The following issues were found
tools/testing/selftests/ipc/msgque.c
8 issues
Line: 17
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct msg1 {
int msize;
long mtype;
char mtext[MAX_MSG_SIZE];
};
#define TEST_STRING "Test sysv5 msg"
#define MSG_TYPE 1
Reported by FlawFinder.
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int restore_queue(struct msgque_data *msgque)
{
int fd, ret, id, i;
char buf[32];
fd = open("/proc/sys/kernel/msg_next_id", O_WRONLY);
if (fd == -1) {
printf("Failed to open /proc/sys/kernel/msg_next_id\n");
return -errno;
Reported by FlawFinder.
Line: 40
Column: 7
CWE codes:
362
int fd, ret, id, i;
char buf[32];
fd = open("/proc/sys/kernel/msg_next_id", O_WRONLY);
if (fd == -1) {
printf("Failed to open /proc/sys/kernel/msg_next_id\n");
return -errno;
}
sprintf(buf, "%d", msgque->msq_id);
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
printf("Failed to open /proc/sys/kernel/msg_next_id\n");
return -errno;
}
sprintf(buf, "%d", msgque->msq_id);
ret = write(fd, buf, strlen(buf));
if (ret != strlen(buf)) {
printf("Failed to write to /proc/sys/kernel/msg_next_id\n");
return -errno;
Reported by FlawFinder.
Line: 178
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct msg1 msgbuf;
msgbuf.mtype = MSG_TYPE;
memcpy(msgbuf.mtext, TEST_STRING, sizeof(TEST_STRING));
if (msgsnd(msgque->msq_id, &msgbuf.mtype, sizeof(TEST_STRING),
IPC_NOWAIT) != 0) {
printf("First message send failed (%m)\n");
return -errno;
}
Reported by FlawFinder.
Line: 186
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
msgbuf.mtype = ANOTHER_MSG_TYPE;
memcpy(msgbuf.mtext, ANOTHER_TEST_STRING, sizeof(ANOTHER_TEST_STRING));
if (msgsnd(msgque->msq_id, &msgbuf.mtype, sizeof(ANOTHER_TEST_STRING),
IPC_NOWAIT) != 0) {
printf("Second message send failed (%m)\n");
return -errno;
}
Reported by FlawFinder.
Line: 47
Column: 23
CWE codes:
126
}
sprintf(buf, "%d", msgque->msq_id);
ret = write(fd, buf, strlen(buf));
if (ret != strlen(buf)) {
printf("Failed to write to /proc/sys/kernel/msg_next_id\n");
return -errno;
}
Reported by FlawFinder.
Line: 48
Column: 13
CWE codes:
126
sprintf(buf, "%d", msgque->msq_id);
ret = write(fd, buf, strlen(buf));
if (ret != strlen(buf)) {
printf("Failed to write to /proc/sys/kernel/msg_next_id\n");
return -errno;
}
id = msgget(msgque->key, msgque->mode | IPC_CREAT | IPC_EXCL);
Reported by FlawFinder.
tools/testing/selftests/bpf/progs/test_l4lb.c
8 issues
Line: 167
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct eth_hdr {
unsigned char eth_dest[ETH_ALEN];
unsigned char eth_source[ETH_ALEN];
unsigned short eth_proto;
};
struct {
Reported by FlawFinder.
Line: 168
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct eth_hdr {
unsigned char eth_dest[ETH_ALEN];
unsigned char eth_source[ETH_ALEN];
unsigned short eth_proto;
};
struct {
__uint(type, BPF_MAP_TYPE_HASH);
Reported by FlawFinder.
Line: 253
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return TC_ACT_SHOT;
pckt->proto = ip6h->nexthdr;
pckt->flags |= F_ICMP;
memcpy(pckt->srcv6, ip6h->daddr.s6_addr32, 16);
memcpy(pckt->dstv6, ip6h->saddr.s6_addr32, 16);
return TC_ACT_UNSPEC;
}
static __always_inline int parse_icmp(void *data, void *data_end, __u64 off,
Reported by FlawFinder.
Line: 254
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pckt->proto = ip6h->nexthdr;
pckt->flags |= F_ICMP;
memcpy(pckt->srcv6, ip6h->daddr.s6_addr32, 16);
memcpy(pckt->dstv6, ip6h->saddr.s6_addr32, 16);
return TC_ACT_UNSPEC;
}
static __always_inline int parse_icmp(void *data, void *data_end, __u64 off,
struct packet_description *pckt)
Reported by FlawFinder.
Line: 367
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return action;
off += IPV6_PLUS_ICMP_HDR;
} else {
memcpy(pckt.srcv6, ip6h->saddr.s6_addr32, 16);
memcpy(pckt.dstv6, ip6h->daddr.s6_addr32, 16);
}
} else {
iph = data + off;
if (iph + 1 > data_end)
Reported by FlawFinder.
Line: 368
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
off += IPV6_PLUS_ICMP_HDR;
} else {
memcpy(pckt.srcv6, ip6h->saddr.s6_addr32, 16);
memcpy(pckt.dstv6, ip6h->daddr.s6_addr32, 16);
}
} else {
iph = data + off;
if (iph + 1 > data_end)
return TC_ACT_SHOT;
Reported by FlawFinder.
Line: 407
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (is_ipv6)
memcpy(vip.daddr.v6, pckt.dstv6, 16);
else
vip.daddr.v4 = pckt.dst;
vip.dport = pckt.port16[1];
vip.protocol = pckt.proto;
Reported by FlawFinder.
Line: 433
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!cval)
return TC_ACT_SHOT;
ifindex = cval->ifindex;
memcpy(tkey.remote_ipv6, dst->dstv6, 16);
tun_flag = BPF_F_TUNINFO_IPV6;
} else {
cval = bpf_map_lookup_elem(&ctl_array, &v4_intf_pos);
if (!cval)
return TC_ACT_SHOT;
Reported by FlawFinder.
tools/lib/subcmd/exec-cmd.c
8 issues
Line: 180
Column: 2
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
const char **nargv = prepare_exec_cmd(argv);
/* execvp() can only ever return if it fails */
execvp(subcmd_config.exec_name, (char **)nargv);
free(nargv);
return -1;
}
Reported by FlawFinder.
Line: 43
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
struct stat cwd_stat, pwd_stat;
if (getcwd(cwd, PATH_MAX) == NULL)
return NULL;
pwd = getenv("PWD");
if (pwd && strcmp(pwd, cwd)) {
stat(cwd, &cwd_stat);
if (!stat(pwd, &pwd_stat) &&
pwd_stat.st_dev == cwd_stat.st_dev &&
pwd_stat.st_ino == cwd_stat.st_ino) {
Reported by FlawFinder.
Line: 121
Column: 8
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (argv_exec_path)
return strdup(argv_exec_path);
env = getenv(subcmd_config.exec_path_env);
if (env && *env)
return strdup(env);
return system_path(subcmd_config.exec_path);
}
Reported by FlawFinder.
Line: 142
Column: 25
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
void setup_path(void)
{
const char *old_path = getenv("PATH");
char *new_path = NULL;
char *tmp = get_argv_exec_path();
add_path(&new_path, tmp);
add_path(&new_path, argv0_path);
Reported by FlawFinder.
Line: 38
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *get_pwd_cwd(void)
{
static char cwd[PATH_MAX + 1];
char *pwd;
struct stat cwd_stat, pwd_stat;
if (getcwd(cwd, PATH_MAX) == NULL)
return NULL;
pwd = getenv("PWD");
Reported by FlawFinder.
Line: 57
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char *make_nonrelative_path(const char *path)
{
static char buf[PATH_MAX + 1];
if (is_absolute_path(path)) {
if (strlcpy(buf, path, PATH_MAX) >= PATH_MAX)
die("Too long path: %.*s", 60, path);
} else {
Reported by FlawFinder.
Line: 190
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int execl_cmd(const char *cmd,...)
{
int argc;
const char *argv[MAX_ARGS + 1];
const char *arg;
va_list param;
va_start(param, cmd);
argv[0] = cmd;
Reported by FlawFinder.
Line: 90
Column: 18
CWE codes:
126
if (!argv0 || !*argv0)
return NULL;
slash = argv0 + strlen(argv0);
while (argv0 <= slash && !is_dir_sep(*slash))
slash--;
if (slash >= argv0) {
Reported by FlawFinder.
tools/perf/util/thread_map.c
8 issues
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct perf_thread_map *thread_map__new_by_pid(pid_t pid)
{
struct perf_thread_map *threads;
char name[256];
int items;
struct dirent **namelist = NULL;
int i;
sprintf(name, "/proc/%d/task", pid);
Reported by FlawFinder.
Line: 41
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct dirent **namelist = NULL;
int i;
sprintf(name, "/proc/%d/task", pid);
items = scandir(name, &namelist, filter, NULL);
if (items <= 0)
return NULL;
threads = thread_map__alloc(items);
Reported by FlawFinder.
Line: 49
Column: 41
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
threads = thread_map__alloc(items);
if (threads != NULL) {
for (i = 0; i < items; i++)
perf_thread_map__set_pid(threads, i, atoi(namelist[i]->d_name));
threads->nr = items;
refcount_set(&threads->refcnt, 1);
}
for (i=0; i<items; i++)
Reported by FlawFinder.
Line: 78
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
DIR *proc;
int max_threads = 32, items, i;
char path[NAME_MAX + 1 + 6];
struct dirent *dirent, **namelist = NULL;
struct perf_thread_map *threads = thread_map__alloc(max_threads);
if (threads == NULL)
goto out;
Reported by FlawFinder.
Line: 131
Column: 11
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
for (i = 0; i < items; i++) {
perf_thread_map__set_pid(threads, threads->nr + i,
atoi(namelist[i]->d_name));
}
for (i = 0; i < items; i++)
zfree(&namelist[i]);
free(namelist);
Reported by FlawFinder.
Line: 184
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct perf_thread_map *thread_map__new_by_pid_str(const char *pid_str)
{
struct perf_thread_map *threads = NULL, *nt;
char name[256];
int items, total_tasks = 0;
struct dirent **namelist = NULL;
int i, j = 0;
pid_t pid, prev_pid = INT_MAX;
char *end_ptr;
Reported by FlawFinder.
Line: 207
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (pid == prev_pid)
continue;
sprintf(name, "/proc/%d/task", pid);
items = scandir(name, &namelist, filter, NULL);
if (items <= 0)
goto out_free_threads;
total_tasks += items;
Reported by FlawFinder.
Line: 220
Column: 43
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
threads = nt;
for (i = 0; i < items; i++) {
perf_thread_map__set_pid(threads, j++, atoi(namelist[i]->d_name));
zfree(&namelist[i]);
}
threads->nr = total_tasks;
free(namelist);
}
Reported by FlawFinder.
tools/testing/selftests/bpf/progs/connect4_prog.c
8 issues
Line: 52
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
static __inline int verify_cc(struct bpf_sock_addr *ctx,
char expected[TCP_CA_NAME_MAX])
{
char buf[TCP_CA_NAME_MAX];
int i;
if (bpf_getsockopt(ctx, SOL_TCP, TCP_CONGESTION, &buf, sizeof(buf)))
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __inline int verify_cc(struct bpf_sock_addr *ctx,
char expected[TCP_CA_NAME_MAX])
{
char buf[TCP_CA_NAME_MAX];
int i;
if (bpf_getsockopt(ctx, SOL_TCP, TCP_CONGESTION, &buf, sizeof(buf)))
return 1;
Reported by FlawFinder.
Line: 72
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __inline int set_cc(struct bpf_sock_addr *ctx)
{
char reno[TCP_CA_NAME_MAX] = "reno";
char cubic[TCP_CA_NAME_MAX] = "cubic";
if (bpf_setsockopt(ctx, SOL_TCP, TCP_CONGESTION, &reno, sizeof(reno)))
return 1;
if (verify_cc(ctx, reno))
Reported by FlawFinder.
Line: 73
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __inline int set_cc(struct bpf_sock_addr *ctx)
{
char reno[TCP_CA_NAME_MAX] = "reno";
char cubic[TCP_CA_NAME_MAX] = "cubic";
if (bpf_setsockopt(ctx, SOL_TCP, TCP_CONGESTION, &reno, sizeof(reno)))
return 1;
if (verify_cc(ctx, reno))
return 1;
Reported by FlawFinder.
Line: 90
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __inline int bind_to_device(struct bpf_sock_addr *ctx)
{
char veth1[IFNAMSIZ] = "test_sock_addr1";
char veth2[IFNAMSIZ] = "test_sock_addr2";
char missing[IFNAMSIZ] = "nonexistent_dev";
char del_bind[IFNAMSIZ] = "";
if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
Reported by FlawFinder.
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __inline int bind_to_device(struct bpf_sock_addr *ctx)
{
char veth1[IFNAMSIZ] = "test_sock_addr1";
char veth2[IFNAMSIZ] = "test_sock_addr2";
char missing[IFNAMSIZ] = "nonexistent_dev";
char del_bind[IFNAMSIZ] = "";
if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
&veth1, sizeof(veth1)))
Reported by FlawFinder.
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char veth1[IFNAMSIZ] = "test_sock_addr1";
char veth2[IFNAMSIZ] = "test_sock_addr2";
char missing[IFNAMSIZ] = "nonexistent_dev";
char del_bind[IFNAMSIZ] = "";
if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
&veth1, sizeof(veth1)))
return 1;
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char veth1[IFNAMSIZ] = "test_sock_addr1";
char veth2[IFNAMSIZ] = "test_sock_addr2";
char missing[IFNAMSIZ] = "nonexistent_dev";
char del_bind[IFNAMSIZ] = "";
if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
&veth1, sizeof(veth1)))
return 1;
if (bpf_setsockopt(ctx, SOL_SOCKET, SO_BINDTODEVICE,
Reported by FlawFinder.
tools/testing/selftests/net/udpgso.c
8 issues
Line: 283
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
memset(&ifr, 0, sizeof(ifr));
strcpy(ifr.ifr_name, ifname);
if (ioctl(fd, SIOCGIFMTU, &ifr))
error(1, errno, "ioctl get mtu");
return ifr.ifr_mtu;
Reported by FlawFinder.
Line: 298
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
memset(&ifr, 0, sizeof(ifr));
ifr.ifr_mtu = mtu;
strcpy(ifr.ifr_name, ifname);
if (ioctl(fd, SIOCSIFMTU, &ifr))
error(1, errno, "ioctl set mtu");
}
Reported by FlawFinder.
Line: 645
Column: 14
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int c;
while ((c = getopt(argc, argv, "46cCmst:")) != -1) {
switch (c) {
case '4':
cfg_do_ipv4 = true;
break;
case '6':
Reported by FlawFinder.
Line: 62
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static const char cfg_ifname[] = "lo";
static unsigned short cfg_port = 9000;
static char buf[ETH_MAX_MTU];
struct testcase {
int tlen; /* send() buffer size, may exceed mss */
bool tfail; /* send() call is expected to fail */
int gso_len; /* mss after applying gso */
Reported by FlawFinder.
Line: 364
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nlmsghdr *nh;
struct rtattr *rta;
struct rtmsg *rt;
char data[NLMSG_ALIGN(sizeof(*nh)) +
NLMSG_ALIGN(sizeof(*rt)) +
NLMSG_ALIGN(RTA_LENGTH(sizeof(addr6))) +
NLMSG_ALIGN(RTA_LENGTH(sizeof(int))) +
NLMSG_ALIGN(RTA_LENGTH(0) + RTA_LENGTH(sizeof(int)))];
int fd, ret, alen, off = 0;
Reported by FlawFinder.
Line: 397
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rta->rta_type = RTA_DST;
rta->rta_len = RTA_LENGTH(alen);
if (is_ipv4)
memcpy(RTA_DATA(rta), &addr4, alen);
else
memcpy(RTA_DATA(rta), &addr6, alen);
off += NLMSG_ALIGN(rta->rta_len);
rta = (void *)(data + off);
Reported by FlawFinder.
Line: 399
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_ipv4)
memcpy(RTA_DATA(rta), &addr4, alen);
else
memcpy(RTA_DATA(rta), &addr6, alen);
off += NLMSG_ALIGN(rta->rta_len);
rta = (void *)(data + off);
rta->rta_type = RTA_OIF;
rta->rta_len = RTA_LENGTH(sizeof(int));
Reported by FlawFinder.
Line: 454
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool send_one(int fd, int len, int gso_len,
struct sockaddr *addr, socklen_t alen)
{
char control[CMSG_SPACE(sizeof(uint16_t))] = {0};
struct msghdr msg = {0};
struct iovec iov = {0};
struct cmsghdr *cm;
iov.iov_base = buf;
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/test_local_storage.c
8 issues
Line: 56
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
/* Use the copied /usr/bin/rm to delete itself
* /tmp/copy_of_rm /tmp/copy_of_rm.
*/
ret = execlp(rm_path, rm_path, rm_path, NULL);
if (ret)
exit(errno);
} else if (child_pid > 0) {
waitpid(child_pid, &child_status, 0);
return WEXITSTATUS(child_status);
Reported by FlawFinder.
Line: 146
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
snprintf(tmp_exec_path, sizeof(tmp_exec_path), "%s/copy_of_rm",
tmp_dir_path);
snprintf(cmd, sizeof(cmd), "cp /bin/rm %s", tmp_exec_path);
if (CHECK_FAIL(system(cmd)))
goto close_prog_rmdir;
rm_fd = open(tmp_exec_path, O_RDONLY);
if (CHECK(rm_fd < 0, "open", "failed to open %s err:%d, errno:%d",
tmp_exec_path, rm_fd, errno))
Reported by FlawFinder.
Line: 175
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
*/
snprintf(cmd, sizeof(cmd), "mv %s/copy_of_rm %s/check_null_ptr",
tmp_dir_path, tmp_dir_path);
if (CHECK_FAIL(system(cmd)))
goto close_prog_rmdir;
CHECK(skel->data->inode_storage_result != 0, "inode_storage_result",
"inode_local_storage not set\n");
Reported by FlawFinder.
Line: 194
Column: 2
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
close_prog_rmdir:
snprintf(cmd, sizeof(cmd), "rm -rf %s", tmp_dir_path);
system(cmd);
close_prog:
close(serv_sk);
close(rm_fd);
close(task_fd);
local_storage__destroy(skel);
Reported by FlawFinder.
Line: 47
Column: 13
CWE codes:
362
child_pid = fork();
if (child_pid == 0) {
null_fd = open("/dev/null", O_WRONLY);
dup2(null_fd, STDOUT_FILENO);
dup2(null_fd, STDERR_FILENO);
close(null_fd);
*monitored_pid = getpid();
Reported by FlawFinder.
Line: 119
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char tmp_dir_path[] = "/tmp/local_storageXXXXXX";
int err, serv_sk = -1, task_fd = -1, rm_fd = -1;
struct local_storage *skel = NULL;
char tmp_exec_path[64];
char cmd[256];
skel = local_storage__open_and_load();
if (CHECK(!skel, "skel_load", "lsm skeleton failed\n"))
goto close_prog;
Reported by FlawFinder.
Line: 120
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int err, serv_sk = -1, task_fd = -1, rm_fd = -1;
struct local_storage *skel = NULL;
char tmp_exec_path[64];
char cmd[256];
skel = local_storage__open_and_load();
if (CHECK(!skel, "skel_load", "lsm skeleton failed\n"))
goto close_prog;
Reported by FlawFinder.
Line: 149
Column: 10
CWE codes:
362
if (CHECK_FAIL(system(cmd)))
goto close_prog_rmdir;
rm_fd = open(tmp_exec_path, O_RDONLY);
if (CHECK(rm_fd < 0, "open", "failed to open %s err:%d, errno:%d",
tmp_exec_path, rm_fd, errno))
goto close_prog_rmdir;
if (!check_syscall_operations(bpf_map__fd(skel->maps.inode_storage_map),
Reported by FlawFinder.
tools/perf/arch/x86/util/iostat.c
8 issues
Line: 187
Column: 4
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (sysfs) {
for (;; pmu_idx++) {
snprintf(path, sizeof(path), SYSFS_UNCORE_PMU_PATH,
sysfs, pmu_idx);
if (access(path, F_OK) != 0)
break;
}
}
Reported by FlawFinder.
Line: 189
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
for (;; pmu_idx++) {
snprintf(path, sizeof(path), SYSFS_UNCORE_PMU_PATH,
sysfs, pmu_idx);
if (access(path, F_OK) != 0)
break;
}
}
return pmu_idx;
}
Reported by FlawFinder.
Line: 316
Column: 3
CWE codes:
134
Suggestion:
Make format string constant
return -ENOMEM;
for (idx = 0; idx < list->nr_entries; idx++) {
sprintf(iostat_cmd, iostat_cmd_template,
list->rps[idx]->pmu_idx, list->rps[idx]->pmu_idx,
list->rps[idx]->pmu_idx, list->rps[idx]->pmu_idx);
ret = parse_events(evl, iostat_cmd, NULL);
if (ret)
goto err;
Reported by FlawFinder.
Line: 406
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (rp) {
if (ts)
sprintf(prefix, "%6lu.%09lu%s%04x:%02x%s",
ts->tv_sec, ts->tv_nsec,
config->csv_sep, rp->domain, rp->bus,
config->csv_sep);
else
sprintf(prefix, "%04x:%02x%s", rp->domain, rp->bus,
Reported by FlawFinder.
Line: 411
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
config->csv_sep, rp->domain, rp->bus,
config->csv_sep);
else
sprintf(prefix, "%04x:%02x%s", rp->domain, rp->bus,
config->csv_sep);
}
}
void iostat_print_header_prefix(struct perf_stat_config *config)
Reported by FlawFinder.
Line: 147
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int iio_mapping(u8 pmu_idx, struct iio_root_ports_list * const list)
{
char *buf;
char path[MAX_PATH];
u32 domain;
u8 bus;
struct iio_root_port *rp;
size_t size;
int ret;
Reported by FlawFinder.
Line: 182
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static u8 iio_pmu_count(void)
{
u8 pmu_idx = 0;
char path[MAX_PATH];
const char *sysfs = sysfs__mountpoint();
if (sysfs) {
for (;; pmu_idx++) {
snprintf(path, sizeof(path), SYSFS_UNCORE_PMU_PATH,
Reported by FlawFinder.
Line: 307
Column: 27
CWE codes:
126
uncore_iio_%x/event=0x83,umask=0x01,ch_mask=0xF,fc_mask=0x07/,\
uncore_iio_%x/event=0xc0,umask=0x04,ch_mask=0xF,fc_mask=0x07/,\
uncore_iio_%x/event=0xc0,umask=0x01,ch_mask=0xF,fc_mask=0x07/}";
const int len_template = strlen(iostat_cmd_template) + 1;
struct evsel *evsel = NULL;
int metrics_count = iostat_metrics_count();
char *iostat_cmd = calloc(len_template, 1);
if (!iostat_cmd)
Reported by FlawFinder.
tools/perf/util/util.c
8 issues
Line: 412
Column: 10
CWE codes:
362
20
Suggestion:
Reconsider approach
char *perf_exe(char *buf, int len)
{
int n = readlink("/proc/self/exe", buf, len);
if (n > 0) {
buf[n] = 0;
return buf;
}
return strcpy(buf, "perf");
Reported by FlawFinder.
Line: 354
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int version, patchlevel, sublevel, err;
bool int_ver_ready = false;
if (access("/proc/version_signature", R_OK) == 0)
if (!fetch_ubuntu_kernel_version(puint))
int_ver_ready = true;
if (uname(&utsname))
return -1;
Reported by FlawFinder.
Line: 400
Column: 30
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (strlist__nr_entries(tips) == 0)
goto out;
node = strlist__entry(tips, random() % strlist__nr_entries(tips));
if (asprintf(&tip, "Tip: %s", node->s) < 0)
tip = (char *)"Tip: get more memory! ;-)";
out:
strlist__delete(tips);
Reported by FlawFinder.
Line: 153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
DIR *dir;
int ret;
struct dirent *d;
char namebuf[PATH_MAX];
struct stat statbuf;
/* Do not fail if there's no file. */
ret = lstat(path, &statbuf);
if (ret)
Reported by FlawFinder.
Line: 205
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int rm_rf_kcore_dir(const char *path)
{
char kcore_dir_path[PATH_MAX];
const char *pat[] = {
"kcore",
"kallsyms",
"modules",
NULL,
Reported by FlawFinder.
Line: 309
Column: 9
CWE codes:
362
if (!puint)
return 0;
vsig = fopen("/proc/version_signature", "r");
if (!vsig) {
pr_debug("Open /proc/version_signature failed: %s\n",
strerror(errno));
return -1;
}
Reported by FlawFinder.
Line: 417
Column: 9
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
buf[n] = 0;
return buf;
}
return strcpy(buf, "perf");
}
Reported by FlawFinder.
Line: 362
Column: 3
CWE codes:
120
return -1;
if (str && str_size) {
strncpy(str, utsname.release, str_size);
str[str_size - 1] = '\0';
}
if (!puint || int_ver_ready)
return 0;
Reported by FlawFinder.
tools/perf/jvmti/libjvmti.c
8 issues
Line: 201
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
ret = JVMTI_ERROR_OUT_OF_MEMORY;
goto free_class_sign_error;
}
strcpy(*buffer, fn);
ret = JVMTI_ERROR_NONE;
free_class_sign_error:
(*jvmti)->Deallocate(jvmti, (unsigned char *)class_sign);
free_file_name_error:
Reported by FlawFinder.
Line: 172
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
jclass decl_class;
char *file_name = NULL;
char *class_sign = NULL;
char fn[PATH_MAX];
size_t len;
ret = (*jvmti)->GetMethodDeclaringClass(jvmti, methodID, &decl_class);
if (ret != JVMTI_ERROR_NONE) {
print_error(jvmti, "GetMethodDeclaringClass", ret);
Reported by FlawFinder.
Line: 303
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
len = strlen(func_name) + strlen(class_sign) + strlen(func_sign) + 2;
{
char str[len];
snprintf(str, len, "%s%s%s", class_sign, func_name, func_sign);
if (jvmti_write_code(jvmti_agent, str, addr, code_addr, code_size))
warnx("jvmti: write_code() failed");
}
Reported by FlawFinder.
Line: 155
Column: 56
CWE codes:
126
* append file name, we use loops and not string ops to avoid modifying
* class_sign which is used later for the symbol name
*/
for (j = 0; i < (max_length - 1) && file_name && j < strlen(file_name); j++, i++)
result[i] = file_name[j];
result[i] = '\0';
} else {
/* fallback case */
Reported by FlawFinder.
Line: 194
Column: 8
CWE codes:
126
}
copy_class_filename(class_sign, file_name, fn, PATH_MAX);
len = strlen(fn);
*buffer = malloc((len + 1) * sizeof(char));
if (!*buffer) {
print_error(jvmti, "GetClassSignature", ret);
ret = JVMTI_ERROR_OUT_OF_MEMORY;
goto free_class_sign_error;
Reported by FlawFinder.
Line: 301
Column: 49
CWE codes:
126
if (jvmti_write_debug_info(jvmti_agent, addr, nr_lines, line_tab, (const char * const *) line_file_names))
warnx("jvmti: write_debug_info() failed");
len = strlen(func_name) + strlen(class_sign) + strlen(func_sign) + 2;
{
char str[len];
snprintf(str, len, "%s%s%s", class_sign, func_name, func_sign);
if (jvmti_write_code(jvmti_agent, str, addr, code_addr, code_size))
Reported by FlawFinder.
Line: 301
Column: 8
CWE codes:
126
if (jvmti_write_debug_info(jvmti_agent, addr, nr_lines, line_tab, (const char * const *) line_file_names))
warnx("jvmti: write_debug_info() failed");
len = strlen(func_name) + strlen(class_sign) + strlen(func_sign) + 2;
{
char str[len];
snprintf(str, len, "%s%s%s", class_sign, func_name, func_sign);
if (jvmti_write_code(jvmti_agent, str, addr, code_addr, code_size))
Reported by FlawFinder.
Line: 301
Column: 28
CWE codes:
126
if (jvmti_write_debug_info(jvmti_agent, addr, nr_lines, line_tab, (const char * const *) line_file_names))
warnx("jvmti: write_debug_info() failed");
len = strlen(func_name) + strlen(class_sign) + strlen(func_sign) + 2;
{
char str[len];
snprintf(str, len, "%s%s%s", class_sign, func_name, func_sign);
if (jvmti_write_code(jvmti_agent, str, addr, code_addr, code_size))
Reported by FlawFinder.