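The following issues were found by FlawFinder, which matches risky function names lexically. Each entry is a location to review against the code excerpt shown with it, not a confirmed vulnerability.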
drivers/xen/efi.c
8 issues
Line: 52
Column: 3
CWE codes:
120
Suggestion:
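Make sure destination can always hold the source data. In this excerpt the BUILD_BUG_ON directly above the memcpy fails the build if sizeof(*tm) and the size of the source field differ, so the copy length is already tied to both objects.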
if (tm) {
BUILD_BUG_ON(sizeof(*tm) != sizeof(efi_data(op).u.get_time.time));
memcpy(tm, &efi_data(op).u.get_time.time, sizeof(*tm));
}
if (tc) {
tc->resolution = efi_data(op).u.get_time.resolution;
tc->accuracy = efi_data(op).u.get_time.accuracy;
Reported by FlawFinder.
Line: 70
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct xen_platform_op op = INIT_EFI_OP(set_time);
BUILD_BUG_ON(sizeof(*tm) != sizeof(efi_data(op).u.set_time));
memcpy(&efi_data(op).u.set_time, tm, sizeof(*tm));
if (HYPERVISOR_platform_op(&op) < 0)
return EFI_UNSUPPORTED;
return efi_data(op).status;
Reported by FlawFinder.
Line: 89
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tm) {
BUILD_BUG_ON(sizeof(*tm) != sizeof(efi_data(op).u.get_wakeup_time));
memcpy(tm, &efi_data(op).u.get_wakeup_time, sizeof(*tm));
}
if (enabled)
*enabled = !!(efi_data(op).misc & XEN_EFI_GET_WAKEUP_TIME_ENABLED);
Reported by FlawFinder.
Line: 109
Column: 3
CWE codes:
120
Suggestion:
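Make sure destination can always hold the source data. Unlike the other copies reported for this file, no BUILD_BUG_ON is visible in this excerpt; confirm that one comparing sizeof(*tm) with u.set_wakeup_time sits above the lines shown.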
if (enabled)
efi_data(op).misc = XEN_EFI_SET_WAKEUP_TIME_ENABLE;
if (tm)
memcpy(&efi_data(op).u.set_wakeup_time, tm, sizeof(*tm));
else
efi_data(op).misc |= XEN_EFI_SET_WAKEUP_TIME_ENABLE_ONLY;
if (HYPERVISOR_platform_op(&op) < 0)
return EFI_UNSUPPORTED;
Reported by FlawFinder.
Line: 128
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set_xen_guest_handle(efi_data(op).u.get_variable.name, name);
BUILD_BUG_ON(sizeof(*vendor) !=
sizeof(efi_data(op).u.get_variable.vendor_guid));
memcpy(&efi_data(op).u.get_variable.vendor_guid, vendor, sizeof(*vendor));
efi_data(op).u.get_variable.size = *data_size;
set_xen_guest_handle(efi_data(op).u.get_variable.data, data);
if (HYPERVISOR_platform_op(&op) < 0)
return EFI_UNSUPPORTED;
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set_xen_guest_handle(efi_data(op).u.get_next_variable_name.name, name);
BUILD_BUG_ON(sizeof(*vendor) !=
sizeof(efi_data(op).u.get_next_variable_name.vendor_guid));
memcpy(&efi_data(op).u.get_next_variable_name.vendor_guid, vendor,
sizeof(*vendor));
if (HYPERVISOR_platform_op(&op) < 0)
return EFI_UNSUPPORTED;
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return EFI_UNSUPPORTED;
*name_size = efi_data(op).u.get_next_variable_name.size;
memcpy(vendor, &efi_data(op).u.get_next_variable_name.vendor_guid,
sizeof(*vendor));
return efi_data(op).status;
}
Reported by FlawFinder.
Line: 175
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
efi_data(op).misc = attr;
BUILD_BUG_ON(sizeof(*vendor) !=
sizeof(efi_data(op).u.set_variable.vendor_guid));
memcpy(&efi_data(op).u.set_variable.vendor_guid, vendor, sizeof(*vendor));
efi_data(op).u.set_variable.size = data_size;
set_xen_guest_handle(efi_data(op).u.set_variable.data, data);
if (HYPERVISOR_platform_op(&op) < 0)
return EFI_UNSUPPORTED;
Reported by FlawFinder.
fs/nfs/nfs42xdr.c
8 issues
Line: 621
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(buf, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
memcpy(buf + XATTR_USER_PREFIX_LEN, p, len);
buf[ulen - 1] = 0;
buf += ulen;
left -= ulen;
Reported by FlawFinder.
Line: 622
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
memcpy(buf, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN);
memcpy(buf + XATTR_USER_PREFIX_LEN, p, len);
buf[ulen - 1] = 0;
buf += ulen;
left -= ulen;
}
Reported by FlawFinder.
Line: 917
Column: 3
CWE codes:
120
Suggestion:
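Make sure destination can always hold the source data. The excerpt rejects dummy > NFS4_OPAQUE_LIMIT before the copy, so what remains to confirm is that ns->u.nl4_str is at least NFS4_OPAQUE_LIMIT bytes.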
return status;
if (unlikely(dummy > NFS4_OPAQUE_LIMIT))
return -EIO;
memcpy(&ns->u.nl4_str, dummy_str, dummy);
ns->u.nl4_str_sz = dummy;
break;
case NL4_NETADDR:
naddr = &ns->u.nl4_addr;
Reported by FlawFinder.
Line: 930
Column: 3
CWE codes:
120
Suggestion:
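Make sure destination can always hold the source data. The excerpt rejects dummy > RPCBIND_MAXNETIDLEN before the copy, so what remains to confirm is that naddr->netid is at least RPCBIND_MAXNETIDLEN bytes.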
if (unlikely(dummy > RPCBIND_MAXNETIDLEN))
return -EIO;
naddr->netid_len = dummy;
memcpy(naddr->netid, dummy_str, naddr->netid_len);
/* uaddr string */
status = decode_opaque_inline(xdr, &dummy, &dummy_str);
if (unlikely(status))
return status;
Reported by FlawFinder.
Line: 939
Column: 3
CWE codes:
120
Suggestion:
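Make sure destination can always hold the source data. The excerpt rejects dummy > RPCBIND_MAXUADDRLEN before the copy, so what remains to confirm is that naddr->addr is at least RPCBIND_MAXUADDRLEN bytes.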
if (unlikely(dummy > RPCBIND_MAXUADDRLEN))
return -EIO;
naddr->addr_len = dummy;
memcpy(naddr->addr, dummy_str, naddr->addr_len);
break;
default:
WARN_ON_ONCE(1);
return -EIO;
}
Reported by FlawFinder.
Line: 447
Column: 21
CWE codes:
126
encode_op_hdr(xdr, OP_SETXATTR, decode_setxattr_maxsz, hdr);
p = reserve_space(xdr, 4);
*p = cpu_to_be32(arg->xattr_flags);
encode_string(xdr, strlen(arg->xattr_name), arg->xattr_name);
p = reserve_space(xdr, 4);
*p = cpu_to_be32(arg->xattr_len);
if (arg->xattr_len)
xdr_write_pages(xdr, arg->xattr_pages, 0, arg->xattr_len);
}
Reported by FlawFinder.
Line: 472
Column: 21
CWE codes:
126
struct compound_hdr *hdr)
{
encode_op_hdr(xdr, OP_GETXATTR, decode_getxattr_maxsz, hdr);
encode_string(xdr, strlen(name), name);
}
static int decode_getxattr(struct xdr_stream *xdr,
struct nfs42_getxattrres *res,
struct rpc_rqst *req)
Reported by FlawFinder.
Line: 516
Column: 21
CWE codes:
126
struct compound_hdr *hdr)
{
encode_op_hdr(xdr, OP_REMOVEXATTR, decode_removexattr_maxsz, hdr);
encode_string(xdr, strlen(name), name);
}
static int decode_removexattr(struct xdr_stream *xdr,
struct nfs4_change_info *cinfo)
Reported by FlawFinder.
drivers/zorro/gen-devlist.c
8 issues
Line: 83
Column: 4
CWE codes:
120
Suggestion:
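Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The destination here is manuf[8] and the source is line[1024]. The copy fits only because this branch is entered with line[4] == ' ' and the loop before the strcpy overwrites that space with 0, which leaves at most four characters in line; a bounded copy would make that limit explicit.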
if (manufs)
fputs("ENDMANUF()\n\n", devf);
manufs++;
strcpy(manuf, line);
manuf_len = strlen(c);
if (manuf_len + 24 > MAX_NAME_SIZE) {
fprintf(stderr, "Line %d: manufacturer name too long\n", lino);
return 1;
}
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int
main(void)
{
char line[1024], *c, *bra, manuf[8];
int manufs = 0;
int mode = 0;
int lino = 0;
int manuf_len = 0;
FILE *devf;
Reported by FlawFinder.
Line: 39
Column: 9
CWE codes:
362
int manuf_len = 0;
FILE *devf;
devf = fopen("devlist.h", "w");
if (!devf) {
fprintf(stderr, "Cannot create output file!\n");
return 1;
}
Reported by FlawFinder.
Line: 54
Column: 9
CWE codes:
126
if (line[0] == '\t') {
switch (mode) {
case 1:
if (strlen(line) > 5 && line[5] == ' ') {
c = line + 5;
while (*c == ' ')
*c++ = 0;
if (manuf_len + strlen(c) + 1 > MAX_NAME_SIZE) {
/* Too long, try cutting off long description */
Reported by FlawFinder.
Line: 58
Column: 22
CWE codes:
126
c = line + 5;
while (*c == ' ')
*c++ = 0;
if (manuf_len + strlen(c) + 1 > MAX_NAME_SIZE) {
/* Too long, try cutting off long description */
bra = strchr(c, '[');
if (bra && bra > c && bra[-1] == ' ')
bra[-1] = 0;
if (manuf_len + strlen(c) + 1 > MAX_NAME_SIZE) {
Reported by FlawFinder.
Line: 63
Column: 23
CWE codes:
126
bra = strchr(c, '[');
if (bra && bra > c && bra[-1] == ' ')
bra[-1] = 0;
if (manuf_len + strlen(c) + 1 > MAX_NAME_SIZE) {
fprintf(stderr, "Line %d: Product name too long\n", lino);
return 1;
}
}
fprintf(devf, "\tPRODUCT(%s,%s,\"", manuf, line+1);
Reported by FlawFinder.
Line: 76
Column: 14
CWE codes:
126
default:
goto err;
}
} else if (strlen(line) > 4 && line[4] == ' ') {
c = line + 4;
while (*c == ' ')
*c++ = 0;
if (manufs)
fputs("ENDMANUF()\n\n", devf);
Reported by FlawFinder.
Line: 84
Column: 16
CWE codes:
126
fputs("ENDMANUF()\n\n", devf);
manufs++;
strcpy(manuf, line);
manuf_len = strlen(c);
if (manuf_len + 24 > MAX_NAME_SIZE) {
fprintf(stderr, "Line %d: manufacturer name too long\n", lino);
return 1;
}
fprintf(devf, "MANUF(%s,\"", manuf);
Reported by FlawFinder.
fs/9p/vfs_inode.c
8 issues
Line: 428
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct v9fs_inode *v9inode = V9FS_I(inode);
struct p9_wstat *st = (struct p9_wstat *)data;
memcpy(&v9inode->qid, &st->qid, sizeof(st->qid));
return 0;
}
static struct inode *v9fs_qid_iget(struct super_block *sb,
struct p9_qid *qid,
Reported by FlawFinder.
Line: 1198
Column: 3
CWE codes:
120
Suggestion:
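Make sure destination can always hold the source data. In this excerpt the memcpy runs only when sizeof(ino_t) == sizeof(path), the check on the line above it, so the copy length matches both objects.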
ino_t i = 0;
if (sizeof(ino_t) == sizeof(path))
memcpy(&i, &path, sizeof(ino_t));
else
i = (ino_t) (path ^ (path >> 32));
return i;
}
Reported by FlawFinder.
Line: 1321
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dentry *dentry)
{
int retval;
char name[1 + U32_MAX_DIGITS + 2]; /* sign + number + \n + \0 */
struct p9_fid *oldfid;
p9_debug(P9_DEBUG_VFS, " %lu,%pd,%pd\n",
dir->i_ino, dentry, old_dentry);
Reported by FlawFinder.
Line: 1331
Column: 2
CWE codes:
120
Suggestion:
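Use sprintf_s, snprintf, or vsnprintf. name is declared with 1 + U32_MAX_DIGITS + 2 bytes (sign + number + \n + \0 according to its comment), which covers the longest "%d\n" output provided U32_MAX_DIGITS is the digit count of a 32-bit value; snprintf(name, sizeof(name), ...) would state that bound in the call itself.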
if (IS_ERR(oldfid))
return PTR_ERR(oldfid);
sprintf(name, "%d\n", oldfid->fid);
retval = v9fs_vfs_mkspecial(dir, dentry, P9_DMLINK, name);
if (!retval) {
v9fs_refresh_inode(oldfid, d_inode(old_dentry));
v9fs_invalidate_inode_attr(dir);
}
Reported by FlawFinder.
Line: 1356
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct v9fs_session_info *v9ses = v9fs_inode2v9ses(dir);
int retval;
char name[2 + U32_MAX_DIGITS + 1 + U32_MAX_DIGITS + 1];
u32 perm;
p9_debug(P9_DEBUG_VFS, " %lu,%pd mode: %hx MAJOR: %u MINOR: %u\n",
dir->i_ino, dentry, mode,
MAJOR(rdev), MINOR(rdev));
Reported by FlawFinder.
Line: 1365
Column: 3
CWE codes:
120
Suggestion:
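Use sprintf_s, snprintf, or vsnprintf. name is declared with 2 + U32_MAX_DIGITS + 1 + U32_MAX_DIGITS + 1 bytes, which matches the "b %u %u" and "c %u %u" layouts (two-character prefix, two numbers, one separator, terminator) provided U32_MAX_DIGITS covers the widest MAJOR() and MINOR() values; snprintf with sizeof(name) would state that bound in both calls.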
/* build extension */
if (S_ISBLK(mode))
sprintf(name, "b %u %u", MAJOR(rdev), MINOR(rdev));
else if (S_ISCHR(mode))
sprintf(name, "c %u %u", MAJOR(rdev), MINOR(rdev));
else
*name = 0;
Reported by FlawFinder.
Line: 1367
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (S_ISBLK(mode))
sprintf(name, "b %u %u", MAJOR(rdev), MINOR(rdev));
else if (S_ISCHR(mode))
sprintf(name, "c %u %u", MAJOR(rdev), MINOR(rdev));
else
*name = 0;
perm = unixmode2p9mode(v9ses, mode);
retval = v9fs_vfs_mkspecial(dir, dentry, perm, name);
Reported by FlawFinder.
Line: 1246
Column: 6
CWE codes:
126
}
res = st->extension;
st->extension = NULL;
if (strlen(res) >= PATH_MAX)
res[PATH_MAX - 1] = '\0';
p9stat_free(st);
kfree(st);
set_delayed_call(done, kfree_link, res);
Reported by FlawFinder.
fs/nfsd/nfsctl.c
8 issues
Line: 561
Column: 9
CWE codes:
134
Suggestion:
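Use a constant for the format specification. The assignment of format is outside this excerpt; the hit can be dismissed only if every value format can take is a string literal whose conversions match the four arguments passed here.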
* +4, unless -4.0 is present.
*/
return 0;
return snprintf(buf, remaining, format, sep,
supported ? '+' : '-', vers, minor);
}
static ssize_t __write_versions(struct file *file, char *buf, size_t size)
{
Reported by FlawFinder.
Line: 500
Column: 3
CWE codes:
120
Suggestion:
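Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The source in this call is the literal "0\n", three bytes with its terminator, so the copy is bounded as long as buf is at least that large.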
* file, sorry. Report zero threads.
*/
mutex_unlock(&nfsd_mutex);
strcpy(buf, "0\n");
return strlen(buf);
}
nthreads = kcalloc(npools, sizeof(int), GFP_KERNEL);
rv = -ENOMEM;
Reported by FlawFinder.
Line: 761
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static ssize_t __write_ports_addxprt(char *buf, struct net *net, const struct cred *cred)
{
char transport[16];
struct svc_xprt *xprt;
int port, err;
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
if (sscanf(buf, "%15s %5u", transport, &port) != 2)
Reported by FlawFinder.
Line: 1311
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dentry **fdentries)
{
struct dentry *dentry;
char name[11];
int ret;
sprintf(name, "%u", id);
dentry = nfsd_mkdir(nn->nfsd_client_dir, ncl, name);
Reported by FlawFinder.
Line: 1314
Column: 2
CWE codes:
120
Suggestion:
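Use sprintf_s, snprintf, or vsnprintf. name[11] holds ten digits and the terminator, which is enough for "%u" only if id is no wider than 32 bits; the type of id is not shown in this excerpt.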
char name[11];
int ret;
sprintf(name, "%u", id);
dentry = nfsd_mkdir(nn->nfsd_client_dir, ncl, name);
if (IS_ERR(dentry)) /* XXX: tossing errors? */
return NULL;
ret = nfsdfs_create_files(dentry, files, fdentries);
Reported by FlawFinder.
Line: 501
Column: 10
CWE codes:
126
*/
mutex_unlock(&nfsd_mutex);
strcpy(buf, "0\n");
return strlen(buf);
}
nthreads = kcalloc(npools, sizeof(int), GFP_KERNEL);
rv = -ENOMEM;
if (nthreads == NULL)
Reported by FlawFinder.
Line: 533
Column: 9
CWE codes:
126
size = SIMPLE_TRANSACTION_LIMIT;
for (i = 0; i < npools && size > 0; i++) {
snprintf(mesg, size, "%d%c", nthreads[i], (i == npools-1 ? '\n' : ' '));
len = strlen(mesg);
size -= len;
mesg += len;
}
rv = mesg - buf;
out_free:
Reported by FlawFinder.
Line: 766
Column: 6
CWE codes:
120
Suggestion:
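Check that the limit is sufficiently small, or use a different input function. Here %15s writes at most 15 characters plus the terminator into transport[16], so the width matches the buffer. %5u is stored through &port, which this excerpt declares as int; the range check that follows rejects values outside 1..USHRT_MAX.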
int port, err;
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
if (sscanf(buf, "%15s %5u", transport, &port) != 2)
return -EINVAL;
if (port < 1 || port > USHRT_MAX)
return -EINVAL;
Reported by FlawFinder.
fs/proc/inode.c
8 issues
Line: 488
Column: 44
CWE codes:
362
{
struct proc_dir_entry *pde = PDE(inode);
int rv = 0;
typeof_member(struct proc_ops, proc_open) open;
typeof_member(struct proc_ops, proc_release) release;
struct pde_opener *pdeo;
if (pde_is_permanent(pde)) {
open = pde->proc_ops->proc_open;
Reported by FlawFinder.
Line: 494
Column: 7
CWE codes:
362
if (pde_is_permanent(pde)) {
open = pde->proc_ops->proc_open;
if (open)
rv = open(inode, file);
return rv;
}
/*
Reported by FlawFinder.
Line: 495
Column: 9
CWE codes:
362
if (pde_is_permanent(pde)) {
open = pde->proc_ops->proc_open;
if (open)
rv = open(inode, file);
return rv;
}
/*
* Ensure that
Reported by FlawFinder.
Line: 523
Column: 6
CWE codes:
362
}
open = pde->proc_ops->proc_open;
if (open)
rv = open(inode, file);
if (release) {
if (rv == 0) {
/* To know what to release. */
Reported by FlawFinder.
Line: 524
Column: 8
CWE codes:
362
open = pde->proc_ops->proc_open;
if (open)
rv = open(inode, file);
if (release) {
if (rv == 0) {
/* To know what to release. */
pdeo->file = file;
Reported by FlawFinder.
Line: 307
Column: 44
CWE codes:
120
20
static ssize_t pde_read(struct proc_dir_entry *pde, struct file *file, char __user *buf, size_t count, loff_t *ppos)
{
typeof_member(struct proc_ops, proc_read) read;
read = pde->proc_ops->proc_read;
if (read)
return read(file, buf, count, ppos);
return -EIO;
Reported by FlawFinder.
Line: 310
Column: 6
CWE codes:
120
20
typeof_member(struct proc_ops, proc_read) read;
read = pde->proc_ops->proc_read;
if (read)
return read(file, buf, count, ppos);
return -EIO;
}
static ssize_t proc_reg_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
Reported by FlawFinder.
Line: 311
Column: 10
CWE codes:
120
20
read = pde->proc_ops->proc_read;
if (read)
return read(file, buf, count, ppos);
return -EIO;
}
static ssize_t proc_reg_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
{
Reported by FlawFinder.
fs/binfmt_elf.c
8 issues
Line: 186
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
elf_addr_t __user *u_rand_bytes;
const char *k_platform = ELF_PLATFORM;
const char *k_base_platform = ELF_BASE_PLATFORM;
unsigned char k_rand_bytes[16];
int items;
elf_addr_t *elf_info;
elf_addr_t flags = 0;
int ei_index;
const struct cred *cred = current_cred();
Reported by FlawFinder.
Line: 771
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
union {
struct elf_note nhdr;
char data[NOTE_DATA_SZ];
} note;
loff_t pos;
ssize_t n;
size_t off, datasz;
int ret;
Reported by FlawFinder.
Line: 1460
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memset(elf, 0, sizeof(*elf));
memcpy(elf->e_ident, ELFMAG, SELFMAG);
elf->e_ident[EI_CLASS] = ELF_CLASS;
elf->e_ident[EI_DATA] = ELF_DATA;
elf->e_ident[EI_VERSION] = EV_CURRENT;
elf->e_ident[EI_OSABI] = ELF_OSABI;
Reported by FlawFinder.
Line: 210
Column: 16
CWE codes:
126
*/
u_platform = NULL;
if (k_platform) {
size_t len = strlen(k_platform) + 1;
u_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
if (copy_to_user(u_platform, k_platform, len))
return -EFAULT;
}
Reported by FlawFinder.
Line: 223
Column: 16
CWE codes:
126
*/
u_base_platform = NULL;
if (k_base_platform) {
size_t len = strlen(k_base_platform) + 1;
u_base_platform = (elf_addr_t __user *)STACK_ALLOC(p, len);
if (copy_to_user(u_base_platform, k_base_platform, len))
return -EFAULT;
}
Reported by FlawFinder.
Line: 1437
Column: 16
CWE codes:
126
int sz;
sz = sizeof(struct elf_note);
sz += roundup(strlen(en->name) + 1, 4);
sz += roundup(en->datasz, 4);
return sz;
}
Reported by FlawFinder.
Line: 1446
Column: 16
CWE codes:
126
static int writenote(struct memelfnote *men, struct coredump_params *cprm)
{
struct elf_note en;
en.n_namesz = strlen(men->name) + 1;
en.n_descsz = men->datasz;
en.n_type = men->type;
return dump_emit(cprm, &en, sizeof(en)) &&
dump_emit(cprm, men->name, en.n_namesz) && dump_align(cprm, 4) &&
Reported by FlawFinder.
Line: 1575
Column: 2
CWE codes:
120
SET_UID(psinfo->pr_uid, from_kuid_munged(cred->user_ns, cred->uid));
SET_GID(psinfo->pr_gid, from_kgid_munged(cred->user_ns, cred->gid));
rcu_read_unlock();
strncpy(psinfo->pr_fname, p->comm, sizeof(psinfo->pr_fname));
return 0;
}
static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
Reported by FlawFinder.
fs/btrfs/struct-funcs.c
8 issues
Line: 79
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (oip + size <= PAGE_SIZE) \
return get_unaligned_le##bits(token->kaddr + oip); \
\
memcpy(lebytes, token->kaddr + oip, part); \
token->kaddr = page_address(token->eb->pages[idx + 1]); \
token->offset = (idx + 1) << PAGE_SHIFT; \
memcpy(lebytes + part, token->kaddr, size - part); \
return get_unaligned_le##bits(lebytes); \
} \
Reported by FlawFinder.
Line: 82
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(lebytes, token->kaddr + oip, part); \
token->kaddr = page_address(token->eb->pages[idx + 1]); \
token->offset = (idx + 1) << PAGE_SHIFT; \
memcpy(lebytes + part, token->kaddr, size - part); \
return get_unaligned_le##bits(lebytes); \
} \
u##bits btrfs_get_##bits(const struct extent_buffer *eb, \
const void *ptr, unsigned long off) \
{ \
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (oip + size <= PAGE_SIZE) \
return get_unaligned_le##bits(kaddr + oip); \
\
memcpy(lebytes, kaddr + oip, part); \
kaddr = page_address(eb->pages[idx + 1]); \
memcpy(lebytes + part, kaddr, size - part); \
return get_unaligned_le##bits(lebytes); \
} \
void btrfs_set_token_##bits(struct btrfs_map_token *token, \
Reported by FlawFinder.
Line: 102
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
\
memcpy(lebytes, kaddr + oip, part); \
kaddr = page_address(eb->pages[idx + 1]); \
memcpy(lebytes + part, kaddr, size - part); \
return get_unaligned_le##bits(lebytes); \
} \
void btrfs_set_token_##bits(struct btrfs_map_token *token, \
const void *ptr, unsigned long off, \
u##bits val) \
Reported by FlawFinder.
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return; \
} \
put_unaligned_le##bits(val, lebytes); \
memcpy(token->kaddr + oip, lebytes, part); \
token->kaddr = page_address(token->eb->pages[idx + 1]); \
token->offset = (idx + 1) << PAGE_SHIFT; \
memcpy(token->kaddr, lebytes + part, size - part); \
} \
void btrfs_set_##bits(const struct extent_buffer *eb, void *ptr, \
Reported by FlawFinder.
Line: 135
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(token->kaddr + oip, lebytes, part); \
token->kaddr = page_address(token->eb->pages[idx + 1]); \
token->offset = (idx + 1) << PAGE_SHIFT; \
memcpy(token->kaddr, lebytes + part, size - part); \
} \
void btrfs_set_##bits(const struct extent_buffer *eb, void *ptr, \
unsigned long off, u##bits val) \
{ \
const unsigned long member_offset = (unsigned long)ptr + off; \
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} \
\
put_unaligned_le##bits(val, lebytes); \
memcpy(kaddr + oip, lebytes, part); \
kaddr = page_address(eb->pages[idx + 1]); \
memcpy(kaddr, lebytes + part, size - part); \
}
DEFINE_BTRFS_SETGET_BITS(8)
Reported by FlawFinder.
Line: 157
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
put_unaligned_le##bits(val, lebytes); \
memcpy(kaddr + oip, lebytes, part); \
kaddr = page_address(eb->pages[idx + 1]); \
memcpy(kaddr, lebytes + part, size - part); \
}
DEFINE_BTRFS_SETGET_BITS(8)
DEFINE_BTRFS_SETGET_BITS(16)
DEFINE_BTRFS_SETGET_BITS(32)
Reported by FlawFinder.
fs/pstore/platform.c
8 issues
Line: 360
Column: 3
CWE codes:
120
Suggestion:
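Make sure destination can always hold the source data. In this excerpt the truncating branch writes hsize plus psinfo->bufsize - hsize bytes and the other branch writes total_len only when it does not exceed psinfo->bufsize, so both stay within psinfo->bufsize as long as hsize is not larger than psinfo->bufsize.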
if (total_len > psinfo->bufsize) {
diff = total_len - psinfo->bufsize + hsize;
memcpy(psinfo->buf, big_oops_buf, hsize);
memcpy(psinfo->buf + hsize, big_oops_buf + diff,
psinfo->bufsize - hsize);
total_len = psinfo->bufsize;
} else
memcpy(psinfo->buf, big_oops_buf, total_len);
Reported by FlawFinder.
Line: 361
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (total_len > psinfo->bufsize) {
diff = total_len - psinfo->bufsize + hsize;
memcpy(psinfo->buf, big_oops_buf, hsize);
memcpy(psinfo->buf + hsize, big_oops_buf + diff,
psinfo->bufsize - hsize);
total_len = psinfo->bufsize;
} else
memcpy(psinfo->buf, big_oops_buf, total_len);
Reported by FlawFinder.
Line: 365
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
psinfo->bufsize - hsize);
total_len = psinfo->bufsize;
} else
memcpy(psinfo->buf, big_oops_buf, total_len);
return total_len;
}
void pstore_record_init(struct pstore_record *record,
Reported by FlawFinder.
Line: 709
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Append ECC notice to decompressed buffer. */
memcpy(workspace + unzipped_len, record->buf + record->size,
record->ecc_notice_size);
/* Copy decompressed contents into an minimum-sized allocation. */
unzipped = kmemdup(workspace, unzipped_len + record->ecc_notice_size,
GFP_KERNEL);
Reported by FlawFinder.
Line: 742
Column: 11
CWE codes:
362
return;
mutex_lock(&psi->read_mutex);
if (psi->open && psi->open(psi))
goto out;
/*
* Backend callback read() allocates record.buf. decompress_record()
* may reallocate record.buf. On success, pstore_mkfile() will keep
Reported by FlawFinder.
Line: 742
Column: 24
CWE codes:
362
return;
mutex_lock(&psi->read_mutex);
if (psi->open && psi->open(psi))
goto out;
/*
* Backend callback read() allocates record.buf. decompress_record()
* may reallocate record.buf. On success, pstore_mkfile() will keep
Reported by FlawFinder.
Line: 579
Column: 12
CWE codes:
120
20
}
/* Check for required functions. */
if (!psi->read || !psi->write) {
pr_warn("backend '%s' must implement read() and write()\n",
psi->name);
return -EINVAL;
}
Reported by FlawFinder.
Line: 761
Column: 23
CWE codes:
120
20
}
pstore_record_init(record, psi);
record->size = psi->read(record);
/* No more records left in backend? */
if (record->size <= 0) {
kfree(record);
break;
Reported by FlawFinder.
drivers/video/fbdev/uvesafb.c
8 issues
Line: 37
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.idx = CN_IDX_V86D,
.val = CN_VAL_V86D_UVESAFB
};
static char v86d_path[PATH_MAX] = "/sbin/v86d";
static char v86d_started; /* has v86d been started by uvesafb? */
static const struct fb_fix_screeninfo uvesafb_fix = {
.id = "VESA VGA",
.type = FB_TYPE_PACKED_PIXELS,
Reported by FlawFinder.
Line: 103
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uvfb_tasks[msg->seq] = NULL;
mutex_unlock(&uvfb_lock);
memcpy(&task->t, utask, sizeof(*utask));
if (task->t.buf_len && task->buf)
memcpy(task->buf, utask + 1, task->t.buf_len);
complete(task->done);
Reported by FlawFinder.
Line: 106
Column: 3
CWE codes:
120
Suggestion:
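Make sure destination can always hold the source data. The length task->t.buf_len is part of the structure copied from utask on the line above, so the bound has to be enforced earlier in the function, outside this excerpt: confirm that it is checked against both the buffer behind task->buf and the length of the received message.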
memcpy(&task->t, utask, sizeof(*utask));
if (task->t.buf_len && task->buf)
memcpy(task->buf, utask + 1, task->t.buf_len);
complete(task->done);
return;
}
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
m->ack = prandom_u32();
/* uvesafb_task structure */
memcpy(m + 1, &task->t, sizeof(task->t));
/* Buffer */
memcpy((u8 *)(m + 1) + sizeof(task->t), task->buf, task->t.buf_len);
/*
Reported by FlawFinder.
Line: 176
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(m + 1, &task->t, sizeof(task->t));
/* Buffer */
memcpy((u8 *)(m + 1) + sizeof(task->t), task->buf, task->t.buf_len);
/*
* Save the message ack number so that we can find the kernel
* part of this task when a reply is received from userspace.
*/
Reported by FlawFinder.
Line: 426
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
task->t.flags = TF_VBEIB;
task->t.buf_len = sizeof(struct vbe_ib);
task->buf = &par->vbe_ib;
memcpy(par->vbe_ib.vbe_signature, "VBE2", 4);
err = uvesafb_exec(task);
if (err || (task->t.regs.eax & 0xffff) != 0x004f) {
pr_err("Getting VBE info block failed (eax=0x%x, err=%d)\n",
(u32)task->t.regs.eax, err);
Reported by FlawFinder.
Line: 1271
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
crtc->flags |= 0x4;
if (!(info->var.sync & FB_SYNC_VERT_HIGH_ACT))
crtc->flags |= 0x8;
memcpy(&par->crtc, crtc, sizeof(*crtc));
} else {
memset(&par->crtc, 0, sizeof(*crtc));
}
task->t.buf_len = sizeof(struct vbe_crtc_ib);
Reported by FlawFinder.
Line: 1876
Column: 2
CWE codes:
120
/*
 * Store handler for the v86d driver attribute: copies the written string
 * into v86d_path and reports the whole write as consumed.
 *
 * At most PATH_MAX - 1 bytes are copied, so the last byte of the
 * PATH_MAX-sized v86d_path is never written by this function.
 * NOTE(review): termination after an over-long write relies on that last
 * byte still being 0 from static initialisation - confirm nothing else
 * writes it.
 * NOTE(review): buf is stored as written; a trailing newline, if the
 * writer sends one, is not stripped here.
 */
static ssize_t v86d_store(struct device_driver *dev, const char *buf,
size_t count)
{
strncpy(v86d_path, buf, PATH_MAX - 1);
/* count is returned even when the input was longer than what was copied. */
return count;
}
static DRIVER_ATTR_RW(v86d);
static int uvesafb_init(void)
Reported by FlawFinder.