The following issues were found
arch/arm/vfp/vfpmodule.c
4 issues
Line: 728
BUG_ON(in_interrupt());
cpu = get_cpu();
fpexc = fmrx(FPEXC) | FPEXC_EN;
fmxr(FPEXC, fpexc);
/*
* Save the userland NEON/VFP state. Under UP,
* the owner could be a task other than 'current'
Reported by Cppcheck.
Line: 424
Column: 6
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
static void vfp_enable(void *unused)
{
u32 access;
BUG_ON(preemptible());
access = get_copro_access();
/*
Reported by FlawFinder.
Line: 432
Column: 19
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
/*
* Enable full access to VFP (cp10 and cp11)
*/
set_copro_access(access | CPACC_FULL(10) | CPACC_FULL(11));
}
/* Called by platforms on which we want to disable VFP because it may not be
* present on all CPUs within a SMP complex. Needs to be called prior to
* vfp_init().
Reported by FlawFinder.
Line: 561
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Copy the floating point registers. There can be unused
* registers see asm/hwcap.h for details.
*/
memcpy(&ufp->fpregs, &hwstate->fpregs, sizeof(hwstate->fpregs));
/*
* Copy the status and control register.
*/
ufp->fpscr = hwstate->fpscr;
Reported by FlawFinder.
arch/arm64/crypto/aes-glue.c
4 issues
Line: 464
Column: 10
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned int tail;
if (unlikely(nbytes < AES_BLOCK_SIZE))
src = memcpy(buf, src, nbytes);
else if (nbytes < walk.total)
nbytes &= ~(AES_BLOCK_SIZE - 1);
kernel_neon_begin();
aes_ctr_encrypt(dst, src, ctx->key_enc, rounds, nbytes,
Reported by FlawFinder.
Line: 480
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* an overlapping store, so it was passed via buf[]
* instead.
*/
memcpy(dst + nbytes - tail, buf, tail);
err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
}
return err;
Reported by FlawFinder.
Line: 931
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac_do_update(&tctx->key, NULL, 0, ctx->dg, (ctx->len != 0), 0);
memcpy(out, ctx->dg, AES_BLOCK_SIZE);
return 0;
}
static int cmac_final(struct shash_desc *desc, u8 *out)
Reported by FlawFinder.
Line: 949
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
mac_do_update(&tctx->key, consts, 1, ctx->dg, 0, 1);
memcpy(out, ctx->dg, AES_BLOCK_SIZE);
return 0;
}
static struct shash_alg mac_algs[] = { {
Reported by FlawFinder.
arch/arm64/crypto/chacha-neon-glue.c
4 issues
Line: 51
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (l <= CHACHA_BLOCK_SIZE) {
u8 buf[CHACHA_BLOCK_SIZE];
memcpy(buf, src, l);
chacha_block_xor_neon(state, buf, buf, nrounds);
memcpy(dst, buf, l);
state[12] += 1;
break;
}
Reported by FlawFinder.
Line: 53
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(buf, src, l);
chacha_block_xor_neon(state, buf, buf, nrounds);
memcpy(dst, buf, l);
state[12] += 1;
break;
}
chacha_4block_xor_neon(state, dst, src, nrounds, l);
bytes -= l;
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
hchacha_block_arch(state, subctx.key, ctx->nrounds);
subctx.nrounds = ctx->nrounds;
memcpy(&real_iv[0], req->iv + 24, 8);
memcpy(&real_iv[8], req->iv + 16, 8);
return chacha_neon_stream_xor(req, &subctx, real_iv);
}
static struct skcipher_alg algs[] = {
Reported by FlawFinder.
Line: 159
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
subctx.nrounds = ctx->nrounds;
memcpy(&real_iv[0], req->iv + 24, 8);
memcpy(&real_iv[8], req->iv + 16, 8);
return chacha_neon_stream_xor(req, &subctx, real_iv);
}
static struct skcipher_alg algs[] = {
{
Reported by FlawFinder.
arch/arm64/crypto/poly1305-glue.c
4 issues
Line: 87
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(dctx->buflen)) {
u32 bytes = min(len, POLY1305_BLOCK_SIZE - dctx->buflen);
memcpy(dctx->buf + dctx->buflen, src, bytes);
src += bytes;
len -= bytes;
dctx->buflen += bytes;
if (dctx->buflen == POLY1305_BLOCK_SIZE) {
Reported by FlawFinder.
Line: 107
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(len)) {
dctx->buflen = len;
memcpy(dctx->buf, src, len);
}
}
static int neon_poly1305_update(struct shash_desc *desc,
const u8 *src, unsigned int srclen)
Reported by FlawFinder.
Line: 131
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(dctx->buflen)) {
u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
memcpy(dctx->buf + dctx->buflen, src, bytes);
src += bytes;
nbytes -= bytes;
dctx->buflen += bytes;
if (dctx->buflen == POLY1305_BLOCK_SIZE) {
Reported by FlawFinder.
Line: 165
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (unlikely(nbytes)) {
dctx->buflen = nbytes;
memcpy(dctx->buf, src, nbytes);
}
}
EXPORT_SYMBOL(poly1305_update_arch);
void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
Reported by FlawFinder.
arch/alpha/kernel/sys_dp264.c
4 issues
Line: 378
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
dp264_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
static char irq_tab[6][5] = {
/*INT INTA INTB INTC INTD */
{ -1, -1, -1, -1, -1}, /* IdSel 5 ISA Bridge */
{ 16+ 3, 16+ 3, 16+ 2, 16+ 2, 16+ 2}, /* IdSel 6 SCSI builtin*/
{ 16+15, 16+15, 16+14, 16+13, 16+12}, /* IdSel 7 slot 0 */
{ 16+11, 16+11, 16+10, 16+ 9, 16+ 8}, /* IdSel 8 slot 1 */
Reported by FlawFinder.
Line: 400
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
monet_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
static char irq_tab[13][5] = {
/*INT INTA INTB INTC INTD */
{ 45, 45, 45, 45, 45}, /* IdSel 3 21143 PCI1 */
{ -1, -1, -1, -1, -1}, /* IdSel 4 unused */
{ -1, -1, -1, -1, -1}, /* IdSel 5 unused */
{ 47, 47, 47, 47, 47}, /* IdSel 6 SCSI PCI1 */
Reported by FlawFinder.
Line: 462
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
webbrick_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
static char irq_tab[13][5] = {
/*INT INTA INTB INTC INTD */
{ -1, -1, -1, -1, -1}, /* IdSel 7 ISA Bridge */
{ -1, -1, -1, -1, -1}, /* IdSel 8 unused */
{ 29, 29, 29, 29, 29}, /* IdSel 9 21143 #1 */
{ -1, -1, -1, -1, -1}, /* IdSel 10 unused */
Reported by FlawFinder.
Line: 484
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
clipper_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
static char irq_tab[7][5] = {
/*INT INTA INTB INTC INTD */
{ 16+ 8, 16+ 8, 16+ 9, 16+10, 16+11}, /* IdSel 1 slot 1 */
{ 16+12, 16+12, 16+13, 16+14, 16+15}, /* IdSel 2 slot 2 */
{ 16+16, 16+16, 16+17, 16+18, 16+19}, /* IdSel 3 slot 3 */
{ 16+20, 16+20, 16+21, 16+22, 16+23}, /* IdSel 4 slot 4 */
Reported by FlawFinder.
block/partitions/amiga.c
4 issues
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int start_sect, nr_sects, blk, part, res = 0;
int blksize = 1; /* Multiplier for disk block size */
int slot = 1;
char b[BDEVNAME_SIZE];
for (blk = 0; ; blk++, put_dev_sector(sect)) {
if (blk == RDB_ALLOCATION_LIMIT)
goto rdb_done;
data = read_part_sector(state, blk, §);
Reported by FlawFinder.
Line: 74
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
blksize = be32_to_cpu( rdb->rdb_BlockBytes ) / 512;
{
char tmp[7 + 10 + 1 + 1];
/* Be more informative */
snprintf(tmp, sizeof(tmp), " RDSK (%d)", blksize * 512);
strlcat(state->pp_buf, tmp, PAGE_SIZE);
}
Reported by FlawFinder.
Line: 114
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
put_partition(state,slot++,start_sect,nr_sects);
{
/* Be even more informative to aid mounting */
char dostype[4];
char tmp[42];
__be32 *dt = (__be32 *)dostype;
*dt = pb->pb_Environment[16];
if (dostype[3] < ' ')
Reported by FlawFinder.
Line: 115
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
/* Be even more informative to aid mounting */
char dostype[4];
char tmp[42];
__be32 *dt = (__be32 *)dostype;
*dt = pb->pb_Environment[16];
if (dostype[3] < ' ')
snprintf(tmp, sizeof(tmp), " (%c%c%c^%c)",
Reported by FlawFinder.
arch/x86/kernel/cpu/mce/apei.c
4 issues
Line: 151
CWE codes:
570
rcd.hdr.record_id = cper_next_record_id();
rcd.hdr.flags = CPER_HW_ERROR_FLAGS_PREVERR;
rcd.sec_hdr.section_offset = (void *)&rcd.mce - (void *)&rcd;
rcd.sec_hdr.section_length = sizeof(rcd.mce);
rcd.sec_hdr.revision = CPER_SEC_REV;
/* fru_id and fru_text is invalid */
rcd.sec_hdr.validation_bits = 0;
rcd.sec_hdr.flags = CPER_SEC_PRIMARY;
Reported by Cppcheck.
Line: 138
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct cper_mce_record rcd;
memset(&rcd, 0, sizeof(rcd));
memcpy(rcd.hdr.signature, CPER_SIG_RECORD, CPER_SIG_SIZE);
rcd.hdr.revision = CPER_RECORD_REV;
rcd.hdr.signature_end = CPER_SIG_END;
rcd.hdr.section_count = 1;
rcd.hdr.error_severity = CPER_SEV_FATAL;
/* timestamp, platform_id, partition_id are all invalid */
Reported by FlawFinder.
Line: 160
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
rcd.sec_hdr.section_type = CPER_SECTION_TYPE_MCE;
rcd.sec_hdr.section_severity = CPER_SEV_FATAL;
memcpy(&rcd.mce, m, sizeof(*m));
return erst_write(&rcd.hdr);
}
ssize_t apei_read_mce(struct mce *m, u64 *record_id)
Reported by FlawFinder.
Line: 190
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
else if (rc != sizeof(rcd) ||
!guid_equal(&rcd.hdr.creator_id, &CPER_CREATOR_MCE))
goto retry;
memcpy(m, &rcd.mce, sizeof(*m));
rc = sizeof(*m);
out:
erst_get_record_id_end();
return rc;
Reported by FlawFinder.
arch/alpha/kernel/sys_sable.c
4 issues
Line: 36
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct irq_swizzle_struct
{
char irq_to_mask[64];
char mask_to_irq[64];
/* Note mask bit is true for DISABLED irqs. */
unsigned long shadow_mask;
Reported by FlawFinder.
Line: 37
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
typedef struct irq_swizzle_struct
{
char irq_to_mask[64];
char mask_to_irq[64];
/* Note mask bit is true for DISABLED irqs. */
unsigned long shadow_mask;
void (*update_irq_hw)(unsigned long bit, unsigned long mask);
Reported by FlawFinder.
Line: 198
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
sable_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
static char irq_tab[9][5] = {
/*INT INTA INTB INTC INTD */
{ 32+0, 32+0, 32+0, 32+0, 32+0}, /* IdSel 0, TULIP */
{ 32+1, 32+1, 32+1, 32+1, 32+1}, /* IdSel 1, SCSI */
{ -1, -1, -1, -1, -1}, /* IdSel 2, SIO */
{ -1, -1, -1, -1, -1}, /* IdSel 3, none */
Reported by FlawFinder.
Line: 380
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int
lynx_map_irq(const struct pci_dev *dev, u8 slot, u8 pin)
{
static char irq_tab[19][5] = {
/*INT INTA INTB INTC INTD */
{ -1, -1, -1, -1, -1}, /* IdSel 13, PCEB */
{ -1, -1, -1, -1, -1}, /* IdSel 14, PPB */
{ 28, 28, 28, 28, 28}, /* IdSel 15, NCR demi */
{ -1, -1, -1, -1, -1}, /* IdSel 16, none */
Reported by FlawFinder.
arch/s390/include/asm/ap.h
4 issues
Line: 168
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int qact : 1; /* C bit */
unsigned int rc8a : 1; /* R bit */
unsigned char _reserved1 : 4;
unsigned char _reserved2[3];
unsigned char Na; /* max # of APs - 1 */
unsigned char Nd; /* max # of Domains - 1 */
unsigned char _reserved3[10];
unsigned int apm[8]; /* AP ID mask */
unsigned int aqm[8]; /* AP (usage) queue mask */
Reported by FlawFinder.
Line: 171
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char _reserved2[3];
unsigned char Na; /* max # of APs - 1 */
unsigned char Nd; /* max # of Domains - 1 */
unsigned char _reserved3[10];
unsigned int apm[8]; /* AP ID mask */
unsigned int aqm[8]; /* AP (usage) queue mask */
unsigned int adm[8]; /* AP (control) domain mask */
unsigned char _reserved4[16];
} __aligned(8);
Reported by FlawFinder.
Line: 175
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int apm[8]; /* AP ID mask */
unsigned int aqm[8]; /* AP (usage) queue mask */
unsigned int adm[8]; /* AP (control) domain mask */
unsigned char _reserved4[16];
} __aligned(8);
/**
* ap_qci(): Get AP configuration data
*
Reported by FlawFinder.
Line: 271
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned int : 26;
unsigned int cat : 8;
unsigned int : 8;
unsigned char ver[2];
};
};
/**
* ap_qact(): Query AP combatibility type.
Reported by FlawFinder.
arch/powerpc/kvm/book3s_hv.c
4 issues
Line: 2531
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct debugfs_timings_state {
struct kvm_vcpu *vcpu;
unsigned int buflen;
char buf[N_TIMINGS * 100];
};
static int debugfs_timings_open(struct inode *inode, struct file *file)
{
struct kvm_vcpu *vcpu = inode->i_private;
Reported by FlawFinder.
Line: 2642
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Create a debugfs directory for the vcpu */
static void debugfs_vcpu_init(struct kvm_vcpu *vcpu, unsigned int id)
{
char buf[16];
struct kvm *kvm = vcpu->kvm;
snprintf(buf, sizeof(buf), "vcpu%u", id);
vcpu->arch.debugfs_dir = debugfs_create_dir(buf, kvm->arch.debugfs_dir);
debugfs_create_file("timings", 0444, vcpu->arch.debugfs_dir, vcpu,
Reported by FlawFinder.
Line: 5100
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int kvmppc_core_init_vm_hv(struct kvm *kvm)
{
unsigned long lpcr, lpid;
char buf[32];
int ret;
mutex_init(&kvm->arch.uvmem_lock);
INIT_LIST_HEAD(&kvm->arch.uvmem_pfns);
mutex_init(&kvm->arch.mmu_setup_lock);
Reported by FlawFinder.
Line: 2604
Column: 9
CWE codes:
126
tb_to_ns(tb.tb_total),
tb_to_ns(tb.tb_min),
tb_to_ns(tb.tb_max));
s += strlen(s);
}
p->buflen = s - p->buf;
}
pos = *ppos;
Reported by FlawFinder.