The following issues were found
tools/testing/selftests/kselftest.h
9 issues
Line: 123
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(args, msg);
printf("# ");
errno = saved_errno;
vprintf(msg, args);
va_end(args);
}
static inline void ksft_test_result_pass(const char *msg, ...)
{
Reported by FlawFinder.
Line: 137
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(args, msg);
printf("ok %d ", ksft_test_num());
errno = saved_errno;
vprintf(msg, args);
va_end(args);
}
static inline void ksft_test_result_fail(const char *msg, ...)
{
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(args, msg);
printf("not ok %d ", ksft_test_num());
errno = saved_errno;
vprintf(msg, args);
va_end(args);
}
/**
* ksft_test_result() - Report test success based on truth of condition
Reported by FlawFinder.
Line: 177
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(args, msg);
printf("ok %d # XFAIL ", ksft_test_num());
errno = saved_errno;
vprintf(msg, args);
va_end(args);
}
static inline void ksft_test_result_skip(const char *msg, ...)
{
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(args, msg);
printf("ok %d # SKIP ", ksft_test_num());
errno = saved_errno;
vprintf(msg, args);
va_end(args);
}
/* TODO: how does "error" differ from "fail" or "skip"? */
static inline void ksft_test_result_error(const char *msg, ...)
Reported by FlawFinder.
Line: 206
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(args, msg);
printf("not ok %d # error ", ksft_test_num());
errno = saved_errno;
vprintf(msg, args);
va_end(args);
}
static inline int ksft_exit_pass(void)
{
Reported by FlawFinder.
Line: 242
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_start(args, msg);
printf("Bail out! ");
errno = saved_errno;
vprintf(msg, args);
va_end(args);
ksft_print_cnts();
exit(KSFT_FAIL);
}
Reported by FlawFinder.
Line: 282
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
if (msg) {
errno = saved_errno;
vprintf(msg, args);
va_end(args);
}
if (ksft_test_num())
ksft_print_cnts();
exit(KSFT_SKIP);
Reported by FlawFinder.
Line: 94
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
static inline void ksft_print_header(void)
{
if (!(getenv("KSFT_TAP_LEVEL")))
printf("TAP version 13\n");
}
static inline void ksft_set_plan(unsigned int plan)
{
Reported by FlawFinder.
tools/testing/selftests/bpf/test_dev_cgroup.c
9 issues
Line: 57
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
/* All operations with /dev/zero and and /dev/urandom are allowed,
* everything else is forbidden.
*/
assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
/* /dev/zero is whitelisted */
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
Reported by FlawFinder.
Line: 58
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
* everything else is forbidden.
*/
assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
/* /dev/zero is whitelisted */
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
Reported by FlawFinder.
Line: 59
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
*/
assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
assert(system("mknod /tmp/test_dev_cgroup_null c 1 3"));
assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
/* /dev/zero is whitelisted */
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
Reported by FlawFinder.
Line: 62
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
assert(system("rm -f /tmp/test_dev_cgroup_null") == 0);
/* /dev/zero is whitelisted */
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
Reported by FlawFinder.
Line: 63
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
/* /dev/zero is whitelisted */
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
/* src is allowed, target is forbidden */
Reported by FlawFinder.
Line: 64
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
/* /dev/zero is whitelisted */
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
/* src is allowed, target is forbidden */
assert(system("dd if=/dev/urandom of=/dev/full count=64"));
Reported by FlawFinder.
Line: 66
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
assert(system("mknod /tmp/test_dev_cgroup_zero c 1 5") == 0);
assert(system("rm -f /tmp/test_dev_cgroup_zero") == 0);
assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
/* src is allowed, target is forbidden */
assert(system("dd if=/dev/urandom of=/dev/full count=64"));
/* src is forbidden, target is allowed */
Reported by FlawFinder.
Line: 69
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
assert(system("dd if=/dev/urandom of=/dev/zero count=64") == 0);
/* src is allowed, target is forbidden */
assert(system("dd if=/dev/urandom of=/dev/full count=64"));
/* src is forbidden, target is allowed */
assert(system("dd if=/dev/random of=/dev/zero count=64"));
error = 0;
Reported by FlawFinder.
Line: 72
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
assert(system("dd if=/dev/urandom of=/dev/full count=64"));
/* src is forbidden, target is allowed */
assert(system("dd if=/dev/random of=/dev/zero count=64"));
error = 0;
printf("test_dev_cgroup:PASS\n");
err:
Reported by FlawFinder.
tools/testing/selftests/bpf/trace_helpers.c
9 issues
Line: 37
Column: 7
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
return -ENOENT;
while (fgets(buf, sizeof(buf), f)) {
if (sscanf(buf, "%p %c %s", &addr, &symbol, func) != 3)
break;
if (!addr)
continue;
syms[i].addr = (long) addr;
syms[i].name = strdup(func);
Reported by FlawFinder.
Line: 27
Column: 12
CWE codes:
362
int load_kallsyms(void)
{
FILE *f = fopen("/proc/kallsyms", "r");
char func[256], buf[256];
char symbol;
void *addr;
int i = 0;
Reported by FlawFinder.
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int load_kallsyms(void)
{
FILE *f = fopen("/proc/kallsyms", "r");
char func[256], buf[256];
char symbol;
void *addr;
int i = 0;
if (!f)
Reported by FlawFinder.
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int kallsyms_find(const char *sym, unsigned long long *addr)
{
char type, name[500];
unsigned long long value;
int err = 0;
FILE *f;
f = fopen("/proc/kallsyms", "r");
Reported by FlawFinder.
Line: 103
Column: 6
CWE codes:
362
int err = 0;
FILE *f;
f = fopen("/proc/kallsyms", "r");
if (!f)
return -EINVAL;
while (fscanf(f, "%llx %c %499s%*[^\n]\n", &value, &type, name) > 0) {
if (strcmp(name, sym) == 0) {
Reported by FlawFinder.
Line: 124
Column: 13
CWE codes:
362
{
int trace_fd;
trace_fd = open(DEBUGFS "trace_pipe", O_RDONLY, 0);
if (trace_fd < 0)
return;
while (1) {
static char buf[4096];
Reported by FlawFinder.
Line: 129
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return;
while (1) {
static char buf[4096];
ssize_t sz;
sz = read(trace_fd, buf, sizeof(buf) - 1);
if (sz > 0) {
buf[sz] = 0;
Reported by FlawFinder.
Line: 107
Column: 9
CWE codes:
120
Suggestion:
Check that the limit is sufficiently small, or use a different input function
if (!f)
return -EINVAL;
while (fscanf(f, "%llx %c %499s%*[^\n]\n", &value, &type, name) > 0) {
if (strcmp(name, sym) == 0) {
*addr = value;
goto out;
}
}
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/core_reloc.c
9 issues
Line: 867
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (test_case->btf_src_file) {
err = access(test_case->btf_src_file, R_OK);
if (!ASSERT_OK(err, "btf_src_file"))
goto cleanup;
}
load_attr.obj = obj;
Reported by FlawFinder.
Line: 483
Column: 7
CWE codes:
362
struct core_reloc_module_output *exp = (void *)test->output;
int fd, err;
fd = open("/sys/kernel/bpf_testmod", O_RDONLY);
err = -errno;
if (CHECK(fd < 0, "testmod_file_open", "failed: %d\n", err))
return err;
read(fd, NULL, exp->len); /* request expected number of bytes */
Reported by FlawFinder.
Line: 804
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct data {
char in[256];
char out[256];
bool skip;
uint64_t my_pid_tgid;
};
Reported by FlawFinder.
Line: 805
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct data {
char in[256];
char out[256];
bool skip;
uint64_t my_pid_tgid;
};
static size_t roundup_page(size_t sz)
Reported by FlawFinder.
Line: 896
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
data = mmap_data;
memset(mmap_data, 0, sizeof(*data));
memcpy(data->in, test_case->input, test_case->input_len);
data->my_pid_tgid = my_pid_tgid;
link = bpf_program__attach_raw_tracepoint(prog, tp_name);
if (!ASSERT_OK_PTR(link, "attach_raw_tp"))
goto cleanup;
Reported by FlawFinder.
Line: 488
Column: 2
CWE codes:
120
20
if (CHECK(fd < 0, "testmod_file_open", "failed: %d\n", err))
return err;
read(fd, NULL, exp->len); /* request expected number of bytes */
close(fd);
return 0;
}
Reported by FlawFinder.
Line: 822
Column: 14
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
struct bpf_object_load_attr load_attr = {};
struct core_reloc_test_case *test_case;
const char *tp_name, *probe_name;
int err, i, equal;
struct bpf_link *link = NULL;
struct bpf_map *data_map;
struct bpf_program *prog;
struct bpf_object *obj;
uint64_t my_pid_tgid;
Reported by FlawFinder.
Line: 908
Column: 4
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
if (!ASSERT_OK(test_case->trigger(test_case), "test_trigger"))
goto cleanup;
} else {
usleep(1);
}
if (data->skip) {
test__skip();
goto cleanup;
Reported by FlawFinder.
Line: 921
Column: 14
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
equal = memcmp(data->out, test_case->output,
test_case->output_len) == 0;
if (CHECK(!equal, "check_result",
"input/output data don't match\n")) {
int j;
for (j = 0; j < test_case->input_len; j++) {
printf("input byte #%d: 0x%02hhx\n",
Reported by FlawFinder.
tools/lib/bpf/xsk.c
9 issues
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int prog_fd;
int link_fd;
int xsks_map_fd;
char ifname[IFNAMSIZ];
bool has_bpf_link;
};
struct xsk_socket {
struct xsk_ring_cons *rx;
Reported by FlawFinder.
Line: 355
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
struct xsk_umem_config config;
memcpy(&config, usr_config, sizeof(struct xsk_umem_config_v1));
config.flags = 0;
return xsk_umem__create_v0_0_4(umem_ptr, umem_area, size, fill, comp,
&config);
}
Reported by FlawFinder.
Line: 416
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
static const int log_buf_size = 16 * 1024;
struct xsk_ctx *ctx = xsk->ctx;
char log_buf[log_buf_size];
int prog_fd;
/* This is the fallback C-program:
* SEC("xdp_sock") int xdp_sock_prog(struct xdp_md *ctx)
* {
Reported by FlawFinder.
Line: 557
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -errno;
ifr.ifr_data = (void *)&channels;
memcpy(ifr.ifr_name, ctx->ifname, IFNAMSIZ - 1);
ifr.ifr_name[IFNAMSIZ - 1] = '\0';
err = ioctl(fd, SIOCETHTOOL, &ifr);
if (err && errno != EOPNOTSUPP) {
ret = -errno;
goto out;
Reported by FlawFinder.
Line: 770
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int xsk_create_xsk_struct(int ifindex, struct xsk_socket *xsk)
{
char ifname[IFNAMSIZ];
struct xsk_ctx *ctx;
char *interface;
ctx = calloc(1, sizeof(*ctx));
if (!ctx)
Reported by FlawFinder.
Line: 785
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
ctx->ifindex = ifindex;
memcpy(ctx->ifname, ifname, IFNAMSIZ -1);
ctx->ifname[IFNAMSIZ - 1] = 0;
xsk->ctx = ctx;
xsk->ctx->has_bpf_link = xsk_probe_bpf_link();
Reported by FlawFinder.
Line: 960
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
} else if (umem->fill_save != fill || umem->comp_save != comp) {
/* Copy over rings to new structs. */
memcpy(fill, umem->fill_save, sizeof(*fill));
memcpy(comp, umem->comp_save, sizeof(*comp));
}
ctx->ifindex = ifindex;
ctx->refcount = 1;
Reported by FlawFinder.
Line: 961
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (umem->fill_save != fill || umem->comp_save != comp) {
/* Copy over rings to new structs. */
memcpy(fill, umem->fill_save, sizeof(*fill));
memcpy(comp, umem->comp_save, sizeof(*comp));
}
ctx->ifindex = ifindex;
ctx->refcount = 1;
ctx->umem = umem;
Reported by FlawFinder.
Line: 968
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ctx->refcount = 1;
ctx->umem = umem;
ctx->queue_id = queue_id;
memcpy(ctx->ifname, ifname, IFNAMSIZ - 1);
ctx->ifname[IFNAMSIZ - 1] = '\0';
ctx->fill = fill;
ctx->comp = comp;
list_add(&ctx->list, &umem->ctx_list);
Reported by FlawFinder.
tools/perf/tests/attr.c
9 issues
Line: 57
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
char buf[BUFSIZE]; \
size_t size; \
\
size = snprintf(buf, BUFSIZE, #str "=%"fmt "\n", data); \
if (1 != fwrite(buf, size, 1, file)) { \
perror("test attr - failed to write event file"); \
fclose(file); \
return -1; \
} \
Reported by FlawFinder.
Line: 178
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
scnprintf(cmd, 3*PATH_MAX, PYTHON " %s/attr.py -d %s/attr/ -p %s %.*s",
d, d, perf, vcnt, v);
return system(cmd) ? TEST_FAIL : TEST_OK;
}
int test__attr(struct test *test __maybe_unused, int subtest __maybe_unused)
{
struct stat st;
Reported by FlawFinder.
Line: 46
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
void test_attr__init(void)
{
dir = getenv(ENV);
test_attr__enabled = (dir != NULL);
}
#define BUFSIZE 1024
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define __WRITE_ASS(str, fmt, data) \
do { \
char buf[BUFSIZE]; \
size_t size; \
\
size = snprintf(buf, BUFSIZE, #str "=%"fmt "\n", data); \
if (1 != fwrite(buf, size, 1, file)) { \
perror("test attr - failed to write event file"); \
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int fd, int group_fd, unsigned long flags)
{
FILE *file;
char path[PATH_MAX];
if (!ready)
return 0;
snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
Reported by FlawFinder.
Line: 80
Column: 9
CWE codes:
362
snprintf(path, PATH_MAX, "%s/event-%d-%llu-%d", dir,
attr->type, attr->config, fd);
file = fopen(path, "w+");
if (!file) {
perror("test attr - failed to open event file");
return -1;
}
Reported by FlawFinder.
Line: 170
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char v[] = "-vvvvv";
int vcnt = min(verbose, (int) sizeof(v) - 1);
char cmd[3*PATH_MAX];
if (verbose > 0)
vcnt++;
scnprintf(cmd, 3*PATH_MAX, PYTHON " %s/attr.py -d %s/attr/ -p %s %.*s",
Reported by FlawFinder.
Line: 184
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int test__attr(struct test *test __maybe_unused, int subtest __maybe_unused)
{
struct stat st;
char path_perf[PATH_MAX];
char path_dir[PATH_MAX];
char *exec_path;
if (perf_pmu__has_hybrid())
return TEST_SKIP;
Reported by FlawFinder.
Line: 185
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct stat st;
char path_perf[PATH_MAX];
char path_dir[PATH_MAX];
char *exec_path;
if (perf_pmu__has_hybrid())
return TEST_SKIP;
Reported by FlawFinder.
tools/perf/arch/x86/util/intel-pt.c
9 issues
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u64 intel_pt_default_config(struct perf_pmu *intel_pt_pmu)
{
char buf[256];
int mtc, mtc_periods = 0, mtc_period;
int psb_cyc, psb_periods, psb_period;
int pos = 0;
u64 config;
char c;
Reported by FlawFinder.
Line: 491
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *caps, const char *name,
const char *supported, u64 config)
{
char valid_str[256];
unsigned int shift;
unsigned long long valid;
u64 bits;
int ok;
Reported by FlawFinder.
Line: 946
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!refs)
return -ENOMEM;
memcpy(refs, ptr->snapshot_refs, cnt * sz);
ptr->snapshot_refs = refs;
ptr->snapshot_ref_cnt = new_cnt;
return 0;
Reported by FlawFinder.
Line: 1078
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void *data, size_t head)
{
if (head >= ref_size) {
memcpy(ref_buf, data + head - ref_size, ref_size);
} else {
memcpy(ref_buf, data, head);
ref_size -= head;
memcpy(ref_buf + head, data + buf_size - ref_size, ref_size);
}
Reported by FlawFinder.
Line: 1080
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (head >= ref_size) {
memcpy(ref_buf, data + head - ref_size, ref_size);
} else {
memcpy(ref_buf, data, head);
ref_size -= head;
memcpy(ref_buf + head, data + buf_size - ref_size, ref_size);
}
}
Reported by FlawFinder.
Line: 1082
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
memcpy(ref_buf, data, head);
ref_size -= head;
memcpy(ref_buf + head, data + buf_size - ref_size, ref_size);
}
}
static bool intel_pt_wrapped(struct intel_pt_recording *ptr, int idx,
struct auxtrace_mmap *mm, unsigned char *data,
Reported by FlawFinder.
Line: 295
Column: 24
CWE codes:
126
static size_t intel_pt_filter_bytes(const char *filter)
{
size_t len = filter ? strlen(filter) : 0;
return len ? roundup(len + 1, 8) : 0;
}
static size_t
Reported by FlawFinder.
Line: 362
Column: 28
CWE codes:
126
max_non_turbo_ratio = 0;
filter = intel_pt_find_filter(session->evlist, ptr->intel_pt_pmu);
filter_str_len = filter ? strlen(filter) : 0;
if (!session->evlist->core.nr_mmaps)
return -EINVAL;
pc = session->evlist->mmap[0].core.base;
Reported by FlawFinder.
Line: 406
Column: 3
CWE codes:
120
if (filter_str_len) {
size_t len = intel_pt_filter_bytes(filter);
strncpy((char *)info, filter, len);
info += len >> 3;
}
return 0;
}
Reported by FlawFinder.
drivers/media/usb/cx231xx/cx231xx-417.c
9 issues
Line: 924
Column: 24
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cx231xx_load_firmware(struct cx231xx *dev)
{
static const unsigned char magic[8] = {
0xa7, 0x0d, 0x00, 0x00, 0x66, 0xbb, 0x55, 0xaa
};
const struct firmware *firmware;
int i, retval = 0;
u32 value = 0;
Reported by FlawFinder.
Line: 1262
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mpeglines*mpeglinesize) {
if (dma_q->add_ps_package_head ==
CX231XX_NEED_ADD_PS_PACKAGE_HEAD) {
memcpy(vbuf+dma_q->mpeg_buffer_completed,
dma_q->ps_head, 3);
dma_q->mpeg_buffer_completed =
dma_q->mpeg_buffer_completed + 3;
dma_q->add_ps_package_head =
CX231XX_NONEED_PS_PACKAGE_HEAD;
Reported by FlawFinder.
Line: 1269
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dma_q->add_ps_package_head =
CX231XX_NONEED_PS_PACKAGE_HEAD;
}
memcpy(vbuf+dma_q->mpeg_buffer_completed, data, len);
dma_q->mpeg_buffer_completed =
dma_q->mpeg_buffer_completed + len;
} else {
dma_q->mpeg_buffer_done = 0;
Reported by FlawFinder.
Line: 1277
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
tail_data =
mpeglines*mpeglinesize - dma_q->mpeg_buffer_completed;
memcpy(vbuf+dma_q->mpeg_buffer_completed,
data, tail_data);
buf->vb.vb2_buf.timestamp = ktime_get_ns();
buf->vb.sequence = dma_q->sequence++;
list_del(&buf->list);
Reported by FlawFinder.
Line: 1289
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len - tail_data > 0) {
p_data = data + tail_data;
dma_q->left_data_count = len - tail_data;
memcpy(dma_q->p_left_data,
p_data, len - tail_data);
}
}
}
Reported by FlawFinder.
Line: 1308
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Fill buffer */
vbuf = vb2_plane_vaddr(&buf->vb.vb2_buf, 0);
memcpy(vbuf, data, len);
buf->vb.sequence = dma_q->sequence++;
buf->vb.vb2_buf.timestamp = ktime_get_ns();
list_del(&buf->list);
vb2_buffer_done(&buf->vb.vb2_buf, VB2_BUF_STATE_DONE);
}
Reported by FlawFinder.
Line: 1354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!buffer)
return -ENOMEM;
memcpy(buffer, dma_q->ps_head, 3);
memcpy(buffer+3, p_buffer, buffer_size-3);
memcpy(dma_q->ps_head, p_buffer+buffer_size-3, 3);
p_buffer = buffer;
buffer_filled(p_buffer, buffer_size, urb, dma_q);
Reported by FlawFinder.
Line: 1355
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
memcpy(buffer, dma_q->ps_head, 3);
memcpy(buffer+3, p_buffer, buffer_size-3);
memcpy(dma_q->ps_head, p_buffer+buffer_size-3, 3);
p_buffer = buffer;
buffer_filled(p_buffer, buffer_size, urb, dma_q);
Reported by FlawFinder.
Line: 1356
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buffer, dma_q->ps_head, 3);
memcpy(buffer+3, p_buffer, buffer_size-3);
memcpy(dma_q->ps_head, p_buffer+buffer_size-3, 3);
p_buffer = buffer;
buffer_filled(p_buffer, buffer_size, urb, dma_q);
kfree(buffer);
Reported by FlawFinder.
drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
9 issues
Line: 699
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!cmd)
return -ENOMEM;
strcpy(cmd->map_ch_req.name, name);
cmd->header.cmd_no = CMD_MAP_CHANNEL_REQ;
kvaser_usb_hydra_set_cmd_dest_he
(cmd, KVASER_USB_HYDRA_HE_ADDRESS_ROUTER);
cmd->map_ch_req.channel = channel;
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define KVASER_USB_HYDRA_TRANSID_SYSDBG 0x61
struct kvaser_cmd_map_ch_req {
char name[16];
u8 channel;
u8 reserved[11];
} __packed;
struct kvaser_cmd_map_ch_res {
Reported by FlawFinder.
Line: 636
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (tmp_cmd->header.cmd_no == cmd_no) {
memcpy(cmd, tmp_cmd, cmd_len);
goto end;
}
pos += cmd_len;
}
} while (time_before(jiffies, timeout));
Reported by FlawFinder.
Line: 1214
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & KVASER_USB_HYDRA_CF_FLAG_REMOTE_FRAME)
cf->can_id |= CAN_RTR_FLAG;
else
memcpy(cf->data, cmd->rx_can.data, cf->len);
stats->rx_packets++;
stats->rx_bytes += cf->len;
netif_rx(skb);
}
Reported by FlawFinder.
Line: 1292
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (flags & KVASER_USB_HYDRA_CF_FLAG_REMOTE_FRAME)
cf->can_id |= CAN_RTR_FLAG;
else
memcpy(cf->data, cmd->rx_can.kcan_payload, cf->len);
stats->rx_packets++;
stats->rx_bytes += cf->len;
netif_rx(skb);
}
Reported by FlawFinder.
Line: 1447
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->tx_can.flags = cpu_to_le32(flags);
cmd->tx_can.kcan_header = cpu_to_le32(kcan_header);
memcpy(cmd->tx_can.kcan_payload, cf->data, nbr_of_bytes);
return cmd;
}
static void *
Reported by FlawFinder.
Line: 1498
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->tx_can.id = cpu_to_le32(id);
cmd->tx_can.flags = flags;
memcpy(cmd->tx_can.data, cf->data, *frame_len);
return cmd;
}
static int kvaser_usb_hydra_set_mode(struct net_device *netdev,
Reported by FlawFinder.
Line: 1961
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(card_data->usb_rx_leftover + usb_rx_leftover_len, buf,
remaining_bytes);
pos += remaining_bytes;
if (remaining_bytes + usb_rx_leftover_len == cmd_len) {
kvaser_usb_hydra_handle_cmd(dev, cmd);
Reported by FlawFinder.
Line: 1992
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
spin_lock_irqsave(usb_rx_leftover_lock, irq_flags);
memcpy(card_data->usb_rx_leftover, buf + pos,
leftover_bytes);
card_data->usb_rx_leftover_len = leftover_bytes;
spin_unlock_irqrestore(usb_rx_leftover_lock, irq_flags);
break;
}
Reported by FlawFinder.
drivers/misc/ti-st/st_kim.c
9 issues
Line: 620
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct kim_data_s *kim_data = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", kim_data->dev_name);
}
static ssize_t show_baud_rate(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 66
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (skb->data[2] == 0x01 && skb->data[3] == 0x01 &&
skb->data[4] == 0x10 && skb->data[5] == 0x00) {
/* fw version response */
memcpy(kim_gdata->resp_buffer,
kim_gdata->rx_skb->data,
kim_gdata->rx_skb->len);
kim_gdata->rx_state = ST_W4_PACKET_TYPE;
kim_gdata->rx_skb = NULL;
kim_gdata->rx_count = 0;
Reported by FlawFinder.
Line: 240
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (version & 0x8000)
maj_ver |= 0x0008;
sprintf(bts_scr_name, "ti-connectivity/TIInit_%d.%d.%d.bts",
chip, maj_ver, min_ver);
/* to be accessed later via sysfs entry */
kim_gdata->version.full = version;
kim_gdata->version.chip = chip;
Reported by FlawFinder.
Line: 284
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long len = 0;
unsigned char *ptr = NULL;
unsigned char *action_ptr = NULL;
unsigned char bts_scr_name[40] = { 0 }; /* 40 char long bts scr name? */
int wr_room_space;
int cmd_size;
unsigned long timeout;
err = read_local_version(kim_gdata, bts_scr_name);
Reported by FlawFinder.
Line: 591
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct kim_data_s *kim_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", kim_data->ldisc_install);
}
#ifdef DEBUG
static ssize_t store_dev_name(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
Reported by FlawFinder.
Line: 627
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct kim_data_s *kim_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", kim_data->baud_rate);
}
static ssize_t show_flow_cntrl(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 634
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct kim_data_s *kim_data = dev_get_drvdata(dev);
return sprintf(buf, "%d\n", kim_data->flow_cntrl);
}
/* structures specific for sysfs entries */
static struct kobj_attribute ldisc_install =
__ATTR(install, 0444, (void *)show_install, NULL);
Reported by FlawFinder.
Line: 600
Column: 2
CWE codes:
120
{
struct kim_data_s *kim_data = dev_get_drvdata(dev);
pr_debug("storing dev name >%s<", buf);
strncpy(kim_data->dev_name, buf, count);
pr_debug("stored dev name >%s<", kim_data->dev_name);
return count;
}
static ssize_t store_baud_rate(struct device *dev,
Reported by FlawFinder.
Line: 761
Column: 2
CWE codes:
120
}
/* copying platform data */
strncpy(kim_gdata->dev_name, pdata->dev_name, UART_DEV_NAME_LEN);
kim_gdata->flow_cntrl = pdata->flow_cntrl;
kim_gdata->baud_rate = pdata->baud_rate;
pr_info("sysfs entries created\n");
kim_debugfs_dir = debugfs_create_dir("ti-st", NULL);
Reported by FlawFinder.