The following issues were found
drivers/gpu/drm/gma500/psb_intel_sdvo.c
5 issues
Line: 457
CWE codes:
476
msgs[i].len = 2;
msgs[i].buf = buf + 2 *i;
buf[2*i + 0] = SDVO_I2C_ARG_0 - i;
buf[2*i + 1] = ((u8*)args)[i];
}
msgs[i].addr = psb_intel_sdvo->slave_addr;
msgs[i].flags = 0;
msgs[i].len = 2;
msgs[i].buf = buf + 2*i;
Reported by Cppcheck.
Line: 457
CWE codes:
476
msgs[i].len = 2;
msgs[i].buf = buf + 2 *i;
buf[2*i + 0] = SDVO_I2C_ARG_0 - i;
buf[2*i + 1] = ((u8*)args)[i];
}
msgs[i].addr = psb_intel_sdvo->slave_addr;
msgs[i].flags = 0;
msgs[i].len = 2;
msgs[i].buf = buf + 2*i;
Reported by Cppcheck.
Line: 1462
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* format.
*/
format_map = 1 << psb_intel_sdvo->tv_format_index;
memcpy(&tv_res, &format_map,
min(sizeof(format_map), sizeof(struct psb_intel_sdvo_sdtv_resolution_request)));
if (!psb_intel_sdvo_set_target_output(psb_intel_sdvo, psb_intel_sdvo->attached_output))
return;
Reported by FlawFinder.
Line: 2144
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return false;
if ((flags & SDVO_OUTPUT_MASK) == 0) {
unsigned char bytes[2];
psb_intel_sdvo->controlled_output = 0;
memcpy(bytes, &psb_intel_sdvo->caps.output_flags, 2);
DRM_DEBUG_KMS("%s: Unknown SDVO output type (0x%02x%02x)\n",
SDVO_NAME(psb_intel_sdvo),
Reported by FlawFinder.
Line: 2147
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char bytes[2];
psb_intel_sdvo->controlled_output = 0;
memcpy(bytes, &psb_intel_sdvo->caps.output_flags, 2);
DRM_DEBUG_KMS("%s: Unknown SDVO output type (0x%02x%02x)\n",
SDVO_NAME(psb_intel_sdvo),
bytes[0], bytes[1]);
return false;
}
Reported by FlawFinder.
drivers/input/touchscreen/cy8ctmg110_ts.c
5 issues
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct cy8ctmg110 {
struct input_dev *input;
char phys[32];
struct i2c_client *client;
struct gpio_desc *reset_gpio;
};
/*
Reported by FlawFinder.
Line: 66
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct i2c_client *client = tsc->client;
int ret;
unsigned char i2c_data[6];
BUG_ON(len > 5);
i2c_data[0] = reg;
memcpy(i2c_data + 1, value, len);
Reported by FlawFinder.
Line: 71
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(len > 5);
i2c_data[0] = reg;
memcpy(i2c_data + 1, value, len);
ret = i2c_master_send(client, i2c_data, len + 1);
if (ret != len + 1) {
dev_err(&client->dev, "i2c write data cmd failed\n");
return ret < 0 ? ret : -EIO;
Reported by FlawFinder.
Line: 113
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cy8ctmg110_touch_pos(struct cy8ctmg110 *tsc)
{
struct input_dev *input = tsc->input;
unsigned char reg_p[CY8CTMG110_REG_MAX];
memset(reg_p, 0, CY8CTMG110_REG_MAX);
/* Reading coordinates */
if (cy8ctmg110_read_regs(tsc, reg_p, 9, CY8CTMG110_TOUCH_X1) != 0)
Reported by FlawFinder.
Line: 139
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cy8ctmg110_set_sleepmode(struct cy8ctmg110 *ts, bool sleep)
{
unsigned char reg_p[3];
if (sleep) {
reg_p[0] = 0x00;
reg_p[1] = 0xff;
reg_p[2] = 5;
Reported by FlawFinder.
drivers/input/touchscreen/ads7846.c
5 issues
Line: 98
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ads7846 {
struct input_dev *input;
char phys[32];
char name[32];
struct spi_device *spi;
struct regulator *reg;
Reported by FlawFinder.
Line: 99
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct ads7846 {
struct input_dev *input;
char phys[32];
char name[32];
struct spi_device *spi;
struct regulator *reg;
#if IS_ENABLED(CONFIG_HWMON)
Reported by FlawFinder.
Line: 474
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
READ_12BIT_SER(var)); \
if (v < 0) \
return v; \
return sprintf(buf, "%u\n", adjust(ts, v)); \
} \
static DEVICE_ATTR(name, S_IRUGO, name ## _show, NULL);
/* Sysfs conventions report temperatures in millidegrees Celsius.
Reported by FlawFinder.
Line: 603
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ads7846 *ts = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", ts->pendown);
}
static DEVICE_ATTR(pen_down, S_IRUGO, ads7846_pen_down_show, NULL);
static ssize_t ads7846_disable_show(struct device *dev,
Reported by FlawFinder.
Line: 613
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct ads7846 *ts = dev_get_drvdata(dev);
return sprintf(buf, "%u\n", ts->disabled);
}
static ssize_t ads7846_disable_store(struct device *dev,
struct device_attribute *attr,
const char *buf, size_t count)
Reported by FlawFinder.
drivers/gpu/drm/msm/dp/dp_aux.c
5 issues
Line: 70
Column: 11
CWE codes:
120
20
/* Pack cmd and write to HW */
data[0] = (msg->address >> 16) & 0xf; /* addr[19:16] */
if (aux->read)
data[0] |= BIT(4); /* R/W */
data[1] = msg->address >> 8; /* addr[15:8] */
data[2] = msg->address; /* addr[7:0] */
data[3] = msg->size - 1; /* len[7:0] */
Reported by FlawFinder.
Line: 341
Column: 11
CWE codes:
120
20
aux->read = msg->request & (DP_AUX_I2C_READ & DP_AUX_NATIVE_READ);
aux->cmd_busy = true;
if (aux->read) {
aux->no_send_addr = true;
aux->no_send_stop = false;
} else {
aux->no_send_addr = true;
aux->no_send_stop = true;
Reported by FlawFinder.
Line: 360
Column: 13
CWE codes:
120
20
aux->retry_cnt = 0;
switch (aux->aux_error_num) {
case DP_AUX_ERR_NONE:
if (aux->read)
ret = dp_aux_cmd_fifo_rx(aux, msg);
msg->reply = aux->native ? DP_AUX_NATIVE_REPLY_ACK : DP_AUX_I2C_REPLY_ACK;
break;
case DP_AUX_ERR_DEFER:
msg->reply = aux->native ? DP_AUX_NATIVE_REPLY_DEFER : DP_AUX_I2C_REPLY_DEFER;
Reported by FlawFinder.
drivers/md/dm-init.c
5 issues
Line: 35
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dm_device {
struct dm_ioctl dmi;
struct dm_target_spec *table[DM_MAX_TARGETS];
char *target_args_array[DM_MAX_TARGETS];
struct list_head list;
};
static const char * const dm_allowed_targets[] __initconst = {
"crypt",
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dm_target_spec *sp;
unsigned int i;
/* fields: */
char *field[4];
char *next;
field[0] = str;
/* Delimit first 3 fields that are separated by space */
for (i = 0; i < ARRAY_SIZE(field) - 1; i++) {
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char __init *dm_parse_device_entry(struct dm_device *dev, char *str)
{
/* There are 5 fields: name,uuid,minor,flags,table; */
char *field[5];
unsigned int i;
char *next;
field[0] = str;
/* Delimit first 4 fields that are separated by comma */
Reported by FlawFinder.
Line: 209
Column: 6
CWE codes:
126
/* uuid */
strscpy(dev->dmi.uuid, field[1], sizeof(dev->dmi.uuid));
/* minor */
if (strlen(field[2])) {
if (kstrtoull(field[2], 0, &dev->dmi.dev))
return ERR_PTR(-EINVAL);
dev->dmi.flags |= DM_PERSISTENT_DEV_FLAG;
}
/* flags */
Reported by FlawFinder.
Line: 274
Column: 6
CWE codes:
126
if (!create)
return 0;
if (strlen(create) >= DM_MAX_STR_SIZE) {
DMERR("Argument is too big. Limit is %d", DM_MAX_STR_SIZE);
return -EINVAL;
}
str = kstrndup(create, DM_MAX_STR_SIZE, GFP_KERNEL);
if (!str)
Reported by FlawFinder.
drivers/input/serio/serio_raw.c
5 issues
Line: 29
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define SERIO_RAW_QUEUE_LEN 64
struct serio_raw {
unsigned char queue[SERIO_RAW_QUEUE_LEN];
unsigned int tail, head;
char name[16];
struct kref kref;
struct serio *serio;
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char queue[SERIO_RAW_QUEUE_LEN];
unsigned int tail, head;
char name[16];
struct kref kref;
struct serio *serio;
struct miscdevice dev;
wait_queue_head_t wait;
struct list_head client_list;
Reported by FlawFinder.
drivers/gpu/drm/msm/dsi/dsi_host.c
5 issues
Line: 900
CWE codes:
476
data |= DSI_TRIG_CTRL_BLOCK_DMA_WITHIN_FRAME;
dsi_write(msm_host, REG_DSI_TRIG_CTRL, data);
data = DSI_CLKOUT_TIMING_CTRL_T_CLK_POST(phy_shared_timings->clk_post) |
DSI_CLKOUT_TIMING_CTRL_T_CLK_PRE(phy_shared_timings->clk_pre);
dsi_write(msm_host, REG_DSI_CLKOUT_TIMING_CTRL, data);
if ((cfg_hnd->major == MSM_DSI_VER_MAJOR_6G) &&
(cfg_hnd->minor > MSM_DSI_6G_VER_MINOR_V1_0) &&
Reported by Cppcheck.
Line: 901
CWE codes:
476
dsi_write(msm_host, REG_DSI_TRIG_CTRL, data);
data = DSI_CLKOUT_TIMING_CTRL_T_CLK_POST(phy_shared_timings->clk_post) |
DSI_CLKOUT_TIMING_CTRL_T_CLK_PRE(phy_shared_timings->clk_pre);
dsi_write(msm_host, REG_DSI_CLKOUT_TIMING_CTRL, data);
if ((cfg_hnd->major == MSM_DSI_VER_MAJOR_6G) &&
(cfg_hnd->minor > MSM_DSI_6G_VER_MINOR_V1_0) &&
phy_shared_timings->clk_pre_inc_by_2)
Reported by Cppcheck.
Line: 906
CWE codes:
476
if ((cfg_hnd->major == MSM_DSI_VER_MAJOR_6G) &&
(cfg_hnd->minor > MSM_DSI_6G_VER_MINOR_V1_0) &&
phy_shared_timings->clk_pre_inc_by_2)
dsi_write(msm_host, REG_DSI_T_CLK_PRE_EXTEND,
DSI_T_CLK_PRE_EXTEND_INC_BY_2_BYTECLK);
data = 0;
if (!(flags & MIPI_DSI_MODE_EOT_PACKET))
Reported by Cppcheck.
Line: 1208
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Long packet */
if (packet.payload && packet.payload_length)
memcpy(data + 4, packet.payload, packet.payload_length);
/* Append 0xff to the end */
if (packet.size < len)
memset(data + packet.size, 0xff, len - packet.size);
Reported by FlawFinder.
Line: 1257
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
/* strip out 4 byte dcs header */
if (msg->rx_buf && msg->rx_len)
memcpy(msg->rx_buf, buf + 4, msg->rx_len);
return msg->rx_len;
}
int dsi_dma_base_get_6g(struct msm_dsi_host *msm_host, uint64_t *dma_base)
Reported by FlawFinder.
drivers/input/serio/i8042-x86ia64io.h
5 issues
Line: 999
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int i8042_pnp_kbd_irq;
static int i8042_pnp_aux_irq;
static char i8042_pnp_kbd_name[32];
static char i8042_pnp_aux_name[32];
static void i8042_pnp_id_to_string(struct pnp_id *id, char *dst, int dst_size)
{
strlcpy(dst, "PNP:", dst_size);
Reported by FlawFinder.
Line: 1000
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int i8042_pnp_aux_irq;
static char i8042_pnp_kbd_name[32];
static char i8042_pnp_aux_name[32];
static void i8042_pnp_id_to_string(struct pnp_id *id, char *dst, int dst_size)
{
strlcpy(dst, "PNP:", dst_size);
Reported by FlawFinder.
Line: 1134
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __init i8042_pnp_init(void)
{
char kbd_irq_str[4] = { 0 }, aux_irq_str[4] = { 0 };
bool pnp_data_busted = false;
int err;
#ifdef CONFIG_X86
if (dmi_check_system(i8042_dmi_nopnp_table))
Reported by FlawFinder.
Line: 1025
Column: 6
CWE codes:
126
i8042_pnp_kbd_irq = pnp_irq(dev, 0);
strlcpy(i8042_pnp_kbd_name, did->id, sizeof(i8042_pnp_kbd_name));
if (strlen(pnp_dev_name(dev))) {
strlcat(i8042_pnp_kbd_name, ":", sizeof(i8042_pnp_kbd_name));
strlcat(i8042_pnp_kbd_name, pnp_dev_name(dev), sizeof(i8042_pnp_kbd_name));
}
i8042_pnp_id_to_string(dev->id, i8042_kbd_firmware_id,
sizeof(i8042_kbd_firmware_id));
Reported by FlawFinder.
Line: 1052
Column: 6
CWE codes:
126
i8042_pnp_aux_irq = pnp_irq(dev, 0);
strlcpy(i8042_pnp_aux_name, did->id, sizeof(i8042_pnp_aux_name));
if (strlen(pnp_dev_name(dev))) {
strlcat(i8042_pnp_aux_name, ":", sizeof(i8042_pnp_aux_name));
strlcat(i8042_pnp_aux_name, pnp_dev_name(dev), sizeof(i8042_pnp_aux_name));
}
i8042_pnp_id_to_string(dev->id, i8042_aux_firmware_id,
sizeof(i8042_aux_firmware_id));
Reported by FlawFinder.
drivers/input/mouse/cypress_ps2.c
5 issues
Line: 124
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(psmouse->pktcnt >= pktsize),
msecs_to_jiffies(CYTP_CMD_TIMEOUT));
memcpy(param, psmouse->packet, pktsize);
psmouse_dbg(psmouse, "Command 0x%02x response data (0x): %*ph\n",
cmd, pktsize, param);
out:
Reported by FlawFinder.
Line: 203
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int cypress_detect(struct psmouse *psmouse, bool set_properties)
{
unsigned char param[3];
if (cypress_send_ext_cmd(psmouse, CYTP_CMD_READ_CYPRESS_ID, param))
return -ENODEV;
/* Check for Cypress Trackpad signature bytes: 0x33 0xCC */
Reported by FlawFinder.
Line: 223
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cypress_read_fw_version(struct psmouse *psmouse)
{
struct cytp_data *cytp = psmouse->private;
unsigned char param[3];
if (cypress_send_ext_cmd(psmouse, CYTP_CMD_READ_CYPRESS_ID, param))
return -ENODEV;
/* Check for Cypress Trackpad signature bytes: 0x33 0xCC */
Reported by FlawFinder.
Line: 252
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cypress_read_tp_metrics(struct psmouse *psmouse)
{
struct cytp_data *cytp = psmouse->private;
unsigned char param[8];
/* set default values for tp metrics. */
cytp->tp_width = CYTP_DEFAULT_WIDTH;
cytp->tp_high = CYTP_DEFAULT_HIGH;
cytp->tp_max_abs_x = CYTP_ABS_MAX_X;
Reported by FlawFinder.
Line: 340
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int cypress_set_absolute_mode(struct psmouse *psmouse)
{
struct cytp_data *cytp = psmouse->private;
unsigned char param[3];
if (cypress_send_ext_cmd(psmouse, CYTP_CMD_ABS_WITH_PRESSURE_MODE, param) < 0)
return -1;
cytp->mode = (cytp->mode & ~CYTP_BIT_ABS_REL_MASK)
Reported by FlawFinder.
drivers/input/mouse/cyapa.c
5 issues
Line: 132
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t len, const void *values)
{
struct i2c_client *client = cyapa->client;
char buf[32];
int ret;
if (len > sizeof(buf) - 1)
return -ENOMEM;
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
buf[0] = reg;
memcpy(&buf[1], values, len);
ret = i2c_master_send(client, buf, len + 1);
if (ret != len + 1)
return ret < 0 ? ret : -EIO;
Reported by FlawFinder.
Line: 1080
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *buf, size_t count)
{
struct cyapa *cyapa = dev_get_drvdata(dev);
char fw_name[NAME_MAX];
int ret, error;
if (count >= NAME_MAX) {
dev_err(dev, "File name too long\n");
return -EINVAL;
Reported by FlawFinder.
Line: 1088
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
}
memcpy(fw_name, buf, count);
if (fw_name[count - 1] == '\n')
fw_name[count - 1] = '\0';
else
fw_name[count] = '\0';
Reported by FlawFinder.
Line: 1277
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
cyapa->client = client;
i2c_set_clientdata(client, cyapa);
sprintf(cyapa->phys, "i2c-%d-%04x/input0", client->adapter->nr,
client->addr);
cyapa->vcc = devm_regulator_get(dev, "vcc");
if (IS_ERR(cyapa->vcc)) {
error = PTR_ERR(cyapa->vcc);
Reported by FlawFinder.