The following issues were found
drivers/gpu/drm/drm_atomic_state_helper.c
4 issues
Line: 134
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void __drm_atomic_helper_crtc_duplicate_state(struct drm_crtc *crtc,
struct drm_crtc_state *state)
{
memcpy(state, crtc->state, sizeof(*state));
if (state->mode_blob)
drm_property_blob_get(state->mode_blob);
if (state->degamma_lut)
drm_property_blob_get(state->degamma_lut);
Reported by FlawFinder.
Line: 306
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void __drm_atomic_helper_plane_duplicate_state(struct drm_plane *plane,
struct drm_plane_state *state)
{
memcpy(state, plane->state, sizeof(*state));
if (state->fb)
drm_framebuffer_get(state->fb);
state->fence = NULL;
Reported by FlawFinder.
Line: 469
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
__drm_atomic_helper_connector_duplicate_state(struct drm_connector *connector,
struct drm_connector_state *state)
{
memcpy(state, connector->state, sizeof(*state));
if (state->crtc)
drm_connector_get(connector);
state->commit = NULL;
if (state->hdr_output_metadata)
Reported by FlawFinder.
Line: 556
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
void __drm_atomic_helper_private_obj_duplicate_state(struct drm_private_obj *obj,
struct drm_private_state *state)
{
memcpy(state, obj->state, sizeof(*state));
}
EXPORT_SYMBOL(__drm_atomic_helper_private_obj_duplicate_state);
/**
* __drm_atomic_helper_bridge_duplicate_state() - Copy atomic bridge state
Reported by FlawFinder.
drivers/gpu/drm/drm_client_modeset.c
4 issues
Line: 545
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
crtcs[n] = crtc;
memcpy(crtcs, best_crtcs, n * sizeof(*crtcs));
score = my_score + drm_client_pick_crtcs(client, connectors, connector_count,
crtcs, modes, n + 1, width, height);
if (score > best_score) {
best_score = score;
memcpy(best_crtcs, crtcs, connector_count * sizeof(*crtcs));
Reported by FlawFinder.
Line: 550
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
crtcs, modes, n + 1, width, height);
if (score > best_score) {
best_score = score;
memcpy(best_crtcs, crtcs, connector_count * sizeof(*crtcs));
}
}
kfree(crtcs);
return best_score;
Reported by FlawFinder.
Line: 593
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
while (drm_modeset_lock_all_ctx(dev, &ctx) != 0)
drm_modeset_backoff(&ctx);
memcpy(save_enabled, enabled, count);
mask = GENMASK(count - 1, 0);
conn_configured = 0;
for (i = 0; i < count; i++) {
if (connectors[i]->has_tile &&
connectors[i]->status == connector_status_connected)
Reported by FlawFinder.
Line: 742
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (fallback) {
bail:
DRM_DEBUG_KMS("Not using firmware configuration\n");
memcpy(enabled, save_enabled, count);
ret = false;
}
drm_modeset_drop_locks(&ctx);
drm_modeset_acquire_fini(&ctx);
Reported by FlawFinder.
drivers/gpu/drm/drm_edid_load.c
4 issues
Line: 20
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <drm/drm_edid.h>
#include <drm/drm_print.h>
static char edid_firmware[PATH_MAX];
module_param_string(edid_firmware, edid_firmware, sizeof(edid_firmware), 0644);
MODULE_PARM_DESC(edid_firmware, "Do not probe monitor, use specified EDID blob "
"from built-in data or /lib/firmware instead. ");
/* Use only for backward compatibility with drm_kms_helper.edid_firmware */
Reported by FlawFinder.
Line: 42
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
EXPORT_SYMBOL(__drm_get_edid_firmware_path);
#define GENERIC_EDIDS 6
static const char * const generic_edid_name[GENERIC_EDIDS] = {
"edid/800x600.bin",
"edid/1024x768.bin",
"edid/1280x1024.bin",
"edid/1600x1200.bin",
"edid/1680x1050.bin",
Reported by FlawFinder.
Line: 233
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 1; i <= edid[0x7e]; i++) {
if (i != valid_extensions + 1)
memcpy(edid + (valid_extensions + 1) * EDID_LENGTH,
edid + i * EDID_LENGTH, EDID_LENGTH);
if (drm_edid_block_valid(edid + i * EDID_LENGTH, i,
print_bad_edid,
NULL))
valid_extensions++;
Reported by FlawFinder.
Line: 309
Column: 20
CWE codes:
126
edidname = fallback;
}
last = edidname + strlen(edidname) - 1;
if (*last == '\n')
*last = '\0';
edid = edid_load(connector, edidname, connector_name);
kfree(fwstr);
Reported by FlawFinder.
drivers/gpu/drm/drm_format_helper.c
4 issues
Line: 45
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vaddr += clip_offset(clip, fb->pitches[0], cpp);
for (y = 0; y < lines; y++) {
memcpy(dst, vaddr, len);
vaddr += fb->pitches[0];
dst += len;
}
}
EXPORT_SYMBOL(drm_fb_memcpy);
Reported by FlawFinder.
Line: 116
Column: 4
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (y = clip->y1; y < clip->y2; y++) {
if (buf) {
memcpy(buf, src, len);
src16 = buf;
src32 = buf;
} else {
src16 = src;
src32 = src;
Reported by FlawFinder.
Line: 190
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
vaddr += clip_offset(clip, fb->pitches[0], sizeof(u32));
for (y = 0; y < lines; y++) {
memcpy(sbuf, vaddr, src_len);
drm_fb_xrgb8888_to_rgb565_line(dst, sbuf, linepixels, swab);
vaddr += fb->pitches[0];
dst += dst_len;
}
Reported by FlawFinder.
Line: 330
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (y = clip->y1; y < clip->y2; y++) {
src = vaddr + (y * fb->pitches[0]);
src += clip->x1;
memcpy(buf, src, len);
src = buf;
for (x = clip->x1; x < clip->x2; x++) {
u8 r = (*src & 0x00ff0000) >> 16;
u8 g = (*src & 0x0000ff00) >> 8;
u8 b = *src & 0x000000ff;
Reported by FlawFinder.
drivers/gpu/drm/drm_ioctl.c
4 issues
Line: 827
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
drm_ioctl_t *func;
unsigned int nr = DRM_IOCTL_NR(cmd);
int retcode = -EINVAL;
char stack_kdata[128];
char *kdata = NULL;
unsigned int in_size, out_size, drv_size, ksize;
bool is_driver_ioctl;
dev = file_priv->minor->dev;
Reported by FlawFinder.
Line: 163
Column: 25
CWE codes:
126
WARN_ON(!dev->unique);
master->unique = kstrdup(dev->unique, GFP_KERNEL);
if (master->unique)
master->unique_len = strlen(dev->unique);
}
return 0;
}
Reported by FlawFinder.
Line: 478
Column: 8
CWE codes:
126
int len;
/* don't overflow userbuf */
len = strlen(value);
if (len > *buf_len)
len = *buf_len;
/* let userspace know exact length of driver value (which could be
* larger than the userspace-supplied buffer) */
Reported by FlawFinder.
Line: 484
Column: 13
CWE codes:
126
/* let userspace know exact length of driver value (which could be
* larger than the userspace-supplied buffer) */
*buf_len = strlen(value);
/* finally, try filling in the userbuf */
if (len && buf)
if (copy_to_user(buf, value, len))
return -EFAULT;
Reported by FlawFinder.
drivers/gpu/drm/drm_plane.c
4 issues
Line: 203
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
blob_data->modifiers_offset =
ALIGN(blob_data->formats_offset + formats_size, 8);
memcpy(formats_ptr(blob_data), plane->format_types, formats_size);
/* If we can't determine support, just bail */
if (!plane->funcs->format_mod_supported)
goto done;
Reported by FlawFinder.
Line: 321
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -ENOMEM;
}
memcpy(plane->format_types, formats, format_count * sizeof(uint32_t));
plane->format_count = format_count;
memcpy(plane->modifiers, format_modifiers,
format_modifier_count * sizeof(format_modifiers[0]));
plane->possible_crtcs = possible_crtcs;
plane->type = type;
Reported by FlawFinder.
Line: 323
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
memcpy(plane->format_types, formats, format_count * sizeof(uint32_t));
plane->format_count = format_count;
memcpy(plane->modifiers, format_modifiers,
format_modifier_count * sizeof(format_modifiers[0]));
plane->possible_crtcs = possible_crtcs;
plane->type = type;
list_add_tail(&plane->head, &config->plane_list);
Reported by FlawFinder.
Line: 1183
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
struct drm_mode_cursor *req = data;
struct drm_mode_cursor2 new_req;
memcpy(&new_req, req, sizeof(struct drm_mode_cursor));
new_req.hot_x = new_req.hot_y = 0;
return drm_mode_cursor_common(dev, &new_req, file_priv);
}
Reported by FlawFinder.
drivers/nvdimm/security.c
4 issues
Line: 57
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
char desc[NVDIMM_KEY_DESC_LEN + sizeof(NVDIMM_PREFIX)];
struct device *dev = &nvdimm->dev;
sprintf(desc, "%s%s", NVDIMM_PREFIX, nvdimm->dimm_id);
key = request_key(&key_type_encrypted, desc, "");
if (IS_ERR(key)) {
if (PTR_ERR(key) == -ENOKEY)
dev_dbg(dev, "request_key() found no key\n");
else
Reported by FlawFinder.
Line: 25
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
module_param(key_revalidate, bool, 0444);
MODULE_PARM_DESC(key_revalidate, "Require key validation at init.");
static const char zero_key[NVDIMM_PASSPHRASE_LEN];
static void *key_data(struct key *key)
{
struct encrypted_key_payload *epayload = dereference_key_locked(key);
Reported by FlawFinder.
Line: 54
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct key *key = NULL;
static const char NVDIMM_PREFIX[] = "nvdimm:";
char desc[NVDIMM_KEY_DESC_LEN + sizeof(NVDIMM_PREFIX)];
struct device *dev = &nvdimm->dev;
sprintf(desc, "%s%s", NVDIMM_PREFIX, nvdimm->dimm_id);
key = request_key(&key_type_encrypted, desc, "");
if (IS_ERR(key)) {
Reported by FlawFinder.
Line: 504
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct nvdimm *nvdimm = to_nvdimm(dev);
ssize_t rc;
char cmd[SEC_CMD_SIZE+1], keystr[KEY_ID_SIZE+1],
nkeystr[KEY_ID_SIZE+1];
unsigned int key, newkey;
int i;
rc = sscanf(buf, "%"__stringify(SEC_CMD_SIZE)"s"
Reported by FlawFinder.
drivers/pnp/pnpbios/proc.c
4 issues
Line: 223
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
int pnpbios_interface_attach_device(struct pnp_bios_node *node)
{
char name[3];
sprintf(name, "%02x", node->handle);
if (!proc_pnp)
return -EIO;
Reported by FlawFinder.
Line: 225
Column: 2
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
{
char name[3];
sprintf(name, "%02x", node->handle);
if (!proc_pnp)
return -EIO;
if (!pnpbios_dont_use_current_config) {
proc_create_data(name, 0644, proc_pnp, &pnpbios_proc_ops,
Reported by FlawFinder.
Line: 268
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
void __exit pnpbios_proc_exit(void)
{
int i;
char name[3];
if (!proc_pnp)
return;
for (i = 0; i < 0xff; i++) {
Reported by FlawFinder.
Line: 274
Column: 3
CWE codes:
120
Suggestion:
Use sprintf_s, snprintf, or vsnprintf
return;
for (i = 0; i < 0xff; i++) {
sprintf(name, "%02x", i);
if (!pnpbios_dont_use_current_config)
remove_proc_entry(name, proc_pnp);
remove_proc_entry(name, proc_pnp_boot);
}
remove_proc_entry("legacy_device_resources", proc_pnp);
Reported by FlawFinder.
drivers/nfc/pn544/pn544.c
4 issues
Line: 626
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u8 uid[MIFARE_UID_LEN];
u8 *data = skb->data + MIFARE_CMD_HEADER;
memcpy(uid, data + MIFARE_KEY_LEN,
MIFARE_UID_LEN);
memmove(data + MIFARE_UID_LEN, data,
MIFARE_KEY_LEN);
memcpy(data, uid, MIFARE_UID_LEN);
}
Reported by FlawFinder.
Line: 630
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
MIFARE_UID_LEN);
memmove(data + MIFARE_UID_LEN, data,
MIFARE_KEY_LEN);
memcpy(data, uid, MIFARE_UID_LEN);
}
return nfc_hci_send_cmd_async(hdev,
target->hci_reader_gate,
PN544_MIFARE_CMD,
Reported by FlawFinder.
Line: 927
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
init_data.gate_count = ARRAY_SIZE(pn544_gates);
memcpy(init_data.gates, pn544_gates, sizeof(pn544_gates));
/*
* TODO: Session id must include the driver name + some bus addr
* persistent info to discriminate 2 identical chips
*/
Reported by FlawFinder.
Line: 933
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
* TODO: Session id must include the driver name + some bus addr
* persistent info to discriminate 2 identical chips
*/
strcpy(init_data.session_id, "ID544HCI");
protocols = NFC_PROTO_JEWEL_MASK |
NFC_PROTO_MIFARE_MASK |
NFC_PROTO_FELICA_MASK |
NFC_PROTO_ISO14443_MASK |
Reported by FlawFinder.
drivers/nfc/pn544/i2c.c
4 issues
Line: 531
Column: 2
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
pr_info("Starting Firmware Download (%s)\n", firmware_name);
strcpy(phy->firmware_name, firmware_name);
phy->hw_variant = hw_variant;
phy->fw_work_state = FW_WORK_STATE_START;
schedule_work(&phy->fw_work);
Reported by FlawFinder.
Line: 162
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
struct work_struct fw_work;
int fw_work_state;
char firmware_name[NFC_FIRMWARE_NAME_MAXSIZE + 1];
const struct firmware *fw;
u32 fw_blob_dest_addr;
size_t fw_blob_size;
const u8 *fw_blob_data;
size_t fw_written;
Reported by FlawFinder.
Line: 587
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
put_unaligned_be16(datalen, &framep->be_datalen);
memcpy(framep->data, data, datalen);
r = i2c_master_send(client, frame, framelen);
if (r == framelen)
return datalen;
Reported by FlawFinder.
Line: 672
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
put_unaligned_be16(datalen, &chunk->be_datalen);
memcpy(chunk->data, data, datalen);
chunklen = sizeof(chunk->cmd) + sizeof(chunk->be_datalen) + datalen;
r = i2c_master_send(phy->i2c_dev, buf, chunklen);
Reported by FlawFinder.