The following issues were found
arch/mips/alchemy/common/platform.c
6 issues
Line: 123
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
printk(KERN_INFO "Alchemy: no memory for UART data\n");
return;
}
memcpy(ports, au1x00_uart_data[ctype], s * c);
au1xx0_uart_device.dev.platform_data = ports;
/* Fill up uartclk. */
for (s = 0; s < c; s++)
ports[s].uartclk = uartclk;
Reported by FlawFinder.
Line: 389
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
if (port == 0)
memcpy(&au1xxx_eth0_platform_data, eth_data,
sizeof(struct au1000_eth_platform_data));
else
memcpy(&au1xxx_eth1_platform_data, eth_data,
sizeof(struct au1000_eth_platform_data));
}
Reported by FlawFinder.
Line: 392
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&au1xxx_eth0_platform_data, eth_data,
sizeof(struct au1000_eth_platform_data));
else
memcpy(&au1xxx_eth1_platform_data, eth_data,
sizeof(struct au1000_eth_platform_data));
}
static void __init alchemy_setup_macs(int ctype)
{
Reported by FlawFinder.
Line: 399
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void __init alchemy_setup_macs(int ctype)
{
int ret, i;
unsigned char ethaddr[6];
struct resource *macres;
/* Handle 1st MAC */
if (alchemy_get_macs(ctype) < 1)
return;
Reported by FlawFinder.
Line: 416
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i = prom_get_ethernet_addr(ethaddr);
if (!i && !is_valid_ether_addr(au1xxx_eth0_platform_data.mac))
memcpy(au1xxx_eth0_platform_data.mac, ethaddr, 6);
ret = platform_device_register(&au1xxx_eth0_device);
if (ret)
printk(KERN_INFO "Alchemy: failed to register MAC0\n");
Reported by FlawFinder.
Line: 437
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ethaddr[5] += 1; /* next addr for 2nd MAC */
if (!i && !is_valid_ether_addr(au1xxx_eth1_platform_data.mac))
memcpy(au1xxx_eth1_platform_data.mac, ethaddr, 6);
/* Register second MAC if enabled in pinfunc */
if (!(alchemy_rdsys(AU1000_SYS_PINFUNC) & SYS_PF_NI2)) {
ret = platform_device_register(&au1xxx_eth1_device);
if (ret)
Reported by FlawFinder.
arch/powerpc/kernel/security.c
6 issues
Line: 349
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
default:
type = "unknown";
}
return sprintf(buf, "Mitigation: Kernel entry/exit barrier (%s)\n", type);
}
if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
return sprintf(buf, "Not affected\n");
Reported by FlawFinder.
Line: 165
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if (thread_priv)
return sprintf(buf, "Vulnerable: L1D private per thread\n");
if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
return sprintf(buf, "Not affected\n");
Reported by FlawFinder.
Line: 169
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
return sprintf(buf, "Not affected\n");
return sprintf(buf, "Vulnerable\n");
}
ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 171
Column: 9
CWE codes:
120
Suggestion:
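Use sprintf_s, snprintf, or vsnprintf. The kernel has no sprintf_s; these calls write fixed strings into the buf of what look like sysfs show callbacks (see the cpu_show_l1tf signature in the excerpt below), where sysfs_emit() is the bounded helper intended for this.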
!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
return sprintf(buf, "Not affected\n");
return sprintf(buf, "Vulnerable\n");
}
ssize_t cpu_show_l1tf(struct device *dev, struct device_attribute *attr, char *buf)
{
return cpu_show_meltdown(dev, attr, buf);
Reported by FlawFinder.
Line: 354
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!security_ftr_enabled(SEC_FTR_L1D_FLUSH_HV) &&
!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
return sprintf(buf, "Not affected\n");
return sprintf(buf, "Vulnerable\n");
}
static int ssb_prctl_get(struct task_struct *task)
Reported by FlawFinder.
Line: 356
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
!security_ftr_enabled(SEC_FTR_L1D_FLUSH_PR))
return sprintf(buf, "Not affected\n");
return sprintf(buf, "Vulnerable\n");
}
static int ssb_prctl_get(struct task_struct *task)
{
if (stf_enabled_flush_types == STF_BARRIER_NONE)
Reported by FlawFinder.
arch/um/drivers/line.c
6 issues
Line: 107
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
end = line->buffer + LINE_BUFSIZE - line->tail;
if (len < end) {
memcpy(line->tail, buf, len);
line->tail += len;
}
else {
/* The circular buffer is wrapping */
memcpy(line->tail, buf, end);
Reported by FlawFinder.
Line: 112
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
else {
/* The circular buffer is wrapping */
memcpy(line->tail, buf, end);
buf += end;
memcpy(line->buffer, buf, len - end);
line->tail = line->buffer + len - end;
}
Reported by FlawFinder.
Line: 114
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* The circular buffer is wrapping */
memcpy(line->tail, buf, end);
buf += end;
memcpy(line->buffer, buf, len - end);
line->tail = line->buffer + len - end;
}
return len;
}
Reported by FlawFinder.
Line: 750
Column: 8
CWE codes:
126
if (*umid == '\0')
return base;
len = strlen(base) + strlen(" ()") + strlen(umid) + 1;
title = kmalloc(len, GFP_KERNEL);
if (title == NULL) {
printk(KERN_ERR "Failed to allocate buffer for xterm title\n");
return base;
}
Reported by FlawFinder.
Line: 750
Column: 39
CWE codes:
126
if (*umid == '\0')
return base;
len = strlen(base) + strlen(" ()") + strlen(umid) + 1;
title = kmalloc(len, GFP_KERNEL);
if (title == NULL) {
printk(KERN_ERR "Failed to allocate buffer for xterm title\n");
return base;
}
Reported by FlawFinder.
Line: 750
Column: 23
CWE codes:
126
if (*umid == '\0')
return base;
len = strlen(base) + strlen(" ()") + strlen(umid) + 1;
title = kmalloc(len, GFP_KERNEL);
if (title == NULL) {
printk(KERN_ERR "Failed to allocate buffer for xterm title\n");
return base;
}
Reported by FlawFinder.
arch/powerpc/kvm/book3s_emulate.c
6 issues
Line: 86
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
static inline void kvmppc_copyto_vcpu_tm(struct kvm_vcpu *vcpu)
{
memcpy(&vcpu->arch.gpr_tm[0], &vcpu->arch.regs.gpr[0],
sizeof(vcpu->arch.gpr_tm));
memcpy(&vcpu->arch.fp_tm, &vcpu->arch.fp,
sizeof(struct thread_fp_state));
memcpy(&vcpu->arch.vr_tm, &vcpu->arch.vr,
sizeof(struct thread_vr_state));
Reported by FlawFinder.
Line: 88
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy(&vcpu->arch.gpr_tm[0], &vcpu->arch.regs.gpr[0],
sizeof(vcpu->arch.gpr_tm));
memcpy(&vcpu->arch.fp_tm, &vcpu->arch.fp,
sizeof(struct thread_fp_state));
memcpy(&vcpu->arch.vr_tm, &vcpu->arch.vr,
sizeof(struct thread_vr_state));
vcpu->arch.ppr_tm = vcpu->arch.ppr;
vcpu->arch.dscr_tm = vcpu->arch.dscr;
Reported by FlawFinder.
Line: 90
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(vcpu->arch.gpr_tm));
memcpy(&vcpu->arch.fp_tm, &vcpu->arch.fp,
sizeof(struct thread_fp_state));
memcpy(&vcpu->arch.vr_tm, &vcpu->arch.vr,
sizeof(struct thread_vr_state));
vcpu->arch.ppr_tm = vcpu->arch.ppr;
vcpu->arch.dscr_tm = vcpu->arch.dscr;
vcpu->arch.amr_tm = vcpu->arch.amr;
vcpu->arch.ctr_tm = vcpu->arch.regs.ctr;
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void kvmppc_copyfrom_vcpu_tm(struct kvm_vcpu *vcpu)
{
memcpy(&vcpu->arch.regs.gpr[0], &vcpu->arch.gpr_tm[0],
sizeof(vcpu->arch.regs.gpr));
memcpy(&vcpu->arch.fp, &vcpu->arch.fp_tm,
sizeof(struct thread_fp_state));
memcpy(&vcpu->arch.vr, &vcpu->arch.vr_tm,
sizeof(struct thread_vr_state));
Reported by FlawFinder.
Line: 107
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy(&vcpu->arch.regs.gpr[0], &vcpu->arch.gpr_tm[0],
sizeof(vcpu->arch.regs.gpr));
memcpy(&vcpu->arch.fp, &vcpu->arch.fp_tm,
sizeof(struct thread_fp_state));
memcpy(&vcpu->arch.vr, &vcpu->arch.vr_tm,
sizeof(struct thread_vr_state));
vcpu->arch.ppr = vcpu->arch.ppr_tm;
vcpu->arch.dscr = vcpu->arch.dscr_tm;
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(vcpu->arch.regs.gpr));
memcpy(&vcpu->arch.fp, &vcpu->arch.fp_tm,
sizeof(struct thread_fp_state));
memcpy(&vcpu->arch.vr, &vcpu->arch.vr_tm,
sizeof(struct thread_vr_state));
vcpu->arch.ppr = vcpu->arch.ppr_tm;
vcpu->arch.dscr = vcpu->arch.dscr_tm;
vcpu->arch.amr = vcpu->arch.amr_tm;
vcpu->arch.regs.ctr = vcpu->arch.ctr_tm;
Reported by FlawFinder.
arch/sh/kernel/cpu/shmobile/pm.c
6 issues
Line: 103
CWE codes:
570
vp = sdp + 1;
/* part 1: common code to enter sleep mode */
n = &sh_mobile_sleep_enter_end - &sh_mobile_sleep_enter_start;
memcpy(vp, &sh_mobile_sleep_enter_start, n);
vp += roundup(n, 4);
/* part 2: board specific code to enter self-refresh mode */
n = pre_end - pre_start;
Reported by Cppcheck.
Line: 122
CWE codes:
570
/* part 4: common code to resume from sleep mode */
WARN_ON(vp > (onchip_mem + 0x600));
vp = onchip_mem + 0x600; /* located at interrupt vector */
n = &sh_mobile_sleep_resume_end - &sh_mobile_sleep_resume_start;
memcpy(vp, &sh_mobile_sleep_resume_start, n);
sdp->resume = (unsigned long)vp;
sh_mobile_sleep_supported |= flags;
}
Reported by Cppcheck.
Line: 104
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* part 1: common code to enter sleep mode */
n = &sh_mobile_sleep_enter_end - &sh_mobile_sleep_enter_start;
memcpy(vp, &sh_mobile_sleep_enter_start, n);
vp += roundup(n, 4);
/* part 2: board specific code to enter self-refresh mode */
n = pre_end - pre_start;
memcpy(vp, pre_start, n);
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* part 2: board specific code to enter self-refresh mode */
n = pre_end - pre_start;
memcpy(vp, pre_start, n);
sdp->sf_pre = (unsigned long)vp;
vp += roundup(n, 4);
/* part 3: board specific code to resume from self-refresh mode */
n = post_end - post_start;
Reported by FlawFinder.
Line: 115
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* part 3: board specific code to resume from self-refresh mode */
n = post_end - post_start;
memcpy(vp, post_start, n);
sdp->sf_post = (unsigned long)vp;
vp += roundup(n, 4);
/* part 4: common code to resume from sleep mode */
WARN_ON(vp > (onchip_mem + 0x600));
Reported by FlawFinder.
Line: 123
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
WARN_ON(vp > (onchip_mem + 0x600));
vp = onchip_mem + 0x600; /* located at interrupt vector */
n = &sh_mobile_sleep_resume_end - &sh_mobile_sleep_resume_start;
memcpy(vp, &sh_mobile_sleep_resume_start, n);
sdp->resume = (unsigned long)vp;
sh_mobile_sleep_supported |= flags;
}
Reported by FlawFinder.
arch/ia64/kernel/ftrace.c
6 issues
Line: 115
CWE codes:
476
return -EFAULT;
/* Make sure it is what we expect it to be */
if (memcmp(replaced, old_code, MCOUNT_INSN_SIZE) != 0)
return -EINVAL;
skip_check:
/* replace the text with the new text */
if (copy_to_kernel_nofault(((void *)ip), new_code, MCOUNT_INSN_SIZE))
Reported by Cppcheck.
Line: 21
Column: 17
CWE codes:
119
120
Suggestion:
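Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. The flagged line declares a fixed-size, initialised byte array and performs no copy itself, so the bounds question applies to the code that reads or writes the array.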
#include <asm/patch.h>
/* In IA64, each function will be added below two bundles with -pg option */
static unsigned char __attribute__((aligned(8)))
ftrace_orig_code[MCOUNT_INSN_SIZE] = {
0x02, 0x40, 0x31, 0x10, 0x80, 0x05, /* alloc r40=ar.pfs,12,8,0 */
0xb0, 0x02, 0x00, 0x00, 0x42, 0x40, /* mov r43=r0;; */
0x05, 0x00, 0xc4, 0x00, /* mov r42=b0 */
0x11, 0x48, 0x01, 0x02, 0x00, 0x21, /* mov r41=r1 */
Reported by FlawFinder.
Line: 41
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
/* mcount stub will be converted below for nop */
static unsigned char ftrace_nop_code[MCOUNT_INSN_SIZE] = {
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* [MII] nop.m 0x0 */
0x30, 0x00, 0x00, 0x60, 0x00, 0x00, /* mov r3=ip */
0x00, 0x00, 0x04, 0x00, /* nop.i 0x0 */
0x05, 0x00, 0x00, 0x00, 0x01, 0x00, /* [MLX] nop.m 0x0 */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* nop.x 0x0;; */
Reported by FlawFinder.
Line: 59
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* mcount stub will be converted below for call
* Note: Just the last instruction is changed against nop
* */
static unsigned char __attribute__((aligned(8)))
ftrace_call_code[MCOUNT_INSN_SIZE] = {
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, /* [MII] nop.m 0x0 */
0x30, 0x00, 0x00, 0x60, 0x00, 0x00, /* mov r3=ip */
0x00, 0x00, 0x04, 0x00, /* nop.i 0x0 */
0x05, 0x00, 0x00, 0x00, 0x01, 0x00, /* [MLX] nop.m 0x0 */
Reported by FlawFinder.
Line: 97
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ftrace_modify_code(unsigned long ip, unsigned char *old_code,
unsigned char *new_code, int do_check)
{
unsigned char replaced[MCOUNT_INSN_SIZE];
/*
* Note:
* We are paranoid about modifying text, as if a bug was to happen, it
* could cause us to read or write to someplace that could cause harm.
Reported by FlawFinder.
Line: 129
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftrace_make_nop_check(struct dyn_ftrace *rec, unsigned long addr)
{
unsigned char __attribute__((aligned(8))) replaced[MCOUNT_INSN_SIZE];
unsigned long ip = rec->ip;
if (copy_from_kernel_nofault(replaced, (void *)ip, MCOUNT_INSN_SIZE))
return -EFAULT;
if (rec->flags & FTRACE_FL_CONVERTED) {
Reported by FlawFinder.
arch/mips/mti-malta/malta-init.c
6 issues
Line: 84
Column: 3
CWE codes:
120
Suggestion:
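Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). The excerpt shows no check that the buffer returned by fw_getcmdline() has room for console_string before the append, so a bounded fix needs that buffer's capacity, which is not visible here.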
if ((strstr(fw_getcmdline(), "console=")) == NULL) {
sprintf(console_string, " console=ttyS0,%d%c%c%c", baud,
parity, bits, flow);
strcat(fw_getcmdline(), console_string);
pr_info("Config serial console:%s\n", console_string);
}
}
#endif
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_SERIAL_8250_CONSOLE
static void __init console_config(void)
{
char console_string[40];
int baud = 0;
char parity = '\0', bits = '\0', flow = '\0';
char *s;
s = fw_getenv("modetty0");
Reported by FlawFinder.
Line: 76
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
flow = 'r';
if ((strstr(fw_getcmdline(), "earlycon=")) == NULL) {
sprintf(console_string, "uart8250,io,0x3f8,%d%c%c", baud,
parity, bits);
setup_earlycon(console_string);
}
if ((strstr(fw_getcmdline(), "console=")) == NULL) {
Reported by FlawFinder.
Line: 82
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
}
if ((strstr(fw_getcmdline(), "console=")) == NULL) {
sprintf(console_string, " console=ttyS0,%d%c%c%c", baud,
parity, bits, flow);
strcat(fw_getcmdline(), console_string);
pr_info("Config serial console:%s\n", console_string);
}
}
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
base = cpu_has_veic ?
(void *)(CAC_BASE + 0xa80) :
(void *)(CAC_BASE + 0x380);
memcpy(base, except_vec_nmi, 0x80);
flush_icache_range((unsigned long)base, (unsigned long)base + 0x80);
}
static void __init mips_ejtag_setup(void)
{
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
base = cpu_has_veic ?
(void *)(CAC_BASE + 0xa00) :
(void *)(CAC_BASE + 0x300);
memcpy(base, except_vec_ejtag_debug, 0x80);
flush_icache_range((unsigned long)base, (unsigned long)base + 0x80);
}
phys_addr_t mips_cpc_default_phys_base(void)
{
Reported by FlawFinder.
arch/powerpc/include/asm/string.h
6 issues
Line: 20
Column: 15
CWE codes:
120
Suggestion:
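Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). The flagged line appears to be the extern prototype of strcpy in an architecture header rather than a call site, so there is no copy to bound at this location.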
#define __HAVE_ARCH_MEMMOVE
#define __HAVE_ARCH_MEMCPY_FLUSHCACHE
extern char * strcpy(char *,const char *);
extern char * strncpy(char *,const char *, __kernel_size_t);
extern __kernel_size_t strlen(const char *);
extern int strcmp(const char *,const char *);
extern int strncmp(const char *, const char *, __kernel_size_t);
extern char * strcat(char *, const char *);
Reported by FlawFinder.
Line: 25
Column: 15
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
extern __kernel_size_t strlen(const char *);
extern int strcmp(const char *,const char *);
extern int strncmp(const char *, const char *, __kernel_size_t);
extern char * strcat(char *, const char *);
extern void * memset(void *,int,__kernel_size_t);
extern void * memcpy(void *,const void *,__kernel_size_t);
extern void * memmove(void *,const void *,__kernel_size_t);
extern int memcmp(const void *,const void *,__kernel_size_t);
extern void * memchr(const void *,int,__kernel_size_t);
Reported by FlawFinder.
Line: 27
Column: 15
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
extern int strncmp(const char *, const char *, __kernel_size_t);
extern char * strcat(char *, const char *);
extern void * memset(void *,int,__kernel_size_t);
extern void * memcpy(void *,const void *,__kernel_size_t);
extern void * memmove(void *,const void *,__kernel_size_t);
extern int memcmp(const void *,const void *,__kernel_size_t);
extern void * memchr(const void *,int,__kernel_size_t);
void memcpy_flushcache(void *dest, const void *src, size_t size);
Reported by FlawFinder.
Line: 42
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* For files that are not instrumented (e.g. mm/slub.c) we
* should use not instrumented version of mem* functions.
*/
#define memcpy(dst, src, len) __memcpy(dst, src, len)
#define memmove(dst, src, len) __memmove(dst, src, len)
#define memset(s, c, n) __memset(s, c, n)
#ifndef __NO_FORTIFY
#define __NO_FORTIFY /* FORTIFY_SOURCE uses __builtin_memcpy, etc. */
Reported by FlawFinder.
Line: 21
Column: 15
CWE codes:
120
#define __HAVE_ARCH_MEMCPY_FLUSHCACHE
extern char * strcpy(char *,const char *);
extern char * strncpy(char *,const char *, __kernel_size_t);
extern __kernel_size_t strlen(const char *);
extern int strcmp(const char *,const char *);
extern int strncmp(const char *, const char *, __kernel_size_t);
extern char * strcat(char *, const char *);
extern void * memset(void *,int,__kernel_size_t);
Reported by FlawFinder.
Line: 22
Column: 24
CWE codes:
126
extern char * strcpy(char *,const char *);
extern char * strncpy(char *,const char *, __kernel_size_t);
extern __kernel_size_t strlen(const char *);
extern int strcmp(const char *,const char *);
extern int strncmp(const char *, const char *, __kernel_size_t);
extern char * strcat(char *, const char *);
extern void * memset(void *,int,__kernel_size_t);
extern void * memcpy(void *,const void *,__kernel_size_t);
Reported by FlawFinder.
arch/sh/kernel/ftrace.c
6 issues
Line: 27
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <trace/syscall.h>
#ifdef CONFIG_DYNAMIC_FTRACE
static unsigned char ftrace_replaced_code[MCOUNT_INSN_SIZE];
static unsigned char ftrace_nop[4];
/*
* If we're trying to nop out a call to a function, we instead
* place a call to the address after the memory table.
Reported by FlawFinder.
Line: 29
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_DYNAMIC_FTRACE
static unsigned char ftrace_replaced_code[MCOUNT_INSN_SIZE];
static unsigned char ftrace_nop[4];
/*
* If we're trying to nop out a call to a function, we instead
* place a call to the address after the memory table.
*
* 8c011060 <a>:
Reported by FlawFinder.
Line: 195
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftrace_modify_code(unsigned long ip, unsigned char *old_code,
unsigned char *new_code)
{
unsigned char replaced[MCOUNT_INSN_SIZE];
/*
* Note:
* We are paranoid about modifying text, as if a bug was to happen, it
* could cause us to read or write to someplace that could cause harm.
Reported by FlawFinder.
Line: 225
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int ftrace_update_ftrace_func(ftrace_func_t func)
{
unsigned long ip = (unsigned long)(&ftrace_call) + MCOUNT_INSN_OFFSET;
unsigned char old[MCOUNT_INSN_SIZE], *new;
memcpy(old, (unsigned char *)ip, MCOUNT_INSN_SIZE);
new = ftrace_call_replace(ip, (unsigned long)func);
return ftrace_modify_code(ip, old, new);
Reported by FlawFinder.
Line: 227
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long ip = (unsigned long)(&ftrace_call) + MCOUNT_INSN_OFFSET;
unsigned char old[MCOUNT_INSN_SIZE], *new;
memcpy(old, (unsigned char *)ip, MCOUNT_INSN_SIZE);
new = ftrace_call_replace(ip, (unsigned long)func);
return ftrace_modify_code(ip, old, new);
}
Reported by FlawFinder.
Line: 269
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int ftrace_mod(unsigned long ip, unsigned long old_addr,
unsigned long new_addr)
{
unsigned char code[MCOUNT_INSN_SIZE];
if (copy_from_kernel_nofault(code, (void *)ip, MCOUNT_INSN_SIZE))
return -EFAULT;
if (old_addr != __raw_readl((unsigned long *)code))
Reported by FlawFinder.
arch/powerpc/mm/nohash/kaslr_booke.c
6 issues
Line: 292
Column: 24
CWE codes:
327
Suggestion:
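Use a more secure technique for acquiring random values. The flagged token appears to be the local variable named random declared in this excerpt, not a call to a random-number function; the excerpts that follow show its value being mixed from get_tb() and a seed read from the FDT, with a warning printed when that seed is absent.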
static unsigned long __init kaslr_choose_location(void *dt_ptr, phys_addr_t size,
unsigned long kernel_sz)
{
unsigned long offset, random;
unsigned long ram, linear_sz;
u64 seed;
unsigned long index;
kaslr_get_cmdline(dt_ptr);
Reported by FlawFinder.
Line: 305
Column: 22
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
seed = get_tb() << 32;
seed ^= get_tb();
random = rotate_xor(random, &seed, sizeof(seed));
/*
* Retrieve (and wipe) the seed from the FDT
*/
seed = get_kaslr_seed(dt_ptr);
Reported by FlawFinder.
Line: 312
Column: 23
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
*/
seed = get_kaslr_seed(dt_ptr);
if (seed)
random = rotate_xor(random, &seed, sizeof(seed));
else
pr_warn("KASLR: No safe seed for randomizing the kernel base.\n");
ram = min_t(phys_addr_t, __max_low_memory, size);
ram = map_mem_in_cams(ram, CONFIG_LOWMEM_CAM_NUM, true);
Reported by FlawFinder.
Line: 344
Column: 10
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
* Decide which 64M we want to start
* Only use the low 8 bits of the random seed
*/
index = random & 0xFF;
index %= linear_sz / SZ_64M;
/* Decide offset inside 64M */
offset = random % (SZ_64M - kernel_sz);
offset = round_down(offset, SZ_16K);
Reported by FlawFinder.
Line: 348
Column: 11
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
index %= linear_sz / SZ_64M;
/* Decide offset inside 64M */
offset = random % (SZ_64M - kernel_sz);
offset = round_down(offset, SZ_16K);
return kaslr_legal_offset(dt_ptr, index, offset);
}
Reported by FlawFinder.
Line: 386
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy the kernel to it's new location and run */
memcpy((void *)kernstart_virt_addr, (void *)_stext, kernel_sz);
flush_icache_range(kernstart_virt_addr, kernstart_virt_addr + kernel_sz);
reloc_kernel_entry(dt_ptr, kernstart_virt_addr);
}
Reported by FlawFinder.