The following issues were found
drivers/usb/misc/usblcd.c
5 issues
Line: 184
Column: 3
CWE codes:
134
Suggestion:
Make format string constant
return -EFAULT;
break;
case IOCTL_GET_DRV_VERSION:
sprintf(buf, DRIVER_VERSION);
if (copy_to_user((void __user *)arg, buf, strlen(buf)) != 0)
return -EFAULT;
break;
default:
return -ENOTTY;
Reported by FlawFinder.
Line: 166
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct usb_lcd *dev;
u16 bcdDevice;
char buf[30];
dev = file->private_data;
if (dev == NULL)
return -ENODEV;
Reported by FlawFinder.
Line: 175
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (cmd) {
case IOCTL_GET_HARD_VERSION:
bcdDevice = le16_to_cpu((dev->udev)->descriptor.bcdDevice);
sprintf(buf, "%1d%1d.%1d%1d",
(bcdDevice & 0xF000)>>12,
(bcdDevice & 0xF00)>>8,
(bcdDevice & 0xF0)>>4,
(bcdDevice & 0xF));
if (copy_to_user((void __user *)arg, buf, strlen(buf)) != 0)
Reported by FlawFinder.
Line: 180
Column: 45
CWE codes:
126
(bcdDevice & 0xF00)>>8,
(bcdDevice & 0xF0)>>4,
(bcdDevice & 0xF));
if (copy_to_user((void __user *)arg, buf, strlen(buf)) != 0)
return -EFAULT;
break;
case IOCTL_GET_DRV_VERSION:
sprintf(buf, DRIVER_VERSION);
if (copy_to_user((void __user *)arg, buf, strlen(buf)) != 0)
Reported by FlawFinder.
Line: 185
Column: 45
CWE codes:
126
break;
case IOCTL_GET_DRV_VERSION:
sprintf(buf, DRIVER_VERSION);
if (copy_to_user((void __user *)arg, buf, strlen(buf)) != 0)
return -EFAULT;
break;
default:
return -ENOTTY;
}
Reported by FlawFinder.
drivers/usb/phy/phy-tahvo.c
5 issues
Line: 66
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
struct tahvo_usb *tu = dev_get_drvdata(device);
return sprintf(buf, "%s\n", tu->vbus_state ? "on" : "off");
}
static DEVICE_ATTR_RO(vbus);
static void check_vbus_state(struct tahvo_usb *tu)
{
Reported by FlawFinder.
Line: 266
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
switch (tu->tahvo_mode) {
case TAHVO_MODE_HOST:
return sprintf(buf, "host\n");
case TAHVO_MODE_PERIPHERAL:
return sprintf(buf, "peripheral\n");
}
return -EINVAL;
Reported by FlawFinder.
Line: 268
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
case TAHVO_MODE_HOST:
return sprintf(buf, "host\n");
case TAHVO_MODE_PERIPHERAL:
return sprintf(buf, "peripheral\n");
}
return -EINVAL;
}
Reported by FlawFinder.
Line: 293
Column: 7
CWE codes:
126
dev_info(device, "HOST mode: no host controller, powering off\n");
tahvo_usb_power_off(tu);
}
r = strlen(buf);
} else if (count >= 10 && strncmp(buf, "peripheral", 10) == 0) {
if (tu->tahvo_mode == TAHVO_MODE_HOST)
tahvo_usb_stop_host(tu);
tu->tahvo_mode = TAHVO_MODE_PERIPHERAL;
if (tu->phy.otg->gadget) {
Reported by FlawFinder.
Line: 305
Column: 7
CWE codes:
126
dev_info(device, "PERIPHERAL mode: no gadget driver, powering off\n");
tahvo_usb_power_off(tu);
}
r = strlen(buf);
} else {
r = -EINVAL;
}
mutex_unlock(&tu->serialize);
Reported by FlawFinder.
drivers/usb/storage/transport.c
5 issues
Line: 531
Column: 18
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 sector;
/* To Report "Medium Error: Record Not Found */
static unsigned char record_not_found[18] = {
[0] = 0x70, /* current error */
[2] = MEDIUM_ERROR, /* = 0x03 */
[7] = 0x0a, /* additional length */
[12] = 0x14 /* Record Not Found */
};
Reported by FlawFinder.
Line: 584
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (++us->last_sector_retries < 3)
return;
srb->result = SAM_STAT_CHECK_CONDITION;
memcpy(srb->sense_buffer, record_not_found,
sizeof(record_not_found));
}
done:
/*
Reported by FlawFinder.
Line: 969
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Command is sometime (f.e. after scsi_eh_prep_cmnd) on the stack.
* Stack may be vmallocated. So no DMA for us. Make a copy.
*/
memcpy(us->iobuf, srb->cmnd, srb->cmd_len);
result = usb_stor_ctrl_transfer(us, us->send_ctrl_pipe,
US_CBI_ADSC,
USB_TYPE_CLASS | USB_RECIP_INTERFACE, 0,
us->ifnum, us->iobuf, srb->cmd_len);
Reported by FlawFinder.
Line: 1145
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy the command payload */
memset(bcb->CDB, 0, sizeof(bcb->CDB));
memcpy(bcb->CDB, srb->cmnd, bcb->Length);
/* send it to out endpoint */
usb_stor_dbg(us, "Bulk Command S 0x%x T 0x%x L %d F %d Trg %d LUN %d CL %d\n",
le32_to_cpu(bcb->Signature), bcb->Tag,
le32_to_cpu(bcb->DataTransferLength), bcb->Flags,
Reported by FlawFinder.
Line: 1308
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case US_BULK_STAT_OK:
/* device babbled -- return fake sense data */
if (fake_sense) {
memcpy(srb->sense_buffer,
usb_stor_sense_invalidCDB,
sizeof(usb_stor_sense_invalidCDB));
return USB_STOR_TRANSPORT_NO_SENSE;
}
Reported by FlawFinder.
drivers/usb/typec/altmodes/displayport.c
5 issues
Line: 395
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cap = DP_CAP_CAPABILITY(dp->alt->vdo);
cur = DP_CONF_CURRENTLY(dp->data.conf);
len = sprintf(buf, "%s ", cur ? "USB" : "[USB]");
for (i = 1; i < ARRAY_SIZE(configurations); i++) {
if (i == cur)
len += sprintf(buf + len, "[%s] ", configurations[i]);
else if ((i == DP_CONF_DFP_D && cap & DP_CAP_DFP_D) ||
Reported by FlawFinder.
Line: 399
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 1; i < ARRAY_SIZE(configurations); i++) {
if (i == cur)
len += sprintf(buf + len, "[%s] ", configurations[i]);
else if ((i == DP_CONF_DFP_D && cap & DP_CAP_DFP_D) ||
(i == DP_CONF_UFP_D && cap & DP_CAP_UFP_D))
len += sprintf(buf + len, "%s ", configurations[i]);
}
Reported by FlawFinder.
Line: 402
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf(buf + len, "[%s] ", configurations[i]);
else if ((i == DP_CONF_DFP_D && cap & DP_CAP_DFP_D) ||
(i == DP_CONF_UFP_D && cap & DP_CAP_UFP_D))
len += sprintf(buf + len, "%s ", configurations[i]);
}
mutex_unlock(&dp->lock);
buf[len - 1] = '\n';
Reported by FlawFinder.
Line: 495
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; assignments; assignments >>= 1, i++) {
if (assignments & 1) {
if (i == cur)
len += sprintf(buf + len, "[%s] ",
pin_assignments[i]);
else
len += sprintf(buf + len, "%s ",
pin_assignments[i]);
}
Reported by FlawFinder.
Line: 498
Column: 12
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf(buf + len, "[%s] ",
pin_assignments[i]);
else
len += sprintf(buf + len, "%s ",
pin_assignments[i]);
}
}
mutex_unlock(&dp->lock);
Reported by FlawFinder.
drivers/usb/typec/tcpm/fusb302.c
5 issues
Line: 148
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
return;
}
vsnprintf(tmpbuffer, sizeof(tmpbuffer), fmt, args);
mutex_lock(&chip->logbuffer_lock);
if (fusb302_log_full(chip)) {
chip->logbuffer_head = max(chip->logbuffer_head - 1, 0);
Reported by FlawFinder.
Line: 137
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void _fusb302_log(struct fusb302_chip *chip, const char *fmt,
va_list args)
{
char tmpbuffer[LOG_BUFFER_ENTRY_SIZE];
u64 ts_nsec = local_clock();
unsigned long rem_nsec;
if (!chip->logbuffer[chip->logbuffer_head]) {
chip->logbuffer[chip->logbuffer_head] =
Reported by FlawFinder.
Line: 212
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void fusb302_debugfs_init(struct fusb302_chip *chip)
{
char name[NAME_MAX];
mutex_init(&chip->logbuffer_lock);
snprintf(name, NAME_MAX, "fusb302-%s", dev_name(chip->dev));
chip->dentry = debugfs_create_dir(name, usb_debug_root);
debugfs_create_file("log", S_IFREG | 0444, chip->dentry, chip,
Reported by FlawFinder.
Line: 977
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* packsym tells the FUSB302 chip that the next X bytes are payload */
buf[pos++] = FUSB302_TKN_PACKSYM | (len & 0x1F);
memcpy(&buf[pos], &msg->header, sizeof(msg->header));
pos += sizeof(msg->header);
len -= 2;
memcpy(&buf[pos], msg->payload, len);
pos += len;
Reported by FlawFinder.
Line: 981
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pos += sizeof(msg->header);
len -= 2;
memcpy(&buf[pos], msg->payload, len);
pos += len;
/* CRC */
buf[pos++] = FUSB302_TKN_JAMCRC;
/* EOP */
Reported by FlawFinder.
drivers/vhost/vringh.c
5 issues
Line: 223
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else {
new = kmalloc_array(new_num, sizeof(struct iovec), gfp);
if (new) {
memcpy(new, iov->iov,
iov->max_num * sizeof(struct iovec));
flag = VRINGH_IOV_ALLOCATED;
}
}
if (!new)
Reported by FlawFinder.
Line: 875
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline int copydesc_kern(const struct vringh *vrh,
void *dst, const void *src, size_t len)
{
memcpy(dst, src, len);
return 0;
}
static inline int putused_kern(const struct vringh *vrh,
struct vring_used_elem *dst,
Reported by FlawFinder.
Line: 884
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const struct vring_used_elem *src,
unsigned int num)
{
memcpy(dst, src, num * sizeof(*dst));
return 0;
}
static inline int xfer_kern(const struct vringh *vrh, void *src,
void *dst, size_t len)
Reported by FlawFinder.
Line: 891
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline int xfer_kern(const struct vringh *vrh, void *src,
void *dst, size_t len)
{
memcpy(dst, src, len);
return 0;
}
static inline int kern_xfer(const struct vringh *vrh, void *dst,
void *src, size_t len)
Reported by FlawFinder.
Line: 898
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline int kern_xfer(const struct vringh *vrh, void *dst,
void *src, size_t len)
{
memcpy(dst, src, len);
return 0;
}
/**
* vringh_init_kern - initialize a vringh for a kernelspace vring.
Reported by FlawFinder.
drivers/video/console/sticore.c
5 issues
Line: 286
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char default_sti_path[21] __read_mostly;
#ifndef MODULE
static int __init sti_setup(char *str)
{
if (str)
Reported by FlawFinder.
Line: 528
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest = nf;
dest += sizeof(struct sti_rom_font);
memcpy(dest, fbfont->data, bpc * fbfont->charcount);
cooked_font = kzalloc(sizeof(*cooked_font), GFP_KERNEL);
if (!cooked_font) {
kfree(nf);
return NULL;
Reported by FlawFinder.
Line: 960
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
static int __init sticore_pa_init(struct parisc_device *dev)
{
char pa_path[21];
struct sti_struct *sti = NULL;
int hpa = dev->hpa.start;
if (dev->num_addrs && dev->addr[0])
sti = sti_try_rom_generic(dev->addr[0], hpa, NULL);
Reported by FlawFinder.
Line: 1010
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
sti = sti_try_rom_generic(rom_base, fb_base, pd);
if (sti) {
char pa_path[30];
print_pci_hwpath(pd, pa_path);
sticore_check_for_default_sti(sti, pa_path);
}
if (!sti) {
Reported by FlawFinder.
Line: 498
Column: 21
CWE codes:
126
struct sti_rom_font *nf;
struct sti_cooked_font *cooked_font;
if (fbfont_name && strlen(fbfont_name))
fbfont = find_font(fbfont_name);
if (!fbfont)
fbfont = get_default_font(1024,768, ~(u32)0, ~(u32)0);
if (!fbfont)
return NULL;
Reported by FlawFinder.
drivers/video/fbdev/au1200fb.c
5 issues
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int colorkey;
unsigned int mask;
unsigned int panel_choice;
char panel_desc[80];
};
#define WIN_POSITION (1<< 0)
#define WIN_ALPHA_COLOR (1<< 1)
Reported by FlawFinder.
Line: 189
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int nohwcursor = 0;
struct window_settings {
unsigned char name[64];
uint32 mode_backcolor;
uint32 mode_colorkey;
uint32 mode_colorkeymsk;
struct {
int xres;
Reported by FlawFinder.
Line: 323
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct panel_settings
{
const char name[25]; /* Full name <vendor>_<model> */
struct fb_monspecs monspecs; /* FB monitor specs */
/* panel timings */
uint32 mode_screen;
Reported by FlawFinder.
Line: 1530
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* fixme: we're setting up LCD controller windows, so these dont give a
damn as to what the monitor specs are (the panel itself does, but that
isn't done here...so maybe need a generic catchall monitor setting??? */
memcpy(&fbi->monspecs, &panel->monspecs, sizeof(struct fb_monspecs));
/* We first try the user mode passed in argument. If that failed,
* or if no one has been specified, we default to the first mode of the
* panel list. Note that after this call, var data will be set */
if (!fb_find_mode(&fbi->var,
Reported by FlawFinder.
Line: 1558
Column: 2
CWE codes:
120
return ret;
}
strncpy(fbi->fix.id, "AU1200", sizeof(fbi->fix.id));
fbi->fix.smem_start = fbdev->fb_phys;
fbi->fix.smem_len = fbdev->fb_len;
fbi->fix.type = FB_TYPE_PACKED_PIXELS;
fbi->fix.xpanstep = 0;
fbi->fix.ypanstep = 0;
Reported by FlawFinder.
drivers/video/fbdev/omap/sossi.c
5 issues
Line: 252
Column: 35
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
sossi_clear_bits(SOSSI_INIT2_REG, 1 << 6);
}
static inline void set_timing(int access)
{
if (access != sossi.last_access) {
sossi.last_access = access;
_set_timing(sossi.clk_div,
sossi.clk_tw0[access], sossi.clk_tw1[access]);
Reported by FlawFinder.
Line: 254
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static inline void set_timing(int access)
{
if (access != sossi.last_access) {
sossi.last_access = access;
_set_timing(sossi.clk_div,
sossi.clk_tw0[access], sossi.clk_tw1[access]);
}
}
Reported by FlawFinder.
Line: 255
Column: 23
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static inline void set_timing(int access)
{
if (access != sossi.last_access) {
sossi.last_access = access;
_set_timing(sossi.clk_div,
sossi.clk_tw0[access], sossi.clk_tw1[access]);
}
}
Reported by FlawFinder.
Line: 257
Column: 22
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (access != sossi.last_access) {
sossi.last_access = access;
_set_timing(sossi.clk_div,
sossi.clk_tw0[access], sossi.clk_tw1[access]);
}
}
static void sossi_start_transfer(void)
{
Reported by FlawFinder.
Line: 257
Column: 45
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (access != sossi.last_access) {
sossi.last_access = access;
_set_timing(sossi.clk_div,
sossi.clk_tw0[access], sossi.clk_tw1[access]);
}
}
static void sossi_start_transfer(void)
{
Reported by FlawFinder.
drivers/misc/ibmasm/ibmasm.h
5 issues
Line: 46
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct timespec64 now;
ktime_get_real_ts64(&now);
sprintf(buf, "%llu.%.08lu", (long long)now.tv_sec,
now.tv_nsec / NSEC_PER_USEC);
return buf;
}
#define IBMASM_CMD_PENDING 0
Reported by FlawFinder.
Line: 110
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ibmasm_event {
unsigned int serial_number;
unsigned int data_size;
unsigned char data[IBMASM_EVENT_MAX_SIZE];
};
struct event_buffer {
struct ibmasm_event events[IBMASM_NUM_EVENTS];
unsigned int next_serial_number;
Reported by FlawFinder.
Line: 126
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
wait_queue_head_t wait;
struct list_head node;
unsigned int data_size;
unsigned char data[IBMASM_EVENT_MAX_SIZE];
};
struct reverse_heartbeat {
wait_queue_head_t wait;
unsigned int stopped;
Reported by FlawFinder.
Line: 148
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct command *heartbeat;
struct list_head command_queue;
struct event_buffer *event_buffer;
char dirname[IBMASM_NAME_SIZE];
char devname[IBMASM_NAME_SIZE];
unsigned int number;
struct ibmasm_remote remote;
int serial_line;
struct device *dev;
Reported by FlawFinder.
Line: 149
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct list_head command_queue;
struct event_buffer *event_buffer;
char dirname[IBMASM_NAME_SIZE];
char devname[IBMASM_NAME_SIZE];
unsigned int number;
struct ibmasm_remote remote;
int serial_line;
struct device *dev;
};
Reported by FlawFinder.