The following issues were found
drivers/iio/industrialio-core.c
5 issues
Line: 418
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct iio_dev *indio_dev = file->private_data;
struct iio_dev_opaque *iio_dev_opaque = to_iio_dev_opaque(indio_dev);
unsigned reg, val;
char buf[80];
int ret;
count = min_t(size_t, count, (sizeof(buf)-1));
if (copy_from_user(buf, userbuf, count))
return -EFAULT;
Reported by FlawFinder.
Line: 1452
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG();
}
memcpy(buf, name, sz);
return sz;
}
static ssize_t iio_store_timestamp_clock(struct device *dev,
struct device_attribute *attr,
Reported by FlawFinder.
Line: 1561
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
/* Copy across original attributes */
if (indio_dev->info->attrs) {
memcpy(iio_dev_opaque->chan_attr_group.attrs,
indio_dev->info->attrs->attrs,
sizeof(iio_dev_opaque->chan_attr_group.attrs[0])
*attrcount_orig);
iio_dev_opaque->chan_attr_group.is_visible =
indio_dev->info->attrs->is_visible;
Reported by FlawFinder.
Line: 502
Column: 19
CWE codes:
120
20
ext_info = &this_attr->c->ext_info[this_attr->address];
return ext_info->read(indio_dev, ext_info->private, this_attr->c, buf);
}
static ssize_t iio_write_channel_ext_info(struct device *dev,
struct device_attribute *attr,
const char *buf,
Reported by FlawFinder.
Line: 1349
Column: 16
CWE codes:
120
20
for (ext_info = chan->ext_info; ext_info->name; ext_info++) {
ret = __iio_add_chan_devattr(ext_info->name,
chan,
ext_info->read ?
&iio_read_channel_ext_info : NULL,
ext_info->write ?
&iio_write_channel_ext_info : NULL,
i,
ext_info->shared,
Reported by FlawFinder.
drivers/gpu/drm/i915/i915_perf.c
5 issues
Line: 4010
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i915_oa_config *oa_config =
container_of(attr, typeof(*oa_config), sysfs_metric_id);
return sprintf(buf, "%d\n", oa_config->id);
}
static int create_dynamic_oa_sysfs_entry(struct i915_perf *perf,
struct i915_oa_config *oa_config)
{
Reported by FlawFinder.
Line: 4094
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Last character in oa_config->uuid will be 0 because oa_config is
* kzalloc.
*/
memcpy(oa_config->uuid, args->uuid, sizeof(args->uuid));
oa_config->mux_regs_len = args->n_mux_regs;
regs = alloc_oa_regs(perf,
perf->ops.is_valid_mux_reg,
u64_to_user_ptr(args->mux_regs_ptr),
Reported by FlawFinder.
Line: 1184
Column: 27
CWE codes:
120
20
size_t count,
size_t *offset)
{
return stream->perf->ops.read(stream, buf, count, offset);
}
static struct intel_context *oa_pin_context(struct i915_perf_stream *stream)
{
struct i915_gem_engines_iter it;
Reported by FlawFinder.
Line: 3062
Column: 23
CWE codes:
120
20
return ret;
mutex_lock(&perf->lock);
ret = stream->ops->read(stream, buf, count, &offset);
mutex_unlock(&perf->lock);
} while (!offset && !ret);
} else {
mutex_lock(&perf->lock);
ret = stream->ops->read(stream, buf, count, &offset);
Reported by FlawFinder.
Line: 3067
Column: 22
CWE codes:
120
20
} while (!offset && !ret);
} else {
mutex_lock(&perf->lock);
ret = stream->ops->read(stream, buf, count, &offset);
mutex_unlock(&perf->lock);
}
/* We allow the poll checking to sometimes report false positive EPOLLIN
* events where we might actually report EAGAIN on read() if there's
Reported by FlawFinder.
drivers/hwmon/scpi-hwmon.c
5 issues
Line: 121
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
sensor = container_of(attr, struct sensor_data, dev_attr_label);
return sprintf(buf, "%s\n", sensor->info.name);
}
static const struct thermal_zone_of_device_ops scpi_sensor_ops = {
.get_temp = scpi_read_temp,
};
Reported by FlawFinder.
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct scpi_sensor_info info;
struct device_attribute dev_attr_input;
struct device_attribute dev_attr_label;
char input[20];
char label[20];
};
struct scpi_thermal_zone {
int sensor_id;
Reported by FlawFinder.
Line: 24
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_attribute dev_attr_input;
struct device_attribute dev_attr_label;
char input[20];
char label[20];
};
struct scpi_thermal_zone {
int sensor_id;
struct scpi_sensors *scpi_sensors;
Reported by FlawFinder.
Line: 109
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* sense especially when the temperature is below zero degrees Celsius.
*/
if (sensor->info.class == TEMPERATURE)
return sprintf(buf, "%lld\n", (s64)value);
return sprintf(buf, "%llu\n", value);
}
static ssize_t
Reported by FlawFinder.
Line: 111
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (sensor->info.class == TEMPERATURE)
return sprintf(buf, "%lld\n", (s64)value);
return sprintf(buf, "%llu\n", value);
}
static ssize_t
scpi_show_label(struct device *dev, struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
drivers/hwtracing/intel_th/core.c
5 issues
Line: 392
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
thdev->id = id;
thdev->type = type;
strcpy(thdev->name, name);
device_initialize(&thdev->dev);
thdev->dev.bus = &intel_th_bus;
thdev->dev.type = intel_th_device_type[type];
thdev->dev.parent = parent;
thdev->dev.dma_mask = parent->dma_mask;
Reported by FlawFinder.
Line: 633
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
thdev->drvdata = th->drvdata;
memcpy(res, subdev->res,
sizeof(struct resource) * subdev->nres);
for (r = 0; r < subdev->nres; r++) {
struct resource *devres = th->resource;
int bar = TH_MMIO_CONFIG;
Reported by FlawFinder.
Line: 827
Column: 18
CWE codes:
362
file->private_data = to_intel_th_device(dev);
if (file->f_op->open) {
err = file->f_op->open(inode, file);
return err;
}
return 0;
Reported by FlawFinder.
Line: 828
Column: 21
CWE codes:
362
file->private_data = to_intel_th_device(dev);
if (file->f_op->open) {
err = file->f_op->open(inode, file);
return err;
}
return 0;
}
Reported by FlawFinder.
Line: 385
Column: 35
CWE codes:
126
else
parent = th->dev;
thdev = kzalloc(sizeof(*thdev) + strlen(name) + 1, GFP_KERNEL);
if (!thdev)
return NULL;
thdev->id = id;
thdev->type = type;
Reported by FlawFinder.
drivers/hwtracing/stm/core.c
5 issues
Line: 1159
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
idx = srcu_read_lock(&stm_source_srcu);
stm = srcu_dereference(src->link, &stm_source_srcu);
ret = sprintf(buf, "%s\n",
stm ? dev_name(&stm->dev) : "<none>");
srcu_read_unlock(&stm_source_srcu, idx);
return ret;
}
Reported by FlawFinder.
Line: 43
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct stm_device *stm = to_stm_device(dev);
int ret;
ret = sprintf(buf, "%u %u\n", stm->data->sw_start, stm->data->sw_end);
return ret;
}
static DEVICE_ATTR_RO(masters);
Reported by FlawFinder.
Line: 57
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct stm_device *stm = to_stm_device(dev);
int ret;
ret = sprintf(buf, "%u\n", stm->data->sw_nchannels);
return ret;
}
static DEVICE_ATTR_RO(channels);
Reported by FlawFinder.
Line: 71
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct stm_device *stm = to_stm_device(dev);
int ret;
ret = sprintf(buf, "%u\n", stm->data->hw_override);
return ret;
}
static DEVICE_ATTR_RO(hw_override);
Reported by FlawFinder.
Line: 634
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* point, try to use the task name and "default" policy entries.
*/
if (!stmf->output.nr_chans) {
char comm[sizeof(current->comm)];
char *ids[] = { comm, "default", NULL };
get_task_comm(comm, current);
err = stm_assign_first_policy(stmf->stm, &stmf->output, ids, 1);
Reported by FlawFinder.
drivers/i2c/busses/i2c-cpm.c
5 issues
Line: 65
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ushort tbptr; /* Tx Buffer descriptor pointer */
ushort tbc; /* Internal */
uint txtmp; /* Internal */
char res1[4]; /* Reserved */
ushort rpbase; /* Relocation pointer */
char res2[2]; /* Reserved */
/* The following elements are only for CPM2 */
char res3[4]; /* Reserved */
uint sdmatmp; /* Internal */
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
uint txtmp; /* Internal */
char res1[4]; /* Reserved */
ushort rpbase; /* Relocation pointer */
char res2[2]; /* Reserved */
/* The following elements are only for CPM2 */
char res3[4]; /* Reserved */
uint sdmatmp; /* Internal */
};
Reported by FlawFinder.
Line: 69
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ushort rpbase; /* Relocation pointer */
char res2[2]; /* Reserved */
/* The following elements are only for CPM2 */
char res3[4]; /* Reserved */
uint sdmatmp; /* Internal */
};
#define I2COM_START 0x80
#define I2COM_MASTER 0x01
Reported by FlawFinder.
Line: 233
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
dev_dbg(&adap->dev, "cpm_i2c_write(abyte=0x%x)\n", addr);
memcpy(tb+1, pmsg->buf, pmsg->len);
eieio();
setbits16(&tbdf->cbd_sc, BD_SC_READY | BD_SC_INTRPT);
}
}
Reported by FlawFinder.
Line: 276
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dev_err(&adap->dev, "I2C read; Overrun\n");
return -EREMOTEIO;
}
memcpy(pmsg->buf, rb, pmsg->len);
} else {
dev_dbg(&adap->dev, "tx sc %d 0x%04x\n", tx,
in_be16(&tbdf->cbd_sc));
if (in_be16(&tbdf->cbd_sc) & BD_SC_NAK) {
Reported by FlawFinder.
drivers/gpu/drm/drm_print.c
5 issues
Line: 81
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
copy = iterator->remain;
/* Copy out the bit of the string that we need */
memcpy(iterator->data,
str + (iterator->start - iterator->offset), copy);
iterator->offset = iterator->start + copy;
iterator->remain -= copy;
} else {
Reported by FlawFinder.
Line: 91
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
len = min_t(ssize_t, strlen(str), iterator->remain);
memcpy(iterator->data + pos, str, len);
iterator->offset += len;
iterator->remain -= len;
}
}
Reported by FlawFinder.
Line: 68
Column: 9
CWE codes:
126
if (iterator->offset < iterator->start) {
ssize_t copy;
len = strlen(str);
if (iterator->offset + len <= iterator->start) {
iterator->offset += len;
return;
}
Reported by FlawFinder.
Line: 89
Column: 24
CWE codes:
126
} else {
ssize_t pos = iterator->offset - iterator->start;
len = min_t(ssize_t, strlen(str), iterator->remain);
memcpy(iterator->data + pos, str, len);
iterator->offset += len;
iterator->remain -= len;
Reported by FlawFinder.
Line: 336
Column: 31
CWE codes:
126
int i;
for (i = 0; i < regset->nregs; i++)
namelen = max(namelen, (int)strlen(regset->regs[i].name));
for (i = 0; i < regset->nregs; i++) {
drm_printf(p, "%*s = 0x%08x\n",
namelen, regset->regs[i].name,
readl(regset->base + regset->regs[i].offset));
Reported by FlawFinder.
drivers/i2c/busses/i2c-ismt.c
5 issues
Line: 353
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (desc->rxbytes != dma_buffer[0] + 1)
return -EMSGSIZE;
memcpy(data->block, dma_buffer, desc->rxbytes);
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
memcpy(&data->block[1], dma_buffer, desc->rxbytes);
data->block[0] = desc->rxbytes;
break;
Reported by FlawFinder.
Line: 356
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(data->block, dma_buffer, desc->rxbytes);
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
memcpy(&data->block[1], dma_buffer, desc->rxbytes);
data->block[0] = desc->rxbytes;
break;
}
return 0;
}
Reported by FlawFinder.
Line: 511
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
desc->wr_len_cmd = dma_size;
desc->control |= ISMT_DESC_BLK;
dma_buffer[0] = command;
memcpy(&dma_buffer[1], &data->block[1], dma_size - 1);
} else {
/* Block Read */
dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: READ\n");
dma_size = I2C_SMBUS_BLOCK_MAX;
dma_direction = DMA_FROM_DEVICE;
Reported by FlawFinder.
Line: 532
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
desc->control |= ISMT_DESC_BLK;
dma_direction = DMA_BIDIRECTIONAL;
dma_buffer[0] = command;
memcpy(&dma_buffer[1], &data->block[1], data->block[0]);
break;
case I2C_SMBUS_I2C_BLOCK_DATA:
/* Make sure the length is valid */
if (data->block[0] < 1)
Reported by FlawFinder.
Line: 551
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
desc->wr_len_cmd = dma_size;
desc->control |= ISMT_DESC_I2C;
dma_buffer[0] = command;
memcpy(&dma_buffer[1], &data->block[1], dma_size - 1);
} else {
/* i2c Block Read */
dev_dbg(dev, "I2C_SMBUS_I2C_BLOCK_DATA: READ\n");
dma_size = data->block[0];
dma_direction = DMA_FROM_DEVICE;
Reported by FlawFinder.
drivers/input/touchscreen/raydium_i2c_ts.c
5 issues
Line: 918
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i2c_client *client = to_i2c_client(dev);
struct raydium_data *ts = i2c_get_clientdata(client);
return sprintf(buf, "%s\n",
ts->boot_mode == RAYDIUM_TS_MAIN ?
"Normal" : "Recovery");
}
static ssize_t raydium_i2c_update_fw_store(struct device *dev,
Reported by FlawFinder.
Line: 180
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
tx_buf[0] = reg_addr;
memcpy(tx_buf + 1, data, len);
do {
struct raydium_bank_switch_header header = {
.cmd = RM_CMD_BANK_SWITCH,
.be_addr = cpu_to_be32(addr),
Reported by FlawFinder.
Line: 625
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf[BL_PKG_IDX] = i + 1;
xfer_len = min_t(size_t, len, RM_BL_WRT_PKG_SIZE);
memcpy(&buf[BL_DATA_STR], data, xfer_len);
if (len < RM_BL_WRT_PKG_SIZE)
memset(&buf[BL_DATA_STR + xfer_len], 0xff,
RM_BL_WRT_PKG_SIZE - xfer_len);
error = raydium_i2c_write_object(client, buf, RM_BL_WRT_LEN,
Reported by FlawFinder.
Line: 899
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i2c_client *client = to_i2c_client(dev);
struct raydium_data *ts = i2c_get_clientdata(client);
return sprintf(buf, "%d.%d\n", ts->info.main_ver, ts->info.sub_ver);
}
static ssize_t raydium_i2c_hw_ver_show(struct device *dev,
struct device_attribute *attr, char *buf)
{
Reported by FlawFinder.
Line: 908
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct i2c_client *client = to_i2c_client(dev);
struct raydium_data *ts = i2c_get_clientdata(client);
return sprintf(buf, "%#04x\n", le32_to_cpu(ts->info.hw_ver));
}
static ssize_t raydium_i2c_boot_mode_show(struct device *dev,
struct device_attribute *attr,
char *buf)
Reported by FlawFinder.
drivers/input/touchscreen/melfas_mip4.c
5 issues
Line: 152
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct input_dev *input;
struct gpio_desc *gpio_ce;
char phys[32];
char product_name[16];
u16 product_id;
char ic_name[4];
char fw_name[32];
Reported by FlawFinder.
Line: 153
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct gpio_desc *gpio_ce;
char phys[32];
char product_name[16];
u16 product_id;
char ic_name[4];
char fw_name[32];
unsigned int max_x;
Reported by FlawFinder.
Line: 155
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char phys[32];
char product_name[16];
u16 product_id;
char ic_name[4];
char fw_name[32];
unsigned int max_x;
unsigned int max_y;
u8 node_x;
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char product_name[16];
u16 product_id;
char ic_name[4];
char fw_name[32];
unsigned int max_x;
unsigned int max_y;
u8 node_x;
u8 node_y;
Reported by FlawFinder.
Line: 934
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
"writing chunk at %#04x (size %d)\n",
buf_offset, MIP4_BL_PACKET_SIZE);
put_unaligned_be16(buf_addr + buf_offset, data_buf);
memcpy(&data_buf[2], &data[buf_offset], MIP4_BL_PACKET_SIZE);
ret = i2c_master_send(ts->client,
data_buf, 2 + MIP4_BL_PACKET_SIZE);
if (ret != 2 + MIP4_BL_PACKET_SIZE) {
error = ret < 0 ? ret : -EIO;
dev_err(&ts->client->dev,
Reported by FlawFinder.