The following issues were found
tools/virtio/virtio_test.c
4 issues
Line: 192
Column: 14
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
do {
const bool reset = completed > next_reset;
if (random_batch)
batch = (random() % vq->vring.num) + 1;
while (started < bufs &&
(started - completed) < batch) {
sg_init_one(&sl, dev->buf, dev->buf_size);
r = virtqueue_add_outbuf(vq->vq, &sl, 1,
Reported by FlawFinder.
Line: 351
Column: 7
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
bool delayed = false;
for (;;) {
o = getopt_long(argc, argv, optstring, longopts, NULL);
switch (o) {
case -1:
goto done;
case '?':
help();
Reported by FlawFinder.
Line: 136
Column: 24
CWE codes:
362
dev->buf_size = 1024;
dev->buf = malloc(dev->buf_size);
assert(dev->buf);
dev->control = open("/dev/vhost-test", O_RDWR);
assert(dev->control >= 0);
r = ioctl(dev->control, VHOST_SET_OWNER, NULL);
assert(r >= 0);
dev->mem = malloc(offsetof(struct vhost_memory, regions) +
sizeof dev->mem->regions[0]);
Reported by FlawFinder.
Line: 164
Column: 4
CWE codes:
120
20
poll(dev->fds, dev->nvqs, -1);
for (i = 0; i < dev->nvqs; ++i)
if (dev->fds[i].revents & POLLIN) {
read(dev->fds[i].fd, &val, sizeof val);
}
}
static void run_test(struct vdev_info *dev, struct vq_info *vq,
bool delayed, int batch, int reset_n, int bufs)
Reported by FlawFinder.
tools/testing/selftests/timers/change_skew.c
4 issues
Line: 50
Column: 8
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
return ret;
}
ret = system("./raw_skew");
ret |= system("./inconsistency-check");
ret |= system("./nanosleep");
return ret;
}
Reported by FlawFinder.
Line: 51
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
}
ret = system("./raw_skew");
ret |= system("./inconsistency-check");
ret |= system("./nanosleep");
return ret;
}
Reported by FlawFinder.
Line: 52
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
ret = system("./raw_skew");
ret |= system("./inconsistency-check");
ret |= system("./nanosleep");
return ret;
}
Reported by FlawFinder.
Line: 66
Column: 8
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
int ppm[5] = {0, 250, 500, -250, -500};
/* Kill ntpd */
ret = system("killall -9 ntpd");
/* Make sure there's no offset adjustment going on */
tx.modes = ADJ_OFFSET;
tx.offset = 0;
ret = adjtimex(&tx);
Reported by FlawFinder.
tools/testing/selftests/timers/freq-step.c
4 issues
Line: 233
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
1e9 * precision, 1e9 * MAX_PRECISION);
printf("[OK]\n");
srand(ts.tv_sec ^ ts.tv_nsec);
run_test(1, 0.0, 0.0);
}
int main(int argc, char **argv)
Reported by FlawFinder.
Line: 156
Column: 3
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
set_frequency(freq_base);
for (i = 0; i < 10; i++)
usleep(1e6 * MEAN_SAMPLE_INTERVAL / 10);
reset_ntp_error();
set_frequency(freq_base + freq_step);
Reported by FlawFinder.
Line: 163
Column: 3
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
set_frequency(freq_base + freq_step);
for (i = 0; i < 10; i++)
usleep(rand() % 2000000 * STEP_INTERVAL / 10);
set_frequency(freq_base);
for (i = 0; i < SAMPLES; i++) {
usleep(rand() % 2000000 * MEAN_SAMPLE_INTERVAL);
Reported by FlawFinder.
Line: 168
Column: 3
CWE codes:
676
Suggestion:
Use nanosleep(2) or setitimer(2) instead
set_frequency(freq_base);
for (i = 0; i < SAMPLES; i++) {
usleep(rand() % 2000000 * MEAN_SAMPLE_INTERVAL);
get_sample(&samples[i]);
}
if (calibration) {
regress(samples, SAMPLES, &intercept, &slope, &stddev1, &max1);
Reported by FlawFinder.
tools/testing/selftests/timers/leap-a-day.c
4 issues
Line: 189
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
int opt;
/* Process arguments */
while ((opt = getopt(argc, argv, "sti:")) != -1) {
switch (opt) {
case 'w':
printf("Only setting leap-flag, not changing time. It could take up to a day for leap to trigger.\n");
settime = 0;
break;
Reported by FlawFinder.
Line: 196
Column: 17
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
settime = 0;
break;
case 'i':
iterations = atoi(optarg);
break;
case 't':
tai_time = 1;
break;
default:
Reported by FlawFinder.
Line: 330
Column: 4
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Check adjtimex output every half second */
now = tx.time.tv_sec;
while (now < next_leap + 2) {
char buf[26];
struct timespec tai;
int ret;
tx.modes = 0;
ret = adjtimex(&tx);
Reported by FlawFinder.
Line: 345
Column: 9
CWE codes:
126
time_state_str(ret));
} else {
ctime_r(&tx.time.tv_sec, buf);
buf[strlen(buf)-1] = 0; /*remove trailing\n */
printf("%s + %6ld us (%i)\t%s\n",
buf,
tx.time.tv_usec,
tx.tai,
Reported by FlawFinder.
tools/virtio/ringtest/ring.c
4 issues
Line: 46
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* Mostly read */
struct event {
unsigned short kick_index;
unsigned char reserved0[HOST_GUEST_PADDING - 2];
unsigned short call_index;
unsigned char reserved1[HOST_GUEST_PADDING - 2];
};
struct data {
Reported by FlawFinder.
Line: 48
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short kick_index;
unsigned char reserved0[HOST_GUEST_PADDING - 2];
unsigned short call_index;
unsigned char reserved1[HOST_GUEST_PADDING - 2];
};
struct data {
void *buf; /* descriptor is writeable, we can't get buf from there */
void *data;
Reported by FlawFinder.
Line: 64
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned last_used_idx;
unsigned num_free;
unsigned kicked_avail_idx;
unsigned char reserved[HOST_GUEST_PADDING - 12];
} guest;
struct host {
/* we do not need to track last avail index
* unless we have more than one in flight.
Reported by FlawFinder.
Line: 73
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
*/
unsigned used_idx;
unsigned called_used_idx;
unsigned char reserved[HOST_GUEST_PADDING - 4];
} host;
/* implemented by ring */
void alloc_ring(void)
{
Reported by FlawFinder.
tools/testing/selftests/timers/threadtest.c
4 issues
Line: 135
Column: 16
CWE codes:
120
20
Suggestion:
Check implementation on installation, or limit the size of all string inputs
runtime = DEFAULT_RUNTIME;
/* Process arguments */
while ((opt = getopt(argc, argv, "t:n:i")) != -1) {
switch (opt) {
case 't':
runtime = atoi(optarg);
break;
case 'n':
Reported by FlawFinder.
Line: 124
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
int thread_count, i;
time_t start, now, runtime;
char buf[255];
pthread_t pth[MAX_THREADS];
int opt;
void *tret;
int ret = 0;
void *(*thread)(void *) = shared_thread;
Reported by FlawFinder.
Line: 138
Column: 14
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
while ((opt = getopt(argc, argv, "t:n:i")) != -1) {
switch (opt) {
case 't':
runtime = atoi(optarg);
break;
case 'n':
thread_count = atoi(optarg);
break;
case 'i':
Reported by FlawFinder.
Line: 141
Column: 19
CWE codes:
190
Suggestion:
If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)
runtime = atoi(optarg);
break;
case 'n':
thread_count = atoi(optarg);
break;
case 'i':
thread = independent_thread;
printf("using independent threads\n");
break;
Reported by FlawFinder.
tools/testing/selftests/vm/mlock-random-test.c
4 issues
Line: 153
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
return -1;
}
srand(time(NULL));
for (i = 0; i < TEST_LOOP; i++) {
/*
* - choose mlock/mlock2 randomly
* - choose lock_size randomly but lock_size < alloc_size
* - choose start_offset randomly but p+start_offset+lock_size
Reported by FlawFinder.
Line: 230
Column: 2
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
}
old_locked_vm_size = get_proc_locked_vm_size();
srand(time(NULL));
for (i = 0; i < TEST_LOOP; i++) {
int is_mlock = !!(rand() % 2);
int lock_size = (rand() % (alloc_size - cur.rlim_cur))
+ cur.rlim_cur;
int start_offset = rand() % (alloc_size - lock_size);
Reported by FlawFinder.
Line: 50
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
FILE *f;
int ret = -1;
char line[1024] = {0};
unsigned long lock_size = 0;
f = fopen("/proc/self/status", "r");
if (!f) {
perror("fopen");
Reported by FlawFinder.
Line: 53
Column: 6
CWE codes:
362
char line[1024] = {0};
unsigned long lock_size = 0;
f = fopen("/proc/self/status", "r");
if (!f) {
perror("fopen");
return -1;
}
Reported by FlawFinder.
tools/testing/selftests/vm/mlock2-tests.c
4 issues
Line: 23
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
FILE *file;
int ret = 1;
char line[1024] = {0};
char *end_addr;
char *stop;
unsigned long start;
unsigned long end;
Reported by FlawFinder.
Line: 32
Column: 9
CWE codes:
362
if (!area)
return ret;
file = fopen("/proc/self/maps", "r");
if (!file) {
perror("fopen");
return ret;
}
Reported by FlawFinder.
Line: 94
Column: 18
CWE codes:
126
continue;
}
flags = line + strlen(VMFLAGS);
ret = (strstr(flags, vmflag) != NULL);
goto out;
}
out:
Reported by FlawFinder.
Line: 131
Column: 22
CWE codes:
126
continue;
}
value_ptr = line + strlen(name);
if (sscanf(value_ptr, "%lu kB", &value) < 1) {
printf("Unable to parse smaps entry for Size\n");
goto out;
}
break;
Reported by FlawFinder.
tools/testing/selftests/vm/pkey-helpers.h
4 issues
Line: 35
Column: 23
CWE codes:
134
Suggestion:
Use a constant for the format specification
extern int iteration_nr;
#ifdef __GNUC__
__attribute__((format(printf, 1, 2)))
#endif
static inline void sigsafe_printf(const char *format, ...)
{
va_list ap;
Reported by FlawFinder.
Line: 43
Column: 3
CWE codes:
134
Suggestion:
Use a constant for the format specification
if (!dprint_in_signal) {
va_start(ap, format);
vprintf(format, ap);
va_end(ap);
} else {
int ret;
/*
* No printf() functions are signal-safe.
Reported by FlawFinder.
Line: 29
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#endif
#define DPRINT_IN_SIGNAL_BUF_SIZE 4096
extern int dprint_in_signal;
extern char dprint_in_signal_buffer[DPRINT_IN_SIGNAL_BUF_SIZE];
extern int test_nr;
extern int iteration_nr;
#ifdef __GNUC__
Reported by FlawFinder.
Line: 53
Column: 26
CWE codes:
126
* string to get some output, even if
* incomplete.
*/
ret = write(1, format, strlen(format));
if (ret < 0)
exit(1);
}
}
#define dprintf_level(level, args...) do { \
Reported by FlawFinder.
tools/usb/usbip/libsrc/usbip_device_driver.c
4 issues
Line: 66
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int read_usb_vudc_device(struct udev_device *sdev, struct usbip_usb_device *dev)
{
const char *path, *name;
char filepath[SYSFS_PATH_MAX];
struct usb_device_descriptor descr;
unsigned int i;
FILE *fd = NULL;
struct udev_device *plat;
const char *speed;
Reported by FlawFinder.
Line: 78
Column: 7
CWE codes:
362
path = udev_device_get_syspath(plat);
snprintf(filepath, SYSFS_PATH_MAX, "%s/%s",
path, VUDC_DEVICE_DESCR_FILE);
fd = fopen(filepath, "r");
if (!fd)
return -1;
ret = fread((char *) &descr, sizeof(descr), 1, fd);
if (ret != 1) {
err("Cannot read vudc device descr file: %s", strerror(errno));
Reported by FlawFinder.
Line: 96
Column: 2
CWE codes:
120
copy_descr_attr16(dev, &descr, idProduct);
copy_descr_attr16(dev, &descr, bcdDevice);
strncpy(dev->path, path, SYSFS_PATH_MAX - 1);
dev->path[SYSFS_PATH_MAX - 1] = '\0';
dev->speed = USB_SPEED_UNKNOWN;
speed = udev_device_get_sysattr_value(sdev, "current_speed");
if (speed) {
Reported by FlawFinder.
Line: 116
Column: 2
CWE codes:
120
dev->busnum = 0;
name = udev_device_get_sysname(plat);
strncpy(dev->busid, name, SYSFS_BUS_ID_SIZE - 1);
dev->busid[SYSFS_BUS_ID_SIZE - 1] = '\0';
return 0;
err:
fclose(fd);
return -1;
Reported by FlawFinder.