The following issues were found
arch/s390/boot/startup.c
5 issues
Line: 104
CWE codes:
570
static void copy_bootdata(void)
{
if (__boot_data_end - __boot_data_start != vmlinux.bootdata_size)
error(".boot.data section size mismatch");
memcpy((void *)vmlinux.bootdata_off, __boot_data_start, vmlinux.bootdata_size);
if (__boot_data_preserved_end - __boot_data_preserved_start != vmlinux.bootdata_preserved_size)
error(".boot.preserved.data section size mismatch");
memcpy((void *)vmlinux.bootdata_preserved_off, __boot_data_preserved_start, vmlinux.bootdata_preserved_size);
Reported by Cppcheck.
Line: 107
CWE codes:
570
if (__boot_data_end - __boot_data_start != vmlinux.bootdata_size)
error(".boot.data section size mismatch");
memcpy((void *)vmlinux.bootdata_off, __boot_data_start, vmlinux.bootdata_size);
if (__boot_data_preserved_end - __boot_data_preserved_start != vmlinux.bootdata_preserved_size)
error(".boot.preserved.data section size mismatch");
memcpy((void *)vmlinux.bootdata_preserved_off, __boot_data_preserved_start, vmlinux.bootdata_preserved_size);
}
static void handle_relocs(unsigned long offset)
Reported by Cppcheck.
Line: 106
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (__boot_data_end - __boot_data_start != vmlinux.bootdata_size)
error(".boot.data section size mismatch");
memcpy((void *)vmlinux.bootdata_off, __boot_data_start, vmlinux.bootdata_size);
if (__boot_data_preserved_end - __boot_data_preserved_start != vmlinux.bootdata_preserved_size)
error(".boot.preserved.data section size mismatch");
memcpy((void *)vmlinux.bootdata_preserved_off, __boot_data_preserved_start, vmlinux.bootdata_preserved_size);
}
Reported by FlawFinder.
Line: 109
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy((void *)vmlinux.bootdata_off, __boot_data_start, vmlinux.bootdata_size);
if (__boot_data_preserved_end - __boot_data_preserved_start != vmlinux.bootdata_preserved_size)
error(".boot.preserved.data section size mismatch");
memcpy((void *)vmlinux.bootdata_preserved_off, __boot_data_preserved_start, vmlinux.bootdata_preserved_size);
}
static void handle_relocs(unsigned long offset)
{
Elf64_Rela *rela_start, *rela_end, *rela;
Reported by FlawFinder.
Line: 324
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
img = decompress_kernel();
memmove((void *)vmlinux.default_lma, img, vmlinux.image_size);
} else if (__kaslr_offset)
memcpy((void *)vmlinux.default_lma, img, vmlinux.image_size);
clear_bss_section();
copy_bootdata();
if (IS_ENABLED(CONFIG_RELOCATABLE))
handle_relocs(__kaslr_offset);
Reported by FlawFinder.
arch/s390/crypto/ghash_s390.c
5 issues
Line: 36
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct ghash_ctx *ctx = crypto_shash_ctx(desc->tfm);
memset(dctx, 0, sizeof(*dctx));
memcpy(dctx->key, ctx->key, GHASH_BLOCK_SIZE);
return 0;
}
static int ghash_setkey(struct crypto_shash *tfm,
Reported by FlawFinder.
Line: 49
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (keylen != GHASH_BLOCK_SIZE)
return -EINVAL;
memcpy(ctx->key, key, GHASH_BLOCK_SIZE);
return 0;
}
static int ghash_update(struct shash_desc *desc,
Reported by FlawFinder.
Line: 68
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dctx->bytes -= n;
srclen -= n;
memcpy(pos, src, n);
src += n;
if (!dctx->bytes) {
cpacf_kimd(CPACF_KIMD_GHASH, dctx, buf,
GHASH_BLOCK_SIZE);
Reported by FlawFinder.
Line: 86
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (srclen) {
dctx->bytes = GHASH_BLOCK_SIZE - srclen;
memcpy(buf, src, srclen);
}
return 0;
}
Reported by FlawFinder.
Line: 114
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = ghash_flush(dctx);
if (!ret)
memcpy(dst, dctx->icv, GHASH_BLOCK_SIZE);
return ret;
}
static struct shash_alg ghash_alg = {
.digestsize = GHASH_DIGEST_SIZE,
Reported by FlawFinder.
block/partitions/acorn.c
5 issues
Line: 58
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 start;
__le32 length;
__le32 one;
char name[16];
};
struct riscix_record {
__le32 magic;
#define RISCIX_MAGIC cpu_to_le32(0x4a657320)
Reported by FlawFinder.
Line: 415
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le32 start;
__le32 size;
__le32 unused5;
char type[8];
};
static inline int valid_ptec_sector(const unsigned char *data)
{
unsigned char checksum = 0x2a;
Reported by FlawFinder.
Line: 481
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_ACORN_PARTITION_EESOX
struct eesox_part {
char magic[6];
char name[10];
__le32 start;
__le32 unused6;
__le32 unused7;
__le32 unused8;
Reported by FlawFinder.
Line: 482
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef CONFIG_ACORN_PARTITION_EESOX
/*
 * Record layout declared under CONFIG_ACORN_PARTITION_EESOX: two fixed-size
 * char arrays followed by four __le32 fields.
 *
 * NOTE(review): FlawFinder flags magic[] and name[] (CWE-119/CWE-120) only
 * because they are statically sized char arrays. The declaration itself
 * copies nothing; whether an overflow or over-read is possible depends on the
 * code that fills and compares these fields, which is not shown here.
 * Nothing in the declaration guarantees NUL termination, so users should
 * treat both arrays as length-bounded byte fields; confirm at each use.
 */
struct eesox_part {
char magic[6];
char name[10];
__le32 start;
__le32 unused6;
__le32 unused7;
__le32 unused8;
};
Reported by FlawFinder.
Line: 511
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
Sector sect;
const unsigned char *data;
unsigned char buffer[256];
struct eesox_part *p;
sector_t start = 0;
int i, slot = 1;
data = read_part_sector(state, 7, &sect);
Reported by FlawFinder.
arch/s390/kernel/nospec-sysfs.c
5 issues
Line: 10
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Write the fixed status line "Mitigation: __user pointer sanitization\n"
 * into buf and return what sprintf() returns, i.e. the number of characters
 * written. dev and attr are not used in this body.
 *
 * NOTE(review): FlawFinder flags the sprintf() call (CWE-120) because it
 * carries no size bound. The format here is a constant literal with no
 * conversion specifiers, so the output length is fixed and known at build
 * time. buf is presumably the sysfs show buffer; confirm against the caller.
 * sysfs_emit() is the kernel helper that bounds such writes.
 */
ssize_t cpu_show_spectre_v1(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "Mitigation: __user pointer sanitization\n");
}
ssize_t cpu_show_spectre_v2(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 17
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct device_attribute *attr, char *buf)
{
if (test_facility(156))
return sprintf(buf, "Mitigation: etokens\n");
if (__is_defined(CC_USING_EXPOLINE) && !nospec_disable)
return sprintf(buf, "Mitigation: execute trampolines\n");
if (__test_facility(82, alt_stfle_fac_list))
return sprintf(buf, "Mitigation: limited branch prediction\n");
return sprintf(buf, "Vulnerable\n");
Reported by FlawFinder.
Line: 19
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (test_facility(156))
return sprintf(buf, "Mitigation: etokens\n");
if (__is_defined(CC_USING_EXPOLINE) && !nospec_disable)
return sprintf(buf, "Mitigation: execute trampolines\n");
if (__test_facility(82, alt_stfle_fac_list))
return sprintf(buf, "Mitigation: limited branch prediction\n");
return sprintf(buf, "Vulnerable\n");
}
Reported by FlawFinder.
Line: 21
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (__is_defined(CC_USING_EXPOLINE) && !nospec_disable)
return sprintf(buf, "Mitigation: execute trampolines\n");
if (__test_facility(82, alt_stfle_fac_list))
return sprintf(buf, "Mitigation: limited branch prediction\n");
return sprintf(buf, "Vulnerable\n");
}
Reported by FlawFinder.
Line: 22
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return sprintf(buf, "Mitigation: execute trampolines\n");
if (__test_facility(82, alt_stfle_fac_list))
return sprintf(buf, "Mitigation: limited branch prediction\n");
return sprintf(buf, "Vulnerable\n");
}
Reported by FlawFinder.
arch/s390/kernel/perf_cpum_cf.c
5 issues
Line: 1059
Column: 26
CWE codes:
120
20
static long cfset_ioctl_read(unsigned long arg)
{
struct s390_ctrset_read read;
int ret = 0;
if (copy_from_user(&read, (char __user *)arg, sizeof(read)))
return -EFAULT;
ret = cfset_all_read(arg);
Reported by FlawFinder.
Line: 1062
Column: 55
CWE codes:
120
20
struct s390_ctrset_read read;
int ret = 0;
if (copy_from_user(&read, (char __user *)arg, sizeof(read)))
return -EFAULT;
ret = cfset_all_read(arg);
return ret;
}
Reported by FlawFinder.
Line: 1062
Column: 22
CWE codes:
120
20
struct s390_ctrset_read read;
int ret = 0;
if (copy_from_user(&read, (char __user *)arg, sizeof(read)))
return -EFAULT;
ret = cfset_all_read(arg);
return ret;
}
Reported by FlawFinder.
Line: 1083
Column: 15
CWE codes:
732
{
struct s390_ctrset_start __user *ustart;
struct s390_ctrset_start start;
void __user *umask;
unsigned int len;
int ret = 0;
size_t need;
if (cfset_request.ctrset)
Reported by FlawFinder.
Line: 1106
Column: 42
CWE codes:
732
cpumask_clear(&cfset_request.mask);
len = min_t(u64, start.cpumask_len, cpumask_size());
umask = (void __user *)start.cpumask;
if (copy_from_user(&cfset_request.mask, umask, len))
return -EFAULT;
if (cpumask_empty(&cfset_request.mask))
return -EINVAL;
need = cfset_needspace(start.counter_sets);
if (put_user(need, &ustart->data_bytes))
Reported by FlawFinder.
arch/mips/loongson64/boardinfo.c
5 issues
Line: 13
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char bios_vendor[64] = {0};
char *tmp_bios_vendor = bios_vendor;
strcpy(board_manufacturer, eboard->name);
strcpy(bios_vendor, einter->description);
return sprintf(buf,
"Board Info\n"
"Manufacturer\t\t: %s\n"
Reported by FlawFinder.
Line: 14
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char *tmp_bios_vendor = bios_vendor;
strcpy(board_manufacturer, eboard->name);
strcpy(bios_vendor, einter->description);
return sprintf(buf,
"Board Info\n"
"Manufacturer\t\t: %s\n"
"Board Name\t\t: %s\n"
Reported by FlawFinder.
Line: 16
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
strcpy(board_manufacturer, eboard->name);
strcpy(bios_vendor, einter->description);
return sprintf(buf,
"Board Info\n"
"Manufacturer\t\t: %s\n"
"Board Name\t\t: %s\n"
"Family\t\t\t: LOONGSON3\n\n"
"BIOS Info\n"
Reported by FlawFinder.
Line: 8
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t boardinfo_show(struct kobject *kobj,
struct kobj_attribute *attr, char *buf)
{
char board_manufacturer[64] = {0};
char *tmp_board_manufacturer = board_manufacturer;
char bios_vendor[64] = {0};
char *tmp_bios_vendor = bios_vendor;
strcpy(board_manufacturer, eboard->name);
Reported by FlawFinder.
Line: 10
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
char board_manufacturer[64] = {0};
char *tmp_board_manufacturer = board_manufacturer;
char bios_vendor[64] = {0};
char *tmp_bios_vendor = bios_vendor;
strcpy(board_manufacturer, eboard->name);
strcpy(bios_vendor, einter->description);
Reported by FlawFinder.
arch/s390/kvm/priv.c
5 issues
Line: 675
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* We send this response to the guest.
*/
status.response_code = 0x01;
memcpy(&vcpu->run->s.regs.gprs[1], &status, sizeof(status));
kvm_s390_set_psw_cc(vcpu, 3);
return 0;
}
static int handle_stfl(struct kvm_vcpu *vcpu)
Reported by FlawFinder.
Line: 818
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (mem->count < 8)
mem->count++;
for (n = mem->count - 1; n > 0 ; n--)
memcpy(&mem->vm[n], &mem->vm[n - 1], sizeof(mem->vm[0]));
memset(&mem->vm[0], 0, sizeof(mem->vm[0]));
mem->vm[0].cpus_total = cpus;
mem->vm[0].cpus_configured = cpus;
mem->vm[0].cpus_standby = 0;
Reported by FlawFinder.
Line: 826
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mem->vm[0].cpus_standby = 0;
mem->vm[0].cpus_reserved = 0;
mem->vm[0].caf = 1000;
memcpy(mem->vm[0].name, "KVMguest", 8);
ASCEBC(mem->vm[0].name, 8);
memcpy(mem->vm[0].cpi, "KVM/Linux       ", 16);
ASCEBC(mem->vm[0].cpi, 16);
}
Reported by FlawFinder.
Line: 828
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mem->vm[0].caf = 1000;
memcpy(mem->vm[0].name, "KVMguest", 8);
ASCEBC(mem->vm[0].name, 8);
memcpy(mem->vm[0].cpi, "KVM/Linux       ", 16);
ASCEBC(mem->vm[0].cpi, 16);
}
static void insert_stsi_usr_data(struct kvm_vcpu *vcpu, u64 addr, u8 ar,
u8 fc, u8 sel1, u16 sel2)
Reported by FlawFinder.
Line: 898
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
}
if (kvm_s390_pv_cpu_is_protected(vcpu)) {
memcpy((void *)sida_origin(vcpu->arch.sie_block), (void *)mem,
PAGE_SIZE);
rc = 0;
} else {
rc = write_guest(vcpu, operand2, ar, (void *)mem, PAGE_SIZE);
}
Reported by FlawFinder.
arch/x86/entry/vdso/vdso2c.c
5 issues
Line: 108
Column: 23
CWE codes:
134
Suggestion:
Use a constant for the format specification
{"vdso32_sigreturn_landing_pad", true},
};
__attribute__((format(printf, 1, 2))) __attribute__((noreturn))
static void fail(const char *format, ...)
{
va_list ap;
va_start(ap, format);
fprintf(stderr, "Error: ");
Reported by FlawFinder.
Line: 114
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_list ap;
va_start(ap, format);
fprintf(stderr, "Error: ");
vfprintf(stderr, format, ap);
if (outfilename)
unlink(outfilename);
exit(1);
va_end(ap);
}
Reported by FlawFinder.
Line: 190
Column: 11
CWE codes:
362
{
off_t tmp_len;
int fd = open(name, O_RDONLY);
if (fd == -1)
err(1, "open(%s)", name);
tmp_len = lseek(fd, 0, SEEK_END);
if (tmp_len == (off_t)-1)
Reported by FlawFinder.
Line: 243
Column: 12
CWE codes:
362
map_input(argv[2], &stripped_addr, &stripped_len, PROT_READ);
outfilename = argv[3];
outfile = fopen(outfilename, "w");
if (!outfile)
err(1, "fopen(%s)", outfilename);
go(raw_addr, raw_len, stripped_addr, stripped_len, outfile, name);
Reported by FlawFinder.
Line: 224
Column: 12
CWE codes:
126
* generate raw output instead.
*/
name = strdup(argv[3]);
namelen = strlen(name);
if (namelen >= 3 && !strcmp(name + namelen - 3, ".so")) {
name = NULL;
} else {
tmp = strrchr(name, '/');
if (tmp)
Reported by FlawFinder.
arch/x86/pci/mmconfig-shared.c
5 issues
Line: 133
Column: 15
CWE codes:
120
20
static const char *__init pci_mmcfg_e7520(void)
{
u32 win;
raw_pci_ops->read(0, 0, PCI_DEVFN(0, 0), 0xce, 2, &win);
win = win & 0xf000;
if (win == 0x0000 || win == 0xf000)
return NULL;
Reported by FlawFinder.
Line: 273
Column: 16
CWE codes:
120
20
u16 vendor, device;
int start, size_index, end;
raw_pci_ops->read(0, bus, PCI_DEVFN(0, 0), 0, 4, &l);
vendor = l & 0xffff;
device = (l >> 16) & 0xffff;
if (PCI_VENDOR_ID_NVIDIA != vendor || 0x0369 != device)
continue;
Reported by FlawFinder.
Line: 280
Column: 16
CWE codes:
120
20
if (PCI_VENDOR_ID_NVIDIA != vendor || 0x0369 != device)
continue;
raw_pci_ops->read(0, bus, PCI_DEVFN(0, 0), extcfg_regnum,
extcfg_regsize, &extcfg);
if (!(extcfg & extcfg_enable_mask))
continue;
Reported by FlawFinder.
Line: 359
Column: 16
CWE codes:
120
20
for (i = 0; i < ARRAY_SIZE(pci_mmcfg_probes); i++) {
bus = pci_mmcfg_probes[i].bus;
devfn = pci_mmcfg_probes[i].devfn;
raw_pci_ops->read(0, bus, devfn, 0, 4, &l);
vendor = l & 0xffff;
device = (l >> 16) & 0xffff;
name = NULL;
if (pci_mmcfg_probes[i].vendor == vendor &&
Reported by FlawFinder.
arch/x86/crypto/curve25519-x86_64.c
5 issues
Line: 858
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u64 sw0;
u64 *nq1;
u64 *tmp1;
memcpy(p11, init1, (u32)8U * sizeof(init1[0U]));
x0 = p03;
z0 = p03 + (u32)4U;
x0[0U] = (u64)1U;
x0[1U] = (u64)0U;
x0[2U] = (u64)0U;
Reported by FlawFinder.
Line: 898
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
point_double(nq1, tmp1, tmp2);
point_double(nq1, tmp1, tmp2);
point_double(nq1, tmp1, tmp2);
memcpy(out, p0, (u32)8U * sizeof(p0[0U]));
memzero_explicit(tmp2, sizeof(tmp2));
memzero_explicit(p01_tmp1_swap, sizeof(p01_tmp1_swap));
}
Reported by FlawFinder.
Line: 1344
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u64 *efgh = &tmp[16 + 16];
u64 *key = &tmp[0 + 16 + 32];
memcpy(key, priv, 32);
((u8 *)key)[0] &= 248;
((u8 *)key)[31] = (((u8 *)key)[31] & 127) | 64;
x1[0] = 1, x1[1] = x1[2] = x1[3] = 0;
z1[0] = 1, z1[1] = z1[2] = z1[3] = 0;
Reported by FlawFinder.
Line: 1351
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
x1[0] = 1, x1[1] = x1[2] = x1[3] = 0;
z1[0] = 1, z1[1] = z1[2] = z1[3] = 0;
z2[0] = 1, z2[1] = z2[2] = z2[3] = 0;
memcpy(x2, p_minus_s, sizeof(p_minus_s));
j = 3;
for (i = 0; i < 4; ++i) {
while (j < (const int[]){ 64, 64, 64, 63 }[i]) {
u64 bit = (key[i] >> j) & 1;
Reported by FlawFinder.
Line: 1413
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
curve25519_generate_secret(secret);
else if (len == CURVE25519_KEY_SIZE &&
crypto_memneq(buf, curve25519_null_point, CURVE25519_KEY_SIZE))
memcpy(secret, buf, CURVE25519_KEY_SIZE);
else
return -EINVAL;
return 0;
}
Reported by FlawFinder.