The following issues were found
drivers/iio/proximity/srf08.c
5 issues
Line: 233
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t srf08_show_range_mm_available(struct device *dev,
struct device_attribute *attr, char *buf)
{
return sprintf(buf, "[0.043 0.043 11.008]\n");
}
static IIO_DEVICE_ATTR(sensor_max_range_available, S_IRUGO,
srf08_show_range_mm_available, NULL, 0);
Reported by FlawFinder.
Line: 245
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct iio_dev *indio_dev = dev_to_iio_dev(dev);
struct srf08_data *data = iio_priv(indio_dev);
return sprintf(buf, "%d.%03d\n", data->range_mm / 1000,
data->range_mm % 1000);
}
/*
* set the range of the sensor to an even multiple of 43 mm
Reported by FlawFinder.
Line: 323
Column: 11
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
for (i = 0; i < data->chip_info->num_sensitivity_avail; i++)
if (data->chip_info->sensitivity_avail[i])
len += sprintf(buf + len, "%d ",
data->chip_info->sensitivity_avail[i]);
len += sprintf(buf + len, "\n");
return len;
Reported by FlawFinder.
Line: 341
Column: 8
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
struct srf08_data *data = iio_priv(indio_dev);
int len;
len = sprintf(buf, "%d\n", data->sensitivity);
return len;
}
static ssize_t srf08_write_sensitivity(struct srf08_data *data,
Reported by FlawFinder.
Line: 326
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
len += sprintf(buf + len, "%d ",
data->chip_info->sensitivity_avail[i]);
len += sprintf(buf + len, "\n");
return len;
}
static IIO_DEVICE_ATTR(sensor_sensitivity_available, S_IRUGO,
Reported by FlawFinder.
tools/perf/util/strbuf.c
5 issues
Line: 106
Column: 8
CWE codes:
134
Suggestion:
Use a constant for the format specification
}
va_copy(ap_saved, ap);
len = vsnprintf(sb->buf + sb->len, sb->alloc - sb->len, fmt, ap);
if (len < 0) {
va_end(ap_saved);
return len;
}
if (len > strbuf_avail(sb)) {
Reported by FlawFinder.
Line: 117
Column: 9
CWE codes:
134
Suggestion:
Use a constant for the format specification
va_end(ap_saved);
return ret;
}
len = vsnprintf(sb->buf + sb->len, sb->alloc - sb->len, fmt, ap_saved);
if (len > strbuf_avail(sb)) {
pr_debug("this should not happen, your vsnprintf is broken");
va_end(ap_saved);
return -EINVAL;
}
Reported by FlawFinder.
Line: 18
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* buf is non NULL and ->buf is NUL terminated even for a freshly
* initialized strbuf.
*/
char strbuf_slopbuf[1];
int strbuf_init(struct strbuf *sb, ssize_t hint)
{
sb->alloc = sb->len = 0;
sb->buf = strbuf_slopbuf;
Reported by FlawFinder.
Line: 90
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ret)
return ret;
memcpy(sb->buf + sb->len, data, len);
return strbuf_setlen(sb, sb->len + len);
}
static int strbuf_addv(struct strbuf *sb, const char *fmt, va_list ap)
{
Reported by FlawFinder.
Line: 152
Column: 9
CWE codes:
120
20
for (;;) {
ssize_t cnt;
cnt = read(fd, sb->buf + sb->len, sb->alloc - sb->len - 1);
if (cnt < 0) {
if (oldalloc == 0)
strbuf_release(sb);
else
strbuf_setlen(sb, oldlen);
Reported by FlawFinder.
tools/testing/selftests/powerpc/syscalls/rtas_filter.c
5 issues
Line: 96
Column: 8
CWE codes:
362
snprintf(path, len, "%s/%s", prop_path, prop_name);
*fd = open(path, O_RDONLY);
free(path);
if (*fd < 0)
return -errno;
return 0;
Reported by FlawFinder.
Line: 144
Column: 7
CWE codes:
362
int fd;
int rc;
fd = open("/proc/ppc64/rtas/rmo_buffer", O_RDONLY);
if (fd < 0) {
printf("Could not open rmo_buffer file\n");
return RTAS_IO_ASSERT;
}
Reported by FlawFinder.
Line: 89
Column: 8
CWE codes:
126
int len;
/* allocate enough for two string, a slash and trailing NULL */
len = strlen(prop_path) + strlen(prop_name) + 1 + 1;
path = malloc(len);
if (path == NULL)
return -ENOMEM;
snprintf(path, len, "%s/%s", prop_path, prop_name);
Reported by FlawFinder.
Line: 89
Column: 28
CWE codes:
126
int len;
/* allocate enough for two string, a slash and trailing NULL */
len = strlen(prop_path) + strlen(prop_name) + 1 + 1;
path = malloc(len);
if (path == NULL)
return -ENOMEM;
snprintf(path, len, "%s/%s", prop_path, prop_name);
Reported by FlawFinder.
tools/testing/selftests/media_tests/media_device_test.c
5 issues
Line: 59
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
}
/* Process arguments */
while ((opt = getopt(argc, argv, "d:")) != -1) {
switch (opt) {
case 'd':
strncpy(media_device, optarg, sizeof(media_device) - 1);
media_device[sizeof(media_device)-1] = '\0';
break;
Reported by FlawFinder.
Line: 75
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
ksft_exit_skip("Please run the test as root - Exiting.\n");
/* Generate random number of interations */
srand((unsigned int) time(NULL));
count = rand();
/* Open Media device and keep it open */
fd = open(media_device, O_RDWR);
if (fd == -1) {
Reported by FlawFinder.
Line: 47
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int main(int argc, char **argv)
{
int opt;
char media_device[256];
int count;
struct media_device_info mdi;
int ret;
int fd;
Reported by FlawFinder.
Line: 79
Column: 7
CWE codes:
362
count = rand();
/* Open Media device and keep it open */
fd = open(media_device, O_RDWR);
if (fd == -1) {
printf("Media Device open errno %s\n", strerror(errno));
exit(-1);
}
Reported by FlawFinder.
Line: 62
Column: 4
CWE codes:
120
while ((opt = getopt(argc, argv, "d:")) != -1) {
switch (opt) {
case 'd':
strncpy(media_device, optarg, sizeof(media_device) - 1);
media_device[sizeof(media_device)-1] = '\0';
break;
default:
printf("Usage: %s [-d </dev/mediaX>]\n", argv[0]);
exit(-1);
Reported by FlawFinder.
tools/testing/selftests/media_tests/video_device_test.c
5 issues
Line: 56
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
}
/* Process arguments */
while ((opt = getopt(argc, argv, "d:")) != -1) {
switch (opt) {
case 'd':
strncpy(video_dev, optarg, sizeof(video_dev) - 1);
video_dev[sizeof(video_dev)-1] = '\0';
break;
Reported by FlawFinder.
Line: 69
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
}
/* Generate random number of interations */
srand((unsigned int) time(NULL));
count = rand();
/* Open Video device and keep it open */
fd = open(video_dev, O_RDWR);
if (fd == -1) {
Reported by FlawFinder.
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int main(int argc, char **argv)
{
int opt;
char video_dev[256];
int count;
struct v4l2_tuner vtuner;
struct v4l2_capability vcap;
int ret;
int fd;
Reported by FlawFinder.
Line: 73
Column: 7
CWE codes:
362
count = rand();
/* Open Video device and keep it open */
fd = open(video_dev, O_RDWR);
if (fd == -1) {
printf("Video Device open errno %s\n", strerror(errno));
exit(-1);
}
Reported by FlawFinder.
Line: 59
Column: 4
CWE codes:
120
while ((opt = getopt(argc, argv, "d:")) != -1) {
switch (opt) {
case 'd':
strncpy(video_dev, optarg, sizeof(video_dev) - 1);
video_dev[sizeof(video_dev)-1] = '\0';
break;
default:
printf("Usage: %s [-d </dev/videoX>]\n", argv[0]);
exit(-1);
Reported by FlawFinder.
tools/testing/selftests/mincore/mincore_selftest.c
5 issues
Line: 34
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int retval;
int page_size;
unsigned char vec[1];
char *addr;
page_size = sysconf(_SC_PAGESIZE);
/* Query a 0 byte sized range */
Reported by FlawFinder.
Line: 85
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
TEST(check_anonymous_locked_pages)
{
unsigned char vec[1];
char *addr;
int retval;
int page_size;
page_size = sysconf(_SC_PAGESIZE);
Reported by FlawFinder.
Line: 141
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
TEST(check_huge_pages)
{
unsigned char vec[1];
char *addr;
int retval;
int page_size;
page_size = sysconf(_SC_PAGESIZE);
Reported by FlawFinder.
Line: 209
Column: 7
CWE codes:
362
}
errno = 0;
fd = open(".", O_TMPFILE | O_RDWR, 0600);
ASSERT_NE(-1, fd) {
TH_LOG("Can't create temporary file: %s",
strerror(errno));
}
errno = 0;
Reported by FlawFinder.
Line: 306
Column: 7
CWE codes:
362
}
errno = 0;
fd = open("/dev/shm", O_TMPFILE | O_RDWR, 0600);
ASSERT_NE(-1, fd) {
TH_LOG("Can't create temporary file: %s",
strerror(errno));
}
errno = 0;
Reported by FlawFinder.
tools/io_uring/io_uring-cp.c
5 issues
Line: 261
Column: 9
CWE codes:
362
return 1;
}
infd = open(argv[1], O_RDONLY);
if (infd < 0) {
perror("open infile");
return 1;
}
outfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0644);
Reported by FlawFinder.
Line: 266
Column: 10
CWE codes:
362
perror("open infile");
return 1;
}
outfd = open(argv[2], O_WRONLY | O_CREAT | O_TRUNC, 0644);
if (outfd < 0) {
perror("open outfile");
return 1;
}
Reported by FlawFinder.
Line: 76
Column: 12
CWE codes:
120
20
sqe = io_uring_get_sqe(ring);
assert(sqe);
if (data->read)
io_uring_prep_readv(sqe, infd, &data->iov, 1, data->offset);
else
io_uring_prep_writev(sqe, outfd, &data->iov, 1, data->offset);
io_uring_sqe_set_data(sqe, data);
Reported by FlawFinder.
Line: 215
Column: 14
CWE codes:
120
20
* All done. if write, nothing else to do. if read,
* queue up corresponding write.
*/
if (data->read) {
queue_write(ring, data);
write_left -= data->first_len;
reads--;
writes++;
} else {
Reported by FlawFinder.
tools/testing/selftests/proc/fd-003-kthread.c
5 issues
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int kernel_thread_fd(unsigned int pid)
{
unsigned int flags = 0;
char buf[4096];
int dir_fd, fd;
ssize_t rv;
snprintf(buf, sizeof(buf), "/proc/%u", pid);
dir_fd = open(buf, O_RDONLY|O_DIRECTORY);
Reported by FlawFinder.
Line: 48
Column: 11
CWE codes:
362
ssize_t rv;
snprintf(buf, sizeof(buf), "/proc/%u", pid);
dir_fd = open(buf, O_RDONLY|O_DIRECTORY);
if (dir_fd == -1)
return -1;
/*
* Believe it or not, struct task_struct::flags is directly exposed
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_lookup_fail(int fd, const char *pathname)
{
char stx[256] __attribute__((aligned(8)));
int rv;
rv = sys_statx(fd, pathname, AT_SYMLINK_NOFOLLOW, 0, (void *)stx);
assert(rv == -1 && errno == ENOENT);
}
Reported by FlawFinder.
Line: 133
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_lookup(int fd)
{
char buf[64];
unsigned int u;
int i;
for (i = INT_MIN; i < INT_MIN + 1024; i++) {
snprintf(buf, sizeof(buf), "%d", i);
Reported by FlawFinder.
Line: 61
Column: 7
CWE codes:
120
20
close(dir_fd);
return -1;
}
rv = read(fd, buf, sizeof(buf));
close(fd);
if (0 < rv && rv <= sizeof(buf)) {
unsigned long long flags_ull;
char *p, *end;
int i;
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/stacktrace_build_id.c
5 issues
Line: 33
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
stackmap_fd = bpf_map__fd(skel->maps.stackmap);
stack_amap_fd = bpf_map__fd(skel->maps.stack_amap);
if (CHECK_FAIL(system("dd if=/dev/urandom of=/dev/zero count=4 2> /dev/null")))
goto cleanup;
if (CHECK_FAIL(system("./urandom_read")))
goto cleanup;
/* disable stack trace collection */
key = 0;
Reported by FlawFinder.
Line: 35
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
if (CHECK_FAIL(system("dd if=/dev/urandom of=/dev/zero count=4 2> /dev/null")))
goto cleanup;
if (CHECK_FAIL(system("./urandom_read")))
goto cleanup;
/* disable stack trace collection */
key = 0;
val = 1;
bpf_map_update_elem(control_map_fd, &key, &val, 0);
Reported by FlawFinder.
Line: 12
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct test_stacktrace_build_id *skel;
int err, stack_trace_len;
__u32 key, previous_key, val, duration = 0;
char buf[256];
int i, j;
struct bpf_stack_build_id id_offs[PERF_MAX_STACK_DEPTH];
int build_id_matches = 0;
int retry = 1;
Reported by FlawFinder.
Line: 67
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
goto cleanup;
do {
char build_id[64];
err = bpf_map_lookup_elem(stackmap_fd, &key, id_offs);
if (CHECK(err, "lookup_elem from stackmap",
"err %d, errno %d\n", err, errno))
goto cleanup;
Reported by FlawFinder.
Line: 77
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (id_offs[i].status == BPF_STACK_BUILD_ID_VALID &&
id_offs[i].offset != 0) {
for (j = 0; j < 20; ++j)
sprintf(build_id + 2 * j, "%02x",
id_offs[i].build_id[j] & 0xff);
if (strstr(buf, build_id) != NULL)
build_id_matches = 1;
}
previous_key = key;
Reported by FlawFinder.
tools/testing/selftests/powerpc/ptrace/ptrace-perf-hwbreak.c
5 issues
Line: 15
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <sys/wait.h>
#include "ptrace.h"
char data[16];
/* Overlapping address range */
volatile __u64 *ptrace_data1 = (__u64 *)&data[0];
volatile __u64 *perf_data1 = (__u64 *)&data[4];
Reported by FlawFinder.
Line: 29
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
FILE *fp;
char *line, *c;
char addr[100];
size_t len = 0;
fp = fopen("/proc/kallsyms", "r");
if (!fp) {
printf("Failed to read /proc/kallsyms. Exiting..\n");
Reported by FlawFinder.
Line: 32
Column: 7
CWE codes:
362
char addr[100];
size_t len = 0;
fp = fopen("/proc/kallsyms", "r");
if (!fp) {
printf("Failed to read /proc/kallsyms. Exiting..\n");
exit(EXIT_FAILURE);
}
Reported by FlawFinder.
Line: 583
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return ret;
}
char *desc[14] = {
"perf cpu event -> ptrace thread event (Overlapping)",
"perf cpu event -> ptrace thread event (Non-overlapping)",
"perf thread event -> ptrace same thread event (Overlapping)",
"perf thread event -> ptrace same thread event (Non-overlapping)",
"perf thread event -> ptrace other thread event",
Reported by FlawFinder.
Line: 43
Column: 3
CWE codes:
120
strstr(line, "pid_max_min"))
continue;
strncpy(addr, line, len < 100 ? len : 100);
c = strchr(addr, ' ');
*c = '\0';
return strtoul(addr, &c, 16);
}
fclose(fp);
Reported by FlawFinder.