The following issues were found
net/mac80211/vht.c
5 issues
Line: 229
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vht_cap->cap |= cap_info & IEEE80211_VHT_CAP_TXSTBC;
/* Copy peer MCS info, the driver might need them. */
memcpy(&vht_cap->vht_mcs, &vht_cap_ie->supp_mcs,
sizeof(struct ieee80211_vht_mcs_info));
/* copy EXT_NSS_BW Support value or remove the capability */
if (ieee80211_hw_check(&sdata->local->hw, SUPPORTS_VHT_EXT_NSS_BW))
vht_cap->cap |= (cap_info & IEEE80211_VHT_CAP_EXT_NSS_BW_MASK);
Reported by FlawFinder.
Line: 635
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bss_conf->mu_group.membership, WLAN_MEMBERSHIP_LEN))
return;
memcpy(bss_conf->mu_group.membership,
mgmt->u.action.u.vht_group_notif.membership,
WLAN_MEMBERSHIP_LEN);
memcpy(bss_conf->mu_group.position,
mgmt->u.action.u.vht_group_notif.position,
WLAN_USER_POSITION_LEN);
Reported by FlawFinder.
Line: 638
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(bss_conf->mu_group.membership,
mgmt->u.action.u.vht_group_notif.membership,
WLAN_MEMBERSHIP_LEN);
memcpy(bss_conf->mu_group.position,
mgmt->u.action.u.vht_group_notif.position,
WLAN_USER_POSITION_LEN);
ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_MU_GROUPS);
}
Reported by FlawFinder.
Line: 653
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (WARN_ON_ONCE(!vif->mu_mimo_owner))
return;
memcpy(bss_conf->mu_group.membership, membership, WLAN_MEMBERSHIP_LEN);
memcpy(bss_conf->mu_group.position, position, WLAN_USER_POSITION_LEN);
}
EXPORT_SYMBOL_GPL(ieee80211_update_mu_groups);
void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
Reported by FlawFinder.
Line: 654
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
memcpy(bss_conf->mu_group.membership, membership, WLAN_MEMBERSHIP_LEN);
memcpy(bss_conf->mu_group.position, position, WLAN_USER_POSITION_LEN);
}
EXPORT_SYMBOL_GPL(ieee80211_update_mu_groups);
void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
struct sta_info *sta, u8 opmode,
Reported by FlawFinder.
kernel/time/timekeeping.c
5 issues
Line: 423
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
raw_write_seqcount_latch(&tkf->seq);
/* Update base[0] */
memcpy(base, tkr, sizeof(*base));
/* Force readers back to base[0] */
raw_write_seqcount_latch(&tkf->seq);
/* Update base[1] */
Reported by FlawFinder.
Line: 429
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
raw_write_seqcount_latch(&tkf->seq);
/* Update base[1] */
memcpy(base + 1, base, sizeof(*base));
}
static __always_inline u64 __ktime_get_fast_ns(struct tk_fast *tkf)
{
struct tk_read_base *tkr;
Reported by FlawFinder.
Line: 763
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* timekeeper structure on the next update with stale data
*/
if (action & TK_MIRROR)
memcpy(&shadow_timekeeper, &tk_core.timekeeper,
sizeof(tk_core.timekeeper));
}
/**
* timekeeping_forward_now - update clock to the current time
Reported by FlawFinder.
Line: 2194
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* updating.
*/
timekeeping_update(tk, clock_set);
memcpy(real_tk, tk, sizeof(*tk));
/* The memcpy must come last. Do not put anything here! */
write_seqcount_end(&tk_core.seq);
out:
raw_spin_unlock_irqrestore(&timekeeper_lock, flags);
if (clock_set)
Reported by FlawFinder.
Line: 193
Column: 16
CWE codes:
120
20
{
struct clocksource *clock = READ_ONCE(tkr->clock);
return clock->read(clock);
}
#ifdef CONFIG_DEBUG_TIMEKEEPING
#define WARNING_FREQ (HZ*300) /* 5 minute rate-limiting */
Reported by FlawFinder.
lib/xz/xz_dec_lzma2.c
5 issues
Line: 390
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*left -= copy_size;
memcpy(dict->buf + dict->pos, b->in + b->in_pos, copy_size);
dict->pos += copy_size;
if (dict->full < dict->pos)
dict->full = dict->pos;
Reported by FlawFinder.
Line: 400
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dict->pos == dict->end)
dict->pos = 0;
memcpy(b->out + b->out_pos, b->in + b->in_pos,
copy_size);
}
dict->start = dict->pos;
Reported by FlawFinder.
Line: 424
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dict->pos == dict->end)
dict->pos = 0;
memcpy(b->out + b->out_pos, dict->buf + dict->start,
copy_size);
}
dict->start = dict->pos;
b->out_pos += copy_size;
Reported by FlawFinder.
Line: 859
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tmp > in_avail)
tmp = in_avail;
memcpy(s->temp.buf + s->temp.size, b->in + b->in_pos, tmp);
if (s->temp.size + tmp == s->lzma2.compressed) {
memzero(s->temp.buf + s->temp.size + tmp,
sizeof(s->temp.buf)
- s->temp.size - tmp);
Reported by FlawFinder.
Line: 919
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (in_avail > s->lzma2.compressed)
in_avail = s->lzma2.compressed;
memcpy(s->temp.buf, b->in + b->in_pos, in_avail);
s->temp.size = in_avail;
b->in_pos += in_avail;
}
return true;
Reported by FlawFinder.
kernel/time/posix-clock.c
5 issues
Line: 120
Column: 15
CWE codes:
362
err = -ENODEV;
goto out;
}
if (clk->ops.open)
err = clk->ops.open(clk, fp->f_mode);
else
err = 0;
if (!err) {
Reported by FlawFinder.
Line: 121
Column: 18
CWE codes:
362
goto out;
}
if (clk->ops.open)
err = clk->ops.open(clk, fp->f_mode);
else
err = 0;
if (!err) {
get_device(clk->dev);
Reported by FlawFinder.
Line: 207
Column: 16
CWE codes:
362
if (!fp)
return err;
if (fp->f_op->open != posix_clock_open || !fp->private_data)
goto out;
cd->fp = fp;
cd->clk = get_posix_clock(fp);
Reported by FlawFinder.
mm/kmemleak.c
5 issues
Line: 163
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int trace_len;
unsigned long jiffies; /* creation timestamp */
pid_t pid; /* pid of the current task */
char comm[TASK_COMM_LEN]; /* executable name */
};
/* flag representing the memory block allocation status */
#define OBJECT_ALLOCATED (1 << 0)
/* flag set after the first reporting of an unreference object */
Reported by FlawFinder.
Line: 1773
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static ssize_t kmemleak_write(struct file *file, const char __user *user_buf,
size_t size, loff_t *ppos)
{
char buf[64];
int buf_size;
int ret;
buf_size = min(size, (sizeof(buf) - 1));
if (strncpy_from_user(buf, user_buf, buf_size) < 0)
Reported by FlawFinder.
Line: 603
Column: 3
CWE codes:
120
/* task information */
if (in_irq()) {
object->pid = 0;
strncpy(object->comm, "hardirq", sizeof(object->comm));
} else if (in_serving_softirq()) {
object->pid = 0;
strncpy(object->comm, "softirq", sizeof(object->comm));
} else {
object->pid = current->pid;
Reported by FlawFinder.
Line: 606
Column: 3
CWE codes:
120
strncpy(object->comm, "hardirq", sizeof(object->comm));
} else if (in_serving_softirq()) {
object->pid = 0;
strncpy(object->comm, "softirq", sizeof(object->comm));
} else {
object->pid = current->pid;
/*
* There is a small chance of a race with set_task_comm(),
* however using get_task_comm() here may cause locking
Reported by FlawFinder.
Line: 615
Column: 3
CWE codes:
120
* dependency issues with current->alloc_lock. In the worst
* case, the command line is not correct.
*/
strncpy(object->comm, current->comm, sizeof(object->comm));
}
/* kernel backtrace */
object->trace_len = __save_stack_trace(object->trace);
Reported by FlawFinder.
net/ipv4/netfilter/nf_nat_snmp_basic_main.c
5 issues
Line: 69
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
{
unsigned char s[12] = {0,};
int size;
if (offset & 1) {
memcpy(&s[1], &ctx->from, 4);
memcpy(&s[7], &ctx->to, 4);
Reported by FlawFinder.
Line: 73
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int size;
if (offset & 1) {
memcpy(&s[1], &ctx->from, 4);
memcpy(&s[7], &ctx->to, 4);
s[0] = ~0;
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (offset & 1) {
memcpy(&s[1], &ctx->from, 4);
memcpy(&s[7], &ctx->to, 4);
s[0] = ~0;
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
s[4] = ~s[4];
Reported by FlawFinder.
Line: 83
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
s[5] = ~0;
size = 12;
} else {
memcpy(&s[0], &ctx->from, 4);
memcpy(&s[4], &ctx->to, 4);
s[0] = ~s[0];
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
Reported by FlawFinder.
Line: 84
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size = 12;
} else {
memcpy(&s[0], &ctx->from, 4);
memcpy(&s[4], &ctx->to, 4);
s[0] = ~s[0];
s[1] = ~s[1];
s[2] = ~s[2];
s[3] = ~s[3];
size = 8;
Reported by FlawFinder.
net/9p/trans_virtio.c
5 issues
Line: 419
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
out_nr_pages = DIV_ROUND_UP(n + offs, PAGE_SIZE);
if (n != outlen) {
__le32 v = cpu_to_le32(n);
memcpy(&req->tc.sdata[req->tc.size - 4], &v, 4);
outlen = n;
}
/* The size field of the message must include the length of the
* header and the length of the data. We didn't actually know
* the length of the data until this point so add it in now.
Reported by FlawFinder.
Line: 427
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* the length of the data until this point so add it in now.
*/
sz = cpu_to_le32(req->tc.size + outlen);
memcpy(&req->tc.sdata[0], &sz, sizeof(sz));
} else if (uidata) {
int n = p9_get_mapped_pages(chan, &in_pages, uidata,
inlen, &offs, &need_drop);
if (n < 0) {
err = n;
Reported by FlawFinder.
Line: 438
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
in_nr_pages = DIV_ROUND_UP(n + offs, PAGE_SIZE);
if (n != inlen) {
__le32 v = cpu_to_le32(n);
memcpy(&req->tc.sdata[req->tc.size - 4], &v, 4);
inlen = n;
}
}
req->status = REQ_STATUS_SENT;
req_retry_pinned:
Reported by FlawFinder.
Line: 542
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
chan = vdev->priv;
tag_len = strlen(chan->tag);
memcpy(buf, chan->tag, tag_len + 1);
return tag_len + 1;
}
static DEVICE_ATTR(mount_tag, 0444, p9_mount_tag_show, NULL);
Reported by FlawFinder.
Line: 540
Column: 12
CWE codes:
126
vdev = dev_to_virtio(dev);
chan = vdev->priv;
tag_len = strlen(chan->tag);
memcpy(buf, chan->tag, tag_len + 1);
return tag_len + 1;
}
Reported by FlawFinder.
mm/slab.c
5 issues
Line: 584
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!nr)
return 0;
memcpy(to->entry + to->avail, from->entry + from->avail - nr,
sizeof(void *) *nr);
from->avail -= nr;
to->avail += nr;
return nr;
Reported by FlawFinder.
Line: 1173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ptr = kmalloc_node(sizeof(struct kmem_cache_node), GFP_NOWAIT, nodeid);
BUG_ON(!ptr);
memcpy(ptr, list, sizeof(struct kmem_cache_node));
/*
* Do not assume that spinlocks can be initialized via memcpy:
*/
spin_lock_init(&ptr->list_lock);
Reported by FlawFinder.
Line: 1451
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void poison_obj(struct kmem_cache *cachep, void *addr, unsigned char val)
{
int size = cachep->object_size;
addr = &((char *)addr)[obj_offset(cachep)];
memset(addr, val, size);
*(unsigned char *)(addr + size - 1) = POISON_END;
}
Reported by FlawFinder.
Line: 3393
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (max) {
if (batchcount > max)
batchcount = max;
memcpy(&(shared_array->entry[shared_array->avail]),
ac->entry, sizeof(void *) * batchcount);
shared_array->avail += batchcount;
goto free_done;
}
}
Reported by FlawFinder.
Line: 4135
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ssize_t slabinfo_write(struct file *file, const char __user *buffer,
size_t count, loff_t *ppos)
{
char kbuf[MAX_SLABINFO_WRITE + 1], *tmp;
int limit, batchcount, shared, res;
struct kmem_cache *cachep;
if (count > MAX_SLABINFO_WRITE)
return -EINVAL;
Reported by FlawFinder.
net/mac802154/iface.c
5 issues
Line: 132
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!ieee802154_is_valid_extended_unicast_addr(extended_addr))
return -EINVAL;
memcpy(dev->dev_addr, addr->sa_data, dev->addr_len);
sdata->wpan_dev.extended_addr = extended_addr;
/* update lowpan interface mac address when
* wpan mac has been changed
*/
Reported by FlawFinder.
Line: 139
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* wpan mac has been changed
*/
if (sdata->wpan_dev.lowpan_dev)
memcpy(sdata->wpan_dev.lowpan_dev->dev_addr, dev->dev_addr,
dev->addr_len);
return mac802154_wpan_update_llsec(dev);
}
Reported by FlawFinder.
Line: 644
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ieee802154_is_valid_extended_unicast_addr(extended_addr))
ieee802154_le64_to_be64(ndev->dev_addr, &extended_addr);
else
memcpy(ndev->dev_addr, ndev->perm_addr,
IEEE802154_EXTENDED_ADDR_LEN);
break;
case NL802154_IFTYPE_MONITOR:
ndev->type = ARPHRD_IEEE802154_MONITOR;
break;
Reported by FlawFinder.
Line: 660
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_net_set(ndev, wpan_phy_net(local->hw.phy));
sdata = netdev_priv(ndev);
ndev->ieee802154_ptr = &sdata->wpan_dev;
memcpy(sdata->name, ndev->name, IFNAMSIZ);
sdata->dev = ndev;
sdata->wpan_dev.wpan_phy = local->hw.phy;
sdata->local = local;
/* setup type-dependent data */
Reported by FlawFinder.
Line: 726
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NOTIFY_DONE;
sdata = IEEE802154_DEV_TO_SUB_IF(dev);
memcpy(sdata->name, dev->name, IFNAMSIZ);
return NOTIFY_OK;
}
static struct notifier_block mac802154_netdev_notifier = {
Reported by FlawFinder.
kernel/bpf/bpf_struct_ops.c
5 issues
Line: 130
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
st_ops->name);
continue;
}
sprintf(value_name, "%s%s", VALUE_PREFIX, st_ops->name);
value_id = btf_find_by_name_kind(btf, value_name,
BTF_KIND_STRUCT);
if (value_id < 0) {
pr_warn("Cannot find struct %s in btf_vmlinux\n",
Reported by FlawFinder.
Line: 105
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct btf_member *member;
struct bpf_struct_ops *st_ops;
const struct btf_type *t;
char value_name[128];
const char *mname;
u32 i, j;
/* Ensure BTF type is emitted for "struct bpf_struct_ops_##_name" */
#define BPF_STRUCT_OPS_TYPE(_name) BTF_TYPE_EMIT(struct bpf_struct_ops_##_name);
Reported by FlawFinder.
Line: 263
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* to be updated together under atomic context.
*/
uvalue = (struct bpf_struct_ops_value *)value;
memcpy(uvalue, st_map->uvalue, map->value_size);
uvalue->state = state;
refcount_set(&uvalue->refcnt, refcount_read(&kvalue->refcnt));
return 0;
}
Reported by FlawFinder.
Line: 360
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto unlock;
}
memcpy(uvalue, value, map->value_size);
udata = &uvalue->data;
kdata = &kvalue->data;
image = st_map->image;
Reported by FlawFinder.
Line: 124
Column: 7
CWE codes:
126
for (i = 0; i < ARRAY_SIZE(bpf_struct_ops); i++) {
st_ops = bpf_struct_ops[i];
if (strlen(st_ops->name) + VALUE_PREFIX_LEN >=
sizeof(value_name)) {
pr_warn("struct_ops name %s is too long\n",
st_ops->name);
continue;
}
Reported by FlawFinder.