The following issues were found
drivers/gpu/drm/amd/display/dc/dce/dce_clk_mgr.c
5 issues
Line: 856
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
memcpy(clk_mgr_dce->max_clks_by_state,
dce80_max_clks_by_state,
sizeof(dce80_max_clks_by_state));
dce_clk_mgr_construct(
clk_mgr_dce, ctx, regs, clk_shift, clk_mask);
Reported by FlawFinder.
Line: 879
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
memcpy(clk_mgr_dce->max_clks_by_state,
dce110_max_clks_by_state,
sizeof(dce110_max_clks_by_state));
dce_clk_mgr_construct(
clk_mgr_dce, ctx, regs, clk_shift, clk_mask);
Reported by FlawFinder.
Line: 904
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
memcpy(clk_mgr_dce->max_clks_by_state,
dce112_max_clks_by_state,
sizeof(dce112_max_clks_by_state));
dce_clk_mgr_construct(
clk_mgr_dce, ctx, regs, clk_shift, clk_mask);
Reported by FlawFinder.
Line: 925
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
memcpy(clk_mgr_dce->max_clks_by_state,
dce120_max_clks_by_state,
sizeof(dce120_max_clks_by_state));
dce_clk_mgr_construct(
clk_mgr_dce, ctx, NULL, NULL, NULL);
Reported by FlawFinder.
Line: 948
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
}
memcpy(clk_mgr_dce->max_clks_by_state, dce120_max_clks_by_state,
sizeof(dce120_max_clks_by_state));
dce_clk_mgr_construct(clk_mgr_dce, ctx, NULL, NULL, NULL);
clk_mgr_dce->dprefclk_khz = 625000;
Reported by FlawFinder.
drivers/gpu/drm/amd/include/atombios.h
5 issues
Line: 7939
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
UCHAR ucRefreshRateFactor; // [1:0]=RefreshFactor (00=8ms, 01=16ms, 10=32ms,11=64ms)
UCHAR ucFIFODepth; // FIFO depth can be detected during vendor detection, here is hardcoded per memory
UCHAR ucCDR_Bandwidth; // [0:3]=Read CDR bandwidth, [4:7] - Write CDR Bandwidth
char strMemPNString[20]; // part number end with '0'.
}ATOM_VRAM_MODULE_V7;
typedef struct _ATOM_VRAM_MODULE_V8
{
Reported by FlawFinder.
Line: 7973
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ULONG ulChannelMapCfg1; // channel mapping for channel8~15
ULONG ulBankMapCfg;
ULONG ulReserved;
char strMemPNString[20]; // part number end with '0'.
}ATOM_VRAM_MODULE_V8;
typedef struct _ATOM_VRAM_INFO_V2
{
Reported by FlawFinder.
Line: 8687
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
UCHAR PciReservedSpace[18];
USHORT usPciDataStructureOffset;
UCHAR Rsvd1d_1a[4];
char strIbm[3];
UCHAR CheckSum[14];
UCHAR ucBiosMsgNumber;
char str761295520[16];
USHORT usLabelCoreVPOSTNoMode;
USHORT usSpecialPostOffset;
Reported by FlawFinder.
Line: 8690
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char strIbm[3];
UCHAR CheckSum[14];
UCHAR ucBiosMsgNumber;
char str761295520[16];
USHORT usLabelCoreVPOSTNoMode;
USHORT usSpecialPostOffset;
UCHAR ucSpeicalPostImageSizeIn512Bytes;
UCHAR Rsved47_45[3];
USHORT usROM_HeaderInformationTableOffset;
Reported by FlawFinder.
Line: 8697
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
UCHAR Rsved47_45[3];
USHORT usROM_HeaderInformationTableOffset;
UCHAR Rsved4f_4a[6];
char strBuildTimeStamp[20];
UCHAR ucJumpCoreXFuncFarHandler;
USHORT usCoreXFuncFarHandlerOffset;
UCHAR ucRsved67;
UCHAR ucJumpCoreVFuncFarHandler;
USHORT usCoreVFuncFarHandlerOffset;
Reported by FlawFinder.
drivers/block/brd.c
5 issues
Line: 208
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(!page);
dst = kmap_atomic(page);
memcpy(dst + offset, src, copy);
kunmap_atomic(dst);
if (copy < n) {
src += copy;
sector += copy >> SECTOR_SHIFT;
Reported by FlawFinder.
Line: 219
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(!page);
dst = kmap_atomic(page);
memcpy(dst, src, copy);
kunmap_atomic(dst);
}
}
/*
Reported by FlawFinder.
Line: 239
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
page = brd_lookup_page(brd, sector);
if (page) {
src = kmap_atomic(page);
memcpy(dst, src + offset, copy);
kunmap_atomic(src);
} else
memset(dst, 0, copy);
if (copy < n) {
Reported by FlawFinder.
Line: 251
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
page = brd_lookup_page(brd, sector);
if (page) {
src = kmap_atomic(page);
memcpy(dst, src, copy);
kunmap_atomic(src);
} else
memset(dst, 0, copy);
}
}
Reported by FlawFinder.
Line: 377
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct brd_device *brd;
struct gendisk *disk;
char buf[DISK_NAME_LEN];
brd = kzalloc(sizeof(*brd), GFP_KERNEL);
if (!brd)
return -ENOMEM;
brd->brd_number = i;
Reported by FlawFinder.
drivers/dio/dio-sysfs.c
5 issues
Line: 52
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct dio_dev *d;
d = to_dio_dev(dev);
return sprintf(buf, "%s\n", d->name);
}
static DEVICE_ATTR(name, S_IRUGO, dio_show_name, NULL);
static ssize_t dio_show_resource(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 25
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct dio_dev *d;
d = to_dio_dev(dev);
return sprintf(buf, "0x%02x\n", (d->id & 0xff));
}
static DEVICE_ATTR(id, S_IRUGO, dio_show_id, NULL);
static ssize_t dio_show_ipl(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 34
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct dio_dev *d;
d = to_dio_dev(dev);
return sprintf(buf, "0x%02x\n", d->ipl);
}
static DEVICE_ATTR(ipl, S_IRUGO, dio_show_ipl, NULL);
static ssize_t dio_show_secid(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 43
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct dio_dev *d;
d = to_dio_dev(dev);
return sprintf(buf, "0x%02x\n", ((d->id >> 8)& 0xff));
}
static DEVICE_ATTR(secid, S_IRUGO, dio_show_secid, NULL);
static ssize_t dio_show_name(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 60
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dio_dev *d = to_dio_dev(dev);
return sprintf(buf, "0x%08lx 0x%08lx 0x%08lx\n",
(unsigned long)dio_resource_start(d),
(unsigned long)dio_resource_end(d),
dio_resource_flags(d));
}
static DEVICE_ATTR(resource, S_IRUGO, dio_show_resource, NULL);
Reported by FlawFinder.
drivers/dma/dmatest.c
5 issues
Line: 28
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param(test_buf_size, uint, S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(test_buf_size, "Size of the memcpy test buffer");
static char test_device[32];
module_param_string(device, test_device, sizeof(test_device),
S_IRUGO | S_IWUSR);
MODULE_PARM_DESC(device, "Bus ID of the DMA Engine to test (default: any)");
static unsigned int threads_per_chan = 1;
Reported by FlawFinder.
Line: 111
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct dmatest_params {
unsigned int buf_size;
char channel[20];
char device[32];
unsigned int threads_per_chan;
unsigned int max_channels;
unsigned int iterations;
unsigned int xor_sources;
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dmatest_params {
unsigned int buf_size;
char channel[20];
char device[32];
unsigned int threads_per_chan;
unsigned int max_channels;
unsigned int iterations;
unsigned int xor_sources;
unsigned int pq_sources;
Reported by FlawFinder.
Line: 167
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
.get = dmatest_chan_get,
};
static char test_channel[20];
static struct kparam_string newchan_kps = {
.string = test_channel,
.maxlen = 20,
};
module_param_cb(channel, &multi_chan_ops, &newchan_kps, 0644);
Reported by FlawFinder.
Line: 1223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct dmatest_info *info = &test_info;
struct dmatest_chan *dtc;
char chan_reset_val[20];
int ret;
mutex_lock(&info->lock);
ret = param_set_copystring(val, kp);
if (ret) {
Reported by FlawFinder.
drivers/crypto/vmx/ghash.c
5 issues
Line: 70
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pagefault_enable();
preempt_enable();
memcpy(&ctx->key, key, GHASH_BLOCK_SIZE);
return 0;
}
static inline void __ghash_block(struct p8_ghash_ctx *ctx,
Reported by FlawFinder.
Line: 125
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dctx->bytes) {
if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
memcpy(dctx->buffer + dctx->bytes, src,
srclen);
dctx->bytes += srclen;
return 0;
}
memcpy(dctx->buffer + dctx->bytes, src,
Reported by FlawFinder.
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dctx->bytes += srclen;
return 0;
}
memcpy(dctx->buffer + dctx->bytes, src,
GHASH_DIGEST_SIZE - dctx->bytes);
__ghash_block(ctx, dctx);
src += GHASH_DIGEST_SIZE - dctx->bytes;
Reported by FlawFinder.
Line: 146
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
srclen -= len;
}
if (srclen) {
memcpy(dctx->buffer, src, srclen);
dctx->bytes = srclen;
}
return 0;
}
Reported by FlawFinder.
Line: 164
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__ghash_block(ctx, dctx);
dctx->bytes = 0;
}
memcpy(out, dctx->shash, GHASH_DIGEST_SIZE);
return 0;
}
struct shash_alg p8_ghash_alg = {
.digestsize = GHASH_DIGEST_SIZE,
Reported by FlawFinder.
drivers/dma/ioat/sysfs.c
5 issues
Line: 21
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct dma_device *dma = c->device;
return sprintf(page, "copy%s%s%s%s%s\n",
dma_has_cap(DMA_PQ, dma->cap_mask) ? " pq" : "",
dma_has_cap(DMA_PQ_VAL, dma->cap_mask) ? " pq_val" : "",
dma_has_cap(DMA_XOR, dma->cap_mask) ? " xor" : "",
dma_has_cap(DMA_XOR_VAL, dma->cap_mask) ? " xor_val" : "",
dma_has_cap(DMA_INTERRUPT, dma->cap_mask) ? " intr" : "");
Reported by FlawFinder.
Line: 36
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct dma_device *dma = c->device;
struct ioatdma_device *ioat_dma = to_ioatdma_device(dma);
return sprintf(page, "%d.%d\n",
ioat_dma->version >> 4, ioat_dma->version & 0xf);
}
struct ioat_sysfs_entry ioat_version_attr = __ATTR_RO(version);
static ssize_t
Reported by FlawFinder.
Line: 115
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ioatdma_chan *ioat_chan = to_ioat_chan(c);
return sprintf(page, "%d\n", (1 << ioat_chan->alloc_order) & ~1);
}
static struct ioat_sysfs_entry ring_size_attr = __ATTR_RO(ring_size);
static ssize_t ring_active_show(struct dma_chan *c, char *page)
{
Reported by FlawFinder.
Line: 124
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct ioatdma_chan *ioat_chan = to_ioat_chan(c);
/* ...taken outside the lock, no need to be precise */
return sprintf(page, "%d\n", ioat_ring_active(ioat_chan));
}
static struct ioat_sysfs_entry ring_active_attr = __ATTR_RO(ring_active);
static ssize_t intr_coalesce_show(struct dma_chan *c, char *page)
{
Reported by FlawFinder.
Line: 132
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ioatdma_chan *ioat_chan = to_ioat_chan(c);
return sprintf(page, "%d\n", ioat_chan->intr_coalesce);
}
static ssize_t intr_coalesce_store(struct dma_chan *c, const char *page,
size_t count)
{
Reported by FlawFinder.
drivers/crypto/qce/skcipher.c
5 issues
Line: 59
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (error < 0)
dev_dbg(qce->dev, "skcipher operation error (%x)\n", status);
memcpy(rctx->iv, result_buf->encr_cntr_iv, rctx->ivsize);
qce->async_req_done(tmpl->qce, error);
}
static int
qce_skcipher_async_req_handle(struct crypto_async_request *async_req)
Reported by FlawFinder.
Line: 197
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (__keylen) {
case AES_KEYSIZE_128:
case AES_KEYSIZE_256:
memcpy(ctx->enc_key, key, keylen);
break;
case AES_KEYSIZE_192:
break;
default:
return -EINVAL;
Reported by FlawFinder.
Line: 222
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return err;
ctx->enc_keylen = keylen;
memcpy(ctx->enc_key, key, keylen);
return 0;
}
static int qce_des3_setkey(struct crypto_skcipher *ablk, const u8 *key,
unsigned int keylen)
Reported by FlawFinder.
Line: 245
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* are the same. Revisit to see if a fallback cipher
* is needed to handle this condition.
*/
memcpy(_key, key, DES3_EDE_KEY_SIZE);
if (!((_key[0] ^ _key[2]) | (_key[1] ^ _key[3])) ||
!((_key[2] ^ _key[4]) | (_key[3] ^ _key[5])) ||
!((_key[0] ^ _key[4]) | (_key[1] ^ _key[5])))
return -ENOKEY;
Reported by FlawFinder.
Line: 252
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOKEY;
ctx->enc_keylen = keylen;
memcpy(ctx->enc_key, key, keylen);
return 0;
}
static int qce_skcipher_crypt(struct skcipher_request *req, int encrypt)
{
Reported by FlawFinder.
arch/s390/include/uapi/asm/hypfs.h
5 issues
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hypfs_diag0c_hdr {
__u64 len; /* Length of diag0c buffer without header */
__u16 version; /* Version of header */
char reserved1[6]; /* Reserved */
char tod_ext[16]; /* TOD clock for diag0c */
__u64 count; /* Number of entries (CPUs) in diag0c array */
char reserved2[24]; /* Reserved */
};
Reported by FlawFinder.
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 len; /* Length of diag0c buffer without header */
__u16 version; /* Version of header */
char reserved1[6]; /* Reserved */
char tod_ext[16]; /* TOD clock for diag0c */
__u64 count; /* Number of entries (CPUs) in diag0c array */
char reserved2[24]; /* Reserved */
};
struct hypfs_diag0c_entry {
Reported by FlawFinder.
Line: 38
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char reserved1[6]; /* Reserved */
char tod_ext[16]; /* TOD clock for diag0c */
__u64 count; /* Number of entries (CPUs) in diag0c array */
char reserved2[24]; /* Reserved */
};
struct hypfs_diag0c_entry {
char date[8]; /* MM/DD/YY in EBCDIC */
char time[8]; /* HH:MM:SS in EBCDIC */
Reported by FlawFinder.
Line: 42
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct hypfs_diag0c_entry {
char date[8]; /* MM/DD/YY in EBCDIC */
char time[8]; /* HH:MM:SS in EBCDIC */
__u64 virtcpu; /* Virtual time consumed by the virt CPU (us) */
__u64 totalproc; /* Total of virtual and simulation time (us) */
__u32 cpu; /* Linux logical CPU number */
__u32 reserved; /* Align to 8 byte */
Reported by FlawFinder.
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct hypfs_diag0c_entry {
char date[8]; /* MM/DD/YY in EBCDIC */
char time[8]; /* HH:MM:SS in EBCDIC */
__u64 virtcpu; /* Virtual time consumed by the virt CPU (us) */
__u64 totalproc; /* Total of virtual and simulation time (us) */
__u32 cpu; /* Linux logical CPU number */
__u32 reserved; /* Align to 8 byte */
};
Reported by FlawFinder.
block/scsi_ioctl.c
5 issues
Line: 33
Column: 16
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct blk_cmd_filter blk_default_cmd_filter;
/* Command group 3 is reserved and should never be used. */
const unsigned char scsi_command_size_tbl[8] =
{
6, 10, 10, 12,
16, 12, 10, 10
};
EXPORT_SYMBOL(scsi_command_size_tbl);
Reported by FlawFinder.
Line: 637
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_COMPAT
struct compat_cdrom_generic_command {
unsigned char cmd[CDROM_PACKET_SIZE];
compat_caddr_t buffer;
compat_uint_t buflen;
compat_int_t stat;
compat_caddr_t sense;
unsigned char data_direction;
Reported by FlawFinder.
Line: 643
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
compat_int_t stat;
compat_caddr_t sense;
unsigned char data_direction;
unsigned char pad[3];
compat_int_t quiet;
compat_int_t timeout;
compat_caddr_t unused;
};
#endif
Reported by FlawFinder.
Line: 670
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.timeout = cgc32.timeout,
.unused = compat_ptr(cgc32.unused),
};
memcpy(&cgc->cmd, &cgc32.cmd, CDROM_PACKET_SIZE);
return 0;
}
#endif
if (copy_from_user(cgc, arg, sizeof(*cgc)))
return -EFAULT;
Reported by FlawFinder.
Line: 695
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.timeout = cgc->timeout,
.unused = (uintptr_t)(cgc->unused),
};
memcpy(&cgc32.cmd, &cgc->cmd, CDROM_PACKET_SIZE);
if (copy_to_user(arg, &cgc32, sizeof(cgc32)))
return -EFAULT;
return 0;
Reported by FlawFinder.