The following issues were found
drivers/crypto/padlock-aes.c
5 issues
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (aes_expandkey(&gen_aes, in_key, key_len))
return -EINVAL;
memcpy(ctx->E, gen_aes.key_enc, AES_MAX_KEYLENGTH);
memcpy(ctx->D, gen_aes.key_dec, AES_MAX_KEYLENGTH);
ok:
for_each_online_cpu(cpu)
if (&ctx->cword.encrypt == per_cpu(paes_last_cword, cpu) ||
Reported by FlawFinder.
Line: 151
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
memcpy(ctx->E, gen_aes.key_enc, AES_MAX_KEYLENGTH);
memcpy(ctx->D, gen_aes.key_dec, AES_MAX_KEYLENGTH);
ok:
for_each_online_cpu(cpu)
if (&ctx->cword.encrypt == per_cpu(paes_last_cword, cpu) ||
&ctx->cword.decrypt == per_cpu(paes_last_cword, cpu))
Reported by FlawFinder.
Line: 221
Column: 2
CWE codes:
120
Suggestion:
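Make sure destination can always hold the source data. Here buf leaves room for MAX_ECB_FETCH_BLOCKS - 1 blocks once tmp is aligned, so the invariant to confirm at the call sites is count <= MAX_ECB_FETCH_BLOCKS - 1.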
u8 buf[AES_BLOCK_SIZE * (MAX_ECB_FETCH_BLOCKS - 1) + PADLOCK_ALIGNMENT - 1];
u8 *tmp = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
memcpy(tmp, in, count * AES_BLOCK_SIZE);
rep_xcrypt_ecb(tmp, out, key, cword, count);
}
static u8 *cbc_crypt_copy(const u8 *in, u8 *out, u32 *key,
u8 *iv, struct cword *cword, int count)
Reported by FlawFinder.
Line: 235
Column: 2
CWE codes:
120
Suggestion:
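Make sure destination can always hold the source data. Here buf leaves room for MAX_CBC_FETCH_BLOCKS - 1 blocks once tmp is aligned, so the invariant to confirm at the call sites is 0 <= count <= MAX_CBC_FETCH_BLOCKS - 1 (count is declared int in the cbc_crypt_copy signature).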
u8 buf[AES_BLOCK_SIZE * (MAX_CBC_FETCH_BLOCKS - 1) + PADLOCK_ALIGNMENT - 1];
u8 *tmp = PTR_ALIGN(&buf[0], PADLOCK_ALIGNMENT);
memcpy(tmp, in, count * AES_BLOCK_SIZE);
return rep_xcrypt_cbc(tmp, out, key, iv, cword, count);
}
static inline void ecb_crypt(const u8 *in, u8 *out, u32 *key,
struct cword *cword, int count)
Reported by FlawFinder.
Line: 426
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
walk.dst.virt.addr, ctx->E,
walk.iv, &ctx->cword.encrypt,
nbytes / AES_BLOCK_SIZE);
memcpy(walk.iv, iv, AES_BLOCK_SIZE);
nbytes &= AES_BLOCK_SIZE - 1;
err = skcipher_walk_done(&walk, nbytes);
}
padlock_store_cword(&ctx->cword.decrypt);
Reported by FlawFinder.
drivers/crypto/nx/nx-common-pseries.c
5 issues
Line: 92
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nx842_workmem {
/* scatterlist */
char slin[4096];
char slout[4096];
/* coprocessor status/parameter block */
struct nx_csbcpb csbcpb;
char padding[WORKMEM_ALIGN];
Reported by FlawFinder.
Line: 93
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct nx842_workmem {
/* scatterlist */
char slin[4096];
char slout[4096];
/* coprocessor status/parameter block */
struct nx_csbcpb csbcpb;
char padding[WORKMEM_ALIGN];
} __aligned(WORKMEM_ALIGN);
Reported by FlawFinder.
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* coprocessor status/parameter block */
struct nx_csbcpb csbcpb;
char padding[WORKMEM_ALIGN];
} __aligned(WORKMEM_ALIGN);
/* Macros for fields within nx_csbcpb */
/* Check the valid bit within the csbcpb valid field */
#define NX842_CSBCBP_VALID_CHK(x) (x & BIT_MASK(7))
Reported by FlawFinder.
Line: 764
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENODEV;
}
memcpy(new_devdata, old_devdata, sizeof(*old_devdata));
new_devdata->counters = old_devdata->counters;
/* Set ptrs for existing properties */
status = of_find_property(of_node, "status", NULL);
maxsglen = of_find_property(of_node, "ibm,max-sg-len", NULL);
Reported by FlawFinder.
Line: 974
Column: 9
CWE codes:
120
Suggestion:
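Use sprintf_s, snprintf, or vsnprintf. Note that sprintf_s is not a kernel API; for a sysfs show callback such as the one this macro generates (struct device_attribute *attr, char *buf), the kernel's bounded helper is sysfs_emit() in trees that provide it. The output here is a single %lld value plus a newline.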
static ssize_t nxcop_##_name##_show(struct device *dev, \
struct device_attribute *attr, char *buf) \
{ \
return sprintf(buf, "%lld\n", nx_cop_caps._name); \
}
#define NXCT_ATTR_RO(_name) \
nxcop_caps_read(_name); \
static struct device_attribute dev_attr_##_name = __ATTR(_name, \
Reported by FlawFinder.
drivers/edac/octeon_edac-lmc.c
5 issues
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
union cvmx_lmcx_mem_cfg0 cfg0;
bool do_clear = false;
char msg[64];
cfg0.u64 = cvmx_read_csr(CVMX_LMCX_MEM_CFG0(mci->mc_idx));
if (cfg0.s.sec_err || cfg0.s.ded_err) {
union cvmx_lmcx_fadr fadr;
fadr.u64 = cvmx_read_csr(CVMX_LMCX_FADR(mci->mc_idx));
Reported by FlawFinder.
Line: 76
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct octeon_lmc_pvt *pvt = mci->pvt_info;
union cvmx_lmcx_int int_reg;
bool do_clear = false;
char msg[64];
if (!pvt->inject)
int_reg.u64 = cvmx_read_csr(CVMX_LMCX_INT(mci->mc_idx));
else {
int_reg.u64 = 0;
Reported by FlawFinder.
Line: 137
Column: 9
CWE codes:
120
Suggestion:
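Use sprintf_s, snprintf, or vsnprintf. Note that sprintf_s is not a kernel API; if data is the sysfs show buffer (the template's signature is outside this excerpt), sysfs_emit() is the kernel's bounded helper in trees that provide it. The output here is a single u64 formatted with %016llu plus a newline.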
{ \
struct mem_ctl_info *mci = to_mci(dev); \
struct octeon_lmc_pvt *pvt = mci->pvt_info; \
return sprintf(data, "%016llu\n", (u64)pvt->reg); \
}
#define TEMPLATE_STORE(reg) \
static ssize_t octeon_mc_inject_##reg##_store(struct device *dev, \
struct device_attribute *attr, \
Reported by FlawFinder.
Line: 190
Column: 10
CWE codes:
120
Suggestion:
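Use sprintf_s, snprintf, or vsnprintf. Note that sprintf_s is not a kernel API; if data is the sysfs show buffer (the function's signature is outside this excerpt), sysfs_emit() is the kernel's bounded helper in trees that provide it. The string written here is the constant "single".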
struct mem_ctl_info *mci = to_mci(dev);
struct octeon_lmc_pvt *pvt = mci->pvt_info;
if (pvt->error_type == 1)
return sprintf(data, "single");
else if (pvt->error_type == 2)
return sprintf(data, "double");
return 0;
}
Reported by FlawFinder.
Line: 192
Column: 10
CWE codes:
120
Suggestion:
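Use sprintf_s, snprintf, or vsnprintf. Note that sprintf_s is not a kernel API; if data is the sysfs show buffer (the function's signature is outside this excerpt), sysfs_emit() is the kernel's bounded helper in trees that provide it. The string written here is the constant "double".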
if (pvt->error_type == 1)
return sprintf(data, "single");
else if (pvt->error_type == 2)
return sprintf(data, "double");
return 0;
}
static DEVICE_ATTR(inject, S_IRUGO | S_IWUSR,
Reported by FlawFinder.
drivers/crypto/nx/nx-aes-ctr.c
5 issues
Line: 49
Column: 2
CWE codes:
120
Suggestion:
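Make sure destination can always hold the source data. The copy length here is the caller-supplied key_len, so the check to confirm is whatever key_len validation precedes this excerpt, measured against the size of cpb.aes_ctr.key.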
}
csbcpb->cpb.hdr.mode = NX_MODE_AES_CTR;
memcpy(csbcpb->cpb.aes_ctr.key, in_key, key_len);
return 0;
}
static int ctr3686_aes_nx_set_key(struct crypto_skcipher *tfm,
Reported by FlawFinder.
Line: 63
Column: 2
CWE codes:
120
Suggestion:
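Make sure destination can always hold the source data. The visible key_len < CTR_RFC3686_NONCE_SIZE check keeps the source read inside in_key; what remains to confirm is that priv.ctr.nonce is at least CTR_RFC3686_NONCE_SIZE bytes.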
if (key_len < CTR_RFC3686_NONCE_SIZE)
return -EINVAL;
memcpy(nx_ctx->priv.ctr.nonce,
in_key + key_len - CTR_RFC3686_NONCE_SIZE,
CTR_RFC3686_NONCE_SIZE);
key_len -= CTR_RFC3686_NONCE_SIZE;
Reported by FlawFinder.
Line: 102
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (rc)
goto out;
memcpy(iv, csbcpb->cpb.aes_cbc.cv, AES_BLOCK_SIZE);
atomic_inc(&(nx_ctx->stats->aes_ops));
atomic64_add(be32_to_cpu(csbcpb->csb.processed_byte_count),
&(nx_ctx->stats->aes_bytes));
Reported by FlawFinder.
Line: 121
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct nx_crypto_ctx *nx_ctx = crypto_skcipher_ctx(tfm);
u8 iv[16];
memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_NONCE_SIZE);
memcpy(iv + CTR_RFC3686_NONCE_SIZE, req->iv, CTR_RFC3686_IV_SIZE);
iv[12] = iv[13] = iv[14] = 0;
iv[15] = 1;
return ctr_aes_nx_crypt(req, iv);
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 iv[16];
memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_NONCE_SIZE);
memcpy(iv + CTR_RFC3686_NONCE_SIZE, req->iv, CTR_RFC3686_IV_SIZE);
iv[12] = iv[13] = iv[14] = 0;
iv[15] = 1;
return ctr_aes_nx_crypt(req, iv);
}
Reported by FlawFinder.
drivers/acpi/acpica/exstorob.c
5 issues
Line: 15
#include "acinterp.h"
#define _COMPONENT ACPI_EXECUTER
ACPI_MODULE_NAME("exstorob")
/*******************************************************************************
*
* FUNCTION: acpi_ex_store_buffer_to_buffer
*
Reported by Cppcheck.
Line: 71
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(target_desc->buffer.pointer, 0,
target_desc->buffer.length);
memcpy(target_desc->buffer.pointer, buffer, length);
#ifdef ACPI_OBSOLETE_BEHAVIOR
/*
* NOTE: ACPI versions up to 3.0 specified that the buffer must be
* truncated if the string is smaller than the buffer. However, "other"
Reported by FlawFinder.
Line: 98
Column: 3
CWE codes:
120
Suggestion:
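Make sure destination can always hold the source data. In this branch the copy length is the destination's own target_desc->buffer.length, so the destination bound holds as long as that field matches the allocation; the code comment indicates the source is the longer buffer here.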
} else {
/* Truncate the source, copy only what will fit */
memcpy(target_desc->buffer.pointer, buffer,
target_desc->buffer.length);
ACPI_DEBUG_PRINT((ACPI_DB_INFO,
"Truncating source buffer from %X to %X\n",
length, target_desc->buffer.length));
Reported by FlawFinder.
Line: 158
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
memset(target_desc->string.pointer, 0,
(acpi_size)target_desc->string.length + 1);
memcpy(target_desc->string.pointer, buffer, length);
} else {
/*
* Free the current buffer, then allocate a new buffer
* large enough to hold the value
*/
Reported by FlawFinder.
Line: 180
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
target_desc->common.flags &= ~AOPOBJ_STATIC_POINTER;
memcpy(target_desc->string.pointer, buffer, length);
}
/* Set the new target length */
target_desc->string.length = length;
Reported by FlawFinder.
drivers/acpi/acpica/exregion.c
5 issues
Line: 15
#include "acinterp.h"
#define _COMPONENT ACPI_EXECUTER
ACPI_MODULE_NAME("exregion")
/*******************************************************************************
*
* FUNCTION: acpi_ex_system_memory_space_handler
*
Reported by Cppcheck.
Line: 121
Column: 9
CWE codes:
362/367!
Suggestion:
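Set up the correct permissions (e.g., using setuid()) and try to open the file directly. In this excerpt the only match for "access" is the goto target in `goto access;`, not a call to access(2), so the check-then-use race described by CWE-362/367 does not apply to these lines.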
continue;
mem_info->cur_mm = mm;
goto access;
}
/* Create a new mappings list entry */
mm = ACPI_ALLOCATE_ZEROED(sizeof(*mm));
if (!mm) {
Reported by FlawFinder.
Line: 190
Column: 1
CWE codes:
362/367!
Suggestion:
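Set up the correct permissions (e.g., using setuid()) and try to open the file directly. In this excerpt the match at column 1 is the statement label `access:`, not a call to access(2), so the check-then-use race described by CWE-362/367 does not apply to these lines.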
mem_info->cur_mm = mm;
}
access:
/*
* Generate a logical pointer corresponding to the address we want to
* access
*/
logical_addr_ptr = mm->logical_address +
Reported by FlawFinder.
Line: 521
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (function) {
case ACPI_READ:
memcpy(ACPI_CAST_PTR(char, value),
ACPI_PHYSADDR_TO_PTR(address), ACPI_DIV_8(bit_width));
break;
case ACPI_WRITE:
Reported by FlawFinder.
Line: 527
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case ACPI_WRITE:
memcpy(ACPI_PHYSADDR_TO_PTR(address),
ACPI_CAST_PTR(char, value), ACPI_DIV_8(bit_width));
break;
default:
Reported by FlawFinder.
drivers/firewire/sbp2.c
5 issues
Line: 425
Column: 3
CWE codes:
120
Suggestion:
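Make sure destination can always hold the source data. The visible guard (length > 8) is only a lower bound; confirm that an upper bound on length, keeping length - 8 within sizeof(status.data), is enforced before this excerpt.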
status.orb_low = be32_to_cpup(payload + 4);
memset(status.data, 0, sizeof(status.data));
if (length > 8)
memcpy(status.data, payload + 8, length - 8);
if (STATUS_GET_SOURCE(status) == 2 || STATUS_GET_SOURCE(status) == 3) {
dev_notice(lu_dev(lu),
"non-ORB related status write, not handled\n");
fw_send_response(card, request, RCODE_COMPLETE);
Reported by FlawFinder.
Line: 543
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
container_of(base_orb, struct sbp2_management_orb, base);
if (status)
memcpy(&orb->status, status, sizeof(*status));
complete(&orb->done);
}
static int sbp2_send_management_orb(struct sbp2_logical_unit *lu, int node_id,
int generation, int function,
Reported by FlawFinder.
Line: 639
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
sizeof(orb->response), DMA_FROM_DEVICE);
fail_mapping_response:
if (response)
memcpy(response, orb->response, sizeof(orb->response));
kref_put(&orb->base.kref, free_orb);
return retval;
}
Reported by FlawFinder.
Line: 1472
Column: 2
CWE codes:
120
Suggestion:
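Make sure destination can always hold the source data. The copy length is cmd->cmd_len, which is not checked in the visible lines; confirm it is bounded by the size of orb->request.command_block before the command reaches this point.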
if (scsi_sg_count(cmd) && sbp2_map_scatterlist(orb, device, lu) < 0)
goto out;
memcpy(orb->request.command_block, cmd->cmnd, cmd->cmd_len);
orb->base.callback = complete_command_orb;
orb->base.request_bus =
dma_map_single(device->card->device, &orb->request,
sizeof(orb->request), DMA_TO_DEVICE);
Reported by FlawFinder.
Line: 1574
Column: 9
CWE codes:
120
Suggestion:
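Use sprintf_s, snprintf, or vsnprintf. Note that sprintf_s is not a kernel API; for a sysfs show callback such as sbp2_sysfs_ieee1394_id_show, the kernel's bounded helper is sysfs_emit() in trees that provide it. The output here is three fixed-format hexadecimal fields plus a newline.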
lu = sdev->hostdata;
return sprintf(buf, "%016llx:%06x:%04x\n",
(unsigned long long)lu->tgt->guid,
lu->tgt->directory_id, lu->lun);
}
static DEVICE_ATTR(ieee1394_id, S_IRUGO, sbp2_sysfs_ieee1394_id_show, NULL);
Reported by FlawFinder.
drivers/firmware/broadcom/bcm47xx_nvram.c
5 issues
Line: 33
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 config_ncdl; /* ncdl values for memc */
};
static char nvram_buf[NVRAM_SPACE];
static size_t nvram_len;
static const u32 nvram_sizes[] = {0x6000, 0x8000, 0xF000, 0x10000};
/**
* bcm47xx_nvram_is_valid - check for a valid NVRAM at specified memory
Reported by FlawFinder.
Line: 202
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, err;
char nvram_var[] = "gpioXX";
char buf[NVRAM_MAX_GPIO_VALUE_LEN];
/* TODO: Optimize it to don't call getenv so many times */
for (i = 0; i < NVRAM_MAX_GPIO_ENTRIES; i++) {
err = snprintf(nvram_var, sizeof(nvram_var), "gpio%i", i);
if (err <= 0)
Reported by FlawFinder.
Line: 234
Column: 2
CWE codes:
120
Suggestion:
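Make sure destination can always hold the source data. The destination is allocated with the same *nvram_size that is copied, so the destination bound holds; the bound to confirm is on the read side, that sizeof(struct nvram_header) + *nvram_size stays within nvram_buf.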
nvram = vmalloc(*nvram_size);
if (!nvram)
return NULL;
memcpy(nvram, &nvram_buf[sizeof(struct nvram_header)], *nvram_size);
return nvram;
}
EXPORT_SYMBOL(bcm47xx_nvram_get_contents);
Reported by FlawFinder.
Line: 189
Column: 19
CWE codes:
126
if (!eq)
break;
value = eq + 1;
if (eq - var == strlen(name) &&
strncmp(var, name, eq - var) == 0)
return snprintf(val, val_len, "%s", value);
var = value + strlen(value) + 1;
}
return -ENOENT;
Reported by FlawFinder.
Line: 192
Column: 17
CWE codes:
126
if (eq - var == strlen(name) &&
strncmp(var, name, eq - var) == 0)
return snprintf(val, val_len, "%s", value);
var = value + strlen(value) + 1;
}
return -ENOENT;
}
EXPORT_SYMBOL(bcm47xx_nvram_getenv);
Reported by FlawFinder.
drivers/firmware/efi/cper.c
5 issues
Line: 28
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <acpi/ghes.h>
#include <ras/ras_event.h>
static char rcd_decode_str[CPER_REC_LEN];
/*
* CPER record ID need to be unique even after reboot, because record
* ID is used as index for ERST storage, while CPER records from
* multiple boot may co-exist in ERST.
Reported by FlawFinder.
Line: 89
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int i, len = 0;
const char *str;
char buf[84];
for (i = 0; i < strs_size; i++) {
if (!(bits & (1U << i)))
continue;
str = strs[i];
Reported by FlawFinder.
Line: 501
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
guid_t *sec_type = (guid_t *)gdata->section_type;
__u16 severity;
char newpfx[64];
if (acpi_hest_get_version(gdata) >= 3)
cper_print_tstamp(pfx, (struct acpi_hest_generic_data_v300 *)gdata);
severity = gdata->error_severity;
Reported by FlawFinder.
Line: 592
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct acpi_hest_generic_data *gdata;
int sec_no = 0;
char newpfx[64];
__u16 severity;
severity = estatus->error_severity;
if (severity == CPER_SEV_CORRECTED)
printk("%s%s\n", pfx,
Reported by FlawFinder.
Line: 97
Column: 20
CWE codes:
126
str = strs[i];
if (!str)
continue;
if (len && len + strlen(str) + 2 > 80) {
printk("%s\n", buf);
len = 0;
}
if (!len)
len = snprintf(buf, sizeof(buf), "%s%s", pfx, str);
Reported by FlawFinder.
drivers/firmware/efi/libstub/efistub.h
5 issues
Line: 494
Column: 26
CWE codes:
362
struct efi_file_protocol {
u64 revision;
efi_status_t (__efiapi *open) (efi_file_protocol_t *,
efi_file_protocol_t **,
efi_char16_t *, u64, u64);
efi_status_t (__efiapi *close) (efi_file_protocol_t *);
efi_status_t (__efiapi *delete) (efi_file_protocol_t *);
efi_status_t (__efiapi *read) (efi_file_protocol_t *,
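Reported by FlawFinder. The flagged token appears to be the function-pointer member name `open` in the efi_file_protocol declaration, not a call to open(2); these lines contain no file-open call.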
Line: 499
Column: 26
CWE codes:
120
20
efi_char16_t *, u64, u64);
efi_status_t (__efiapi *close) (efi_file_protocol_t *);
efi_status_t (__efiapi *delete) (efi_file_protocol_t *);
efi_status_t (__efiapi *read) (efi_file_protocol_t *,
unsigned long *, void *);
efi_status_t (__efiapi *write) (efi_file_protocol_t *,
unsigned long, void *);
efi_status_t (__efiapi *get_position)(efi_file_protocol_t *, u64 *);
efi_status_t (__efiapi *set_position)(efi_file_protocol_t *, u64);
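Reported by FlawFinder. The flagged token appears to be the function-pointer member name `read` in the protocol declaration, not a read() call; no buffer is filled in these lines.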
Line: 552
Column: 6
CWE codes:
120
20
} EFI_PCI_IO_PROTOCOL_ATTRIBUTE_OPERATION;
typedef struct {
u32 read;
u32 write;
} efi_pci_io_protocol_access_32_t;
typedef union efi_pci_io_protocol efi_pci_io_protocol_t;
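Reported by FlawFinder. The flagged token appears to be the u32 field named `read` in efi_pci_io_protocol_access_32_t, not a read() call; no buffer is filled in these lines.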
Line: 571
Column: 28
CWE codes:
120
20
} efi_pci_io_protocol_access_t;
typedef struct {
efi_pci_io_protocol_cfg_t read;
efi_pci_io_protocol_cfg_t write;
} efi_pci_io_protocol_config_access_t;
union efi_pci_io_protocol {
struct {
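Reported by FlawFinder. The flagged token appears to be the field named `read` in efi_pci_io_protocol_config_access_t, not a read() call; no buffer is filled in these lines.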