The following issues were found
scripts/kconfig/qconf.cc
5 issues
Line: 920
Column: 34
CWE codes:
362
QAction *ConfigList::showAllAction;
QAction *ConfigList::showPromptAction;
void ConfigList::setAllOpen(bool open)
{
QTreeWidgetItemIterator it(this);
while (*it) {
(*it)->setExpanded(open);
Reported by FlawFinder.
Line: 925
Column: 22
CWE codes:
362
QTreeWidgetItemIterator it(this);
while (*it) {
(*it)->setExpanded(open);
++it;
}
}
Reported by FlawFinder.
Line: 1184
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(data, str.constData(), count);
data[count] = '\0';
/* Seek for exact match */
data[0] = '^';
strcat(data, "$");
Reported by FlawFinder.
Line: 1323
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
bool ok = true;
QVariant x, y;
int width, height;
char title[256];
QDesktopWidget *d = configApp->desktop();
snprintf(title, sizeof(title), "%s%s",
rootmenu.prompt->text,
""
Reported by FlawFinder.
Line: 1189
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
/* Seek for exact match */
data[0] = '^';
strcat(data, "$");
result = sym_re_search(data);
if (!result) {
delete[] data;
return;
}
Reported by FlawFinder.
scripts/selinux/genheaders/genheaders.c
5 issues
Line: 15
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * One security class entry: a class name plus a fixed-size table of
 * string pointers in perms.
 */
struct security_class_mapping {
/* Pointer to the class name string. */
const char *name;
/*
 * Array of string pointers, not a character buffer: sizeof(unsigned) * 8
 * slots plus one more.
 * NOTE(review): the extra slot is presumably for a NULL end marker --
 * confirm against classmap.h.
 */
const char *perms[sizeof(unsigned) * 8 + 1];
};
#include "classmap.h"
#include "initial_sid_to_string.h"
Reported by FlawFinder.
Line: 55
Column: 9
CWE codes:
362
if (argc < 3)
usage();
fout = fopen(argv[1], "w");
if (!fout) {
fprintf(stderr, "Could not open %s for writing: %s\n",
argv[1], strerror(errno));
exit(2);
}
Reported by FlawFinder.
Line: 115
Column: 9
CWE codes:
362
fprintf(fout, "\n#endif\n");
fclose(fout);
fout = fopen(argv[2], "w");
if (!fout) {
fprintf(stderr, "Could not open %s for writing: %s\n",
argv[2], strerror(errno));
exit(4);
}
Reported by FlawFinder.
Line: 100
Column: 13
CWE codes:
126
for (i = 0; secclass_map[i].name; i++) {
static char s[] = "SOCKET";
struct security_class_mapping *map = &secclass_map[i];
int len = strlen(map->name), l = sizeof(s) - 1;
if (len >= l && memcmp(map->name + len - l, s, l) == 0)
fprintf(fout, "\tcase SECCLASS_%s:\n", map->name);
}
fprintf(fout, "\t\tsock = true;\n");
fprintf(fout, "\t\tbreak;\n");
Reported by FlawFinder.
Line: 127
Column: 13
CWE codes:
126
for (i = 0; secclass_map[i].name; i++) {
struct security_class_mapping *map = &secclass_map[i];
int len = strlen(map->name);
for (j = 0; map->perms[j]; j++) {
if (j >= 32) {
fprintf(stderr, "Too many permissions to fit into an access vector at (%s, %s).\n",
map->name, map->perms[j]);
exit(5);
Reported by FlawFinder.
security/integrity/evm/evm_main.c
5 issues
Line: 360
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (total_size)
*(buffer + total_size - 1) = '|';
memcpy(buffer + total_size, xattr->name, size);
}
break;
case 'l':
size = sizeof(u32);
if (buffer) {
Reported by FlawFinder.
Line: 293
Column: 12
CWE codes:
126
int found = 0;
struct xattr_list *xattr;
namelen = strlen(req_xattr_name);
list_for_each_entry_lockless(xattr, &evm_config_xattrnames, list) {
if (!all_xattrs && !xattr->enabled)
continue;
if ((strlen(xattr->name) == namelen)
Reported by FlawFinder.
Line: 298
Column: 8
CWE codes:
126
if (!all_xattrs && !xattr->enabled)
continue;
if ((strlen(xattr->name) == namelen)
&& (strncmp(req_xattr_name, xattr->name, namelen) == 0)) {
found = 1;
break;
}
if (strncmp(req_xattr_name,
Reported by FlawFinder.
Line: 305
Column: 8
CWE codes:
126
}
if (strncmp(req_xattr_name,
xattr->name + XATTR_SECURITY_PREFIX_LEN,
strlen(req_xattr_name)) == 0) {
found = 1;
break;
}
}
Reported by FlawFinder.
Line: 355
Column: 11
CWE codes:
126
switch (type) {
case 'n':
size = strlen(xattr->name) + 1;
if (buffer) {
if (total_size)
*(buffer + total_size - 1) = '|';
memcpy(buffer + total_size, xattr->name, size);
Reported by FlawFinder.
security/integrity/ima/ima_fs.c
5 issues
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Format the value read from @val as a signed decimal number followed by a
 * newline, then pass that text to simple_read_from_buffer() together with
 * @buf, @count and @ppos.
 *
 * tmpbuf is a fixed 32-byte stack array; the only write into it in this
 * function is the scnprintf() call, which is given sizeof(tmpbuf) as its
 * limit.
 */
static ssize_t ima_show_htable_value(char __user *buf, size_t count,
loff_t *ppos, atomic_long_t *val)
{
char tmpbuf[32]; /* greater than largest 'long' string value */
ssize_t len;
/* The write is limited to the array size; len is what scnprintf() returns. */
len = scnprintf(tmpbuf, sizeof(tmpbuf), "%li\n", atomic_long_read(val));
/* tmpbuf is passed as the source with len as the available size. */
return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
}
Reported by FlawFinder.
Line: 157
Column: 33
CWE codes:
126
ima_putc(m, e->digests[ima_sha1_idx].digest, TPM_DIGEST_SIZE);
/* 3rd: template name size */
namelen = !ima_canonical_fmt ? strlen(template_name) :
(__force u32)cpu_to_le32(strlen(template_name));
ima_putc(m, &namelen, sizeof(namelen));
/* 4th: template name */
ima_putc(m, template_name, strlen(template_name));
Reported by FlawFinder.
Line: 158
Column: 28
CWE codes:
126
/* 3rd: template name size */
namelen = !ima_canonical_fmt ? strlen(template_name) :
(__force u32)cpu_to_le32(strlen(template_name));
ima_putc(m, &namelen, sizeof(namelen));
/* 4th: template name */
ima_putc(m, template_name, strlen(template_name));
Reported by FlawFinder.
Line: 162
Column: 29
CWE codes:
126
ima_putc(m, &namelen, sizeof(namelen));
/* 4th: template name */
ima_putc(m, template_name, strlen(template_name));
/* 5th: template length (except for 'ima' template) */
if (strcmp(template_name, IMA_TEMPLATE_IMA_NAME) == 0)
is_ima_template = true;
Reported by FlawFinder.
Line: 279
Column: 20
CWE codes:
126
void *data = NULL;
char *datap;
size_t size;
int rc, pathlen = strlen(path);
char *p;
/* remove \n */
datap = path;
Reported by FlawFinder.
security/keys/trusted-keys/trusted_core.c
5 issues
Line: 154
Column: 2
CWE codes:
120
Suggestion:
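Make sure destination can always hold the source data. Note: in the excerpt below the destination is allocated as datalen + 1 bytes right before the copy, so the datalen-byte memcpy() and the terminator written at datablob[datalen] fit within it; what limits datalen itself is not shown here.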
orig_datablob = datablob = kmalloc(datalen + 1, GFP_KERNEL);
if (!datablob)
return -ENOMEM;
memcpy(datablob, prep->data, datalen);
datablob[datalen] = '\0';
payload = trusted_payload_alloc(key);
if (!payload) {
ret = -ENOMEM;
Reported by FlawFinder.
Line: 244
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
}
memcpy(datablob, prep->data, datalen);
datablob[datalen] = '\0';
ret = datablob_parse(&datablob, new_p);
if (ret != Opt_update) {
ret = -EINVAL;
kfree_sensitive(new_p);
Reported by FlawFinder.
Line: 256
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy old key values, and reseal with new pcrs */
new_p->migratable = p->migratable;
new_p->key_len = p->key_len;
memcpy(new_p->key, p->key, p->key_len);
dump_payload(p);
dump_payload(new_p);
ret = static_call(trusted_key_seal)(new_p, datablob);
if (ret < 0) {
Reported by FlawFinder.
Line: 95
Column: 17
CWE codes:
126
c = strsep(datablob, " \t");
if (!c)
return -EINVAL;
p->blob_len = strlen(c) / 2;
if (p->blob_len > MAX_BLOB_SIZE)
return -EINVAL;
ret = hex2bin(p->blob, c, p->blob_len);
if (ret < 0)
return -EINVAL;
Reported by FlawFinder.
Line: 322
Column: 8
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(trusted_key_sources); i++) {
if (trusted_key_source &&
strncmp(trusted_key_source, trusted_key_sources[i].name,
strlen(trusted_key_sources[i].name)))
continue;
static_call_update(trusted_key_init,
trusted_key_sources[i].ops->init);
static_call_update(trusted_key_seal,
Reported by FlawFinder.
security/lockdown/lockdown.c
5 issues
Line: 103
Column: 15
CWE codes:
120
Suggestion:
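Use sprintf_s, snprintf, or vsnprintf. Note: sprintf_s is not a kernel API; in kernel code the bounded equivalent is scnprintf(), called with the space remaining after offset. The excerpt shows no length check before each append, so whether the labels fit in the destination depends on data not shown here.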
const char *label = lockdown_reasons[level];
if (kernel_locked_down == level)
offset += sprintf(temp+offset, "[%s] ", label);
else
offset += sprintf(temp+offset, "%s ", label);
}
}
Reported by FlawFinder.
Line: 105
Column: 15
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (kernel_locked_down == level)
offset += sprintf(temp+offset, "[%s] ", label);
else
offset += sprintf(temp+offset, "%s ", label);
}
}
/* Convert the last space to a newline if needed. */
if (offset > 0)
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t lockdown_read(struct file *filp, char __user *buf, size_t count,
loff_t *ppos)
{
char temp[80];
int i, offset = 0;
for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) {
enum lockdown_reason level = lockdown_levels[i];
Reported by FlawFinder.
Line: 113
Column: 57
CWE codes:
126
if (offset > 0)
temp[offset-1] = '\n';
return simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
}
static ssize_t lockdown_write(struct file *file, const char __user *buf,
size_t n, loff_t *ppos)
{
Reported by FlawFinder.
Line: 126
Column: 8
CWE codes:
126
if (IS_ERR(state))
return PTR_ERR(state);
len = strlen(state);
if (len && state[len-1] == '\n') {
state[len-1] = '\0';
len--;
}
Reported by FlawFinder.
security/tomoyo/domain.c
5 issues
Line: 931
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *kaddr = kmap_atomic(page);
dump->page = page;
memcpy(dump->data + offset, kaddr + offset,
PAGE_SIZE - offset);
kunmap_atomic(kaddr);
}
/* Same with put_arg_page(page) in fs/exec.c */
#ifdef CONFIG_MMU
Reported by FlawFinder.
Line: 506
Column: 18
CWE codes:
126
/*
 * Return true when @domainname does not begin with the current namespace
 * name, or begins with it but is followed by something other than the end
 * of the string or a space.
 */
static bool tomoyo_namespace_jump(const char *domainname)
{
const char *namespace = tomoyo_current_namespace()->name;
/*
 * NOTE(review): relies on the namespace name being NUL-terminated, and
 * the size_t result of strlen() is stored in an int -- confirm the name
 * length is bounded where the namespace is created.
 */
const int len = strlen(namespace);
/*
 * domainname[len] is evaluated only when strncmp() returned 0, i.e. the
 * first len bytes of domainname equal the namespace name, so the index
 * lands inside domainname's string (at most on its terminator).
 */
return strncmp(domainname, namespace, len) ||
(domainname[len] && domainname[len] != ' ');
}
Reported by FlawFinder.
Line: 545
Column: 6
CWE codes:
126
}
/* Requested domain does not exist. */
/* Don't create requested domain if domainname is invalid. */
if (strlen(domainname) >= TOMOYO_EXEC_TMPSIZE - 10 ||
!tomoyo_correct_domain(domainname))
return NULL;
/*
* Since definition of profiles and acl_groups may differ across
* namespaces, do not inherit "use_profile" and "use_group" settings
Reported by FlawFinder.
Line: 787
Column: 4
CWE codes:
120
if (!strcmp(domainname, "parent")) {
char *cp;
strncpy(ee->tmp, old_domain->domainname->name,
TOMOYO_EXEC_TMPSIZE - 1);
cp = strrchr(ee->tmp, ' ');
if (cp)
*cp = '\0';
} else if (*domainname == '<')
Reported by FlawFinder.
Line: 793
Column: 4
CWE codes:
120
if (cp)
*cp = '\0';
} else if (*domainname == '<')
strncpy(ee->tmp, domainname, TOMOYO_EXEC_TMPSIZE - 1);
else
snprintf(ee->tmp, TOMOYO_EXEC_TMPSIZE - 1, "%s %s",
old_domain->domainname->name, domainname);
goto force_jump_domain;
}
Reported by FlawFinder.
sound/aoa/soundbus/sysfs.c
5 issues
Line: 20
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strcat(buf, "\n");
length = strlen(buf);
} else {
length = sprintf(buf, "of:N%pOFn%c%s\n",
of->dev.of_node, 'T',
of_node_get_device_type(of->dev.of_node));
}
return length;
Reported by FlawFinder.
Line: 45
Column: 9
CWE codes:
120
Suggestion:
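Use sprintf_s, snprintf, or vsnprintf. Note: for a sysfs show callback such as this one, the kernel helper sysfs_emit() is the usual bounded replacement for sprintf(buf, ...).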
struct soundbus_dev *sdev = to_soundbus_device(dev);
struct platform_device *of = &sdev->ofdev;
return sprintf(buf, "%s\n", of_node_get_device_type(of->dev.of_node));
}
static DEVICE_ATTR_RO(type);
struct attribute *soundbus_dev_attrs[] = {
&dev_attr_name.attr,
Reported by FlawFinder.
Line: 35
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct soundbus_dev *sdev = to_soundbus_device(dev);
struct platform_device *of = &sdev->ofdev;
return sprintf(buf, "%pOFn\n", of->dev.of_node);
}
static DEVICE_ATTR_RO(name);
static ssize_t type_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 17
Column: 3
CWE codes:
120
Suggestion:
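Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused). Note: the strscpy() call in this excerpt passes sizeof(sdev->modalias) + 1, a limit derived from the source field rather than from buf, so it does not by itself tie the copy to the destination's size; the size of buf is not shown in the excerpt.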
if (*sdev->modalias) {
strscpy(buf, sdev->modalias, sizeof(sdev->modalias) + 1);
strcat(buf, "\n");
length = strlen(buf);
} else {
length = sprintf(buf, "of:N%pOFn%c%s\n",
of->dev.of_node, 'T',
of_node_get_device_type(of->dev.of_node));
Reported by FlawFinder.
Line: 18
Column: 12
CWE codes:
126
if (*sdev->modalias) {
strscpy(buf, sdev->modalias, sizeof(sdev->modalias) + 1);
strcat(buf, "\n");
length = strlen(buf);
} else {
length = sprintf(buf, "of:N%pOFn%c%s\n",
of->dev.of_node, 'T',
of_node_get_device_type(of->dev.of_node));
}
Reported by FlawFinder.
sound/core/pcm_compat.c
5 issues
Line: 67
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 rate_num;
u32 rate_den;
u32 fifo_size;
unsigned char reserved[64];
};
struct snd_pcm_sw_params32 {
s32 tstamp_mode;
u32 period_step;
Reported by FlawFinder.
Line: 83
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 boundary;
u32 proto;
u32 tstamp_type;
unsigned char reserved[56];
};
static int snd_pcm_ioctl_sw_params_compat(struct snd_pcm_substream *substream,
struct snd_pcm_sw_params32 __user *src)
{
Reported by FlawFinder.
Line: 178
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
s64 driver_tstamp_sec;
s64 driver_tstamp_nsec;
u32 audio_tstamp_accuracy;
unsigned char reserved[52-4*sizeof(s64)];
} __packed;
static int snd_pcm_status_user_compat64(struct snd_pcm_substream *substream,
struct compat_snd_pcm_status64 __user *src,
bool ext)
Reported by FlawFinder.
Line: 403
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 rsvd; /* alignment */
union {
struct snd_pcm_mmap_status_x32 status;
unsigned char reserved[64];
} s;
union {
struct snd_pcm_mmap_control_x32 control;
unsigned char reserved[64];
} c;
Reported by FlawFinder.
Line: 407
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} s;
union {
struct snd_pcm_mmap_control_x32 control;
unsigned char reserved[64];
} c;
} __packed;
static int snd_pcm_ioctl_sync_ptr_x32(struct snd_pcm_substream *substream,
struct snd_pcm_sync_ptr_x32 __user *src)
Reported by FlawFinder.
sound/core/pcm_native.c
5 issues
Line: 57
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int rate_num;
unsigned int rate_den;
snd_pcm_uframes_t fifo_size;
unsigned char reserved[64];
};
#ifdef CONFIG_SND_SUPPORT_OLD_API
#define SNDRV_PCM_IOCTL_HW_REFINE_OLD _IOWR('A', 0x10, struct snd_pcm_hw_params_old)
#define SNDRV_PCM_IOCTL_HW_PARAMS_OLD _IOWR('A', 0x11, struct snd_pcm_hw_params_old)
Reported by FlawFinder.
Line: 2671
Column: 24
CWE codes:
362
goto error;
}
err = substream->ops->open(substream);
if (err < 0)
goto error;
substream->hw_opened = 1;
Reported by FlawFinder.
Line: 3023
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 flags;
union {
struct snd_pcm_mmap_status32 status;
unsigned char reserved[64];
} s;
union {
struct snd_pcm_mmap_control32 control;
unsigned char reserved[64];
} c;
Reported by FlawFinder.
Line: 3027
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} s;
union {
struct snd_pcm_mmap_control32 control;
unsigned char reserved[64];
} c;
} __attribute__((packed));
/* recalcuate the boundary within 32bit */
static snd_pcm_uframes_t recalculate_boundary(struct snd_pcm_runtime *runtime)
Reported by FlawFinder.
Line: 3874
Column: 2
CWE codes:
120
Suggestion:
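Make sure destination can always hold the source data. Note: the copy length here is sizeof(oparams->intervals), i.e. taken from the source; the excerpt does not show the declaration of params->intervals, so confirming that it is at least as large requires checking both struct definitions.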
params->flags = oparams->flags;
for (i = 0; i < ARRAY_SIZE(oparams->masks); i++)
params->masks[i].bits[0] = oparams->masks[i];
memcpy(params->intervals, oparams->intervals, sizeof(oparams->intervals));
params->rmask = __OLD_TO_NEW_MASK(oparams->rmask);
params->cmask = __OLD_TO_NEW_MASK(oparams->cmask);
params->info = oparams->info;
params->msbits = oparams->msbits;
params->rate_num = oparams->rate_num;
Reported by FlawFinder.