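The following issues were found by FlawFinder, which matches risky function names and declarations lexically and does not track data flow or buffer sizes; treat each entry below as a candidate for manual review rather than a confirmed defect.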
drivers/firmware/efi/libstub/gop.c
5 issues
Line: 44
Column: 12
CWE codes:
126
if (!strstarts(option, "mode="))
return false;
option += strlen("mode=");
m = simple_strtoull(option, &option, 0);
if (*option && *option++ != ',')
return false;
cmdline.option = EFI_CMDLINE_MODE_NUM;
cmdline.mode = m;
Reported by FlawFinder.
Line: 69
Column: 14
CWE codes:
126
if (*option == '-') {
option++;
if (strstarts(option, "rgb")) {
option += strlen("rgb");
pf = PIXEL_RGB_RESERVED_8BIT_PER_COLOR;
} else if (strstarts(option, "bgr")) {
option += strlen("bgr");
pf = PIXEL_BGR_RESERVED_8BIT_PER_COLOR;
} else if (isdigit(*option))
Reported by FlawFinder.
Line: 72
Column: 14
CWE codes:
126
option += strlen("rgb");
pf = PIXEL_RGB_RESERVED_8BIT_PER_COLOR;
} else if (strstarts(option, "bgr")) {
option += strlen("bgr");
pf = PIXEL_BGR_RESERVED_8BIT_PER_COLOR;
} else if (isdigit(*option))
d = simple_strtoull(option, &option, 10);
else
return false;
Reported by FlawFinder.
Line: 95
Column: 12
CWE codes:
126
{
if (!strstarts(option, "auto"))
return false;
option += strlen("auto");
if (*option && *option++ != ',')
return false;
cmdline.option = EFI_CMDLINE_AUTO;
*next = option;
Reported by FlawFinder.
Line: 108
Column: 12
CWE codes:
126
{
if (!strstarts(option, "list"))
return false;
option += strlen("list");
if (*option && *option++ != ',')
return false;
cmdline.option = EFI_CMDLINE_LIST;
*next = option;
Reported by FlawFinder.
drivers/firmware/efi/libstub/vsprintf.c
5 issues
Line: 301
Column: 5
CWE codes:
134
Suggestion:
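Use a constant for the format specification. Note that the flagged position (line 301, column 5) appears to be the definition of vsnprintf() shown in the excerpt below, where fmt is necessarily a parameter; whether a non-constant format string is ever passed has to be checked at the callers.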
++pos; \
} while (0);
int vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
/* The maximum space required is to print a 64-bit number in octal */
char tmp[(sizeof(unsigned long long) * 8 + 2) / 3];
char *tmp_end = &tmp[ARRAY_SIZE(tmp)];
long long num;
Reported by FlawFinder.
Line: 555
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
return pos;
}
int snprintf(char *buf, size_t size, const char *fmt, ...)
{
va_list args;
int i;
va_start(args, fmt);
Reported by FlawFinder.
Line: 561
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
int i;
va_start(args, fmt);
i = vsnprintf(buf, size, fmt, args);
va_end(args);
return i;
}
Reported by FlawFinder.
Line: 121
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
/* we are called with base 8, 10 or 16, only, thus don't need "G..." */
static const char digits[16] = "0123456789ABCDEF"; /* "GHIJKLMNOPQRSTUVWXYZ"; */
switch (base) {
case 10:
if (num != 0)
end = put_dec(end, num);
Reported by FlawFinder.
Line: 304
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
/* The maximum space required is to print a 64-bit number in octal */
char tmp[(sizeof(unsigned long long) * 8 + 2) / 3];
char *tmp_end = &tmp[ARRAY_SIZE(tmp)];
long long num;
int base;
const char *s;
size_t len, pos;
Reported by FlawFinder.
drivers/firmware/efi/libstub/x86-stub.c
5 issues
Line: 88
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (status != EFI_SUCCESS)
goto free_struct;
memcpy(rom->romdata, romimage, romsize);
return status;
free_struct:
efi_bs_call(free_pool, rom);
return status;
Reported by FlawFinder.
Line: 393
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hdr = &boot_params->hdr;
/* Copy the setup header from the second sector to boot_params */
memcpy(&hdr->jump, image_base + 512,
sizeof(struct setup_header) - offsetof(struct setup_header, jump));
/*
* Fill out some of the header fields ourselves because the
* EFI firmware loader doesn't load the first sector.
Reported by FlawFinder.
Line: 612
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
signature = efi_is_64bit() ? EFI64_LOADER_SIGNATURE
: EFI32_LOADER_SIGNATURE;
memcpy(&p->efi->efi_loader_signature, signature, sizeof(__u32));
efi_set_u64_split((unsigned long)efi_system_table,
&p->efi->efi_systab, &p->efi->efi_systab_hi);
p->efi->efi_memdesc_size = *map->desc_size;
p->efi->efi_memdesc_version = *map->desc_ver;
Reported by FlawFinder.
Line: 66
Column: 35
CWE codes:
120
20
rom->pcilen = pci->romsize;
*__rom = rom;
status = efi_call_proto(pci, pci.read, EfiPciIoWidthUint16,
PCI_VENDOR_ID, 1, &rom->vendor);
if (status != EFI_SUCCESS) {
efi_err("Failed to read rom->vendor\n");
goto free_struct;
Reported by FlawFinder.
Line: 74
Column: 35
CWE codes:
120
20
goto free_struct;
}
status = efi_call_proto(pci, pci.read, EfiPciIoWidthUint16,
PCI_DEVICE_ID, 1, &rom->devid);
if (status != EFI_SUCCESS) {
efi_err("Failed to read rom->devid\n");
goto free_struct;
Reported by FlawFinder.
drivers/acpi/osl.c
5 issues
Line: 157
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
{
static char buffer[512];
vsprintf(buffer, fmt, args);
#ifdef ENABLE_DEBUGGER
if (acpi_in_debugger) {
kdb_printf("%s", buffer);
} else {
Reported by FlawFinder.
Line: 155
Column: 9
CWE codes:
119
120
Suggestion:
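Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the excerpt below, the 512-byte static buffer is filled by vsprintf(), which takes no size argument; vsnprintf(buffer, sizeof(buffer), fmt, args) is the length-limited form.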
void acpi_os_vprintf(const char *fmt, va_list args)
{
static char buffer[512];
vsprintf(buffer, fmt, args);
#ifdef ENABLE_DEBUGGER
if (acpi_in_debugger) {
Reported by FlawFinder.
Line: 523
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define ACPI_MAX_OVERRIDE_LEN 100
static char acpi_os_name[ACPI_MAX_OVERRIDE_LEN];
acpi_status
acpi_os_predefined_override(const struct acpi_predefined_names *init_val,
acpi_string *new_val)
{
Reported by FlawFinder.
Line: 533
Column: 44
CWE codes:
126
return AE_BAD_PARAMETER;
*new_val = NULL;
if (!memcmp(init_val->name, "_OS_", 4) && strlen(acpi_os_name)) {
pr_info("Overriding _OS definition to '%s'\n", acpi_os_name);
*new_val = acpi_os_name;
}
if (!memcmp(init_val->name, "_REV", 4) && acpi_rev_override) {
Reported by FlawFinder.
Line: 1317
Column: 11
CWE codes:
126
kdb_read(buffer, buffer_length);
/* remove the CR kdb includes */
chars = strlen(buffer) - 1;
buffer[chars] = '\0';
}
#else
int ret;
Reported by FlawFinder.
crypto/cbc.c
5 issues
Line: 36
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
do {
crypto_xor(iv, src, bsize);
fn(tfm, dst, iv);
memcpy(iv, dst, bsize);
src += bsize;
dst += bsize;
} while ((nbytes -= bsize) >= bsize);
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src += bsize;
} while ((nbytes -= bsize) >= bsize);
memcpy(walk->iv, iv, bsize);
return nbytes;
}
static int crypto_cbc_encrypt(struct skcipher_request *req)
Reported by FlawFinder.
Line: 117
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dst += bsize;
} while ((nbytes -= bsize) >= bsize);
memcpy(walk->iv, iv, bsize);
return nbytes;
}
static int crypto_cbc_decrypt_inplace(struct skcipher_walk *walk,
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Start of the last block. */
src += nbytes - (nbytes & (bsize - 1)) - bsize;
memcpy(last_iv, src, bsize);
for (;;) {
fn(tfm, src, src);
if ((nbytes -= bsize) < bsize)
break;
Reported by FlawFinder.
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
crypto_xor(src, walk->iv, bsize);
memcpy(walk->iv, last_iv, bsize);
return nbytes;
}
static int crypto_cbc_decrypt(struct skcipher_request *req)
Reported by FlawFinder.
drivers/firmware/efi/memmap.c
5 issues
Line: 319
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
old += old_memmap->desc_size, new += old_memmap->desc_size) {
/* copy original EFI memory descriptor */
memcpy(new, old, old_memmap->desc_size);
md = new;
start = md->phys_addr;
end = md->phys_addr + (md->num_pages << EFI_PAGE_SHIFT) - 1;
if (m_start <= start && end <= m_end)
Reported by FlawFinder.
Line: 335
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EFI_PAGE_SHIFT;
/* latter part */
new += old_memmap->desc_size;
memcpy(new, old, old_memmap->desc_size);
md = new;
md->phys_addr = m_end + 1;
md->num_pages = (end - md->phys_addr + 1) >>
EFI_PAGE_SHIFT;
}
Reported by FlawFinder.
Line: 348
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EFI_PAGE_SHIFT;
/* middle part */
new += old_memmap->desc_size;
memcpy(new, old, old_memmap->desc_size);
md = new;
md->attribute |= m_attr;
md->phys_addr = m_start;
md->num_pages = (m_end - m_start + 1) >>
EFI_PAGE_SHIFT;
Reported by FlawFinder.
Line: 356
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EFI_PAGE_SHIFT;
/* last part */
new += old_memmap->desc_size;
memcpy(new, old, old_memmap->desc_size);
md = new;
md->phys_addr = m_end + 1;
md->num_pages = (end - m_end) >>
EFI_PAGE_SHIFT;
}
Reported by FlawFinder.
Line: 370
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EFI_PAGE_SHIFT;
/* latter part */
new += old_memmap->desc_size;
memcpy(new, old, old_memmap->desc_size);
md = new;
md->phys_addr = m_start;
md->num_pages = (end - md->phys_addr + 1) >>
EFI_PAGE_SHIFT;
md->attribute |= m_attr;
Reported by FlawFinder.
drivers/crypto/ccp/sev-dev.c
5 issues
Line: 170
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* physically contiguous.
*/
if (data)
memcpy(sev->cmd_buf, data, buf_len);
/* Get the physical address of the command buffer */
phys_lsb = data ? lower_32_bits(__psp_pa(sev->cmd_buf)) : 0;
phys_msb = data ? upper_32_bits(__psp_pa(sev->cmd_buf)) : 0;
Reported by FlawFinder.
Line: 223
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* failure in case the caller wants to glean something from the error.
*/
if (data)
memcpy(data, sev->cmd_buf, buf_len);
return ret;
}
static int sev_do_cmd(int cmd, void *data, int *psp_ret)
Reported by FlawFinder.
Line: 498
Column: 2
CWE codes:
119
120
Suggestion:
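Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. In the excerpt below, the write into fw_name_specific already goes through snprintf() with sizeof(fw_name_specific) as the limit.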
static int sev_get_firmware(struct device *dev,
const struct firmware **firmware)
{
char fw_name_specific[SEV_FW_NAME_SIZE];
char fw_name_subset[SEV_FW_NAME_SIZE];
snprintf(fw_name_specific, sizeof(fw_name_specific),
"amd/amd_sev_fam%.2xh_model%.2xh.sbin",
boot_cpu_data.x86, boot_cpu_data.x86_model);
Reported by FlawFinder.
Line: 499
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct firmware **firmware)
{
char fw_name_specific[SEV_FW_NAME_SIZE];
char fw_name_subset[SEV_FW_NAME_SIZE];
snprintf(fw_name_specific, sizeof(fw_name_specific),
"amd/amd_sev_fam%.2xh_model%.2xh.sbin",
boot_cpu_data.x86, boot_cpu_data.x86_model);
Reported by FlawFinder.
Line: 565
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* memory region.
*/
data = page_address(p);
memcpy(page_address(p) + data_size, firmware->data, firmware->size);
data->address = __psp_pa(page_address(p) + data_size);
data->len = firmware->size;
ret = sev_do_cmd(SEV_CMD_DOWNLOAD_FIRMWARE, data, &error);
Reported by FlawFinder.
drivers/crypto/cavium/cpt/cptvf_algs.c
5 issues
Line: 126
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fctx->enc.enc_ctrl.e.iv_source = FROM_DPTR;
if (ctx->cipher_type == AES_XTS)
memcpy(fctx->enc.encr_key, ctx->enc_key, ctx->key_len * 2);
else
memcpy(fctx->enc.encr_key, ctx->enc_key, ctx->key_len);
ctrl_flags = (__be64 *)&fctx->enc.enc_ctrl.flags;
*ctrl_flags = cpu_to_be64(fctx->enc.enc_ctrl.flags);
Reported by FlawFinder.
Line: 128
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ctx->cipher_type == AES_XTS)
memcpy(fctx->enc.encr_key, ctx->enc_key, ctx->key_len * 2);
else
memcpy(fctx->enc.encr_key, ctx->enc_key, ctx->key_len);
ctrl_flags = (__be64 *)&fctx->enc.enc_ctrl.flags;
*ctrl_flags = cpu_to_be64(fctx->enc.enc_ctrl.flags);
offset_control = (__be64 *)&rctx->control_word;
*offset_control = cpu_to_be64(((u64)(enc_iv_len) << 16));
Reported by FlawFinder.
Line: 245
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (err)
return err;
ctx->key_len = keylen;
memcpy(ctx->enc_key, key1, keylen / 2);
memcpy(ctx->enc_key + KEY2_OFFSET, key2, keylen / 2);
ctx->cipher_type = AES_XTS;
switch (ctx->key_len) {
case 32:
ctx->key_type = AES_128_BIT;
Reported by FlawFinder.
Line: 246
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
ctx->key_len = keylen;
memcpy(ctx->enc_key, key1, keylen / 2);
memcpy(ctx->enc_key + KEY2_OFFSET, key2, keylen / 2);
ctx->cipher_type = AES_XTS;
switch (ctx->key_len) {
case 32:
ctx->key_type = AES_128_BIT;
break;
Reported by FlawFinder.
Line: 297
Column: 3
CWE codes:
120
Suggestion:
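Make sure destination can always hold the source data. In the excerpt below, the copy runs only when cvm_validate_keylen() returns zero for keylen, so the bound depends on that helper, which is not shown here.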
ctx->cipher_type = cipher_type;
if (!cvm_validate_keylen(ctx, keylen)) {
memcpy(ctx->enc_key, key, keylen);
return 0;
} else {
return -EINVAL;
}
}
Reported by FlawFinder.
drivers/crypto/caam/error.c
5 issues
Line: 230
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
JRSTA_DECOERR_INDEX_SHIFT;
char *idx_str;
const char *cha_str = "unidentified cha_id value 0x";
char cha_err_code[3] = { 0 };
const char *err_str = "unidentified err_id value 0x";
char err_err_code[3] = { 0 };
if (status & JRSTA_DECOERR_JUMP)
idx_str = "jump tgt desc idx";
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *cha_str = "unidentified cha_id value 0x";
char cha_err_code[3] = { 0 };
const char *err_str = "unidentified err_id value 0x";
char err_err_code[3] = { 0 };
if (status & JRSTA_DECOERR_JUMP)
idx_str = "jump tgt desc idx";
else
idx_str = "desc idx";
Reported by FlawFinder.
Line: 284
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
JRSTA_DECOERR_INDEX_SHIFT;
char *idx_str;
const char *err_str = "unidentified error value 0x";
char err_err_code[3] = { 0 };
int i;
if (status & JRSTA_DECOERR_JUMP)
idx_str = "jump tgt desc idx";
else
Reported by FlawFinder.
Line: 312
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u8 err_id = status & JRSTA_QIERR_ERROR_MASK;
const char *err_str = "unidentified error value 0x";
char err_err_code[3] = { 0 };
int i;
for (i = 0; i < ARRAY_SIZE(qi_error_list); i++)
if (qi_error_list[i].value == err_id)
break;
Reported by FlawFinder.
Line: 246
Column: 6
CWE codes:
126
if ((cha_id << JRSTA_CCBERR_CHAID_SHIFT) == JRSTA_CCBERR_CHAID_RNG &&
err_id < ARRAY_SIZE(rng_err_id_list) &&
strlen(rng_err_id_list[err_id])) {
/* RNG-only error */
err_str = rng_err_id_list[err_id];
} else {
err_str = err_id_list[err_id];
}
Reported by FlawFinder.
drivers/firmware/smccc/soc_id.c
5 issues
Line: 88
Column: 2
CWE codes:
120
Suggestion:
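Use sprintf_s, snprintf, or vsnprintf. Of these, kernel code has snprintf and vsnprintf but not sprintf_s; passing sizeof() of the destination array, e.g. snprintf(soc_id_str, sizeof(soc_id_str), ...), keeps the write bounded even if a formatted value turns out wider than expected.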
sprintf(soc_id_jep106_id_str, "jep106:%02x%02x",
JEP106_BANK_CONT_CODE(soc_id_version),
JEP106_ID_CODE(soc_id_version));
sprintf(soc_id_str, "%s:%04x", soc_id_jep106_id_str,
IMP_DEF_SOC_ID(soc_id_version));
soc_dev_attr->soc_id = soc_id_str;
soc_dev_attr->revision = soc_id_rev_str;
soc_dev_attr->family = soc_id_jep106_id_str;
Reported by FlawFinder.
Line: 39
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct arm_smccc_res res;
int soc_id_rev, soc_id_version;
static char soc_id_str[20], soc_id_rev_str[12];
static char soc_id_jep106_id_str[12];
if (arm_smccc_get_version() < ARM_SMCCC_VERSION_1_2)
return 0;
Reported by FlawFinder.
Line: 40
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct arm_smccc_res res;
int soc_id_rev, soc_id_version;
static char soc_id_str[20], soc_id_rev_str[12];
static char soc_id_jep106_id_str[12];
if (arm_smccc_get_version() < ARM_SMCCC_VERSION_1_2)
return 0;
if (arm_smccc_1_1_get_conduit() == SMCCC_CONDUIT_NONE) {
Reported by FlawFinder.
Line: 84
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!soc_dev_attr)
return -ENOMEM;
sprintf(soc_id_rev_str, "0x%08x", soc_id_rev);
sprintf(soc_id_jep106_id_str, "jep106:%02x%02x",
JEP106_BANK_CONT_CODE(soc_id_version),
JEP106_ID_CODE(soc_id_version));
sprintf(soc_id_str, "%s:%04x", soc_id_jep106_id_str,
IMP_DEF_SOC_ID(soc_id_version));
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return -ENOMEM;
sprintf(soc_id_rev_str, "0x%08x", soc_id_rev);
sprintf(soc_id_jep106_id_str, "jep106:%02x%02x",
JEP106_BANK_CONT_CODE(soc_id_version),
JEP106_ID_CODE(soc_id_version));
sprintf(soc_id_str, "%s:%04x", soc_id_jep106_id_str,
IMP_DEF_SOC_ID(soc_id_version));
Reported by FlawFinder.