The following issues were found
arch/um/drivers/xterm.c
5 issues
Line: 96
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
OS_LIB_PATH "/uml/port-helper", "-uml-socket",
file, NULL };
if (access(argv[4], X_OK) < 0)
argv[4] = "port-helper";
/*
* Check that DISPLAY is set, this doesn't guarantee the xterm
* will work but w/o it we can be pretty sure it won't.
Reported by FlawFinder.
Line: 138
Column: 2
CWE codes:
134
Suggestion:
Make format string constant
return fd;
}
sprintf(title, data->title, data->device);
pid = run_helper(NULL, NULL, argv);
if (pid < 0) {
err = pid;
printk(UM_KERN_ERR "xterm_open : run_helper failed, "
"errno = %d\n", -err);
Reported by FlawFinder.
Line: 103
Column: 6
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
* Check that DISPLAY is set, this doesn't guarantee the xterm
* will work but w/o it we can be pretty sure it won't.
*/
if (getenv("DISPLAY") == NULL) {
printk(UM_KERN_ERR "xterm_open: $DISPLAY not set.\n");
return -ENODEV;
}
/*
Reported by FlawFinder.
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct xterm_chan *data = d;
int pid, fd, new, err;
char title[256], file[] = "/tmp/xterm-pipeXXXXXX";
char *argv[] = { terminal_emulator, title_switch, title, exec_switch,
OS_LIB_PATH "/uml/port-helper", "-uml-socket",
file, NULL };
if (access(argv[4], X_OK) < 0)
Reported by FlawFinder.
Line: 114
Column: 7
CWE codes:
377
* a known-unused name for the Unix socket that we really
* want.
*/
fd = mkstemp(file);
if (fd < 0) {
err = -errno;
printk(UM_KERN_ERR "xterm_open : mkstemp failed, errno = %d\n",
errno);
return err;
Reported by FlawFinder.
arch/x86/kernel/unwind_orc.c
5 issues
Line: 166
CWE codes:
570
start = orc_lookup[idx];
stop = orc_lookup[idx + 1] + 1;
if (unlikely((__start_orc_unwind + start >= __stop_orc_unwind) ||
(__start_orc_unwind + stop > __stop_orc_unwind))) {
orc_warn("WARNING: bad lookup value: idx=%u num=%u start=%u stop=%u ip=%pB\n",
idx, lookup_num_blocks, start, stop, (void *)ip);
return NULL;
}
Reported by Cppcheck.
Line: 167
CWE codes:
570
stop = orc_lookup[idx + 1] + 1;
if (unlikely((__start_orc_unwind + start >= __stop_orc_unwind) ||
(__start_orc_unwind + stop > __stop_orc_unwind))) {
orc_warn("WARNING: bad lookup value: idx=%u num=%u start=%u stop=%u ip=%pB\n",
idx, lookup_num_blocks, start, stop, (void *)ip);
return NULL;
}
Reported by Cppcheck.
Line: 180
CWE codes:
570
/* vmlinux .init slow lookup: */
if (init_kernel_text(ip))
return __orc_find(__start_orc_unwind_ip, __start_orc_unwind,
__stop_orc_unwind_ip - __start_orc_unwind_ip, ip);
/* Module lookup: */
orc = orc_module_find(ip);
if (orc)
return orc;
Reported by Cppcheck.
Line: 268
CWE codes:
570
void __init unwind_init(void)
{
size_t orc_ip_size = (void *)__stop_orc_unwind_ip - (void *)__start_orc_unwind_ip;
size_t orc_size = (void *)__stop_orc_unwind - (void *)__start_orc_unwind;
size_t num_entries = orc_ip_size / sizeof(int);
struct orc_entry *orc;
int i;
Reported by Cppcheck.
Line: 269
CWE codes:
570
void __init unwind_init(void)
{
size_t orc_ip_size = (void *)__stop_orc_unwind_ip - (void *)__start_orc_unwind_ip;
size_t orc_size = (void *)__stop_orc_unwind - (void *)__start_orc_unwind;
size_t num_entries = orc_ip_size / sizeof(int);
struct orc_entry *orc;
int i;
if (!num_entries || orc_ip_size % sizeof(int) != 0 ||
Reported by Cppcheck.
arch/m68k/kernel/setup_mm.c
5 issues
Line: 83
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct m68k_mem_info m68k_ramdisk __initdata;
static char m68k_command_line[CL_SIZE] __initdata;
void (*mach_sched_init) (void) __initdata = NULL;
/* machine dependent irq functions */
void (*mach_init_IRQ) (void) __initdata = NULL;
void (*mach_get_model) (char *model);
Reported by FlawFinder.
Line: 269
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif /* CONFIG_BOOTPARAM */
process_uboot_commandline(&m68k_command_line[0], CL_SIZE);
*cmdline_p = m68k_command_line;
memcpy(boot_command_line, *cmdline_p, CL_SIZE);
parse_early_param();
switch (m68k_machtype) {
#ifdef CONFIG_AMIGA
Reported by FlawFinder.
Line: 494
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_PROC_HARDWARE
static int hardware_proc_show(struct seq_file *m, void *v)
{
char model[80];
unsigned long mem;
int i;
if (mach_get_model)
mach_get_model(model);
Reported by FlawFinder.
Line: 501
Column: 3
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
if (mach_get_model)
mach_get_model(model);
else
strcpy(model, "Unknown m68k");
seq_printf(m, "Model:\t\t%s\n", model);
for (mem = 0, i = 0; i < m68k_num_memory; i++)
mem += m68k_memory[i].size;
seq_printf(m, "System Memory:\t%ldK\n", mem >> 10);
Reported by FlawFinder.
Line: 264
Column: 2
CWE codes:
120
setup_initial_init_mm((void *)PAGE_OFFSET, _etext, _edata, _end);
#if defined(CONFIG_BOOTPARAM)
strncpy(m68k_command_line, CONFIG_BOOTPARAM_STRING, CL_SIZE);
m68k_command_line[CL_SIZE - 1] = 0;
#endif /* CONFIG_BOOTPARAM */
process_uboot_commandline(&m68k_command_line[0], CL_SIZE);
*cmdline_p = m68k_command_line;
memcpy(boot_command_line, *cmdline_p, CL_SIZE);
Reported by FlawFinder.
arch/um/drivers/chan_kern.c
5 issues
Line: 93
Column: 25
CWE codes:
362
if (chan->ops->open == NULL)
fd = 0;
else fd = (*chan->ops->open)(chan->input, chan->output, chan->primary,
chan->data, &chan->dev);
if (fd < 0)
return fd;
err = os_set_fd_block(fd, 0);
Reported by FlawFinder.
Line: 451
Column: 33
CWE codes:
126
data = NULL;
for(i = 0; i < ARRAY_SIZE(chan_table); i++) {
entry = &chan_table[i];
if (!strncmp(str, entry->key, strlen(entry->key))) {
ops = entry->ops;
str += strlen(entry->key);
break;
}
}
Reported by FlawFinder.
Line: 453
Column: 11
CWE codes:
126
entry = &chan_table[i];
if (!strncmp(str, entry->key, strlen(entry->key))) {
ops = entry->ops;
str += strlen(entry->key);
break;
}
}
if (ops == NULL) {
*error_out = "No match for configured backends";
Reported by FlawFinder.
Line: 553
Column: 20
CWE codes:
120
20
schedule_delayed_work(&line->task, 1);
goto out;
}
err = chan->ops->read(chan->fd, &c, chan->data);
if (err > 0)
tty_insert_flip_char(port, c, TTY_NORMAL);
} while (err > 0);
if (err == -EIO) {
Reported by FlawFinder.
arch/um/drivers/virtio_uml.c
5 issues
Line: 67
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct virtio_uml_vq_info {
int kick_fd, call_fd;
char name[32];
bool suspended;
};
extern unsigned long long physmem_size, highmem;
Reported by FlawFinder.
Line: 547
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->payload.config.size, cfg_size);
goto free;
}
memcpy(buf, msg->payload.config.payload + offset, len);
free:
kfree(msg);
}
Reported by FlawFinder.
Line: 572
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
msg->header.size = payload_size;
msg->payload.config.offset = offset;
msg->payload.config.size = len;
memcpy(msg->payload.config.payload, buf, len);
rc = vhost_user_send(vu_dev, false, msg, NULL, 0);
if (rc)
vu_err(vu_dev, "sending VHOST_USER_SET_CONFIG failed: %d\n",
rc);
Reported by FlawFinder.
Line: 1268
Column: 21
CWE codes:
126
struct platform_device *pdev = to_platform_device(dev);
struct virtio_uml_platform_data *pdata = pdev->dev.platform_data;
char *buffer = data;
unsigned int len = strlen(buffer);
snprintf(buffer + len, PAGE_SIZE - len, "%s:%d:%d\n",
pdata->socket_path, pdata->virtio_device_id, pdev->id);
return 0;
}
Reported by FlawFinder.
Line: 1281
Column: 9
CWE codes:
126
if (vu_cmdline_parent_registered)
device_for_each_child(&vu_cmdline_parent, buffer,
vu_cmdline_get_device);
return strlen(buffer) + 1;
}
static const struct kernel_param_ops vu_cmdline_param_ops = {
.set = vu_cmdline_set,
.get = vu_cmdline_get,
Reported by FlawFinder.
arch/arm/boot/compressed/atags_to_fdt.c
5 issues
Line: 74
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void merge_fdt_bootargs(void *fdt, const char *fdt_cmdline)
{
char cmdline[COMMAND_LINE_SIZE];
const char *fdt_bootargs;
char *ptr = cmdline;
int len = 0;
/* copy the fdt command line into the buffer */
Reported by FlawFinder.
Line: 83
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fdt_bootargs = getprop(fdt, "/chosen", "bootargs", &len);
if (fdt_bootargs)
if (len < COMMAND_LINE_SIZE) {
memcpy(ptr, fdt_bootargs, len);
/* len is the length of the string
* including the NULL terminator */
ptr += len - 1;
}
Reported by FlawFinder.
Line: 94
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = strlen(fdt_cmdline);
if (ptr - cmdline + len + 2 < COMMAND_LINE_SIZE) {
*ptr++ = ' ';
memcpy(ptr, fdt_cmdline, len);
ptr += len;
}
}
*ptr = '\0';
Reported by FlawFinder.
Line: 204
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
setprop_cell(fdt, "/chosen", "linux,initrd-end",
initrd_start + initrd_size);
} else if (atag->hdr.tag == ATAG_SERIAL) {
char serno[16+2];
hex_str(serno, atag->u.serialnr.high);
hex_str(serno+8, atag->u.serialnr.low);
setprop_string(fdt, "/", "serial-number", serno);
}
}
Reported by FlawFinder.
Line: 91
Column: 9
CWE codes:
126
/* and append the ATAG_CMDLINE */
if (fdt_cmdline) {
len = strlen(fdt_cmdline);
if (ptr - cmdline + len + 2 < COMMAND_LINE_SIZE) {
*ptr++ = ' ';
memcpy(ptr, fdt_cmdline, len);
ptr += len;
}
Reported by FlawFinder.
arch/x86/kernel/e820.c
5 issues
Line: 416
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy the new entries into the original location: */
memcpy(entries, new_entries, new_nr_entries*sizeof(*entries));
table->nr_entries = new_nr_entries;
return 0;
}
Reported by FlawFinder.
Line: 737
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__append_e820_table(extmap, entries);
e820__update_table(e820_table);
memcpy(e820_table_kexec, e820_table, sizeof(*e820_table_kexec));
memcpy(e820_table_firmware, e820_table, sizeof(*e820_table_firmware));
early_memunmap(sdata, data_len);
pr_info("extended physical RAM map:\n");
e820__print_table("extended");
Reported by FlawFinder.
Line: 738
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
e820__update_table(e820_table);
memcpy(e820_table_kexec, e820_table, sizeof(*e820_table_kexec));
memcpy(e820_table_firmware, e820_table, sizeof(*e820_table_firmware));
early_memunmap(sdata, data_len);
pr_info("extended physical RAM map:\n");
e820__print_table("extended");
}
Reported by FlawFinder.
Line: 1288
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
who = x86_init.resources.memory_setup();
memcpy(e820_table_kexec, e820_table, sizeof(*e820_table_kexec));
memcpy(e820_table_firmware, e820_table, sizeof(*e820_table_firmware));
pr_info("BIOS-provided physical RAM map:\n");
e820__print_table(who);
}
Reported by FlawFinder.
Line: 1289
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
who = x86_init.resources.memory_setup();
memcpy(e820_table_kexec, e820_table, sizeof(*e820_table_kexec));
memcpy(e820_table_firmware, e820_table, sizeof(*e820_table_firmware));
pr_info("BIOS-provided physical RAM map:\n");
e820__print_table(who);
}
Reported by FlawFinder.
crypto/algboss.c
5 issues
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct crypto_attr_alg data;
} attrs[CRYPTO_MAX_ATTRS];
char template[CRYPTO_MAX_ALG_NAME];
struct crypto_larval *larval;
u32 otype;
u32 omask;
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
struct crypto_test_param {
char driver[CRYPTO_MAX_ALG_NAME];
char alg[CRYPTO_MAX_ALG_NAME];
u32 type;
};
static int cryptomgr_probe(void *data)
Reported by FlawFinder.
Line: 46
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct crypto_test_param {
char driver[CRYPTO_MAX_ALG_NAME];
char alg[CRYPTO_MAX_ALG_NAME];
u32 type;
};
static int cryptomgr_probe(void *data)
{
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!len || *p != '(')
goto err_free_param;
memcpy(param->template, name, len);
i = 0;
for (;;) {
name = ++p;
Reported by FlawFinder.
Line: 126
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
param->attrs[i].attr.rta_len = sizeof(param->attrs[i]);
param->attrs[i].attr.rta_type = CRYPTOA_ALG;
memcpy(param->attrs[i].data.name, name, len);
param->tb[i + 1] = ¶m->attrs[i].attr;
i++;
if (i >= CRYPTO_MAX_ATTRS)
Reported by FlawFinder.
arch/mips/bcm47xx/board.c
5 issues
Line: 33
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct bcm47xx_board_store {
enum bcm47xx_board board;
char name[BCM47XX_BOARD_MAX_NAME];
};
/* model_name */
static const
struct bcm47xx_board_type_list1 bcm47xx_board_list_model_name[] __initconst = {
Reported by FlawFinder.
Line: 230
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __init const struct bcm47xx_board_type *bcm47xx_board_get_nvram(void)
{
char buf1[30];
char buf2[30];
char buf3[30];
const struct bcm47xx_board_type_list1 *e1;
const struct bcm47xx_board_type_list2 *e2;
const struct bcm47xx_board_type_list3 *e3;
Reported by FlawFinder.
Line: 231
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __init const struct bcm47xx_board_type *bcm47xx_board_get_nvram(void)
{
char buf1[30];
char buf2[30];
char buf3[30];
const struct bcm47xx_board_type_list1 *e1;
const struct bcm47xx_board_type_list2 *e2;
const struct bcm47xx_board_type_list3 *e3;
Reported by FlawFinder.
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char buf1[30];
char buf2[30];
char buf3[30];
const struct bcm47xx_board_type_list1 *e1;
const struct bcm47xx_board_type_list2 *e2;
const struct bcm47xx_board_type_list3 *e3;
if (bcm47xx_nvram_getenv("model_name", buf1, sizeof(buf1)) >= 0) {
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __init bcm47xx_board_detect(void)
{
int err;
char buf[10];
const struct bcm47xx_board_type *board_detected;
if (bcm47xx_board.board != BCM47XX_BOARD_NO)
return;
Reported by FlawFinder.
arch/mips/alchemy/devboards/pm.c
5 issues
Line: 125
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
int idx;
if (ATTRCMP(timer_timeout))
return sprintf(buf, "%lu\n", db1x_pm_sleep_secs);
else if (ATTRCMP(timer))
return sprintf(buf, "%u\n",
!!(db1x_pm_wakemsk & SYS_WAKEMSK_M2));
Reported by FlawFinder.
Line: 128
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "%lu\n", db1x_pm_sleep_secs);
else if (ATTRCMP(timer))
return sprintf(buf, "%u\n",
!!(db1x_pm_wakemsk & SYS_WAKEMSK_M2));
else if (ATTRCMP(wakesrc))
return sprintf(buf, "%lu\n", db1x_pm_last_wakesrc);
Reported by FlawFinder.
Line: 132
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
!!(db1x_pm_wakemsk & SYS_WAKEMSK_M2));
else if (ATTRCMP(wakesrc))
return sprintf(buf, "%lu\n", db1x_pm_last_wakesrc);
else if (ATTRCMP(gpio0) || ATTRCMP(gpio1) || ATTRCMP(gpio2) ||
ATTRCMP(gpio3) || ATTRCMP(gpio4) || ATTRCMP(gpio5) ||
ATTRCMP(gpio6) || ATTRCMP(gpio7)) {
idx = (attr->attr.name)[4] - '0';
Reported by FlawFinder.
Line: 138
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
ATTRCMP(gpio3) || ATTRCMP(gpio4) || ATTRCMP(gpio5) ||
ATTRCMP(gpio6) || ATTRCMP(gpio7)) {
idx = (attr->attr.name)[4] - '0';
return sprintf(buf, "%d\n",
!!(db1x_pm_wakemsk & SYS_WAKEMSK_GPIO(idx)));
} else if (ATTRCMP(wakemsk)) {
return sprintf(buf, "%08lx\n", db1x_pm_wakemsk);
}
Reported by FlawFinder.
Line: 142
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
!!(db1x_pm_wakemsk & SYS_WAKEMSK_GPIO(idx)));
} else if (ATTRCMP(wakemsk)) {
return sprintf(buf, "%08lx\n", db1x_pm_wakemsk);
}
return -ENOENT;
}
Reported by FlawFinder.