The following issues were found
tools/perf/util/vdso.c
5 issues
Line: 186
Column: 6
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
FILE *f;
int err;
f = popen(prog, "r");
if (!f)
return -errno;
err = vdso__do_copy_compat(f, fd);
Reported by FlawFinder.
Line: 34
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct vdso_file {
bool found;
bool error;
char temp_file_name[sizeof(VDSO__TEMP_FILE_NAME)];
const char *dso_name;
const char *read_prog;
};
struct vdso_info {
Reported by FlawFinder.
Line: 91
Column: 7
CWE codes:
377
if (!buf)
return NULL;
fd = mkstemp(vdso_file->temp_file_name);
if (fd < 0)
goto out;
if (size == (size_t) write(fd, buf, size))
vdso = vdso_file->temp_file_name;
Reported by FlawFinder.
Line: 165
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int vdso__do_copy_compat(FILE *f, int fd)
{
char buf[4096];
size_t count;
while (1) {
count = fread(buf, 1, sizeof(buf), f);
if (ferror(f))
Reported by FlawFinder.
Line: 202
Column: 7
CWE codes:
377
{
int fd, err;
fd = mkstemp(temp_name);
if (fd < 0)
return -errno;
err = vdso__copy_compat(prog, fd);
Reported by FlawFinder.
tools/testing/selftests/clone3/clone3_set_tid.c
5 issues
Line: 155
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t len = 0;
int pid_max = 0;
uid_t uid = getuid();
char proc_path[100] = {0};
pid_t pid, ns1, ns2, ns3, ns_pid;
pid_t set_tid[MAX_PID_NS_LEVEL * 2];
ksft_print_header();
ksft_set_plan(29);
Reported by FlawFinder.
Line: 166
Column: 6
CWE codes:
362
if (pipe(pipe_1) < 0 || pipe(pipe_2) < 0)
ksft_exit_fail_msg("pipe() failed\n");
f = fopen("/proc/sys/kernel/pid_max", "r");
if (f == NULL)
ksft_exit_fail_msg(
"%s - Could not open /proc/sys/kernel/pid_max\n",
strerror(errno));
fscanf(f, "%d", &pid_max);
Reported by FlawFinder.
Line: 343
Column: 6
CWE codes:
362
}
snprintf(proc_path, sizeof(proc_path), "/proc/%d/status", pid);
f = fopen(proc_path, "r");
if (f == NULL)
ksft_exit_fail_msg(
"%s - Could not open %s\n",
strerror(errno), proc_path);
Reported by FlawFinder.
Line: 84
Column: 10
CWE codes:
120
20
}
close(pipe_1[1]);
close(pipe_2[1]);
ret = read(pipe_2[0], &tmp, 1);
if (ret != 1) {
ksft_print_msg(
"Reading from pipe returned %d", ret);
exit_code = EXIT_FAILURE;
}
Reported by FlawFinder.
Line: 337
Column: 9
CWE codes:
120
20
close(pipe_1[1]);
close(pipe_2[0]);
while (read(pipe_1[0], &buf, 1) > 0) {
ksft_print_msg("[%d] Child is ready and waiting\n", getpid());
break;
}
snprintf(proc_path, sizeof(proc_path), "/proc/%d/status", pid);
Reported by FlawFinder.
sound/usb/usx2y/usbusx2y.c
5 issues
Line: 382
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
INIT_LIST_HEAD(&usx2y(card)->midi_list);
strcpy(card->driver, "USB "NAME_ALLCAPS"");
sprintf(card->shortname, "TASCAM "NAME_ALLCAPS"");
sprintf(card->longname, "%s (%x:%x if %d at %03d/%03d)",
card->shortname,
le16_to_cpu(device->descriptor.idVendor),
le16_to_cpu(device->descriptor.idProduct),
0,//us428(card)->usbmidi.ifnum,
usx2y(card)->dev->bus->busnum, usx2y(card)->dev->devnum);
Reported by FlawFinder.
Line: 139
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
MODULE_LICENSE("GPL");
static int index[SNDRV_CARDS] = SNDRV_DEFAULT_IDX; /* Index 0-max */
static char *id[SNDRV_CARDS] = SNDRV_DEFAULT_STR; /* Id for this card */
static bool enable[SNDRV_CARDS] = SNDRV_DEFAULT_ENABLE_PNP; /* Enable this card */
module_param_array(index, int, NULL, 0444);
MODULE_PARM_DESC(index, "Index value for "NAME_ALLCAPS".");
module_param_array(id, charp, NULL, 0444);
Reported by FlawFinder.
Line: 206
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
n = us428ctls->ctl_snapshot_last + 1;
if (n >= N_US428_CTL_BUFS || n < 0)
n = 0;
memcpy(us428ctls->ctl_snapshot + n, usx2y->in04_buf, sizeof(us428ctls->ctl_snapshot[0]));
us428ctls->ctl_snapshot_differs_at[n] = diff;
us428ctls->ctl_snapshot_last = n;
wake_up(&usx2y->us428ctls_wait_queue_head);
}
}
Reported by FlawFinder.
Line: 380
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
init_waitqueue_head(&usx2y(card)->us428ctls_wait_queue_head);
mutex_init(&usx2y(card)->pcm_mutex);
INIT_LIST_HEAD(&usx2y(card)->midi_list);
strcpy(card->driver, "USB "NAME_ALLCAPS"");
sprintf(card->shortname, "TASCAM "NAME_ALLCAPS"");
sprintf(card->longname, "%s (%x:%x if %d at %03d/%03d)",
card->shortname,
le16_to_cpu(device->descriptor.idVendor),
le16_to_cpu(device->descriptor.idProduct),
Reported by FlawFinder.
Line: 381
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
mutex_init(&usx2y(card)->pcm_mutex);
INIT_LIST_HEAD(&usx2y(card)->midi_list);
strcpy(card->driver, "USB "NAME_ALLCAPS"");
sprintf(card->shortname, "TASCAM "NAME_ALLCAPS"");
sprintf(card->longname, "%s (%x:%x if %d at %03d/%03d)",
card->shortname,
le16_to_cpu(device->descriptor.idVendor),
le16_to_cpu(device->descriptor.idProduct),
0,//us428(card)->usbmidi.ifnum,
Reported by FlawFinder.
tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c
5 issues
Line: 25
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int check_vgem(int fd)
{
drm_version_t version = { 0 };
char name[5];
int ret;
version.name_len = 4;
version.name = name;
Reported by FlawFinder.
Line: 45
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
fd = -1;
for (i = 0; i < 16; i++) {
char name[80];
snprintf(name, 80, "%s%u", drmstr, i);
fd = open(name, O_RDWR);
if (fd < 0)
Reported by FlawFinder.
Line: 49
Column: 8
CWE codes:
362
snprintf(name, 80, "%s%u", drmstr, i);
fd = open(name, O_RDWR);
if (fd < 0)
continue;
if (!check_vgem(fd)) {
close(fd);
Reported by FlawFinder.
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int dmabuf_heap_open(char *name)
{
int ret, fd;
char buf[256];
ret = snprintf(buf, 256, "%s/%s", DEVPATH, name);
if (ret < 0) {
printf("snprintf failed!\n");
return ret;
Reported by FlawFinder.
Line: 99
Column: 7
CWE codes:
362
return ret;
}
fd = open(buf, O_RDWR);
if (fd < 0)
printf("open %s failed!\n", buf);
return fd;
}
Reported by FlawFinder.
tools/perf/util/data-convert-json.c
5 issues
Line: 88
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
output_json_delimiters(out, comma, depth);
va_start(args, format);
vfprintf(out, format, args);
va_end(args);
}
// Outputs a JSON key-value pair where the value is a string.
static void output_json_key_string(FILE *out, bool comma, int depth,
Reported by FlawFinder.
Line: 113
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
output_json_string(out, key);
fputs(": ", out);
va_start(args, format);
vfprintf(out, format, args);
va_end(args);
}
static void output_sample_callchain_entry(struct perf_tool *tool,
u64 ip, struct addr_location *al)
Reported by FlawFinder.
Line: 235
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
ret = fstat(fd, &st);
if (ret >= 0) {
time_t stctime = st.st_mtime;
char buf[256];
strftime(buf, sizeof(buf), "%FT%TZ", gmtime(&stctime));
output_json_key_string(out, true, 2, "captured-on", buf);
} else {
pr_debug("Failed to get mtime of source file, not writing captured-on");
Reported by FlawFinder.
Line: 321
Column: 7
CWE codes:
362
goto err;
}
fd = open(output_name, O_CREAT | O_WRONLY | (opts->force ? O_TRUNC : O_EXCL), 0666);
if (fd == -1) {
if (errno == EEXIST)
pr_err("Output file exists. Use --force to overwrite it.\n");
else
pr_err("Error opening output file!\n");
Reported by FlawFinder.
Line: 133
Column: 15
CWE codes:
126
if (al->map && al->map->dso) {
const char *dso = al->map->dso->short_name;
if (dso && strlen(dso) > 0) {
fputc(',', out);
output_json_key_string(out, false, 5, "dso", dso);
}
}
}
Reported by FlawFinder.
tools/perf/tests/dso-data.c
5 issues
Line: 26
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
int fd, i;
unsigned char *buf;
strcpy(buf_templ, TEMPL);
#undef TEMPL
fd = mkstemp(templ);
if (fd < 0) {
perror("mkstemp failed");
Reported by FlawFinder.
Line: 21
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char *test_file(int size)
{
#define TEMPL "/tmp/perf-test-XXXXXX"
static char buf_templ[sizeof(TEMPL)];
char *templ = buf_templ;
int fd, i;
unsigned char *buf;
strcpy(buf_templ, TEMPL);
Reported by FlawFinder.
Line: 29
Column: 7
CWE codes:
377
strcpy(buf_templ, TEMPL);
#undef TEMPL
fd = mkstemp(templ);
if (fd < 0) {
perror("mkstemp failed");
return NULL;
}
Reported by FlawFinder.
Line: 179
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static long open_files_cnt(void)
{
char path[PATH_MAX];
struct dirent *dent;
DIR *dir;
long nr = 0;
scnprintf(path, PATH_MAX, "%s/self/fd", procfs__mountpoint());
Reported by FlawFinder.
Line: 353
Column: 13
CWE codes:
362
* open extra file descriptor and we just
* reached the files count limit
*/
fd_extra = open("/dev/null", O_RDONLY);
TEST_ASSERT_VAL("failed to open extra fd", fd_extra > 0);
/* open dso_2 */
fd = dso__data_fd(dso_2, &machine);
TEST_ASSERT_VAL("failed to get fd", fd > 0);
Reported by FlawFinder.
tools/perf/util/bpf-event.c
5 issues
Line: 365
Column: 7
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
/* .. and only for trampolines and dispatchers */
if ((sscanf(name, "bpf_trampoline_%lu", &id) == 1) ||
(sscanf(name, "bpf_dispatcher_%s", disp) == 1))
err = process_bpf_image(name, start, data);
free(name);
return err;
}
Reported by FlawFinder.
Line: 110
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
node->id = btf_id;
node->data_size = data_size;
memcpy(node->data, data, data_size);
perf_env__insert_btf(env, node);
return 0;
}
Reported by FlawFinder.
Line: 274
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
.flags = 0,
.id = info->id,
};
memcpy(bpf_event->tag, info->tag, BPF_TAG_SIZE);
memset((void *)event + event->header.size, 0, machine->id_hdr_size);
event->header.size += machine->id_hdr_size;
/* save bpf_prog_info to env */
info_node = malloc(sizeof(struct bpf_prog_info_node));
Reported by FlawFinder.
Line: 344
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
kallsyms_process_symbol(void *data, const char *_name,
char type __maybe_unused, u64 start)
{
char disp[KSYM_NAME_LEN];
char *module, *name;
unsigned long id;
int err = 0;
module = strchr(_name, '\t');
Reported by FlawFinder.
Line: 545
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
__u32 *prog_lens = (__u32 *)(uintptr_t)(info->jited_func_lens);
__u64 *prog_addrs = (__u64 *)(uintptr_t)(info->jited_ksyms);
char name[KSYM_NAME_LEN];
struct btf *btf = NULL;
u32 sub_prog_cnt, i;
sub_prog_cnt = info->nr_jited_ksyms;
if (sub_prog_cnt != info->nr_prog_tags ||
Reported by FlawFinder.
tools/testing/selftests/exec/non-regular.c
5 issues
Line: 63
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
int i;
for (i = 0; i < ARRAY_SIZE(paths); i++) {
if (access(paths[i], X_OK) == 0) {
ASSERT_EQ(symlink(paths[i], self->pathname), 0);
return;
}
}
ASSERT_EQ(1, 0) {
Reported by FlawFinder.
Line: 165
Column: 12
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
{
char * const argv[2] = { (char * const)self->pathname, NULL };
EXPECT_LT(execv(argv[0], argv), 0);
EXPECT_EQ(errno, variant->expected);
}
/* S_IFSOCK */
FIXTURE(sock)
Reported by FlawFinder.
Line: 163
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
TEST_F(file, exec_errno)
{
char * const argv[2] = { (char * const)self->pathname, NULL };
EXPECT_LT(execv(argv[0], argv), 0);
EXPECT_EQ(errno, variant->expected);
}
Reported by FlawFinder.
Line: 189
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
TEST_F(sock, exec_errno)
{
char * const argv[2] = { " magic socket ", NULL };
char * const envp[1] = { NULL };
EXPECT_LT(fexecve(self->fd, argv, envp), 0);
EXPECT_EQ(errno, EACCES);
}
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
TEST_F(sock, exec_errno)
{
char * const argv[2] = { " magic socket ", NULL };
char * const envp[1] = { NULL };
EXPECT_LT(fexecve(self->fd, argv, envp), 0);
EXPECT_EQ(errno, EACCES);
}
Reported by FlawFinder.
tools/perf/bench/mem-functions.c
5 issues
Line: 61
Column: 12
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
const char *name;
const char *desc;
union {
memcpy_t memcpy;
memset_t memset;
} fn;
};
static struct perf_event_attr cycle_attr = {
Reported by FlawFinder.
Line: 241
Column: 22
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static u64 do_memcpy_cycles(const struct function *r, size_t size, void *src, void *dst)
{
u64 cycle_start = 0ULL, cycle_end = 0ULL;
memcpy_t fn = r->fn.memcpy;
int i;
memcpy_prefault(fn, size, src, dst);
cycle_start = get_cycles();
Reported by FlawFinder.
Line: 257
Column: 22
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static double do_memcpy_gettimeofday(const struct function *r, size_t size, void *src, void *dst)
{
struct timeval tv_start, tv_end, tv_diff;
memcpy_t fn = r->fn.memcpy;
int i;
memcpy_prefault(fn, size, src, dst);
BUG_ON(gettimeofday(&tv_start, NULL));
Reported by FlawFinder.
Line: 275
Column: 17
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct function memcpy_functions[] = {
{ .name = "default",
.desc = "Default memcpy() provided by glibc",
.fn.memcpy = memcpy },
#ifdef HAVE_ARCH_X86_64_SUPPORT
# define MEMCPY_FN(_fn, _name, _desc) {.name = _name, .desc = _desc, .fn.memcpy = _fn},
# include "mem-memcpy-x86-64-asm-def.h"
# undef MEMCPY_FN
Reported by FlawFinder.
tools/testing/selftests/resctrl/cache.c
5 issues
Line: 16
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static struct perf_event_attr pea_llc_miss;
static struct read_format rf_cqm;
static int fd_lm;
char llc_occup_path[1024];
static void initialize_perf_event_attr(void)
{
pea_llc_miss.type = PERF_TYPE_HARDWARE;
pea_llc_miss.size = sizeof(struct perf_event_attr);
Reported by FlawFinder.
Line: 129
Column: 7
CWE codes:
362
{
FILE *fp;
fp = fopen(llc_occup_path, "r");
if (!fp) {
perror("Failed to open results file");
return errno;
}
Reported by FlawFinder.
Line: 164
Column: 8
CWE codes:
362
printf("Pid: %d \t LLC_value: %lu\n", bm_pid,
llc_value);
} else {
fp = fopen(filename, "a");
if (!fp) {
perror("Cannot open results file");
return errno;
}
Reported by FlawFinder.
Line: 222
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
pid_t bm_pid;
if (strcmp(param->filename, "") == 0)
sprintf(param->filename, "stdio");
bm_pid = getpid();
/* Taskset benchmark to specified cpu */
ret = taskset_benchmark(bm_pid, param->cpu_no);
Reported by FlawFinder.
Line: 97
Column: 6
CWE codes:
120
20
ioctl(fd_lm, PERF_EVENT_IOC_DISABLE, 0);
if (read(fd_lm, &rf_cqm, sizeof(struct read_format)) == -1) {
perror("Could not get llc misses through perf");
return -1;
}
Reported by FlawFinder.