The following issues were found
arch/powerpc/kernel/process.c
4 issues
Line: 870
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void __set_breakpoint(int nr, struct arch_hw_breakpoint *brk)
{
memcpy(this_cpu_ptr(&current_brk[nr]), brk, sizeof(*brk));
if (dawr_enabled())
// Power8 or later
set_dawr(nr, brk);
else if (IS_ENABLED(CONFIG_PPC_8xx))
Reported by FlawFinder.
Line: 941
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* or reclaim will. Similarly for VMX.
*/
if ((thr->ckpt_regs.msr & MSR_FP) == 0)
memcpy(&thr->ckfp_state, &thr->fp_state,
sizeof(struct thread_fp_state));
if ((thr->ckpt_regs.msr & MSR_VEC) == 0)
memcpy(&thr->ckvr_state, &thr->vr_state,
sizeof(struct thread_vr_state));
}
Reported by FlawFinder.
Line: 944
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&thr->ckfp_state, &thr->fp_state,
sizeof(struct thread_fp_state));
if ((thr->ckpt_regs.msr & MSR_VEC) == 0)
memcpy(&thr->ckvr_state, &thr->vr_state,
sizeof(struct thread_vr_state));
}
void tm_reclaim_current(uint8_t cause)
{
Reported by FlawFinder.
Line: 1367
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned long pc;
int n = NR_INSN_TO_PRINT;
struct seq_buf s;
char buf[96]; /* enough for 8 times 9 + 2 chars */
pc = regs->nip - (NR_INSN_TO_PRINT * 3 / 4 * sizeof(int));
seq_buf_init(&s, buf, sizeof(buf));
Reported by FlawFinder.
arch/powerpc/mm/book3s64/hash_4k.c
4 issues
Line: 19
Column: 52
CWE codes:
362/367!
Suggestion:
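Set up the correct permissions (e.g., using setuid()) and try to open the file directly
Triage note: in the excerpts shown for this file, `access` is an `unsigned long` parameter of __hash_page_4K() that is tested and passed on to other functions. None of the excerpts calls access(2), so the file-permission race this suggestion describes (CWE-362/367) does not apply to the four findings listed for this file.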
#include <asm/machdep.h>
#include <asm/mmu.h>
int __hash_page_4K(unsigned long ea, unsigned long access, unsigned long vsid,
pte_t *ptep, unsigned long trap, unsigned long flags,
int ssize, int subpg_prot)
{
real_pte_t rpte;
unsigned long hpte_group;
Reported by FlawFinder.
Line: 41
Column: 34
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
if (unlikely(old_pte & H_PAGE_BUSY))
return 0;
/* If PTE permissions don't match, take page fault */
if (unlikely(!check_pte_access(access, old_pte)))
return 1;
/*
* Try to lock the PTE, add ACCESSED and DIRTY if it was
* a write access. Since this is 4K insert of 64K page size
* also add H_PAGE_COMBO
Reported by FlawFinder.
Line: 49
Column: 7
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
* also add H_PAGE_COMBO
*/
new_pte = old_pte | H_PAGE_BUSY | _PAGE_ACCESSED;
if (access & _PAGE_WRITE)
new_pte |= _PAGE_DIRTY;
} while (!pte_xchg(ptep, __pte(old_pte), __pte(new_pte)));
/*
* PP bits. _PAGE_USER is already PP bit 0x2, so we only
Reported by FlawFinder.
Line: 115
Column: 27
CWE codes:
362/367!
Suggestion:
Set up the correct permissions (e.g., using setuid()) and try to open the file directly
*/
if (unlikely(slot == -2)) {
*ptep = __pte(old_pte);
hash_failure_debug(ea, access, vsid, trap, ssize,
MMU_PAGE_4K, MMU_PAGE_4K, old_pte);
return -1;
}
new_pte = (new_pte & ~_PAGE_HPTEFLAGS) | H_PAGE_HASHPTE;
new_pte |= pte_set_hidx(ptep, rpte, 0, slot, PTRS_PER_PTE);
Reported by FlawFinder.
block/blk-mq-debugfs.c
4 issues
Line: 150
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
struct request_queue *q = data;
char opbuf[16] = { }, *op;
/*
* The "state" attribute is removed after blk_cleanup_queue() has called
* blk_mq_free_queue(). Return if QUEUE_FLAG_DEAD has been set to avoid
* triggering a use-after-free.
Reported by FlawFinder.
Line: 866
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct blk_mq_ctx *ctx)
{
struct dentry *ctx_dir;
char name[20];
snprintf(name, sizeof(name), "cpu%u", ctx->cpu);
ctx_dir = debugfs_create_dir(name, hctx->debugfs_dir);
debugfs_create_files(ctx_dir, ctx, blk_mq_debugfs_ctx_attrs);
Reported by FlawFinder.
Line: 878
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct blk_mq_hw_ctx *hctx)
{
struct blk_mq_ctx *ctx;
char name[20];
int i;
snprintf(name, sizeof(name), "hctx%u", hctx->queue_num);
hctx->debugfs_dir = debugfs_create_dir(name, q->debugfs_dir);
Reported by FlawFinder.
Line: 662
Column: 16
CWE codes:
120
20
}
/*
 * NOTE(review): "default", "read" and "poll" are arguments to
 * CTX_RQ_SEQ_OPS (presumably a macro; its definition is not part of this
 * excerpt), not calls to read() or poll(). The column-16 finding reported
 * for this excerpt appears to point at the "read" token, so confirm what
 * the macro expands to before treating it as an I/O call.
 */
CTX_RQ_SEQ_OPS(default, HCTX_TYPE_DEFAULT);
CTX_RQ_SEQ_OPS(read, HCTX_TYPE_READ);
CTX_RQ_SEQ_OPS(poll, HCTX_TYPE_POLL);
static int ctx_dispatched_show(void *data, struct seq_file *m)
{
struct blk_mq_ctx *ctx = data;
Reported by FlawFinder.
arch/x86/crypto/camellia_glue.c
4 issues
Line: 1220
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void camellia_setup192(const unsigned char *key, u64 *subkey)
{
unsigned char kk[32];
u64 krl, krr;
memcpy(kk, key, 24);
memcpy((unsigned char *)&krl, key+16, 8);
krr = ~krl;
Reported by FlawFinder.
Line: 1223
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned char kk[32];
u64 krl, krr;
memcpy(kk, key, 24);
memcpy((unsigned char *)&krl, key+16, 8);
krr = ~krl;
memcpy(kk+24, (unsigned char *)&krr, 8);
camellia_setup256(kk, subkey);
}
Reported by FlawFinder.
Line: 1224
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u64 krl, krr;
memcpy(kk, key, 24);
memcpy((unsigned char *)&krl, key+16, 8);
krr = ~krl;
memcpy(kk+24, (unsigned char *)&krr, 8);
camellia_setup256(kk, subkey);
}
Reported by FlawFinder.
Line: 1226
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(kk, key, 24);
memcpy((unsigned char *)&krl, key+16, 8);
krr = ~krl;
memcpy(kk+24, (unsigned char *)&krr, 8);
camellia_setup256(kk, subkey);
}
int __camellia_setkey(struct camellia_ctx *cctx, const unsigned char *key,
unsigned int key_len)
Reported by FlawFinder.
arch/nds32/kernel/traps.c
4 issues
Line: 34
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
for (first = bottom & ~31; first < top; first += 32) {
unsigned long p;
char str[sizeof(" 12345678") * 8 + 1];
memset(str, ' ', sizeof(str));
str[sizeof(str) - 1] = '\0';
for (p = first, i = 0; i < 8 && p < top; i++, p += 4) {
Reported by FlawFinder.
Line: 45
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (get_kernel_nofault(val,
(unsigned long *)p) == 0)
sprintf(str + i * 9, " %08lx", val);
else
sprintf(str + i * 9, " ????????");
}
}
pr_emerg("%s%04lx:%s\n", lvl, first & 0xffff, str);
Reported by FlawFinder.
Line: 47
Column: 6
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
(unsigned long *)p) == 0)
sprintf(str + i * 9, " %08lx", val);
else
sprintf(str + i * 9, " ????????");
}
}
pr_emerg("%s%04lx:%s\n", lvl, first & 0xffff, str);
}
}
Reported by FlawFinder.
Line: 196
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long ivb = 0;
unsigned long base = PAGE_OFFSET;
memcpy((unsigned long *)base, (unsigned long *)&exception_vector,
((unsigned long)&exception_vector_end -
(unsigned long)&exception_vector));
ivb = __nds32__mfsr(NDS32_SR_IVB);
/* Check platform support. */
if (((ivb & IVB_mskNIVIC) >> IVB_offNIVIC) < 2)
Reported by FlawFinder.
arch/x86/boot/string.h
4 issues
Line: 6
Column: 8
CWE codes:
120
Suggestion:
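Make sure destination can always hold the source data
Triage note: line 6 of this header is the `#undef memcpy` directive, and the findings at lines 10 and 15 land on the memcpy() prototype and the `#define memcpy(d,s,l)` wrapper. None of the three is a copy with a destination buffer to size.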
#define BOOT_STRING_H
/* Undef any of these macros coming from string_32.h. */
#undef memcpy
#undef memset
#undef memcmp
void *memcpy(void *dst, const void *src, size_t len);
void *memset(void *dst, int c, size_t len);
Reported by FlawFinder.
Line: 10
Column: 7
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#undef memset
#undef memcmp
void *memcpy(void *dst, const void *src, size_t len);
void *memset(void *dst, int c, size_t len);
int memcmp(const void *s1, const void *s2, size_t len);
/* Access builtin version by default. */
#define memcpy(d,s,l) __builtin_memcpy(d,s,l)
Reported by FlawFinder.
Line: 15
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
int memcmp(const void *s1, const void *s2, size_t len);
/* Access builtin version by default. */
#define memcpy(d,s,l) __builtin_memcpy(d,s,l)
#define memset(d,c,l) __builtin_memset(d,c,l)
#define memcmp __builtin_memcmp
extern int strcmp(const char *str1, const char *str2);
extern int strncmp(const char *cs, const char *ct, size_t count);
Reported by FlawFinder.
Line: 21
Column: 15
CWE codes:
126
extern int strcmp(const char *str1, const char *str2);
extern int strncmp(const char *cs, const char *ct, size_t count);
extern size_t strlen(const char *s);
extern char *strstr(const char *s1, const char *s2);
extern char *strchr(const char *s, int c);
extern size_t strnlen(const char *s, size_t maxlen);
extern unsigned int atou(const char *s);
extern unsigned long long simple_strtoull(const char *cp, char **endp,
Reported by FlawFinder.
arch/ia64/kernel/efi.c
4 issues
Line: 570
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
const char *unit;
unsigned long size;
char buf[64];
md = p;
size = md->num_pages << EFI_PAGE_SHIFT;
if ((size >> 40) > 0) {
Reported by FlawFinder.
Line: 927
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
char *s, name[] = "ConOut";
efi_guid_t guid = EFI_GLOBAL_VARIABLE_GUID;
efi_char16_t *utf16, name_utf16[32];
unsigned char data[1024];
unsigned long size = sizeof(data);
struct efi_generic_dev_path *hdr, *end_addr;
int uart = 0;
/* Convert to UTF-16 */
Reported by FlawFinder.
Line: 1356
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/*
 * Append "MPS=0x...\n" and "HCDP=0x...\n" lines to the buffer at @str,
 * each only when the matching table address is not EFI_INVALID_TABLE_ADDR.
 *
 * @str: current write position in a caller-owned buffer; no size is passed.
 *
 * Returns the write position advanced past whatever was written.
 *
 * NOTE(review): sprintf() cannot bound these writes because the function
 * never learns how much room is left. Each line is a short fixed prefix
 * plus the hex digits of one value printed with %lx, so the output length
 * is limited, but whether it fits depends on the caller's buffer, which is
 * not visible in this excerpt. Confirm against the caller before closing
 * the CWE-120 finding.
 */
char *efi_systab_show_arch(char *str)
{
if (mps_phys != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "MPS=0x%lx\n", mps_phys);
if (hcdp_phys != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "HCDP=0x%lx\n", hcdp_phys);
return str;
}
Reported by FlawFinder.
Line: 1358
Column: 10
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
if (mps_phys != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "MPS=0x%lx\n", mps_phys);
if (hcdp_phys != EFI_INVALID_TABLE_ADDR)
str += sprintf(str, "HCDP=0x%lx\n", hcdp_phys);
return str;
}
Reported by FlawFinder.
arch/x86/boot/string.c
4 issues
Line: 28
Column: 8
CWE codes:
120
Suggestion:
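Make sure destination can always hold the source data
Triage note: the flagged token sits in the `#undef memcpy` directive shown below, which performs no copy.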
* here will have the correct names regardless of how string.h
* may have chosen to #define them.
*/
#undef memcpy
#undef memset
#undef memcmp
int memcmp(const void *s1, const void *s2, size_t len)
{
Reported by FlawFinder.
Line: 157
Column: 8
CWE codes:
126
* strlen - Find the length of a string
* @s: The string to be sized
*/
size_t strlen(const char *s)
{
const char *sc;
for (sc = s; *sc != '\0'; ++sc)
/* nothing */;
Reported by FlawFinder.
Line: 175
Column: 7
CWE codes:
126
{
size_t l1, l2;
l2 = strlen(s2);
if (!l2)
return (char *)s1;
l1 = strlen(s1);
while (l1 >= l2) {
l1--;
Reported by FlawFinder.
Line: 178
Column: 7
CWE codes:
126
l2 = strlen(s2);
if (!l2)
return (char *)s1;
l1 = strlen(s1);
while (l1 >= l2) {
l1--;
if (!memcmp(s1, s2, l2))
return (char *)s1;
s1++;
Reported by FlawFinder.
arch/arm/mach-omap2/cminst44xx.c
4 issues
Line: 65
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
*/
static void omap_cm_base_init(void)
{
/*
 * Fill one _cm_bases[] slot per partition from the matching base variable.
 *
 * NOTE(review): every copy length is sizeof() of the source object, and
 * every index is a named constant. The copies stay in bounds only if each
 * source has the same size as a _cm_bases[] element and the array has a
 * slot for every partition index; neither declaration is visible in this
 * excerpt, so confirm both before closing the CWE-120 findings.
 */
memcpy(&_cm_bases[OMAP4430_PRM_PARTITION], &prm_base, sizeof(prm_base));
memcpy(&_cm_bases[OMAP4430_CM1_PARTITION], &cm_base, sizeof(cm_base));
memcpy(&_cm_bases[OMAP4430_CM2_PARTITION], &cm2_base, sizeof(cm2_base));
memcpy(&_cm_bases[OMAP4430_PRCM_MPU_PARTITION], &prcm_mpu_base,
sizeof(prcm_mpu_base));
}
Reported by FlawFinder.
Line: 66
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void omap_cm_base_init(void)
{
/*
 * Copies four base variables into their partition slots in _cm_bases[].
 *
 * NOTE(review): the length of each memcpy() is taken from the source
 * object, not from the destination slot. Whether a slot can hold it
 * depends on the declarations of _cm_bases[] and the *_base variables,
 * which this excerpt does not show -- verify they share one type.
 */
memcpy(&_cm_bases[OMAP4430_PRM_PARTITION], &prm_base, sizeof(prm_base));
memcpy(&_cm_bases[OMAP4430_CM1_PARTITION], &cm_base, sizeof(cm_base));
memcpy(&_cm_bases[OMAP4430_CM2_PARTITION], &cm2_base, sizeof(cm2_base));
memcpy(&_cm_bases[OMAP4430_PRCM_MPU_PARTITION], &prcm_mpu_base,
sizeof(prcm_mpu_base));
}
Reported by FlawFinder.
Line: 67
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
{
memcpy(&_cm_bases[OMAP4430_PRM_PARTITION], &prm_base, sizeof(prm_base));
memcpy(&_cm_bases[OMAP4430_CM1_PARTITION], &cm_base, sizeof(cm_base));
memcpy(&_cm_bases[OMAP4430_CM2_PARTITION], &cm2_base, sizeof(cm2_base));
memcpy(&_cm_bases[OMAP4430_PRCM_MPU_PARTITION], &prcm_mpu_base,
sizeof(prcm_mpu_base));
}
/* Private functions */
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&_cm_bases[OMAP4430_PRM_PARTITION], &prm_base, sizeof(prm_base));
memcpy(&_cm_bases[OMAP4430_CM1_PARTITION], &cm_base, sizeof(cm_base));
memcpy(&_cm_bases[OMAP4430_CM2_PARTITION], &cm2_base, sizeof(cm2_base));
memcpy(&_cm_bases[OMAP4430_PRCM_MPU_PARTITION], &prcm_mpu_base,
sizeof(prcm_mpu_base));
}
/* Private functions */
Reported by FlawFinder.
arch/x86/boot/compressed/sev.c
4 issues
Line: 80
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static enum es_result vc_decode_insn(struct es_em_ctxt *ctxt)
{
char buffer[MAX_INSN_SIZE];
int ret;
memcpy(buffer, (unsigned char *)ctxt->regs->ip, MAX_INSN_SIZE);
ret = insn_decode(&ctxt->insn, buffer, MAX_INSN_SIZE, INSN_MODE_64);
Reported by FlawFinder.
Line: 83
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
char buffer[MAX_INSN_SIZE];
int ret;
memcpy(buffer, (unsigned char *)ctxt->regs->ip, MAX_INSN_SIZE);
ret = insn_decode(&ctxt->insn, buffer, MAX_INSN_SIZE, INSN_MODE_64);
if (ret < 0)
return ES_DECODE_FAILED;
Reported by FlawFinder.
Line: 95
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy @size bytes from @buf to @dst and report success.
 *
 * @ctxt is not used. Nothing here validates @dst or @size and the function
 * always returns ES_OK, so any limit on the copy has to be enforced by the
 * caller, which is not shown in this excerpt.
 */
static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
void *dst, char *buf, size_t size)
{
memcpy(dst, buf, size);
return ES_OK;
}
static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
Reported by FlawFinder.
Line: 103
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
 * Copy @size bytes from @src into @buf and report success.
 *
 * @ctxt is not used. Nothing here validates @src or checks that @buf can
 * hold @size bytes, and the function always returns ES_OK; the caller (not
 * shown in this excerpt) is responsible for passing a matching buffer and
 * length.
 */
static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
void *src, char *buf, size_t size)
{
memcpy(buf, src, size);
return ES_OK;
}
#undef __init
Reported by FlawFinder.