The following issues were found
drivers/misc/ocxl/link.c
4 issues
Line: 139
Column: 16
CWE codes:
362/367!
Suggestion:
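Set up the correct permissions (e.g., using setuid()) and try to open the file directly. This is FlawFinder's stock advice for the access() call; at the reported position the excerpt below declares a local variable named access (unsigned long access, flags, inv_flags = 0;), so the finding looks like a name match rather than a check-then-use race on a file.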
static void xsl_fault_handler_bh(struct work_struct *fault_work)
{
vm_fault_t flt = 0;
unsigned long access, flags, inv_flags = 0;
enum xsl_response r;
struct xsl_fault *fault = container_of(fault_work, struct xsl_fault,
fault_work);
struct spa *spa = container_of(fault, struct spa, xsl_fault);
Reported by FlawFinder.
Line: 172
Column: 4
CWE codes:
362/367!
Suggestion:
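Set up the correct permissions (e.g., using setuid()) and try to open the file directly. The reported position appears to be the statement access |= _PAGE_WRITE; in the excerpt below, where access is a variable holding page-permission bits, not a call to access(); the file-race advice does not apply if that is confirmed.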
*/
access = _PAGE_PRESENT | _PAGE_READ;
if (fault->dsisr & SPA_XSL_S)
access |= _PAGE_WRITE;
if (get_region_id(fault->dar) != USER_REGION_ID)
access |= _PAGE_PRIVILEGED;
local_irq_save(flags);
Reported by FlawFinder.
Line: 175
Column: 4
CWE codes:
362/367!
Suggestion:
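Set up the correct permissions (e.g., using setuid()) and try to open the file directly. The reported position appears to be the statement access |= _PAGE_PRIVILEGED; in the excerpt below, where access is a variable holding page-permission bits, not a call to access(); the file-race advice does not apply if that is confirmed.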
access |= _PAGE_WRITE;
if (get_region_id(fault->dar) != USER_REGION_ID)
access |= _PAGE_PRIVILEGED;
local_irq_save(flags);
hash_page_mm(fault->pe_data.mm, fault->dar, access, 0x300,
inv_flags);
local_irq_restore(flags);
Reported by FlawFinder.
Line: 178
Column: 47
CWE codes:
362/367!
Suggestion:
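Set up the correct permissions (e.g., using setuid()) and try to open the file directly. The reported column appears to fall on the access argument passed to hash_page_mm() in the excerpt below; access is a variable there, not a call to access(), so the file-race advice does not apply if that is confirmed.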
access |= _PAGE_PRIVILEGED;
local_irq_save(flags);
hash_page_mm(fault->pe_data.mm, fault->dar, access, 0x300,
inv_flags);
local_irq_restore(flags);
}
r = RESTART;
ack:
Reported by FlawFinder.
drivers/media/rc/redrat3.c
4 issues
Line: 232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 carrier;
char name[64];
char phys[64];
};
static void redrat3_dump_fw_error(struct redrat3_dev *rr3, int code)
{
Reported by FlawFinder.
Line: 233
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u32 carrier;
char name[64];
char phys[64];
};
static void redrat3_dump_fw_error(struct redrat3_dev *rr3, int code)
{
if (!rr3->transmitting && (code != 0x40))
Reported by FlawFinder.
Line: 622
Column: 3
CWE codes:
120
Suggestion:
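Make sure destination can always hold the source data. No comparison of len against sizeof(rr3->irdata) is visible in the excerpt below; confirm that len is bounded earlier in the function, since it sizes a copy out of bulk_in_buf (presumably data received from the device).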
break;
case RR3_MOD_SIGNAL_IN:
memcpy(&rr3->irdata, rr3->bulk_in_buf, len);
rr3->bytes_read = len;
dev_dbg(rr3->dev, "bytes_read %d, pktlen %d\n",
rr3->bytes_read, pktlen);
break;
Reported by FlawFinder.
Line: 645
Column: 2
CWE codes:
120
Suggestion:
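Make sure destination can always hold the source data. An early return precedes the copy in the excerpt below, but its condition is outside the excerpt; that check needs to guarantee that rr3->bytes_read + len does not exceed the size of the buffer behind irdata.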
return;
}
memcpy(irdata + rr3->bytes_read, rr3->bulk_in_buf, len);
rr3->bytes_read += len;
dev_dbg(rr3->dev, "bytes_read %d, pktlen %d\n", rr3->bytes_read,
be16_to_cpu(rr3->irdata.header.length));
}
Reported by FlawFinder.
drivers/md/persistent-data/dm-space-map-metadata.c
4 issues
Line: 150
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENODATA;
bop = brb->bops + brb->begin;
memcpy(result, bop, sizeof(*result));
return 0;
}
static int brb_pop(struct bop_ring_buffer *brb)
{
Reported by FlawFinder.
Line: 552
Column: 2
CWE codes:
120
Suggestion:
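Make sure destination can always hold the source data. In the excerpt below the copy is preceded by if (max < sizeof(root_le)) return -ENOSPC;, which bounds the destination provided max is the size of the buffer at where_le (presumed; confirm against the callers).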
if (max < sizeof(root_le))
return -ENOSPC;
memcpy(where_le, &root_le, sizeof(root_le));
return 0;
}
static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks);
Reported by FlawFinder.
Line: 725
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Flick into a mode where all blocks get allocated in the new area.
*/
smm->begin = old_len;
memcpy(sm, &bootstrap_ops, sizeof(*sm));
/*
* Extend.
*/
r = sm_ll_extend(&smm->ll, extra_blocks);
Reported by FlawFinder.
Line: 761
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* Switch back to normal behaviour.
*/
memcpy(sm, &ops, sizeof(*sm));
return r;
}
/*----------------------------------------------------------------*/
Reported by FlawFinder.
drivers/media/pci/saa7134/saa7134.h
4 issues
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct saa7134_card_ir {
struct rc_dev *dev;
char phys[32];
u32 polling;
u32 last_gpio;
u32 mask_keycode, mask_keydown, mask_keyup;
Reported by FlawFinder.
Line: 568
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct saa7134_card_ir *remote;
/* pci i/o */
char name[32];
int nr;
struct pci_dev *pci;
unsigned char pci_rev,pci_lat;
__u32 __iomem *lmmio;
__u8 __iomem *bmmio;
Reported by FlawFinder.
Line: 588
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* i2c i/o */
struct i2c_adapter i2c_adap;
struct i2c_client i2c_client;
unsigned char eedata[256];
int has_rds;
/* video overlay */
struct v4l2_framebuffer ovbuf;
struct saa7134_format *ovfmt;
Reported by FlawFinder.
Line: 685
Column: 49
CWE codes:
362
enum fe_sec_voltage voltage);
int (*original_set_high_voltage)(struct dvb_frontend *fe, long arg);
#endif
void (*gate_ctrl)(struct saa7134_dev *dev, int open);
};
/* ----------------------------------------------------------- */
#define saa_readl(reg) readl(dev->lmmio + (reg))
Reported by FlawFinder.
drivers/net/ethernet/3com/3c59x.c
4 issues
Line: 632
Column: 3
CWE codes:
362
has_nway:1,
enable_wol:1, /* Wake-on-LAN is enabled */
pm_state_valid:1, /* pci_dev->saved_config_space has sane contents */
open:1,
medialock:1,
large_frames:1, /* accept large frames */
handling_irq:1; /* private in_irq indicator */
/* {get|set}_wol operations are already serialized by rtnl.
* no additional locking is required for the enable_wol and acpi_set_WOL()
Reported by FlawFinder.
Line: 645
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
u16 available_media; /* From Wn3_Options. */
u16 capabilities, info1, info2; /* Various, from EEPROM. */
u16 advertising; /* NWay media advertisement */
unsigned char phys[2]; /* MII device addresses. */
u16 deferred; /* Resend these interrupts when we
* bale from the ISR */
u16 io_size; /* Size of PCI region (for release_region) */
/* Serialises access to hardware other than MII and variables below.
Reported by FlawFinder.
Line: 741
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
};
static struct {
const char str[ETH_GSTRING_LEN];
} ethtool_stats_keys[] = {
{ "tx_deferred" },
{ "tx_max_collisions" },
{ "tx_multiple_collisions" },
{ "tx_single_collisions" },
Reported by FlawFinder.
Line: 2947
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
switch (stringset) {
case ETH_SS_STATS:
memcpy(data, &ethtool_stats_keys, sizeof(ethtool_stats_keys));
break;
default:
WARN_ON(1);
break;
}
Reported by FlawFinder.
drivers/net/ethernet/8390/ne.c
4 issues
Line: 131
Column: 54
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef SUPPORT_NE_BAD_CLONES
/* A list of bad clones that we none-the-less recognize. */
static struct { const char *name8, *name16; unsigned char SAprefix[4];}
bad_clone_list[] __initdata = {
{"DE100", "DE200", {0x00, 0xDE, 0x01,}},
{"DE120", "DE220", {0x00, 0x80, 0xc8,}},
{"DFI1000", "DFI2000", {'D', 'F', 'I',}}, /* Original, eh? */
{"EtherNext UTP8", "EtherNext UTP16", {0x00, 0x00, 0x79}},
Reported by FlawFinder.
Line: 271
Column: 10
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
dev->irq = pnp_irq(idev, 0);
netdev_info(dev,
"ne.c: ISAPnP reports %s at i/o %#lx, irq %d.\n",
(char *) isapnp_clone_list[i].driver_data,
dev->base_addr, dev->irq);
if (ne_probe1(dev, dev->base_addr) != 0) { /* Shouldn't happen. */
netdev_err(dev,
"ne.c: Probe of ISAPnP card at %#lx failed.\n",
dev->base_addr);
Reported by FlawFinder.
Line: 294
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int __init ne_probe1(struct net_device *dev, unsigned long ioaddr)
{
int i;
unsigned char SA_prom[32];
int wordlength = 2;
const char *name = NULL;
int start_page, stop_page;
int neX000, ctron, copam, bad_card;
int reg0, ret;
Reported by FlawFinder.
Line: 972
Column: 2
CWE codes:
120
Suggestion:
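Use sprintf_s, snprintf, or vsnprintf. Kernel code has no sprintf_s; the bounded form for the call below would be snprintf(dev->name, sizeof(dev->name), "eth%d", unit), assuming dev->name is the fixed-size name array of struct net_device.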
if (!dev)
return ERR_PTR(-ENOMEM);
sprintf(dev->name, "eth%d", unit);
netdev_boot_setup_check(dev);
io[this_dev] = dev->base_addr;
irq[this_dev] = dev->irq;
bad[this_dev] = dev->mem_end;
Reported by FlawFinder.
drivers/misc/hmc6352.c
4 issues
Line: 67
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device_attribute *attr, char *buf)
{
struct i2c_client *client = to_i2c_client(dev);
unsigned char i2c_data[2];
int ret;
mutex_lock(&compass_mutex);
ret = compass_command(client, 'A');
if (ret != 1) {
Reported by FlawFinder.
Line: 84
Column: 9
CWE codes:
120
Suggestion:
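Use sprintf_s, snprintf, or vsnprintf. Kernel code has no sprintf_s. The call below appears to be the return statement of the sysfs show callback compass_heading_data_show (registered through DEVICE_ATTR in the same excerpt), where ret is assembled from the two bytes of i2c_data and the output is therefore at most "6553.5\n"; the bounded kernel idiom for a show callback is sysfs_emit(buf, ...).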
return ret;
}
ret = (i2c_data[0] << 8) | i2c_data[1];
return sprintf(buf, "%d.%d\n", ret/10, ret%10);
}
static DEVICE_ATTR(heading0_input, S_IRUGO, compass_heading_data_show, NULL);
static DEVICE_ATTR(calibration, S_IWUSR, NULL, compass_calibration_store);
Reported by FlawFinder.
Line: 40
Column: 13
CWE codes:
126
ret = kstrtoul(buf, 10, &val);
if (ret)
return ret;
if (val >= strlen(map))
return -EINVAL;
val = array_index_nospec(val, strlen(map));
mutex_lock(&compass_mutex);
ret = compass_command(c, map[val]);
mutex_unlock(&compass_mutex);
Reported by FlawFinder.
Line: 42
Column: 32
CWE codes:
126
return ret;
if (val >= strlen(map))
return -EINVAL;
val = array_index_nospec(val, strlen(map));
mutex_lock(&compass_mutex);
ret = compass_command(c, map[val]);
mutex_unlock(&compass_mutex);
if (ret < 0)
return ret;
Reported by FlawFinder.
drivers/media/usb/gspca/sonixj.c
4 issues
Line: 1213
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(gspca_dev->usb_buf, buffer, len);
ret = usb_control_msg(gspca_dev->dev,
usb_sndctrlpipe(gspca_dev->dev, 0),
0x08,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
value, 0,
Reported by FlawFinder.
Line: 1278
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
gspca_dbg(gspca_dev, D_USBO, "i2c_w8 [%02x] = %02x ..\n",
buffer[2], buffer[3]);
memcpy(gspca_dev->usb_buf, buffer, 8);
ret = usb_control_msg(gspca_dev->dev,
usb_sndctrlpipe(gspca_dev->dev, 0),
0x08,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
0x08, 0, /* value, index */
Reported by FlawFinder.
Line: 2133
Column: 2
CWE codes:
120
Suggestion:
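Make sure destination can always hold the source data. The excerpt below shows a compile-time guard for the destination (#if USB_BUF_SZ < 64 followed by #error), which covers the 64-byte write if usb_buf is USB_BUF_SZ bytes long; nothing visible here bounds the 64-byte read starting at sd->jpeg_hdr[JPEG_QT0_OFFSET].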
#if USB_BUF_SZ < 64
#error "No room enough in usb_buf for quantization table"
#endif
memcpy(gspca_dev->usb_buf, &sd->jpeg_hdr[JPEG_QT0_OFFSET], 64);
usb_control_msg(gspca_dev->dev,
usb_sndctrlpipe(gspca_dev->dev, 0),
0x08,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
0x0100, 0,
Reported by FlawFinder.
Line: 2141
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
0x0100, 0,
gspca_dev->usb_buf, 64,
500);
memcpy(gspca_dev->usb_buf, &sd->jpeg_hdr[JPEG_QT1_OFFSET], 64);
usb_control_msg(gspca_dev->dev,
usb_sndctrlpipe(gspca_dev->dev, 0),
0x08,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_INTERFACE,
0x0140, 0,
Reported by FlawFinder.
drivers/net/ethernet/amd/a2065.c
4 issues
Line: 86
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lance_init_block {
unsigned short mode; /* Pre-set mode (reg. 15) */
unsigned char phys_addr[6]; /* Physical ethernet address */
unsigned filter[2]; /* Multicast filter. */
/* Receive and transmit ring base, along with extra bits. */
unsigned short rx_ptr; /* receive descriptor addr */
unsigned short rx_len; /* receive len and high addr */
Reported by FlawFinder.
Line: 99
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lance_rx_desc brx_ring[RX_RING_SIZE];
struct lance_tx_desc btx_ring[TX_RING_SIZE];
char rx_buf[RX_RING_SIZE][RX_BUFF_SIZE];
char tx_buf[TX_RING_SIZE][TX_BUFF_SIZE];
};
/* Private Device Data */
Reported by FlawFinder.
Line: 100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct lance_tx_desc btx_ring[TX_RING_SIZE];
char rx_buf[RX_RING_SIZE][RX_BUFF_SIZE];
char tx_buf[TX_RING_SIZE][TX_BUFF_SIZE];
};
/* Private Device Data */
struct lance_private {
Reported by FlawFinder.
Line: 251
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#ifdef TEST_HITS
int i;
char buf[RX_RING_SIZE + 1];
for (i = 0; i < RX_RING_SIZE; i++) {
char r1_own = ib->brx_ring[i].rmd1_bits & LE_R1_OWN;
if (i == lp->rx_new)
buf[i] = r1_own ? '_' : 'X';
Reported by FlawFinder.
drivers/net/ethernet/amd/ni65.c
4 issues
Line: 372
Column: 3
CWE codes:
120
Suggestion:
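Use sprintf_s, snprintf, or vsnprintf. Kernel code has no sprintf_s; the bounded form for the call below would be snprintf(dev->name, sizeof(dev->name), "eth%d", unit), assuming dev->name is the fixed-size name array of struct net_device.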
return ERR_PTR(-ENOMEM);
if (unit >= 0) {
sprintf(dev->name, "eth%d", unit);
netdev_boot_setup_check(dev);
irq = dev->irq;
dma = dev->dma;
} else {
dev->base_addr = io;
Reported by FlawFinder.
Line: 765
Column: 52
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for(i=0;i<TMDNUM;i++) {
int num = (i + p->tmdlast) & (TMDNUM-1);
p->tmdhead[i].u.buffer = (u32) isa_virt_to_bus((char *)buffer[num]); /* status is part of buffer field */
p->tmdhead[i].blen = blen[num];
if(p->tmdhead[i].u.s.status & XMIT_OWN) {
p->tmdnum = (p->tmdnum + 1) & (TMDNUM-1);
p->xmit_queued = 1;
writedatareg(CSR0_TDMD | CSR0_INEA | csr0);
Reported by FlawFinder.
Line: 944
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if(debuglevel > 0)
{
char buf[256],*buf1;
buf1 = buf;
for(k=0;k<RMDNUM;k++) {
sprintf(buf1,"%02x ",(p->rmdhead[k].u.s.status)); /* & RCV_OWN) ); */
buf1 += 3;
}
Reported by FlawFinder.
Line: 947
Column: 5
CWE codes:
120
Suggestion:
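Use sprintf_s, snprintf, or vsnprintf. In the loop below each iteration writes through buf1 and then advances it by exactly 3, so the writes stay inside buf[256] only if every status value prints as two hex digits and RMDNUM * 3 + 1 does not exceed 256; neither the type of status nor the value of RMDNUM is visible in this excerpt. A bounded call that is given the remaining space (snprintf or scnprintf) removes that dependency.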
char buf[256],*buf1;
buf1 = buf;
for(k=0;k<RMDNUM;k++) {
sprintf(buf1,"%02x ",(p->rmdhead[k].u.s.status)); /* & RCV_OWN) ); */
buf1 += 3;
}
*buf1 = 0;
printk(KERN_ERR "%s: Ooops, receive ring corrupted %2d %2d | %s\n",dev->name,p->rmdnum,i,buf);
}
Reported by FlawFinder.