The following issues were found
arch/sparc/kernel/of_device_64.c
5 issues
Line: 128
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
/* Start with the parent range base. */
memcpy(result, range + na, pna * 4);
/* Add in the child address offset, skipping high cell. */
for (i = 0; i < na - 1; i++)
result[pna - 1 - i] +=
(addr[na - 1 - i] -
Reported by FlawFinder.
Line: 136
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(addr[na - 1 - i] -
range[na - 1 - i]);
memcpy(addr, result, pna * 4);
return 0;
}
static unsigned long of_bus_pci_get_flags(const u32 *addr, unsigned long flags)
Reported by FlawFinder.
Line: 261
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
result[pna - 1 - i] =
addr[na - 1 - i];
memcpy(addr, result, pna * 4);
return 0;
}
/* Now walk through the ranges */
rlen /= 4;
Reported by FlawFinder.
Line: 365
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int pna, pns;
size = of_read_addr(reg + na, ns);
memcpy(addr, reg, na * 4);
flags = bus->get_flags(addr, 0);
if (use_1to1_mapping(pp)) {
result = of_read_addr(addr, na);
Reported by FlawFinder.
Line: 663
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dp, op->archdata.num_irqs, PROMINTR_MAX);
op->archdata.num_irqs = PROMINTR_MAX;
}
memcpy(op->archdata.irqs, irq, op->archdata.num_irqs * 4);
} else {
op->archdata.num_irqs = 0;
}
build_device_resources(op, parent);
Reported by FlawFinder.
arch/powerpc/xmon/nonstdio.c
5 issues
Line: 174
Column: 6
CWE codes:
134
Suggestion:
Use a constant for the format specification
int rc, n;
va_start(args, format);
n = vsnprintf(xmon_outbuf, sizeof(xmon_outbuf), format, args);
va_end(args);
rc = xmon_write(xmon_outbuf, n);
if (n && rc == 0) {
Reported by FlawFinder.
Line: 92
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return xmon_write(&ch, 1) == 1? c: -1;
}
static char line[256];
static char *lineptr;
static int lineleft;
static int xmon_getchar(void)
{
Reported by FlawFinder.
Line: 170
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void xmon_printf(const char *format, ...)
{
va_list args;
static char xmon_outbuf[1024];
int rc, n;
va_start(args, format);
n = vsnprintf(xmon_outbuf, sizeof(xmon_outbuf), format, args);
va_end(args);
Reported by FlawFinder.
Line: 57
Column: 21
CWE codes:
126
paginate_pos++;
if (paginate_pos >= paginate_lpp) {
udbg_write(msg, strlen(msg));
switch (xmon_readchar()) {
case 'a':
paginating = false;
break;
Reported by FlawFinder.
Line: 187
Column: 18
CWE codes:
126
void xmon_puts(const char *str)
{
xmon_write(str, strlen(str));
}
Reported by FlawFinder.
arch/alpha/kernel/core_marvel.c
5 issues
Line: 83
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char tmp[80];
char *name;
sprintf(tmp, "PCI %s PE %d PORT %d", str, pe, port);
name = memblock_alloc(strlen(tmp) + 1, SMP_CACHE_BYTES);
if (!name)
panic("%s: Failed to allocate %zu bytes\n", __func__,
strlen(tmp) + 1);
strcpy(name, tmp);
Reported by FlawFinder.
Line: 88
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (!name)
panic("%s: Failed to allocate %zu bytes\n", __func__,
strlen(tmp) + 1);
strcpy(name, tmp);
return name;
}
inline struct io7 *
Reported by FlawFinder.
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char * __init
mk_resource_name(int pe, int port, char *str)
{
char tmp[80];
char *name;
sprintf(tmp, "PCI %s PE %d PORT %d", str, pe, port);
name = memblock_alloc(strlen(tmp) + 1, SMP_CACHE_BYTES);
if (!name)
Reported by FlawFinder.
Line: 84
Column: 24
CWE codes:
126
char *name;
sprintf(tmp, "PCI %s PE %d PORT %d", str, pe, port);
name = memblock_alloc(strlen(tmp) + 1, SMP_CACHE_BYTES);
if (!name)
panic("%s: Failed to allocate %zu bytes\n", __func__,
strlen(tmp) + 1);
strcpy(name, tmp);
Reported by FlawFinder.
Line: 87
Column: 9
CWE codes:
126
name = memblock_alloc(strlen(tmp) + 1, SMP_CACHE_BYTES);
if (!name)
panic("%s: Failed to allocate %zu bytes\n", __func__,
strlen(tmp) + 1);
strcpy(name, tmp);
return name;
}
Reported by FlawFinder.
arch/x86/kernel/cpu/microcode/intel.c
5 issues
Line: 459
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static bool load_builtin_intel_microcode(struct cpio_data *cp)
{
unsigned int eax = 1, ebx, ecx = 0, edx;
char name[30];
if (IS_ENABLED(CONFIG_X86_32))
return false;
native_cpuid(&eax, &ebx, &ecx, &edx);
Reported by FlawFinder.
Line: 466
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
native_cpuid(&eax, &ebx, &ecx, &edx);
sprintf(name, "intel-ucode/%02x-%02x-%02x",
x86_family(eax), x86_model(eax), x86_stepping(eax));
return get_builtin_firmware(cp, name);
}
Reported by FlawFinder.
Line: 858
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
curr_mc_size = mc_size;
}
memcpy(mc, &mc_header, sizeof(mc_header));
data = mc + sizeof(mc_header);
if (!copy_from_iter_full(data, data_size, iter) ||
microcode_sanity_check(mc, 1) < 0) {
break;
}
Reported by FlawFinder.
Line: 934
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iov_iter iter;
enum ucode_state ret;
struct kvec kvec;
char name[30];
if (is_blacklisted(cpu))
return UCODE_NFOUND;
sprintf(name, "intel-ucode/%02x-%02x-%02x",
Reported by FlawFinder.
Line: 939
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (is_blacklisted(cpu))
return UCODE_NFOUND;
sprintf(name, "intel-ucode/%02x-%02x-%02x",
c->x86, c->x86_model, c->x86_stepping);
if (request_firmware_direct(&firmware, name, device)) {
pr_debug("data file %s load failed\n", name);
return UCODE_NFOUND;
Reported by FlawFinder.
arch/mips/pci/fixup-sni.c
5 issues
Line: 43
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* seem to be a documentation error. At least on my RM200C the Cirrus
* Logic CL-GD5434 VGA is device 3.
*/
static char irq_tab_rm200[8][5] = {
/* INTA INTB INTC INTD */
{ 0, 0, 0, 0, 0 }, /* EISA bridge */
{ SCSI, SCSI, SCSI, SCSI, SCSI }, /* SCSI */
{ ETH, ETH, ETH, ETH, ETH }, /* Ethernet */
{ INTB, INTB, INTB, INTB, INTB }, /* VGA */
Reported by FlawFinder.
Line: 60
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*
* The VGA card is optional for RM300 systems.
*/
static char irq_tab_rm300d[8][5] = {
/* INTA INTB INTC INTD */
{ 0, 0, 0, 0, 0 }, /* EISA bridge */
{ SCSI, SCSI, SCSI, SCSI, SCSI }, /* SCSI */
{ 0, INTC, INTD, INTA, INTB }, /* Slot 1 */
{ INTB, INTB, INTB, INTB, INTB }, /* VGA */
Reported by FlawFinder.
Line: 72
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{ 0, INTD, INTA, INTB, INTC }, /* Slot 4 */
};
static char irq_tab_rm300e[5][5] = {
/* INTA INTB INTC INTD */
{ 0, 0, 0, 0, 0 }, /* HOST bridge */
{ SCSI, SCSI, SCSI, SCSI, SCSI }, /* SCSI */
{ 0, INTC, INTD, INTA, INTB }, /* Bridge/i960 */
{ 0, INTD, INTA, INTB, INTC }, /* Slot 1 */
Reported by FlawFinder.
Line: 99
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define INTC PCIT_IRQ_INTC
#define INTD PCIT_IRQ_INTD
static char irq_tab_pcit[13][5] = {
/* INTA INTB INTC INTD */
{ 0, 0, 0, 0, 0 }, /* HOST bridge */
{ SCSI0, SCSI0, SCSI0, SCSI0, SCSI0 }, /* SCSI */
{ SCSI1, SCSI1, SCSI1, SCSI1, SCSI1 }, /* SCSI */
{ ETH, ETH, ETH, ETH, ETH }, /* Ethernet */
Reported by FlawFinder.
Line: 116
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{ 0, INTA, INTB, INTC, INTD }, /* Slot 5 */
};
static char irq_tab_pcit_cplus[13][5] = {
/* INTA INTB INTC INTD */
{ 0, 0, 0, 0, 0 }, /* HOST bridge */
{ 0, INTB, INTC, INTD, INTA }, /* PCI Slot 9 */
{ 0, 0, 0, 0, 0 }, /* PCI-EISA */
{ 0, 0, 0, 0, 0 }, /* Unused */
Reported by FlawFinder.
arch/um/os-Linux/main.c
5 issues
Line: 98
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
perror("couldn't malloc to set a new PATH");
return;
}
snprintf(new_path, path_len, "PATH=%s" UML_LIB_PATH, old_path);
if (putenv(new_path)) {
perror("couldn't putenv to set a new PATH");
free(new_path);
}
}
Reported by FlawFinder.
Line: 178
Column: 3
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
os_info("\n");
/* Reboot */
if (ret) {
execvp(new_argv[0], new_argv);
perror("Failed to exec kernel");
ret = 1;
}
return uml_exitcode;
}
Reported by FlawFinder.
Line: 80
Column: 13
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
char *old_path = NULL;
int path_len = 0;
old_path = getenv("PATH");
/*
* if no PATH variable is set or it has an empty value
* just use the default + /usr/lib/uml
*/
if (!old_path || (path_len = strlen(old_path)) == 0) {
Reported by FlawFinder.
Line: 85
Column: 31
CWE codes:
126
* if no PATH variable is set or it has an empty value
* just use the default + /usr/lib/uml
*/
if (!old_path || (path_len = strlen(old_path)) == 0) {
if (putenv("PATH=:/bin:/usr/bin/" UML_LIB_PATH))
perror("couldn't putenv");
return;
}
Reported by FlawFinder.
Line: 92
Column: 14
CWE codes:
126
}
/* append /usr/lib/uml to the existing path */
path_len += strlen("PATH=" UML_LIB_PATH) + 1;
new_path = malloc(path_len);
if (!new_path) {
perror("couldn't malloc to set a new PATH");
return;
}
Reported by FlawFinder.
arch/alpha/kernel/smp.c
5 issues
Line: 217
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = strlen(cp2);
*(unsigned int *)&cpu->ipc_buffer[0] = len;
cp1 = (char *) &cpu->ipc_buffer[1];
memcpy(cp1, cp2, len);
/* atomic test and set */
wmb();
set_bit(cpuid, &hwrpb->rxrdy);
Reported by FlawFinder.
Line: 239
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int mycpu, i, cnt;
unsigned long txrdy = hwrpb->txrdy;
char *cp1, *cp2, buf[80];
struct percpu_struct *cpu;
DBGS(("recv_secondary_console_msg: TXRDY 0x%lx.\n", txrdy));
mycpu = hard_smp_processor_id();
Reported by FlawFinder.
Line: 264
Column: 4
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
cnt = cpu->ipc_buffer[0] >> 32;
if (cnt <= 0 || cnt >= 80)
strcpy(buf, "<<< BOGUS MSG >>>");
else {
cp1 = (char *) &cpu->ipc_buffer[1];
cp2 = buf;
memcpy(cp2, cp1, cnt);
cp2[cnt] = '\0';
Reported by FlawFinder.
Line: 268
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else {
cp1 = (char *) &cpu->ipc_buffer[1];
cp2 = buf;
memcpy(cp2, cp1, cnt);
cp2[cnt] = '\0';
while ((cp2 = strchr(cp2, '\r')) != 0) {
*cp2 = ' ';
if (cp2[1] == '\n')
Reported by FlawFinder.
Line: 214
Column: 8
CWE codes:
126
goto timeout;
cp2 = str;
len = strlen(cp2);
*(unsigned int *)&cpu->ipc_buffer[0] = len;
cp1 = (char *) &cpu->ipc_buffer[1];
memcpy(cp1, cp2, len);
/* atomic test and set */
Reported by FlawFinder.
arch/sparc/kernel/setup_64.c
5 issues
Line: 318
CWE codes:
570
struct popc_6insn_patch_entry *p6;
p3 = &__popc_3insn_patch;
while (p3 < &__popc_3insn_patch_end) {
unsigned long i, addr = p3->addr;
for (i = 0; i < 3; i++) {
*(unsigned int *) (addr + (i * 4)) = p3->insns[i];
wmb();
Reported by Cppcheck.
Line: 332
CWE codes:
570
}
p6 = &__popc_6insn_patch;
while (p6 < &__popc_6insn_patch_end) {
unsigned long i, addr = p6->addr;
for (i = 0; i < 6; i++) {
*(unsigned int *) (addr + (i * 4)) = p6->insns[i];
wmb();
Reported by Cppcheck.
Line: 351
CWE codes:
570
struct pause_patch_entry *p;
p = &__pause_3insn_patch;
while (p < &__pause_3insn_patch_end) {
unsigned long i, addr = p->addr;
for (i = 0; i < 3; i++) {
*(unsigned int *) (addr + (i * 4)) = p->insns[i];
wmb();
Reported by Cppcheck.
Line: 166
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
extern int root_mountflags;
char reboot_command[COMMAND_LINE_SIZE];
static void __init per_cpu_patch(void)
{
struct cpuid_patch_entry *p;
unsigned long ver;
Reported by FlawFinder.
Line: 518
Column: 10
CWE codes:
126
caps |= HWCAP_SPARC_CRYPTO;
}
plen = strlen(prop) + 1;
prop += plen;
len -= plen;
}
out:
Reported by FlawFinder.
arch/powerpc/include/asm/trace.h
5 issues
Line: 169
Column: 49
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
TRACE_EVENT(hash_fault,
TP_PROTO(unsigned long addr, unsigned long access, unsigned long trap),
TP_ARGS(addr, access, trap),
TP_STRUCT__entry(
__field(unsigned long, addr)
__field(unsigned long, access)
__field(unsigned long, trap)
Reported by FlawFinder.
Line: 170
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
TRACE_EVENT(hash_fault,
TP_PROTO(unsigned long addr, unsigned long access, unsigned long trap),
TP_ARGS(addr, access, trap),
TP_STRUCT__entry(
__field(unsigned long, addr)
__field(unsigned long, access)
__field(unsigned long, trap)
),
Reported by FlawFinder.
Line: 173
Column: 30
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
TP_ARGS(addr, access, trap),
TP_STRUCT__entry(
__field(unsigned long, addr)
__field(unsigned long, access)
__field(unsigned long, trap)
),
TP_fast_assign(
__entry->addr = addr;
Reported by FlawFinder.
Line: 179
Column: 25
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
TP_fast_assign(
__entry->addr = addr;
__entry->access = access;
__entry->trap = trap;
),
TP_printk("hash fault with addr 0x%lx and access = 0x%lx trap = 0x%lx",
__entry->addr, __entry->access, __entry->trap)
Reported by FlawFinder.
Line: 184
Column: 33
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
),
TP_printk("hash fault with addr 0x%lx and access = 0x%lx trap = 0x%lx",
__entry->addr, __entry->access, __entry->trap)
);
TRACE_EVENT(tlbie,
Reported by FlawFinder.
block/disk-events.c
5 issues
Line: 313
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < ARRAY_SIZE(disk_events_strs); i++)
if (events & (1 << i)) {
pos += sprintf(buf + pos, "%s%s",
delim, disk_events_strs[i]);
delim = " ";
}
if (pos)
pos += sprintf(buf + pos, "\n");
Reported by FlawFinder.
Line: 170
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int *clearing_ptr)
{
struct gendisk *disk = ev->disk;
char *envp[ARRAY_SIZE(disk_uevents) + 1] = { };
unsigned int clearing = *clearing_ptr;
unsigned int events;
unsigned long intv;
int nr_events = 0, i;
Reported by FlawFinder.
Line: 345
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct gendisk *disk = dev_to_disk(dev);
if (!disk->ev)
return sprintf(buf, "-1\n");
return sprintf(buf, "%ld\n", disk->ev->poll_msecs);
}
static ssize_t disk_events_poll_msecs_store(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 346
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!disk->ev)
return sprintf(buf, "-1\n");
return sprintf(buf, "%ld\n", disk->ev->poll_msecs);
}
static ssize_t disk_events_poll_msecs_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
Line: 318
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
delim = " ";
}
if (pos)
pos += sprintf(buf + pos, "\n");
return pos;
}
static ssize_t disk_events_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.