The following issues were found
tools/include/uapi/linux/bpf.h
6 issues
Line: 4950
Column: 5
CWE codes:
134
Suggestion:
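Use a constant for the format specification. Note: the quoted context shows `FN(snprintf)` as one entry in a macro list of names, not a call to snprintf() with a format argument, so this finding appears to be a name-match false positive.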
FN(sock_from_file), \
FN(check_mtu), \
FN(for_each_map_elem), \
FN(snprintf), \
FN(sys_bpf), \
FN(btf_find_by_name_kind), \
FN(sys_close), \
/* */
Reported by FlawFinder.
Line: 1247
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Length in bytes of the build_id array in struct bpf_stack_build_id. */
#define BPF_BUILD_ID_SIZE 20
/*
 * Record carrying a status code, a fixed-length build ID, and one 64-bit
 * value that is named either "offset" or "ip" (the two share storage in the
 * anonymous union).
 * NOTE(review): which union member is meaningful presumably depends on
 * status; confirm against the status values defined elsewhere in this header.
 */
struct bpf_stack_build_id {
__s32 status;
/*
 * Raw byte array of fixed length; nothing in this declaration NUL-terminates
 * it, so consumers should copy or compare exactly BPF_BUILD_ID_SIZE bytes
 * rather than use string functions. The declaration itself performs no
 * write; the bounds question applies to code that fills the array.
 */
unsigned char build_id[BPF_BUILD_ID_SIZE];
union {
__u64 offset;
__u64 ip;
};
};
Reported by FlawFinder.
Line: 1269
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 numa_node; /* numa node (effective only if
* BPF_F_NUMA_NODE is set).
*/
char map_name[BPF_OBJ_NAME_LEN];
__u32 map_ifindex; /* ifindex of netdev to create on */
__u32 btf_fd; /* fd pointing to a BTF type data */
__u32 btf_key_type_id; /* BTF type_id of the key */
__u32 btf_value_type_id; /* BTF type_id of the value */
__u32 btf_vmlinux_value_type_id;/* BTF type_id of a kernel-
Reported by FlawFinder.
Line: 1317
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__aligned_u64 log_buf; /* user supplied buffer */
__u32 kern_version; /* not used */
__u32 prog_flags;
char prog_name[BPF_OBJ_NAME_LEN];
__u32 prog_ifindex; /* ifindex of netdev to prep for */
/* For some prog types expected attach type must be known at
* load time to verify attach type specific parts of prog
* (context accesses, allowed helpers, etc).
*/
Reported by FlawFinder.
Line: 5451
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 created_by_uid;
__u32 nr_map_ids;
__aligned_u64 map_ids;
char name[BPF_OBJ_NAME_LEN];
__u32 ifindex;
__u32 gpl_compatible:1;
__u32 :31; /* alignment pad */
__u64 netns_dev;
__u64 netns_ino;
Reported by FlawFinder.
Line: 5485
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u32 value_size;
__u32 max_entries;
__u32 map_flags;
char name[BPF_OBJ_NAME_LEN];
__u32 ifindex;
__u32 btf_vmlinux_value_type_id;
__u64 netns_dev;
__u64 netns_ino;
__u32 btf_id;
Reported by FlawFinder.
tools/testing/selftests/powerpc/benchmarks/context_switch.c
6 issues
Line: 426
Column: 7
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
while (1) {
int option_index = 0;
c = getopt_long(argc, argv, "", options, &option_index);
if (c == -1)
break;
switch (c) {
Reported by FlawFinder.
Line: 454
Column: 14
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
break;
case 's':
timeout = atoi(optarg);
break;
default:
usage();
exit(1);
Reported by FlawFinder.
Line: 471
Column: 10
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
if (((argc - optind) != 2)) {
cpu1 = cpu2 = pick_online_cpu();
} else {
cpu1 = atoi(argv[optind++]);
cpu2 = atoi(argv[optind++]);
}
printf("Using %s with ", processes ? "processes" : "threads");
Reported by FlawFinder.
Line: 472
Column: 10
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
cpu1 = cpu2 = pick_online_cpu();
} else {
cpu1 = atoi(argv[optind++]);
cpu2 = atoi(argv[optind++]);
}
printf("Using %s with ", processes ? "processes" : "threads");
if (actions == &pipe_actions)
Reported by FlawFinder.
tools/leds/led_hw_brightness_mon.c
6 issues
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int main(int argc, char const *argv[])
{
int fd, ret;
char brightness_file_path[LED_MAX_NAME_SIZE + 11];
struct pollfd pollfd;
struct timespec ts;
char buf[11];
if (argc != 2) {
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char brightness_file_path[LED_MAX_NAME_SIZE + 11];
struct pollfd pollfd;
struct timespec ts;
char buf[11];
if (argc != 2) {
fprintf(stderr, "Requires <device-name> argument\n");
return 1;
}
Reported by FlawFinder.
Line: 42
Column: 7
CWE codes:
362
snprintf(brightness_file_path, LED_MAX_NAME_SIZE,
"/sys/class/leds/%s/brightness_hw_changed", argv[1]);
fd = open(brightness_file_path, O_RDONLY);
if (fd == -1) {
printf("Failed to open %s file\n", brightness_file_path);
return 1;
}
Reported by FlawFinder.
Line: 79
Column: 53
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
break;
}
printf("[%ld.%09ld] %d\n", ts.tv_sec, ts.tv_nsec, atoi(buf));
}
close(fd);
return ret;
Reported by FlawFinder.
Line: 53
Column: 2
CWE codes:
120
20
* but it is required to avoid spurious poll notifications in
* the opposite case.
*/
read(fd, buf, sizeof(buf));
pollfd.fd = fd;
pollfd.events = POLLPRI;
while (1) {
Reported by FlawFinder.
tools/testing/selftests/kvm/memslot_perf_test.c
6 issues
Line: 865
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
{
int opt;
while ((opt = getopt(argc, argv, "hvds:f:e:l:r:")) != -1) {
switch (opt) {
case 'h':
default:
help(argv[0], targs);
return false;
Reported by FlawFinder.
Line: 878
Column: 20
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
map_unmap_verify = true;
break;
case 's':
targs->nslots = atoi(optarg);
if (targs->nslots <= 0 && targs->nslots != -1) {
pr_info("Slot count cap has to be positive or -1 for no cap\n");
return false;
}
break;
Reported by FlawFinder.
Line: 885
Column: 20
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
break;
case 'f':
targs->tfirst = atoi(optarg);
if (targs->tfirst < 0) {
pr_info("First test to run has to be non-negative\n");
return false;
}
break;
Reported by FlawFinder.
Line: 892
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
break;
case 'e':
targs->tlast = atoi(optarg);
if (targs->tlast < 0 || targs->tlast >= NTESTS) {
pr_info("Last test to run has to be non-negative and less than %zu\n",
NTESTS);
return false;
}
Reported by FlawFinder.
Line: 900
Column: 21
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
break;
case 'l':
targs->seconds = atoi(optarg);
if (targs->seconds < 0) {
pr_info("Test length in seconds has to be non-negative\n");
return false;
}
break;
Reported by FlawFinder.
Line: 907
Column: 18
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
}
break;
case 'r':
targs->runs = atoi(optarg);
if (targs->runs <= 0) {
pr_info("Runs per test has to be positive\n");
return false;
}
break;
Reported by FlawFinder.
tools/perf/util/bpf_counter.h
6 issues
Line: 125
.ctx_size_in = 0,
.flags = BPF_F_TEST_RUN_ON_CPU,
.cpu = cpu,
.retval = 0,
);
return bpf_prog_test_run_opts(prog_fd, &opts);
}
Reported by Cppcheck.
Line: 125
.ctx_size_in = 0,
.flags = BPF_F_TEST_RUN_ON_CPU,
.cpu = cpu,
.retval = 0,
);
return bpf_prog_test_run_opts(prog_fd, &opts);
}
Reported by Cppcheck.
Line: 125
.ctx_size_in = 0,
.flags = BPF_F_TEST_RUN_ON_CPU,
.cpu = cpu,
.retval = 0,
);
return bpf_prog_test_run_opts(prog_fd, &opts);
}
Reported by Cppcheck.
Line: 125
.ctx_size_in = 0,
.flags = BPF_F_TEST_RUN_ON_CPU,
.cpu = cpu,
.retval = 0,
);
return bpf_prog_test_run_opts(prog_fd, &opts);
}
Reported by Cppcheck.
Line: 125
.ctx_size_in = 0,
.flags = BPF_F_TEST_RUN_ON_CPU,
.cpu = cpu,
.retval = 0,
);
return bpf_prog_test_run_opts(prog_fd, &opts);
}
Reported by Cppcheck.
Line: 26
Column: 23
CWE codes:
120
20
bpf_counter_evsel_target_op load;
bpf_counter_evsel_op enable;
bpf_counter_evsel_op disable;
bpf_counter_evsel_op read;
bpf_counter_evsel_op destroy;
bpf_counter_evsel_install_pe_op install_pe;
};
struct bpf_counter {
Reported by FlawFinder.
tools/perf/perf.c
6 issues
Line: 458
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
if (!cmd)
cmd = "perf-help";
srandom(time(NULL));
/* Setting $PERF_CONFIG makes perf read _only_ the given config file. */
config_exclusive_filename = getenv("PERF_CONFIG");
err = perf_config(perf_default_config, NULL);
Reported by FlawFinder.
Line: 461
Column: 30
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
srandom(time(NULL));
/* Setting $PERF_CONFIG makes perf read _only_ the given config file. */
config_exclusive_filename = getenv("PERF_CONFIG");
err = perf_config(perf_default_config, NULL);
if (err)
return err;
set_buildid_dir(NULL);
Reported by FlawFinder.
Line: 300
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int status;
struct stat st;
char sbuf[STRERR_BUFSIZE];
if (use_browser == -1)
use_browser = check_browser_config(p->cmd);
if (use_pager == -1 && p->option & RUN_SETUP)
Reported by FlawFinder.
Line: 444
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int err;
const char *cmd;
char sbuf[STRERR_BUFSIZE];
perf_debug_setup();
/* libsubcmd init */
exec_cmd_init("perf", PREFIX, PERF_EXEC_PATH, EXEC_PATH_ENVIRONMENT);
Reported by FlawFinder.
Line: 212
Column: 11
CWE codes:
126
* Check remaining flags.
*/
if (strstarts(cmd, CMD_EXEC_PATH)) {
cmd += strlen(CMD_EXEC_PATH);
if (*cmd == '=')
set_argv_exec_path(cmd + 1);
else {
puts(get_argv_exec_path());
exit(0);
Reported by FlawFinder.
Line: 249
Column: 27
CWE codes:
126
(*argv)++;
(*argc)--;
} else if (strstarts(cmd, CMD_DEBUGFS_DIR)) {
tracing_path_set(cmd + strlen(CMD_DEBUGFS_DIR));
fprintf(stderr, "dir: %s\n", tracing_path_mount());
if (envchanged)
*envchanged = 1;
} else if (!strcmp(cmd, "--list-cmds")) {
unsigned int i;
Reported by FlawFinder.
tools/perf/util/cpumap.c
6 issues
Line: 74
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Write the textual form of @map to @fp, followed by a newline.
 *
 * The text is built by cpu_map__snprint() in a fixed 1024-byte stack buffer.
 * The buffer's full size is handed to that helper, so the write stays bounded
 * as long as the helper honours the size it is given (its body is not part of
 * this excerpt).
 *
 * Returns the fprintf() result converted to size_t, so a negative fprintf()
 * error value reaches the caller as a very large number.
 */
size_t cpu_map__fprintf(struct perf_cpu_map *map, FILE *fp)
{
#define BUFSIZE 1024
	char line[BUFSIZE];
	int printed;

	/* sizeof(line) keeps the size argument tied to the array declaration. */
	cpu_map__snprint(map, line, sizeof(line));
	printed = fprintf(fp, "%s\n", line);
#undef BUFSIZE
	return printed;
}
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cpu__get_topology_int(int cpu, const char *name, int *value)
{
char path[PATH_MAX];
snprintf(path, PATH_MAX,
"devices/system/cpu/cpu%d/topology/%s", cpu, name);
return sysfs__read_int(path, value);
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void set_max_cpu_num(void)
{
const char *mnt;
char path[PATH_MAX];
int ret = -1;
/* set up default */
max_cpu_num = 4096;
max_present_cpu_num = 4096;
Reported by FlawFinder.
Line: 374
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void set_max_node_num(void)
{
const char *mnt;
char path[PATH_MAX];
int ret = -1;
/* set up default */
max_node_num = 8;
Reported by FlawFinder.
Line: 457
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dirent *dent1, *dent2;
DIR *dir1, *dir2;
unsigned int cpu, mem;
char buf[PATH_MAX];
char path[PATH_MAX];
const char *mnt;
int n;
/* initialize globals */
Reported by FlawFinder.
Line: 458
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
DIR *dir1, *dir2;
unsigned int cpu, mem;
char buf[PATH_MAX];
char path[PATH_MAX];
const char *mnt;
int n;
/* initialize globals */
if (init_cpunode_map())
Reported by FlawFinder.
tools/lib/bpf/strset.c
6 issues
Line: 62
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!set->strs_data)
goto err_out;
memcpy(set->strs_data, init_data, init_data_sz);
set->strs_data_len = init_data_sz;
set->strs_data_cap = init_data_sz;
for (off = 0; off < set->strs_data_len; off += strlen(set->strs_data + off) + 1) {
/* hashmap__add() returns EEXIST if string with the same
Reported by FlawFinder.
Line: 127
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
new_off = set->strs_data_len;
memcpy(p, s, len);
if (hashmap__find(set->strs_hash, (void *)new_off, (void **)&old_off))
return old_off;
return -ENOENT;
Reported by FlawFinder.
Line: 161
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
new_off = set->strs_data_len;
memcpy(p, s, len);
/* Now attempt to add the string, but only if the string with the same
* contents doesn't exist already (HASHMAP_ADD strategy). If such
* string exists, we'll get its offset in old_off (that's old_key).
*/
Reported by FlawFinder.
Line: 66
Column: 50
CWE codes:
126
set->strs_data_len = init_data_sz;
set->strs_data_cap = init_data_sz;
for (off = 0; off < set->strs_data_len; off += strlen(set->strs_data + off) + 1) {
/* hashmap__add() returns EEXIST if string with the same
* content already is in the hash map
*/
err = hashmap__add(hash, (void *)off, (void *)off);
if (err == -EEXIST)
Reported by FlawFinder.
Line: 121
Column: 8
CWE codes:
126
void *p;
/* see strset__add_str() for why we do this */
len = strlen(s) + 1;
p = strset_add_str_mem(set, len);
if (!p)
return -ENOMEM;
new_off = set->strs_data_len;
Reported by FlawFinder.
Line: 155
Column: 8
CWE codes:
126
* other hand, if the string is unique, it's already appended and
* ready to be used, only a simple set->strs_data_len increment away.
*/
len = strlen(s) + 1;
p = strset_add_str_mem(set, len);
if (!p)
return -ENOMEM;
new_off = set->strs_data_len;
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/migrate_reuseport.c
6 issues
Line: 152
Column: 7
CWE codes:
362
{
int err = 0, fd, len;
fd = open("/proc/sys/net/ipv4/tcp_fastopen", O_RDWR);
if (!ASSERT_NEQ(fd, -1, "open"))
return -1;
if (restore) {
len = write(fd, buf, *saved_len);
Reported by FlawFinder.
Line: 280
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int start_clients(struct migrate_reuseport_test_case *test_case)
{
char buf[MSGLEN] = MSG;
int i, err;
for (i = 0; i < NR_CLIENTS; i++) {
test_case->clients[i] = socket(test_case->family, SOCK_STREAM,
IPPROTO_TCP);
Reported by FlawFinder.
Line: 413
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct sockaddr_storage addr;
socklen_t len = sizeof(addr);
int err, cnt = 0, client;
char buf[MSGLEN];
err = settimeo(test_case->servers[MIGRATED_TO], 4000);
if (!ASSERT_OK(err, "settimeo"))
goto out;
Reported by FlawFinder.
Line: 460
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct test_migrate_reuseport *skel)
{
int err, saved_len;
char buf[16];
skel->bss->migrated_at_close = 0;
skel->bss->migrated_at_close_fastopen = 0;
skel->bss->migrated_at_send_synack = 0;
skel->bss->migrated_at_recv_ack = 0;
Reported by FlawFinder.
Line: 161
Column: 16
CWE codes:
120
20
if (!ASSERT_EQ(len, *saved_len, "write - restore"))
err = -1;
} else {
*saved_len = read(fd, buf, size);
if (!ASSERT_GE(*saved_len, 1, "read")) {
err = -1;
goto close;
}
Reported by FlawFinder.
tools/testing/selftests/kvm/access_tracking_perf_test.c
6 issues
Line: 279
Column: 74
CWE codes:
362/367!
Suggestion:
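Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Note: in the quoted code, column 74 of the `access_memory(...)` signature line is the parameter named `access` (of type `enum access_type`), not a call to access(2), so this finding appears to be a name-match false positive.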
description, ts_elapsed.tv_sec, ts_elapsed.tv_nsec);
}
static void access_memory(struct kvm_vm *vm, int vcpus, enum access_type access,
const char *description)
{
perf_test_args.wr_fract = (access == ACCESS_READ) ? INT_MAX : 1;
sync_global_to_guest(vm, perf_test_args);
iteration_work = ITERATION_ACCESS_MEMORY;
Reported by FlawFinder.
Line: 395
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
guest_modes_append_default();
while ((opt = getopt(argc, argv, "hm:b:v:os:")) != -1) {
switch (opt) {
case 'm':
guest_modes_cmdline(optarg);
break;
case 'b':
Reported by FlawFinder.
Line: 144
Column: 17
CWE codes:
362
if (overlap_memory_access && vcpu_id)
return;
page_idle_fd = open("/sys/kernel/mm/page_idle/bitmap", O_RDWR);
TEST_ASSERT(page_idle_fd > 0, "Failed to open page_idle.");
pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
TEST_ASSERT(pagemap_fd > 0, "Failed to open pagemap.");
Reported by FlawFinder.
Line: 147
Column: 15
CWE codes:
362
page_idle_fd = open("/sys/kernel/mm/page_idle/bitmap", O_RDWR);
TEST_ASSERT(page_idle_fd > 0, "Failed to open page_idle.");
pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
TEST_ASSERT(pagemap_fd > 0, "Failed to open pagemap.");
for (page = 0; page < pages; page++) {
uint64_t gva = base_gva + page * perf_test_args.guest_page_size;
uint64_t pfn = lookup_pfn(pagemap_fd, vm, gva);
Reported by FlawFinder.
Line: 404
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
params.vcpu_memory_bytes = parse_size(optarg);
break;
case 'v':
params.vcpus = atoi(optarg);
break;
case 'o':
overlap_memory_access = true;
break;
case 's':
Reported by FlawFinder.
Line: 419
Column: 17
CWE codes:
362
}
}
page_idle_fd = open("/sys/kernel/mm/page_idle/bitmap", O_RDWR);
if (page_idle_fd < 0) {
print_skip("CONFIG_IDLE_PAGE_TRACKING is not enabled");
exit(KSFT_SKIP);
}
close(page_idle_fd);
Reported by FlawFinder.