The following issues were found
drivers/dma/bestcomm/bestcomm.c
4 issues
Line: 196
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
var_src = desc_src + hdr->desc_size;
inc_src = var_src + hdr->var_size;
memcpy(desc, desc_src, hdr->desc_size * sizeof(u32));
memcpy(var + hdr->first_var, var_src, hdr->var_size * sizeof(u32));
memcpy(inc, inc_src, hdr->inc_size * sizeof(u32));
return 0;
}
Reported by FlawFinder.
Line: 197
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
inc_src = var_src + hdr->var_size;
memcpy(desc, desc_src, hdr->desc_size * sizeof(u32));
memcpy(var + hdr->first_var, var_src, hdr->var_size * sizeof(u32));
memcpy(inc, inc_src, hdr->inc_size * sizeof(u32));
return 0;
}
EXPORT_SYMBOL_GPL(bcom_load_image);
Reported by FlawFinder.
Line: 198
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(desc, desc_src, hdr->desc_size * sizeof(u32));
memcpy(var + hdr->first_var, var_src, hdr->var_size * sizeof(u32));
memcpy(inc, inc_src, hdr->inc_size * sizeof(u32));
return 0;
}
EXPORT_SYMBOL_GPL(bcom_load_image);
Reported by FlawFinder.
Line: 311
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memset(bcom_eng->fdt, 0x00, fdt_size);
/* Copy the FDT for the EU#3 */
memcpy(&bcom_eng->fdt[48], fdt_ops, sizeof(fdt_ops));
/* Initialize Task base structure */
for (task=0; task<BCOM_MAX_TASKS; task++)
{
out_be16(&bcom_eng->regs->tcr[task], 0);
Reported by FlawFinder.
drivers/dma/idxd/sysfs.c
4 issues
Line: 77
Column: 6
CWE codes:
126
return -EINVAL;
}
if (strlen(wq->name) == 0) {
mutex_unlock(&wq->wq_lock);
dev_warn(dev, "WQ name not set.\n");
return -EINVAL;
}
Reported by FlawFinder.
Line: 1107
Column: 36
CWE codes:
126
if (wq->state != IDXD_WQ_DISABLED)
return -EPERM;
if (strlen(buf) > WQ_NAME_SIZE || strlen(buf) == 0)
return -EINVAL;
/*
* This is temporarily placed here until we have SVM support for
* dmaengine.
Reported by FlawFinder.
Line: 1107
Column: 6
CWE codes:
126
if (wq->state != IDXD_WQ_DISABLED)
return -EPERM;
if (strlen(buf) > WQ_NAME_SIZE || strlen(buf) == 0)
return -EINVAL;
/*
* This is temporarily placed here until we have SVM support for
* dmaengine.
Reported by FlawFinder.
Line: 1118
Column: 2
CWE codes:
120
return -EOPNOTSUPP;
memset(wq->name, 0, WQ_NAME_SIZE + 1);
strncpy(wq->name, buf, WQ_NAME_SIZE);
strreplace(wq->name, '\n', '\0');
return count;
}
static struct device_attribute dev_attr_wq_name =
Reported by FlawFinder.
drivers/dma/qcom/bam_dma.c
4 issues
Line: 588
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
unsigned long flag;
spin_lock_irqsave(&bchan->vc.lock, flag);
memcpy(&bchan->slave, cfg, sizeof(*cfg));
bchan->reconfigure = 1;
spin_unlock_irqrestore(&bchan->vc.lock, flag);
return 0;
}
Reported by FlawFinder.
Line: 1042
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (bchan->tail + async_desc->xfer_len > MAX_DESCRIPTORS) {
u32 partial = MAX_DESCRIPTORS - bchan->tail;
memcpy(&fifo[bchan->tail], desc,
partial * sizeof(struct bam_desc_hw));
memcpy(fifo, &desc[partial],
(async_desc->xfer_len - partial) *
sizeof(struct bam_desc_hw));
} else {
Reported by FlawFinder.
Line: 1044
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(&fifo[bchan->tail], desc,
partial * sizeof(struct bam_desc_hw));
memcpy(fifo, &desc[partial],
(async_desc->xfer_len - partial) *
sizeof(struct bam_desc_hw));
} else {
memcpy(&fifo[bchan->tail], desc,
async_desc->xfer_len *
Reported by FlawFinder.
Line: 1048
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(async_desc->xfer_len - partial) *
sizeof(struct bam_desc_hw));
} else {
memcpy(&fifo[bchan->tail], desc,
async_desc->xfer_len *
sizeof(struct bam_desc_hw));
}
bchan->tail += async_desc->xfer_len;
Reported by FlawFinder.
drivers/dma/xgene-dma.c
4 issues
Line: 275
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct device *dev;
int id;
int rx_irq;
char name[10];
spinlock_t lock;
int pending;
int max_outstanding;
struct list_head ld_pending;
struct list_head ld_running;
Reported by FlawFinder.
Line: 610
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ring->head = 0;
/* Copy prepared sw descriptor data to hw descriptor */
memcpy(desc_hw, &desc_sw->desc1, sizeof(*desc_hw));
/*
* Check if we have prepared 64B descriptor,
* in this case we need one more hw descriptor
*/
Reported by FlawFinder.
Line: 622
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (++ring->head == ring->slots)
ring->head = 0;
memcpy(desc_hw, &desc_sw->desc2, sizeof(*desc_hw));
}
/* Increment the pending transaction count */
chan->pending += ((desc_sw->flags &
XGENE_DMA_FLAG_64B_DESC) ? 2 : 1);
Reported by FlawFinder.
Line: 905
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* prepare two descriptor to generate P and Q if both enabled
* in the flags by client
*/
memcpy(_src, src, sizeof(*src) * src_cnt);
if (flags & DMA_PREP_PQ_DISABLE_P)
len = 0;
if (flags & DMA_PREP_PQ_DISABLE_Q)
Reported by FlawFinder.
drivers/dma/xilinx/xilinx_dpdma.c
4 issues
Line: 296
Column: 12
CWE codes:
120
20
struct xilinx_dpdma_debugfs_request {
const char *name;
enum xilinx_dpdma_testcases tc;
ssize_t (*read)(char *buf);
int (*write)(char *args);
};
static void xilinx_dpdma_debugfs_desc_done_irq(struct xilinx_dpdma_chan *chan)
{
Reported by FlawFinder.
Line: 312
Column: 16
CWE codes:
126
dpdma_debugfs.testcase = DPDMA_TC_NONE;
out_str_len = strlen(XILINX_DPDMA_DEBUGFS_UINT16_MAX_STR);
out_str_len = min_t(size_t, XILINX_DPDMA_DEBUGFS_READ_MAX_SIZE,
out_str_len);
snprintf(buf, out_str_len, "%d",
dpdma_debugfs.xilinx_dpdma_irq_done_count);
Reported by FlawFinder.
Line: 377
Column: 38
CWE codes:
120
20
testcase = READ_ONCE(dpdma_debugfs.testcase);
if (testcase != DPDMA_TC_NONE) {
ret = dpdma_debugfs_reqs[testcase].read(kern_buff);
if (ret < 0)
goto done;
} else {
strlcpy(kern_buff, "No testcase executed",
XILINX_DPDMA_DEBUGFS_READ_MAX_SIZE);
Reported by FlawFinder.
Line: 385
Column: 19
CWE codes:
126
XILINX_DPDMA_DEBUGFS_READ_MAX_SIZE);
}
size = min(size, strlen(kern_buff));
if (copy_to_user(buf, kern_buff, size))
ret = -EFAULT;
done:
kfree(kern_buff);
Reported by FlawFinder.
drivers/edac/edac_pci_sysfs.c
4 issues
Line: 685
*
* Called to handle a PARITY ERROR event
*/
void edac_pci_handle_pe(struct edac_pci_ctl_info *pci, const char *msg)
{
/* global PE counter incremented by edac_pci_do_parity_check() */
atomic_inc(&pci->counters.pe_count);
Reported by Cppcheck.
Line: 61
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
/**************************** EDAC PCI sysfs instance *******************/
static ssize_t instance_pe_count_show(struct edac_pci_ctl_info *pci, char *data)
{
return sprintf(data, "%u\n", atomic_read(&pci->counters.pe_count));
}
static ssize_t instance_npe_count_show(struct edac_pci_ctl_info *pci,
char *data)
{
Reported by FlawFinder.
Line: 67
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t instance_npe_count_show(struct edac_pci_ctl_info *pci,
char *data)
{
return sprintf(data, "%u\n", atomic_read(&pci->counters.npe_count));
}
#define to_instance(k) container_of(k, struct edac_pci_ctl_info, kobj)
#define to_instance_attr(a) container_of(a, struct instance_attribute, attr)
Reported by FlawFinder.
Line: 217
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
static ssize_t edac_pci_int_show(void *ptr, char *buffer)
{
int *value = ptr;
return sprintf(buffer, "%d\n", *value);
}
static ssize_t edac_pci_int_store(void *ptr, const char *buffer, size_t count)
{
int *value = ptr;
Reported by FlawFinder.
drivers/firewire/core-transaction.c
4 issues
Line: 393
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct transaction_callback_data *d = data;
if (rcode == RCODE_COMPLETE)
memcpy(d->payload, payload, length);
d->rcode = rcode;
complete(&d->done);
}
/**
Reported by FlawFinder.
Line: 793
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
request->ack = p->ack;
request->length = length;
if (data)
memcpy(request->data, data, length);
memcpy(request->request_header, p->header, sizeof(p->header));
return request;
}
Reported by FlawFinder.
Line: 795
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data)
memcpy(request->data, data, length);
memcpy(request->request_header, p->header, sizeof(p->header));
return request;
}
void fw_send_response(struct fw_card *card,
Reported by FlawFinder.
Line: 1057
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
start = (offset - topology_map_region.start) / 4;
memcpy(payload, &card->topology_map[start], length);
fw_send_response(card, request, RCODE_COMPLETE);
}
static struct fw_address_handler topology_map = {
Reported by FlawFinder.
drivers/firmware/arm_scmi/driver.c
4 issues
Line: 1554
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scmi_info *info = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", info->version.vendor_id);
}
static DEVICE_ATTR_RO(vendor_id);
static ssize_t sub_vendor_id_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
Line: 1563
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scmi_info *info = dev_get_drvdata(dev);
return sprintf(buf, "%s\n", info->version.sub_vendor_id);
}
static DEVICE_ATTR_RO(sub_vendor_id);
static struct attribute *versions_attrs[] = {
&dev_attr_firmware_version.attr,
Reported by FlawFinder.
Line: 1535
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scmi_info *info = dev_get_drvdata(dev);
return sprintf(buf, "%u.%u\n", info->version.major_ver,
info->version.minor_ver);
}
static DEVICE_ATTR_RO(protocol_version);
static ssize_t firmware_version_show(struct device *dev,
Reported by FlawFinder.
Line: 1545
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scmi_info *info = dev_get_drvdata(dev);
return sprintf(buf, "0x%x\n", info->version.impl_ver);
}
static DEVICE_ATTR_RO(firmware_version);
static ssize_t vendor_id_show(struct device *dev,
struct device_attribute *attr, char *buf)
Reported by FlawFinder.
drivers/firmware/arm_scpi.c
4 issues
Line: 319
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
__le16 sensor_id;
u8 class;
u8 trigger_type;
char name[20];
};
struct dev_pstate_set {
__le16 dev_id;
u8 pstate;
Reported by FlawFinder.
Line: 732
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ret = scpi_send_message(CMD_SENSOR_INFO, &id, sizeof(id),
&_info, sizeof(_info));
if (!ret) {
memcpy(info, &_info, sizeof(*info));
info->sensor_id = le16_to_cpu(_info.sensor_id);
}
return ret;
}
Reported by FlawFinder.
Line: 829
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scpi_drvinfo *scpi_info = dev_get_drvdata(dev);
return sprintf(buf, "%lu.%lu\n",
FIELD_GET(PROTO_REV_MAJOR_MASK, scpi_info->protocol_version),
FIELD_GET(PROTO_REV_MINOR_MASK, scpi_info->protocol_version));
}
static DEVICE_ATTR_RO(protocol_version);
Reported by FlawFinder.
Line: 840
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
struct scpi_drvinfo *scpi_info = dev_get_drvdata(dev);
return sprintf(buf, "%lu.%lu.%lu\n",
FIELD_GET(FW_REV_MAJOR_MASK, scpi_info->firmware_version),
FIELD_GET(FW_REV_MINOR_MASK, scpi_info->firmware_version),
FIELD_GET(FW_REV_PATCH_MASK, scpi_info->firmware_version));
}
static DEVICE_ATTR_RO(firmware_version);
Reported by FlawFinder.
drivers/firmware/efi/esrt.c
4 issues
Line: 126
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
#define esre_attr_decl(name, size, fmt) \
static ssize_t name##_show(struct esre_entry *entry, char *buf) \
{ \
return sprintf(buf, fmt "\n", \
le##size##_to_cpu(entry->esre.esre1->name)); \
} \
\
static struct esre_attribute esre_##name = __ATTR_RO_MODE(name, 0400)
Reported by FlawFinder.
Line: 198
Column: 9
CWE codes:
134
Suggestion:
Make format string constant
static ssize_t name##_show(struct kobject *kobj, \
struct kobj_attribute *attr, char *buf)\
{ \
return sprintf(buf, fmt "\n", le##size##_to_cpu(esrt->name)); \
} \
\
static struct kobj_attribute esrt_##name = __ATTR_RO_MODE(name, 0400)
esrt_attr_decl(fw_resource_count, 32, "%u");
Reported by FlawFinder.
Line: 115
Column: 9
CWE codes:
126
char *str = buf;
efi_guid_to_str(&entry->esre.esre1->fw_class, str);
str += strlen(str);
str += sprintf(str, "\n");
return str - buf;
}
Reported by FlawFinder.
Line: 116
Column: 9
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
efi_guid_to_str(&entry->esre.esre1->fw_class, str);
str += strlen(str);
str += sprintf(str, "\n");
return str - buf;
}
static struct esre_attribute esre_fw_class = __ATTR_RO_MODE(fw_class, 0400);
Reported by FlawFinder.