The following issues were found
fs/btrfs/check-integrity.c
7 issues
Line: 2473
Column: 15
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* This algorithm is recursive because the amount of used stack space
* is very small and the max recursion depth is limited.
*/
indent_add = sprintf(buf, "%c-%llu(%s/%llu/%u)",
btrfsic_get_block_type(state, block),
block->logical_bytenr, block->dev_state->name,
block->dev_bytenr, block->mirror_num);
if (indent_level + indent_add > BTRFSIC_TREE_DUMP_MAX_INDENT_LEVEL) {
printk("[...]\n");
Reported by FlawFinder.
Line: 189
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head collision_resolving_node; /* list node */
struct btrfsic_block dummy_block_for_bio_bh_flush;
u64 last_flush_gen;
char name[BDEVNAME_SIZE];
};
struct btrfsic_block_hashtable {
struct list_head table[BTRFSIC_BLOCK_HASHTABLE_SIZE];
};
Reported by FlawFinder.
Line: 823
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (btrfs_super_generation(super_tmp) >
state->max_superblock_generation ||
0 == state->max_superblock_generation) {
memcpy(selected_super, super_tmp, sizeof(*selected_super));
*selected_dev_state = dev_state;
state->max_superblock_generation =
btrfs_super_generation(super_tmp);
state->latest_superblock = superblock_tmp;
}
Reported by FlawFinder.
Line: 1205
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
cur = min(len, ((size_t)PAGE_SIZE - pgoff));
BUG_ON(i >= DIV_ROUND_UP(block_ctx->len, PAGE_SIZE));
kaddr = block_ctx->datav[i];
memcpy(dst, kaddr + pgoff, cur);
dst += cur;
len -= cur;
pgoff = 0;
i++;
Reported by FlawFinder.
Line: 2461
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const struct btrfsic_block_link *l;
int indent_add;
static char buf[80];
int cursor_position;
/*
* Should better fill an on-stack buffer with a complete line and
* dump it at once when it is time to print a newline character.
Reported by FlawFinder.
Line: 2500
Column: 17
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cursor_position++;
}
if (l->ref_cnt > 1)
indent_add = sprintf(buf, " %d*--> ", l->ref_cnt);
else
indent_add = sprintf(buf, " --> ");
if (indent_level + indent_add >
BTRFSIC_TREE_DUMP_MAX_INDENT_LEVEL) {
printk("[...]\n");
Reported by FlawFinder.
Line: 2502
Column: 17
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (l->ref_cnt > 1)
indent_add = sprintf(buf, " %d*--> ", l->ref_cnt);
else
indent_add = sprintf(buf, " --> ");
if (indent_level + indent_add >
BTRFSIC_TREE_DUMP_MAX_INDENT_LEVEL) {
printk("[...]\n");
cursor_position = 0;
continue;
Reported by FlawFinder.
include/linux/kernel.h
7 issues
Line: 201
Column: 27
CWE codes:
134
Suggestion:
Make format string constant
/* lib/printf utilities */
extern __printf(2, 3) int sprintf(char *buf, const char * fmt, ...);
extern __printf(2, 0) int vsprintf(char *buf, const char *, va_list);
extern __printf(3, 4)
int snprintf(char *buf, size_t size, const char *fmt, ...);
extern __printf(3, 0)
int vsnprintf(char *buf, size_t size, const char *fmt, va_list args);
Reported by FlawFinder.
Line: 202
Column: 27
CWE codes:
134
Suggestion:
Make format string constant
/* lib/printf utilities */
extern __printf(2, 3) int sprintf(char *buf, const char * fmt, ...);
extern __printf(2, 0) int vsprintf(char *buf, const char *, va_list);
extern __printf(3, 4)
int snprintf(char *buf, size_t size, const char *fmt, ...);
extern __printf(3, 0)
int vsnprintf(char *buf, size_t size, const char *fmt, va_list args);
extern __printf(3, 4)
Reported by FlawFinder.
Line: 204
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
extern __printf(2, 3) int sprintf(char *buf, const char * fmt, ...);
extern __printf(2, 0) int vsprintf(char *buf, const char *, va_list);
extern __printf(3, 4)
int snprintf(char *buf, size_t size, const char *fmt, ...);
extern __printf(3, 0)
int vsnprintf(char *buf, size_t size, const char *fmt, va_list args);
extern __printf(3, 4)
int scnprintf(char *buf, size_t size, const char *fmt, ...);
extern __printf(3, 0)
Reported by FlawFinder.
Line: 206
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
extern __printf(3, 4)
int snprintf(char *buf, size_t size, const char *fmt, ...);
extern __printf(3, 0)
int vsnprintf(char *buf, size_t size, const char *fmt, va_list args);
extern __printf(3, 4)
int scnprintf(char *buf, size_t size, const char *fmt, ...);
extern __printf(3, 0)
int vscnprintf(char *buf, size_t size, const char *fmt, va_list args);
extern __printf(2, 3) __malloc
Reported by FlawFinder.
Line: 219
Column: 5
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
const char *kvasprintf_const(gfp_t gfp, const char *fmt, va_list args);
extern __scanf(2, 3)
int sscanf(const char *, const char *, ...);
extern __scanf(2, 0)
int vsscanf(const char *, const char *, va_list);
extern int no_hash_pointers_enable(char *str);
Reported by FlawFinder.
Line: 221
Column: 5
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
extern __scanf(2, 3)
int sscanf(const char *, const char *, ...);
extern __scanf(2, 0)
int vsscanf(const char *, const char *, va_list);
extern int no_hash_pointers_enable(char *str);
extern int get_option(char **str, int *pint);
extern char *get_options(const char *str, int nints, int *ints);
Reported by FlawFinder.
Line: 424
Column: 32
CWE codes:
126
if (__builtin_constant_p(str)) \
__trace_bputs(_THIS_IP_, trace_printk_fmt); \
else \
__trace_puts(_THIS_IP_, str, strlen(str)); \
})
extern int __trace_bputs(unsigned long ip, const char *str);
extern int __trace_puts(unsigned long ip, const char *str, int size);
extern void trace_dump_stack(int skip);
Reported by FlawFinder.
fs/nls/nls_iso8859-5.c
7 issues
Line: 16
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <linux/nls.h>
#include <linux/errno.h>
static const wchar_t charset2uni[256] = {
/* 0x00*/
0x0000, 0x0001, 0x0002, 0x0003,
0x0004, 0x0005, 0x0006, 0x0007,
0x0008, 0x0009, 0x000a, 0x000b,
0x000c, 0x000d, 0x000e, 0x000f,
Reported by FlawFinder.
Line: 99
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x045c, 0x00a7, 0x045e, 0x045f,
};
static const unsigned char page00[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 125
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x00, 0x00, 0x00, 0x00, 0x00, 0xad, 0x00, 0x00, /* 0xa8-0xaf */
};
static const unsigned char page04[256] = {
0x00, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, /* 0x00-0x07 */
0xa8, 0xa9, 0xaa, 0xab, 0xac, 0x00, 0xae, 0xaf, /* 0x08-0x0f */
0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, /* 0x10-0x17 */
0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf, /* 0x18-0x1f */
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 140
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0x00, 0xfe, 0xff, /* 0x58-0x5f */
};
static const unsigned char page21[256] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x00-0x07 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 0x08-0x0f */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x00, /* 0x10-0x17 */
};
Reported by FlawFinder.
Line: 146
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x00, /* 0x10-0x17 */
};
static const unsigned char *const page_uni2charset[256] = {
page00, NULL, NULL, NULL, page04, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, page21, NULL, NULL, NULL, NULL, NULL, NULL,
Reported by FlawFinder.
Line: 154
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
NULL, page21, NULL, NULL, NULL, NULL, NULL, NULL,
};
static const unsigned char charset2lower[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
Line: 190
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff, /* 0xf8-0xff */
};
static const unsigned char charset2upper[256] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, /* 0x00-0x07 */
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, /* 0x08-0x0f */
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, /* 0x10-0x17 */
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, /* 0x18-0x1f */
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, /* 0x20-0x27 */
Reported by FlawFinder.
fs/btrfs/scrub.c
7 issues
Line: 1346
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spage->logical = logical;
spage->have_csum = have_csum;
if (have_csum)
memcpy(spage->csum,
original_sblock->pagev[0]->csum,
sctx->fs_info->csum_size);
scrub_stripe_index_and_offset(logical,
bbio->map_type,
Reported by FlawFinder.
Line: 1871
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spage = sblock->pagev[0];
kaddr = page_address(spage->page);
h = (struct btrfs_header *)kaddr;
memcpy(on_disk_csum, h->csum, sctx->fs_info->csum_size);
/*
* we don't use the getter functions here, as we
* a) don't have an extent buffer and
* b) the page is already kmapped
Reported by FlawFinder.
Line: 2314
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spage->mirror_num = mirror_num;
if (csum) {
spage->have_csum = 1;
memcpy(spage->csum, csum, sctx->fs_info->csum_size);
} else {
spage->have_csum = 0;
}
sblock->page_count++;
spage->page = alloc_page(GFP_KERNEL);
Reported by FlawFinder.
Line: 2526
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
index = (logical - sum->bytenr) >> sctx->fs_info->sectorsize_bits;
num_sectors = sum->len >> sctx->fs_info->sectorsize_bits;
memcpy(csum, sum->sums + index * sctx->fs_info->csum_size,
sctx->fs_info->csum_size);
/* Cleanup the range if we're at the end of the csum range */
if (index == num_sectors - 1)
drop_csum_range(sctx, sum);
Reported by FlawFinder.
Line: 2651
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
spage->mirror_num = mirror_num;
if (csum) {
spage->have_csum = 1;
memcpy(spage->csum, csum, sctx->fs_info->csum_size);
} else {
spage->have_csum = 0;
}
sblock->page_count++;
spage->page = alloc_page(GFP_KERNEL);
Reported by FlawFinder.
Line: 4201
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wait_event(sctx->list_wait, atomic_read(&sctx->workers_pending) == 0);
if (progress)
memcpy(progress, &sctx->stat, sizeof(*progress));
if (!is_dev_replace)
btrfs_info(fs_info, "scrub: %s on devid %llu with status: %d",
ret ? "not finished" : "finished", devid, ret);
Reported by FlawFinder.
Line: 4299
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dev)
sctx = dev->scrub_ctx;
if (sctx)
memcpy(progress, &sctx->stat, sizeof(*progress));
mutex_unlock(&fs_info->fs_devices->device_list_mutex);
return dev ? (sctx ? 0 : -ENOTCONN) : -ENODEV;
}
Reported by FlawFinder.
fs/jfs/super.c
7 issues
Line: 767
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bh = sb_bread(sb, tmp_bh.b_blocknr);
if (!bh)
return -EIO;
memcpy(data, bh->b_data+offset, tocopy);
brelse(bh);
}
offset = 0;
toread -= tocopy;
data += tocopy;
Reported by FlawFinder.
Line: 810
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
lock_buffer(bh);
memcpy(bh->b_data+offset, data, tocopy);
flush_dcache_page(bh->b_page);
set_buffer_uptodate(bh);
mark_buffer_dirty(bh);
unlock_buffer(bh);
brelse(bh);
Reported by FlawFinder.
Line: 364
Column: 24
CWE codes:
732
case Opt_umask:
{
char *umask = args[0].from;
int rc = kstrtouint(umask, 8, &sbi->umask);
if (rc)
goto cleanup;
if (sbi->umask & ~0777) {
pr_err("JFS: Invalid value of umask\n");
Reported by FlawFinder.
Line: 364
Column: 40
CWE codes:
732
case Opt_umask:
{
char *umask = args[0].from;
int rc = kstrtouint(umask, 8, &sbi->umask);
if (rc)
goto cleanup;
if (sbi->umask & ~0777) {
pr_err("JFS: Invalid value of umask\n");
Reported by FlawFinder.
Line: 368
Column: 13
CWE codes:
732
if (rc)
goto cleanup;
if (sbi->umask & ~0777) {
pr_err("JFS: Invalid value of umask\n");
goto cleanup;
}
break;
}
Reported by FlawFinder.
Line: 704
Column: 11
CWE codes:
732
seq_printf(seq, ",uid=%d", from_kuid(&init_user_ns, sbi->uid));
if (gid_valid(sbi->gid))
seq_printf(seq, ",gid=%d", from_kgid(&init_user_ns, sbi->gid));
if (sbi->umask != -1)
seq_printf(seq, ",umask=%03o", sbi->umask);
if (sbi->flag & JFS_NOINTEGRITY)
seq_puts(seq, ",nointegrity");
if (sbi->flag & JFS_DISCARD)
seq_printf(seq, ",discard=%u", sbi->minblks_trim);
Reported by FlawFinder.
Line: 705
Column: 39
CWE codes:
732
if (gid_valid(sbi->gid))
seq_printf(seq, ",gid=%d", from_kgid(&init_user_ns, sbi->gid));
if (sbi->umask != -1)
seq_printf(seq, ",umask=%03o", sbi->umask);
if (sbi->flag & JFS_NOINTEGRITY)
seq_puts(seq, ",nointegrity");
if (sbi->flag & JFS_DISCARD)
seq_printf(seq, ",discard=%u", sbi->minblks_trim);
if (sbi->nls_tab)
Reported by FlawFinder.
fs/ocfs2/refcounttree.c
7 issues
Line: 623
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Initialize ocfs2_refcount_block. */
rb = (struct ocfs2_refcount_block *)new_bh->b_data;
memset(rb, 0, inode->i_sb->s_blocksize);
strcpy((void *)rb, OCFS2_REFCOUNT_BLOCK_SIGNATURE);
rb->rf_suballoc_slot = cpu_to_le16(meta_ac->ac_alloc_slot);
rb->rf_suballoc_loc = cpu_to_le64(suballoc_loc);
rb->rf_suballoc_bit = cpu_to_le16(suballoc_bit_start);
rb->rf_fs_generation = cpu_to_le32(osb->fs_generation);
rb->rf_blkno = cpu_to_le64(first_blkno);
Reported by FlawFinder.
Line: 1571
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
/* Initialize ocfs2_refcount_block. */
new_rb = (struct ocfs2_refcount_block *)new_bh->b_data;
memset(new_rb, 0, sb->s_blocksize);
strcpy((void *)new_rb, OCFS2_REFCOUNT_BLOCK_SIGNATURE);
new_rb->rf_suballoc_slot = cpu_to_le16(meta_ac->ac_alloc_slot);
new_rb->rf_suballoc_loc = cpu_to_le64(suballoc_loc);
new_rb->rf_suballoc_bit = cpu_to_le16(suballoc_bit_start);
new_rb->rf_fs_generation = cpu_to_le32(OCFS2_SB(sb)->fs_generation);
new_rb->rf_blkno = cpu_to_le64(blkno);
Reported by FlawFinder.
Line: 1325
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* It should contain the same information as the old root.
* so just memcpy it and change the corresponding field.
*/
memcpy(new_bh->b_data, ref_root_bh->b_data, sb->s_blocksize);
new_rb = (struct ocfs2_refcount_block *)new_bh->b_data;
new_rb->rf_suballoc_slot = cpu_to_le16(meta_ac->ac_alloc_slot);
new_rb->rf_suballoc_loc = cpu_to_le64(suballoc_loc);
new_rb->rf_suballoc_bit = cpu_to_le16(suballoc_bit_start);
Reported by FlawFinder.
Line: 1489
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* move refcount records starting from split_index to the new block. */
num_moved = le16_to_cpu(rl->rl_used) - split_index;
memcpy(new_rl->rl_recs, &rl->rl_recs[split_index],
num_moved * sizeof(struct ocfs2_refcount_rec));
/*ok, remove the entries we just moved over to the other block. */
memset(&rl->rl_recs[split_index], 0,
num_moved * sizeof(struct ocfs2_refcount_rec));
Reported by FlawFinder.
Line: 1935
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len) {
tail_rec = &rf_list->rl_recs[index + recs_need];
memcpy(tail_rec, orig_rec, sizeof(struct ocfs2_refcount_rec));
le64_add_cpu(&tail_rec->r_cpos,
le32_to_cpu(tail_rec->r_clusters) - len);
tail_rec->r_clusters = cpu_to_le32(len);
}
Reported by FlawFinder.
Line: 3039
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
memcpy(new_bh->b_data, old_bh->b_data, sb->s_blocksize);
ocfs2_journal_dirty(handle, new_bh);
brelse(new_bh);
brelse(old_bh);
new_bh = NULL;
Reported by FlawFinder.
Line: 3982
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
t_di->id2.i_data.id_count = s_di->id2.i_data.id_count;
memcpy(t_di->id2.i_data.id_data, s_di->id2.i_data.id_data,
le16_to_cpu(s_di->id2.i_data.id_count));
spin_lock(&OCFS2_I(t_inode)->ip_lock);
OCFS2_I(t_inode)->ip_dyn_features |= OCFS2_INLINE_DATA_FL;
t_di->i_dyn_features = cpu_to_le16(OCFS2_I(t_inode)->ip_dyn_features);
spin_unlock(&OCFS2_I(t_inode)->ip_lock);
Reported by FlawFinder.
fs/nfs/flexfilelayout/flexfilelayout.c
7 issues
Line: 83
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(p == NULL))
return -ENOBUFS;
stateid->type = NFS4_PNFS_DS_STATEID_TYPE;
memcpy(stateid->data, p, NFS4_STATEID_SIZE);
dprintk("%s: stateid id= [%x%x%x%x]\n", __func__,
p[0], p[1], p[2], p[3]);
return 0;
}
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, NFS4_DEVICEID4_SIZE);
if (unlikely(!p))
return -ENOBUFS;
memcpy(devid, p, NFS4_DEVICEID4_SIZE);
nfs4_print_deviceid(devid);
return 0;
}
static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh)
Reported by FlawFinder.
Line: 118
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
p = xdr_inline_decode(xdr, fh->size);
if (unlikely(!p))
return -ENOBUFS;
memcpy(&fh->data, p, fh->size);
dprintk("%s: fh len %d\n", __func__, fh->size);
return 0;
}
Reported by FlawFinder.
Line: 2281
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ff_layout_encode_netaddr(struct xdr_stream *xdr, struct nfs4_pnfs_ds_addr *da)
{
struct sockaddr *sap = (struct sockaddr *)&da->da_addr;
char portbuf[RPCBIND_MAXUADDRPLEN];
char addrbuf[RPCBIND_MAXUADDRLEN];
unsigned short port;
int len, netid_len;
__be32 *p;
Reported by FlawFinder.
Line: 2282
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct sockaddr *sap = (struct sockaddr *)&da->da_addr;
char portbuf[RPCBIND_MAXUADDRPLEN];
char addrbuf[RPCBIND_MAXUADDRLEN];
unsigned short port;
int len, netid_len;
__be32 *p;
switch (sap->sa_family) {
Reported by FlawFinder.
Line: 2423
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!refcount_inc_not_zero(&mirror->ref))
continue;
dev = &mirror->mirror_ds->id_node;
memcpy(&devinfo->dev_id, &dev->deviceid, NFS4_DEVICEID4_SIZE);
devinfo->offset = 0;
devinfo->length = NFS4_MAX_UINT64;
spin_lock(&mirror->lock);
devinfo->read_count = mirror->read_stat.io_stat.ops_completed;
devinfo->read_bytes = mirror->read_stat.io_stat.bytes_completed;
Reported by FlawFinder.
Line: 2306
Column: 14
CWE codes:
126
snprintf(portbuf, sizeof(portbuf), ".%u.%u", port >> 8, port & 0xff);
len = strlcat(addrbuf, portbuf, sizeof(addrbuf));
netid_len = strlen(da->da_netid);
p = xdr_reserve_space(xdr, 4 + netid_len);
xdr_encode_opaque(p, da->da_netid, netid_len);
p = xdr_reserve_space(xdr, 4 + len);
xdr_encode_opaque(p, addrbuf, len);
Reported by FlawFinder.
fs/fuse/virtio_fs.c
7 issues
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool connected;
long in_flight;
struct completion in_flight_zero; /* No inflight requests */
char name[VQ_NAME_LEN];
} ____cacheline_aligned_in_smp;
/* A virtio-fs device instance */
struct virtio_fs {
struct kref refcount;
Reported by FlawFinder.
Line: 295
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Read filesystem name from virtio config into fs->tag (must kfree()). */
static int virtio_fs_read_tag(struct virtio_device *vdev, struct virtio_fs *fs)
{
char tag_buf[sizeof_field(struct virtio_fs_config, tag)];
char *end;
size_t len;
virtio_cread_bytes(vdev, offsetof(struct virtio_fs_config, tag),
&tag_buf, sizeof(tag_buf));
Reported by FlawFinder.
Line: 311
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fs->tag = devm_kmalloc(&vdev->dev, len + 1, GFP_KERNEL);
if (!fs->tag)
return -ENOMEM;
memcpy(fs->tag, tag_buf, len);
fs->tag[len] = '\0';
return 0;
}
/* Work function for hiprio completion */
Reported by FlawFinder.
Line: 497
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
for (i = 0; i < num_in; i++) {
memcpy(req->argbuf + offset,
args->in_args[i].value,
args->in_args[i].size);
offset += args->in_args[i].size;
}
Reported by FlawFinder.
Line: 529
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
argsize = remaining;
}
memcpy(args->out_args[i].value, req->argbuf + offset, argsize);
offset += argsize;
if (i != args->out_numargs - 1)
remaining -= argsize;
}
Reported by FlawFinder.
Line: 705
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Initialize the requests virtqueues */
for (i = VQ_REQUEST; i < fs->nvqs; i++) {
char vq_name[VQ_NAME_LEN];
snprintf(vq_name, VQ_NAME_LEN, "requests.%u", i - VQ_REQUEST);
virtio_fs_init_vq(&fs->vqs[i], vq_name, VQ_REQUEST);
callbacks[i] = virtio_fs_vq_done;
names[i] = fs->vqs[i].name;
Reported by FlawFinder.
Line: 652
Column: 2
CWE codes:
120
static void virtio_fs_init_vq(struct virtio_fs_vq *fsvq, char *name,
int vq_type)
{
strncpy(fsvq->name, name, VQ_NAME_LEN);
spin_lock_init(&fsvq->lock);
INIT_LIST_HEAD(&fsvq->queued_reqs);
INIT_LIST_HEAD(&fsvq->end_reqs);
init_completion(&fsvq->in_flight_zero);
Reported by FlawFinder.
fs/proc/vmcore.c
7 issues
Line: 213
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (copy_to_user((char __user *) target, src, size))
return -EFAULT;
} else {
memcpy(target, src, size);
}
return 0;
}
#ifdef CONFIG_PROC_VMCORE_DEVICE_DUMP
Reported by FlawFinder.
Line: 864
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Add merged PT_NOTE program header*/
tmp = elfptr + sizeof(Elf64_Ehdr);
memcpy(tmp, &phdr, sizeof(phdr));
tmp += sizeof(phdr);
/* Remove unwanted PT_NOTE program headers. */
i = (nr_ptnote - 1) * sizeof(Elf64_Phdr);
*elfsz = *elfsz - i;
Reported by FlawFinder.
Line: 1055
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Add merged PT_NOTE program header*/
tmp = elfptr + sizeof(Elf32_Ehdr);
memcpy(tmp, &phdr, sizeof(phdr));
tmp += sizeof(phdr);
/* Remove unwanted PT_NOTE program headers. */
i = (nr_ptnote - 1) * sizeof(Elf32_Phdr);
*elfsz = *elfsz - i;
Reported by FlawFinder.
Line: 1301
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __init parse_crash_elf_headers(void)
{
unsigned char e_ident[EI_NIDENT];
u64 addr;
int rc=0;
addr = elfcorehdr_addr;
rc = elfcorehdr_read(e_ident, EI_NIDENT, &addr);
Reported by FlawFinder.
Line: 1353
Column: 2
CWE codes:
120
vdd_hdr->n_descsz = size + sizeof(vdd_hdr->dump_name);
vdd_hdr->n_type = NT_VMCOREDD;
strncpy((char *)vdd_hdr->name, VMCOREDD_NOTE_NAME,
sizeof(vdd_hdr->name));
memcpy(vdd_hdr->dump_name, data->dump_name, sizeof(vdd_hdr->dump_name));
}
/**
Reported by FlawFinder.
Line: 1464
Column: 16
CWE codes:
126
return -EINVAL;
}
if (!data || !strlen(data->dump_name) ||
!data->vmcoredd_callback || !data->size)
return -EINVAL;
dump = vzalloc(sizeof(*dump));
if (!dump) {
Reported by FlawFinder.
include/linux/coresight.h
7 issues
Line: 166
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct device *dev;
const struct attribute_group **groups;
const char *name;
struct csdev_access access;
};
/**
* struct coresight_connection - representation of a single connection
* @outport: a connection's output port number.
Reported by FlawFinder.
Line: 229
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
enum coresight_dev_type type;
union coresight_dev_subtype subtype;
const struct coresight_ops *ops;
struct csdev_access access;
struct device dev;
atomic_t *refcnt;
bool orphan;
bool enable; /* true only if configured as part of a path */
/* sink specific fields */
Reported by FlawFinder.
Line: 132
Column: 10
CWE codes:
120
20
union {
void __iomem *base;
struct {
u64 (*read)(u32 offset, bool relaxed, bool _64bit);
void (*write)(u64 val, u32 offset, bool relaxed,
bool _64bit);
};
};
};
Reported by FlawFinder.
Line: 368
Column: 14
CWE codes:
120
20
if (likely(csa->io_mem))
return readl_relaxed(csa->base + offset);
return csa->read(offset, true, false);
}
static inline u32 csdev_access_read32(struct csdev_access *csa, u32 offset)
{
if (likely(csa->io_mem))
Reported by FlawFinder.
Line: 376
Column: 14
CWE codes:
120
20
if (likely(csa->io_mem))
return readl(csa->base + offset);
return csa->read(offset, false, false);
}
static inline void csdev_access_relaxed_write32(struct csdev_access *csa,
u32 val, u32 offset)
{
Reported by FlawFinder.
Line: 404
Column: 14
CWE codes:
120
20
if (likely(csa->io_mem))
return readq_relaxed(csa->base + offset);
return csa->read(offset, true, true);
}
static inline u64 csdev_access_read64(struct csdev_access *csa, u32 offset)
{
if (likely(csa->io_mem))
Reported by FlawFinder.
Line: 412
Column: 14
CWE codes:
120
20
if (likely(csa->io_mem))
return readq(csa->base + offset);
return csa->read(offset, false, true);
}
static inline void csdev_access_relaxed_write64(struct csdev_access *csa,
u64 val, u32 offset)
{
Reported by FlawFinder.