The following issues were found
arch/alpha/kernel/machvec_impl.h
4 issues
Line: 145
Column: 18
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
delusion that you shouldn't be able to declare it extern somewhere
else beforehand. Fine. We'll do it ourselves. */
#if 0
#define ALIAS_MV(system) \
struct alpha_machine_vector alpha_mv __attribute__((alias(#system "_mv"))); \
EXPORT_SYMBOL(alpha_mv);
#else
#define ALIAS_MV(system) \
asm(".global alpha_mv\nalpha_mv = " #system "_mv"); \
Reported by FlawFinder.
Line: 146
Column: 62
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
else beforehand. Fine. We'll do it ourselves. */
#if 0
#define ALIAS_MV(system) \
struct alpha_machine_vector alpha_mv __attribute__((alias(#system "_mv"))); \
EXPORT_SYMBOL(alpha_mv);
#else
#define ALIAS_MV(system) \
asm(".global alpha_mv\nalpha_mv = " #system "_mv"); \
EXPORT_SYMBOL(alpha_mv);
Reported by FlawFinder.
Line: 149
Column: 18
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
struct alpha_machine_vector alpha_mv __attribute__((alias(#system "_mv"))); \
EXPORT_SYMBOL(alpha_mv);
#else
#define ALIAS_MV(system) \
asm(".global alpha_mv\nalpha_mv = " #system "_mv"); \
EXPORT_SYMBOL(alpha_mv);
#endif
#endif /* GENERIC */
Reported by FlawFinder.
Line: 150
Column: 40
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
EXPORT_SYMBOL(alpha_mv);
#else
#define ALIAS_MV(system) \
asm(".global alpha_mv\nalpha_mv = " #system "_mv"); \
EXPORT_SYMBOL(alpha_mv);
#endif
#endif /* GENERIC */
Reported by FlawFinder.
arch/x86/kvm/ioapic.c
4 issues
Line: 117
CWE codes:
786
struct dest_map *dest_map = &ioapic->rtc_status.dest_map;
union kvm_ioapic_redirect_entry *e;
e = &ioapic->redirtbl[RTC_GSI];
if (!kvm_apic_match_dest(vcpu, NULL, APIC_DEST_NOSHORT,
e->fields.dest_id,
kvm_lapic_irq_dest_mode(!!e->fields.dest_mode)))
return;
Reported by Cppcheck.
Line: 612
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
case 1:
case 2:
case 4:
memcpy(val, (char *)&result, len);
break;
default:
printk(KERN_WARNING "ioapic: wrong length %d\n", len);
}
return 0;
Reported by FlawFinder.
Line: 731
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct kvm_ioapic *ioapic = kvm->arch.vioapic;
spin_lock(&ioapic->lock);
memcpy(state, ioapic, sizeof(struct kvm_ioapic_state));
state->irr &= ~ioapic->irr_delivered;
spin_unlock(&ioapic->lock);
}
void kvm_set_ioapic(struct kvm *kvm, struct kvm_ioapic_state *state)
Reported by FlawFinder.
Line: 741
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct kvm_ioapic *ioapic = kvm->arch.vioapic;
spin_lock(&ioapic->lock);
memcpy(ioapic, state, sizeof(struct kvm_ioapic_state));
ioapic->irr = 0;
ioapic->irr_delivered = 0;
kvm_make_scan_ioapic_request(kvm);
kvm_ioapic_inject_all(ioapic, state->irr);
spin_unlock(&ioapic->lock);
Reported by FlawFinder.
arch/x86/kernel/vm86_32.c
4 issues
Line: 153
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vm86->saved_sp0 = 0;
preempt_enable();
memcpy(®s->pt, &vm86->regs32, sizeof(struct pt_regs));
lazy_load_gs(vm86->regs32.gs);
regs->pt.ax = retval;
return;
Reported by FlawFinder.
Line: 249
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* VM86_SCREEN_BITMAP had numerous bugs and appears to have no users. */
if (v.flags & VM86_SCREEN_BITMAP) {
char comm[TASK_COMM_LEN];
pr_info_once("vm86: '%s' uses VM86_SCREEN_BITMAP, which is no longer supported\n", get_task_comm(comm, current));
return -EINVAL;
}
Reported by FlawFinder.
Line: 294
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(&vm86->vm86plus, 0,
sizeof(struct vm86plus_info_struct));
memcpy(&vm86->regs32, regs, sizeof(struct pt_regs));
vm86->user_vm86 = user_vm86;
/*
* The flags register is also special: we cannot trust that the user
* has set it up safely, so this makes sure interrupt etc flags are
Reported by FlawFinder.
Line: 342
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
update_task_stack(tsk);
preempt_enable();
memcpy((struct kernel_vm86_regs *)regs, &vm86regs, sizeof(vm86regs));
return regs->ax;
}
static inline void set_IF(struct kernel_vm86_regs *regs)
{
Reported by FlawFinder.
arch/arm/mach-socfpga/platsmp.c
4 issues
Line: 23
CWE codes:
570
static int socfpga_boot_secondary(unsigned int cpu, struct task_struct *idle)
{
int trampoline_size = &secondary_trampoline_end - &secondary_trampoline;
if (socfpga_cpu1start_addr) {
/* This will put CPU #1 into reset. */
writel(RSTMGR_MPUMODRST_CPU1,
rst_manager_base_addr + SOCFPGA_RSTMGR_MODMPURST);
Reported by Cppcheck.
Line: 48
CWE codes:
570
static int socfpga_a10_boot_secondary(unsigned int cpu, struct task_struct *idle)
{
int trampoline_size = &secondary_trampoline_end - &secondary_trampoline;
if (socfpga_cpu1start_addr) {
writel(RSTMGR_MPUMODRST_CPU1, rst_manager_base_addr +
SOCFPGA_A10_RSTMGR_MODMPURST);
memcpy(phys_to_virt(0), &secondary_trampoline, trampoline_size);
Reported by Cppcheck.
Line: 30
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
writel(RSTMGR_MPUMODRST_CPU1,
rst_manager_base_addr + SOCFPGA_RSTMGR_MODMPURST);
memcpy(phys_to_virt(0), &secondary_trampoline, trampoline_size);
writel(__pa_symbol(secondary_startup),
sys_manager_base_addr + (socfpga_cpu1start_addr & 0x000000ff));
flush_cache_all();
Reported by FlawFinder.
Line: 53
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (socfpga_cpu1start_addr) {
writel(RSTMGR_MPUMODRST_CPU1, rst_manager_base_addr +
SOCFPGA_A10_RSTMGR_MODMPURST);
memcpy(phys_to_virt(0), &secondary_trampoline, trampoline_size);
writel(__pa_symbol(secondary_startup),
sys_manager_base_addr + (socfpga_cpu1start_addr & 0x00000fff));
flush_cache_all();
Reported by FlawFinder.
arch/arm/mach-tegra/pm.c
4 issues
Line: 322
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void tegra_suspend_enter_lp1(void)
{
/* copy the reset vector & SDRAM shutdown code into IRAM */
memcpy(iram_save_addr, IO_ADDRESS(TEGRA_IRAM_LPx_RESUME_AREA),
iram_save_size);
memcpy(IO_ADDRESS(TEGRA_IRAM_LPx_RESUME_AREA),
tegra_lp1_iram.start_addr, iram_save_size);
*((u32 *)tegra_cpu_lp1_mask) = 1;
Reported by FlawFinder.
Line: 324
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* copy the reset vector & SDRAM shutdown code into IRAM */
memcpy(iram_save_addr, IO_ADDRESS(TEGRA_IRAM_LPx_RESUME_AREA),
iram_save_size);
memcpy(IO_ADDRESS(TEGRA_IRAM_LPx_RESUME_AREA),
tegra_lp1_iram.start_addr, iram_save_size);
*((u32 *)tegra_cpu_lp1_mask) = 1;
}
Reported by FlawFinder.
Line: 333
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
static void tegra_suspend_exit_lp1(void)
{
/* restore IRAM */
memcpy(IO_ADDRESS(TEGRA_IRAM_LPx_RESUME_AREA), iram_save_addr,
iram_save_size);
*(u32 *)tegra_cpu_lp1_mask = 0;
}
Reported by FlawFinder.
Line: 339
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*(u32 *)tegra_cpu_lp1_mask = 0;
}
static const char *lp_state[TEGRA_MAX_SUSPEND_MODE] = {
[TEGRA_SUSPEND_NONE] = "none",
[TEGRA_SUSPEND_LP2] = "LP2",
[TEGRA_SUSPEND_LP1] = "LP1",
[TEGRA_SUSPEND_LP0] = "LP0",
};
Reported by FlawFinder.
arch/x86/kernel/fpu/regset.c
4 issues
Line: 113
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
fpu_force_restore(fpu);
/* Copy the state */
memcpy(&fpu->state.fxsave, &newstate, sizeof(newstate));
/* Clear xmm8..15 */
BUILD_BUG_ON(sizeof(fpu->state.fxsave.xmm_space) != 16 * 16);
memset(&fpu->state.fxsave.xmm_space[8], 0, 8 * 16);
Reported by FlawFinder.
Line: 280
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif
for (i = 0; i < 8; ++i)
memcpy(&to[i], &from[i], sizeof(to[0]));
}
void
convert_from_fxsr(struct user_i387_ia32_struct *env, struct task_struct *tsk)
{
Reported by FlawFinder.
Line: 313
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#endif
for (i = 0; i < 8; ++i)
memcpy(&to[i], &from[i], sizeof(from[0]));
}
int fpregs_get(struct task_struct *target, const struct user_regset *regset,
struct membuf to)
{
Reported by FlawFinder.
Line: 371
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (cpu_feature_enabled(X86_FEATURE_FXSR))
convert_to_fxsr(&fpu->state.fxsave, &env);
else
memcpy(&fpu->state.fsave, &env, sizeof(env));
/*
* Update the header bit in the xsave header, indicating the
* presence of FP.
*/
Reported by FlawFinder.
block/partitions/sun.c
4 issues
Line: 29
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__be16 *ush;
Sector sect;
struct sun_disklabel {
unsigned char info[128]; /* Informative text string */
struct sun_vtoc {
__be32 version; /* Layout version */
char volume[8]; /* Volume name */
__be16 nparts; /* Number of partitions */
struct sun_info { /* Partition hdrs, sec 2 */
Reported by FlawFinder.
Line: 32
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned char info[128]; /* Informative text string */
struct sun_vtoc {
__be32 version; /* Layout version */
char volume[8]; /* Volume name */
__be16 nparts; /* Number of partitions */
struct sun_info { /* Partition hdrs, sec 2 */
__be16 id;
__be16 flags;
} infos[8];
Reported by FlawFinder.
Line: 46
Column: 12
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} vtoc;
__be32 write_reinstruct; /* sectors to skip, writes */
__be32 read_reinstruct; /* sectors to skip, reads */
unsigned char spare[148]; /* Padding */
__be16 rspeed; /* Disk rotational speed */
__be16 pcylcount; /* Physical cylinder count */
__be16 sparecyl; /* extra sects per cylinder */
__be16 obs1; /* gap1 */
__be16 obs2; /* gap2 */
Reported by FlawFinder.
Line: 68
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
} * label;
struct sun_partition *p;
unsigned long spc;
char b[BDEVNAME_SIZE];
int use_vtoc;
int nparts;
label = read_part_sector(state, 0, §);
if (!label)
Reported by FlawFinder.
tools/testing/selftests/vDSO/vdso_test_correctness.c
4 issues
Line: 84
Column: 7
CWE codes:
120
20
Suggestion:
Specify a limit to %s, or use a different input function
char name[MAPS_LINE_LEN];
/* sscanf() is safe here as strlen(name) >= strlen(line) */
if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s",
&start, &end, &r, &x, name) != 5)
continue;
if (strcmp(name, "[vsyscall]"))
continue;
Reported by FlawFinder.
Line: 71
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
#ifdef __x86_64__
FILE *maps;
char line[MAPS_LINE_LEN];
bool found = false;
maps = fopen("/proc/self/maps", "r");
if (!maps) /* might still be present, but ignore it here, as we test vDSO not vsyscall */
return NULL;
Reported by FlawFinder.
Line: 74
Column: 9
CWE codes:
362
char line[MAPS_LINE_LEN];
bool found = false;
maps = fopen("/proc/self/maps", "r");
if (!maps) /* might still be present, but ignore it here, as we test vDSO not vsyscall */
return NULL;
while (fgets(line, MAPS_LINE_LEN, maps)) {
char r, x;
Reported by FlawFinder.
Line: 81
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
while (fgets(line, MAPS_LINE_LEN, maps)) {
char r, x;
void *start, *end;
char name[MAPS_LINE_LEN];
/* sscanf() is safe here as strlen(name) >= strlen(line) */
if (sscanf(line, "%p-%p %c-%cp %*x %*x:%*x %*u %s",
&start, &end, &r, &x, name) != 5)
continue;
Reported by FlawFinder.
tools/testing/vsock/vsock_test.c
4 issues
Line: 514
Column: 13
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
init_signals();
for (;;) {
int opt = getopt_long(argc, argv, optstring, longopts, NULL);
if (opt == -1)
break;
switch (opt) {
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_seqpacket_msg_bounds_server(const struct test_opts *opts)
{
int fd;
char buf[16];
struct msghdr msg = {0};
struct iovec iov = {0};
fd = vsock_seqpacket_accept(VMADDR_CID_ANY, 1234, NULL);
if (fd < 0) {
Reported by FlawFinder.
Line: 336
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_seqpacket_msg_trunc_client(const struct test_opts *opts)
{
int fd;
char buf[MESSAGE_TRUNC_SZ];
fd = vsock_seqpacket_connect(opts->peer_cid, 1234);
if (fd < 0) {
perror("connect");
exit(EXIT_FAILURE);
Reported by FlawFinder.
Line: 356
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
static void test_seqpacket_msg_trunc_server(const struct test_opts *opts)
{
int fd;
char buf[MESSAGE_TRUNC_SZ / 2];
struct msghdr msg = {0};
struct iovec iov = {0};
fd = vsock_seqpacket_accept(VMADDR_CID_ANY, 1234, NULL);
if (fd < 0) {
Reported by FlawFinder.
tools/vm/page_owner_sort.c
4 issues
Line: 77
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
list[list_size].txt = malloc(len+1);
list[list_size].len = len;
list[list_size].num = 1;
memcpy(list[list_size].txt, buf, len);
list[list_size].txt[len] = 0;
list_size++;
if (list_size % 1000 == 0) {
printf("loaded %d\r", list_size);
fflush(stdout);
Reported by FlawFinder.
Line: 102
Column: 8
CWE codes:
362
exit(1);
}
fin = fopen(argv[1], "r");
fout = fopen(argv[2], "w");
if (!fin || !fout) {
printf("Usage: ./program <input> <output>\n");
perror("open: ");
exit(1);
Reported by FlawFinder.
Line: 103
Column: 9
CWE codes:
362
}
fin = fopen(argv[1], "r");
fout = fopen(argv[2], "w");
if (!fin || !fout) {
printf("Usage: ./program <input> <output>\n");
perror("open: ");
exit(1);
}
Reported by FlawFinder.
Line: 42
Column: 11
CWE codes:
126
return curr - buf;
if (!strncmp(curr, "PFN", 3))
continue;
curr += strlen(curr);
}
return -1; /* EOF or no space left in buf. */
}
Reported by FlawFinder.