The following issues were found
include/linux/mtd/map.h
5 issues
Line: 336
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
r.x[0] = get_unaligned((uint64_t *)ptr);
#endif
else if (map_bankwidth_is_large(map))
memcpy(r.x, ptr, map->bankwidth);
else
BUG();
return r;
}
Reported by FlawFinder.
Line: 350
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (map_bankwidth_is_large(map)) {
char *dest = (char *)&orig;
memcpy(dest+start, buf, len);
} else {
for (i = start; i < start+len; i++) {
int bitpos;
#ifdef __LITTLE_ENDIAN
Reported by FlawFinder.
Line: 433
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void inline_map_copy_from(struct map_info *map, void *to, unsigned long from, ssize_t len)
{
if (map->cached)
memcpy(to, (char *)map->cached + from, len);
else
memcpy_fromio(to, map->virt + from, len);
}
static inline void inline_map_copy_to(struct map_info *map, unsigned long to, const void *from, ssize_t len)
Reported by FlawFinder.
Line: 207
Column: 13
CWE codes:
120
20
*/
#ifdef CONFIG_MTD_COMPLEX_MAPPINGS
map_word (*read)(struct map_info *, unsigned long);
void (*copy_from)(struct map_info *, void *, unsigned long, ssize_t);
void (*write)(struct map_info *, const map_word, unsigned long);
void (*copy_to)(struct map_info *, unsigned long, const void *, ssize_t);
Reported by FlawFinder.
Line: 444
Column: 35
CWE codes:
120
20
}
#ifdef CONFIG_MTD_COMPLEX_MAPPINGS
#define map_read(map, ofs) (map)->read(map, ofs)
#define map_copy_from(map, to, from, len) (map)->copy_from(map, to, from, len)
#define map_write(map, datum, ofs) (map)->write(map, datum, ofs)
#define map_copy_to(map, to, from, len) (map)->copy_to(map, to, from, len)
extern void simple_map_init(struct map_info *);
Reported by FlawFinder.
fs/adfs/dir_f.h
5 issues
Line: 28
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct adfs_direntry {
#define ADFS_F_NAME_LEN 10
char dirobname[ADFS_F_NAME_LEN];
__u8 dirload[4];
__u8 direxec[4];
__u8 dirlen[4];
__u8 dirinddiscadd[3];
__u8 newdiratts;
Reported by FlawFinder.
Line: 41
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
struct adfs_olddirtail {
__u8 dirlastmask;
char dirname[10];
__u8 dirparent[3];
char dirtitle[19];
__u8 reserved[14];
__u8 endmasseq;
__u8 endname[4];
Reported by FlawFinder.
Line: 43
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 dirlastmask;
char dirname[10];
__u8 dirparent[3];
char dirtitle[19];
__u8 reserved[14];
__u8 endmasseq;
__u8 endname[4];
__u8 dircheckbyte;
} __attribute__((packed));
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 dirlastmask;
__u8 reserved[2];
__u8 dirparent[3];
char dirtitle[19];
char dirname[10];
__u8 endmasseq;
__u8 endname[4];
__u8 dircheckbyte;
} __attribute__((packed));
Reported by FlawFinder.
Line: 55
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u8 reserved[2];
__u8 dirparent[3];
char dirtitle[19];
char dirname[10];
__u8 endmasseq;
__u8 endname[4];
__u8 dircheckbyte;
} __attribute__((packed));
Reported by FlawFinder.
fs/overlayfs/dir.c
5 issues
Line: 48
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct dentry *ovl_lookup_temp(struct dentry *workdir)
{
struct dentry *temp;
char name[20];
static atomic_t temp_id = ATOMIC_INIT(0);
/* counter is allowed to wrap, since temp dentries are ephemeral */
snprintf(name, sizeof(name), "#%x", atomic_inc_return(&temp_id));
Reported by FlawFinder.
Line: 995
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
buflen -= thislen;
memcpy(&buf[buflen], name, thislen);
spin_unlock(&d->d_lock);
tmp = dget_parent(d);
dput(d);
d = tmp;
Reported by FlawFinder.
Line: 54
Column: 39
CWE codes:
126
/* counter is allowed to wrap, since temp dentries are ephemeral */
snprintf(name, sizeof(name), "#%x", atomic_inc_return(&temp_id));
temp = lookup_one_len(name, workdir, strlen(name));
if (!IS_ERR(temp) && temp->d_inode) {
pr_err("workdir/%s already exists\n", name);
dput(temp);
temp = ERR_PTR(-EIO);
}
Reported by FlawFinder.
Line: 981
Column: 14
CWE codes:
126
spin_lock(&d->d_lock);
name = ovl_dentry_get_redirect(d);
if (name) {
thislen = strlen(name);
} else {
name = d->d_name.name;
thislen = d->d_name.len;
}
Reported by FlawFinder.
Line: 1058
Column: 16
CWE codes:
126
err = ovl_check_setxattr(dentry, ovl_dentry_upper(dentry),
OVL_XATTR_REDIRECT,
redirect, strlen(redirect), -EXDEV);
if (!err) {
spin_lock(&dentry->d_lock);
ovl_dentry_set_redirect(dentry, redirect);
spin_unlock(&dentry->d_lock);
} else {
Reported by FlawFinder.
fs/xfs/xfs_trace.h
5 issues
Line: 825
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->dev = VFS_I(dp)->i_sb->s_dev;
__entry->dp_ino = dp->i_ino;
__entry->namelen = name->len;
memcpy(__get_str(name), name->name, name->len);
),
TP_printk("dev %d:%d dp ino 0x%llx name %.*s",
MAJOR(__entry->dev), MINOR(__entry->dev),
__entry->dp_ino,
__entry->namelen,
Reported by FlawFinder.
Line: 863
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->target_dp_ino = target_dp->i_ino;
__entry->src_namelen = src_name->len;
__entry->target_namelen = target_name->len;
memcpy(__get_str(src_name), src_name->name, src_name->len);
memcpy(__get_str(target_name), target_name->name,
target_name->len);
),
TP_printk("dev %d:%d src dp ino 0x%llx target dp ino 0x%llx"
" src name %.*s target name %.*s",
Reported by FlawFinder.
Line: 864
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->src_namelen = src_name->len;
__entry->target_namelen = target_name->len;
memcpy(__get_str(src_name), src_name->name, src_name->len);
memcpy(__get_str(target_name), target_name->name,
target_name->len);
),
TP_printk("dev %d:%d src dp ino 0x%llx target dp ino 0x%llx"
" src name %.*s target name %.*s",
MAJOR(__entry->dev), MINOR(__entry->dev),
Reported by FlawFinder.
Line: 1810
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->dev = VFS_I(args->dp)->i_sb->s_dev;
__entry->ino = args->dp->i_ino;
if (args->namelen)
memcpy(__get_str(name), args->name, args->namelen);
__entry->namelen = args->namelen;
__entry->hashval = args->hashval;
__entry->inumber = args->inumber;
__entry->op_flags = args->op_flags;
),
Reported by FlawFinder.
Line: 1876
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__entry->dev = VFS_I(args->dp)->i_sb->s_dev;
__entry->ino = args->dp->i_ino;
if (args->namelen)
memcpy(__get_str(name), args->name, args->namelen);
__entry->namelen = args->namelen;
__entry->valuelen = args->valuelen;
__entry->hashval = args->hashval;
__entry->attr_filter = args->attr_filter;
__entry->attr_flags = args->attr_flags;
Reported by FlawFinder.
fs/afs/cell.c
5 issues
Line: 645
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int afs_alloc_anon_key(struct afs_cell *cell)
{
struct key *key;
char keyname[4 + AFS_MAXCELLNAME + 1], *cp, *dp;
/* Create a key to represent an anonymous user. */
memcpy(keyname, "afs@", 4);
dp = keyname + 4;
cp = cell->name;
Reported by FlawFinder.
Line: 648
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char keyname[4 + AFS_MAXCELLNAME + 1], *cp, *dp;
/* Create a key to represent an anonymous user. */
memcpy(keyname, "afs@", 4);
dp = keyname + 4;
cp = cell->name;
do {
*dp++ = tolower(*cp);
} while (*cp++);
Reported by FlawFinder.
Line: 177
Column: 23
CWE codes:
126
*/
if (addresses) {
vllist = afs_parse_text_addrs(net,
addresses, strlen(addresses), ':',
VL_SERVICE, AFS_VL_PORT);
if (IS_ERR(vllist)) {
ret = PTR_ERR(vllist);
goto parse_failed;
}
Reported by FlawFinder.
Line: 361
Column: 9
CWE codes:
126
if (!cp) {
_debug("kAFS: no VL server IP addresses specified");
vllist = NULL;
len = strlen(rootcell);
} else {
vllist = cp + 1;
len = cp - rootcell;
}
Reported by FlawFinder.
Line: 684
Column: 23
CWE codes:
126
#ifdef CONFIG_AFS_FSCACHE
cell->cache = fscache_acquire_cookie(afs_cache_netfs.primary_index,
&afs_cell_cache_index_def,
cell->name, strlen(cell->name),
NULL, 0,
cell, 0, true);
#endif
ret = afs_proc_cell_setup(cell);
if (ret < 0)
Reported by FlawFinder.
fs/ext4/fast_commit.c
5 issues
Line: 457
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mutex_lock(&ei->i_fc_lock);
return -ENOMEM;
}
memcpy((u8 *)node->fcd_name.name, dentry->d_name.name,
dentry->d_name.len);
} else {
memcpy(node->fcd_iname, dentry->d_name.name,
dentry->d_name.len);
node->fcd_name.name = node->fcd_iname;
Reported by FlawFinder.
Line: 460
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy((u8 *)node->fcd_name.name, dentry->d_name.name,
dentry->d_name.len);
} else {
memcpy(node->fcd_iname, dentry->d_name.name,
dentry->d_name.len);
node->fcd_name.name = node->fcd_iname;
}
node->fcd_name.len = dentry->d_name.len;
Reported by FlawFinder.
Line: 708
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
if (crc)
*crc = ext4_chksum(EXT4_SB(sb), *crc, src, len);
return memcpy(dst, src, len);
}
/*
* Complete a fast commit by writing tail tag.
*
Reported by FlawFinder.
Line: 1489
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
inode_len = le16_to_cpu(tl->fc_len) - sizeof(struct ext4_fc_inode);
raw_inode = ext4_raw_inode(&iloc);
memcpy(raw_inode, raw_fc_inode, offsetof(struct ext4_inode, i_block));
memcpy(&raw_inode->i_generation, &raw_fc_inode->i_generation,
inode_len - offsetof(struct ext4_inode, i_generation));
if (le32_to_cpu(raw_inode->i_flags) & EXT4_EXTENTS_FL) {
eh = (struct ext4_extent_header *)(&raw_inode->i_block[0]);
if (eh->eh_magic != EXT4_EXT_MAGIC) {
Reported by FlawFinder.
Line: 1490
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
raw_inode = ext4_raw_inode(&iloc);
memcpy(raw_inode, raw_fc_inode, offsetof(struct ext4_inode, i_block));
memcpy(&raw_inode->i_generation, &raw_fc_inode->i_generation,
inode_len - offsetof(struct ext4_inode, i_generation));
if (le32_to_cpu(raw_inode->i_flags) & EXT4_EXTENTS_FL) {
eh = (struct ext4_extent_header *)(&raw_inode->i_block[0]);
if (eh->eh_magic != EXT4_EXT_MAGIC) {
memset(eh, 0, sizeof(*eh));
Reported by FlawFinder.
fs/reiserfs/journal.c
5 issues
Line: 2257
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
kfree(real_blocks);
return -1;
}
memcpy(real_blocks[i]->b_data, log_blocks[i]->b_data,
real_blocks[i]->b_size);
set_buffer_uptodate(real_blocks[i]);
brelse(log_blocks[i]);
}
/* flush out the real blocks */
Reported by FlawFinder.
Line: 3231
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cur_th->t_super == sb) {
BUG_ON(!cur_th->t_refcount);
cur_th->t_refcount++;
memcpy(th, cur_th, sizeof(*th));
if (th->t_refcount <= 1)
reiserfs_warning(sb, "reiserfs-2005",
"BAD: refcount <= 1, but "
"journal_info != 0");
return 0;
Reported by FlawFinder.
Line: 3407
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
BUG_ON(cur_th->t_super != th->t_super);
if (th != cur_th) {
memcpy(current->journal_info, th, sizeof(*th));
th->t_trans_id = 0;
}
return 0;
} else {
return do_journal_end(th, 0);
Reported by FlawFinder.
Line: 4080
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set_buffer_uptodate(d_bh);
desc = (struct reiserfs_journal_desc *)(d_bh)->b_data;
memset(d_bh->b_data, 0, d_bh->b_size);
memcpy(get_journal_desc_magic(d_bh), JOURNAL_DESC_MAGIC, 8);
set_desc_trans_id(desc, journal->j_trans_id);
/*
* setup commit block. Don't write (keep it clean too) this one
* until after everyone else is written
Reported by FlawFinder.
Line: 4210
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
set_buffer_uptodate(tmp_bh);
page = cn->bh->b_page;
addr = kmap(page);
memcpy(tmp_bh->b_data,
addr + offset_in_page(cn->bh->b_data),
cn->bh->b_size);
kunmap(page);
mark_buffer_dirty(tmp_bh);
jindex++;
Reported by FlawFinder.
fs/nilfs2/dir.c
5 issues
Line: 232
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
nilfs_rec_len_from_disk(p->rec_len));
}
static unsigned char
nilfs_filetype_table[NILFS_FT_MAX] = {
[NILFS_FT_UNKNOWN] = DT_UNKNOWN,
[NILFS_FT_REG_FILE] = DT_REG,
[NILFS_FT_DIR] = DT_DIR,
[NILFS_FT_CHRDEV] = DT_CHR,
Reported by FlawFinder.
Line: 245
Column: 17
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
#define S_SHIFT 12
static unsigned char
nilfs_type_by_mode[S_IFMT >> S_SHIFT] = {
[S_IFREG >> S_SHIFT] = NILFS_FT_REG_FILE,
[S_IFDIR >> S_SHIFT] = NILFS_FT_DIR,
[S_IFCHR >> S_SHIFT] = NILFS_FT_CHRDEV,
[S_IFBLK >> S_SHIFT] = NILFS_FT_BLKDEV,
Reported by FlawFinder.
Line: 518
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
de = de1;
}
de->name_len = namelen;
memcpy(de->name, name, namelen);
de->inode = cpu_to_le64(inode->i_ino);
nilfs_set_de_type(de, inode);
nilfs_commit_chunk(page, page->mapping, from, to);
dir->i_mtime = dir->i_ctime = current_time(dir);
nilfs_mark_inode_dirty(dir);
Reported by FlawFinder.
Line: 601
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
de = (struct nilfs_dir_entry *)kaddr;
de->name_len = 1;
de->rec_len = nilfs_rec_len_to_disk(NILFS_DIR_REC_LEN(1));
memcpy(de->name, ".\0\0", 4);
de->inode = cpu_to_le64(inode->i_ino);
nilfs_set_de_type(de, inode);
de = (struct nilfs_dir_entry *)(kaddr + NILFS_DIR_REC_LEN(1));
de->name_len = 2;
Reported by FlawFinder.
Line: 609
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
de->name_len = 2;
de->rec_len = nilfs_rec_len_to_disk(chunk_size - NILFS_DIR_REC_LEN(1));
de->inode = cpu_to_le64(parent->i_ino);
memcpy(de->name, "..\0", 4);
nilfs_set_de_type(de, inode);
kunmap_atomic(kaddr);
nilfs_commit_chunk(page, mapping, 0, chunk_size);
fail:
put_page(page);
Reported by FlawFinder.
include/linux/device_cgroup.h
5 issues
Line: 16
Column: 17
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#if defined(CONFIG_CGROUP_DEVICE) || defined(CONFIG_CGROUP_BPF)
int devcgroup_check_permission(short type, u32 major, u32 minor,
short access);
static inline int devcgroup_inode_permission(struct inode *inode, int mask)
{
short type, access = 0;
if (likely(!inode->i_rdev))
Reported by FlawFinder.
Line: 32
Column: 3
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
return 0;
if (mask & MAY_WRITE)
access |= DEVCG_ACC_WRITE;
if (mask & MAY_READ)
access |= DEVCG_ACC_READ;
return devcgroup_check_permission(type, imajor(inode), iminor(inode),
access);
Reported by FlawFinder.
Line: 34
Column: 3
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (mask & MAY_WRITE)
access |= DEVCG_ACC_WRITE;
if (mask & MAY_READ)
access |= DEVCG_ACC_READ;
return devcgroup_check_permission(type, imajor(inode), iminor(inode),
access);
}
Reported by FlawFinder.
Line: 37
Column: 8
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
access |= DEVCG_ACC_READ;
return devcgroup_check_permission(type, imajor(inode), iminor(inode),
access);
}
static inline int devcgroup_inode_mknod(int mode, dev_t dev)
{
short type;
Reported by FlawFinder.
Line: 61
Column: 17
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
#else
static inline int devcgroup_check_permission(short type, u32 major, u32 minor,
short access)
{ return 0; }
static inline int devcgroup_inode_permission(struct inode *inode, int mask)
{ return 0; }
static inline int devcgroup_inode_mknod(int mode, dev_t dev)
{ return 0; }
Reported by FlawFinder.
include/linux/raid/pq.h
5 issues
Line: 171
Column: 18
CWE codes:
134
Suggestion:
Use a constant for the format specification
#ifndef __KERNEL__
# define jiffies raid6_jiffies()
# define printk printf
# define pr_err(format, ...) fprintf(stderr, format, ## __VA_ARGS__)
# define pr_info(format, ...) fprintf(stdout, format, ## __VA_ARGS__)
# define GFP_KERNEL 0
# define __get_free_pages(x, y) ((unsigned long)mmap(NULL, PAGE_SIZE << (y), \
PROT_READ|PROT_WRITE, \
Reported by FlawFinder.
Line: 172
Column: 30
CWE codes:
134
Suggestion:
Use a constant for the format specification
# define jiffies raid6_jiffies()
# define printk printf
# define pr_err(format, ...) fprintf(stderr, format, ## __VA_ARGS__)
# define pr_info(format, ...) fprintf(stdout, format, ## __VA_ARGS__)
# define GFP_KERNEL 0
# define __get_free_pages(x, y) ((unsigned long)mmap(NULL, PAGE_SIZE << (y), \
PROT_READ|PROT_WRITE, \
MAP_PRIVATE|MAP_ANONYMOUS,\
Reported by FlawFinder.
Line: 173
Column: 31
CWE codes:
134
Suggestion:
Use a constant for the format specification
# define jiffies raid6_jiffies()
# define printk printf
# define pr_err(format, ...) fprintf(stderr, format, ## __VA_ARGS__)
# define pr_info(format, ...) fprintf(stdout, format, ## __VA_ARGS__)
# define GFP_KERNEL 0
# define __get_free_pages(x, y) ((unsigned long)mmap(NULL, PAGE_SIZE << (y), \
PROT_READ|PROT_WRITE, \
MAP_PRIVATE|MAP_ANONYMOUS,\
0, 0))
Reported by FlawFinder.
Line: 22
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#if RAID6_USE_EMPTY_ZERO_PAGE
# define raid6_empty_zero_page empty_zero_page
#else
extern const char raid6_empty_zero_page[PAGE_SIZE];
#endif
#else /* ! __KERNEL__ */
/* Used for testing in user space */
Reported by FlawFinder.
Line: 50
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifndef PAGE_SHIFT
# define PAGE_SHIFT 12
#endif
extern const char raid6_empty_zero_page[PAGE_SIZE];
#define __init
#define __exit
#ifndef __attribute_const__
# define __attribute_const__ __attribute__((const))
Reported by FlawFinder.