The following issues were found
tools/testing/selftests/powerpc/alignment/alignment_handler.c
5 issues
Line: 623
Column: 19
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int rc = 0;
int option = 0;
while ((option = getopt(argc, argv, "d")) != -1) {
switch (option) {
case 'd':
debug++;
break;
default:
Reported by FlawFinder.
Line: 228
Column: 7
CWE codes:
362
printf("\tDoing %s:\t", test_name);
fd = open(cipath, O_RDWR);
if (fd < 0) {
printf("\n");
perror("Can't open ci file now?");
return 1;
}
Reported by FlawFinder.
Line: 272
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* load pattern into memory byte by byte */
preload_data(ci0, offset, width);
preload_data(mem0, offset, width); // FIXME: remove??
memcpy(ci0, mem0, bufsize);
memcpy(ci1, mem1, bufsize); /* initialise output to the same */
/* sanity check */
test_memcmp(mem0, ci0, width, offset, test_name);
Reported by FlawFinder.
Line: 273
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
preload_data(ci0, offset, width);
preload_data(mem0, offset, width); // FIXME: remove??
memcpy(ci0, mem0, bufsize);
memcpy(ci1, mem1, bufsize); /* initialise output to the same */
/* sanity check */
test_memcmp(mem0, ci0, width, offset, test_name);
r |= test_memcpy(ci1, ci0, width, offset, test_func);
Reported by FlawFinder.
Line: 312
Column: 7
CWE codes:
362
{
int fd;
fd = open(cipath, O_RDWR);
if (fd < 0)
return false;
close(fd);
return true;
Reported by FlawFinder.
tools/testing/selftests/arm64/signal/test_signals_utils.c
5 issues
Line: 27
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int sig_copyctx = SIGTRAP;
static char const *const feats_names[FMAX_END] = {
" SSBS ",
};
#define MAX_FEATS_SZ 128
static char feats_string[MAX_FEATS_SZ];
Reported by FlawFinder.
Line: 32
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
#define MAX_FEATS_SZ 128
static char feats_string[MAX_FEATS_SZ];
static inline char *feats_to_string(unsigned long feats)
{
size_t flen = MAX_FEATS_SZ - 1;
Reported by FlawFinder.
Line: 167
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
/* Mangling PC to avoid loops on original BRK instr */
((ucontext_t *)uc)->uc_mcontext.pc += 4;
memcpy(td->live_uc, uc, td->live_sz);
ASSERT_GOOD_CONTEXT(td->live_uc);
td->live_uc_valid = 1;
fprintf(stderr,
"GOOD CONTEXT grabbed from sig_copyctx handler\n");
Reported by FlawFinder.
Line: 40
Column: 18
CWE codes:
126
for (int i = 0; i < FMAX_END; i++) {
if (feats & (1UL << i)) {
size_t tlen = strlen(feats_names[i]);
assert(flen > tlen);
flen -= tlen;
strncat(feats_string, feats_names[i], flen);
}
Reported by FlawFinder.
Line: 44
Column: 4
CWE codes:
120
Suggestion:
Consider strcat_s, strlcat, snprintf, or automatically resizing strings
assert(flen > tlen);
flen -= tlen;
strncat(feats_string, feats_names[i], flen);
}
}
return feats_string;
}
Reported by FlawFinder.
tools/testing/selftests/sgx/test_encl.c
5 issues
Line: 9
Column: 14
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static uint8_t encl_buffer[8192] = { 1 };
static void *memcpy(void *dest, const void *src, size_t n)
{
size_t i;
for (i = 0; i < n; i++)
((char *)dest)[i] = ((char *)src)[i];
Reported by FlawFinder.
Line: 14
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t i;
for (i = 0; i < n; i++)
((char *)dest)[i] = ((char *)src)[i];
return dest;
}
void encl_body(void *rdi, void *rsi)
Reported by FlawFinder.
Line: 14
Column: 25
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t i;
for (i = 0; i < n; i++)
((char *)dest)[i] = ((char *)src)[i];
return dest;
}
void encl_body(void *rdi, void *rsi)
Reported by FlawFinder.
Line: 25
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
switch (op->type) {
case ENCL_OP_PUT:
memcpy(&encl_buffer[0], &op->buffer, 8);
break;
case ENCL_OP_GET:
memcpy(&op->buffer, &encl_buffer[0], 8);
break;
Reported by FlawFinder.
Line: 29
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
break;
case ENCL_OP_GET:
memcpy(&op->buffer, &encl_buffer[0], 8);
break;
default:
break;
}
Reported by FlawFinder.
fs/xfs/xfs_iops.c
5 issues
Line: 168
Column: 8
CWE codes:
377
struct dentry *dentry,
umode_t mode,
dev_t rdev,
bool tmpfile) /* unnamed file */
{
struct inode *inode;
struct xfs_inode *ip = NULL;
struct posix_acl *default_acl, *acl;
struct xfs_name name;
Reported by FlawFinder.
Line: 196
Column: 7
CWE codes:
377
if (unlikely(error))
goto out_free_acl;
if (!tmpfile) {
error = xfs_create(mnt_userns, XFS_I(dir), &name, mode, rdev,
xfs_create_need_xattr(dir, default_acl, acl),
&ip);
} else {
error = xfs_create_tmpfile(mnt_userns, XFS_I(dir), mode, &ip);
Reported by FlawFinder.
Line: 227
Column: 6
CWE codes:
377
xfs_setup_iops(ip);
if (tmpfile) {
/*
* The VFS requires that any inode fed to d_tmpfile must have
* nlink == 1 so that it can decrement the nlink in d_tmpfile.
* However, we created the temp file with nlink == 0 because
* we're not allowed to put an inode with nlink > 0 on the
Reported by FlawFinder.
Line: 250
Column: 7
CWE codes:
377
out_cleanup_inode:
xfs_finish_inode_setup(ip);
if (!tmpfile)
xfs_cleanup_inode(dir, inode, dentry);
xfs_irele(ip);
goto out_free_acl;
}
Reported by FlawFinder.
Line: 58
Column: 15
CWE codes:
126
.dp = ip,
.attr_filter = XFS_ATTR_SECURE,
.name = xattr->name,
.namelen = strlen(xattr->name),
.value = xattr->value,
.valuelen = xattr->value_len,
};
error = xfs_attr_set(&args);
if (error < 0)
Reported by FlawFinder.
fs/nfsd/nfs2acl.c
5 issues
Line: 175
Column: 10
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
dprintk("nfsd: ACCESS(2acl) %s 0x%x\n",
SVCFH_fmt(&argp->fh),
argp->access);
fh_copy(&resp->fh, &argp->fh);
resp->access = argp->access;
resp->status = nfsd_access(rqstp, &resp->fh, &resp->access, NULL);
if (resp->status != nfs_ok)
Reported by FlawFinder.
Line: 178
Column: 23
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
argp->access);
fh_copy(&resp->fh, &argp->fh);
resp->access = argp->access;
resp->status = nfsd_access(rqstp, &resp->fh, &resp->access, NULL);
if (resp->status != nfs_ok)
goto out;
resp->status = fh_getattr(&resp->fh, &resp->stat);
out:
Reported by FlawFinder.
Line: 179
Column: 54
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
fh_copy(&resp->fh, &argp->fh);
resp->access = argp->access;
resp->status = nfsd_access(rqstp, &resp->fh, &resp->access, NULL);
if (resp->status != nfs_ok)
goto out;
resp->status = fh_getattr(&resp->fh, &resp->stat);
out:
return rpc_success;
Reported by FlawFinder.
Line: 232
Column: 40
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (!svcxdr_decode_fhandle(xdr, &args->fh))
return 0;
if (xdr_stream_decode_u32(xdr, &args->access) < 0)
return 0;
return 1;
}
Reported by FlawFinder.
Line: 294
Column: 40
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
case nfs_ok:
if (!svcxdr_encode_fattr(rqstp, xdr, &resp->fh, &resp->stat))
return 0;
if (xdr_stream_encode_u32(xdr, resp->access) < 0)
return 0;
break;
}
return 1;
Reported by FlawFinder.
fs/afs/yfsclient.c
5 issues
Line: 64
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static __be32 *xdr_encode_string(__be32 *bp, const char *p, unsigned int len)
{
bp = xdr_encode_u32(bp, len);
bp = memcpy(bp, p, len);
if (len & 3) {
unsigned int pad = 4 - (len & 3);
memset((u8 *)bp + len, 0, pad);
len += pad;
Reported by FlawFinder.
Line: 167
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
pr_notice("YFS XDR: Bad status record\n");
for (i = 0; i < 6 * 4 * 4; i += 16) {
memcpy(x, bp, 16);
bp += 4;
pr_notice("%03x: %08x %08x %08x %08x\n",
i, ntohl(x[0]), ntohl(x[1]), ntohl(x[2]), ntohl(x[3]));
}
Reported by FlawFinder.
Line: 173
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i, ntohl(x[0]), ntohl(x[1]), ntohl(x[2]), ntohl(x[3]));
}
memcpy(x, bp, 8);
pr_notice("0x60: %08x %08x\n", ntohl(x[0]), ntohl(x[1]));
}
/*
* Decode a YFSFetchStatus block
Reported by FlawFinder.
Line: 1952
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
bp = xdr_encode_u32(bp, 0); /* RPC flags */
bp = xdr_encode_YFSFid(bp, &vp->fid);
bp = xdr_encode_u32(bp, acl->size);
memcpy(bp, acl->data, acl->size);
if (acl->size != size)
memset((void *)bp + acl->size, 0, size - acl->size);
bp += size / sizeof(__be32);
yfs_check_req(call, bp);
Reported by FlawFinder.
Line: 953
Column: 16
CWE codes:
126
_enter("");
contents_sz = strlen(op->create.symlink);
call = afs_alloc_flat_call(op->net, &yfs_RXYFSSymlink,
sizeof(__be32) +
sizeof(struct yfs_xdr_RPCFlags) +
sizeof(struct yfs_xdr_YFSFid) +
xdr_strlen(name->len) +
Reported by FlawFinder.
fs/read_write.c
5 issues
Line: 448
Column: 53
CWE codes:
120
20
* Also fail if ->read_iter and ->read are both wired up as that
* implies very convoluted semantics.
*/
if (unlikely(!file->f_op->read_iter || file->f_op->read))
return warn_unsupported(file, "read");
init_sync_kiocb(&kiocb, file);
kiocb.ki_pos = pos ? *pos : 0;
iov_iter_kvec(&iter, READ, &iov, 1, iov.iov_len);
Reported by FlawFinder.
Line: 493
Column: 18
CWE codes:
120
20
if (count > MAX_RW_COUNT)
count = MAX_RW_COUNT;
if (file->f_op->read)
ret = file->f_op->read(file, buf, count, pos);
else if (file->f_op->read_iter)
ret = new_sync_read(file, buf, count, pos);
else
ret = -EINVAL;
Reported by FlawFinder.
Line: 494
Column: 21
CWE codes:
120
20
count = MAX_RW_COUNT;
if (file->f_op->read)
ret = file->f_op->read(file, buf, count, pos);
else if (file->f_op->read_iter)
ret = new_sync_read(file, buf, count, pos);
else
ret = -EINVAL;
if (ret > 0) {
Reported by FlawFinder.
Line: 642
Column: 17
CWE codes:
120
20
return ret;
}
SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
{
return ksys_read(fd, buf, count);
}
ssize_t ksys_write(unsigned int fd, const char __user *buf, size_t count)
Reported by FlawFinder.
Line: 761
Column: 21
CWE codes:
120
20
ssize_t nr;
if (type == READ) {
nr = filp->f_op->read(filp, iovec.iov_base,
iovec.iov_len, ppos);
} else {
nr = filp->f_op->write(filp, iovec.iov_base,
iovec.iov_len, ppos);
}
Reported by FlawFinder.
fs/gfs2/dir.c
5 issues
Line: 130
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return error;
gfs2_trans_add_meta(ip->i_gl, dibh);
memcpy(dibh->b_data + offset + sizeof(struct gfs2_dinode), buf, size);
if (ip->i_inode.i_size < offset + size)
i_size_write(&ip->i_inode, offset + size);
ip->i_inode.i_mtime = ip->i_inode.i_ctime = current_time(&ip->i_inode);
gfs2_dinode_out(ip, dibh->b_data);
Reported by FlawFinder.
Line: 211
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto fail;
gfs2_trans_add_meta(ip->i_gl, bh);
memcpy(bh->b_data + o, buf, amount);
brelse(bh);
buf += amount;
copied += amount;
lblock++;
Reported by FlawFinder.
Line: 251
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
error = gfs2_meta_inode_buffer(ip, &dibh);
if (!error) {
memcpy(buf, dibh->b_data + sizeof(struct gfs2_dinode), size);
brelse(dibh);
}
return (error) ? error : size;
}
Reported by FlawFinder.
Line: 314
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
dblock++;
extlen--;
memcpy(buf, bh->b_data + o, amount);
brelse(bh);
buf += (amount/sizeof(__be64));
copied += amount;
lblock++;
o = sizeof(struct gfs2_meta_header);
Reported by FlawFinder.
Line: 1348
Column: 13
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!sdp->sd_args.ar_loccookie)
continue;
offset = (char *)(darr[i]) -
(bh->b_data + gfs2_dirent_offset(sdp, bh->b_data));
offset /= GFS2_MIN_DIRENT_SIZE;
offset += leaf_nr * sdp->sd_max_dents_per_leaf;
if (offset >= GFS2_USE_HASH_FLAG ||
leaf_nr >= GFS2_USE_HASH_FLAG) {
Reported by FlawFinder.
fs/qnx6/super_mmi.c
5 issues
Line: 31
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
qsb->sb_free_blocks = sb->sb_free_blocks;
/* the rest of the superblock is the same */
memcpy(&qsb->Inode, &sb->Inode, sizeof(sb->Inode));
memcpy(&qsb->Bitmap, &sb->Bitmap, sizeof(sb->Bitmap));
memcpy(&qsb->Longfile, &sb->Longfile, sizeof(sb->Longfile));
}
struct qnx6_super_block *qnx6_mmi_fill_super(struct super_block *s, int silent)
Reported by FlawFinder.
Line: 32
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* the rest of the superblock is the same */
memcpy(&qsb->Inode, &sb->Inode, sizeof(sb->Inode));
memcpy(&qsb->Bitmap, &sb->Bitmap, sizeof(sb->Bitmap));
memcpy(&qsb->Longfile, &sb->Longfile, sizeof(sb->Longfile));
}
struct qnx6_super_block *qnx6_mmi_fill_super(struct super_block *s, int silent)
{
Reported by FlawFinder.
Line: 33
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* the rest of the superblock is the same */
memcpy(&qsb->Inode, &sb->Inode, sizeof(sb->Inode));
memcpy(&qsb->Bitmap, &sb->Bitmap, sizeof(sb->Bitmap));
memcpy(&qsb->Longfile, &sb->Longfile, sizeof(sb->Longfile));
}
struct qnx6_super_block *qnx6_mmi_fill_super(struct super_block *s, int silent)
{
struct buffer_head *bh1, *bh2 = NULL;
Reported by FlawFinder.
Line: 116
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef CONFIG_QNX6FS_DEBUG
qnx6_superblock_debug(qsb, s);
#endif
memcpy(bh1->b_data, qsb, sizeof(struct qnx6_super_block));
sbi->sb_buf = bh1;
sbi->sb = (struct qnx6_super_block *)bh1->b_data;
brelse(bh2);
pr_info("superblock #1 active\n");
Reported by FlawFinder.
Line: 128
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef CONFIG_QNX6FS_DEBUG
qnx6_superblock_debug(qsb, s);
#endif
memcpy(bh2->b_data, qsb, sizeof(struct qnx6_super_block));
sbi->sb_buf = bh2;
sbi->sb = (struct qnx6_super_block *)bh2->b_data;
brelse(bh1);
pr_info("superblock #2 active\n");
Reported by FlawFinder.
fs/erofs/decompressor.c
5 issues
Line: 180
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!inpage)
inpage = kmap_atomic(*in);
memcpy(tmp, inpage + *inputmargin, page_copycnt);
kunmap_atomic(inpage);
inpage = NULL;
tmp += page_copycnt;
total -= page_copycnt;
++in;
Reported by FlawFinder.
Line: 286
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char *buf = kmap_atomic(page);
if (cur >= dst) {
memcpy(buf, cur, min_t(uint, PAGE_SIZE,
end - cur));
} else {
memcpy(buf + pageofs_out, cur + pageofs_out,
min_t(uint, righthalf, end - cur));
}
Reported by FlawFinder.
Line: 289
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf, cur, min_t(uint, PAGE_SIZE,
end - cur));
} else {
memcpy(buf + pageofs_out, cur + pageofs_out,
min_t(uint, righthalf, end - cur));
}
kunmap_atomic(buf);
}
cur += PAGE_SIZE;
Reported by FlawFinder.
Line: 384
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
src = kmap_atomic(*rq->in);
if (rq->out[0]) {
dst = kmap_atomic(rq->out[0]);
memcpy(dst + rq->pageofs_out, src, righthalf);
kunmap_atomic(dst);
}
if (nrpages_out == 2) {
DBG_BUGON(!rq->out[1]);
Reported by FlawFinder.
Line: 394
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memmove(src, src + righthalf, rq->pageofs_out);
} else {
dst = kmap_atomic(rq->out[1]);
memcpy(dst, src + righthalf, rq->pageofs_out);
kunmap_atomic(dst);
}
}
kunmap_atomic(src);
return 0;
Reported by FlawFinder.