The following issues were found
arch/arm/mach-davinci/board-dm644x-evm.c
4 issues
Line: 395
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
{
char *s = gpio_get_value_cansleep(sw_gpio) ? "on\n" : "off\n";
strcpy(buf, s);
return strlen(s);
}
static DEVICE_ATTR(user_sw, S_IRUGO, sw_show, NULL);
Reported by FlawFinder.
Line: 581
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int dm6444evm_msp430_get_pins(void)
{
static const char txbuf[2] = { 2, 4, };
char buf[4];
struct i2c_msg msg[2] = {
{
.flags = 0,
.len = 2,
Reported by FlawFinder.
Line: 582
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static int dm6444evm_msp430_get_pins(void)
{
static const char txbuf[2] = { 2, 4, };
char buf[4];
struct i2c_msg msg[2] = {
{
.flags = 0,
.len = 2,
.buf = (void __force *)txbuf,
Reported by FlawFinder.
Line: 396
Column: 9
CWE codes:
126
char *s = gpio_get_value_cansleep(sw_gpio) ? "on\n" : "off\n";
strcpy(buf, s);
return strlen(s);
}
static DEVICE_ATTR(user_sw, S_IRUGO, sw_show, NULL);
static int
Reported by FlawFinder.
arch/arm/plat-omap/dma.c
4 issues
Line: 588
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!omap_dma_in_1510_mode() && dma_chan[lch].next_lch != -1) {
int next_lch, cur_lch;
char dma_chan_link_map[MAX_LOGICAL_DMA_CH_COUNT];
/* Set the link register of the first channel */
enable_lnk(lch);
memset(dma_chan_link_map, 0, sizeof(dma_chan_link_map));
Reported by FlawFinder.
Line: 685
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
if (!omap_dma_in_1510_mode() && dma_chan[lch].next_lch != -1) {
int next_lch, cur_lch = lch;
char dma_chan_link_map[MAX_LOGICAL_DMA_CH_COUNT];
memset(dma_chan_link_map, 0, sizeof(dma_chan_link_map));
do {
/* The loop case: we've been here already */
if (dma_chan_link_map[cur_lch])
Reported by FlawFinder.
Line: 879
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int ch, ret = 0;
int dma_irq;
char irq_name[4];
p = pdev->dev.platform_data;
if (!p) {
dev_err(&pdev->dev,
"%s: System DMA initialized without platform data\n",
Reported by FlawFinder.
Line: 919
Column: 4
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
* request_irq() doesn't like dev_id (ie. ch) being
* zero, so we have to kludge around this.
*/
sprintf(&irq_name[0], "%d", ch);
dma_irq = platform_get_irq_byname(pdev, irq_name);
if (dma_irq < 0) {
ret = dma_irq;
goto exit_dma_irq_fail;
Reported by FlawFinder.
arch/parisc/kernel/processor.c
4 issues
Line: 230
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __init collect_boot_cpu_data(void)
{
unsigned long cr16_seed;
char orig_prod_num[64], current_prod_num[64], serial_no[64];
memset(&boot_cpu_data, 0, sizeof(boot_cpu_data));
cr16_seed = get_cycles();
add_device_randomness(&cr16_seed, sizeof(cr16_seed));
Reported by FlawFinder.
Line: 295
Column: 40
CWE codes:
126
printk(KERN_INFO "product %s, original product %s, S/N: %s\n",
current_prod_num[0] ? current_prod_num : "n/a",
orig_prod_num, serial_no);
add_device_randomness(orig_prod_num, strlen(orig_prod_num));
add_device_randomness(current_prod_num, strlen(current_prod_num));
add_device_randomness(serial_no, strlen(serial_no));
}
}
Reported by FlawFinder.
Line: 296
Column: 43
CWE codes:
126
current_prod_num[0] ? current_prod_num : "n/a",
orig_prod_num, serial_no);
add_device_randomness(orig_prod_num, strlen(orig_prod_num));
add_device_randomness(current_prod_num, strlen(current_prod_num));
add_device_randomness(serial_no, strlen(serial_no));
}
}
Reported by FlawFinder.
Line: 297
Column: 36
CWE codes:
126
orig_prod_num, serial_no);
add_device_randomness(orig_prod_num, strlen(orig_prod_num));
add_device_randomness(current_prod_num, strlen(current_prod_num));
add_device_randomness(serial_no, strlen(serial_no));
}
}
/**
Reported by FlawFinder.
arch/alpha/boot/main.c
4 issues
Line: 183
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
nbytes = 0;
}
envval[nbytes] = '\0';
strcpy((char*)ZERO_PGE, envval);
srm_printk(" Ok\nNow booting the kernel\n");
runkernel();
for (i = 0 ; i < 0x100000000 ; i++)
/* nothing */;
Reported by FlawFinder.
Line: 106
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline long openboot(void)
{
char bootdev[256];
long result;
result = callback_getenv(ENV_BOOTED_DEV, bootdev, 255);
if (result < 0)
return result;
Reported by FlawFinder.
Line: 122
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static inline long load(long dev, unsigned long addr, unsigned long count)
{
char bootfile[256];
extern char _end;
long result, boot_size = &_end - (char *) BOOT_ADDR;
result = callback_getenv(ENV_BOOTED_FILE, bootfile, 255);
if (result < 0)
Reported by FlawFinder.
Line: 156
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
long i;
long dev;
int nbytes;
char envval[256];
srm_printk("Linux/AXP bootloader for Linux " UTS_RELEASE "\n");
if (INIT_HWRPB->pagesize != 8192) {
srm_printk("Expected 8kB pages, got %ldkB\n", INIT_HWRPB->pagesize >> 10);
return;
Reported by FlawFinder.
arch/powerpc/platforms/ps3/os-area.c
4 issues
Line: 288
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (tmp) {
BUG_ON(prop->length != tmp->length);
memcpy(prop->value, tmp->value, prop->length);
} else
pr_debug("%s:%d not found %s\n", __func__, __LINE__,
prop->name);
}
Reported by FlawFinder.
Line: 309
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void _dump_header(const struct os_area_header *h, const char *func,
int line)
{
char str[sizeof(h->magic_num) + 1];
dump_field(str, h->magic_num, sizeof(h->magic_num));
pr_debug("%s:%d: h.magic_num: '%s'\n", func, line,
str);
pr_debug("%s:%d: h.hdr_version: %u\n", func, line,
Reported by FlawFinder.
Line: 529
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void _dump_db(const struct os_area_db *db, const char *func,
int line)
{
char str[sizeof(db->magic_num) + 1];
dump_field(str, db->magic_num, sizeof(db->magic_num));
pr_debug("%s:%d: db.magic_num: '%s'\n", func, line,
str);
pr_debug("%s:%d: db.version: %u\n", func, line,
Reported by FlawFinder.
Line: 233
Column: 28
CWE codes:
120
20
mutex_lock(&os_area_flash_mutex);
if (os_area_flash_ops)
res = os_area_flash_ops->read(buf, count, pos);
mutex_unlock(&os_area_flash_mutex);
return res;
}
Reported by FlawFinder.
arch/parisc/kernel/parisc_ksyms.c
4 issues
Line: 21
Column: 15
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
#include <linux/string.h>
EXPORT_SYMBOL(memset);
EXPORT_SYMBOL(strlen);
EXPORT_SYMBOL(strcpy);
EXPORT_SYMBOL(strncpy);
EXPORT_SYMBOL(strcat);
#include <linux/atomic.h>
EXPORT_SYMBOL(__xchg8);
Reported by FlawFinder.
Line: 23
Column: 15
CWE codes:
120
Suggestion:
Consider using strcat_s, strncat, strlcat, or snprintf (warning: strncat is easily misused)
EXPORT_SYMBOL(strlen);
EXPORT_SYMBOL(strcpy);
EXPORT_SYMBOL(strncpy);
EXPORT_SYMBOL(strcat);
#include <linux/atomic.h>
EXPORT_SYMBOL(__xchg8);
EXPORT_SYMBOL(__xchg32);
EXPORT_SYMBOL(__cmpxchg_u32);
Reported by FlawFinder.
Line: 20
Column: 15
CWE codes:
126
#include <linux/string.h>
EXPORT_SYMBOL(memset);
EXPORT_SYMBOL(strlen);
EXPORT_SYMBOL(strcpy);
EXPORT_SYMBOL(strncpy);
EXPORT_SYMBOL(strcat);
#include <linux/atomic.h>
Reported by FlawFinder.
Line: 22
Column: 15
CWE codes:
120
EXPORT_SYMBOL(memset);
EXPORT_SYMBOL(strlen);
EXPORT_SYMBOL(strcpy);
EXPORT_SYMBOL(strncpy);
EXPORT_SYMBOL(strcat);
#include <linux/atomic.h>
EXPORT_SYMBOL(__xchg8);
EXPORT_SYMBOL(__xchg32);
Reported by FlawFinder.
arch/mips/kernel/spram.c
4 issues
Line: 115
Column: 21
CWE codes:
120
20
static void probe_spram(char *type,
unsigned int base,
unsigned int (*read)(unsigned int),
void (*write)(unsigned int, unsigned int))
{
unsigned int firstsize = 0, lastsize = 0;
unsigned int firstpa = 0, lastpa = 0, pa = 0;
unsigned int offset = 0;
Reported by FlawFinder.
Line: 131
Column: 10
CWE codes:
120
20
*/
for (i = 0; i < 8; i++) {
tag0 = read(offset);
tag1 = read(offset+SPRAM_TAG_STRIDE);
pr_debug("DBG %s%d: tag0=%08x tag1=%08x\n",
type, i, tag0, tag1);
size = tag1 & SPRAM_TAG1_SIZE_MASK;
Reported by FlawFinder.
Line: 132
Column: 10
CWE codes:
120
20
for (i = 0; i < 8; i++) {
tag0 = read(offset);
tag1 = read(offset+SPRAM_TAG_STRIDE);
pr_debug("DBG %s%d: tag0=%08x tag1=%08x\n",
type, i, tag0, tag1);
size = tag1 & SPRAM_TAG1_SIZE_MASK;
Reported by FlawFinder.
arch/s390/kernel/vtime.c
4 issues
Line: 127
Column: 33
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
*/
static int do_account_vtime(struct task_struct *tsk)
{
u64 timer, clock, user, guest, system, hardirq, softirq;
timer = S390_lowcore.last_update_timer;
clock = S390_lowcore.last_update_clock;
/* Use STORE CLOCK by default, STORE CLOCK FAST if available. */
alternative_io("stpt %0\n .insn s,0xb2050000,%1\n",
Reported by FlawFinder.
Line: 176
Column: 6
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
tsk->utimescaled += cputime_to_nsecs(scale_vtime(guest));
}
if (system)
account_system_index_scaled(tsk, system, CPUTIME_SYSTEM);
if (hardirq)
account_system_index_scaled(tsk, hardirq, CPUTIME_IRQ);
if (softirq)
account_system_index_scaled(tsk, softirq, CPUTIME_SOFTIRQ);
Reported by FlawFinder.
Line: 177
Column: 36
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
if (system)
account_system_index_scaled(tsk, system, CPUTIME_SYSTEM);
if (hardirq)
account_system_index_scaled(tsk, hardirq, CPUTIME_IRQ);
if (softirq)
account_system_index_scaled(tsk, softirq, CPUTIME_SOFTIRQ);
Reported by FlawFinder.
Line: 88
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Update scaling factor */
__this_cpu_write(mt_scaling_mult, mult);
__this_cpu_write(mt_scaling_div, div);
memcpy(cycles_old, cycles_new,
sizeof(u64) * (smp_cpu_mtid + 1));
}
__this_cpu_write(mt_scaling_jiffies, jiffies_64);
}
Reported by FlawFinder.
arch/mips/kernel/vpe.c
4 issues
Line: 586
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
struct module mod; /* so we can re-use the relocations code */
memset(&mod, 0, sizeof(struct module));
strcpy(mod.name, "VPE loader");
hdr = (Elf_Ehdr *) v->pbuffer;
len = v->plen;
/* Sanity checks against insmoding binaries or wrong arch,
Reported by FlawFinder.
Line: 660
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
dest = v->load_addr + sechdrs[i].sh_entsize;
if (sechdrs[i].sh_type != SHT_NOBITS)
memcpy(dest, (void *)sechdrs[i].sh_addr,
sechdrs[i].sh_size);
/* Update sh_addr to point to copy in image. */
sechdrs[i].sh_addr = (unsigned long)dest;
pr_debug(" section sh_name %s sh_addr 0x%x\n",
Reported by FlawFinder.
Line: 676
Column: 26
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Now do relocations. */
for (i = 1; i < hdr->e_shnum; i++) {
const char *strtab = (char *)sechdrs[strindex].sh_addr;
unsigned int info = sechdrs[i].sh_info;
/* Not a valid relocation section? */
if (info >= hdr->e_shnum)
continue;
Reported by FlawFinder.
Line: 703
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < hdr->e_phnum; i++) {
if (phdr->p_type == PT_LOAD) {
memcpy((void *)phdr->p_paddr,
(char *)hdr + phdr->p_offset,
phdr->p_filesz);
memset((void *)phdr->p_paddr + phdr->p_filesz,
0, phdr->p_memsz - phdr->p_filesz);
}
Reported by FlawFinder.
arch/alpha/boot/stdio.c
4 issues
Line: 110
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
return str;
}
int vsprintf(char *buf, const char *fmt, va_list args)
{
int len;
unsigned long long num;
int i, base;
char * str;
Reported by FlawFinder.
Line: 293
Column: 5
CWE codes:
134
Suggestion:
Make format string constant
return str-buf;
}
int sprintf(char * buf, const char *fmt, ...)
{
va_list args;
int i;
va_start(args, fmt);
Reported by FlawFinder.
Line: 299
Column: 4
CWE codes:
134
Suggestion:
Make format string constant
int i;
va_start(args, fmt);
i=vsprintf(buf,fmt,args);
va_end(args);
return i;
}
Reported by FlawFinder.
Line: 45
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static char * number(char * str, unsigned long long num, int base, int size, int precision, int type)
{
char c,sign,tmp[66];
const char *digits="0123456789abcdefghijklmnopqrstuvwxyz";
int i;
if (type & LARGE)
digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
Reported by FlawFinder.