The following issues were found
drivers/gpu/drm/radeon/radeon_acpi.c
5 issues
Line: 231
Column: 2
CWE codes:
120
Suggestion:
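Make sure destination can always hold the source data. In this excerpt the line before the memcpy() clamps size to sizeof(output), so the copy length cannot exceed the destination; what remains to confirm when triaging is that the source buffer holds at least size bytes, which the excerpt does not show.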
}
size = min(sizeof(output), size);
memcpy(&output, info->buffer.pointer, size);
/* TODO: check version? */
DRM_DEBUG_DRIVER("ATIF version %u\n", output.version);
radeon_atif_parse_notification(&atif->notifications, output.notification_mask);
Reported by FlawFinder.
Line: 278
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&params, 0, sizeof(params));
size = min(sizeof(params), size);
memcpy(&params, info->buffer.pointer, size);
DRM_DEBUG_DRIVER("SYSTEM_PARAMS: mask = %#x, flags = %#x\n",
params.flags, params.valid_mask);
params.flags = params.flags & params.valid_mask;
Reported by FlawFinder.
Line: 337
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(req, 0, sizeof(*req));
size = min(sizeof(*req), size);
memcpy(req, info->buffer.pointer, size);
DRM_DEBUG_DRIVER("SBIOS pending requests: %#x\n", req->pending);
count = hweight32(req->pending);
out:
Reported by FlawFinder.
Line: 527
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
size = min(sizeof(output), size);
memcpy(&output, info->buffer.pointer, size);
/* TODO: check version? */
DRM_DEBUG_DRIVER("ATCS version %u\n", output.version);
radeon_atcs_parse_functions(&atcs->functions, output.function_bits);
Reported by FlawFinder.
Line: 649
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
size = min(sizeof(atcs_output), size);
memcpy(&atcs_output, info->buffer.pointer, size);
kfree(info);
switch (atcs_output.ret_val) {
case ATCS_REQUEST_REFUSED:
Reported by FlawFinder.
drivers/infiniband/hw/mlx4/cq.c
5 issues
Line: 368
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while ((cqe->owner_sr_opcode & MLX4_CQE_OPCODE_MASK) != MLX4_CQE_OPCODE_RESIZE) {
new_cqe = get_cqe_from_buf(&cq->resize_buf->buf,
(i + 1) & cq->resize_buf->cqe);
memcpy(new_cqe, get_cqe(cq, i & cq->ibcq.cqe), cqe_size);
new_cqe += cqe_inc;
new_cqe->owner_sr_opcode = (cqe->owner_sr_opcode & ~MLX4_CQE_OWNER_MASK) |
(((i + 1) & (cq->resize_buf->cqe + 1)) ? MLX4_CQE_OWNER_MASK : 0);
cqe = get_cqe(cq, ++i & cq->ibcq.cqe);
Reported by FlawFinder.
Line: 598
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (is_eth) {
wc->slid = 0;
wc->vlan_id = be16_to_cpu(hdr->tun.sl_vid);
memcpy(&(wc->smac[0]), (char *)&hdr->tun.mac_31_0, 4);
memcpy(&(wc->smac[4]), (char *)&hdr->tun.slid_mac_47_32, 2);
wc->wc_flags |= (IB_WC_WITH_VLAN | IB_WC_WITH_SMAC);
} else {
wc->slid = be16_to_cpu(hdr->tun.slid_mac_47_32);
wc->sl = (u8) (be16_to_cpu(hdr->tun.sl_vid) >> 12);
Reported by FlawFinder.
Line: 599
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wc->slid = 0;
wc->vlan_id = be16_to_cpu(hdr->tun.sl_vid);
memcpy(&(wc->smac[0]), (char *)&hdr->tun.mac_31_0, 4);
memcpy(&(wc->smac[4]), (char *)&hdr->tun.slid_mac_47_32, 2);
wc->wc_flags |= (IB_WC_WITH_VLAN | IB_WC_WITH_SMAC);
} else {
wc->slid = be16_to_cpu(hdr->tun.slid_mac_47_32);
wc->sl = (u8) (be16_to_cpu(hdr->tun.sl_vid) >> 12);
}
Reported by FlawFinder.
Line: 865
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
wc->vlan_id = 0xffff;
}
memcpy(wc->smac, cqe->smac, ETH_ALEN);
wc->wc_flags |= (IB_WC_WITH_VLAN | IB_WC_WITH_SMAC);
} else {
wc->slid = be16_to_cpu(cqe->rlid);
wc->sl = be16_to_cpu(cqe->sl_vid) >> 12;
wc->vlan_id = 0xffff;
Reported by FlawFinder.
Line: 951
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest += cqe_inc;
owner_bit = dest->owner_sr_opcode & MLX4_CQE_OWNER_MASK;
memcpy(dest, cqe, sizeof *cqe);
dest->owner_sr_opcode = owner_bit |
(dest->owner_sr_opcode & ~MLX4_CQE_OWNER_MASK);
}
}
Reported by FlawFinder.
drivers/gpu/drm/i915/gt/intel_gtt.h
5 issues
Line: 245
Column: 11
CWE codes:
362
* and do not allow any new attachments, and proceed to shutdown our
* vma and page directories.
*/
atomic_t open;
struct mutex mutex; /* protects vma and our lists */
struct kref resv_ref; /* kref to keep the reservation lock alive. */
struct dma_resv _resv; /* reservation lock for all pd objects, and buffer pool */
Reported by FlawFinder.
Line: 443
Column: 31
CWE codes:
362
/*
 * Take an additional "open" count on an address space.
 *
 * GEM_BUG_ON() asserts that the counter is already non-zero on entry; the
 * counter is then incremented and the result of i915_vm_get(vm) is returned.
 *
 * NOTE(review): `open` here is a struct member accessed through the
 * atomic_read()/atomic_inc() helpers, not a call to open(2).
 */
static inline struct i915_address_space *
i915_vm_open(struct i915_address_space *vm)
{
GEM_BUG_ON(!atomic_read(&vm->open));
atomic_inc(&vm->open);
return i915_vm_get(vm);
}
static inline bool
Reported by FlawFinder.
Line: 444
Column: 18
CWE codes:
362
i915_vm_open(struct i915_address_space *vm)
{
GEM_BUG_ON(!atomic_read(&vm->open));
atomic_inc(&vm->open);
return i915_vm_get(vm);
}
static inline bool
i915_vm_tryopen(struct i915_address_space *vm)
Reported by FlawFinder.
Line: 451
Column: 29
CWE codes:
362
/*
 * Try to take an "open" count on an address space.
 *
 * Returns the result of i915_vm_get(vm), converted to bool, when the count
 * was taken, and false when the counter was zero.
 */
static inline bool
i915_vm_tryopen(struct i915_address_space *vm)
{
/* Adds 1 unless the counter is 0: test and increment are one atomic call. */
if (atomic_add_unless(&vm->open, 1, 0))
return i915_vm_get(vm);
return false;
}
Reported by FlawFinder.
Line: 462
Column: 31
CWE codes:
362
/*
 * Drop an "open" count on an address space.
 *
 * GEM_BUG_ON() asserts that the counter is non-zero on entry. The work is
 * then delegated to __i915_vm_close() (not shown in this excerpt), followed
 * by i915_vm_put().
 */
static inline void
i915_vm_close(struct i915_address_space *vm)
{
GEM_BUG_ON(!atomic_read(&vm->open));
__i915_vm_close(vm);
i915_vm_put(vm);
}
Reported by FlawFinder.
drivers/infiniband/hw/hfi1/eprom.c
5 issues
Line: 136
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (len <= bytes) {
/* end is within this page */
memcpy(dest, (u8 *)buffer + start_offset, len);
return 0;
}
memcpy(dest, (u8 *)buffer + start_offset, bytes);
Reported by FlawFinder.
Line: 140
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return 0;
}
memcpy(dest, (u8 *)buffer + start_offset, bytes);
start += bytes;
len -= bytes;
dest += bytes;
}
Reported by FlawFinder.
Line: 151
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read whole pages */
while (len >= EP_PAGE_SIZE) {
read_page(dd, start, buffer);
memcpy(dest, buffer, EP_PAGE_SIZE);
start += EP_PAGE_SIZE;
len -= EP_PAGE_SIZE;
dest += EP_PAGE_SIZE;
}
Reported by FlawFinder.
Line: 161
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* read the last partial page */
if (len) {
read_page(dd, start, buffer);
memcpy(dest, buffer, len);
}
return 0;
}
Reported by FlawFinder.
Line: 270
Column: 40
CWE codes:
126
}
/* config partition is valid only if it starts with IMAGE_START_MAGIC */
if (memcmp(buffer, IMAGE_START_MAGIC, strlen(IMAGE_START_MAGIC))) {
kfree(buffer);
return -ENOENT;
}
/* scan for image magic that may trail the actual data */
Reported by FlawFinder.
drivers/gpu/drm/vmwgfx/vmwgfx_msg.c
5 issues
Line: 179
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int bytes = min_t(size_t, msg_len, 4);
unsigned long word = 0;
memcpy(&word, msg, bytes);
msg_len -= bytes;
msg += bytes;
si = channel->cookie_high;
di = channel->cookie_low;
Reported by FlawFinder.
Line: 244
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if ((HIGH_WORD(ecx) & MESSAGE_STATUS_SUCCESS) == 0)
break;
memcpy(reply, &ebx, bytes);
reply_len -= bytes;
reply += bytes;
}
return ecx;
Reported by FlawFinder.
Line: 455
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
reply_len = min(reply_len, *length);
if (reply_len > 0)
memcpy(buffer, reply + 2, reply_len);
}
*length = reply_len;
kfree(reply);
Reported by FlawFinder.
Line: 153
Column: 26
CWE codes:
126
const char *msg, bool hb)
{
unsigned long si, di, eax, ebx, ecx, edx;
unsigned long msg_len = strlen(msg);
/* HB port can't access encrypted memory. */
if (hb && !mem_encrypt_active()) {
unsigned long bp = channel->cookie_high;
Reported by FlawFinder.
Line: 264
Column: 19
CWE codes:
126
static int vmw_send_msg(struct rpc_channel *channel, const char *msg)
{
unsigned long eax, ebx, ecx, edx, si, di;
size_t msg_len = strlen(msg);
int retries = 0;
while (retries < RETRIES) {
retries++;
Reported by FlawFinder.
drivers/infiniband/core/uverbs_marshall.c
5 issues
Line: 85
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dst->is_global) {
const struct ib_global_route *grh = rdma_ah_read_grh(src);
memcpy(dst->grh.dgid, grh->dgid.raw, sizeof(grh->dgid));
dst->grh.flow_label = grh->flow_label;
dst->grh.sgid_index = grh->sgid_index;
dst->grh.hop_limit = grh->hop_limit;
dst->grh.traffic_class = grh->traffic_class;
}
Reported by FlawFinder.
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void __ib_copy_path_rec_to_user(struct ib_user_path_rec *dst,
struct sa_path_rec *src)
{
memcpy(dst->dgid, src->dgid.raw, sizeof(src->dgid));
memcpy(dst->sgid, src->sgid.raw, sizeof(src->sgid));
dst->dlid = htons(ntohl(sa_path_get_dlid(src)));
dst->slid = htons(ntohl(sa_path_get_slid(src)));
dst->raw_traffic = sa_path_get_raw_traffic(src);
Reported by FlawFinder.
Line: 140
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct sa_path_rec *src)
{
memcpy(dst->dgid, src->dgid.raw, sizeof(src->dgid));
memcpy(dst->sgid, src->sgid.raw, sizeof(src->sgid));
dst->dlid = htons(ntohl(sa_path_get_dlid(src)));
dst->slid = htons(ntohl(sa_path_get_slid(src)));
dst->raw_traffic = sa_path_get_raw_traffic(src);
dst->flow_label = src->flow_label;
Reported by FlawFinder.
Line: 191
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
slid = ntohs(src->slid);
dlid = ntohs(src->dlid);
}
memcpy(dst->dgid.raw, src->dgid, sizeof dst->dgid);
memcpy(dst->sgid.raw, src->sgid, sizeof dst->sgid);
sa_path_set_dlid(dst, dlid);
sa_path_set_slid(dst, slid);
sa_path_set_raw_traffic(dst, src->raw_traffic);
Reported by FlawFinder.
Line: 192
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dlid = ntohs(src->dlid);
}
memcpy(dst->dgid.raw, src->dgid, sizeof dst->dgid);
memcpy(dst->sgid.raw, src->sgid, sizeof dst->sgid);
sa_path_set_dlid(dst, dlid);
sa_path_set_slid(dst, slid);
sa_path_set_raw_traffic(dst, src->raw_traffic);
dst->flow_label = src->flow_label;
Reported by FlawFinder.
drivers/infiniband/core/uverbs_ioctl.c
5 issues
Line: 211
Column: 50
CWE codes:
362/367!
Suggestion:
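Set up the correct permissions (e.g., using setuid()) and try to open the file directly. This is the scanner's generic hint for the access() call; in the excerpt below the matched token appears to be the struct member `access` passed as an argument, not a call to access(2), so the finding should be triaged as a likely name-match false positive. The same applies to the other 362/367 entries listed for this file.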
for (i = 0; i != array_len; i++) {
attr->uobjects[i] = uverbs_get_uobject_from_file(
spec->u2.objs_arr.obj_type, spec->u2.objs_arr.access,
idr_vals[i], &pbundle->bundle);
if (IS_ERR(attr->uobjects[i])) {
ret = PTR_ERR(attr->uobjects[i]);
break;
}
Reported by FlawFinder.
Line: 234
Column: 30
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
for (i = 0; i != attr->len; i++)
uverbs_finalize_object(attr->uobjects[i],
spec->u2.objs_arr.access, false, commit,
attrs);
}
static int uverbs_process_attr(struct bundle_priv *pbundle,
const struct uverbs_api_attr *attr_uapi,
Reported by FlawFinder.
Line: 323
Column: 38
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* IDR implementation today rejects negative IDs
*/
o_attr->uobject = uverbs_get_uobject_from_file(
spec->u.obj.obj_type, spec->u.obj.access,
uattr->data_s64, &pbundle->bundle);
if (IS_ERR(o_attr->uobject))
return PTR_ERR(o_attr->uobject);
__set_bit(attr_bkey, pbundle->uobj_finalize);
Reported by FlawFinder.
Line: 507
Column: 40
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
uverbs_finalize_object(
attr->obj_attr.uobject,
attr->obj_attr.attr_elm->spec.u.obj.access,
test_bit(i, pbundle->uobj_hw_obj_valid),
commit,
&pbundle->bundle);
}
Reported by FlawFinder.
Line: 206
Column: 3
CWE codes:
120
Suggestion:
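Make sure destination can always hold the source data. Here the copy length is uattr->len, a field of the attribute being processed; the excerpt does not show how idr_vals was sized or whether uattr->len was bounded against the size of uattr->data, so those are the two checks to confirm in the surrounding code.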
if (ret)
return -EFAULT;
} else {
memcpy(idr_vals, &uattr->data, uattr->len);
}
for (i = 0; i != array_len; i++) {
attr->uobjects[i] = uverbs_get_uobject_from_file(
spec->u2.objs_arr.obj_type, spec->u2.objs_arr.access,
Reported by FlawFinder.
drivers/greybus/es2.c
5 issues
Line: 198
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
buf = (u8 *)dr + sizeof(*dr);
memcpy(buf, req, size);
dr->bRequest = cmd;
dr->bRequestType = USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE;
dr->wValue = 0;
dr->wIndex = 0;
Reported by FlawFinder.
Line: 901
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rpc->req->type = type;
rpc->req->size = cpu_to_le16(sizeof(*rpc->req) + size);
memcpy(rpc->req->data, payload, size);
init_completion(&rpc->response_received);
return rpc;
Reported by FlawFinder.
Line: 1062
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
arpc_del(es2, rpc);
memcpy(rpc->resp, resp, sizeof(*resp));
complete(&rpc->response_received);
spin_unlock_irqrestore(&es2->arpc_lock, flags);
exit:
/* put our urb back in the request pool */
Reported by FlawFinder.
Line: 1171
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct es2_ap_dev *es2 = file_inode(f)->i_private;
int enable = !IS_ERR_OR_NULL(es2->apb_log_task);
char tmp_buf[3];
sprintf(tmp_buf, "%d\n", enable);
return simple_read_from_buffer(buf, count, ppos, tmp_buf, 2);
}
Reported by FlawFinder.
Line: 1173
Column: 2
CWE codes:
120
Suggestion:
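Use sprintf_s, snprintf, or vsnprintf. In this excerpt enable is the result of a logical negation (0 or 1), so "%d\n" produces two characters plus the terminator and exactly fills tmp_buf[3]; a bounded call such as snprintf(tmp_buf, sizeof(tmp_buf), ...) keeps that guarantee if the format or the value ever changes.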
int enable = !IS_ERR_OR_NULL(es2->apb_log_task);
char tmp_buf[3];
sprintf(tmp_buf, "%d\n", enable);
return simple_read_from_buffer(buf, count, ppos, tmp_buf, 2);
}
static ssize_t apb_log_enable_write(struct file *f, const char __user *buf,
size_t count, loff_t *ppos)
Reported by FlawFinder.
drivers/greybus/operation.c
5 issues
Line: 651
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return NULL;
operation->id = id;
memcpy(operation->request->header, data, size);
trace_gb_operation_create_incoming(operation);
return operation;
}
Reported by FlawFinder.
Line: 1011
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* The rest will be handled in work queue context */
if (gb_operation_result_set(operation, errno)) {
memcpy(message->buffer, data, size);
trace_gb_message_recv_response(message);
queue_work(gb_operation_completion_wq, &operation->work);
}
Reported by FlawFinder.
Line: 1157
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
if (request_size)
memcpy(operation->request->payload, request, request_size);
ret = gb_operation_request_send_sync_timeout(operation, timeout);
if (ret) {
dev_err(&connection->hd->dev,
"%s: synchronous operation id 0x%04x of type 0x%02x failed: %d\n",
Reported by FlawFinder.
Line: 1166
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
connection->name, operation->id, type, ret);
} else {
if (response_size) {
memcpy(response, operation->response->payload,
response_size);
}
}
gb_operation_put(operation);
Reported by FlawFinder.
Line: 1210
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
if (request_size)
memcpy(operation->request->payload, request, request_size);
ret = gb_operation_request_send_sync_timeout(operation, timeout);
if (ret) {
dev_err(&connection->hd->dev,
"%s: unidirectional operation of type 0x%02x failed: %d\n",
Reported by FlawFinder.
drivers/hid/hid-input.c
5 issues
Line: 27
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define unk KEY_UNKNOWN
static const unsigned char hid_keyboard[256] = {
0, 0, 0, 0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 37, 38,
50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 21, 44, 2, 3,
4, 5, 6, 7, 8, 9, 10, 11, 28, 1, 14, 15, 57, 12, 13, 26,
27, 43, 43, 39, 40, 41, 51, 52, 53, 58, 59, 60, 61, 62, 63, 64,
65, 66, 67, 68, 87, 88, 99, 70,119,110,102,104,111,107,109,106,
Reported by FlawFinder.
Line: 145
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ke->index = index;
scancode = usage->hid & (HID_USAGE_PAGE | HID_USAGE);
ke->len = sizeof(scancode);
memcpy(ke->scancode, &scancode, sizeof(scancode));
return 0;
}
return -EINVAL;
}
Reported by FlawFinder.
Line: 465
Column: 8
CWE codes:
126
return -ENOMEM;
psy_desc->name = kasprintf(GFP_KERNEL, "hid-%s-battery",
strlen(dev->uniq) ?
dev->uniq : dev_name(&dev->dev));
if (!psy_desc->name) {
error = -ENOMEM;
goto err_free_mem;
}
Reported by FlawFinder.
Line: 1770
Column: 14
CWE codes:
126
}
if (suffix) {
name_len = strlen(hid->name);
suffix_len = strlen(suffix);
if ((name_len < suffix_len) ||
strcmp(hid->name + name_len - suffix_len, suffix)) {
hidinput->name = kasprintf(GFP_KERNEL, "%s %s",
hid->name, suffix);
Reported by FlawFinder.
Line: 1771
Column: 16
CWE codes:
126
if (suffix) {
name_len = strlen(hid->name);
suffix_len = strlen(suffix);
if ((name_len < suffix_len) ||
strcmp(hid->name + name_len - suffix_len, suffix)) {
hidinput->name = kasprintf(GFP_KERNEL, "%s %s",
hid->name, suffix);
if (!hidinput->name)
Reported by FlawFinder.