The following issues were found
arch/arm64/kernel/traps.c
4 issues
Line: 862
#ifdef CONFIG_VMAP_STACK
DEFINE_PER_CPU(unsigned long [OVERFLOW_STACK_SIZE/sizeof(long)], overflow_stack)
__aligned(16);
void panic_bad_stack(struct pt_regs *regs, unsigned int esr, unsigned long far)
{
unsigned long tsk_stk = (unsigned long)current->stack;
Reported by Cppcheck.
Line: 164
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
bad = aarch64_insn_read(&((u32 *)addr)[i], &val);
if (!bad)
p += sprintf(p, i == 0 ? "(%08x) " : "%08x ", val);
else {
p += sprintf(p, "bad PC value");
break;
}
}
Reported by FlawFinder.
Line: 152
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void dump_kernel_instr(const char *lvl, struct pt_regs *regs)
{
unsigned long addr = instruction_pointer(regs);
char str[sizeof("00000000 ") * 5 + 2 + 1], *p = str;
int i;
if (user_mode(regs))
return;
Reported by FlawFinder.
Line: 166
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (!bad)
p += sprintf(p, i == 0 ? "(%08x) " : "%08x ", val);
else {
p += sprintf(p, "bad PC value");
break;
}
}
printk("%sCode: %s\n", lvl, str);
Reported by FlawFinder.
arch/arm64/kernel/vdso.c
4 issues
Line: 305
CWE codes:
570
static int aarch32_alloc_kuser_vdso_page(void)
{
extern char __kuser_helper_start[], __kuser_helper_end[];
int kuser_sz = __kuser_helper_end - __kuser_helper_start;
unsigned long vdso_page;
if (!IS_ENABLED(CONFIG_KUSER_HELPERS))
return 0;
Reported by Cppcheck.
Line: 325
CWE codes:
570
static int aarch32_alloc_sigpage(void)
{
extern char __aarch32_sigret_code_start[], __aarch32_sigret_code_end[];
int sigret_sz = __aarch32_sigret_code_end - __aarch32_sigret_code_start;
__le32 poison = cpu_to_le32(COMPAT_SIGPAGE_POISON_WORD);
void *sigpage;
sigpage = (void *)__get_free_page(GFP_KERNEL);
if (!sigpage)
Reported by Cppcheck.
Line: 315
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!vdso_page)
return -ENOMEM;
memcpy((void *)(vdso_page + 0x1000 - kuser_sz), __kuser_helper_start,
kuser_sz);
aarch32_vectors_page = virt_to_page(vdso_page);
return 0;
}
Reported by FlawFinder.
Line: 334
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
memset32(sigpage, (__force u32)poison, PAGE_SIZE / sizeof(poison));
memcpy(sigpage, __aarch32_sigret_code_start, sigret_sz);
aarch32_sig_page = virt_to_page(sigpage);
return 0;
}
static int __init __aarch32_alloc_vdso_pages(void)
Reported by FlawFinder.
arch/x86/kernel/apic/x2apic_uv_x.c
4 issues
Line: 1005
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long mmr, nasid_mask;
int nasid, min_nasid, max_nasid, lnasid, mapped;
int i, fi, li, n, max_io;
char id[8];
/* One (UV2) mapping */
if (index == UV2_MMIOH) {
strncpy(id, "MMIOH", sizeof(id));
max_io = max_pnode;
Reported by FlawFinder.
Line: 292
Column: 2
CWE codes:
120
static void __init uv_stringify(int len, char *to, char *from)
{
/* Relies on 'to' being NULL chars so result will be NULL terminated */
strncpy(to, from, len-1);
/* Trim trailing spaces */
(void)strim(to);
}
Reported by FlawFinder.
Line: 319
Column: 10
CWE codes:
126
static int __init decode_arch_type(unsigned long ptr)
{
struct uv_arch_type_entry *uv_ate = (struct uv_arch_type_entry *)ptr;
int n = strlen(uv_ate->archtype);
if (n > 0 && n < sizeof(uv_ate->archtype)) {
pr_info("UV: UVarchtype received from BIOS\n");
uv_stringify(sizeof(uv_archtype), uv_archtype, uv_ate->archtype);
return 1;
Reported by FlawFinder.
Line: 1009
Column: 3
CWE codes:
120
/* One (UV2) mapping */
if (index == UV2_MMIOH) {
strncpy(id, "MMIOH", sizeof(id));
max_io = max_pnode;
mapped = 0;
goto map_exit;
}
Reported by FlawFinder.
arch/arm64/kvm/sys_regs.c
4 issues
Line: 2810
CWE codes:
908
* value of 0b000, the values of Ctype4 to Ctype7 must be
* ignored.
*/
get_clidr_el1(NULL, &clidr); /* Ugly... */
cache_levels = clidr.val;
for (i = 0; i < 7; i++)
if (((cache_levels >> (i*3)) & 7) == 0)
break;
/* Clear all higher bits. */
Reported by Cppcheck.
Line: 2811
CWE codes:
908
* ignored.
*/
get_clidr_el1(NULL, &clidr); /* Ugly... */
cache_levels = clidr.val;
for (i = 0; i < 7; i++)
if (((cache_levels >> (i*3)) & 7) == 0)
break;
/* Clear all higher bits. */
cache_levels &= (1 << (i*3))-1;
Reported by Cppcheck.
Line: 2149
Column: 13
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* that we don't know how to handle. This certainly qualifies
* as a gross bug that should be fixed right away.
*/
BUG_ON(!r->access);
/* Skip instruction if instructed so */
if (likely(r->access(vcpu, params, r)))
kvm_incr_pc(vcpu);
}
Reported by FlawFinder.
Line: 2152
Column: 16
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
BUG_ON(!r->access);
/* Skip instruction if instructed so */
if (likely(r->access(vcpu, params, r)))
kvm_incr_pc(vcpu);
}
/*
* emulate_cp -- tries to match a sys_reg access in a handling table, and
Reported by FlawFinder.
arch/x86/kernel/apic/io_apic.c
4 issues
Line: 1057
CWE codes:
908
} else {
ioapic_copy_alloc_attr(&tmp, info, gsi, ioapic, pin);
if (legacy)
irq = alloc_isa_irq_from_domain(domain, irq,
ioapic, pin, &tmp);
else if ((irq = irq_find_mapping(domain, pin)) == 0)
irq = alloc_irq_from_domain(domain, ioapic, gsi, &tmp);
else if (!mp_check_pin_attr(irq, &tmp))
irq = -EBUSY;
Reported by Cppcheck.
Line: 1070
CWE codes:
908
}
mutex_unlock(&ioapic_mutex);
return irq;
}
static int pin_2_irq(int idx, int ioapic, int pin, unsigned int flags)
{
u32 gsi = mp_pin_to_gsi(ioapic, pin);
Reported by Cppcheck.
Line: 216
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return;
}
memcpy(&mp_irqs[mp_irq_entries], m, sizeof(*m));
if (++mp_irq_entries == MAX_IRQ_SOURCES)
panic("Max # of irq sources exceeded!!\n");
}
static void alloc_ioapic_saved_registers(int idx)
Reported by FlawFinder.
Line: 1232
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void io_apic_print_entries(unsigned int apic, unsigned int nr_entries)
{
struct IO_APIC_route_entry entry;
char buf[256];
int i;
printk(KERN_DEBUG "IOAPIC %d:\n", apic);
for (i = 0; i <= nr_entries; i++) {
entry = ioapic_read_entry(apic, i);
Reported by FlawFinder.
block/cmdline-parser.c
4 issues
Line: 97
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int length;
struct cmdline_subpart **next_subpart;
struct cmdline_parts *newparts;
char buf[BDEVNAME_SIZE + 32 + 4];
*parts = NULL;
newparts = kzalloc(sizeof(struct cmdline_parts), GFP_KERNEL);
if (!newparts)
Reported by FlawFinder.
Line: 53
Column: 3
CWE codes:
120
length = min_t(int, next - partdef,
sizeof(new_subpart->name) - 1);
strncpy(new_subpart->name, partdef, length);
new_subpart->name[length] = '\0';
partdef = ++next;
} else
new_subpart->name[0] = '\0';
Reported by FlawFinder.
Line: 112
Column: 2
CWE codes:
120
}
length = min_t(int, next - bdevdef, sizeof(newparts->name) - 1);
strncpy(newparts->name, bdevdef, length);
newparts->name[length] = '\0';
newparts->nr_subparts = 0;
next_subpart = &newparts->subpart;
Reported by FlawFinder.
Line: 125
Column: 3
CWE codes:
120
length = (!next) ? (sizeof(buf) - 1) :
min_t(int, next - bdevdef, sizeof(buf) - 1);
strncpy(buf, bdevdef, length);
buf[length] = '\0';
ret = parse_subpart(next_subpart, buf);
if (ret)
goto fail;
Reported by FlawFinder.
arch/arm64/kvm/vgic/vgic-mmio.c
4 issues
Line: 957
Column: 18
CWE codes:
120
20
if (region->uaccess_read)
*val = region->uaccess_read(r_vcpu, addr, sizeof(u32));
else
*val = region->read(r_vcpu, addr, sizeof(u32));
return 0;
}
static int vgic_uaccess_write(struct kvm_vcpu *vcpu, struct vgic_io_device *iodev,
Reported by FlawFinder.
Line: 1007
Column: 18
CWE codes:
120
20
switch (iodev->iodev_type) {
case IODEV_CPUIF:
data = region->read(vcpu, addr, len);
break;
case IODEV_DIST:
data = region->read(vcpu, addr, len);
break;
case IODEV_REDIST:
Reported by FlawFinder.
Line: 1010
Column: 18
CWE codes:
120
20
data = region->read(vcpu, addr, len);
break;
case IODEV_DIST:
data = region->read(vcpu, addr, len);
break;
case IODEV_REDIST:
data = region->read(iodev->redist_vcpu, addr, len);
break;
case IODEV_ITS:
Reported by FlawFinder.
Line: 1013
Column: 18
CWE codes:
120
20
data = region->read(vcpu, addr, len);
break;
case IODEV_REDIST:
data = region->read(iodev->redist_vcpu, addr, len);
break;
case IODEV_ITS:
data = region->its_read(vcpu->kvm, iodev->its, addr, len);
break;
}
Reported by FlawFinder.
arch/x86/include/asm/uv/bios.h
4 issues
Line: 91
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define UV_AT_SIZE 8 /* 7 character arch type + NULL char */
struct uv_arch_type_entry {
char archtype[UV_AT_SIZE];
};
#define UV_SYSTAB_SIG "UVST"
#define UV_SYSTAB_VERSION_1 1 /* UV2/3 BIOS version */
#define UV_SYSTAB_VERSION_UV4 0x400 /* UV4 BIOS base version */
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* capabilities available to the Linux kernel at runtime.
*/
struct uv_systab {
char signature[4]; /* must be UV_SYSTAB_SIG */
u32 revision; /* distinguish different firmware revs */
u64 function; /* BIOS runtime callback function ptr */
u32 size; /* systab size (starting with _VERSION_UV4) */
struct {
u32 type:8; /* type of entry */
Reported by FlawFinder.
Line: 141
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long long reserved;
} b;
} f;
char name[UV_BIOS_MAXSTRING];
char location[UV_BIOS_MAXSTRING];
unsigned int ports;
};
struct uv_bios_port_info {
Reported by FlawFinder.
Line: 142
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} b;
} f;
char name[UV_BIOS_MAXSTRING];
char location[UV_BIOS_MAXSTRING];
unsigned int ports;
};
struct uv_bios_port_info {
unsigned int port;
Reported by FlawFinder.
arch/powerpc/kernel/rtas.c
4 issues
Line: 65
Column: 1
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
DEFINE_SPINLOCK(rtas_data_buf_lock);
EXPORT_SYMBOL(rtas_data_buf_lock);
char rtas_data_buf[RTAS_DATA_BUF_SIZE] __cacheline_aligned;
EXPORT_SYMBOL(rtas_data_buf);
unsigned long rtas_rmo_buf;
/*
Reported by FlawFinder.
Line: 365
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
EXPORT_SYMBOL(rtas_get_error_log_max);
static char rtas_err_buf[RTAS_ERROR_LOG_MAX];
static int rtas_last_error_token;
/** Return a copy of the detailed error text associated with the
* most recent failed call to rtas. Because the error text
* might go stale if there are any other intervening rtas calls,
Reported by FlawFinder.
Line: 410
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
buf = kmalloc(RTAS_ERROR_LOG_MAX, GFP_ATOMIC);
}
if (buf)
memcpy(buf, rtas_err_buf, RTAS_ERROR_LOG_MAX);
}
return buf;
}
Reported by FlawFinder.
Line: 782
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
/* Must be in the RMO region, so we place it here */
static char rtas_os_term_buf[2048];
void rtas_os_term(char *str)
{
int status;
Reported by FlawFinder.
arch/x86/include/asm/desc.h
4 issues
Line: 139
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
{
memcpy(&idt[entry], gate, sizeof(*gate));
}
static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
{
memcpy(&ldt[entry], desc, 8);
Reported by FlawFinder.
Line: 144
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
{
memcpy(&ldt[entry], desc, 8);
}
static inline void
native_write_gdt_entry(struct desc_struct *gdt, int entry, const void *desc, int type)
{
Reported by FlawFinder.
Line: 158
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
default: size = sizeof(*gdt); break;
}
memcpy(&gdt[entry], desc, size);
}
static inline void set_tssldt_descriptor(void *d, unsigned long addr,
unsigned type, unsigned size)
{
Reported by FlawFinder.
Line: 308
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct desc_struct *d = get_current_gdt_rw();
tss_desc tss;
memcpy(&tss, &d[GDT_ENTRY_TSS], sizeof(tss_desc));
/*
* LTR requires an available TSS, and the TSS is currently
* busy. Make it be available so that LTR will work.
*/
Reported by FlawFinder.