The following issues were found
arch/ia64/kernel/mca.c
8 issues
Line: 183
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define MLOGBUF_SIZE (512+256*NR_CPUS)
#define MLOGBUF_MSGMAX 256
static char mlogbuf[MLOGBUF_SIZE];
static DEFINE_SPINLOCK(mlogbuf_wlock); /* mca context only */
static DEFINE_SPINLOCK(mlogbuf_rlock); /* normal context only */
static unsigned long mlogbuf_start;
static unsigned long mlogbuf_end;
static unsigned int mlogbuf_finished = 0;
Reported by FlawFinder.
Line: 213
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
va_list args;
int printed_len;
char temp_buf[MLOGBUF_MSGMAX];
char *p;
va_start(args, fmt);
printed_len = vscnprintf(temp_buf, sizeof(temp_buf), fmt, args);
va_end(args);
Reported by FlawFinder.
Line: 248
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
void ia64_mlogbuf_dump(void)
{
char temp_buf[MLOGBUF_MSGMAX];
char *p;
unsigned long index;
unsigned long flags;
unsigned int printed_len;
Reported by FlawFinder.
Line: 878
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void
ia64_mca_modify_comm(const struct task_struct *previous_current)
{
char *p, comm[sizeof(current->comm)];
if (previous_current->pid)
snprintf(comm, sizeof(comm), "%s %d",
current->comm, previous_current->pid);
else {
int l;
Reported by FlawFinder.
Line: 1089
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
p = (char *)r12 - sizeof(*regs);
old_regs = (struct pt_regs *)p;
memcpy(old_regs, regs, sizeof(*regs));
old_regs->loadrs = loadrs;
old_unat = old_regs->ar_unat;
finish_pt_regs(old_regs, sos, &old_unat);
/* Next stack a struct switch_stack. mca_asm.S built a partial
Reported by FlawFinder.
Line: 1112
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
p -= sizeof(struct switch_stack);
old_sw = (struct switch_stack *)p;
memcpy(old_sw, sw, sizeof(*sw));
old_sw->caller_unat = old_unat;
old_sw->ar_fpsr = old_regs->ar_fpsr;
copy_reg(&ms->pmsa_gr[4-1], ms->pmsa_nat_bits, &old_sw->r4, &old_unat);
copy_reg(&ms->pmsa_gr[5-1], ms->pmsa_nat_bits, &old_sw->r5, &old_unat);
copy_reg(&ms->pmsa_gr[6-1], ms->pmsa_nat_bits, &old_sw->r6, &old_unat);
Reported by FlawFinder.
Line: 887
Column: 8
CWE codes:
126
if ((p = strchr(previous_current->comm, ' ')))
l = p - previous_current->comm;
else
l = strlen(previous_current->comm);
snprintf(comm, sizeof(comm), "%s %*s %d",
current->comm, l, previous_current->comm,
task_thread_info(previous_current)->cpu);
}
memcpy(current->comm, comm, sizeof(current->comm));
Reported by FlawFinder.
Line: 1797
Column: 2
CWE codes:
120
p->parent = p->real_parent = p->group_leader = p;
INIT_LIST_HEAD(&p->children);
INIT_LIST_HEAD(&p->sibling);
strncpy(p->comm, type, sizeof(p->comm)-1);
}
/* Caller prevents this from being called after init */
static void * __ref mca_bootmem(void)
{
Reported by FlawFinder.
arch/x86/boot/printf.c
8 issues
Line: 113
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
return str;
}
int vsprintf(char *buf, const char *fmt, va_list args)
{
int len;
unsigned long num;
int i, base;
char *str;
Reported by FlawFinder.
Line: 283
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
return str - buf;
}
int sprintf(char *buf, const char *fmt, ...)
{
va_list args;
int i;
va_start(args, fmt);
Reported by FlawFinder.
Line: 289
Column: 6
CWE codes:
134
Suggestion:
Make format string constant
int i;
va_start(args, fmt);
i = vsprintf(buf, fmt, args);
va_end(args);
return i;
}
int printf(const char *fmt, ...)
Reported by FlawFinder.
Line: 294
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
return i;
}
int printf(const char *fmt, ...)
{
char printf_buf[1024];
va_list args;
int printed;
Reported by FlawFinder.
Line: 301
Column: 12
CWE codes:
134
Suggestion:
Make format string constant
int printed;
va_start(args, fmt);
printed = vsprintf(printf_buf, fmt, args);
va_end(args);
puts(printf_buf);
return printed;
Reported by FlawFinder.
Line: 45
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int type)
{
/* we are called with base 8, 10 or 16, only, thus don't need "G..." */
static const char digits[16] = "0123456789ABCDEF"; /* "GHIJKLMNOPQRSTUVWXYZ"; */
char tmp[66];
char c, sign, locase;
int i;
Reported by FlawFinder.
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* we are called with base 8, 10 or 16, only, thus don't need "G..." */
static const char digits[16] = "0123456789ABCDEF"; /* "GHIJKLMNOPQRSTUVWXYZ"; */
char tmp[66];
char c, sign, locase;
int i;
/* locase = 0 or 0x20. ORing digits or letters with 'locase'
* produces same digits or (maybe lowercased) letters */
Reported by FlawFinder.
Line: 296
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int printf(const char *fmt, ...)
{
char printf_buf[1024];
va_list args;
int printed;
va_start(args, fmt);
printed = vsprintf(printf_buf, fmt, args);
Reported by FlawFinder.
arch/x86/boot/video-mode.c
8 issues
Line: 41
CWE codes:
570
probed[unsafe] = 1;
for (card = video_cards; card < video_cards_end; card++) {
if (card->unsafe == unsafe) {
if (card->probe)
card->nmodes = card->probe();
else
card->nmodes = 0;
Reported by Cppcheck.
Line: 41
CWE codes:
570
probed[unsafe] = 1;
for (card = video_cards; card < video_cards_end; card++) {
if (card->unsafe == unsafe) {
if (card->probe)
card->nmodes = card->probe();
else
card->nmodes = 0;
Reported by Cppcheck.
Line: 58
CWE codes:
570
struct mode_info *mi;
int i;
for (card = video_cards; card < video_cards_end; card++) {
mi = card->modes;
for (i = 0; i < card->nmodes; i++, mi++) {
if (mi->mode == mode)
return 1;
}
Reported by Cppcheck.
Line: 58
CWE codes:
570
struct mode_info *mi;
int i;
for (card = video_cards; card < video_cards_end; card++) {
mi = card->modes;
for (i = 0; i < card->nmodes; i++, mi++) {
if (mi->mode == mode)
return 1;
}
Reported by Cppcheck.
Line: 81
CWE codes:
570
/* Scan for mode based on fixed ID, position, or resolution */
nmode = 0;
for (card = video_cards; card < video_cards_end; card++) {
mi = card->modes;
for (i = 0; i < card->nmodes; i++, mi++) {
int visible = mi->x || mi->y;
if ((mode == nmode && visible) ||
Reported by Cppcheck.
Line: 81
CWE codes:
570
/* Scan for mode based on fixed ID, position, or resolution */
nmode = 0;
for (card = video_cards; card < video_cards_end; card++) {
mi = card->modes;
for (i = 0; i < card->nmodes; i++, mi++) {
int visible = mi->x || mi->y;
if ((mode == nmode && visible) ||
Reported by Cppcheck.
Line: 99
CWE codes:
570
}
/* Nothing found? Is it an "exceptional" (unprobed) mode? */
for (card = video_cards; card < video_cards_end; card++) {
if (mode >= card->xmode_first &&
mode < card->xmode_first+card->xmode_n) {
struct mode_info mix;
*real_mode = mix.mode = mode;
mix.x = mix.y = 0;
Reported by Cppcheck.
Line: 99
CWE codes:
570
}
/* Nothing found? Is it an "exceptional" (unprobed) mode? */
for (card = video_cards; card < video_cards_end; card++) {
if (mode >= card->xmode_first &&
mode < card->xmode_first+card->xmode_n) {
struct mode_info mix;
*real_mode = mix.mode = mode;
mix.x = mix.y = 0;
Reported by Cppcheck.
arch/x86/pci/ce4100.c
8 issues
Line: 33
Column: 9
CWE codes:
120
20
int dev_func;
int reg;
void (*init)(struct sim_dev_reg *reg);
void (*read)(struct sim_dev_reg *reg, u32 *value);
void (*write)(struct sim_dev_reg *reg, u32 value);
struct sim_reg sim_reg;
};
struct sim_reg_op {
Reported by FlawFinder.
Line: 40
Column: 9
CWE codes:
120
20
struct sim_reg_op {
void (*init)(struct sim_dev_reg *reg);
void (*read)(struct sim_dev_reg *reg, u32 value);
void (*write)(struct sim_dev_reg *reg, u32 value);
};
#define MB (1024 * 1024)
#define KB (1024)
Reported by FlawFinder.
Line: 57
Column: 19
CWE codes:
120
20
*/
static void reg_init(struct sim_dev_reg *reg)
{
pci_direct_conf1.read(0, 1, reg->dev_func, reg->reg, 4,
®->sim_reg.value);
}
static void reg_read(struct sim_dev_reg *reg, u32 *value)
{
Reported by FlawFinder.
Line: 74
Column: 19
CWE codes:
120
20
static void sata_reg_init(struct sim_dev_reg *reg)
{
pci_direct_conf1.read(0, 1, PCI_DEVFN(14, 0), 0x10, 4,
®->sim_reg.value);
reg->sim_reg.value += 0x400;
}
static void ehci_reg_read(struct sim_dev_reg *reg, u32 *value)
Reported by FlawFinder.
Line: 204
Column: 20
CWE codes:
120
20
case PCI_MEMORY_BASE:
case PCI_MEMORY_LIMIT:
/* Get the A/V bridge base address. */
pci_direct_conf1.read(0, 0, devfn,
PCI_BASE_ADDRESS_0, 4, &av_bridge_base);
av_bridge_limit = av_bridge_base + (512*MB - 1);
av_bridge_limit >>= 16;
av_bridge_limit &= 0xFFF0;
Reported by FlawFinder.
Line: 251
Column: 22
CWE codes:
120
20
for (i = 0; i < ARRAY_SIZE(bus1_fixups); i++) {
if (bus1_fixups[i].dev_func == devfn &&
bus1_fixups[i].reg == (reg & ~3) &&
bus1_fixups[i].read) {
raw_spin_lock_irqsave(&pci_config_lock, flags);
bus1_fixups[i].read(&(bus1_fixups[i]), value);
raw_spin_unlock_irqrestore(&pci_config_lock, flags);
extract_bytes(value, reg, len);
Reported by FlawFinder.
Line: 254
Column: 19
CWE codes:
120
20
bus1_fixups[i].read) {
raw_spin_lock_irqsave(&pci_config_lock, flags);
bus1_fixups[i].read(&(bus1_fixups[i]), value);
raw_spin_unlock_irqrestore(&pci_config_lock, flags);
extract_bytes(value, reg, len);
return 0;
}
}
Reported by FlawFinder.
Line: 275
Column: 26
CWE codes:
120
20
!bridge_read(devfn, reg, len, value))
return 0;
return pci_direct_conf1.read(seg, bus, devfn, reg, len, value);
}
static int ce4100_bus1_write(unsigned int devfn, int reg, int len, u32 value)
{
unsigned long flags;
Reported by FlawFinder.
drivers/hwtracing/coresight/coresight-etm4x-core.c
8 issues
Line: 193
Column: 48
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static void etm4_os_unlock(struct etmv4_drvdata *drvdata)
{
if (!WARN_ON(!drvdata->csdev))
etm4_os_unlock_csa(drvdata, &drvdata->csdev->access);
}
static void etm4_os_lock(struct etmv4_drvdata *drvdata)
{
if (WARN_ON(!drvdata->csdev))
Reported by FlawFinder.
Line: 201
Column: 46
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (WARN_ON(!drvdata->csdev))
return;
/* Writing 0x1 to OS Lock locks the trace registers */
etm_write_os_lock(drvdata, &drvdata->csdev->access, 0x1);
drvdata->os_unlock = false;
}
static void etm4_cs_lock(struct etmv4_drvdata *drvdata,
struct csdev_access *csa)
Reported by FlawFinder.
Line: 336
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct etmv4_config *config = &drvdata->config;
struct coresight_device *csdev = drvdata->csdev;
struct device *etm_dev = &csdev->dev;
struct csdev_access *csa = &csdev->access;
etm4_cs_unlock(drvdata, csa);
etm4_enable_arch_specific(drvdata);
Reported by FlawFinder.
Line: 726
Column: 37
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct etmv4_config *config = &drvdata->config;
struct coresight_device *csdev = drvdata->csdev;
struct device *etm_dev = &csdev->dev;
struct csdev_access *csa = &csdev->access;
int i;
etm4_cs_unlock(drvdata, csa);
etm4_disable_arch_specific(drvdata);
Reported by FlawFinder.
Line: 809
Column: 41
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* scheduled again. Configuration of the start/stop logic happens in
* function etm4_set_event_filters().
*/
control = etm4x_relaxed_read32(&csdev->access, TRCVICTLR);
/* TRCVICTLR::SSSTATUS, bit[9] */
filters->ssstatus = (control & BIT(9));
return 0;
}
Reported by FlawFinder.
Line: 1543
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -ENODEV;
etm_dev = &csdev->dev;
csa = &csdev->access;
/*
* As recommended by 3.4.1 ("The procedure when powering down the PE")
* of ARM IHI 0064D
*/
Reported by FlawFinder.
Line: 1886
Column: 23
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return drvdata->cpu;
init_arg.drvdata = drvdata;
init_arg.csa = &desc.access;
init_arg.pid = etm_pid;
if (smp_call_function_single(drvdata->cpu,
etm4_init_arch_data, &init_arg, 1))
dev_err(dev, "ETM arch init failed\n");
Reported by FlawFinder.
Line: 1897
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return -EINVAL;
/* TRCPDCR is not accessible with system instructions. */
if (!desc.access.io_mem ||
fwnode_property_present(dev_fwnode(dev), "qcom,skip-power-up"))
drvdata->skip_power_up = true;
major = ETM_ARCH_MAJOR_VERSION(drvdata->arch);
minor = ETM_ARCH_MINOR_VERSION(drvdata->arch);
Reported by FlawFinder.
drivers/gpu/drm/vmwgfx/vmwgfx_binding.c
8 issues
Line: 350
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (loc->ctx != NULL)
vmw_binding_drop(loc);
memcpy(loc, bi, b->size);
loc->scrubbed = false;
list_add(&loc->ctx_list, &cbs->list);
INIT_LIST_HEAD(&loc->res_list);
}
Reported by FlawFinder.
Line: 391
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
if (bi->res != NULL) {
memcpy(loc, bi, vmw_binding_infos[bi->bt].size);
list_add_tail(&loc->ctx_list, &cbs->list);
list_add_tail(&loc->res_list, &loc->res->binding_head);
}
}
Reported by FlawFinder.
Line: 825
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->body.type = shader_slot + SVGA3D_SHADERTYPE_MIN;
cmd->body.startView = cbs->bind_first_slot;
memcpy(&cmd[1], cbs->bind_cmd_buffer, view_id_size);
vmw_cmd_commit(ctx->dev_priv, cmd_size);
bitmap_clear(cbs->per_shader[shader_slot].dirty_sr,
cbs->bind_first_slot, cbs->bind_cmd_count);
Reported by FlawFinder.
Line: 864
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else
cmd->body.depthStencilViewId = SVGA3D_INVALID_ID;
memcpy(&cmd[1], cbs->bind_cmd_buffer, view_id_size);
vmw_cmd_commit(ctx->dev_priv, cmd_size);
return 0;
Reported by FlawFinder.
Line: 942
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->header.id = SVGA_3D_CMD_DX_SET_SOTARGETS;
cmd->header.size = sizeof(cmd->body) + so_target_size;
memcpy(&cmd[1], cbs->bind_cmd_buffer, so_target_size);
vmw_cmd_commit(ctx->dev_priv, cmd_size);
return 0;
Reported by FlawFinder.
Line: 1058
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cmd->header.size = sizeof(cmd->body) + set_vb_size;
cmd->body.startBuffer = cbs->bind_first_slot;
memcpy(&cmd[1], cbs->bind_cmd_buffer, set_vb_size);
vmw_cmd_commit(ctx->dev_priv, cmd_size);
bitmap_clear(cbs->dirty_vb,
cbs->bind_first_slot, cbs->bind_cmd_count);
Reported by FlawFinder.
Line: 1090
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Splice index is specified user-space */
cmd->body.uavSpliceIndex = cbs->ua_views[0].index;
memcpy(&cmd[1], cbs->bind_cmd_buffer, view_id_size);
vmw_cmd_commit(ctx->dev_priv, cmd_size);
return 0;
}
Reported by FlawFinder.
Line: 1120
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Start index is specified user-space */
cmd->body.startIndex = cbs->ua_views[1].index;
memcpy(&cmd[1], cbs->bind_cmd_buffer, view_id_size);
vmw_cmd_commit(ctx->dev_priv, cmd_size);
return 0;
}
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/msix.c
8 issues
Line: 201
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
{
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d kctxt%d",
rcd->dd->unit, rcd->ctxt);
return msix_request_rcd_irq_common(rcd, receive_context_interrupt,
receive_context_thread, name);
}
Reported by FlawFinder.
Line: 217
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
{
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d nd kctxt%d",
rcd->dd->unit, rcd->ctxt);
return msix_request_rcd_irq_common(rcd, receive_context_interrupt_napi,
NULL, name);
}
Reported by FlawFinder.
Line: 233
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
int nr;
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d sdma%d",
sde->dd->unit, sde->this_idx);
nr = msix_request_irq(sde->dd, sde, sdma_interrupt, NULL,
IRQ_SDMA, name);
if (nr < 0)
return nr;
Reported by FlawFinder.
Line: 255
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
int nr;
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d", dd->unit);
nr = msix_request_irq(dd, dd, general_interrupt, NULL, IRQ_GENERAL,
name);
if (nr < 0)
return nr;
Reported by FlawFinder.
Line: 199
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int msix_request_rcd_irq(struct hfi1_ctxtdata *rcd)
{
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d kctxt%d",
rcd->dd->unit, rcd->ctxt);
return msix_request_rcd_irq_common(rcd, receive_context_interrupt,
Reported by FlawFinder.
Line: 215
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
int msix_netdev_request_rcd_irq(struct hfi1_ctxtdata *rcd)
{
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d nd kctxt%d",
rcd->dd->unit, rcd->ctxt);
return msix_request_rcd_irq_common(rcd, receive_context_interrupt_napi,
NULL, name);
Reported by FlawFinder.
Line: 231
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int msix_request_sdma_irq(struct sdma_engine *sde)
{
int nr;
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d sdma%d",
sde->dd->unit, sde->this_idx);
nr = msix_request_irq(sde->dd, sde, sdma_interrupt, NULL,
IRQ_SDMA, name);
Reported by FlawFinder.
Line: 253
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int msix_request_general_irq(struct hfi1_devdata *dd)
{
int nr;
char name[MAX_NAME_SIZE];
snprintf(name, sizeof(name), DRIVER_NAME "_%d", dd->unit);
nr = msix_request_irq(dd, dd, general_interrupt, NULL, IRQ_GENERAL,
name);
if (nr < 0)
Reported by FlawFinder.
drivers/hwmon/applesmc.c
8 issues
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Dynamic device node attributes */
struct applesmc_dev_attr {
struct sensor_device_attribute sda; /* hwmon attributes */
char name[32]; /* room for node file name */
};
/* Dynamic device node group */
struct applesmc_node_group {
char *format; /* format string */
Reported by FlawFinder.
Line: 114
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* AppleSMC entry - cached register information */
struct applesmc_entry {
char key[5]; /* four-letter key code */
u8 valid; /* set when entry is successfully read once */
u8 len; /* bounded by APPLESMC_MAX_DATA_LENGTH */
char type[5]; /* four-letter type code */
u8 flags; /* 0x10: func; 0x40: write; 0x80: read */
};
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char key[5]; /* four-letter key code */
u8 valid; /* set when entry is successfully read once */
u8 len; /* bounded by APPLESMC_MAX_DATA_LENGTH */
char type[5]; /* four-letter type code */
u8 flags; /* 0x10: func; 0x40: write; 0x80: read */
};
/* Register lookup and registers common to all SMCs */
static struct applesmc_registers {
Reported by FlawFinder.
Line: 390
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
goto out;
memcpy(cache->key, key, 4);
cache->len = info[0];
memcpy(cache->type, &info[1], 4);
cache->flags = info[5];
cache->valid = 1;
Reported by FlawFinder.
Line: 392
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(cache->key, key, 4);
cache->len = info[0];
memcpy(cache->type, &info[1], 4);
cache->flags = info[5];
cache->valid = 1;
out:
mutex_unlock(&smcreg.mutex);
Reported by FlawFinder.
Line: 843
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ret;
unsigned int speed = 0;
char newkey[5];
u8 buffer[2];
scnprintf(newkey, sizeof(newkey), fan_speed_fmt[to_option(attr)],
to_index(attr));
Reported by FlawFinder.
Line: 863
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ret;
unsigned long speed;
char newkey[5];
u8 buffer[2];
if (kstrtoul(sysfsbuf, 10, &speed) < 0 || speed >= 0x4000)
return -EINVAL; /* Bigger than a 14-bit value */
Reported by FlawFinder.
Line: 936
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_attribute *attr, char *sysfsbuf)
{
int ret;
char newkey[5];
u8 buffer[17];
scnprintf(newkey, sizeof(newkey), FAN_ID_FMT, to_index(attr));
ret = applesmc_read_key(newkey, buffer, 16);
Reported by FlawFinder.
drivers/gpu/drm/i915/display/intel_sdvo.c
8 issues
Line: 424
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
char buffer[64];
#define BUF_PRINT(args...) \
pos += snprintf(buffer + pos, max_t(int, sizeof(buffer) - pos, 0), args)
for (i = 0; i < args_len; i++) {
BUF_PRINT("%02X ", ((u8 *)args)[i]);
}
for (; i < 8; i++) {
Reported by FlawFinder.
Line: 586
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
#define BUF_PRINT(args...) \
pos += snprintf(buffer + pos, max_t(int, sizeof(buffer) - pos, 0), args)
cmd_status = sdvo_cmd_status(status);
if (cmd_status)
BUF_PRINT("(%s)", cmd_status);
else
Reported by FlawFinder.
Line: 421
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct drm_i915_private *dev_priv = to_i915(intel_sdvo->base.base.dev);
const char *cmd_name;
int i, pos = 0;
char buffer[64];
#define BUF_PRINT(args...) \
pos += snprintf(buffer + pos, max_t(int, sizeof(buffer) - pos, 0), args)
for (i = 0; i < args_len; i++) {
Reported by FlawFinder.
Line: 546
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 retry = 15; /* 5 quick checks, followed by 10 long checks */
u8 status;
int i, pos = 0;
char buffer[64];
buffer[0] = '\0';
/*
* The documentation states that all commands will be
Reported by FlawFinder.
Line: 1032
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < hbuf_size; i += 8) {
memset(tmp, 0, 8);
if (i < length)
memcpy(tmp, data + i, min_t(unsigned, 8, length - i));
if (!intel_sdvo_set_value(intel_sdvo,
SDVO_CMD_SET_HBUF_DATA,
tmp, 8))
return false;
Reported by FlawFinder.
Line: 2258
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* format.
*/
format_map = 1 << conn_state->tv.mode;
memcpy(&tv_res, &format_map,
min(sizeof(format_map), sizeof(struct intel_sdvo_sdtv_resolution_request)));
if (!intel_sdvo_set_target_output(intel_sdvo, intel_sdvo->attached_output))
return 0;
Reported by FlawFinder.
Line: 2985
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return false;
if ((flags & SDVO_OUTPUT_MASK) == 0) {
unsigned char bytes[2];
intel_sdvo->controlled_output = 0;
memcpy(bytes, &intel_sdvo->caps.output_flags, 2);
DRM_DEBUG_KMS("%s: Unknown SDVO output type (0x%02x%02x)\n",
SDVO_NAME(intel_sdvo),
Reported by FlawFinder.
Line: 2988
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char bytes[2];
intel_sdvo->controlled_output = 0;
memcpy(bytes, &intel_sdvo->caps.output_flags, 2);
DRM_DEBUG_KMS("%s: Unknown SDVO output type (0x%02x%02x)\n",
SDVO_NAME(intel_sdvo),
bytes[0], bytes[1]);
return false;
}
Reported by FlawFinder.
drivers/hid/hid-logitech-hidpp.c
8 issues
Line: 152
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u8 voltage_feature_index;
struct power_supply_desc desc;
struct power_supply *ps;
char name[64];
int status;
int capacity;
int level;
int voltage;
int charge_type;
Reported by FlawFinder.
Line: 347
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
message->report_id = REPORT_ID_HIDPP_LONG;
message->fap.feature_index = feat_index;
message->fap.funcindex_clientid = funcindex_clientid;
memcpy(&message->fap.params, params, param_count);
ret = hidpp_send_message_sync(hidpp, message, response);
kfree(message);
return ret;
}
Reported by FlawFinder.
Line: 389
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
message->report_id = report_id;
message->rap.sub_id = sub_id;
message->rap.reg_address = reg_address;
memcpy(&message->rap.params, params, param_count);
ret = hidpp_send_message_sync(hidpp_dev, message, response);
kfree(message);
return ret;
}
Reported by FlawFinder.
Line: 551
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(params, response.rap.params, 3);
params[byte] &= ~mask;
params[byte] |= value & mask;
return hidpp_send_rap_command_sync(hidpp_dev,
Reported by FlawFinder.
Line: 796
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!name)
return NULL;
memcpy(name, &response.rap.params[2], len);
/* include the terminating '\0' */
hidpp_prefix_name(&name, len + 1);
return name;
Reported by FlawFinder.
Line: 2241
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wd->effect_id = effect_id;
wd->command = command;
wd->size = size;
memcpy(wd->params, params, size);
atomic_inc(&data->workqueue_size);
queue_work(data->wq, &wd->work);
/* warn about excessive queue size */
Reported by FlawFinder.
Line: 3361
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* is necessary to get some keyboards to report their 0x10xx usages.
*/
consumer_report[0] = 0x03;
memcpy(&consumer_report[1], &data[3], 4);
/* We are called from atomic context */
hid_report_raw_event(hidpp->hid_dev, HID_INPUT_REPORT,
consumer_report, 5, 1);
return 1;
Reported by FlawFinder.
Line: 3738
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
desc->properties = battery_props;
desc->num_properties = num_battery_props;
desc->get_property = hidpp_battery_get_property;
sprintf(battery->name, "hidpp_battery_%ld", n);
desc->name = battery->name;
desc->type = POWER_SUPPLY_TYPE_BATTERY;
desc->use_for_apm = 0;
battery->ps = devm_power_supply_register(&hidpp->hid_dev->dev,
Reported by FlawFinder.