The following issues were found
arch/um/drivers/pty.c
9 issues
Line: 65
Column: 2
CWE codes:
120
Suggestion:
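Use sprintf_s, snprintf, or vsnprintf. Triage note: the destination `data->dev_name` appears to be the fixed-size array declared as `char dev_name[sizeof("/dev/pts/0123456\0")]` in the Line 23 finding, and `dev` is the string returned by ptsname(), so the copy is only safe while that path fits the array. `snprintf(data->dev_name, sizeof(data->dev_name), "%s", dev)` bounds the write; sprintf_s is an optional C11 Annex K function and may not be available.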
}
dev = ptsname(fd);
sprintf(data->dev_name, "%s", dev);
*dev_out = data->dev_name;
if (data->announce)
(*data->announce)(dev, data->dev);
Reported by FlawFinder.
Line: 100
Column: 11
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/* verify slave side is usable */
*tp = 't';
err = access(line, R_OK | W_OK);
*tp = 'p';
if (!err)
return master;
close(master);
}
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (data->announce)
(*data->announce)(dev, data->dev);
sprintf(data->dev_name, "%s", dev);
*dev_out = data->dev_name;
return fd;
}
Reported by FlawFinder.
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int dev;
int raw;
struct termios tt;
char dev_name[sizeof("/dev/pts/0123456\0")];
};
static void *pty_chan_init(char *str, int device, const struct chan_opts *opts)
{
struct pty_chan *data;
Reported by FlawFinder.
Line: 94
Column: 13
CWE codes:
362
for (cp = "0123456789abcdef"; *cp; cp++) {
*pty = *cp;
master = open(line, O_RDWR);
if (master >= 0) {
char *tp = &line[strlen("/dev/")];
/* verify slave side is usable */
*tp = 't';
Reported by FlawFinder.
Line: 118
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct pty_chan *data = d;
int fd, err;
char dev[sizeof("/dev/ptyxx\0")] = "/dev/ptyxx";
fd = getmaster(dev);
if (fd < 0)
return fd;
Reported by FlawFinder.
Line: 84
Column: 14
CWE codes:
126
char *pty, *bank, *cp;
int master, err;
pty = &line[strlen("/dev/ptyp")];
for (bank = "pqrs"; *bank; bank++) {
line[strlen("/dev/pty")] = *bank;
*pty = '0';
/* Did we hit the end ? */
if ((stat(line, &buf) < 0) && (errno == ENOENT))
Reported by FlawFinder.
Line: 86
Column: 8
CWE codes:
126
pty = &line[strlen("/dev/ptyp")];
for (bank = "pqrs"; *bank; bank++) {
line[strlen("/dev/pty")] = *bank;
*pty = '0';
/* Did we hit the end ? */
if ((stat(line, &buf) < 0) && (errno == ENOENT))
break;
Reported by FlawFinder.
Line: 96
Column: 22
CWE codes:
126
*pty = *cp;
master = open(line, O_RDWR);
if (master >= 0) {
char *tp = &line[strlen("/dev/")];
/* verify slave side is usable */
*tp = 't';
err = access(line, R_OK | W_OK);
*tp = 'p';
Reported by FlawFinder.
arch/s390/mm/fault.c
9 issues
Line: 288
Column: 63
CWE codes:
362/367!
Suggestion:
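Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Triage note: in this excerpt `access` is an `int` parameter of do_fault_error(), not a call to access(2), so the CWE-362/367 file-access race does not apply. The other findings listed for this file flag the same identifier used as a parameter or local variable and can be triaged the same way.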
(void __user *)(regs->int_parm_long & __FAIL_ADDR_MASK));
}
static noinline void do_fault_error(struct pt_regs *regs, int access,
vm_fault_t fault)
{
int si_code;
switch (fault) {
Reported by FlawFinder.
Line: 348
Column: 65
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* 11 Page translation -> Not present (nullification)
* 3b Region third trans. -> Not present (nullification)
*/
static inline vm_fault_t do_exception(struct pt_regs *regs, int access)
{
struct gmap *gmap;
struct task_struct *tsk;
struct mm_struct *mm;
struct vm_area_struct *vma;
Reported by FlawFinder.
Line: 432
Column: 33
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* we can handle it..
*/
fault = VM_FAULT_BADACCESS;
if (unlikely(!(vma->vm_flags & access)))
goto out_up;
if (is_vm_hugetlb_page(vma))
address &= HPAGE_MASK;
/*
Reported by FlawFinder.
Line: 490
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void do_protection_exception(struct pt_regs *regs)
{
unsigned long trans_exc_code;
int access;
vm_fault_t fault;
trans_exc_code = regs->int_parm_long;
/*
* Protection exceptions are suppressing, decrement psw address.
Reported by FlawFinder.
Line: 517
Column: 30
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
fault = VM_FAULT_BADACCESS;
} else {
access = VM_WRITE;
fault = do_exception(regs, access);
}
if (unlikely(fault))
do_fault_error(regs, access, fault);
}
NOKPROBE_SYMBOL(do_protection_exception);
Reported by FlawFinder.
Line: 520
Column: 24
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
fault = do_exception(regs, access);
}
if (unlikely(fault))
do_fault_error(regs, access, fault);
}
NOKPROBE_SYMBOL(do_protection_exception);
void do_dat_exception(struct pt_regs *regs)
{
Reported by FlawFinder.
Line: 526
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
void do_dat_exception(struct pt_regs *regs)
{
int access;
vm_fault_t fault;
access = VM_ACCESS_FLAGS;
fault = do_exception(regs, access);
if (unlikely(fault))
Reported by FlawFinder.
Line: 530
Column: 29
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
vm_fault_t fault;
access = VM_ACCESS_FLAGS;
fault = do_exception(regs, access);
if (unlikely(fault))
do_fault_error(regs, access, fault);
}
NOKPROBE_SYMBOL(do_dat_exception);
Reported by FlawFinder.
Line: 532
Column: 24
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
access = VM_ACCESS_FLAGS;
fault = do_exception(regs, access);
if (unlikely(fault))
do_fault_error(regs, access, fault);
}
NOKPROBE_SYMBOL(do_dat_exception);
#ifdef CONFIG_PFAULT
/*
Reported by FlawFinder.
arch/arm64/kernel/idreg-override.c
9 issues
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define FTR_ALIAS_OPTION_LEN 80
struct ftr_set_desc {
char name[FTR_DESC_NAME_LEN];
struct arm64_ftr_override *override;
struct {
char name[FTR_DESC_FIELD_LEN];
u8 shift;
bool (*filter)(u64 val);
Reported by FlawFinder.
Line: 26
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char name[FTR_DESC_NAME_LEN];
struct arm64_ftr_override *override;
struct {
char name[FTR_DESC_FIELD_LEN];
u8 shift;
bool (*filter)(u64 val);
} fields[];
};
Reported by FlawFinder.
Line: 94
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
static const struct {
char alias[FTR_ALIAS_NAME_LEN];
char feature[FTR_ALIAS_OPTION_LEN];
} aliases[] __initconst = {
{ "kvm-arm.mode=nvhe", "id_aa64mmfr1.vh=0" },
{ "kvm-arm.mode=protected", "id_aa64mmfr1.vh=0" },
{ "arm64.nobti", "id_aa64pfr1.bt=0" },
Reported by FlawFinder.
Line: 95
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const struct {
char alias[FTR_ALIAS_NAME_LEN];
char feature[FTR_ALIAS_OPTION_LEN];
} aliases[] __initconst = {
{ "kvm-arm.mode=nvhe", "id_aa64mmfr1.vh=0" },
{ "kvm-arm.mode=protected", "id_aa64mmfr1.vh=0" },
{ "arm64.nobti", "id_aa64pfr1.bt=0" },
{ "arm64.nopauth",
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __init find_field(const char *cmdline,
const struct ftr_set_desc *reg, int f, u64 *v)
{
char opt[FTR_DESC_NAME_LEN + FTR_DESC_FIELD_LEN + 2];
int len;
len = snprintf(opt, ARRAY_SIZE(opt), "%s.%s=",
reg->name, reg->fields[f].name);
Reported by FlawFinder.
Line: 163
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __init void __parse_cmdline(const char *cmdline, bool parse_aliases)
{
do {
char buf[256];
size_t len;
int i;
cmdline = skip_spaces(cmdline);
Reported by FlawFinder.
Line: 131
Column: 15
CWE codes:
126
if (!regs[i]->override)
continue;
for (f = 0; strlen(regs[i]->fields[f].name); f++) {
u64 shift = regs[i]->fields[f].shift;
u64 mask = 0xfUL << shift;
u64 v;
if (find_field(cmdline, regs[i], f, &v))
Reported by FlawFinder.
Line: 174
Column: 3
CWE codes:
120
return;
len = min(len, ARRAY_SIZE(buf) - 1);
strncpy(buf, cmdline, len);
buf[len] = 0;
if (strcmp(buf, "--") == 0)
return;
Reported by FlawFinder.
Line: 208
Column: 9
CWE codes:
126
if (!prop)
return NULL;
return strlen(prop) ? prop : NULL;
}
static __init void parse_cmdline(void)
{
const u8 *prop = get_bootargs_cmdline();
Reported by FlawFinder.
arch/m68k/include/asm/math-emu.h
9 issues
Line: 197
Column: 3
CWE codes:
134
Suggestion:
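Use a constant for the format specification. Triage note: the `printf` flagged in this file is the assembler `.macro printf` defined in this header (see the Line 253 finding), not the C library function, and every invocation shown passes a string literal as the format, so CWE-134 looks like a false positive for these findings.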
* (derived from <asm/uaccess.h>)
*/
.macro getuser size,src,dest,label,addr
| printf ,"[\size<%08x]",1,\addr
.Lu1\@: moves\size \src,\dest
.section .fixup,"ax"
.even
.Lu2\@: move.l \addr,%a0
Reported by FlawFinder.
Line: 213
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
.endm
.macro putuser size,src,dest,label,addr
| printf ,"[\size>%08x]",1,\addr
.Lu1\@: moves\size \src,\dest
.Lu2\@:
.section .fixup,"ax"
.even
Reported by FlawFinder.
Line: 253
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
.endif
.endm
.macro printf bit=-1,string,nr=0,arg1,arg2,arg3,arg4,arg5
#ifdef FPU_EMU_DEBUG
.data
.Lpdata\@:
.string "\string"
.previous
Reported by FlawFinder.
Line: 289
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
tst.w (%a0)
jeq .Lx1\@
moveq #'-',%d0
.Lx1\@: printf \bit," %c",1,%d0
move.l (4,%a0),%d0
bclr #31,%d0
jne .Lx2\@
printf \bit,"0."
jra .Lx3\@
Reported by FlawFinder.
Line: 293
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
move.l (4,%a0),%d0
bclr #31,%d0
jne .Lx2\@
printf \bit,"0."
jra .Lx3\@
.Lx2\@: printf \bit,"1."
.Lx3\@: printf \bit,"%08x%08x",2,%d0,%a0@(8)
move.w (2,%a0),%d0
ext.l %d0
Reported by FlawFinder.
Line: 295
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
jne .Lx2\@
printf \bit,"0."
jra .Lx3\@
.Lx2\@: printf \bit,"1."
.Lx3\@: printf \bit,"%08x%08x",2,%d0,%a0@(8)
move.w (2,%a0),%d0
ext.l %d0
printf \bit,"E%04x",1,%d0
#else
Reported by FlawFinder.
Line: 296
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
printf \bit,"0."
jra .Lx3\@
.Lx2\@: printf \bit,"1."
.Lx3\@: printf \bit,"%08x%08x",2,%d0,%a0@(8)
move.w (2,%a0),%d0
ext.l %d0
printf \bit,"E%04x",1,%d0
#else
printf \bit," %08x%08x%08x",3,%a0@,%a0@(4),%a0@(8)
Reported by FlawFinder.
Line: 299
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
.Lx3\@: printf \bit,"%08x%08x",2,%d0,%a0@(8)
move.w (2,%a0),%d0
ext.l %d0
printf \bit,"E%04x",1,%d0
#else
printf \bit," %08x%08x%08x",3,%a0@,%a0@(4),%a0@(8)
#endif
movem.l (%sp)+,%d0/%a0
#endif
Reported by FlawFinder.
Line: 301
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
ext.l %d0
printf \bit,"E%04x",1,%d0
#else
printf \bit," %08x%08x%08x",3,%a0@,%a0@(4),%a0@(8)
#endif
movem.l (%sp)+,%d0/%a0
#endif
.endm
Reported by FlawFinder.
arch/x86/tools/insn_sanity.c
9 issues
Line: 150
Column: 40
CWE codes:
327
Suggestion:
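Use a more secure technique for acquiring random values. Triage note: random() here fills a buffer with random bytes for an instruction-decoder test (see the comment in the excerpt), and the tool accepts a seed through its `-s` option, which suggests reproducible output is intended. No key, token or other secret is derived from these values in the lines shown, so CWE-327 is low priority here.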
/* Fills buffer with random binary up to MAX_INSN_SIZE */
for (i = 0; i < MAX_INSN_SIZE - 1; i += 2)
*(unsigned short *)(&insn_buff[i]) = random() & 0xffff;
while (i < MAX_INSN_SIZE)
insn_buff[i++] = random() & 0xff;
return i;
Reported by FlawFinder.
Line: 153
Column: 20
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
*(unsigned short *)(&insn_buff[i]) = random() & 0xffff;
while (i < MAX_INSN_SIZE)
insn_buff[i++] = random() & 0xff;
return i;
}
static void parse_args(int argc, char **argv)
Reported by FlawFinder.
Line: 165
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int set_seed = 0;
prog = argv[0];
while ((c = getopt(argc, argv, "ynvs:m:i:")) != -1) {
switch (c) {
case 'y':
x86_64 = 1;
break;
case 'n':
Reported by FlawFinder.
Line: 215
Column: 3
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (!input_file) {
if (!set_seed) /* No seed is given */
init_random_seed();
srand(seed);
}
}
int main(int argc, char **argv)
{
Reported by FlawFinder.
Line: 109
Column: 7
CWE codes:
362
{
int fd;
fd = open("/dev/urandom", O_RDONLY);
if (fd < 0)
goto fail;
if (read(fd, &seed, sizeof(seed)) != sizeof(seed))
goto fail;
Reported by FlawFinder.
Line: 125
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Read given instruction sequence from the input file */
static int read_next_insn(unsigned char *insn_buff)
{
char buf[256] = "", *tmp;
int i;
tmp = fgets(buf, ARRAY_SIZE(buf), input_file);
if (tmp == NULL || feof(input_file))
return 0;
Reported by FlawFinder.
Line: 180
Column: 18
CWE codes:
362
if (strcmp("-", optarg) == 0)
input_file = stdin;
else
input_file = fopen(optarg, "r");
if (!input_file)
usage("Failed to open input file");
break;
case 's':
seed = (unsigned int)strtoul(optarg, &tmp, 0);
Reported by FlawFinder.
Line: 225
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct insn insn;
int errors = 0;
unsigned long i;
unsigned char insn_buff[MAX_INSN_SIZE * 2];
parse_args(argc, argv);
/* Prepare stop bytes with NOPs */
memset(insn_buff + MAX_INSN_SIZE, INSN_NOP, MAX_INSN_SIZE);
Reported by FlawFinder.
arch/um/os-Linux/drivers/ethertap_user.c
9 issues
Line: 32
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct addr_change {
enum { ADD_ADDR, DEL_ADDR } what;
unsigned char addr[4];
unsigned char netmask[4];
};
static void etap_change(int op, unsigned char *addr, unsigned char *netmask,
int fd)
Reported by FlawFinder.
Line: 33
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct addr_change {
enum { ADD_ADDR, DEL_ADDR } what;
unsigned char addr[4];
unsigned char netmask[4];
};
static void etap_change(int op, unsigned char *addr, unsigned char *netmask,
int fd)
{
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct etap_pre_exec_data pe_data;
int pid, err, n;
char version_buf[sizeof("nnnnn\0")];
char data_fd_buf[sizeof("nnnnnn\0")];
char gate_buf[sizeof("nnn.nnn.nnn.nnn\0")];
char *setup_args[] = { "uml_net", version_buf, "ethertap", dev,
data_fd_buf, gate_buf, NULL };
char *nosetup_args[] = { "uml_net", version_buf, "ethertap",
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct etap_pre_exec_data pe_data;
int pid, err, n;
char version_buf[sizeof("nnnnn\0")];
char data_fd_buf[sizeof("nnnnnn\0")];
char gate_buf[sizeof("nnn.nnn.nnn.nnn\0")];
char *setup_args[] = { "uml_net", version_buf, "ethertap", dev,
data_fd_buf, gate_buf, NULL };
char *nosetup_args[] = { "uml_net", version_buf, "ethertap",
dev, data_fd_buf, NULL };
Reported by FlawFinder.
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int pid, err, n;
char version_buf[sizeof("nnnnn\0")];
char data_fd_buf[sizeof("nnnnnn\0")];
char gate_buf[sizeof("nnn.nnn.nnn.nnn\0")];
char *setup_args[] = { "uml_net", version_buf, "ethertap", dev,
data_fd_buf, gate_buf, NULL };
char *nosetup_args[] = { "uml_net", version_buf, "ethertap",
dev, data_fd_buf, NULL };
char **args, c;
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
120
Suggestion:
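Use sprintf_s, snprintf, or vsnprintf. Triage note: `data_fd_buf` is sized by `sizeof("nnnnnn\0")`, while `%d` of an `int` (presumably the type of `data_remote`) can need up to 11 characters plus the terminator, so the write relies on the descriptor number being small; `snprintf(data_fd_buf, sizeof(data_fd_buf), "%d", data_remote)` removes that assumption. In the same excerpt, `strncpy(gate_buf, gate, 15)` writes no terminator when `gate` is 15 characters or longer, and no initialisation of `gate_buf` is visible in the lines shown.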
dev, data_fd_buf, NULL };
char **args, c;
sprintf(data_fd_buf, "%d", data_remote);
sprintf(version_buf, "%d", UML_NET_VERSION);
if (gate != NULL) {
strncpy(gate_buf, gate, 15);
args = setup_args;
}
Reported by FlawFinder.
Line: 106
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char **args, c;
sprintf(data_fd_buf, "%d", data_remote);
sprintf(version_buf, "%d", UML_NET_VERSION);
if (gate != NULL) {
strncpy(gate_buf, gate, 15);
args = setup_args;
}
else args = nosetup_args;
Reported by FlawFinder.
Line: 108
Column: 3
CWE codes:
120
sprintf(data_fd_buf, "%d", data_remote);
sprintf(version_buf, "%d", UML_NET_VERSION);
if (gate != NULL) {
strncpy(gate_buf, gate, 15);
args = setup_args;
}
else args = nosetup_args;
err = 0;
Reported by FlawFinder.
Line: 123
Column: 18
CWE codes:
120
20
err = pid;
close(data_remote);
close(control_remote);
CATCH_EINTR(n = read(control_me, &c, sizeof(c)));
if (n != sizeof(c)) {
err = -errno;
printk(UM_KERN_ERR "etap_tramp : read of status failed, "
"err = %d\n", -err);
return err;
Reported by FlawFinder.
arch/um/drivers/net_user.c
9 issues
Line: 209
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void change(char *dev, char *what, unsigned char *addr,
unsigned char *netmask)
{
char addr_buf[sizeof("255.255.255.255\0")];
char netmask_buf[sizeof("255.255.255.255\0")];
char version[sizeof("nnnnn\0")];
char *argv[] = { "uml_net", version, what, dev, addr_buf,
netmask_buf, NULL };
char *output;
Reported by FlawFinder.
Line: 210
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char *netmask)
{
char addr_buf[sizeof("255.255.255.255\0")];
char netmask_buf[sizeof("255.255.255.255\0")];
char version[sizeof("nnnnn\0")];
char *argv[] = { "uml_net", version, what, dev, addr_buf,
netmask_buf, NULL };
char *output;
int output_len, pid;
Reported by FlawFinder.
Line: 211
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char addr_buf[sizeof("255.255.255.255\0")];
char netmask_buf[sizeof("255.255.255.255\0")];
char version[sizeof("nnnnn\0")];
char *argv[] = { "uml_net", version, what, dev, addr_buf,
netmask_buf, NULL };
char *output;
int output_len, pid;
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
120
Suggestion:
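Use sprintf_s, snprintf, or vsnprintf. Triage note: `addr` and `netmask` point to `unsigned char` values, so each `%d` prints at most three digits and the dotted quad is at most 15 characters plus the terminator, which fits the `sizeof("255.255.255.255\0")` buffers. Switching these calls to snprintf with `sizeof(buf)` is hardening rather than a fix for an overflow visible here.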
char *output;
int output_len, pid;
sprintf(version, "%d", UML_NET_VERSION);
sprintf(addr_buf, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
sprintf(netmask_buf, "%d.%d.%d.%d", netmask[0], netmask[1],
netmask[2], netmask[3]);
output_len = UM_KERN_PAGE_SIZE;
Reported by FlawFinder.
Line: 218
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int output_len, pid;
sprintf(version, "%d", UML_NET_VERSION);
sprintf(addr_buf, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
sprintf(netmask_buf, "%d.%d.%d.%d", netmask[0], netmask[1],
netmask[2], netmask[3]);
output_len = UM_KERN_PAGE_SIZE;
output = uml_kmalloc(output_len, UM_GFP_KERNEL);
Reported by FlawFinder.
Line: 219
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sprintf(version, "%d", UML_NET_VERSION);
sprintf(addr_buf, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
sprintf(netmask_buf, "%d.%d.%d.%d", netmask[0], netmask[1],
netmask[2], netmask[3]);
output_len = UM_KERN_PAGE_SIZE;
output = uml_kmalloc(output_len, UM_GFP_KERNEL);
if (output == NULL)
Reported by FlawFinder.
Line: 74
Column: 9
CWE codes:
120
20
while (remain != 0) {
expected = (remain < len) ? remain : len;
ret = read(fd, output, expected);
if (ret != expected) {
if (ret < 0)
ret = -errno;
str = "data";
goto err;
Reported by FlawFinder.
drivers/net/xen-netfront.c
9 issues
Line: 107
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct netfront_queue {
unsigned int id; /* Queue ID, 0-based */
char name[QUEUE_NAME_SIZE]; /* DEVNAME-qN */
struct netfront_info *info;
struct bpf_prog __rcu *xdp_prog;
struct napi_struct napi;
Reported by FlawFinder.
Line: 120
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int tx_evtchn, rx_evtchn;
unsigned int tx_irq, rx_irq;
/* Only used when split event channels support is enabled */
char tx_irq_name[IRQ_NAME_SIZE]; /* DEVNAME-qN-tx */
char rx_irq_name[IRQ_NAME_SIZE]; /* DEVNAME-qN-rx */
spinlock_t tx_lock;
struct xen_netif_tx_front_ring tx;
int tx_ring_ref;
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int tx_irq, rx_irq;
/* Only used when split event channels support is enabled */
char tx_irq_name[IRQ_NAME_SIZE]; /* DEVNAME-qN-tx */
char rx_irq_name[IRQ_NAME_SIZE]; /* DEVNAME-qN-rx */
spinlock_t tx_lock;
struct xen_netif_tx_front_ring tx;
int tx_ring_ref;
Reported by FlawFinder.
Line: 843
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
extra->type);
err = -EINVAL;
} else {
memcpy(&extras[extra->type - 1], extra,
sizeof(*extra));
}
skb = xennet_get_rx_skb(queue, cons);
ref = xennet_get_rx_ref(queue, cons);
Reported by FlawFinder.
Line: 1164
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i = queue->rx.rsp_cons;
work_done = 0;
while ((i != rp) && (work_done < budget)) {
memcpy(rx, RING_GET_RESPONSE(&queue->rx, i), sizeof(*rx));
memset(extras, 0, sizeof(rinfo.extras));
err = xennet_get_responses(queue, &rinfo, rp, &tmpq,
&need_xdp_flush);
Reported by FlawFinder.
Line: 2350
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static const struct xennet_stat {
char name[ETH_GSTRING_LEN];
u16 offset;
} xennet_stats[] = {
{
"rx_gso_checksum_fixup",
offsetof(struct netfront_info, rx_gso_checksum_fixup)
Reported by FlawFinder.
Line: 2386
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (stringset) {
case ETH_SS_STATS:
for (i = 0; i < ARRAY_SIZE(xennet_stats); i++)
memcpy(data + i * ETH_GSTRING_LEN,
xennet_stats[i].name, ETH_GSTRING_LEN);
break;
}
}
Reported by FlawFinder.
Line: 2406
Column: 9
CWE codes:
120
Suggestion:
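Use sprintf_s, snprintf, or vsnprintf. Triage note: the signature matches a device-attribute show callback and the value formatted is the constant NET_RX_RING_SIZE with `%lu\n`, so the output length is fixed and small. In kernel code the bounded helper for this case is `sysfs_emit()`.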
static ssize_t show_rxbuf(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "%lu\n", NET_RX_RING_SIZE);
}
static ssize_t store_rxbuf(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t len)
Reported by FlawFinder.
Line: 1909
Column: 14
CWE codes:
126
/* Choose the correct place to write the keys */
if (write_hierarchical) {
pathsize = strlen(dev->nodename) + 10;
path = kzalloc(pathsize, GFP_KERNEL);
if (!path) {
err = -ENOMEM;
message = "out of memory while writing ring references";
goto error;
Reported by FlawFinder.
drivers/ptp/ptp_qoriq.c
9 issues
Line: 33
Column: 18
CWE codes:
120
20
u64 ns;
u32 lo, hi;
lo = ptp_qoriq->read(&regs->ctrl_regs->tmr_cnt_l);
hi = ptp_qoriq->read(&regs->ctrl_regs->tmr_cnt_h);
ns = ((u64) hi) << 32;
ns |= lo;
return ns;
}
Reported by FlawFinder.
Line: 34
Column: 18
CWE codes:
120
20
u32 lo, hi;
lo = ptp_qoriq->read(&regs->ctrl_regs->tmr_cnt_l);
hi = ptp_qoriq->read(&regs->ctrl_regs->tmr_cnt_h);
ns = ((u64) hi) << 32;
ns |= lo;
return ns;
}
Reported by FlawFinder.
Line: 108
Column: 20
CWE codes:
120
20
event.index = index;
if (ptp_qoriq->extts_fifo_support)
if (!(ptp_qoriq->read(&regs->ctrl_regs->tmr_stat) & valid))
return 0;
do {
lo = ptp_qoriq->read(reg_etts_l);
hi = ptp_qoriq->read(reg_etts_h);
Reported by FlawFinder.
Line: 112
Column: 19
CWE codes:
120
20
return 0;
do {
lo = ptp_qoriq->read(reg_etts_l);
hi = ptp_qoriq->read(reg_etts_h);
if (update_event) {
event.timestamp = ((u64) hi) << 32;
event.timestamp |= lo;
Reported by FlawFinder.
Line: 113
Column: 19
CWE codes:
120
20
do {
lo = ptp_qoriq->read(reg_etts_l);
hi = ptp_qoriq->read(reg_etts_h);
if (update_event) {
event.timestamp = ((u64) hi) << 32;
event.timestamp |= lo;
ptp_clock_event(ptp_qoriq->clock, &event);
Reported by FlawFinder.
Line: 142
Column: 19
CWE codes:
120
20
spin_lock(&ptp_qoriq->lock);
val = ptp_qoriq->read(&regs->ctrl_regs->tmr_tevent);
mask = ptp_qoriq->read(&regs->ctrl_regs->tmr_temask);
spin_unlock(&ptp_qoriq->lock);
irqs = val & mask;
Reported by FlawFinder.
Line: 143
Column: 20
CWE codes:
120
20
spin_lock(&ptp_qoriq->lock);
val = ptp_qoriq->read(&regs->ctrl_regs->tmr_tevent);
mask = ptp_qoriq->read(&regs->ctrl_regs->tmr_temask);
spin_unlock(&ptp_qoriq->lock);
irqs = val & mask;
Reported by FlawFinder.
Line: 299
Column: 20
CWE codes:
120
20
spin_lock_irqsave(&ptp_qoriq->lock, flags);
mask = ptp_qoriq->read(&regs->ctrl_regs->tmr_temask);
if (on) {
mask |= bit;
ptp_qoriq->write(&regs->ctrl_regs->tmr_tevent, bit);
} else {
mask &= ~bit;
Reported by FlawFinder.
drivers/net/wireless/realtek/rtw88/debug.c
9 issues
Line: 182
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *seqpriv = (struct seq_file *)filp->private_data;
struct rtw_debugfs_priv *debugfs_priv = seqpriv->private;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
u32 addr, len;
int num;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 2);
Reported by FlawFinder.
Line: 273
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *seqpriv = (struct seq_file *)filp->private_data;
struct rtw_debugfs_priv *debugfs_priv = seqpriv->private;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
u32 offset, page_num;
int num;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 2);
Reported by FlawFinder.
Line: 299
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *seqpriv = (struct seq_file *)filp->private_data;
struct rtw_debugfs_priv *debugfs_priv = seqpriv->private;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
u32 input;
int num;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 1);
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct rtw_debugfs_priv *debugfs_priv = filp->private_data;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
u32 addr, val, len;
int num;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 3);
Reported by FlawFinder.
Line: 366
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct rtw_debugfs_priv *debugfs_priv = filp->private_data;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
u8 param[8];
int num;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 3);
Reported by FlawFinder.
Line: 391
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct rtw_debugfs_priv *debugfs_priv = filp->private_data;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
u32 path, addr, mask, val;
int num;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 4);
Reported by FlawFinder.
Line: 419
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *seqpriv = (struct seq_file *)filp->private_data;
struct rtw_debugfs_priv *debugfs_priv = seqpriv->private;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
u32 path, addr, mask;
int num;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 3);
Reported by FlawFinder.
Line: 800
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct rtw_debugfs_priv *debugfs_priv = seqpriv->private;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
struct rtw_coex *coex = &rtwdev->coex;
char tmp[32 + 1];
bool enable;
int ret;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 1);
Reported by FlawFinder.
Line: 838
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct seq_file *seqpriv = (struct seq_file *)filp->private_data;
struct rtw_debugfs_priv *debugfs_priv = seqpriv->private;
struct rtw_dev *rtwdev = debugfs_priv->rtwdev;
char tmp[32 + 1];
bool input;
int ret;
rtw_debugfs_copy_from_user(tmp, sizeof(tmp), buffer, count, 1);
Reported by FlawFinder.