)
memcpy(image + proglen, temp, ilen);
proglen += ilen;
addrs[0] = proglen;
prog = temp;
for (i = 1; i <= insn_cnt; i++, insn++) {
Reported by FlawFinder.
Line: 1699
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_err("bpf_jit: fatal error\n");
return -EFAULT;
}
memcpy(image + proglen, temp, ilen);
}
proglen += ilen;
addrs[i] = proglen;
prog = temp;
}
Reported by FlawFinder.
Line: 2016
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* remember return value in a stack for bpf prog to access */
emit_stx(&prog, BPF_DW, BPF_REG_FP, BPF_REG_0, -8);
im->ip_after_call = prog;
memcpy(prog, x86_nops[5], X86_PATCH_SIZE);
prog += X86_PATCH_SIZE;
}
if (fmod_ret->nr_progs) {
/* From Intel 64 and IA-32 Architectures Optimization
Reported by FlawFinder.
tools/testing/selftests/pidfd/pidfd_test.c
10 issues
Line: 542
CWE codes:
908
poll_pidfd(test_name, pidfd);
}
if (ret == pid)
ksft_print_msg("Parent: Child process waited for.\n");
time_t since_child_exit = time(NULL) - *child_exit_secs;
ksft_print_msg("Time since child exit: %lu\n", since_child_exit);
Reported by Cppcheck.
Line: 387
Column: 2
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
getpid(), syscall(SYS_gettid));
ksft_print_msg("Child Thread: doing exec of sleep\n");
execl("/bin/sleep", "sleep", str(CHILD_THREAD_MIN_WAIT), (char *)NULL);
ksft_print_msg("Child Thread: DONE. pid %d tid %d\n",
getpid(), syscall(SYS_gettid));
return NULL;
}
Reported by FlawFinder.
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static pid_t pidfd_clone(int flags, int *pidfd, int (*fn)(void *))
{
size_t stack_size = 1024;
char *stack[1024] = { 0 };
#ifdef __ia64__
return __clone2(fn, stack, stack_size, flags | SIGCHLD, NULL, pidfd);
#else
return clone(fn, stack + stack_size, flags | SIGCHLD, NULL, pidfd);
Reported by FlawFinder.
Line: 69
Column: 10
CWE codes:
362
return 0;
}
pidfd = open("/proc/self", O_DIRECTORY | O_CLOEXEC);
if (pidfd < 0)
ksft_exit_fail_msg(
"%s test: Failed to open process file descriptor\n",
test_name);
Reported by FlawFinder.
Line: 95
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int test_pidfd_send_signal_exited_fail(void)
{
int pidfd, ret, saved_errno;
char buf[256];
pid_t pid;
const char *test_name = "pidfd_send_signal signal exited process";
if (!have_pidfd_send_signal) {
ksft_test_result_skip(
Reported by FlawFinder.
Line: 116
Column: 10
CWE codes:
362
snprintf(buf, sizeof(buf), "/proc/%d", pid);
pidfd = open(buf, O_DIRECTORY | O_CLOEXEC);
(void)wait_for_pid(pid);
if (pidfd < 0)
ksft_exit_fail_msg(
Reported by FlawFinder.
Line: 198
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
test_name);
if (pid1 == 0) {
char buf[256];
pid_t pid2;
int pidfd = -1;
(void)umount2("/proc", MNT_DETACH);
ret = mount("proc", "/proc", "proc", 0, NULL);
Reported by FlawFinder.
Line: 219
Column: 13
CWE codes:
362
if (pid2 == PID_RECYCLE) {
snprintf(buf, sizeof(buf), "/proc/%d", pid2);
ksft_print_msg("pid to recycle is %d\n", pid2);
pidfd = open(buf, O_DIRECTORY | O_CLOEXEC);
}
if (wait_for_pid(pid2))
_exit(PIDFD_ERROR);
Reported by FlawFinder.
Line: 355
Column: 10
CWE codes:
362
int pidfd, ret;
const char *test_name = "pidfd_send_signal check for support";
pidfd = open("/proc/self", O_DIRECTORY | O_CLOEXEC);
if (pidfd < 0)
ksft_exit_fail_msg(
"%s test: Failed to open process file descriptor\n",
test_name);
Reported by FlawFinder.
tools/arch/x86/kcpuid/kcpuid.c
10 issues
Line: 383
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (start)
bdesc->start = strtoul(start, NULL, 0);
strcpy(bdesc->simp, tokens[4]);
strcpy(bdesc->detail, tokens[5]);
return 0;
err_exit:
printf("Warning: wrong line format:\n");
Reported by FlawFinder.
Line: 384
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
bdesc->start = strtoul(start, NULL, 0);
strcpy(bdesc->simp, tokens[4]);
strcpy(bdesc->detail, tokens[5]);
return 0;
err_exit:
printf("Warning: wrong line format:\n");
printf("\tline[%d]: %s\n", flines, line);
Reported by FlawFinder.
Line: 598
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int c;
while ((c = getopt_long(argc, argv, "abdf:hl:rs:",
opts, NULL)) != -1)
switch (c) {
case 'a':
show_flags_only = false;
break;
Reported by FlawFinder.
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int start, end;
/* 0 or 1 for 1-bit flag */
int value;
char simp[32];
char detail[256];
};
/* descriptor info for eax/ebx/ecx/edx */
struct reg_desc {
Reported by FlawFinder.
Line: 26
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* 0 or 1 for 1-bit flag */
int value;
char simp[32];
char detail[256];
};
/* descriptor info for eax/ebx/ecx/edx */
struct reg_desc {
/* number of valid entries */
Reported by FlawFinder.
Line: 296
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct subleaf *leaf;
u32 index;
u32 sub;
char buffer[512];
char *buf;
/*
* Tokens:
* 1. leaf
* 2. subleaf
Reported by FlawFinder.
Line: 307
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* 5. short name
* 6. long detail
*/
char *tokens[6];
struct reg_desc *reg;
struct bits_desc *bdesc;
int reg_index;
char *start, *end;
Reported by FlawFinder.
Line: 405
Column: 9
CWE codes:
362
return;
filename = user_csv ? user_csv : def_csv;
file = fopen(filename, "r");
if (!file) {
/* Fallback to a csv in the same dir */
file = fopen("./cpuid.csv", "r");
}
Reported by FlawFinder.
Line: 408
Column: 10
CWE codes:
362
file = fopen(filename, "r");
if (!file) {
/* Fallback to a csv in the same dir */
file = fopen("./cpuid.csv", "r");
}
if (!file) {
printf("Fail to open '%s'\n", filename);
return;
Reported by FlawFinder.
Line: 317
Column: 2
CWE codes:
120
if (line[0] == '#' || line[0] == '\n')
return 0;
strncpy(buffer, line, 511);
buffer[511] = 0;
str = buffer;
for (i = 0; i < 5; i++) {
tokens[i] = strtok(str, ",");
if (!tokens[i])
Reported by FlawFinder.
tools/perf/builtin-lock.c
10 issues
Line: 339
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
goto alloc_failed;
}
strcpy(new->name, name);
new->wait_time_min = ULLONG_MAX;
list_add(&new->hash_entry, entry);
return new;
Reported by FlawFinder.
Line: 411
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u64 tmp = evsel__intval(evsel, sample, "lockdep_addr");
int flag = evsel__intval(evsel, sample, "flags");
memcpy(&addr, &tmp, sizeof(void *));
ls = lock_stat_findnew(addr, name);
if (!ls)
return -ENOMEM;
if (ls->discard)
Reported by FlawFinder.
Line: 483
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const char *name = evsel__strval(evsel, sample, "name");
u64 tmp = evsel__intval(evsel, sample, "lockdep_addr");
memcpy(&addr, &tmp, sizeof(void *));
ls = lock_stat_findnew(addr, name);
if (!ls)
return -ENOMEM;
if (ls->discard)
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const char *name = evsel__strval(evsel, sample, "name");
u64 tmp = evsel__intval(evsel, sample, "lockdep_addr");
memcpy(&addr, &tmp, sizeof(void *));
ls = lock_stat_findnew(addr, name);
if (!ls)
return -ENOMEM;
if (ls->discard)
Reported by FlawFinder.
Line: 600
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const char *name = evsel__strval(evsel, sample, "name");
u64 tmp = evsel__intval(evsel, sample, "lockdep_addr");
memcpy(&addr, &tmp, sizeof(void *));
ls = lock_stat_findnew(addr, name);
if (!ls)
return -ENOMEM;
if (ls->discard)
Reported by FlawFinder.
Line: 692
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
/* Output for debug, this have to be removed */
int i;
const char *name[4] =
{ "acquire", "acquired", "contended", "release" };
pr_info("\n=== output for debug===\n\n");
pr_info("bad: %d, total: %d\n", bad, total);
pr_info("bad rate: %.2f %%\n", (double)bad / (double)total * 100);
Reported by FlawFinder.
Line: 707
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void print_result(void)
{
struct lock_stat *st;
char cut_name[20];
int bad, total;
pr_info("%20s ", "Name");
pr_info("%10s ", "acquired");
pr_info("%10s ", "contended");
Reported by FlawFinder.
Line: 333
Column: 36
CWE codes:
126
goto alloc_failed;
new->addr = addr;
new->name = zalloc(sizeof(char) * strlen(name) + 1);
if (!new->name) {
free(new);
goto alloc_failed;
}
Reported by FlawFinder.
Line: 730
Column: 7
CWE codes:
126
}
bzero(cut_name, 20);
if (strlen(st->name) < 16) {
/* output raw name */
pr_info("%20s ", st->name);
} else {
strncpy(cut_name, st->name, 16);
cut_name[16] = '.';
Reported by FlawFinder.
Line: 734
Column: 4
CWE codes:
120
/* output raw name */
pr_info("%20s ", st->name);
} else {
strncpy(cut_name, st->name, 16);
cut_name[16] = '.';
cut_name[17] = '.';
cut_name[18] = '.';
cut_name[19] = '\0';
/* cut off name for saving output style */
Reported by FlawFinder.