The following issues were found
include/rdma/ib_umem.h
4 issues
Line: 101
Column: 25
CWE codes:
362/367!
Suggestion:
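Set up the correct permissions (e.g., using setuid()) and try to open the file directly. Triage note: the only `access` in the excerpt below is an `int access` parameter in a function prototype; no call to access() appears, so this looks like a match on the identifier name rather than a check-then-open race on a file. The other three findings in this file show the same parameter name and should be triaged the same way.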
#ifdef CONFIG_INFINIBAND_USER_MEM
struct ib_umem *ib_umem_get(struct ib_device *device, unsigned long addr,
size_t size, int access);
void ib_umem_release(struct ib_umem *umem);
int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offset,
size_t length);
unsigned long ib_umem_find_best_pgsz(struct ib_umem *umem,
unsigned long pgsz_bitmap,
Reported by FlawFinder.
Line: 141
Column: 20
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct ib_umem_dmabuf *ib_umem_dmabuf_get(struct ib_device *device,
unsigned long offset, size_t size,
int fd, int access,
const struct dma_buf_attach_ops *ops);
int ib_umem_dmabuf_map_pages(struct ib_umem_dmabuf *umem_dmabuf);
void ib_umem_dmabuf_unmap_pages(struct ib_umem_dmabuf *umem_dmabuf);
void ib_umem_dmabuf_release(struct ib_umem_dmabuf *umem_dmabuf);
Reported by FlawFinder.
Line: 153
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/*
 * Stub variant of ib_umem_get(): ignores all four arguments and always
 * returns ERR_PTR(-EOPNOTSUPP).
 *
 * NOTE(review): presumably the branch used when CONFIG_INFINIBAND_USER_MEM
 * is not set (the guarded prototype appears earlier in this header) -
 * confirm against the full file.
 * NOTE(review): `access` is an int parameter, not a call to access(2).
 * Nothing in this body checks or opens a file, so the check-then-use
 * pattern behind CWE-362/367 is absent here.
 */
static inline struct ib_umem *ib_umem_get(struct ib_device *device,
unsigned long addr, size_t size,
int access)
{
return ERR_PTR(-EOPNOTSUPP);
}
/* Stub variant of ib_umem_release(): the body is empty, so umem is left untouched. */
static inline void ib_umem_release(struct ib_umem *umem) { }
static inline int ib_umem_copy_from(void *dst, struct ib_umem *umem, size_t offset,
Reported by FlawFinder.
Line: 178
Column: 12
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
struct ib_umem_dmabuf *ib_umem_dmabuf_get(struct ib_device *device,
unsigned long offset,
size_t size, int fd,
int access,
struct dma_buf_attach_ops *ops)
{
return ERR_PTR(-EOPNOTSUPP);
}
static inline int ib_umem_dmabuf_map_pages(struct ib_umem_dmabuf *umem_dmabuf)
Reported by FlawFinder.
net/ipv4/igmp.c
4 issues
Line: 1138
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ip_mc_filter_add(struct in_device *in_dev, __be32 addr)
{
char buf[MAX_ADDR_LEN];
struct net_device *dev = in_dev->dev;
/* Checking for IFF_MULTICAST here is WRONG-WRONG-WRONG.
We will get multicast token leakage, when IFF_MULTICAST
is changed. This check should be done in ndo_set_rx_mode
Reported by FlawFinder.
Line: 1158
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * Ask arp_mc_map() to fill buf for the given address and device and, when
 * that call returns 0, pass buf to dev_mc_del() for the same device.
 *
 * NOTE(review): presumably this turns a multicast IPv4 address into the
 * matching link-layer address and drops it from the device filter -
 * inferred from the names, confirm against arp_mc_map()/dev_mc_del().
 */
static void ip_mc_filter_del(struct in_device *in_dev, __be32 addr)
{
/* Stack scratch buffer of MAX_ADDR_LEN bytes; this declaration is what the scanner flags. */
char buf[MAX_ADDR_LEN];
struct net_device *dev = in_dev->dev;
/*
 * NOTE(review): no buffer length is passed here (the arguments are addr,
 * buf, dev and 0), so the bound rests on arp_mc_map() never writing more
 * than MAX_ADDR_LEN bytes - verify that in the helper before closing
 * the finding.
 */
if (arp_mc_map(addr, buf, dev, 0) == 0)
dev_mc_del(dev, buf);
}
Reported by FlawFinder.
Line: 2201
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!iml)
goto done;
memcpy(&iml->multi, imr, sizeof(*imr));
iml->next_rcu = inet->mc_list;
iml->sflist = NULL;
iml->sfmode = mode;
rcu_assign_pointer(inet->mc_list, iml);
____ip_mc_inc_group(in_dev, addr, mode, GFP_KERNEL);
Reported by FlawFinder.
Line: 2485
Column: 3
CWE codes:
120
Suggestion:
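Make sure destination can always hold the source data. Triage note: the copy length in the excerpt is msf->imsf_numsrc * sizeof(msf->imsf_slist[0]); the allocation of newpsl and any upper bound on imsf_numsrc are outside the excerpt. Confirm both, and that the multiplication cannot wrap, before closing this finding.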
goto done;
}
newpsl->sl_max = newpsl->sl_count = msf->imsf_numsrc;
memcpy(newpsl->sl_addr, msf->imsf_slist,
msf->imsf_numsrc * sizeof(msf->imsf_slist[0]));
err = ip_mc_add_src(in_dev, &msf->imsf_multiaddr,
msf->imsf_fmode, newpsl->sl_count, newpsl->sl_addr, 0);
if (err) {
sock_kfree_s(sk, newpsl, IP_SFLSIZE(newpsl->sl_max));
Reported by FlawFinder.
lib/objagg.c
4 issues
Line: 374
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!objagg_obj)
return ERR_PTR(-ENOMEM);
objagg_obj_ref_inc(objagg_obj);
memcpy(objagg_obj->obj, obj, objagg->ops->obj_size);
err = objagg_obj_init(objagg, objagg_obj);
if (err)
goto err_obj_init;
Reported by FlawFinder.
Line: 617
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i = 0;
list_for_each_entry(objagg_obj, &objagg->obj_list, list) {
memcpy(&objagg_stats->stats_info[i].stats, &objagg_obj->stats,
sizeof(objagg_stats->stats_info[0].stats));
objagg_stats->stats_info[i].objagg_obj = objagg_obj;
objagg_stats->stats_info[i].is_root =
objagg_obj_is_root(objagg_obj);
if (objagg_stats->stats_info[i].is_root)
Reported by FlawFinder.
Line: 660
Column: 2
CWE codes:
120
Suggestion:
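Make sure destination can always hold the source data. Triage note: in the excerpt the destination is allocated as sizeof(*hnode) + obj_size and the copy that follows uses the same obj_size, so the length matches the allocation provided hnode->obj is the trailing member of *hnode (its declaration is not shown).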
hnode = kzalloc(sizeof(*hnode) + obj_size, GFP_KERNEL);
if (!hnode)
return ERR_PTR(-ENOMEM);
memcpy(hnode->obj, &objagg_obj->obj, obj_size);
hnode->stats_info.stats.user_count = user_count;
hnode->stats_info.stats.delta_user_count = user_count;
if (parent_hnode) {
parent_hnode->stats_info.stats.delta_user_count += user_count;
} else {
Reported by FlawFinder.
Line: 1036
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
i = 0;
list_for_each_entry(hnode, &objagg_hints->node_list, list) {
memcpy(&objagg_stats->stats_info[i], &hnode->stats_info,
sizeof(objagg_stats->stats_info[0]));
if (objagg_stats->stats_info[i].is_root)
objagg_stats->root_count++;
i++;
}
Reported by FlawFinder.
include/pcmcia/cistpl.h
4 issues
Line: 87
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * NOTE(review): presumably the parsed form of an "alternate strings" CIS
 * tuple - inferred from the name only, confirm against the tuple parser.
 */
typedef struct cistpl_altstr_t {
/* NOTE(review): looks like a string count - confirm. */
u_char ns;
/*
 * NOTE(review): looks like per-string offsets into str - confirm. If so,
 * a u_char can hold values up to 255 while str has only 254 bytes, so
 * any consumer has to range-check each offset before indexing.
 */
u_char ofs[CISTPL_MAX_ALTSTR_STRINGS];
/*
 * Fixed 254-byte buffer; this declaration is what the scanner flags.
 * The code that fills it is not shown here, so the finding can only be
 * closed by checking that the writer limits its copy to sizeof(str).
 */
char str[254];
} cistpl_altstr_t;
#define CISTPL_DTYPE_NULL 0x00
#define CISTPL_DTYPE_ROM 0x01
#define CISTPL_DTYPE_OTPROM 0x02
Reported by FlawFinder.
Line: 128
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u_char minor;
u_char ns;
u_char ofs[CISTPL_VERS_1_MAX_PROD_STRINGS];
char str[254];
} cistpl_vers_1_t;
typedef struct cistpl_jedec_t {
u_char nid;
struct {
Reported by FlawFinder.
Line: 506
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u_char vspec8, vspec9;
u_char nhdr;
u_char vendor, info;
char str[244];
} cistpl_vers_2_t;
typedef struct cistpl_org_t {
u_char data_org;
char desc[30];
Reported by FlawFinder.
Line: 511
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/*
 * NOTE(review): presumably the parsed form of a data-organization CIS
 * tuple - inferred from the name and the CISTPL_ORG_* constants that
 * follow, confirm against the tuple parser.
 */
typedef struct cistpl_org_t {
u_char data_org;
/*
 * Fixed 30-byte buffer; this declaration is what the scanner flags.
 * The code that fills it is not shown here, so the finding can only be
 * closed by checking that the writer limits its copy to sizeof(desc).
 */
char desc[30];
} cistpl_org_t;
#define CISTPL_ORG_FS 0x00
#define CISTPL_ORG_APPSPEC 0x01
#define CISTPL_ORG_XIP 0x02
Reported by FlawFinder.
include/uapi/linux/kvm.h
4 issues
Line: 134
Column: 3
CWE codes:
119
120
Suggestion:
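Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. Triage note: the flagged line in the excerpt is `char dummy[512]; /* reserving space */`, a union member declared to reserve space; the scanner is reporting the fixed-size array declaration itself, and no write into the array is shown.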
__u32 chip_id;
__u32 pad;
union {
char dummy[512]; /* reserving space */
#ifdef __KVM_HAVE_PIT
struct kvm_pic_state pic;
#endif
#ifdef __KVM_HAVE_IOAPIC
struct kvm_ioapic_state ioapic;
Reported by FlawFinder.
Line: 473
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* KVM_EXIT_XEN */
struct kvm_xen_exit xen;
/* Fix the size of the union. */
char padding[256];
};
/* 2048 is the size of the char array used to bound/pad the size
* of the union that holds sync regs.
*/
Reported by FlawFinder.
Line: 491
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__u64 kvm_dirty_regs;
union {
struct kvm_sync_regs regs;
char padding[SYNC_REGS_SIZE_BYTES];
} s;
};
/* for KVM_REGISTER_COALESCED_MMIO / KVM_UNREGISTER_COALESCED_MMIO */
Reported by FlawFinder.
Line: 731
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct kvm_s390_prefix_info prefix;
struct kvm_s390_stop_info stop;
struct kvm_s390_mchk_info mchk;
char reserved[64];
} u;
};
struct kvm_s390_irq_state {
__u64 buf;
Reported by FlawFinder.
include/video/neomagic.h
4 issues
Line: 129
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int ref_count;
unsigned char MiscOutReg; /* Misc */
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned char GeneralLockReg;
Reported by FlawFinder.
Line: 130
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char MiscOutReg; /* Misc */
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned char GeneralLockReg;
unsigned char ExtCRTDispAddr;
Reported by FlawFinder.
Line: 131
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char MiscOutReg; /* Misc */
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned char GeneralLockReg;
unsigned char ExtCRTDispAddr;
unsigned char ExtCRTOffset;
Reported by FlawFinder.
Line: 132
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char CRTC[25]; /* Crtc Controller */
unsigned char Sequencer[5]; /* Video Sequencer */
unsigned char Graphics[9]; /* Video Graphics */
unsigned char Attribute[21]; /* Video Attribute */
unsigned char GeneralLockReg;
unsigned char ExtCRTDispAddr;
unsigned char ExtCRTOffset;
unsigned char SysIfaceCntl1;
Reported by FlawFinder.
net/ipv4/ip_sockglue.c
4 issues
Line: 89
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void ip_cmsg_recv_retopts(struct net *net, struct msghdr *msg,
struct sk_buff *skb)
{
unsigned char optbuf[sizeof(struct ip_options) + 40];
struct ip_options *opt = (struct ip_options *)optbuf;
if (IPCB(skb)->opt.optlen == 0)
return;
Reported by FlawFinder.
Line: 556
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*addr_len = sizeof(*sin);
}
memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
sin = &errhdr.offender;
memset(sin, 0, sizeof(*sin));
if (ipv4_datagram_support_cmsg(sk, skb, serr->ee.ee_origin)) {
sin->sin_family = AF_INET;
Reported by FlawFinder.
Line: 1541
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
switch (optname) {
case IP_OPTIONS:
{
unsigned char optbuf[sizeof(struct ip_options)+40];
struct ip_options *opt = (struct ip_options *)optbuf;
struct ip_options_rcu *inet_opt;
inet_opt = rcu_dereference_protected(inet->inet_opt,
lockdep_sock_is_held(sk));
Reported by FlawFinder.
Line: 1549
Column: 4
CWE codes:
120
Suggestion:
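Make sure destination can always hold the source data. Triage note: the previous excerpt for this file declares optbuf as sizeof(struct ip_options) + 40 bytes, and this copy is sizeof(struct ip_options) + inet_opt->opt.optlen bytes, so it fits only while optlen is at most 40. Where that limit is enforced is not shown and should be confirmed at the point where inet_opt is populated.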
lockdep_sock_is_held(sk));
opt->optlen = 0;
if (inet_opt)
memcpy(optbuf, &inet_opt->opt,
sizeof(struct ip_options) +
inet_opt->opt.optlen);
release_sock(sk);
if (opt->optlen == 0)
Reported by FlawFinder.
net/ipv4/netfilter/arpt_mangle.c
4 issues
Line: 32
Column: 3
CWE codes:
120
Suggestion:
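Make sure destination can always hold the source data. Triage note: in the excerpt the copy is preceded by a check that returns NF_DROP when hln exceeds ARPT_DEV_ADDR_LEN_MAX or when arpptr + hln would pass skb_tail_pointer(skb), so the write stays inside the packet data. The size of mangle->src_devaddr is not shown, although the first condition suggests it is ARPT_DEV_ADDR_LEN_MAX bytes. The other three findings in this file show the same check-then-copy pattern.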
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
return NF_DROP;
memcpy(arpptr, mangle->src_devaddr, hln);
}
arpptr += hln;
if (mangle->flags & ARPT_MANGLE_SIP) {
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
Reported by FlawFinder.
Line: 39
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
return NF_DROP;
memcpy(arpptr, &mangle->u_s.src_ip, pln);
}
arpptr += pln;
if (mangle->flags & ARPT_MANGLE_TDEV) {
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
Reported by FlawFinder.
Line: 46
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ARPT_DEV_ADDR_LEN_MAX < hln ||
(arpptr + hln > skb_tail_pointer(skb)))
return NF_DROP;
memcpy(arpptr, mangle->tgt_devaddr, hln);
}
arpptr += hln;
if (mangle->flags & ARPT_MANGLE_TIP) {
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
Reported by FlawFinder.
Line: 53
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (ARPT_MANGLE_ADDR_LEN_MAX < pln ||
(arpptr + pln > skb_tail_pointer(skb)))
return NF_DROP;
memcpy(arpptr, &mangle->u_t.tgt_ip, pln);
}
return mangle->target;
}
static int checkentry(const struct xt_tgchk_param *par)
Reported by FlawFinder.
lib/mpi/ec.c
4 issues
Line: 357
mpi_limb_t b1[LIMB_SIZE_HALF_448];
mpi_limb_t cy;
int i;
#if (LIMB_SIZE_HALF_448 > LIMB_SIZE_448/2)
mpi_limb_t b1_rest, a3_rest;
#endif
if (w->nlimbs != wsize || u->nlimbs != wsize || v->nlimbs != wsize)
log_bug("mulm_448: different sizes\n");
Reported by Cppcheck.
Line: 260
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
wp = w->d;
mpihelp_mul_n(n, up, vp, wsize);
memcpy(wp, n, wsize * BYTES_PER_MPI_LIMB);
wp[LIMB_SIZE_25519-1] &= ~((mpi_limb_t)1 << (255 % BITS_PER_MPI_LIMB));
memcpy(m, n+LIMB_SIZE_25519-1, (wsize+1) * BYTES_PER_MPI_LIMB);
mpihelp_rshift(m, m, LIMB_SIZE_25519+1, (255 % BITS_PER_MPI_LIMB));
Reported by FlawFinder.
Line: 263
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(wp, n, wsize * BYTES_PER_MPI_LIMB);
wp[LIMB_SIZE_25519-1] &= ~((mpi_limb_t)1 << (255 % BITS_PER_MPI_LIMB));
memcpy(m, n+LIMB_SIZE_25519-1, (wsize+1) * BYTES_PER_MPI_LIMB);
mpihelp_rshift(m, m, LIMB_SIZE_25519+1, (255 % BITS_PER_MPI_LIMB));
memcpy(n, m, wsize * BYTES_PER_MPI_LIMB);
cy = mpihelp_lshift(m, m, LIMB_SIZE_25519, 4);
m[LIMB_SIZE_25519] = cy;
Reported by FlawFinder.
Line: 266
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(m, n+LIMB_SIZE_25519-1, (wsize+1) * BYTES_PER_MPI_LIMB);
mpihelp_rshift(m, m, LIMB_SIZE_25519+1, (255 % BITS_PER_MPI_LIMB));
memcpy(n, m, wsize * BYTES_PER_MPI_LIMB);
cy = mpihelp_lshift(m, m, LIMB_SIZE_25519, 4);
m[LIMB_SIZE_25519] = cy;
cy = mpihelp_add_n(m, m, n, wsize);
m[LIMB_SIZE_25519] += cy;
cy = mpihelp_add_n(m, m, n, wsize);
Reported by FlawFinder.
kernel/dma/swiotlb.c
4 issues
Line: 388
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
local_irq_save(flags);
buffer = kmap_atomic(pfn_to_page(pfn));
if (dir == DMA_TO_DEVICE)
memcpy(vaddr, buffer + offset, sz);
else
memcpy(buffer + offset, vaddr, sz);
kunmap_atomic(buffer);
local_irq_restore(flags);
Reported by FlawFinder.
Line: 390
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dir == DMA_TO_DEVICE)
memcpy(vaddr, buffer + offset, sz);
else
memcpy(buffer + offset, vaddr, sz);
kunmap_atomic(buffer);
local_irq_restore(flags);
size -= sz;
pfn++;
Reported by FlawFinder.
Line: 400
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
offset = 0;
}
} else if (dir == DMA_TO_DEVICE) {
memcpy(vaddr, phys_to_virt(orig_addr), size);
} else {
memcpy(phys_to_virt(orig_addr), vaddr, size);
}
}
Reported by FlawFinder.
Line: 402
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else if (dir == DMA_TO_DEVICE) {
memcpy(vaddr, phys_to_virt(orig_addr), size);
} else {
memcpy(phys_to_virt(orig_addr), vaddr, size);
}
}
#define slot_addr(start, idx) ((start) + ((idx) << IO_TLB_SHIFT))
Reported by FlawFinder.