The following issues were found
tools/testing/selftests/bpf/progs/tailcall_bpf2bpf3.c
5 issues
Line: 16
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__noinline
int subprog_tail2(struct __sk_buff *skb)
{
volatile char arr[64] = {};
if (load_word(skb, 0) || load_half(skb, 0))
bpf_tail_call_static(skb, &jmp_table, 10);
else
bpf_tail_call_static(skb, &jmp_table, 1);
Reported by FlawFinder.
Line: 29
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static __noinline
int subprog_tail(struct __sk_buff *skb)
{
volatile char arr[64] = {};
bpf_tail_call_static(skb, &jmp_table, 0);
return skb->len * 2;
}
Reported by FlawFinder.
Line: 39
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SEC("classifier/0")
int bpf_func_0(struct __sk_buff *skb)
{
volatile char arr[128] = {};
return subprog_tail2(skb);
}
SEC("classifier/1")
Reported by FlawFinder.
Line: 47
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SEC("classifier/1")
int bpf_func_1(struct __sk_buff *skb)
{
volatile char arr[128] = {};
return skb->len * 3;
}
SEC("classifier")
Reported by FlawFinder.
Line: 55
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
SEC("classifier")
int entry(struct __sk_buff *skb)
{
volatile char arr[128] = {};
return subprog_tail(skb);
}
char __license[] SEC("license") = "GPL";
Reported by FlawFinder.
tools/testing/selftests/bpf/test_tag.c
5 issues
Line: 31
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
{
int i;
srand(time(NULL));
for (i = 0; i < insns; i++)
prog[i] = BPF_ALU64_IMM(BPF_MOV, i % BPF_REG_10, rand());
prog[i - 1] = BPF_EXIT_INSN();
}
Reported by FlawFinder.
Line: 46
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BPF_LD_MAP_FD(j++ % BPF_REG_10, fd_map)
};
memcpy(&prog[i], tmp, sizeof(tmp));
}
if (insns % 2 == 0)
prog[insns - 2] = BPF_ALU64_IMM(BPF_MOV, i % BPF_REG_10, 42);
prog[insns - 1] = BPF_EXIT_INSN();
}
Reported by FlawFinder.
Line: 94
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void tag_from_fdinfo(int fd_prog, uint8_t *tag, uint32_t len)
{
const int prefix_len = sizeof("prog_tag:\t") - 1;
char buff[256];
int ret = -1;
FILE *fp;
snprintf(buff, sizeof(buff), "/proc/%d/fdinfo/%d", getpid(),
fd_prog);
Reported by FlawFinder.
Line: 100
Column: 7
CWE codes:
362
snprintf(buff, sizeof(buff), "/proc/%d/fdinfo/%d", getpid(),
fd_prog);
fp = fopen(buff, "r");
assert(fp);
while (fgets(buff, sizeof(buff), fp)) {
if (strncmp(buff, "prog_tag:\t", prefix_len))
continue;
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/check_mtu.c
5 issues
Line: 19
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int read_mtu_device_lo(void)
{
const char *filename = "/sys/class/net/lo/mtu";
char buf[11] = {};
int value, n, fd;
fd = open(filename, 0, O_RDONLY);
if (fd == -1)
return -1;
Reported by FlawFinder.
Line: 22
Column: 7
CWE codes:
362
char buf[11] = {};
int value, n, fd;
fd = open(filename, 0, O_RDONLY);
if (fd == -1)
return -1;
n = read(fd, buf, sizeof(buf));
close(fd);
Reported by FlawFinder.
Line: 85
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *prog_name = bpf_program__name(prog);
int retval_expect = XDP_PASS;
__u32 mtu_result = 0;
char buf[256] = {};
int err;
struct bpf_prog_test_run_attr tattr = {
.repeat = 1,
.data_in = &pkt_v4,
.data_size_in = sizeof(pkt_v4),
Reported by FlawFinder.
Line: 145
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *prog_name = bpf_program__name(prog);
int retval_expect = BPF_OK;
__u32 mtu_result = 0;
char buf[256] = {};
int err;
struct bpf_prog_test_run_attr tattr = {
.repeat = 1,
.data_in = &pkt_v4,
.data_size_in = sizeof(pkt_v4),
Reported by FlawFinder.
tools/perf/util/symbol-minimal.c
5 issues
Line: 67
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
nhdr->n_namesz == sizeof("GNU")) {
if (memcmp(name, "GNU", sizeof("GNU")) == 0) {
size_t sz = min(size, descsz);
memcpy(bid->data, ptr, sz);
memset(bid->data + sz, 0, size - sz);
bid->size = sz;
return 0;
}
}
Reported by FlawFinder.
Line: 99
Column: 7
CWE codes:
362
void *buf;
int i;
fp = fopen(filename, "r");
if (fp == NULL)
return -1;
if (fread(e_ident, sizeof(e_ident), 1, fp) != 1)
goto out;
Reported by FlawFinder.
Line: 233
Column: 7
CWE codes:
362
size_t buf_size;
void *buf;
fd = open(filename, O_RDONLY);
if (fd < 0)
return -1;
if (fstat(fd, &stbuf) < 0)
goto out;
Reported by FlawFinder.
Line: 259
Column: 11
CWE codes:
362
int symsrc__init(struct symsrc *ss, struct dso *dso, const char *name,
enum dso_binary_type type)
{
int fd = open(name, O_RDONLY);
if (fd < 0)
goto out_errno;
ss->name = strdup(name);
if (!ss->name)
Reported by FlawFinder.
Line: 245
Column: 6
CWE codes:
120
20
if (buf == NULL)
goto out;
if (read(fd, buf, buf_size) != (ssize_t) buf_size)
goto out_free;
ret = read_build_id(buf, buf_size, bid, false);
out_free:
free(buf);
Reported by FlawFinder.
tools/perf/bench/epoll-wait.c
5 issues
Line: 88
Column: 24
CWE codes:
134
Suggestion:
Use a constant for the format specification
#include <err.h>
#define printinfo(fmt, arg...) \
do { if (__verbose) { printf(fmt, ## arg); fflush(stdout); } } while (0)
static unsigned int nthreads = 0;
static unsigned int nsecs = 8;
static bool wdone, done, __verbose, randomize, nonblocking;
Reported by FlawFinder.
Line: 173
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
size_t j = i + rand() / (RAND_MAX / (n - i) + 1);
j *= size;
memcpy(aux, &carray[j], size);
memcpy(&carray[j], &carray[i*size], size);
memcpy(&carray[i*size], aux, size);
}
free(aux);
Reported by FlawFinder.
Line: 174
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
j *= size;
memcpy(aux, &carray[j], size);
memcpy(&carray[j], &carray[i*size], size);
memcpy(&carray[i*size], aux, size);
}
free(aux);
}
Reported by FlawFinder.
Line: 175
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(aux, &carray[j], size);
memcpy(&carray[j], &carray[i*size], size);
memcpy(&carray[i*size], aux, size);
}
free(aux);
}
Reported by FlawFinder.
Line: 215
Column: 8
CWE codes:
120
20
fd = ev.data.fd;
do {
r = read(fd, &val, sizeof(val));
} while (!done && (r < 0 && errno == EAGAIN));
if (et) {
ev.events = EPOLLIN | EPOLLET;
ret = epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev);
Reported by FlawFinder.
tools/testing/selftests/kvm/aarch64/get-reg-list.c
5 issues
Line: 94
Column: 3
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
for_each_sublist(c, s) {
if (!strcmp(s->name, "base"))
continue;
strcat(c->name + len, s->name);
len += strlen(s->name) + 1;
c->name[len - 1] = '+';
}
c->name[len - 1] = '\0';
Reported by FlawFinder.
Line: 143
Column: 2
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
str = strdup(template);
p = strstr(str, "##");
n = sprintf(p, "%lld", index);
strcat(p + n, strstr(template, "##") + 2);
return (const char *)str;
}
#define REG_MASK (KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_COPROC_MASK)
Reported by FlawFinder.
Line: 142
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
str = strdup(template);
p = strstr(str, "##");
n = sprintf(p, "%lld", index);
strcat(p + n, strstr(template, "##") + 2);
return (const char *)str;
}
Reported by FlawFinder.
Line: 86
Column: 10
CWE codes:
126
return c->name;
for_each_sublist(c, s)
len += strlen(s->name) + 1;
c->name = malloc(len);
len = 0;
for_each_sublist(c, s) {
Reported by FlawFinder.
Line: 95
Column: 10
CWE codes:
126
if (!strcmp(s->name, "base"))
continue;
strcat(c->name + len, s->name);
len += strlen(s->name) + 1;
c->name[len - 1] = '+';
}
c->name[len - 1] = '\0';
return c->name;
Reported by FlawFinder.
tools/perf/util/s390-cpumsf.c
5 issues
Line: 218
Column: 23
CWE codes:
362
sf->logdir, sample->cpu)
: asprintf(&name, "aux.ctr.%02x", sample->cpu);
if (rc > 0)
sfq->logfile_ctr = fopen(name, "w");
if (sfq->logfile_ctr == NULL) {
pr_err("Failed to open counter set log file %s, "
"continue...\n", name);
rc = 1;
}
Reported by FlawFinder.
Line: 335
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
local.t = flags >> 61 & 0x1;
local.bsdes = be16toh((flags >> 16 & 0xffff));
local.dsdes = be16toh((flags & 0xffff));
memcpy(&local.timestamp, te->timestamp, sizeof(te->timestamp));
local.overflow = be64toh(te->overflow);
local.clock_base = be64toh(te->progusage[0]) >> 63 & 1;
local.progusage2 = be64toh(te->progusage2);
te = &local;
#endif
Reported by FlawFinder.
Line: 787
Column: 19
CWE codes:
362
sf->logdir, queue_nr)
: asprintf(&name, "aux.smp.%02x", queue_nr);
if (rc > 0)
sfq->logfile = fopen(name, "w");
if (sfq->logfile == NULL) {
pr_err("Failed to open auxiliary log file %s,"
"continue...\n", name);
sf->use_logfile = false;
}
Reported by FlawFinder.
Line: 888
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int s390_cpumsf_synth_error(struct s390_cpumsf *sf, int code, int cpu,
pid_t pid, pid_t tid, u64 ip, u64 timestamp)
{
char msg[MAX_AUXTRACE_ERROR_MSG];
union perf_event event;
int err;
strncpy(msg, "Lost Auxiliary Trace Buffer", sizeof(msg) - 1);
auxtrace_synth_error(&event.auxtrace_error, PERF_AUXTRACE_ERROR_ITRACE,
Reported by FlawFinder.
Line: 892
Column: 2
CWE codes:
120
union perf_event event;
int err;
strncpy(msg, "Lost Auxiliary Trace Buffer", sizeof(msg) - 1);
auxtrace_synth_error(&event.auxtrace_error, PERF_AUXTRACE_ERROR_ITRACE,
code, cpu, pid, tid, ip, msg, timestamp);
err = perf_session__deliver_synth_event(sf->session, &event, NULL);
if (err)
Reported by FlawFinder.
tools/testing/selftests/powerpc/include/utils.h
5 issues
Line: 84
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define FAIL_IF(x) \
do { \
if ((x)) { \
fprintf(stderr, \
"[FAIL] Test FAILED on line %d\n", __LINE__); \
return 1; \
} \
} while (0)
Reported by FlawFinder.
Line: 93
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define FAIL_IF_EXIT(x) \
do { \
if ((x)) { \
fprintf(stderr, \
"[FAIL] Test FAILED on line %d\n", __LINE__); \
_exit(1); \
} \
} while (0)
Reported by FlawFinder.
Line: 105
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define SKIP_IF(x) \
do { \
if ((x)) { \
fprintf(stderr, \
"[SKIP] Test skipped on line %d\n", __LINE__); \
return MAGIC_SKIP_RETURN_VALUE; \
} \
} while (0)
Reported by FlawFinder.
Line: 114
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
#define SKIP_IF_MSG(x, msg) \
do { \
if ((x)) { \
fprintf(stderr, \
"[SKIP] Test skipped on line %d: %s\n", \
__LINE__, msg); \
return MAGIC_SKIP_RETURN_VALUE; \
} \
} while (0)
Reported by FlawFinder.
Line: 126
Column: 38
CWE codes:
126
#define sigsafe_err(msg) ({ \
ssize_t nbytes __attribute__((unused)); \
nbytes = write(STDERR_FILENO, msg, strlen(msg)); })
/* POWER9 feature */
#ifndef PPC_FEATURE2_ARCH_3_00
#define PPC_FEATURE2_ARCH_3_00 0x00800000
#endif
Reported by FlawFinder.
tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
5 issues
Line: 65
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
len = snprintf(file, LEN_MAX, "%s%s/dscr", CPU_PATH, dp->d_name);
if (len >= LEN_MAX)
continue;
if (access(file, F_OK))
continue;
if (check_cpu_dscr_default(file, val))
return 1;
}
Reported by FlawFinder.
Line: 15
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int check_cpu_dscr_default(char *file, unsigned long val)
{
char buf[10];
int fd, rc;
fd = open(file, O_RDWR);
if (fd == -1) {
perror("open() failed");
Reported by FlawFinder.
Line: 18
Column: 7
CWE codes:
362
char buf[10];
int fd, rc;
fd = open(file, O_RDWR);
if (fd == -1) {
perror("open() failed");
return 1;
}
Reported by FlawFinder.
Line: 44
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
DIR *sysfs;
struct dirent *dp;
char file[LEN_MAX];
sysfs = opendir(CPU_PATH);
if (!sysfs) {
perror("opendir() failed");
return 1;
Reported by FlawFinder.
tools/testing/selftests/bpf/prog_tests/btf_dump.c
5 issues
Line: 9
Column: 2
CWE codes:
134
Suggestion:
Use a constant for the format specification
void btf_dump_printf(void *ctx, const char *fmt, va_list args)
{
vfprintf(ctx, fmt, args);
}
static struct btf_dump_test_case {
const char *name;
const char *file;
Reported by FlawFinder.
Line: 100
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
}
snprintf(test_file, sizeof(test_file), "progs/%s.c", t->file);
if (access(test_file, R_OK) == -1)
/*
* When the test is run with O=, kselftest copies TEST_FILES
* without preserving the directory structure.
*/
snprintf(test_file, sizeof(test_file), "%s.c", t->file);
Reported by FlawFinder.
Line: 119
Column: 8
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
"/\\/\\*|\\*\\//{next} " /* ignore comment start/end lines */
"out {sub(/^[ \\t]*\\*/, \"\"); print}' '%s' | diff -u - '%s'",
test_file, out_file);
err = system(diff_cmd);
if (CHECK(err, "diff",
"differing test output, output=%s, err=%d, diff cmd:\n%s\n",
out_file, err, diff_cmd))
goto done;
Reported by FlawFinder.
Line: 52
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int test_btf_dump_case(int n, struct btf_dump_test_case *t)
{
char test_file[256], out_file[256], diff_cmd[1024];
struct btf *btf = NULL;
int err = 0, fd = -1;
FILE *f = NULL;
snprintf(test_file, sizeof(test_file), "%s.o", t->file);
Reported by FlawFinder.
Line: 79
Column: 7
CWE codes:
377
}
snprintf(out_file, sizeof(out_file), "/tmp/%s.output.XXXXXX", t->file);
fd = mkstemp(out_file);
if (!ASSERT_GE(fd, 0, "create_tmp")) {
err = fd;
goto done;
}
f = fdopen(fd, "w");
Reported by FlawFinder.